HIPAA Security Service Helps Hospitals to Comply With Privacy Regulations
StillSecure, a company that offers managed network security and certified compliance, has announced HIPAA Essential, a service that provides networking as well as support for health care providers as they aim to comply with the Health Insurance Portability and Accountability Act (HIPAA).
Announced July 24, HIPAA Essential offers a firewall, intrusion detection and prevention (IDPS), Secure Sockets Layer and IPSec VPN, multifactor authentication, internal and external vulnerability scanning, file integrity monitoring (FIM), a Web application firewall (WAF) and security event log management (SELM) and monitoring.
StillSecure also provides an intrusion detection and prevention system.
"We monitor traffic from protected hardware looking for signatures to indicate an attack in progress," James Brown, CTO of StillSecure, told eWEEK.
This bundle is similar to that offered by StillSecure for PCI cards, Brown noted.
"HIPAA is a lot more process-focused than PCI," said Brown, referring to PCI's straightforward hardware requirements.
StillSecure's Security Operations Centers (SOCs) manage the data security as part of HIPAA Essential.
With HIPAA Essential, health care organizations can focus on their work rather than compliance, said Brown. StillSecure aims to make security requirements transparent.
Coalfire Systems, an independent IT governance, risk and compliance (IT GRC) firm, has provided independent auditing for HIPAA Essential.
With the HIPAA rules strengthened under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, health care organizations need technology that allows them to ensure regular compliance, noted Rick Dakin, CEO and senior security strategist, of Coalfire Systems.
HIPAA Essential provides compliance with the full set of HIPAA implementation specifications rather than just a subset of controls for the service provider, said Dakin. "By addressing the full range of requirements as a monthly managed service, the cost of compliance is streamlined and dramatically reduced," said Dakin.
Health care providers need to be HIPAA-compliant to qualify for Stage 1 meaningful-use incentives for implementing electronic health records (EHRs), Dakin noted.
StillSecure also provides semiannual reviews by the company's security experts, who manage and monitor HIPAA Essential around the clock, the company reported. "To achieve HIPAA compliance, organizations have to start off with an inventory and scoping of where they collect and shore up electronic protected health information," said Dakin. "That is the root of the assessment and compliance validation."
HIPAA Essential is an "end-to-end" platform, according to StillSecure.
It manages technology and performs process reviews to help health care organizations conform to HIPAA requirements and access-management procedures, said Brown.
StillSecure's data center partners help health care providers with the physical security requirements of HIPAA, including installing door locks and cameras, as well as implementing sign-in sheets. The company also makes sure providers are protected from malicious software, said Brown.
HIPAA Essential allows providers to reduce costs, make audits easier and simplify the security "gruntwork," said Brown.
It uses a software as a service (SaaS) portal called Radar to provide a view of a health care organization's protected appliances, said Brown. It also works with telecommunication providers to encrypt and decrypt Web traffic as a gateway application.
"All of the traffic between the Internet and protected devices goes through us," said Brown.
StillSecure blocks data from Internet addresses that are suspect and allows data that's legitimate, he said.
In addition, HIPAA Essential authenticates users that can access a hospital's network, according to Brown.
If a hospital's data center has 10 servers and only five people are authorized to access the network, HIPAA Essential secures access with two-factor authentication, said Brown.
HIPAA Essential will be available by the end of July.
Editor's note: This story has been updated to clarify the role of StillSecure's data center partners in covering the physical security requirements of HIPAA.