Healthcare Security and Privacy

Patient privacy is a major issue for today's healthcare providers. Safeguarding the confidentiality, integrity, and availability of patient information is no longer just a goal: it is a legal requirement. Keeping pace with ever-expanding government regulations is an expensive and resource-intensive proposition, and the adoption of new technologies such as electronic health records (EHRs) and online personal health services makes the task even more difficult.

Using content awareness, NitroView provides a comprehensive monitoring and reporting solution for healthcare providers: protecting patient privacy, meeting HIPAA Security and PCI security mandates, ensuring the safe exchange of patient health records, and meeting FTC Red Flags Rule and 21 CFR Part 11 requirements.

Healthcare providers face a number of unique security and compliance challenges, including a proliferation of federal regulations (HIPAA, ARRA and HITECH, and the FTC Red Flags Rule) as well as varying state laws.

NitroView addresses these challenges by integrating leading privacy monitoring solutions with the industry's only content-aware SIEM, providing:

  • Regulatory Compliance - Federal and state laws (HIPAA, the FTC identity theft rules, California AB 211, and California SB 541) require healthcare providers to tightly monitor and control access to medical records, IT systems, and clinical applications.
  • Investigations and Audits - Healthcare providers must archive patient, user, physician, consultant and contractor records for investigations and audits.
  • Privacy Assurance Monitoring - Numerous healthcare personnel - registration, accounting, nursing, physicians, technicians, and associates - have access to a patient's records. Providers must find innovative ways to protect patient privacy without blocking legitimate access to medical records or impairing patient safety.
  • Identity Theft Protection - EHRs and online personal health services open new doors for hackers and identity thieves. Healthcare providers must detect and curtail identity theft and introduce systems and practices to comply with the FTC Red Flags Rule.
  • Incident Response and Remediation - Compliance and information security teams must identify and contain internal and external security threats as quickly as possible to minimize exposure and mitigate risk.

NitroSecurity NitroView Enterprise Security Manager is fully integrated with FairWarning(R) Privacy Solutions, providing everything you need to enforce patient privacy, protect against non-compliance, and secure electronic medical records and systems.

FairWarning monitors clinical applications and systems to ensure patient privacy, while NitroSecurity monitors network devices and applications to protect against data loss and risk. Together, NitroSecurity and FairWarning provide a privacy and early-warning notification system for both privacy officers and information security analysts, making it simpler to mitigate privacy issues before they lead to non-compliance or, worse, lawsuits.

FairWarning brings full visibility of patient information, policies and privacy violations into NitroView ESM, where this information is correlated and analyzed in real time alongside network security events from firewalls, hosts, databases and applications. The result is a common platform for the detection, investigation and response to healthcare security and privacy concerns.

Benefits include:

  • Provide visibility to healthcare and clinical systems, patient records and policies along with network, database and application visibility
  • Correlate security logs & events with privacy alerts to track policy violations to their source
  • Minimize loss with a faster and more comprehensive early warning system

The compliance landscape for healthcare organizations has changed significantly since the passage of the legislation creating HIPAA in 1996 and the subsequent introduction of the HIPAA Security and Privacy Rules. In 2009, the passage of the HITECH Act as part of the American Recovery and Reinvestment Act of 2009 (ARRA) changed which organizations fall under HIPAA's obligations (extending them to business associates) and widened the scope of compliance requirements for healthcare organizations. In addition, regulators tasked with enforcing the requirements of HIPAA and HITECH have become more aggressive in auditing healthcare organizations.

With the increased regulatory attention on the healthcare sector, many healthcare service providers are exploring security technologies that can help them meet, and ease the burden of, regulatory compliance. In creating this paper, Compliance Research Group undertook an extensive evaluation of the functionality provided by each of the NitroSecurity products and their ability to satisfy HIPAA and HITECH healthcare compliance requirements. This document maps functionality from the NitroSecurity solutions - NitroView ESM, NitroView DBM, NitroGuard IPS, NitroView ADM, and NitroView ELM - to specific requirements of HIPAA and HITECH. Our goal in analyzing the fit of the Nitro products has been to identify the areas where a product directly addresses a requirement, and additionally the areas where a product helps to identify compliance gaps by providing the audit and event information that is critical to proving or disproving compliance.

NitroView is able to directly address the following requirements:

  • 164.306 Security standards: General rules
  • 164.308 Administrative safeguards
    • 164.308 (1)(i) Standard: Security management process
    • 164.308 (4)(ii)(a) Standard: Information access management
    • 164.308 (5)(i) Standard: Security awareness and training
    • 164.308 (6)(i) Standard: Security incident procedures
    • 164.308 (8)(i) Standard: Evaluation
  • 164.310 Physical safeguards
    • 164.310 (a)(2) Standard: Facility access controls
  • 164.312 Technical safeguards
    • 164.312 (a)(1) Standard: Access control
    • 164.312 (b) Standard: Audit controls
    • 164.312 (e)(1) Standard: Transmission security
  • HITECH/ARRA Section 13402 (breach notification)

Popular use cases include:

  • Proactive Risk Management & Data Security
  • Fast & Accurate Privacy Breach Investigations
  • Integrated Privacy Monitoring
  • Regulatory Investigations and Auditing
  • Detecting "Snooping" Patterns
  • Detecting Identity Theft Patterns
  • Safeguarding against PHI Data Leaks
  • Detecting "Inappropriate Access" and Fraud
  • Correlating System Access with Physical Access
  • Detecting Rogue Devices & Vulnerable Applications
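To make concrete what "correlate security logs & events with privacy alerts" means for the "Detecting Snooping Patterns" and "Correlating System Access with Physical Access" use cases above, here is an added example written for this page. It is not NitroView or FairWarning code: the event fields, the three rule names, the department/unit convention and all sample records (EHR chart accesses, badge swipes, treatment relationships) are constructed assumptions, chosen to show one clean hit per rule.

```python
from collections import defaultdict
from datetime import datetime


def _t(s):
    return datetime.fromisoformat(s)


# Constructed EHR access events in the shape a privacy-monitoring feed
# (FairWarning-style) might hand to a SIEM: who opened which chart, from where.
EHR_ACCESS = [
    {"ts": _t("2011-03-02T09:05:00"), "user": "nurse_garcia", "dept": "ICU",
     "patient": "P100", "patient_name": "Ortiz", "unit": "ICU", "source": "ws-icu-07"},
    {"ts": _t("2011-03-02T09:40:00"), "user": "nurse_garcia", "dept": "ICU",
     "patient": "P220", "patient_name": "Garcia", "unit": "ONC", "source": "ws-icu-07"},
    {"ts": _t("2011-03-02T13:15:00"), "user": "clerk_wong", "dept": "ED",
     "patient": "P305", "patient_name": "Miller", "unit": "ED", "source": "ws-ed-02"},
    {"ts": _t("2011-03-02T22:10:00"), "user": "dr_lee", "dept": "CARD",
     "patient": "P100", "patient_name": "Ortiz", "unit": "ICU", "source": "ws-card-01"},
    {"ts": _t("2011-03-02T14:00:00"), "user": "dr_lee", "dept": "CARD",
     "patient": "P410", "patient_name": "Smith", "unit": "CARD", "source": "vpn"},
]

# Constructed badge-reader swipes from the physical access control system.
BADGE_EVENTS = [
    ("2011-03-02T08:30:00", "nurse_garcia", "in"),
    ("2011-03-02T17:00:00", "nurse_garcia", "out"),
    ("2011-03-02T08:55:00", "clerk_wong", "in"),
    ("2011-03-02T12:30:00", "clerk_wong", "out"),   # left before the 13:15 access
    ("2011-03-02T07:45:00", "dr_lee", "in"),
    ("2011-03-02T18:05:00", "dr_lee", "out"),       # gone before the 22:10 access
]

# Constructed treatment relationships (orders/encounters): user -> patients.
TREATMENT = {"nurse_garcia": {"P100"}, "dr_lee": {"P100", "P410"}, "clerk_wong": set()}
USER_SURNAME = {"nurse_garcia": "Garcia", "clerk_wong": "Wong", "dr_lee": "Lee"}
ON_PREM_PREFIX = "ws-"   # assumed naming: on-site workstations; "vpn" is remote


def badge_intervals(events):
    """Pair in/out swipes into per-user presence intervals (open-ended if no 'out')."""
    by_user = defaultdict(list)
    for ts, user, direction in sorted(events):
        by_user[user].append((_t(ts), direction))
    intervals = defaultdict(list)
    for user, swipes in by_user.items():
        start = None
        for ts, direction in swipes:
            if direction == "in" and start is None:
                start = ts
            elif direction == "out" and start is not None:
                intervals[user].append((start, ts))
                start = None
        if start is not None:
            intervals[user].append((start, datetime.max))
    return intervals


def badged_in(intervals, user, ts):
    return any(a <= ts <= b for a, b in intervals.get(user, []))


def correlate(accesses, badge_events, treatment, surnames):
    """Run the three rules over each chart access and return one finding per hit."""
    intervals = badge_intervals(badge_events)
    findings = []
    for ev in accesses:
        user, patient = ev["user"], ev["patient"]
        hits = []
        # Family snooping: the user shares a surname with the patient.
        if surnames.get(user) == ev["patient_name"]:
            hits.append("snooping:same-surname")
        # Cross-unit access with no order/encounter tying the user to the patient.
        if patient not in treatment.get(user, set()) and ev["dept"] != ev["unit"]:
            hits.append("snooping:no-treatment-relationship")
        # On-site workstation used while the badge system says the user is not in the building.
        if ev["source"].startswith(ON_PREM_PREFIX) and not badged_in(intervals, user, ev["ts"]):
            hits.append("physical:no-badge-presence")
        for rule in hits:
            findings.append({"rule": rule, "user": user, "patient": patient,
                             "ts": ev["ts"].isoformat(), "source": ev["source"]})
    return findings


if __name__ == "__main__":
    for f in correlate(EHR_ACCESS, BADGE_EVENTS, TREATMENT, USER_SURNAME):
        print(f)
```

On the constructed data this yields four findings: the same-surname and no-relationship rules both fire on nurse_garcia's access to P220, and the badge rule fires on clerk_wong (badged out before the access) and on dr_lee's 22:10 access from a workstation after badging out; dr_lee's VPN access is skipped by the badge rule because it is remote. Treat such hits as leads for the privacy officer rather than verdicts: common surnames and tailgating through a badge door both produce false positives, and a missing "out" swipe leaves a presence interval open.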

For more detail on popular use cases, please visit our Use Cases page, or Contact Us to arrange a personal webinar, and see how NitroView can meet your individual requirements.