This document provides an overview of the HIPAA Security Rule for office administrators, doctors, and IT professionals. It explains that while many covered entities focus on complying with the Privacy Rule, the Security Rule is a separate regulation that requires technical and physical safeguards to protect electronic protected health information. Not complying with the Security Rule can result in significant fines and damage to reputation if a data breach or compromise occurs. It recommends that covered entities find help from compliance experts, conduct risk assessments, identify gaps, and budget for security implementations in order to cost-effectively comply with both the Privacy and Security Rules.
The HIPAA Security Rule: Yes, It's Your Problem
1. The HIPAA Security Rule: Yes, It’s Your Problem
An overview for office administrators, receptionists, doctors, and IT professionals
2. About Us
• SecurityMetrics
– Regulatory security compliance assessments and consulting
– Digital forensics & penetration testing
– Regulatory compliance programs (validation, tracking, training, support)
– Helped over 1 million small to large entities manage security compliance
3. Scenario
• Office managers/receptionists access Facebook, personal email, etc.
• Accessed on the same computer that holds patient records
• All it takes is a single click on a malicious link and a key logger is installed
• The key logger listens for any sensitive data
4. The Looming Problem
“I’m already doing HIPAA.”
“I don’t have the time or budget for this.”
“My affiliates take care of HIPAA.”
5. The Unfortunate Reality
• A small covered entity’s (SCE’s) merchant processor, EHR vendor, and IT specialists:
– Don’t fulfill HIPAA requirements for a business
– Won’t pay for a compromise
– Don’t suffer brand damage if a business is compromised
• Risk and liability rest entirely upon the SCE
6. Why Would Anyone Steal From Me?
• “My business isn’t large or important enough for a criminal to steal from!”
• Actually… hackers go after smaller entities because they spend fewer resources on beefing up security
• Criminals steal from entities they know won’t catch them
8. Privacy vs. Security
• Healthcare entities haven’t separated Security and Privacy regulation, and leave many Security Rule requirements unfulfilled
• Privacy Rule compliance doesn’t extend to the Security Rule
• To be truly HIPAA compliant, you must comply with BOTH aspects.
9. The HIPAA Privacy Rule
• Federally protects health information and patient rights from unauthorized disclosure
• Written policies and procedures must include safeguards for administration of PHI, electronic health information (ePHI), physical security, etc.
• Implemented in the healthcare industry in 1996
• Healthcare entities are well-trained and understand the Privacy Rule
10. The HIPAA Security Rule
• Requires covered entities, business associates, and subcontractors to protect ePHI
• Implemented 2003-2005
• HITECH Act 2009: increased the legal liability of non-compliance
• Completely separate from the Privacy Rule
11. Security Rule Implementation Examples
• As per HIPAA regulations:
– Passwords must be changed every 90 days
– Substantially different from the last password
– Contain 6 characters (min.)
– Can’t use dictionary words, slang, or proper names
– Each user must use a different username and password
• As per HIPAA regulations:
– CE must protect electronic networks with WPA2
– WEP must never be used
• Are you implementing these policies?
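As an added example (not code from SecurityMetrics or this presentation), a small Python checker for the password rules listed on this slide: minimum length, no dictionary/slang/proper-name words, substantially different from the previous password, a 90-day maximum age, and no password shared between user accounts. The similarity cutoff and the word list are constructed assumptions; a real deployment would use a full word list and salted password hashes.

```python
import datetime as dt
import difflib
import hashlib

# Thresholds from the slide; the similarity cutoff is an assumption for "substantially different".
MIN_LENGTH = 6
MAX_AGE_DAYS = 90
MAX_SIMILARITY = 0.6  # assumed: above this ratio the new password is too close to the old one

# Constructed stand-in for a dictionary / slang / proper-name word list.
FORBIDDEN_WORDS = {"password", "welcome", "summer", "clinic", "doctor", "john", "mary"}


def password_expired(last_changed: dt.date, today: dt.date) -> bool:
    """True when the password is older than the 90-day limit."""
    return (today - last_changed).days > MAX_AGE_DAYS


def check_new_password(new: str, previous: str) -> list[str]:
    """Return the policy rules a proposed password violates (empty list means accepted)."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = new.lower()
    hits = sorted(w for w in FORBIDDEN_WORDS if w in lowered)
    if hits:
        problems.append("contains dictionary/slang/proper-name word(s): " + ", ".join(hits))
    # "Substantially different from last password": edit similarity, case-insensitive,
    # so that Summer2023! -> Summer2024! style rotations are rejected.
    ratio = difflib.SequenceMatcher(None, lowered, previous.lower()).ratio()
    if ratio > MAX_SIMILARITY:
        problems.append(f"too similar to previous password (similarity {ratio:.2f})")
    return problems


def shared_credentials(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Map each password hash used by more than one account to the usernames sharing it.
    Unsalted SHA-256 is used only so the constructed sample stays self-contained."""
    by_hash: dict[str, list[str]] = {}
    for user, pw in accounts.items():
        by_hash.setdefault(hashlib.sha256(pw.encode()).hexdigest(), []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_new_password("Summer2024!", "Summer2023!"))  # two violations
    print(check_new_password("x7#Qp9!z", "Summer2023!"))     # []
    print(password_expired(dt.date(2024, 1, 1), dt.date(2024, 4, 15)))  # True
    print(shared_credentials({"frontdesk": "Clinic123", "dr_smith": "Clinic123", "billing": "r4nd0m!Kq"}))
```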
12. Policy vs. Implementation
• It is common to conflate HIPAA policies with their implementation
• Healthcare religiously generates Privacy Rule policies, but few implement the principles
• A policy alone doesn’t protect a business from compromise, but through implementation you stand a fair chance against data thieves
13. Best Practices: Find Help
• Acknowledge you (or your IT specialist) don’t have the training/time to pursue true HIPAA compliance
• Find a provider to guide you
– Caution: many HIPAA vendors don’t care about policy implementation because it increases their costs. Ensure your provider leads you through policy implementation.
14. Best Practices: Who’s In Charge?
• Identify who holds the assigned HIPAA Security Rule responsibility
• If you don’t have someone, assign a HIPAA Security ambassador
15. Best Practices: What’s Your Budget?
• Determine implementation budget:
– Weigh ROI against custom loss estimate
– This will tell you how much a breach would cost your organization.
• Use NIST risk calculation worksheet:
– http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
16. Best Practices: Record
• Review current policy and procedure documentation
• Take record of which policies you currently implement
• What policies pertain to Privacy and what pertain to Security?
17. Best Practices: Don’t Assume
• Don’t assume new technology is secure
– “But the package says it's a safe product!”
– “But everyone says it’s invincible to viruses!”
– “But the salesman at the HIPAA trade show says it follows HIPAA standards!”
• You can’t believe what you read in marketing materials, or what people tell you about the security of a product or technology.
• Counsel with your HIPAA advisor to learn how to safely implement new technology
18. Best Practices: Where Are The Gaps?
• Discover current security gaps
– Get a HIPAA audit
– Easiest, most thorough way to discover gaps
• Take action
– Come up with a plan to remediate gaps
19. The True Cost
• How expensive is implementation when compared to the cost of a compromise?
• Are you willing to sacrifice patient trust?
20. Sound Familiar?
• “If you want a healthy body, you have two choices”
– Diet, exercise, healthy foods now (inexpensive)
– Hospital, surgery, personal trainer later (expensive)
• Identical to HIPAA
• “If you want to be secure, you have two choices”
– Take necessary security precautions now (inexpensive)
– Pay for forensic investigations, auditing, fines later (expensive)