Cisco Compliance Solution for HIPAA Security Rule Design and Implementation Guide
Downloads: This chapterpdf (PDF - 38.0 KB) The complete bookPDF (PDF - 27.09 MB) | Feedback

Table Of Contents


HIPAA Solution Summary Results

Lessons Learned


HIPAA is flexible and open to interpretation based on the type of healthcare entity. Cisco customers have asked for clarification in relation to the common architectures and security products that might be utilized. In response, Cisco contracted Verizon Business to assess Cisco's enterprise reference architectures and components. Verizon provides design guidance and explains the rationale that they used for assessing healthcare entities in the context of Cisco's enterprise solution set.

This Cisco Compliance Solution for HIPAA Security Rule provides a reference architecture designed to help covered entities and business associates clarify compliance with the HIPAA Security Rule by mapping architectures and products to the HIPAA Security Rule Technical Safeguards, standards, and implementation specifications.

Compliance is a journey, not a destination. It requires continual attention to maintain. It is a journey that cannot be traveled alone. Trusted advisors such as auditors and vendors simplify the goal of maintaining compliance. The following provides a summary of the assessment results.

HIPAA Solution Summary Results

Table 6-1 lists the HIPAA citations that were addressed within the solution.

Table 6-1 HIPAA Citations Addressed 



Security Management Process


Information System Activity Review


Authorization and/or Supervision


Termination Procedures


Isolating Health Care Clearinghouse Function


Access Authorization


Access Establishment and Modification


Protection from Malicious Software


Log-in Monitoring


Password Management


Response and Reporting


Contingency Plan




Facility Access Control and Validation Procedures


Unique User Identification


Emergency Access Procedure


Automatic Logoff


Encryption and Decryption


Audit Controls


Data Integrity


Person or Entity Authentication


Transmission Integrity Controls


Transmission Encryption

Lessons Learned

Addressing the individual HIPAA safeguards without an encompassing security framework is difficult; there are many grey areas that are contested by auditors and interpretations that can be made for corner cases. The best strategy is to use a common control structure that addresses multiple compliance standards using a "unified compliance" mindset. The intent is that regardless of the type of sensitive data, a single security strategy should meet the needs of an organization to protect it from a compliance perspective.

As an example, there is no specific mention of firewall technology in the HIPAA standard because HIPAA is written to be flexible enough to address all types of healthcare entities. However, when considering the common risks that are associated with enterprise organizations, such as the Internet and partner connections that share ePHI, Verizon cites the following controls that inductively requires the use of a firewall:

164.308(a)(1)(i) Security Management Process. Implement policies and procedures to prevent, detect, contain, and correct security violations. Requirements addressed include: Access Control, Integrity, Incident Response, and Auditing.

164.308(a)(4)(ii)(A) Isolating healthcare clearinghouse function. If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. Requirements addressed include: Access Control, Integrity, Incident Response, and Auditing.

The word procedures requires the use of a technology to address the commensurate risk. In organizations that are represented in the Cisco solution, the Internet is a tremendous threat that can be addressed only through the use of a stateful firewall.

In HIPAA, regardless of inconsistencies and specifics from interpretation, the resonant idea is that reasonable controls must be in place to mitigate existing risks that threaten the integrity and ownership of sensitive Healthcare data. By implementing a broader and often more specific common industry security framework such as HiTrust's Common Security Framework (CSF), ISO 27002, or NIST Security Publications, as well as other industry-based standards, a comprehensive policy can be tailored to address the risk and governance needs specific to the enterprise organization.