Good corporate governance depends on the effective management of internal controls and on the confidentiality, integrity, and availability of information within the organization. Corporate reputation, brand preservation, and financial results all depend on the defense of business processes and on compliance with a growing array of legislation and regulation. For healthcare organizations, this particularly includes the Health Insurance Portability and Accountability Act (HIPAA). The network has a fundamentally important role to play in HIPAA compliance, because it touches every part of the extended organization and connects its business processes. The traditional perimeter-based network security model is inadequate for managing the security risks associated with healthcare information, because patient data now flows to affiliates, service providers, clinicians working remotely, and clearinghouses, all outside the classic perimeter. Healthcare organizations need an end-to-end, system-based approach that is integrated, collaborative, and adaptive, one that helps them manage their network security risk while helping them meet HIPAA requirements.
In a compliance environment of overlapping, inconsistent, sometimes untested, and often contradictory laws and regulations, organizations must increasingly turn to best-practice frameworks that counter real-world information threats while helping them meet regulatory requirements. ISO 17799 is one such framework. The Cisco® Self-Defending Network provides the first line of corporate defense, because it is the foundation on which the organization's data, applications, and business processes rest, and the protection of those assets is a prerequisite for HIPAA compliance.
Overview of HIPAA
The Health Insurance Portability and Accountability Act of 1996 is a set of federal standards that requires healthcare organizations to implement safeguards that protect patient data and to standardize on electronic data interchange (EDI). Its Privacy Rule took effect in 2003; the compliance date for the Security Rule, which governs the electronic safeguards discussed in this document, was 2005. HIPAA's Administrative Simplification provisions were originally designed to speed the processing of medical claims by standardizing the formats used to transmit medical data. Moving claims data into standardized electronic form naturally raised information security concerns, so provisions were also made to protect the confidentiality of personal health information both in transit and at rest.
The Administrative Simplification provisions set out the specific rules that institutions must implement to comply with HIPAA; these include the rules for EDI transactions, for electronic signatures, for privacy, and for security. Although these provisions are technology-neutral and do not prescribe particular products, any system of information security controls that a healthcare organization implements needs to be integrated and comprehensive.
ISO 17799 (since renumbered ISO/IEC 27002) provides an independent, internationally recognized best-practice framework for achieving these objectives, and the Cisco Self-Defending Network aligns with the controls recommended by ISO 17799.
Who Is Affected by HIPAA?
In general, the requirements, standards, and implementation specifications of the HIPAA Security Rule apply to the following entities:
• Covered Health Care Providers: any provider of medical or other health services or supplies who transmits any health information in electronic form in connection with a HIPAA standard transaction
• Health Plans: any individual or group plan that provides or pays the cost of medical care, including certain specifically listed governmental programs
• Health Care Clearinghouses: a public or private entity that processes another entity's healthcare transactions from a standard format to a nonstandard one, or vice versa
• Medicare Prescription Drug Card Sponsors: a nongovernmental entity that offers an endorsed discount drug program under the Medicare Modernization Act
Solutions
Many organizations have had difficulty translating the text of the HIPAA regulation into actionable items for their own networks. To simplify this process, many healthcare organizations have modelled their programs on the guidance of the Centers for Medicare and Medicaid Services (CMS), part of the Department of Health and Human Services. CMS publishes a document entitled "Information Security Acceptable Risk Safeguards" that details technology recommendations for minimizing risk. Those recommendations can be cross-referenced to the controls set out in ISO 17799. The latest version is at: http://www.cms.hhs.gov/informationsecurity/downloads/ars.pdf.
A comprehensive approach to security that protects every aspect of the business is required to meet stringent regulatory standards and protect today's open environments.
The Cisco Self-Defending Network makes use of the network as the platform for security. A highly secure network platform provides a common infrastructure that integrates security throughout all aspects of the network, and it enables collaborative processes to occur between the various security and network elements. It also provides the foundation upon which innovative technologies and advanced security services may be layered to control and contain threats, maintain confidential communications, and secure transactions. Its flexible, cost-effective approach enables customers to deploy security where they need it most to address specific requirements and objectives. Cisco also offers comprehensive network security management and control solution capabilities to help organizations reach their business objectives while managing associated network risks.
The Cisco Self-Defending Network not only provides flexible, in-depth protection but enables:
• Increased revenues and opportunity
• Greater business resiliency and agility
• Improved customer relationships
• Cost-effective enhancement of efficiency while reducing complexity
Because protection of electronic protected health information (ePHI) is the central concern of the HIPAA Security Rule, access control and perimeter security, physical security, and secure transmission are the key control areas. These three controls should work together so that data sources and personal data in transit are protected end to end, rather than each being deployed in isolation.
Which Cisco Products and Solutions Help Address the HIPAA Requirements?
The following mapping pairs each broad Security Rule objective with the Cisco products and services that support it. Note that the Security Rule requires a documented risk analysis and periodic evaluation regardless of which products are deployed; the technology below supports that process but does not replace it.
Protect Against Unauthorized Access: Cisco Access Control Server, IEEE 802.1X port-based authentication, Network Admission Control, Cisco Integrated Services Routers, Cisco ASA 5500 Series Adaptive Security Appliances
Secure Data Exchange with Affiliates and Service Providers: VPNs (such as those using IPsec, DMVPN, and Secure Sockets Layer VPN technologies)
Detect, Prevent, and Respond to Attacks and Intrusions: Cisco Security Monitoring, Analysis and Response System (MARS), Cisco Intrusion Prevention System solutions, Cisco Security Agent, Cisco Security Manager
Implement, Test, and Adjust a Security Plan on a Continuing Basis: Cisco Security Posture Assessment and Penetration Testing Services