HIPAA Final Omnibus Rule Applies to More Than ePHI
The HIPAA and HITECH requirements were consolidated over the past year into the HIPAA Final Omnibus Rule, and many organizations outside the medical community could benefit from its structure. One thing we have noticed in our years of IT security and regulatory compliance work is that every organization wants to measure itself against a "standard", or at least set a target for how to align its processes and programs. The Omnibus Rule provides a suitable framework for that.
While the Omnibus Rule has many aspects, and each can be drilled down to granular detail, its core can be broken into four areas of concentration that organizations can use to develop and implement a solid starting point for security, even if HIPAA compliance is not a requirement: security baselining, an annual risk assessment, a security program, and incident response.
Security Baselining
Security baselining, or baseline protection, is the methodology of identifying and implementing security measures within an environment. Managed correctly, it provides an overview of the current security level, including:
- A catalogue of systems and components throughout the environment
- An inventory of applications in use in the organization
- Identification of any regulatory requirements that apply
Annual Risk Assessment
Whether a particular regulatory requirement applies to an organization is irrelevant to the need for an annual risk assessment. Companies across the board should perform risk assessments at least annually to confirm that the security posture of their assets remains intact and to identify threats that may have emerged since the last assessment. At a minimum, a risk assessment should include:
- A study of vulnerabilities and the effectiveness of existing security controls
- An evaluation of threats
- A determination of expected losses and whether those losses are acceptable
- Decision criteria for implementing stronger security measures
Security Program
We have briefly covered the initial steps in establishing a security program, but to formalize the security baseline process and risk assessments, a security program structure must be implemented to manage these activities and to set a strategy for how future security-related initiatives are managed. An effective security program should:
- Assess risk for the organization
- Document an entity-wide security plan
- Establish a security management structure and clearly assign roles and responsibilities
- Implement effective security-related personnel policies
- Monitor the security program's effectiveness and modify it as needed
Incident Response
No security program can guarantee that every threat is removed or that every potential breach of systems and data is prevented. An organization should therefore form an incident response team to address the aftermath of a security breach or attack (an incident). The goal of incident response is to handle the situation in a way that limits damage and reduces recovery time and cost. An incident response plan should include:
- Establishment of an incident response team
- A policy and plan for the incident response team
- Education of, and communication to, the organization on security measures
- Criteria for identifying security incidents
- Containment procedures
- Eradication of the root cause of the incident
- Recovery from known-good backups
- Proper documentation of how incidents were handled, with recommendations for addressing future events
The increasing number of security breaches has led executive leaders to consider overall countermeasures that balance risk against everyday operational business needs. Everyone should be concerned with the level of enterprise security within their organization and with how best to use limited internal security resources.
Praetorian Secure delivers professional security services that help clients recognize and understand their current security posture, assess risk, and, as trusted third-party advisors, provide comprehensive solutions that act as an insurance policy against attacks.
Praetorian Secure has certified IT security and compliance professionals on staff who can supplement the security expertise an organization needs. We have provided enterprise security solutions to Fortune 100 and Fortune 500 companies in the insurance, banking and software sectors, and to all branches of the military.