Health Information Portability and Accountability Act (HIPAA)

Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
>> The Health Information Portability and Accountability Act, also known as HIPAA. In this lesson, we want to talk about the origins of HIPAA, the types of information that are regulated by HIPAA, and some of the implications for HIPAA in the cloud.

The Healthcare Information Portability and Accountability Act, known as HIPAA, was originally enacted in 1996 to regulate the protection of patient records and health care data. One important thing to know is that in 2009, a similar act called HITECH was enacted. HITECH required that medical and health care providers digitize health care records, which made the importance of information security with regards to HIPAA increase significantly.

In the context of HIPAA, what you're mainly protecting is electronic protected health care information, what they refer to as ePHI. Now, in contrast to PII, Personally Identifiable Information, this is information with regards to an individual's health care.

Now, HIPAA is broken out into three main control families: administrative security, physical security, and technical security. The administrative security elements are things such as having a security management plan and making sure that you have the proper processes and procedures in place so that you're able to properly administer and ensure that the security and privacy of patient data is protected. The physical security controls are related to ensuring that electronic records stations in hospitals have particular safeguards on them and can't be reached by, or accessed by, individuals who aren't supposed to be able to get access to them. One of the things that is important in HIPAA is the protection of devices and workstations: when a nurse is filling out the patient record at the hospital, she has to identify and authenticate herself or himself, and when they leave the station, it automatically locks out after a certain period of lack of activity. Then the technical controls are around the protection of the data itself, how it's transmitted, and how integrity checks are run on the data to ensure that it hasn't been changed by an unauthorized party.

Now, HIPAA-related data can be stored and processed in the Cloud. However, the standard is that reasonable security and privacy controls are in place to protect it. I think many companies in the Cloud can get in trouble when they don't realize that many of their applications, especially those that record health-related information, especially health-related apps, can often cross into the territory of HIPAA-related ePHI.

Quiz question: ePHI can be processed and stored in the Cloud so long as it meets which of the following requirements? One, it is encrypted in transit, in process, and at rest; two, adequate security and privacy protections are in place; or three, ePHI should not be stored in the cloud. If you said adequate security and privacy protections are in place, you're correct.

You might be thinking, well, that seems like a fairly broad requirement. What does that mean exactly? Well, that's part of the point. Many of these acts and their regulatory standards are written in a way that is open to interpretation. It's really designed to not name any particular control or technical standard because technology is always changing. You really want to put the onus on the organization that is a steward of this ePHI, that they are enacting the due diligence and due care concepts that we've talked about earlier in this module, to ensure that they have a reasonable baseline of security controls that implement effective security and privacy with relation to the patient records or health data that they are storing or processing.

In summary, we talked about the origins and importance of HIPAA, and we talked about the implications of HIPAA in cloud environments. I'll see you in the next lesson.