HIPAA Part 3 - What is HIPAA Security Rule


1 hour 14 minutes
Video Description

This lesson covers the HIPAA Security Rule. This rule protects the privacy of an individual's health information while allowing enough flexibility to adapt to new and changing technology. The HIPAA Security Rule requires appropriate measures to allow the security of electronic protected health information. The HIPAA Security Rule has four basic requirements. Participants also learn about privacy versus security.

Video Transcription
The next aspect of HIPAA. We've just talked about the privacy rule. We're going to move on to talking about the security rule, and once again, the two do go hand in hand. So the goal of the security rule is to protect the privacy of individuals' health information. So the idea here is we've got to specify some elements, some ways, to keep your information private.

Now, once again, the flip side of that is we have to be flexible enough for growth as well as emerging technologies. Sometimes we refer to those ideas as being scalable, as in an organization can get larger and larger and larger and still maintain all of this information in a protected manner. And then we also refer to this sometimes as being extensible, meaning that new technologies come and go. So we don't want to be so particular that we say this health care information must be protected with this specific encryption algorithm, because as new technologies come along, algorithms get broken, stronger ones emerge, and so on and so forth. We want to allow for that same degree of flexibility.

So what we really have in the security rule is more of a framework than it is a specific set of methodologies or
Now, once again, we go back to this idea of physical, administrative and technical safeguards in order to protect our information, our health care information. And if you've worked at all in the security field, you're probably familiar with the CIA triad, and CIA stands for confidentiality, integrity and availability.

So confidentiality: we're looking to protect against unauthorized disclosure of information. We've talked about that with the privacy rule, and confidentiality can be used in exchange for the word privacy. Sometimes we refer to that as secrecy of information as well. So those three words are synonyms, at least for our present purposes: confidentiality, privacy and secrecy. But remember, HIPAA focuses on and primarily uses the word privacy.

Now the next element, integrity. What we have to do to guarantee the integrity of information is we have to be able to detect any sort of modification. So, for instance, I need to be able to ensure that your patient records have not been modified in an unauthorized manner, by perhaps an accident or by an attacker, or by corruption across the lines by which we transmit this information. So integrity protects us against modification.

And then availability. We're familiar with availability, and availability means that this information is going to be protected and available as needed. Now, I notice up here that it doesn't have availability listed, but that is also an important tenet of security: that your files don't accidentally get deleted, that health care providers have access to that as necessary. So confidentiality, integrity and availability, and those all come together to provide us with the security that we need for our electronic protected health information.
Now, four basic requirements. And again, here is our confidentiality, integrity and availability for all ePHI that's created, received, maintained or transmitted. So of course, when we talk about ePHI, electronic protected health information, you know, we have stored information in electronic format and transmitted it across electronic media for years and years and years. When I was first involved in the health care and insurance field, which was my background in relation to HIPAA, I did a lot of work for health insurance organizations. You know, back 20-some years ago, we were using modems. I don't know if any of you remember the old command set that you'd use, ATDT or ATDP, in order to get your modem to dial, and we transmitted information for Medicare billing and so on. And I look back at the security that was provided, and it was so very minimal versus what we have to do today to protect that information. So once again, part of the security rule is, for electronic protected health information, we have to have controls in place to guarantee that CIA triad: confidentiality, integrity and availability.
Now we also have to identify and protect against reasonably anticipated threats to the security of this information. And this is really part of due diligence and due care. You know, if we are protecting ourselves against the threats of today, we're already far behind, because as soon as we patch one hole, attackers find another one. And that's not just in relation to protected health information; we see that every day. You know, there's a new compromise from this organization or that organization, whether identity theft or credit card numbers are being stolen, or this element or that element. So what we have to do is we have to anticipate the next step of the attackers, and sometimes that's very difficult to do.

But when we talk about that, what it really comes down to is risk management. We have to look at what we're protecting. We have to understand its value; that's part of risk assessment. Then we have to look at the threats and vulnerabilities; that's risk analysis. And when we do risk analysis, we're primarily looking at two elements: we're looking at the potential or the probability of a risk event, and then we're looking at the impact if that event does happen. So probability times impact really gives us the value, the amount of risk. And if we truly understand the value of what we're protecting and the potential for loss, then we will be able to spend the right amount of money in order to protect those assets. So again, under HIPAA, we have to be thinking on our feet. We've got to be ready for what comes down the road. Now, of course, you cannot eliminate all threats, but what we want to do is we want to mitigate those threats within a threshold of tolerance.

Protect against reasonably anticipated impermissible uses or disclosures. So there's certain information that might be more appealing to leak. You know, one of the things that comes to my mind: within the past few months, we've seen various celebrities being admitted to this hospital for one cause or another, this, that, the other. And we can anticipate that certain information is more valuable than others, whether it's to the media, whether it's to an attacker. So, okay, in that instance, specifically the cause of admission might be warranted. But we also have to understand that payment information, Social Security numbers, information that could be used to further identity theft, that's going to have a higher value to attackers as well. So we need to be able to put our thumb on those pieces of information that are more significant, and that when we're storing that information, there is a higher threat.
And then, last but not least, ensure compliance by their workforce. Now, "ensure" is a hefty word. You know, that's almost like "guarantee", and there are very few things that we can guarantee in this world and in this life. But what we have to do is again show our due diligence and due care. So if you think about it, how am I going to ensure that my workforce adheres to the standards set out by HIPAA? You can answer these questions yourself. What do I have to do? I have to train them. But we can't stop at training, right? I have to make sure they know the policies, they understand the policies. I have to create an environment in which following the policies is supported, and I must audit those policies. I have to make sure... you know, to me, a policy that's not enforced is worthless. Or another way to say that is, a policy is only as good as its enforcement. So it's great to write the policy. It's great to train our employees on the policy. But if we don't follow up and audit our employees, make that a part of our job assessments or their job assessments, if we don't keep a record, if we don't keep an audit, then having those policies in place is not going to be beneficial. So that's the closest we can come to ensuring compliance within our workforce.

Again, privacy and security. These two words go hand in hand, but we have a privacy rule and we have a security rule. So obviously there's some degree of difference.
Well, there are a couple of elements that I've highlighted on this slide for us. So when we talk about privacy, this is the right of the individual to control how that information is used and how it's distributed. Basically, that has to do with ownership. This is my information about me. I have control over what goes on with this information. Now again, there are exclusions to this, but as a general rule, that information belongs to me, and I have the right to control how it's distributed.

Protected health information should not be divulged or used by others against my wishes. And again, if you think about being at a health care provider, if you think about, you know, forms that you've signed, generally you have to jot down who, if anyone, you want your health care information divulged to. I recently had someone take me to a health care provider, and they were present with me in the examining room, and the doctor verbally asked me, "Is it okay that we discuss this information in front of such-and-such person?" Usually better to get these things in writing, but you're seeing physicians' offices, you're seeing hospitals, become much more cognizant of these requirements.

Okay, so again, with the privacy rule, here's another important distinction. This covers the confidentiality of PHI in all formats. It applies to electronic, but it also applies to paper-based and oral information. So in any means that my information is collected, gathered, stored, disseminated, I am in control of that information. Confidentiality, again, is the assurance the information will be protected from unauthorized disclosure, the physical security of PHI in all formats.

Now, that differs from the security rule, because the security rule focuses on electronic information. So it really is much more focused on our data, the information that's digitally stored, and what it specifies is administrative, technical and physical safeguards: mechanisms that we put in place to protect our information, ePHI. So this is going to protect this data from unauthorized access, and another element, whether external or internal. Just because you work in the same hospital that a patient is treated in doesn't mean you have access to that patient's information. So it's not just from external disclosure. It's very important that we consider internal disclosure as well, and we'll talk about how we limit that in a few minutes.
One other point that I want to mention is that data has various states in which it can exist. For instance, data can be at rest. Sometimes we refer to that as data being stored. So data can be stored on your hard drive. It can be stored on a physical device like a thumb drive, removable media. But when we talk about that at rest, or data in storage, it is there and it's permanent. And by permanent, I mean it's there until you manually remove it, right? So when you store a file on your hard drive, it stays on your hard drive until you decide to get rid of it. So we have to protect data while it's being stored. Okay, so we would think about encrypting those files, maybe with third-party software or within the file systems of the operating systems we're using, to encrypt patient data.

All right, now, data also can exist in processing. So while I have this file open and I'm working on processing the file, that's another state of data as well. So I have to protect data while it's loaded and running, so to speak. Now, one of the things is that that's probably the hardest state of data in which to protect, because it's open, it's in RAM, it's being processed, and there aren't a lot of mechanisms currently that can easily protect data loaded into memory. So what do we do? Well, we follow good security principles. We don't walk away from our workstation with it unlocked. We make sure no one's shoulder surfing, that we access only the data that we're authorized to, and that we, as administrators, ensure that that access is controlled very strongly. So, really, we have to rely on other security principles, even physical security principles. You know, while I'm working at my desk on patient data, the general public shouldn't be milling around, right? So we would have an area for the processing of medical forms that has physical boundaries, right? So some of those more traditional security means are going to help us protect data while it's in process.

And the final element: we've got to protect data while it's in transit, meaning as it's across the network, our own internal network, or information frequently travels across external networks or even across the public Internet. So we need to make sure that we're using protocols that are going to provide encrypted transmission of the sensitive information.
Now, when we do talk about data at rest or data in storage, I just mentioned hard drives, magnetic tapes, backups. Never, ever forget the significance of protecting your backup tapes. So we have all this information on our hard drives. We go through all these steps to protect that information. Then we back that information up to tape, and we put the tape in our car and we take it home. And I know that sounds silly, but I actually worked for a physician's office at one point in time where their backup strategy was to back up the material, the work of the day, every night, and then the backups would go home with a different person each night of the week. And that protected them in case there was a fire in the building; that was the thought process, right? So the tapes were stored off site, and it was cheap, and it was easy from their perspective. But think about all the hoops I've gone through to protect health care information during the day, and at night it's sitting in somebody's living room. That does not work.

All right, transmission: any removable sort of storage material, whether it's USB devices, memory sticks, whatever, those have to be protected. And again, anything that we're using, any sort of media that we're using to transmit that over the Internet, whatever, has to be protected as well.

So those were the two differences between the privacy rule and the security rule. Just a quick summary there. The privacy rule allows me, the patient, to control dissemination of my information, and it does state that my protected health information is covered in all forms, whether it be oral, written on paper, or digitally stored. The security rule is more of a mandate about how, or the framework at least for how, that information should be protected: how we provide the security to keep information private. This is specifically focused on electronic protected health information, and it focuses on providing the CIA triad, confidentiality, integrity and availability, to our electronic health care information.
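Added example, not part of the lesson or its course materials: the integrity requirement described in the transcript (being able to detect any modification of a record) and the advice to encrypt data at rest can be demonstrated together with authenticated encryption. The lesson deliberately names no algorithm; AES-256-GCM is this example's own choice. The Go program below seals a constructed ePHI record for storage, binds it to a patient identifier, and shows that flipping any byte of the stored blob, moving the blob to another patient's identifier, or truncating it is rejected on open. The key, the patient identifiers and the record contents are all made up for the example; a real deployment would fetch the key from a key-management service rather than generate it in the program.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealRecord encrypts one ePHI record for storage with AES-256-GCM.
// The returned blob is nonce || ciphertext || authentication tag.
// aad (here the patient identifier) is authenticated but not encrypted, so a
// blob copied into another patient's row is rejected on open, not just a
// blob whose bytes were altered.
func sealRecord(key, aad, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, so the nonce is stored
	// with the record and a fresh one is used for every seal.
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openRecord decrypts a blob produced by sealRecord. Any change to the nonce,
// the ciphertext, the tag or the aad makes Open fail; that failure is the
// "detect any modification" part of the integrity requirement.
func openRecord(key, aad, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, aad)
	if err != nil {
		return nil, fmt.Errorf("record rejected: %w", err)
	}
	return pt, nil
}

// tamperDetected flips one bit of byte pos in a copy of the stored blob and
// reports whether openRecord refuses the modified copy.
func tamperDetected(key, aad, blob []byte, pos int) bool {
	mod := append([]byte(nil), blob...)
	mod[pos] ^= 0x01
	_, err := openRecord(key, aad, mod)
	return err != nil
}

func main() {
	// Constructed sample data: a throwaway key and a made-up record.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	patientID := []byte("patient-id:00001") // hypothetical identifier
	record := []byte(`{"dx":"example","billing":"ABC-123"}`)

	blob, err := sealRecord(key, patientID, record)
	if err != nil {
		panic(err)
	}
	pt, err := openRecord(key, patientID, blob)
	fmt.Printf("untouched record opens: %v, contents match: %v\n", err == nil, bytes.Equal(pt, record))
	fmt.Printf("flipped ciphertext byte detected: %v\n", tamperDetected(key, patientID, blob, len(blob)/2))
	fmt.Printf("flipped tag byte detected: %v\n", tamperDetected(key, patientID, blob, len(blob)-1))
	_, err = openRecord(key, []byte("patient-id:00002"), blob)
	fmt.Printf("blob moved to another patient detected: %v\n", err != nil)
}
```

The point of the example is that confidentiality and integrity are obtained from one primitive: an attacker who cannot read the record also cannot alter it undetectably, and the stored blob cannot be silently re-associated with a different patient. Encrypting with a mode that does not authenticate (plain CBC, for instance) would give the first property without the second.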