-
Cisco Compliance Solution for HIPAA Security Rule Design and Implementation Guide
-
Authors
-
Preface
-
Solution Overview
-
HIPAA and the Solution Framework
-
Solution Architecture
-
Solution Implementation
-
Component Assessment
-
Summary
-
Appendix A: Bill of Material
-
Appendix B: Cisco Products and Software Versions
-
Appendix C: Reference Architecture Assessment Report—Cisco Healthcare Solution
-
Appendix D: Simplified Crosswalk—HIPAA, PCI, and SOX
-
Appendix E: Detailed Full Running Configurations
-
Table Of Contents
HIPAA Solution Summary Results
Summary
HIPAA is flexible and open to interpretation based on the type of healthcare entity. Cisco customers have asked for clarification in relation to the common architectures and security products that might be utilized. In response, Cisco contracted Verizon Business to assess Cisco's enterprise reference architectures and components. Verizon provides design guidance and explains the rationale that they used for assessing healthcare entities in the context of Cisco's enterprise solution set.
This Cisco Compliance Solution for HIPAA Security Rule provides a reference architecture designed to help covered entities and business associates clarify compliance with the HIPAA Security Rule by mapping architectures and products to the HIPAA Security Rule Technical Safeguards, standards, and implementation specifications.
Compliance is a journey, not a destination. It requires continual attention to maintain. It is a journey that cannot be traveled alone. Trusted advisors such as auditors and vendors simplify the goal of maintaining compliance. The following provides a summary of the assessment results.
HIPAA Solution Summary Results
Table 6-1 lists the HIPAA citations that were addressed within the solution.
Lessons Learned
Addressing the individual HIPAA safeguards without an encompassing security framework is difficult; there are many grey areas that are contested by auditors and interpretations that can be made for corner cases. The best strategy is to use a common control structure that addresses multiple compliance standards using a "unified compliance" mindset. The intent is that regardless of the type of sensitive data, a single security strategy should meet the needs of an organization to protect it from a compliance perspective.
As an example, there is no specific mention of firewall technology in the HIPAA standard because HIPAA is written to be flexible enough to address all types of healthcare entities. However, when considering the common risks that are associated with enterprise organizations, such as the Internet and partner connections that share ePHI, Verizon cites the following controls that inductively requires the use of a firewall:
•
164.308(a)(1)(i) Security Management Process. Implement policies and procedures to prevent, detect, contain, and correct security violations. Requirements addressed include: Access Control, Integrity, Incident Response, and Auditing.
•
The word procedures requires the use of a technology to address the commensurate risk. In organizations that are represented in the Cisco solution, the Internet is a tremendous threat that can be addressed only through the use of a stateful firewall.
In HIPAA, regardless of inconsistencies and specifics from interpretation, the resonant idea is that reasonable controls must be in place to mitigate existing risks that threaten the integrity and ownership of sensitive Healthcare data. By implementing a broader and often more specific common industry security framework such as HiTrust's Common Security Framework (CSF), ISO 27002, or NIST Security Publications, as well as other industry-based standards, a comprehensive policy can be tailored to address the risk and governance needs specific to the enterprise organization.