Tuesday, October 21, 2014

HIPAA Compliance: A Document Management Approach

Key Healthcare Challenge:
To comply with the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA Background:
The Health Insurance Portability and Accountability Act (HIPAA), and its enabling regulations, ensures patient information and records are protected and maintain their integrity.

This requires healthcare organizations to control the use and access to a patient’s private identity and medical information.

HIPAA defines regulations for:
  • Electronic healthcare transactions
  • Health information privacy
  • Security requirements
  • Unique identification for providers
  • Unique identification for health plans
  • Enforcement procedures

Solution:
Document Management for Electronic Medical Records

Implementation:
  • Simple and easy to implement
  • Replaces paper patient records and archives with immediate ROI
  • Enables physicians to maintain current work practices:
    • Does NOT require any menu-driven patient information input workflows
    • Can use current paper-based note taking during office visits
    • Provides flexibility to access patient charts immediately at remote locations
  • Can also be implemented in concert with a formal EMR system
    • Link external information (lab reports, correspondence from specialists, signed consent forms) to EMR records

Features:
  • Security
  • Audit trail
  • Reporting
  • Electronic Payment Standardization

ROI:
  • Access and quality of care: users report very significant gains in fast access to patient information.
  • Reduce costs associated with copying and retrieving health information.
  • Ensure the relevant aspects of the system are compliant.
  • Health information is more tightly controlled, while at the same time more accessible to those who need it.
  • Data is protected.
  • Flexible and scalable
    • Small Medical Practice Applications:
      • Electronic patient records
      • Billing, insurance EOB
      • Personnel records
    • Hospital Applications:
      • Patient records and consent forms linked to EMR system
      • Accounts Payable
      • Billing
      • HR and credentialing
      • Purchasing and supply chain

What does it mean to all healthcare organizations?
Regardless of where patient information originates - scanned from hard copy, faxed, e-mailed, PC-based or mainframe-based - Document Management Software solutions provide a secure repository that can track all aspects of patient information.

Ritesh Sujir is a Delivery Manager in the Testing Practice at Prolifics. He is an accomplished project management professional with 14+ years of experience working with Fortune 500 clients. Ritesh specializes in all aspects across project management and is accountable for the development and maintenance of project plans, risk assessments, and status reports. His recent experience includes clients in the Banking, Retail, and Healthcare verticals.


Tuesday, October 14, 2014

The Case for Penetration Testing

Overview
Penetration Testing is a method of testing that focuses on finding security weaknesses in software systems. These weak areas are put to the test to determine whether they can be broken into.

A penetration test is a proactive and authorized attempt to evaluate the security of an IT infrastructure by safely attempting to exploit system vulnerabilities, including OS, service and application flaws, improper configurations, and even risky end-user behavior. Such assessments are also useful in validating end-users’ adherence to security policies.

The fundamental purpose of penetration testing is to measure the feasibility of systems or end-user compromise and evaluate any related consequences such incidents may have on the involved resources or operations.

Reason for Penetration Testing
  • Security breaches and service interruptions are costly
    • Security breaches and any related interruptions in the performance of services or applications can result in direct financial losses, threaten an organization’s reputation, damage customer loyalty, and trigger significant fines and penalties.
  • Identifies and prioritizes security risks
    • Penetration testing evaluates an organization’s ability to protect its networks, applications, endpoints and users from external or internal attempts to circumvent its security controls and gain unauthorized or privileged access to protected assets.

When Should Penetration Testing be Performed?
Penetration testing should be performed on a regular basis to ensure more consistent IT and network security management, by revealing how newly discovered threats or emerging vulnerabilities could be exploited by attackers. Tests should also be run whenever:
  • New network infrastructure or applications are added
  • Significant upgrades or modifications are applied to infrastructure or applications
  • New office locations are established
  • Security patches are applied
  • End user policies are modified

Benefits of Penetration Testing
  • Intelligently manage vulnerabilities
  • Avoid the cost of downtime
  • Meet regulatory requirements and avoid fines
  • Preserve customer loyalty and corporate image

How to Conduct Penetration Testing
  • Start with a list of vulnerabilities or potential problem areas that could lead to a security breach of the systems under test.
  • Where possible, rank this list in order of priority or criticality.
  • Devise penetration tests that attack the system both from within the network and from outside (externally), to determine whether data, the network, servers or websites can be accessed without authorization.
  • If unauthorized access is possible, the system has to be corrected and the steps re-run until the problem area is fixed.
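The prioritize, test, fix and retest loop above, as an added Python example that is not part of the original post: findings are ranked by severity (external-facing first), retested each cycle, and only closed when a retest shows they are no longer exploitable. The findings, severities and retest outcomes are constructed sample data.

```python
from dataclasses import dataclass, field

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    ident: str            # constructed identifier, e.g. "F-1"
    title: str
    severity: str         # one of SEVERITY_RANK
    vector: str           # "external" or "internal" test perspective
    exploitable: bool     # last test result: unauthorized access possible?
    history: list = field(default_factory=list)  # (cycle, still_exploitable)


def prioritized(findings):
    """Open findings ordered for retest: highest severity first, then external before internal."""
    open_items = [f for f in findings if f.exploitable]
    return sorted(open_items, key=lambda f: (SEVERITY_RANK[f.severity], f.vector != "external", f.ident))


def record_retest(finding, still_exploitable, cycle):
    """Store a retest result; a finding closes only when a retest shows it is no longer exploitable."""
    finding.history.append((cycle, still_exploitable))
    finding.exploitable = still_exploitable
    return finding


def run_cycles(findings, retest_results, max_cycles=5):
    """Re-run the retest step until no open findings remain or max_cycles is reached.
    retest_results maps cycle -> {ident: still_exploitable}; findings not retested keep their state.
    Returns (cycles_used, identifiers still open)."""
    for cycle in range(1, max_cycles + 1):
        queue = prioritized(findings)
        if not queue:
            return cycle - 1, []
        outcomes = retest_results.get(cycle, {})
        for f in queue:
            record_retest(f, outcomes.get(f.ident, f.exploitable), cycle)
    return max_cycles, [f.ident for f in prioritized(findings)]


def sample_findings():
    """Constructed sample findings (not real test results)."""
    return [
        Finding("F-1", "Default credentials on admin console", "critical", "external", True),
        Finding("F-2", "Unpatched internal file server", "high", "internal", True),
        Finding("F-3", "Verbose error pages", "low", "external", True),
        Finding("F-4", "Missing rate limit on login", "medium", "external", True),
    ]


# Constructed retest outcomes: cycle 1 fixes F-1 and F-4, cycle 2 fixes F-2, cycle 3 fixes F-3.
SAMPLE_RETESTS = {1: {"F-1": False, "F-4": False}, 2: {"F-2": False}, 3: {"F-3": False}}
```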

Criteria for Selecting the Best Penetration Testing Tool
  • It should be easy to deploy, configure and use.
  • It should scan your system easily.
  • It should categorize vulnerabilities by severity, so that those needing an immediate fix stand out.
  • It should be able to automate verification of vulnerabilities.
  • It should re-verify exploits found previously.
  • It should generate detailed vulnerability reports and logs.

Some of the Tools Used for Penetration Testing
  • Metasploit
    • This is the most advanced and popular framework that can be used for pen-testing. It is based on the concept of an ‘exploit’, code that bypasses security measures to gain entry to a given system. Once entered, it runs a ‘payload’, code that performs operations on the target machine, thus creating a complete framework for penetration testing.
    • It can be used on web applications, networks, servers, etc. It has a command-line and a GUI clickable interface, and works on Linux, Apple Mac OS X and Microsoft Windows.
  • WireShark
    • This is basically a network protocol analyzer, popular for providing the minutest details about your network protocols, packet information, decryption, etc. It can be used on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many other systems. The information retrieved via this tool can be viewed through a GUI, or through the TTY-mode TShark utility.
  • Core Impact
    • CORE Impact Pro can be used to test mobile device penetration, network and network device penetration, password identification and cracking, etc. It has a command-line and a GUI clickable interface, and works on Microsoft Windows. This is one of the more expensive tools in this line, and all the information can be found on the page below.

Conclusion
Penetration testing must be performed in order to:
  • Intelligently manage vulnerabilities
  • Avoid the cost of downtime
  • Meet regulatory requirements and avoid fines
To learn more about Prolifics' testing solutions, visit: http://www.prolifics.com/solutions/quality-assurance-testing