
HIPAA Tip

The HIPAA Tip is emailed regularly each month. In it you will find valuable information to ensure you are current on the latest news, trends and regulatory issues surrounding HIPAA. Subscribers total over 2,500.

If you're looking for assistance in HIPAA compliance training solutions, please contact:

 

Ali Pabrai, Security+, CISSP,
CHP, CSCS
ecfirst.com/HIPAA Academy,
Chief Executive
www.HIPAAAcademy.Net




August 24, 2009

Protection from Malicious Software – HIPAA Compliance

 

The Security Awareness and Training Standard (§ 164.308(a)(5)) in the HIPAA Security Rule requires that organizations implement a security awareness and training program for all members of their workforce, including management.

 

One of the implementation specifications (addressable) defined in this Standard is Protection from Malicious Software. This requires that organizations implement capabilities to guard against, detect and report malicious software.

 

It is important to verify that employees understand the importance of timely application of system patches to protect against malicious software and exploitation of vulnerabilities.

 

Several hospitals have experienced significant downtime of critical systems as a result of poorly addressing this HIPAA compliance requirement. PWS-Banker, Hehed21 and Backdoor/CKB are just three examples of malicious software that can cause havoc in critical systems within organizations. They belong to swarms of parasites – including worms, grabbers, spyware and others – that hide in emails, pictures, programs, instant messages and Websites. Malware found in 2008 exceeded the total for 2006 and 2007 combined.

 

Identifying and blocking malware on a timely basis is key. Nimble vendor solutions are emerging. For example, it is now possible to guard against new attacks as they happen. Through the Internet, computers such as PCs are linked to a constantly updated list of malware, rather than relying on a static list that is hosted on the computer and updated periodically.

 

Critical questions that need to be addressed include:
  • What is your organization’s policy to address malware?
  • What controls have been deployed?
  • How are these controls being actively and automatically updated to identify and block malware?

The HIPAA Academy can assist your efforts with policy development and the selection of controls that will work best in your environment. For more information about HIPAA Academy’s Managed Compliance Services Program (MCSP) and other HIPAA consulting solutions including development of a proposal for addressing your enterprise security requirements, please contact John Schelewitz at 1.480.663.3225 or at John.Schelewitz@ecfirst.com.

 


Certified HIPAA Professional (CHP) - A 2-day Class
November 16-17, Phoenix, AZ 

Learn about key aspects of the HIPAA regulation including Transactions and Code Sets, Identifiers, Privacy and Security. This is an exceptional program delivered by Ms. Lorna Waggoner, a HIPAA expert. Take the certification exam at the end of the second day. To register, please visit www.HIPAAAcademy.Net or call Eugene Kunkle at 1.877.899.9974 x20. The CHP program is offered in several cities across the USA – check the schedule on-line at www.HIPAAAcademy.Net.


HIPAA Security Quick Reference Card is Now Available!

 

The fastest reference to the HIPAA Security Rule, the HIPAA Academy’s HIPAA Security Quick Reference Card, is now available at the ecfirst e-store at www.ecfirst.com. Contact Eugene Kunkle at Eugene.Kunkle@ecfirst.com or phone 1.877.899.9974 x20.

 


Webcast: Are You In Compliance with HITECH’s Data Breach Mandate?

September 4, 12 noon CDT

 

The HITECH Act requires healthcare providers, payers, clearinghouses (Covered Entities), and Business Associates to begin reporting breaches based on the number of individuals impacted, not only to patients, but to the U.S. Department of Health and Human Services (HHS) and the media. This represents a sweeping change in the industry. The HITECH Act introduces specific requirements for business associates to report breaches by a covered entity. Join expert Ali Pabrai, CISSP, CSCS and other experts to examine how best to comply with the HITECH Data Breach Mandate. Register at http://www.ecfirst.com/.

 


Are You in Compliance with California or Massachusetts New Security Regulations?  

Schedule a tailored 60-minute webcast with cyber security and compliance expert Ali Pabrai to examine the mandatory requirements of several California security regulations including SB 1386, AB 1950, AB 1298, AB 211, SB 541 and others or the Massachusetts 201 CMR 17.00. To meet mandates outlined in the new regulations, organizations will need to establish a comprehensive security program. Pabrai will step through frameworks that will enable your organization to comply with numerous California or Massachusetts requirements for protecting personal information. For more information, please visit www.ecfirst.com. To bring this program to your site, please contact John Schelewitz at 1.480.663.3225 or email him at John.Schelewitz@ecfirst.com.


HIPAA Certification Online Updated with New Healthcare Privacy and Security Mandates

Learn about key aspects of the new HITECH Act (economic stimulus bill recently enacted) and the HIPAA regulation including Transactions and Code Sets, Identifiers, Privacy and Security. HIPAA Academy, the industry’s gold standard for HIPAA training, certification and consulting, has made available on-line the content and exams for HIPAA Academy’s Certified HIPAA Professional (CHP) and the Certified HIPAA Security Specialist (CHSS).

Recent clients include many hospitals, long term care organizations, BCBS, several business associates and leading firms including Microsoft, McKesson, Symantec, IBM, HP, E&Y, Kaiser Permanente and many others. Review the content and take the exams, and become certified on-line with the HIPAA Academy. For details, please visit www.HIPAAAcademy.Net or contact Eugene Kunkle at Eugene.Kunkle@ecfirst.com.