HIPAA/SECURE: Security Q/A
April 2002


"What's So Good About Security 'Best' Practices?"

by Eric Maiwald, CISSP, Chief Technology Officer, Fortrex Technologies, Inc.

QUESTION: Even though the final Security Rule has not been published, we keep hearing that we should implement the Security provisions now because they represent necessary best practices. What makes them "best practices?" Is anyone really using them? If so, have they made a difference?

ANSWER: What you are hearing is correct - the security provisions in the draft security rule are good and in many cases necessary security precautions for most organizations.

As to where these practices came from: security practices have been learned from experience over time. Auditors, government regulations and, most recently, international standards have documented them. All of these practices have the same objective: reducing the risk of unauthorized disclosure, modification, or denial of use of an organization's information.

Many of the HIPAA security provisions parallel those adopted for the financial industry. These practices can be found in legislation (such as the Gramm-Leach-Bliley Act) and the associated regulations that come from the legislation.

Most recently, ISO 17799 (Code of Practice for Information Security Management) was published. This document is an international standard that lays out standard practices in the following areas:

  • Policy
  • Organizational Security
  • Asset Classification and Control
  • Personnel Security
  • Physical and Environmental Security
  • Communications and Operations Management
  • Access Control
  • Systems Development and Maintenance
  • Business Continuity Management

As you can see from the list, it covers all of the HIPAA provisions (and then some).

It is wise to remember that security is all about risk management. The security provisions in HIPAA are a good start to security risk management and follow best practices, existing regulation in other industries, and international standards.

Have these practices made a difference? Only time will tell. It is often difficult to determine the return on investment (ROI) from implementing security measures. Security is like insurance: you buy it to cover your risk exposures and hope you never need it, but when you do, you are glad you have it.

Fortrex Technologies, a Phoenix Health Systems security partner, provides enterprise security management services and information security process and monitoring services for healthcare and other industries.
http://www.fortrex.com