Medical Healthcare and Network Security

The regulations from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have a number of implementing effects that set a new standard for the healthcare market, specifically in regard to the security of digital networks that are increasingly used to transmit patient data. Patient data is being created in electronic form and the old paper records are being migrated to digital form for efficiency and cost savings. There is an increasing volume and flow of electronic patient health data.

The HIPAA regulations have created a new legal standard related to the privacy and security of those electronic medical records. The part of the HIPAA regulations that we are most interested in involves the electronic transmission of patient records. More and more of the medical world's business relies on digital communication systems. Those are the telecommunications networks. Those networks have a number of vulnerabilities, that is, they have security weaknesses. Those security weaknesses make it possible for outside hackers or malicious insiders to compromise the privacy of the data in the network. The new HIPAA regulations have implemented a stringent legal requirement for the privacy of patient data and related security requirements for systems transmitting that data. Past practice is no longer acceptable. Security of the networks that are used to transmit and access the medical data is increasingly important. To date (mid-2004), most hospital network administrators have only dealt with the security of the data while it is in their computer, that is, they have considered the privacy issue. In general, they have not started to address the security issues related to the sensitive medical data while it is in transit over a network. That will change as more requirements of the HIPAA regulations, such as the security regulations, take effect.

Engedi Technologies, Inc has two technologies, the SRM and Key2 technology (K2t), that enhance network security. The Engedi SRMa addresses a number of the vulnerabilities not currently addressed in most operating networks. Engedi is working to ensure health care companies know about the security advantages of an SRMa enabled network. There are a number of known and reasonably anticipated vulnerabilities in the network systems now in use. The Engedi products, the SRMa and complementary Key2 technology (K2t), help an entity seeking to be HIPAA compliant to eliminate or reduce those known and reasonably anticipated security vulnerabilities.

Implications for network systems affected by the HIPAA regulations

Let's think about the implications of new regulations that have in effect raised the bar for the security of systems storing or transmitting electronic medical records. Think of all the health care organizations out there transmitting data over networks that currently don't, or won't, meet the new HIPAA mandated security requirements. As an example, consider if a law were passed mandating that seat belts in cars meet a certain performance standard and auto manufacturers then ignored that standard. What would be the implications? What would the implications be if each auto manufacturer had clearly been put on notice that the seatbelt standard had changed, that what they had for seatbelts now was not in compliance with regulations, and that there was a way to meet the new standard? If the auto manufacturers ignored that notice and opportunity to meet the new standard, what would be the legal exposure and ramifications? HIPAA is mandating a new network security standard. The Engedi SRMa solution helps networks meet that new standard.

Here is a web link to the portion of the HIPAA security regulations of interest: HIPAA security regulations

The HIPAA compliance deadline dates are presented on this site: HIPAA compliance deadline dates

Network systems have a long list of vulnerabilities. There's no single product out there that removes all vulnerabilities. An Intrusion Detection System (IDS) might reduce or eliminate a number of known network system vulnerabilities, and a network firewall might reduce or eliminate another set of the vulnerabilities, some the same as the IDS does, and another product might close another group of vulnerabilities. The Engedi SRMa closes or reduces a set of vulnerabilities left exposed by the product solutions currently available on the market. Closing vulnerabilities is like caulking the hull of a ship: the goal is to plug as many holes as possible. There is a significant group of vulnerabilities that the SRMa and Key2 technology (K2t) uniquely close. Acting to reduce those network vulnerabilities is necessary. Security breaches are costly. How much would the loss of a list of 100,000 credit card IDs from a hospital's billing center be valued in dollar terms? How important is the privacy and security of the list of AIDS infected people in a community? What's the legal liability if that list, or a similar private list, is hacked and made public? The HIPAA regulations are setting a new standard.

This intersection of digital networks, the health care industry, and government regulation presents an opportunity for forward thinking individuals and companies to define standards, become recognized thought leaders, and motivate constructive change for legal compliance in this evolving area.

The HIPAA privacy requirements phased-in on 14 April, 2003. The HIPAA security requirements have a compliance date of Spring 2005.

The Difference between Security and Privacy in HIPAA terms

Security relates to the means by which an entity protects the privacy of health information. The goal of security measures is to keep information secured, and decrease the means of tampering, destruction, or inappropriate access. There are four categories of requirements:

* Administrative Procedures--documented, formal practices to protect data

* Physical Safeguards--protect data from fire, other natural and environmental hazards, and intrusion

* Technical Security Services--protect information and control individual access to information

* Technical Security Mechanisms--guard against unauthorized access to data over communications network

Privacy refers to the individual's right to keep certain information private, unless that information will be used or disclosed with his or her permission. Privacy topics include:

* Scope of Providers who must Comply

* Rights of Individuals

* Consent/Authorization Issues/Procedures/Processes

* Business Associates Requirements

* Organized Health Care Arrangements

There are civil penalties under HIPAA when entities or individuals violate the privacy rule.

Security and privacy are much intertwined -- security assures privacy.

Application of Engedi Solutions to HIPAA Requirements

Reviewing the 'Health Insurance Reform: Security Standards' final rule, it seems that the Engedi Key2 Technology would be a powerful tool for protection against "reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized use or disclosure of the information". This represents a large market need.

Quoting again, "The standards require covered entities to implement basic safeguards to protect electronic protected health information from unauthorized access, alteration, deletion, and transmission". That's the Engedi K2t and SRMa nicely described. A 'covered entity' is defined as "one of the following: (1) A health plan; (2) a health care clearinghouse; (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by [the regulations]."

Quoting again, "the scope of the Security Rule is more limited than that of the Privacy Rule. The Privacy Rule applies to protected health information in any form, whereas [the Security] rule applies only to protected health information in electronic form".

The Security Regulations become effective in Spring 2005.

HIPAA Regulations Create a New Security Standard for Network Operations

The HIPAA regulations affect medical and healthcare providers in many ways. The new security regulations coming out of HIPAA are raising the performance bar for telecommunications networks used to transmit or access medical data, specifically medical data in electronic form.

Entities covered by the HIPAA regulations must assess their current systems and operations to ensure their business practices conform to these new security rules. One important area coming from HIPAA is the security of the network systems used to access or transmit electronic healthcare information.

Telecommunications network systems have a large number of vulnerabilities. The networks are complex and growing. New technologies are being added. There are constantly changing network users with access to various layers of the network. Protecting the privacy and security of patient data in electronic form is a challenge. There is a long list of vulnerabilities in networks. Some of the vulnerabilities can be addressed by the use of various products and technologies such as firewalls, traffic monitoring systems, virus protection software and other solutions that protect against various known vulnerabilities. There are other known and reasonably anticipated vulnerabilities in operating networks affecting the privacy and security of protected medical data that Engedi Technologies has unique and patent-pending solutions designed to address.

The remote management of the distributed infrastructure of networks is an area in which many networks have security vulnerabilities. Engedi's Secure Remote Management (SRM) technology is designed to provide a highly secure, multi-pathed capability for network administrators to quickly and securely access and manage the remotely located equipment and devices in their networks. Engedi's SRM technology meets the pressing need to improve the security of networks during remote management of the distributed network infrastructure. The vulnerabilities that exist in networks during remote management are well known and can be addressed today by the use of Engedi's patent pending SRM technology.

Another area of network operations that is of particular concern is the damaging effect of the malicious insider. Over half of successful network attacks come from the insider, that is, the attacks come from a person with some level of administrative rights and access that place him or her on the inside of the network. The malicious insider is a very well known and reasonably anticipated threat to the security and privacy of network operations. Engedi Technologies has a solution to the malicious insider with a technology called "Key2 technology (K2t)". This multi-party authorization solution protects the network from the compromised or inexperienced insider. Networks that transmit data or permit access to data that is private and needs to be secure have a pressing need for a solution to the malicious insider. Engedi's Key2 Technology (K2t) is that solution.

Engedi Technologies works with partners to deliver and implement Engedi's advanced technology solutions to networks operating under HIPAA security guidelines and regulations. HIPAA mandates that known and reasonably anticipated threats and vulnerabilities affecting the security and privacy of patient medical data be addressed. Engedi has solutions for two of the needs that operating networks must address for HIPAA compliance.

New standards exist under the HIPAA security rules for the remote management of networks and for protection against the malicious insider. It is no longer acceptable to ignore or allow security vulnerabilities to known and reasonably anticipated network threats to continue unaddressed or unabated. Engedi Technologies delivers needed solutions in the Secure Remote Management (SRM) and Key2 Technology (K2t) to create and maintain network systems in compliance with the new HIPAA mandated security rules.

For more information on Engedi's network security solutions please contact Engedi Technologies, Inc or one of their partners. When security of the network is important and the privacy of data is paramount, Engedi Technologies provides solutions every operating network should have and can have today.


Article date: May 15, 2004

Article Links: Engedi Technologies, Inc - Secure Remote Management appliance (SRMA) - Key2 Technology (K2t)

© 2005 Engedi Technologies, Inc. You may reprint this article online and in print provided the links remain live and the content remains unaltered (including the "About the Author" message).

About the author: Dr. Randolph Palmore is a family medicine practitioner and is the Director of HIPAA Compliance & Healthcare Solutions for Engedi Technologies, Inc

Author: Dr. Randolph Palmore