Chapter 15: Continuing Compliance-Maintaining Security Best Practices for the Future

15.1 INTRODUCTION

This section discusses a variety of practices, processes and methodologies for maintaining HIPAA compliance, which is a requirement of the HIPAA security rule. You'll find the reference to this requirement somewhat modestly buried under section §164.308 (a) (1) (B) of the final security rule. However modest its placement, it is arguably the most far reaching of the HIPAA requirements.

The risk analysis your organization undertook as part of your compliance efforts likely hinted at the overall scope of your organization's security concerns. Maintaining and continuing compliance involves managing that risk by implementing a system of practices and feedback mechanisms that would allow information security managers to measure the performance of the controls and policies the organization has implemented for it to be able to consider itself HIPAA compliant.

Many organizations entering the information security management business for the first time are often left asking themselves the following question: 'How is an information security management system organized, and how is such an entity run?' The implications of such a program are pretty far reaching in that good security for any organization requires that individuals assume security management responsibilities, and in the case of medium to larger sized organizations, dedicated staff. Also, a good information security management program requires a high degree of coordination with all the elements of the organization.

Fortunately, there are a variety of resources out there to help guide you on risk management. One important resource is the National Institute for Standards and Technology or NIST. NIST has several informational guides available in PDF format for download. Another important resource is the set of information security best practices defined in the ISO 17799 standard. This is an internationally recognized standard upon which many organizations around the globe have modeled their security practices. The remainder of this chapter is loosely based on the ISO 17799 standard and NIST methodologies.

To give you an idea of the amount of ground covered by the ISO 17799 ten domains or categories of information security best practices are listed below:

• Security policy

• Security organization

• Asset classification and control

• Personnel security

• Physical and environmental security

• Communications and operations management

• System development

• Access control

• Business continuity

• Compliance

As you can see from the list above, the ISO 17799 standard is fairly broad in scope. Virtually no aspect of an organization's operations is left unaffected by the practices defined in this standard. Additionally, the standard defines practices for obtaining feedback from many of the controls and processes covered by the organization's risk management operations. This provides the feedback information security management can use to measure the effectiveness of its security practices.

By now, it should be fairly evident that using a recognized standard as the basis of your risk management system has some real benefits over trying to decipher what the framers of the HIPAA legislation meant when they put in a requirement with broad implications such as Risk Management. You need to show proof of following accepted security best practices if your organization is ever called upon to defend its risk management practices in a court of law.

Although HIPAA makes fairly liberal use of the term 'reasonable and appropriate' in an effort to provide covered entities with the maximum amount of flexibility, no real standard for the definition of this term exists. So the best way to be confident that your risk management decisions are both effective and defensible is to base them on existing standards and practices.