13.1 OVERVIEW OF AVAILABLE MECHANISMS


While the Security Rule itself does not prescribe any particular technology, it expects Covered Entities (CEs) to strike a balance between the value of the stored EPHI and the added cost of protective measures. This section broadly outlines general technical approaches to protection in order to help Covered Entities understand their alternatives with regard to technical solutions. More detailed discussion, along with cost, complexity and effectiveness estimates, belongs to the specific sections.

  • The section on the access control standard discusses hardware, OS and application mechanisms for access control, secure storage, and authorization. Access control starts with unique identifiers, ranging from usernames to Social Security Numbers. It continues to session management, which requires some way of handling long-running sessions and their termination, and then to secure storage requirements, with choices ranging from installing a personal firewall and locking the keyboard to implementing a sophisticated PKI scheme. Lastly, authorization mechanisms, DAC vs. MAC and their derivatives, are discussed in detail.

  • Implementing the audit standard requires insight into the availability and reliability of auditing mechanisms in modern operating systems and in stand-alone applications. This section discusses in detail the content of log files, the measures necessary to protect them from unauthorized modification, and the monitoring activities aimed at the prevention and early detection of improper activity.

  • The integrity control standard may be implemented in a variety of ways, ranging in complexity from basic checksums to digital signatures of various types (not necessarily PKI-based). The corresponding section covers the packages and algorithms available for integrity checking.
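As an added illustration of that range (not from the book), the following applies a plain checksum, an unkeyed hash and a keyed HMAC to a constructed EPHI record and checks which of them still detects a change when whoever altered the record could also rewrite its tag. The record, the key and the scheme names are assumptions made for this example.

```python
import hashlib
import hmac
import zlib

# Constructed sample record standing in for a stored EPHI field (not real patient data).
RECORD = b"patient_id=000-00-0000;diagnosis=J45.20;last_visit=2003-05-14"
# Constructed key; a real deployment keeps it in protected key storage, not in source.
INTEGRITY_KEY = b"example-integrity-key-do-not-use"


def make_tag(data: bytes, scheme: str, key: bytes = b"") -> str:
    """Integrity tag for `data` under one of three schemes of increasing strength."""
    if scheme == "crc32":      # basic checksum: catches accidental corruption only
        return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"
    if scheme == "sha256":     # unkeyed hash: collision-resistant, but anyone can recompute it
        return hashlib.sha256(data).hexdigest()
    if scheme == "hmac":       # keyed MAC: a non-PKI "signature" that needs the key
        return hmac.new(key, data, hashlib.sha256).hexdigest()
    raise ValueError(f"unknown scheme {scheme!r}")


def verify(data: bytes, tag: str, scheme: str, key: bytes = b"") -> bool:
    """Recompute the tag and compare in constant time to avoid a timing side channel."""
    return hmac.compare_digest(make_tag(data, scheme, key), tag)


def detects_bit_flip(scheme: str) -> bool:
    """Accidental corruption: one byte of the record changes, the stored tag does not."""
    stored_tag = make_tag(RECORD, scheme, INTEGRITY_KEY)
    corrupted = bytearray(RECORD)
    corrupted[10] ^= 0x01
    return not verify(bytes(corrupted), stored_tag, scheme, INTEGRITY_KEY)


def detects_rewrite(scheme: str) -> bool:
    """Deliberate modification by a party who can rewrite both the record and its tag
    but does not hold INTEGRITY_KEY (the tag is recomputed with an empty key)."""
    altered = RECORD.replace(b"J45.20", b"Z00.00")
    rewritten_tag = make_tag(altered, scheme, b"")
    return not verify(altered, rewritten_tag, scheme, INTEGRITY_KEY)


if __name__ == "__main__":
    for scheme in ("crc32", "sha256", "hmac"):
        print(f"{scheme:6}  bit flip detected: {detects_bit_flip(scheme)}  "
              f"rewrite detected: {detects_rewrite(scheme)}")
```

All three schemes catch the accidental bit flip; only the keyed HMAC catches the rewrite, which is why an unkeyed checksum or hash stored beside the data protects against corruption but not against modification.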

  • The authentication standard represents a significant, yet very common, security feature of modern systems. All major types of authentication mechanisms are presented: passwords/PINs, biometrics, tokens, etc. They are categorized and classified according to ease of implementation, ease of use, reliability, etc. Recommendations are provided on selecting the more efficient mechanisms for particular environments.

  • Implementation of the transmission security standard looks at methods of protecting data while it is en route. This section presents a number of cryptographic algorithms, as well as the implementation options available for secure transmission of data. Hashes, symmetric and asymmetric algorithms, PKI, and the necessary hardware and software utilities are covered here.

  • In the vast majority of cases, security starts with perimeter protection rings. The applicability of antivirus, IDS, IDP, filtering software and hardware, and testing mechanisms and procedures to HIPAA is explained in the appropriate section.


HIPAA Security Implementation, Version 1.0
ISBN: 974372722
Year: 2003
Pages: 181