HIPAA Compliance Solutions

The goal of the Health Insurance Portability and Accountability Act (HIPAA) is to simplify the administrative processes of the healthcare system and to protect patients’ privacy. Information security considerations are involved throughout the guidelines and play a major role in the Privacy Rule of HIPAA compliance. The purpose of this rule is to protect personally identifiable information (PII) as it moves through the healthcare system. Healthcare organizations, including providers, payers and clearinghouses, must comply with the Privacy Rule.

Importance of Adhering to HIPAA Compliance

To help healthcare organizations comply with the Privacy Rule, Security Standards have been created to help organizations protect PII. These standards encompass administrative procedures, technical security mechanisms and services, and physical safeguards. Security standards compliance and overall HIPAA compliance outlined by the Act is imperative to the ongoing business operations of healthcare companies. Failure to comply may not only result in regulatory actions, such as fines, but also direct business loss from lawsuits, damage to reputation and degradation of the public’s trust.

HIPAA Compliance Services

SecureWorks offers a full breadth of services to help healthcare organizations address HIPAA compliance Security Standards. We have extensive experience partnering with healthcare providers and we can help you improve your security and compliance posture while reducing costs. As described below, our Managed Security Services and Professional Services align directly with many components of the HIPAA Security Standards.

Administrative Procedures

Administrative Safeguards
Standard	Summary of Requirements	Solutions
A. Security Management Process	Implement policies and procedures to prevent, detect, contain and correct security violations. Specifications include: Risk analysis (1A) Risk management (1B) Sanction policy (1C) Information system activity review (1D)	How does SecureWorks Help? Using a risk-based methodology aligned with HIPAA requirements, SecureWorks' Security and Risk Consulting team can conduct the required Risk Analysis (1A) and recommend appropriate security measures and controls. SecureWorks Security Management, Security Monitoring and SIM On-Demand Services facilitate the review of system activity such as logs and access reports (1D). Management and tracking of security incidents from identification to full closure is also provided via the SecureWorks Portal (which is provided with our Managed Security Services). Managed Firewall Managed Intrusion Prevention and Detection Security Monitoring SIM On-Demand Security and Risk Consulting
B. Workforce Security	Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information (EPHI) and to prevent those workforce members who do not have access from obtaining access to electronic protected health information. Specifications include: Authorization and/or supervision (3A) Workforce clearance procedure (3B) Termination procedures (3C)	How does SecureWorks Help? SecureWorks' Security and Risk Consulting team can help you develop appropriate access control policies and procedures to secure EPHI. SecureWorks can also review existing access control policies and procedures to identify areas of weakness and recommend improvements in regards to security and HIPAA requirements for Authorization and/or Supervision (3A), Workforce Clearance (3B) and Termination Procedures (3C). Security and Risk Consulting
C. Information Access Management	Implement policies and procedures for authorizing access to EPHI. Specifications include: Isolating health care clearinghouse functions (4A) Access authorization (4B) Access establishment and modification (4C)	How does SecureWorks Help? SecureWorks Security and Risk Consulting team can help you develop policies and procedures for access management, as well as provide recommendations for logically isolating EPHI within your network. We can also review your existing policies and procedures for authorizing access to identify areas of weakness and recommend improvements in regards to security and HIPAA requirements for isolating health care clearing house functions (4A), access authorization (4B), access establishment and modification (4C). Security and Risk Consulting
D. Security Awareness and Training	Implement a security awareness and training program for all members of its workforce including management. Specifications include: Security reminders (5A) Protection from malicious software (5B) Log-in monitoring (5C) Password management (5D)	How does SecureWorks Help? SecureWorks Security and Risk Consulting team can review your security awareness and training program for compliance with HIPAA requirements concerning security reminders (5A), protection from malicious software (5B), log-in monitoring (5C) and password management (5D). We can also perform Social Engineering testing to validate the effectiveness of your security awareness and training program. Security and Risk Consulting
E. Security Incident Procedures	Implement policies and procedures to address security incidents. Specifications include: Response and reporting	How does SecureWorks Help? SecureWorks Security Management, Security Monitoring and SIM On-Demand Service identify and provide first line response to security incidents. We also provide unlimited remote incident response support from our certified security professionals. Within the SecureWorks Portal, incidents are fully documented from identification to closure for tracking and audit purposes. SecureWorks Security and Risk Consulting can also help you develop HIPAA-compliant procedures for responding to incidents and reporting them. SecureWorks can also review your existing incident response procedures for compliance with HIPAA requirements and industry best practices. Managed Firewall Managed Intrusion Prevention and Detection Security Monitoring SIM On-Demand Security and Risk Consulting
F. Contingency Plan	Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence that damages systems that contain EPHI. Specifications include: Data backup plan (7A) Disaster recovery plan (7B) Emergency mode operation plan (7C) Testing and revision procedures (7D) Applications and data criticality analysis (7E)	How does SecureWorks Help? SecureWorks' Security and Risk Consulting can help you develop and review procedures for business continuity and disaster recovery in accordance with HIPAA requirements and industry best practices. Security and Risk Consulting
G. Evaluation	Perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the above administrative safeguard requirements.	How does SecureWorks Help? SecureWorks’ Security and Risk Consulting team can perform periodic evaluations of your security policies and procedures to determine the extent to which they comply with HIPAA administrative safeguard requirements. Security and Risk Consulting
Physical Safeguards
Standard	Summary of Requirements	Solutions
A. Facility Access Controls	Implement policies and procedures to limit physical access to its electronic information systems while ensuring that properly authorized access is allowed. Specifications include: Contingency operations (i) Facility security plan (ii) Access control and validation procedures (iii) Maintenance records (iv)	How does SecureWorks Help? SecureWorks' Security and Risk Consulting team can recommend and review policies and procedures to limit physical access to electronic information systems based on HIPAA requirements and industry best practices for contingency operations (i), facility security plans (ii), access control and validation (iii) and maintenance records (iv). Security and Risk Consulting
B. Workstation Use	Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI.	How does SecureWorks Help? SecureWorks' Security and Risk Consulting team can help you develop appropriate HIPAA-compliant policies and procedures for workstation use. We can also review your existing workstation use policies and procedures and provide recommendations to improve security and HIPAA compliance. Security and Risk Consulting
C. Workstation Security	Implement physical safeguards for all workstations that access EPHI, to restrict access to authorized users.	How does SecureWorks Help? SecureWorks' Security and Risk Consulting team can help you determine appropriate HIPAA-compliant physical safeguards for workstations with access to EPHI. We can also evaluate your current physical safeguards and make recommendations for improvement based on industry best practices. Security and Risk Consulting
D. Device and Media Controls	Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility. Specifications include: Disposal (i) Media re-use (ii) Accountability (iii) Data backup and storage (iv)	How does SecureWorks Help? SecureWorks' Security and Risk Consulting team can help you develop appropriate device policies and procedures for device and media controls, including those required by HIPAA for disposal (i), media re-use (ii), accountability (iii) and data backup and storage (iv). We can also review your existing policies and procedures and provide recommendations to improve security and HIPAA compliance. Security and Risk Consulting
Technical Safeguards
Standard	Summary of Requirements	Solutions
A. Access Control	Implement technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights. Specifications include: Unique user ID (i) Emergency access procedure (ii) Automatic logoff (iii) Encryption and decryption (iv)	How does SecureWorks Help? SecureWorks Security Monitoring and SIM On-Demand service can monitor the logs of information systems such as servers or applications that maintain EPHI to detect unauthorized access attempts (i.e. password grinding). SecureWorks' Security and Risk Consulting team can help you develop appropriate technical policies and procedures to control the access of staff and applications to EPHI. We can also review your existing technical policies and procedures for access control to identify areas of weakness (i.e. inappropriate access privileges, lack of supervision, etc) and make recommendations for improvement. Security Monitoring SIM On-Demand Security and Risk Consulting
B. Audit Controls	Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI.	How does SecureWorks Help? Using a risk-based methodology aligned with HIPAA requirements, SecureWorks' Security and Risk Consulting team can determine the appropriate controls to meet the requirement. SecureWorks can then deploy and monitor or manage the controls. SecureWorks Security Monitoring, Log Retention and SIM On-Demand services facilitate the recording and examination of system activity such as logs and access reports. SecureWorks Hosted Intrusion Prevention/Detection services can be used to provide active response to critical systems. Management and tracking of security incidents from identification to full closure is also provided via the SecureWorks Portal (which is provided with our Security Services). Security Monitoring Log Retention SIM On-Demand Host Intrusion Prevention (HIPS) Security and Risk Consulting
C. Transmission Security	Implement technical security mechanisms to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network. This includes both: Security measures to ensure that EPHI is not improperly modified; and Mechanisms to encrypt EPHI The appropriate control should be determined through a risk analysis to ensure that EPHI is protected in a manner commensurate with the associated risk when it is transmitted from one place to another. With regard to unsolicited EPHI –e.g., in email from patients -- protection must subsequently be afforded once that information is in the possession of the covered entity.	How does SecureWorks Help? SecureWorks' Security and Risk Consulting team can perform the risk analysis to determine the appropriate controls based on your organizational risk. Once determined, SecureWorks can provide protection for EPHI in transit that includes Managed Firewall & VPN services, Encrypted Email services, and Security Monitoring services to provide assurance for data at rest. Management and reporting on transmission security is also provided via the SecureWorks Portal (which is provided with our Security Services). Managed Firewall & VPN Email Encryption Security Monitoring Security and Risk Consulting

Additional Resources

HIPAA Compliance Solutions

Importance of Adhering to HIPAA Compliance

HIPAA Compliance Services

Administrative Procedures

Next Steps

SecureWorks News >>

Press Releases >>

Threats >>

Online Tools

Info Request

Newsletter Signup

Next Steps
	Request More Information Now
	Call Us Today 877-905-6661