Security of eHealth Information HIPAA Compliance at HRAAgendaIdentify the ProblemTypes of Sensitive InformationWhy Compliance?Risk of Non-ComplianceProtect the organization!Opt 1: Data Center InfrastructureOpt 2: Citrix SolutionCitrix Solution EstimateOpt 1/2: Iron Mountain ServicesOpt 1/2: Iron Mountain ExpensesSlide 14Data Transmission - Secure FTPData Transmission - Secure EmailSolution ImplementationFeasibility AnalysisSlide 19Slide 20Group: GTR ver MGrace ChenTaru SinghalRobert SzymanekMichael ParkerSecurity of eHealth InformationHIPAA Compliance at HRAIdentify the ProblemCompliance/RiskStorage OptionsTransmission OptionsFeasibility AnalysisFinal RecommendationAgendaDeficiencies in the process of storage/backup ◦Is the current data stored? ◦Is there a secure backup currently performed?◦Is current data encrypted?◦Currently how is data archived?Deficiencies in the process of transmission ◦What is the best way to transmit data?◦What Is the best encryption◦Is E-mail safe? ftp/sftp? Identify the ProblemSocial Security numbersHome addresses and telephone numbersPersonal and family health historyBank accounts and credit card numbersTypes of Sensitive InformationThe HIPAA Privacy Rule applies to:◦Health plans◦Healthcare clearinghouses, part of an HIO◦Healthcare providers that conduct covered transactionsHealthcare Information Organization (HIO) performs certain functions or activities which require access to PHIHealthcare clearinghouses collect data such as PHI and data-mine them Why Compliance?Federal Penalties◦The U.S. Department of Health & Human Services has the authority to impose penalties of $100 to $50,000 or more per violation.Criminal Penalties◦The U.S. Department of Justice has the right to fine organizations and individuals who intentionally violate standards. The penalties range from $50,000 to $250,000, with various jail sentence lengths, depending on the offense.Risk of Non-ComplianceEncrypt data on servers and emailRestrict use of file sharing applications and portable devicesProvide protection against malware and attacksUse comprehensive security policiesLog data points for compliance auditsProtect the organization!Storage of Protected Health InformationOpt 1: Data Center/Iron MountainOpt 2: Citrix Solution/Iron MountainSAN/Servers - $160,000Cisco - $24,000VMware/Failover - $26,000Applications (VeriSign, sftp) - $10,500Contractors - $9,400Total - $229,900Opt 1: Data Center InfrastructureCitrix Access Gateway protects data using standards-based encryption technologies (SSL/TLS). Secure remote access.Leading SSL VPN performance and scalability.Protect intellectual property with corporate policies.Lets users work from anywhere.Opt 2: Citrix SolutionCitrix Solution EstimateData Center (1,000 users) - $229,900Same expense as for both solutions.Rapid recovery Extremely high security Reduce risk of server data loss and downtimeContinuous backupProtection of open files and databasesFlexible retention periodsAccess when and where you want ithttp://www.ironmountain.com/health-information/health-server-backup.htmlOpt 1/2: Iron Mountain Services$2.15 per GB per monthHIPAA Retention Period is 7 yearsOpt 1/2: Iron Mountain Expenses1 TB 2 TB 2.5 TB 3 TBPrice/GB $ 2.15 $ 2.15 $ 2.15 $ 2.15 Price/Mo $ 2,150.00 $ 4,300.00 $ 5,375.00 $ 6,450.00 Price/Yr $ 25,800.00 $ 51,600.00 $ 64,500.00 $ 77,400.00 Extended (3 yr) $ 77,400.00 $ 154,800.00 $ 193,500.00 $ 232,200.00 Operating expense, non-capitalTransmission of Protected Health InformationSecure FTP can be used as a technical mechanism, protecting data in motion within a distributed healthcare system.Secure Shell password controls file access.Secure Shell encryption controls confidentiality of the information.Server Event logs facilitates a security audit.Data Transmission - Secure FTPThe primary rule within HIPAA that affects e-mail is the Security Rule.Many encryption technologies require the user to become familiar with the use of plug-ins and other specialized “client-side” encryption softwareAnother issue faced by organizations is a lack of technological standardsThe solution to each of these issues is to move the encryption responsibility from the individual user to a specialized server.Data Transmission - Secure EmailThe team is ready to implement a multi-layered system using the Data Center storage and Iron MountainSecure transmission using secure ftp and secure email for transmission of Protected Health Information.Provision sufficient resources to implement a Citrix solution when needed, plan for FY 2012 or FY 2013.Solution ImplementationNew Deployments (No teardown)◦Storage/backup◦Secure Email◦Secure FTPMaintenance Considerations for IT staff◦Ensuring complete backups (Iron Mountain)◦Enforcing Data Center SLA standards◦Checking secure local storage◦Maintaining VeriSign certificates for email and FTPProcesses invisible to end users!Feasibility AnalysisIron Mountain (2.5 TB) - $193,500Iron Mountain is an annual operating expense at $64,500/yearOperating costs affect Income StatementData Center (Infrastructure required) - $229,900A capital expense at depreciates at $45,980/year over 5 yearsCapital expenses affect the Balance SheetMaintenance approx 10% of purchase price, capitalizedTotal - $412,900The SolutionData Center – InfrastructureIron Mountain – Secure BackupThank
View Full Document