Five basic considerations before implementing a security solution for HIPAA
Implementing a security solution for HIPAA is a very challenging scenario. Listed below are five basic considerations to weigh before implementing a security solution for HIPAA.
1. Costs, which must be kept low on a per-user basis. IT is considered a support function and not necessarily a method of generating more revenue in the healthcare space.
2. Deployment method and costs. Given that there are many parties involved in a typical healthcare transaction (patient, doctor, nurse, administrator, HMO, hospital), having an easy-to-deploy system is essential. Frequent upgrades or replacements would become significantly expensive because most healthcare workers are so frequently mobile.
3. Compatibility with legacy systems. For example, many hospitals still use Novell as their primary network operating system and management tool, yet in the corporate world Novell is considered a very small segment of the market. As a result, solutions must be designed so that backward compatibility with such systems is maintained.
4. Physical security of the security solution. Any solution that may require hardware devices or tokens will have to incorporate the ability to physically secure that device as well. Because many healthcare workers are mobile, it is not trivial for them to be able to physically secure any authentication device, unless they can carry it on their identification badges or in their pockets. This requirement relates to the fact that a solution must be designed for high mobility.
5. Audit and compliance tools. Given that audit and compliance are major factors in the healthcare vertical, security solutions must be able to provide strong tools to audit use and access to information, as well as tools to enforce compliance. For example, if token devices are issued for authentication to doctors, a chain-of-custody report must be maintained. In that manner, the device can be shown to be used by only one person (and thus that person bears the liability and burden of reporting inappropriate use of that device, including loss or theft).
The original list is from PKI Security Solutions for the Enterprise by Kapil Raina. Do you have any other suggestions?