Online Security, a global provider of computer forensics and information technology risk mitigation since 1997
The HIPAA Implementation Newsletter - Issue #42 - Friday, Sept. 20, 2002
Topics: Banking | Clearinghouses | Security. Posted: Sep 24, 2002, Hal Amens
Banking and HIPAA
“The Banking Industry HIPAA Task Force, a joint initiative of NACHA - The Electronic Payments Association and the American Bankers Association, has issued a white paper on HIPAA-related issues affecting the banking industry. …The white paper is part of an effort by the NACHA and ABA to prepare banks to meet the demands of their health care customers.
“Financial institutions have been processing a large and growing number of financial electronic data interchange (‘FEDI’) transactions for years, including healthcare payments and related addenda. Moreover, the banking industry’s unique capability to keep “dollars and data together” - i.e., payment-related information flowing as addenda with the payment entry itself through the ACH Network - is consistent with HIPAA’s objective to reduce costs and simplify administration.
“The white paper provides interpretive guidance and test cases for banks to determine whether they meet the definitions of "healthcare clearinghouse" or "business associate" as defined under HIPAA. The Banking Industry HIPAA Task Force has determined that: …
· A small number of banks are healthcare clearinghouses and are covered entities under HIPAA as a result of services provided in addition to their payment processing services.
· Banks providing services to the healthcare industry may often be business associates of health plans and providers.
“The White Paper provides guidelines and tests to determine the status of a bank. The status of the bank as either a covered entity or as a clearinghouse will affect the operating and contractual relationships between the bank and its customers who are covered entities.”
The key test identified in the White Paper is the receipt and/or transmission of a CTX (NACHA format) containing a Healthcare Claim Payment/Advice (835) transaction. If your bank provides this service, you probably need a business associate agreement.
COMMENTARY: If you are a covered entity, you need to know what your bank is planning. We recommend you discuss this with your bank and get a definitive answer about whether or not they are providing services that qualify them as a covered entity (clearinghouse), business associate or neither. In most large banks – the ones most likely to be impacted – this may present significant organizational challenges and therefore take longer than expected. If you deal with a small bank, they may be obtaining services from a large bank that is subject to HIPAA regulations. You need to know that. Start now.
More at: www.hipaabanking.org
White Paper at: www.hipaabanking.org
Sample letter requesting HIPAA compliance deadline extension for banks at: www.hipaabanking.org
Clearinghouses and HIPAA
“Claims clearinghouses are going to have to upgrade what they offer to health insurers, hospitals and physician practices. Otherwise, they'll be pushed to the sidelines of claims management by advancing technology, market competition, and the Health Insurance Portability and Accountability Act demands for electronic claims submission. So predicts Thomas P. Fitzpatrick, head of e-business for Horizon Blue Cross Blue Shield (BCBS). Paul Buerstetta, a managing director at KPMG Consulting, Nashville, Tenn., agrees. From an intellectual point of view, today's clearinghouses ‘are dinosaurs and should be going extinct.’ But in actuality, they're surviving and thriving.
“ ‘Retiring the old legacy systems is very difficult and time-consuming,’ Fitzgerald says, and requires daunting financial investments. Over the short term, he sees clearinghouses continuing to improve adjudication editing and other functions and competing more and more aggressively on value-added services.
“Given that scenario, providers and payers nationwide are pursuing a number of innovative strategies. At Novant Health Systems … has switched from traditional clearinghouses to a new, Web-based clearinghouse service … which will clean up claims, speed up management, and reduce reliance on traditional claims submission practices.
“HealthTrio, is positioning itself as an ‘Internet connectivity company’ and building on partnerships with employers, brokers, health insurers, hospitals and physicians. It has, for example, put eligibility and claims status review online for more than 30,000 physicians and hospitals and has created an employer portal for online enrollment and billing reconciliation …
“Some of the most innovative new and expanded services could help reshape the whole clearinghouse concept. For example, in late June, … IBM announced that it had teamed with deNovis Inc. ... to provide New York City's Empire BCBS with Internet-based deNovis software. With the ability to read policy statements, rules and regulations electronically and make payments automatically, 4.7-million member Empire will be able to customize policies down to the individual member level. ‘A clearinghouse is really a switch. It takes something in and redirects it. We're really reengineering what happens inside the health insurer and between the insurer and its members, brokers, and physicians...’
“‘I don't think HIPAA really is the meteor out there that will cause the dinosaurs to go extinct. ‘It's really going to be the economics that will drive the clearinghouses to either develop a new value proposition for the market or get out of this market.’ Provider and health plan leaders will have to invest wisely in the technology and partnerships they need to achieve fully electronic claims management or risk the same fate.”
More at: www.healthcare-informatics.com
Security: NIST Guidelines
The National Institute of Standards and Technology (NIST) has released final publications of four computer security guidelines.
· Security for Telecommuting and Broadband Communications, provides security and policy information to assist … in better securing telecommunications resources.
· Security Guide for Interconnecting Information Technology Systems, addresses interconnections between IT systems …
· Procedures for Handling Security Patches, addresses the problem of ignored or improperly applied fixes for vulnerabilities and recommends ways to develop a patching and vulnerability policy.
· Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme, recommends that federal agencies make use of CVE designations when acquiring or using CVE-compatible security-related products and services.
More information and guidelines at: csrc.nist.gov
Security: Smaller Organizations Connected to Large Networks
Security for Telecommuting and Broadband Communications couches the issues it deals with in terms of “telecommuting” but provides a good place to start dealing with networking between smaller medical practices, medical labs, etc., and large providers, e.g., hospitals. “As [smaller users] employ remote connectivity to corporate and government networks, the security of these remote end points becomes increasingly important to the overall security of a network. … This document assists organizations in addressing security issues by providing recommendations on securing a variety of applications, protocols, and networking architectures. … Ironically, as governmental and corporate organizations have hardened their networks and become more sophisticated at protecting their computing resources, they have driven some malicious entities to pursue other targets of opportunity. [Small users] with broadband connections are these new targets of opportunity both for their own computing resources and as an alternative method for attacking and gaining access to government and corporate networks.” [Emphasis added.]
More at: csrc.nist.gov
The King and The Woodcutter - An Executive Parable for Network Security provides a way of looking at the risks to large systems by trusted users. You may find it useful in discussing the issues with executives and doctors.
More at: lpf.com
Security: Microsoft Word
“Microsoft's flagship word processor has for years had a security flaw that could allow a criminal to steal computer files by ‘bugging’ a document with a hidden code. The company said it will definitely repair the problem only for owners of the most recent versions of the software. That decision -- still left largely up in the air by Microsoft engineers -- may leave millions of users of Word 97 without a fix. All versions of Word are susceptible to the flaw, but the problem is most severe in Word 97.
“The attacker sends the victim a bugged document, usually with a request that the document be revised and returned to the sender -- a common form of daily communication. When the document is changed and sent back, the file the attacker wants to steal is attached. … Potential targets for theft are sensitive legal contracts, payroll records or e-mails, ... ‘The issue appears to affect all versions of Microsoft Word,’ Microsoft said in a statement Thursday in response to questions by The Associated Press.
“Word 97, an earlier version of the program, is most susceptible to the attack. Microsoft said it is its policy to no longer repair Word 97, but said the company is still exploring the issue. A research firm reported in May that about 32 percent of offices have copies of Word 97 running, according to a survey of 1,500 high-tech managers worldwide.
“Analyst Laura DiDio of the Yankee Group said companies are taking a risk by using such old software …”
COMMENTARY: Smaller organizations that do not have “high-tech managers” probably have an even higher percentage of Word 97.
More at: www.cnn.com
Comment posted on Microsoft’s Web site: “This issue has also raised questions about Microsoft’s support for Office 97. Microsoft continues to offer support on Office 97 through assisted support from Microsoft Product Support Services (PSS). … Office 97 users should be aware, however, that Office 97 was developed in an era when the security threat was very different, and Office 97 does not include any of the improved security architecture of more recent versions of Office, such as Macro and e-mail attachment security. For best security, we recommend that customers use Word 2002.”
More at: www.microsoft.com
Security: Wireless Secure at Last?
“In a security briefing at this week's Intel Developer Forum in San Jose, Jesse Walker of Intel and Warren Barkley of Microsoft presented the current developments in 802.11 TGi -- an initiative designed to counteract the many security flaws in 802.11 wireless networking. … ‘Last year, we couldn't say that wireless networks could be made secure. Today, we can,’ Walker said.
“He admitted that the solution was only suitable for professionally administered enterprise networks, and that consumers would remain unprotected until at least the end of 2003. The new system uses a combination of techniques, none particularly strong in a cryptographic sense but secure together. It doesn't require new hardware, as it is only a subset of the full 802.11 TGi system, which will need new hardware and is due to be approved next year.”
“This year's system, called SSN but due to be renamed, uses an authentication system called 802.1x that positively identifies the user and the access point to each other, and then provides keys for TKIP, a WEP replacement. … Some of the limitations of SSN are due to the requirement of making it work on existing hardware; this has limited processing power, which is nearly fully occupied in managing ordinary network traffic. The result: there is little overhead in access points for adding the system software necessary to make systems secure until TGi is approved and available. Administrators should contact their vendors for software patches to add SSN. Adding SSN to an existing network is not complex: Microsoft upgraded its own worldwide 32,000-node 802.11b wireless network to the new system in two weeks.
“You can't stop wireless networking,” he said. ‘It's a drug, once you've tried it you don't want to stop. If a company won't roll out 802.11, then users buy access points and plug them in -- they don't even enable WEP.’ He identified the rogue access point as one of the five major areas where more work was needed …”
More at: news.zdnet.co.uk
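The ZDNet piece above describes SSN only in outline: 802.1x authenticates the user and the access point to each other, then hands out keys for TKIP in place of a static WEP key. The following is an added illustration, not code from the newsletter or from the Intel/Microsoft presentation, of what that difference looks like in an access-point configuration. It uses two hostapd.conf fragments (hostapd is an open-source access-point daemon; its configuration keys are real, while the interface name, SSIDs, the WEP key, the RADIUS address and the shared secret are constructed placeholders):

```ini
# Added example (not from the newsletter or the ZDNet article): two hostapd
# fragments for the same radio. They are shown together for comparison; a real
# deployment uses one or the other, not both.
# SSIDs, the WEP key, the RADIUS address and the secret are placeholders.

# --- Fragment 1: the setting the article warns about -----------------------
# Static WEP: one shared key on every client, no per-user authentication,
# no key rotation. Anyone who learns the key reads all traffic.
interface=wlan0
ssid=CLINIC-WEP-EXAMPLE
# 104-bit WEP key as 26 hex digits (placeholder value)
wep_default_key=0
wep_key0=0123456789ABCDEF0123456789

# --- Fragment 2: the SSN-style design described in the article -------------
# 802.1X: each user is authenticated through EAP against a RADIUS server, and
# the client validates the network in the same exchange, so a rogue access
# point cannot simply impersonate the corporate SSID.
interface=wlan0
ssid=CLINIC-8021X-EXAMPLE
ieee8021x=1
# wpa=1 selects WPA1, the standard that SSN became after its renaming
wpa=1
wpa_key_mgmt=WPA-EAP
# TKIP derives per-session, per-packet keys instead of reusing one static key
wpa_pairwise=TKIP
# Rotate the group (broadcast) key every 10 minutes
wpa_group_rekey=600
# RADIUS server: 192.0.2.10 is a documentation-range placeholder address
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-LONG-RANDOM-SECRET
```

The property worth checking after such a change is the one the article emphasises: no client should be able to associate with the clinic SSID without passing the RADIUS authentication, and the RADIUS logs should show an accept record for each user. One caveat that postdates the 2002 article: TKIP itself has since been deprecated. A current deployment keeps the 802.1X/RADIUS half of this configuration but selects `wpa=2` with `wpa_pairwise=CCMP` (WPA2), or WPA3, rather than TKIP.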
Security: Managing Viruses
We often pass along free information that we consider valuable. We seldom endorse information that is for sale, we let people who are selling things do that for themselves. We think we have found an exception: Managing Viruses In The Enterprise, published by searchsecurity.com. [Full disclosure: We have no financial interest but we have hosted a Webinar about HIPAA on searchsecurity.com at their invitation.]
More at: searchsecurity.techtarget.com
HIPAA Conferences
HIPAA Summit National Audioconference: HIPAA & Medicare, Thursday, Sept. 26, 2002 and HIPAA Summit National Audioconference: Employer & Health Plan HIPAA Compliance Strategies, Tuesday, Oct. 8, 2002:
www.HIPAAAudioconferences.com
The fifth National HIPAA Summit, October 30 - November 1, 2002 in Baltimore, MD: www.HIPAASummit.com. At a special session on Thursday morning, Oct. 31, 2002, federal and state regulators and healthcare privacy and security experts will provide regulatory updates and respond to questions and comments. Participants come from the Dept. of Health & Human Services, the White House, the Federal Trade Commission, the National Association of Insurance Commissioners, and from North Carolina, New York, the Southern HIPAA Administrative Regional Process (SHARP), NCHICA, Indiana HIPAA Consortium, National Association of Health Data Organizations, Massachusetts Health Data Consortium, Inc., and a group of national experts.