Designing HIPAA Technical Safeguards, Research Paper Example

HIPAA Technical Safeguards

In order to minimize the cost of common administrative transactions, health plans, made the U.S congress optimistic to create an administrative outline of precise transactions related to electronic health data. (Chaikind, 2004) The Health Insurance Portability and Accountability Act (HIPAA) of 1996 produced inducements for public and private partnerships to expand and deploy standards in order to standardize data related to health care in electronic administrative transactions related to health and standards for security and privacy of independently exclusive health information. The adaptation of HIPAA standards developed by accredited standards developing organizations clearly hold the guarantee led by US government. The transactions elected by Congress, the process of selecting the principles in the Department of Human Services and Health, the doctrine that steered these selections, and the actual selections, are presented. A prosperous joint venture for administrative health data standards may cover the way for accomplishment of data standards in clinical health and their associated application, in computerized patient record systems.

For addressing and mitigating risks for the security issues small doctor’s office, professionalism is required in terms of design and development, and acquisition and maintenance while operating electronic health records. However, health professional shares their own code of ethics which is not effective in terms of Health Information Professionals (HIPS). In order to minimize these issues, the International Medical Informatics Association is in the phase of acclimatizing a suitable code of ethics (Mennerat, 2002). Furthermore, the expectations from this code are as follows:

• Privacy of information and character
• Ingenuousness
• Security
• Accessibility
• Justifiable violation
• Slightest invasive Alterative
• Responsibility
• Technical Issues

Apart from the code of ethics, principle concerns are also related to the transmission of these digital records over the computerized network in the small doctor’s office. Moreover, technical and organized measures are required when the computerized data travels on the network. In order to address the issues, expertise for the implementation cost and risk of dealing with the processed data is required. In terms of healthcare systems, it is not mandatory that the individual employing system will only operate and process the data in the system. The instructions can be passed for a processor who will access the system to process health care records. However, the processor must have adequate assurance of security. Moreover, the instructor must ensure strict compliance with the security requirements while passing instructions to the processor. Furthermore, a written contract is essential for only fulfilling instructions from a responsible instructor or senior healthcare professional. Besides, the key standards includes classification of security and safeguard profiles, passwords, algorithms for digital signatures, communication related to healthcare in a secure environment and health informatics.

Auditing Controls

For auditing, ‘Windump’ is a “freeware tool for Windows that is a protocol analyzer that can monitor network traffic on a wire” (Windump.2007). The primary focus is to analyze and report issues related to packet headers in network traffic. The tool is specifically developed for supporting functions related to digital forensics investigation. The tool can specifically analyze traffic broadcasting from workstation that has a malware installed in it. Likewise, it extracts the source information from the packet header in terms of IP addresses. Moreover, the tool can also facilitate the investigation tem to filter the required information. For instance, investigation team is currently analyzing SSL packets because of an online crime. Consequently, the tool will only provide information related to SSL packets only and ignore the rest. Moreover, operating system based auditing can also be configured for creating and maintaining audit trails that can be utilized when required.

Logical Access Controls

In order to maintain a sophisticated web server, web content prevention is essential to ensure the safety of web contents available on the web server. Apache ‘digest authentication’ is made for this purpose. The command ‘digest authentication’ is executed on the module named as ‘mod_auth_digest’. This utility will never transmit the passwords across the network. In fact, these files are transmitted via MD5 digested passwords, eliminating attacks such as sniffing the network traffic for passwords. There are some steps incorporated in order to accomplish this utility from the Apache web server. Likewise, the configuration for digest authentication is quite similar to the basis authentication. The first step is to create a password file. The command executed for the creation of the password file is:

‘htdigest -c /usr/local/apache/passwd/digest realm testuser’

After the creation of the password file, it will request the user for the credentials and the location of this password file is also similar to the elementary authentication mechanism i.e. outside the documents directory. After the creation of the password file, Apache configuration is conducted with the required directives. The directives are located in an ‘.htaccess’ file in a specific server configuration directory.

There are various modules bundled with apache for user authentication on a variety of databases. These two module known as ‘mod_auth_db ’ and ‘mod_auth_dbm’ are integrated within the Apache web server. The elementary authentication mechanism and the digest authentication both lack stability in terms of data organization. For instance, these both mechanisms store passwords on a coherent text files, with no indexes, bookmarks or traceability. In comparison to the databases, that is optimized to extract any particular piece of information rapidly in a large data sets, ‘mod_auth_db ’ and ‘mod_auth_dbm’ enables web administrators to save password files in a ‘.db’ or ‘.dbm’ file formats.  The ‘.db’ extension is associated with the ‘Berkeley DB’ file. Moreover, for installing ‘mod_auth_db’ following command is executed:

‘/configure – enable – module = auth_db’

In order to secure a directory with ‘mod_auth_db ’ the same procedure is carried out as mentioned previously in elementary and digest authentications mechanisms. However, the file type is a significant difference i.e. instead of a text file; it is a ‘.db’ file. Furthermore, for allocating the password following command is executed:

‘dbmanage passwords.dat adduser testuser’

The next step would be to set credentials i.e. the password. Likewise, the last step would be to set the directives in order to configure this password file on the Apache web server.

Directives consisting of ‘allow’ and ‘deny’ parameters, scrutinize the user to grant or do not grant permission on the basis of hostnames and host address of the computer system requesting any service or medical data. Moreover, the ‘order’ directive instructs the Apache web server to apply filters on the following criteria i.e. allow from address of the computer system. Furthermore, the elaboration of the computer system address is the IP address or a qualified ‘Fully Qualified Domain Name’ (FQDN).

References

Chaikind, H. R. (2004). The health insurance portability and accountability ACT (hipaa): Overview and analysesNovinka Books.

Mennerat, & Mennerat, F.Electronic health records and communication for better health care: Proceedings of EuroRec ’01 Amsterdam ; IOS Press ; c2002.

Windump.(2007). Network Dictionary, , 528-528.