HIPAA Applications
Treadstone 71 HIPAA Certification and Accreditation
As part of HIPAA requirements, the Centers for Medicare and Medicaid Services (CMS) are working to establish a standard process, general tasks, and specific subtasks to certify and accredit IT systems supporting healthcare IT infrastructures. HIPAA will provide a new approach to certification and accreditation (C&A) that uses this standardized process to verify the correctness and effectiveness of the security controls employed in a healthcare IT system, ensuring that adequate security surrounding protected health information (PHI) is maintained. Treadstone 71 has been monitoring the progress of this effort very closely. It is our informed belief that CMS will in fact employ the government standards for certification and accreditation (C&A) already in place and in use by both DoD and non-DoD agencies. Treadstone 71 already utilizes these proven and accepted practices (NIACAP Services) and is ready to deploy them as part of our HIPAA Readiness Program. Treadstone 71's use of standardized, minimum security controls for low, moderate, and high levels of concern for confidentiality, integrity, and availability, together with the employment of standardized verification techniques and verification procedures, promotes:
  • More consistent, comparable, and repeatable certifications of IT systems;
  • More complete, reliable information for HIPAA Security Officers (HSOs), leading to a better understanding of complex IT systems and their associated risks and vulnerabilities; and
  • More informed decisions by management officials supporting the accreditation process.
While the certification and accreditation (C&A) process focuses on healthcare IT systems that process, store, and transmit PHI, the associated tasks and subtasks, security controls, and verification techniques and procedures have been broadly defined so as to be universally applicable to all types of IT systems.
Healthcare management responsibilities presume that responsible HSOs understand the risks and other factors that could adversely affect the securing of PHI. Moreover, these HSOs must understand the current status of their security programs and controls in order to make informed judgments and investments that mitigate risk to an acceptable level.
The goal of the HSO is both to operate their program and to do so with what is defined as adequate security: security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of PHI. The authorization of an IT system to process, store, or transmit PHI, granted by the HSO, provides a form of quality control and challenges managers and technical staff to find the best fit for security given technical constraints, operational constraints, and mission requirements. Treadstone 71 refers to this authorization as accreditation. Accreditation, which is required under HIPAA, should be based on an assessment of the management, operational, and technical controls associated with an IT system. Since the security plan prepared by Treadstone 71 for healthcare organizations documents the protection requirements and security controls for an IT system, the plan is the fundamental document required in the accreditation process (thereby reducing unnecessary administrative duplication of effort), supplemented by more specific studies as needed. In addition to the security plan, accreditation is also supported by a risk assessment and a security evaluation.
The Treadstone 71 risk assessment identifies threats and vulnerabilities, analyzes the security controls planned or in place, determines the likelihood that specific vulnerabilities may be exploited, and provides an impact analysis. An initial risk assessment should be initiated on the healthcare IT system prior to beginning the accreditation process. The results of the initial risk assessment are used during the security evaluation, then revisited and possibly revised based on the findings of that evaluation. Certification is Treadstone 71's comprehensive evaluation of the technical and non-technical security controls of a healthcare IT system, performed in support of the accreditation process, which establishes the extent to which a particular design and implementation meets a set of specified security requirements.
Certification provides the necessary information for the HSO to formally declare that a healthcare IT system is approved to operate at an acceptable level of risk. The decision is based on the implementation of an agreed-upon set of management, operational, and technical controls. By accrediting the system, the HSO accepts the risk associated with it. Formalizing the accreditation process reduces the potential that systems will be operated without appropriate management review.
Treadstone 71 recommends that re-accreditation occur prior to any significant change in the healthcare IT system, and at least every three years. It should be done more often where the risk and potential magnitude of harm are high.
A significant percentage of healthcare IT systems have not completed needed security certifications, thus placing PHI and programs at risk and potentially impacting the viability of the healthcare organization. Security certifications provide HSOs with the information necessary to authorize the secure operation of those healthcare IT systems. Currently, there are numerous competing security certification procedures in the commercial marketplace that are excessively complex, outdated, and costly to implement, resulting in assessments that are often inconsistent, flawed, and not repeatable with any degree of confidence. There is also a shortage of competent security expertise to conduct security certifications across the vast inventory of healthcare IT systems. Treadstone 71:
  • Developed standard guidelines and procedures for certifying and accrediting healthcare IT systems;
  • Defined essential minimum security controls for healthcare IT systems; and
  • Promotes the development of public and private sector assessment organizations and the certification of individuals capable of providing cost-effective, high-quality security certifications based on standard guidelines and procedures.
The specific benefits of the security certification and accreditation (C&A) initiative include:
  • More consistent, comparable, and repeatable certifications of healthcare IT systems as required by HIPAA;
  • More complete, reliable information for authorizing officials, leading to a better understanding of complex healthcare IT systems and their associated risks and vulnerabilities, and therefore more informed decisions by HSOs;
  • Greater availability of competent security evaluation and assessment services; and
  • More secure IT systems within the healthcare industry complying with HIPAA regulations.
The purpose of the Treadstone 71 HIPAA Readiness Program is to establish standard processes, general tasks, and specific subtasks to certify and accredit the healthcare IT systems supporting healthcare organizations. While the Treadstone 71 C&A process focuses on healthcare systems that process, store, and transmit PHI, the associated tasks and subtasks have been broadly defined so as to be universally applicable to all types of IT systems.
Jeff Bardin

Treadstone 71

jbardin@treadstone71.com