Healthcare compliances training and discussion blog

Archive for the ‘HIPAA compliance’ Category

The Criticality of Risk Assessments: FISMA, HIPAA, and other regs


By Richard E. Mackey, Jr.
Dark Reading

One of the most important components in any security program is the risk assessment process. Regulations like FISMA, HIPAA, Red Flag Rules, and state privacy regulations require organizations to methodically assess risk and select security controls based on that assessment. The problem is that many organizations do not understand what it means to assess risk through a formal method. Worse yet, many IT people have a hard time understanding the practicality of formal assessments.

What is a formal risk assessment?

Formal risk assessments are processes that consider the value of the assets that are at risk, the business and technical threats to the assets, and the effectiveness of the business and technical controls that are designed to protect the asset. In the end, a risk assessment gives the organization an objective measure of the risk to an asset. The process forces the organization to acknowledge and accept the risk, eliminate the risk by terminating a business practice (e.g., stop offering access to the asset via the web), transfer the risk by outsourcing or insurance, or, more often than not, select additional more effective business or technical controls to reduce the risk.
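As an added illustration (not from the article or from NIST), the following Python turns the assessment described above into a small risk register: asset value, threat likelihood and current control effectiveness on a constructed 1-5 scale, a residual-risk score, and the treatment decision the text lists (accept, eliminate, transfer or mitigate) together with the control strength mitigation would need. The scale, the risk appetite and the sample register are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str
    asset_value: int            # 1 (minor) .. 5 (critical): impact if the asset is compromised
    likelihood: int             # 1 (rare) .. 5 (almost certain): threat likelihood with no controls
    control_effectiveness: int  # 0 (none) .. 4 (strong): how far existing controls cut likelihood

MAX_EFFECTIVENESS = 4  # assumed top of the control-effectiveness scale

def residual_likelihood(item: RiskItem) -> int:
    """Controls reduce likelihood but never below 1: a threat can be made rare, not impossible."""
    return max(1, item.likelihood - item.control_effectiveness)

def inherent_risk(item: RiskItem) -> int:
    return item.asset_value * item.likelihood

def residual_risk(item: RiskItem) -> int:
    return item.asset_value * residual_likelihood(item)

def effectiveness_needed(item: RiskItem, appetite: int) -> Optional[int]:
    """Smallest control effectiveness that brings residual risk within appetite.

    None means no feasible control does it: the organization must accept the risk,
    eliminate it by stopping the practice, or transfer it (outsourcing or insurance).
    """
    for eff in range(MAX_EFFECTIVENESS + 1):
        if item.asset_value * max(1, item.likelihood - eff) <= appetite:
            return eff
    return None

def treatment(item: RiskItem, appetite: int) -> str:
    """Map the assessment result to one of the four treatment options in the text."""
    if residual_risk(item) <= appetite:
        return "accept (within appetite; document and monitor)"
    needed = effectiveness_needed(item, appetite)
    if needed is not None:
        return f"mitigate (raise control effectiveness from {item.control_effectiveness} to {needed})"
    return "eliminate or transfer (no feasible control brings the risk within appetite)"

def assess(register: List[RiskItem], appetite: int) -> List[Dict[str, object]]:
    """Rank the register by residual risk so funding goes to the largest risks first."""
    rows = [{"asset": i.asset, "threat": i.threat, "inherent": inherent_risk(i),
             "residual": residual_risk(i), "treatment": treatment(i, appetite)} for i in register]
    return sorted(rows, key=lambda r: r["residual"], reverse=True)

# Constructed sample register and risk appetite (illustrative values, not from a real assessment)
APPETITE = 4
SAMPLE_REGISTER = [
    RiskItem("patient billing database", "record theft by an external attacker via the web portal", 5, 4, 1),
    RiskItem("department scheduling spreadsheet", "accidental disclosure by staff e-mail", 3, 3, 2),
    RiskItem("public website content", "defacement", 2, 4, 0),
    RiskItem("paper schedules taken off-site", "loss in transit", 4, 5, 0),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, APPETITE):
        print(f"residual {row['residual']:>2} (inherent {row['inherent']:>2}) "
              f"{row['asset']} / {row['threat']}: {row['treatment']}")
```

The first item shows the "terminate a business practice" outcome: with a critical asset, even the strongest control leaves risk above the appetite, so the decision is to stop web access or transfer the risk rather than buy more controls.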

The benefits of formal risk assessments

Conducting formal assessments within a risk management program provides a number of benefits.

Formal assessments:

1. Require business and technical representatives to reason about risk in an objective, repeatable way
2. Require consistent terminology and metrics to discuss and measure risk
3. Justify funding for needed controls
4. Identify controls that can be eliminated
5. Provide documentation of the threats that were considered and the risks that were identified
6. Require business and IT to acknowledge responsibility for ownership of risk
7. Require organizations to track risks and reassess them over time and as conditions change

Why are risk assessments so important in compliance?

There is a good reason for so many regulations to include a requirement for risk assessment. It is only sensible that a regulatory body cannot dictate the controls that are necessary in every environment. What might be appropriate for a large company with a significant web presence could be overkill for a small organization with a few customers. If the threats are different and the environment is different, it stands to reason that the controls may be different.

It is interesting to note that even the most prescriptive standards (e.g., PCI DSS) require risk assessments to determine the need for and effectiveness of controls. On the less prescriptive side of the regulatory spectrum, HIPAA and FISMA have very few required controls but expect the entire program to be risk based. This approach makes sense when one standard needs to apply to everyone.

Choosing a risk management framework

If your organization needs to comply with FISMA, your risk management approach should be based on NIST Special Publication 800-39. This document provides an overall description of the risk management lifecycle. Risk assessment, which is one part of the risk management program, is described in NIST Special Publication 800-30 (which is being revised). SP 800-30 provides a stepwise method for assessing risk that can be customized for a given organization.

Another good source of risk management documentation is provided by the OCTAVE project developed at Carnegie Mellon University. Both NIST and OCTAVE provide excellent sources for building a risk management program that help organizations meet their security and regulatory requirements.

This article was originally posted at http://www.darkreading.com/blog/231600781/the-criticality-of-risk-assessments-fisma-hipaa-and-other-regs.html

Tips on PCI DSS Compliance


Too many healthcare organizations have overlooked their obligation to comply with the Payment Card Industry Data Security Standard, says security expert Tom Walsh. Compliance with PCI DSS, designed to help prevent credit card fraud and theft, can help healthcare organizations comply with the HIPAA security rule as well, Walsh stresses. That’s because PCI DSS offers far more security specifics than HIPAA, including, for example, specific password requirements, he notes.

“If an organization can meet all of the requirements of PCI, it’s going to be in great shape when it comes to HIPAA security compliance,” Walsh contends. “The problem is that most organizations just can’t afford right now to invest in their infrastructure as well as all of the controls required to meet all the standards required in PCI. If they could, it would be a great help with HIPAA.”

Large payment card transaction volume merchants, including many hospitals, must have independent audits and frequent vulnerability tests, Walsh explains. Those with smaller payment card transaction levels are required to conduct a self-assessment and complete a “self-assessment questionnaire.” All merchants are required to complete an “attestation of compliance.”

In an interview (transcript below) with Howard Anderson, executive editor of HealthcareInfoSecurity.com, Walsh offers an overview of PCI DSS and suggests key compliance steps, including:

  • Creating a diagram that shows how credit transactions are handled;
  • Identifying all applications and systems involved and creating an inventory of all card reading devices;
  • Conducting an initial self-assessment and creating a plan to remediate any problems identified;
  • Creating a credit card handling policy and training staff annually on how to carry it out.

On May 18, Walsh will conduct an in-depth webinar on PCI DSS compliance in partnership with Information Security Media Group.

Walsh, CISSP, is president of Tom Walsh Consulting, an Overland Park, Kan.-based firm that advises healthcare organizations on information security. He has conducted numerous presentations on PCI and has helped dozens of healthcare organizations conduct PCI self-assessments. Walsh also serves as information security officer at San Antonio Community Hospital on an outsourced basis.

HOWARD ANDERSON: For starters, please briefly describe the Payment Card Industry Data Security Standard and who must comply.

TOM WALSH: … To counter the threat of fraud, and unintentional security breaches, the major credit card companies worked collaboratively to create a common industry standard. … In September of 2006, the five major credit card companies formed the organization called the PCI Security Standards Council, and what the council tried to do was come up with a set of standard data security criteria that they wanted all the organizations that handle or process credit cards to follow.

The standard itself covers both technical and operational system components associated with the card holder data environment. It includes things like the access to credit card data, transferring the information, storage of the information, retention and disposal. They’ve been updating the standard over the years, and the current version of the PCI Data Security Standard is Version 2.0.

…Mainly the goals are to build and maintain a secure network, protect the card holder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test the networks, and then maintain an information security policy. These are all good things and generally considered common practices.

One thing I want to point out is that many people get confused, and they wonder whether this applies to the entire network and to the entire organization. But it really pertains only to those systems or applications that are used for the storage, processing or transmission of cardholder data. That is why a lot of organizations try to segregate out credit card data transactions from their other operations.

Security Controls

ANDERSON: Many healthcare organizations have been focused heavily on complying with HIPAA’s privacy and security rules, while sometimes overlooking other industry standards, such as PCI. So tell us about security controls that PCI requires.

WALSH: Many organizations are worried about complying with HIPAA, and they’ve forgotten that PCI applies globally to any organization that stores or processes or transmits card holder data. So most healthcare organizations accept credit cards as payment for co-pays or for paying for their services outright. As part of this, they have to go in and look at these security requirements and they have to do what’s called a self-assessment, and that is a questionnaire form they have to fill out, and it has certain criteria. The criteria are based on the environment in which your credit card processing takes place.

While the council is really responsible for managing the data security standards, each of the credit card brands maintains its own separate compliance and enforcement program, which makes it a little bit of a challenge. Each card brand has their own determination for validation of compliance, and most of it is based on reporting, and the reporting is usually a requirement for the acquiring financial institutions or banks, or the merchant service processors that work with the organization when they process credit cards.

Generally they’ll ask for … some kind of a letter to provide evidence or proof that the healthcare organization that is processing the credit cards is, indeed, in compliance with the PCI data security standard.

Now sometimes a breach may occur, and that is when these organizations will get involved, and then they’ll want to see proof that you’ve been compliant over the years. …

One of the things I’ve seen, which is a trend, is that the banks or merchant service processors are now sending letters to [certain] organizations and they are asking them to prove that they’re compliant by going online to a website and completing their self-assessment questionnaire. …

The other part about this that can be difficult is that when you go on the website to complete the self-assessment questionnaire, many times what is included in that registration process is a vulnerability scan that will be conducted by the organization that the bank or merchant service processor has contracted to go out and conduct the scan. …

The other thing is, who gets these letters? Generally it’s not going to end up with IT or information security; it usually will end up with whoever in the organization has the relationship with the bank or the credit card company. So the bad news is, somebody could be getting this letter and not know what to do with it, and either hold on to it or ignore it. And meanwhile, the folks who really know what they should be doing about it aren’t getting the word.

So as far as a compliance audit … you should be doing it on an annual basis. … In most cases, my clients, when they go through this, they’ll hold on to the result of it and won’t turn it over unless they are asked to produce it.

PCI Compliance

ANDERSON: So what are a few of the steps that an organization can take to assess whether they are PCI compliant now?

WALSH: Well some of the things that they need to look at is to figure out who in their organization is handling or processing credit cards. So you’ve got to look at the various departments. Now in a hospital, it will typically be the departments such as admitting, registration or patient access … where the patient first checks in and pays for a co-pay. It could be the cashier at the hospital. Patient financial services, which does the patient billing, handles credit cards [as do the] gift shops, cafeteria, any of the outpatient services, such as the pharmacy … or clinics or urgent care centers or if the organization sells or rents medical equipment and supplies. So those would be areas where credit cards are being handled. So the first step is really getting a handle on the environment itself.

The next step would be to determine who really owns the PCI project. … They need a high-level executive to take ownership of it. You need to determine what merchant level and type you are, based on the number of transactions you process and the environment that you process it in: are you using just point-of-sale terminals or are you using some secure website for processing transactions? Then create a transaction work flow map or a diagram that shows how credit card transactions take place in the organization, and where all the data may reside so you have an idea then of what you need to assess. Then identify the applications and systems associated with the processing, storage and transmission of the credit card data. You might want to do an inventory of any of your point-of-sale terminals or cash register systems, or card readers that attach to a workstation.

Then you would conduct your initial self-assessment, filling out the self-assessment questionnaire. Sometimes [those doing this for the] first time … may want to call upon a vendor for some help with that. Once they have done the assessment, they will probably find some shortcomings, and that would be something you would put in a report of findings to your executive management to make a determination of the next steps through some type of an action plan, and what is it going to cost to remediate these. What kinds of resources do we need?

Some simple things … that need to be done include creating a credit card handling policy and then conducting awareness training for all your employees. Now the requirement is to train everyone who is handling credit cards when they are newly hired and then annually. And part of that annual training is that the employee has to acknowledge that they received a copy of the credit card handling policy and understand what their responsibilities are. So those are some of the key steps that need to be taken right away.

HIPAA, PCI Overlap

ANDERSON: And is there any overlap between what HIPAA requires and what PCI requires?

WALSH: Well there is some overlap. The HIPAA security rule is kind of vague. It was written that way so it could be scalable. So it doesn’t give you a lot of detail, whereas the PCI Data Security Standard is very specific and detailed in its requirements. So for example … within the HIPAA security rule there is really no specification for passwords other than under the standard of security awareness training that we have to conduct password management training and we have to teach people how to manage their passwords. But when you look under the technical safeguard section, it talks about authentication but it doesn’t specify passwords, which is probably the most commonly used method today in healthcare of authenticating a user. When you look at PCI, they have eight specific requirements on passwords. So they specify things like minimum password length and complexity, history and password expirations; it’s very detailed.

So, if an organization can meet all of the requirements of PCI, you’re going to be in great shape when it comes to HIPAA security compliance. The problem is that most organizations just can’t afford right now to invest in their infrastructure as well as all the controls that are required to meet all the standards in PCI. If they could, it would be a great help with HIPAA.

ANDERSON: Finally, you’ll be offering a webinar on PCI compliance strategies May 18, so tell us what information you are planning to provide in that event.

WALSH: In that webinar, I’m going to go into more detail about the PCI Data Security Standard. I’ll also be talking about some of the common mistakes that I’ve seen in healthcare organizations as far as addressing the standard. We’ll provide a more detailed action plan. …

This article was originally posted at http://www.healthcareinfosecurity.com/articles.php?art_id=3581&pg=3
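To make Walsh's point about PCI specificity concrete, here is an added example (not from the interview, from the PCI Security Standards Council or from any product) that encodes the PCI DSS v2.0 Requirement 8.5 password parameters as I recall them (7-character minimum, letters and digits, 90-day expiry, no reuse of the last 4, lockout after 6 failures for 30 minutes, 15-minute idle timeout) as a checkable policy, whereas the HIPAA Security Rule states none of these numbers. The account-state model, the per-user salt and the scenario times are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from hashlib import sha256
from typing import List, Optional

@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int             # minimum characters
    alpha_and_numeric: bool     # must contain both letters and digits
    max_age_days: int           # forced change interval
    history_depth: int          # how many previous passwords may not be reused
    max_failed_attempts: int    # failures before the account locks
    lockout_minutes: int        # how long the lock lasts
    idle_timeout_minutes: int   # idle time before re-authentication

# PCI DSS v2.0 Requirement 8.5 values as recalled by the author of this example
# (8.5.10, 8.5.11, 8.5.9, 8.5.12, 8.5.13, 8.5.14, 8.5.15 respectively); verify against the standard.
PCI_DSS_V2 = PasswordPolicy(7, True, 90, 4, 6, 30, 15)

def history_entry(password: str, user_salt: str) -> str:
    """The history keeps salted hashes, never the old passwords themselves."""
    return sha256((user_salt + password).encode("utf-8")).hexdigest()

def check_new_password(policy: PasswordPolicy, candidate: str, history: List[str], user_salt: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if policy.alpha_and_numeric and not (has_alpha and has_digit):
        problems.append("needs both letters and digits")
    if history_entry(candidate, user_salt) in history[-policy.history_depth:]:
        problems.append(f"reuses one of the last {policy.history_depth} passwords")
    return problems

def password_expired(policy: PasswordPolicy, last_changed: datetime, now: datetime) -> bool:
    return now - last_changed > timedelta(days=policy.max_age_days)

@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None

def is_locked(state: AccountState, now: datetime) -> bool:
    return state.locked_until is not None and now < state.locked_until

def record_login_attempt(policy: PasswordPolicy, state: AccountState, success: bool, now: datetime) -> AccountState:
    """Apply the lockout rule to one login attempt and return the updated state."""
    if is_locked(state, now):
        return state  # attempts during the lockout are rejected and do not shorten it
    if success:
        state.failed_attempts = 0
        state.last_activity = now
        return state
    state.failed_attempts += 1
    if state.failed_attempts >= policy.max_failed_attempts:
        state.locked_until = now + timedelta(minutes=policy.lockout_minutes)
        state.failed_attempts = 0
    return state

def session_needs_reauth(policy: PasswordPolicy, state: AccountState, now: datetime) -> bool:
    """An idle session must re-authenticate once the idle timeout has passed."""
    return (state.last_activity is None
            or now - state.last_activity > timedelta(minutes=policy.idle_timeout_minutes))

# Constructed scenario: four historical passwords, then lockout and idle checks at fixed times
T0 = datetime(2011, 5, 1, 9, 0, 0)
USER_SALT = "constructed-per-user-salt"
HISTORY = [history_entry(p, USER_SALT) for p in ("Spring2010a", "Summer2010b", "Autumn2010c", "Winter2010d")]

def demo() -> dict:
    state = AccountState()
    for i in range(PCI_DSS_V2.max_failed_attempts):   # six failures one second apart
        record_login_attempt(PCI_DSS_V2, state, False, T0 + timedelta(seconds=i))
    idle = AccountState(last_activity=T0)
    return {
        "short": check_new_password(PCI_DSS_V2, "abc123", HISTORY, USER_SALT),
        "no_digit": check_new_password(PCI_DSS_V2, "abcdefgh", HISTORY, USER_SALT),
        "reused": check_new_password(PCI_DSS_V2, "Winter2010d", HISTORY, USER_SALT),
        "ok": check_new_password(PCI_DSS_V2, "Spring2011e", HISTORY, USER_SALT),
        "expired_91d": password_expired(PCI_DSS_V2, T0, T0 + timedelta(days=91)),
        "expired_90d": password_expired(PCI_DSS_V2, T0, T0 + timedelta(days=90)),
        "locked_at_29m": is_locked(state, T0 + timedelta(minutes=29)),
        "locked_at_31m": is_locked(state, T0 + timedelta(minutes=31)),
        "reauth_at_16m": session_needs_reauth(PCI_DSS_V2, idle, T0 + timedelta(minutes=16)),
        "reauth_at_10m": session_needs_reauth(PCI_DSS_V2, idle, T0 + timedelta(minutes=10)),
    }
```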

Cost Effective HIPAA Compliance Training Programs


emPower eLearning Solutions is excited to offer a training solution that will help organizations train their entire workforce in a timely and cost-effective manner. emPower eLearning Solutions Compliance Training is devoted to helping organizations meet the Administrative Simplification Act section 164.530(b)(1). This section requires employers to provide HIPAA awareness training and job-role policy training. Our course is designed to reach all levels of employees, from providers to billing clerks to housekeeping.

HIPAA’s intent is to reform the healthcare industry by reducing costs, simplifying administrative processes and burdens, and improving the privacy and security of patients’ information.

For more, see http://www.empowerbpo.com/HIPAA_Compliance_Training.html

OCR invites state AGs to gear up for HIPAA security crackdown


The Office of Civil Rights (OCR) in the Department of Health and Human Services is expanding its fight against HIPAA security and privacy violations, as mandated by the HITECH Act. The OCR, a relatively small office with limited manpower, is now inviting the attorneys general of all 50 states to receive training in HIPAA enforcement.

According to Government Health IT, the training course will help the attorneys general and their staffs understand HIPAA rules and the penalties for violating them, and also will teach them how to investigate possible violations. The HITECH Act gives the attorneys general the authority to bring civil actions in this area.

The two-day training courses will begin in April in Dallas, and will continue on in Atlanta, San Francisco, and Washington, D.C. OCR also will provide online training to supplement its in-person sessions.

In addition, OCR will supply information to state attorneys general about pending or concluded OCR actions against healthcare providers, health plans and business associates. So far this year, OCR has levied fines of $1 million against Massachusetts General Hospital and $4.3 million against Cignet Health for HIPAA violations or potential violations.

Besides the frequent losses and thefts of HIPAA-protected personal health information, which continue to be a major problem, John Moore of Chilmark Research has focused attention on a new challenge: Applications designed for Android mobile devices, he says, are insufficiently vetted for security gaps. Google Health recently had to remove 50 malware apps from the Android Market, he says.

Moore says that iPads, which are catching on rapidly among doctors, have less vulnerability because Apple scrutinizes outside applications more thoroughly for security flaws.

Patient info lost on subway earns MGH $1 million HIPAA fine


Massachusetts General Hospital will pay the U.S. government $1 million to settle what the feds are calling “potential violations of the HIPAA Privacy Rule,” according to a statement issued by the U.S. Department of Health and Human Services. The case involves patient information that an employee left on the subway.

This marks the second fine related to HIPAA noncompliance in a week. The first fine, imposed on Cignet Health, was a $4.3 million civil penalty, mostly for failing to cooperate with an investigation.

The settlement follows a probe by HHS’ Office for Civil Rights, which enforces HIPAA rules that require healthcare providers to protect the privacy of patient information through administrative, physical and technical safeguards.

“We hope the healthcare industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information,” OCR Director Georgina Verdugo said in a statement.

The possible HIPAA violation occurred after a Mass General employee left the documents on a subway in March 2009. The documents consisted of protected health information for 192 patients of MGH’s Infectious Disease Associates outpatient practice, which includes HIV/AIDS patients. The investigation found that Mass General failed to implement “reasonable, appropriate safeguards to protect the privacy of PHI” removed from Mass General’s premises and disclosed, potentially violating the HIPAA rule.

A patient schedule containing names and medical records numbers, as well as billing forms that included names, dates of birth, diagnoses, insurer policy numbers and providers, were among documents lost.

As part of a corrective action plan, MGH has promised to develop comprehensive policies and procedures to ensure PHI is protected when removed from the MGH premises, train its workforce on the policies and send twice-yearly reports to HHS for three years.

Feds impose first civil fine ever in HIPAA case


The Department of Health and Human Services’ Office for Civil Rights hit Cignet Health with a $4.3 million civil penalty for violating the HIPAA Privacy Rule and failing to cooperate during the subsequent probe even after a federal subpoena was issued, according to an HHS announcement.

This marks the first time the feds have imposed a civil money penalty for violations of HIPAA since it went into effect in 2003, the Washington Post reports. In earlier cases, offenders such as Rite Aid Corp. agreed to correct their practices or pay fines to settle the case. The fine is based on the violation categories and increased penalty amounts authorized by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

An OCR investigation found that Cignet, which operates two clinics in Maryland, violated the rights of 41 patients who requested their medical records between Sept. 2008 and Oct. 2009 by not producing their records. The patients each filed separate complaints with OCR, which initiated investigations. Under the HIPAA privacy rule, records must be made available within 60 days of a request.

Cignet’s experience is a cautionary tale. Besides violating the HIPAA privacy rule, it failed to respond to OCR’s demands to produce the records. When OCR ratcheted up the pressure and issued a subpoena, Cignet still did not produce records. Only after OCR filed a petition to get a federal court to order Cignet to produce the records did the company stir. Eight days later, the boxes arrived at the DOJ. But Cignet did not make any effort to resolve the complaints through informal means, according to HHS.

OCR imposed $3 million of the $4.3 million fine for the company’s failure to cooperate with OCR’s investigations for nearly 13 months. In the case of Cignet Health, “this was really willful neglect,” Rachel Seeger, a spokeswoman for the OCR, told the Post. “They would not respond to the department.”

What’s more, when the health center finally delivered 59 boxes of records to the Justice Department, the boxes contained not only medical records for the 41 patients, but also records for about 4,500 other patients, whose information Cignet should not have been disclosing, because the records were not part of the probe.

HIPAA Compliance Business Associates Shouldering More Responsibilities


A business associate is an individual, group or organization that performs activities on behalf of a Covered Entity in the capacity of a business partner and is not a member of the Covered Entity’s workforce. The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a Business Associate if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.

The amendment to the HIPAA Privacy and Security Rules made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which came into effect on February 17, 2010, makes it mandatory for all Covered Entities to revise their Business Associate Contracts. This has increased the scope of the law, as more entities are obliged to follow the HIPAA compliance norms. At the same time, the amendment adds more responsibilities for existing Business Associates.

Covered Entities and their existing Business Associates now have to renegotiate their existing contracts to achieve HIPAA compliance. From now on, Business Associates have to adopt additional procedures to completely fulfill the physical, administrative, technical and documentation requirements of the rule. The amendment makes it mandatory for the Business Associate to report the loss of unsecured data to the individual patients and/or the public media, depending upon the scale of the violation.

The new regulatory requirements make it necessary for the Business Associate to thoroughly carry out a risk analysis of its systems and infrastructure to identify existing security weaknesses. The next step is to develop an appropriate policy that effectively removes those weaknesses by incorporating technical security measures like email encryption, user account management, auditing and a proper backup and disaster recovery plan.

Henceforth the Business Associate will also play a more responsible and active role in the secure management of patient health information, which before this amendment was the sole responsibility of the Covered Entity.

The Business Associate plays an important role in preserving the privacy of patient health information.

About emPower

emPower is a leading provider of comprehensive Healthcare Compliance Solutions through a Learning Management System (LMS). Our mission is to provide innovative security solutions to enable compliance with applicable laws and regulations and maximize business performance. We provide a range of courses to manage compliance required by regulatory bodies such as OSHA, HIPAA, the Joint Commission and the Red Flag Rule. Apart from this, emPower also offers custom demos and tutorials for your website, business process management and software implementation.

Our Learning Management System (LMS) allows students to access all the courses 24/7/365 through our portal. The emPower e-learning training program is an interactive mode of learning that lets students progress at their own pace.

For additional information, please visit http://www.empowerbpo.com/HIPAA_Compliance_Training_Course_Template_Policies.html

HIPAA Compliance through Business Associate Agreement


The amendment to the HIPAA Privacy and Security Rules made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which came into effect on February 17, 2010, makes it mandatory for all Covered Entities to revise their Business Associate Contracts. The covered entity should enter into a written contract with its business associate to ensure complete HIPAA compliance. The Covered Entity should:

  • Ensure that Business Associates comply directly with the Security Rule by implementing administrative, technical and physical safeguards for transactions of electronic patient health information. This will prevent unauthorized access during storage, exchange and processing of patient data.
  • Make it mandatory for Business Associates to follow the terms and conditions specified in the agreement or required by law. This includes providing access, maintaining a proper record of disclosures, making disclosures as per the agreement, giving HHS timely access to books, records and transactions for regulatory scrutiny, and returning or destroying PHI, if feasible, upon contract termination.
  • Treat a deviation from the mutually accepted practices as a HIPAA violation by the Business Associate. The contract can be terminated and HHS notified of a willful violation. In the case of an unintentional lapse, the Covered Entity should bring it to the notice of the Business Associate and ensure that the mistake is rectified.
  • Notify Business Associates regarding new requirements.

The Business Associates are now liable and accountable for any violation of HIPAA Privacy and Security rule and hence it is mandatory to revise and implement procedures to ensure complete HIPAA compliance in their business transaction with the Covered Entity. The Business Associate should:

  • Adopt and implement reasonable and appropriate HIPAA Security written policies and procedures. This includes implementation of physical and technical safeguards.
  • Adopt and implement policies and procedures for complying with the Business Associate provisions of the HIPAA Privacy and security rule.
  • Hire a HIPAA Security Officer who reviews and assesses the HIPAA compliance of the organization on a routine basis. This ensures removal of any existing gaps and enables satisfactory compliance with the Business Associate agreement with the Covered Entity.
  • Develop and implement a complaint system so that the clients are served properly.
  • Develop a sanctions policy.
  • Develop and establish a vigilant and reliable system, which identifies protected health information breach and notifies the covered entities.
  • Mitigate any harm from the inappropriate use or disclosure of PHI.
  • Educate and train employees and staff on the new HIPAA policies and procedures to prevent fines and convictions for non-compliance arising from a lack of knowledge or awareness among employees.

The purpose of the written Business Associate agreement is to ensure flow of confidential patient health information in a secure manner. A safe PHI transaction ensures that business relations flourish between both the health provider entities, without compromising the privacy and security of patient health data.

A Business Associate agreement ensures the privacy of patient health information.

Jason Gaya

Read more on HIPAA compliance at www.empowerbpo.com

Network Security Audit- Ensuring HIPAA Compliance


The electronic transaction of confidential patient health information through organizational and public networks requires protection against unauthorized access. The HIPAA compliance norms make it necessary for health entities to incorporate a security audit system in the network, to maintain a complete record of all past and present healthcare transactions. A security audit brings accountability to the system and pinpoints the offender in case of a breach of the privacy of patient health information.

The audit system should have features that allow complete monitoring of the computer network and bring unusual activity to the notice of administrators to prevent a security lapse. If a lapse does occur, the auditors can then establish how and when the event happened, and who did it. The following are the features an ideal network audit system should have:

  • Ability to record the time, nature and type of login, whether it is authorized or unauthorized. This deters hostile users such as hackers, who know they are under the spotlight, and at the same time keeps tabs on what type of information is accessed by authorized users.
  • Ability to provide the log-off time, the details of the user and the type of information accessed before the log-off occurred.
  • Provide a detailed report on unsuccessful logins, including the username, the number of attempts, and the date and time. This feedback is used to increase vigilance and further strengthen the network.
  • Ability to pinpoint the objects accessed, such as a file or directory, and whether the content was read, copied, deleted or modified. It should provide feedback on the integrity of the content so that, if any changes are made, the administrators know whether those changes were legitimate or not.
  • Maintain a complete record of the start-up and shutdown times of the local system.
  • Ability to maintain a complete record of both successful and unsuccessful logins of authorized users.
  • Store and protect data for the desired time period.
  • Provide auditors easy access to the desired data.
  • Ability to monitor the message flow in and out of the network. The security audit should track who sent the message to whom and what was in it.
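The following Python is an added example (not from the post or from any product it describes) of the analysis such an audit trail enables: it parses constructed login, log-off and object-access records, reports unsuccessful logins by username with attempt counts and times, reconstructs each session with the objects read or modified, flags content-hash changes with who made them, and surfaces repeated failures with no subsequent success for administrators. The log format and sample lines are invented for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample audit trail; the line format is invented for this example.
SAMPLE_LOG = """\
2011-03-14T08:02:11 LOGIN_FAIL user=jdoe src=10.0.5.21
2011-03-14T08:02:25 LOGIN_FAIL user=jdoe src=10.0.5.21
2011-03-14T08:02:40 LOGIN_OK user=jdoe src=10.0.5.21
2011-03-14T08:05:02 ACCESS user=jdoe object=/ehr/patient/1001 action=read hash=a1f3
2011-03-14T08:07:30 ACCESS user=jdoe object=/ehr/patient/1001 action=modify hash=9c2e
2011-03-14T08:30:00 LOGOUT user=jdoe
2011-03-14T09:10:12 LOGIN_OK user=mlee src=10.0.5.44
2011-03-14T09:11:00 ACCESS user=mlee object=/ehr/patient/1001 action=read hash=9c2e
2011-03-14T22:15:01 LOGIN_FAIL user=admin src=203.0.113.7
2011-03-14T22:15:09 LOGIN_FAIL user=admin src=203.0.113.7
2011-03-14T22:15:17 LOGIN_FAIL user=admin src=203.0.113.7
"""
LINE_RE = re.compile(r"^(\S+) (\S+)((?: \w+=\S+)*)$")  # timestamp, event kind, key=value pairs

@dataclass
class Event:
    ts: datetime
    kind: str               # LOGIN_OK, LOGIN_FAIL, ACCESS, LOGOUT
    fields: Dict[str, str]  # key=value pairs from the line

def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the audit
        ts, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append(Event(datetime.fromisoformat(ts), kind, fields))
    return events

@dataclass
class FailureSummary:
    attempts: int = 0
    last: Optional[datetime] = None
    sources: set = field(default_factory=set)
    followed_by_success: bool = False

def failed_login_report(events: List[Event]) -> Dict[str, FailureSummary]:
    """Username, number of attempts, time and sources of unsuccessful logins."""
    report: Dict[str, FailureSummary] = defaultdict(FailureSummary)
    for e in events:
        user = e.fields.get("user", "?")
        if e.kind == "LOGIN_FAIL":
            s = report[user]
            s.attempts += 1
            s.last = e.ts
            s.sources.add(e.fields.get("src", "?"))
        elif e.kind == "LOGIN_OK" and user in report:
            report[user].followed_by_success = True
    return dict(report)

@dataclass
class Session:
    user: str
    login: datetime
    logout: Optional[datetime] = None
    accessed: List[str] = field(default_factory=list)  # "action object" per access

def reconstruct_sessions(events: List[Event]) -> List[Session]:
    """Pair each login with its log-off and the objects touched in between."""
    open_sessions, closed = {}, []
    for e in events:
        user = e.fields.get("user", "?")
        if e.kind == "LOGIN_OK":
            open_sessions[user] = Session(user, e.ts)
        elif e.kind == "ACCESS" and user in open_sessions:
            open_sessions[user].accessed.append(f"{e.fields.get('action')} {e.fields.get('object')}")
        elif e.kind == "LOGOUT" and user in open_sessions:
            s = open_sessions.pop(user)
            s.logout = e.ts
            closed.append(s)
    return closed + list(open_sessions.values())  # sessions never logged off come last

def integrity_changes(events: List[Event]) -> List[str]:
    """Every object whose recorded content hash changed, with who changed it and when."""
    last_hash: Dict[str, str] = {}
    changes = []
    for e in events:
        if e.kind != "ACCESS" or "hash" not in e.fields:
            continue
        obj, h = e.fields["object"], e.fields["hash"]
        if obj in last_hash and last_hash[obj] != h:
            changes.append(f"{e.ts.isoformat()} {e.fields.get('user')} {e.fields.get('action')} {obj}: {last_hash[obj]} -> {h}")
        last_hash[obj] = h
    return changes

def alerts(events: List[Event], fail_threshold: int = 3) -> List[str]:
    """Unusual activity for administrators: repeated failures with no successful login."""
    return [f"{user}: {s.attempts} failed logins from {sorted(s.sources)}, last at {s.last}"
            for user, s in failed_login_report(events).items()
            if s.attempts >= fail_threshold and not s.followed_by_success]
```

Run against the sample, `alerts` names only the admin account (jdoe's two failures were followed by a successful login), and `integrity_changes` attributes the one hash change on the patient record to jdoe's modify action.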

It is mandatory for health service providers to ensure HIPAA compliance of their networks; otherwise they risk severe penalties or criminal convictions. The security of the health information stored in the organizational network or flowing in and out of it is of paramount importance. The right auditing system performs round-the-clock surveillance of the computer network and raises alarms against hostile intrusion, helping to deny any security breach. This is completely in line with HIPAA compliance norms.

The security audit protects the patient health information in the network through continuous vigilance.

Jason Gaya

Read more on HIPAA compliance at www.empowerbpo.com

HIPAA Compliance- Selecting the Right Biometric Technology


The prime agenda of HIPAA is to protect the privacy of patient health information and simplify health insurance transactions between different service providers and patients. To accomplish this, it lays special emphasis on converting patients’ medical records from paper to electronic format. The aim is to digitize patient health information so that it can be easily managed by different health entities.

Any covered healthcare entity, which fails to protect the patient health data as per HIPAA compliance norms will invite strict penalties and criminal convictions. As the health transactions are done on the internet, it is mandatory for health service entities to provide a very secure access system so that genuine users can safely transact while the hostile intruders are kept at bay.

Biometric technology embeds unique physical characteristics (fingerprints, iris, retina) and behavioral characteristics (signature, keystroke pattern, voice print) in the system to create a secure and unique identification for each and every user. For a health service provider it is of paramount importance to select the right biometric system, one that is easy to implement and use. Below are some important features such an access system should have:

  • It should be easily deployable. The devices should be cost effective and sport user friendly features so that users can easily access the services.
  • The system should allow the service provider to quickly gather the user data and compare it to an accepted benchmark.
  • Provision for a proper training backup on installation, integration and optimization of such devices.
  • High degree of accuracy. The false-acceptance rate (FAR) and false-rejection rate (FRR) used in biometric measurement should balance each other so that the crossover error rate (CER) is low. A lower CER points to higher accuracy in the system.
  • Customized to the environment. In patient admission, nursing, billing and administration a fingerprint scan will work well, but it will fail in clinics and labs where latex gloves are used.
  • The system should support interoperability so that the data from the different biometric devices can be exchanged and compared with each other. This also provides a greater security assurance by integrating two or more different type of devices to create a strong and tamperproof access system.
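As an added worked example (not from the post), the Python below computes FAR and FRR from constructed matcher scores for genuine users and impostors, locates the crossover (the threshold where the two rates balance, whose common value is the CER), and then repeats the calculation for scores depressed by latex gloves, tying the accuracy bullet to the environment bullet above. The score data and the 0-100 score scale are invented for the example.

```python
from typing import List, Tuple

def error_rates(genuine: List[int], impostor: List[int], threshold: int) -> Tuple[float, float]:
    """FAR: share of impostor attempts accepted (score >= threshold).
    FRR: share of genuine attempts rejected (score < threshold)."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr

def crossover_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Threshold at which FAR and FRR balance, and the CER (their common value) there.

    Every observed score is a candidate threshold; raising the threshold lowers FAR
    and raises FRR, so the crossover is where the gap between them is smallest.
    """
    best_threshold, best_gap, best_cer = 0, float("inf"), 1.0
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if abs(far - frr) < best_gap:
            best_threshold, best_gap, best_cer = t, abs(far - frr), (far + frr) / 2
    return best_threshold, best_cer

def threshold_for_far(genuine: List[int], impostor: List[int], max_far: float) -> Tuple[int, float, float]:
    """Lowest threshold that keeps FAR within max_far, with the FRR that setting costs users.

    This is the security-first tuning; a high FRR here means legitimate staff get locked out.
    """
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    t = max(genuine + impostor) + 1
    return t, 0.0, 1.0  # above the highest observed score nothing is accepted

# Constructed matcher scores (0..100) for a fingerprint reader: genuine users and impostors
# with bare hands, and the same users wearing latex gloves, which depress genuine scores.
GENUINE_BARE = [92, 88, 95, 79, 85, 90, 97, 83, 74, 91, 87, 94, 81, 89, 93, 68, 86, 90, 84, 96]
GENUINE_GLOVED = [s - 25 for s in GENUINE_BARE]
IMPOSTOR = [12, 35, 72, 48, 17, 30, 41, 25, 55, 80, 33, 27, 44, 15, 38, 61, 29, 23, 50, 76]

if __name__ == "__main__":
    for label, genuine in (("bare hands", GENUINE_BARE), ("latex gloves", GENUINE_GLOVED)):
        t, cer = crossover_error_rate(genuine, IMPOSTOR)
        t_strict, far, frr = threshold_for_far(genuine, IMPOSTOR, 0.05)
        print(f"{label}: CER {cer:.2f} at threshold {t}; for FAR <= 5%: threshold {t_strict}, FRR {frr:.2f}")
```

With gloves the CER doubles, and holding FAR to 5% rejects every genuine user, which is the practical meaning of "will fail in clinics and labs where latex gloves are used".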

The right biometric system provides the desired level of security without creating operational hassles for users, whether patients or health service providers. This serves the objectives of the HIPAA compliance norms very well, which are the security and simplification of patient health transactions.

The right biometric technology provides increased security at reduced costs.

Jason Gaya

Read more on HIPAA compliance at www.empowerbpo.com