Enabling HIPAA Compliance with ClearCube


Executive Summary

The Traditional PC Undermines HIPAA Security

The traditional desktop PC was originally designed for stand-alone use and later retrofitted to function in a networked healthcare institution. It is severely limited in terms of meeting the physical and data security requirements of HIPAA.

As the country moves toward the goal of having electronic health records, protecting the confidentiality, integrity and availability of EPHI (electronic patient health information) becomes even more critical. The security standards in HIPAA were developed for two primary purposes: first, the implementation of security safeguards makes an effort to protect EPHI that could be at risk, and second, protecting an individual’s health information promotes the use of electronic health information in the industry.

Meeting HIPAA Regulations with ClearCube

Healthcare organizations are turning to ClearCube to meet these regulations. ClearCube’s PC Blade computing solutions are designed for the security, control, and manageability requirements of the healthcare environment.

The Healthcare Insurance Portability and Accountability Act (HIPAA) legislation’s final Security Rule, released in February 2003, contains specific standards for implementing physical and technical safeguards of patient healthcare information. The traditional distributed PC is fundamentally unable to meet these requirements because it physically locates the computer in unsecured public areas. April 21, 2005 marked the date to meet compliance with the privacy rule as well as the date the security rule went into effect for midsize and large healthcare organizations.

ClearCube is engineered from the ground up to enable a HIPAA compliant PC computing solution AND deliver a full PC experience to any part of the hospital/clinic.

The ClearCube Solution

ClearCube takes the computer off the user’s desk, shrinks it to a PC Blade (powered by the latest Intel processors), centralizes the PC Blades in a secure location, and uses software tools to remotely manage and switch between computers and users. ClearCube’s management software enables a “touchless IT” environment where IT staff can remotely manage, control, and virtualize the resources of their end-user computing assets – without any trips to the desktop.

Five Key HIPAA Regulations

The following five HIPAA regulations summarize the many significant challenges posed by using traditional desktop PCs in the healthcare environment.

1. Facility Access Controls (Section 164.310(a)(1))

What it requires

Healthcare organizations covered by HIPAA must implement policies and procedures to limit physical access to electronic information systems and the facilities in which they are housed, yet still ensure that properly authorized access is allowed.

The desktop challenge

Easily accessible desktop PCs in high-traffic, high-intensity healthcare environments pose a huge risk to data and equipment security. It is difficult to “lock down” a traditional PC when the unit is physically located in public areas.


8834 Capital of Texas Highway North Austin, Texas 78759 Voice 512.652.3500 Fax 512.652.3501 Toll Free 866-652-3500

www.clearcube.com

The ClearCube solution

ClearCube solves the accessibility problems inherent with desktop PCs by centralizing them (CPU, disk drive, and memory) in a secure location. Only the peripherals and User Port (which connects the peripherals to the PC Blade) remain in the user’s workspace.

Key questions to consider:

• Are policies and procedures developed and implemented that allow authorized physical access to electronic files at the facility where they are housed?

• Do the policies and procedures identify individuals with authorized access by title and/or job function?

• Do the policies and procedures specify the methods used to control physical access?

2. Workstation Use (Section 164.310(b))

What it requires

HIPAA requires organizations to implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic patient health information. The workstation use standard also applies to covered entities with workforce members that work offsite using workstations that can access EPHI.

The desktop challenge

PC access is necessary throughout a healthcare environment, whether in exam and operating rooms, nursing stations, emergency rooms, administration areas, training rooms or in remote locations. Limiting workstation use without limiting the functionality of PCs in these areas presents a significant challenge.

The ClearCube solution

ClearCube removes the PC (CPU, disk drive, and memory) from the work environment and secures it in a centralized, rack-mounted environment in the facility’s data center. As a result, patient health information is no longer accessible to anyone but qualified users.

Key questions to consider:

• Do the policies and procedures identify workstations that access EPHI and those that do not, even in remote locations?

• Do the policies and procedures specify where to place and position workstations to only allow viewing by authorized individuals?

• Do the policies and procedures specify the use of additional security measures to protect workstations with EPHI, such as using privacy screens, enabling password protected screen savers or logging off the workstation?

Stolen computers contain data on 185,000 patients

A San Jose-based medical practice has notified about 185,000 current and former patients about the theft of their personal information contained on two computers stolen from its offices during a burglary.

The desktop computers were stolen from a locked administrative office during the burglary and contained names, addresses, confidential medical information and Social Security numbers of some 185,000 current and former patients. The two stolen desktop towers were recently purchased Dell PCs that were being used for year-end audits at the practice.

The data included personal information about patients from the last seven years.

“San Jose Medical Group is committed to protecting the privacy and security of your personal and medical information,” the organization said in its statement. “Unfortunately, it is difficult to fully protect against burglaries and thefts. As your health care provider, one of our top priorities is the protection of your personal information; this is something that we take very seriously. We apologize for any inconvenience or concern this incident has caused.”


3. Workstation Security (Section 164.310(c))

What it requires

Organizations must implement physical safeguards for all workstations that access EPHI in order to restrict access to authorized users.

The desktop challenge

Box PCs are easy targets for unauthorized access. Damage, abuse, and theft (both of equipment and data assets) are serious concerns. Adding physical security safeguards to traditional PCs only serves to exacerbate the space constraint problem.

The ClearCube solution

The centralized ClearCube PC Blades greatly increase the security of IT equipment, solving problems associated with unauthorized network access and data theft. Access to the workstation is restricted by keeping it in a secure room where only authorized personnel work. The central, convenient location of the PC Blades simplifies ongoing support, maintenance, moves/adds/changes, and upgrades, and significantly reduces interruptions and increases uptime.

Key questions to consider:

• Are physical safeguards implemented for all workstations that access EPHI, to restrict access to authorized users?

• Are current physical safeguards used to protect workstations with EPHI effective?

• Have all types of workstations that access EPHI been identified, such as laptops, desktop computers, PDAs?

4. Device and Media Controls (Section 164.310(d))

What it requires

Organizations must implement policies and procedures that control the acquisition, disposal, and movement of hardware and electronic media containing patient health information.

The desktop challenge

Traditional PCs using mass storage devices (CD-ROM, Zip, or floppy disks) greatly compromise the security of patient data while also inviting the support hassle of user-introduced software and viruses.

The ClearCube solution

With ClearCube’s PC Blades, IT administrators can enable or disable the use of mass-storage devices at the desktop, so sensitive patient data cannot be downloaded. The elimination of desktop peripherals defends against the infiltration of viruses and unlicensed software as well.

Key questions to consider:

• Are policies and procedures developed and implemented that monitor the receipt and removal of hardware and electronic media that contain EPHI?

• Do the policies and procedures identify the types of hardware and electronic media that must be tracked?

“An added benefit of ClearCube is the reduction of desktop operating costs and the conservation of much needed space in crowded nurses’ stations, operating rooms, emergency rooms, and training facilities.”

--Gene Strickland, IT Director Medical Center of Central GA

“ClearCube’s centralized management of our technology assets is great for the operating room and other hard-to-access locations.”

--Gerry Boden, Desktop Engineer Cambridge Health Alliance


5. Access Controls (Section 164.312(a)(1))

What it requires

Implementation of unique user identification and emergency access procedures ensures that protected healthcare information is available to authorized individuals. The healthcare institution must utilize technical safeguards to enable secure access to data.

The desktop challenge

Providing system access to the right people at the right time is a challenge for any organization. Healthcare workers are constantly on the move between exam rooms, operating rooms, training rooms, labs, and offices. Frequently, a rushed doctor or nurse may leave a station without properly logging out, exposing patient information.

The ClearCube solution

The ClearCube architecture enables the use of secondary authentication devices like proximity cards, which automatically log users on when they approach a station and log them off when they walk away. This means doctors and nurses can instantly retrieve patient information, quickly access lab results, immediately enter exam notes or prepare diagnostic reports, all without ever leaving the patient’s side.

Key questions to consider:

• What is the current format used for unique user identification?

• Do current information systems have an automatic logoff capability?

Conclusion

ClearCube provides full PC performance while limiting both physical and electronic access to the computer equipment. The result is enhanced system security without increases in management costs. In addition to helping organizations meet the HIPAA security regulations, PC Blades meet the unique challenges of the healthcare environment by enabling healthcare organizations to:

• Improve equipment and data security

• Reduce support costs by 40%

• Simplify maintenance and manageability

• Deliver 99.9% uptime with 5 minute return to service

• Shrink workspace footprint with no heat, noise or fan

ClearCube is the solution of choice for healthcare entities seeking an efficient, powerful, and cost-effective way to comply with HIPAA privacy and security rules.

Source: Centers for Medicare and Medicaid Services

“The ClearCube solution has allowed us to achieve our goal of being a top-notch medical facility by securely and safely deploying PCs where it would otherwise have been impossible using traditional PCs.”

--Keith Minard, CIO Oklahoma Heart Hospital