Security Basics mailing list archives
RE: Healthcare Standards and Regulations
From: Mattias Baecklund <mattias.baecklund () ifsworld com>
Date: Fri, 16 Apr 2010 09:19:56 +0200
Put medical records and that stuff on one network. Put email and internet access on another network. Make the two networks physically separate from one another, and don't connect the medical network to the internet unless you absolutely must do that (read gov regulation). You would have "surf" computers. Also look into PCI-DSS if they are going to handle credit cards as a form of payment for their services. That's my instinctive train of thought.

Mattias Baecklund
SOFTWARE SECURITY ENGINEER
Foundation 1 | Research & Development

Please consider the environment before printing my email
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jason Kolpin
Sent: den 15 april 2010 21:22
To: John Morrison
Cc: security-basics () securityfocus com
Subject: Re: Healthcare Standards and Regulations

I've looked here and now have looked again. Is it just me, or is there absolutely no cut-and-dry guidance for the physical and logical network design regulations for healthcare IT infrastructures? I can sit and read and read to get my one or two sentences per document that cover what I am positive is a tiny chunk of the entire whole, but is this really necessary? Somewhere there must be some cut-and-dry list of HIPAA requirements for IT infrastructure, segmentation, firewalling, and data security. I'm not so concerned about the software or services; I am positive I can manage that. What I am concerned about is not having the email server sharing a zone with their medical records zone, or whatever the requirements may be. I'm also concerned about network user policy and the regulations that apply there as well, including VLAN implementation, what doctors should be able to see and do, as well as what others should and should not be able to do.

Nice guess at California as we have offices there; I am in MT though. I also must note that at a glance the suggestion from another post to read NIST SP 800-66 looks promising to a degree.

Jason Kolpin
Web Specialist
National Center for Appropriate Technology
www.ncat.org

John Morrison wrote:

Jason,

As you are in California I assume the main regulation is HIPAA. Have you tried the HIPAA Resource Center (http://www.aishealth.com/Compliance/HIPAAResource.html) as a starting point? Also, do the suppliers of the products have any literature?

On 14 April 2010 23:22, Jason Kolpin <jasonk () ncat org> wrote:

Hello! I have been approached by a small medical practice to build an infrastructure from the ground up.
After some research I decided I knew nothing about best practices and such in this environment; these folks are in a rural area and have no clue who to contact. I am at a loss as well, other than a big company like Siemens or something. It would be greatly appreciated if anyone on this list knew of a place where I could get some solid information on this subject, refer these folks to a company that does this sort of thing, or offer some advice for a situation such as this. It's not like I am completely clueless concerning server setup and stuff like that, I work IT; I am more interested in security-related information such as typical physical layout for the network, i.e. firewalling and data/service separation issues.

Excuse my ignorance here as this is completely new to me. I have been asked about LIS, RIS, PM, patient records server, scheduling/calendar, billing, email server, domain controller, VPN from two locations and some more. I'm just looking for some simple "stickman" drawings of a typical physical layout using this type of stuff, as well as a place I might go to find out about required/mandated policies and such, and even a few hints on policies you may know that you find important in a situation such as this.

FYI I have already informed these people I am not the man for the job as the risk is too great for me should something bad happen, but they are probably going to use me as a consultant; they have no IT staff and are completely clueless about how the simplest of things work.

I know this is a lot to ask of a mailing list so no surprise if I get no response.

--
Jason Kolpin
Web Specialist
National Center for Appropriate Technology
www.ncat.org