Educause Security Discussion mailing list archives
Re: HIPAA Assessments and Network Access
From: "Schmidt, Eric W" <erschmid () IUPUI EDU>
Date: Wed, 28 Jul 2004 20:48:15 -0500
Here at the IU School of Medicine we decided we couldn't afford the cost of HIPAA consultants, so we developed our own baseline security assessment tool. It is based on a tool developed by the North Carolina HHS and was available for use out on their web site. We adapted the tool to match the final security rule, since the North Carolina tool was written for the proposed rule, and we're almost finished with our initial assessment phase now.

The IT and business administrators for all of our various departments, offices, and centers have all used the tool as a self-assessment. The results of each department's assessment will be rolled up into a school-wide report in the next month or so. Department reports will be prepared, as well as a gap analysis report to help the school's executive leadership determine where to best deploy our limited resources to help us comply with the rule.

If anyone's interested, let me know and I'll be glad to share the assessment tool. The tool is basically several spreadsheets. One spreadsheet allows the user to determine compliance with each specification of the rule; the other spreadsheet is a central area to capture all specific policy, procedures, and documentation supporting each specification of the rule. One spreadsheet provides a summary of the compliance, and another spreadsheet contains reference information for the entire rule.

So far it's been a lot better than a $100,000+ bill from a consultant group....

Eric W. Schmidt, CISSP, CISM
Chief Security Officer
Indiana University School of Medicine

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv on behalf of Michael Cole
Sent: Wed 7/28/2004 4:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Cc:
Subject: Re: [SECURITY] HIPAA Assessments and Network Access

Check out Bradford Software's Campus Manager and Remediation center, it'll do what you're looking for as well as register all your computers.

www.bradford-sw.com

Mike

-----Original Message-----
From: Doug Sandford [mailto:dsandfor () SEEBECK UA EDU]
Sent: Wednesday, July 28, 2004 5:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HIPAA Assessments and Network Access

Apologies for the rather broad subject area(s). I know these items have been discussed in the past, but am looking for some more recent experiences/recommendations.

Have any of you brought in consultants to perform the full range of compliance checks necessary for HIPAA compliance, i.e., Risk Assessment, policy and function creation, etc.? Your recommendations would be welcomed.

Additionally, we are interested in a solution (such as Perfigo or one of the others) that would enable us to check computers as they are attached to our network for current Windows patches, virus software and updates, etc. SUS is certainly a partial answer but requires that we get our hands on each machine.

Again, any recommendations, successes or horror stories will be welcome.

Thanks in advance....

Doug Sandford
Information Security Officer
University of Alabama
Seebeck Computer Center
doug () ua edu

This email is intended only for the person to whom it is addressed. Any review or other use of this information by persons or entities other than the intended recipient or any retransmission without the consent of the sender is prohibited.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- HIPAA Assessments and Network Access Doug Sandford (Jul 28)
- <Possible follow-ups>
- Re: HIPAA Assessments and Network Access Michael Cole (Jul 28)
- Re: HIPAA Assessments and Network Access Bob Kalal (Jul 28)
- Re: HIPAA Assessments and Network Access Schmidt, Eric W (Jul 28)
- Re: HIPAA Assessments and Network Access Ben Sookying (Jul 29)
- Re: HIPAA Assessments and Network Access Angel L Cruz (Jul 29)
- Re: HIPAA Assessments and Network Access Schmidt, Eric W (Jul 29)