Educause Security Discussion mailing list archives

Re: HIPAA Assessments and Network Access


From: "Schmidt, Eric W" <erschmid () IUPUI EDU>
Date: Wed, 28 Jul 2004 20:48:15 -0500

Here at the IU School of Medicine we decided we couldn't afford the cost of HIPAA consultants so we developed our own 
baseline security assessment tool.  It is based on a tool developed by the North Carolina HHS and was available for use 
out on their web site.  We adapted the tool to match the final security rule since the North Carolina tool was written 
for the proposed rule and we're almost finished with our initial assessment phase now.  The IT and business 
administrators for all of our various departments, offices, and centers have all used the tool as a self-assessment.  
The results of each department's assessment will be rolled up into a school-wide report in the next month or so.  
Department reports will be prepared as well as a gap analysis report to help the school's executive leadership 
determine where to best deploy our limited resources to help us comply with the rule.  If anyone's interested let me 
know and I'll be glad to share the assessment tool.  The tool is basically several spreadsheets.  One spreadsheet 
allows the user to determine compliance with each specification of the rule, the other spreadsheet is a central area to 
capture all specific policy, procedures, and documentation supporting each specification of the rule.  One spreadsheet 
provides a summary of the compliance and another spreadsheet contains reference information for the entire rule.  So 
far it's been a lot better than a $100,000+ bill from a consultant group....
 
 
Eric W. Schmidt, CISSP, CISM
Chief Security Officer
Indiana University School of Medicine

        -----Original Message----- 
        From: The EDUCAUSE Security Discussion Group Listserv on behalf of Michael Cole 
        Sent: Wed 7/28/2004 4:38 PM 
        To: SECURITY () LISTSERV EDUCAUSE EDU 
        Cc: 
        Subject: Re: [SECURITY] HIPAA Assessments and Network Access
        
        

        Check out Bradford Software's Campus Manager and Remediation center, it'll do what you're looking for as well as 
register all your computers.   www.bradford-sw.com

        Mike 

        -----Original Message----- 
        From: Doug Sandford [mailto:dsandfor () SEEBECK UA EDU] 
        Sent: Wednesday, July 28, 2004 5:02 PM 
        To: SECURITY () LISTSERV EDUCAUSE EDU 
        Subject: [SECURITY] HIPAA Assessments and Network Access 


        Apologies for the rather broad subject area(s). I know these items 
        have been discussed in the past, but am looking for some more recent 
        experiences/recommendations. 

        Have any of you brought in consultants to perform the full range of 
        compliance checks necessary for HIPAA compliance, i.e., Risk 
        Assessment, policy and function creation, etc? Your recommendations 
        would be welcomed. 

        Additionally, we are interested in a solution (such as Perfigo or one 
        of the others) that would enable us to check computers as they are 
        attached to our network for current Windows patches, virus software 
        and updates, etc. SUS is certainly a partial answer but requires that 
        we get our hands on each machine. Again, any recommendations, 
        successes or horror stories will be welcome. 

        Thanks in advance.... 




        Doug Sandford 
        Information Security Officer 
        University of Alabama 
        Seebeck Computer Center 
        doug () ua edu 

        This email is intended only for the person to whom it is 
        addressed.  Any review or other use of this information by 
        persons or entities other than the intended recipient or any 
        retransmission without the consent of the sender is prohibited. 

        ********** 
        Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
