HIPAA and Network Security

13 09 2007

A friend of mine, who used to work for a company that’s contracted to the state of Wisconsin for its Medicare/Medicaid program, worked more specifically with HIPAA. I asked him this:

I’ve got a question for you… do you have, or know where I might find, information about HIPAA in regard to network security? For instance, companies’ legal responsibilities for keeping electronic data secure?

His response:

That’s a hell of a loaded question. HIPAA actually has very few specifics about what is required for network security, but instead is written vaguely enough that everyone is keeping on their toes. It was enacted back in ’96 so anything they wrote into it is already 11 years old. It’s far from being as simple as “and every entity must have a XXXX type firewall system”… It’s really more like “everyone must do what is necessary to keep the information secure”.

Overall, it affects any covered entity that works with health data: hospitals, other health care providers, health/pharmaceutical insurance companies, state health programs (i.e. Medicaid) etc. All of these need to have a privacy/security plan in place. Also, a LOT of the network security aspect of this is paperwork. When one of the above entities has someone else working for them (like EDS for WI Medicaid), they need to have a business associate agreement or agent subcontractor agreement in place. This forces the subcontractor to follow the rules of the covered entity. And there’s a trickle-down effect as well: when the subcontractor has another subcontractor working for them (like when UGS worked for EDS) there’s another agent subcontractor agreement in place between them. Also, for things like web portals or other remote systems, there are user agreements in place for each user to protect against the dissemination of the data to persons not needing to see it. And user accounts should always follow the “minimum necessary” rule which says that any user should only have access to exactly what they need to accomplish the job and nothing more.

So a security administrator for a company that handles medical records needs to be aware of the nebulous regulations set up by the federal and state governments. Not only do they need to design a security system that will keep information secure, but they need to keep the “minimum necessary” rule in mind, too. It’s a tightrope to walk in ever-changing conditions.

He also provided these links:

Wikipedia has a good article (see the “security rule” section):

The official government site:

Another good government site (more security heavy):

And a good Wisconsin based org that pretty much sets the industry standard for this sort of thing in the state, HIPAA Cow:


She’s not a baby any more.

5 09 2007

Today is Willow’s first full day of Kindergarten. Her first full day going alone. Right at this moment, 8:21 am, she should be sitting on the bus, making her way to school. There are some other kids that live in our apartment building/complex that she knows, and who are a year or few older than she, so she can follow their lead. I just hope she doesn’t freak out and start to panic. I think she’ll be alright though.

I’m probably more worried than she is. This is such a big day for her. I thought about taking the morning off, or at least coming in an hour late or something, but I figured it would probably be best if we made the day as normal and routine as possible. I’ll call Lindsey in a little while and see how she did. I’m not too worried about Willow catching the bus after school; I’m sure they’ll have teachers out there to help the new kids. We’ve tried to make sure that Willow understands that if she gets lost or scared, that she can ask a teacher for help.

Once she gets used to it, time will fly by, and next thing we know, Ari will be going off to Kindergarten. Then we’ll have graduations. And college.


Almost there….

27 08 2007

This school term is almost over. Thank the heavens.

This term has been the hardest so far. The two classes I’ve had, Speech and Linux Administration, were each incredibly demanding. I really wish I’d had these classes separately, especially the Linux class. I’ve really enjoyed it so far, but being paired up with Speech, I wasn’t able to devote as much time and attention to it as I would have liked. I’ve learned a lot of cool things you can do in Linux, and I feel a LOT more comfortable using it.

For my final project, I’ve set up a blog and chat server. Aside from a few anomalous roadblocks, the installations went very smoothly. It wouldn’t be much at all to set up a chat or blog server for our company, I don’t think. It certainly wouldn’t cost a ton of money, especially if you use existing hardware.

I used WordPress for the blogging, and 123flashchat for the IM.

WordPress took a little bit of configuration, but even so, it was very simple and straightforward. There’s very good documentation on the WordPress site, and via Google.

123flashchat was even easier. I just downloaded the server media, unzipped it, and that was it. There was no configuration at all. I was having trouble with it for a while – I couldn’t access the chat interface from a client computer. I tried tweaking IP addresses, subnets, and gateways, but nothing I tried worked. Then I finally realized that the firewall on the server was still on. chkconfig iptables off and service iptables stop did the trick.

Now I just have to show my teacher that the blog and chat servers work, and that will be that. From what I’ve learned doing this, I might see if I can set up a chat server for use here at work, so we don’t have to go through GTalk or other 3rd party services.

This marks the end of my third semester at Herzing. I’m 1/3 of the way through the Bachelor Degree. Next semester I only have two classes, one per term. Which means no online class. Next semester shouldn’t be nearly so hellish.

It’s like pulling teeth

17 07 2007

I’m taking Speech class online this term, and for our first assignment we had to write a speech introducing ourselves using three aspects of our culture. By “culture”, the instructor means any and every aspect of your life. On one hand that makes it easier to write, but on the other hand, it makes it more difficult. How am I supposed to choose just three aspects of my personality to describe myself? I’m more than that.

I thought about this for about three days, but it never got any clearer. I started several times, only to delete it and start again. Finally I’d had enough and shoved my finger down my mental throat and puked out the required five paragraphs. We were supposed to write it as we would normally speak; this is how I speak, minus the tongue-trippings and if I had a few seconds to mentally organize my thoughts. This is what I wrote:

My name is Chris Mathewson. I’ve been searching my whole life for my own culture, and while I’ve made some discoveries, I’m growing more and more certain that what I would consider to be my culture is undefinable. Being an adopted child, my natural heritage is unknown, uncertain, or so diluted as to be indistinguishable. On the other hand, however, not having a specific cultural heritage has allowed me to be open to a wide variety of different cultures from around the world, as well as develop my own unique system of beliefs and customs.

I believe that a person’s spirituality is a completely personal experience. It should involve years of study and discovery on one’s own. Just as people are unique in other aspects, their beliefs should be just as unique. That’s why I’ve stopped labeling myself as belonging to any religion. I’ve gone through years of introspection and have a pretty good grasp on my own spirituality. Just like my heritage, my spiritual beliefs are sampled from many, many different faiths, cut and pasted into an amalgam that is unique from anything else.

My tastes in music, movies, and other forms of entertainment are just as varied. There are only a very few musical genres that I genuinely dislike, while my list of favorites ranges from classical music like Beethoven and Tchaikovsky to fast-paced, guitar-driven heavy metal like White Zombie and System of a Down, with a myriad in between. I also enjoy a variety of movies, some that make you think and others that are filled with the crudest of humor. These varying forms of entertainment appeal to different aspects of my personality and imagination.

Albert Einstein once said, “Imagination is more important than knowledge.” The imagination is limitless and I enjoy stretching my mind as far as I can. I read fantasy novels like The Lord of the Rings, watch movies like The Matrix, and partake in my own meditative exercises that force my mind to think outside the accepted boundaries of our known reality. One of my favorite pastimes is contemplating the concept of infinity, and how our reality fits into it.

Socrates said, “The unexamined life is not worth living.” I’m constantly examining my life, evaluating it, and altering it depending on how I feel it is evolving. Though I see what my life should be like, I can’t always make the necessary changes, either because of environmental reasons or simply because of my own laziness and lack of will power. There is a lot of room for improvement in my life, but I’m fairly confident that my perceptions of myself are mostly accurate.

I know. Pretty bad, eh? Hopefully my instructor will see it as a “good first attempt” and be merciful on me.

I wasn’t able to talk about as much as I probably might have liked, were it a blog entry or some such. But I think the things I did talk about serve as the foundation of the other aspects of my personality, culture, etc. These things are why I believe in the things I do. These are the things that I was born with.

Perhaps at a later time I will examine more specific aspects of myself and delve more into why I am the way I am.

So while this exercise was more painful than a tooth extraction, it served to remind me that I can’t stop evaluating myself and improving what is already there.