164.308(a)(4)(ii)(A) - Isolating Health Care Clearinghouse Functions (Required)

If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

Illustrative Controls and TIBCO LogLogic Solution

Administrators must identify all servers and applications that support health care clearinghouse functions and verify that they have been properly isolated from the rest of the organization. The most prevalent method of isolating these functions is to place the related servers and applications behind firewalls.

Administrators must identify all changes to firewall and router configurations and ensure that a formal change-control process is in place, including management approval and testing, for every change to external network connections and firewall configurations. Administrators must also ensure that all changes are authorized and that rule sets are reviewed periodically.

The most efficient way to identify configuration changes is at the time of the modification. Administrators must set up alerts so that any change to the configuration of network systems and devices, authorized or otherwise, is detected and reported.

Administrators must periodically review all firewall rules to ensure that the access control list is accurate. Administrators must correlate observed network traffic with the firewall policy to validate that the appropriate rules are in place to protect the clearinghouse: accepted traffic that the approved policy would not permit indicates that the deployed rule set differs from the one on file.

In addition, no firewall should allow the use of any known risky service or protocol. These services give intruders an easy way into the company.

Administrators must identify all protocols and services that are considered too risky to pass through the firewall. These include, but are not limited to, FTP (21/tcp), Telnet (23/tcp), Rlogin (513/tcp), Rsh (514/tcp), and NetBIOS (137-139/tcp and udp). FTP, Telnet, Rlogin and Rsh carry credentials and session data in cleartext, and Rlogin and Rsh additionally grant access on the basis of hostname trust files, so a single compromised host inside the trusted range can reach the clearinghouse. Any rule that permits a risky protocol or service must be removed from the firewall policy immediately.
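The three checks described above (alerting on rule-set changes, correlating accepted traffic with the approved policy, and flagging rules that pass risky services) can be scripted against periodic snapshots of a firewall's rule set. The following is an added example written for this page; it is not TIBCO LogLogic code and not part of the HIPAA text. It assumes a simplified, constructed rule format (`action proto src dst port`, first match wins, default deny) and constructed sample snapshots and accepted-connection log entries; a real deployment would feed it rules exported from the actual firewall.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Risky services named in the guide, keyed by (protocol, destination port).
RISKY_SERVICES = {
    ("tcp", 21): "FTP",
    ("tcp", 23): "Telnet",
    ("tcp", 513): "Rlogin",
    ("tcp", 514): "Rsh",
}
for _p in (137, 138, 139):
    RISKY_SERVICES[("tcp", _p)] = "NetBIOS"
    RISKY_SERVICES[("udp", _p)] = "NetBIOS"


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    port: Optional[int]    # destination port, None means any


def parse_rules(text: str) -> list[Rule]:
    """Parse the constructed rule format, e.g. 'allow tcp 10.0.0.0/8 10.50.0.0/16 443'.
    Blank lines and '#' comments are skipped; order is kept because first match wins."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, port = line.split()
        rules.append(Rule(action, proto, src, dst, None if port == "any" else int(port)))
    return rules


def _net_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _rule_covers(rule: Rule, proto: str, src: str, dst: str, port: int) -> bool:
    return (rule.proto in ("any", proto) and _net_match(rule.src, src)
            and _net_match(rule.dst, dst) and rule.port in (None, port))


def risky_allows(rules: list[Rule]) -> list[tuple[Rule, list[str]]]:
    """Allow rules that pass any risky service; a wide-open rule matches several."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        names = sorted({name for (proto, port), name in RISKY_SERVICES.items()
                        if r.proto in ("any", proto) and r.port in (None, port)})
        if names:
            findings.append((r, names))
    return findings


def diff_rulesets(old: list[Rule], new: list[Rule]) -> tuple[list[Rule], list[Rule]]:
    """Rules added to and removed from the rule set between two snapshots.
    Any non-empty result should raise an alert for change-control review."""
    added = [r for r in new if r not in old]
    removed = [r for r in old if r not in new]
    return added, removed


def correlate_traffic(rules: list[Rule], flows: list[tuple]) -> list[tuple]:
    """flows are accepted connections (proto, src, dst, dport) taken from firewall logs.
    Returns the flows the approved policy would NOT permit (first-match deny, or no
    match under default deny): the device is enforcing a different rule set than
    the one on file, which is exactly what the periodic review must catch."""
    unexplained = []
    for flow in flows:
        verdict = "deny"
        for r in rules:
            if _rule_covers(r, *flow):
                verdict = r.action
                break
        if verdict != "allow":
            unexplained.append(flow)
    return unexplained


# Constructed sample snapshots: 10.50.0.0/16 is the (hypothetical) clearinghouse segment.
OLD_POLICY = """
allow tcp any 10.50.0.0/16 443
allow tcp 10.0.0.0/8 10.50.0.0/16 22
deny any any 10.50.0.0/16 any
"""

NEW_POLICY = """
allow tcp any 10.50.0.0/16 443
allow tcp 10.0.0.0/8 10.50.0.0/16 22
allow tcp 10.0.0.0/8 10.50.0.0/16 23   # added without approval: Telnet from the wider org
deny any any 10.50.0.0/16 any
"""

# Constructed accepted-connection log entries: (proto, src, dst, dport).
FLOWS = [
    ("tcp", "198.51.100.7", "10.50.1.10", 443),
    ("tcp", "10.20.3.4", "10.50.1.10", 23),
    ("tcp", "10.20.3.4", "10.50.1.10", 3389),   # nothing in the approved policy allows this
]

if __name__ == "__main__":
    old, new = parse_rules(OLD_POLICY), parse_rules(NEW_POLICY)
    added, removed = diff_rulesets(old, new)
    print("added:", added, "removed:", removed)
    print("risky allows:", risky_allows(new))
    print("accepted flows not explained by policy:", correlate_traffic(new, FLOWS))
```

Run once per snapshot interval (or from a hook on the device's config-change syslog message) and route any non-empty `diff_rulesets`, `risky_allows` or `correlate_traffic` result to the alerting channel; the change that opened Telnet shows up in all three.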

TIBCO LogLogic reports and alerts augment the processes and procedures that protect electronic protected health information from the larger organization by recording and reporting on the addition of new users from the larger organization on clearinghouse servers and systems, and on attempted access from other network segments.

Reports and Alerts

Use the following link or reference to see the 164.308(a)(4)(ii)(A) reports and alerts: 164.308(a)(4)(ii)(A) - Isolating Health Care Clearinghouse Functions (Required).