The good news is that, with the proper configuration, some of your existing applications and operating systems may already meet some, if not all, of HIPAA's authentication, encryption and password management requirements. For example, Windows 2000 and later support solid user authentication (Kerberos in a domain), NTFS access controls, password policies enforced through Group Policy, and even the added protection of the Encrypting File System (EFS). None of these protections are on by default, however; someone has to define the password policy, set the ACLs and enable EFS on the folders that hold patient data, and then verify that the settings actually took effect. If your software doesn't support what you need, then depending on the size of your organization and your budget, look at offerings from RSA, PGP, your software vendor(s) and others for more in-depth support. You'll most likely have to implement third-party products for any content scanning you want to do. For this, check out the offerings from NetIQ (Marshal), CipherTrust, Tumbleweed, SurfControl and others.
Keep in mind that there is no set of products, small or large, that you can buy to make your organization completely HIPAA compliant. It's the policies, the procedures and the ongoing maintenance of your technology systems that will bring you in line with privacy and security best practices and the HIPAA regulations. For more on this, see my article entitled HIPAA compliance doesn't come in a box.
This was first published in February 2003