In the Healthcare Industry
As Dictated by the Health Insurance Portability
And Accountability Act of 1996 (HIPAA)
A JOHNSTON McLAMB WHITE PAPER
By Christine L. Hutchison
Senior Consultant with Johnston McLamb’s Mobile Computing Practice
INTRODUCTION
Healthcare executives are dealing with a number of initiatives that are placing competing demands on their information technology resources. While mandates like the President’s push for electronic health records (EHRs) are encouraging the healthcare industry to consider mobile computing solutions, regulations like the Health Insurance Portability and Accountability Act (HIPAA) have placed stringent—and somewhat ambiguous—data security constraints on the field.

The EHR mandate does provide healthcare organizations with incentive to consider mobile computing options. At the same time, it has put a greater sense of urgency on the need to protect data in the healthcare industry. President George W. Bush’s April 2004 charge to build a system that would provide each U.S. citizen with access to his or her EHR from any location by 2014 has brought additional attention to the issue. His subsequent establishment of the Nationwide Health Information Network (NHIM) is pushing the healthcare industry to look toward web-based systems.

At the same time that these EHR mandates are pushing healthcare organizations to consider mobile computing options, regulations like HIPAA have announced security standards with which many organizations are grappling. The administrative, physical, and technical requirements outlined in the HIPAA documentation are requiring organizations to place extra attention on their existing data security requirements, never mind those of the new mobile computing systems they may be considering.

These competing demands should not turn healthcare organizations away from considering mobile computing implementations, though, because there are significant benefits to be reaped from such efforts. For example, healthcare personnel such as doctors and nurses are constantly on the move. Whether they are moving from room to room within the same building performing rounds or are in transit from hospital to physician office, the healthcare workforce is by nature always on the go. As advancements in technology are made, keeping workers productive and efficient becomes more obtainable and realistic via the implementation of mobile computing applications.

A BRIEF HISTORY OF HIPAA
The U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. Title II (Preventing Healthcare Fraud and Abuse; Administrative Simplification; Medical Liability Reform), in part, includes the Security Rule. The final rule on Security Standards was established on February 20, 2003, and took effect on April 21, 2003, with a compliance requirement date of April 21, 2005.

There are three types of security standards required for compliance: administrative, physical, and technical. Since the penalties for HIPAA violations range from $100 per person per incident for improper disclosures of health information to $250,000 and 10 years in prison for intentional violations (on top of violators always being at risk for class action lawsuits), any entity that offers mobile computing solutions in the healthcare industry must be aware of the technical requirements put in place by Congress.

Those technical requirements—which are used to control access to computer systems and enable covered entities to protect communications containing Protected Health Information (PHI) transmitted over open networks from being intercepted by any individual other than the intended recipient—are as follows:

• Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is

• Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.

• Data corroboration (including the use of check sum, double-keying, message authentication, and digital signature) may be used to ensure data integrity.

• Covered entities must also authenticate entities they communicate with. Authentication consists of corroborating that an entity is who it claims to be. Examples of corroboration include: password systems, two- or three-way handshakes, telephone callback, and token systems.

• Covered entities must make documentation of their HIPAA practices available to the government to determine compliance.

• In addition to policies and procedures and access records, information technology documentation should also include a written record of all configuration settings on the components of the network because these components are complex, configurable, and always changing.

• Documented risk analysis and risk management programs are required. Covered entities must carefully consider the risks of their operations as they implement systems to comply with the act. (This requirement of risk analysis and risk management implies that the act’s security requirements are a minimum standard and places responsibility on covered entities to take all reasonable precautions necessary to prevent PHI from being used for non-health purposes.)

In summary, these standards (1) ensure the confidentiality, integrity and availability of all created, received, maintained, or transmitted electronic protected health information, and (2) protect against any reasonably anticipated security threats or
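The integrity requirement above lists checksums alongside message authentication. The following Python is an added example, not code from the white paper or from Johnston McLamb: it contrasts an unkeyed CRC32 checksum with an HMAC-SHA256 tag on a constructed record and a placeholder key, showing that only the keyed tag still exposes a deliberate edit once the editor recomputes the checksum.

```python
import hashlib
import hmac
import json
import zlib

# Constructed sample record (not real patient data).
SAMPLE_RECORD = {"mrn": "MRN-PLACEHOLDER", "patient": "J. Doe", "dose_mg": 50}
# Placeholder secret; a real key is generated randomly and kept apart from the data.
INTEGRITY_KEY = b"placeholder-secret-key-kept-separately"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical data always yields identical tags."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum_tag(record: dict) -> str:
    """Unkeyed CRC32 checksum: catches accidental corruption only."""
    return f"{zlib.crc32(canonical(record)) & 0xFFFFFFFF:08x}"


def mac_tag(record: dict, key: bytes) -> str:
    """HMAC-SHA256 message authentication code: the key is needed to (re)compute it."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_checksum(record: dict, tag: str) -> bool:
    return hmac.compare_digest(checksum_tag(record), tag)


def verify_mac(record: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(mac_tag(record, key), tag)


def tamper_demo() -> dict:
    """Alter the dose field and report which stored tag still exposes the change."""
    crc = checksum_tag(SAMPLE_RECORD)
    mac = mac_tag(SAMPLE_RECORD, INTEGRITY_KEY)
    altered = dict(SAMPLE_RECORD, dose_mg=500)
    # Whoever edits the stored record can recompute the unkeyed checksum...
    refreshed_crc = checksum_tag(altered)
    # ...but cannot refresh the HMAC without INTEGRITY_KEY.
    return {
        "checksum_detects_edit": not verify_checksum(altered, crc),
        "checksum_detects_refreshed": not verify_checksum(altered, refreshed_crc),
        "mac_detects_edit": not verify_mac(altered, mac, INTEGRITY_KEY),
    }


if __name__ == "__main__":
    print(tamper_demo())
```

The same reasoning applies to the page's mention of digital signatures, which additionally let a recipient verify the tag without holding the signer's secret.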
Because there are no government-sanctioned certifications available for Health Information Systems (HIS), no HIS can unequivocally claim HIPAA compliance. However, by implementing certain technologies and standards, integrated mobile applications can meet HIPAA requirements.

THE CASE FOR MOBILE COMPUTING
Healthcare organizations have identified the implementation of wireless local area networks (WLANs) as a major area for potential growth. Recent surveys indicate WLANs have only penetrated about 13% of the healthcare industry, though.

Indicators show decision makers need and want to have justification for investing in this open mobile market. Within the market spaces utilizing WLANs, decision makers are looking to see which industries are incurring the greatest benefits and what type of benefits are being observed.

The 2003 NOP World Technology study reveals the most significant result of mobilization is the ability to be connected to work, on average, over 3.5 more hours per day. Healthcare workers surveyed also incurred the largest amount of time and money savings and also saw the largest increase in productivity and efficiency across

The healthcare industry’s number-one implementation of mobility solutions involves workflow. The main benefits from mobilization are 1) improving patient care; 2) reducing transaction costs; 3) increasing healthcare quality; and 4) enhancing teaching and research. Research also shows that nurses reap the benefits of mobilization the most since nurses have a higher percentage of access to WLANs than doctors (19% compared to 7%).

So, although only 13% of healthcare institutions currently deploy WLANs, the healthcare industry is reaping and has the potential to reap the highest percentage of the benefits. By providing education about the enormity of the benefits of mobilization and alleviating concerns about security, the healthcare industry has the potential to be the largest beneficiary of a mobilized workforce.

THE REAL IMPACT OF HIPAA ON MOBILE
In the three years since HIPAA compliance has been mandated, 19,420 grievances have been lodged. The most common infractions are that personal medical information has been wrongly revealed or ineffectively protected and—as a result—improper release authorization was obtained. Winston Wilkinson, who heads the Department of Health and Human Services Office of Civil Rights, which is in charge of enforcing the law, states, “Our first approach to dealing with any complaint is to work for voluntary compliance.” However, the HHS has the authority to impose fines of $100 for each violation, up to a maximum of $25,000. The HHS also has the power to pass a violation on to the Justice Department, which can seek penalties up to $250,000 and 10 years in jail.

HIPAA acknowledges that improper disclosure of PHI can and will happen. What HIPAA requires in these instances is the accounting of these occurrences. Medical records are, of course, considered to be PHI. Additionally, any information that contains any data that can identify a person from demographic information and is linked to any information about healthcare services received is also PHI. This is the type of information that needs to be guarded. So, PHI can be any of the following, but is not limited to:

• Names

• Geographic information, including street address, city, county, precinct and all digits of the ZIP code except the first three

• Dates (except year) directly related to the patient including birth date, admission date, discharge date, and date of death

• Telephone numbers

• Fax numbers

• Electronic mail addresses

• Social Security numbers

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers

• Certificate/license numbers

• Vehicle identifiers and serial numbers including license plate numbers

• Device identifiers and serial numbers

• Web universal resource locators (URLs)

• Internet protocol (IP) address numbers

• Biometric identifiers including finger and voice

• Full face photographic images and any comparable images

• Any other unique identifying number, characteristic or code, except as permitted
PHI is routinely stored in computer networks, put into email communications, entered into mobile devices, written down on paper, and distributed over the phone or fax. Each and every institution that handles or comes in contact with any type of this information is responsible for its security and is required to limit and control to whom any type of PHI is distributed. As a mobile solution provider, it is important that any systems created and deployed protect this type of information and can withstand any scrutiny from HIPAA.

THE GOOD NEWS: YOUR CURRENT SECURITY MODEL TRANSLATES TO MOBILE
Although the HIPAA Privacy Rule took effect in April 2003, misconceptions about the rule remain since there is no one governmental agency that can verify any computer system as being “HIPAA compliant.” Meeting the safeguards outlined in the HIPAA Privacy Rule, though, can typically be accomplished by using many of the same security measures that are used to secure data in organizations’ existing wired systems.

WLANs’ security risks include the concerns of protecting data, authenticating users, and shielding against intruders and viruses. These risks are the same risks any other wired computer platform would incur. However—because WLANs integrate handheld devices—there are a few added risks and challenges. Handheld devices are often treated as personal devices and are more easily lost or stolen. Also, because handhelds connect to a network so frequently, extensive wireless security is

Current technologies used to secure wired networks like VPN, SSL, LDAP, etc. can all be extended to WLANs, wide area networks (WANs), and personal area networks (PANs). WLANs use cell phone technology to replace telephone wires. WANs use Wi-Fi (802.11b) to replace Ethernet cables. PANs use Bluetooth® technology to link devices in close proximity and replace USB cables.

A virtual private network (VPN) solution provides secure access to intranet and extranet resources. VPN works well in WANs, local area networks (LANs), and WLANs, so expanding existing VPN security to mobile devices is very cost efficient. Internet protocol security (IPSec) VPN and point-to-point tunneling protocol (PPTP) VPN offer strong security with authentication, encryption, and data integrity checks. IPSec is supported by most Microsoft servers and CISCO gateways. PPTP is compatible with all devices and networks, including 802.11 and 3G wireless.

Secure sockets layer (SSL) is found in almost every web browser and is the most popular wireless protocol. Many handhelds on the market today feature SSL 2.0, SSL 3.0 and 128-bit encryption. SSL VPN takes advantage of this protocol built into web browsers. SSL VPNs work over almost any network and require no additional software because the application is web-based.

802.11 security is a popular WLAN standard. By incorporating 802.1x, an IEEE 802.11 security standard, wireless devices are required to authenticate with access points before accessing the 802.11 network. Cisco’s lightweight extensible authentication protocol (LEAP) is based on the 802.1x standard and provides mutual authentication based on password challenge-response. LEAP also addresses the wired equivalent privacy (WEP) key reuse weakness by exchanging dynamic keys.

Bluetooth security is becoming more popular as more and more Bluetooth-capable devices and accessories are being released. Bluetooth links devices within about 30 feet of each other. The Bluetooth protocol includes user authentication, communication encryption, a new encryption key per session, link level security with 128-bit encryption, “trusted” connections and “discoverable” settings. Many VPN clients can run over Bluetooth.

Infrared (IR) security requires devices to communicate within 4 feet or less of the beaming device. The recipient is prompted to accept when an incoming transmission is attempted. This puts control of incoming data in the hands of the user.

System threats and risks are very similar for both wired and wireless applications, but WLANs add technological risks like interference. The 2.4 GHz frequency is the main frequency for items like Bluetooth, cordless phone systems, and baby monitors. 802.11b and 802.11g networks all share these same radio frequencies. Wireless systems are now at risk from inadvertent eavesdropping by users of these types of devices. The IT industry needs to have solutions to secure protected health information.

“Wired equivalent privacy (WEP) looks to protect the authorized users from eavesdropping by making the wireless link as secure as the replaced wired link,” explains Frost & Sullivan Research Analyst Arjun Chokkappan. “WEP uses symmetric encryption techniques and stream ciphering that can be embedded in the hardware components.”

INFORMED MOBILE COMPUTING PLAN
Fully leveraging the existing infrastructure to address HIPAA-related security concerns is one of the most effective ways to begin the process of implementing a mobile computing solution within a healthcare setting. Johnston McLamb’s Mobile Computing practice promotes this approach and follows an Informed Mobile Computing Plan (IMCP) methodology when working with clients facing these challenges. This IMCP is a five-phase process that includes Business Intelligence, Business Planning, Product/Service Evaluation, Implementation, and Support and Maintenance.
In order to generate an appropriate and effective mobile solution, it is of key importance that the company providing the solution knows the client’s business and industry regulations and that the client receiving the solution understands all available options. All of the IMCP phases work together to achieve these goals and to help both parties fully understand workflow requirements, industry standards and regulations, and implementation options.

• Phase 1 (Business Intelligence) is the phase where Johnston McLamb’s experienced consultants obtain on-site knowledge of the business processes performed on a daily basis.

• Phase 2 (Business Planning) is where Johnston McLamb provides recommendations for mobile solutions. Each potential solution is evaluated on a number of factors, including its flexibility, its risk and complexity, its turnover time, its cost, and the potential return on investment it could generate.

• Phase 3 (Product/Service Evaluation) is the phase where Johnston McLamb provides analysis and recommendations regarding the selection of devices, service providers, and networking setup.

• Phase 4 (Implementation) is where Johnston McLamb’s technical professionals design, develop, and deploy the hardware and software solutions chosen by the client.

• Phase 5 (Support and Maintenance) is the phase where Johnston McLamb’s consultants remain available to the client to provide training and knowledge transfer and potentially take part in revisiting some of the earlier phases in order to enhance the solution to meet additional client requirements.

The ultimate goal of Johnston McLamb’s Informed Mobile Computing Plan is to ensure that our clients have a complete understanding of the mobile computing options available to them. Additionally, within the healthcare arena, data security becomes a key part of the discussion during each phase of the IMCP.

SUMMARY
The healthcare industry is positioned to reap a significant number of benefits and rewards from mobilizing its workforce. The move by NHIM (Nationwide Health Information Network) to require Electronic Health Records (EHR) to be accessible by every person in the United States from any location is forcing the healthcare industry to act now.

By providing decision makers with accurate and timely information to dispel any security concerns they may have about mobilization and utilizing the guidelines set by HIPAA, the healthcare industry can implement mobile solutions that will increase efficiency and productivity while reducing costs and errors. Johnston McLamb’s Informed Mobile Computing Plan is designed to aid decision makers by defining their business processes and needs, analyzing and recommending appropriate—and secure—mobile solutions, and implementing a solution that moves an organization toward achieving the workflow improvements so clearly tied to mobile computing.
ABOUT THE AUTHOR
Christine L. Hutchison is a Senior Consultant with Johnston McLamb’s Mobile Computing Practice. She has done
Oracle PL/SQL and Java programming for more than 10 years. She currently specializes in front-end/GUI
development, specifically within the mobile computing market.
4840 Westfields Boulevard, Suite 200 | Chantilly, VA 20151 | P: 703.502.0901 | F: 703.502.0905 www.johnstonmclamb.com