the perspective
February 2005

HIPAA Security Rule: Is your Organization Compliant?
a special supplement to The UNI/CARE Perspective

Security Compliance Tips
- Develop information security policies
- Allocate financial and staff resources
- Develop procedures to implement information security policies
- Train clinical staff on the importance of computerized information security practices
- Establish senior management understanding and commitment to information security
- Perform an internal risk assessment
- Document internal security breaches/risks
- Rank the threat level of the identified breaches/risks
- Develop corrective action plans
- Assess/Reassess the adequacy of current security controls
- Develop follow-up measures
- Develop periodic training programs

Table of Contents
- The UNI/CARE Perspective (pages 2-3), by May Ahdab, Ph.D., President & CEO, UNI/CARE Systems, Inc.
- Security of Health Information: The Latest HIPAA Deadline (pages 4-5), by Paul Litwak
- HIPAA Deadline Update (pages 6-9), by Henry Yennie, GSW, State of Louisiana Office of Mental Health
- Countdown to HIPAA Security Rule Compliance (pages 10-12), by Jim Catan, Vice President of Consulting Services, UNI/CARE Systems Inc.
- Implementation Challenges for HIPAA Security Regulations (pages 13-16), by Arnold Scarpitti, CISSP

Comments?
The UNI/CARE Perspective was created for you! Did you like what you read? Do you have an experience you would like to share? We welcome your feedback and would value your articles. If you would like to give us your feedback or submit an article, please send it by email to email@example.com, by fax to (941) 954-2033, or by mail to UNI/CARE Systems, Inc., 540 North Tamiami Trail, Sarasota FL 34236.

Thank You
UNI/CARE would like to extend a special thanks to Paul Litwak, Henry Yennie, Jim Catan, Arnold Scarpitti, Jamie Smith, Nona Sullivan and all those who contributed to this supplement.

the UNI/CARE perspective

The UNI/CARE Perspective
by May Ahdab, Ph.D., President & CEO

Risk analysis, self-assessment, and implementation of security standards and safeguards are the buzz words discussed by many organizations providing behavioral healthcare services in their quest to meet the HIPAA Final Security Rules by April 20, 2005. Regardless of the current issues facing our industry, including budget restrictions, limited reimbursement, HIPAA transactions processing requirements and information overload, organizations are once again being asked to revise their internal culture in an attempt to understand and implement new processes designed globally to protect the security of a consumer's health record.

Our current supplement focuses on providing our readers with an outline of the HIPAA Final Security Rules as well as a review of their implementation from various perspectives. With only three months remaining prior to the rules becoming effective, it is important for every organization to review the status of its compliance effort, and rate its effectiveness in the following areas:
- Definition of the scope of the project charter, including strategic planning and allocated budget and staff resources
- Review of the current security-related policies and procedures
- Development of a gap analysis comparing current policies and procedures with the required HIPAA Security Rules and identifying deficiencies
- Design of a risk analysis methodology aimed at the assessment of vulnerabilities and threats as well as the ranking of their impact on security compliance
- Design of an action plan documenting corrective actions and follow-up tasks
- Design of a training plan aimed at staff working with consumers' health records
- Design of a periodic self-assessment tool to be used to identify further risks and vulnerabilities
- Design of periodic remediation plans
- Development of a communication plan with executives, managers, clinical staff and clerical staff

In closing, a properly developed and implemented security program has the potential to provide your organization with a valuable assurance tool for evaluating the state of your compliance with the HIPAA Security Rules. We hope that you find the information provided in this supplement useful, and that you will put our suggestions into action (if appropriate) to ensure the security and compliance of your information network.

HIPAA PRIVACY REGULATIONS - FINAL SECURITY RULES

The following is a list of the Safeguards, Standards and Implementation Specifications that can be of use while ensuring that your organization is compliant as of April 21, 2005. Standards are listed as headings, with their section number in parentheses. If a standard has related Implementation Specifications, they are listed below the standard. In addition, every Implementation Specification is categorized either as an R or an A. "R" means that an implementation specification is required. "A" means it is "addressable". You should note, however, that "addressable" does not equate with an optional item. As an organization, you should address whether or not the standard is reasonable and appropriate within the uniqueness of your organizational environment, and document the results of such an assessment, as well as the subsequent decision to implement or not to implement. If the standard is found to be reasonable and appropriate within your organizational culture, it should be implemented.

Implementation of a standard will require the design of an assessment checklist by your security team. The checklist should include whether the standard is already implemented or needs to be implemented. If the standard needs to be implemented, the checklist should include the documentation of the process undertaken to deploy the implementation of the standard. As such, the checklist should include items such as the policies to be developed, the procedures to be implemented by the security team, the final draft agreed upon by administration and the documentation of the training provided to staff.
HIPAA Privacy Regulations

ADMINISTRATIVE SAFEGUARDS

Security Management Process (Standard, Section 164.308(a)(1))
  Implementation Specifications:
    Risk Analysis (R)
    Risk Management (R)
    Sanction Policy (R)
    Information System Activity Review (R)

Assigned Security Responsibility (Standard, Section 164.308(a)(2))

Workforce Security (Section 164.308(a)(3))
  Implementation Specifications:
    Authorization and/or Supervision (A)
    Workforce Clearance Procedure (A)
    Termination Procedures (A)

Information Access Management (Section 164.308(a)(4))
  Implementation Specifications:
    Isolate Healthcare Clearinghouse (R)
    Access Authorization (A)
    Access Establishment and Modification (A)

Security Awareness and Training (Section 164.308(a)(5))
  Implementation Specifications:
    Security Reminders (A)
    Protection from Malicious Software (A)
    Log-in Monitoring (A)
    Password Management (A)

Security Incident Procedures (Section 164.308(a)(6))
  Implementation Specifications:
    Response and Reporting (R)

Contingency Plan (Section 164.308(a)(7))
  Implementation Specifications:
    Data Backup Plan (R)
    Disaster Recovery Plan (R)
    Emergency Mode Operation Plan (R)
    Testing and Revision Procedure (A)
    Applications and Data Criticality Analysis (A)

Evaluation (Section 164.308(a)(8))

Business Associate Agreements (Section 164.308(b)(1))
  Implementation Specifications:
    Implement administrative, physical and technical safeguards (R)
    Ensure that agents agree to implement safeguards (R)
    Report to covered entity any security incident (R)
    Authorize termination of contract by the covered entity (R)

PHYSICAL SAFEGUARDS

Facility Access Controls (Section 164.310(a)(1))
  Implementation Specifications:
    Contingency operations (A)
    Facility security plan (A)
    Access control/validation procedures (A)
    Maintenance records (A)

Workstation Use (Section 164.310(b))

Workstation Security (Section 164.310(c))

Device and Media Controls (Section 164.310(d)(1))
  Implementation Specifications:
    Disposal (R)
    Media Re-use (R)
    Accountability (A)
    Data backup and storage (A)

TECHNICAL SAFEGUARDS

Access Control (Section 164.312(a)(1))
  Implementation Specifications:
    Unique user identification (R)
    Emergency access procedure (R)
    Automatic logoff (A)
    Encryption and decryption (A)

Audit Controls (Section 164.312(b))

Integrity (Section 164.312(c)(1))
  Implementation Specifications:
    Mechanism to authenticate ePHI (A)

Person/Entity Authentication (Section 164.312(d))

Transmission Security (Section 164.312(e)(1))
  Implementation Specifications:
    Integrity controls (A)
    Encryption (A)

ORGANIZATIONAL REQUIREMENTS

Security Policies and Procedures (Section 164.316(a))
  Implementation Specifications:
    Reasonable and appropriate (R)
    Comply with standards (R)

Documentation (Section 164.316(b)(1)(2))
  Implementation Specifications:
    Document policies and procedures (R)
    Document action, activity or assessment (R)
    Maintain documentation for 6 years of initial date (R)
    Make documentation available for implementation (R)
    Review and update documentation periodically (R)

Security of Health Information: The Latest HIPAA Deadline
by Paul Litwak

April 21, 2005 is the deadline for compliance with the HIPAA Security Rule. You're probably sick of HIPAA, and I don't blame you. But this isn't a job that can be assigned to your computer network administrator and forgotten. Security management decisions should be made on the "enterprise" level and be based on a solid understanding of business needs, regulatory requirements, security risks, and risk management.

Real Stories

Here are a few publicly reported events in which the security of confidential information was compromised and individual privacy rights were compromised. In each case, the organization that held the information meant to keep it confidential.

The Miami Herald reported on Sept. 30, 2004 that confidential child-abuse and foster-care records for nearly 4,000 Central Florida children were made available to anyone with Internet access through a gaping security breach in a child welfare agency's computer system.

On April 2, 2004, a hacker gained access to a server at the University of Kansas that contained records of prescriptions filled at an on-campus pharmacy since 1994. Files on the server included prescription information for students, faculty and staff, Social Security numbers, student identification numbers, names, addresses and birth dates.

In February 2003, a jury awarded $2.3 million to three women whose mental health treatment records were not kept private by West Virginia University Medical Corp., also called University Health Associates. A records clerk had removed the records, taken them home and to local bars and discussed them with people. The clerk was clearly acting outside the scope of his employment and was fired. Nonetheless, the jury found that the hospital had breached its duty of confidentiality. The verdicts did not include punitive damages.

For eight days, beginning on Oct. 29, 2001, detailed psychological records of at least 62 children and teenagers were accidentally posted on the University of Montana website.

Eli Lilly & Co., maker of the antidepressant Prozac, inadvertently divulged the names and e-mail addresses of 600 psychiatric patients in a mass e-mail. The company was investigated by the Federal Trade Commission, and reached a settlement in which it agreed to bolster the security of its Internet site.

A Nevada woman bought a used computer, and discovered the prescription records of thousands of people on the machine's hard drive. The previous owner was a pharmacy.

On Dec. 14, 2002, burglars stole computer equipment and data files from TriWest Healthcare Alliance, a Phoenix-based management service organization. The equipment included health records of over 500,000 people covered by the Department of Defense TRICARE program in 16 states.

Legal and Accreditation Standards Relating to Information Security

The Department of Health and Human Services and JCAHO each require healthcare organizations to adhere to standards for securing the confidentiality, integrity and availability of "electronic protected health information".

The final HIPAA Security Rule, codified at 45 CFR Parts 160 - 164, is the most comprehensive statement of standards for the security of health information. JCAHO standards for Confidentiality and Security (IM.2.10-40) are far less specific. Compliance with the Security Rule ensures compliance with the JCAHO information security standards, but the opposite is not true. For that reason, the focus here is on the Security Rule.

The HIPAA[1] statute required the Secretary of Health and Human Services to enact national standards for the security of health information systems. Those standards, published in February 2003, supersede inconsistent requirements of state law (unlike the Privacy Rule, which defers to "more stringent" provisions of state law). The deadline for compliance with the Security Rule is April 21, 2005 for covered providers and most health plans. It is April 21, 2006 for small health plans.

Both the HIPAA statute and the final Security Rule require covered entities to:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule.
- Ensure compliance by its workforce.[2]

The Secretary of Health and Human Services is empowered to impose civil penalties for non-compliance with these requirements. The law also creates criminal penalties for willful or malicious violations of privacy rights (although criminal prosecution is extremely unlikely for anything short of selling celebrity medical records).

While there is no "private right of action" to directly enforce the HIPAA Security Rule, it is reasonable to expect that the standards adopted in the rule will become the "standard of care" applied to determine liability in private lawsuits.

A Few Important Principles

Flexibility

The final Security Rule is based on three concepts derived from the HIPAA statute. It is designed to be:
- Comprehensive and coordinated, to address all aspects of security.
- Scalable, so that it can be effectively implemented by covered entities of all types and sizes.
- Technology Neutral, allowing covered entities to make use of future technology advancements.[3]

The rule allows covered entities a great deal of flexibility in selecting security measures to meet its standards and implementation specifications. Covered entities are permitted to apply any security measure that is reasonable and appropriate to meet the underlying standards. The measure of "reasonable and appropriate" is based on a number of factors, including the nature of the security risk, the size, complexity, and resources of the covered entity, and cost.

Standards and Implementation Specifications

The Security Rule includes standards and implementation specifications that provide instructions for implementing standards. Covered entities are required to meet each standard. Implementation specifications fall into two categories - "required" and "addressable". There are only 13 required implementation specifications, and covered entities must implement all of them. DHHS introduced the concept of "addressable implementation specifications" to provide covered entities additional flexibility with respect to compliance with the security standards. Covered entities are free to evaluate each addressable implementation specification to determine if it is "reasonable and appropriate" to apply that specification to meet the underlying standard, or whether alternative security measures are sufficient, given the risks involved.

About the Author

Paul Litwak is a health lawyer and consultant whose specialty is health information technology. He is the author of A Path to HIPAA Compliance, and co-author of A Path to Compliance with the HIPAA Security Rule, a comprehensive guide to the Security Rule, including model forms, policies, compliance checklists, and detailed references to security resources. The guide is available at www.hipaacomplianceguide.com. Mr. Litwak can be reached at 757-431-2020 or firstname.lastname@example.org.

[1] HIPAA refers to title II, the "Administrative Simplification" provisions of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-91)
[2] 42 USC 1320d-2(d)(2); 45 CFR 164.306(a)
[3] 68 Federal Register 8335

HIPAA Deadline Update
by Henry Yennie, GSW, State of Louisiana Office of Mental Health
Source: CMS Website

As the New Year arrives, so does the deadline for compliance with the HIPAA Security Rule. In review, let's look at the recent information on HIPAA deadlines published by CMS[1] (Centers for Medicare and Medicaid Services):

Date            Deadline
April 20, 2005  Security Standards - all covered entities except small health plans.
August 1, 2005  Employer Identifier Standard - small health plans.
April 20, 2006  Security Standards - small health plans.
May 23, 2007    National Provider Identifier - all covered entities except small health plans.
May 23, 2008    National Provider Identifier - small health plans.

As the Security Rule is the next impending event, we have assembled the following information to help behavioral health organizations craft a compliance strategy. First, we should all speak the same language, and the following list of definitions may help:

Access means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.

Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information.

Authentication means the corroboration that a person is the one claimed.

Availability means the property that data or information is accessible and usable upon demand by an authorized person.

Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes.

Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

Facility means the physical premises and the interior and exterior of a building(s).

Information system means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.

Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner.

Malicious software means software (for example, a virus) designed to damage or disrupt a system.
Password means confidential authentication information composed of a string of characters.

Physical safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

Security or Security measures encompass all of the administrative, physical, and technical safeguards in an information system.

Security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Technical safeguards means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.

User means a person or entity with authorized access.

Workstation means an electronic computing device (for example, a laptop or desktop computer) or any other device that performs similar functions, and electronic media stored in its immediate environment.

Second, we need to understand some fundamental concepts about the final rule. The final Security Rule, in many respects, is somewhat simpler to interpret and apply than the draft standards that caused so much concern. The following summary outlines the general requirements and the flexibility allowed by the final rule:

Covered entities must do the following:
1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
4. Ensure compliance with this subpart by its workforce.

Flexibility of approach:
1. Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified.
2. In deciding which security measures to use, a covered entity must take into account the following factors:
   a. The size, complexity, and capabilities of the covered entity.
   b. The covered entity's technical infrastructure, hardware, and software security capabilities.
   c. The costs of security measures.
   d. The probability and criticality of potential risks to electronic protected health information.

Let's focus on the issue of flexibility. The final rule introduces a critical distinction between "required" and "addressable" standards and implementation specifications. This distinction can be first summarized in the following manner:

Implementation specifications:
1. Implementation specifications are required or addressable.
2. When a standard includes required implementation specifications, a covered entity must implement the implementation specifications.
3. When a standard includes addressable implementation specifications, a covered entity must:
   a. Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information.
   b. As applicable to the entity:
      i. Implement the implementation specification if reasonable and appropriate; or
      ii. If implementing the implementation specification is not reasonable and appropriate:
         1. Document why it would not be reasonable and appropriate to implement the implementation specification; and
         2. Implement an equivalent alternative measure if reasonable and appropriate.
For the visually inclined, we have provided the following graphical decision tree for determining how your organization might comply with the "addressable standards": 8 the UNI/CARE perspective HIPAA Deadline Update HIPAA Final Security Rule Implementation Standards Standard is Required Standard is Addressable Assess if reasonable and appropriate CE must implement as written Reasonable and Implement Yes appropriate? No Must be based on a Document why Risk Analysis Implement Yes Equivalent alternative reasonable and appropriate? Document why No It is important to note the following qualifications: Although cost of compliance can be a factor in not implementing an addressable standard as written, it cannot be the only factor. In order to effectively make this decision, the organization must have completed a Risk Assessment (which is not an addressable standard - it is required of all covered entities) 1 CMS Website: http://www.cms.hhs.gov/hipaa/hipaa2/default.asp Contact Information: Henry Yennie, GSW State of Louisiana Office of Mental Health 210 State Street, Cottage #4 New Orleans, LA 70118 Office: (504) 896-2639 Email: email@example.com 9 the UNI/CARE perspective Countdown to HIPAA Security Rule Compliance by Jim Catan, Vice President of Consulting Services UNI/CARE Systems, Inc. Thursday, February 20th, 2003 started the count- zation’s most important high-risk areas. The well- down on the HIPAA Security Rule compliance clock. known business adage that twenty percent of the Although the Security Rule had been published in issues will determine eighty percent of the cost, will draft form for over a year prior to that, many organi- likely apply to security compliance costs as well. zations waited to see the final form before beginning their planning. Fast forward to the present, late Performing a Security Risk Analysis 2004. 
With procrastination taking its toll and just Security deals with integrity, availability and confi- under 6 months until compliance is required (April dentiality. Using this definition, HIPAA security is 21, 2005 is the official date.), the stress is mounting about ensuring that systems are available, that on the question of preparedness. Can your organi- viable contingency planning and disaster recovery zation count itself among the minority of companies plans have been made, and that adequate access who claim full compliance with the comprehensive security measures are in place. new Security Rule? Executive teams and Boards of Directors should be asking this question on a week- A critical eye and careful planning are required prior ly basis. Even if the answer is "no", it is not too late to beginning the process of risk analysis and securi- to kick your Security Rule compliance efforts into full ty planning. The risks, threats, problems and extent gear. of possible damage must be fully understood, prior to drawing conclusions about what needs to be While the Privacy Rule was all about the Human addressed. Resources issues surrounding your new HIPAA- mandated privacy policies and procedures, the According to the HIPAA Security Rule, covered search for answers to the Security Rule compliance organizations or entities (CE’s) are required to imple- should start with a call on your Chief Information ment a risk management program. The purpose of Officer (CIO) or Information Systems manager. The the risk management program is to evaluate the staff of the IT department has most likely been value of the assets, the potential for a loss or disclo- tasked with developing and implementing cost-effec- sure, and the cost of additional countermeasures. tive, enterprise-wide security programs. 
However, the entire senior management team should play an The HIPAA Security Rule references major national important strategic planning role in the process, as standards by which CE’s can quantify their risk as the rules effect the nearly the entire corporate back- well as their return on investment (ROI) of associat- bone in one form or another. ed security measures. One such national standard is published by the National Institute of Standards The compliance planning process should focus on and Technology or NIST. Their publication Risk three major questions as follows: Management Guide for IT Systems (800-30) is a 1. Security risks to the organization - what are benchmark for all organizations engaged in risk they and which are the highest priorities or analysis. It assists in the analysis of risks based on greatest threat? the following factors: 2. Security measures to implement - what should your plan be to reduce risk and The likelihood of a given threat-source’s become HIPAA Security compliant? attempting to exercise a given vulnerability 3. Fiscal-based analysis - how much money The magnitude of the impact should a threat- and resources should you budget for source successfully exercise the vulnerability security, based on the stated risk of each The adequacy of planned or existing security threat? controls for reducing or eliminating risk In order to address these questions, both the short While the NIST approach may be adequate for a risk term and long-term effects of the HIPAA Security management program focusing only on IT systems, Rule must be analyzed, with a focus on the organi- 10 the UNI/CARE perspective Countdown to HIPAA Security Rule Compliance the scope of the HIPAA Security Rule encompasses Additionally, your analysis of ePHI should extend more than IT. 
Executives should review threats to all beyond the obvious areas of your medical record organization’s assets including risk caused by finan- system and encompass your ancillary patient cial and personnel issues. records such as electronic lab, pharmacy data, MRI’s/CT scans, biomedical devices, and PDAs. It is of utmost importance that you include staff from all areas on your HIPAA risk analysis team. By doing You must also consider external risk factors, for so you will ultimately achieve a comprehensive risk example a software vendor that won’t meet the min- analysis. Be sure that areas like contract adminis- imum security requirements by the compliance date. tration, human resources, business office, and phys- This can include Business Associates (BA’s). If one ical facilities are made an integral part of the HIPAA of these businesses is culpable in a security breach, Security analysis and planning team or task force. your organization may face consequences, unless you have performed all required due diligence. This The following guideline can assist security planners is where the importance of due diligence comes in and executives through the initial phases of devel- and most importantly in the documentation of your oping an appropriate security program for their com- HIPAA security planning and activities. Notes of all pany. Some companies may want to consider con- security meetings, decisions and subsequent actions tracting with a security consultant, who can perform should be documented and kept - in order to prove vulnerability and penetration studies on your network due diligence if need be. and computer systems. In assessing risk it is important to determine the Identifying Security Risks potential outcome that could result from each identi- The management team’s first task is to identify what fied risk. Ask what adverse events could occur at is worth protecting. HIPAA is specifically about safe- your facility? 
guarding patient information from both disclosure and damage. Your analysis should consider the following security risks:

- Unauthorized access to or disclosure of electronic Protected Health Information (ePHI)
- Complete loss or corruption of ePHI
- Temporary loss or unavailability of medical records
- Loss of physical assets (network infrastructure, computers, etc.)
- Threats to the safety of patients and employees
- Loss of cash flow
- Harm to reputation and/or public confidence in your organization

Each of the above risks should be analyzed and quantified in order to prioritize their potential damage to the organization. This ranking will assist in the development of a security plan and allow you to focus on the highest threats to your specific organization. One important corollary of this analysis is that it must be individualized for each organization, since a one-size-fits-all approach could end up focusing on the wrong or inappropriate issues while leaving more important vulnerabilities specific to your agency unchecked, or with insufficient focus on mitigating the risk.

What damage or harm could they cause? What is the likelihood of their occurring? Have you taken steps to prevent them or minimize their impact? Examples include:

- Misuse of authorized access (an employee divulges system passwords or PHI to an outside source, or an errant email containing ePHI is sent to a large group of unauthorized users)
- Unexpected systems downtime
- Ineffective disposal of ePHI and other sensitive data
- Unauthorized access by employees, ex-employees or the general public to facility areas that are not properly secured
- Natural physical events (fires, floods, explosions, earthquake, hurricane)
- Unauthorized access to systems by hackers
- Physical harm to employees or patients
- Systems that are not set up to effectively monitor security incidents
- Inadequate training of staff for emergency incidents
- Financial malfeasance

Security Action Plan

The HIPAA Security Task Force should:

- identify and evaluate the organization's assets
- determine what causes are most likely to threaten them
- estimate the level and likelihood of harm occurring
- assess the adequacy of current security controls

Next, determine what control options exist and the cost associated with each option. Using this information, your organization can document decisions based on reducing risk to acceptable levels, while ensuring that resources are expended appropriately and prudently based on the risk to the organization.

Finally, the organization must prioritize, budget, plan and implement controls that will limit the risk to its assets. The Security Rule requires that you document the actions you take to reduce risk to your assets. Ultimately, your documentation could serve as the basis of the proof of your due diligence security efforts.

Part of the analysis should include a review of all HIPAA requirements to determine what gaps exist between the current environment and the standards. These gaps represent risks that must be addressed, although other risks may have been identified that the organization will also want to plan for.

It is important to realize that some security-related events or conditions cannot be "managed", but must be addressed. For example, if you share computer terminals in the same workspace where all users have the same network or application sign-on, such as "clinician", that is a breach of HIPAA security requirements (the Security Rule's unique user identification specification requires that each user be assigned a distinct name or number, so that activity in the audit trail can be traced to a person). The security plan must include measures to eliminate these types of security gaps, not just attempt to manage them.

All risks identified in your analysis should be ranked with a threat level from 1 to 5, with 1 being the highest risk and 5 being a low level of risk. This will assist in prioritizing the activities that must be performed.

When the above risk assessment information has been documented, an action plan involving all stakeholders can be created, spearheaded by your IT and security staff. The plan should clearly document how your organization is planning to reduce risk to acceptable levels.

Cost is clearly one of the factors in determining what security measures to implement. Cost cannot be used as a reason for NOT implementing security controls that are reasonable. You will need to defend how much your organization spends to ensure the security of your information and reduce risk to an appropriate level. You will need to justify and balance the level of your security investment with the importance of ensuring the integrity, availability and confidentiality of your ePHI.

Conclusion

You should be able to ascertain from this short overview that if you have not yet begun your HIPAA Security planning, you have your work cut out for you. Getting started is sometimes the hardest part, so once the momentum is created, along with the increasing pressure of the looming deadline, you should be able to see this project through. Even if you are not 100% complete as of April 21, 2005, any progress is better than no progress or effort. You can use this information as a springboard for discussion among your team and get the ball rolling, or push a little harder if need be. Information is the key to success, and there are many, many sources of good HIPAA Security planning resources available. So use them to turn what may be a fearful situation within your organization into one driven by the desire for a successful HIPAA Security implementation.
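The shared "clinician" sign-on example above is worth making concrete, because a shared account is also the one gap that an application's own sign-on log can reveal: if a single account has sessions open on several workstations at the same time, none of its audit-trail entries can be tied to a person. The script below is an added example and is not part of this article; the log line format, the workstation names and the list of generic account names are assumptions made for the illustration.

```python
"""Audit an application sign-on log for shared accounts.

Added example, not from the UNI/CARE newsletter.  The log format is
constructed for illustration: one event per line with an ISO timestamp,
event name, user and workstation.  A real EHR or Windows security log is
handled the same way; only LINE_RE changes.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log.  The "clinician" account is used from several
# workstations at once; "jsmith" is an ordinary single-user account.
SAMPLE_LOG = """\
2005-03-01T08:02:11 event=login user=clinician workstation=WS-ER-01
2005-03-01T08:05:40 event=login user=jsmith workstation=WS-ADM-07
2005-03-01T08:11:03 event=login user=clinician workstation=WS-ER-02
2005-03-01T08:14:52 event=view_record user=clinician workstation=WS-ER-02 patient=P1001
2005-03-01T08:20:00 event=logout user=jsmith workstation=WS-ADM-07
2005-03-01T08:31:17 event=login user=clinician workstation=WS-ER-03
2005-03-01T09:00:00 event=logout user=clinician workstation=WS-ER-01
2005-03-01T09:05:00 event=login user=jsmith workstation=WS-ADM-07
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\w+) user=(?P<user>\S+) "
    r"workstation=(?P<ws>\S+)(?: patient=(?P<patient>\S+))?$"
)

# Assumed list of role names that cannot identify a person.  Any sign-on
# under one of these violates unique user identification outright.
GENERIC_NAMES = {"clinician", "nurse", "frontdesk", "admin", "user"}


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def concurrent_sessions(events):
    """Return {user: peak number of workstations signed in at once}.

    A login opens a session on that workstation and a logout closes it.
    A peak above 1 means the credential is shared (or an unattended session
    was reused), so the audit trail no longer identifies who acted.
    """
    open_ws = defaultdict(set)
    peak = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ws = ev["user"], ev["ws"]
        if ev["event"] == "login":
            open_ws[user].add(ws)
        elif ev["event"] == "logout":
            open_ws[user].discard(ws)
        peak[user] = max(peak[user], len(open_ws[user]))
    return dict(peak)


def audit(text):
    """Return a sorted list of (user, reason) findings for shared sign-ons."""
    events = parse_log(text)
    findings = set()
    for user in {e["user"] for e in events}:
        if user.lower() in GENERIC_NAMES:
            findings.add((user, "generic role account, not a named individual"))
    for user, n in concurrent_sessions(events).items():
        if n > 1:
            findings.add((user, f"logged in on {n} workstations at once"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in audit(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

Run against the constructed sample, the audit flags clinician twice (a generic role name, and three workstations signed in at once) and jsmith not at all. Against a real system, feed it the application's own sign-on log and adjust LINE_RE; the concurrency check is the part that transfers, since it does not depend on how accounts are named.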
Implementation Challenges for HIPAA Security Regulations
by Arnold Scarpitti, CISSP

The road to compliance with HIPAA Security regulations is a relatively complex and difficult one for most organizations. This article focuses on my experience with large and medium-sized providers. As an information security officer at a large multi-facility hospital group, and as information security consultant for a number of clients in the past several years, I have strived to create solid information security management programs for healthcare providers. The impetus for these programs has been primarily HIPAA, especially HIPAA security.

For purposes of this article, I am focusing on seven specific challenges that impact compliance with HIPAA Security regulations. Naturally, there are many other challenges relating to HIPAA security than those I cite. Each challenge mentioned is also more complex than I can fully address in a short article. The challenges are those that many large and medium-sized providers will have encountered, and are identified from my experience with information security and HIPAA Privacy and Security regulations. At the end of this article, I include a brief outline of a process I have used successfully to set up an information security program.

The seven implementation challenges I will address are:

A. Inadequate understanding of, and efforts to comply with, the "mini-security rule" in the HIPAA Privacy regulations.

In the HIPAA Privacy regulations, which cover all protected health information (PHI), a section which impacts the HIPAA Security regulations probably received inadequate attention during many Privacy implementations. The section follows:

Section 164.530(c)(1) Standard: Safeguards. A covered entity must have in place appropriate administrative, technical and physical safeguards to protect the privacy of PHI.

Section 164.530(c)(1), effective in April 2001 with a compliance date of April 2003, effectively required covered entities to do the following:

1. Inventory PHI assets in the entire organization.
2. Analyze risks to all PHI: electronic, paper, oral, and voice.
3. Take appropriate actions to safeguard PHI of all types.

Organizations that took this Privacy standard seriously were well positioned to take steps to be in compliance with the HIPAA Security regulations, which focus on electronic PHI (EPHI). Policies, procedures, risk assessment, training, network infrastructure issues, application security, et al. were implied by the mini-security rule.

Unfortunately, in many organizations, the focus was almost entirely on notice of privacy practices, disclosure procedures, patient rights, and certain administrative procedures. Although necessary for compliance with HIPAA Privacy regulations, these areas did not, from an information security standpoint, improve the protection of patient data. If Privacy regulation compliance efforts had also addressed proper storage and handling practices for PHI, the protection of patient data would have been improved.

Without the gathering of good information, many tasks in implementing HIPAA Security are difficult, if not impossible. A smart organization began this process by focusing on the mini-security rule prior to April of 2003.

B. Minimal understanding of the risk management process as it relates to information security.

Risk management for information security is complex and not well understood by healthcare providers. Although much valuable information from NIST, CMS and other resources is available, provider staff is not familiar with this absolutely critical task.

Performing an internal risk assessment, evaluating the risks to various systems, and then prioritizing those risks for action are important steps in risk management. However, using the common qualitative method for risk assessment can be quite subjective. Staff is very likely to minimize the likelihood of events, minimize the impact, and identify low residual risks. One of the reasons this occurs, in my view, is poor information on security breaches. Although we are all aware of healthcare information security breaches that have appeared in newspapers, providers are unlikely to have good information on those occurrences in their own organization. Lack of data makes it appear these are potential, but unlikely, threats, and they are evaluated as correspondingly low risks.

This results in a false sense of security from the internal risk assessment. Without knowledge of security breaches that have already occurred at an organization, it is unlikely much time or money will be spent addressing many potential vulnerabilities. Focus is usually on outside attacks of various types, which are well known to occur. Incidents of insider action, much more common and easier to initiate, are considered unlikely.

C. Clinical professionals resent "excessive security".

In most clinical areas, staff is well aware and understands that PHI is to be properly protected, not to be discussed in public areas, and is confidential. As clinical professionals, staff is often resentful that security controls are implemented to control or track their activities. Passwords, logins, application time-outs, etc. are seen as impediments to patient care, wasting time that could be better spent. Without good evidence that the information security practices are needed and valuable, clinicians are justifiably suspicious and can be uncooperative.

This is another area where good data on security violations or breaches would be valuable, but little exists. I suspect many violations are never reported as "incidents". This failure deprives information security staff and management of the information needed to justify various security measures, provide for additional training, and manage the entire infosec process.

Use of clinical physician order entry systems has mitigated this challenge slightly, for those providers that have implemented them. The understanding that good records need to be maintained in the ordering process seems universally understood.

D. Information security (infosec) knowledge is limited among information systems staff.

Only a small group of information systems staff are knowledgeable about infosec. In most cases, that knowledge relates to the security of specific systems, often focused on controlling outsider access to the internal network. Information security knowledge is not typically a strength of information system staffs, including programmers. Until relatively recently, infosec has not been a focus for those working with application programs. Security has been a low priority. This is understandable, since system features and functionality are critical to the day-to-day operations of providers.

Naturally, since providers were not asking for security features, vendors were not focused on including them. And even when solid infosec features were included in applications, administrators frequently do not use or enable the features for various reasons, usually because it requires more administrative time to implement security.

As infosec requirements have increased, more staff members are acquiring the necessary background to make good decisions and recommendations on infosec issues.

E. Given limited resources, the focus is on clients/patients.

This challenge is especially difficult to overcome. Most providers have limited resources. With limited resources, where do you place them? The mission of most providers includes excellent patient care as a top priority. So, when you are considering in your capital budget whether to move to a single sign-on product that simplifies clinical interactions, or to add some nursing staff or a new MRI, the organization's mission virtually requires those investments that benefit patients the most.

It is not impossible to provide a business justification for information security efforts. That said, it is not particularly easy to do. Can you market the fact that you keep information confidential for your patients? They expect that already. In many ways, the HIPAA Privacy and Security regulations gave an impetus to focusing on confidentiality of information that did not exist before. It is not that healthcare providers did not care about confidentiality, just that it was not a high priority. I personally believe it is still not a high priority at many healthcare organizations. Many efforts that I am aware of are aimed at minimal compliance, and may include only policies, not actual practice.

Information system staffs are typically quite busy keeping up with installations, updates, routine systems requests, maintenance of applications, user help desk requests, etc. Without compelling reasons, and a high priority from senior management, little time may be available for attention to infosec issues.

F. Enforcement action for privacy has been very limited.

Although some action to enforce the privacy regulation has occurred, the potential for large fines to organizations that are not in compliance, based on valid complaints, has not been realized. Nor is it likely to happen soon. The federal government is notorious for creating regulations for various issues, and failing to properly enforce them.

Depending on the point at which an organization is starting, a reasonable amount of time is needed to comply with the HIPAA Privacy and Security regulations. Two years for many organizations is just not enough time to achieve that compliance. However, I question whether an adequate effort is being made by some organizations. I do not feel punitive actions should be taken against providers who are making good faith efforts to comply. However, whether the efforts are truly good faith or "minimal" is a question for legal staffs and perhaps CMS to determine. In any event, lack of enforcement effort unquestionably causes provider management to back off their efforts, and focus more on other priorities.

G. Early vendor hype and failed products.

When the Security NPRM was released in August 1998, many vendors of software and hardware products jumped on the HIPAA bandwagon enthusiastically. Clearly, healthcare is a huge market. Now, security products that were used primarily in the financial industries could be marketed to an entirely new group.

The HIPAA Security NPRM released in August 1998 laid out a very comprehensive set of standards for security of electronic PHI. Many of those standards were revised, made addressable, or deleted from the final Security Rule. However, since the Security Regulations were not final until February 2003, much effort went into making so-called HIPAA compliant products. Many products were good efforts, and certainly some remain. Others were not ready for use, and have been dropped. However, the vendor hype about what was required, what was compliant, etc. caused much uncertainty and confusion among providers.

An Approach to HIPAA Security that Works

With the requirements of the HIPAA Security regulations in mind, an approach that has worked successfully for me is outlined below. These are initial steps, and require ongoing attention to maintain a good information security program.
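Both the 1 to 5 threat ranking in Catan's article earlier in this supplement and challenge B above come down to the same method: rate likelihood and impact, combine them, and sort. The subjectivity described under challenge B enters through the likelihood rating, which is guessed when an organization has no record of its own incidents. The block below is an added example and not code from either article; it carries the ranking through with the likelihood taken from recorded incident counts where they exist. The band thresholds, the sample register and the incident counts are all assumptions constructed for the illustration.

```python
"""Rank risks to ePHI on a 1..5 threat scale (1 = highest), taking
likelihood from observed incident frequency where it is available.

Added example, not part of the UNI/CARE newsletter articles.  The 1..5
scale with 1 as the highest threat follows Catan's article; the band
thresholds, register and incident counts are constructed assumptions.
"""

# Likelihood bands 1 (rare) .. 5 (frequent), chosen from incidents per year.
# Assumed thresholds; derive your own from incident history.
LIKELIHOOD_BANDS = [(2.0, 5), (0.5, 4), (0.1, 3), (0.02, 2), (0.0, 1)]


def likelihood_from_rate(incidents, years):
    """Map an observed incident rate (per year) to a 1..5 likelihood band."""
    if years <= 0:
        raise ValueError("observation period must be positive")
    rate = incidents / years
    for floor, band in LIKELIHOOD_BANDS:
        if rate >= floor:
            return band
    return 1


def threat_level(likelihood, impact):
    """Combine likelihood and impact (each 1..5) into a threat level 1..5,
    where 1 is the highest threat: product 16..25 -> 1, 10..15 -> 2,
    6..9 -> 3, 3..5 -> 4, 1..2 -> 5."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError("likelihood and impact must each be 1..5")
    score = likelihood * impact
    if score >= 16:
        return 1
    if score >= 10:
        return 2
    if score >= 6:
        return 3
    if score >= 3:
        return 4
    return 5


# Constructed register: (risk, guessed likelihood, impact).  The guesses
# show the bias from challenge B: outsider attack rated likely, insider
# misuse rated rare.
REGISTER = [
    ("Outside attacker compromises EHR server", 3, 5),
    ("Employee divulges password or shares sign-on", 1, 4),
    ("Errant email sends ePHI to unauthorized users", 2, 3),
    ("Flood damages server room", 1, 5),
    ("Backup tapes disposed of without wiping", 1, 4),
]

# Constructed incident counts from two years of internal reports.
INCIDENTS_2_YEARS = {
    "Employee divulges password or shares sign-on": 6,
    "Errant email sends ePHI to unauthorized users": 3,
    "Outside attacker compromises EHR server": 0,
}


def rank_register(register, incidents=None, years=1.0):
    """Return (risk, likelihood, impact, threat_level) rows, highest threat
    first.  A recorded incident count replaces the guessed likelihood."""
    incidents = incidents or {}
    rows = []
    for risk, guessed_likelihood, impact in register:
        if risk in incidents:
            likelihood = likelihood_from_rate(incidents[risk], years)
        else:
            likelihood = guessed_likelihood
        rows.append((risk, likelihood, impact, threat_level(likelihood, impact)))
    # Ties on level broken by raw product, then by name for stable output.
    return sorted(rows, key=lambda r: (r[3], -(r[1] * r[2]), r[0]))


if __name__ == "__main__":
    print("Guessed likelihood:")
    for row in rank_register(REGISTER):
        print("  level %d  %s" % (row[3], row[0]))
    print("Likelihood from two years of incidents:")
    for row in rank_register(REGISTER, INCIDENTS_2_YEARS, years=2.0):
        print("  level %d  %s" % (row[3], row[0]))
```

With guessed likelihoods, the outside attack tops the register, as challenge B predicts. Once the two years of internal incidents are counted, the shared sign-on moves to level 1, the errant email to level 2, and the outside attack drops to level 4. The specific thresholds matter less than the point that recorded incidents, not impressions, should fill the likelihood column.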
1. Establish senior management understanding and commitment to information security. It is impossible to overstress the importance of this element. Real commitment, and willingness to enforce policies, budget for any essential capital investment involved, commit appropriate staff resources, and make infosec activity a high priority are all critical to developing a good information security program.

2. Develop, with appropriate input from business units and clinicians, information security policies. Policies cover the overall approach to data security, specific computer security issues, email, fax, physical access control to server rooms, risk management, user login and password, and other appropriate areas for each organization.

3. Train staff on policies. It is a cliché that users are the first line of defense, but it is unquestionably true. All staff should receive basic instruction on securing data, selecting and changing passwords, social engineering, use of email, laptop computers, and other issues that are applicable to their jobs. Managers and supervisors need additional training to understand what responsibilities they have relating to information security. Senior management should be provided an adequate understanding of infosec issues so they can make informed decisions, and participate in the risk management process by accepting or mitigating risk.

4. Develop appropriate procedures to implement the infosec policies. Policies are only as good as the training and implementation steps taken. To develop policies and then fail to proceduralize those policies guarantees an ineffective information security program. Procedures needed vary by organization, but should include the process for acquiring appropriate authorization for PHI systems, details on password issues and verification for changes, communication of access changes (terminations/transfers), and server and workstation configuration. Many other areas relating to control of external access, and auditing and monitoring of various systems, are probably needed also.

5. Train appropriate staff on procedures. For procedures, only affected staff needs to be trained. However, these individuals are really enforcing the policies, and need a clear and solid understanding of the procedures. Many procedures are information system focused; however, managers likely need some training also.

6. Perform a risk assessment of important systems. This includes major PHI applications, network infrastructure, servers and server rooms, and other important organizational assets involved in EPHI. Risk assessment, evaluation, and prioritized recommendations for senior management are the elements of the risk management process.

Although the challenges to implementing the HIPAA Security regulations are significant, they can be overcome. Building a good information security program requires a solid foundation, senior management support, appropriate resources, and continued effort. It is not a short-term project, and must become part of the organization's business plan for the long term.

Arnold Scarpitti, CISSP, has twenty years of experience with information systems, computer networks and information security in large and medium-sized provider settings. Arnold is a consultant for information security programs, policy and procedure development, and information security training. Arnold is a Certified Information Systems Security Professional, affiliated with HealthCare Perspective, LLC.

Pro-Filer™ integrates all relevant healthcare information into a unified, secure, web-enabled computer-based record system, profiling for your organization, consumers, payors and staff. Remote technology: PDA, Tablet PC, laptop. Ease of use: best practice, multi-company processing, expansive user-defined fields, customized table data entry, wizards for workflows, clinical standards and management, quality, UM review and compliance. Technology: Visual Basic, C++, N-tier design, SQL database. www.unicaresys.com. UNI/CARE Systems, Inc. offers a comprehensive set of software applications and services for Behavioral Health, Public Health and Child Welfare.