the UNI/CARE perspective
February 2005

HIPAA Security Rule: Is your
a special supplement to the UNI/CARE Perspective
Security Compliance Tips

- Develop information security policies
- Allocate financial and staff resources
- Develop procedures to implement information security policies
- Train clinical staff on the importance of computerized information security practices
- Establish senior management understanding and commitment to information security
- Perform an internal risk assessment
- Document internal security breaches/risks
- Rank the threat level of the identified breaches/risks
- Develop corrective action plans
- Assess/Reassess the adequacy of current security controls
- Develop follow-up measures
- Develop periodic training programs
Table of Contents

The UNI/CARE Perspective                                                                2-3
by May Ahdab Ph.D.
President & CEO, UNI/CARE Systems, Inc.

Security of Health Information-                                                         4-5
The Latest HIPAA Deadline
by Paul Litwak

HIPAA Deadline Update                                                                   6-9
by Henry Yennie, GSW
State of Louisiana Office of Mental Health

Countdown to HIPAA Security Rule Compliance                                          10-12
by Jim Catan, Vice President of Consulting Services
UNI/CARE Systems Inc.

Implementation Challenges for HIPAA Security Regulations                             13-16
by Arnold Scarpitti, CISSP

The UNI/CARE Perspective was created for you! Did you like what you read? Do you have
an experience you would like to share? We welcome your feedback and would value your
articles. If you would like to give us your feedback or submit an article, please send it by
email to, by fax to (941) 954-2033, or mail to UNI/CARE
Systems, Inc., 540 North Tamiami Trail, Sarasota FL 34236.

Thank You
UNI/CARE would like to extend a special thanks to Paul Litwak, Henry Yennie, Jim Catan,
Arnold Scarpitti, Jamie Smith, Nona Sullivan and all those who contributed to this supple-

                                                                  the UNI/CARE perspective
  The UNI/CARE Perspective
  by May Ahdab, Ph.D.
  President & CEO

Risk analysis, self-assessment, implementation of security standards and safeguards are the buzzwords discussed by many organizations providing behavioral healthcare services, in their quest to meet the HIPAA Final Security Rules by April 20, 2005. Regardless of the current issues facing our industry, including budget restrictions, limited reimbursement, HIPAA transactions processing requirements and information overload, organizations are once again being asked to revise their internal culture in an attempt to understand and implement new processes designed globally to protect the security of a consumer's health record.

Our current supplement focuses on providing our readers with an outline of the HIPAA Final Security Rules
as well as a review of their implementation from various perspectives. With only three months remaining prior
to the rules becoming effective, it is important for every organization to review the status of its compliance
effort, and rate its effectiveness in the following areas:

- Definition of the scope of the project charter, including strategic planning and allocated budget and staff resources
- Review of the current security-related policies and procedures
- Development of a gap analysis comparing current policies and procedures with the required HIPAA Security Rules and identifying deficiencies
- Design of a risk analysis methodology aimed at the assessment of vulnerabilities and threats as well as the ranking of their impact on security compliance
- Design of an action plan documenting corrective actions and follow-up tasks
- Design of a training plan aimed at staff working with consumers' health records
- Design of a periodic self-assessment tool to be used to identify further risks and vulnerabilities
- Design of periodic remediation plans
- Development of a communication plan with executives, managers, clinical staff and clerical staff

In closing, a properly developed and implemented security program has the potential to provide your organization with a valuable assurance tool for evaluating the state of your compliance with the HIPAA Security Rules. We hope that you find the information provided in this supplement useful, and that you will put our suggestions into action (if appropriate) to ensure the security and compliance of your information network.


The following is a list of the Safeguards, Standards and Implementation Specifications that can be of use while ensuring that your organization is compliant as of April 21, 2005. Standards are shown with their section references. If a standard has related Implementation Specifications, they are listed below the standard. In addition, every Implementation Specification is categorized either as an R or an A. "R" means that an implementation specification is required. "A" means it is "addressable". You should note, however, that "addressable" does not equate with an optional item. As an organization, you should assess whether or not the specification is reasonable and appropriate within the uniqueness of your organizational environment, and document the results of such an assessment, as well as the subsequent decision to implement or not to implement. If the specification is found to be reasonable and appropriate within your organizational culture, it should be implemented.

Implementation of a standard will require the design of an assessment checklist by your security team. The checklist should include whether the standard is already implemented or needs to be implemented. If the standard needs to be implemented, the checklist should include the documentation of the process undertaken to deploy the implementation of the standard. As such, the checklist should include items such as the policies to be developed, the procedures to be implemented by the security team, the final draft agreed upon by administration and the documentation of the training provided to staff.

ADMINISTRATIVE SAFEGUARDS

Security Management Process (Standard, Section 164.308(a)(1))
  Implementation Specifications:
    Risk Analysis (R)
    Risk Management (R)
    Sanction Policy (R)
    Information System Activity Review (R)

Assigned Security Responsibility (Standard, Section 164.308(a)(2))

Workforce Security (Section 163.308(a)(3))
  Implementation Specifications:
    Authorization and/or Supervision (A)
    Workforce Clearance Procedure (A)
    Termination Procedures (A)

Information Access Management (Section 163.308(a)(4))
  Implementation Specifications:
    Isolate Healthcare Clearinghouse (R)
    Access Authorization (A)
    Access Establishment and Modification (A)

Security Awareness and Training (Section 163.308(a)(5))
  Implementation Specifications:
    Security Reminders (A)
    Protection from Malicious Software (A)
    Log-in Monitoring (A)
    Password Management (A)

Security Incident Procedures (Section 163.308(a)(6))
  Implementation Specifications:
    Response and Reporting (R)

Contingency Plan (Section 163.308(a)(7))
  Implementation Specifications:
    Data Backup Plan (R)
    Disaster Recovery Plan (R)
    Emergency Mode Operation Plan (R)
    Testing and Revision Procedure (A)
    Applications and Data Criticality Analysis (A)

Evaluation (Section 163.308(a)(8))

PHYSICAL SAFEGUARDS

Facility Access Controls (Section 164.310(a)(1))
  Implementation Specifications:
    Contingency operations (A)
    Facility security plan (A)
    Access control/validation procedures (A)
    Maintenance records (A)

Workstation Use (Section 164.310(b))

Workstation Security (Section 164.310(c))

Device and Media Controls (Section 164.310(d)(1))
  Implementation Specifications:
    Disposal (R)
    Media Re-use (R)
    Accountability (A)
    Data backup and storage (A)

TECHNICAL SAFEGUARDS

Access Control (Section 164.312(a)(1))
  Implementation Specifications:
    Unique user identification (R)
    Emergency access procedure (R)
    Automatic logoff (A)
    Encryption and decryption (A)

Audit Controls (Section 164.312(b))

Integrity (Section 164.312(c)(1))
  Implementation Specifications:
    Mechanism to authenticate ePHI (A)

Person/Entity Authentication (Section 164.312(d))

Transmission Security (Section 164.312(e)(1))
  Implementation Specifications:
    Integrity controls (A)
    Encryption (A)

ORGANIZATIONAL REQUIREMENTS

Security Policies and Procedures (Section 164.316(a))
  Implementation Specifications:
    Reasonable and appropriate (R)
    Comply with standards (R)

Documentation (Section 164.316(b)(1)(2))
  Implementation Specifications:
    Document policies and procedures (R)
    Document action, activity or assessment (R)
    Maintain documentation for 6 years of initial date (R)
    Make documentation available for implementation (R)
    Review and update documentation periodically (R)

Business Associate Agreements (Section 164.308(b)(1))
  Implementation Specifications:
    Implement administrative, physical and technical safeguards (R)
    Ensure that agents agree to implement safeguards (R)
    Report to covered entity any security incident (R)
    Authorize termination of contract by the covered entity (R)

Security of Health Information:
The Latest HIPAA Deadline
by Paul Litwak

April 21, 2005 is the deadline for compliance with the HIPAA Security Rule. You're probably sick of HIPAA, and I don't blame you. But this isn't a job that can be assigned to your computer network administrator and forgotten. Security management decisions should be made on the "enterprise" level and be based on a solid understanding of business needs, regulatory requirements, security risks, and risk management.

Real Stories
Here are a few publicly reported events in which the security of confidential information was compromised and individual privacy rights were compromised. In each case, the organization that held the information meant to keep it confidential.

The Miami Herald reported on Sept. 30, 2004 that confidential child-abuse and foster-care records for nearly 4,000 Central Florida children were made available to anyone with Internet access through a gaping security breach in a child welfare agency's computer system.

On April 2, 2004, a hacker gained access to a server at the University of Kansas that contained records of prescriptions filled at an on-campus pharmacy since 1994. Files on the server included prescription information for students, faculty and staff, Social Security numbers, student identification numbers, names, addresses and birth dates.

In February 2003, a jury awarded $2.3 million to three women whose mental health treatment records were not kept private by West Virginia University Medical Corp., also called University Health Associates. A records clerk had removed the records, taken them home and to local bars and discussed them with people. The clerk was clearly acting outside the scope of his employment and was fired. Nonetheless, the jury found that the hospital had breached its duty of confidentiality. The verdicts did not include punitive damages.

For eight days, beginning on Oct. 29, 2001, detailed psychological records of at least 62 children and teenagers were accidentally posted on the University of Montana website.

Eli Lilly & Co., maker of the antidepressant Prozac, inadvertently divulged the names and e-mail addresses of 600 psychiatric patients in a mass e-mail. The company was investigated by the Federal Trade Commission, and reached a settlement in which it agreed to bolster the security of its Internet site.

A Nevada woman bought a used computer, and discovered the prescription records of thousands of people on the machine's hard drive. The previous owner was a pharmacy.

On Dec. 14, 2002, burglars stole computer equipment and data files from TriWest Healthcare Alliance, a Phoenix-based management service organization. The equipment included health records of over 500,000 people covered by the Department of Defense TRICARE program in 16 states.

Legal and Accreditation Standards Relating to Information Security
The Department of Health and Human Services and JCAHO each require healthcare organizations to adhere to standards for securing the confidentiality, integrity and availability of "electronic protected health information".

The final HIPAA Security Rule, codified at 45 CFR Parts 160 - 164, is the most comprehensive statement of standards for the security of health information. JCAHO standards for Confidentiality and Security (IM.2.10-40) are far less specific. Compliance with the Security Rule ensures compliance with the JCAHO information security standards, but the opposite is not true. For that reason, the focus here is on the Security Rule.

The HIPAA[1] statute required the Secretary of Health and Human Services to enact national standards for the security of health information systems. Those standards, published in February 2003, supersede inconsistent requirements of state law (unlike the Privacy Rule, which defers to "more stringent" provisions of state law). The deadline for compliance with the Security Rule is April 21, 2005 for covered providers and most health plans. It is April 21, 2006 for small health plans.

Both the HIPAA statute and the final Security Rule require covered entities to:

- Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule.
- Ensure compliance by its workforce.[2]

The Secretary of Health and Human Services is empowered to impose civil penalties for non-compliance with these requirements. The law also creates criminal penalties for willful or malicious violations of privacy rights (although criminal prosecution is extremely unlikely for anything short of selling celebrity medical records).

While there is no "private right of action" to directly enforce the HIPAA Security Rule, it is reasonable to expect that the standards adopted in the rule will become the "standard of care" applied to determine liability in private lawsuits.

A Few Important Principles

Flexibility
The final Security Rule is based on three concepts derived from the HIPAA statute. It is designed to be:

- Comprehensive and coordinated to address all aspects of security.
- Scalable, so that it can be effectively implemented by covered entities of all types and sizes.
- Technology neutral, allowing covered entities to make use of future technology.

The rule allows covered entities a great deal of flexibility in selecting security measures to meet its standards and implementation specifications. Covered entities are permitted to apply any security measure that is reasonable and appropriate to meet the underlying standards. The measure of "reasonable and appropriate" is based on a number of factors, including the nature of the security risk, the size, complexity, and resources of the covered entity, and cost.

Standards and Implementation Specifications
The Security Rule includes standards and implementation specifications that provide instructions for implementing standards. Covered entities are required to meet each standard. Implementation specifications fall into two categories - "required" and "addressable". There are only 13 required implementation specifications, and covered entities must implement all of them. DHHS introduced the concept of "addressable implementation specifications" to provide covered entities additional flexibility with respect to compliance with the security standards. Covered entities are free to evaluate each addressable implementation specification to determine if it is "reasonable and appropriate" to apply that specification to meet the underlying standard, or whether alternative security measures are sufficient, given the risks involved.

About the Author
Paul Litwak is a health lawyer and consultant whose specialty is health information technology. He is the author of A Path to HIPAA Compliance, and co-author of A Path to Compliance with the HIPAA Security Rule, a comprehensive guide to the Security Rule, including model forms, policies, compliance checklists, and detailed references to security resources. The guide is available at
Mr. Litwak can be reached at 757-431-2020 or

[1] HIPAA refers to title II, the "Administrative Simplification" provisions of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-91)
[2] 42 USC 1320d-2(d)(2); 45 CFR 164.306(a)
[3] 68 Federal Register 8335

HIPAA Deadline Update
by Henry Yennie, GSW
State of Louisiana Office of Mental Health
Source: CMS Website

As the New Year arrives, so does the deadline for compliance with the HIPAA Security Rule. In review, let's look at the recent information on HIPAA deadlines published by CMS[1] (Center for Medicare and Medicaid Services):

Date                 Deadline
April 20, 2005       Security Standards - all covered entities except small health plans.
August 1, 2005       Employer Identifier Standard - small health plans.
April 20, 2006       Security Standards - small health plans.
May 23, 2007         National Provider Identifier - all covered entities except small health plans
May 23, 2008         National Provider Identifier - small health plans

As the Security Rule is the next impending event, we have assembled the following information to help behavioral health organizations craft a compliance strategy. First, we should all speak the same language, and the following list of definitions may help:

       Access means the ability or the means necessary to read, write, modify, or communicate
       data/information or otherwise use any system resource.

       Administrative safeguards are administrative actions, and policies and procedures, to
       manage the selection, development, implementation, and maintenance of security measures
       to protect electronic protected health information and to manage the conduct of the covered
       entity’s workforce in relation to the protection of that information.

       Authentication means the corroboration that a person is the one claimed.

       Availability means the property that data or information is accessible and usable upon demand by an
       authorized person.

       Confidentiality means the property that data or information is not made available or disclosed
       to unauthorized persons or processes.

       Encryption means the use of an algorithmic process to transform data into a form in which
       there is a low probability of assigning meaning without use of a confidential process or key.

       Facility means the physical premises and the interior and exterior of a building(s).

       Information system means an interconnected set of information resources under the same
       direct management control that shares common functionality. A system normally includes
       hardware, software, information, data, applications, communications, and people.

       Integrity means the property that data or information have not been altered or destroyed in an
       unauthorized manner.

       Malicious software means software (for example, a virus) designed to damage or disrupt a system.

    Password means confidential authentication information composed of a string of characters.

    Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s
    electronic information systems and related buildings and equipment, from natural and environmental
    hazards, and unauthorized intrusion.

    Security or Security measures encompass all of the administrative, physical, and technical safe
    guards in an information system.

    Security incident means the attempted or successful unauthorized access, use, disclosure,
    modification, or destruction of information or interference with system operations in an information
    system.

    Technical safeguards means the technology and the policy and procedures for its use that protect
    electronic protected health information and control access to it.

    User means a person or entity with authorized access.

    Workstation means an electronic computing device (for example, a laptop or desktop
    computer) or any other device that performs similar functions, and electronic media stored in its
    immediate environment.

Second, we need to understand some fundamental concepts about the final rule. The final Security Rule, in many respects, is somewhat simpler to interpret and apply than the draft standards that caused so much concern. The following summary outlines the general requirements and the flexibility allowed by the final rule:


Covered entities must do the following:

  1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
  4. Ensure compliance with this subpart by its workforce.

Flexibility of approach:

  1. Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified.
  2. In deciding which security measures to use, a covered entity must take into account the following factors:
     a. The size, complexity, and capabilities of the covered entity.
     b. The covered entity's technical infrastructure, hardware, and software security capabilities.
     c. The costs of security measures.
     d. The probability and criticality of potential risks to electronic protected health information.

Let’s focus on the issue of flexibility. The final rule introduces a critical distinction between "required" and
"addressable" standards and implementation specifications. This distinction can be first summarized in
the following manner:

Implementation specifications:

  1. Implementation specifications are required or addressable.
  2. When a standard includes required implementation specifications, a covered entity must implement the implementation specifications.
  3. When a standard includes addressable implementation specifications, a covered entity must:
     a. Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and
     b. As applicable to the entity:
        i. Implement the implementation specification if reasonable and appropriate; or
        ii. If implementing the implementation specification is not reasonable and appropriate:
           1. Document why it would not be reasonable and appropriate to implement the implementation specification; and
           2. Implement an equivalent alternative measure if reasonable and appropriate.

For the visually inclined, we have provided the following graphical decision tree for determining how your
organization might comply with the "addressable standards":

Final Security Rule Implementation Standards (decision tree, rendered here as text):

  Standard is Required
    -> CE must implement as written.

  Standard is Addressable
    -> Assess if reasonable and appropriate (the assessment must be based on a Risk Analysis).
       Reasonable and appropriate? Yes -> Implement.
       Reasonable and appropriate? No  -> Document why, then ask: is an alternative measure reasonable and appropriate?
          Yes -> Implement the alternative.
          No  -> Document why.
It is important to note the following qualifications:

- Although cost of compliance can be a factor in not implementing an addressable standard as written, it cannot be the only factor.
- In order to effectively make this decision, the organization must have completed a Risk Assessment (which is not an addressable standard - it is required of all covered entities).

1 CMS Website:

Contact Information:
Henry Yennie, GSW
State of Louisiana Office of Mental Health
210 State Street, Cottage #4
New Orleans, LA 70118
Office: (504) 896-2639

Countdown to HIPAA Security Rule Compliance
by Jim Catan, Vice President of Consulting Services
UNI/CARE Systems, Inc.

Thursday, February 20th, 2003 started the countdown on the HIPAA Security Rule compliance clock. Although the Security Rule had been published in draft form for over a year prior to that, many organizations waited to see the final form before beginning their planning. Fast forward to the present, late 2004. With procrastination taking its toll and just under 6 months until compliance is required (April 21, 2005 is the official date), the stress is mounting on the question of preparedness. Can your organization count itself among the minority of companies who claim full compliance with the comprehensive new Security Rule? Executive teams and Boards of Directors should be asking this question on a weekly basis. Even if the answer is "no", it is not too late to kick your Security Rule compliance efforts into full gear.

While the Privacy Rule was all about the Human Resources issues surrounding your new HIPAA-mandated privacy policies and procedures, the search for answers on Security Rule compliance should start with a call on your Chief Information Officer (CIO) or Information Systems manager. The staff of the IT department has most likely been tasked with developing and implementing cost-effective, enterprise-wide security programs. However, the entire senior management team should play an important strategic planning role in the process, as the rules affect nearly the entire corporate backbone in one form or another.

The compliance planning process should focus on three major questions:
1. Security risks to the organization - what are they, and which are the highest priorities or greatest threats?
2. Security measures to implement - what should your plan be to reduce risk and become HIPAA Security compliant?
3. Fiscal-based analysis - how much money and resources should you budget for security, based on the stated risk of each threat?

In order to address these questions, both the short-term and long-term effects of the HIPAA Security Rule must be analyzed, with a focus on the organization's most important high-risk areas. The well-known business adage that twenty percent of the issues will determine eighty percent of the cost will likely apply to security compliance costs as well.

Performing a Security Risk Analysis
Security deals with integrity, availability and confidentiality. Using this definition, HIPAA security is about ensuring that systems are available, that viable contingency planning and disaster recovery plans have been made, and that adequate access security measures are in place.

A critical eye and careful planning are required before beginning the process of risk analysis and security planning. The risks, threats, problems and extent of possible damage must be fully understood before drawing conclusions about what needs to be addressed.

According to the HIPAA Security Rule, covered organizations or entities (CEs) are required to implement a risk management program. The purpose of the risk management program is to evaluate the value of the assets, the potential for a loss or disclosure, and the cost of additional countermeasures.

The HIPAA Security Rule references major national standards by which CEs can quantify their risk as well as the return on investment (ROI) of associated security measures. One such national standard is published by the National Institute of Standards and Technology (NIST). Its publication Risk Management Guide for IT Systems (800-30) is a benchmark for all organizations engaged in risk analysis. It assists in the analysis of risks based on the following factors:
- The likelihood of a given threat-source's attempting to exercise a given vulnerability
- The magnitude of the impact should a threat-source successfully exercise the vulnerability
- The adequacy of planned or existing security controls for reducing or eliminating risk

While the NIST approach may be adequate for a risk management program focusing only on IT systems,
the scope of the HIPAA Security Rule encompasses more than IT. Executives should review threats to all of the organization's assets, including risk caused by financial and personnel issues.

It is of utmost importance that you include staff from all areas on your HIPAA risk analysis team. By doing so you will ultimately achieve a comprehensive risk analysis. Be sure that areas like contract administration, human resources, business office, and physical facilities are made an integral part of the HIPAA Security analysis and planning team or task force.

The following guideline can assist security planners and executives through the initial phases of developing an appropriate security program for their company. Some companies may want to consider contracting with a security consultant, who can perform vulnerability and penetration studies on your network and computer systems.

Identifying Security Risks
The management team's first task is to identify what is worth protecting. HIPAA is specifically about safeguarding patient information from both disclosure and damage. Your analysis should consider the following security risks:
- Unauthorized access to or disclosure of electronic Protected Health Information (ePHI)
- Complete loss or corruption of ePHI
- Temporary loss or unavailability of medical records
- Loss of physical assets (network infrastructure, computers, etc.)
- Threats to safety of patients and employees
- Loss of cash flow
- Harm to reputation and/or public confidence in your organization

Each of the above risks should be analyzed and quantified in order to prioritize their potential damage to the organization. This ranking will assist in the development of a security plan and allow you to focus on the highest threats to your specific organization. One important corollary of this analysis is that it must be individualized for each company, since a one-size-fits-all approach could end up focusing on the wrong or inappropriate issues, while leaving more important vulnerabilities specific to your agency unchecked or with insufficient focus on mitigation of risk.

Additionally, your analysis of ePHI should extend beyond the obvious areas of your medical record system and encompass your ancillary patient records such as electronic lab and pharmacy data, MRIs/CT scans, biomedical devices, and PDAs.

You must also consider external risk factors, for example a software vendor that won't meet the minimum security requirements by the compliance date. This can include Business Associates (BAs). If one of these businesses is culpable in a security breach, your organization may face consequences unless you have performed all required due diligence. This is where due diligence matters, and most importantly the documentation of your HIPAA security planning and activities. Notes of all security meetings, decisions and subsequent actions should be documented and kept, in order to prove due diligence if need be.

In assessing risk it is important to determine the potential outcome that could result from each identified risk. Ask: what adverse events could occur at your facility? What damage or harm could they cause? What is the likelihood of their occurring? Have you taken steps to prevent them or minimize their impact? Examples include:
- Misuse of authorized access (an employee divulges system passwords or PHI to an outside source, or an errant email containing ePHI is sent to a large group of unauthorized users)
- Unexpected systems downtime
- Ineffective disposal of ePHI and other sensitive data
- Unauthorized access by employees, ex-employees or the general public to facility areas that are not properly secured
- Natural physical events (fires, floods, explosions, earthquake, hurricane)
- Unauthorized access to systems by hackers
- Physical harm to employees or patients
- Systems that are not set up to effectively monitor security incidents
- Inadequate training of staff for emergency incidents
- Financial malfeasance

Security Action Plan
The HIPAA Security Task Force should:
- identify and evaluate the organization's assets
- determine what causes are most likely to threaten them
- estimate the level and likelihood of harm occurring
- assess the adequacy of current security controls

When the above risk assessment information has been documented, an action plan involving all stakeholders can be created, spearheaded by your IT and security staff. The plan should clearly document how your organization is planning to reduce risk to acceptable levels.

Part of the analysis should include a review of all HIPAA requirements to determine what gaps exist between the current environment and the standards. These gaps represent risks that must be addressed, although other risks may have been identified that the organization will also want to plan for.

It is important to realize that some security-related events or conditions cannot be "managed", but must be addressed. For example, if you share computer terminals in the same workspace where all users have the same network or application sign-on, such as "clinician", that would be a breach of HIPAA security requirements. The security plan must include measures to eliminate these types of security gaps, not just attempt to manage them.

All risks identified in your analysis should be ranked by threat level from 1 to 5, with 1 being the highest risk and 5 the lowest. This will assist in prioritizing the activities that must be performed. Next, determine what control options exist and the cost associated with each option. Using this information, your organization can document decisions based on reducing risk to acceptable levels, while ensuring that resources are expended appropriately and prudently based on the risk to the organization.

Cost is clearly one of the factors in determining what security measures to implement. Cost cannot be used as a reason for NOT implementing security controls that are reasonable. You will need to defend how much your organization spends to ensure the security of your information and reduce risk to an appropriate level. You will need to justify and balance the level of your security investment against the importance of ensuring the integrity, availability and confidentiality of your ePHI.

Finally, the organization must prioritize, budget, plan and implement controls that will limit the risk to its assets. The Security Rule requires that you document the actions you take to reduce risk to your assets. Ultimately, your documentation could serve as the basis of the proof of your due diligence security efforts.

You should be able to ascertain from this short overview that if you have not yet begun your HIPAA Security planning, you have your work cut out for you. Getting started is sometimes the hardest part, so once the momentum is created, along with the increasing pressure of the looming deadline, you should be able to see this project through. Even if you are not 100% complete as of April 21, 2005, any progress is better than no progress or effort.

You can use this information as a springboard for discussion among your team and get the ball rolling, or push a little harder if need be. Information is the key to success and there are many, many sources of good HIPAA Security planning resources available. So use them to turn what may be a fearful situation within your organization into one driven by the desire for a successful HIPAA Security implementation.
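The ranking and documentation procedure described in this article (score each risk on the NIST 800-30 factors of likelihood, impact and control adequacy; rank it 1 to 5 with 1 the highest; weigh control options against cost; write every decision down, and never let cost be the sole reason for declining a reasonable control) can be kept as a small risk register. The Python script below is an added example written for this page; it is not code from the newsletter, from UNI/CARE or from NIST. The scoring thresholds, the sample risks (which echo the article's own examples) and the dollar figures are constructed for illustration.

```python
"""Risk register for a HIPAA Security Rule risk analysis (added example, not from the newsletter)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One identified risk, scored on the three NIST SP 800-30 factors named in the article."""
    name: str
    likelihood: int        # 1 (rare) .. 5 (expected): a threat-source attempts to exercise the vulnerability
    impact: int            # 1 (negligible) .. 5 (severe): magnitude of harm if the attempt succeeds
    control_adequacy: int  # 0 (no controls) .. 3 (strong, tested controls already in place)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5 and 0 <= self.control_adequacy <= 3):
            raise ValueError(f"score out of range for {self.name!r}")

    def residual_score(self) -> int:
        """likelihood x impact (1..25), discounted for controls already in place; never below 1."""
        return max(1, self.likelihood * self.impact - 5 * self.control_adequacy)

    def threat_level(self) -> int:
        """The article's 1-5 scale, 1 = highest. The thresholds are constructed for this example."""
        score = self.residual_score()
        for level, floor in ((1, 20), (2, 15), (3, 10), (4, 5)):
            if score >= floor:
                return level
        return 5


def rank_risks(risks):
    """Highest threat first, so the action plan addresses level-1 items before level-5 ones."""
    return sorted(risks, key=lambda r: (r.threat_level(), -r.residual_score(), r.name))


@dataclass(frozen=True)
class ControlOption:
    description: str
    annual_cost: int  # whole dollars; constructed figures


@dataclass(frozen=True)
class Decision:
    """A documented decision: the Security Rule requires a record of the actions taken to reduce risk."""
    risk: str
    option: str
    implement: bool
    rationale: tuple  # reason tags, e.g. "cost", "risk_acceptable", "alternative_control", "required_by_rule"


def record_decision(risk: Risk, option: ControlOption, implement: bool, rationale) -> Decision:
    """Refuse an undocumented decision, and refuse a 'do not implement' justified by cost alone,
    mirroring the newsletter's qualification that cost may be a factor but never the only one."""
    tags = tuple(rationale)
    if not tags:
        raise ValueError("every decision must be documented with at least one reason")
    if not implement and set(tags) == {"cost"}:
        raise ValueError(f"cost cannot be the sole reason for not implementing {option.description!r}")
    return Decision(risk.name, option.description, implement, tags)


def rejects_cost_only(risk: Risk, option: ControlOption) -> bool:
    """True when the register blocks a cost-only refusal of this control."""
    try:
        record_decision(risk, option, False, ["cost"])
    except ValueError:
        return True
    return False


def planned_spend(decisions, options_by_name) -> int:
    """Budget line for the action plan: annual cost of every control the register says to implement."""
    return sum(options_by_name[d.option].annual_cost for d in decisions if d.implement)


# Constructed sample register; the risks echo the article's examples, the scores are illustrative.
SAMPLE_RISKS = [
    Risk("Shared 'clinician' sign-on on workstations", 5, 4, 0),
    Risk("Errant email sends ePHI to an unauthorized group", 4, 4, 1),
    Risk("Ineffective disposal of ePHI media", 3, 4, 1),
    Risk("Unauthorized outsider access to the network", 3, 5, 2),
    Risk("Flood damage to the server room", 1, 5, 2),
]
SAMPLE_OPTIONS = {o.description: o for o in (
    ControlOption("Unique user IDs with automatic logoff", 12000),
    ControlOption("Outbound email filtering for ePHI", 8000),
    ControlOption("Relocate server room above flood level", 250000),
)}


def build_plan():
    """Rank the sample risks and document a decision for each control option considered."""
    ranked = rank_risks(SAMPLE_RISKS)
    by_name = {r.name: r for r in SAMPLE_RISKS}
    decisions = [
        record_decision(by_name["Shared 'clinician' sign-on on workstations"],
                        SAMPLE_OPTIONS["Unique user IDs with automatic logoff"], True, ["required_by_rule"]),
        record_decision(by_name["Errant email sends ePHI to an unauthorized group"],
                        SAMPLE_OPTIONS["Outbound email filtering for ePHI"], True, ["reduces_high_risk"]),
        # Declining is accepted here only because cost is not the sole reason given.
        record_decision(by_name["Flood damage to the server room"],
                        SAMPLE_OPTIONS["Relocate server room above flood level"], False,
                        ["cost", "risk_acceptable"]),
    ]
    return ranked, decisions, planned_spend(decisions, SAMPLE_OPTIONS)


if __name__ == "__main__":
    ranked, decisions, spend = build_plan()
    for r in ranked:
        print(f"level {r.threat_level()}  score {r.residual_score():2d}  {r.name}")
    for d in decisions:
        print(("IMPLEMENT " if d.implement else "DECLINE   ") + d.option, "because", ", ".join(d.rationale))
    print("planned annual spend:", spend)
```

Run as a script it prints the ranked register (the shared sign-on lands at level 1, the flood risk at level 5 once existing controls are credited), the three documented decisions, and the resulting budget line. The `rationale` tags are the audit trail the article asks for: a decision with no reason, or a refusal backed by "cost" alone, is rejected at the point of recording rather than discovered later in a compliance review.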

Implementation Challenges for HIPAA Security Regulations
by Arnold Scarpitti, CISSP

The road to compliance with HIPAA Security regulations is a relatively complex and difficult one for most organizations. This article focuses on my experience with large and medium-sized providers. As an information security officer at a large multi-facility hospital group, and as information security consultant for a number of clients in the past several years, I have strived to create solid information security management programs for healthcare providers. The impetus for these programs has been primarily HIPAA, especially HIPAA security.

For purposes of this article, I am focusing on seven specific challenges that impact compliance with HIPAA Security regulations. Naturally, there are many other challenges relating to HIPAA security than those I cite. Each challenge mentioned is also more complex than I can fully address in a short article. The challenges are those that many large and medium-sized providers will have encountered, and are identified from my experience with information security and HIPAA Privacy and Security regulations. At the end of this article, I include a brief outline of a process I have used successfully to set up an information security program.

The seven implementation challenges I will address are:

A. Inadequate understanding and efforts to comply with the "mini-security rule" in the HIPAA Privacy regulations.
In the HIPAA Privacy regulations, which cover all protected health information (PHI), a section which impacts the HIPAA Security regulations probably received inadequate attention during many Privacy implementations. The section follows:

Section 164.530 (c) (1) Standard: Safeguards. A covered entity must have in place appropriate administrative, technical and physical safeguards to protect the privacy of PHI.

Section 164.530 (c) (1), effective in April 2001 with a compliance date of April 2003, effectively required covered entities to do the following:

1. Inventory PHI assets in the entire organization.
2. Analyze risks to all PHI: electronic, paper, oral, and voice.
3. Take appropriate actions to safeguard PHI of all types.

Organizations that took this Privacy standard seriously were well positioned to take steps to be in compliance with the HIPAA Security regulations, which focus on Electronic PHI (EPHI). Policies, procedures, risk assessment, training, network infrastructure issues, application security, et al. were implied by the mini-security rule.

Unfortunately, in many organizations, the focus was almost entirely on notice of privacy practices, disclosure procedures, patient rights, and certain administrative procedures. Although necessary for compliance with HIPAA Privacy regulations, these areas did not, from an information security standpoint, improve the protection of patient data. If Privacy regulation compliance efforts also addressed proper storage and handling practices of PHI, the protection of patient data would be improved.

Without the gathering of good information, many tasks in implementing HIPAA Security are difficult, if not impossible. A smart organization began this process by focusing on the mini-security rule prior to April of 2003.

B. Minimal understanding of the Risk Management process as it relates to information security.
Risk management for information security is complex and not well understood by healthcare providers. Although much valuable information from NIST and CMS and other resources is available, provider staff is not familiar with this absolutely critical task.

Performing an internal risk assessment, evaluating the risks to various systems, and then prioritizing those risks for action are important steps in risk management. However, using the common qualitative method for risk assessment can be quite subjective. Staff is very likely to minimize the likelihood of
events, minimize the impact, and identify low residual risks. One of the reasons this occurs, in my view, is poor information on security breaches. Although we are all aware of healthcare information security breaches that have appeared in newspapers, providers are unlikely to have good information on those occurrences in their own organization. Lack of data makes it appear these are potential but unlikely threats, and they are evaluated as correspondingly low risks.

This will result in a false sense of security from the internal risk assessment. Without knowledge of security breaches that have already occurred at an organization, it is unlikely much time or money will be spent addressing many potential vulnerabilities. Focus is usually on outside attacks of various types, which are well known to occur. Incidents of insider action, much more common and easier to initiate, are considered unlikely.

C. Clinical professionals resent "excessive security".
In most clinical areas, staff is well aware and understands that PHI is to be properly protected, not to be discussed in public areas, and is confidential. As clinical professionals, staff is often resentful that security controls are implemented to control or track their activities. Passwords, logins, application time-outs, etc. are seen as impediments to patient care, wasting time that could be better spent. Without good evidence that the information security practices are needed and valuable, clinicians are justifiably suspicious and can be uncooperative.

This is another area where good data on security violations or breaches would be valuable, but little exists. I suspect many violations are never reported as "incidents". This failure deprives information security staff and management of the information needed to justify various security measures, provide for additional training, and manage the entire infosec process.

Use of clinical physician order entry systems has mitigated this challenge slightly, for those providers that have implemented them. The need to maintain good records in the ordering process seems universally understood.

D. Information Security (infosec) knowledge is limited among information systems staff.
Only a small group of information systems staff are knowledgeable about infosec. In most cases, that knowledge relates to the security of specific systems, often focused on controlling outsider access to the internal network. Information security knowledge is not typically a strength of information system staffs, including programmers. Until relatively recently, infosec has not been a focus for those working with application programs. Security has been a low priority. This is understandable, since system features and functionality are critical to the day-to-day operations of providers.

Naturally, since providers were not asking for security features, vendors were not focused on including them. And even when solid infosec features were included in applications, administrators frequently do not use or enable the features for various reasons, usually because it requires more administrative time to implement security.

As infosec requirements have increased, more staff members are acquiring the necessary background to make good decisions and recommendations on infosec issues.

E. Given limited resources, the focus is on clients/patients.
This challenge is especially difficult to overcome. Most providers have limited resources. With limited resources, where do you place them? The mission of most providers includes excellent patient care as a top priority. So, when you are considering in your capital budget whether to move to a single sign-on product that simplifies clinical interactions, or to add some nursing staff or a new MRI, the organization's mission virtually requires those investments that benefit patients the most.

It is not impossible to provide a business justification for information security efforts. That said, it is not particularly easy to do. Can you market the fact that you keep information confidential for your patients? They expect that already. In many ways, the HIPAA Privacy and Security regulations gave an impetus to focusing on confidentiality of information that did not exist. It is not that healthcare providers did not care about confidentiality, just that it was not a high priority. I personally believe it is still not a high priority at many healthcare organizations. Many efforts that I am aware of are aimed at minimal compliance, and may include only policies, not actual practice.

Information system staffs are typically quite busy keeping up with installations, updates, routine systems requests, maintenance of applications, user help desk requests, etc. Without compelling reasons, and a high priority from senior management, little time may be available for attention to infosec issues.

F. Enforcement action for privacy has been very limited.
Although some action to enforce the privacy regulation has occurred, the potential for large fines to organizations that are not in compliance, based on valid complaints, has not been realized. Nor is it likely to happen soon. The federal government is notorious for creating regulations for various issues, and failing to properly enforce them.

Depending on the point at which an organization is starting, a reasonable amount of time is needed to comply with the HIPAA Privacy and Security regulations. Two years for many organizations is just not enough time to achieve that compliance. However, I question whether an adequate effort is being made by some organizations. I do not feel punitive actions should be taken against providers who are making good faith efforts to comply. However, whether the efforts are truly good faith or "minimal" is a question for legal staffs and perhaps CMS to determine. In any event, lack of enforcement effort unquestionably causes provider management to back off their efforts, and focus more on other priorities.

G. Early vendor hype and failed products.
When the Security NPRM was released in August 1998, many vendors of software and hardware products jumped on the HIPAA bandwagon enthusiastically. Clearly, healthcare is a huge market. Now, security products that were used primarily in financial industries could be marketed to an entirely new group.

The HIPAA Security NPRM released in August 1998 laid out a very comprehensive set of standards for security of electronic PHI. Many of those standards were revised, made addressable, or deleted from the final Security rule. However, since the Security Regulations were not final until January 2003, much effort went into making so-called HIPAA compliant products. Many products were good efforts, and certainly some remain. Others were not ready for use, and have been dropped. However, the vendor hype about what was required, what was compliant, etc. caused much uncertainty and confusion among providers.

An Approach to HIPAA Security that works.
With the requirements of the HIPAA Security regulations in mind, an approach that has worked successfully for me is outlined below. These are initial steps, and require ongoing attention to maintain a good information security program.
1. Establish senior management understanding and commitment to information security. It is impossible to overstress the importance of this element. Real commitment, willingness to enforce policies, budgeting for any essential capital investment involved, committing appropriate staff resources, and making infosec activity a high priority are all critical to developing a good information security program.

2. Develop, with appropriate input from business units and clinicians, information security policies. Policies cover the overall approach to data security, specific computer security issues, email, fax, physical access control to server rooms, risk management, user login and password, and other appropriate areas for each organization.

3. Train staff on policies. It is a cliché that users are the first line of defense, but it is unquestionably true. All staff should receive basic instruction on securing data, selecting and changing passwords, social engineering, use of email, laptop computers, and other issues that are applicable to their jobs. Managers and supervisors need additional training to understand what responsibilities they have relating to information security. Senior management should be provided an adequate understanding of infosec issues so they can make informed decisions, and participate in the risk management process by accepting or mitigating risk.

4. Develop appropriate procedures to implement the infosec policies. Policies are only as good as the training and implementation steps taken. To develop policies and then fail to proceduralize those policies guarantees an ineffective information security program. Procedures needed vary by organization, but should include the process for acquiring appropriate authorization for PHI systems, details on password issues and verification for changes, communication of access changes (terminations/transfers), and server and workstation configuration. Many other areas relating to control of external access, auditing and monitoring of various systems are probably needed also.

5. Train appropriate staff on procedures. For procedures, only affected staff needs to be trained. However, these individuals are really enforcing the policies, and need a clear and solid understanding of the procedures. Many procedures are information system focused; however, managers likely need some training also.

6. Perform a risk assessment of important systems. This includes major PHI applications, network infrastructure, servers and server rooms, and other important organizational assets involved in EPHI. Risk assessment, evaluation, and prioritized recommendations for senior management are the elements of the risk management process.

Although the challenges to implementing the HIPAA Security regulations are significant, they can be overcome. Building a good information security program requires a solid foundation, senior management support, appropriate resources, and continued efforts. It is not a short-term project, and must become part of the organization's business plan for the long term.

Arnold Scarpitti, CISSP
Arnold has twenty years of experience with information systems, computer networks and information security in large and medium-sized provider settings. Arnold is a consultant for information security programs, policy and procedure development, and information security training. Arnold is a Certified Information Systems Security Professional. Affiliated with HealthCare Perspective, LLC.
Pro-Filer™ integrates all relevant healthcare information into a unified, secure, web-enabled computer-based record.

Profiling for your... Organization; Best Practice; Consumers

Offering remote technology using: PDA; Tablet PCs; Laptops

Demonstrating ease-of-use with: Multi-company processing; Expansive user-defined fields; Customized table data entry; Wizards for workflows, clinical standards, and management; Quality, UM Review & Compliance

Using cutting edge technology... Visual Basic C++; N-tier design; SQL Database

www.unicaresys.com

UNI/CARE Systems, Inc. offers a comprehensive set of software applications and services for Behavioral Health, Public Health and Child
