Healthcare Security Regulations: Challenges or Opportunities?
In the Internet era, comprehensive security protections in the enterprise data network must be a central part of any organization. And with the dreaded Y2K projects behind us, data security and privacy protection becomes the most challenging topic for almost any industry - especially important for healthcare.
In the Internet era, comprehensive security protection in the enterprise data network must be a central part of any organization. And with the dreaded Y2K projects, hopefully, behind us, data security and privacy protection becomes the most challenging topic for almost any industry. However, it is especially important for healthcare due to the 1996 U.S. federal law under the Health Insurance Portability and Accountability Act (HIPAA) – also known as the Kennedy-Kassebaum Act – which establishes regulations designed to protect health insurance benefits, as well as sensitive information about the insured.
HIPAA offers workers who change employment better access to health insurance coverage by limiting exclusions for preexisting conditions, and restraining health plans from denying people health insurance based on their health status. But, HIPAA also calls for the development and implementation of uniform national standards for the secure electronic transmission of health information.
HIPAA: Protecting the Security of Confidential Data
HIPAA imposes regulations on the Department of Health and Human Services (DHHS), other federal agencies, state Medicaid agencies, private health plans, healthcare providers and healthcare clearinghouses to assure their customers (i.e., patients, the insured, providers and healthcare plans) of the confidentiality and privacy of healthcare information that is electronically collected, maintained, used or transmitted.
Confidentiality of information is generally threatened by the risk of unauthorized access to stored information, as well as the risk of interception while such data is in transit. The threats to confidential data kept in an electronic format are no less serious than those to paper-based records. In fact, the ever-growing use of the Internet introduces additional challenges and security exposures for electronic data, potentially placing it at much higher risk than data kept in secure filing cabinets behind locked doors. Methods are available today to ensure the protection of health information stored and transmitted in electronic format. But electronic storage and transmission of data require organizations to adjust their information security policies – and in some cases to establish such policies for the first time. Ensuring an appropriate and consistent level of information security for computer-based patient records, both within individual healthcare organizations and throughout the entire healthcare delivery system, also requires consistent and compatible security policies among different organizations.
Since an organization’s communications network becomes the principal medium for electronic delivery of healthcare information, optimal network design for secure delivery of information becomes a crucial task for healthcare providers.
In order to better understand the healthcare industry’s readiness for HIPAA, Sheldon I. Dorenfest & Associates, in conjunction with 3Com Corporation, conducted a survey of healthcare providers to determine their awareness of the HIPAA legislation, their current security procedures, and future needs to become HIPAA-compliant. This article will report high-level excerpts from the survey responses, discuss what CIOs need to know, and outline specific action steps the industry should be taking to secure their information technology infrastructure.
This survey was completed in June 1999, and included respondents from a range of acute care hospitals and integrated delivery systems. Respondents were asked if they were familiar with HIPAA. Approximately one-third of all providers surveyed were not familiar with HIPAA. Generally, smaller institutions were less likely to be aware of HIPAA regulations than were large institutions: Forty-four percent of small providers indicated that they were not familiar with HIPAA, while only 25 percent of larger providers indicated likewise.
There appeared to be great disparity between large and small institutions about when HIPAA compliance will be addressed. While several large providers have already started to address HIPAA requirements, most small providers surveyed are still focusing on Y2K issues.
What to Do About HIPAA
Compliance with HIPAA regulations will take many more person-hours and potentially twice the dollars spent on Y2K. Why? For starters, during the past few years providers have been so focused on achieving Y2K compliance that initiatives such as updating information security plans, security training, documentation and disaster recovery have been put on the back burner. Now, because of HIPAA, providers will have to play catch-up, and fast! Moreover, the demands of new client/server systems, virtual private networks and e-commerce add to the ever-increasing complexity of maintaining the security of patient information.
To help clarify this situation, we have defined a set of 10 critical success factors (CSFs) that must be in place to ensure a secure and confidential information infrastructure.
CSF 1 – An Overall Information Security Plan for All Systems. Maintaining the security of patient information is not just an IT issue; it’s an organization-wide initiative.
CSF 2 – Secure User Authentication. Using identifiers, passwords and other devices (e.g., biometric systems) to control who can access patient data in your computer system.
CSF 3 – Access Control Mechanisms. Using technology to restrict the ability to view, update and print patient data according to who the user is, and what needs they have to access that record.
CSF 4 – Information Access Monitoring/Audit Trails. Monitoring who accesses information and being able to audit instances of suspected security breaches are fundamental requirements of ensuring patient confidentiality.
CSF 5 – Physical Security and Disaster Recovery. The overall goal of physical security and disaster recovery planning is to ensure that essential services are maintained, or restored quickly, during a disaster.
CSF 6 – Protection of Remote Access Points and External Electronic Communications. Securing information at the point of data origin and throughout the information transmission process is a key requirement of impending HIPAA legislation.
CSF 7 – Data Integrity Monitoring. As providers begin to implement process-improving technologies, such as digital signature capability for medical staff, HIPAA legislation will mandate that these systems have non-repudiation functionality built in.
CSF 8 – Organizational Practices for Communication and Awareness of Security and Confidentiality Practices. A secure information infrastructure is only as good as the employees and medical staff who use these systems.
CSF 9 – Risk Assessment for All Systems. Providers should assess the strengths and weaknesses of all systems with regard to confidentiality.
CSF 10 – Documentation. Critical to every provider’s HIPAA compliance effort will be the process of documenting all of the aforementioned activities and keeping this information up to date.
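CSF 3 and CSF 4 together amount to a small, auditable decision point in front of every patient record. The following is an added illustration, not code from the article or from any of the organizations it names: a toy role-based access check for patient data, an audit trail of every attempt, and a review step that flags the kind of suspected breach CSF 4 asks an organization to be able to find. All roles, users, patient identifiers and thresholds are constructed for the example.

```python
"""Toy role-based access control plus audit trail for patient records (CSF 3 and CSF 4).

Added example; roles, staff directory, patient ids and thresholds are constructed.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed policy: the actions each role may perform on a patient record.
POLICY = {
    "physician": {"view", "update", "print"},
    "nurse": {"view", "update"},
    "billing": {"view"},
    "receptionist": set(),          # front desk sees scheduling, not clinical records
}

# Constructed staff directory: user -> role.
STAFF = {"dr_lee": "physician", "nurse_kim": "nurse",
         "acct_ray": "billing", "desk_ann": "receptionist"}

# Every attempt, allowed or denied, is recorded. In production this is an
# append-only store that the users being audited cannot modify.
AUDIT_LOG = []


def is_allowed(role, action):
    """Policy lookup: unknown roles get no access."""
    return action in POLICY.get(role, set())


def access_record(user, action, patient_id):
    """Decide whether `user` may perform `action` on `patient_id`; log the attempt either way."""
    role = STAFF.get(user, "unknown")
    allowed = is_allowed(role, action)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "action": action,
        "patient": patient_id, "allowed": allowed,
    })
    return allowed


def suspected_breaches(log, denied_threshold=3, distinct_patients=5):
    """Review step for the audit trail: flag users with repeated denials
    (probing for records they are not entitled to) or unusually broad
    successful access (browsing many patients' records)."""
    denied = Counter(e["user"] for e in log if not e["allowed"])
    touched = {}
    for e in log:
        if e["allowed"]:
            touched.setdefault(e["user"], set()).add(e["patient"])
    findings = {}
    for user, n in denied.items():
        if n >= denied_threshold:
            findings.setdefault(user, []).append(f"{n} denied attempts")
    for user, patients in touched.items():
        if len(patients) >= distinct_patients:
            findings.setdefault(user, []).append(
                f"accessed {len(patients)} distinct patient records")
    return findings
```

The thresholds are deliberately simple; a real review would compare each user's activity against their own role's baseline and the patients actually under their care.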
Securing Your IT Infrastructure
Since the network becomes the principal medium for electronic delivery of healthcare information, optimal network design for secure delivery of information becomes the most crucial task for healthcare providers. And due to the high sensitivity of patients’ data, security considerations become even more crucial in the context of HIPAA. According to a recent survey by the Healthcare Information and Management Systems Society (HIMSS; www.himss.org), the top security concerns mentioned by respondents include:
• Limitations of existing security technology (21%, compared to 18% in 1998)
• External breaches of security (14% in both 1998 and 1999)
• Unauthorized use of data by third parties (13% vs. 5% for "payors," and 1% for "vendors" in 1998)
Based on this survey, when it comes to HIPAA security requirement compliance, only 18 percent of U.S. healthcare organizations have already implemented security policies and procedures. Table 1 charts the progress toward compliance.
Table 1: Progress toward complying with HIPAA’s security requirements (% of respondents)
• We haven’t begun yet
• Assessed organization compliance
• Documented security policies and procedures
• Implemented security policies and procedures
• Hired a security officer
It’s important to note that threats aren’t necessarily external. In fact, the FBI Computer Crime Unit reports that more than 80 percent of all network security breaches are inside jobs – disgruntled or dishonest employees with their own particular agendas. HIMSS survey respondents paint a similar picture. When it comes to the security of computerized medical information, the respondents’ biggest concern continues to be internal breaches of security. Thirty-one percent of the respondents said that this is their number one security concern this year, the same percentage as in 1998.
A computer networking system can be attacked in a number of ways, resulting in differing degrees of damage. Establishing adequate or even impenetrable security at one point of attack while leaving one or more of the other points uncovered is like posting a guard at the front desk and leaving the company’s doors and windows wide open. An employee seeking revenge, or a serious thief, will try every avenue of entry, particularly if the value of the information is great and the access is relatively easy.
Building Blocks of Security
Security and high availability (a.k.a. the "four nines," or 99.99 percent) are among the most important design criteria for today’s networks. A properly designed network infrastructure that maximizes the benefits of networked data communications must contain these elements:
• Physical protection – Where are you?
• User authentication – Who are you?
• Access control – What asset(s) are you allowed to use?
• Encryption – What information should be hidden and how?
• Management – What is happening within the network?
An enterprise may employ any or all of these elements to achieve integrity and access control. The best strategy depends on the risk involved, the cost of the deployment, and the cost of a security breach or lost data.
And for securing the integrity of information while maintaining availability of information assets, an enterprise must:
• Allow access to information by authorized parties
• Implement policies to determine who is authorized for what kind of access to which information
• Employ a strong user-authentication system
• Deny malicious or destructive access to any information asset
• Protect data from end to end
Securing Your Information
Computer viruses, Trojan horses and other malicious "electronic creatures" are among the most serious threats for desktop computers. Since there are so many different viruses, operating systems, and ways of encoding and compressing binary files, an Internet firewall cannot be expected to accurately scan each and every file for potential viruses. Therefore, antivirus software has to be deployed at each desktop to protect against infection from floppy disks or any other source.
Encrypting sensitive data on end users’ devices (i.e., workstations, desktop and laptop computers, and even PDAs) is no less important. Encryption is used to protect against eavesdropping. It renders information private by making it unreadable to all except those who have the key needed to decrypt the data. It does not matter whether a third party intercepts packets over the Internet; the data still cannot be read. This approach can be used throughout the enterprise network, including within the enterprise (intranet), between enterprises (extranet) or over the public Internet to carry private data in a Virtual Private Network (VPN).
Security starts with well-defined and monitored security policies. Next is the implementation of efficient and robust data encryption on the end users’ devices and the Network Interface Cards (NICs). No less important, however, is implementation of security policies on the corporate LANs.
Controlling Access by User
Proof of identity is an essential component of any security system. It’s the only way to differentiate authorized users from intruders. User authentication to the network is a necessity for any enterprise that is serious about protecting information assets and knowing who is attempting to gain access to the network. Authentication becomes particularly important when some of the more sophisticated communication methods are used.
In addition to proving identity, authentication systems are used to determine what information the requestor can access. True authentication generally incorporates the following elements:
• What the user has or possesses (smart card, certificate)
• What the user knows (password)
• A physical attribute (fingerprint or other biometric information)
Authentication is most often achieved through challenge and response, digital certificates, or message digests and digital signatures.
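The "challenge and response" and "message digest" methods named above can be combined in one exchange: the server issues a fresh random challenge, the client answers with a keyed digest (HMAC) of that challenge under a secret it possesses, and the server recomputes and compares. This is an added example, not code from the article or from 3Com, Extreme Networks or Dorenfest & Associates; the user names and shared secrets are constructed, and a real deployment would keep the secret on a smart card or token rather than in a dictionary.

```python
"""HMAC challenge-response login (added example; users and secrets are constructed)."""
import hashlib
import hmac
import secrets

# Constructed user store: user -> shared secret (in practice held by the
# user's token/smart card and in a protected server-side store).
SECRETS = {"dr_lee": b"constructed-secret-for-dr_lee"}


def _digest(secret, user, nonce):
    """Keyed message digest over a fixed purpose label, the user and the challenge."""
    return hmac.new(secret, b"login|" + user.encode() + b"|" + nonce,
                    hashlib.sha256).digest()


class Server:
    def __init__(self):
        self._pending = {}      # user -> outstanding challenge (single use)

    def challenge(self, user):
        """Issue a fresh 128-bit random challenge. A challenge is issued even for
        unknown users so that the response does not reveal which names exist."""
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, nonce, response):
        """Accept only a correct answer to the one outstanding challenge for this user."""
        expected_nonce = self._pending.pop(user, None)   # consumed: replays fail
        if expected_nonce is None or nonce != expected_nonce:
            return False
        secret = SECRETS.get(user)
        if secret is None:
            return False
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(_digest(secret, user, nonce), response)


def client_response(user, secret, nonce):
    """What the user's device computes from the challenge and the secret it holds."""
    return _digest(secret, user, nonce)
```

The secret itself never crosses the network; an eavesdropper sees only a nonce and a digest that is useless once that nonce has been consumed.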
Protection from the Outside
Access control governs a user’s ability to make a connection to a particular network, computer or application, or to a specific kind of data traffic. The increasing use of the Internet is heightening the concerns of network administrators about the security of their network infrastructure and their organization’s private data.
What is so special about Internet security, one may ask? And why are Internet security concerns many orders of magnitude higher than those for, say, public circuit, packet, or frame relay switching networks?
One of the key differences is the fact that no single body is responsible for the Internet. If, for example, a company were using a certain carrier for public frame relay service, this carrier would have contractual obligations to deliver reliable and secure services. With the Internet, such an approach would not be applicable.
Another major reason is the ever-growing number of sophisticated users who are "surfing" the Net, sometimes with a clear intention to break into someone’s network either as a "hobby" or for industrial espionage. In other words, some do it for money, some for pleasure. However, do not be fooled by the "innocent" intentions of the "hobbyist" amateur hackers: The first computer virus inventors did not do it for profit either, but they managed to cause some significant losses for quite a few organizations.
Firewalls are among the most efficient and popular tools for addressing security matters, and they offer a convenient point where Internet security can be monitored and alarms generated. It should be noted that for organizations that have connections to the Internet, the question is not whether, but when, attacks will occur. Network administrators must audit and log all significant traffic through the firewall. If the network administrator doesn’t take the time to respond to each alarm and examine logs on a regular basis, there is no need for the firewall, since the network administrator will never know if the firewall has been successfully attacked!
For the past few years, the Internet has been experiencing an address space crisis that has made registered IP addresses a less plentiful resource. This means that organizations wanting to connect to the Internet may not be able to obtain enough registered IP addresses to meet the demands of their user population. An Internet firewall is a logical place to deploy a Network Address Translator (NAT) that can help alleviate the address space shortage and eliminate the need to renumber when an organization changes Internet service providers (ISPs).
It is also important to emphasize that an Internet firewall is not just a router, a bastion host, or a combination of devices that provides security for a network. The firewall is part of an overall security policy that creates a perimeter defense, designed to protect the information resources of the organization. This security policy must include published security guidelines to inform users of their responsibilities; corporate policies defining network access, service access, local and remote user authentication, dial-in and dial-out, disk and data encryption, and virus protection measures; and employee training.
What Should You Do Now?
Privacy and security provisions of HIPAA are plain and sound business and technology practices that every patient care delivery organization should be practicing. As more patient data becomes accessible online, the information technology professional must assure that all users who access these data are authorized, authenticated and accountable. Our systems must have adequate audit trails inherently available, and all data available to the user must be accurate.
The reader will note that these are not necessarily technological capabilities of systems; rather, they are often organizational policy, procedural and educational issues that capable healthcare professionals should address regardless of any legal requirement. Documentation of the above, including proof that policies are indeed audited and violations are dealt with, is critical to assuring a sound, secure and, ultimately, HIPAA-compliant program.
These can be addressed now. It is critical for IT managers to assess their security/data-access environments and to educate their management teams in order to better understand the magnitude of the work to be done in this area. Thus, planning on how the solutions to potential issues will be developed can be done well in advance of data transmission and identifier standards being finalized.
Studies indicate that businesses that do not use the Internet for daily communication will suffer in the marketplace within five years. As enterprise resources are connected to a larger global network, the implementation of an effective security system becomes imperative.
Security awareness and precautions can definitely protect and insulate corporate networks from would-be Internet meddlers. Another issue to keep in mind is allowing connectivity to legitimate users: That probably was the reason the network was put in place.
Partnering with a competent consulting organization, both for the initial design and for the deployment of the most appropriate secure networking infrastructure, is imperative in today’s networking environment. Regardless of what some vendors may tell you, nobody can guarantee foolproof security against any imaginable intruder. No tool or technique will protect the network 100 percent. But a sound, up-to-date, and continuously reviewed and improved security policy and HIPAA compliance program could certainly help to make it very expensive to compromise network security.
About the Author: Eddie Rabinovitch is with Extreme Networks (Saddle Brook, N.J.), and has more than 20 years of experience in information technology and data communications.
Larry Pawola is Executive Vice President at Dorenfest & Associates (Chicago). He can be reached via e-mail at email@example.com.