Companies Nervous as First HIPAA Deadline Approaches

Automated monitoring key to HIPAA compliance; Symantec fields questions from worried users

As the Health Insurance Portability and Accountability Act of 1996 (HIPAA) deadline creeps closer, organizations are stuck with but a partial set of regulations to implement. Fielding customer fears over the chaotic deadline state, Cupertino, Calif.-based Symantec Corp. recently interacted with its customers via a Web cast, answering questions about the HIPAA timeline, implementation curves and where proactive companies need to be.

One-half of HIPAA, the standards for privacy of individually identifiable health information, comes into effect April 14, 2003. But the other deadline, security and electronic signature standards, still hasn’t been finalized, nor has a deadline been set. Once finalized, however, many companies will have to rush to get compliant.

Based on customer questions he fielded at the recent Web cast, Symantec’s Ronald Van Geijn, director of product management, says: “I think there’s still a big group of people in organizations out there that are very concerned, that are thinking about HIPAA but are still uncertain about how they’re going to achieve HIPAA compliance. Only one of the two standards has been finalized, so organizations are looking at the deadline and seeing there isn’t a lot of time.”

Symantec is pitching a HIPAA module for its Enterprise Security Manager (ESM) vulnerability management software as a way for proactive companies to plan their attack—time, resources, and people—to close any gaps once HIPAA gets finalized. Specifically that means assuring the confidentiality, integrity, and availability of data.

ESM monitors policy compliance and vulnerabilities by checking such security controls as account integrity, password policies, and backup and restore plans. ESM for HIPAA gives companies pre-configured HIPAA-based security policies they can customize to their particular environment. Companies not under the auspices of HIPAA can use a product such as ESM to measure compliance. ESM also contains standard security policies companies can adapt to their needs, such as one based on ISO 17799—controls for best practices in information security.

Organizations still behind with HIPAA have time to get compliant, and even integrate ESM, so long as they’re talking about security policies now. “ESM integration isn’t difficult,” says Van Geijn, but it isn’t the first thing that needs to be done; policy is. “Setting up the software is typically less than 10% of the effort to implement the overall systems. Developing policy is typically 40-50%, and the remaining time is measuring compliance and bringing systems into compliance.”

With HIPAA, “It’s important for customer organizations to know how secure they are,” says Van Geijn. “If you don’t know how secure you are, then how do you know what business risk you’re taking if a business user can break into your systems.” Yet, he notes, “customers are struggling to measure their security posture.”

Companies can’t just declare themselves HIPAA-compliant either; they need outside experts to say that. “Typically, that would be an auditor,” says Van Geijn, and that process also includes interviews with personnel to ascertain the degrees of electronic and physical security.

To give organizations a clue as to their security policy compliance, ESM uses agents that are installed on every server and PC. Then ESM tracks policy compliance, displaying red, yellow or green flags in a centralized security manager’s console for every system it’s tracking.

Getting networks and computers compliant means having a real-time view of machines that change constantly, always knowing if they’re compliant or not. “The key here is while it can be done manually, sitting behind a computer, it really has to be automated,” says Van Geijn. ESM “can check thousands of systems virtually at the same time.”
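The agent-and-console model described above, as an added illustration in Python (not Symantec's ESM code): a small compliance checker that scores host snapshots against a customizable policy for the three control areas the article names and maps the result to a red/yellow/green flag. The thresholds, the list of "critical" controls and the sample hosts are all assumptions constructed for the example.

```python
# Added example, not Symantec's ESM code: a minimal policy-compliance checker of
# the kind the article describes, scoring constructed host snapshots against a
# customizable policy and yielding the per-system red/yellow/green console flag.
# Hypothetical thresholds; a real policy derives from the organization's own HIPAA policy.
DEFAULT_POLICY = {
    "password_min_length": 8,
    "password_max_age_days": 90,
    "lockout_threshold": 5,      # failed logins before lockout; 0 = lockout disabled
    "max_stale_admin_days": 30,  # enabled admin account unused this long
    "backup_max_age_days": 1,
}
# Assumed severity model: failing any of these turns a host red rather than yellow.
CRITICAL = {"lockout_enabled", "no_stale_admin_accounts", "backup_recent"}

def check_host(host: dict, policy: dict = DEFAULT_POLICY) -> dict:
    """Return {control_name: passed} for one host snapshot."""
    stale = [a for a in host["admin_accounts"]
             if a["enabled"] and a["days_since_login"] > policy["max_stale_admin_days"]]
    return {
        "password_min_length": host["password_min_length"] >= policy["password_min_length"],
        "password_max_age": host["password_max_age_days"] <= policy["password_max_age_days"],
        "lockout_enabled": 0 < host["lockout_threshold"] <= policy["lockout_threshold"],
        "no_stale_admin_accounts": not stale,         # account integrity
        "backup_recent": host["days_since_backup"] <= policy["backup_max_age_days"],
        "restore_tested": host["restore_tested"],      # backup and restore plan
    }

def status(findings: dict) -> str:
    """Red if a critical control failed, yellow for any other failure, else green."""
    failed = {name for name, ok in findings.items() if not ok}
    if failed & CRITICAL:
        return "red"
    return "yellow" if failed else "green"

def console_view(hosts: list, policy: dict = DEFAULT_POLICY) -> dict:
    """Flag every tracked host, as the central console does."""
    return {h["name"]: status(check_host(h, policy)) for h in hosts}

# Constructed sample snapshots, as three agents might report them.
SAMPLE_HOSTS = [
    {"name": "ehr-db01", "password_min_length": 10, "password_max_age_days": 60, "lockout_threshold": 5,
     "admin_accounts": [{"enabled": True, "days_since_login": 3}], "days_since_backup": 0, "restore_tested": True},
    {"name": "ws-nurse14", "password_min_length": 6, "password_max_age_days": 60, "lockout_threshold": 5,
     "admin_accounts": [], "days_since_backup": 1, "restore_tested": True},
    {"name": "file-srv02", "password_min_length": 8, "password_max_age_days": 90, "lockout_threshold": 0,
     "admin_accounts": [{"enabled": True, "days_since_login": 120}], "days_since_backup": 9, "restore_tested": False},
]

if __name__ == "__main__":
    print(console_view(SAMPLE_HOSTS))
```

Tightening a single threshold in the policy dictionary is enough to change a host's flag, which is the customization step the article says precedes any tooling.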

“Many healthcare institutions will need to automate security policy enforcement if they hope to get HIPAA compliant,” Van Geijn observes. “Their primary task is giving care—it’s not about information security, which is probably why the government has imposed these regulations, because they’re concerned that the security falls by the wayside.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.