HIPAA
About HIPAA
Since HIPAA legislation was passed into law, no other authority has affected the health care industry in such a manner in over 30 years. All organizations involved in healthcare, from providers to insurance payers, including private entities and government agencies, have been mandated to comply with the regulations. HIPAA will have varying degrees of implications in the market, as each affected organization will have its own specific circumstances that dictate the measures needed to become compliant. Overall, the aggregated impact of HIPAA on the health care industry is at least equivalent to that of the Y2K impact, and may be considerably more significant in many cases. Unlike Y2K, HIPAA requires not only significant information technology modifications but also enforces procedural and policy transformations that are equally, and in some cases more, significant.
Introduction
HIPAA security standards require changes in the healthcare industry's information security procedures and practices. This white paper will focus on the authentication requirements of access control to electronic medical information and provide a summary of HIPAA security requirements, industry implications, and the measures that will need to be implemented. We will discuss how employing some fundamental security measures will satisfy HIPAA regulations and create a tangible Return On Investment.
Applicability and Scope
The Security regulations apply to all uniquely identifiable health information that is in electronic form, regardless of whether it is being stored or transmitted. This includes all administrative and financial healthcare transactions covered by the HIPAA Transactions Standards Rule, including internal transmissions, reviews, and access. All healthcare entities that handle this information, including providers, health plans, and clearinghouses that electronically store or transmit individual health information, will be required to comply.
Security Threats
The Security Regulations apply to both external and internal security threats and vulnerabilities. Threats from "outsiders" include breaking through network firewalls, e-mail attacks through interception or viruses, compromise of passwords, posing as organization "insiders," computer viruses, and modem number prefix scanning. These activities can result in denial of service, such as the disruption of information flow by "crashing" or overloading critical computer servers. The outsider may steal and misuse proprietary information, including individual health information. Attacks can also affect the integrity of information, by corrupting data that is being transmitted.
Internal threats are of equal concern, and in many cases a greater concern: according to industry security experts they are far more likely to occur, and statistically they have proven to carry great potential for harm and destruction. Organizations must protect against careless staff or others who are unaware of security issues, and against probing or malicious insiders who deliberately take advantage of system vulnerabilities to access and misuse personal health information.
Physical Safeguards
This category of security standards is focused on preventing unauthorized individuals from gaining access to electronic information.
Five areas of physical safeguards include:
1. Assigned Security Responsibility - officially assigning responsibility for information security.
2. Media Controls - setting up formal procedures for controlling and tracking the handling of hardware and software, and for data backup, storage and disposal.
3. Physical Access Controls - developing a facility security plan, and setting up disaster recovery, emergency modes, and other access and handling controls.
4. Work Station Use - policies and procedures to prevent unauthorized access to protected information on workstations and terminals.
5. Security Awareness Training - awareness training for all employees and others with physical access to protected health information.
Technical Security Services
Technical security services are often governed by the particular technologies and data systems in use. Covered entities are expected to balance the need for timely access to needed health information with the need to protect its confidentiality and integrity. The Rule provides for five areas of technical security services:
1. Access Control - providing controls limiting access to health information to those with valid needs and authorization.
2. Audit Controls - setting up system mechanisms that record and monitor activity.
3. Authorization Control - obtaining and tracking the consents of patients for use and disclosure of their health information.
4. Data Authentication - ensuring that data is not altered, destroyed or inappropriately processed.
5. Entity Authentication - employing mechanisms such as automatic logoff, passwords, PINs and biometrics, which identify authorized users and deny access to unauthorized users.
The core requirements are as follows:
· Certification
· Chain of trust partner agreement
· Contingency plan
· Formal mechanism for processing records
· Information access control
· Internal audit
· Personnel security
· Security configuration management
· Security incident procedures
· Termination procedures
· Training
· Assigned security responsibilities
· Media controls
· Physical access controls
· Policy guideline on work station use
· Secure work station location
· Security awareness training
· Access control (context based)
· Audit controls
· Authentication
· Authorization control
· Cryptography
· Unique user identification
· Communication network controls
· Digital signature
For the Requirements listed below, one or more of the given Implementation features must be in place in order to provide appropriate security for electronic health information. Which feature(s) will provide the most appropriate level of security, confidentiality and privacy must be determined by (1) the management of the individual enterprise housing the information and (2) the trading partners exchanging the information, and will be dependent upon the level of risk deemed acceptable by that enterprise or trading partnership.
| Requirement: | Implementation: |
| --- | --- |
| Audit controls | |
| Authentication (one or more of the listed implementation features must be implemented) | Automatic log off; Biometrics; Password; PIN; Token |
| Authorization control (one or more of the listed implementation features must be implemented) | Role-based access / User-based access |
| Cryptography (If cryptology is employed, one or more of the listed implementation features must be implemented) | Confidentiality protection using encryption; Digital signature; Integrity protection/Mandatory access controls (MAC); Key management |
Implications of the Security Standards for the Healthcare Industry
Although it is the largest producer of GDP in the United States, the healthcare industry has been the slowest to implement technology processes to manage day-to-day operations. With the currently deployed technology it has also lagged in addressing information security in a comprehensive manner. Most healthcare organizations have security features in their information systems, but those features are outdated, not followed, and/or disregarded. They further typically do not have written policies or procedures for the employees that are authorized to access the information, such as policies on disclosure of sensitive information or personnel policies dictating the types of personnel actions that will be taken if staff members violate the policies.
Automated medical information also highlights concerns about information availability, particularly as more clinical information is stored electronically. Ensuring information availability through appropriate access and data integrity (i.e., knowing that the information in an organization's systems has not been inappropriately or inadvertently changed and that it is not at risk of being lost if the system fails) may be as important as confidentiality. Part of the Administrative Simplification provisions' stated purpose is "encouraging the development of a health information system." Such a system is intended to support access to critical health information when and where it is needed. Information systems can only ensure availability if the systems are working and the information is not easily changed.
HCFA's proposed standards imply that healthcare organizations will develop security programs that include technological solutions, but recognize that the persistent risk, regardless of the level of technical security, is through the people who have authorized access rather than "hackers". Consequently a number of the standards address personnel and physical site access, e.g., personnel security, training, termination procedures for both physical and system access, and physical access controls. HCFA, at present, is not planning to require either encryption or digital signature under the security standards for non-Medicare information. Therefore the most significant technical requirements may be the audit controls and the "accountability (tracking) mechanism". At present HCFA is not planning to stipulate the extent of the audit requirement, again relying on the organization's determination regarding the level of appropriate auditing. Certain types of information may warrant a 100% audit trail; for instance, organizations may want to closely monitor access to AIDS or substance abuse information.
Technical Security Services to Guard Data Integrity, Confidentiality, and Availability
| Requirement: | Implementation: |
| --- | --- |
| Communications/network controls (If communications or networking is employed, the following four implementation features must be implemented: alarm, event reporting, and audit trail; entity authentication; integrity controls; message authentication) | Access controls; Alarm, event reporting, and audit trail; Encryption; Entity authentication; Integrity controls; Message authentication |
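The following is an added example, not code from the white paper or from HCFA, of three of the network-control features in the table above working together: message authentication and integrity controls on a record in transit, with alarm and event reporting into an audit trail when a check fails. It assumes (the page does not say this) that the two endpoints share a secret key managed out of band and that messages carry an increasing sequence number; the key, patient identifier and lab result are constructed sample values.

```python
"""Added example: message authentication, integrity control and
alarm/event reporting for a health-record message in transit,
using only the Python standard library."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample key; in a real deployment it comes from key management.
SHARED_KEY = b"constructed-sample-key-do-not-use"


def protect(key: bytes, seq: int, payload: dict) -> dict:
    """Attach an HMAC-SHA256 tag over the sequence number and canonical payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, f"{seq}|{body}".encode(), hashlib.sha256).hexdigest()
    return {"seq": seq, "body": body, "tag": tag}


class Receiver:
    """Verifies authentication and integrity; reports every outcome as an event."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0
        self.events = []  # alarm / event reporting doubles as the audit trail

    def _event(self, level: str, detail: str) -> None:
        self.events.append({"time": datetime.now(timezone.utc).isoformat(),
                            "level": level, "detail": detail})

    def accept(self, msg: dict):
        """Return the decoded payload, or None (with an ALARM event) if rejected."""
        expected = hmac.new(self.key, f"{msg['seq']}|{msg['body']}".encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison; a mismatch means tampering or a wrong key.
        if not hmac.compare_digest(expected, msg["tag"]):
            self._event("ALARM", f"seq {msg['seq']}: authentication tag mismatch")
            return None
        # Sequence check: a replayed or out-of-order message is rejected.
        if msg["seq"] <= self.last_seq:
            self._event("ALARM", f"seq {msg['seq']}: replay or out-of-order "
                                 f"(last accepted {self.last_seq})")
            return None
        self.last_seq = msg["seq"]
        self._event("INFO", f"seq {msg['seq']}: accepted")
        return json.loads(msg["body"])


def demo():
    """Send one good message, one altered in transit, and one replay."""
    rx = Receiver(SHARED_KEY)
    payload = {"patient_id": "P-0001", "result": "HbA1c 6.1"}  # constructed
    good = protect(SHARED_KEY, 1, payload)
    tampered = dict(protect(SHARED_KEY, 2, payload))
    tampered["body"] = tampered["body"].replace("6.1", "9.9")  # altered after tagging
    results = [rx.accept(good), rx.accept(tampered), rx.accept(good)]
    alarms = [e for e in rx.events if e["level"] == "ALARM"]
    return results, alarms


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The HMAC gives message authentication and integrity for each message; the sequence number extends integrity protection to the stream so that a recorded message cannot be re-injected. Note that a shared-key tag does not give non-repudiation, which is why the electronic signature requirement below is a separate feature.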
Electronic Signature
| Requirement: | Implementation: |
| --- | --- |
| Digital signature (If digital signature is employed, the following four implementation features must be implemented: message integrity; non-repudiation; user authentication. Other implementation features are optional) | Ability to add attributes; Continuity of signature capability; Counter signature; Independent verifiability; Interoperability; Message integrity; Multiple signatures; Non-repudiation; Transportability; User authentication |
Technical Security Services to Guard Data Integrity, Confidentiality and Availability
| Requirement: | Implementation: |
| --- | --- |
| Access control (The following implementation feature must be implemented: Procedure for emergency access. In addition, at least one of the following three implementation features must be implemented: Context-based access, Role-based access, User-based access. The use of Encryption is optional.) | Context-based access; Encryption; Procedure for emergency access; Role-based access; User-based access |
| Audit Control / Data Authentication | |
| Authorization control (At least one of the listed implementation features must be implemented.) | Role-based access; User-based access |
| Data Authentication | |
| Entity authentication (The following implementation features must be implemented: Automatic logoff, Unique user identification. In addition, at least one of the other listed implementation features must be implemented.) | Automatic logoff; Token; Password; PIN; Unique user identification; Biometric |
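As an added example, not from the white paper and not an implementation prescribed by the Rule, the block below shows how the access control, authorization control, entity authentication and audit control features in the table above (and in the "Technical Security Services" list earlier) fit together in one decision point: unique user identification, role-based and context-based access, a procedure for emergency access, automatic logoff after inactivity, and an audit trail whose entries are hash-chained so that later alteration is detectable. The roles, departments, idle timeout, user ids and record are constructed assumptions for illustration.

```python
"""Added example: a minimal access-control decision point with
emergency access, automatic logoff and a tamper-evident audit trail."""
import hashlib
import json

IDLE_TIMEOUT_SECONDS = 15 * 60  # automatic logoff threshold (assumed value)

# Role-based access: the actions each role may perform (constructed).
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": {"read_billing"},
}

# Unique user identification: one id per person, never shared (constructed).
USERS = {
    "u1001": {"role": "physician", "department": "cardiology"},
    "u1002": {"role": "nurse", "department": "oncology"},
}


class AuditTrail:
    """Append-only log; each entry commits to the previous entry's hash."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self.prev_hash = self.GENESIS

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, **fields):
        body = dict(fields, prev=self.prev_hash)
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        self.prev_hash = entry["hash"]

    def verify(self):
        """True only if no entry was altered, removed or reordered."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class Session:
    def __init__(self, user_id, login_time):
        self.user_id = user_id
        self.last_activity = login_time


def authorize(session, now, action, record, audit, emergency_reason=None):
    """Decide one access request; return (allowed, reason) and log the decision."""
    user = USERS[session.user_id]

    def log(decision, reason, **extra):
        audit.record(user=session.user_id, action=action, record=record["id"],
                     decision=decision, reason=reason, **extra)

    # Automatic logoff: an idle session is terminated instead of served.
    if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
        log("deny", "auto-logoff")
        return False, "auto-logoff"
    session.last_activity = now

    # Role-based check first, then context-based check (own department only).
    reason = None
    if action not in ROLE_PERMISSIONS[user["role"]]:
        reason = "role"
    elif record["department"] != user["department"]:
        reason = "context"
    if reason is None:
        log("allow", "ok")
        return True, "ok"

    # Emergency access procedure: a clinical reader may override a context
    # denial by stating a reason; the override is flagged for later review.
    if reason == "context" and action == "read" and emergency_reason:
        log("allow", "emergency", note=emergency_reason, review=True)
        return True, "emergency"
    log("deny", reason)
    return False, reason


def demo():
    """Exercise each decision path, then show the trail detects tampering."""
    audit = AuditTrail()
    record = {"id": "R-42", "department": "cardiology"}  # constructed record
    nurse = Session("u1002", login_time=0)
    outcomes = [
        authorize(nurse, 60, "read", record, audit)[1],                      # context
        authorize(nurse, 120, "read", record, audit, "code blue in ED")[1],  # emergency
        authorize(nurse, 120 + IDLE_TIMEOUT_SECONDS + 1, "read", record, audit)[1],
    ]
    physician = Session("u1001", login_time=0)
    outcomes.append(authorize(physician, 30, "write", record, audit)[1])        # ok
    outcomes.append(authorize(physician, 40, "read_billing", record, audit)[1])  # role
    intact_before = audit.verify()
    audit.entries[0]["decision"] = "allow"  # simulate after-the-fact alteration
    return outcomes, intact_before, audit.verify()
```

Every decision, including denials and emergency overrides, lands in the trail, which is what makes the "100% audit trail" discussed above possible for sensitive record types; the hash chain means an auditor can detect a changed or deleted entry without trusting the host that stores the log.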