HIPAA: Getting in tune
The heat has been turned up for those charged with bringing their institutions into HIPAA compliance, reports Greg Masters.
In the good old days, the IT staffs at a lot of hospitals did what they could to protect their patient's privacy, but there was little in the way of requirements or enforcement. But, with increasing instances of data breaches and the introduction of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other state and federal mandates, closer attention is being paid to these privacy concerns.
The challenges are daunting. Access to health care records can come from any number of places – from hospital staff tapping into the database, or from malicious outsiders hacking their way into the database mining for the valuable personal information.
Larry Whiteside Jr. (left), chief information security officer, Visiting Nurse Service of New York (VNSNY), which provides home health care and community-based health services in the five boroughs of New York City and Nassau County on Long Island, argues that HIPAA has little bite.
“The infractions that companies have been fined for have been due to publicly identified breaches that affect public confidence in the company and health care systems,” he says. “HIPAA has to step into those situations with a big hand. For those of us that have not had a breach, but take security seriously, we focus on things that deal with reducing risk. That's the underlying factor for everything, RISK.”
All HIPAA does, he adds, is provide some general security guidelines that are specific to the health care vertical. “I don't know one entity that has had a government agency come through and hit them with fines and sanctions due to not meeting HIPAA regulations. The reality is that everyone wants to be secure, everyone wants to reduce risk, everyone wants to be compliant (eventually).”
It's just that the road companies take to get there are all different, says Whiteside. Some entities actually hit potholes while on that road (the breaches we have seen). For those that don't hit that pothole, they hit speed bumps (budget, executive buy-in, etc.), he says.
“Regardless of the obstacle that is hit or the direction we started in, we are all on a road with a big secure sign at the end,” he says.
Despite the caveats, all the regulations, including HIPAA, have benefits and those are the guidance that they provide, he says, adding that the Visiting Nurse Service of New York takes HIPAA seriously.
But, the organization, the largest not-for-profit home health care agency in the nation, is not completely focused on just being HIPAA compliant.
“My more overall goal is to be secure,” says Whiteside. “Thus, I will inherently be compliant through being secure.”
There is no one-stop shop to security, however.
“Having regulations allows specific industries a way to focus in on the things that should matter to them and allow them to prioritize what should be done first based on their industry and regulations,” says Whiteside. “Am I saying that in health care one should meet all their HIPAA requirements before addressing anything else? No, I am saying that when you look at becoming a secure organization and you begin trying to determine what to address first, things like HIPAA help you make that decision.”
Across the border
Our neighbors to the north in Canada have similar compliance laws in place, many based on U.S. legislation, says Bobby Singh, director of information security at Smart Business Systems for Health Agency eHealth Ontario, an agency of the Ontario Ministry of Health and Long-Term Care.
Singh, who has the advantage of having worked in the states before moving to Canada several years ago, says Canadians are much more cognizant than their U.S. neighbors of privacy issues and how personal information is handled.
“More proactive steps are taken in Canada,” he says. While HIPAA allows some flexibility and provides suggested guidelines more than prescriptive steps, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), a federal law, mandates how entities collect, use and disseminate sensitive personal information.
In addition, there are some provincial acts in the health care space that replace the federal regulations – for example, the Personal Health Information Protection Act (PHIPA), in Ontario where Singh works.
But, even though matters are somewhat simplified in Canada by having only one state-run HMO, whether in the U.S. or Canada, hospitals and health care facilities face similar issues in protecting patient data, says Singh.
However, while the system may be a bit simpler in Canada, on the other hand, there is a political component, being that the state is running the health care system.
“There's somewhat of a big brother approach,” says Singh. “The government defines what doctors and patients should be doing as far as managing personal data.”
The prescription, he adds, just may be a higher level of priorities. “Hospitals need to talk to each other so data can be electronically transferred.”
He's optimistic that as the process evolves, those in charge of the health care system will gain a better understanding of how to use IT for efficiencies.
Measures are being taken to protect health records. HIPAA, for example, requires that two verifiable forms of identity be needed to allow access to records.
A lot of hospitals are using single sign-on (SSO), says Hiroko Naito (right), health care development manager, Fujitsu. SSO solutions eliminate the need for multiple password entries, but HIPAA requires that passwords be changed every 60-90 days, she says.
“This places a heavy burden not only on the health care providers, but the IT staff. The question is: Is this password system well-managed?”
She says a biometric solution can replace the need for passwords. “There's no memorization, a user can't forget it or leave it somewhere. It complements an SSO solution and adds strong authentication.
Health care organizations are aware that they must comply with regulations, she says. The challenge is convincing them that a new layer of security, which they might perceive as a complication, can, in fact, take some of the burden off the user. It's a better way of managing access for the IT department. Biometrics is a simple way to gain access to protected health records, she says. It correctly identifies patients at the point of entry.
While she admits that the number one reason for hospitals to accurately identify patients is patient safety, she also points out that it is now a HIPAA requirement to protect the privacy of patients.
“Our hospital customers expressed concern about eliminating the need to ask patients sensitive questions.”
The solution: when a patient enters the facility, a registrar stores vein information using Fujitsu's biometric reader, PalmSecure, and that reading is tied to the patient's medical record. The next time that patient walks into the hospital, they don't need to present sensitive, personal information. Plus, there is no chance they will be misidentified.
“They wave their hand over the PalmSecure, and it will identify that patient and bring up the medical record, so the registration person knows and can direct the patient to the right doctor for the right treatment. That patient's identity is verified and the hospital can provide appropriate care,” says Naito.
Plus, she adds, even though the deadline for compliance with Identity Theft Red Flag regulations, a part of the Fair and Accurate Credit Transactions (FACT) Act, has been pushed back, any organization that deals with credit, such as a hospital, must have guards in place to detect fraud, report fraud and to protect customers from fraud.
“A biometric identity system can help prevent fraud, specifically, insurance fraud, she says.
All health care organizations that are classifiable as “covered entities” by HIPAA law must demonstrate “reasonable” efforts to comply with HIPAA's privacy and security aspects—whether the security standards are “required” or “addressable,” says Christopher Paidhrin, HIPAA & IT Security officer for ACS Healthcare Solutions/Southwest Washington Medical Center (SWMC). “Each organization must be prepared to explain their rationale for their compliance efforts, especially if the HIPAA standards are not met.
There are at least 40 security standards for HIPAA, and, he says, Imprivata's SSO solution (OneSign) has helped Southwest Washington Medical Center directly address eight of these requirements and an additional 15 security standards, in an indirect way. OneSign, which serves a vital role as an access control gateway—both for internal and external workforce members—also delivers more IT security compliance for HIPAA than any other single security control or solution at Southwest.
“It is our best bang-for-the-buck security solution,” says Paidhrin.
HIPAA compliance supports the overall IT security posture by providing regulatory compliance motivation, he adds. “Peer institutions look to each other for how communities meet these requirements. A robust identity access management (IAM) solution garners confidence between provider partners — as we must constantly share patient information between each other.”
Security technologies play a vital role in helping organizations achieve compliance with HIPAA regulations, but can deliver substantial benefits beyond compliance, says Paidhrin. Imprivata's OneSign solution has enabled SWMC to achieve compliance with HIPAA regulations, and delivered critical benefits beyond compliance, including: reduce provisioning costs; reduce support for remote users to a browser-support issue for the help desk; improve access time at all workstations; reduce logon time for over 200 applications; improve workforce satisfaction by reducing “hassle factors” that come from HIPAA time-out requirements; improve auditing capabilities with non-repudiation of workforce access; allow seamless remote user access via an internet-base portal (Citrix), while still authenticating to a single IAM datastore; easily generate, update and lock out user accounts; centrally manage security policies; and enforce role-based access control, greatly simplifying user provisioning and management.
More than half of Southwest's workforce members are direct care providers. They are highly mobile individuals dealing with time-critical circumstances and patient service delivery issues, so every second counts, says Paidhrin.
“Before Imprivata's OneSign SSO, Southwest struggled to maintain efficient workflow due to the large number of applications and the frequent necessity to log on and off of workstations — and into and out of each application (most of our applications do not share a common IAM solution).”
Southwest workforce members were not only losing up to an hour a day struggling with access issues, they were frustrated by the number of passwords, plus they needed to remember new ones every 90 days, he says.
“OneSign addressed all of our access control concerns while providing secure and timely access for our workforce — not only the 3,250 internal employees, but the 3,000-plus external provider partners who access our patient information via a secure portal,” says Paidhrin. “By reducing IAM to a single username and password — for the majority of our applications — our workforce productivity and worker satisfaction shot up.”
For those environments where Southwest wanted even further security, or convenience, they installed about 150 finger biometric devices — which OneSign supports out-of-the-box without additional cost. In the facility's emergency department, they found that biometrics sped up the access even further.
Meanwhile, in Indiana
The IT team at Good Samaritan Hospital (right) in Indiana also are advocates of single sign-on technology. The 247-bed hospital and medical center found its SSO solution from Imprivata to ensure password security and mitigate and manage privacy risk. Chuck Christian, director of IS and CIO, Good Samaritan Hospital, says the facility was able to reduce costs by eliminating the need for physicians and staff to memorize multiple passwords. He and his team have cut help desk costs (physicians needing system access help after forgetting a password) and improved productivity (less time spent on logging in and out) — thus improving the security of patient data and overall patient care.
“Our SSO project is rolled out to approximately 900 clinical staff covering several departments, as well as our medical staff,” he says. “The rollout population was chosen due to the fact that these individuals utilize several different applications during the course of their very busy day, and juggling multiple passwords created challenges and restricted their productivity.”
In the health care environment, it is absolutely necessary for his team to ensure the confidentiality of patients' medical records, he says, not simply for HIPAA compliance reasons, but more so because it is the correct thing to do.
“Using the SSO application, we can provide quick access to the required systems/information, while at the same time guaranteeing that the appropriate staff is accessing only that information to which they have been granted access – in addition to creating audit trails, if that need arises. The need was based more on staff satisfaction and usability than on compliance issues,” Christian (left) says.
The SSO application provides an additional level of authorization, which can be controlled and monitored more closely than your typical system and security logs, Christian explains. The reporting features from SSO can very quickly provide a detailed listing of all applications accessed. Otherwise, this can prove to be a very labor intensive process if staff has to access each application/system separately. The SSO application also provides a platform to utilize biometric or other methods of strong, multi-component authorization.
Is it enough?
But, many say that it is is not enough to have a software or appliance solution implemented to ensure HIPAA compliance. This can give a false sense of security to a company, because while the institution has taken a necessary step to comply with regulations, there are too many ways for data to leave the internal safety zone.
“What happens when Dr. Smith emails an insurance company and the email is stored on a file server,” posits Nick Cavalancia, vice president of Windows management at ScriptLogic. “This opens the floodgates.”
He points to the vulnerability of a practice management system, such as that used by many health care providers, tracking the personal information of patients. The software keeps track of patient information, but for the organization to be HIPAA compliant, it's imperative that the data doesn't leave the environment, he says. “We try to educate customers not to rely on management systems to keep track of data,” he says.
“I think customers see HIPAA compliance not as an absolute, but more as a set of guidelines with a goal in mind,” says Cavalancia. There are different ways to reach that goal, but the end goal must be achieved, he says.
Two factor solution
There are myriad ways someone can obtain a user's login name and password, for example, through malware downloads, various phishing schemes or non-technical social engineering tactics, says Jen Gilburg, director of business development for VeriSign's identity and authentication solutions team.
“Two factor authentication, vis a vis a VIP credential, provides an extra layer of protection to users' online accounts -- in this case, an online health record -- by combining something the user knows (login name and password) with something they have (token, smart card, mobile phone, etc), thus making it nearly impossible for an outsider to access someone else's online account.”
With health care fraud on the rise, many users are concerned about safeguarding their online medical records and insurance information, Gilburg says. “Offering two-factor authentication through VIP not only protects accounts, but increases confidence that the account is protected by technology more users associate with trust.”
Through its VeriSign Identity Protection (VIP) Authentication Network, VeriSign helps reduce the cost of fraud to organizations by reducing the risk of unauthorized account entry and identity theft to its users.
The VIP Authentication Network also solves the problem of having to use a different credential on different websites because it is deployed on a network, which allows end-users to use a single security device to authenticate themselves across any VIP-enabled website.
Additionally, the VIP Authentication Network solves the problem of cost to issuing organizations. VIP is easy and less costly for companies to implement and maintain because it leverages a shared security and logistics infrastructure, thus making it simpler and more cost-effective for companies with extensive online presence to implement stronger authentication for its users, says Gilburg.
VIP is a service-based authentication solution so there is no software, servers or databases to install. A simple Webservices integration allows health care providers to offer strong second factor account protection without the overhead of maintaining it themselves.
Finally, VIP is based on open standards, such as OATH, and enables a wide choice of credential form factors from a multitude of vendors.
“You can't be compliant if you don't have visibility into your network,” agrees Andy Busard, information security analyst, at Mercy Health Partners, Hackley Campus Muskegon, Mich. “In the past, one of our workstations was infected with a virus that virtually put a halt on all our network activity.”
Using a solution from TriGeo, his team was able to quickly diagnose the problem and shut down the computer in a matter of minutes.
“Policy awareness plays a big part in HIPAA compliance and network security,” he says. “We're taking steps to be sure that all our employees know what they can and cannot view or send over the internet. We take a ‘trust but verify' position by keeping a close eye on hospital staff – making sure that employees are not accessing patient records inappropriately or inadvertently, which is in direct violation of our network security policies. We can't allow patient records to be distributed via email to unauthorized third parties and we certainly can't allow employees to take a peek at their neighbor's medical background. ”
As a hospital with a network of close to 2,000 computers, Busard (right) says that TriGeo gave the “best bang for the buck” as a mid-market solution to monitor and track all network activity and to keep a close eye on firewalls for suspicious behavior or attacks.
Dan Nutkiss, CEO, HITRUST, agrees that there have been a lot of challenges for health care organizations in complying to HIPAA. He points specifically to gaps that allow the guidance to be flexible.
“Organizations can determine the level of risk and how they interpret those risk assessments,” he says.
Also, some organizations are not able to comply and others are not willing to take a risk. He says that a Common Security Framework from HITRUST provides more clarity. His organization is establishing a certifiable framework that any organization that creates, accesses, stores or exchanges personal health and financial information can implement. The intent is to protect electronic information and establish greater trust in how electronic information is safeguarded by the health care industry, he says.
HITRUST has spent the last year developing the framework to allow organizations to have guidance to protect sensitive information,” he says. “It's extremely prescriptive and scalable and doesn't require one organization to have an undue burden.”
Just released, the Common Security Framework from HITRUST, is also available on a licensing basis.
“We think it clarifies things and provides more specificity. It will substantially reduce risk and add efficiencies in health care systems.”
HIPAA: BackgroundThe Health Insurance Portability and Accountability Act (HIPAA) was passed into law in August 1996, placing new requirements on thousands of U.S. organizations involved with the provision of health care. Its two principle aims are: (1) to increase availability of health care by standardizing the exchange of health care information and (2) to protect the confidentiality and security of patient records.
Organizations that must comply with HIPAA are known as Covered Entities. These include health plans (e.g., HMOs, group health plans), health care clearinghouses (e.g., billing and repricing companies) and health care providers (e.g., doctors, dentists, hospitals).
The HIPAA Privacy Rule came into effect in April 2001, requiring Covered Entities to come into compliance by April 2003, and formalized procedural restrictions on the handling of health care information.
HIPAA's effect on IT requires that an organization must secure all information related to an individual's health care, regardless of the location of the data, referred to as electronic protected health information (EPHI). This means that to be HIPAA compliant, organizations must take steps to prevent inappropriate access to EPHI by putting into place both proactive and reactive controls over IT systems.
Sign on: AuthenticateWhile the convenience of a centralized store of historical health information presents security and privacy implications, VeriSign is combining the convenience of OpenID single sign-on with the security of strong two-factor authentication via VeriSign Identity Protection (VIP) credentials, making it harder for identity thieves to illegally access sensitive medical and insurance data. VeriSign was recently selected by Microsoft as an OpenID provider for users of HealthVault, a free service that enables consumers to store and manage their health information online.
Unlike other online accounts, compromised medical records are not easily remedied. An individual cannot be reimbursed once their privacy has been violated. What's more, the rising number of uninsured Americans creates demand for health insurance policies stolen from consumers and sold on the black market the same way Social Security numbers and credit card numbers are stolen and sold.
But secure online medical records is a reality with a technology that has worked within enterprises for many years: two factor authentication. Two-factor authentication combines what the end-user knows — user name and password — with what they have – a one-time password generated by a physical device.
Greg Masters is managing editor of SC Magazine. He can be reached at firstname.lastname@example.org.