HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations


(1)

HIPAA 203: Security

An Introduction to the Draft HIPAA Security Regulations

(2)

Presentation Agenda

◗ Security Introduction

◗ Security Component Requirements and Impacts

– Administrative Procedures

– Physical Safeguards

– Technical Security Services

– Technical Security Mechanisms

◗ Summary

(3)

Presentation Objectives

At the end of this presentation, you should:

◗ Understand the background for the security regulations

◗ Understand the specific HIPAA security components

◗ Understand the business and technology impacts of the HIPAA security components

◗ Begin to understand the gaps between the current environment and the HIPAA security requirements

(4)

Security Introduction

Definition

Organizational Threats

Principles

Key Points of Security Rule

Structure

Categories

(5)

Definition

◗ “The purpose of security is to protect both the system and the information it contains from unauthorized access from without and misuse from within.” –draft Security Rule

◗ Security also protects information from alteration, destruction or loss

◗ Security should reasonably ensure the confidentiality, integrity and availability of health care information

(6)

Organizational Threats

| Source | Type of Threat | Description | Examples |
|---|---|---|---|
| Internal | Accidental | No intent; usually carelessness, low awareness or lack of training | • Employee leaves application logged on to patient record and walks away • Employee leaves patient charts in open area in clear view of patients • Employee discards confidential information in regular trash receptacle where others can access |
| Internal | Abuse of privileges | Authorized access for unauthorized purpose with no malicious intent or personal gain | • Employee accesses colleague’s medical record with concern about his recent hospitalization |
| Internal | Intentional | Malicious intent or personal gain: authorized access for unauthorized purpose with malicious intent or for personal gain | • Supervisor accesses employee’s medical record to determine mental health status so that she can potentially be fired |
| External | Targeted | Unauthorized access by accessible means | • Terminated employee whose password was never deleted from the system uses access privileges to uncover confidential information about former boss • Employee imposter steals PC database containing HIV patients |

(7)

Principles

◗ Healthcare security is about risk mitigation

– Operational risk

– Financial risk

– Regulatory risk

– Fraud risk

◗ “The standard does not address the extent to which a particular entity should implement the specific features. Instead, we would require that each affected entity assess its own security needs and risks and devise, implement, and maintain appropriate security to address its business requirements.” –draft Security Rule

(8)

Key Points of Security Rule: Source

◗ Security requirements were taken from the National Research Council’s report For the Record: Protecting Electronic Health Information

◗ “This report presents findings and recommendations related to health data security, and…concludes that appropriate security practices are highly dependent on individual circumstances…”

◗ “It is therefore not possible to prescribe in detail specific practices for all organizations; rather, each organization must analyze its systems, vulnerabilities, risks and resources to determine optimal security measures. Nevertheless, the committee believes that a set of practices can be articulated in a sufficiently general way that they can be adopted by all health care organizations.”

(9)

Key Points of Security Rule: Standards

◗ Organizations must therefore establish a reasonable “defensible position” for security compliance

– Develop specifications for security requirements

– Determine what technologies to implement to meet those specifications

– Balance usability and cost with risk

◗ We can set the community standard for these practices in the Pacific Northwest

(10)

Key Points of Security Rule: Standards (cont.)

◗ The standards are not only scalable, but technology neutral as well

◗ Covered entities must establish and maintain reasonable and appropriate…safeguards

◗ Healthcare organizations must ensure the protection of all electronic PHI

– Final rule may also cover PHI in paper format to align with final HIPAA Privacy rule

◗ Policies and procedures must be developed to implement both the Privacy and Security Rules

(11)

Key Points of Security Rule: More Standards

◗ Business processes related to security functions within the organization must be formally documented, implemented, and enforced throughout the organization

◗ Proposed standards for Electronic Signatures currently coupled with the Security Standards will be removed and published separately

◗ The final Security Rule will be harmonized with the final Privacy Rule

(12)

Structure

◗ The current HIPAA Security standards are organized into five categories:

1. Administrative Procedures

2. Physical Safeguards

3. Technical Security Services (applications)

4. Technical Security Mechanisms (networks)

5. Electronic Signatures *

* For the purposes of this discussion only the first four categories will be addressed

(13)

Administrative Procedures

Administrative Procedures: formal policies and procedures to address operating procedures, management controls, personnel requirements, audit mechanisms and disciplinary procedures

– Security management/maintenance

– Security training

– Internal system certification

– Procedures upon employee hire, transfer, or termination

– System security audits

– Chain of trust partner agreements

– Contingency plan

– Information access control

– Security incident procedures

(14)

Physical Safeguards

Physical Safeguards: formal policies and procedures to protect health information from threats of fire, disaster, and unauthorized access

– Security responsibility and accountability

– Media control

– Physical access to data

– Workstation use and location

– Security awareness training

(15)

Technical Security Services

Technical Security Services: measures to control and monitor information access

– Employee access controls, such as passwords

– System audits

– Intrusion and detection alarms

– Automatic logoffs

– Telephone callback procedures

– Message authentication

– Integrity controls

– Data authentication

(16)

Technical Security Mechanisms

Technical Security Mechanisms: mechanisms to guard against unauthorized access to data that is transmitted over a communication network

– Employee access controls

– Entity authentication

– Message authentication

– Integrity controls

– Encryption

– Alarms

– Audit trail

– Event reporting

(17)

Security Requirements and Impacts

Administrative Procedures

Physical Safeguards

Technical Security Services

Technical Security Mechanisms

(18)

Administrative Procedures

Rules

Impacts

(19)

Administrative Procedures – Rules

Certification: technical evaluation certifying that systems and network meet pre-defined criteria

– Example: Annual certification audit

Chain-of-Trust Partner Agreement: Contract to secure integrity of data transmission with any third parties

– Example: Claims processing

Contingency Plan: Includes application and data criticality analysis, data backup plan, disaster recovery plan, emergency mode operation plan, and testing and revision procedures

– Example: Business continuity plans

Formal Record Processing Mechanisms: Policies and procedures for receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information

(20)

Administrative Procedures – Rules (cont.)

Information Access Controls: Policies and procedures for granting different levels of access to health care information

– Example: Application profile documentation

Internal Audit: Ongoing in-house review of the records of system activity (log-ins, file accesses and security incidents)

– Example: Proactive, defensible review of PHI activity

Personnel Security: Granting of access to health information via an authorization process

– Example: Card key access systems to file rooms, background checks, maintenance of security personnel

Security Configuration Management: Procedures to ensure that routine changes to system hardware and/or software do not create security weaknesses

– Example: Routine pre- and post-implementation procedures

(21)

Administrative Procedures – Rules (cont.)

Security Incident Procedures: Documented instructions for reporting and reviewing security breaches

– Example: Reporting pathways (anonymous if necessary)

Security Management Process: Processes to ensure the prevention, detection, containment and correction of security breaches. Includes risk analysis, risk management, sanction policy and security policy

– Example: Annual risk level reviews

Termination Procedures: Procedures for securing systems upon employee termination

– Example: Exit interviews and checklists

Training: User education and awareness training

– Example: Incorporated awareness training with existing programs

(22)

Administrative Procedures – Impact

◗ Most organizations have inadequate security policies and procedures

◗ This requires additional resources for updates and development efforts

◗ Ensuring all security policies and procedures are enforced throughout the organization requires cooperation from all employee levels

◗ Integration of chain of trust partner agreement language may require new contracts with third parties

◗ Providing security awareness training for all employees requires a detailed training program with ongoing

(23)

Physical Safeguards

Rules

Impacts

(24)

Physical Safeguards – Rules

Assigned Security Responsibility: Security responsibility assigned to a specific individual(s)

– Example: Security committee

Media Controls: Policies and procedures that govern the receipt and removal of hardware and software into and out of a facility. Includes data backup, storage and disposal

– Example: Property accountability documentation

Physical Access Controls: Limiting physical access to systems. Includes the following: disaster recovery, emergency mode operation, equipment control, facility security, physical access verification, maintenance records, need-to-know procedures, visitor sign-in, and testing and revision of all components

– Example: Data center restrictions

(25)

Physical Safeguards – Rules (cont.)

Workstation Use: Instructions and procedures delineating secure use of computer workstations

– Example: Acceptable workstation usage guidelines

Workstation Location: Safeguards for secure location of computer workstations

– Example: Monitor position in public areas

Security Awareness Training: Security awareness training for all employees, agents and contractors

– Example: Incorporated awareness training with existing programs

(26)

Physical Safeguards – Impacts

◗ In order to properly address security issues, organizational charts and individual responsibilities may need review

◗ Workstation use must be addressed through employee education and consistent enforcement of policies and procedures

◗ Physical access controls and secure workstation locations may affect current business practices

(27)

Technical Security Services

Rules

Impacts

(28)

Technical Security Services – Rules

Access Control: Restricted access to health information by need-to-know

– Example: Application access based on job description

Audit Controls: Audit control mechanisms to record and examine system activity

– Example: Turn on network event logs to allow for appropriate audits

Authorization Control: Mechanisms for obtaining consent for use and disclosure of health information

– Example: Application functionality which allows “flagging”

Data Authentication: Ability to corroborate that data have not been altered or destroyed

– Example: Use of a checksum, double keying or digital signature to assure the data are not altered

Entity Authentication: Ability to corroborate that user is who he claims
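The Access Control, Audit Controls and Entity Authentication rules above, together with the Internal Audit and Termination Procedures rules and the internal-threat examples in the Organizational Threats table, can be turned into a concrete review of system activity. The following is an added example, not code from the original presentation: it reads a constructed PHI access audit log against a constructed workforce directory and a constructed role-to-section need-to-know table, and flags access by an account that should have been disabled at termination, access to a workforce member's own record by someone other than that member (the supervisor and colleague cases in the threat table), and access outside the user's role. Every user id, role, patient id and log line here is invented for illustration.

```python
"""Added example: proactive, defensible review of a PHI access audit log.

Constructed data throughout; this is not code from the HIPAA 203 presentation.
"""
import csv
import io
from datetime import date

# Constructed workforce directory. 'terminated' is the date access should have
# been removed; 'own_patient_id' is the employee's own chart, if any.
WORKFORCE = {
    "nurse01": {"role": "nurse",   "terminated": None,              "own_patient_id": "P-0101"},
    "clerk02": {"role": "billing", "terminated": None,              "own_patient_id": "P-0102"},
    "mgr03":   {"role": "manager", "terminated": None,              "own_patient_id": None},
    "exemp04": {"role": "nurse",   "terminated": date(2002, 3, 15), "own_patient_id": None},
}

# Constructed need-to-know table: which record sections each role may view.
ALLOWED_SECTIONS = {
    "nurse":   {"demographics", "clinical"},
    "billing": {"demographics", "billing"},
    "manager": set(),
}

# Constructed audit trail as an application might record it (CSV).
AUDIT_LOG = """\
timestamp,user,patient_id,section
2002-04-01 08:05,nurse01,P-0200,clinical
2002-04-01 08:07,clerk02,P-0200,billing
2002-04-01 09:30,exemp04,P-0300,clinical
2002-04-01 10:12,nurse01,P-0102,clinical
2002-04-01 11:45,mgr03,P-0101,clinical
2002-04-01 12:00,clerk02,P-0201,clinical
"""


def review(log_text, workforce=WORKFORCE, allowed=ALLOWED_SECTIONS):
    """Return (timestamp, user, reason) findings for a human reviewer to examine."""
    # Charts belonging to workforce members: a colleague viewing one is the
    # "abuse of privileges" pattern from the threat table.
    staff_records = {p["own_patient_id"] for p in workforce.values() if p["own_patient_id"]}
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, patient, section = row["user"], row["patient_id"], row["section"]
        when = date.fromisoformat(row["timestamp"][:10])
        person = workforce.get(user)
        if person is None:
            # No unique identity behind the id: cannot be attributed to anyone.
            findings.append((row["timestamp"], user, "unknown account"))
            continue
        if person["terminated"] is not None and when >= person["terminated"]:
            # Termination procedure failed: the account was still usable.
            findings.append((row["timestamp"], user, "access by terminated account"))
        if section not in allowed.get(person["role"], set()):
            # Access outside the role's need-to-know.
            findings.append((row["timestamp"], user,
                             f"role '{person['role']}' has no need-to-know for section '{section}'"))
        if patient in staff_records and patient != person["own_patient_id"]:
            findings.append((row["timestamp"], user, "access to a workforce member's record"))
    return findings


if __name__ == "__main__":
    for timestamp, user, reason in review(AUDIT_LOG):
        print(f"{timestamp}  {user:8}  {reason}")
```

Run as written, the review reports five findings from the six constructed log lines: the terminated account exemp04 still reading charts, nurse01 reading clerk02's chart, mgr03 reading nurse01's chart (and doing so outside the manager role's need-to-know), and clerk02 reading a clinical section that billing staff have no need to see. Each finding is a lead for the reviewer, not a verdict; the audit trail only makes the review possible if log retention (slide 32) keeps the records long enough to look at.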

(29)

Technical Security Services – Impact

◗ Some systems in use today may not have adequate security controls to comply

◗ Implementation of access controls for systems must be an integrated effort between business and IT

◗ System processing and storage requirements may increase to support enhanced auditing capabilities

◗ Group ID’s and shared passwords will not be permitted

(30)

Technical Security Mechanisms

Rules

Impacts

(31)

Technical Security Mechanisms – General Rules

For all systems:

Integrity Controls: A security mechanism employed to ensure the validity of the information being electronically transmitted or stored

– Example: Approved/unapproved network protocols

Message Authentication: Ensuring, typically with a message authentication code, that a message received (usually via a network) matches the message sent

– Example: Verification that data packet sent is received

Access Controls or Encryption: Protection of sensitive communications over open or private networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient OR
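Data Authentication (slide 28) and Message Authentication (above) both ask that the receiver of a record be able to tell whether it changed in storage or in transit. The following added example, not code from the original presentation, contrasts two of the tools the text names: a plain checksum (CRC32), which catches accidental corruption but can be recomputed by anyone, and a message authentication code (HMAC-SHA256 keyed with a secret shared by sender and receiver), which also catches deliberate alteration because a party without the key cannot produce a matching tag. The record contents and the key are constructed for illustration; the digital-signature option the text also lists is not shown.

```python
"""Added example: checksum versus message authentication code for a PHI record.

Constructed sample data; not code from the HIPAA 203 presentation.
"""
import hashlib
import hmac
import json
import secrets
import zlib

# Constructed sample record for a fictional patient.
RECORD = {"patient_id": "P-0001", "name": "Jane Example", "diagnosis": "Z00.0"}


def canonical(record: dict) -> bytes:
    """Deterministic encoding so sender and receiver hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> int:
    """CRC32 integrity check: detects accidental damage, needs no secret."""
    return zlib.crc32(canonical(record))


def mac(record: dict, key: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of the shared key can compute it."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def send(record: dict, key: bytes) -> dict:
    """Sender side: the message as transmitted, carrying both a checksum and a MAC."""
    return {"record": dict(record), "crc": checksum(record), "tag": mac(record, key)}


def receive(message: dict, key: bytes) -> tuple:
    """Receiver side: (checksum matches, MAC matches) for the message as received."""
    rec = message["record"]
    crc_ok = checksum(rec) == message["crc"]
    # Constant-time comparison so verification time does not depend on the tag bytes.
    tag_ok = hmac.compare_digest(mac(rec, key), message["tag"])
    return crc_ok, tag_ok


def corrupt_in_transit(message: dict) -> dict:
    """Simulated accidental corruption: a field changes, nothing else is updated."""
    damaged = {"record": dict(message["record"]), "crc": message["crc"], "tag": message["tag"]}
    damaged["record"]["patient_id"] = "P-0002"
    return damaged


def alter_and_fix_checksum(message: dict) -> dict:
    """Simulated deliberate alteration by a party without the key: the diagnosis is
    changed and the checksum recomputed, but the MAC cannot be recomputed."""
    altered = {"record": dict(message["record"]), "crc": None, "tag": message["tag"]}
    altered["record"]["diagnosis"] = "F99"
    altered["crc"] = checksum(altered["record"])
    return altered


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # shared out of band by sender and receiver
    msg = send(RECORD, key)
    print("intact:   ", receive(msg, key))                         # (True, True)
    print("corrupted:", receive(corrupt_in_transit(msg), key))     # (False, False)
    print("altered:  ", receive(alter_and_fix_checksum(msg), key))  # (True, False)
```

The third line of output is the point of the example: after a deliberate change with the checksum "fixed up", the checksum still verifies and only the MAC reports a mismatch. A checksum therefore satisfies the accidental-damage half of the integrity requirement, while data and message authentication against a party who can rewrite the data need a keyed MAC or a digital signature.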

(32)

Technical Security Mechanisms – Network Rules

If using a network for communications:

Alarm: In communication systems, any device that can sense an abnormal condition within the system and provide, either locally or remotely, a signal indicating the presence of the abnormality

– Example: Devices that sense abnormal conditions

Audit Trail: The data collected and potentially used to facilitate a security audit

– Example: Audit log retention

(33)

Technical Security Mechanisms – Network Rules (cont.)

If using a network for communications:

Entity Authentication: A communications or network mechanism to irrefutably identify authorized users, programs, and processes and to deny access to unauthorized users, programs and processes

– Example: Unique identification

Event Reporting: A network message indicating operational irregularities in physical elements of a network or a response to the occurrence of a significant task, typically the completion of a request for information

– Example: Network messages indicating operational abnormalities

(34)

Technical Security Mechanisms – Impacts

◗ Implementation of access controls to the network must be an integrated effort between the business and IT

◗ Use of new network security technologies (e.g. encryption) will require significant end user training

◗ Group ID’s and shared passwords will not be permitted

◗ Network alarms, audit trail, and event reporting requirements may require additional resources and technologies to ensure compliance

(35)

Summary

Summary

The Bottom Line

Questions

(36)

Summary

◗ Areas of impact on health care organizations will be:

– Development, documentation and training of policies and procedures

– Assignment and operation of security responsibility

– Identifying and contracting chain of trust agreements with trading partners

– Training workforce members on information security and altering the confidentiality culture

– Implementing access controls, authorization controls and entity authentication for all systems

– Identifying and implementing the “right” technical solutions

(37)

The Bottom Line

◗ The Privacy regulations have been the top priority for HHS; the final Security Rule is expected in August 2002

◗ Compliance is 26 months after the final rule is published

◗ At the present time, there is no indication who will be the enforcement agency, when enforcement will be effective, and how enforcement will be conducted

(38)

Questions and Discussion


(39)

Resources

(40)

Resources

http://www.ehnac.org Electronic Healthcare Network Accreditation Commission (EHNAC):

– Certification Program for HIPAA Compliance (under development)

http://aspe.hhs.gov/admnsimp/index.htm Department of Health and Human Services HIPAA Administrative Simplification:

– Latest News on Regulations

– Current proposed and final rules

http://www.cpri-host.org Computer-Based Patient Record Institute (CPRI):

– CPRI Security Toolkit

http://www.chim.org Center for Healthcare Information Management (CHIM):

– Up-to-date industry perspective on proposed rules and their status

http://www.astm.org American Society for Testing and Materials (ASTM):

– Standards guides for security

http://www.ahima.org/hipaa.html American Health Information Management Association (AHIMA):

– Benchmark information and case studies

– Interim Steps for Getting Started

http://www.afehct.org Association for Electronic Health Care Transactions (AFEHCT):

– Impacts of HIPAA (particularly EDI)

– Security Self-Evaluation Checklist

(41)

Resources (cont.)

http://www.hcfa.gov/medicare/edi/edi.htm Medicare EDI

http://www.hcfa.gov/medicare/edi/hipaaedi.htm Links to other HIPAA sites

http://www.jhita.org Joint Healthcare Information Technology Alliance (JHITA):

– Summary of Privacy rules

– Upcoming HIPAA conferences

http://www.wpc-edi.com HIPAA Transaction Implementation Guides from the Washington Publishing Company

http://www.hcfa.gov/hipaa/hippahm.htm HIPAA Home Page

http://www.himss.org HIMSS: Protecting the Security and Confidentiality of Healthcare Information (Volume 12, Number 1, Spring 1998):

– Articles

http://www.healthprivacy.org Health Privacy Forum:

– Comparison of Privacy proposed and final rules

– Comparison of state privacy laws

http://www.nap.edu For the Record: Protecting Electronic Health Information (National Academy Press, 1997) 800-624-6242:

– Full Report

(42)

Resources (cont.)

http://www.wedi.org Workgroup for Electronic Data Interchange (WEDI):

– Details of SNIP effort (Strategic National Implementation Pilot)

http://www.hcfa.gov/medicare/edi/admnlist.htm Subscribe to email release of HIPAA documents (such as notice of proposed rule making)

http://www.wpc-edi.com/hipaa Washington Publishing Company:

– ANSI ASC X12N HIPAA Implementation Guides

http://www.nucc.org National Uniform Claims Committee

http://www.nubc.org National Uniform Billing Committee
