Security certification: A guide to the HIPAA requirements


Security certification: A guide to the HIPAA requirements
A publication of Opus Communications

Dear reader,

We are pleased to present Security certification: A guide to the HIPAA requirements, a special report that expands on the critical information on network security rules and regulations found in Healthcare Information Security. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered entities to define a secure operating mode for networks that store and carry protected health information and to periodically review their networks to be sure that they are operating in compliance with that entity's definition of a secure operating mode. That's called certification. This special report will provide an overview of how to perform security certification to comply with the HIPAA requirements. The HIPAA security rule remains a draft rule at this point, but government spokespeople have said the final rule will change little and that the expected date of compliance will be in April.

Sincerely,
Dan Landrigan
HIS Executive Editor
dlandrigan@hcpro.com

Table of contents
- Security certification: Where do I get one?
- Start with HIPAA requirements
- Inventory tips: What have I got, how did it get there, and how is it being used?
- Avoiding the network creep
- Securing the consultants: When to bring in help
- Inside or outside certification teams: which is best?
- How should network components be configured?

Security certification: Where do I get one?

Security certification represents nothing more than the process of evaluating your computer network and its components to see that it meets a pre-specified set of security requirements, according to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). For the most part, your organization gets to determine what those pre-specified security requirements are, and you can inspect your own network and produce a certification report. This turns out to be both the good news and the bad news. That's the double-edged sword of HIPAA security certification. The law tells you that you must secure your network, but it doesn't tell you how.

Defining what your secure network should look like is the first step in certifying it. What ports should be open on your routers? What file types should pass through your firewalls? What services should be enabled on servers? How should a standard desktop be configured? How often are passwords changed? The list goes on. "It would be nice if you could lift all this right out of a book, but it's not that simple," says Walter S. Kobus, Jr., CISSP, MSTI, of Total Enterprise Security Solutions, in Raleigh, NC. "Don't make certification more complicated and expensive than it has to be," Kobus warns. Establishing baseline rules for your network will prepare you to move forward, test the network, and issue a certification report. The first step, even before setting out rules, is to find out how people use the network and what's attached to it.

Establishing baselines

In health care, warns Thomas Walsh, CISSP, manager of enterprise security for Healthcare Computing Strategies of Overland Park, KS, the biggest obstacle to establishing baselines will be accommodating the needs of your users. In other industries, it's sometimes possible to agree on a single, standardized server, for example, and put that in place. In health care settings, many server platforms and configurations are often needed to support all the different programs and applications required. Still, it's not impossible to standardize to some extent. But it does take time. Kobus warns that in highly complicated environments it can take months to get the baseline configurations established. Health care organizations should begin working as soon as possible to start this process.

Start by understanding all the components that make up your network. By conducting an inventory of what's there, you'll have the starting place for establishing a secure operating configuration specification: your baseline requirements. For your routers, firewalls, servers, and other network components, you'll want to identify how they should be configured for secure operation. Some examples of security requirements include the following:

- Specify that no modems should operate from individual workstations, and that all traffic should travel over the network, not over unsecured modems
- Determine which ports will be opened on your routers, with a policy that all vendors wishing to open ports must make a request to the help desk or operate through your virtual private network
- Ensure that workstations in public areas automatically log off after five minutes of inactivity, while others log off after longer specified periods of time

- Establish that all servers will be hardened by changing the default password for administrative controls

Obviously, these are a few of many security requirements you will implement. These become what you intend to measure against as you begin the certification process. Using the examples mentioned above, you would begin checking your network. As you begin the certification process, you will start finding those areas where your network is out of compliance. In some cases, such as automatic log-offs, your finding may simply recommend resetting the automatic log-off feature, a simple, low-cost change. In other instances, the answer will not be so simple. For instance, you may find in examining a router that some unauthorized ports have been opened. However, it's not feasible to simply close that port, because a vendor is using it to support one of your clinical information systems. In another case, you find that a department is using a modem connection with a vendor to supply needed data and support. Your certification report will note that you need to require these vendors to change their operation or find new vendors. You may find that a server has not been secured: its password has been left at the default setting, or it has not been protected by the firewall. Again, your certification report notes the changes that are needed. "What you're doing, in the simplest sense, is making an assurance that the minimum security controls are being met," Walsh says.

Testing

It will probably be necessary to test your configurations in a test environment so you can be sure that in securing your components you aren't disabling the programs that are running on them. Kobus warns that you should not take anything for granted, because everyone who has ever installed a component on your network probably did it in a slightly different way. "In any organization, take a look at 15 servers maintained by 15 different contractors," Kobus says. "You'll see that each one looks a little different." The process of establishing baselines brings together those 15 visions of how a server should be configured and selects one model for each implementation. "Once you select that model, that's the model everyone uses," Kobus says. "Going forward, you are a team."

Certification time

Once you have established the baseline standards, a process that will take anywhere from a few hours at a small physician office to several months or even a year at a large hospital system, your system can undergo certification. You can hire a consultant to conduct certification, or you can self-certify under HIPAA.

Prepare for the report

The certification examination may be completed by people affiliated with your organization or by outside consultants. In either case, the certification report is a statement by the organization's management about the status of the network with regard to its security features. It's not a third-party stamp of approval of your network. This certification report should be signed by upper management. This is the formal report from the information security officer to the governing board about the status of information security features. It should include specific recommendations to address deficiencies, along with cost estimates.

HIPAA certification requirements contain one unfortunate twist. Although other industries have required certification, in those settings it has often been up to management to decide whether it will make the changes pointed out in the certification or whether the company will accept the risk represented by the weakness discovered. Under HIPAA, Kobus warns, that option doesn't exist. Because HIPAA is a law, the organization cannot choose to accept and ignore deficiencies noted in the certification report. Bear that in mind as you draw up your baselines so that you are not doing more than necessary. For example, HIPAA allows organizations to authenticate users through passwords, tokens, biometrics, or telephone callbacks. If the baseline you establish specifies biometric authentication for access to medical records, you must adhere to that baseline for your certification. But if you leave yourself flexibility by requiring simply that one of these methods must be used, you are in compliance with the security rule.

Start with HIPAA requirements

The security features of your system will be unique. That's because all organizations have different needs from their networked systems and different priorities in establishing security baselines. But as you're building the baseline standards that will serve as the guide for certifying your network, keep in mind that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has some specific features that your network must employ. Using the HIPAA draft security rule as a guide, you can determine what network security you must provide to satisfy HIPAA certification requirements. Reviewing this list of features and services will provide a good starting point for discussion of security. Though you'll obviously expand it as needed, below is a list of the specific technical controls that HIPAA requires you to have in place and to certify as working properly.

For all systems

A procedure for emergency access. This essentially ensures that at all times you will have access to network data. Think of it like the emergency exit from a building: it can be alarmed, and you can, and should, control its use. But it must always be available.

Access control. You must employ either user-based or role-based access controls to protect data. Assign privileges for individuals to look at protected health information (PHI), based either on who they are or on what their needs are.

Audit controls. This means you must have in place a means to record and examine system activity. Typically, this will involve setting up the logging features on your network and setting standards for retention and auditing of logs. Specify what actions should be noted in the log. Typically you would log creation and deletion of and changes to user accounts; installation, removal, or changes to hardware and software; logon attempts and failures; views of and changes to files; individual access to records; and unauthorized attempts to view records. Ensure that logs are not just operating, but are secured. (continued on p. 11)
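The audit-control requirement says what to log but not what to do with the log once it exists. As an added example, not taken from this report or from either consultant's practice, the following Python script reviews a handful of constructed audit-log lines and produces the items a security officer would follow up: repeated failed log-ons, views of records outside a user's role (the role-based access control the rule allows), and account changes. The line format, the role table, the user-to-role mapping, and the three-failure alarm threshold are all assumptions made for the illustration.

```python
"""Review audit-log lines for the events this report says to record:
failed log-on attempts, access to records outside a user's role, and
account changes. Added example; the log format and policy are assumptions."""
from collections import Counter

# Constructed role-based access policy: which record categories each role may view.
ROLE_CAN_VIEW = {
    "nurse": {"clinical"},
    "billing": {"billing"},
    "physician": {"clinical", "billing"},
}
USER_ROLE = {"jsmith": "nurse", "rlee": "billing", "dkhan": "physician"}
FAILED_LOGON_THRESHOLD = 3          # assumed alarm threshold
ACCOUNT_EVENTS = {"ACCOUNT_CREATE", "ACCOUNT_DELETE", "ACCOUNT_CHANGE"}

# Constructed sample log. One event per line: timestamp event user key=value
SAMPLE_LOG = """\
2002-01-14T08:01:02 LOGON_FAIL jsmith console=ws-lobby-1
2002-01-14T08:01:09 LOGON_FAIL jsmith console=ws-lobby-1
2002-01-14T08:01:15 LOGON_FAIL jsmith console=ws-lobby-1
2002-01-14T08:01:21 LOGON_FAIL jsmith console=ws-lobby-1
2002-01-14T08:02:00 LOGON_OK dkhan console=ws-er-2
2002-01-14T08:05:30 RECORD_VIEW dkhan record=clinical:44812
2002-01-14T08:07:11 LOGON_OK rlee console=ws-billing-4
2002-01-14T08:09:45 RECORD_VIEW rlee record=clinical:44812
2002-01-14T08:10:02 RECORD_VIEW rlee record=billing:44812
2002-01-14T08:12:40 ACCOUNT_CREATE sysadmin account=temp01
"""

def parse(line):
    """Split one log line into its fields; the key=value detail becomes a dict entry."""
    ts, event, user, detail = line.split(" ", 3)
    key, _, value = detail.partition("=")
    return {"ts": ts, "event": event, "user": user, key: value}

def review(log_text, role_can_view=ROLE_CAN_VIEW, user_role=USER_ROLE,
           threshold=FAILED_LOGON_THRESHOLD):
    """Return (category, user, detail) findings for the security officer to follow up."""
    failed = Counter()
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        if e["event"] == "LOGON_FAIL":
            failed[e["user"]] += 1
            # Raise the alarm once, when the threshold is reached.
            if failed[e["user"]] == threshold:
                findings.append(("repeated failed logon", e["user"], e["ts"]))
        elif e["event"] == "RECORD_VIEW":
            # Record names are "category:id"; compare the category with the role policy.
            # An unknown user has no role and therefore no permitted categories.
            category = e["record"].split(":", 1)[0]
            allowed = role_can_view.get(user_role.get(e["user"], ""), set())
            if category not in allowed:
                findings.append(("record view outside role", e["user"], e["record"]))
        elif e["event"] in ACCOUNT_EVENTS:
            # Account changes are always listed for review, whoever made them.
            findings.append(("account change", e["user"], e["account"]))
    return findings

if __name__ == "__main__":
    for category, user, detail in review(SAMPLE_LOG):
        print(f"{category}: {user} ({detail})")
```

Run against the sample, the review flags jsmith after the third failed log-on, rlee's view of a clinical record from a billing role, and the creation of the temp01 account; dkhan's clinical view and rlee's billing view pass. The alarm fires once per user rather than on every further failure so that the list stays short enough to be read.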

Inventory tips: What have I got, how did it get there, and how is it being used?

Do you know everything that's on your network? And if you say yes, are you willing to bet your job on that answer? If you still say yes, you are one in a million. For many information technology (IT) shops, there are corners of the network, maybe offsite clinics or departments running legacy systems, where the approach to network security has been "don't ask, don't tell."

An important step in certifying your system security is figuring out what you've got. There are system scanners that will assist in this work, but generally it means sending someone physically to conduct a count and an examination of server closets, connections, desktops, etc. Everyone from the helpful vendor to the technology-savvy nurse may have been busily attaching equipment or installing software, and you need to get a handle on what's happened. With a complete list of what is on your network, you will be able to begin the process of setting the baselines for your security practices.

Again, this may seem like a difficult task. Approaching it in small pieces is the best way to go about it. That means identifying your most important network components first and moving down the list. The review can also be included as part of regular maintenance or other duties. If your system administrators have routine duties, checking the system configuration can be piggybacked onto those duties. It sounds overwhelming, but it isn't. Chances are you have IT support folks and system administrators who visit all areas of your organization at some point in a given quarter. These people are your eyes and ears and can develop a firm inventory. Of course, you'll want to budget their time so that they have the ability to do an assessment while they're out working, but it can be pieced into their regular work day.

Survey says?

In addition, you may wish to kick off the inventory update by asking a few questions, which can be part of your risk assessment process. For example, survey employees and ask simple questions, such as the following:

- Do you have a computer in your office?
- What programs are on your work computer?
- Do you ever use a modem?
- Do you use e-mail? What type of e-mail do you use?
- Do you use instant messengers?
- Do you send data to mailing houses or marketing or collections firms? How?
- Do you use a fax?
- Do you ever contact patients during the course of your day?
- Do you ever submit bills for services?
- What types of computers do you have in your department?
- Do you work from home? Does anyone in your department take work home?
- Does anyone use a personal digital assistant or a laptop?
- Who in your department is the most knowledgeable about computers?
- How do physicians get access to data in your department?
- Who needs information from your department, and how do they get it?

Digging for information like this on a department-by-department basis will let you begin to develop an actual picture of what's going on with your organization's information. You may come up with some surprising answers.

One of the earliest challenges you'll need to meet is reining in the informal, shadow information system that has perhaps developed over time. You may find that some of the following common practices have crept into your organization:

- Modems have been added
- Services like FTP have been enabled
- Servers have been added
- Workstations have been added to run legacy systems
- Hotmail accounts are used
- Instant messenger systems are installed
- Data is being downloaded and stored on personal equipment
- Programs like PC Anywhere have been installed

Other organizations report that logging has been disabled at times or never enabled. Virus scanning has been turned off to speed up the system. Or old versions of software have been reinstalled. And there are a host of other questionable practices that have been discovered. Remember, people don't make these changes to make your life difficult; they make changes to do their jobs better. And in some cases, their solutions are the only way they have found to do their jobs. Leave room in your survey for people to expand on their answers. You may find that someone knows of a vendor who routinely accesses the system using a modem, or someone who is using software they've brought in from home. And finally, make sure you don't intimidate people. The employees are your main ally in keeping the network operating in a secure manner. You need to enlist their help, not drive the nonsecure practices further underground.

Avoid the network creep
Now is the time to take control of system expansion

What's the network creep? No, it's not that guy who's always loitering around the office. It's the inevitable expansion of your network in ways that you don't control. The vendor slipping in a modem, the helpful assistant who installs programs such as PC Anywhere, the system administrator who creates an extra workstation for a department: these are all examples of network creep. If you're going to operate in an environment that undergoes certification, preventing network creep becomes increasingly important.

So what's the answer? For starters, you need strong policy. That means that it's written into policy that no software gets added, no component gets connected, and no service gets activated on your network without approval from an information technology authority. For some organizations, this can be best handled by an individual. But for many, the best approach involves establishing a committee. Walter S. Kobus, Jr., CISSP, MSTI, of Total Enterprise Security Solutions, in Raleigh, NC, says establishing this committee is one of the most important steps you can take for your security effort.

A committee allows an organization to decentralize the approving authority. For example, a clinic or department can have its own person with authority to approve changes. For simple changes, such as adding a workstation or installing an additional piece of software that's already in use elsewhere, that person can simply sign off and make sure the change is centrally recorded. For more involved requests, such as adding a new software package or service, that person becomes the representative who carries the requested change to the committee for a more thorough analysis of the security issues associated with the implementation.

"What the committee wants to do is establish standardization in purchasing," Kobus says. "The committee says we are only going to buy certain operating systems. We're only going to use these software languages." In most cases, the standardization will take a back seat to the mission of the organization (if a specific software is needed to do a job, that's the one to buy), but the committee can make sure the organization avoids unnecessary diversity in its systems, and ensures that security issues are addressed before the network is expanded or changed. It can assist in ensuring that if the product being purchased is going to process protected information, it meets the organization's standards, and if it needs to be part of the disaster recovery program, that is accounted for as well. The committee's greatest value lies in keeping the system in compliance with the security requirements, not in initially bringing it into compliance. Since ongoing certification is one of the many Health Insurance Portability and Accountability Act of 1996 requirements, controlling network creep is an important consideration.

Securing the consultants: When to bring in help

Remember all those slick consultants who told you during the past 10 years that outsourcing would dramatically improve your information technology operation? Well, they're back, and they're trolling for the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security work. Don't be fooled into thinking that outside expertise is the best way to approach security. Not only will it cost a lot, it will probably not work in large and changing organizations, since you need to make security an ongoing concern. That's not to say consultants don't have an important role to play. But they need to be monitored and given direction.

What to outsource

Walter S. Kobus, Jr., CISSP, MSTI, is a consultant at Total Enterprise Security Solutions, in Raleigh, NC, and he warns hospitals that preparation is the key to controlling consulting costs. "You're paying good money for these people," says Kobus. "You should see nothing but solid work going on from the minute they walk in the door." Before a consultant arrives, you should have a current map of your network available, with details about all the components. Spending $300 an hour to have someone wandering the halls looking for your server closet is not a good use of money. Survey employees to gain a basic understanding of how they are using the system. And you should have a specific scope of work defined for your consultant.

Consultants' responsibilities

Your consultant should agree to develop a plan for your organization to become compliant, visit your facility and train your staff on how to secure your specific network, and then leave behind a work plan covering several months. At that point, he or she may provide long-distance support while your staff implements the plan. Your consultant only needs to return to check on work as it is completed and update the plan. At the end of the project, you should have baseline standards to use in certification of your system and a process plan for maintaining certification. All the rest, Kobus says, you want to keep in-house, if at all possible. "The goal should not be to have someone like me come in and secure your network," he says. "I should be transferring knowledge to you and your staff, so they can move on without me."

Prices

The cost of a consultant will vary somewhat depending on your region, but Kobus suggests that a qualified consultant with a CISSP credential can be hired for a fee of about $125 an hour. The organization that administers the CISSP certification provides a help-wanted service that allows organizations to advertise for help with their security needs. As you solicit consultants, review their qualifications and references and hire someone with the best track record performing relevant work, Kobus says. They should come to the job with the goal of imparting information rather than fixing your security holes, he says. You can advertise your need for consulting help on that organization's Web site.

Inside or outside certification teams: which is best?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) allows you to have your network certified either by individuals from within your organization or by an outside team. So how do you know which is best? On the surface, this is a no-brainer. Why would you go to the expense and open yourself up to the hassles of an outside inspection team if you didn't have to? There is no good reason for most organizations to use outsiders, say HIPAA consultants. But that doesn't mean you shouldn't be aware of the drawbacks to using your own people to certify your system.

Issues to consider

If you are a very small organization, such as a physician office or small clinic, hiring outsiders to perform certification makes sense. You don't need to develop the in-house expertise to secure your information technology assets. For a small cost, a consultant can develop baseline documents for your network and inspect it for certification. Otherwise, develop the expertise in-house to perform your own certification.

Conflicts

Be mindful of conflicts of interest, warns Walter S. Kobus, Jr., CISSP, MSTI, of Total Enterprise Security Solutions, in Raleigh, NC. Make sure that the certifying individual has the authority to access what he or she needs and knows what he or she is looking for. But these issues needn't be an obstacle to training insiders to do the work. Thomas Walsh, CISSP, manager of enterprise security for Healthcare Computing Strategies of Overland Park, KS, says the process of both implementing security and certifying it can be worked into routine maintenance assignments in many cases. If a system administrator is responsible for security configurations, then simply have another individual learn to certify the system.

"You just need to have someone other than the administrator go through and validate that the minimum requirements are being met," he says. In fact, bringing in an outside consultant would be very expensive, since that person would need time to learn your baseline requirements, something your staff will already be familiar with. However, it may be worthwhile to have a consultant review your approach to security, simply to catch weaknesses you may have missed. But that will be far less expensive than having consultants traipsing through your organization checking the network. "If you're an integrated delivery network or a hospital, learn self-certification," Walsh advises. "You will always be adding new systems, and it does not make sense to hire an outside firm to perform the certifications."

How should network components be configured?

The first thing to consider when determining how best to configure network components is the manufacturer's guidance. With some specialized health care products, that may be almost your only source of information. These products may not have vulnerabilities of concern themselves. But you may find that in some cases they require you to enable services or functions on your desktops or elsewhere in the network that pose a risk that must be offset. For example, a vendor may use a particular port to provide support for an application. Yet you don't want this port open continuously. You may establish a protocol for that vendor to contact the help desk to temporarily open the port. You might create security requirements for that vendor, and allow him or her access to your network through a virtual private network. You can choose to lease a direct line to that vendor for access to your network, and require certain security assurances from them. By going through this process, you implement a system that allows work to continue while you maintain a secure configuration.

For software and hardware with broader uses outside of health care, such as server operating systems and common business applications, you can find a wealth of resources that will detail the vulnerabilities and make recommendations for patching and configuring. One of the best sources of information about secure configurations is the Carnegie Mellon University Software Engineering Institute's CERT Coordination Center. The CERT guidelines, along with others, will help you establish baselines for configuring operating systems and many software programs. CERT makes its recommendations available on its Web site and in a number of publications that are available for purchase. Visit www.cert.org for more information.
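The "Establishing baselines" and "Certification time" sections earlier in this report describe the mechanics of certification (write the baseline, check every component against it, record each deficiency with a cost note for the report), and the passage above adds the vendor-port case that is handled through a help-desk request rather than by simply closing the port. As an added example, not drawn from the report or from either consultant's practice, the following Python script encodes the report's example requirements as a baseline, checks a constructed inventory against it, and prints the findings a certification report would list. The baseline values, the inventory, the component kinds, and the help-desk ticket are all assumptions made for the illustration.

```python
"""Check an inventory of network components against a written security baseline
and list the deficiencies a certification report would carry. Added example;
the baseline values, inventory, and ticket numbers are constructed."""
from dataclasses import dataclass, field

# Constructed baseline, modelled on this report's example requirements: approved
# router ports only (vendor ports need a help-desk request), no workstation
# modems, idle log-off limits by area, and no default administrative passwords.
BASELINE = {
    "router_allowed_ports": {22, 443},
    "idle_logoff_minutes": {"public": 5, "staff": 15},
    "default_admin_passwords": {"admin", "password", "changeme"},
}

@dataclass
class Component:
    name: str
    kind: str                         # "router", "workstation" or "server"
    attrs: dict = field(default_factory=dict)

@dataclass
class Finding:
    component: str
    requirement: str
    detail: str
    cost: str                         # "low" for a setting change, "review" where a vendor or process is involved

def check_router(c, baseline, approved_exceptions):
    findings = []
    for port in sorted(c.attrs.get("open_ports", [])):
        if port in baseline["router_allowed_ports"]:
            continue
        if (c.name, port) in approved_exceptions:
            continue                  # opened for a vendor through the help-desk process
        findings.append(Finding(c.name, "approved router ports only",
                                f"port {port} open without a help-desk request", "review"))
    return findings

def check_workstation(c, baseline):
    findings = []
    if c.attrs.get("modem"):
        findings.append(Finding(c.name, "no workstation modems", "modem attached", "review"))
    limit = baseline["idle_logoff_minutes"][c.attrs.get("area", "staff")]
    timeout = c.attrs.get("idle_logoff_minutes")
    if timeout is None or timeout > limit:
        findings.append(Finding(c.name, "automatic log-off",
                                f"idle log-off is {timeout}, limit is {limit} minutes", "low"))
    return findings

def check_server(c, baseline):
    findings = []
    if c.attrs.get("admin_password") in baseline["default_admin_passwords"]:
        findings.append(Finding(c.name, "hardened servers",
                                "administrative password left at a default value", "low"))
    if not c.attrs.get("behind_firewall", False):
        findings.append(Finding(c.name, "hardened servers", "not protected by the firewall", "review"))
    return findings

def certify(inventory, baseline=BASELINE, approved_exceptions=()):
    """Run every component through the check for its kind; return all findings."""
    approved = set(approved_exceptions)
    findings = []
    for c in inventory:
        if c.kind == "router":
            findings.extend(check_router(c, baseline, approved))
        elif c.kind == "workstation":
            findings.extend(check_workstation(c, baseline))
        elif c.kind == "server":
            findings.extend(check_server(c, baseline))
        else:
            # Anything the baseline does not cover is itself a finding: the
            # baseline has a gap, or the inventory has picked up network creep.
            findings.append(Finding(c.name, "inventory", f"no baseline for kind {c.kind!r}", "review"))
    return findings

def report(findings):
    lines = [f"{len(findings)} deficiencies found"]
    lines += [f"{f.component}: {f.requirement}: {f.detail} [{f.cost}]" for f in findings]
    return "\n".join(lines)

# Constructed inventory and one vendor port approved through a (constructed) help-desk ticket.
SAMPLE_INVENTORY = [
    Component("rtr-core", "router", {"open_ports": [22, 443, 1521, 5631]}),
    Component("ws-lobby-1", "workstation", {"area": "public", "idle_logoff_minutes": 30}),
    Component("ws-billing-4", "workstation", {"area": "staff", "idle_logoff_minutes": 15, "modem": True}),
    Component("srv-lab", "server", {"admin_password": "admin", "behind_firewall": True}),
]
SAMPLE_EXCEPTIONS = {("rtr-core", 1521)}   # ticket HD-2041, constructed

if __name__ == "__main__":
    print(report(certify(SAMPLE_INVENTORY, approved_exceptions=SAMPLE_EXCEPTIONS)))
```

On the sample inventory the script reports four deficiencies: the router port with no help-desk request (the approved vendor port on 1521 is not reported), the lobby workstation whose idle log-off exceeds the five-minute public-area limit, the billing workstation with a modem attached, and the server still using a default administrative password. The approved-exception set is the code form of the report's help-desk policy: a port is compliant either because the baseline allows it or because a recorded request does, and the certification check cannot tell which unless the request was recorded.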

HIPAA requirements (continued from p. 5)

Data authentication. This requirement establishes that your network employs a mechanism to ensure that data is not corrupted or altered inappropriately. Checksums, double keying, message authentication codes, or digital signatures are some of the ways to address this requirement. Note that an unkeyed checksum detects accidental corruption only: anyone able to alter the data can recompute the checksum to match, so where deliberate alteration is a concern you need a message authentication code (which requires a secret key) or a digital signature.

Entity authentication. This requirement directs you to maintain some system of checking that you know who is accessing PHI. It has the following three components:

1. Your network components must have an automatic log-off feature enabled
2. Your users must be assigned unique identifiers
3. You must authenticate users using one of the following methods:
   - biometric identification
   - password or personal identification number (PIN)
   - telephone callback
   - token

For all networks

If you employ a network, the following elements must be addressed in your security configuration:

Alarms. Your network must have a system that will notify someone in the event of abnormal conditions. Typically an intrusion detection system (IDS) will provide this type of feature.

Audit trail. You must be able to recreate events to analyze and investigate incidents that occur. This typically requires maintenance of IDS logs or other tools to analyze events.

Identify and authenticate users, programs, and processes. This addresses the same requirements of identifiers, passwords, and authentication addressed above, but at the network level.

Deny access to unauthorized users. This requirement simply states that you have protected access to your data so that unauthorized individuals are not able to bypass your controls.

Event reporting. This requires that you have a system in place that checks for and reports unusual or irregular events. You may use an IDS or other tools for this purpose.
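The data-authentication requirement above lists checksums next to message authentication codes and digital signatures, and the difference between them is the point a practitioner needs. As an added example, not part of this report, the following Python code (standard library only; the PHI record and the key are constructed) shows that a CRC32 checksum and an HMAC both catch a flipped bit, but that an attacker who alters the record can simply recompute the checksum, whereas the HMAC cannot be recomputed without the key, so the altered record is rejected. A digital signature gives the same property while letting the verifier hold only a public key, which matters when the verifying party should not be able to produce valid records itself; that case is not shown here.

```python
"""Checksum versus message authentication code for the data-authentication
requirement. Added example; the record and key are constructed."""
import hashlib
import hmac
import zlib

# Constructed PHI record and a constructed key. A real key would come from the
# organization's key-management process, never be hard-coded, and be kept from
# anyone who should not be able to produce valid records.
RECORD = b"patient=44812;allergy=penicillin;dose=5mg"
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")

def checksum_tag(data: bytes) -> bytes:
    """Unkeyed integrity tag: CRC32 of the data."""
    return zlib.crc32(data).to_bytes(4, "big")

def checksum_valid(data: bytes, tag: bytes) -> bool:
    return checksum_tag(data) == tag

def mac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed integrity tag: HMAC-SHA256 over the data."""
    return hmac.new(key, data, hashlib.sha256).digest()

def mac_valid(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking where the tags first differ through timing.
    return hmac.compare_digest(mac_tag(key, data), tag)

def flip_bit(data: bytes, index: int = 0) -> bytes:
    """Simulate accidental corruption: one bit of one byte changes in transit."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)

def alter_dose(data: bytes) -> bytes:
    """Simulate deliberate alteration of a clinical value."""
    return data.replace(b"dose=5mg", b"dose=50mg")

def accidental_corruption_detected() -> dict:
    """Both mechanisms catch a bit flip because the stored tag no longer matches."""
    corrupted = flip_bit(RECORD)
    return {
        "checksum": not checksum_valid(corrupted, checksum_tag(RECORD)),
        "mac": not mac_valid(KEY, corrupted, mac_tag(KEY, RECORD)),
    }

def deliberate_alteration_detected() -> dict:
    """An attacker who can alter the record can also recompute an unkeyed checksum,
    so the forgery is accepted. Without KEY the attacker can only reuse the old
    MAC tag, which no longer matches, so the forgery is rejected."""
    forged = alter_dose(RECORD)
    attacker_checksum = checksum_tag(forged)           # attacker recomputes freely
    reused_mac = mac_tag(KEY, RECORD)                  # best the attacker can do: replay
    return {
        "checksum": not checksum_valid(forged, attacker_checksum),   # False: not detected
        "mac": not mac_valid(KEY, forged, reused_mac),               # True: detected
    }

if __name__ == "__main__":
    print("accidental corruption detected:", accidental_corruption_detected())
    print("deliberate alteration detected:", deliberate_alteration_detected())
```

The two result dictionaries make the distinction concrete: accidental corruption is detected by both mechanisms, deliberate alteration only by the keyed one. When you write the data-authentication line of your baseline, state which threat the mechanism must cover, because a checksum that is perfectly adequate for detecting disk or transmission errors satisfies nothing against an insider who edits a record.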

For open network transmission

If you intend to use open networks such as the Internet for transmission of PHI, the following three controls must be reflected in your security configuration:

Integrity controls. You must employ mechanisms to ensure that PHI transmitted over open networks is valid.

Authentication. You need to ensure that the PHI received matches what was sent, that is, that it was not altered in transmission (message authentication).

Encryption. PHI passing across open networks must be encrypted.

A starting place

As you can see, the requirements listed in HIPAA's proposed security rule are not prescriptive. And that's deliberate. Your organization must determine the risks and appropriate security safeguards that meet your needs. Everything from deciding how long a computer may run unattended before it's automatically logged off, to what is the appropriate level of encryption, to how you will authenticate messages is left to you. Other entities, such as the Centers for Medicare & Medicaid Services, the Joint Commission on Accreditation of Healthcare Organizations, or other standard-makers may set more specific guidelines that you will need to consider. Over time, the level of protection will change, as techniques and standards that are secure today become compromised. Your security baselines will need to adjust to meet these changes. But starting with the HIPAA requirements and defining how you intend to meet them will begin the certification process by establishing your network baselines.

01/02 SR3601

This special report is published by Opus Communications, Inc., 200 Hoods Lane, Marblehead, MA. Copyright 2002 Opus Communications, Inc. All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this publication may be reproduced, in any form or by any means, without prior written consent of Opus Communications or the Copyright Clearance Center. Please notify us immediately if you have received an unauthorized copy. For renewal or subscription information, contact customer service at customerservice@hcpro.com. Opinions expressed are not necessarily those of the editors. Mention of products and services does not constitute endorsement. Advice given is general, and readers should consult professional counsel for specific legal, ethical, or clinical questions. Opus Communications is not affiliated in any way with the Joint Commission on Accreditation of Healthcare Organizations.

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

Firewalls for small business

Firewalls for small business By James Thomas DTEC 6823 Summer 2004 What is a firewall? Firewalls for small business A firewall is either hardware, software or a combination of both that is used to prevent, block or should I say try

More information

HIPAA Risk Assessments for Physician Practices

HIPAA Risk Assessments for Physician Practices HIPAA Risk Assessments for Physician Practices Eric Sandhusen Corporate Compliance Director and Privacy Officer Lloyd Torres Director of Ambulatory HIM DISCLAIMER The statements and opinions presented

More information