Securing the Healthcare Enterprise for Compliance with Cloud-based Identity Management
Leveraging Common Resources and Investments to Achieve Premium Levels of Security

Summary

The ecosystem of traditional healthcare is expanding to extend the reach of the healthcare system, allowing greater access to health data historically housed in separate information systems. Tighter integration, closer relationships and more open communication enable better patient care outcomes and lower costs. Access to appropriate information in a timely manner can be the difference between life and death. However, significant security and privacy concerns arise when a healthcare stakeholder decides to leverage its internal healthcare-related information outside of its four walls.
Securely Managing Patient Information

To help solve these problems, the healthcare industry is turning to information technology. However, with the benefits of an extended information exchange come new challenges, including the need to manage identities. Patient identifying information, and the appropriate access by various healthcare professionals to a patient's health and demographic information, must be accurate and secure. These challenges include:

Regulatory compliance
Management of large communities of users
Administrative and support processes
Two-factor authentication
Password reset

AT&T Healthcare Community Online (HCO) helps healthcare entities manage this risk through a cloud-based identity management system.

HIPAA

As organizations extend the reach of enterprise information and access, regulatory requirements quickly surface as a significant challenge. The Health Insurance Portability and Accountability Act (HIPAA) was designed to make healthcare more affordable by ridding the system of waste, fraud and inefficiency. The effort to streamline industry administrative practices led to an emphasis on standardizing the exchange of electronic healthcare information between organizations. Due to concerns about the vulnerabilities of electronic information, specifically accidental or unauthorized disclosure, requirements were written into HIPAA to help protect the privacy of healthcare information and secure the systems that contain it from unauthorized access. Though HIPAA was signed into law in 1996, the final rules governing the privacy and security of protected healthcare information were not enacted by the Department of Health and Human Services until 2002 and 2003 respectively.
The Final Privacy Rule and the Final Security Rule require healthcare organizations, known as covered entities, to implement safeguards for protecting healthcare information and controlling access to the systems in which it is contained. The two rules overlap considerably, and both emphasize minimizing accidental or unauthorized disclosure by strictly controlling who can access healthcare information systems. Secure centralized provisioning systems, such as HCO's, are key components in the effort to comply with HIPAA. Through its ability to automate the creation, management and revoking of user access to enterprise systems and applications, HCO helps organizations confirm that only properly authorized individuals can access sensitive information.

This paper outlines the HIPAA requirements for information privacy and system security, how provisioning systems work, and their ability to provide the level of security mandated by this sweeping legislation.

Privacy, Security and HIPAA

Core to HIPAA's goals for increased efficiency are the streamlining of administration and the standardization of electronic data interchange (EDI) between healthcare organizations. In addition to information protection, HIPAA requires organizations to maintain a secure infrastructure that controls all users' access to systems that contain protected health information (PHI). Therefore, managing PHI and the access rights of the people who need access is the essence of HIPAA compliance. The Department of Health and Human Services (DHHS) guideline 45 CFR, Part 146, provides detailed rules governing privacy (the Final Privacy Rule), security standards (the Final Security Rule) and their implementation.
These rules require:

Standardization of electronic patient health, administrative and financial data
Creation and use of unique identifiers for individuals, employers, health plans and healthcare providers
Establishment of security standards for protecting the confidentiality and integrity of past, current and future individually identifiable health information

It is this last provision that affects the IT practices and systems used by covered entities.

The Final Security Rule

The Final Security Rule specifies a long and complicated list of requirements for providing a uniform level of protection for all PHI housed or transmitted electronically. Further, the rule requires the covered entity to protect against any reasonably anticipated threats, security hazards or unauthorized disclosures. This includes safeguarding system access and documenting that technical security measures are in place to protect networks, computers and other devices. Portions of the rule leave it up to the covered entity to select the solution that best suits it, as long as the choice is supported by a thorough assessment and risk analysis. Based on the results of the risk assessment, the covered entity must develop and implement the necessary technical and management infrastructure. This includes the development of a secure technical and information infrastructure, updating information systems to safeguard PHI, and developing and maintaining an internal policy, security management and enforcement infrastructure, including the appointment of a Privacy and Security Officer.
The Final Privacy Rule

The Final Privacy Rule focuses on protecting healthcare information from unauthorized and accidental disclosure by controlling who can access the systems that contain the information. The DHHS requires covered entities to confirm the confidentiality, integrity and availability of all electronic PHI created, received, maintained or transmitted by them. 45 CFR 146 also spells out specific privacy regulations, designed to protect the privacy of all individually identifiable health information stored by covered entities, regardless of whether it is in hard copy or electronic form.

Complying with the Privacy Rule requires covered entities to implement controls on user access to PHI. These controls require covered entities to make reasonable efforts to restrict access to the minimum necessary, or only to individuals who have a legitimate need to access PHI. This is understood to mean individuals who either provide healthcare treatment or conduct business operations (such as billing). Clearly, there is a need to control user access to the covered entity's information systems via proper authentication. Organizations with networked systems (intranets and extranets) are required to make reasonable efforts to limit the access of such persons. Typically, these organizations implement one or more security authentication access mechanisms that are user-based, role-based and/or context-based to meet the minimum necessary requirements. Systems that restrict access by job function or role are generally deemed to be adequate. This means that users need to be uniquely identified to each system containing PHI and granted access and other privileges based on their roles. With numerous information systems within a given covered entity, each having its own password and authentication requirements, this can be a very complicated and costly undertaking.
The Permitted Uses Complication

One of the more complex aspects of the Final Privacy Rule is the permitted uses for data. This capability must be supported by all systems that expose PHI. Under the permitted uses clause, a covered entity is permitted to use and disclose PHI, without an individual's authorization, for the following purposes or situations:

1. Individuals to whom the PHI relates.

2. Treatment, payment and healthcare operations. A covered entity may also disclose PHI for the purpose of quality or competency assurance activities.
   a) Treatment is the provision, coordination or management of healthcare and related services for an individual by one or more healthcare providers.
   b) Payment encompasses activities of a health plan to obtain premiums for coverage and provision of benefits, and to furnish reimbursement for healthcare delivered to an individual.
   c) Healthcare operations are any of the following activities:
      i. Quality assessment
      ii. Competency assurance
      iii. Conducting medical reviews
      iv. Insurance functions
      v. Business planning
      vi. General administration

3. Opportunity to agree or object. Information permission may be obtained by asking the individual outright. Where the individual is incapacitated or not available, the covered entity may make such use and disclosure if, in the exercise of its professional judgment, the use is determined to be in the best interest of the individual.
   a) Facility directories are allowed to use patient contact information. A covered healthcare provider may rely on an individual's informal permission to list the individual's name, general condition, religious affiliation and location in the provider facility.
   b) For notification and other purposes, a covered entity also may rely on an individual's informal permission to disclose to family and friends PHI relevant to that person's involvement in the individual's care or payment for care.

4. Incident to an otherwise permitted use and disclosure.
   The privacy rule does not require that all incidental disclosures be handled. Unfortunately, in electronic systems incidental access is very difficult to prove.

5. Public interest and benefit activities. The rule permits use and disclosure of PHI without an individual's authorization or permission for 12 national priority purposes:
   a) Required by law
   b) Public health activities
   c) Victims of abuse, neglect or domestic violence
   d) Health oversight
   e) Judicial and administrative proceedings
   f) Law enforcement purposes
   g) Decedents
   h) Cadaveric organ, eye or tissue donation
   i) Research
   j) Serious threat to health or safety
   k) Essential government functions
   l) Workers' compensation

6. Limited dataset for the purposes of research, public health or healthcare operations.

Often the most complex portion of provisioning is to design a system that restricts access while also recognizing the cases where access must be granted.

Who Must Comply?

In general, the standards and implementation specifications of HIPAA apply to the following covered entities (inclusive of federal agencies, their contractors and service providers that meet the following descriptions):

Healthcare Providers: Any provider of medical or other health services, or supplies, that transmits health information in an electronic form in connection with a transaction for which a standard has been adopted.
Health Plans: Any individual or group plan that provides or pays the cost of healthcare.

Healthcare Clearinghouses: A public or private entity that processes healthcare transactions from a standard format to a nonstandard format, or vice versa.

How to Comply

Complying with HIPAA security and privacy rules can be overwhelming. Granting and managing individual users' access rights and privileges to every IT system containing PHI can be complicated and costly, especially if handled manually. At the end of the day, HIPAA compliance requires protecting the integrity and confidentiality of PHI and controlling the access rights and privileges of the people who use it.

HIPAA security and privacy regulations focus on a broad range of system practices and processes. First, they require covered entities to educate their own employees on the practices and responsibilities relative to information privacy and security. Second, they require the covered entity to comply with certain security requirements. However, in certain instances, the path to compliance is left to the discretion of the covered entity. Determining the path to compliance requires the covered entity to conduct a comprehensive risk assessment. This assessment includes privacy and security practices; information security systems and procedures; and use of electronic transactions.

Though healthcare organizations have their own unique set of issues, other regulated industries encounter similar challenges. Legislation affecting the financial services industry, pharmaceutical companies and the financial reporting functions of all publicly traded companies imposes similar information access restrictions. As with HIPAA, a centralized provisioning system, such as HCO's, can help covered entities comply with 45 CFR.
A centralized provisioning system automates the entire user lifecycle, including granting, managing and revoking user access rights and privileges to enterprise systems and applications. In the case of HCO's centralized provisioning solution, organizational policies governing user access to information are defined and enforced. Access to designated systems is thereby limited to properly authorized individuals. In addition, as a centralized provisioning solution, HCO minimizes the business and IT resources necessary to support the security, privacy and privilege management infrastructure.

Protecting Information Systems

Managing PHI and the people who access it is a major aspect of HIPAA compliance. With PHI contained in different systems residing in multiple locations, it's difficult for a covered entity to maintain tight control over user access. Compounding the problem is the growing number of patients and employees who access healthcare insurance information via the Internet.

To provide the level of user access security required by HIPAA, IT departments need to centralize control of user access for all enterprise systems and applications. Unfortunately, centralized control can be very expensive. If handled manually, enforcement of HIPAA compliance requires added headcount in the form of costly administrators who manage the various systems and their user access rights. A more efficient and cost-effective approach to centralized control is automation. Leveraging an automated approach, the centralized provisioning system would control the creation, management and deletion of user access rights and privileges, substantially reducing the cost of HIPAA compliance. In addition, the automated provisioning system would enforce corporate policies governing who is authorized to access particular information and systems. Finally, when a user leaves the company, the automated system would delete their access rights from all corporate systems.
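The lifecycle just described (derive access from the user's job attributes, hold it until the required approvers sign off, revoke everything on departure, and record each step for audit) can be modelled in a few dozen lines. The following is an added example written for this paper, not HCO's own code or API; the departments, roles, systems and approver names are constructed sample data, and the policy tables are assumptions about how such a store might be laid out.

```python
"""Policy-driven provisioning with approval gating and an audit trail.

Added illustration, not HCO's code. It models the lifecycle described in the
paper: entitlements are derived from job attributes, nothing is activated
until the named approvers agree, and departure revokes every account.
All systems, roles and users below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: (department, job function) -> systems that role may use.
ACCESS_POLICY = {
    ("Cardiology", "Physician"): {"ehr_clinical", "lab_results"},
    ("Billing", "Claims Analyst"): {"billing_portal"},
    ("IT", "Help Desk"): set(),  # support staff get no PHI systems by default
}

# Constructed: approvers whose sign-off is required before access to a system.
APPROVAL_REQUIRED = {
    "ehr_clinical": ("dept_head", "privacy_officer"),
    "lab_results": ("dept_head",),
    "billing_portal": ("billing_manager",),
}


@dataclass
class User:
    user_id: str
    department: str
    job_function: str


@dataclass
class ProvisioningSystem:
    # user_id -> {system -> "pending" | "active"}
    accounts: dict = field(default_factory=dict)
    # (user_id, system) -> set of approvers who have not yet signed off
    pending_approvals: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, event, **details):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append({"ts": stamp, "event": event, **details})

    def request_access(self, user: User) -> dict:
        """Derive entitlements from policy; gated systems start as pending."""
        entitled = ACCESS_POLICY.get((user.department, user.job_function))
        if entitled is None:
            self._log("denied_no_policy", user=user.user_id)
            return {}
        state = self.accounts.setdefault(user.user_id, {})
        for system in sorted(entitled):
            approvers = set(APPROVAL_REQUIRED.get(system, ()))
            if approvers:
                state[system] = "pending"
                self.pending_approvals[(user.user_id, system)] = approvers
                self._log("approval_requested", user=user.user_id,
                          system=system, approvers=sorted(approvers))
            else:
                state[system] = "active"
                self._log("access_granted", user=user.user_id, system=system)
        return dict(state)

    def approve(self, approver: str, user_id: str, system: str) -> str:
        """Record one approval; activate only when no approver is outstanding."""
        key = (user_id, system)
        needed = self.pending_approvals.get(key)
        if needed is None or approver not in needed:
            # Not a required approver for this request: ignored and logged.
            self._log("approval_rejected", approver=approver, user=user_id, system=system)
            return self.accounts.get(user_id, {}).get(system, "none")
        needed.discard(approver)
        self._log("approved", approver=approver, user=user_id, system=system)
        if not needed:
            del self.pending_approvals[key]
            self.accounts[user_id][system] = "active"
            self._log("access_granted", user=user_id, system=system)
        return self.accounts[user_id][system]

    def deprovision(self, user_id: str) -> list:
        """On departure, revoke every account and cancel pending requests."""
        revoked = sorted(self.accounts.pop(user_id, {}))
        for key in [k for k in self.pending_approvals if k[0] == user_id]:
            del self.pending_approvals[key]
        for system in revoked:
            self._log("access_revoked", user=user_id, system=system)
        return revoked


if __name__ == "__main__":
    ps = ProvisioningSystem()
    ps.request_access(User("u100", "Cardiology", "Physician"))
    ps.approve("dept_head", "u100", "lab_results")
    ps.approve("dept_head", "u100", "ehr_clinical")
    ps.approve("privacy_officer", "u100", "ehr_clinical")
    print(ps.accounts)
    print(ps.deprovision("u100"))
    for entry in ps.audit_log:
        print(entry)
```

The point of the two-stage model is that the policy table decides what a role may have, while the approval table decides who must agree before it is switched on; an account never becomes active by default, and every transition leaves a log entry a reviewer can trace.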
Community Provisioning Defined

Community provisioning involves the management activities, business processes and technology systems that govern the creation, modification and deletion of user access rights and privileges to a community of IT systems (this includes governing what, if any, authorizations are needed before access is granted). By definition, community provisioning systems are shared and leveraged across multiple enterprises, thereby reducing the cost for all involved. When creating user access accounts for the specific IT systems they manage, provisioning systems (including the one provided by HCO) match user information (e.g., job function, location, department and title) to organizational policies governing system and application access. In addition, provisioning systems strengthen security via approval processes.

Provisioning and Great Systems Security

HCO's centralized provisioning service helps strengthen security so that only properly authorized individuals have access to PHI, thereby enabling an organization to comply with HIPAA requirements. HCO's provisioning service automates the process of determining who is allowed to access each system and what data they can view. Through process automation, policies are strictly and consistently enforced, regardless of the department or location from which the user is gaining access. As an added layer of security, HCO automates and enforces approval policies. Given a particular user who requests access, the HCO service will initiate an approval process notification to authorizers, denying access until the proper approvals are secured.

Rogue accounts

No matter how careful an organization might be, there is always the risk of access being granted to unauthorized individuals. One scenario involves the use of a rogue account. In this scenario, a user account is created on a system in a way that bypasses normal access policy controls.
A local system administrator or contractors working on the system are typical creators of rogue accounts. HCO minimizes the risk of rogue accounts by separating data related to access from the organization. This separation of duty is unique to HCO's centrally hosted identity management system.

Orphan accounts

Another tactic used to gain unauthorized access is the orphan account. An orphan account is a user account that may have legitimate origins (e.g., an employee or contractor is granted access) but, due to inaccurate or untimely records, is not properly deactivated upon the employee's or contractor's departure. Hunting for gaps in security, savvy users locate and exploit orphan accounts, using them to create unauthorized access for themselves. Using a combination of a user access database, delegated administration and connectivity to the HR systems of remote clients, HCO's solution immediately and completely deactivates user access upon departure, promoting a secure enterprise infrastructure. HCO's database also enables robust reporting to confirm that access has been terminated, which also helps with regulatory compliance.
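Both failure modes above, the rogue account and the orphan account, are found the same way: by reconciling what actually exists on each system against the central provisioning record and the HR feed. An account with no provisioning record is rogue; a provisioned account whose owner HR shows as departed but which is still enabled is orphaned. The reconciliation below is an added example written for this paper, not HCO's reporting code; the HR feed, provisioning store and system account export are constructed sample data in an assumed layout.

```python
"""Reconcile live accounts against HR and central provisioning records.

Added illustration, not HCO's code. A rogue account exists on a system
with no entry in the central provisioning store; an orphan account is
provisioned but still enabled after HR shows the owner as departed.
Every record below is constructed sample data.
"""
from datetime import date

# Constructed HR feed: user_id -> (status, termination date or None)
HR_FEED = {
    "u100": ("active", None),
    "u101": ("terminated", date(2010, 6, 30)),
    "u102": ("active", None),
}

# Constructed central provisioning store: (user_id, system) -> approver of record
PROVISIONED = {
    ("u100", "ehr_clinical"): "dept_head",
    ("u101", "billing_portal"): "billing_manager",
    ("u102", "lab_results"): "dept_head",
    ("u104", "lab_results"): "dept_head",   # provisioned, but absent from HR
}

# Constructed export of the accounts actually present on each system
SYSTEM_ACCOUNTS = [
    {"system": "ehr_clinical", "user_id": "u100", "enabled": True},
    {"system": "billing_portal", "user_id": "u101", "enabled": True},  # orphan
    {"system": "lab_results", "user_id": "u102", "enabled": True},
    {"system": "ehr_clinical", "user_id": "svc_tmp", "enabled": True},  # rogue
    {"system": "lab_results", "user_id": "u103", "enabled": False},  # rogue, disabled
    {"system": "lab_results", "user_id": "u104", "enabled": True},  # no HR identity
]

AS_OF = date(2010, 7, 13)  # constructed report date


def reconcile(hr_feed, provisioned, system_accounts, as_of):
    """Classify each live account as clean, rogue or orphan."""
    findings = {"rogue": [], "orphan": [], "clean": []}
    for acct in system_accounts:
        key = (acct["user_id"], acct["system"])
        if key not in provisioned:
            # Nobody in the central system ever authorized this account.
            findings["rogue"].append({**acct, "reason": "no provisioning record"})
            continue
        hr = hr_feed.get(acct["user_id"])
        if hr is None:
            # Legitimately provisioned once, but HR no longer knows the person.
            findings["orphan"].append({**acct, "reason": "no HR record",
                                       "days_since_departure": None})
            continue
        status, left_on = hr
        if status == "terminated" and acct["enabled"]:
            findings["orphan"].append({**acct, "reason": "owner departed",
                                       "days_since_departure": (as_of - left_on).days})
            continue
        findings["clean"].append(acct)
    return findings


def remediation_plan(findings):
    """Orphans are disabled; rogue accounts are disabled and queued for review."""
    actions = []
    for f in findings["orphan"]:
        if f["enabled"]:
            actions.append(("disable", f["system"], f["user_id"]))
    for f in findings["rogue"]:
        if f["enabled"]:
            actions.append(("disable", f["system"], f["user_id"]))
        actions.append(("review", f["system"], f["user_id"]))
    return sorted(actions)


def run():
    return reconcile(HR_FEED, PROVISIONED, SYSTEM_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    result = run()
    for category in ("rogue", "orphan"):
        for finding in result[category]:
            print(category, finding)
    print(remediation_plan(result))
```

Running this report on a schedule, and keeping its output with the audit log, is what turns the paper's "confirm that access has been terminated" into evidence: the days-since-departure figure on each orphan shows how long the deprovisioning gap lasted, and the rogue list names accounts that never passed through the approval process at all.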
Conclusion

HIPAA has forced major changes on the healthcare industry and will continue to change security requirements as new rules are adopted. Sections of the act specify information security requirements designed to protect privacy and information systems security. The many information systems that contain PHI need adequate user access controls to comply with HIPAA. Covered entities can help enhance their regulatory compliance by strengthening security around who can access systems that contain protected health information. Centralized provisioning systems such as HCO's can help. By strictly enforcing user information access policies, detecting and auditing unauthorized system access, and deleting terminated employees' and contractors' access rights immediately and accurately, HCO establishes that enterprise systems are provisioned correctly. With robust reporting and audit capabilities, companies can demonstrate to regulators that their IT systems are properly protected. Finally, because HCO is implemented using a central shared service model, the burden of installation and maintenance is significantly reduced.

Auditing and Reporting: Supporting Regulatory Compliance

Stricter information access and privacy controls specified by HIPAA affect the entire organization. The organization must determine that every person who accesses PHI is authorized to do so. HCO helps organizations comply with HIPAA requirements by providing detailed reports on all systems and user access, including when access was created, who authorized access and what information has been accessed or changed. This reporting capability demonstrates the organization's use of strict policies governing information privacy and strict information access controls.
Combined with the security of remote user provisioning, HCO's centralized audit capability will help companies pass regulators' scrutiny for HIPAA compliance.

AT&T: Helping People and Systems Work Better Together

AT&T enables information ecosystems that quickly revolutionize organizations by providing secure communication and collaboration between people and systems in remarkably simple ways. As a recognized pioneer in cloud computing, AT&T has driven the on-demand evolution in the way organizations connect, communicate and collaborate with all the stakeholders required to achieve optimum performance. For more information contact an AT&T Representative or visit www.att.com/hco.

07/13/10 AB-1834-01
© 2010 Compuware Corporation and AT&T Intellectual Property. Covisint, the Covisint logo and all Covisint products and services listed within are trademarks or registered trademarks of Compuware Corporation. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.