White Paper. From Policy to Practice: A Practical Guide to Implementing HIPAA Security Safeguards




Abstract

HIPAA requires a number of administrative, technical, and physical safeguards to protect patient information that is stored and exchanged, both in paper and electronic form. The technical safeguards call for solutions for access control, data integrity, person or entity authentication, transmission security, and ensuring compliance. Although there is no one-size-fits-all solution to HIPAA compliance, there are some common-sense information security strategies that help organizations comply with these regulations. These strategies include understanding the intention of HIPAA and the spirit in which it was written, and applying them to the particular needs of your organization. This document outlines the Act's main points, describes strategies for implementation, highlights pitfalls to avoid, and explains how SecureZIP can aid compliance. Please note this whitepaper is for general information purposes only and does not constitute legal advice.

Introduction

The security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require the protection of medical records and other personal health information created or maintained by healthcare providers, health plans, hospitals, health insurers, and healthcare clearinghouses. HIPAA regulations apply to patient health information in all its forms, both paper and digital, and require sound business practices as well as electronic safeguards to protect the confidentiality of information. Healthcare organizations and individuals face stiff penalties and lost reputations if they fail to comply with government requirements for safeguarding protected health information as prescribed by HIPAA.

Originally, HIPAA was focused on the portability aspect of its requirements. The act was initially intended to protect the confidentiality of pre-existing conditions, to prevent a person from being denied coverage when he or she changed group insurance plans or moved to a new job. However, in recent years healthcare organizations, like many other companies, have been leveraging the Internet and other computer technologies to streamline their business processes and become more profitable. As a result, HIPAA has expanded its reach to protect all patient information that is stored or exchanged electronically. This means that not only healthcare organizations such as hospitals, insurance companies, and clearinghouses are subject to HIPAA requirements, but also any organization with an HR department that processes employee medical information electronically.

When they speak about complying with HIPAA, most organizations refer to HIPAA's final rule, the Security Rule. Whereas the earlier Privacy Rule defines the type of information that must be protected and applies to data in any form, the Security Rule addresses how data in electronic form is to be protected. This description of "how" is what most concerns IT and IS managers.

General requirements of the Security Rule are as follows:

HIPAA 164.36 General Requirements

Covered entities must do the following:
1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
3. Protect against any reasonably anticipated uses or disclosures of such information.
4. Ensure compliance by its workforce.

Three safeguards are described in this final Security Rule: administrative, physical, and technical. As mentioned above, the administrative safeguards call for sound business processes such as developing organizational policies, workforce security and training, and performing periodic evaluations. Popular physical safeguards include controlling access to facilities, workstation security, and device and media controls. Technical safeguards address access control, audit controls, data integrity, authentication, and transmission security. Not everything mentioned in the safeguards is required, but organizations that do not implement suggested measures must be able to justify why a measure is not feasible or necessary for their particular environment.

Implementation: What's Right for Your Organization?

The good news in the midst of all these rules and regulations is that HIPAA is explicitly technology neutral. There is no single solution that is required for compliance. The act instead expects each organization to analyze variables such as its size and technological capabilities, as well as realistic risk factors, to come up with an approach that will reasonably protect the information under its trust:

(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.

HIPAA also acknowledges that data security initiatives must evolve over time. Not only are current computing landscapes variable, but they are constantly changing, driven by the evolution of technology and a rapidly changing business landscape. What works for a small organization today might not work tomorrow when it goes through a merger, rolls out new servers, or decides to outsource all claims processing. In addition, company-wide security initiatives are often not implemented all at once but in phased approaches across different groups. HIPAA compliance will remain an ongoing process for those affected.

The Security Scrapheap

The fact that HIPAA does not explicitly prescribe best practices for compliance reiterates what industry insiders have long known: there is no "magic security dust" that instantly and completely protects networks and information from every kind of breach. Often, solutions that have been touted as security panaceas are tremendously costly, and so complex to implement that they remain in pilot phase and are never fully deployed. Not to mention that what secures your network today might leave it vulnerable in the future as technologies become more advanced and complex, or as the rapidly changing business landscape brings your organization face to face with new requirements. All of which raises the simple but seemingly rarely addressed question: if your security solution can't actually be used, or is obsolete by the time you can deploy it, how can it protect you?

An enormous amount of energy and money has been expended by IT and IS groups to address regulations such as HIPAA over the past few years, often with very little in tangible results to show for it. Expensive PKI projects and other security initiatives can remain perpetually in pilot due to the complexities of implementation, usability, and support. And those who have been successful in deploying sophisticated solutions within their organizations often find themselves isolated on islands of security due to incompatible technologies, infrastructures, and policies between themselves and their external customers and business partners. So all the hype about security solutions (PGP, PKI, smart cards, biometrics, automated security policy enforcement, client authentication, message security, VPNs, access control) all too often remains hype.

In order to implement truly workable data security, flexibility must be a key component of the solution. However, flexible and secure have traditionally been mutually exclusive (think guard dogs, stoic soldiers, and steel doors at Fort Knox; not exactly flexible). No one will argue that strong security is not only valuable but necessary. The challenge comes in finding malleable applications that enable organizations to actually use that strength in unique and ever-changing real-world environments.

Policy to Practice: The Pragmatic Approach

Rather than throwing money at the most complex technology, a more pragmatic approach to protecting information often has a greater chance of success. Conceptually, it starts with determining what information your organization is trying to protect and how, and assessing the existing and planned infrastructure within which the solution must operate. Finally, the needs of users, the most important element in the mix, must be understood and taken into consideration.

The healthcare industry is characterized by enormous amounts of patient information traveling over widely diverse network and computing environments. While large hospitals and insurance claims processors have their own IT organizations that manage a complex web of information, they often need to share that information with medical professionals in small offices that have just a few desktops and no IT infrastructure. In order to efficiently exchange patient information, common-ground solutions must be found that don't require a security expert to implement and maintain, are completely interoperable, and yet can also handle the demands of complex networks.

PKWARE's SecureZIP family of products leverages RSA's proven encryption technology for data protection via digital certificates and strong passwords. However, because SecureZIP is built on the ubiquitous and fully interoperable ZIP standard, it is easy to deploy across your organization on all major computing platforms. As a result, communication with external partners is uncomplicated. Below we show how SecureZIP helps you implement the major safeguards required by HIPAA.

Access Control

HIPAA requires that access to PHI (protected health information) be limited to authorized parties and those who have been granted access rights. As more and more information is stored on network servers and exchanged with external partners, physicians, and patients, covered entities need to ensure that data isn't viewed by prying eyes. SecureZIP delivers access control through the use of digital certificates or passwords to protect data at the file level. Only those for whom the files have been encrypted can view their contents. Because information is encrypted at the file level, rather than by means that protect only the pathways through which information travels, the file is always protected, whether it is in transit or in storage. SecureZIP also supports the use of smart cards or tokens that contain digital certificates or passwords. This is also known as two-factor authentication.

Data Integrity

Not only must data be protected from unauthorized viewing, it must also be guarded against improper alteration or destruction. Access must be denied to those who do not have permission to change information, and there must be some mechanism for users to know if a document has been altered. SecureZIP enables users to protect information in two ways: by encrypting it and by digitally signing it. When a document is encrypted, all access is denied to unauthorized users; they cannot view, edit, or delete that document. When a document is digitally signed, the signature ensures that the document has not been altered in any way since the time it was originally signed. If the document is tampered with or changed by someone else, the digital signature will no longer be valid.

Person or Entity Authentication

In addition to providing data integrity, digital signatures provide authentication and non-repudiation. Within an organization, each person or entity is given a unique digital certificate, which functions much like a driver's license or passport. When a document is digitally signed with that unique certificate, the recipient of that document can rest assured that the document did in fact come from that person. The issuer of the digital certificate, the certificate authority (CA), is responsible for guaranteeing the identity of the certificate holder. The CA can be the company or organization implementing a PKI using CA software from providers such as RSA, Entrust, or Microsoft, or one of the CA service providers such as Verisign. SecureZIP supports both individual and organizational certificates for digital signatures using X.509 V3. Certificates can be issued either by the company or by any of the trusted CAs.
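The file-level encryption and signature checks described above (access control, data integrity, and person or entity authentication), as an added illustration in Go that is not SecureZIP code and does not use the ZIP format: a constructed sample record is sealed with AES-256-GCM so the bytes stay protected regardless of the channel they travel over, then signed with RSA-PSS over SHA-256; the untouched copy verifies, and a copy with a single flipped byte is rejected. The random file key and freshly generated RSA key are assumptions standing in for a key wrapped to the recipient's certificate and a CA-issued signing certificate, which this example does not model.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// sealFile encrypts the file bytes themselves with AES-256-GCM, so protection
// travels with the file at rest and in transit instead of relying on the channel.
func sealFile(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil // nonce || ciphertext || tag
}

// signFile signs the SHA-256 digest of the sealed file with the sender's RSA
// key (RSA-PSS); in a PKI the matching public key is carried by an X.509 cert.
func signFile(priv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	digest := sha256.Sum256(sealed)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// verifyFile reports whether sig was produced over exactly these bytes.
func verifyFile(pub *rsa.PublicKey, sealed, sig []byte) bool {
	digest := sha256.Sum256(sealed)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// runDemo seals a constructed sample record, signs it, then checks that the
// untouched file verifies and that a copy with one flipped byte is rejected.
func runDemo() (sigOK, tamperSeen bool, err error) {
	record := []byte("Patient ID 1234 (constructed sample): visit note\n")
	key := make([]byte, 32) // assumption: stands in for a key wrapped to the recipient's cert
	if _, err = rand.Read(key); err != nil {
		return false, false, err
	}
	sealed, err := sealFile(key, record)
	if err != nil {
		return false, false, err
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // assumption: stands in for a CA-issued cert
	if err != nil {
		return false, false, err
	}
	sig, err := signFile(priv, sealed)
	if err != nil {
		return false, false, err
	}
	sigOK = verifyFile(&priv.PublicKey, sealed, sig)
	altered := append([]byte(nil), sealed...)
	altered[len(altered)/2] ^= 0x01 // simulate alteration somewhere in transit
	tamperSeen = !verifyFile(&priv.PublicKey, altered, sig)
	return sigOK, tamperSeen, nil
}

func main() {
	sigOK, tamperSeen, err := runDemo()
	fmt.Printf("original verifies: %v, tampered copy rejected: %v, err: %v\n", sigOK, tamperSeen, err)
}
```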

Transmission Security

HIPAA requires that organizations protect PHI not only when it is stored, but also when it is transmitted over both public and private networks. This ensures that sensitive information is persistently secured as it is shared amongst employees, partners, doctors, and patients. SecureZIP protects information at the file level, rather than relying on solutions that only provide secure communication channels. This means that data is secured wherever the file travels and while in transit, say, between the hospital and the insurance company, or from server to desktop.

Ensure Compliance

In addition to helping you comply with the major safeguards of HIPAA's Security Rule, SecureZIP can also help you ensure compliance of your workforce through centralized administrative controls. SecureZIP enables administrators to lock user options, requiring that employees use password or certificate encryption.

SecureZIP provides practical solutions for access control, data integrity, authentication, and transmission security through cross-platform applications that can deploy data protection across your entire organization, from the desktop to the datacenter. Because it is built on the familiar ZIP standard, users can protect information via a familiar process. ZIP also ensures portability of encrypted files to outside partners and customers. Because it is completely interoperable, you can send encrypted files to anyone outside your organization knowing they will be protected with persistent security. In turn, your partners will be able to view those protected files, no matter what security infrastructure they have implemented.

Safeguard                        SecureZIP Features
Access Control                   Digital certificate and password-based encryption; supports two-factor authentication using smart cards or tokens
Data Integrity                   Digital certificate and password-based encryption; digital signatures
Person or Entity Authentication  Digital signatures
Transmission Security            Integration of password and certificate encryption features with Outlook and Lotus Notes; integration of password and certificate encryption features with FTP and SMTP file transfer processes
Ensure Compliance                Administrative features to centrally lock user options to ensure encryption of email attachments

Real-World Success

Many large organizations are now using SecureZIP to transfer data securely and efficiently across, and outside, the enterprise. One example is Gilsbar, a US-based health benefits and life insurance company that has sold over 250,000 policies through its network of distributors.

Gilsbar needed a cost-effective, efficient, and easy-to-implement-and-support method for enabling secure communications between its data center and its external partners, to comply with consumer health information privacy regulations. Gilsbar had examined a number of different technologies, including PGP, and decided on SecureZIP because ZIP was already widely adopted internally and externally, thereby reducing the learning curve and support costs. It was also one of the few solutions that worked seamlessly across different computing systems.

Gilsbar distributed ZIP Reader to its external partners using the ZIP Reader Partner Program. The program allows Gilsbar to provide PKWARE's freely available tool for viewing zipped and encrypted files directly from its website. In this way, anyone who does not own a PKWARE product can view zipped and encrypted files if they are intended recipients. The Reader Partner Program made it possible to quickly enable a scalable solution for sending encrypted information throughout its network. Gilsbar deployed the solution in a matter of days, and is now able to send sensitive information to hundreds of its partners both efficiently and securely.

Summary

Technology safeguards are only one consideration for full HIPAA compliance, which also includes developing business policies and procedures, workforce training, evaluations, contracts with partners to ensure compliance, and restricting physical access to documents and computers holding patient information. However, while data protection solutions in and of themselves won't make you fully compliant, they remain an increasingly important piece of the puzzle. Implementation of a data protection solution can not only help ensure that your networks meet compliance guidelines, it can also help you improve your return on investment by improving efficiencies in your most common business practices. Insurance claims processing can be easily outsourced without undue strain on the IT department. Doctors can digitally sign prescriptions, which can be emailed directly to the pharmacy. Nurses in hospitals can be given access rights to patient records online. In this way, data protection becomes more than just a cost center; it is another way to improve your organization's bottom line.

www.pkware.com
United States: 648 N. Plankinton Ave., Suite 220, Milwaukee WI 53203, 1-888-4-PKWARE
International: Hatch Farm, Mill Lane, Sindlesham, Wokingham, RG41 5DF, Phone: +44 (0) 118-979-9909