Matching BlackBerry Features to HIPAA Security Requirements



Author: Michael A. Eck, The Segal Company
Sponsored by: Research In Motion

Foreword

About this Guide
This guide is sponsored by Research In Motion (RIM) and was developed by The Segal Company with editorial input and technical review from RIM.

About the Author
The Segal Company is an independent, privately held, employee-owned consulting firm that provides a variety of consulting services to public, private and non-profit organizations throughout the United States and Canada. Founded over 70 years ago, The Segal Company's consulting philosophy and overall approach are highlighted by our commitment to our clients. We operate within specialized practice areas, two of which have been called upon for the development of this white paper: our Compliance practice and our Automation & Technology practice. Michael A. Eck is a Vice President in Segal's New York office and is responsible for the firm's Automation and Technology practice. He regularly assesses and advises clients on information security and privacy concerns relating to HIPAA and on other best practices for the management and security of information assets.

BlackBerry and HIPAA 2

Table of Contents
Foreword...2
  About this Guide...2
  About the Author...2
Introduction...4
Section 1: BlackBerry in a HIPAA Security Environment...5
  The HIPAA Security Rule...5
  BlackBerry IT Policies...6
  HIPAA Security Standards...7
  Deploying BlackBerry in a HIPAA Security Environment...10
    Technical Safeguards...11
    Administrative Safeguards...15
    Physical Safeguards...19
  Additional Valuable Security Management Features...21
Section 2: Background on HIPAA Administrative Simplification Provisions...23
  What is HIPAA?...23
  Who Must Comply?...25
  HIPAA Compliance Deadlines...26
  What are the Penalties for Non-compliance?...26
Appendix I: Password Management Close-up...28
Appendix II: Communication Types...30
Resources...32
End Notes...33

Introduction

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 led to the promulgation of a broad and comprehensive set of regulations requiring healthcare organizations to address privacy and security concerns related to healthcare data. These rules and their updates extend beyond traditional paper-based information to data stored and transmitted electronically. The HIPAA Security Rule focuses exclusively on protecting the confidentiality, integrity, and availability of electronic protected health information (ephi). It mandates technical, administrative, and physical safeguards and details the security measures organizations must implement to protect electronic data.

Although the Security Rule provides covered entities with implementation specifications describing how its standards are to be met, HIPAA is designed to be technology-neutral. Each organization must determine which technology solutions are consistent with, and facilitate, its need to comply with all of the HIPAA requirements.

Information security management is a constant, ongoing process, and the tools and techniques used to manage security and threats will continue to evolve. HIPAA compliance is likewise an ongoing and all-inclusive program that requires a complete complement of technical, administrative and physical safeguards, all of which must be tailored to the organization's environment.

This document focuses on how to apply the tools, functionality and resources available through the BlackBerry Enterprise Solution to help support the HIPAA security requirements and address the growing number of security challenges in healthcare information technology. It is designed to identify and illustrate the HIPAA security requirements, offer alternatives for meeting them, and provide the education and supporting information an IT professional needs to design and implement a HIPAA-supportive security architecture.

Section 1: BlackBerry in a HIPAA Security Environment

The HIPAA Security Rule

Section 164.306, the statement of the general Security Rule, requires covered entities to:
- ensure the confidentiality, integrity, and availability of all electronic protected health information (ephi) the covered entity creates, receives, maintains, or transmits;
- protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
- protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule; and
- ensure compliance by its workforce.

The Security Rule focuses on safeguarding the confidentiality, integrity, and availability of all ephi that a covered entity (or its business associates) creates, receives, maintains, or transmits. It sets out standards and describes required and addressable implementation specifications for each. Entities must protect ephi against reasonably anticipated threats, hazards, and impermissible uses or disclosures, and must ensure compliance by their workforce. Required safeguards include implementing appropriate policies and procedures, safeguarding physical access to ephi, and ensuring that technical security measures are in place to protect networks, computers and electronic devices. The Security Rule is scalable and technology-neutral: it describes a set of standards and specifications for protecting ephi but does not prescribe particular products. Covered entities and their business associates may implement technological solutions appropriate to their operations and environment.

CMS Guidance on Remote Access & Portable Devices

The U.S. Department of Health and Human Services (HHS) has not amended the Security Rule to address the growing use of wireless devices, but the Centers for Medicare and Medicaid Services (CMS) has released guidance for covered entities that permit the use of portable electronic devices that store ephi, or that allow remote access to ephi from devices such as laptop computers, PDAs and smartphones. In this guidance, CMS cautions covered entities to permit use of these devices only where there is a clear business need and the entity has taken great care to ensure that appropriate policies and procedures are in place and staff are adequately trained. CMS also discusses risk management strategies that covered entities should consider adopting when these devices are used, including requiring encryption for stored ephi and for ephi transmitted over the Internet, and enforcing session termination.

Communication Types & Messaging

Mobility has emerged as a key requirement for healthcare practitioners. Consider a doctor who uses a smartphone to receive a message about a patient with attached medical records, or a clinician who uses a smartphone application for remote access to the practice management system. ephi can exist in several forms, media and transports, and smartphones are very frequently at the intersection of ephi and mobility. In a mobile environment, ephi is most often rendered as messages or as application data. There are several messaging types, including e-mail, SMS, MMS, BlackBerry PIN and BlackBerry Messenger, and ephi can also be accessed and viewed through applications developed for smartphone use. The tools used to manage and control both messaging and data must be robust enough to secure ephi in each of these forms. For further information on these messaging types and applications, see Appendix II, Communication Types.

BlackBerry IT Policies

BlackBerry IT policies are the mechanism administrators use to set the rules for how the BlackBerry Enterprise Server and smartphones operate. IT policies can be applied to an individual user or to a group of like users, and they override the security settings that users define on their own BlackBerry smartphones. For example, an administrator can configure whether a password is required for a BlackBerry smartphone, how long a password remains valid before it expires, and the length and composition of the password, among many other options. An administrator can also use IT policies to specify encryption key details.

The BlackBerry Enterprise Solution gives administrators tight control over many aspects of the solution. With over 400 published IT policies, administrators can use these policies to enforce specific capabilities.

With the BlackBerry Enterprise Solution, IT policies are one-way, server-initiated, outbound communications. This lets administrators control each BlackBerry smartphone reliably, with confidence that the device is configured as intended: users cannot intervene or prevent a policy from being applied once the administrator has initiated it. IT policies also carry digital signatures so that only the designated BlackBerry Enterprise Server can send policy updates to a BlackBerry smartphone. Through the use of specific IT policies, the BlackBerry Enterprise Server and its associated smartphones can be configured to meet many best-practice security and HIPAA requirements.

HIPAA IT Policy Group

One size does not always fit all, nor should it need to. In healthcare organizations, not all members of the workforce need access to ephi. For example, employees in the finance or purchasing departments, some IT functions and many members of the senior management team do not need access to ephi to fulfill their job functions. Based on a formalized and documented risk assessment, the level of security and protection applied to a device will likely differ depending on whether its user is allowed to view, use, or manage ephi. Organizations should consider using different IT policy groups for different segments of their workforce. This allows administrators to tailor security settings to each employee's or group's role within the organization.

HIPAA Security Standards

Security standards are divided into the categories of administrative, physical and technical safeguards.

Administrative safeguards: Documented, formal practices to manage the selection and implementation of security measures that protect information and to guide the conduct of personnel in relation to the protection of information.

Physical safeguards: Practices to manage the protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion.

Technical safeguards: Processes put in place to protect and control access to information, and to protect data that is stored or transmitted over a communications network.

BlackBerry smartphones and the BlackBerry Enterprise Server can assist organizations not only with the technical safeguards, but also with their administrative and physical safeguard responsibilities under the HIPAA regulations. The chart that follows summarizes the HIPAA specifications that the BlackBerry Enterprise Solution can support as part of a full security environment.

Each set of safeguards comprises a number of standards, and each standard generally consists of several implementation specifications that are either required (R) or addressable (A). An implementation specification is a detailed instruction for implementing a particular HIPAA Security Rule standard. Required specifications are mandatory, as the name suggests; addressable specifications must also be implemented if doing so is reasonable and appropriate under the circumstances. Addressable specifications are not optional. If, based on its risk assessment, an entity chooses not to implement an addressable specification, it must document the rationale supporting that determination and, if reasonable and appropriate, implement an equivalent alternative measure.

HIPAA SECURITY STANDARDS & IMPLEMENTATION SPECIFICATIONS (Abbreviated)
(R) Required, (A) Addressable

Technical Safeguards
  Access Controls (R)
    - Unique User Identification (R)
    - Emergency Access Procedure (R)
    - Automatic Logoff (A)
    - Encryption & Decryption (A)
  Audit Controls (R)
  Integrity (R)
    - Mechanism to Authenticate ephi (A)
  Person or Entity Authentication (R)
  Transmission Security (R)
    - Integrity Controls (A)
    - Encryption (A)

Physical Safeguards
  Workstation Use (R)
  Device and Media Controls (R)
    - Disposal (R)
    - Media Re-Use (R)
    - Accountability (A)

Administrative Safeguards
  Security Management Process (R)
    - Risk Management (R)
    - Information System Activity Review (R)
  Workforce Security (R)
    - Workforce Clearance Procedure (A)
    - Termination Procedures (A)
  Information Access Management (R)
    - Access Authorization (A)
    - Access Establishment & Modification (A)
  Security Awareness & Training (R)
    - Protection from Malicious Code (A)
    - Log-in Monitoring (A)
    - Password Management (A)
  Contingency Plan (R)
    - Emergency Mode Operation Plan (R)

Deploying BlackBerry in a HIPAA Security Environment

The following pages in this section cover the standards and implementation specifications of the HIPAA Security Rule where the BlackBerry Enterprise Solution can help meet HIPAA security requirements. For each, we identify the standard and its related implementation specifications, quote the specific HIPAA Security Rule language, note whether the implementation specification is required (as is) or addressable by the organization, and give a brief real-life discussion of the requirement. With each specification we suggest BlackBerry IT policies or tools that can help an organization achieve an improved security posture. These guidelines are drawn from our experience with established industry standards, from real-life application and from regulatory guidance.

While many may view the BlackBerry Enterprise Solution as capable of assisting only with the technical safeguards established by the HIPAA Security Rule, the technology and tools can also assist with the administrative and physical safeguards, as outlined in the following pages. HIPAA security compliance is not achieved with a single piece of hardware, software, or process; all IT technologies and processes must work in unison to create a secure environment. Each security practice must be considered within an entity's own technology environment and only after a full risk assessment has been completed.

The following is not a complete list of the HIPAA Security Rule standards and implementation specifications. For a complete list, see the white paper "BlackBerry and The Health Insurance Portability and Accountability Act".

Technical Safeguards

In general, these are the processes used to protect data and to control access to ephi. They include authentication controls to verify sign-ons and transmission security (such as data encryption) to protect the integrity and confidentiality of data.

Standard: Access Control (R) 164.312(a)(1)
Implement policies and procedures for electronic information systems that maintain ephi to allow access only to those persons or software programs that have been granted access rights.

Implementation Specification: Unique User Identification (R)
Assign a unique name and/or number for identifying and tracking user identity.

BlackBerry Tools and Functionality
Each BlackBerry smartphone is identified by an 8-digit PIN that uniquely identifies the smartphone to the BlackBerry Enterprise Server. During activation, the user is associated with their unique e-mail address, and the administrator establishes a temporary activation password that is given to the user. Once administration is complete, the user activates the smartphone by entering their e-mail address and the temporary activation password on the device. This process ensures the unique identification of the end user; users cannot change the PIN of their smartphone. Organizational policies and procedures should also require written authorization and approval before a user's smartphone is activated. In environments where a Lightweight Directory Access Protocol (LDAP) directory is integrated with the user administration and messaging platform, selection of the user's e-mail address is further automated.

The BlackBerry Enterprise Service Policy can create allowed lists that control which BlackBerry smartphones may connect to the BlackBerry Enterprise Server, down to the individual device by PIN. Ranges of PINs can also be used to avoid listing devices individually. To preserve the centralized IT policies, users should not be authorized or enabled to override the Enterprise Service Policy.

Implementation Specification: Emergency Access Procedure (R)
Establish (and implement as needed) procedures for obtaining necessary ephi during an emergency.

BlackBerry Tools and Functionality
Emergency access procedures are needed when normal means of system access, particularly a desktop or laptop computer inside an office or healthcare facility, may not be available (for example, during floods, power failures or earthquakes). The BlackBerry Enterprise Solution, combined with mobile computing, enables users to stay connected to the applications and messaging infrastructure that provide the information they need to do their jobs. The BlackBerry Enterprise Server integrates with enterprise messaging and collaboration systems to give mobile users highly secure access to e-mail, calendar, voice, instant messaging, browser, enterprise applications and personal information management tools. In addition, the BlackBerry Enterprise Solution architecture provides for a high-availability infrastructure: the BlackBerry Enterprise Server high availability solution is based on a component-level architecture with a primary server and a standby server, either of which can run the mobile solution without the other.

Implementation Specification: Automatic Logoff (A)
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

BlackBerry Tools and Functionality
Automatic logoff protects assets that contain ephi from unauthorized access and ensures that an unattended smartphone cannot be used by someone who gains physical access to it. A security timeout interval can be set (in minutes) after which a BlackBerry smartphone locks and prompts for the password regardless of whether the smartphone was in use during that interval. Administrators can also specify the number of minutes of inactivity after which the security timeout occurs and the user must enter the password to unlock the smartphone. Best practice suggests setting this threshold between 15 and 30 minutes. Reference: see Password Management Close-up in the Appendix of this document.

Implementation Specification: Encryption and Decryption (A)
Implement a mechanism to encrypt and decrypt ephi.

BlackBerry Tools and Functionality
ephi stored on information systems is at risk of theft or breach through unauthorized channels or server misconfiguration. Encrypting stored ephi greatly lowers the risk of a breach of confidentiality should a security incident occur. The BlackBerry Enterprise Server is designed to encrypt all data stored on the BlackBerry smartphone and on the BlackBerry Enterprise Server with symmetric key cryptography using 256-bit AES. The BlackBerry Enterprise Server administrator enables protected storage of data on the smartphone and can set the strength of the cryptography the smartphone uses to protect content it receives: Strong (160-bit ECC), Stronger (283-bit ECC) or Strongest (571-bit ECC).

Standard: Audit Controls (R) 164.312(b)
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ephi.

BlackBerry Tools and Functionality
Audit measures are crucial for verifying that security controls are functioning properly. Through the BlackBerry Monitoring Service, the BlackBerry Enterprise Server and smartphones can be monitored through a variety of reports. Thresholds provide an effective and efficient way to monitor these devices and the infrastructure, and the Threshold Analysis Tool can analyze existing usage data to establish appropriate thresholds based on past activity and experience. On the BlackBerry Enterprise Server, for example, variables such as CPU usage, memory usage and high availability status can be monitored; on the BlackBerry smartphone, messaging statistics, smartphone diagnostics, battery level and network coverage can be monitored. These capabilities can alert administrators when activity approaches an unusual threshold.

Standard: Integrity (R) 164.312(c)(1)
Implement policies and procedures to protect ephi from improper alteration or destruction.

Implementation Specification: Mechanism to Authenticate ephi (A)
Implement electronic mechanisms to corroborate that ephi has not been altered or destroyed in an unauthorized manner.

BlackBerry Tools and Functionality
A mobile solution should authenticate traffic between devices and the server so that only authenticated data is accepted. With the BlackBerry Enterprise Server, all connections are authenticated and the data exchanged between the BlackBerry Enterprise Server and the BlackBerry smartphone is encrypted so that unauthorized third parties cannot compromise it. The BlackBerry Enterprise Solution uses symmetric key cryptography to help protect every e-mail message the BlackBerry smartphone sends and to help prevent third parties from decrypting or altering the message data. The BlackBerry Enterprise Server and the BlackBerry smartphone automatically reject a message that is not encrypted with keys they recognize as valid.

Standard: Person or Entity Authentication (R) 164.312(d)
Implement procedures to verify that a person or entity seeking access to ephi is the one claimed.

BlackBerry Tools and Functionality
Access to critical information assets containing ephi without unique user authentication can result in unauthorized, unaccountable and unattributable access, and in loss, damage or disclosure of protected health information. The BlackBerry Enterprise Solution can support up to three-factor authentication. Activation of the smartphone against a user account, together with a device password, provides one factor (something the user knows). Using a smart card with a BlackBerry smartphone requires users to prove their identity to the smartphone with two factors: something they have (the smart card) and something they know (the smart card password). A third factor, biometrics, is also available. Once authenticated, the person can be placed in the IT policy group for individuals who have access to ephi, and reports can then be run to show user activity.

Standard: Transmission Security (R) 164.312(e)(1)
Implement technical security measures to guard against unauthorized access to ephi that is being transmitted over an electronic communications network.

Implementation Specification: Integrity Controls (A)
Implement security measures to ensure that electronically transmitted ephi is not improperly modified without detection until disposed of.

BlackBerry Tools and Functionality
Integrity of ephi during transmission requires controls that protect the data from unauthorized access or modification while it is in transit. Integrity lets a recipient or system detect whether a message has been tampered with in transit, while authenticity lets the recipient identify the sender and trust that the sender actually sent the message. The BlackBerry Enterprise Solution's encryption mechanism provides integrity and authenticity because a decrypted and decompressed message must conform to a known message format before the BlackBerry smartphone accepts it. Since the encryption key is known only to the BlackBerry Enterprise Server and the BlackBerry smartphone, a message that does not conform after decryption is taken to have been altered in transit, and the smartphone automatically rejects it.

Implementation Specification: Encryption (A)
Implement a mechanism to encrypt ephi whenever deemed appropriate.

BlackBerry Tools and Functionality
Encryption is crucial to keeping messages confidential. Encryption scrambles data under a secret key so that only parties who know the key can recover the data. The BlackBerry Enterprise Server is designed to encrypt data in transit at all points between the BlackBerry smartphone and the BlackBerry Enterprise Server with symmetric key cryptography using 256-bit AES. By default, the BlackBerry Enterprise Server does not encrypt a message when it forwards it to a recipient outside the sender's BlackBerry Enterprise Server environment. Organizations can extend messaging security by installing additional secure messaging technology (S/MIME or PGP) on the BlackBerry smartphone. The Mobile Data Service (MDS) feature of the BlackBerry Enterprise Server acts as a secure gateway between the wireless network and corporate intranets and the Internet. Using AES, or optionally Triple DES, for the transport encryption, MDS also enables HTTPS connections to application servers.
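The Integrity and Transmission Security passages above both describe integrity as "the decrypted message conforms to a known format". As a general point about that class of check, and not a statement about any BlackBerry release: a format check catches modifications that break the structure (a damaged header, a wrong length) but cannot by itself catch a targeted change inside the body, which is why current designs pair encryption with a keyed message authentication code or use an authenticated-encryption mode. The following is an added example written for this page, not code from the white paper or from RIM; the HMAC-based keystream, the "BBMS" header, the keys and the sample prescription text are all invented for illustration, and only the Python standard library is used.

```python
"""Format-conformance check versus a keyed MAC on an encrypted message.

Added example (not code from the white paper or from RIM).  The stream
construction, the 'BBMS' header and the keys are invented for illustration;
they are not BlackBerry's wire format or cipher.  Standard library only.
"""
import hashlib
import hmac
import struct

MAGIC = b"BBMS"          # hypothetical 4-byte format marker
TAG_LEN = 32             # HMAC-SHA256 output length


def keystream(key, nbytes):
    """Toy keystream: HMAC-SHA256(key, counter) blocks, counter-mode style."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


def encode(body):
    """Known message format: MAGIC | 2-byte big-endian body length | body."""
    return MAGIC + struct.pack(">H", len(body)) + body


def encrypt(key, body):
    plaintext = encode(body)
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def decrypt(key, ciphertext):
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(key, len(ciphertext))))


def accept_format_only(key, ciphertext):
    """Receiver that accepts a message if, after decryption, it conforms to the
    known format.  Returns the body, or None when the message is rejected."""
    plaintext = decrypt(key, ciphertext)
    if len(plaintext) < 6 or plaintext[:4] != MAGIC:
        return None
    (length,) = struct.unpack(">H", plaintext[4:6])
    body = plaintext[6:]
    return body if len(body) == length else None


def seal(enc_key, mac_key, body):
    """Encrypt-then-MAC: the tag covers the whole ciphertext."""
    ciphertext = encrypt(enc_key, body)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def accept_with_mac(enc_key, mac_key, sealed):
    """Verify the tag in constant time before looking at the content at all."""
    ciphertext, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return accept_format_only(enc_key, ciphertext)


def flip_bits(data, index, mask):
    """Attacker model: modify one ciphertext byte in transit."""
    mutated = bytearray(data)
    mutated[index] ^= mask
    return bytes(mutated)


def demo():
    enc_key, mac_key = b"k" * 32, b"m" * 32      # fixed toy keys
    body = b"Rx: 10 mg"                           # constructed sample ephi
    ciphertext = encrypt(enc_key, body)
    sealed = seal(enc_key, mac_key, body)
    # Ciphertext byte 10 lines up with body[4], the digit '1' (0x31); XOR 0x08
    # turns it into '9' (0x39) without touching the header, so the format check
    # still passes and the dose reads 90 instead of 10.
    return {
        "genuine": accept_format_only(enc_key, ciphertext),
        "body_tamper_format_only": accept_format_only(enc_key, flip_bits(ciphertext, 10, 0x08)),
        "header_tamper_format_only": accept_format_only(enc_key, flip_bits(ciphertext, 0, 0x01)),
        "genuine_mac": accept_with_mac(enc_key, mac_key, sealed),
        "body_tamper_mac": accept_with_mac(enc_key, mac_key, flip_bits(sealed, 10, 0x08)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} -> {result!r}")
```

The header tamper is rejected by both receivers, which is the case the format check is good at. The body tamper is accepted by the format-only receiver with a changed dose and rejected by the MAC receiver, which is the case a practitioner should test for when evaluating any "conforms to a known format" integrity claim.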

Administrative Safeguards

In general, this section of the HIPAA Security Rule describes administrative procedures: formal practices governing the selection and implementation of security measures and the conduct of personnel.

Standard: Security Management Process (R) 164.308(a)(1)(i)
Implement policies and procedures to prevent, detect, contain, and correct security violations.

Implementation Specification: Risk Management (R)
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

BlackBerry Tools and Functionality
All relevant information technology and computing resources should be identified and diagrammed; complete and current documentation of all critical systems and their supporting infrastructure is essential to protecting those assets. The BlackBerry Administration Service (BAS) can provide a detailed hierarchy of all installed BlackBerry Enterprise Server components. Using the BlackBerry Enterprise Server Resource Kit, administrators can build reports to monitor and manage system-wide as well as individual performance and usage.

Implementation Specification: Information System Activity Review (R)
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

BlackBerry Tools and Functionality
The value of audit logs is only realized if they are analyzed and reported on regularly. Without routine analysis and reporting, unauthorized access may go undetected until it is too late to take appropriate incident response action. All system logs should be reviewed on a regular basis (for example weekly, or at least monthly). Auditing can be enabled on the BlackBerry Enterprise Server for PIN and SMS messages as well as BlackBerry Messenger conversations, e-mail and applications. Using the BlackBerry Enterprise Server Resource Kit, administrators can report on user activity, check usage patterns and produce statistics.
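The Audit Controls passage describes establishing thresholds from past activity, and the Information System Activity Review specification above requires that the resulting records actually be reviewed. The following added example (written for this page, not part of the white paper or of any RIM tool) shows one way to do both over per-user messaging counts: build a per-user, per-channel baseline from historical daily counts, then flag today's activity that exceeds mean plus three standard deviations. The log layout, user names and counts are constructed for the example; real BlackBerry Enterprise Server audit output has its own format and would need its own parser. A minimum gap above the mean is enforced so a channel with a perfectly flat history (standard deviation zero) is not flagged by a change of one message, and a channel with no history at all is reported separately rather than silently passed.

```python
"""Threshold-based review of per-user messaging activity.

Added example, not part of the white paper or any RIM tool.  The log format
below is constructed for illustration; real BlackBerry Enterprise Server audit
logs differ and must be parsed according to their own documented layout.
"""
import statistics
from collections import defaultdict, namedtuple

# Constructed sample data (not real BES output): one line per user, channel
# and day, with the number of messages sent.  Format: YYYY-MM-DD user channel count
HISTORY = """\
2010-03-01 drjones email 40
2010-03-02 drjones email 42
2010-03-03 drjones email 38
2010-03-04 drjones email 41
2010-03-05 drjones email 39
2010-03-01 drjones pin 3
2010-03-02 drjones pin 3
2010-03-03 drjones pin 3
2010-03-04 drjones pin 3
2010-03-05 drjones pin 3
2010-03-01 nurse_kim email 20
2010-03-02 nurse_kim email 22
2010-03-03 nurse_kim email 18
2010-03-04 nurse_kim email 21
2010-03-05 nurse_kim email 19
"""

TODAY = """\
2010-03-08 drjones email 180
2010-03-08 drjones pin 4
2010-03-08 nurse_kim email 22
2010-03-08 nurse_kim sms 15
"""

Record = namedtuple("Record", "day user channel count")
Finding = namedtuple("Finding", "user channel observed threshold reason")


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, channel, count = line.split()
        records.append(Record(day, user, channel, int(count)))
    return records


def build_baselines(history, min_days=5):
    """Per (user, channel): mean and sample standard deviation of daily counts.
    Pairs with fewer than min_days observations get no baseline."""
    series = defaultdict(list)
    for r in history:
        series[(r.user, r.channel)].append(r.count)
    baselines = {}
    for key, counts in series.items():
        if len(counts) >= min_days:
            baselines[key] = (statistics.mean(counts), statistics.stdev(counts))
    return baselines


def threshold(mean, stdev, k=3.0, min_delta=5):
    """mean + k*stdev, but never closer than min_delta above the mean, so a
    flat history (stdev 0) is not flagged by a change of a single message."""
    return max(mean + k * stdev, mean + min_delta)


def review(today, baselines, k=3.0, min_delta=5):
    """Compare today's counts with the baselines and return the findings."""
    findings = []
    for r in today:
        base = baselines.get((r.user, r.channel))
        if base is None:
            findings.append(Finding(r.user, r.channel, r.count, None,
                                    "no baseline: channel not seen in history"))
            continue
        limit = threshold(*base, k=k, min_delta=min_delta)
        if r.count > limit:
            findings.append(Finding(r.user, r.channel, r.count, round(limit, 1),
                                    "volume above baseline"))
    return findings


def review_sample():
    baselines = build_baselines(parse_log(HISTORY))
    return review(parse_log(TODAY), baselines)


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.user:10s} {f.channel:6s} observed={f.observed:4d} "
              f"threshold={f.threshold} {f.reason}")
```

On the sample data the review produces two findings: drjones sending 180 e-mails against a threshold of 45, and nurse_kim using SMS, a channel with no history, which matters in a HIPAA context because SMS is one of the message types the paper lists as a possible carrier of ephi. The flat PIN history (3 per day, today 4) is not flagged because of the minimum gap.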
Standard: Workforce Security (R), 164.308(a)(3)(i)
Implement policies and procedures to ensure that all members of its workforce have appropriate access to ephi and to prevent those workforce members who do not have access from obtaining access to ephi.

Implementation Specification: Workforce Clearance (A)
Implement procedures to determine that the access of a workforce member to ephi is appropriate.

BlackBerry Tools and Functionality
All aspects of security depend in some measure on the trustworthiness of the personnel involved. Those with direct access to critical assets should be carefully screened to reduce the threat of nefarious behavior. BlackBerry Enterprise Server allows administration accounts to be set up using an organization's Active Directory credentials for authentication purposes, therefore eliminating the need to establish generic user accounts. This ability, coupled with role-based administration features, allows an organization to specify the actions that administrators can perform. The Active Directory functionality, combined with an automated and robust process for adding, removing and identifying employees that should have access to ephi, can extend the overall security framework and eliminate manual administration of accounts.

Implementation Specification: Termination Procedures (A)
Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations that access to ephi is no longer appropriate.

BlackBerry Tools and Functionality
Immediate removal of access or clearance helps safeguard the integrity and proper use of ephi, even if the termination is voluntary. Immediate removal of access or clearance is critical when termination is involuntary or required for emergency purposes. The terminated workforce member may be disgruntled and may attempt to damage the organization's systems. BlackBerry provides two sets of tools to assist in automating the user management process. The User Administration Tool (part of the BlackBerry Resource Kit and the Administration API) can be called automatically from a scripting language, such as PHP or Perl, to automate user management tasks such as disabling redirection or account deletion. Additionally, the Administration API provides an interface for either .NET or Java programmers to write custom code to automate many tasks within the BlackBerry Administration Service, including user management. This could include an automatic remote wipe when circumstances require immediate removal of data.

Standard: Information Access Management (R), 164.308(a)(4)(i)
Implement policies and procedures for authorizing access to ephi that are consistent with the entity's determinations under the HIPAA Privacy Rule (i.e., who may access which type(s) of ephi for what purposes).

Implementation Specification: Access Authorization (A)
Implement policies and procedures for granting access to ephi, for example, through access to a workstation, transaction, program, process, or other mechanism.

BlackBerry Tools and Functionality
Restricted access helps safeguard the integrity and the proper use of ephi. Authorization procedures validate the minimum necessary information that staff members require to perform their job functions and support HIPAA minimum necessary requirements. BlackBerry Enterprise Server can control whether users or applications can initiate external connections (for example, to WAP, SMS, MMS or other public gateways) on the BlackBerry smartphone.

Implementation Specification: Access Establishment and Modification (A)
Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

BlackBerry Tools and Functionality
Restricted access helps safeguard the integrity and the proper use of ephi. Access procedures implement the authorization decisions made and ensure that all system users access the minimum necessary ephi on a need-to-know basis. BlackBerry provides two sets of tools to assist in automating the user management process. The User Administration Tool (part of the BlackBerry Resource Kit and the Administration API) can be called automatically from a scripting language, such as PHP or Perl, to automate user management tasks such as disabling redirection or account deletion. Additionally, the Administration API provides an interface for either .NET or Java programmers to write custom code to automate many tasks within the BlackBerry Administration Service, including user management.

Standard: Security Awareness and Training (R), 164.308(a)(5)(i)
Implement a security awareness and training program for all members of the workforce, highlighting protection from malicious software, log-in monitoring and password management.

Implementation Specification: Protection from Malicious Code (A)
Implement procedures for guarding against, detecting, and reporting malicious software.

BlackBerry Tools and Functionality
Virus control measures are critical for detecting viruses, worms, and malicious unauthorized software that may be introduced to critical servers through legitimate communications channels. The BlackBerry Enterprise Solution focuses on containing malicious programs. The BlackBerry Enterprise Server comes with over 25 Application Control IT policies that allow the administrator to limit the resources and user data available to a given application. For example, restrictions can be imposed on internal or external domains, the smartphone, Bluetooth, USB and user data such as e-mail and personal information management (PIM). Sensitive areas of the BlackBerry smartphone, such as the cryptographic, phone and PIM device options, are protected by RIM-signed code and can only be accessed by code that has been signed through the RIM code signing process. Additionally, lists can be maintained on the BlackBerry Enterprise Server to control which applications are or are not allowed to be installed on the BlackBerry smartphone.

Implementation Specification: Log-in Monitoring (A)
Implement procedures for monitoring log-in attempts and reporting discrepancies.

BlackBerry Tools and Functionality
Awareness of system misuse is important to ensuring the confidentiality, integrity, and availability of an organization's information and systems. In addition to the ability to monitor log-in activities, an administrator (if requested) can review reports that show what the user has been doing on their smartphone. Administrators can review this information through the BlackBerry Enterprise Server logs. BlackBerry Enterprise Server logs should be secured and only available to individuals who have been properly trained and educated on the use of ephi.

Implementation Specification: Password Management (A)
Implement procedures for creating, changing, and safeguarding passwords.

BlackBerry Tools and Functionality
Passwords remain the most convenient and cost-effective method of controlling access and maintaining accountability for information systems. Awareness of good password practices is important to ensuring the confidentiality, integrity and availability of information. The lack of a documented and widely disseminated policy for strong passwords can lead to potential exposure of critical assets. A password policy is the first step toward a sound password program. A password's strength is directly related to its construction. Adequate guidelines for password construction ensure that each workforce member can create sufficiently strong passwords. Passwords should be changed regularly to mitigate the potential losses that may result from stolen or broken passwords. Reference: see the Password Management Close-up in Appendix I of this document.

Standard: Contingency Plan (R), 164.308(a)(7)(i)
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ephi.

Implementation Specification: Emergency Mode Operation Plan (R)
Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of ephi while operating in emergency mode.

BlackBerry Tools and Functionality
Procedures need to describe which operations are basic and critical to ensure the security of ephi. For example, the only operations necessary in emergency mode for one organization might be to keep the networks running or to make sure that encryption does not fail. For another organization, the only basic operation might be to collect all backup tapes and abandon the premises. BlackBerry high availability supports database mirroring, which provides fault tolerance. In addition, high availability is configurable in a distributed environment. Automated methods are available to calculate the health scores of the BlackBerry Enterprise Server and automatically fail over to standby instances.

Physical Safeguards

This category focuses on the mechanisms required to protect physical computer systems, equipment and the buildings in which ephi is stored from threats such as fires, natural disasters, environmental hazards, and unauthorized intrusion. Also covered are physical access controls such as locks and sign-in procedures.

Standard: Device and Media Controls (R), 164.310(d)(1)
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ephi into and out of a facility, and the movement of these items within the facility.

Implementation Specification: Disposal (R)
Implement policies and procedures to address the final disposition of ephi, and/or the hardware or electronic media on which it is stored.

BlackBerry Tools and Functionality
It is important to establish and follow proper sanitization procedures to avoid unauthorized disclosure of ephi. Organizations can erase and disable the smartphone, making the smartphone unavailable for use. By default, the BlackBerry smartphone continually runs a standard Java garbage collection process to reclaim smartphone memory that is no longer referenced. Secure garbage collection is another means to permanently remove any data that is no longer referenced. Secure garbage collection is automatically turned on when content protection is enabled or the S/MIME or PGP Support Packages are installed.

Implementation Specification: Media Re-Use (R)
Implement procedures for removal of ephi from electronic media before the media are made available for reuse.

BlackBerry Tools and Functionality
It is important to develop procedures for how the organization will re-use smartphones and any type of media containing ephi so that PHI is not accessed improperly. Organizations can erase and disable the smartphone, preparing it for the next user. Additionally, an administrator can remotely erase and disable the smartphone, making the smartphone unavailable for use.

Implementation Specification: Accountability (A)
Maintain a record of the movement of hardware and electronic media and any person responsible therefore.

BlackBerry Tools and Functionality
It is important to maintain a record of the actions of a person relative to the receipt and removal of hardware and/or software into and out of a facility that are traceable to that person. An inventory of all smartphones and their users is available through reporting tools.

Standard: Workstation Use (R), 164.310(b)
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstations that can access ephi.

BlackBerry Tools and Functionality
All workstations/devices storing or transmitting ephi should be inventoried as to what type of ephi they can process and in which manner. An inventory of all smartphones and their users is available through reporting tools.

Additional Valuable Security Management Features

While not directly related to a HIPAA Security Rule specification, BlackBerry also has other significant security features that help to manage information and data flow. Refer to Appendix II for more information on messaging types, including BlackBerry Messenger, SMS, MMS and PIN.

Activity: Lost or stolen BlackBerry smartphone
BlackBerry Security Management Feature: Users (through Web Desktop Manager) or administrators can remotely erase and disable the smartphone, making the smartphone unavailable for use. You can also set the owner information on the smartphone so that if it is found, the person who finds it can contact the owner (via a displayed e-mail address or phone number).

Activity: Misplaced BlackBerry smartphone
BlackBerry Security Management Feature: Remotely set a password and lock the smartphone.

Activity: Forgotten BlackBerry password
BlackBerry Security Management Feature: Remotely set a password and lock the smartphone.

Activity: Duress notification
BlackBerry Security Management Feature: This rule specifies the e-mail address that is notified when users type their BlackBerry device passwords under duress. Users can indicate that they are unlocking their devices against their will by moving the first character of the password to the end. For example, if a BlackBerry device password is rosebud, the duress password is osebudr.

Activity: SMS management
BlackBerry Security Management Feature: Text messaging is not encrypted. Turning off SMS will keep users from transmitting text messages.

Activity: MMS management
BlackBerry Security Management Feature: MMS messaging is not encrypted. Turning off MMS will keep users from transmitting MMS messages.

Activity: PIN messaging management
BlackBerry Security Management Feature: PIN messages are encrypted using Triple DES; however, they are considered scrambled rather than encrypted because every BlackBerry smartphone stores the same global peer-to-peer encryption key. Additionally, PIN messages bypass an organization's BlackBerry Enterprise Server and network. If someone other than the intended recipient receives a PIN message on their BlackBerry smartphone, they would be able to decipher and read that PIN message. Individual organizations can create a unique organization PIN peer-to-peer encryption key. If they do, PIN message communications are restricted to viewing by only that organization. For stronger security, each organization that chooses to use PIN communications should set its own unique organization encryption key, and if the key is compromised it should be updated and resent to users. When the BlackBerry Enterprise Server administrator turns off PIN messaging, BlackBerry device users cannot send PIN messages from their BlackBerry devices; however, they can still receive PIN messages on their BlackBerry devices. BlackBerry Messenger is an instant messenger program for BlackBerry to BlackBerry communications that utilizes PIN messaging.

Activity: Disable forwarding services
BlackBerry Security Management Feature: Prevents a BlackBerry device user from forwarding or replying to a message using a different BlackBerry Enterprise Server from the one that delivered the original message. This IT policy rule also prevents using an e-mail account to forward or reply to a PIN message, or replying to an e-mail message with a PIN message.

Activity: PIN message security enforcement
BlackBerry Security Management Feature: Prevents a BlackBerry device user from sending plain text PIN messages when using a secure messaging package, such as the S/MIME Support Package for BlackBerry devices or the PGP Support Package for BlackBerry devices.

Activity: Discoverable Bluetooth
BlackBerry Security Management Feature: With Discoverable mode turned off, users can still connect to headsets, car kits, etc., while others will not be able to connect to the smartphone.

Section 2: Background on HIPAA Administrative Simplification Provisions

What is HIPAA?

The administrative simplification section of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted for two key reasons:
1. To protect the confidentiality and security of individual patient health data by setting and enforcing standards; and
2. To improve the efficiency of healthcare delivery through the standardization of electronic data interchange.

US Data Breaches
- Between January 2005 and April 2010, over 350,000,000 records containing sensitive personal information have been reported compromised (Source: www.privacyrights.org).
- Over 75% of states have passed laws that require that individuals be notified of security breaches.
- HIPAA is a federal mandate that requires organizations to report and notify if a breach of unsecured Protected Health Information occurs.

HIPAA required HHS to issue various sets of regulations, including the Privacy Rule and the Security Rule. The Privacy Rule governs the use and disclosure of protected health information (PHI) in any form (electronic, oral, and/or paper), while the Security Rule is concerned with ensuring the confidentiality, integrity, and availability of PHI in electronic format (ephi). The Security Rule contains the technical safeguards applicable to the security of data stored and exchanged through mobile wireless smartphones such as BlackBerry.

PHI consists of all individually identifiable health information created or received by a covered entity. This refers to information (including demographic information) that either identifies an individual or provides a reasonable basis by which the information can be used to identify an individual. HIPAA lists 18 different types of identifiers (including obvious identifiers such as name and social security number and less sensitive identifiers such as a person's 5-digit zip code), any one of which is sufficient to render health information identifiable.

Health information is information that relates to an individual's physical or mental health (such as a medical record containing symptoms or a diagnosis), the provision of health care to an individual (such as a treatment record), or payment for health care (such as an insurance claim).

The key distinctions between the Privacy Rule and Security Rule are:
1. Electronic vs. paper and oral: the Privacy Rule applies to all forms of PHI (electronic, written, and oral). The Security Rule applies only to ephi, encompassing ephi that is created, received, maintained or transmitted by a covered entity or its business associates.
2. The Privacy Rule safeguards requirement generally requires covered entities to implement appropriate safeguards for PHI. In contrast, the Security Rule provides specific security requirements at a more granular level of detail than that provided for by the Privacy Rule.
3. The Privacy Rule requires (among other things) that healthcare organizations determine who within an organization may access and use PHI and what type(s) of PHI they may access and use for certain purposes. The Security Rule establishes the specific types of safeguards that the organization must implement to enforce those roles within the organization. For example, if only certain workforce members are permitted to access medical data within a healthcare organization's database, appropriate access controls must be in place to ensure that only those designated workforce members access medical data.

HITECH Act Goals
- Promote meaningful use of electronic health records by providers
- Improve health care quality, reduce medical errors, reduce health disparities and advance the delivery of patient-centered health care
- Reduce health care costs due to inefficiency, errors and inappropriate care
- Protect privacy and security

The Health Information Technology for Economic and Clinical Health Act (HITECH) was included as part of the economic stimulus law (the American Recovery and Reinvestment Act) enacted in early 2009 (Public Law No. 111-5, signed into law on February 17, 2009). While HITECH did not change the HIPAA Security Rule's required safeguards, the law includes certain provisions that give covered entities new incentives and their business associates new requirements to keep ephi secure. Effective February 17, 2010 (the one-year anniversary of HITECH's enactment), HIPAA business associates are required to comply with the key requirements of the HIPAA Security Rule in the same manner as covered entities. In the HIPAA framework, business associates are persons or entities that provide services on behalf of a HIPAA covered entity when the performance of those services requires access to PHI. Examples include medical transcription companies, third party administrators (TPAs) that administer health benefits for self-insured group health plans, pharmacy benefit managers (PBMs) that administer pharmacy benefits for health plans (including group health plans), health benefits administration system vendors, attorneys, health actuaries and health benefit consultants.

For covered entities, the most significant provision in HITECH is the breach notification requirement that took effect on September 23, 2009. For the first time, covered entities are required by federal law to provide notice to affected individuals when there is a breach involving their unsecured PHI. Notice must be provided without unreasonable delay, and in no case later than 60 days after the breach is discovered. Notice must also be provided to HHS (with the timing determined by the number of individuals whose PHI was involved in the breach) and, in some cases, to prominent media outlets. HITECH requires business associates that discover a breach to notify the affected covered entity and provide the covered entity with the information necessary to provide the required notices.

Guidance issued by HHS specified the only two acceptable methods for rendering PHI secure for purposes of avoiding breach notification: encryption (applicable to ephi at rest or in motion) and destruction (applicable to documents containing PHI and to ephi stored on electronic media). Although this guidance does not require covered entities or business associates to use encryption to secure ephi, it provides a safe harbor from the breach notification requirement. In essence, if the ephi is encrypted and the decryption key remains separate and secure, there has been no breach and the notice requirement is not triggered. While encryption would provide the most reliable path to avoid breach notification, rendering ephi more secure through the adoption of other security safeguards would also minimize the risk of a breach and the need to comply with the notification requirement.

Who Must Comply?

Initially, three general categories of entities were required to comply with HIPAA's privacy and security requirements. These are described below. That changed when Congress enacted HITECH, effectively expanding the reach of the HIPAA requirements.

In general, the following are considered to be covered entities under HIPAA:
1. Covered Health Care Providers: Any provider of medical or health services (as defined by Medicare) and any other person or organization who furnishes, bills or is paid for health care in the normal course of business if that provider or person transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard. Generally, health-care providers that do not accept insurance or use regular U.S. mail to process insurance claims and perform other administrative functions do not have to comply.
2. Health Plans: Any individual or group plan providing or paying for the cost of medical care. This is broadly defined to include health insurance issuers, HMOs, group health plans, issuers of long-term care policies (with certain exceptions) and Medigap policies, and many federal and state programs (e.g., Medicare including Prescription Drug Plans under Medicare Part D, Medicaid, and state high risk pools).
3. Health Care Clearinghouses: Public or private entities (including a billing service or repricing company) that process another entity's health care transactions from a standard format to a non-standard format, or vice-versa.

HIPAA Compliance Deadlines

The Privacy Rule became effective on April 14, 2001, with compliance required by covered entities as of April 14, 2003 (except for small health plans, which had until April 14, 2004). The Security Rule, effective on April 21, 2003, required compliance by April 21, 2005 (except for small health plans, which had until April 21, 2006). HITECH's requirements have various effective dates. The breach notification requirement took effect September 23, 2009, for breaches occurring on or after that date. Many of HITECH's provisions took effect one year after enactment (e.g., the requirement that business associates comply with the Security Rule's key requirements), while others take effect in mid-2010 or beyond.

What are the Penalties for Non-compliance?

The original HIPAA statute called for fairly severe civil and criminal penalties for non-compliance, but the civil penalties increased significantly under HITECH. HITECH also ushered in a number of other changes in the way HIPAA privacy and security requirements will be enforced.

Original Statute: Penalties included civil fines of up to $25K for multiple violations of the same standard in a calendar year and criminal penalties of up to $250K and/or imprisonment up to 10 years for particularly egregious disclosures of individually identifiable health information. The Office for Civil Rights (OCR) within HHS oversees and enforces the Privacy Rule, while until mid-2009 CMS within HHS oversaw and enforced the Security Rule. The enforcement regime changed on July 27, 2009, when the Secretary of HHS delegated enforcement of the Security Rule to OCR, thus combining privacy and security enforcement efforts under one roof.

HITECH Act Penalties Summary
- Introduced significant changes to HIPAA enforcement and penalties
- New penalties can reach $1.5 million per year per standard
- Penalties will be mandatory in situations involving willful neglect, and a formal investigation is required (beginning 2/17/2011)
- Explicit authority for state Attorneys General to enforce HIPAA rules
- Criminal penalties against employees of covered entities
- Expectation of more aggressive enforcement by the administration

HITECH: This law included a number of significant changes to HIPAA enforcement. Most significant is the increase in civil monetary penalties, with new minimums and maximums based on the nature of the conduct. For situations where the entity did not know its conduct violated HIPAA (and would not have known even with due diligence), the penalty for one violation ranges from $100 to $50K, with an annual maximum of $1.5 million for all violations of the same requirement. For violations caused by willful neglect (that are not corrected on a timely basis), the minimum penalty for each violation is $50K, with an annual maximum of $1.5 million for all violations of the same requirement. This new penalty structure applies to violations by covered entities on or after February 18, 2009. Beginning February 17, 2010, these new civil penalties apply to violations by HIPAA business associates, and business associates and others (e.g., the workforce of covered entities) become subject to criminal prosecutions under HIPAA.

Another change that took effect when HITECH was enacted is the new authority given to state Attorneys General to enforce HIPAA's privacy and security requirements. Until HITECH, only the federal government had authority to enforce these requirements. Under HITECH, if a state Attorney General has reason to believe that any of the state's residents has been threatened or adversely affected by a HIPAA violation occurring after February 17, 2009, the Attorney General may sue the suspected violator to stop the violation and obtain damages on the resident's behalf. Other HITECH changes include a requirement effective February 17, 2010, that HHS conduct periodic compliance audits of covered entities and business associates, and a requirement effective February 17, 2011, that HHS impose civil monetary penalties when a violation is due to willful neglect.

Appendix I: Password Management Close-up

Best practice suggestions are guidelines to establishing your environment. Each organization's risk tolerance is different and should be taken into account before setting these guidelines and thresholds.

Password Feature: Whether required
Password Management Best Practice: Defines whether a user must use a password to access their smartphone. Best practices suggest enabling this feature and not allowing user override.

Password Feature: Minimum length
Password Management Best Practice: Defines the minimum length of the password. Length must be at least 4 characters. Best practices suggest setting this threshold between 4 and 8 characters (12 characters if using BlackBerry's Content Protection).

Password Feature: Maximum length
Password Management Best Practice: Defines the maximum length of the password. The upper restriction is 32 characters. Best practices suggest setting this threshold to the maximum. Combined with the minimum length setting, this will allow users to create as robust a password as they like.

Password Feature: Construction/Pattern
Password Management Best Practice: Defines whether the password must follow a certain construction, for example, requiring a combination of alpha, numeric, case or special characters. Best practices suggest setting this to at least two types of patterns.

Password Feature: Expiration
Password Management Best Practice: Defines the number of days before a new password must be set on a smartphone. Best practices suggest setting this threshold between 60 and 90 days.

Password Feature: Maximum attempts
Password Management Best Practice: This rule specifies the number of password attempts that a user can make before a BlackBerry smartphone erases all of the application data. Best practices suggest setting this threshold between 6 and 10 attempts.

Password Feature: Reuse/history count
Password Management Best Practice: This rule specifies the maximum number of previous passwords that a BlackBerry smartphone checks new passwords against to prevent a user from reusing previous passwords. Best practices suggest setting this threshold between 6 and 10 passwords.

Password Feature: Challenge time
Password Management Best Practice: This rule specifies the security timeout interval (in minutes) after which a BlackBerry smartphone locks and prompts a user to type a password regardless of whether the BlackBerry smartphone was active during that interval. This rule is used to shorten or lengthen the Enable Long-Term Timeout IT policy rule, which is set to 60 minutes. Best practices suggest setting this threshold between 45 and 60 minutes.

Password Feature: Timeout Inactivity
Password Management Best Practice: This rule specifies the number of minutes of inactivity before the security timeout occurs and a BlackBerry smartphone user must type the password to unlock the BlackBerry smartphone. Best practices suggest setting this threshold between 15 and 30 minutes and not allowing the user the ability to override this option.

Password Feature: Suppress Echo
Password Management Best Practice: After a given number of incorrect password attempts, the characters that a user types in the Password dialog box appear on the screen. Best practices suggest setting this threshold to two attempts fewer than the maximum number of allowable password attempts.

Password Feature: Forbidden passwords
Password Management Best Practice: This rule specifies any passwords that a BlackBerry smartphone user cannot use. By default, a BlackBerry smartphone prevents users from configuring passwords that use a natural sequence of characters or numbers. Best practices suggest establishing a list of commonly used passwords and restricting their usage (e.g., password, admin, test, letmein).
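The Appendix I thresholds and the duress-password rule from the security management features table are the kind of controls an auditor re-implements to check a policy export or to train helpdesk staff. The following Python is an added example, not BlackBerry or RIM code: it models those rules with the document's suggested values as defaults, and the natural-sequence check, the `UnlockState` type and the `attempt_unlock` function are assumptions of the example rather than documented BlackBerry behaviour.

```python
"""Password-policy evaluator modelled on the Appendix I controls and the
duress-password convention from the security management features table.
Added example, not BlackBerry code: the default thresholds are the
'best practice' values quoted in this document, and the natural-sequence
rule is an interpretation (runs of consecutive or repeated characters)."""
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    min_length: int = 8          # document suggests 4-8 (12 with Content Protection)
    max_length: int = 32         # upper restriction stated in the document
    min_pattern_types: int = 2   # Construction/Pattern: at least two character types
    max_attempts: int = 10       # Maximum attempts before the smartphone wipes (6-10)
    history_count: int = 10      # Reuse/history count: previous passwords checked (6-10)
    forbidden: frozenset = frozenset({"password", "admin", "test", "letmein"})


def pattern_types(pw: str) -> int:
    """Count the character classes present: lower, upper, digit, special."""
    lower = any(c in string.ascii_lowercase for c in pw)
    upper = any(c in string.ascii_uppercase for c in pw)
    digit = any(c in string.digits for c in pw)
    special = any(c not in string.ascii_letters + string.digits for c in pw)
    return sum((lower, upper, digit, special))


def is_natural_sequence(pw: str) -> bool:
    """Assumed meaning of 'natural sequence': every step between adjacent
    characters is the same +1, -1 or 0 (e.g. '1234', 'dcba', 'aaaa')."""
    if len(pw) < 2 or not (pw.isdigit() or pw.isalpha()):
        return False
    codes = [ord(c) for c in pw.lower()]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps in ({1}, {-1}, {0})


def evaluate_password(candidate: str, policy: PasswordPolicy, history=()) -> list:
    """Return the names of the violated rules; an empty list means acceptable.
    `history` holds previous passwords, most recent first."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    if len(candidate) > policy.max_length:
        problems.append("too long")
    if pattern_types(candidate) < policy.min_pattern_types:
        problems.append("too few character types")
    if candidate.lower() in policy.forbidden:
        problems.append("forbidden password")
    if is_natural_sequence(candidate):
        problems.append("natural sequence")
    if candidate in list(history)[:policy.history_count]:
        problems.append("reused")
    return problems


def duress_form(password: str) -> str:
    """Duress variant: the first character moved to the end ('rosebud' -> 'osebudr')."""
    return password[1:] + password[0]


@dataclass
class UnlockState:
    """Per-device unlock state (an assumption of this example)."""
    password: str
    failed_attempts: int = 0


def attempt_unlock(state: UnlockState, typed: str, policy: PasswordPolicy) -> str:
    """Simulate one unlock attempt: 'unlocked', 'duress' (the device unlocks,
    but this is the signal for the duress notification e-mail), 'denied' or 'wiped'."""
    if typed == state.password:
        state.failed_attempts = 0
        return "unlocked"
    if typed == duress_form(state.password):
        state.failed_attempts = 0
        return "duress"
    state.failed_attempts += 1
    if state.failed_attempts >= policy.max_attempts:
        return "wiped"   # application data erased after max_attempts failures
    return "denied"


def echo_enabled(state: UnlockState, policy: PasswordPolicy) -> bool:
    """Suppress Echo: typed characters become visible once the failed-attempt
    count reaches two fewer than the maximum allowed attempts."""
    return state.failed_attempts >= policy.max_attempts - 2


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(evaluate_password("12345678", policy))     # two violations
    state = UnlockState("rosebud")
    print(attempt_unlock(state, "osebudr", policy))  # duress
```

Running the module prints the violations for a purely numeric sequence and shows the duress unlock being recognised; the evaluator is where a policy export would be checked against the thresholds above.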

Appendix II: Communication Types

Messaging

Personal Identification Number (PIN): A form of instant text messaging between two BlackBerry smartphones that does not require any additional software. The sender must know the recipient's PIN in order to use PIN messaging. These messages are not charged by the wireless carriers in the same way as SMS messages; instead, they are accounted for as data in your data plan. The transport of these messages relies entirely on the carrier's wireless data network and bypasses the BlackBerry Enterprise Server and your organization's e-mail platforms. These messages are not recorded by the BlackBerry Enterprise Server; however, through wireless back-ups, most messages can be logged unless they are deleted before the back-up occurs. PIN messages are not encrypted; however, they can be scrambled through the use of a BlackBerry algorithm. BlackBerry administrators have the ability to enable or disable PIN messaging as well as restrict the messages to inside or outside your organization.

BlackBerry Messenger (BBM): An instant messaging application that uses the BlackBerry PIN messaging transport. It allows users to carry on several conversations at the same time and supports group chat. Along with text, files can also be transmitted to others using BBM. As with PIN messaging, only BlackBerry smartphone users can use BBM, and the BBM application must be installed on each smartphone in order to use this type of messaging. Since BBM uses the BlackBerry infrastructure, all messages are logged and can also be scrambled (not encrypted). BlackBerry administrators have the ability to enable or disable BBM as well as restrict the messages to inside or outside your organization.

Short Message Service (SMS): Industry-standard communications protocol for text messages of up to 160 characters in length. SMS messages travel the carrier's wireless networks and are accounted for in the BlackBerry Enterprise Server. If logging is enabled, the logs of all SMS text messages are stored in an unencrypted format. Consideration should be given to ensuring that the log file is in a location that restricts internal and external user access. BlackBerry administrators have the ability to enable or disable outbound SMS messaging. In addition, administrators can block incoming SMS messages. SMS messages are not encrypted during transmission.

BlackBerry and HIPAA 30

Multimedia Messaging Service (MMS): Industry-standard communications protocol for sending messages with multimedia content (e.g., pictures, videos, audio). MMS messages follow the same guidelines and set-up options as SMS.

Electronic Mail (e-mail): An application for exchanging digital messages across the Internet or other computer networks. BlackBerry smartphones, BlackBerry Internet Service and BlackBerry Enterprise Server all support many different models of e-mail communication as well as different security models.

Data Applications: BlackBerry provides development tools for developers to build and deploy applications for an organization. BlackBerry smartphones support BlackBerry Browser Applications, BlackBerry Java Applications and BlackBerry MDS Runtime Applications.

Resources

Complete HIPAA information is located at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/index.html

HHS guidance on the Security Rule is located at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html

HHS Security Rule guidance on remote access is located at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf

HHS guidance on the HITECH breach notification requirement is located at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

BlackBerry Policy Reference Guide: http://docs.blackberry.com/en/admin/deliverables/16679/blackberry_enterprise_server-policy_reference_guide-t323212-1063796-0616124539-001-5.0.2-US.pdf

BlackBerry Feature and Technical Overview: http://docs.blackberry.com/en/admin/deliverables/16574/blackberry_enterprise_server_for_microsoft_exchange-Feature_and_Technical_Overview-T305802-1108946-0615123042-001-5.0.2-US.pdf

BlackBerry Security Technical Overview: http://docs.blackberry.com/en/admin/deliverables/12035/security_technical_overview.pdf

End Notes

RIM and BlackBerry solutions offer several different deployment models on multiple platforms. Not all features and functionality are the same across these models and platforms.

The RIM and BlackBerry families of related marks, images and symbols are the exclusive properties and trademarks of Research In Motion Limited, used by permission. BlackBerry and Always On, Always Connected are registered with the U.S. Patent and Trademark Office and may be pending or registered in other countries.

The Segal Company cannot represent any electronic device or organization as being HIPAA compliant. Devices are only a single part of an organization's overall security posture.

This guide was developed considering BlackBerry Enterprise Server, running behind a corporate firewall, using Microsoft Exchange as the basis for discussion. BlackBerry security features and options vary with different platforms, services and software.