HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations
Presentation Agenda Security Introduction Security Component Requirements and Impacts Administrative Procedures Physical Safeguards Technical Security Services Technical Security Mechanisms Summary
Presentation Objectives At the end of this presentation, you should: Understand the background for the security regulations Understand the specific HIPAA security components Understand the business and technology impacts of the HIPAA security components Begin to understand the gaps between the current environment and the HIPAA security requirements
Security Introduction Definition Organizational Threats Principles Key Points of Security Rule Structure Categories
Definition The purpose of security is to protect both the system and the information it contains from unauthorized access from without and misuse from within. draft Security Rule Security also protects information from alteration, destruction or loss Security should reasonably ensure the confidentiality, integrity and availability of health care information
Organizational Threats Internal External Type of Threat Description Examples Intentional Accidental Abuse of privileges Malicious intent or personal gain Targeted No intent; usually carelessness, low awareness or lack of training Authorized access for unauthorized purpose with no malicious intent or personal gain Authorized access for unauthorized purpose with malicious intent or for personal gain Unauthorized access by accessible means Employee leaves application logged on to patient record and walks away Employee leaves patient charts in open area in clear view of patients Employee discards confidential information in regular trash receptacle where others can access Employee accesses colleague s medical record with concern about his recent hospitalization Supervisor accesses employee s medical record to determine mental health status so that she can potentially be fired Terminated employee whose password was never deleted from the system uses access privileges to uncover confidential information about former boss Employee imposter steals PC database containing HIV patients Random Unauthorized access by pure technical means Hacker breaks into network and accesses confidential information
Principles Healthcare security is about risk mitigation Operational risk Financial risk Regulatory risk Fraud risk The standard does not address the extent to which a particular entity should implement the specific features. Instead, we would require that each affected entity assess its own security needs and risks and devise, implement, and maintain appropriate security to address its business requirements. draft Security Rule
Key Points of Security Rule: Source Security requirements were taken from the National Research Council s report For the Record: Protecting Electronic Health Information This report presents findings and recommendations related to health data security, and concludes that appropriate security practices are highly dependent on individual circumstances It is therefore not possible to prescribe in detail specific practices for all organizations; rather, each organization must analyze its systems, vulnerabilities, risks and resources to determine optimal security measures. Nevertheless, the committee believes that a set of practices can be articulated in a sufficiently general way that they can be adopted by all health care organizations in one form or another.
Key Points of Security Rule: Standards Organizations must therefore establish a reasonable defensible position for security compliance Develop specifications for security requirements Determine what technologies to implement to meet those specifications Balance usability and cost with risk We can set the community standard for these practices in the Pacific Northwest
Key Points of Security Rule: Standards (cont.) The standards are not only scalable, but technology neutral as well Covered entities must establish and maintain reasonable and appropriate safeguards Healthcare organizations must ensure the protection of all electronic PHI Final rule may also cover PHI in paper format to align with final HIPAA Privacy rule Policies and procedures must be developed to implement both the Privacy and Security Rules
Key Points of Security Rule: More Standards Business processes related to security functions within the organization must be formally documented, implemented, and enforced throughout the organization Proposed standards for Electronic Signatures currently coupled with the Security Standards will be removed and published separately The final Security Rule will be harmonized with the final Privacy Rule
Structure The current HIPAA Security standards are organized into five categories: 1. Administrative Procedures 2. Physical Safeguards 3. Technical Security Services (applications) 4. Technical Security Mechanisms (networks) 5. Electronic Signatures * * For the purposes of this discussion only the first four categories will be addressed
Administrative Procedures Administrative Procedures: formal policies and procedures to address operating procedures, management controls, personnel requirements, audit mechanisms and disciplinary procedures Security management/maintenance Security training Internal system certification Procedures upon employee hire, transfer, or termination System security audits Chain of trust partner agreements Contingency plan Information access control Security incident procedures
Physical Safeguards Physical Safeguards: formal policies and procedures to protect health information from threats of fire, disaster, and unauthorized access Security responsibility and accountability Media control Physical access to data Workstation use and location Security awareness training
Technical Security Services Technical Security Services: measures to control and monitor information access Employee access controls, such as passwords System audits Intrusion and detection alarms Automatic logoffs Telephone callback procedures Message authentication Integrity contols Data authentication
Technical Security Mechanisms Technical Security Mechanisms: mechanisms to guard against unauthorized access to data that is transmitted over a communication network Employee access controls Entity authentication Message authentication Integrity contols Encryption Alarms Audit trail Event reporting
Security Requirements and Impacts Administrative Procedures Physical Safeguards Technical Security Services Technical Security Mechanisms
Administrative Procedures Rules Impacts
Administrative Procedures Rules Certification: technical evaluation certifying that systems and network meet pre-defined criteria Example: Annual certification audit Chain-of-Trust Partner Agreement: Contract to secure integrity of data transmission with any third parties Example: Claims processing Contingency Plan: Includes application and data criticality analysis, data backup plan, disaster recovery plan, emergency mode operation plan, and testing and revision procedures Example: Business continuity plans Formal Record Processing Mechanisms: Policies and procedures for receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information Example: PC hard drive disposal
Administrative Procedures Rules (cont.) Information Access Controls: Policies and procedures for granting different levels of access to health care information Example: Application profile documentation Internal Audit: Ongoing in-house review of the records of system activity (log-ins, file accesses and security incidents) Example: Proactive, defensible review of PHI activity Personnel Security: Granting of access to health information via an authorization process Example: Card key access systems to file rooms, background checks maintenance of security personnel Security Configuration Management: Procedures to ensure that routine changes to system hardware and/or software do not create security weaknesses Example: Routine pre- and post-implementation procedures
Administrative Procedures Rules (cont.) Security Incident Procedures: Documented instructions for reporting and reviewing security breaches Example: Reporting pathways (anonymous if necessary) Security Management Process: Processes to ensure the prevention, detection, containment and correction of security breaches. Includes risk analysis, risk management, sanction policy and security policy Example: Annual risk level reviews Termination Procedures: Procedures for securing systems upon employee termination Example: Exit interviews and checklists Training: User education and awareness training Example: Incorporated awareness training with existing programs
Administrative Procedures Impact Most organizations have inadequate security policies and procedures This requires additional resources for updates and development efforts Ensuring all security policies and procedures are enforced throughout the organization requires cooperation from all employee levels Integration of chain of trust partner agreement language may require new contracts with third parties Providing security awareness training for all employees requires a detailed training program with ongoing maintenance
Physical Safeguards Rules Impacts
Physical Safeguards Rules Assigned Security Responsibility: Security responsibility assigned to a specific individual(s) Example: Security committee Media Controls: Policies and procedures that govern the receipt and removal of hardware and software into and out of a facility. Includes data backup, storage and disposal Example: Property accountability documentation Physical Access Controls: Limiting physical access to systems. Includes the following: disaster recovery, emergency mode operation, equipment control, facility security, physical access verification, maintenance records, need-to-know procedures, visitor sign-in, and testing and revision of all components Example: Data center restrictions
Physical Safeguards Rules (cont.) Workstation Use: Instructions and procedures delineating secure use of computer workstations Example: Acceptable workstation usage guidelines Workstation Location: Safeguards for secure location of computer workstations Example: Monitor position in public areas Security Awareness Training: Security awareness training for all employees, agents and contractors Example: Incorporated awareness training with existing programs
Physical Safeguards Impacts In order to properly address security issues organizational charts and individual responsibilities may need review Workstation use must be addressed through employee education and consistent enforcement of policies and procedures Physical access controls and secure workstation locations may affect current business practices
Technical Security Services Rules Impacts
Technical Security Services Rules Access Control: Restricted access to health information by need-to-know Example: Application access based on job description Audit Controls: Audit control mechanisms to record and examine system activity Example: Turn on network event logs to allow for appropriate audits Authorization Control: Mechanisms for obtaining consent for use and disclosure of health information Example: Application functionality which allows flagging Data Authentication: Ability to corroborate that data have not been altered or destroyed Example: Use or check sum, double keying or digital signature to assure the data are not altered Entity Authentication: Ability to corroborate that user is who he claims he is Example: Biometric ID or unique usernames and passwords
Technical Security Services Impact Some systems in use today may not have adequate security controls to comply Implementation of access controls for systems must be an integrated effort between business and IT System processing and storage requirements may increase to support enhanced auditing capabilities Group ID s and shared passwords will not be permitted
Technical Security Mechanisms Rules Impacts
Technical Security Mechanisms General Rules For all systems: Integrity Controls: A security mechanism employed to ensure the validity of the information being electronically transmitted or stored Example: Approved/unapproved network protocols Message Authentication: Ensuring, typically with a message authentication code, that a message received (usually via a network) matches the message sent Example: Verification that data packet sent is received Access Controls or Encryption: Protection of sensitive communications over open or private networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient OR transforming confidential plaintext into ciphertext to protect it Example: VANs may eliminate the need for certain encryption technologies
Technical Security Mechanisms Network Rules If using a network for communications: Alarm: In communication systems, any device that can sense and abnormal condition within the system and provide, either locally or remotely, a signal indicating the presence of the abnormality Example: Devices that sense abnormal conditions Audit Trail: The data collected and potentially used to facilitate a security audit Example: Audit log retention
Technical Security Mechanisms Network Rules (cont.) If using a network for communications: Entity Authentication: A communications or network mechanism to irrefutably identify authorized users, programs, and processes and to deny access to unauthorized users, programs and processes Example: Unique identification Event Reporting: A network message indicating operational irregularities in physical elements of a network or a response to the occurrence of a significant task, typically the completion of a request for information Example: Network messages indicating operational abnormalities
Technical Security Mechanisms Impacts Implementation of access controls to the network must be an integrated effort between the business and IT Use of new network security technologies (e.g. encryption) will require significant end user training Group ID s and shared passwords will not be permitted Network alarms, audit trail, and event reporting requirements may require additional resources and technologies to ensure compliance
Summary Summary The Bottom Line Questions
Summary Areas of impact on health care organizations will be: Development, documentation and training of policies and procedures Assignment and operation of security responsibility Identifying and contracting chain of trust agreements with trading partners Training workforce members on information security and altering the confidentiality culture Implementing access controls, authorization controls and entity authentication for all systems Identifying and implementing the right technical solutions
The Bottom Line The Privacy regulations have been the top priority for HHS; the final Security Rule is expected in August 2002 Compliance is 26 months after the final rule is published At the present time, there is no indication who will be the enforcement agency, when enforcement will be effective, and how enforcement will be conducted
Questions and Discussion????????
Resources
Resources Association for Electronic Health Care Transactions (AFEHCT): Impacts of HIPAA (particularly EDI) Security Self-Evaluation Checklist American Health Information Management Association (AHIMA): Benchmark information and case studies Interim Steps for Getting Started American Society for Testing and Materials (ASTM): Standards guides for security Center for Healthcare Information Management (CHIM): Up-to-date industry perspective on proposed rules and their status Computer-Based Patient Record Institute (CPRI): CPRI Security Toolkit Department of Health and Human Services HIPAA Administrative Simplification: Latest News on Regulations Current proposed and final rules Electronic Healthcare Network Accreditation Commission (EHNAC): Certification Program for HIPAA Compliance (under development) http://www.afehct.org http://www.ahima.org/hipaa.html http://www.astm.org http://www.chim.org http://www.cpri-host.org http://aspe.hhs.gov/admnsimp/index.htm http://www.ehnac.org
Resources (cont.) For the Record: Protecting Electronic Health Information (National Academy Press, 1997) 800-624-6242 Full Report Health Privacy Forum Comparison of Privacy proposed and final rules Comparison of state privacy laws HIMSS: Protecting the Security and Confidentiality of Healthcare Information (Volume 12, Number 1, Spring 1998) Articles HIPAA Home Page http://www.nap.edu http://www.healthprivacy.org http://www.himss.org http://www.hcfa.gov/hipaa/hippahm.htm HIPAA Transaction Implementation Guides from the Washington Publishing Company Joint Healthcare Information Technology Alliance (JHITA) Summary of Privacy rules Upcoming HIPAA conferences http://www.wpc-edi.com http://www.jhita.org Links to other HIPAA sites http://www.hcfa.gov/medicare/edi/hipaaedi.htm Medicare EDI http://www.hcfa.gov/medicare/edi/edi.htm
Resources (cont.) National Uniform Billing Committee http://www.nubc.org National Uniform Claims Committee http://www.nucc.org Washington Publishing Company ANSI ASC X12N HIPAA Implementation Guides Subscribe to email release of HIPAA documents (such as notice of proposed rule making) Workgroup for Electronic Data Interchange (WEDI): Details of SNIP effort (Strategic National Implementation Pilot) http://www.wpc-edi.com/hipaa http://www.hcfa.gov/medicare/edi/admnlist.htm http://www.wedi.org