Where does a 500-lb. HIPAA sit?
Jun 1, 2000 12:00 PM, William Ryman
The intent of the law seems simple and reasonable, but the reverberations for security professionals, especially those in the health care arena, will be felt for years to come. It is called the Health Insurance Portability and Accountability Act, known as HIPAA, and was passed by Congress in 1996. The main purposes of HIPAA are to protect health insurance coverage, provide fraud and abuse controls, provide tax incentives and reduce health care administrative costs through standardization. The administrative simplification provisions of the act call for electronic data interchange (EDI) transaction standards, standardized identifiers and code sets, privacy regulation and security standards.
HIPAA applies to any organization that electronically transmits, stores or uses identifiable medical or mental health information. The list includes, but is not limited to, hospitals, clinics, health insurance companies, HMOs, PPOs, small physician practice groups, individual health care providers, psychiatrists and psychologists, mental health counselors, pharmacies and medical record storage houses. It also includes companies that self-insure or maintain health records and incident reports concerning their employees.
The security and privacy standards required by HIPAA regulations are not new; they are simply good business practices that will now be enforced through regulations. Penalties for non-compliance may be severe. The standards can be broken down into four categories: administrative procedures; physical safeguards; technical security services; and technical security mechanisms.
Administrative procedures
Administrative procedures are policy and procedure management or implementation. Examples of these would include:
* certification of compliance - each organization must evaluate computer systems and network design to certify security.
* chain of trust partner agreements - in which parties agree to electronically exchange data and to protect the transmitted data. These agreements ensure that proper security is maintained at all links of the chain when data moves from one organization to another.
* contingency plans - a business resumption/disaster recovery plan.
* information access controls - documented policies and procedures for access authorization and access modification to sensitive information.
* security management
* internal audit
* security incident procedures - formal documented procedures for reporting and responding to security incidents.
* termination procedures - formal documented termination procedures must be in place to include changing combinations, removal from access lists, removal of user accounts, and return of keys, tokens, smart cards and identification badges.
* training - employees should receive formal and informal training on the vulnerabilities associated with possession of sensitive information. It should include new employee orientation, awareness training for all personnel (including management), training on virus protection procedures, education on password selection and management, and periodic security reminders.
Physical safeguards
Physical safeguards are needed to guard data integrity, confidentiality and availability by protecting physical computer systems and related buildings and equipment from natural disasters and environmental hazards as well as from intrusion. They also cover the use of keys, locks and administrative measures used to control access to computer systems and facilities. These safeguards should include:
* assigned security responsibility - a specific individual should be designated to manage and supervise security measures to protect data, equipment and facilities, and to oversee the conduct of personnel in relation to the protection of sensitive information.
* media controls - formal documented policies and procedures must govern the receipt and removal of hardware/software at the facility. They should include such topics as access control, data backup and storage, accountability (tracking) and disposal.
* policy access controls - formal documented policies and procedures for limiting physical access while ensuring that authorized access is allowed. These policies should include equipment control, facility security plan, procedures for verifying access authorization prior to physical access, disaster recovery, emergency mode operation, "need to know" procedures for personnel access, maintenance records, visitor sign-in and escort procedures, and testing and revision.
* secure workstation location - physical safeguards must be in place to minimize or eliminate the possibility of unauthorized access to information and equipment.
* policy on workstation use - documented procedures should delineate the proper functions to be performed and the manner in which they are to be performed.
* security awareness training - training should be based on job responsibilities and tailored to various groups by job function.
Technical security services
Technical security services to guard data integrity, confidentiality and availability include the processes that are put in place to protect, control and monitor information access. Some of these services are:
* access controls - prevent unauthorized access to resources and allow access only by privileged entities. This can be accomplished through encryption, role-based access and user-based access, and must include documented procedures for emergency access.
* audit controls - documented procedures to record and review system activity to identify suspect data access activities, assess the security program and respond to potential vulnerabilities.
* entity authentication - ensures the entity is what it claims to be. This can be accomplished through the use of passwords, biometrics, personal identification number (PIN), tokens, smart cards, telephone callback and unique user identification.
Technical security mechanisms
Technical security mechanisms include the processes that are put in place to prevent unauthorized access to data that is transmitted over a communications network. If a communications network is employed, the following features should be enabled: access controls, alarms, audit trails, encryption, entity authentication, event reporting, integrity controls and message authentication.
What's next?
Final HIPAA regulations should be published by September 2000. The industry will then have two years to comply.
Security standards will apply to all health care information, and any organization that handles healthcare information will be impacted. There are many opportunities for healthcare professionals to provide a more secure environment and opportunities for the rest of us to assist the healthcare industry in this process. Don't look at it simply as a regulation that requires compliance, but as an opportunity to ensure that networks and information are adequately protected from unauthorized or inadvertent disclosure.
Impact on the security industry
The number one impact on the security industry will be on jobs, with the potential to give the economy the biggest boost in the arm since the creation of the defense industry. Both high-tech and low-tech companies are scrambling to get ready for the coming avalanche of opportunities. Arguably, HIPAA will drive smart card use to the forefront. System manufacturers who have invested in building relationships with smart card providers will have the edge.
McKessonHBOC is an international leader in health care information technology, providing specialized applications, systems integration, and network and access services to customers across the U.S. and around the world. The company's technology services organization, formerly the Connect Technology Group (CTG), was established in 1990 to address customer communications needs, specializing in network infrastructure and connectivity solutions.
"We have an extensive customer base, with our applications supporting mission-critical operations in hospitals throughout the country," says Marco Alvarez, Atlanta-based McKessonHBOC's director of network infrastructure. "Part of our group's responsibility is to ensure that our customers have maximum access and use of those applications."
McKessonHBOC is proactively preparing its customers - including major health care providers, hospitals and homecare clinics - for the tightened security requirements and tough new financial penalties for breaching the confidentiality of electronic health records that will come into effect under the U.S. Health Insurance Portability and Accountability Act (HIPAA).
"HIPAA changes the whole landscape of security for health care, and it's happening at the same time that our clients are making increasing use of the Internet to access the applications we provide," says Alvarez. "Together, those two factors make Internet protocol (IP) security one of the big IT priorities for the health care industry today."
Until about a year ago, McKessonHBOC's IP security solutions were built around traditional firewall implementations: IP security software running on a dedicated server.
"Since then, we have deployed at least a dozen major security implementations using the Nokia IP440 and IP650 Security Platforms," reports Marco Alvarez.
"These solutions come pre-packaged and locked down from the factory, an advantage over the traditional alternative of building a server-based, standalone firewall," says Marco Alvarez. "There's no development time up-front, and the cost of ownership is reduced."
IP Security Platforms by Nokia, Mountain View, Calif., are purpose-built solutions that integrate Firewall-1 software from Check Point Software Technologies on Nokia platforms. These platforms allow McKessonHBOC to offer its clients solutions that integrate carrier-class IP security and are quickly and easily implemented. The platform integrates with virtually any network infrastructure, increases Internet connectivity performance, and features browser-based management and remote upgrades - all at a lower cost to McKessonHBOC's clients.
"We have customers using the public Internet, Intranets and virtual private networks (VPNs) to access thin client applications running on our servers," says Marco Alvarez.
McKessonHBOC counts redundancy and ease of system recovery and restore as key features offered by the Nokia solutions. "Uptime is especially essential in the health care industry, where the availability of network resources is extremely critical," notes Marco Alvarez. "If a firewall goes down, authorized users are denied access - which can significantly impact the response and quality of patient care."
Implementing Nokia IP Security Platforms has been easy, says Alvarez. "For our customer, it reduces the overall management complexities and the amount of integration."
Nokia is a supplier of mobile phones; of mobile, fixed and IP networks and related services; and of multimedia terminals. Nokia Internet Communications (NIC) develops and markets products for the enterprise and managed service provider markets.
© 2012 Penton Media Inc.