TRUST US.

Aug 1, 2003 12:00 PM, By JIM CRUMBLEY


When President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) in 1996, it was envisioned as a means to provide patients with greater flexibility or “portability” in their health care insurance coverage and treatments. While politicians, patients' rights advocates and the media were debating the merits of the proposed legislation, Congress became aware of gaps in the way the medical community was safeguarding patient information, and wrote privacy protections into the bill. The act provides for severe civil and criminal penalties, including but not limited to fines of up to $250,000 and imprisonment of up to 10 years, for failure to comply with its privacy requirements.

Historically, methods used to ensure patient confidentiality were as varied as the health care services offered around the country. Some hospitals provided excellent security for patient records but had no consistency in the way that patient information was released to “family members” over the phone. IT security measures were also weak. Many doctors' offices, clinics and urgent care centers would routinely discard unneeded patient records in the trash, so it was not uncommon for identity thieves to obtain Social Security numbers, dates of birth, addresses and the other information they needed. More importantly for patient advocate groups, an individual's medical history could be used to deny employment or health care coverage. Congress felt strongly that the proposed legislation should include measures to ensure confidentiality of information and strong civil and criminal sanctions against those failing to safeguard it.

Like most federal legislation, the exact meanings of “privacy” and “security” are left up to the courts. Undoubtedly, court decisions in the next few years will outline unforeseen concerns regarding security of information. Until that time, there are only conflicting opinions from so-called “HIPAA experts” — attorneys, trade groups and the media. While some hospitals have gone overboard in the quest to safeguard patient information — for instance, a hospital recently refused to tell the family of an auto accident victim that he was comatose, since he could not sign a release — most facilities are taking the middle ground. They are using established norms, formulating workable policies, training staff and enhancing physical security.

While the merits of HIPAA may be debated for years, the bottom line is that patient information must and should be safeguarded. This takes us to the concept of physical security as it relates to HIPAA. Physical security is simply safeguarding assets. These assets might be personnel, production material, supplies, manufactured goods, proprietary information and liability concerns relating to any and all of these assets. In relation to HIPAA, information is the asset that needs protecting. Information is stored in three basic ways: electronically, on paper and anecdotally.

Electronic

On the surface, other than access control of the data center, a security professional might wonder what can be done to provide physical security protection for electronic information. The basic concept of IT security is the same as protection for any other commodity — controlling access. When assessing the physical security of electronic information, the security expert should review the following:

  • Who has access to the information?

  • Is patient information available electronically only on a “need-to-know” basis?

  • How are passwords generated?

  • Are passwords required to be both alpha and numeric?

  • Do policy and/or software allow sequential numbers or reuse of password schemes (jim123, jim321, jim123, etc.)?

  • Are passwords posted on computer screens and shared with fellow staff members?

  • Does the software automatically lock the session after a reasonable period of inactivity (probably no more than 5 to 10 minutes)?

  • When staff members no longer need access to patient information, are their access privileges revoked?

  • Has an independent audit team reviewed the IT security program for compliance with industry best practices?

  • Does IT run a semi-annual probe test of the network designed to look for gaps in its firewalls and intrusion detection systems?

  • How are the backup data tapes stored and transported?

  • Does the agreement with the data storage company include a rider mandating physical security measures and privacy expectations relating to HIPAA?
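The password questions above (letters plus digits, no sequential numbers, no reuse of a scheme such as jim123 / jim321) can be enforced automatically at password-change time. The following is an added example written for this article, not code from the author or any product; the minimum length and the definition of a “scheme” are assumptions.

```python
"""Password-policy checks for the electronic-records questions above.

Constructed illustration, not code from the article or any product.
History is compared at change time, when the prior passwords are still
available in clear text; stored history should of course be hashed.
"""
from __future__ import annotations
import re

MIN_LENGTH = 8  # assumed minimum; the article does not state one


def stem(password: str) -> str:
    """The non-digit core a user tends to recycle: jim123 -> 'jim'."""
    return re.sub(r"\d", "", password).lower()


def is_sequential(digits: str) -> bool:
    """True for runs such as 123, 321 or 4567 (every step exactly +1 or -1)."""
    if len(digits) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def check_password(candidate: str, history: list[str]) -> list[str]:
    """Return the policy violations for candidate; an empty list means accepted."""
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_alpha and has_digit):
        problems.append("must contain both letters and digits")
    if is_sequential("".join(c for c in candidate if c.isdigit())):
        problems.append("sequential digits")
    if candidate.lower() in {h.lower() for h in history}:
        problems.append("password reused")
    elif stem(candidate) and stem(candidate) in {stem(h) for h in history}:
        # jim123 -> jim321 -> jim124: same stem, shuffled or bumped digits
        problems.append("password scheme reused")
    return problems
```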

Paper

Physical security of paper-based patient records falls more into the traditional role of physical security. While television dramas create an image of computer experts obtaining information by hacking into systems, the truth is that most confidential information is compromised when someone simply walks out of a facility with a file or rummages through the dumpster. This is as true for corporate America as it is for health care, and corporate security directors long ago became involved in the physical security of confidential information. Too often, day-to-day protection of patient information is left to the medical records departments and the individual units.

However, the security of patient records does not begin and end with the medical records departments. Patient fact sheets, test results and doctors' dictation records are routinely located in a variety of areas, including emergency, lab, radiology, nursing stations and even risk management and quality control. While all of these departments have a legitimate need to review patient information, they still have a responsibility to safeguard it. When assessing the physical security of patient records, several concerns should be considered, including:

  • Is access carefully controlled and CCTV coverage adequate for the medical records departments?

  • Does the hospital have and consistently enforce a policy mandating the wearing of hospital IDs for all staff, contractors, and physicians?

  • Are individual units appropriately secured?

  • Are copies of patient records, files, and test results secured in locked cabinets?

  • Are discarded records (due to errors, etc.) appropriately shredded?

  • Are shredding storage containers locked and are the containers stored in a non-public area?

  • Are old records stored either off site or in a basement area appropriately protected with access control and CCTV?

  • Does the agreement with the storage company include a rider mandating physical security and privacy measures relating to HIPAA?

It has become obvious that the computer revolution will not automatically decrease the amount of paper records. Security experts should continue to be concerned with the protection of paper-based information.

Anecdotal

Anecdotal records are simply the verbal sharing of patient information. This information can be culled from a variety of sources, including intentional and unintentional observation of patients and records in treatment areas. Physical security measures can prevent access to this information and reduce the likelihood of compromise through anecdotal reports.

A trip through many hospitals, clinics and doctors' offices will likely showcase a variety of ways for those without a “need to know” to become aware of medical treatment issues. For instance, the modern design of a hospital is open and inviting. While this has proven benefits for patient recovery, there are legitimate privacy concerns. If an Emergency Department or other treatment unit is not properly secured, visitors and non-departmental staff can use the halls as a “shortcut” and possibly become aware of treatment issues. Most emergency treatment room doors are at least partially open, and patients are in full view of those walking the hall. Their privacy is obviously compromised, with possible HIPAA repercussions. While this type of privacy compromise is not as easily defined as paper and electronic security, the guidelines outlined below will positively impact the security of these records.

Securing units and departments for privacy purposes involves the same requirements as securing them for any other protection concern. Remember, information is, in its simplest form, an asset to be protected. To protect this information in units, check the following:

  • Is access to the unit or department appropriately secured?

  • Are controls in place to monitor access so that only those with a verifiable need have access to the unit or department?

  • Do staff members who no longer need access have their privileges revoked?

  • Has consideration for CCTV monitoring been made?

  • Has “piggy-back” access been prevented to the extent possible through the use of double entry points or staff training?

Team Approach

Physical security measures in health care present some of the greatest challenges to the protection professional — none more so than access to emergency units. Security has to be balanced with the need for quick access due to urgent patient care issues. For these reasons, it is important that physical security considerations relating to HIPAA be a team-based program. All of the general recommendations and considerations outlined above should be reviewed by a team made up of representatives from security, safety, nursing, emergency, medical records, risk management, IT and facilities. Guests from other units and departments can be invited as needed. By taking a team approach, security issues can be balanced with patient care concerns and a workable solution can be found.

Assessment

The final aspect of a successful implementation of physical security measures as related to HIPAA is ongoing assessment. Again, information is simply an asset to be secured. Security of an asset requires a three-pronged assessment. The security team should have an ongoing review of the following:

Criticality — How critical is the asset that is being protected? HIPAA clearly outlines the criticality of patient information protection.

Vulnerability — Is the asset vulnerable to compromise? What is secured today may be open tomorrow. Departments are reorganized and units change. Expansion issues can arise that allow for a new access point into a unit. These considerations should be addressed on an ongoing basis and problem areas corrected as quickly as possible.

Probability — When it comes to “investing” in security, the team should look at the probability of asset loss. It may not make sense to invest in electronic access control in a lab when there are limited staff and doors. A mechanical lock can be just as effective if key control is properly managed. Conversely, a review of traffic patterns might indicate that unauthorized persons often walk through the Emergency Department. This would indicate that the probability for compromise of information in this area is high and necessitates investment in an electronic and monitored access control system.

FOR THE RECORD

About The Author

JIM CRUMBLEY, CPP, PPS, is a senior security analyst for Amsec International, Winchester, Va. Formerly, he managed security at Scottish Rite Children's Hospital in Atlanta.

HIPAA FOCUS

Creating a Secure Mobile Environment At Integris Health

Using mobile and wireless devices in health care has its advantages. It can give timely access to the latest information, improve data collection and speed up reimbursement. However, as valuable as the devices have become to the physicians and staff personnel who use them, they function in an extremely vulnerable environment and pose new threats to the privacy of health information.

The privacy rules recently published under the Health Insurance Portability and Accountability Act (HIPAA) mandate that any health information that identifies an individual and is transmitted or maintained by a health care provider must remain confidential, not be altered nor accessed without authorization and be readily available to authorized users. The rules do not differentiate whether that information is transmitted over wired or wireless networks or maintained on a networked computer system or mobile device.

For many hospitals and health care systems, the HIPAA privacy rules have posed significant barriers to the greater adoption of mobile and wireless technologies. Oklahoma City-based Integris Health, however, has found success using mobile devices. Consisting of 12 major facilities across Oklahoma, the Integris Health network is the state's largest not-for-profit health care organization.

At Integris Health, physicians, nurses and staff personnel use mobile devices to access, transmit and store information such as patient lab results, health records and clinical decision support information. However, if a mobile device were lost or stolen, it would present a major threat to the privacy of patient records.

Despite the risk, William Woloszyn, Integris director of privacy and security, was not willing to restrict mobile computing use, nor was he willing to take a reactive approach to its mobile security.

“Embracing mobile and wireless is like shooting at a moving target — it is changing so fast,” Woloszyn says. “I was looking for a mobile security and management solution with security controls that would satisfy HIPAA regulations with applicability across all types of mobile technologies.” Clear on his objectives, Woloszyn chose the Mobile Guardian mobile security and management software platform from Credant Technologies, Dallas.

Knowing that there is a mix of hospital-, physician-, and staff-owned devices used to access information from the network, Woloszyn's first priority was to understand the magnitude of device use. He used the software to create an inventory of the number and types of mobile and wireless devices being used.

Once users and device types were identified, administrators were able to centrally control policy settings and device use for both PDA and laptop users from a secure Web-based interface using existing organization, group or user profiles. The software detects device use every time synchronization occurs and automatically pushes new or updated security settings and software to the device. Audit logs track mobile device inventories as well as changes in security policies to ensure traceability and accountability. “The fact that our administrators can centrally manage the deployment and updates of policies, as well as monitor compliance, greatly reduces the burden of administration,” Woloszyn says.

The software mandates the use of a PIN/password and encrypts data based on policies set by the administrator. In addition, after a specified number of unsuccessful password attempts, the software automatically invokes multiple levels of fail-safe actions including shutting down access to the device, deleting secured data from the device, and even performing a hard reset to wipe out all data and applications. “For users, the implementation process was self-defining,” Woloszyn explains. “Since security controls on the device are virtually transparent, feedback is positive and users say that it doesn't affect their personal productivity.”
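The escalating fail-safe sequence described above (deny access, then delete secured data, then hard reset) is a small stateful policy that an endpoint agent can enforce locally. Below is an added example written for this article; it is not Credant's code, and the attempt thresholds are assumed values that the article does not give.

```python
"""Escalating failed-PIN response for a managed mobile device (constructed
illustration of the lock / wipe / hard-reset sequence described above; not
Credant's code, and the thresholds are assumptions, not taken from the article)."""
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    lock_after: int = 5          # assumed: refuse further access
    wipe_data_after: int = 8     # assumed: delete secured data only
    hard_reset_after: int = 10   # assumed: wipe all data and applications

    def __post_init__(self) -> None:
        if not (0 < self.lock_after <= self.wipe_data_after <= self.hard_reset_after):
            raise ValueError("steps must escalate: lock <= wipe <= hard reset")

@dataclass
class DeviceState:
    device_id: str
    failures: int = 0
    locked: bool = False
    secured_data_present: bool = True
    reset_done: bool = False
    audit: list[tuple[str, int, str]] = field(default_factory=list)  # traceability

def record_attempt(state: DeviceState, policy: LockoutPolicy, correct: bool) -> list[str]:
    """Apply one PIN attempt; return the fail-safe actions it triggered."""
    if correct and not state.locked:
        state.failures = 0                      # a good entry clears the counter
        state.audit.append((state.device_id, 0, "access_granted"))
        return []
    if correct:                                 # right PIN on a locked device:
        state.audit.append((state.device_id, state.failures, "denied_locked"))
        return ["denied"]                       # only admin recovery reopens it
    state.failures += 1
    actions: list[str] = []
    if state.failures == policy.lock_after:
        state.locked = True
        actions.append("lock")
    if state.failures == policy.wipe_data_after and state.secured_data_present:
        state.secured_data_present = False
        actions.append("wipe_secured_data")
    if state.failures >= policy.hard_reset_after and not state.reset_done:
        state.reset_done = True                 # one-time: nothing left afterwards
        state.secured_data_present = False
        actions.append("hard_reset")
    for action in actions:
        state.audit.append((state.device_id, state.failures, action))
    return actions
```

Note that wrong attempts keep counting after the lock, so a device left in an attacker's hands still progresses to the data wipe and reset even though the lock already denies access.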

Physicians rely heavily on mobile devices for accessing up-to-date information related to patient care. However, on the occasion when they forget their PIN or password, they have to rely on other, less efficient means of obtaining that information. With its self-service password reset capabilities, the software's access recovery policies allow physicians to reset their own access code. In addition, the software allows administrators to restore device access and recover encrypted data in the event a user leaves the company.

© 2012 Penton Media Inc.
