HIPAA Security Rule Compliance Checklist

Publication of the long-awaited final HIPAA Security Rule in February didn’t exactly create the frenzy of a new Harry Potter novel hitting the bookshelves. Health-care CIOs were, after all, busy worrying about complying with the April 14, 2003, deadline for the Privacy Rule—and then there is the October 2003 deadline for HIPAA Transaction and Code Standards to contend with. It would be easy for companies to put the Security Rule lower on the priority list since the government’s compliance deadline is still two years away. Yet while it’s tempting to ration the number of brain cells devoted to HIPAA (the Health Insurance Portability and Accountability Act of 1996), health-care CIOs can’t afford to put security on the back burner for long—if at all.

"It’s true that from the perspective of the Department of Health and Human Services, the Security Rule is not enforceable until April 21, 2005. But HHS could impose penalties for security breaches based on the Privacy Rule, so by any other measure, you should’ve done it yesterday," says Kate Borten, president of health-care security and privacy consultancy The Marblehead Group and author of HIPAA Security Made Simple. "Don’t get lulled into thinking you have a couple of years."

While HIPAA fines won’t likely be levied for any security breaches that occur before 2005, should your organization suffer a breach tomorrow you can expect to find yourself on the front page of The New York Times or the target of a class-action lawsuit on behalf of patients whose data was exposed. And either of those things could make HIPAA penalties seem as harmless as drawing the "Go to jail" card in a Monopoly game.

Yet so far, fewer than 10 percent of health-care organizations recently polled by Gartner Research have implemented the security policies and procedures required by HIPAA. And only 78 percent of health-care providers met the April deadline for Privacy Rule compliance, according to the Health Information and Management Systems Society. Many organizations are waiting to see what will happen to noncompliers. "They figure the fines are cheaper than going into HIPAA compliance," says Wes Rishel, vice president and research area director at Gartner. "That’s a dangerous attitude."

While enforcement may not be stringent at first, he predicts that the government, along with the Joint Commission on Accreditation of Healthcare Organizations, or JCAHO, will eventually crack down on those organizations that have "fallen to the back of the pack" in compliance. "You don’t need to be the first, but you don’t want to be the last," Rishel warned at a recent Gartner symposium.

One major challenge in complying with HIPAA is ensuring the security of technologies that are still evolving, such as wireless PDAs. Hackers, after all, are often one step ahead of security tool developers. "With Y2K there were technologies and techniques [to help ease the transition to the new millennium] in the industry prior to the arrival of Dec. 31, 1999," says Stephanie Reel, CIO and vice president of IS at The Johns Hopkins University. "I’m not as comfortable that all of the technologies will be available as needed to make the environment as secure as it should be."

Still, Reel can’t argue with HIPAA’s goals. "Most of the HIPAA legislation is good common sense," she says. "It’s the execution that gives us all a little heartburn."

To help minimize HIPAA heartburn, here’s a checklist to help you jump-start your Security Rule compliance plan.

Do Your Homework

The final rule reads like a syllabus for Infosec 101: a list of best practices in information security designed to ensure the confidentiality, integrity and availability of electronic patient data. And that’s good news for CIOs. "A lot of what they’re telling us to do under the Security Rule are really things we needed to do anyway," says John Houston, privacy officer and director of IS for the University of Pittsburgh Medical Center (UPMC).

At Johns Hopkins, Reel has already invested in intrusion detection and antivirus software, and has established audit trails, tracking, disaster recovery, data backup and emergency operations plans. With the weight of law behind it, HIPAA gives CIOs the leverage (and funding justification) they need to shore up security.

The rule itself outlines some 40 best practices in administrative, physical and technical security. (Visit www.cio.com/printlinks for links to a summary of the rule and other HIPAA resources.) It is appropriately technology neutral, since what works well for a large hospital or insurance company might not scale to a small doctor’s office. For the same reason, the rule errs on the side of general obligations rather than detailed requirements. "The security regs aren’t all that prescriptive," says Phil Kahn, CIO of St. Peter’s Health Care Services in Albany, N.Y. "They don’t tell you exactly how to solve a problem, just that you’re responsible for the security of data."

The final rule was watered down somewhat from the proposed rule, in part, says Borten, because of the Bush administration’s laissez-faire attitude toward business. Several things that were required in the proposed rule, such as encryption, are now classified as "addressable," meaning that if organizations believe that something is not a risk to them, or take a different approach to minimizing that risk, they must document what they’re doing and why it’s appropriate. Addressable is not, however, a synonym for optional. At Humana, a large, Louisville, Ky.-based health benefits company with approximately 6 million members, Vice President of IT Mitzi Silliman makes no distinction between the two. "Addressable?" she says. "We read that as, You’re big, you’d better be secure."

Prepare to Dive In

The Security Rule and its April 2005 deadline should already be on the executive radar screen; if not, get it there. Executive buy-in is essential to a genuine commitment to security. You also need to craft a communication plan to raise employee awareness each step of the way. "You need to tell them what changes are coming, how it will affect them, the time frame for rollout and what training to expect," says Cynthia Smith, senior manager with PricewaterhouseCoopers’ HIPAA security and privacy practice. "If the end user hasn’t bought in, the best security plan in the world won’t work."

Organizations should also establish a HIPAA security team and are now required to appoint someone to oversee security. Chances are, you can draw on much of your HIPAA privacy compliance team for the security compliance team. But don’t assume that oversight of security belongs in your bailiwick. Having the CIO in charge of security isn’t necessarily in the organization’s best interest. "The average CIO or director of IT does not have an information security background," says Marblehead Group’s Borten. Chris Byrnes, vice president and director for security at Meta Group, recommends that CIOs use HIPAA—and its requirement that organizations appoint a security officer—as an opportunity to transfer overall oversight of security to someone else. "This is CIOs’ big chance to reduce their own liability and to ensure that it’s viewed as a corporate responsibility," he says.

Classify Your Data

Before you can begin to apply the Security Rule, you first need a very clear understanding of exactly what electronic patient data in your organization is considered protected health information, or PHI. (The Security Rule only deals with electronic patient data.) You also need to know where all of that data is stored and where it’s transmitted. Fred Langston, senior principal consultant at Guardent, a managed security services provider, says that many organizations skip this critical first step—and that shortcut often costs them money in the long run.

Health-care organizations also tend to determine which data employees can access on a case-by-case basis. This user-based access system involves setting up rights and permissions for each employee, a time-consuming proposition. Classifying data often leads organizations to establish a role-based access system, which is much more efficient. With role-based access, organizations need only to figure out access rights for each role; doctors, for example, can see an entire patient record, but claims adjusters should get access only to the information pertinent to a specific claim. Role-based access isn’t mandated by HIPAA, but it’s a cost-effective way of meeting the legislation’s requirement that data is available only on an as-needed basis. "Role-based access is a key linchpin to successful implementation of HIPAA," says Langston.

You also need to understand the value of your data. Most hospitals collect patients’ Social Security numbers, yet many don’t worry enough about the threat of identity theft. "The lightbulb hasn’t gone on yet about the monetary value of those IDs," says Langston. They are readily traded on the black market because they can be used to establish lines of credit.

And while you’re thinking about data, give some thought to how you’re going to handle the avalanche of audit data that HIPAA requires you to collect and save. Many electronic audit tools are built into systems, but you’ve got to turn them on, and you’ve got to have a plan for how to store and manage the resulting deluge of data. And someone has to look at the logs. "The analysis of the information is either going to have to be automated," or you’ll need a staff of analysts combing through your data warehouse, says Meta Group’s Byrnes.
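The two preceding points, role-based access and an audit trail that someone actually reviews, fit together: every access decision the role check makes is exactly what belongs in the log. The sketch below is an added illustration, not code from the article or from any organization or vendor it names. The roles, field names, sample record and the denial-count review rule are all constructed for the example; a physician role sees the whole record, while a claims adjuster sees only identity fields and the single claim being worked, and never the Social Security number.

```python
"""Role-based PHI access with an audit trail.

Added illustration for this article; not code from the article or any vendor
named in it. Roles, field names and the sample record are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Set

# Constructed field names for an electronic patient record.
RECORD_FIELDS: Set[str] = {"name", "ssn", "dob", "diagnoses", "medications", "notes", "claims"}

# Role -> fields that role may read. Rights are granted once per role, not per
# employee, so adding a new adjuster needs no new permission entries.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": set(RECORD_FIELDS),
    "claims_adjuster": {"name", "dob", "claims"},
    "billing": {"name", "dob", "claims"},
}

# Roles whose view of "claims" is narrowed to the one claim they are working.
CLAIM_SCOPED_ROLES: Set[str] = {"claims_adjuster"}


@dataclass
class AuditEntry:
    ts: str
    user: str
    role: str
    patient_id: str
    granted: List[str]
    denied: List[str]
    claim_id: Optional[str]


def read_phi(user: str, role: str, patient_id: str, record: Dict[str, Any],
             fields: List[str], audit_log: List[AuditEntry],
             claim_id: Optional[str] = None) -> Dict[str, Any]:
    """Return only the requested fields the role may see; log every decision.

    Unknown roles get nothing. Claim-scoped roles get only the named claim,
    and no claims at all if they did not name one that exists.
    """
    allowed = ROLE_PERMISSIONS.get(role, set())
    granted: Dict[str, Any] = {}
    denied: List[str] = []
    for f in fields:
        if f not in allowed or f not in record:
            denied.append(f)
            continue
        if f == "claims" and role in CLAIM_SCOPED_ROLES:
            claims = record["claims"]
            if claim_id is None or claim_id not in claims:
                denied.append(f)
                continue
            granted[f] = {claim_id: claims[claim_id]}
        else:
            granted[f] = record[f]
    audit_log.append(AuditEntry(
        ts=datetime.now(timezone.utc).isoformat(),
        user=user, role=role, patient_id=patient_id,
        granted=sorted(granted), denied=denied, claim_id=claim_id,
    ))
    return granted


def review_audit_log(audit_log: List[AuditEntry], min_denials: int = 1) -> Dict[str, int]:
    """Automated first pass over the log: denied field requests per user.

    A user repeatedly asking for fields outside their role (an adjuster
    requesting SSNs, say) is what a human reviewer should look at first.
    """
    counts: Dict[str, int] = {}
    for e in audit_log:
        if e.denied:
            counts[e.user] = counts.get(e.user, 0) + len(e.denied)
    return {u: n for u, n in counts.items() if n >= min_denials}


# Constructed sample record; not real patient data.
SAMPLE_RECORD: Dict[str, Any] = {
    "name": "Pat Example",
    "ssn": "000-00-0000",
    "dob": "1970-01-01",
    "diagnoses": ["J45.909"],
    "medications": ["albuterol"],
    "notes": "Follow up in six weeks.",
    "claims": {"C-1": {"amount": 120.0, "status": "open"},
               "C-2": {"amount": 45.0, "status": "paid"}},
}

if __name__ == "__main__":
    log: List[AuditEntry] = []
    print(read_phi("dr_a", "physician", "P-1", SAMPLE_RECORD, ["ssn", "diagnoses"], log))
    print(read_phi("adj_b", "claims_adjuster", "P-1", SAMPLE_RECORD,
                   ["ssn", "claims"], log, claim_id="C-1"))
    print(review_audit_log(log))
```

The point of logging the denials as well as the grants is that the review step then has something to act on: a role check that silently drops disallowed fields protects the data, but only the log tells you who keeps asking for it.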

Assess Your Vulnerability

The key to an effective security program is to understand the risk level in your organization and then to spend appropriately to mitigate that risk. So once you know what your protected health information is and where it lives, the next step is to audit existing security policies, practices and technologies to assess how well that data is protected.

Security audit methodologies abound. Langston recommends considering either the Factor methodology or OCTAVE, which was developed by Carnegie Mellon’s Software Engineering Institute. UPMC’s Houston has been working with vendor SecureState to develop an automated self-assessment tool that he plans to roll out on his intranet to a subset of IT employees. Their answers to a series of questions (for example, Do you back up data daily? Do you store backups offsite?) will help Houston determine which areas need work to meet HIPAA standards. Houston also plans to use the tool to check ongoing compliance once the Security Rule goes into effect.

Before you do your audit, make sure your staff has enough expertise to do it well. "If you don’t have security expertise, get it, rent it, buy it in a consultant," says Greg Walton, senior vice president and CIO of Carilion Health System in Roanoke, Va. "You have a moral obligation—forget the legal obligation—to understand how totally vulnerable you are."

The end result of your audit and gap analysis, which you should aim to finish by year’s end, should be a list of vulnerabilities showing the areas in which your security measures fail to live up to HIPAA standards.

Know the Risks to Mitigate—and How

With your list of vulnerabilities in hand, you can now figure out which are reasonable to address. To do that, you’ve got to weigh, for each risk, how likely it is to occur and how much damage it would do if it did. Most breaches to date haven’t involved hackers but instead have been low-tech thefts of hard drives or floppy disks, often by disgruntled employees. Last December, for instance, thieves stole hard drives containing more than 500,000 members’ Social Security numbers from the Phoenix office of TriWest, a managed care provider serving the military. TriWest has already been hit with one class action as a result of the breach.

"One theft of a hard drive can bring a company to its knees with a class-action suit," says Lisa Gallagher, senior vice president of information and technology accreditation at URAC, a nonprofit health-care accreditation company.

You also need to factor in the cost to implement controls that will mitigate each risk. Better physical security—locks, controlled access to data storage areas—would be a relatively low-cost way to foil would-be thieves. But if the cost of mitigating a risk exceeds the expected loss from the breach it prevents (the likelihood weighed against the damage), mitigation may not be worth it, provided you document the decision and the reasoning behind it. "I’m not sure everyone can afford to be like Fort Knox," says St. Peter’s Kahn.

To arrive at a reasonable investment level for disaster recovery, for example, consider how critical the data is to your institution. "Maybe you can’t afford full 100 percent hot site recovery in four hours," says PricewaterhouseCoopers’ Smith. "Maybe you bring up critical systems that support patients [right away] but billing can wait a few days."

At Sentara Healthcare, Vice President and CIO Bert Reese is backing up the company’s five major systems for patient records, clinical support, registration, billing and payroll processing at a remote site managed by IBM. For everything else, he and CTO Jerry Kevorkian arranged contracts with vendors to deliver replacement processors in the event of a natural disaster within one to two days. So instead of paying IBM around $650,000 a year to back up everything, Reese spends only $150,000 to back up the five critical systems, saving roughly half a million a year. Of course, that requires having well-documented manual processes to fall back on while waiting for the replacement equipment to arrive.
