Publication of the long-awaited HIPAA final Security Rule in February didn't exactly create the frenzy of a new Harry Potter novel hitting the bookshelves. Health-care CIOs were, after all, busy worrying about complying with the April 14, 2003, deadline for the Privacy Rule, and then there is the October 2003 deadline for the HIPAA Transactions and Code Sets standards to contend with. It would be easy for companies to put the Security Rule lower on the priority list since the government's compliance deadline is still two years away. Yet while it's tempting to ration the number of brain cells devoted to HIPAA (the Health Insurance Portability and Accountability Act of 1996), health-care CIOs can't afford to put security on the back burner for long, if at all.

"It's true that from the perspective of the Department of Health and Human Services, the Security Rule is not enforceable until April 21, 2005. But HHS could impose penalties for security breaches based on the Privacy Rule, so by any other measure, you should've done it yesterday," says Kate Borten, president of health-care security and privacy consultancy The Marblehead Group and author of HIPAA Security Made Simple. "Don't get lulled into thinking you have a couple of years."

While HIPAA fines won't likely be levied for security breaches that occur before 2005, should your organization suffer a breach tomorrow you can expect to find yourself on the front page of The New York Times or the target of a class-action lawsuit on behalf of patients whose data was exposed. Either of those could make HIPAA penalties seem as harmless as drawing the "Go to jail" card in a Monopoly game. Yet so far, fewer than 10 percent of health-care organizations recently polled by Gartner Research have implemented the security policies and procedures required by HIPAA. And only 78 percent of health-care providers met the April deadline for Privacy Rule compliance, according to the Healthcare Information and Management Systems Society.

Many organizations are waiting to see what will happen to noncompliers. "They figure the fines are cheaper than going into HIPAA compliance," says Wes Rishel, vice president and research area director at Gartner. "That's a dangerous attitude." While enforcement may not be stringent at first, he predicts that the government, along with the Joint Commission on Accreditation of Healthcare Organizations, or JCAHO, will eventually crack down on those organizations that have "fallen to the back of the pack" in compliance. "You don't need to be the first, but you don't want to be the last," Rishel warned at a recent Gartner symposium.

One major challenge in complying with HIPAA is securing technologies that are still evolving, such as wireless PDAs. Attackers, after all, are often a step ahead of security tool developers. "With Y2K there were technologies and techniques [to help ease the transition to the new millennium] in the industry prior to the arrival of Dec. 31, 1999," says Stephanie Reel, CIO and vice president of IS at The Johns Hopkins University. "I'm not as comfortable that all of the technologies will be available as needed to make the environment as secure as it should be." Still, Reel can't argue with HIPAA's goals. "Most of the HIPAA legislation is good common sense," she says. "It's the execution that gives us all a little heartburn."

To help minimize HIPAA heartburn, here's a checklist to help you jump-start your Security Rule compliance plan.

Do Your Homework

The final rule reads like a syllabus for Infosec 101: a list of best practices in information security designed to ensure the confidentiality, integrity and availability of electronic patient data. And that's good news for CIOs. "A lot of what they're telling us to do under the Security Rule are really things we needed to do anyway," says John Houston, privacy officer and director of IS for the University of Pittsburgh Medical Center (UPMC). At Johns Hopkins, Reel has already invested in intrusion detection and antivirus software, and has established audit trails, tracking, disaster recovery, data backup and emergency operations plans. With the weight of law behind it, HIPAA gives CIOs the leverage (and funding justification) they need to shore up security.

The rule itself outlines some 40 best practices in administrative, physical and technical safeguards. (Visit www.cio.com/printlinks for links to a summary of the rule and other HIPAA resources.) It is appropriately technology neutral, since what works well for a large hospital or insurance company might not scale to a small doctor's office. For the same reason, the rule errs on the side of vagueness rather than detailed requirements. "The security regs aren't all that prescriptive," says Phil Kahn, CIO of St. Peter's Health Care Services in Albany, N.Y. "They don't tell you exactly how to solve a problem, just that you're responsible for the security of data."

The final rule was watered down somewhat from the proposed rule, in part, says Borten, because of the Bush administration's laissez-faire attitude toward business. Several things that were required in the proposed rule, such as encryption, are now classified as "addressable." An addressable specification must still be implemented if it is reasonable and appropriate for the organization; if it is not, the organization must document why, and what equivalent measure (if any) it has adopted instead. Addressable is not, however, a synonym for optional. At Humana, a large, Louisville, Ky.-based health benefits company with approximately 6 million members, Vice President of IT Mitzi Silliman makes no distinction between the two. "Addressable?" she says. "We read that as, You're big, you'd better be secure."

Prepare to Dive In

The Security Rule and its April 2005 deadline should already be on the executive radar screen; if not, get it there. Executive buy-in is essential to a genuine commitment to security. You also need a communication plan to raise employee awareness at each step of the way. "You need to tell them what changes are coming, how it will affect them, the time frame for rollout and what training to expect," says Cynthia Smith, senior manager with PricewaterhouseCoopers' HIPAA security and privacy practice. "If the end user hasn't bought in, the best security plan in the world won't work."

Organizations should also establish a HIPAA security team, and the rule now requires them to appoint someone to oversee security. Chances are, you can draw on much of your HIPAA privacy compliance team for the security compliance team. But don't assume that oversight of security belongs in your bailiwick. Having the CIO in charge of security isn't necessarily in the organization's best interest. "The average CIO or director of IT does not have an information security background," says Marblehead Group's Borten. Chris Byrnes, vice president and director for security at Meta Group, recommends that CIOs use HIPAA, and its requirement that organizations appoint a security officer, as an opportunity to transfer overall oversight of security to someone else. "This is CIOs' big chance to reduce their own liability and to ensure that it's viewed as a corporate responsibility," he says.

Classify Your Data

Before you can begin to apply the Security Rule, you need a very clear understanding of exactly what electronic patient data in your organization is considered protected health information, or PHI. (The Security Rule covers only electronic PHI; the Privacy Rule covers PHI in any form.) You also need to know where all of that data is stored and where it's transmitted. Fred Langston, senior principal consultant at Guardent, a managed security services provider, says that many organizations skip this critical first step, and that shortcut often costs them money in the long run.

Health-care organizations also tend to decide which data employees can access on a case-by-case basis. This user-based access model involves setting up rights and permissions for each employee, a time-consuming proposition that also makes it hard to answer the auditor's question of who can see what. Classifying data often leads organizations to establish a role-based access model, which is much more efficient. With role-based access, organizations need only to work out access rights for each role; doctors, for example, can see an entire patient record, but claims adjusters should get access only to the information pertinent to a specific claim. Role-based access isn't mandated by HIPAA, but it's a cost-effective way of meeting the regulation's requirement that workforce access to patient data be limited to what each person needs. "Role-based access is a key linchpin to successful implementation of HIPAA," says Langston.

You also need to understand the value of your data. Most hospitals collect patients' Social Security numbers, yet many don't worry enough about the threat of identity theft. "The lightbulb hasn't gone on yet about the monetary value of those IDs," says Langston. They are readily traded on the black market because they can be used to establish lines of credit. The practical corollary is to collect and retain SSNs only where there is a genuine business need, and to put fields like these in the most sensitive tier of your data classification.

And while you're thinking about data, give some thought to how you're going to handle the avalanche of audit data that HIPAA requires you to collect and retain. Many systems have audit tools built in, but you've got to turn them on, and you've got to have a plan for how to store and manage the resulting deluge of data. And someone has to look at the logs.
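The role-based model and the audit trail just described, worked through as an added illustration. This is not code from any organization quoted in the article; the roles, field names, thresholds and sample records are constructed for the example. The access check filters a record down to what the role may see (with claims adjusters further scoped to their own claims), every attempt is logged whether or not it succeeds, and a small automated pass over the log picks out the two patterns a reviewer would want flagged first: repeated denials from one account, and one account reading an unusual number of distinct patients.

```python
"""Role-based access to electronic PHI, with an audit trail and an automated
log review. Added illustration; the roles, fields, thresholds and sample data
are constructed for this example and are not any real organization's policy."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Minimum-necessary policy: the record fields each role may read.
# "*" means the whole record. These roles are assumptions for the example.
ROLE_FIELDS = {
    "physician": {"*"},
    "nurse": {"name", "dob", "allergies", "medications", "vitals"},
    "claims_adjuster": {"name", "dob", "claim_id", "procedure_codes", "billed_amount"},
    "front_desk": {"name", "dob", "insurance_id"},
}


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    user: str
    role: str
    patient_id: str
    requested: tuple
    allowed: bool


def denied_fields(role, record, requested, assigned_claims=()):
    """Return the requested fields this role may NOT read (empty set = allowed).
    A claims adjuster is additionally scoped to the claims assigned to them."""
    requested = set(requested)
    allowed = ROLE_FIELDS.get(role, set())          # unknown role: nothing allowed
    if role == "claims_adjuster" and record.get("claim_id") not in assigned_claims:
        return requested                            # not their claim: deny everything
    if "*" in allowed:
        return set()
    return requested - allowed


def view_record(user, role, record, requested, log, assigned_claims=(), when=None):
    """Return only the permitted fields, logging the attempt either way.
    Raises PermissionError (after logging) if any requested field is off-limits."""
    requested = tuple(sorted(set(requested)))
    denied = denied_fields(role, record, requested, assigned_claims)
    log.append(AuditEvent(when or datetime.now(), user, role,
                          record["patient_id"], requested, not denied))
    if denied:
        raise PermissionError(f"{role} {user!r} may not read {sorted(denied)}")
    return {k: record[k] for k in requested if k in record}


def find_suspicious(log, max_denials=3, max_patients=25):
    """Automated first pass over the audit trail: flag accounts with repeated
    denials (probing for access) or with successful reads across an unusual
    number of distinct patients (record snooping). Thresholds are assumptions."""
    denials = Counter(e.user for e in log if not e.allowed)
    patients = defaultdict(set)
    for e in log:
        if e.allowed:
            patients[e.user].add(e.patient_id)
    flagged = {}
    for user, n in denials.items():
        if n >= max_denials:
            flagged[user] = f"{n} denied requests"
    for user, seen in patients.items():
        if len(seen) >= max_patients:
            flagged[user] = f"read {len(seen)} distinct patient records"
    return flagged


if __name__ == "__main__":
    # Constructed sample record and a short session for a claims adjuster.
    record = {"patient_id": "P001", "name": "J. Doe", "dob": "1970-01-01",
              "allergies": "penicillin", "medications": ["metformin"], "vitals": {},
              "claim_id": "C42", "procedure_codes": ["99213"], "billed_amount": 120.0,
              "ssn": "000-00-0000"}
    log = []
    print(view_record("adj01", "claims_adjuster", record,
                      ["name", "claim_id", "billed_amount"], log, assigned_claims={"C42"}))
    try:
        view_record("adj01", "claims_adjuster", record, ["ssn"], log, assigned_claims={"C42"})
    except PermissionError as exc:
        print(exc)
    print(find_suspicious(log, max_denials=1))
```

The point of logging before deciding is that the denied attempts are the interesting ones; a log that records only successful reads cannot show you who was probing. In a real deployment the role table would come from the directory or the application's own entitlement store, and the review function would run on a schedule over the consolidated log rather than on an in-memory list.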
"The analysis of the information is either going to have to be automated," or you\u2019ll need a staff of analysts combing through your data warehouse, says Meta Group\u2019s Byrnes. Assess Your VulnerabilityThe key to an effective security program is to understand the risk level in your organization and then to spend appropriately to mitigate that risk. So once you know what your protected health information is and where it lives, the next step is to audit existing security policies, practices and technologies to assess how well that data is protected. Security audit methodologies abound. Langston recommends considering either the Factor methodology, or Octave, which was developed by Carnegie Mellon\u2019s Software Engineering Institute. UPMC\u2019s Houston has been working with vendor SecureState to develop an automated self-assessment tool that he plans to roll out on his intranet to a subset of IT employees. Their answers to a series of questions (for example, Do you back up data daily? Do you store backups offsite?) will help Houston determine which areas need work to meet HIPAA standards. Houston also plans to use the tool to check ongoing compliance once the Security Rule goes into effect.Before you do your audit, make sure your staff has enough expertise to do it well. "If you don\u2019t have security expertise, get it, rent it, buy it in a consultant," says Greg Walton, senior vice president and CIO of Carilion Health System in Roanoke, Va. "You have a moral obligation\u2014forget the legal obligation\u2014to understand how totally vulnerable you are." The end result of your audit and gap analysis, which you should aim to finish by year\u2019s end, should be a list of vulnerabilities showing the areas in which your security measures fail to live up to HIPAA standards. Know the Risks to Mitigate\u2014and HowWith your list of vulnerabilities in hand, you can now figure out which are reasonable to address. 
To do that, you\u2019ve got to weigh the likelihood and possible resulting damage of each potential risk. Most breaches to date haven\u2019t involved hackers but instead have been low-tech thefts of hard drives or floppy disks, often by disgruntled employees. Last December, for instance, thieves stole hard drives containing more than 500,000 members\u2019 Social Security numbers from the Phoenix office of TriWest, a managed care provider serving the military. TriWest has already been hit with one class action as a result of the breach."One theft of a hard drive can bring a company to its knees with a class-action suit," says Lisa Gallagher, senior vice president of information and technology accreditation at URAC, a nonprofit health-care accreditation company.You also need to factor in the cost to implement controls that will mitigate each risk. Better physical security\u2014locks, controlled access to data storage areas\u2014would be a relatively low-cost way to foil would-be thieves. But if the cost to mitigate a risk is greater than the cost of the potential breach, you shouldn\u2019t bother with mitigation. "I\u2019m not sure everyone can afford to be like Fort Knox," says St. Peter\u2019s Kahn. To arrive at a reasonable investment level for disaster recovery, for example, consider how critical the data is to your institution. "Maybe you can\u2019t afford full 100 percent hot site recovery in four hours," says PricewaterhouseCoopers\u2019 Smith. "Maybe you bring up critical systems that support patients [right away] but billing can wait a few days."At Sentara Healthcare, Vice President and CIO Bert Reese is backing up the company\u2019s five major systems for patient records, clinical support, registration, billing and payroll processing at a remote site managed by IBM. For everything else, he and CTO Jerry Kevorkian arranged contracts with vendors to deliver replacement processors in the event of a natural disaster within one to two days. 
So instead of paying IBM around $650,000 a year to back up everything, Reese spends only $150,000 to back up the five critical systems, saving roughly half a million a year. Of course, that requires having well-documented manual processes to fall back on while waiting for the replacement equipment to arrive.Prioritize Your Project ListByrnes recommends tackling administrative and physical security policies and procedures first\u2014and wrapping them up by April 2004, since organizations will need at least a year to implement security technology. Borten agrees that ideally, policy should come first. But at the University of Texas M.D. Anderson Cancer Center, CISO Lew Wagner puts technical work ahead of policy documentation. "I\u2019d rather have the technology in place first, then worry about policy, rather than have a bunch of paper and still be hacked," he says. Obviously, any gaping security holes should go to the top of your HIPAA technology project list. Langston advises putting in temporary controls to patch your worst security holes until you can implement a fully developed solution. But make sure your project blueprint spells out the plan for permanent resolution. "You will have met the heart of the Security Rule if you have a road map to compliance," he says. Dive In Although the scope of what your organization needs to do to comply with the Security Rule will drive your implementation schedule, you should plan to begin the necessary technical work before next April. (And keep in mind that there\u2019s no such thing as HIPAA-compliant technology, although vendors would dearly love to convince you otherwise. Only an organization can be HIPAA-compliant.)Plenty of CIOs have been working on security for a long time. At M.D. Anderson, for example, Wagner was hired in July 2000 in part to begin HIPAA compliance work. Rather than wait for the final Security Rule, he initiated M.D. 
Anderson\u2019s gap analysis in the fall of 2000 and has been, as he puts it, shoring up the castle walls around the whole organization ever since. He estimates that as of April he was 60 percent to 70 percent along in his technology road map\u2014a list of 30 to 40 projects identified by the gap analysis as necessary to comply with HIPAA. For example, Wagner is working on a single sign-on system that will relieve users of having to remember multiple passwords to log in to as many as 40 applications. He\u2019s planning to use fingerprint biometrics instead of smart cards, since the latter can be easily stolen or shared. A doctor will be able to walk up to a clinical workstation (many of which are used by up to 40 people a day), type in her ID and place a thumb on the reader, which will authenticate her and give her access to all applications she is authorized to use. (An automatic time-out function will log users off after they walk away from the screen.) Since doctors and nurses are always washing their hands and have powdery fingers from using gloves, Wagner is considering only capacitance readers that use small electric charges to verify the subdermal fingerprint. Capacitance readers are also more secure than optical readers, which can be fooled with an image or an imprint in silly putty or a gel pack.At North Florida Medical Centers, a nonprofit network of nine satellite clinics, MIS Director Lynn Sims is also turning to biometrics. But he has already ruled out fingerprint recognition. First, there was the hassle factor of requiring doctors and nurses to remove their exam gloves to log on. And then there was the lotion problem. "In the winter, it gets really dry here," says Sims. "The ladies use quite a bit of hand cream to keep their hands moist and soft." A test revealed that the lotion was building up on the scanners, necessitating frequent cleaning with alcohol swabs. 
So Sims turned to retinal scanning and is now rolling out an iris scanning and proximity sensor system, which automatically logs users off when they walk away from a workstation. He paid roughly $250 per iris scanner and about $100 per proximity sensor, and also invested in privacy screens (about $90 each), which make text look blurred for anyone not directly in front of the monitor. Kahn at St. Peter\u2019s Health Care is using digital fobs\u2014tiny portable devices from RSA Security that display a new code every 60 seconds\u2014to protect patient data traveling over the Internet. To gain access to the hospital\u2019s network through a Web portal, a doctor must enter the six-digit code on his key fob, then type in his four-digit PIN. Then he can log in to a specific application to access, say, a patient\u2019s lab results or billing data. "It\u2019s an extra layer above signing on with an ID and password," says Kahn.Although encryption of data is not required by HIPAA, most health-care organizations would be smart to invest the relatively nominal sum needed to encrypt any patient data transmitted outside the institution. "I refused to put a wireless network out until my team assured me that it was encrypted," says Carilion\u2019s Walton. Don\u2019t Think You\u2019re DoneAfter the 2005 deadline, John Quinn, principal in Cap Gemini Ernst & Young\u2019s health consulting practice, recommends keeping an eye out for several months to see what happens with enforcement. "On April 22, 2005, no red flag will go up on your building because you didn\u2019t do the work," Quinn says. But if another organization gets in trouble for doing something similar to what you\u2019ve done, revamp your program accordingly. Like it or not, HIPAA is an ongoing process. The law requires you to periodically reassess security and make sure you stay vigilant. And for good reason. As new technologies are introduced, so are new vulnerabilities. 
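The fob-plus-PIN portal login that Kahn describes earlier in this section, worked through as an added example. RSA SecurID's own algorithm is proprietary, so this code uses the open HOTP/TOTP construction from RFC 4226 and RFC 6238, with a 60-second step and six digits to match the fob in the article; the user table, secret and PIN are constructed, and none of this is St. Peter's or RSA's code. Beyond "does the code match," it shows the two checks a practitioner should insist on from any such server: a bounded window for clock drift between fob and server, and replay protection so a code captured over the wire cannot be reused within its 60-second lifetime.

```python
"""Two-factor login check for a time-synchronised code fob plus PIN.

Added illustration using the open HOTP/TOTP construction (RFC 4226 / RFC 6238)
with a 60-second step and six digits. Users, secrets and PINs are constructed
for the example; this is not RSA SecurID's proprietary algorithm."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # the fob shows a new code every 60 seconds
DIGITS = 6
DRIFT_STEPS = 1     # accept one step either side to tolerate clock skew


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer and reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=STEP_SECONDS):
    """RFC 6238: HOTP with the counter derived from the clock (seconds // step)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step))


def verify_login(user, fob_code, pin, users, at=None):
    """Check the PIN and the fob code together.

    `users` maps a name to {"secret": bytes, "pin": str, "last_step": int};
    last_step is the newest time step already accepted for that user, so a
    code that has been used once (or any older one) is refused as a replay."""
    rec = users.get(user)
    if rec is None:
        return False
    at = time.time() if at is None else at
    step_now = int(at // STEP_SECONDS)

    # Evaluate both factors unconditionally so a failure does not reveal which
    # one was wrong, and compare in constant time.
    pin_ok = hmac.compare_digest(pin.encode(), rec["pin"].encode())
    matched = None
    for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        step = step_now + delta
        if step <= rec["last_step"]:
            continue                          # already consumed: replay attempt
        if hmac.compare_digest(fob_code.encode(), hotp(rec["secret"], step).encode()):
            matched = step
    if not (pin_ok and matched is not None):
        return False
    rec["last_step"] = matched                # burn the accepted code
    return True


if __name__ == "__main__":
    # Constructed user; the secret is the RFC 4226 test-vector key.
    users = {"dr_lee": {"secret": b"12345678901234567890", "pin": "4321", "last_step": -1}}
    now = time.time()
    code = totp(users["dr_lee"]["secret"], at=now)
    print("first use:", verify_login("dr_lee", code, "4321", users, at=now))
    print("replay:   ", verify_login("dr_lee", code, "4321", users, at=now + 5))
```

Two design notes. The window is deliberately narrow (one step either side); widening it to absorb badly drifting fobs also widens the interval in which a shoulder-surfed code stays valid, so resynchronise the fob instead. And the PIN is checked with the same constant-time comparison as the code, because a four-digit PIN is the weaker factor and a timing leak on it would let an attacker recover it in a handful of guesses.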
"With security, there\u2019s not an insurance policy you can buy once a year and say, I\u2019m covered. It\u2019s something you really need to review every week," says Dr. Dick Gibson, chief medical information officer of Providence Health System in Oregon. Y2K was over on Jan. 1, 2000. But with HIPAA, the fat lady never sings.