Publication of the long-awaited HIPAA final Security Rule in February didn’t exactly create the frenzy of a new Harry Potter novel hitting the bookshelves. Health-care CIOs were, after all, busy worrying about complying with the April 14, 2003, deadline for the Privacy Rule—and then there is the October 2003 deadline for HIPAA Transaction and Code Standards to contend with. It would be easy for companies to put the Security Rule lower on the priority list since the government’s compliance deadline is still two years away. Yet while it’s tempting to ration the number of brain cells devoted to HIPAA (the Health Insurance Portability and Accountability Act of 1996), health-care CIOs can’t afford to put security on the back burner for long—if at all.
“It’s true that from the perspective of the Department of Health and Human Services, the Security Rule is not enforceable until April 21, 2005. But HHS could impose penalties for security breaches based on the Privacy Rule, so by any other measure, you should’ve done it yesterday,” says Kate Borten, president of health-care security and privacy consultancy The Marblehead Group and author of HIPAA Security Made Simple. “Don’t get lulled into thinking you have a couple of years.”
While HIPAA fines won’t likely be levied for any security breaches that occur before 2005, should your organization suffer a breach tomorrow you can expect to find yourself on the front page of The New York Times or the target of a class-action lawsuit on behalf of patients whose data was exposed. And either of those things could make HIPAA penalties seem as harmless as drawing the “Go to jail” card in a Monopoly game.
Yet so far, less than 10 percent of health-care organizations recently polled by Gartner Research have implemented the security policies and procedures required by HIPAA. And only 78 percent of health-care providers met the April deadline for Privacy Rule compliance, according to the Health Information and Management Systems Society. Many organizations are waiting to see what will happen to noncompliers. “They figure the fines are cheaper than going into HIPAA compliance,” says Wes Rishel, vice president and research area director at Gartner. “That’s a dangerous attitude.”
While enforcement may not be stringent at first, he predicts that the government, along with the Joint Commission on Accreditation of Healthcare Organizations, or JCAHO, will eventually crack down on those organizations that have “fallen to the back of the pack” in compliance. “You don’t need to be the first, but you don’t want to be the last,” Rishel warned at a recent Gartner symposium.
One major challenge in complying with HIPAA is ensuring the security of technologies that are still evolving, such as wireless PDAs. Hackers, after all, are often one step ahead of security tool developers. “With Y2K there were technologies and techniques [to help ease the transition to the new millennium] in the industry prior to the arrival of Dec. 31, 1999,” says Stephanie Reel, CIO and vice president of IS at The Johns Hopkins University. “I’m not as comfortable that all of the technologies will be available as needed to make the environment as secure as it should be.”
Still, Reel can’t argue with HIPAA’s goals. “Most of the HIPAA legislation is good common sense,” she says. “It’s the execution that gives us all a little heartburn.”
To help minimize HIPAA heartburn, here’s a checklist to help you jump-start your Security Rule compliance plan.
Do Your Homework
The final rule reads like a syllabus for Infosec 101: a list of best practices in information security designed to ensure the confidentiality, integrity and availability of electronic patient data. And that’s good news for CIOs. “A lot of what they’re telling us to do under the Security Rule are really things we needed to do anyway,” says John Houston, privacy officer and director of IS for the University of Pittsburgh Medical Center (UPMC).
At Johns Hopkins, Reel has already invested in intrusion detection and antivirus software, and has established audit trails, tracking, disaster recovery, data backup and emergency operations plans. With the weight of law behind it, HIPAA gives CIOs the leverage (and funding justification) they need to shore up security.
The rule itself outlines some 40 best practices in administrative, physical and technical security. (Visit www.cio.com/printlinks for links to a summary of the rule and other HIPAA resources.) It is appropriately technology neutral, since what works well for a large hospital or insurance company might not scale to a small doctor’s office. And for the same reason, the rule errs on the side of vagueness versus detailed requirements. “The security regs aren’t all that prescriptive,” says Phil Kahn, CIO of St. Peter’s Health Care Services in Albany, N.Y. “They don’t tell you exactly how to solve a problem, just that you’re responsible for the security of data.”
The final rule was watered down somewhat from the proposed rule, in part, says Borten, because of the Bush administration’s laissez-faire attitude toward business. Several things that were required in the proposed rule, such as encryption, are now classified as “addressable,” meaning that if organizations believe that something is not a risk to them, or take a different approach to minimizing that risk, they must document what they’re doing and why it’s appropriate. Addressable is not, however, a synonym for optional. At Humana, a large, Louisville, Ky.-based health benefits company with approximately 6 million members, Vice President of IT Mitzi Silliman makes no distinction between the two. “Addressable?” she says. “We read that as, You’re big, you’d better be secure.”
Prepare to Dive In
The Security Rule and its April 2005 deadline should already be on the executive radar screen; if not, get it there. Executive buy-in is essential to a genuine commitment to security. You also need to craft a communication plan to raise employee awareness each step of the way. “You need to tell them what changes are coming, how it will affect them, the time frame for rollout and what training to expect,” says Cynthia Smith, senior manager with PricewaterhouseCoopers’ HIPAA security and privacy practice. “If the end user hasn’t bought in, the best security plan in the world won’t work.”
Organizations should also establish a HIPAA security team and are now required to appoint someone to oversee security. Chances are, you can draw on much of your HIPAA privacy compliance team for the security compliance team. But don’t assume that oversight of security belongs in your bailiwick. Having the CIO in charge of security isn’t necessarily in the organization’s best interest. “The average CIO or director of IT does not have an information security background,” says Marblehead Group’s Borten. Chris Byrnes, vice president and director for security at Meta Group, recommends that CIOs use HIPAA—and its requirement that organizations appoint a security officer—as an opportunity to transfer overall oversight of security to someone else. “This is CIOs’ big chance to reduce their own liability and to ensure that it’s viewed as a corporate responsibility,” he says.
Classify Your Data
Before you can begin to apply the Security Rule, you first need a very clear understanding of exactly what electronic patient data in your organization is considered protected health information, or PHI. (The Security Rule only deals with electronic patient data.) You also need to know where all of that data is stored and where it’s transmitted. Fred Langston, senior principal consultant at Guardent, a managed security services provider, says that many organizations skip this critical first step—and that shortcut often costs them money in the long run.
Health-care organizations also tend to determine which data employees can access on a case-by-case basis. This user-based access system involves setting up rights and permissions for each employee, a time-consuming proposition. Classifying data often leads organizations to establish a role-based access system, which is much more efficient. With role-based access, organizations need only to figure out access rights for each role; doctors, for example, can see an entire patient record, but claims adjusters should get access only to the information pertinent to a specific claim. Role-based access isn’t mandated by HIPAA, but it’s a cost-effective way of meeting the legislation’s requirement that data is available only on an as-needed basis. “Role-based access is a key linchpin to successful implementation of HIPAA,” says Langston.
You also need to understand the value of your data. Most hospitals collect patients’ Social Security numbers, yet many don’t worry enough about the threat of identity theft. “The lightbulb hasn’t gone on yet about the monetary value of those IDs,” says Langston. They are readily traded on the black market because they can be used to establish lines of credit.
And while you’re thinking about data, give some thought to how you’re going to handle the avalanche of audit data that HIPAA requires you to collect and save. Many electronic audit tools are built into systems, but you’ve got to turn them on, and you’ve got to have a plan for how to store and manage the resulting deluge of data. And someone has to look at the logs. “The analysis of the information is either going to have to be automated,” or you’ll need a staff of analysts combing through your data warehouse, says Meta Group’s Byrnes.
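To make the role-based access and audit points in this section concrete, here is an added example (not part of the original article) in which access rights are defined once per role, an adjuster's view is narrowed to a single claim, every request is written to an audit trail, and a small automated review flags repeated denials. The role names, field names, sample record and deny threshold are all assumptions constructed for the illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample record; every field name and value is an assumption.
RECORD = {
    "patient_id": "P-1001",
    "name": "Jane Sample",
    "ssn": "000-00-0000",
    "diagnoses": ["asthma"],
    "claims": {
        "C-1": {"procedure": "office visit", "amount": 120.0},
        "C-2": {"procedure": "chest x-ray", "amount": 310.0},
    },
}

# One policy per role rather than one per employee. "*" means the whole record.
ROLE_FIELDS = {
    "doctor": "*",
    "claims_adjuster": {"patient_id", "claims"},  # claims narrowed further below
}

@dataclass(frozen=True)
class User:
    user_id: str
    role: str

AUDIT_LOG = []  # a list stands in for an append-only audit store

def _audit(user, record, claim_id, decision):
    AUDIT_LOG.append({"user": user.user_id, "role": user.role,
                      "patient": record["patient_id"],
                      "claim": claim_id, "decision": decision})

def view_record(user, record, claim_id=None):
    """Return only the part of the record the user's role may see."""
    fields = ROLE_FIELDS.get(user.role)
    if fields is None:  # unknown role: deny by default
        _audit(user, record, claim_id, "deny")
        raise PermissionError(f"role {user.role!r} has no access policy")
    if fields == "*":
        _audit(user, record, claim_id, "allow")
        return dict(record)
    # Scoped roles must name a claim that exists on this record.
    if claim_id not in record["claims"]:
        _audit(user, record, claim_id, "deny")
        raise PermissionError("a valid claim_id is required for this role")
    view = {k: v for k, v in record.items() if k in fields}
    view["claims"] = {claim_id: record["claims"][claim_id]}
    _audit(user, record, claim_id, "allow")
    return view

def users_over_deny_threshold(log, threshold=2):
    """Automated log review: users with at least `threshold` denied requests."""
    denies = Counter(e["user"] for e in log if e["decision"] == "deny")
    return sorted(u for u, n in denies.items() if n >= threshold)
```

Adding a new employee means assigning an existing role, not writing a new set of permissions, and denied requests are logged as well as allowed ones so the review step has something to work with.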
Assess Your Vulnerability
The key to an effective security program is to understand the risk level in your organization and then to spend appropriately to mitigate that risk. So once you know what your protected health information is and where it lives, the next step is to audit existing security policies, practices and technologies to assess how well that data is protected.
Security audit methodologies abound. Langston recommends considering either the Factor methodology, or Octave, which was developed by Carnegie Mellon’s Software Engineering Institute. UPMC’s Houston has been working with vendor SecureState to develop an automated self-assessment tool that he plans to roll out on his intranet to a subset of IT employees. Their answers to a series of questions (for example, Do you back up data daily? Do you store backups offsite?) will help Houston determine which areas need work to meet HIPAA standards. Houston also plans to use the tool to check ongoing compliance once the Security Rule goes into effect.
Before you do your audit, make sure your staff has enough expertise to do it well. “If you don’t have security expertise, get it, rent it, buy it in a consultant,” says Greg Walton, senior vice president and CIO of Carilion Health System in Roanoke, Va. “You have a moral obligation—forget the legal obligation—to understand how totally vulnerable you are.”
The end result of your audit and gap analysis, which you should aim to finish by year’s end, should be a list of vulnerabilities showing the areas in which your security measures fail to live up to HIPAA standards.
Know the Risks to Mitigate—and How
With your list of vulnerabilities in hand, you can now figure out which are reasonable to address. To do that, you’ve got to weigh the likelihood and possible resulting damage of each potential risk. Most breaches to date haven’t involved hackers but instead have been low-tech thefts of hard drives or floppy disks, often by disgruntled employees. Last December, for instance, thieves stole hard drives containing more than 500,000 members’ Social Security numbers from the Phoenix office of TriWest, a managed care provider serving the military. TriWest has already been hit with one class action as a result of the breach.
“One theft of a hard drive can bring a company to its knees with a class-action suit,” says Lisa Gallagher, senior vice president of information and technology accreditation at URAC, a nonprofit health-care accreditation company.
You also need to factor in the cost to implement controls that will mitigate each risk. Better physical security—locks, controlled access to data storage areas—would be a relatively low-cost way to foil would-be thieves. But if the cost to mitigate a risk is greater than the cost of the potential breach, you shouldn’t bother with mitigation. “I’m not sure everyone can afford to be like Fort Knox,” says St. Peter’s Kahn.
To arrive at a reasonable investment level for disaster recovery, for example, consider how critical the data is to your institution. “Maybe you can’t afford full 100 percent hot site recovery in four hours,” says PricewaterhouseCoopers’ Smith. “Maybe you bring up critical systems that support patients [right away] but billing can wait a few days.”
At Sentara Healthcare, Vice President and CIO Bert Reese is backing up the company’s five major systems for patient records, clinical support, registration, billing and payroll processing at a remote site managed by IBM. For everything else, he and CTO Jerry Kevorkian arranged contracts with vendors to deliver replacement processors in the event of a natural disaster within one to two days. So instead of paying IBM around $650,000 a year to back up everything, Reese spends only $150,000 to back up the five critical systems, saving roughly half a million a year. Of course, that requires having well-documented manual processes to fall back on while waiting for the replacement equipment to arrive.
Prioritize Your Project List
Byrnes recommends tackling administrative and physical security policies and procedures first—and wrapping them up by April 2004, since organizations will need at least a year to implement security technology. Borten agrees that ideally, policy should come first. But at the University of Texas M.D. Anderson Cancer Center, CISO Lew Wagner puts technical work ahead of policy documentation. “I’d rather have the technology in place first, then worry about policy, rather than have a bunch of paper and still be hacked,” he says.
Obviously, any gaping security holes should go to the top of your HIPAA technology project list. Langston advises putting in temporary controls to patch your worst security holes until you can implement a fully developed solution. But make sure your project blueprint spells out the plan for permanent resolution. “You will have met the heart of the Security Rule if you have a road map to compliance,” he says.
Although the scope of what your organization needs to do to comply with the Security Rule will drive your implementation schedule, you should plan to begin the necessary technical work before next April. (And keep in mind that there’s no such thing as HIPAA-compliant technology, although vendors would dearly love to convince you otherwise. Only an organization can be HIPAA-compliant.)
Plenty of CIOs have been working on security for a long time. At M.D. Anderson, for example, Wagner was hired in July 2000 in part to begin HIPAA compliance work. Rather than wait for the final Security Rule, he initiated M.D. Anderson’s gap analysis in the fall of 2000 and has been, as he puts it, shoring up the castle walls around the whole organization ever since. He estimates that as of April he was 60 percent to 70 percent along in his technology road map—a list of 30 to 40 projects identified by the gap analysis as necessary to comply with HIPAA.
For example, Wagner is working on a single sign-on system that will relieve users of having to remember multiple passwords to log in to as many as 40 applications. He’s planning to use fingerprint biometrics instead of smart cards, since the latter can be easily stolen or shared. A doctor will be able to walk up to a clinical workstation (many of which are used by up to 40 people a day), type in her ID and place a thumb on the reader, which will authenticate her and give her access to all applications she is authorized to use. (An automatic time-out function will log users off after they walk away from the screen.) Since doctors and nurses are always washing their hands and have powdery fingers from using gloves, Wagner is considering only capacitance readers that use small electric charges to verify the subdermal fingerprint. Capacitance readers are also more secure than optical readers, which can be fooled with an image or an imprint in silly putty or a gel pack.
At North Florida Medical Centers, a nonprofit network of nine satellite clinics, MIS Director Lynn Sims is also turning to biometrics. But he has already ruled out fingerprint recognition. First, there was the hassle factor of requiring doctors and nurses to remove their exam gloves to log on. And then there was the lotion problem. “In the winter, it gets really dry here,” says Sims. “The ladies use quite a bit of hand cream to keep their hands moist and soft.” A test revealed that the lotion was building up on the scanners, necessitating frequent cleaning with alcohol swabs. So Sims turned to retinal scanning and is now rolling out an iris scanning and proximity sensor system, which automatically logs users off when they walk away from a workstation. He paid roughly $250 per iris scanner and about $100 per proximity sensor, and also invested in privacy screens (about $90 each), which make text look blurred for anyone not directly in front of the monitor.
Kahn at St. Peter’s Health Care is using digital fobs—tiny portable devices from RSA Security that display a new code every 60 seconds—to protect patient data traveling over the Internet. To gain access to the hospital’s network through a Web portal, a doctor must enter the six-digit code on his key fob, then type in his four-digit PIN. Then he can log in to a specific application to access, say, a patient’s lab results or billing data. “It’s an extra layer above signing on with an ID and password,” says Kahn.
Although encryption of data is not required by HIPAA, most health-care organizations would be smart to invest the relatively nominal sum needed to encrypt any patient data transmitted outside the institution. “I refused to put a wireless network out until my team assured me that it was encrypted,” says Carilion’s Walton.
Don’t Think You’re Done
After the 2005 deadline, John Quinn, principal in Cap Gemini Ernst & Young’s health consulting practice, recommends keeping an eye out for several months to see what happens with enforcement. “On April 22, 2005, no red flag will go up on your building because you didn’t do the work,” Quinn says. But if another organization gets in trouble for doing something similar to what you’ve done, revamp your program accordingly. Like it or not, HIPAA is an ongoing process. The law requires you to periodically reassess security and make sure you stay vigilant. And for good reason. As new technologies are introduced, so are new vulnerabilities.
“With security, there’s not an insurance policy you can buy once a year and say, I’m covered. It’s something you really need to review every week,” says Dr. Dick Gibson, chief medical information officer of Providence Health System in Oregon. Y2K was over on Jan. 1, 2000. But with HIPAA, the fat lady never sings.