A brief note on Data Security Issues in HIPAA
Rajaram Pejaver, CISSP
May 3, 2006
While European legislators have actively supported consumer privacy rights for many years, American lawmakers have only recently warmed up to that cause. The Gramm-Leach-Bliley Act [1] applies these concerns to the financial and securities industry and seeks to control the disclosure of consumers' nonpublic personal information. At about the same time, the Department of Health and Human Services (HHS) developed the Health Insurance Portability and Accountability Act of 1996 (HIPAA) [2]. More recently, there is the Sarbanes-Oxley Act (SOX) [3]. All of these regulations are very similar, though they differ in focus. They all mandate a strong Information Security program that covers
HIPAA's original goal was to permit health insurance portability when an employee changed jobs. However, a lot of consideration was given to consumer privacy while accomplishing HIPAA’s objectives. The main objectives of HIPAA are:
· Administrative Simplification
The "Administrative Simplification" component was added with the following key intents:
· Reduce paperwork
Standards are defined to ensure the security and confidentiality of electronically maintained and transmitted data. Protected health information (PHI) is the HIPAA term for health information in any form (i.e., paper, electronic or verbal) that personally identifies a patient. This includes individually identifiable health information in paper records that have never been electronically stored or transmitted. It does not include data that have been "de-identified" by removal of identifying information, such as name, address, ZIP code, etc. Generally, the proposed security regulations will apply only to PHI.
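As an added illustration (not from the original note) of the de-identification the paragraph describes: a record counts as PHI while it carries any field outside an assumed allowlist of clinical fields, and de-identification keeps only those fields and also scrubs identifier values that reappear inside retained free text, since dropping the name field alone does not help when the name was typed into the notes. The field names and the sample record are constructed for this example.

```python
import re
from typing import Any

# Identifier fields named in the text above (name, address, ZIP code); the
# allowlist of clinical fields is an assumption for this illustration.
IDENTIFIER_FIELDS = {"name", "address", "zip"}
ALLOWED_FIELDS = {"sex", "diagnosis", "notes"}


def is_phi(record: dict[str, Any]) -> bool:
    """A record is PHI while any field outside the allowlist is present.
    Unknown fields are treated as identifying (conservative default) instead
    of relying on a denylist that could miss a new identifier."""
    return any(field not in ALLOWED_FIELDS for field in record)


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy holding only allowlisted fields, with identifier values
    also redacted from retained free text."""
    # Longest identifier values first, so "12 Sample St" is redacted whole
    # before any shorter value could be matched inside it.
    identifier_values = sorted(
        (str(record[f]) for f in IDENTIFIER_FIELDS if record.get(f)),
        key=len, reverse=True,
    )
    clean: dict[str, Any] = {}
    for field, value in record.items():
        if field not in ALLOWED_FIELDS:
            continue  # direct identifier or unknown field: dropped
        if isinstance(value, str):
            for ident in identifier_values:
                pattern = r"\b" + re.escape(ident) + r"\b"
                value = re.sub(pattern, "[REDACTED]", value, flags=re.IGNORECASE)
        clean[field] = value
    return clean


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "address": "12 Sample St",
    "zip": "12345",
    "sex": "F",
    "diagnosis": "J45.909",
    "notes": "Jane Example seen for asthma follow-up; lives at 12 Sample St.",
}

if __name__ == "__main__":
    print(is_phi(SAMPLE_RECORD))
    print(deidentify(SAMPLE_RECORD))
```

Field-level removal only addresses direct identifiers; rare diagnoses or dates can still single a patient out, so the output should be reviewed before it is treated as outside HIPAA's scope.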
HIPAA applies to 3 types of covered entities: (1) health plans; (2) health care clearinghouses; and (3) health care providers who transmit any health information in electronic form in connection with one of the HIPAA standard transactions.
The standard impacts all areas of computer use, including:
There are three main parts to Administrative Simplification:
The Privacy Rule in HIPAA provides comprehensive protection for the privacy of health information. In general, these are policies and procedures, not IT security. The rule subjects entities that collect, maintain, or distribute health information (in either electronic or paper form) to a set of limitations on how that information can be used or distributed. These entities must be compliant with the Privacy Standards by April 2003.
HIPAA applies to anyone that deals with individual consumer’s health information, including the following entities:
Failure to comply with HIPAA regulations can cause an entity to lose its ability to work with its business partners. Conversely, an entity that complies with HIPAA is prohibited from sharing covered information with any other non-complying entity. If it does so, it risks losing its own compliance rating.
The use of Digital Signatures for signing HIPAA related forms and for transmitting HIPAA related information is currently optional. We believe that it will remain optional given the enormous difficulties associated with deploying Public Key Infrastructures, which are required for most forms of Digital Signatures. Digital Signatures are expected to provide the following functions:
Besides security, HIPAA also improves interoperability within the health care industry by requiring commonality of processing.
Affected organizations are required to use these standards as the “language” for common transactions such as plan enrollment, premium payments, and claims status. Organizations must be compliant with the Electronic Health Standards by October 2002, or by October 2003 with a valid extension. Obtaining an extension is easy, since it only involves filing a plan for how compliance will be accomplished.
The Security Rules for HIPAA [4] were finalized in February 2003. The rules define IT security standards, access control, administrative procedures, and physical security guidelines. However, they do not prescribe specific technical solutions such as firewalls or encryption. They require compliance by most health care organizations by April 21, 2005. As currently written, parties must (at least) do the following traditional IT security related tasks to stay in compliance:
Non-traditional tasks:
Unlike the HIPAA Privacy Rule, which applies to protected health information (PHI) in "any form or medium," the Security Rule covers only PHI that is electronically stored or transmitted by covered entities. (Hence the common abbreviation ePHI or EHI.)
Regardless of what vendors may advertise, no magic formula exists to ensure compliance.
What companies seem to be doing is to watch what their peers are doing about HIPAA. The general feeling is that as long as they make some effort towards HIPAA compliance, the axe will not fall on them too heavily if a problem occurs.
The first step in achieving HIPAA compliance is to accurately assess the organization’s current security stance. This can be done by constructing an inventory of current written policies, procedures, ongoing security programs, and security products that have been deployed. A list of recommended policies is shown in Appendix A. The areas that should be covered include the network infrastructure, all host platforms, and applications. It will be useful to create a high-level flow diagram of how PHI is created, stored, transmitted and disposed of from the time patients enter the system, through the course of treatment and during the referral and payment processes. For example,
The next step will be to form a “Gap Analysis” that compares the current state with the security level required by HIPAA. The Gap Analysis leads to a list of tasks that must be completed to remedy the current shortcomings. This list can be prioritized based on several factors:
Next, the task list is executed and various projects are started. It will be noted that automation is essential in a number of ways, both to improve security and to contain costs:
Finally, an audit is required to verify compliance. Preferably, the audit should be performed by an independent external party. HIPAA compliance is an ongoing process. There is no end to compliance. The effort needs to evolve with new threats, new business partners and procedures, etc. A detailed documentation of the project plan will help in proving compliance. A more detailed description of this phase can be found at [7].
[1] http://www.ftc.gov/privacy/glbact/
[3] SOx reference
[4] http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/03-3877.pdf
[5] http://aspe.hhs.gov/admnsimp/nprm/seclist.htm
[6] http://www.ins.state.ny.us/acrobat/r173ftxt.pdf
[7] http://www.pejaver.com/Papers/Methodology.pdf
[8] Charles Cresson Wood: http://www.informationshield.com/hipaa.html
[9] http://www.schneier.com/blog/archives/2005/06/us_medical_priv.html -> “Gutted”
HIPAA Policy Area | HIPAA Section

Administrative Safeguards |
Security Management Process | 164.308(a)(1)
Assigned Security Responsibility | 164.308(a)(2)
Workforce Security | 164.308(a)(3)
Information Access Management | 164.308(a)(4)
Security Awareness and Training | 164.308(a)(5)
Security Incident Procedures | 164.308(a)(6)
Contingency Plan | 164.308(a)(7)
Evaluation | 164.308(a)(8)

Physical Safeguards |
Facility Access Controls | 164.310(a)(1)
Workstation Use | 164.310(b)
Workstation Security | 164.310(c)
Device and Media Controls | 164.310(d)(1)

Technical Safeguards | 164.312
Access Control | 164.312(a)(1)
Audit Controls | 164.312(b)
Integrity | 164.312(c)(1)
Person or Entity Authentication | 164.312(d)
Transmission Security | 164.312(e)(1)

Policies and Procedures and Documentation Requirements | 164.316
Policies and Procedures | 164.316(a)
Maintain policies | 164.316(b)
The Gramm-Leach-Bliley (GLB) Act, also known as the Financial Services Modernization Act, was passed by Congress in November 1999 to ensure that the financial services industry responded to new developments in technology, global competition, and the changing demand for financial services with measures that protect the privacy and integrity of customer accounts. The Act applies to all kinds of financial institutions, including non-traditional ones such as those lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts, and an array of other activities.
HIPAA
Most people think of the healthcare industry when they think of the Health Insurance Portability and Accountability Act (HIPAA), but in reality anyone who handles patient health information (PHI) must comply, including the HR departments of most organizations. Passed by Congress in August 1996, it requires security standards to protect the confidentiality and integrity of all "individually identifiable health information."
Sarbanes-Oxley Act
The Sarbanes-Oxley Act (SarbOx or SOX) is a post-Enron legislation passed by Congress in July 2002 to improve the accountability of public companies. The legislation holds the CEOs and CFOs of public companies personally responsible for the accuracy and security of financial reports.
DATA INTEGRITY ISSUES
California Senate Bill 1386
In July 2003, California's Database Security Breach Notification Act (Senate Bill 1386, or SB 1386) went into effect and applies to all organizations who conduct business or have offices in the State of California. In order to protect California residents from identity theft, organizations that have had computer security breaches must notify all affected California residents.
FDA Title 21 CFR Part 11
Used by pharmaceutical companies, Title 21 of the CFR contains the regulations for food and drugs. Chapter 1 (parts 1 through 1299) covers the U.S. Food and Drug Administration (FDA), part of the U.S. Department of Health and Human Services. Part 11 established the criteria under which electronic records and signatures will be considered equivalent to paper records and handwritten signatures in manufacturing processes regulated by the FDA.
NY State Insurance Dept. Reg. 173 (also Reg. 169)
Privacy Regulations
Patriot Act
Waste of time…
SEC Rules 17a-3 and 17a-4
Rules 17a-3 and 17a-4 say that brokerages, dealers and transfer agents must preserve electronic data generated from the time of the 1998 revision on nonrewritable, nonerasable media (WORM drives) for a period of not less than six years. Companies must keep logs of when the data is accessed and modified. These logs must show that the data, including that contained in e-mail and instant messages, has not been altered or deleted. Data relating to a particular transaction must be capable of being retrieved quickly for a period of two years from whatever media it is stored on, so that a complete record of the transaction can be readily available should the SEC ask for it.
Note: Refer to Wikipedia (http://en.wikipedia.org/wiki/Main_Page) for a good introduction to many of these standards.
ISO 17799
http://www.iso.ch/iso/en/ISOOnline.frontpage
Common Criteria (Product certification), ISO 15408
http://niap.nist.gov/cc-scheme/
COBIT (Control Objectives for Information and Related Technology)
SAS 70 II
Basel 2 Accords (banking)
Balances risk with assets. Also helps tighten up the required reserves so companies will have more available assets to invest… Similar to European Solvency Act. 2008 deadline.
http://www.bis.org/bcbs/publ.htm
http://www.bis.org/bcbs/publ_10.htm
VISA PCI / Cardholder Information Security Program
Visa CISP establishes standards for protecting cardholder data in storage or in transit for all Visa payment channels, including retail, mail and telephone order and e-commerce.
http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
NIST 800-16
http://csrc.nist.gov/index.html