hipaa 203: security an introduction to the draft hipaa security regulations

HIPAA 203: HIPAA 203: SecuritySecurityAn Introduction to the Draft HIPAA Security Regulations

First Consulting Group

Presentation Agenda

Security Introduction

Security Component Requirements and Impacts– Administrative Procedures– Physical Safeguards– Technical Security Services– Technical Security Mechanisms

Summary


Presentation Objectives

At the end of this presentation, you should:

Understand the background for the security regulations

Understand the specific HIPAA security components

Understand the business and technology impacts of the HIPAA security components

Begin to understand the gaps between the current environment and the HIPAA security requirements

Security Introduction

DefinitionOrganizational ThreatsPrinciplesKey Points of Security RuleStructureCategories


Definition

“The purpose of security is to protect both the system and the information it contains from unauthorized access from without and misuse from within.” –draft Security Rule

Security also protects information from alteration, destruction or loss

Security should reasonably ensure the confidentiality, integrity and availability of health care information


Type of Threat Description Examples

Accidental

No intent; usually carelessness, low awareness or lack of training

Employee leaves application logged on to patient record and walks away

Employee leaves patient charts in open area in clear view of patients

Employee discards confidential information in regular trash receptacle where others can access

Abuse of privileges

Authorized access for unauthorized purpose with no malicious intent or personal gain

Employee accesses colleague’s medical record with concern about his recent hospitalization In

tern

al

Intentional

Malicious intent or personal gain

Authorized access for unauthorized purpose with malicious intent or for personal gain

Supervisor accesses employee’s medical record to determine mental health status so that she can potentially be fired

Targeted

Unauthorized access by accessible means

Terminated employee whose password was never deleted from the system uses access privileges to uncover confidential information about former boss

Employee imposter steals PC database containing HIV patients E

xte

rnal

Random Unauthorized access by pure technical means

Hacker breaks into network and accesses confidential information

Organizational Threats


Principles

Healthcare security is about risk mitigation– Operational risk– Financial risk– Regulatory risk– Fraud risk

“The standard does not address the extent to which a particular entity should implement the specific features. Instead, we would require that each affected entity assess its own security needs and risks and devise, implement, and maintain appropriate security to address its business requirements.” –draft Security Rule


Key Points of Security Rule:Source Security requirements were taken from the National

Research Council’s report For the Record: Protecting Electronic Health Information

“This report presents findings and recommendations related to health data security, and…concludes that appropriate security practices are highly dependent on individual circumstances…

“It is therefore not possible to prescribe in detail specific practices for all organizations; rather, each organization must analyze its systems, vulnerabilities, risks and resources to determine optimal security measures. Nevertheless, the committee believes that a set of practices can be articulated in a sufficiently general way that they can be adopted by all health care organizations in one form or another.”


Key Points of Security Rule:Standards

Organizations must therefore establish a reasonable “defensible position” for security compliance– Develop specifications for security requirements– Determine what technologies to implement to meet

those specifications– Balance usability and cost with risk

We can set the community standard for these practices in the Pacific Northwest


The standards are not only scalable, but technology neutral as well

Covered entities must establish and maintain reasonable and appropriate…safeguards

Healthcare organizations must ensure the protection of all electronic PHI– Final rule may also cover PHI in paper format to

align with final HIPAA Privacy rule

Policies and procedures must be developed to implement both the Privacy and Security Rules

Key Points of Security Rule:Standards (cont.)


Business processes related to security functions within the organization must be formally documented, implemented, and enforced throughout the organization

Proposed standards for Electronic Signatures currently coupled with the Security Standards will be removed and published separately

The final Security Rule will be harmonized with the final Privacy Rule

Key Points of Security Rule:More Standards


Structure

The current HIPAA Security standards are organized into five categories:

1. Administrative Procedures2. Physical Safeguards3. Technical Security Services (applications)4. Technical Security Mechanisms (networks)5. Electronic Signatures *

* For the purposes of this discussion only the first four categories will be addressed


Administrative Procedures: formal policies and procedures to address operating procedures, management controls, personnel requirements, audit mechanisms and disciplinary procedures

– Security management/maintenance– Security training– Internal system certification– Procedures upon employee hire, transfer, or termination– System security audits– Chain of trust partner agreements– Contingency plan– Information access control– Security incident procedures

Administrative Procedures


Physical Safeguards

Physical Safeguards: formal policies and procedures to protect health information from threats of fire, disaster, and unauthorized access

– Security responsibility and accountability– Media control– Physical access to data– Workstation use and location– Security awareness training


Technical Security Services

Technical Security Services: measures to control and monitor information access

– Employee access controls, such as passwords– System audits– Intrusion and detection alarms– Automatic logoffs– Telephone callback procedures– Message authentication– Integrity contols– Data authentication


Technical Security Mechanisms

Technical Security Mechanisms: mechanisms to guard against unauthorized access to data that is transmitted over a communication network

– Employee access controls– Entity authentication– Message authentication– Integrity contols– Encryption– Alarms– Audit trail– Event reporting

Security Requirements and Impacts

Administrative ProceduresPhysical SafeguardsTechnical Security ServicesTechnical Security Mechanisms

Administrative Procedures

RulesImpacts


Administrative Procedures – Rules

Certification: technical evaluation certifying that systems and network meet pre-defined criteria– Example: Annual certification audit

Chain-of-Trust Partner Agreement: Contract to secure integrity of data transmission with any third parties– Example: Claims processing

Contingency Plan: Includes application and data criticality analysis, data backup plan, disaster recovery plan, emergency mode operation plan, and testing and revision procedures– Example: Business continuity plans

Formal Record Processing Mechanisms: Policies and procedures for receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information– Example: PC hard drive disposal


Administrative Procedures – Rules (cont.) Information Access Controls: Policies and procedures for

granting different levels of access to health care information– Example: Application profile documentation

Internal Audit: Ongoing in-house review of the records of system activity (log-ins, file accesses and security incidents)– Example: Proactive, defensible review of PHI activity

Personnel Security: Granting of access to health information via an authorization process– Example: Card key access systems to file rooms, background

checks maintenance of security personnel

Security Configuration Management: Procedures to ensure that routine changes to system hardware and/or software do not create security weaknesses– Example: Routine pre- and post-implementation procedures


Administrative Procedures – Rules (cont.)

Security Incident Procedures: Documented instructions for reporting and reviewing security breaches– Example: Reporting pathways (anonymous if necessary)

Security Management Process: Processes to ensure the prevention, detection, containment and correction of security breaches. Includes risk analysis, risk management, sanction policy and security policy– Example: Annual risk level reviews

Termination Procedures: Procedures for securing systems upon employee termination– Example: Exit interviews and checklists

Training: User education and awareness training– Example: Incorporated awareness training with existing programs


Administrative Procedures – Impact

Most organizations have inadequate security policies and procedures

This requires additional resources for updates and development efforts

Ensuring all security policies and procedures are enforced throughout the organization requires cooperation from all employee levels

Integration of chain of trust partner agreement language may require new contracts with third parties

Providing security awareness training for all employees requires a detailed training program with ongoing maintenance

Physical Safeguards

RulesImpacts


Physical Safeguards – Rules

Assigned Security Responsibility: Security responsibility assigned to a specific individual(s) – Example: Security committee

Media Controls: Policies and procedures that govern the receipt and removal of hardware and software into and out of a facility. Includes data backup, storage and disposal– Example: Property accountability documentation

Physical Access Controls: Limiting physical access to systems. Includes the following: disaster recovery, emergency mode operation, equipment control, facility security, physical access verification, maintenance records, need-to-know procedures, visitor sign-in, and testing and revision of all components– Example: Data center restrictions


Physical Safeguards – Rules (cont.)

Workstation Use: Instructions and procedures delineating secure use of computer workstations– Example: Acceptable workstation usage guidelines

Workstation Location: Safeguards for secure location of computer workstations– Example: Monitor position in public areas

Security Awareness Training: Security awareness training for all employees, agents and contractors– Example: Incorporated awareness training with existing programs


Physical Safeguards – Impacts

In order to properly address security issues organizational charts and individual responsibilities may need review

Workstation use must be addressed through employee education and consistent enforcement of policies and procedures

Physical access controls and secure workstation locations may affect current business practices

Technical Security Services

RulesImpacts


Technical Security Services – Rules

Access Control: Restricted access to health information by need-to-know– Example: Application access based on job description

Audit Controls: Audit control mechanisms to record and examine system activity– Example: Turn on network event logs to allow for appropriate audits

Authorization Control: Mechanisms for obtaining consent for use and disclosure of health information– Example: Application functionality which allows “flagging”

Data Authentication: Ability to corroborate that data have not been altered or destroyed– Example: Use or check sum, double keying or digital signature to assure

the data are not altered

Entity Authentication: Ability to corroborate that user is who he claims he is – Example: Biometric ID or unique usernames and passwords


Technical Security Services –Impact

Some systems in use today may not have adequate security controls to comply

Implementation of access controls for systems must be an integrated effort between business and IT

System processing and storage requirements may increase to support enhanced auditing capabilities

Group ID’s and shared passwords will not be permitted

Technical Security Mechanisms

RulesImpacts


Technical Security Mechanisms – General Rules

For all systems:

Integrity Controls: A security mechanism employed to ensure the validity of the information being electronically transmitted or stored– Example: Approved/unapproved network protocols

Message Authentication: Ensuring, typically with a message authentication code, that a message received (usually via a network) matches the message sent– Example: Verification that data packet sent is received

Access Controls or Encryption: Protection of sensitive communications over open or private networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient ORtransforming confidential plaintext into ciphertext to protect it– Example: VANs may eliminate the need for certain encryption technologies


Technical Security Mechanisms – Network Rules

If using a network for communications:

Alarm: In communication systems, any device that can sense and abnormal condition within the system and provide, either locally or remotely, a signal indicating the presence of the abnormality– Example: Devices that sense abnormal conditions

Audit Trail: The data collected and potentially used to facilitate a security audit– Example: Audit log retention


Technical Security Mechanisms – Network Rules (cont.)

If using a network for communications:

Entity Authentication: A communications or network mechanism to irrefutably identify authorized users, programs, and processes and to deny access to unauthorized users, programs and processes– Example: Unique identification

Event Reporting: A network message indicating operational irregularities in physical elements of a network or a response to the occurrence of a significant task, typically the completion of a request for information– Example: Network messages indicating operational abnormalities


Technical Security Mechanisms – Impacts

Implementation of access controls to the network must be an integrated effort between the business and IT

Use of new network security technologies (e.g. encryption) will require significant end user training

Group ID’s and shared passwords will not be permitted

Network alarms, audit trail, and event reporting requirements may require additional resources and technologies to ensure compliance

Summary

SummaryThe Bottom LineQuestions


Summary

Areas of impact on health care organizations will be:– Development, documentation and training of policies

and procedures– Assignment and operation of security responsibility– Identifying and contracting chain of trust agreements

with trading partners– Training workforce members on information security

and altering the confidentiality culture– Implementing access controls, authorization controls

and entity authentication for all systems– Identifying and implementing the “right” technical

solutions


The Bottom Line

The Privacy regulations have been the top priority for HHS; the final Security Rule is expected in August 2002

Compliance is 26 months after the final rule is published

At the present time, there is no indication who will be the enforcement agency, when enforcement will be effective, and how enforcement will be conducted

Questions and Discussion

?????

???

Resources


Resources

Association for Electronic Health Care Transactions (AFEHCT):

–Impacts of HIPAA (particularly EDI)–Security Self-Evaluation Checklist

http://www.afehct.org

American Health Information Management Association (AHIMA):

–Benchmark information and case studies–Interim Steps for Getting Started

http://www.ahima.org/hipaa.html

American Society for Testing and Materials (ASTM):–Standards guides for security

http://www.astm.org

Center for Healthcare Information Management (CHIM):–Up-to-date industry perspective on proposed rules and their status

http://www.chim.org

Computer-Based Patient Record Institute (CPRI):–CPRI Security Toolkit

http://www.cpri-host.org

Department of Health and Human Services HIPAA Administrative Simplification:

–Latest News on Regulations–Current proposed and final rules

http://aspe.hhs.gov/admnsimp/index.htm

Electronic Healthcare Network Accreditation Commission (EHNAC):

–Certification Program for HIPAA Compliance (under development)

http://www.ehnac.org


Resources (cont.)

For the Record: Protecting Electronic Health Information (National Academy Press, 1997) 800-624-6242

–Full Report

http://www.nap.edu

Health Privacy Forum–Comparison of Privacy proposed and final rules–Comparison of state privacy laws

http://www.healthprivacy.org

HIMSS: Protecting the Security and Confidentiality of Healthcare Information (Volume 12, Number 1, Spring 1998)

–Articles

http://www.himss.org

HIPAA Home Page http://www.hcfa.gov/hipaa/hippahm.htm

HIPAA Transaction Implementation Guides from the Washington Publishing Company

http://www.wpc-edi.com

Joint Healthcare Information Technology Alliance (JHITA)–Summary of Privacy rules–Upcoming HIPAA conferences

http://www.jhita.org

Links to other HIPAA sites http://www.hcfa.gov/medicare/edi/hipaaedi.htm

Medicare EDI http://www.hcfa.gov/medicare/edi/edi.htm


Resources (cont.)

National Uniform Billing Committee http://www.nubc.org

National Uniform Claims Committee http://www.nucc.org

Washington Publishing Company–ANSI ASC X12N HIPAA Implementation Guides

http://www.wpc-edi.com/hipaa

Subscribe to email release of HIPAA documents (such as notice of proposed rule making)

http://www.hcfa.gov/medicare/edi/admnlist.htm

Workgroup for Electronic Data Interchange (WEDI):–Details of SNIP effort (Strategic National Implementation Pilot)

http://www.wedi.org

hipaa 203: security an introduction to the draft hipaa security regulations

Documents

draft security rule

security regulations

loss w security

security compliance

security needs

purpose of security

source w security requirements

hipaa security requirements