HIPAA, Privacy, Security, and Good Business

DESCRIPTION

HIPAA's implications for privacy and security practices in American businesses, addressed in March of 2001 at the Employers' Summit on Health Care, by Stephen Cobb, CISSP. Uploaded in 2014 for the historical record.

TRANSCRIPT

Page 1: HIPAA, Privacy, Security, and Good Business

Stephen Cobb, CISSP, Rainbow Technologies, Spectria Division

1 of 18

HIPAA, Privacy, Security, & Good Business

Stephen Cobb, CISSP

Dir. Research & Education

Rainbow Technologies, Spectria Division

Employers' Summit on Health Care

March 21 - 22, 2001

Page 2: HIPAA, Privacy, Security, and Good Business

HIPAA, Privacy, Security, & Business

• HIPAA is about privacy, but not just privacy.

• HIPAA is also about systems and security.

• Privacy is not the same as security, but

• Without security, you can’t deliver privacy.

• HIPAA is not the only privacy legislation.

• HIPAA is not the only security legislation.

• Privacy is not the only reason for security.

• Businesses that “get” privacy and security today will do better than those that don’t.

Page 3: HIPAA, Privacy, Security, and Good Business

HIPAA is about privacy

• 164.502 Uses and disclosures of protected health information: general rules.

– (a) Standard. A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.

• 164.530 Administrative requirements.

– (c)(1) Standard: safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

Page 4: HIPAA, Privacy, Security, and Good Business

HIPAA is not just about privacy

• Paraphrase: “appropriate safeguards to protect the privacy of health information.”

• That is, to ensure privacy you need security.

• But HIPAA 160 (the privacy rule) is not specific about security:

– Implementation specification: safeguards (164.530(c)(2)).

– A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.

Page 5: HIPAA, Privacy, Security, and Good Business

HIPAA may become more specific

• HIPAA 142 describes “a set of requirements with implementation features that providers, plans, and clearinghouses must include in their operations to assure that electronic health information pertaining to an individual remains secure.”

• “we are designating a new, comprehensive standard...which defines the security requirements to be fulfilled to preserve health information confidentiality and privacy as defined in the law.”

– 45 CFR Part 142, Security & Electronic Signature Standards (proposed rule), Federal Register, Vol. 63, No. 155, 8/12/98

Page 6: HIPAA, Privacy, Security, and Good Business

If 142 follows 160, then HIPAA will:

• require each health care entity engaged in electronic maintenance or transmission of health information

• to assess potential risks and vulnerabilities to the individual health data in its possession in electronic form,

• and develop, implement, and maintain appropriate security measures.

• 142 stresses that these measures must be documented and kept current.

Page 7: HIPAA, Privacy, Security, and Good Business

We can call this the writing on the wall.

• We are looking at a Federally mandated standard for security practices within companies involved in healthcare or handling health-related information.

• Note that these are considered:

– practices necessary to conduct business electronically in the health care industry today.

• In other words, normal business costs,

– things you should be doing today, possibly pre-empting arguments over the cost of such standards.

Page 8: HIPAA, Privacy, Security, and Good Business

Security practices in the proposed standard are divided into two categories

• Organizational Practices

– Security and confidentiality policies

– Information security officers

– Education and training programs, and

– Sanctions

• Technical Practices and Procedures

– Individual authentication of users

– Access controls

– Audit trails

– Physical security

– Disaster recovery

– Protection of remote access points

– Protection of external electronic communications

– Software discipline, and

– System assessment.

Use these as a check list for comparison with your current security practices.

Page 9: HIPAA, Privacy, Security, and Good Business

We can see that HIPAA is also about systems & security

• As we get to grips with 164.530(c)(1)

– “appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”

• We have to anticipate what 142 will consider appropriate, and plan accordingly.

Page 10: HIPAA, Privacy, Security, and Good Business

But privacy is not the same as security

• Privacy is a value, and, to differing degrees, in different cultures, a right.

• Security is a discipline, a methodology and a technology.

• Security is neutral

– it can serve privacy or hinder it.

– e.g. security technology such as biometrics, which can prevent unauthorized persons from accessing data, can also be used to track people without their consent, often considered an invasion of privacy.

Page 11: HIPAA, Privacy, Security, and Good Business

But without security, you can’t deliver privacy

• You need to make sure the vital ingredients of security are in place:

– Policies, procedures, classification, officers, training, awareness, sanctions.

– Strong, granular authentication, access controls, intrusion detection.

– Software methodology, discipline, testing, penetration testing.

Page 12: HIPAA, Privacy, Security, and Good Business

HIPAA not the only privacy legislation

• Right to Financial Privacy Act

• Children's Online Privacy Protection Act

• Bank Secrecy Act

• Fair Credit Reporting Act

• Identity Theft and Assumption Deterrence Act of 1998

• Fair Debt Collection Practices Act

• Financial Institution Data Match

• Title V, Gramm-Leach-Bliley Act

Page 13: HIPAA, Privacy, Security, and Good Business

G-L-B affects wide range of companies

• Joint Final Rule of OCC, FRB, FDIC, OTS: Privacy of Consumer Financial Information.

• Requires a financial institution to provide notice to customers about its privacy policies and practices;

• Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and

• Provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by “opting out” of that disclosure.

Page 14: HIPAA, Privacy, Security, and Good Business

HIPAA not the only security legislation

• The G-L-B (section 501(b)) interagency guidelines on safeguarding customer information:

– require that each bank implement a comprehensive written information security program that includes administrative, technical and physical safeguards for customer records and information appropriate to the size and complexity of the bank and the nature and scope of its activities;

– require the bank's board of directors, or an appropriate committee of the board, to approve and oversee the development, implementation and maintenance of the bank's information security program; and

– require banks to exercise appropriate due diligence in selecting and monitoring service providers, and that service providers implement appropriate security measures to meet the objectives of the guidelines.

Page 15: HIPAA, Privacy, Security, and Good Business

Privacy not the only reason for security

• If you do security right, you also get protection from:

– Malicious hackers, disgruntled employees.

– Malicious code, viruses, Trojan Horses.

– Industrial and government espionage.

– Stupid user errors and omissions.

– Allegations of negligence and shareholder lawsuits if something does go wrong.

Page 16: HIPAA, Privacy, Security, and Good Business

Businesses that “get” privacy & security today will do better than those that don’t

• Privacy is about respect for individuals, many of whom are your customers.

• Security is about the quality of your company in the age of information.

• Tomorrow’s top companies will be those that figure out today how to respect privacy and protect information systems while efficiently marketing and delivering goods and services.

Page 17: HIPAA, Privacy, Security, and Good Business

And this is not just my opinion

• Companies must take a whole-view approach to privacy

– To survive mounting consumer anxiety and the growing labyrinth of US and foreign regulation, firms need to institutionalize their commitment to protecting and managing their customers’ privacy by taking a comprehensive, whole-view approach to privacy.

– Anyone today who thinks the privacy issue has peaked is greatly mistaken. As with environmentalism [in the 60s] we are in the early stages of a sweeping change in attitudes that will fuel years of political battles and put once-routine business practices under the microscope.

• Forrester Report, February 2001

Page 18: HIPAA, Privacy, Security, and Good Business

Thank You!

Stephen Cobb