Your roadmap for HIPAA safeguards

September 1, 2004

The Administrative Simplification section of HIPAA consists of a trio of regulations that address privacy, transactions and security. Implementation of the final Security Rule and its mandated security practices must be in effect as of April 20, 2005, for most covered entities. Although the Privacy Rule only requires the presence of "adequate safeguards" for Protected Health Information (PHI), the Security Rule details more than 40 separate audit points within the categories of technical, administrative and physical safeguards. While the Security Rule spells out what must be done, it does not provide a road map for how to do it.

Understanding the "how to" of the Security Rule is at the core of this compliance challenge. Organizations can optimize the HIPAA compliance effort by drawing guidance from frameworks, standards and other sources of accepted, good security practices.

Applying a "best practice" approach helps organizations align with a broader set of practices and standards that will lead to a stronger information security posture. Building this strong foundation will enhance the organization's ability to remain compliant.

Technical safeguards

HIPAA regulation today remains at such a high level that it can be very difficult to determine the tactical, technical controls necessary for compliance.

For instance, within the Access Control standard, HIPAA requires "unique user identification." Individual organizations are expected to interpret the level of authentication appropriate for them given the criticality of their data, size and resources. It is generally considered good practice, for instance, to require strong authentication for any remote access to the network. But does this mean tokens, smart cards or maybe digital certificates? Or are strong passwords enough? Organizations must answer these questions for themselves.

Access control is a key consideration for HIPAA. At its simplest level, this means identifying which types of employees (possibly by role) need access to which types of PHI, and ensuring that each access can be traced back to an individual. This may be an arduous task for organizations with disparate platforms and operating systems performing authentication, but this level of accountability represents a "best practice."
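As an added example, not code from the original article: a deny-by-default role-to-PHI access check that refuses generic shared accounts (so every decision is tied to a uniquely identified user, which is what the "unique user identification" specification is asking for) and records an audit entry for each request. The role names, PHI categories, user names and the shared-account naming convention are assumptions made for illustration.

```python
"""Role-based access check for PHI with an audit trail (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy for illustration: role -> PHI category -> allowed actions.
# Anything not listed here is denied (deny by default).
POLICY = {
    "physician": {"clinical_notes": {"read", "write"}, "lab_results": {"read"}},
    "nurse": {"clinical_notes": {"read"}, "lab_results": {"read"}},
    "billing_clerk": {"billing": {"read", "write"}},
}

# Assumed naming convention for generic accounts that no single person owns.
SHARED_ACCOUNT_PREFIXES = ("shared-", "ward-", "generic-")


@dataclass
class AuditEntry:
    ts: str
    user: str
    role: str
    category: str
    action: str
    decision: str
    reason: str


@dataclass
class AccessControl:
    policy: dict
    audit_log: list = field(default_factory=list)

    def check(self, user: str, role: str, category: str, action: str) -> bool:
        """Decide the request, record it, and return True only if allowed."""
        decision, reason = self._decide(user, role, category, action)
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user, role, category,
            action, decision, reason))
        return decision == "allow"

    def _decide(self, user, role, category, action):
        # Accountability first: refuse anything not tied to one individual.
        if not user or user.startswith(SHARED_ACCOUNT_PREFIXES):
            return "deny", "access must be attributable to a uniquely identified user"
        perms = self.policy.get(role)
        if perms is None:
            return "deny", f"unknown role {role!r}"
        if action in perms.get(category, set()):
            return "allow", "permitted by role policy"
        return "deny", f"role {role!r} has no {action!r} on {category!r}"


def denied_entries(ac: AccessControl) -> list:
    """Return audit entries for denied requests (what a reviewer looks at first)."""
    return [e for e in ac.audit_log if e.decision == "deny"]


if __name__ == "__main__":
    ac = AccessControl(POLICY)
    # Constructed requests: a physician, a shared ward login, a billing clerk.
    ac.check("jsmith", "physician", "clinical_notes", "write")
    ac.check("ward-3", "nurse", "lab_results", "read")
    ac.check("rjones", "billing_clerk", "clinical_notes", "read")
    for e in ac.audit_log:
        print(e.decision.upper(), e.user, e.role, e.category, e.action, "-", e.reason)
```

The shared-account check sits ahead of the role lookup on purpose: a "ward-3" login with a perfectly valid nurse role still cannot satisfy the accountability requirement, so it is refused before any permission is considered, and the audit entry says why.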

Administrative safeguards

Compliance with the administrative safeguards required by HIPAA is strongly dependent on the existence and strength of the security program itself. A key goal for complying with administrative safeguards is to develop and maintain a security organization backed by strong policies and procedures that are communicated effectively and understood by the organization. ISO 17799 helps identify topics that should be covered in an effective information security policy and addressed with employees. ISO 17799 provides guidance across 10 general domains of security and can be used to ensure that security efforts and spending are spread adequately across the major areas of information security.

Specified within the administrative safeguards section of HIPAA, and of critical importance to all organizations, is the concept of "assigned security responsibility" to develop and implement required policies and procedures. Sources of good security practice suggest that it is essential to create a functional security organization built on collaborative administration. Information security requires cooperation across IT and the business, effectively touching everyone in the organization.

After implementing technical and non-technical controls, organizations are required by HIPAA to do periodic evaluations to ensure that those controls continue to protect Electronic Protected Health Information (EPHI). Sources of good practice suggest organizations should perform assessments of technical vulnerabilities, and of alignment with HIPAA requirements for non-technical controls, at least once a year. It is key to review ISO 17799 and COBIT and pick the elements that make sense for a specific organization.

Physical Safeguards

HIPAA regulations also attempt to set expectations concerning the level of physical security appropriate to protect EPHI. HIPAA focuses on the physical security of facilities, workstations, devices and media. For example, personnel must tightly control facility access in terms of logging entrances and exits. Facility security plans should also be addressed.

HIPAA gives some direction for physically protecting workstations, including the proper selection of locations and controlling access to computers that hold sensitive information. "Best practices" indicate that locations for certain devices should be carefully chosen. For example, placing readily accessible PCs with patient data in hospital hallways or at central administration desks is not advisable.

The challenge of complying with HIPAA can be turned into an opportunity if an organization focuses on creating a strong security program. Focusing on compliance alone potentially leaves large gaps in the overall program. At the most fundamental level, organizations need to ensure that critical patient data is kept confidential, is accurate and is available when needed. These are the key tenets of any effective security program, especially one that drives compliance.

Evan Tegethoff is principal consultant of security solutions for Forsythe.