In Depth

Managing HIPAA's Pain

Halfway between the deadlines for HIPAA's privacy and security rules, health-care CISOs share compliance lessons for the rest of us.

By Sarah D. Scalet

Page 4

And so, one cold morning in January, shortly after 6 a.m., Moroses threw the switch on a set of network architecture changes that would grant him global control of things like screen savers, thus setting the stage for the 705-bed hospital in Brooklyn, N.Y., to become HIPAA compliant. The screen savers, it turns out, were the easy part.

"Previous to this, everyone was focused on making [systems] as easy for caregivers as possible," Moroses says. "Then HIPAA comes along and says it's not so much ease of use but making sure the correct people have access to information. Those are two competing ideas, and you have to reconcile that. That's where the gap exists."

Consider, for instance, access to Maimonides' electronic medical records. When the electronic medical record (EMR) system went live, it was set up to save doctors time at log-on: computers in patient care areas used generic, shared network log-ons, and doctors typed unique user names and passwords only for the EMR system, which restricted the information any given user could see and kept an audit trail of who looked at what. That was convenient, but it meant there was no way to track who was accessing other network resources from those machines, because the network itself never knew who was sitting at the keyboard.

Before Moroses and his group could replace the generic network log-ons in patient care areas with unique user names and passwords, however, they had to get approval from clinical leadership: a hospital information systems advisory committee, which includes all the clinical chairmen plus the chief operating officer, senior vice presidents and vice presidents; and a physician task force, a subcommittee working group chaired by a doctor.

"Everything we do comes through that committee," Moroses says. "They can either recommend it or shoot it down."

At first, they shot it down.

When Moroses' group approached the chairman of the emergency department about the change, "He said, 'We can't do it, no way,'" Moroses recalls. ER doctors couldn't spend an extra 80 seconds logging on without negatively affecting patient care. So the groups went back and forth until they found a solution that everyone could live with: The 230 computers in the emergency department would be separated from the rest of the network and have access only to EMR data, so the EMR system's own per-user log-on and audit trail would cover everything those machines could reach. Computers outside clinical care areas would require unique user names and passwords for both the network and the EMR system.

Compliance is a game of compromise.

Now that the technical framework is in place, Moroses is focusing on processes. For instance, if someone in the accounting department has left the hospital but is still collecting vacation pay, her network privileges need to be revoked on her last day of work, not on the day the paychecks stop. Or if a nurse fills in for a colleague in another department, Moroses needs a process to cut off the temporary access rights once the nurse returns to the old job, rather than relying on someone to remember to ask.
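The two cases above are the standard leaver and mover checks of an access-review process. The following is an added example, not code from the hospital or from the article's author: a reconciliation job that compares HR records and temporary grants against the enabled accounts and reports what should be cut off. The record layouts, user names, departments and dates are constructed for illustration, and the run is assumed to happen after close of business each day.

```python
"""Leaver/mover reconciliation for network access.

Added example for this article, not the hospital's own code. The record
layouts, user names, departments and dates are constructed to illustrate
the two cases the text describes: a leaver who is still on payroll, and a
temporary cross-department grant that must lapse on its own.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Worker:
    username: str
    home_department: str
    last_working_day: Optional[date]  # None: still employed
    payroll_end: Optional[date]       # may run past last_working_day (vacation pay)


@dataclass(frozen=True)
class Grant:
    username: str
    department: str                   # department whose systems the grant opens
    expires: Optional[date]           # last valid day; None: standing grant


def reconcile(workers: List[Worker], grants: List[Grant],
              active_accounts: List[str], today: date) -> Dict[str, list]:
    """Compare HR records and access grants against enabled accounts.

    Assumed to run after close of business on `today`. Returns the items
    the process should act on:
      disable          accounts whose last working day is today or earlier
                       (payroll_end is deliberately ignored)
      orphaned         enabled accounts HR has no record of
      expired_grants   temporary grants whose last valid day has passed
      unbounded_grants cross-department grants that carry no expiry at all
    """
    hr = {w.username: w for w in workers}

    disable = sorted(
        u for u in active_accounts
        if u in hr and hr[u].last_working_day is not None
        and hr[u].last_working_day <= today
    )
    orphaned = sorted(u for u in active_accounts if u not in hr)
    expired = sorted(
        (g.username, g.department) for g in grants
        if g.expires is not None and g.expires <= today
    )
    # A loan of access to another department with no end date is a policy
    # violation in its own right: nothing will ever trigger its removal.
    unbounded = sorted(
        (g.username, g.department) for g in grants
        if g.expires is None and g.username in hr
        and g.department != hr[g.username].home_department
    )
    return {"disable": disable, "orphaned": orphaned,
            "expired_grants": expired, "unbounded_grants": unbounded}


# Constructed sample data (not real records).
WORKERS = [
    Worker("jdoe", "Accounting", date(2004, 1, 30), date(2004, 2, 13)),  # leaver on vacation pay
    Worker("rlee", "ICU", None, None),          # nurse who covered the ER for two weeks
    Worker("tkim", "Pediatrics", None, None),   # nurse with an open-ended loan to Oncology
    Worker("mpatel", "ER", None, None),         # physician, nothing unusual
]
GRANTS = [
    Grant("rlee", "ER", date(2004, 1, 31)),     # temporary, should have lapsed
    Grant("tkim", "Oncology", None),            # temporary in intent, never bounded
    Grant("mpatel", "ER", None),                # standing grant in own department
]
ACTIVE_ACCOUNTS = ["jdoe", "rlee", "tkim", "mpatel", "svc_oldpacs"]
TODAY = date(2004, 2, 2)


if __name__ == "__main__":
    for action, items in reconcile(WORKERS, GRANTS, ACTIVE_ACCOUNTS, TODAY).items():
        print(f"{action}: {items}")
```

The point of keying the leaver check on `last_working_day` rather than `payroll_end` is exactly the accounting-department case in the text: HR's "still employed" flag stays set while vacation pay runs, so a feed driven by payroll status would leave the account open for two more weeks. The `unbounded_grants` list catches the nurse case at the source, by refusing to let a cross-department grant exist without a date on it.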
