Managing HIPAA's Pain

Halfway between the deadlines for HIPAA's privacy and security rules, health-care CISOs share compliance lessons for the rest of us.

Three blocks north of Union Station in Washington, D.C., on the seventh floor of an ordinary brick building, a small office of the U.S. National Archives and Records Administration churns out a publication known as the Federal Register. This newspaper of sorts, which runs to hundreds of pages per business day, is the public record of rules, proposed rules, and notices that have been issued by federal agencies and executive orders from the president. In the office's library, there are shelves upon shelves of blue-green books that hold past issues of the Federal Register, a bureaucratic archive stretching back to 1935. And if you look up Volume 68, No. 34, Appendix A to Subpart C of Part 164, you'll find a 169-word security standards matrix that tells you everything you ought to be doing to protect your electronic data.

There are no surprises here, just the elegant obvious. Administrative safeguards. Physical safeguards. Technical safeguards. In all, three dozen specific action items, from data backup to password management to encryption, are pulled together on a one-page chart that summarizes a security rule laid out in the preceding 46 pages. And for all its brevity, this security matrix is an unexpected runaway success, the My Big Fat Greek Wedding of federal documentation, if you willa work that no one thought would have a particular impact but that was so accessible it took on a life of its own.

Two-thirds of an early-screening audience requested that the security matrix make its way into the final version of this security rule. It has provided the structure for countless security audits and gap assessments, for task forces and toolkits.

And it's just as important for what it's missing as for what it contains. You see, despite the fact that what we're talking about here applies only to companies in the health-care industryit was issued under the Health Insurance Portability and Accountability Act, or HIPAAit could apply to any company in any industry. First and foremost, this section of HIPAA documentation is about security.

"These are simply good practices," says Kate Borten, CISSP, who is president of health-care consultancy The Marblehead Group. "There's nothing specific to health care in the rule. This is textbook security 101."

"The regulation in general is highlighting good security practices that most security professionals agree on anyway," echoes Paul Scheib, CISO of Children's Hospital Boston. "The term EPHI [electronic protected health information] isn't relevant to other industries, but you could substitute 'business-critical information,' because any business is trying to protect its most critical information."

For the past half decade, legions of newly minted security officers in the health-care industry have been scrambling to meet first a privacy rule and now this security rule, which were both hammered out by the U.S. Department of Health and Human Services under the mandate of HIPAA, passed by Congress in 1996. (The compliance date for a third rule, which involves electronic transactions and code sets and is intended to streamline how health-care organizations process payments, was October 2003.)

CISOs in other industries have mostly yawned their way through the show. But, like it or not, an increasing number of them will soon be participants in, rather than observers of, the government's efforts to improve information security.

The Gramm-Leach-Bliley Act already has had an impact on financial services companies. Federal agencies are grappling with the Federal Information Security Management Act. Publicly held companies are looking at what role information security will play in assuring their internal controls, as required by the Sarbanes-Oxley Act's Section 404. Companies that do business in California are sorting out SB 1386, which requires them to have processes in place to notify customers whose personal information has been compromised. There are even rumblings of mandatory Securities and Exchange Commission disclosures about information security.

Yet no other industry has done as much to comply with such regulationsor been as open about their compliance effortsas the health-care industry.

Halfway between the April 2003 deadline for the HIPAA privacy rule and the April 2005 deadline for the security rule, we spoke with health-care CISOs about the gritty details of compliance. Here, they share what they're learning on their way down a road that you too may be destined to travel.

And at least one CISOwhose organization is working to comply not only with HIPAA but also with California's SB 1386 and, voluntarily, Sarbanes-Oxley Section 404thinks that it's about time.

"If all the regulations had come out 20 years ago," says Pacific Life Insurance Assistant Vice President and CISO Micki Krause, whom (ISC)2 named in 2003 as its top information security professional, "we'd all be in a better state."You Are Where?Rita Aikins isn't sure just yet what will be involved with bringing the Providence Health System into compliance with HIPAA's security rule. But she knows the process has to start with a risk assessment. Aikins is busy amassing a huge database of department, host/server and application surveys, which compare the requirements of the security rule with the realities at Providence, the Seattle-based nonprofit organization where Aikins is system director of privacy and information.

"[The database] is huge. It's a ton of data," says Aikins. Her group already has compiled 139 application surveys for Oregon alonetheir starting point in the audit process because the capital budget process for Providence's Oregon region occurs earlier than in the other three states where the organization operates. At the end of January, Aikins was wrapping up this security audit in Oregon, and she hoped to have Washington, then Alaska and finally California done by June 30.

Aikins decided it would be more productive to conduct the audit in-house rather than hire a consultant. "I thought it would help if the people who were doing the risk assessment were the ones responsible for implementing the rule," she says. But until the security audit is done, her team can do little else. "The risk assessment gives us the gap analysis"the action items that will put the organization in compliance with the regulation. "Without the risk assessment, you are just kind of spinning."

The final security rule makes that much clear. In an earlier version of the security rule, the requirements were democratically unprioritized. But in the final version, HHS decided to make this risk analysis first on the list of administrative safeguardsthe top line on the security matrix. "We believe this forms the foundation on which all of the other standards depend," the rule states.

And that's how most health-care organizations rang in the new year, says Cindy Smith, senior manager with PricewaterhouseCoopers' HIPAA security and privacy practices. "Organizations are in the throes of their risk assessments," she says. "It's never going to be trivial. Everyone is realizing it's a lot of work, but it's not rocket science. It's standard risk assessmentidentifying what assets you have and what the risks and vulnerabilities are."

This risk assessment process is a component of Sarbanes-Oxley compliance as well. A few companies are integrating the process and doing a thorough enough assessment to meet both regulations, Smith says. Most, however, aren't. "Some people are saying, I don't want to bite off what I can't chew."

Either way, once the security assessment is complete, the real gnashing and gnawing begins.Nuts and BoltsScreen savers. Two thousand, four hundred of them in all, which must lock up and blank out the EPHI on any device at Maimonides Medical Center left unattended for three minutes. "I can't go to 2,400 workstations to do things like set up screen savers," says Mark Moroses, security officer and senior director of technical services. "That's trench warfare."

And so, one cold morning in January, shortly after 6 a.m., Moroses threw the switch on a set of network architecture changes that would grant him global control of things like screen saversthus setting the stage for the 705-bed hospital in Brooklyn, N.Y., to become HIPAA compliant. The screen savers, it turns out, were the easy part.

"Previous to this, everyone was focused on making [systems] as easy for caregivers as possible," Moroses says. "Then HIPAA comes along and says it's not so much ease of use but making sure the correct people have access to information. Those are two competing ideas, and you have to reconcile that. That's where the gap exists."

Consider, for instance, access to Maimonides' electronic medical records. When the electronic medical record (EMR) system went live, it was originally set up to save doctors time when they logged on to the network. Instead, computers had generic network log-ons, but doctors typed in unique user names and passwords for the EMR system, which restricted the information that any given user could access and provided audit capabilities as well. That was great for convenience, but it meant there was no way to track who was accessing other network resources.

Before Moroses and his group could replace the generic network log-ons in patient care areas with unique user names and passwords, however, they had to get approval from clinical leadership: a hospital information systems advisory committee, which includes all the clinical chairmen plus the chief operating officer, senior vice presidents and vice presidents; and a physician task force, a subcommittee working group chaired by a doctor.

"Everything we do comes through that committee," Moroses says. "They can either recommend it or shoot it down."

At first, they shot it down.

When Moroses' group approached the chairman of the emergency department about the change, "He said, 'We can't do itno way,'" Moroses recalls. ER doctors couldn't spend an extra 80 seconds logging on without negatively affecting patient care. So the groups went back and forth until they found a solution that everyone could live with: The 230 computers in the emergency department would be separated from the rest of the network and have access only to EMR data. Nonclinical care computers would require both network and EMR system unique user names and passwords.

Compliance is a game of compromise.

Now that the technical framework is in place, Moroses is focusing on processes. For instance, if someone in the accounting department has left the hospital but is still collecting vacation pay, her network privileges need to be revoked on her last day of work. Or if a nurse fills in for a colleague in another department, Moroses needs a process to cut off temporary access rights once he returns to his old job.

"There are a lot of little quirks that weren't addressed in the past, but now you have to deal with it. It's that kind of process change that's going to be the largest work," Moroses says. "An oil tanker needs about five miles to turn left. Health-care institutions are like that."Spread the WordOnce the policies are in place, the education challenge begins. In this instance, at least, health-care institutions have experience with the HIPAA privacy rule to guide them. At Carilion Health System in Roanoke, Va., Tom Newton, information security officer, remembers that it took four months to educate 10,000 staff members about the changesboth in terms of what the rule entailed, why it was important and how it should be applied correctly in an everyday environment.

The questions were far-ranging: What information can be left on an answering machine? When can a receptionist tell a caller whether an individual has a doctor's appointment that afternoon? How does a nurse identify a patient calling in for lab results? Where can patient names and room numbers be posted? All of these questions needed to be answered with policy and then passed on to employees.

If it sounds like employees get fire-hosed with rules, then you're right. "Oh, it's awful," Newton says. "It just inundates them with things."

In September, Carilion will begin the training process for the security rule. It will be easier this time around. The privacy rule applies to all kinds of protected health information, electronic and otherwise, but the security rule covers only electronic PHI.

Newton decided to rework existing policies to include new sections resulting from the security ruleas he did for the privacy compliance.

1 2 Page 1
Page 1 of 2
Security Smart: 4 Common Password Myths ... Debunked!