Legally defensible security: Covering your bases on HIPAA, CMR 17

HIPAA and HITECH compliance is not necessarily the same as Mass 201 CMR 17 compliance, but there are common procedures to achieve "legally defensible" security.

Compliance challenges are nothing new in the healthcare sector. For years, hospitals, insurers and related suppliers have been grappling with the likes of HIPAA and, in cases where credit card data is used, PCI DSS. Meanwhile, Mass 201 CMR 17 has made compliance even more complex for anyone doing business in and with companies in Massachusetts.

IT security practitioners and compliance officers have generally settled into a process that provides what the data security regulations and privacy standards require. But at a compliance workshop in the Boston offices of Mintz Levin Tuesday morning, legal, privacy and security experts noted that some challenges remain particularly vexing -- especially when it comes to figuring out differences between regulations and carving out a security plan that covers all the bases.

"Even though these things are not new, there is still confusion over whether you have to worry about one set of regulations if you already comply with another set," said Mike Spinney, senior privacy analyst at the Ponemon Institute and owner of the SixWeight consultancy.

A panel consisting of Spinney, Cynthia Larose of Mintz Levin, Matt Pettine of MFA Cornerstone Consulting LLC and Nagraj Seshadri of security vendor Sophos, sought to untangle the confusion and present the common building blocks of a plan that will at least ensure "legally defensive security."

Also see "The Mass. 201 CMR 17 Survival Guide"

Larose offered the legal perspective, noting that there is some overlap between HIPAA and CMR 17. But there are also some distinct differences, and HIPAA compliance does not free an organization from having to heed the requirements of CMR 17. One specific difference in the regs is that encryption isn't required outright under HIPAA, but it is under CMR 17.

Though HIPAA has been criticized in the past for a lack of enforcement, HITECH has added teeth to the things HIPAA first outlined. In an article for CSO, Rick Kam of ID Experts noted the following examples of what HITECH adds to the mix:

  • New requirements around managing Protected Health Information (PHI) information, including extending accountability from healthcare providers to their business associates;
  • New federal rules for data breach notification, including specific notification thresholds, timelines and methods; and
  • Effective immediately, increased and sometimes mandatory penalties with maximum fines ranging from $25,000 to as much as $1.5 million.

As for the penalties, Larose, said, the worst thing an organization can do is fail to act the second a breach is discovered. Companies that fail to act and notify within 30 days face the stiffest penalties. She also noted that under HITECH, the authorities notify the public of a breach within 60 days of an incident. The list keeps growing and examining the most common points of failure on the list can be enormously useful, she said.

"The list keeps growing and it's quite shocking," she said. "Most incidents involve lost laptops and USB drives."

Often overlooked are the rules for physical security; specifically those involving paper. "The loss of paper is a very big problem, as we saw with the recent case where medical records were found in a landfill," she said. "I can't say it enough: Protect your paper records."

Such protection includes locks on file cabinets and restrictions for who can and can't access the room where paper records are kept. Larose said CMR 17 is as clear about the need to protect paper records as it is about electronic records.

Panelists frequently mentioned the growing issue of security between an organization and its business partners. As the most recent Global Information Security Survey points out, IT security practitioners are increasingly worried about what their business partners are doing to ensure security on their end.

One point of confusion is around what happens if a storage company loses your data tapes. "Back-up tapes in transit remain your responsibility, not that of the third-party company handling it," she said. "If a driver leaves tapes in a box on the corner, there may be contractual violations on the vendor's part, but it's still YOUR breach."

To that end, she said, here's a tip: When entering into a partnership with third-party vendors, make them sign an agreement that outlines all the specific security requirements they will heed, in keeping with the likes of CMR 17.

Seshadri focused on the technological needs for meeting all the various regulations. He recommended people check out the The National Institute of Standards and Technology (NIST) website, which outlines the common technologies organizations must have. When thinking about encryption, whatever the regulation, Seshadri advised the audience to be thinking about removable media as well as the more obvious areas like data via e-mail and data at rest on the network.

"NIST has a nice template for what you need in terms of tech controls and covers many of the common needs for the various regulations," he said.

Pettine presented the auditor's perspective, focusing heavily on the importance of risk assessment and gap analysis. His first tip: Write down and keep a record of EVERYTHING you are collecting, what kind of data is stored and what you are doing to secure it.

"Doing a risk assessment starts with an inventory," he said. "You need to inventory your electronic data and your paper. Write down everything you do so you can then compare it to the regulations. That's a gap analysis. Finding gaps between what you do and the different regulations require, and making a manageable list of action items."

Of course, none of these things will help if the organization fails to pay attention to what their logs are trying to tell them. Pettine and Larose noted that if your IDS starts to report unusual activity and no one has looked at it, that is technically when the breach started.

And, you only get 60 days from when the breach started to notify the proper authorities.

Copyright © 2010 IDG Communications, Inc.

Subscribe today! Get the best in cybersecurity, delivered to your inbox.