HIPAAnotes Volume Two, January 2002

No. 1 HIPAA Tech: Passwords: How to select passwords with muscle!

We all know that HIPAA requires strong passwords, along with effective password training. Here’s how to select strong passwords that are easy to remember and fun to create.

Does your password training currently go something like this?

  • Select a password that is easy to remember, but hard to guess
  • Do not use your name, your children’s, animal’s, or parent’s names
  • Do not use a word found in the dictionary
  • Include alpha and numeric characters
  • Password minimum is 7 characters
  • Do not write your password down
  • Do not share your password with anyone

Not bad. These are all valid, common rules you may have seen for choosing passwords. However, selecting quality, easy-to-remember passwords requires a little more effort, and it can be a whole lot more fun!

Remember your favorite song. Is it “The Wheels On The Bus Go Round and Round” or “In a Gadda Da Vida”? Use either song, or any other favorite, to create a password that is more difficult to crack. Take the first letter of each word, then add a special character or number, and you will have a good password. “The Wheels On the Bus Go Round And Round” becomes TWOTBG$. “In a Gadda Da Vida” becomes IAG8DV.

If you and music don’t mix, consider something about you, your friends or family. “My Daughter Attends Trinity Presbyterian School” becomes MDATPS; add a special character or number and statistically it gets even stronger: MD@TPS. “I Took My Son To See Shrek” becomes ITMS2SS.

Your button still isn’t pushed? Another technique for creating passwords that aren’t in a dictionary or easily guessed is to combine words to create new words. For example, Party Animal becomes PARANI%, and Happy New Year becomes HAPNEWY*.

No password is perfect, and even the best system can be broken with enough time, money and computing power. But by using creative techniques like these, you will create better passwords. This will strengthen security and help ensure patient confidentiality.
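As an added illustration (not code from the note or from Phoenix Health Systems), here is the training list above turned into a policy check, with the mnemonic technique alongside it. The word list and the personal names are constructed stand-ins; a real deployment would load a full dictionary and the user's own names.

```python
import re

MIN_LENGTH = 7
# Constructed stand-in for a real word list; a deployment would load one
# (and the user's own names from HR data) instead of this small set.
DICTIONARY = {"password", "wheels", "party", "animal", "happy", "shrek"}

def initialism(phrase: str, suffix: str = "") -> str:
    """First letter of each word, upper-cased, plus an optional symbol or
    digit: the technique the note applies to song titles and sentences."""
    return "".join(word[0] for word in phrase.split()).upper() + suffix

def check_policy(password: str, personal_names=()) -> list[str]:
    """Return the training-list rules the password violates (empty = passes).
    Only the rules a program can test are covered; 'don't write it down'
    and 'don't share it' are behavioural and belong in training."""
    failures = []
    lower = password.lower()
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        failures.append("must include both letters and digits")
    # Strip digits/symbols first so 'Wheels99' is still caught as 'wheels'.
    if re.sub(r"[^a-z]", "", lower) in DICTIONARY:
        failures.append("is a dictionary word (ignoring digits and symbols)")
    for name in personal_names:
        if name.lower() in lower:
            failures.append(f"contains the personal name '{name}'")
    return failures

if __name__ == "__main__":
    # The note's own example passwords run against the listed rules.
    for pw in ("TWOTBG$", "IAG8DV", "MDATPS", "MD@TPS", "ITMS2SS", "PARANI%"):
        print(pw, check_policy(pw) or "passes")
    print(check_policy("Alice2024", personal_names=["Alice"]))
```

The note's mnemonics were built with "a special character or number", so a policy that insists on a digit will reject several of them; decide which reading you want before writing the rule into your password filter.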

It’s your turn. Be creative, and select a first-class password. It may even be fun!

William M. Miaoulis, Principal
Phoenix Health Systems


No. 2 HIPAA Terms: Risk Assessment, Risk Analysis, Risk Management

There is a lot of confusion between the terms Risk Assessment, Risk Analysis and Risk Management with regards to what is required by the HIPAA proposed security standards. Let's discuss your Security Management Program and how these basic components will help ensure that it is cost effective, documented and allocates security resources appropriately.

Risk is the possibility of something adverse happening. Risk assessment is not defined by HIPAA; however, it is commonly accepted as the process of defining deficiencies or "gaps" in your current security program. We prefer the term GAP analysis or Impact Analysis. This analysis is the first component of becoming HIPAA compliant.

Security Management includes both Risk Analysis and Risk Management. This risk-based Security Management process lets you ensure that your HIPAA security solutions reflect a balance between risk and cost, so that risks are minimized in the most cost-effective manner possible.

  • Risk Analysis is a process whereby cost-effective security/control measures may be selected by balancing the costs of various security/control measures against the losses that would be expected if these measures were not in place.

  • Risk Management is the process of assessing risk, taking steps to reduce the risk to an acceptable level and maintaining that level of risk.

After performing an Impact Analysis of systems and networks, a documented process to determine the best method for remediation must be completed. This is where Risk Analysis and Risk Management come into the picture. To perform Risk Analysis/Risk Management, first determine the risk to the organization and to the patient data. List the possible remediation steps, timeframes and resources required (people, money, etc.). Then determine the best steps to take to reduce risk to an acceptable level. HIPAA does not require security and risk reduction at any cost; it DOES require documented risk-based decisions.

Here's an example: let's assume that you determine that your current Disaster Recovery Plan is not adequate. The impact of a loss of data processing capabilities creates an unacceptable risk. Fire, tornado and flood are real threats; the probability of each is low, but the impact is high. You research your best options and find that you can:

  1. utilize a vendor to provide a hot-site location for $10,000 per month, OR
  2. build a redundant data center at a cost of $2,500,000.

You can then make a documented decision to utilize the hot-site as a reasonable cost effective step to reduce the risk to an acceptable level.

Here's another example: a primary clinical system in use does not provide an audit trail. You determine that this creates an unacceptable risk (threat) to patient data, as unauthorized users can view patient records without detection. The probability of this occurring is high and the impact is also high. Action is required. You determine your options are to:

  1. await a vendor release at a cost of $100,000, OR
  2. replace the system with a HIPAA security compliant version for $3.5 million.

Now you must make a documented, defendable decision as to which option is in your organization's best interest. The decision may be complicated by additional factors; for example, one of the options may not deliver an audit trail in the first year because vendor resources are focused first on other, greater risk-reduction areas.

Risk analysis/risk management allows the institution to review its options to mitigate the risk and choose the best fit for the organization. Document all decisions; this will help demonstrate due diligence with regards to minimizing risk to acceptable levels. Use these techniques to create a prioritized action plan with acceptable timeframes. Execute this plan and ensure that resources are expended in the most cost-effective way while reducing risk to acceptable levels.
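As an added illustration (not from the note or from Phoenix Health Systems), the two examples above written as a small risk-decision record: rate the risk as probability times impact, keep only the options that bring it to an acceptable level, pick the cheapest, and record why the others lost. The dollar figures are the note's; the 1-to-3 rating scale, the residual scores, the acceptable threshold of 3 and the five-year horizon are assumptions.

```python
from dataclasses import dataclass, field
RATING = {"low": 1, "medium": 2, "high": 3}  # the note's probability/impact words

@dataclass
class Option:
    name: str
    cost: float          # dollars over the planning horizon
    residual_score: int  # probability x impact once the option is in place

@dataclass
class Risk:
    description: str
    likelihood: str
    impact: str
    options: list = field(default_factory=list)

    def score(self) -> int:
        """Inherent risk as probability x impact on the 1..3 scale (max 9)."""
        return RATING[self.likelihood] * RATING[self.impact]

def decide(risk: Risk, acceptable: int) -> dict:
    """Return the decision record the note says HIPAA wants: the cheapest
    option that brings the risk to an acceptable level, and why the rest lost."""
    viable = [o for o in risk.options if o.residual_score <= acceptable]
    if not viable:
        raise ValueError(f"no option reduces '{risk.description}' to {acceptable}")
    chosen = min(viable, key=lambda o: o.cost)
    rejected = {}
    for o in risk.options:
        if o is not chosen:
            rejected[o.name] = ("residual risk still unacceptable"
                                if o.residual_score > acceptable
                                else f"costs {o.cost - chosen.cost:,.0f} more")
    return {"risk": risk.description, "inherent_score": risk.score(),
            "chosen": chosen.name, "rejected": rejected}

# Dollar figures are the note's; residual scores and the 5-year horizon are assumptions.
YEARS = 5
dr_plan = Risk("Disaster Recovery Plan inadequate", "low", "high", [
    Option("hot-site vendor", 10_000 * 12 * YEARS, residual_score=1),
    Option("redundant data center", 2_500_000, residual_score=1),
])
audit_trail = Risk("clinical system lacks audit trail", "high", "high", [
    Option("await vendor release", 100_000, residual_score=3),
    Option("replace system", 3_500_000, residual_score=1),
])

if __name__ == "__main__":
    for r in (dr_plan, audit_trail):
        print(decide(r, acceptable=3))
```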


William M. Miaoulis, Principal
Phoenix Health Systems


No. 3 HIPAA Terms: Implementing Effective HIPAA Policies - Part I

It is often said that policies are the key to security and privacy. Why? What's the difference between a "policy" and a "procedure?" In this HIPAAnote, we'll address these questions, and next week in Part II we'll look at the characteristics of an effective policy and the steps required to develop one.

The primary objective of any policy is to change user attitude and behavior. Security and privacy policies officially point the workforce in the right direction, towards protecting patient privacy and the confidentiality of patients' personal health information, and serve as the foundation and rationale for the procedures that will follow. Further, policies clearly demonstrate management's commitment to privacy and security and its intention to make sure patient information is properly protected. In addition, documented policies can serve as strong evidence that an organization is exercising due diligence with regards to security and confidentiality. Finally, of course, a reason for privacy and security policies is that HIPAA legislation requires them.

The terms "policy" and "procedure" are often confused. But each has a different purpose and different characteristics, and should be used in a different way.

Policies are written decisions made by those in authority (typically management) to direct the actions of others. Policies contain guidelines to govern, and they set limits within which individuals are expected to operate. Policies can be viewed as the "WHAT" that management expects. Procedures, on the other hand, reflect the "HOW." Procedures are standardized, documented administrative practices: the step-by-step processes by which policies are implemented.

When creating policies it is important to remember this "WHAT" versus "HOW" distinction. Why? Combining procedures into a policy has several negatives. First, it often dilutes the desired impact of what should be a concise, clear policy statement. Further, the longer the document, the less likely it will be read in full. Finally, to become effectively institutionalized, policies should be able to stand the test of time. Unlike hands-on procedures, which may require frequent updating as a result of technological developments and operational changes, policies should stand on their own, independent of such factors. Mixing the "apples and oranges" of policies and procedures will shorten the life of any policy. And, in the long run, such bundling will require covered entities to recreate new policies and start all over again on incorporating them into their organizational fabric.


William M. Miaoulis, Principal
Phoenix Health Systems


No. 4 HIPAA Terms: Implementing Effective HIPAA Policies - Part II

In the last HIPAAnote we discussed why privacy and security policies are critical to HIPAA compliance, and the difference between a "policy" and a "procedure." This HIPAAnote looks at the characteristics of effective policies, and steps needed to implement them.

Effective policies should:

  • be sanctioned, published, promulgated, and given visible support by top management.
  • cover all the pertinent requirements of management concerning the subject matter.
  • not include operational details that may vary from time to time.
  • meet the test of uniformity (apply consistently across all affected areas).
  • meet the test of observance (workforce knows of them and follows their prescriptions).
  • meet the test of longevity (should seldom have to be changed), but are revisable as requirements change.

Because policies will affect most, if not all, the organization's workforce, stakeholder representatives should be part of the process of policy development and endorsement. One approach is to utilize a committee (Security and Confidentiality), making sure it includes your Privacy Officer and Security Officer.

To create policies:

  • Establish a formal project to develop policies.
  • Obtain support and involvement of management.
  • Read and understand the original HIPAA regulatory text on the issue at hand.
  • Research the issue and how others have addressed it. Don't assume you must re-invent the wheel. Sample approaches abound at the Web sites of many industry associations (AHIMA, AHA, AAMC), government agencies (NIST, NIH, and state HIPAA sites), other HIPAA-focused organizations (WEDI-SNIP and regional HIPAA initiatives) and private sector sites (e.g. security and law firms). But, a word of caution. Every covered entity is unique, and policies must reflect its particular needs, environment, and culture. Tailor your policies to your organization.
  • Draft the policies for committee review and approval. Make them short (one to two pages), and written in plain language that anyone can read and understand.
  • Follow your organization's review and approval process (including Legal).

Set a timetable for announcing approved policies PRIOR to relevant compliance dates. Announcements should come from senior management, and should reference the procedures to come that will facilitate compliance.

If policies are to become an integral part of the organizational fabric, they must be included in employee orientation and staff training programs. This is not just a "good idea;" the framers of HIPAA were so aware that behavioral change takes time and reinforcement that training of every workforce member on HIPAA policies is a requirement. And, should violations occur, it is equally necessary that enforcement and sanctions follow.


William M. Miaoulis, Principal
Phoenix Health Systems



HIPAAdvisory.com
Phoenix Health Systems
Copyright 2000-2006. All rights reserved.
