
Key Security Questions For Healthcare Executives:
What to Ask and Answer Before Implementing the HIPAA Security Rule

By Clyde Hewitt and Bill Miaoulis, CISA, Principals, Phoenix Health Systems

Though many healthcare executives are sighing in relief with the passing of the April 14, 2003, HIPAA Privacy Rule deadline, they now face new challenges posed by the final HIPAA Security Rule. Published in February, the long-awaited security regulations require compliance by April 21, 2005. Many forward-thinking organizations have a good head start by prudently initiating security measures needed to safeguard patient privacy, but few are in a position to claim full compliance with the comprehensive new Security Rule.

To a great extent, the Security Rule puts the HIPAA spotlight back on Chief Information Officers (CIOs) and Information Systems managers to develop and implement cost-effective enterprise-wide security programs. However, the entire senior management team should play an important strategic planning role before practical measures are implemented. As healthcare organizations look toward developing annual budgets, the executive team should be asking such questions as:

"What are the security risks to my organization - and which are the highest priority?"

"What measures should be considered for our plan to reduce risk and become HIPAA Security compliant?"

"How much should we budget (money, resources) for security?"

In order to answer these questions, both the short-term and long-term impacts of the HIPAA Security Rule must be evaluated, with a focus on the organization's most important high-risk areas. In many organizations, it is likely that twenty percent of the issues will determine eighty percent of the cost.


First Steps in Risk Analysis and Security Planning

Beginning the process of risk analysis and security planning requires a critical eye and careful planning. It is a mistake to jump to conclusions about what needs to be fixed before the problems are fully understood.

The HIPAA Security Rule requires covered entities to have a risk management program in place to evaluate the value of the assets, the potential for a loss or disclosure, and the cost of additional countermeasures. The NIST 800-30 Risk Management Guide for IT Systems outlines a process for determining the return on investment for security measures, based on the following factors:

  • The likelihood of a given threat-source's attempting to exercise a given vulnerability
  • The magnitude of the impact should a threat-source successfully exercise the vulnerability
  • The adequacy of planned or existing security controls for reducing or eliminating risk

The NIST approach may be adequate for a risk management program focusing only on IT systems, but the scope of the HIPAA Security Rule encompasses more than IT. Executives should also look at threats to all of the organization's assets including programmatic threats caused by staffing and budgeting shortfalls.

The following checkpoints can help guide senior executives through the initial phases of developing an appropriate security program for their organization. You may want to employ an external security firm to perform vulnerability and penetration studies on your network and computer systems to support this process.


What are your most important security risks?

Before developing a protection strategy, the management team must first define what is worth protecting. HIPAA and good business practices dictate that we safeguard patient information entrusted to us. To be sure, the relative importance of tangible and intangible assets depends upon the view of the ranker, but it can be argued that senior staff in most healthcare organizations will include many, if not all, of the following in their lists of important security risks:

  • Loss of financial cash flow
  • Permanent loss or corruption of electronic protected health information (ePHI)
  • Temporary loss or unavailability of medical records
  • Unauthorized access to or disclosure of ePHI
  • Loss of physical assets (computers, etc.)
  • Damage to reputation and public confidence
  • Threats to patient safety
  • Threats to employee safety

Note that the final HIPAA Security Rule follows the philosophy of the proposed rule, in that it specifically focuses on "electronic Protected Health Information." Consider for a moment the medical records stored in an MRI or CT scanner. What about the ultrasound or EEG recorders? These exemplify the many less-than-obvious areas of risk to ePHI that could be accidentally disclosed, lost, or corrupted.


> Loss of financial cash flow

Without cash, the organization cannot function. Cash flow disruption can be caused by many factors, but the inability to record charges and bill for services due to a loss of data processing capabilities is certainly a risk that all organizations face. Security has been compared to a three-legged stool of integrity, availability and confidentiality. Using this definition, security includes ensuring that systems are available, and the HIPAA Security Rule requires contingency planning and disaster recovery plans. What would be the financial impact of a loss of data processing capabilities? Could a loss of data processing capabilities that lasted 30 days have a major impact on your financial cash flow? What other risks exist in your organization that might impact financial cash flow? Do you have a risk with regards to the HIPAA Transaction and Code Set requirements?


> Permanent loss of ePHI

Access to accurate patient information is critical in keeping a health care organization operational. Destruction or corruption of ePHI, particularly on a major scale, would be catastrophic for any healthcare enterprise. Examples of threats that could destroy or corrupt ePHI include a natural disaster such as a fire, an external hacker attack that destroys data on your computers, or a rogue programmer who creates code that corrupts not only the live data but your backup tapes as well. While downtime procedures may provide a relatively short-term workaround, the total loss or corruption of patient data will be nearly impossible for many organizations to recover from.

Are your backup procedures adequate? How much data would be lost if a tornado completely destroyed your data center? Unless you have redundant data at another location the answer will depend on the time of day, and is likely to range from one hour to 28 hours of data. How would your organization recover from losing the last 28 hours of data such as lab results, hospital charges, radiology results, orders, etc.?


> Temporary unavailability of ePHI

The temporary loss or unavailability of medical records containing ePHI can severely delay or impair care services and business operations. Examples could be as simple as a hard drive crash, a snow storm knocking out power to computers, or an application system malfunctioning. When was the last time you had an unplanned downtime? Many organizations have developed downtime procedures that can be used while networks are restored or backups are reloaded. These events, while disruptive, likely will not permanently scar a healthcare organization if there has been no permanent loss of data.

However, healthcare executives need to ask what would be the impact if computers go down for 2 hours, 6 hours, 24 hours, 48 hours, 1 week, 2 weeks, 4 weeks, etc.? How would you recover and re-enter data lost since the last backup tapes were created?


> Unauthorized access to or disclosure of ePHI

Now that the HIPAA Privacy regulations are in effect, unauthorized access to or disclosure of ePHI (confidentiality) must be on the list of every healthcare organization's important security risks. Many aspects of poor security can increase this risk and the HIPAA security rule focuses on reducing this risk. Terminals that do not have adequate timeout functions could allow an unauthorized user to gain access to ePHI. Inadequate audit trails and monitoring can create an environment whereby employees have unauthorized access to the ePHI of their neighbors, family members or co-workers.

Other organizations may have adequate audit trails but refuse to enforce sanctions on employees who breach security or privacy, thereby creating major risk to patient confidentiality. Add to this the very real risk of civil and criminal penalties, and the potential loss of reputation and credibility that may result from unauthorized disclosures or access.

What has your organization done to ensure proper ePHI access and disclosures? Could you defend yourself in court? Would you be able to answer if asked what your staff is doing to protect patient privacy? Are your security policies and procedures assisting you in ensuring patient confidentiality?


> Harm to reputation and public confidence

Many organizations rank their reputation and the confidence of their patient/client base as a highly valuable asset worth protecting. It is often difficult to put a dollar value on such intangibles. Further, loss of reputation presents a special security challenge, since it normally follows from some other loss or potential loss, such as a major patient security breach caused by an internal (employee) or external (hacker) threat. It is also the hardest asset to reacquire once it is tarnished.

Does your organization have a process in place to minimize and/or offset damage in the event of a major security or privacy incident that could tarnish your reputation?


> Loss of or damage to physical assets

The loss of assets such as computers, routers, firewalls, laptops and other equipment can be very disruptive, but recovery may be manageable through procurement of adequate insurance and providing for contingency plans. The most important risk may be that such a loss could have a critical impact on other areas, especially the loss of data processing capabilities. What impact could the theft of a laptop have on your organization? To answer this question we must know what data is on the machine, how this data is protected (encryption, passwords), and whether the equipment has dial-up or VPN capabilities to access our main systems. What steps would your organization take if a laptop was stolen? What steps would you take if critical lab equipment malfunctioned?

What are you doing to protect your most important equipment? Do you know what equipment is vital to your organization's ability to deliver quality patient care and protect cash flow? Do you have documented security response procedures?


> Compromise to patient safety

Protecting the safety of patients is a critical risk that must be considered. One scary scenario would be a rogue programmer who changes lab values that physicians use to treat patients. A program that alters the potassium level of every 100th patient could create misdiagnosis that could injure or kill patients. Do you have adequate application program change control and monitoring procedures to protect against such an event? What are your organizational policies and procedures for ensuring the integrity of the data in your organization?

Physical security with regards to ePHI is an important component of the HIPAA standards. Ensuring the safety of your patients through physical means is also a security risk that your organization should consider. Do you have adequate controls in your facility? Are you located in a high crime area and have the need for metal detectors at the Emergency Department entrance? Could a gang member come to your Emergency Department to finish the job? Are you appropriately protecting newborn babies in your facility?

As required by the Privacy Rule, are your opt-out procedures adequate to ensure that an abused spouse cannot be found in your facility by her abuser? Do you have printed reports at the information desk that contain this information? Have you trained all staff including the nursing unit employees to not give this information to someone that has opted-out?


> Compromise to employee safety

One asset that is sometimes forgotten in risk management planning is the organization's staff, and the physical risk to them. Depending on the local availability of skilled labor, the impact of a loss of staff members will vary widely. Considering the growing threats of bioterrorism and weapons of mass destruction, threats to these "people power" assets must be considered.

What steps are you taking to protect your staff from physical harm? In the event of a major disaster in the area (e.g., hurricane) how could you assist your employees in safely showing up to work? Is your parking deck secure or do you need to offer escorts during certain hours?


Where are the organization's assets?

The development of a successful, HIPAA-compliant security program requires that all ePHI be located and protected. ePHI may exist throughout a provider's facilities, on individual workstations, laptops, biomedical devices, paper charts, PDAs or departmental servers. The most likely concentration of ePHI will be in the Information Systems department, resident on servers or mainframe computers. However, the search should also include biomedical engineering, radiology departments and all areas of your facility that may maintain ePHI.

Providers should also be on the lookout for external risk factors. One example might be a critical software vendor that won't meet the minimum security requirements by the compliance date.

Also consider Business Associates and other members of an Organized Health Care Arrangement (OHCA), if applicable, for assets requiring protection. If one of these businesses allows an adverse event with your organization's ePHI to occur, then it will be difficult to avoid the consequences of association. An example would be sending billing information electronically to a third-party billing company whose system is breached, so that your patients' ePHI is compromised. The HIPAA Security Rule adds additional language and requirements for Business Associates.

Do you know where your data is? How comfortable do you feel with regards to data you entrust to a business associate? Are your vendors committed to ensuring necessary security safeguards? Have you modified your Business Associate agreements in light of the new security requirements?


What agents will create potential threats?

An "agent" of a security threat is usually an individual who wishes to do harm against one or more of the organization's assets (or who inadvertently creates harm). An exception is natural disasters such as fire, floods, hurricanes, etc., which also act as agents of asset damage or destruction. The list of potential agents that could target your assets and take advantage of potential vulnerabilities includes employees (the most common agent), ex-employees, hackers, commercial rivals, terrorists, criminals, the general public, vendors, customers and visitors. Almost anyone who has the access, knowledge and motivation can act as an agent to take advantage of a vulnerability.

Which agents are you concerned with? What assets might they target? What is the probability that a specific agent will target your organization? How much damage can the agent do?


What events are most likely to occur?

In assessing risk it is important to determine the potential events that could result from current vulnerabilities. Examples would include:

  • Misuse of authorized access (an employee divulges system passwords to a marketing firm, or an errant email containing ePHI is sent to a large group of unauthorized users)
  • Financial fraud (think Enron, Worldcom, Healthsouth)
  • Natural physical events (fires, floods)
  • Unexpected systems downtime
  • Unauthorized access to systems by hackers (defaced Web pages, worms, viruses)
  • Harm to employees or patients (a gang member visits a patient to "finish the job")
  • Systems are not set up to effectively monitor security incidents
  • Staff does not know how to respond to security incidents
  • Unauthorized access (by employees, ex-employees, the general public) to facility areas that are not properly secured
  • Ineffective disposal of ePHI and other sensitive data

What adverse events could occur at your facility? What damage or harm could they cause? What is the likelihood of their occurring? Have you taken steps to prevent them or minimize their impact?


What is the current control environment?

Many healthcare organizations may have some controls in place to minimize security risks and address threats to assets. Before undertaking new security initiatives, management should understand what is currently being done to reduce risk within the organization. What steps have been implemented to minimize risk? Are they adequate - and do they meet HIPAA security standards?


What long-term factors should be considered?

While the management team's primary assessment and planning focus will be on current and short-term risks, it should also ask what long-range organizational objectives may give rise to new risks. Security is an ongoing process, and today's potential solutions need to be weighed against future trends as well. For example, if the organization is considering incorporating new technology devices into its operations, such as notebook computers, handheld devices, and smaller storage devices such as smartcards and USB drives, executives need to ask how existing protections - or those under consideration - can be extended to protect tomorrow's technology. Similarly, organizations moving into the e-health arena must plan how their web-enabled activities will include adequate ePHI protections.


Creating a Security Program Action Plan

Once the executive team has identified and evaluated the organization's assets, determined what agents are most likely to threaten them, estimated the level and likelihood of harm occurring, and assessed the adequacy of current security controls, it is time to coordinate with appropriate IT and security staff to create a documented action plan to reduce risk to acceptable levels. The team should examine the HIPAA requirements to determine what gaps exist between the current environment and the standards. These gaps represent risks that must be addressed, although other risks may have been identified that the organization will also want to focus on. Note that the regulations require that security-related events or circumstances that are certainties cannot be "managed" - and must be addressed. An example would be that HIPAA requires unique user identification. If your organization utilizes group user accounts, a certainty of inadequate safeguards exists, and the security plan must include measures to eliminate it.

Identified risks should be documented within specific areas, with ranking such as Very High, High, Medium or Low levels of risk. This risk ranking will assist in prioritizing activities that must be performed. Then determine what control options exist and the cost associated with each option. Using this information your organization can document decisions based on reducing risk to acceptable levels, while ensuring that resources are expended appropriately and prudently based on the risk to the organization.
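The NIST 800-30 factors listed earlier (likelihood, impact, adequacy of controls) and the ranking-plus-cost step just described can be carried through in a small risk register. The following is an added example, not code from the article or from Phoenix Health Systems. The likelihood values (1.0/0.5/0.1) and impact magnitudes (100/50/10) are the ones NIST SP 800-30 (2002) uses to compute a risk level; the four-level banding into the article's Very High/High/Medium/Low, the one-step likelihood credit given for adequate existing controls, and the sample risks with their dollar figures are this example's own assumptions.

```python
"""Risk ranking with a cost check, in the spirit of NIST SP 800-30.

Added example, not from the article or Phoenix Health Systems. The likelihood
values and impact magnitudes follow NIST SP 800-30 (2002); the four-level
banding, the likelihood credit for adequate controls, and the sample risks
with their dollar figures are this example's own assumptions.
"""
from dataclasses import dataclass

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # NIST 800-30 likelihood values
IMPACT = {"High": 100, "Medium": 50, "Low": 10}        # NIST 800-30 impact magnitudes
ORDER = ["Low", "Medium", "High"]


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str          # chance the threat-source attempts to exercise the vulnerability
    impact: str              # magnitude of harm if it succeeds
    controls_adequate: bool  # are existing controls judged adequate for this threat?
    sle: float               # single loss expectancy in dollars (constructed figure)
    aro: float               # annualised rate of occurrence (constructed figure)
    control_cost: float      # annual cost of the proposed countermeasure (constructed)
    control_effect: float    # fraction of expected loss the countermeasure removes


def effective_likelihood(level: str, controls_adequate: bool) -> str:
    """Adequate existing controls lower the raw likelihood by one step (assumption)."""
    if controls_adequate and level != "Low":
        return ORDER[ORDER.index(level) - 1]
    return level


def risk_score(r: Risk) -> float:
    """NIST 800-30 risk level = likelihood value x impact magnitude."""
    like = effective_likelihood(r.likelihood, r.controls_adequate)
    return LIKELIHOOD[like] * IMPACT[r.impact]


def rank(score: float) -> str:
    """Band the score into the article's Very High / High / Medium / Low levels.
    NIST's own three bands are High (>50), Medium (>10) and Low (1-10); the
    boundaries below are this example's choice."""
    if score >= 100:
        return "Very High"
    if score >= 50:
        return "High"
    if score >= 10:
        return "Medium"
    return "Low"


def net_benefit(r: Risk) -> float:
    """Annual loss avoided by the countermeasure minus its annual cost."""
    return r.sle * r.aro * r.control_effect - r.control_cost


def recommendation(r: Risk) -> str:
    if rank(risk_score(r)) == "Very High":
        # The article notes that certainties cannot be "managed" and must be addressed.
        return "address now"
    if net_benefit(r) > 0:
        return "implement: control pays for itself"
    return "evaluate other control options"


def prioritize(risks):
    """Return risks ranked for the action plan, highest score first."""
    rows = [{"asset": r.asset, "threat": r.threat, "score": risk_score(r),
             "rank": rank(risk_score(r)), "net_benefit": net_benefit(r),
             "recommendation": recommendation(r)} for r in risks]
    return sorted(rows, key=lambda row: (-row["score"], -row["net_benefit"]))


# Constructed sample register; none of these figures come from the article.
SAMPLE_RISKS = [
    Risk("Clinical applications", "Group user accounts: ePHI access cannot be traced to one person",
         "High", "High", False, sle=250_000, aro=1.0, control_cost=60_000, control_effect=0.9),
    Risk("Laptops", "Stolen laptop holding unencrypted ePHI",
         "Medium", "High", False, sle=100_000, aro=0.5, control_cost=15_000, control_effect=0.95),
    Risk("Nursing-unit terminals", "No session timeout; unattended terminal exposes ePHI",
         "High", "Medium", True, sle=20_000, aro=4.0, control_cost=5_000, control_effect=0.75),
    Risk("Data center", "Tornado destroys data center; up to 28 hours of data lost",
         "Low", "High", False, sle=3_000_000, aro=0.02, control_cost=120_000, control_effect=0.8),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_RISKS):
        print(f'{row["rank"]:9} {row["score"]:6.1f}  {row["asset"]}: {row["threat"]} '
              f'-> {row["recommendation"]} (net {row["net_benefit"]:,.0f}/yr)')
```

Running the script prints the register in priority order. The group-account entry lands at Very High and is flagged "address now" regardless of cost, matching the article's point that a known gap against a HIPAA requirement is a certainty to be eliminated rather than a risk to be weighed; the tornado entry shows the opposite case, where the proposed control costs more per year than the loss it avoids, so the team should go back to the list of control options rather than drop the risk.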

Cost is clearly one of the factors in determining what security measures to implement. Cost is not, however, a reason for NOT implementing security controls that are reasonable. How much is your organization spending to ensure the security of your information and reduce risk to an appropriate level within your organization? Is the level of your security investment in line with the importance of ensuring the integrity, availability and confidentiality of your ePHI?

Now, using generally accepted risk management techniques, the organization must prioritize, budget, plan and implement controls that will limit the risk to its assets. The Security Rule requires that you document the actions you take to reduce risk to your assets. The old saying applies: "If you have not documented it, you have not done it." What documentation do you have? Is it accessible by those who need it?

Addressing complex compliance challenges requires financial resources, management commitment, and the appropriate staff mix and talent. Executives should ask if their organization's HIPAA Security project has enough financial commitment and management attention to resolve issues before the 2005 compliance deadline. In addition, executives must ask if they are giving the HIPAA management team appropriate authority to facilitate the required changes in the organization.

Is staff capable of appropriately addressing the organization's security risks? What skill sets are needed to address the challenge? How will the project affect other organizational activities?

There is a saying that if the only tool in one's toolbox is a hammer, all problems start to look like nails. The same adage applies to developing and implementing a HIPAA security program. Because ePHI may span organization boundaries, executives should ensure that the HIPAA team represents such areas as contracts administration, human resources, biomedical engineering, clinical departments, the business office, and physical facilities, as well as the obvious technical security staff.

Once the security team includes a broad spectrum of appropriate participants, necessary individual skill sets should also be identified. Look for a good communicator as a leader who can articulate problems to senior management. Also look for good project management skills to assist in the prioritization of critical tasks. Finally, staff the team with functional experts who know internal processes and organizational players. These individuals will be the facilitators who will design and implement systems and process changes.

In identifying the security team, it is prudent to ask what existing activities of participants will be affected or curtailed. Though it is tempting to "add on" security project responsibilities to team members' ongoing duties, supporting a major security program wholly with part time labor may be ineffective. Job descriptions and accountability need to be matched to ensure that enough leverage is given to the project leaders.


Summing Up

This overview is only a starting point to help executives examine their HIPAA security efforts. As the project matures, it will be necessary to incorporate changes into many of the internal processes, work with external parties to address the risks, and change the culture of the organization. Like many enterprise-wide initiatives, achieving HIPAA Security compliance is a journey, not a destination. Are you ready?


Clyde Hewitt, M.S., Principal, is a senior Phoenix Health Systems project manager for HIPAA, security, and other IT consulting engagements. He also holds leadership positions with the North Carolina Healthcare Information and Communications Alliance (NCHICA). Bill Miaoulis, CISA, Principal, is also a senior Phoenix project leader responsible for management of enterprise security projects and other HIPAA education, assessment, planning, and remediation engagements.
