HIPAAlert is published monthly in support of the healthcare
industry's efforts to work together towards HIPAA security
and privacy. Direct subscribers total nearly 15,000!
Do you have interested associates? They can subscribe free.
If you like HIPAAlert, you'll love HIPAAdvisory.com -- Phoenix' comprehensive "HIPAA
hub of the Internet," per Modern Healthcare magazine.
This Issue
- From the Editors: Security Moves to the HIPAA Front-Lines
- HIPAA news: New Support of Transactions Standards; New Need for Security
- HIPAA security: 9/11/01: The Start of a New Era in Healthcare Security?
- HIPAA security: Our Most Critical Internet Security Vulnerabilities
- HIPAAdvisor: How Fundraising and Marketing Fit Into HIPAA Privacy
1 / From the Editors
Across the nation's healthcare organizations, the stepped-up
concern about terrorism, including bio-threats and cyber attacks,
is palpable. HIPAAlert is aware that hospitals in and around
Washington, DC, New York, Boston and other major cities are
quietly reviewing and upgrading internal security protections
as well as their capabilities to respond quickly to terrorist
incidents and public health threats.
It is too early to gauge how our healthcare system will respond
overall to the new realities confronting the country, but
it is clear to many security professionals that improvements
in physical and technical security should be integral to our
response.
Much of this issue of HIPAAlert focuses on security, including
some of the reasons why HIPAA's requirements include comprehensive
security provisions. Our feature article, by Phoenix' Tom
Grove, addresses how a strong healthcare system with HIPAA
security safeguards in place is necessary to the national
infrastructure. Tom's article is followed by a summary of
the timely new SANS / FBI report on the most critical Internet
security vulnerabilities.
HIPAAnews covers the surge of new support for administrative
simplification, along with the latest on the HIPAA regulatory
schedule. Our HIPAAdvisors Steve Fox and Rachel Wilson balance
out the issue with a definitive discussion of HIPAA privacy
as it relates to research and marketing.
Finally, thanks to all who participated in the Fall HIPAA
Progress Survey! Results will be announced by yours truly
at The Third National HIPAA Summit in Washington, DC next
week -- and will be published in full in our next HIPAAlert,
scheduled for the first week of November.
D'Arcy Guerin Gue, Publisher
daggue@phoenixhealth.com
2 / HIPAAnews
*** House Lawmakers Direct HHS to Address HIPAA Costs ***
According to an October 11 report by AHA News Now, the House
Appropriations Committee has directed the Department of Health
and Human Services to assess whether HIPAA privacy requirements
will hinder hospitals in providing patient care, and to identify
federal money sources to assist in provider compliance costs.
The directive accompanied the panel's FY 2002 DHHS budget appropriations
bill passed October 10. AHA historically has promoted the
concept of federal financial support for HIPAA compliance
efforts, and noted in its report that it supports the Committee's
directive.
*** HHS Update: Employer ID & 3 NPRMS Likely by 12/31; Security Coming Early 2002 ***
The Employer Identifier Rule has been drafted and sent to
DHHS for its final review, according to an October 1 report
by WEDI (Workgroup for Electronic Data Interchange). WEDI's
report, which has been confirmed by DHHS sources, also stated
that two proposed rules (NPRMs) for revising the Transaction
and Code Set standards should be published by the end of the
year. These rules will propose making certain changes in
Designated Standard Maintenance Organizations (DSMOs), and
removing the NDC code as the drug-coding standard for all
but retail pharmacy transactions. An NPRM for Privacy
is expected to be released in December of this year and the
Security Rule and Claim Attachment NPRM may be published early
next year. The Provider Identifier and Plan Identifier are
in process, but no definitive action is anticipated this year.
*** Web Attacks Have Doubled, Survey Says ***
PCWorld reports attacks on Web servers doubled in 2001 compared
to 2000, and nearly 90 percent of companies surveyed have
been infected with worms or viruses, despite having antivirus
software installed, according to the Information Security
Industry Survey. Nearly 50 percent of the companies surveyed
experienced attacks against their Web servers from external
sources in 2001, up from 24 percent in 2000. Just under 90
percent were hit with worms, viruses, or Trojans; almost 40
percent suffered denial of service attacks, and a third faced
buffer overflow attacks, the survey found.
*** FBI Warns Infrastructure Owners to Brace for Attacks ***
The FBI has issued a nationwide alert to law enforcement
agencies and private-sector owners of critical infrastructure
facilities to prepare for a new wave of terrorist attacks.
Intelligence officials have told members of Congress that
the likelihood of further attacks, either physical or cyber,
is virtually certain. A spokesperson for the FBI's National
Infrastructure Protection Center said the warnings serve to
encourage a "heightened awareness for security and safety
of critical infrastructure systems in the aftermath of the
Sept. 11 bombings, and especially since the beginning of U.S.
military strikes."
3 / HIPAA security
9/11/01: The Start of a New Era in Healthcare Security?
By Tom Grove, Director, Phoenix Health Systems
The national terrorism crisis has caused us all to spend
a significant time thinking about the safety of our nation.
Bombs, airplanes, and anthrax are the top stories everywhere,
and security measures are the order of the day. As healthcare
professionals, dealing with the aftermath of these tragic
events has been our top priority, and rightly so. Healthcare
is on the front line of our latest battles, and
there is no doubt that a strong, working healthcare system
is a key component of our national defense. Bioterrorism,
cyberterrorism and other security threats - whether directed
at the government, other industries or the healthcare system
itself - are likely to produce a range of security problems
for healthcare providers. Any organization that has waited
to find a reason to assess its security environment and eliminate
security vulnerabilities, now has ample justification to do
so.
VULNERABILITY OF CRITICAL INFORMATION
A fundamental strength of an effective healthcare system
is the smooth and uninterrupted flow of clinical and financial
information -- having the use of accurate information when
and where it's needed. Our increasing dependence on electronic
information management and communication has made healthcare
organizations more vulnerable than ever to unauthorized access,
misuse, tampering and destruction of data and systems. Use of
E-mail and access to the Internet has opened the doors to
"cyber" dangers unheard of two decades ago. As far back as
1997, the National Research Council reported that over 40% of
healthcare organizations had experienced an intrusion or unauthorized
use that year. There are many more access points to personal
health information today - both within and outside facility
walls -- creating greater opportunity for unwanted access.
And, for those so motivated, there are many tools and technologies
available to facilitate "hacking" and other intrusions.
SECURITY -- NOT JUST ABOUT HIPAA
Providing adequate safeguards to ensure the accuracy and
availability of health information isn't simply a requirement
of the HIPAA security rules. To the extent that our healthcare
system is an essential service and a part of our national
infrastructure, protecting our healthcare data and systems
is a critical aspect of our national security.
Unfortunately, delays in the finalization of the HIPAA Security
Rule have caused the industry to spend far more time focusing
on Transactions, Code Sets, and Privacy. The most recent HIPAA
survey data from Phoenix Health Systems bears this out. Most
respondents are much farther along in their TCS and Privacy
compliance efforts, and many cite the draft status of the
Security rule as a key reason.
BARRIERS TO BETTER HEALTHCARE SECURITY
The reluctance many CIOs express towards increasing security
protections has several causes. Healthcare IT shops operate
on a very tight budget - often half that of other industries
with similar information needs. Security measures may add
to costs, complicate operations, inconvenience users or even
interfere with patient care. All these concerns are relevant, and should
be taken into account when planning for improved security.
However, the argument that we shouldn't do anything about
security until the final rules are published just doesn't
stand up to close scrutiny. The final security rule, when
published in early 2002, will not be significantly different
from the NPRM. William Braithwaite, M.D., senior DHHS health
information policy advisor, clarified this position in a letter
to Phoenix Health Systems in July 2001.
Among many senior managers, knowledge of the "dark
side" of computerized information systems has evolved
more slowly than appreciation of the benefits. The lack of
understanding of security issues has been the source of many
objections to increased attention (and spending) on security.
The argument? "We're a hospital, we aren't at risk. Who
would want to harm a hospital?"
Unfortunately this optimistic view of the world doesn't reflect
today's realities or tomorrow's potential dangers.
NON-DIRECTED SECURITY THREATS
A proper understanding of security risk includes recognizing
that most cyber-attacks are non-directed. To most internet-based
attackers, your hospital ISN'T a hospital, but simply a collection
of computers to be attacked, as a test of the attacker's skills.
Teens interested in developing computer intrusion skills can
download penetration software over the Internet, and set it
loose on connected systems and dial-up lines. These attacks
require little knowledge or skill, and are focused on a range
of numeric addresses, without knowing the identity of the
target. Just having an Internet connection or dial-up lines
places you at risk with these "script-kiddies" (so-called
because of their reliance on pre-scripted attacks).
Another significant risk comes in the form of malicious
computer code. Viruses, Trojan horses, worms and macros are
all forms of code with malicious intent. Your network is most
at risk from them if it is connected to the Internet, but
can be infected by diskette as well. One recent major virus,
the W32/Sircam virus, had serious repercussions throughout
the world, and because of its three-pronged nature, was particularly
troublesome in the healthcare environment. The virus acted
to limit availability of computer systems, and presented with
code that caused loss of data integrity by deleting files
on the infected computer system. Particularly important to
healthcare organizations is that the malicious code also operated
by breaching confidentiality, and searching through hard drives
of the infected computers to E-mail potentially sensitive
files.
Virus generation is no longer only the purview of a few
knowledgeable individuals. In a recently published confession,
the author of a major virus admitted that he had no special
programming skills. Using a program called "Visual Basic
Worm Generator" to create his virus, he infected over
fifty major corporations, despite the fact that patches to
defeat this type of attack had been available for some time.
The number of such attacks is growing - Symantec, a major
vendor of anti-virus software, added protection for 26 specific
malicious code attacks during the last month alone.
RISK OF DIRECTED ATTACKS
The risks described so far are typically generic, not focused
on a specific organization. Of equal or greater concern are
attacks deliberately focused at a healthcare institution.
To a terrorist or others with criminal intent, your hospital
IS a hospital. For them, the fact that our population relies
on hospitals and other providers for essential care may make
them targets for damage,
destruction, theft, or misuse of data and systems. The same
down-loadable tools available to the "script-kiddies"
are available to those with deliberately harmful intent, along
with more sophisticated and dangerous capabilities - and,
in some cases, easy access.
Easy access is one reason why the most common "focused"
attackers are insiders. Most people perceive the outside world
to be the largest security threat, and recent media attention
on "hackers" intruding via the Internet has heightened
this perception. However, FBI studies have revealed that 80%
of intrusions and attacks come from within organizations -
from current and recent employees who know the layout of the
system, where sensitive data is stored, and what security
precautions are in place.
In these troubling times, politically motivated cyber-attacks
are of grave concern. During the recent surveillance plane
incident with China, a number of US-based web sites, including
those of healthcare organizations, were targeted for defacement.
This and other forms of cyber terrorism - whether originating
externally or from within the organization - are real threats.
Cyber terrorism takes a certain amount of expertise, but can
be safely performed from anywhere in the world and with a
minimum of logistical support. Compared to convincing, teaching,
and financing terrorists to fly airplanes into buildings,
assembling a band of cyber terrorists is child's play. If it makes sense
to a terrorist to inflict disease or major loss of life, surely
it must make sense to cripple our healthcare system's ability
to coordinate efforts and respond to such attacks.
NEW TIMES: A NEW ACTION TIME-LINE
What should healthcare organizations do today to protect
against this increasingly dangerous minefield of cyber hazards?
Aggressive assessment and implementation of basic security
practices is the first step - and one that should be taken
NOW. The HIPAA
security NPRM is a useful roadmap to those practices. It represents
a synthesis of basic, solid information security practices,
culled from industry standards, and practiced by our peers
in other industries for many years. Healthcare security practitioners
should also seek guidance from an abundance of Internet resources.
Key resources of interest:
- The CPRI Toolkit: Managing Information Security in Health
Care provides how-to guidelines for integrating sound information
security
practices into the everyday work of healthcare organizations.
It can be found from a link at: http://www.hipaadvisory.com/action/CPRIToolkit.htm.
- The Carnegie Mellon Software Engineering Institute's
CERT web site offers an excellent technical resource for
guiding any organization toward getting serious about security.
It can be found at:
http://www.cert.org/security-improvement.
- The HIPAA Security Summit Guidelines represents the security
recommendations of a blue ribbon task force of healthcare
industry leaders that began work in October 1999. Go to:
http://www.hipaadvisory.com/action/SecuritySummitGuidelines.htm
- NIST (National Institute of Standards and Technology)
Computer Security Resource Center includes a variety of
current security tools and resources, often used as a foundation
for "best practices" recommendations. Go to:
http://csrc.nist.gov.
Finally, nuts-and-bolts security practitioners and HIPAA
project teams must recognize that within their healthcare
organizations, a major impediment to implementing a comprehensive
security program may be a lack of knowledge among decision-makers.
Educating senior management about the information security
risks that face our institutions today is a key aspect of
our professional responsibility. The fact that we can address
those risks while meeting another key organizational imperative
- compliance with HIPAA - makes the job a little easier, and
much more important.
Tom Grove, Director, Phoenix Health Systems, is a senior
member of Phoenix' HIPAA Solutions Team and a frequent speaker
on HIPAA-related security and privacy issues.
4 / HIPAA security
Report on: SANS / FBI's Most Critical Internet Security
Vulnerabilities
The October 1, 2001 release of the SANS/FBI Most Critical
Internet Security Vulnerabilities list couldn't be more timely.
According to SANS (the prestigious System Administration, Network
and Security Institute) the
SANS/FBI Top Twenty list is valuable because the majority
of successful attacks on computer systems via the Internet
can be traced to security flaws on this list. For instance,
SANS notes that the rapid spread of the Code Red and NIMDA
worms can be traced to exploitation of unpatched vulnerabilities
on the list.
The list is broken into three categories: General Vulnerabilities,
Windows Vulnerabilities, and Unix Vulnerabilities. These comparatively
few software vulnerabilities account for the majority of successful
attacks,
according to SANS. The report notes that this is because most
attackers are opportunistic - taking the easiest and most
convenient route. They exploit the best-known flaws with the
most effective and widely available attack tools. They count
on organizations not fixing the problems, and they often attack
indiscriminately, scanning the Internet for any vulnerable
systems.
SANS reports that system administrators in the past have
not corrected many of these flaws because they "simply
did not know which vulnerabilities were most dangerous, and
they were too busy to correct them." The Top Twenty list
is designed to help by combining the knowledge of leading
security experts from federal agencies, leading security software
vendors and consulting firms, top university-based security
programs, and CERT/CC and the SANS Institute. A
list of participants along with the full report may be found
at: http://www.sans.org/newlook/home.htm.
Following is a summary of the Top Seven GENERAL Security
Vulnerabilities reported in the SANS/FBI Vulnerabilities List.
For more (technical!) detail on these, including recommended
fixes and to view the SANS/FBI Windows and Unix Vulnerabilities
list, go to: http://www.sans.org/newlook/home.htm.
SANS / FBI Top Seven GENERAL Security Vulnerabilities:
1. Default installs of operating systems and applications
Most software comes with installation programs intended
to get the systems installed quickly and easily, with the
most useful functions enabled. Typically, more components are
installed than most users need. Although
convenient for the user, this approach creates many of the
most dangerous security vulnerabilities because users do not
actively maintain and patch components they don't
use. Also, many users don't understand what is actually installed,
leaving dangerous samples on a system simply because users
do not know they are there. The report emphasizes that those
unpatched services provide paths for attackers to take over
computers.
2. Accounts with no passwords or weak passwords
Most systems are configured to use passwords as the first,
and only, line of defense. User IDs are fairly easy to acquire,
and most companies have dial-up access that bypasses the
firewall. Therefore, an attacker
who can determine an account name and password can log on
to the network. Easy to guess passwords and default passwords
are a big problem; but an even bigger one is accounts with
no passwords at all. All accounts with weak passwords, default
passwords, and no passwords should be removed from systems.
In addition, many systems have built-in or default accounts
that usually have the same password across installations of
the software. Attackers commonly look for these accounts,
because they are well known to the attacker community. Any
default or built-in accounts need to be identified and removed
from the system.
3. Non-existent or incomplete backups
When a security breach occurs (and SANS/FBI says they occur
in nearly every organization), recovery requires up-to-date
backups and proven methods of restoring the data. Some organizations
make daily backups, but never verify that the backups are
actually working. Others construct backup policies and procedures,
but do not create restoration policies and procedures. Such
errors are often discovered after a hacker has entered systems
and destroyed or otherwise ruined data. A second problem involving
backups is insufficient physical protection of the backup
medium. The backups contain the same sensitive information
that is residing on the server, and should be protected in
the same manner.
4. Large number of open ports
Both legitimate users and attackers connect to systems via
open ports. The more ports that are open the more likely it
is that someone can connect to your system. Therefore, it
is important to keep the least number of ports open on a system
necessary for it to function properly. All other ports must
be closed.
5. Not filtering packets for correct incoming and outgoing
addresses
Spoofing IP addresses is a common method used by attackers
to hide their tracks when they attack a victim. For example,
the very popular "smurf" attack uses a feature of routers to
send a stream of packets to thousands of machines. Each packet
contains a spoofed source address of a victim. The computers
to which the spoofed packets are sent flood the victim's computer,
often shutting down the computer or the network. Performing
filtering on traffic coming in and going out of your system
can help provide a high level of protection.
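To make items 4 and 5 concrete, here is an added example (not from the SANS report or this newsletter) of a toy default-deny packet-filter policy: it exposes only an allow-list of ports, drops inbound packets that claim an internal source address, refuses directed broadcasts of the kind the smurf attack relies on, and drops outbound packets whose source is not one of our own addresses. The internal prefix 10.20.0.0/16, the allowed ports and the sample traffic are constructed values.

```python
"""Toy packet-filter policy for SANS items 4 and 5 (added example, not SANS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption (constructed value): the organisation's internal network.
INTERNAL = ipaddress.ip_network("10.20.0.0/16")
# Item 4: the only TCP services this host must expose to the Internet.
ALLOWED_INBOUND_TCP_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str                # source IP address
    dst: str                # destination IP address
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0          # destination port (tcp/udp only)
    direction: str = "in"   # "in" = arriving from the Internet, "out" = leaving our network


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL


def is_directed_broadcast(addr: str) -> bool:
    # The smurf attack relies on routers forwarding packets addressed to a subnet's
    # broadcast address so that every host on it answers the spoofed victim.
    return ipaddress.ip_address(addr) == INTERNAL.broadcast_address


def decide(pkt: Packet) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for one packet under a default-deny policy."""
    if pkt.direction == "in":
        # Item 5, ingress side: nothing arriving from the Internet may claim an internal
        # source address; such a packet is spoofed by definition.
        if is_internal(pkt.src):
            return ("drop", "ingress: spoofed internal source address")
        # Refuse to act as a smurf amplifier against someone else's victim.
        if is_directed_broadcast(pkt.dst):
            return ("drop", "ingress: directed broadcast (smurf amplifier)")
        # Item 4: only the ports the host needs are reachable; everything else is closed.
        if pkt.proto == "tcp" and pkt.dport in ALLOWED_INBOUND_TCP_PORTS:
            return ("accept", "ingress: allowed service port")
        return ("drop", "ingress: port or protocol not in allow-list")
    # Item 5, egress side: packets leaving our network must carry one of our own
    # addresses, so a compromised internal host cannot spoof a victim elsewhere.
    if not is_internal(pkt.src):
        return ("drop", "egress: spoofed non-internal source address")
    return ("accept", "egress: legitimate source")


def audit(packets: List[Packet]) -> Dict[str, int]:
    """Count drops per reason over a traffic sample, the way a log review would."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        verdict, reason = decide(pkt)
        if verdict == "drop":
            counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed traffic sample (documentation-range addresses from RFC 5737).
SAMPLE = [
    Packet("203.0.113.5", "10.20.1.10", "tcp", 443),          # normal HTTPS request
    Packet("10.20.1.5", "10.20.1.10", "tcp", 443),            # spoofed: internal source from outside
    Packet("203.0.113.5", "10.20.255.255", "icmp"),           # smurf-style directed broadcast
    Packet("203.0.113.5", "10.20.1.10", "tcp", 23),           # telnet is not an exposed service
    Packet("10.20.1.10", "198.51.100.7", "tcp", 80, "out"),   # normal outbound request
    Packet("192.0.2.9", "198.51.100.7", "icmp", 0, "out"),    # internal host spoofing a foreign source
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt.direction, pkt.src, "->", pkt.dst, decide(pkt))
    print(audit(SAMPLE))
```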
6. Non-existent or incomplete logging
Once you are attacked, if you do not have logs of your system
activity, there is little chance of discovering what the attackers
did. Without that knowledge, the organization must choose
between completely reloading the operating system from original
media and hoping the data back-ups were OK, or taking the risk
that a system is running that a hacker still controls. Logs
provide the details of what is occurring, what systems are
being attacked, and what systems have been compromised. Logging
must be done regularly on all key systems, and logs should be
archived and backed up.
7. Vulnerable CGI programs
Most web servers support Common Gateway Interface (CGI)
programs to provide web page interactivity such as data collection
and verification. Many CGI programmers don't consider that
their programs provide a direct link from any user on the
Internet to the operating system of the computer running the
web server. Vulnerable CGI programs present a particularly
attractive target to intruders because they are easy to locate
and operate with the privileges and power of the web server
software itself. Intruders are known to have exploited vulnerable
CGI programs to vandalize web pages, steal credit card information,
and set up back doors to enable future intrusions. When the
Department of Justice web site was vandalized, an assessment
concluded that a CGI hole was the probable cause. Web server
applications are similarly vulnerable to threats created by
uneducated or careless programmers.
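The "direct link from any user on the Internet to the operating system" that item 7 describes usually takes the form of a CGI program handing a query-string value to a shell. The following added example (not code from the SANS report or this newsletter) shows that defective pattern beside a hardened form that validates the value against an allow-list and invokes the command without any shell; the lookup command `id`, the username regex and the function names are assumptions.

```python
"""Vulnerable CGI pattern beside its hardened form (added example for SANS item 7)."""
import re
import subprocess
from typing import List, Set

# Hypothetical CGI script: a "who is this user?" page that runs a local account-lookup
# command (here POSIX `id`) with a name taken from the query string.


def build_command_unsafe(username: str) -> str:
    # VULNERABLE (the defect item 7 warns about): the untrusted value is spliced into a
    # shell command line. CGI runs with the web server's privileges, so any shell
    # metacharacter the user supplies is interpreted by the shell as that account.
    return "id " + username


# Allow-list: a plain account name, which also guarantees it cannot start with "-".
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
SHELL_METACHARS: Set[str] = set(";&|`$<>()\n\"'\\ ")


def validate_username(username: str) -> bool:
    """Allow-list check: only a plain POSIX-style account name passes."""
    return bool(USERNAME_RE.match(username))


def build_command_safe(username: str) -> List[str]:
    """Hardened form: validate first, then build an argv list so no shell is involved."""
    if not validate_username(username):
        raise ValueError("rejected username")
    return ["id", username]


def lookup_user(username: str) -> str:
    """Run the hardened command directly (shell=False); the web server never spawns a shell."""
    argv = build_command_safe(username)
    proc = subprocess.run(argv, capture_output=True, text=True, shell=False, check=False)
    return proc.stdout.strip() if proc.returncode == 0 else "no such user"


def suspicious_metachars(value: str) -> Set[str]:
    """Detection aid: which shell metacharacters a CGI parameter value contains.
    Handy when reviewing web-server access logs for probing of CGI scripts."""
    return set(value) & SHELL_METACHARS


if __name__ == "__main__":
    for value in ("alice", "alice;ls"):          # constructed inputs
        print(repr(value), "unsafe command line:", repr(build_command_unsafe(value)))
        print(repr(value), "accepted by allow-list:", validate_username(value),
              "metachars:", suspicious_metachars(value))
```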
5 / HIPAAdvisor: Legal Q/A with Steve Fox, Esq., & Rachel Wilson, Esq., Pepper Hamilton LLP
How Fundraising and Marketing Fit Into HIPAA Privacy
QUESTION: Does the Privacy standard permit the use
and disclosure of protected health information ("PHI")
for the purposes of fundraising and marketing?
ANSWER: Yes. In certain circumstances PHI may be used
for marketing or fundraising without an authorization.
Covered entities must have written authorization to use
or disclose PHI for purposes that are unrelated to the treatment,
payment, or the health care operations of the covered entity.
Originally, this requirement was applicable to all uses and
disclosures of PHI for marketing and fundraising purposes.
Under the final Privacy rule, however, certain marketing
and fundraising activities have been included in the definition
of "health care operations;" thereby allowing covered
entities to use and disclose PHI without patient authorization
in support of several limited fundraising and marketing activities.
The definition of health care operations under the proposed
rule included only those operations sufficiently related to
treatment and payment to warrant the use and disclosure of
PHI without authorization. However, in the final rule, the
definition was revised to include those general administrative
and business functions necessary for covered entities to remain
a viable business. Therefore, business management activities
and general administrative functions, such as specific fundraising
and marketing activities, are included as part of the definition
of a covered entity's "health care operations."
Covered entities, their business associates, or institutionally
related foundations (foundations that qualify as nonprofit
charitable foundations under section 501(c)(3) of the Internal
Revenue Code and that have in their charter statement of charitable
purposes an explicit linkage to the covered entity), may use
or disclose an individual's demographic information and/or
the dates that the individual received treatment without obtaining
written authorization. These uses and disclosures are permissible
as long as:
- the covered entity's notice of privacy practices states
that individuals may be contacted for the purpose of raising
funds,
- any and all fundraising materials include instructions
on how to opt-out of future communications, and
- the covered entity makes reasonable efforts to ensure that
individuals' opt-out requests are honored.
The use or disclosure of PHI for marketing purposes is permissible
without an authorization in three instances:
- First, covered entities are permitted to use or disclose
PHI without authorization to make marketing communications
in face-to-face encounters. These communications may include
discussion of any services or products, including the services
or products of a third-party.
- Second, PHI may be used or disclosed without authorization
to make marketing communications involving products or services
of nominal value. This would allow for the distribution
of calendars, pens and other merchandise that is generally
considered to be of a promotional nature.
- Finally, no authorization is required for marketing communications
about health related products or services of the covered
entity or a third party, if the communication:
- identifies the covered entity as the party making the
communication,
- discloses any direct or indirect remuneration received
by the covered entity for making the communication,
- contains instructions on how to opt-out of similar future
communications, and
- explains why the individual has been targeted for the
communication in those instances where PHI was used to target
the communication to particular individuals based upon their
health status or condition.
This third type of marketing communication is restricted
to uses by covered entities or disclosures to their business
associates pursuant to a business associate agreement.
Steve Fox, Esq., is a partner at the Washington, D.C. office
of Pepper Hamilton LLP. This article was co-authored by Rachel
H. Wilson, Esq., an associate at Pepper Hamilton LLP.
Disclaimer: This information is general in nature and should
not be relied upon as legal advice.
Don't miss Securely HIPAA! Our Special Fall Audioconference Series
Oct. 17: Security Implementation for the Non-Technical Manager
Other outstanding HIPAA audioconferences and tapes available
at our HIPAAstore!