HIPAAdvisory (Phoenix Health Systems)

HIPAAlive FAQ (Security)


What is Cryptology?

Bruce Schneier describes this very well in Applied Cryptography, Second Edition, Wiley & Sons, page 1:

"The art and science of keeping messages secure is cryptography, and is practiced by cryptographers. Cryptanalysts are practitioners of cryptanalysis, the art and science of breaking ciphertext; that is, seeing through the disguise. The branch of mathematics encompassing both cryptography and cryptanalysis is cryptology and its practitioners are cryptologists."


What data do I need to encrypt?

You need to encrypt any Protected Healthcare Information (PHI) that travels over an open network - the Internet is an open network. All PHI must be encrypted between "safe havens." This includes email that contains PHI, FTP file transfers, billing, telnet communications - and basically anything that moves over an open network.

You may also have to encrypt internally if your company has two or more business components that share an intranet and are Covered Entities that would at times need to be careful about exchanging PHI with each other. For instance, if one entity were a hospital and another entity an insurance company, these two - if they shared an intranet (called in this case an extranet) - would probably have to encrypt. VERY few companies will need to encrypt data inside their intranets.


Phone calls - what's the security picture with them?

Phone calls are considered secure under HIPAA. This includes voice, modem and FAX communication.


Faxes - what's the security picture with them?

While faxes that contain PHI should be carefully guarded within the office, just as any other paper containing PHI should be, faxes are excluded from the requirements that apply to other forms of electronic communication. Treat faxes as you would paper you sent by courier.

More on electronic communications.


PDAs (e.g., Palm Pilots) - what's the security picture with them?

PDAs do not specifically require encryption. Instead, either through training or other measures, there must be a reasonable assurance that the PDA will not be lost or otherwise accessed by unauthorized personnel. While encrypting a PDA is perfectly okay under HIPAA, it is not required if it is reasonable to assume that other methods are being employed to protect the data.

More information on wireless technology in healthcare.


What is an audit trail and what does HIPAA require? Do we have to track everyone who ever saw any PHI?

The proposed security rule's administrative standards require an internal audit process, defined as a review of the records of system activity like logins, file accesses, and security incidents. The technical sections of the rule require the mechanisms to gather this audit data.

Most health care organizations already have the capability to capture the kind of security data described above. Modern network operating systems typically provide the means to collect log files containing data about login failures and successes, and attempts to access specific files (such as applications or data files of applications that contain health information). Though many organizations have chosen not to implement these features, believing them to be a resource drain, inexpensive upgrades are readily available to offset such problems. Further, most performance problems associated with auditing are the result of auditing too much information. Selecting more refined audit parameters resolves this issue.


Who should conduct the audits?

Ordinarily, IS staff conduct these reviews. Examining the login failure log should be a daily task of one member of the security administration team. Examining other logs can be done on a more relaxed schedule, and in fact, many of the patterns to be examined make more sense when viewed on a weekly basis. For larger institutions, forensic software packages can be used to examine the data for patterns and changes in patterns (such as a user who never works at night suddenly logging in at 2 AM).

The best value of the audit process comes with proactive auditing - examining the logs before you are aware of a problem. Waiting until a security breach to examine the logs is a high tech example of locking the barn door after the horse has bolted. The purpose of security is to prevent breaches, not to prosecute them after the fact.
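The two review tasks just described - the daily look at the login failure log and the hunt for a change in a user's pattern, such as a daytime-only user suddenly logging in at 2 AM - can be scripted. The following is an added example, not code from this FAQ or from Phoenix Health Systems. It assumes a simple "timestamp user result" line format for the login audit records (real systems each have their own), and the log lines are constructed for the illustration. Each user's baseline of usual login hours is built from successful logins on earlier days; a login on the review day outside that baseline is flagged, as is any user with a burst of failures.

```python
"""Added example: proactive daily review of login audit records.

Not part of the HIPAAdvisory FAQ. The record format ("timestamp user result")
is an assumption, and the sample log below is constructed for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records: two quiet days used as baseline, then a review
# day on which 'mlee' (normally an 8 AM user) fails five times and then
# succeeds at 2 AM, while 'nightops' is a genuine night-shift account.
SAMPLE_LOG = """\
2001-03-05T08:02:11 jsmith SUCCESS
2001-03-05T08:15:40 mlee SUCCESS
2001-03-05T09:10:03 jsmith SUCCESS
2001-03-06T08:05:27 jsmith SUCCESS
2001-03-06T22:45:00 nightops SUCCESS
2001-03-06T23:12:18 nightops SUCCESS
2001-03-07T01:58:30 mlee FAILURE
2001-03-07T01:58:45 mlee FAILURE
2001-03-07T01:59:02 mlee FAILURE
2001-03-07T02:00:10 mlee FAILURE
2001-03-07T02:00:31 mlee FAILURE
2001-03-07T02:01:05 mlee SUCCESS
2001-03-07T08:30:00 jsmith SUCCESS
"""


def parse_log(text):
    """Parse lines of the assumed format into (datetime, user, result) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        timestamp, user, result = line.split()
        records.append((datetime.fromisoformat(timestamp), user, result))
    return records


def daily_failure_counts(records, threshold=3):
    """Count FAILURE records per (day, user) and keep those at or above threshold."""
    counts = Counter()
    for ts, user, result in records:
        if result == "FAILURE":
            counts[(ts.date().isoformat(), user)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def hour_baseline(records, before):
    """Hours (0-23) in which each user logged in successfully before the cutoff."""
    hours = defaultdict(set)
    for ts, user, result in records:
        if result == "SUCCESS" and ts < before:
            hours[user].add(ts.hour)
    return hours


def off_hours_logins(records, baseline, since, tolerance=1):
    """Successful logins at or after `since` whose hour is not within
    `tolerance` hours of any hour in that user's baseline."""
    flagged = []
    for ts, user, result in records:
        if result != "SUCCESS" or ts < since:
            continue
        usual = baseline.get(user, set())
        if not any(abs(ts.hour - h) <= tolerance for h in usual):
            flagged.append((ts.isoformat(), user))
    return flagged


def review(text, review_day):
    """Daily review: failure bursts on `review_day` and logins outside the
    baseline built from all earlier days. Returns a dict of findings."""
    records = parse_log(text)
    day_start = datetime.fromisoformat(review_day)
    baseline = hour_baseline(records, before=day_start)
    todays = [r for r in records if r[0] >= day_start]
    return {
        "failure_bursts": daily_failure_counts(todays),
        "off_hours": off_hours_logins(records, baseline, since=day_start),
    }


if __name__ == "__main__":
    for finding, detail in review(SAMPLE_LOG, "2001-03-07").items():
        print(finding, detail)
```

The failure threshold and the hour tolerance are the "audit parameters" the previous answer talks about: set them too loosely and the daily review drowns in noise, too tightly and a genuine night-shift account like the constructed `nightops` user is flagged every evening. Note that the night-shift user is not flagged here because the baseline is built per user, which is exactly why a change in a user's pattern is more telling than the hour alone.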

Read an overview of the proposed security rule.

Learn more about the technical aspects of security.

