
By Joseph Goedert, News Editor
1 December 2006
A recent survey of health care providers and payers found comprehensive compliance with the HIPAA privacy and security rules remains low in some cases and stalled in other areas.
The biannual survey from consulting firm Phoenix Health Systems of Montgomery Village, Md., and the Chicago-based Healthcare Information and Management Systems Society, shows 80% of insurer respondents and 56% of providers believe they have implemented the security rule's provisions. But many of these respondents could not confirm they had implemented all major provisions required under the rule. Further, 22% of surveyed providers and 13% of payers remain noncompliant with the privacy rule.
However, more than one-and-a-half years after the HIPAA security rule's compliance date, and three-and-a-half years after the privacy rule's deadline, some health care organizations continue to work toward maintaining, and augmenting, compliance.
These organizations are filling gaps that still exist in their data protection infrastructure or are reviewing existing protections to see where they can be improved.
This past summer, for instance, John C. Lincoln Health Network in Phoenix put in software to automatically erase the hard drive of any laptop computer that may be missing.
The quick decision to use the Computrace software from Vancouver, British Columbia-based Absolute Software Corp. was made after a Veterans Administration laptop containing data on millions of patients was stolen. "We said, 'This is a huge gap, we read about it all the time, let's just fix it,'" says Robert Israel, CIO at the two-hospital delivery system.
A laptop with the Computrace software automatically dials a server at the delivery system when it makes an Internet connection and sends data indicating where it is. If the laptop is missing, the I.T. staff can send a signal to "wipe clean the hard drive," Israel explains. Use of the software and other security steps being taken long after HIPAA deadlines are part HIPAA follow-up and part "just best security practices," he adds.
For many health care organizations, maintaining a strong focus on data security also is being done to protect business continuity, says Steven Kelly, senior vice president at The Newberry Group Inc., a St. Charles, Mo.-based risk management consulting firm.
For instance, security issues are becoming part of the exit interview when an employee leaves a health care organization, he notes. "Organizations now are asking where the data the employee worked with is, on hard drives and elsewhere."
The federal government is not aggressively enforcing HIPAA privacy and security compliance, nor has Congress appropriated funds for adequate enforcement. Tens of thousands of complaints of alleged violations have resulted in only two convictions, according to Department of Health and Human Services officials. In cases where violations are not malicious in intent, federal regulators find it preferable to work with offending organizations to help them comply with the rules.
But the HIPAA rules have been successful in creating a cultural change in how organizations protect patient information, Kelly contends.
And the reason is simple, he adds. "We are rapidly approaching the point where security and confidentiality is not an option. Patients now know what HIPAA is."
As technology changes, so must an organization's security approach. And with a growing number of employees and visitors walking around with mobile computing hardware (iPods, key fobs, PDAs/smart phones, modems and digital cameras), new threats to health information networks have emerged.
These devices can unwittingly introduce a virus from an employee's home computer into an organization's network, or be used to steal data.
An iPod in the wrong hands could be used to access large amounts of data from a network, says Bill Liston, I.T. enterprise administrator at ConnectiCare, Farmington, Conn. "People think an iPod is just a thing to play music," he adds. "In reality, it's a 40- or 60-gigabyte hard drive, a massive storage device."
To protect its network from portable devices, ConnectiCare in late 2005 implemented security modules from Safend Inc. of Philadelphia. The software blocks unauthorized devices from being plugged into the network, either through a wall port or from a computer already on the network. The software shuts the port and creates an audit trail of every device plugged into the network.
Vendors coming in for presentations must bring their CD, key fob or any other device holding the presentation to the help desk to scan for viruses. In October 2006, the organization implemented an updated version of Safend that records any data read from or copied to a compact disk.
ConnectiCare in recent months took further steps to protect laptops that leave the work environment. For instance, an employee cannot plug a corporate laptop into a Wi-Fi network at Starbucks without prior authorization, a policy enforced through the Safend software.
The company also uses the Spy Sweeper software from Webroot Software Inc., Boulder, Colo., to protect PCs and laptops accessing the Internet.
Constantly updating existing security software and looking for new protections are just business as usual at ConnectiCare and should be for all health care organizations, says Keith King, I.T. manager of systems at ConnectiCare, a managed care organization in Farmington, Conn. "It all comes down to good business practices and that's what we try to focus on."
When officials at John C. Lincoln Health Network in Phoenix saw all the mobile computing devices floating around the delivery system, they knew an existing security policy needed enhancement.
That policy, says CIO Israel, prohibited saving data to such devices without prior approval. But executives needed a tool to enforce that policy, he adds. "We needed to take back control of peripherals on the desktop."
Last spring, the delivery system implemented the Sanctuary Device Control software from Herndon, Va.-based SecureWave USA to lock unauthorized mobile computing devices out of desktops and the entire I.T. network.
This not only protects information systems from viruses and other threats that come into the facilities from home computers and elsewhere, but also increases productivity. That's because some employees were using their work computers to play games or work on term papers that were downloaded from their home PCs.
Now, employees need authorization from their unit vice president to use removable computing devices at work. The employees also are given role-specific read, write or read/write access. The software also audits use of such devices; Israel has not yet detected any malicious attempts to download or upload data.
Give more notification
Before rolling out the SecureWave software, Israel sent out notification to all employees via e-mail. He also put a notice in the corporate newsletter.
The notification included a security overview on why the technology was needed and how to get authorization. Still, "We had two weeks of pain" after implementation, he recalls.
About 50 employees who needed to use removable devices and did not fill out the form to request authorization were cut off. When they called Israel, he would again explain the reasons why such device use was being restricted and then go through the authorization process.
Israel makes no apologies for tightening use of peripheral devices. HIPAA and best practices compel an organization to continually assess its security environment. "Data is so portable today, we had to do something."
Lesson learned
But if he had a do-over, Israel would send out a few more e-mail notifications before implementation. He'd also audit existing use of removable devices to identify regular, legitimate users and make sure they got authorized.
Late this year, the delivery system expected to implement a new policy to require a standard, company-authorized key fob. The expectation was that employees would bring their existing fobs to the help desk and exchange them for standard ones. "A standard type cuts down on someone with any type of key fob plugging in and getting data," Israel says.
The delivery system is using the Kanguru Micro key fob of Mills, Mass.-based Kanguru Solutions, which is password-protected when uploading or downloading and encrypts stored data. "Is that level of protection needed?" Israel asks. "Probably not, but it is nice to have for just a little more money."
More security enhancements are in the immediate future at Lincoln Health Network. The delivery system is getting ready to implement hard drive encryption for about 1,250 laptops and PCs that do not use blade technology to store data in the data center. "We just see that as best practice if computers are stolen," Israel says.
Data security policies put in place seven years ago at Southwest Washington Medical Center helped ease the pain of complying with the HIPAA rules.
Christopher Paidhrin wrote 15 policies for the 380-bed facility in Vancouver, Wash. Some of the policies covered appropriate use of information; others imposed "brushstroke constraints" on all employees, says the senior security engineer and HIPAA and information systems security officer. Paidhrin also is an employee of Dearborn, Mich.-based ACS Healthcare Solutions, which manages the hospital's I.T. functions under a 2004 outsourcing contract.
The seven-year-old policies took care of half of the requirements under the HIPAA security rule, Paidhrin says. But much work remained before the April 2005 compliance date and many gaps remained after that date. "We exhaustively documented where the hospital stood and what work remained," he says.
Ongoing compliance work continues to knock off vulnerabilities one-by-one. In recent months, the appropriate use policy was modified to include CDs and DVDs, USB devices, PDAs and Web-enabled phones. In October, funding was approved for software that will automatically encrypt e-mail that includes specific keywords, account numbers or passwords.
Last January, the hospital installed single-sign-on software from Imprivata Inc., Lexington, Mass., to centralize workforce authorization across the enterprise via a Web portal. The authorization includes role-based access to data depending on an employee's duties. And access rights are based on a new three-prong policy covering the areas of need-to-know, minimum necessary disclosure and quality patient care.
Under the policy, an employee with a need to know will get access to necessary data. But the employee should disclose only the minimum necessary amount of information to satisfy the work being done, such as a referral to a specialist. "Don't give away the whole chart if you don't have to," Paidhrin says.
But how much data to disclose often is a judgment call and that's where the third prong of the policy kicks in. If an employee is unsure how much data to give, the policy calls for erring on the side of the patient's medical and emotional well-being. "We will not let regulations harm the patient," Paidhrin says. "We'll take the risk."
Along with the single-sign-on software, Southwest Washington Medical Center also installed 150 fingerprint biometric devices from Imprivata in busy areas such as the emergency and surgical departments. Other units in the hospital have discretionary funds for productivity improvement projects, and Paidhrin expects wide-scale use of biometrics authentication in the hospital within five years.
Checking again
Like many other health organizations, Meadville (Pa.) Medical Center examined its security environment before the HIPAA security rule deadline to find obvious vulnerabilities that needed immediate fixing.
Shortly before the deadline, the facility implemented technology to store data on a storage server, not on individual desktop computers. "That was a glaring gap that had to be closed before the compliance date," recalls Jeri Sample, security administrator.
After the deadline, hospital administrators did another assessment to find where gaps remained. "When HIPAA came along, there were things we had not addressed or to the degree the law required," Sample explains.
Last February, the hospital addressed another significant vulnerability by implementing secure messaging software from Proofpoint Inc., Cupertino, Calif. The software automatically encrypts outgoing e-mail that contains visit, medical record, credit card or Social Security numbers.
A daily report lists all e-mails with compliance issues, meaning they had at least one identifying number in them. Sample checks the report to ensure each message is appropriate and sent to the appropriate recipient.
The hospital could use a feature in the Proofpoint software to automatically stop transmission of e-mails containing identifying numbers, but Sample hasn't yet found problems that justify taking that step.
Recipients of the encrypted e-mail need to know how to decrypt the message, so the secure messaging program requires users to educate their regular e-mail recipients. Each encrypted e-mail requires the recipient to authenticate his or her identity; the recipient then receives instructions to decrypt the e-mail.
Meadville Medical Center last summer also implemented San Jose, Calif.-based Cisco Systems Inc.'s port security configurations to prevent unauthorized computing devices from plugging into its wired and wireless networks. Further, computer carts used by nurses can only use designated wireless access points on a specific floor. If a cart is moved to another floor, it will lose connectivity to the network.
Dual-use tools
Organizations looking to boost their HIPAA compliance sometimes find they already are using appropriate technologies for other purposes.
FFF Enterprises Inc., a distributor of plasma products, vaccines and medications to home-bound patients and other biopharmaceutical products, in June 2004 implemented database monitoring software to support an electronic pedigree system. The system tracks the lineage of a product: where it has been from manufacturing to its end point.
The SecureSphere Database Monitoring Gateway software from Foster City, Calif.-based Imperva Inc. audits database activity and checks for security vulnerabilities.
In the spring of 2006, Temecula, Calif.-based FFF Enterprises launched an intravenous treatment tracking system. In essence, the system is a personal health record enabling patients to maintain an electronic diary of their treatments, laboratory results and general health. The organization added Imperva's technology to monitor the new tracking system.
FFF Enterprises in May then added the monitoring software to its myfluvaccine.com Web portal, which provider customers use to purchase vaccine and get a guaranteed delivery date. Boosting security on the portal was important for ensuring business continuity, says Bob Coates, vice president of technology. "We'll know if someone is trying to hack into the system."
The organization also recently implemented a module of the Proofpoint secure messaging software to scan outgoing e-mails for protected health information.
Right now, the organization is only monitoring e-mail and following up messages that are flagged to make sure they are appropriate. The company also is testing the software's auto-encryption function but isn't ready to use another function that automatically stops flagged e-mails from being sent.
This "monitor and flag" phase is designed to educate administrators on e-mail usage patterns to help them draft future policies, Coates says. So far, he hasn't seen any need to stop an e-mail from being sent. "Someone might be sending themselves a file to work on at home," he explains. "If you stop the file, that has implications and you want to make sure you're doing it right."
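The outgoing-mail scanning that Meadville Medical Center and FFF Enterprises describe (flag messages carrying identifying numbers, list them in a daily report, and either deliver, encrypt or block them depending on the policy phase) can be sketched as follows. This is an added example, not Proofpoint's code or either organization's; the regular expressions, the home domain example-hospital.org, the medical-record-number layout and the sample messages are assumptions constructed here.

```python
import re
from collections import namedtuple

ORG_DOMAIN = "example-hospital.org"  # assumed home domain for the external-recipient check

# SSN and card formats are standard, with Luhn to cut card false positives. The MRN
# layout (6-8 digits after "MRN") is an assumption; each hospital defines its own.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
MRN_RE = re.compile(r"\bMRN[:#\s]*\d{6,8}\b", re.IGNORECASE)

Message = namedtuple("Message", "sender recipient subject body")

def luhn_ok(digits: str) -> bool:
    # Luhn checksum, so a 16-digit order or tracking number is not reported as a card.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    # Keep only the last four digits so the report itself does not leak the identifier.
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def scan(msg: Message) -> list:
    # Return (kind, masked value) pairs for each identifier found in subject or body.
    text = msg.subject + "\n" + msg.body
    found = [("ssn", mask(m.group())) for m in SSN_RE.finditer(text)]
    found += [("credit_card", mask(m.group())) for m in CARD_RE.finditer(text)
              if luhn_ok(re.sub(r"\D", "", m.group()))]
    found += [("mrn", mask(m.group())) for m in MRN_RE.finditer(text)]
    return found

def decide(findings: list, mode: str) -> str:
    # Policy phases from the article: monitor (flag but still deliver), encrypt, or block.
    if not findings:
        return "deliver"
    return {"monitor": "deliver", "encrypt": "encrypt", "block": "block"}[mode]

def daily_report(messages: list, mode: str) -> list:
    # One row per flagged message: who sent what to whom, and the action the policy took.
    return [{"sender": m.sender, "recipient": m.recipient,
             "external": not m.recipient.endswith("@" + ORG_DOMAIN),
             "findings": f, "action": decide(f, mode)}
            for m in messages if (f := scan(m))]

# Constructed sample traffic, not real messages. The tracking number fails Luhn.
SAMPLE = [
    Message("billing@example-hospital.org", "payer@example-insurer.com", "Claim",
            "Patient SSN 123-45-6789, MRN 00482913, please process."),
    Message("nurse@example-hospital.org", "nurse@example-hospital.org", "For home",
            "Card on file 4111 1111 1111 1111 for the copay."),
    Message("shipping@example-hospital.org", "vendor@example-supplier.com", "Order",
            "Tracking number 1234 5678 9012 3456 for the pump order."),
]
```

Running `daily_report(SAMPLE, "monitor")` lists the first two messages with masked identifiers and an "external" flag for the reviewer, while the tracking-number message is not reported at all.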
FFF Enterprises may be cautious in its approach to e-mail security, but the organization never stops working on maintaining an environment of data protection, says Kit-Bacon Gressitt, vice president of communications.
For example, the organization publishes a magazine for clients and patients, and someone recently suggested that the mailing list would be good for marketing purposes, an idea that is anathema to the organization's data security and patient privacy policies. "It's an attitude that needs constant reminders in any organization."
Hacking for security
While FFF Enterprises recently installed database monitoring software to spot hacker activity, among other functions, Providence, R.I.-based Care New England Health System is using software to hack into its own systems.
Three years ago, the three-hospital delivery system deployed network penetration testing software to assess "Internet-facing" information systems as part of its HIPAA compliance work. The Core Impact software from Boston-based Core Security Technologies checks information systems and networks for vulnerabilities, then tries to exploit them.
The software accesses a system through a vulnerability and leaves an agent, or place marker, at the problem site. This enables I.T. staff to go to the site and hack through their own system to determine threat levels and resolutions. "I'm hacking with permission," jokes Larry Pesce, I.T. security manager.
Pesce won't say how much the organization paid for the software, but believes it is a less expensive and more thorough product than open-source penetration tools that were considered.
"Implementing Core Impact in a way that doesn't generate false positives takes a couple of hours," he explains. "Open source would have caused hundreds, if not thousands, of false positives depending on what we're scanning."
Further, he adds, deploying open source software would have required the hiring of staff skilled in resolving all the false positives.
In the past year, Care New England started to also use the software to scan, and hack, all information systems on its internal networks. "We found enough vulnerabilities to realize how valuable it was," Pesce says. "It certainly helped us tighten policies."
For instance, the delivery system found many desktop workstations were not patched properly. In some cases that was because the machines were on and off the network at various times, so they weren't getting some patch updates. In other cases, the updates didn't take effect because desktops were not rebooted. Clinicians, Pesce notes, don't like to reboot their machines. Patch schedules were changed to slower periods of activity.
Care New England also increased its schedule of regular security maintenance with considerable support from senior executives who, thanks in part to the penetration testing software, now understand the risks of not doing so.
Also in the past year, the delivery system stepped up its ongoing HIPAA and data protection education for its work force. "We didn't want people to forget," Pesce says when asked if education was expanded because the focus on security and privacy was slipping. "The more we refresh, the better. I wouldn't say the security culture was slipping. I would say we're just trying to do a better job. HIPAA isn't the only focus, but it is our guide to getting to best practices."
Source: Health Data Management