Preparing for HIPAA: Beef up Your Security

By Mark Hays, Senior Vice President and CTO, InfoMiners.com and Ingenix Co.

(Editor’s Note: This is the second of two articles on increasing data protection and security in physician computer systems.)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) promises to fuel far-ranging and costly changes in healthcare information technology. Over the next few years, the total cost of HIPAA compliance is likely to exceed the cost of Y2K updates—with significant upgrades to existing software and extensive consulting services.

Security for patient information is a key element of HIPAA, which will create a much-needed standard for confidentiality nationwide. Penalties for unauthorized disclosure of patient data start at $50,000 and/or one year in prison. If you work with patient records, these strict new laws will apply to you.

In this article, we’ll review important steps you can take today to prepare for HIPAA compliance. These solutions will also deliver immediate benefits—including improved privacy for your patients and reduced legal and financial risk for you and your organization.

Here are some steps you can take now to protect your existing computer systems and databases:

1. Install password-protected "secure desktop" software on every PC. Your existing PCs are probably the weakest link in your security chain. When your staff leaves for lunch, how many systems are left behind—running, logged in, and ready for anyone who happens to walk by? If a PC is left unattended, "secure desktop" software will automatically time out to a password-protected screen-saver. Centrally managed solutions are available from a number of vendors, including the Zero Administration Kit from Microsoft for Windows 98, NT, and 2000.

2. Mandate more effective password control. Passwords are often managed for user convenience, not security. Educate your users on the fundamental importance of passwords, and implement new procedures to 1) automatically create complex passwords that cannot be guessed easily, and 2) refresh all passwords frequently.
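The two procedures in step 2, automatic generation of complex passwords and a forced refresh interval, as an added Python example (not from the article or its author). The length, age and denylist values are assumptions; the article sets no specific numbers.

```python
import secrets
import string
from datetime import date, timedelta

# Policy values assumed for this example; the article gives no specific numbers.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Constructed denylist of easily guessed values; a real deployment uses a large list.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "changeme"}


def is_complex(password):
    """Reject short, single-character-class, or commonly guessed passwords."""
    if len(password) < MIN_LENGTH or password.lower() in COMMON_PASSWORDS:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return all(classes)


def generate_password(length=MIN_LENGTH):
    """Draw characters from a CSPRNG and retry until the complexity rule is met."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_complex(candidate):
            return candidate


def set_password(accounts, user, password, today):
    """Record a password change only if the new value passes the policy."""
    if not is_complex(password):
        return False
    accounts[user] = today  # only the change date is stored, never the password
    return True


def accounts_needing_refresh(accounts, today, max_age_days=MAX_AGE_DAYS):
    """Users whose last change is older than the refresh interval."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(user for user, changed in accounts.items() if changed < cutoff)


SAMPLE_TODAY = date(2000, 4, 15)


def sample_directory():
    """Constructed sample directory: user -> date of last password change."""
    return {"drjones": date(2000, 1, 3), "reception": date(2000, 3, 20)}
```

Running `accounts_needing_refresh(sample_directory(), SAMPLE_TODAY)` flags only `drjones`, whose password is past the 90-day limit; `set_password` refuses weak replacements such as `Welcome1`.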

3. Explore purchase of a single sign-on system. If your users need to access a number of different systems with different passwords, take a serious look at single sign-on systems. These solutions aren’t cheap or easy to install, but without one, it’s extremely difficult and time-consuming to maintain user accounts and passwords in a secure environment. And your users will thank you for the convenience of a single password.

4. Talk to your vendors about improved security. Make sure you’ve fully implemented the security functions included in your existing systems. With HIPAA on the horizon, your vendor probably has improved security functions in the works, including central password and "rights" management. Ask about their plans for HIPAA compliance.

5. Improve protection for "open" databases. Audit your facility and find every database that contains patient information, focusing on systems that use a standard "open" database that supports SQL and/or ODBC (e.g., Microsoft Access, SQL Server, Oracle, Paradox, Informix, Btrieve, etc.). Larger organizations often find that dozens of databases have popped up here and there to support departmental applications, local reporting, etc.—and they’re rarely secure. Try to move these databases to "hardened" and secure servers that are centrally managed and physically protected. If a database must remain in a departmental office, it should still run on a hardened server that is centrally managed, with some form of physical security. You may also find that this is a good time to retire departmental reporting systems and create a shared data warehouse. Your users will be able to run their standard reporting tools, but the data will be stored in a more efficient and protected environment.

6. Install a central PC management system. If your organization has more than a dozen PCs, this is the most important step you can take toward effective security. Your security plan will fail if the PCs on your network are uncontrolled. Central management systems for hardware, operating systems, and software are available from a number of leading vendors, including Microsoft and Computer Associates.

For many organizations, this is a big step—your users probably treasure the independence they feel with "their" PC, and will be loath to surrender control. Your IT team should be thoroughly trained before you start. Make sure your IT department is staffed to handle new management issues, and take the time to inform and educate your user community.

7. Lock down external access routes. Find and document every modem and modem-compatible phone line that users can access. Ban any type of access that doesn’t go through your secure servers, filters, and firewalls. This should be backed by strict enforcement.

Secure your E-mail Services

E-mail is the most widely used application on the Web, and the least secure. Take immediate steps to lock down e-mail applications, and monitor e-mail traffic. Here’s how.

1. Clarify your e-mail policy. Many employers don’t have an effective e-mail policy, and recent court cases underscore the risk of inaction. Review and update your policy, notify your employees, and post a copy on your Intranet site. For an example of a good e-mail policy with legal background on key issues, see:

www.mlb.com/art61499.htm.

2. Train and remind your employees and users. Publish a weekly bulletin to every e-mail user, noting new e-mail virus threats, attachments to avoid, and e-mail policy issues. Add a similar "bulletin" section to your Intranet site, in a prominent location. This will help to keep security concerns fresh in your user community. Automated systems will help you manage this process—see the list below.

3. Require e-mail encryption, particularly for physicians working with patient data. It’s easy to make e-mail secure with off-the-shelf encryption products. This is essential for physicians who use e-mail to contact patients, consult with colleagues, etc. Solutions include add-ons for common e-mail products (e.g., Outlook and Eudora) and complete e-mail systems with secure clients and servers—see the list below.

Notify your physicians, spell out the Health Care Financing Administration requirements, and remind them with regular e-mail bulletins. If you have a Web site or an Intranet page specifically for physicians, add a prominent "security for patient data" section, with the latest information. Include the ability to download an encryption add-on for popular e-mail packages, at no charge. Offer special training sessions for physicians to explain the threats and solutions.

4. Install an automated e-mail encryption/monitoring system. This is one of the most important steps you can take to secure your entire network—every healthcare organization should install a system that will automatically encrypt e-mail, scan for attached viruses, filter spam and objectionable content, etc. Some will also help you define and update your e-mail policy, train users, distribute bulletins, etc. Here are four highly rated solutions:

MIMEsweeper—www.us.mimesweeper.com/products/websweeper/index.htm

CommandView—www.elronsoftware.com/enterprise/message_inspector.htm

MailMarshall—www.cleane-mail.com/

MailGuardian—www.vguard.com/index.asp

Also take a look at a recent review of e-mail management products:

www.checkmark.com/securecomputing/2000_03/testc/prod1.html

Secure Your Access to the Web

1. Clarify your policy for Web use. As with e-mail, many employers don’t have an updated policy for Web use. Review and update your policy, notify your employees, and post a copy on your Intranet site. The example provided on the previous page for e-mail also includes terms for Web use: www.mlb.com/art61499.htm.

2. Train and remind your employees and users. Most users are aware of viruses in e-mail, but many do not know that malicious Web sites can launch an attack directly through your Web browser—without opening an "attachment" or clicking on anything. Explain the risks and the importance of updating the version of the Web browser they use.

3. Require use of a standard "managed" Web browser, particularly for physicians working with patient data. This is one of the most important steps you can take to improve security in your organization—require the use of the latest version of your Web browser, and provide automated updates.

In larger facilities, this won’t be easy. A full update to a new browser release may require a CD—the files are typically 30+ megabytes and difficult to download. The new browser may also require end-user training. Patches to security holes must be applied regularly. Bottom line: although the Web is the most convenient and cost-effective way to provide access to patient data, management of secure Web browsing isn’t convenient. Check these support sites for the latest information on Microsoft and Netscape browsers:

Internet Explorer: www.microsoft.com/windows/ie/security/default.asp

Netscape: www.netscape.com/download/index.html

4. Install an automated monitoring and content management system for Web use. This is one of the most important steps you can take to secure your entire network—every healthcare organization should install a system that will automatically track, scan, and filter Web traffic for nonbusiness use and malicious or objectionable content, etc. Some will also help you define and update your policy for Web use, train users, distribute bulletins, etc. Note two highly rated Web content management solutions:

WebSweeper—www.us.mimesweeper.com/products/websweeper/index.htm

SurfControl—www.surfcontrol.com/products/index.html

Also take a look at a recent review of Web content issues and management products in the March 21, 2000, issue of Network Computing at: www.networkcomputing.com/1103/1103f2.html.

5. Install high-quality firewall and intrusion detection systems. You probably have a firewall system in place to protect the link between your network and the Web. When you audit your facility, make sure this system is up to date. Firewall technology is constantly changing to meet new threats, and if your firewall is more than a year old, you should take a close look at a major upgrade or replacement. Also check to see if your IT staff is fully trained on firewall management.

If you have a larger facility linked to the Web, but don’t have an "intrusion detection" system, add one immediately. Intrusion detection servers monitor the activity on your network automatically—and watch for unusual events that could signal a break-in. Although not perfect, this final line of defense should be a critical part of your Web strategy. For a review of issues and products, see this article from Network Computing magazine: www.networkcomputing.com/1010/1010r1.html.

6. Install a Virtual Private Network for links to sensitive patient data. For links to patient information, you should provide another layer of protection. Virtual Private Network systems (VPNs) create a "private line" over the public Internet. Data are encrypted during transmission, and special software is required on both ends to make a connection. This separates your links to patient information from ordinary Web traffic. VPN systems also support digital certificates and more effective user ID—both key requirements in pending HIPAA regulations.

7. Evaluate biometric ID systems. One of the basic challenges with security is the identification of the user. If the PC is inside your facility, you have greater control. If someone is dialing in via the Internet, how can you identify the person on the other end of the line? Ordinary passwords? They are hardly effective and are difficult to manage. Biometric ID systems take the next step, and ID the user based on a fingerprint, iris pattern, etc. This provides much tighter control over authorized access—and eliminates the hassle and cost of password management. User ID is a key requirement with HIPAA, and biometric systems should be part of your plan.

8. Upgrade security training for your IT staff. This basic step is often overlooked. Web security is complex and changes rapidly. Your plan should include a significant amount of security training for an "IT Security Team," with refresher courses throughout the year. I recommend at least one class per quarter for each person. These courses are often costly, by the way, so make sure you leave room in your budget.

9. Consider outsourcing Web security functions. If your organization doesn’t have the resources to handle the daunting challenges of Web security, don’t despair—and don’t try to "make do." One of the beauties of the Web is the ability to outsource. Your secure Web server could be installed at your site, or 1000 miles away. Users can’t tell, and they’ll often receive faster Web access than you could provide from your own facility.

Outsourcing eliminates the need to install and maintain complex security hardware and software, hire additional staff (a real challenge in this economy), and support security technology. From a management point of view, it’s often easier for a third party to introduce and control user access—an irate physician who doesn’t want to change his or her Web browser, for example, can’t pressure your IT staff. It’s out of their hands.

Steps You can Take to Prepare for HIPAA

Here are the key steps to take to prepare for implementation of HIPAA.

1. Implement basic security improvements. All of the steps outlined previously will improve security and reduce your legal exposure today, and put you well on the road to HIPAA compliance.

2. Audit your facility. Launch a general security audit of your entire facility. As you examine your existing systems and procedures, keep HIPAA compliance in mind. Note obvious problems and potential deficiencies, and build a comprehensive plan.

3. Launch discussions with your existing vendors. Legacy information systems will be one of the most difficult areas of compliance. Many of these systems were never designed with high-level security in mind, and changes will be difficult. When patient data are transmitted, they are not well protected, databases are not encrypted, password systems are weak and typically do not include audit trails, and no authentication/non-repudiation is provided for data access. Launch discussions with your vendors as soon as possible to uncover their plans for compliance—and the costs you should expect to pay. Many will probably require major system upgrades.
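Step 3 names two gaps in legacy systems: no audit trail and no accountability for data access. An added Python example (not from the article or any vendor) of a tamper-evident access trail for patient records: each entry is chained to the previous one with an HMAC, so any edit or deletion of an earlier record is detected on verification. The key, user names and patient identifiers are constructed for the example; because the key is shared, this gives integrity and traceability, not third-party non-repudiation, which would need per-user signatures.

```python
import hashlib
import hmac
import json

# Constructed key for the example; in production it belongs in a key vault or HSM.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64  # stands in for the MAC "before" the first record


def _entry_mac(key, prev_mac, entry):
    """MAC over the previous MAC plus this entry's canonical JSON, chaining the records."""
    payload = prev_mac.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_access(trail, key, user, patient_id, action, timestamp):
    """Record who touched which patient record, linking it to the record before it."""
    entry = {"seq": len(trail), "ts": timestamp, "user": user,
             "patient": patient_id, "action": action}
    prev_mac = trail[-1]["mac"] if trail else GENESIS
    entry["mac"] = _entry_mac(key, prev_mac, entry)
    trail.append(entry)
    return entry


def verify_trail(trail, key):
    """Recompute every MAC; return (True, None) or (False, seq of first bad record)."""
    prev_mac = GENESIS
    for i, record in enumerate(trail):
        entry = {k: v for k, v in record.items() if k != "mac"}
        expected = _entry_mac(key, prev_mac, entry)
        if entry.get("seq") != i or not hmac.compare_digest(expected, record["mac"]):
            return False, i
        prev_mac = record["mac"]
    return True, None


def accesses_by_patient(trail, patient_id):
    """Answer a disclosure question: who accessed this patient's record, and when?"""
    return [(r["ts"], r["user"], r["action"]) for r in trail if r["patient"] == patient_id]


def sample_trail():
    """Constructed sample of four record accesses."""
    trail = []
    append_access(trail, AUDIT_KEY, "drjones", "P-1001", "view", "2000-04-15T09:12:00")
    append_access(trail, AUDIT_KEY, "reception", "P-1001", "view", "2000-04-15T09:20:00")
    append_access(trail, AUDIT_KEY, "drjones", "P-2002", "update", "2000-04-15T09:41:00")
    append_access(trail, AUDIT_KEY, "billing", "P-1001", "export", "2000-04-15T10:05:00")
    return trail
```

Removing records from the end of the trail is not caught by the chain alone, so the latest MAC should also be stored separately (for example, on a write-once medium or a second server) and compared at verification time.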

4. Hire expertise. Security technology is notoriously complex, and most healthcare organizations simply don’t have the resources or training required. Hire a well-qualified security consultant now to prepare your HIPAA plan before compliance becomes a concern.

5. Keep an eye on those HIPAA Web pages. The current proposals haven’t been finalized, and the federal Department of Health and Human Services received a flood of comments from the industry. As you’ll see on the DHHS "HIPAA Schedule" site noted on page 11, the projected dates for release of the "final" rules have been pushed back. Modifications to the proposed rules are expected.

6. Focus on your current financial risk. As we noted at the beginning, don’t allow the interest in HIPAA to overshadow the basic issues: the patient data you’re responsible for are often protected by law, and you face a real risk of legal and financial liability—today. Many of the HIPAA requirements simply reflect good security practice that everyone should implement, with or without federal regulation. Get started today.

(Mark Hays has more than 15 years of experience with security technology and has coauthored a number of patents for secure software. He received a first place award from Bill Gates for the Best Healthcare Application for Windows, and a First Place in Healthcare/Biotechnology at Uniforum. He is senior vice president of product development and CTO for InfoMiners.com, where he directs development of secure Web-based data warehouse and reporting systems, and other solutions for HIPAA compliance.)

For quick access to the Web sites listed in this document, go to: www.infominers.com.