HIPAA security: IHE guidelines help ensure compliance

Nov 25, 2004

With the Health Insurance Portability and Accountability Act (HIPAA) Security Rule deadline approaching rapidly, radiology departments are working to define and implement measures -- technical, physical, and administrative -- to safeguard electronic protected health information (ePHI).

Under the security rule, covered entities are required to comply with various standards. They must be able to identify and address known or suspected security incidents, such as attempted unauthorized access to, or destruction of, ePHI. They are required to have audit controls in place to monitor ePHI network activity. They must also implement measures to ensure that only authorized individuals or programs can access ePHI, and ensure that the individual or entity attempting to access a system is authentic.

Overcoming HIPAA security hurdles

Complying with the security rule can be particularly challenging for multivendor radiology departments. The required standards for the security rule -- security incident procedures, audit controls, person or entity authentication, and access control -- are closely intertwined.

To effectively monitor and address security incidents, it is necessary to audit ePHI activity in the department. Auditing requires verification of everyone who is attempting to access the ePHI to ensure that only authorized users can access the information requested.

Meeting the standards can be difficult for multivendor radiology departments, as audit log data may or may not be transparent from one vendor to another. The audit logs generated in a multivendor radiology environment are typically in a proprietary format and contain different sets of information. Recording, searching, and reporting security incidents from incompatible logs can be costly and onerous, and result in information gaps.

Access control and user authentication mechanisms are typically nonexistent at some modalities in a department. Although PACS workstations may have such controls, other areas such as ultrasound, MRI, or CT may not. Security controls may be limited to simply locking a room and providing authorized staff with access to the equipment.

Many closed workstations, such as ultrasound systems, have no access control or authentication measures. These factors further complicate audit efforts, making it impossible to make a record of the individual who generated or accessed a patient's ePHI, when they did it, and what they did with the information.

How does a radiology administrator effectively report on security incidents, pulling information from existing audit logs while trying to fill in holes where equipment doesn't track user activity?

The key is to implement centralized auditing, user authentication, and access control across the department.

Putting the pieces together

Centralized auditing enables a radiology administrator to search common audit content from all equipment, regardless of the manufacturer, via a central database. Once the common denominator of required audit information has been established and implemented, the database can generate consistent reports on security incidents and other audit events. The automatic process saves an administrator considerable time, eliminating the need to sort through reams of data from various audit logs in an attempt to accurately document activity.

User authentication mechanisms serve to verify that the individual or entity attempting to access ePHI is the one claimed. Authentication is often achieved with a user identifier, such as a pass card and a confidential personal identification number.

In departments where some equipment doesn't require logging in, or where a single login serves multiple users, it is impossible to audit user-specific activity with any degree of accuracy. Adding authentication capabilities to the equipment enables audit messages to be generated for security events (such as attempted unauthorized access) and tagged to the appropriate user. The message is then sent to a central repository.

Access control capabilities ensure that only authorized users can access ePHI. Such capabilities and role-based permissions are controlled via a user database. Although locked doors and limited access within a department provide a certain level of physical security, these measures do nothing to track user-specific ePHI activity (such as a user attempting to access ePHI when it is not permitted by their role).

Implementation

The security rule preamble encourages professional associations to establish compliance guidelines to help organizations implement technical safeguards. Examples of such guidelines include the Integrating the Healthcare Enterprise's (IHE) Basic Security Integration Profile (BSIP) and its successor, currently under trial implementation, the Audit Trail and Node Authentication (ATNA) profile. The IHE BSIP is found in the IHE Technical Frameworks, Vol. 1, Integration Profiles, section 10. The ATNA Profile is accessed through the same link.

IHE, jointly sponsored by the Radiological Society of North America (RSNA) and the Health Information and Management Systems Society (HIMSS), developed the BSIP as a technical implementation specification to assist organizations with security compliance. The BSIP provides implementation tools that are useful for enterprises working to comply with privacy and security regulations, including HIPAA.

"The Basic Security Profile establishes security measures which, together with the Security Policy and Procedures of the enterprise, provide patient information confidentiality, integrity, and user accountability," the IHE wrote.

Healthcare organizations and its vendors can look to the BSIP, or other guidelines, to assist with security rule compliance. There are also comprehensive, vendor-independent solutions available that follow IHE guidelines to help facilities with compliance efforts.

IHE Basic Security Integration Profile

IHE describes implementation requirements in detail so that healthcare imaging and information systems vendors can support industry conformance. The BSIP focuses on four goals: user accountability, access control, centralized auditing, and ePHI data integrity. In support of these goals, it provides details for implementing user authentication, node authentication, and audit-record generation capabilities.

The BSIP identifies an extensible markup language (XML) schema for audit record content. To assist with generating audit records, it provides audit triggers for security-related events such as instances deleted. Audit messages for the identified triggers are to be generated in XML format, and stored in a central repository.

Bringing vendors on board

Although centralized auditing is recommended by IHE and is the most practical solution, many vendors have not yet adopted the IHE-specified XML audit schema to support it. These vendors typically include some level of auditing support in their products, but not to the extent necessary for comprehensive HIPAA security event reporting.

Radiology professionals should encourage suppliers to:

  1. Modify the audit log format in new equipment to send the industry-accepted IHE XML schema from all equipment that generates and accesses ePHI.
  2. Equip legacy equipment with access control, user authentication, and auditing capabilities.
  3. Provide a central repository to record, search, and report security incidents and activity from the equipment.

These measures will enable robust auditing capabilities for the upcoming security rule requirements, for other compliance efforts, and for general best practices.

By Terry Callahan and Christine Callahan
AuntMinnie.com contributing writers
November 26, 2004

HIPAAT is a Mississauga, Ontario-based firm that offers technology-based solutions to meet the healthcare industry's privacy and security compliance challenges. For further information, HIPAAT can be contacted at (905) 405-6299 or via the Web at www.hipaat.com.

Related Reading

HIPAA compliance encountering rocky road, August 30, 2004

Analysts offer advice on keeping HIPAA security compliance simple, March 12, 2004

HIPAA security and privacy compliance concerns, October 23, 2003

HIPAA TCS standards float in compliance limbo, October 17, 2003

HIMSS offers advice on CMS contingency plan, September 25, 2003

Copyright © 2004 HIPAAT

Latest in IS
2017 03 30 15 16 56 745 Mammogram Calendar 400
Can self-scheduling and referral close breast cancer screening gaps?
July 31, 2023
2018 11 19 17 20 4754 Back Pain 400
Simple EHR intervention reduces unnecessary lower-back x-rays
July 30, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Amazon Web Services releases imaging data platform
July 25, 2023
2021 06 16 23 10 5735 Student Doctor Laptop Test 400
Online course teaches students about appropriate imaging use
July 19, 2023
Related Stories
Merge
IS
Merge eFilm
Ris
IS
Clinical specialization, connectivity keep RIS vital
Witt
IS
Witt Biomedical
Netris
IS
net-RIS
More in IS
Can self-scheduling and referral close breast cancer screening gaps?
By Amerigo Allegretto
Online patient portal self-scheduling and self-referral methods can help mitigate health disparities in breast cancer screening, according to research published July 26 in the Journal of the American College of Radiology.
July 31, 2023
2017 03 30 15 16 56 745 Mammogram Calendar 400
Simple EHR intervention reduces unnecessary lower-back x-rays
By Kate Madden Yee
A relatively simple electronic health record (EHR) intervention reduces the incidence of unnecessary x-rays for patients presenting with low back pain, a study published July 28 in the Journal of the American College of Radiology has found.
July 30, 2023
2018 11 19 17 20 4754 Back Pain 400
Amazon Web Services releases imaging data platform
By AuntMinnie.com staff writers
Amazon Web Services has launched an imaging data platform for storing, accessing, and analyzing medical images at petabyte scale.
July 25, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Online course teaches students about appropriate imaging use
By Amerigo Allegretto
An online elective course can effectively educate radiology students on the concept of appropriateness in medical imaging, according to an Israeli study published July 18 in Academic Radiology.
July 19, 2023
2021 06 16 23 10 5735 Student Doctor Laptop Test 400
CMS proposes radiology reimbursement cuts, AUC pause for 2024 MPFS
By Erik L. Ridley
In what has seemingly become an annual event, the U.S. Centers for Medicare and Medicaid Services (CMS) has once again included radiology reimbursement cuts in its Medicare Physician Fee Schedule (MPFS) Proposed Rule.
July 13, 2023
2019 07 31 17 01 7432 Medicare Puzzle 400
Summary reports improve CT planning for ovarian cancer surgery
By Kate Madden Yee
A synoptic, or summary radiology report, improves pretreatment CT planning for patients with advanced ovarian cancer compared to a simple structured report, according to a study published on July 12 in the American Journal of Roentgenology.
July 12, 2023
2023 07 12 19 50 6142 2023 07 12 Ajr Ct Ovarian 400
PET/CT shows value in patients with portal vein thrombosis
By Will Morton
PET/CT could be a valuable new imaging technique for distinguishing benign from malignant portal vein thrombosis in liver cirrhosis patients, according to a group in Egypt.
June 26, 2023
2023 06 22 23 04 9721 2023 06 23 Pet Pvt 20230622231003
Ransomware affects emergency radiology workflows
By Amerigo Allegretto
Ransomware attacks have a significant effect on emergency radiology workflows, as well as on acute care delivery and the personal well-being of healthcare providers, according to a study published June 15 in the Annals of Emergency Medicine.
June 19, 2023
2021 08 10 16 10 2928 Cybersecurity Lock V2 400
SIIM: Can Microsoft Teams lessen radiologist interruptions?
By Erik L. Ridley
AUSTIN, TX - Asynchronous forms of communication such as Microsoft Teams are much less disruptive to radiologists than phone calls or in-person visits, according to a talk delivered at the annual Society for Imaging Informatics in Medicine (SIIM) meeting.
June 18, 2023
2020 04 16 18 17 3383 Radiologist Ct Scan Brain Tumor 400
Turing debuts MRI visual feedback module at ISMRM 2023
By AuntMinnie.com staff writers
Neuroimaging software company Turing Medical Technologies (formerly Nous Imaging) used the venue of ISMRM 2023 in Toronto to launch FIRMM-pix, an in-bore visual feedback module designed to actively reduce head motion during brain MRI scans.
June 8, 2023
2023 01 30 21 50 9506 Computer Display Monitor Lab Mri V2 400
ImagineSoftware acquires Within Health
By AuntMinnie.com staff writers
Radiology billing and RIS developer ImagineSoftware has acquired artificial intelligence software developer Within Health. Terms of the deal were not disclosed.
May 23, 2023
2020 08 20 17 37 8876 Business Handshake Man 400
DetectedX touts learning platform success
By AuntMinnie.com staff writers
DetectedX is highlighting that the user base for its Radiology Online Learning Centre has exceeded 4,500 users, which the company says range from large radiology groups to individuals around the world.
May 3, 2023
2020 06 16 22 09 9134 Doctor Virtual Meeting Laptop Computer 400
Page 1 of 603
Next Page