The U.S. Department of Health and Human Services (HHS) has published the much-anticipated final security rule for the Health Insurance Portability and Accountability Act (HIPAA), offering healthcare administrators a document they can use to gauge their own facilities' security practices. With an effective date of April 21, 2003 and a compliance deadline of April 21, 2005, there’s not much time left for implementation, verification, and validation.
(Click here for a PDF version of the HIPAA final security rule; click here to download Adobe Acrobat, required to read PDF files.)
"HIPAA security best practices represent guidelines for developing or implementing information security policy practices or tools in an effort to secure information resources and comply with regulatory requirements," said Tom Walsh.
Walsh, a principal consultant on e-security practice with CTG Healthcare Solutions of Overland Park, KS, offered his insights on best-practice security implementation at the 2002 Healthcare Information and Management Systems Society (HIMSS) conference in San Diego earlier this month.
"The need for best practices are driven by limited resources for general IT (information technology), a demand for more access to information by all stakeholders in healthcare, and the perception that security is viewed as an expense with no return on investment," Walsh said.
Risk assessment and analysis
An organization's first step is to identify what needs to be protected, assess the potential threats to those items, and analyze the vulnerabilities that could be exploited by those threats, Walsh said.
An information security policy will need to be drafted by a facility. It should define the expected state of security for the organization and the technical security controls for implementation. Walsh recommended that facilities take into account limitations such as budgets and resources, and establish their risk tolerance level.
"Without policies, there is no plan for an organization to design and implement an effective security program," he said.
Administrative best practices
Walsh advocates the establishment of user accounts on role-based access rules. That is, a physician’s role will have different security provisions than those of an individual working at the reception desk. Each user account should have a unique user ID that is not based on the user’s name, department, telephone extension, or employee number. Concurrent access of a single user ID should be prohibited.
"Access privileges must be able to be quickly changed if there’s a change in a user’s role, such as a job transfer or termination," Walsh said.
He recommends that human resources departments be responsible for immediately notifying the IT department of any changes in employee status. For user accounts such as contractors, vendors, temporary workers, medical students, and residents, information security officers may want to create accounts that automatically expire after a predetermined length of time.
Account passwords should be a minimum of six to seven characters in length, and easy for the user to remember. The password should not be easy to guess, should contain both letters and numbers, and should contain a special character (such as a #,&, or *). System-wide, users should be forced to change their password approximately every four months.
"The IT department should make password-selection training part of every employee’s training package," said Walsh.
User authentication by the system should be based on a two-factor authentication protocol. This is accomplished by combining two of three methods: something a user knows, such as a password or personal identification number; something a user has, such as a token, key, or smart card; or something a user is, such as a voice scan, fingerprint, or iris scan. A user ID and a password is not a two-factor authentication, he noted.
Security audits should be conducted on a periodic basis across all systems and random users in an institution. Audit logs should be stored on a separate system and only the information security officer, not the IT department, should have access to this data.
Also, on a periodic basis, data owners will need to receive an access control list of who has access to their systems and what privileges they have. If any adjustments need to be made to either access or privilege to protected health information (PHI), the data owner must notify the IT department for implementation.
Walsh also recommends that the IT group automate its configuration management as much as possible. This includes updating virus protection programs, as well as pushing software application fixes to the desktop from a central location.
"When a system is about to be placed into production at your facility, make sure the unused services have been disabled, default system passwords have been removed, and proper testing has been done before you bring it online," Walsh said.
Physical best practices
An organization’s physical access control policy may need to be reviewed in light of the HIPAA final security rule. Areas that should be examined include an organization’s data center, media backup, media disposal, and incident response plan.
Walsh strongly recommends the use of card swipe or proximity cards to access secure areas within an institution. These products allow an organization to maintain granular access control such as date, time, and user access, and to generate access logs to restricted areas for auditing purposes.
All contractors and vendors should be provided with guest badges that clearly indicate access areas and the expiration date. If a contractor or other outside personnel are permitted in the data center, they should be monitored at all times -- by data-center personnel or by motion-activated digital cameras.
Onsite backup media should be stored in a fireproof safe away from the data center. Also, any media that stores PHI, such as laptops and personal digital assistants (PDAs), should have file-protection tools deployed as part of the user configuration.
Hard-disk drives and other read/write magnetic media should be cleaned by overwriting them with a random bit pattern at least three times before they are reused or disposed of. Paper documents need to be securely stored before they are shredded or burned. CD-ROMs will need to be destroyed by compression or pulverization.
The institution’s incident response center should probably be reviewed in light of the final security rule, Walsh said. It should be stocked with necessary supplies, equipment, and backup systems, and each position in the center should be identified by its role. In addition, experienced employees should be trained in the collection and preservation of evidence as it pertains to an incident response.
"Remember, any change in an organization’s environment will require an update of its disaster recovery plan," he said.
Technical best practices
Technical security procedures should also be benchmarked against the final security rule. Workstations that have access to PHI should have automatic time-outs without activity set for a maximum of 10 minutes. Privacy screens or anti-glare screens should be used on any workstation that displays PHI to inhibit access by other personnel.
If a facility supports telecommuting applications such as teleradiology or remote coding, those systems should have two hard drives from which to access the desktop: one installed by the facility only for work use and one for the employee’s personal use.
"Even if your organization has decided in its risk-tolerance assessment that it will not require two-factor authentication internally, to protect itself it really should require two-factor authentication from every remote user," Walsh said.
Authentication systems should be configured to lock a user account after a predetermined number of unsuccessful logon attempts are made. Walsh recommended no more than five attempts in a single session.
Intrusion-detection systems should be installed to monitor for external attacks on networks. These systems should be configured to trigger an alarm if a user account attempts to access information beyond the account’s authorization.
The network itself should be periodically scanned for vulnerabilities and open ports. As a matter of policy, "deny" rather than "allow" should be the default on every network system in an institution. If a facility provides for wireless access to PHI, that network must be encrypted, he said.
Every component of a system -- administrative, physical, and technical -- will have several best security practices that can be employed. And one department or facility may have security needs that differ from those in other areas of an institution.
"There is no such thing as 100% security," Walsh concluded. "What works as a best practice in one area doesn’t necessarily work across the board. It’s important that security administrators tailor security for every specific area and application."
By Jonathan S. BatchelorAuntMinnie.com staff writer
February 20, 2003
Related Reading
HHS issues HIPAA final security standards, February 14, 2003
Looming HIPAA rule highlights healthcare business associates, February 11, 2003
HIPAA-related courses and seminars: Worth the time, every time?, November 11, 2002
Privacy specialist offers a methodical approach to HIPAA compliance, August 30, 2002
HHS amends HIPAA privacy rule, August 13, 2002
Copyright © 2003 AuntMinnie.com
