Editor's Note: This two-part special report looks at how some health care companies dealt with the requirements....
In the second part of the report coming tomorrow, healthcare providers discuss the challenges of interpreting the HIPPA rules and the difficulties of becoming compliant.
At Healthcare Partners, a multi-specialty medical group in Los Angeles County, the IT staff discovered quickly that complying with HIPAA's security requirements is no small feat.
The organization boosted its perimeter defenses by formalizing its patching processes, and bought a managed firewall monitoring service to augment its staff. It also deployed host-based intrusion prevention and is encrypting disk drives on portable devices. Along with new technology and policy changes, it reorganized operations to bring change management into the security department.
But in the end, it's not so much about spending a lot of manpower and money to comply with a federal regulation. Rather, it's about mitigating risk for the business, said Leo Dittemore, director of IS security administration at Healthcare Partners.
"Patient growth is what drives business here, so if patients can't trust us and security is a matter of trust, they're not going to come to us as their provider," he said.
Since the HIPAA security requirements took effect in 2005, many health care organizations have been busy shoring up their networks with firewalls, IPSes, and access controls. The security regulations came two years after the HIPAA privacy requirements.
Many agree that HIPAA's 18 high-level standards for protecting electronic personally identifiable health care information have helped increase security awareness in the health care industry. However, measuring actual compliance is tricky. The regulations aren't specific and there hasn't been a lot of enforcement.
"HIPAA is kind of wide ranging, kind of vague," said Barry Runyon, a research director covering healthcare providers at Stamford, Conn.-based Gartner Inc. "That's what's frustrating for care delivery organizations… They're never really sure if they're compliant."
Dittemore notes that HIPAA doesn't specifically require firewalls, patching or data encryption. "It says you need to do what you think is best to protect that information."
Sixty percent HIPAA compliance
Measured subjectively, Runyon estimates that 60% of health care providers are compliant with HIPAA's security standards. A survey last summer of 220 health care providers and insurance companies by the Healthcare Information and Management Systems Society and Phoenix Health Systems showed that only 56% are complying with the security requirements.
Runyon said ambiguity was built into the HIPAA security regulations on purpose to make them less onerous and encourage adoption. But now that organizations have had a couple years to implement best practices and security technologies, he expects enforcement to increase in the next two to five years, which will "put some teeth into this rule."
Already, there's evidence that the federal government is getting more serious about enforcing HIPAA's security standards. Piedmont Hospital in Atlanta reportedly was audited by the Department of Health and Human Services' inspector general.
A Piedmont spokeswoman confirmed that an audit began in March but declined to elaborate. Don White, an HHS Office of Inspector General (OIG) spokesman, said the OIG is conducting a "pilot audit" of one hospital involving enforcement of HIPAA security requirements by Centers for Medicare and Medicaid Services (CMS), the HHS entity responsible for enforcing the standards. Depending on the results, OIG may conduct additional reviews to determine the adequacy of CMS oversight and enforcement of HIPAA security, he said.
CMS said it received 234 complaints of potential HIPAA security violations as of June 30 and closed 130 of them. The top complaints were about information access management, access controls, and security management process. Cases were closed either after an investigation showed the organization to be compliant, or the entity either fixed the problem or submitted a corrective plan.
"We try to resolve problems rather than punish mistakes," Don McLeod, a CMS spokesman said in an email. "So far, it's working."
Know your risks
The first step organizations should take to comply with HIPAA's security requirements is a risk analysis to "figure out what their major threats are, address them in the scope of their own resources, and document any residual risk," Gartner's Runyon said. HIPAA requires risk analysis and assessment.
At Healthcare Partners, executives took HIPAA's security standards as a starting point and conducted a risk assessment. The organization has more than 40 medical offices, including five urgent care centers, plus hundreds of affiliated medical offices. With a patient population that tops 500,000, it counts 3,500 employees, including 400 physicians. Healthcare Partners also works with an additional 3,000 physicians in an independent association.
"We outlined what we thought were our biggest risks -- our biggest compliance issues -- and rated those," Dittemore said. "We update that on a biyearly basis, determining what we are most at risk for technically, and which [risks] will have the most impact on the business, and the cost associated with the mitigation factors."
The initial risk assessment pointed to perimeter security issues, which led Healthcare Partners to formalize its patching processes and its antivirus and anti-spyware updates.
"We automated a lot of our patching routines so it's not somebody haphazardly going out and picking a machine to fix but missing others," Dittemore said.
Microsoft's Software Update Services -- now Windows Server Update Services -- helps streamline patching while CA Threat Manager for the Enterprise deploys and updates antivirus and malware protection. The organization uses local distribution points to send out Windows and CA updates across its multiple locations.
Healthcare Partners also implemented stricter firewalls rules and augmented its staff with a managed service from SecureWorks to monitor and manage the firewalls.
More recently, the medical group has begun addressing application vulnerabilities by deploying host-based intrusion prevention from Third Brigade. It's also encrypting disk drives on portable devices and plans to follow that up with disk encryption on desktops.
Retooling the security department
On the organizational side, HealthCare Partners last year brought its change management group, which includes help desk operations, into the security department so it can track change requests and incident resolution. The QA department also moved into the security group.
Dittemore said he didn't try to sell security projects as HIPAA requirements but rather as business needs. For example, making sure systems are patched brings value to the business by ensuring that they're available and employees can get their work done, he said.
There's still work to do. Some risk mitigation steps are either awaiting resources or haven't yet become a high enough business priority, he said.
At Roseville, Calif.-based Adventist Health, HIPAA security compliance also started with a risk assessment. The faith-based, nonprofit organization operates 19 hospitals and numerous other health care facilities throughout California, Hawaii, Oregon and Washington, and counts approximately 18,000 employees.
The risk assessment helped Adventist Health get an understanding of user behavior, IT processes, the capabilities of its applications, and how the applications were being used, said Wendell Bobst, director of IT security and HIPAA security official at the organization. Following the Facilitated Risk Assessment Process (FRAP), Adventist Health broke down its operations into eight topic areas.
"We looked at the threats and vulnerabilities for a given topic area, and then we looked at the controls and safeguards we had in place at the time -- were they effective and how would we need to augment them based on what the rule said and didn't say," he said.
The first round of projects focused on termination processes to make sure users didn't retain access rights longer than needed. Other top projects addressed auditing to ensure employee access to medical records was appropriate. This is where Adventist Health deployed Cerner Millenium for its clinical information system; Cerner later teamed with log management vendor SenSage to offer additional software that Bobst said provides enhanced auditing capabilities.
Risk assessments are done on a periodic basis and controls are also evaluated for their effectiveness. Security is balanced with business objectives.
"Because there isn't a minimum [HIPAA security] requirement, our focus is on appropriately protecting patient information," he said. "We look at additional HIPAA guidance, what our peers are doing, and make a business decision for our patients and Adventist Health," he said.