Editor's Note: This two-part special report looks at how some health care companies are dealing with the requirements.
Adam Le had his work cut out for him when he joined Alliance Imaging last October as director of IT infrastructure. Coming from the financial services industry, Le was accustomed to advanced IT systems. But Alliance, like some other health care companies, wasn't exactly on the cutting edge of technology -- or security, for that matter.
To complicate things, the Anaheim, Calif.-based provider of diagnostic medical imaging services is a highly distributed, very mobile company. Of its 2,500 employees, only 400 sit inside one of its six offices; the rest are mobile, working from more than 80 fixed-site imaging facilities that are hosted inside hospitals, or at 400 mobile imaging centers that travel across the U.S.
With HIPAA security requirements and other regulations to comply with, Le implemented initial access controls by creating Microsoft Active Directory security policies. Devices from ConSentry Networks, which provide centrally managed NAC and identity-management capabilities, enhance and enforce Alliance Imaging's access controls. Shifting to a Citrix environment further increased security by reducing the amount of data on employees' PCs, and RSA tokens strengthened authentication.
The work has paid off. External auditors are pleased with the new security measures and Le is confident that the company is complying with HIPAA's security mandates. Still, he wants to do more, but additional projects require resources and business coordination: "Some of it's time, some of it's effort, some of it's budget," he said.
Two years after HIPAA's security requirements went into effect, many organizations in the health care industry continue to improve their security. For some, like Alliance Imaging, it's been a major overhaul. But while the HIPAA rules have driven security improvements, their lack of specifics and a dearth of enforcement leave much room for interpretation, making compliance hard to gauge.
HIPAA demands layered security
Some organizations make the mistake of thinking they must have perfect security, which is impossible, said Barry Runyon, a research director covering health care providers at Stamford, Conn.-based Gartner Inc. They need to take a risk-based approach to HIPAA compliance that takes into account their individual circumstances and resources, he said.
"Tailor the HIPAA security rule to your organization so you don't break the bank … It comes down to being able to prove you've taken due diligence," he said, adding that documenting the reasons why a HIPAA provision can't be implemented usually is sufficient for auditing purposes.
At the University Health Center at the University of Georgia, administrators took a layered approach to HIPAA security compliance, installing a UTM, role-based access control, secure messaging tools, and four antivirus products.
"Reading over the rules and looking at best practices in health care, the defense-in-depth approach looked to be the best for us to follow," said Jeff Pentz, the center's associate IT director. "We looked for products that would help us meet those goals but be relatively easy for us to manage."
The center, which services 105,000 patient visits annually, has a five-member IT staff that oversees more than 300 PCs and 24 servers. The UTM provides firewall, IPS, antivirus, and anti-spam capabilities plus VPN connectivity, and has a single interface to reduce management complexity. Additional antivirus technologies protect desktops, the email server, and a messaging system for secure external communications.
UHC enacted role-based access controls with the electronic health records system it rolled out over two years ago, and implemented policies that prohibit employees from storing protected health information on their local hard drives. Staff began receiving privacy and security training annually, and the center's disaster recovery plan was updated.
UHC hasn't had a specific HIPAA security audit, but it's been audited for security by the university's security office and also by the Board of Regents of the University System of Georgia, which has security requirements. Pentz said he feels confident in UHC's HIPAA compliance efforts, but adds that he and his staff are always looking out for any news of how HIPAA complaints are handled nationally.
Keeping the auditors happy
For Gundersen Lutheran Health System, an identity management system boosted HIPAA security compliance and impressed external auditors.
Before installing Novell Identity Manager and Novell eDirectory, managing user accounts was a time-consuming, manual chore, said Dawn Comeau-Johnson, technical systems administrator at Gundersen Lutheran. The health care system has medical practices, clinics, hospitals, nursing homes and other services in Wisconsin, Iowa and Minnesota and counts more than 9,000 network users, including employees, contractors and volunteers.
The manual process relied on information from managers about new users that sometimes contained name misspellings and incorrect access requirements. Now, all the user accounts are stored in Novell eDirectory and Novell Identity Manager automatically synchronizes user information with multiple applications, including Lawson human-resources software, Lotus Notes, and a badge system for physical security.
The system streamlines account management for new hires, terminations and job changes, ensuring that access levels are correct.
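As an added illustration (not Gundersen Lutheran's or Novell's code) of the joiner/mover/leaver reconciliation an HR-fed identity sync performs, the Python below compares a constructed HR roster against constructed directory accounts and emits the provisioning actions; the role-to-group policy, names and IDs are assumptions.

```python
# Hypothetical policy (assumption): directory groups each HR role is entitled to.
ROLE_GROUPS = {
    "nurse": {"ehr-clinical", "badge-clinical"},
    "billing": {"ehr-billing", "badge-admin"},
    "volunteer": {"badge-lobby"},
}

# Constructed HR roster: emp_id -> (name, role, status). HR is the authority.
HR = {
    "e1": ("Ana Ruiz", "nurse", "active"),
    "e2": ("Bo Lee", "billing", "active"),      # moved from nursing to billing
    "e3": ("Cy Park", "nurse", "terminated"),   # left, account still live
    "e4": ("Di Wu", "volunteer", "active"),     # new hire, no account yet
}

# Constructed directory state: emp_id -> (name, groups, enabled).
DIRECTORY = {
    "e1": ("Anna Ruiz", {"ehr-clinical", "badge-clinical"}, True),  # misspelled
    "e2": ("Bo Lee", {"ehr-clinical", "badge-admin"}, True),        # stale group
    "e3": ("Cy Park", {"ehr-clinical", "badge-clinical"}, True),
    "e9": ("Ed Kim", {"ehr-billing"}, True),                        # no HR record
}

def reconcile(hr, directory):
    """Return the actions that make the directory match the HR roster (example code)."""
    actions = []
    for emp_id, (name, role, status) in hr.items():
        acct = directory.get(emp_id)
        if status != "active":  # leaver: disable rather than delete (keeps audit trail)
            if acct and acct[2]:
                actions.append(("disable", emp_id))
            continue
        want = ROLE_GROUPS[role]
        if acct is None:  # joiner: provision only the groups the role entitles
            actions.append(("create", emp_id, frozenset(want)))
            continue
        cur_name, groups, _ = acct
        if cur_name != name:  # correct the misspellings a manual process lets in
            actions.append(("rename", emp_id, name))
        for g in sorted(groups - want):  # mover: strip entitlements of the old role
            actions.append(("remove_group", emp_id, g))
        for g in sorted(want - groups):
            actions.append(("add_group", emp_id, g))
    # Orphans: live accounts with no HR record are a classic post-termination gap.
    for emp_id, (_, _, enabled) in directory.items():
        if emp_id not in hr and enabled:
            actions.append(("disable", emp_id))
    return actions

ACTIONS = reconcile(HR, DIRECTORY)  # what one sync run would apply
```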
HIPAA security compliance has been a team effort at Gundersen Lutheran, Comeau-Johnson said. "Everyone realizes how secure things have to be. Not only does IS worry about security, but so does the rest of the population," she said.
Some would rather lag behind
But while many organizations take HIPAA's security requirements seriously, others lag when it comes to compliance. Pentz said he's heard of some organizations that would rather pay a penalty than invest in compliance.
And the lack of enforcement makes some security professionals question the overall effectiveness of the security rules. Joseph Granneman, CTO/CSO of Rockford Health System in Rockford, Ill., has called HIPAA a toothless law and suggested that a mix of enforcement and financial incentives would help.
"Not just the big stick but the big carrot approach might be a good idea," he said.
Gartner's Runyon believes there will be more HIPAA enforcement in the next few years. However, health care organizations have other reasons to implement security, including protection from breaches and inadvertent disclosures of protected health information that could lead to bad press and liability suits.
"Brand problems -- that's what you really have to worry about," he said.