HIPAA changes force healthcare to improve data flow

By Eric Ogren
02 Mar 2009 | SearchSecurity.com


The recent U.S. stimulus bill includes $18 billion to catapult the health industry toward the world of electronic health records. This is sure to light a fire under every hungry security vendor to position itself as the essential product or service necessary to achieve HIPAA compliance. It should also motivate healthcare IT professionals to learn where their sensitive data is located and how it flows. To be sure, with federal money allocated through 2014 for the task of modernizing the healthcare industry there will be many consultant and vendor businesses that will thrive on stimulus money.

Healthcare is unique in that storage of electronic health records is highly distributed among primary care physicians, specialist doctors, hospitals, and insurance/HMO organizations. Information has to be shared efficiently among these entities with great sensitivity towards patient privacy and legitimate claims processing. Patients want to prevent overzealous employers from performing unauthorized background checks on their medical history; claim processors want to avoid paying fraudulent claims that arise from targeted patient identity theft. The bill has two provisions that turn this into a tremendously challenging plan, and a daunting task for securing patient data:

  • Citizens will have the right to monitor and control use of their own health data. This implies a large centralized identity and access control service, or perhaps a federated network of patient registration directories. Authenticated users will be able to reach into the network of health databases to audit use of their data and their payment history.
  • Health organizations suffering loss of more than 500 patient records must publicly disclose the breach, starting with postings on the government's Health and Human Services website. This allows related organizations to trace the impact of the breach throughout the healthcare network, but care must be taken not to disclose vulnerabilities in the system to intruders.

These provisions alone may cause massive re-architecting of how the healthcare industry manages personal health data. Healthcare organizations need to share confidential patient data when necessary, erase copies of that data and expire access privileges when that need passes, and audit the entire process for intrusions and fraudulent activity. While healthcare organizations should take the long view when planning major projects, HIPAA expenditures can be focused to enhance this effort:

  • Build real-time intelligence on the electronic flow of patient data. It is crucial to build actionable intelligence on traffic behavior -- source, destination, data, volume -- for healthcare protocols such as Health Level 7 (HL7), X12, and even DICOM. Understanding the ebb and flow of health traffic lets security teams focus on removing inappropriate connections, and will make it easier to evolve electronic health record handling. Network performance products that act on flow data, or DLP products that perform application-level inspection, can help.
  • Minimize distribution of data; maximize view-only access. Challenge the need for affiliated organizations to retain copies of electronic health records. Those copies can only become unnecessary security risks in the future. Use virtualization for display-only access that keeps single copies of sensitive data in the protected data center, or be sure to scrub temporary buffers and files when terminating SSL sessions.
  • Study how the credit card industry detects fraudulent transactions. An increase in electronic traffic of health records will surely lead to an increase in fraudulent payments. The credit card industry can teach healthcare how to rapidly detect and trace stolen identities, rogue organizations, and bogus transactions from financially motivated attackers.
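As an added illustration of the first recommendation (this is example code, not part of the original column), the Python sketch below extracts source, destination and message type from HL7 v2 message headers, tallies traffic per logical connection, and flags exchanges that are not on a documented allowlist. The facility names, messages and allowlist are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Hl7Flow:
    """One logical HL7 connection: who sent what kind of message to whom."""
    sending_app: str
    sending_facility: str
    receiving_app: str
    receiving_facility: str
    message_type: str  # MSH-9, e.g. "ADT^A01" (admit) or "ORU^R01" (lab result)


def parse_msh(message: str) -> Hl7Flow:
    """Extract flow metadata from the MSH header segment of an HL7 v2 message.

    The field separator is the character right after 'MSH' (MSH-1), so it is
    read from the message itself rather than assumed to be '|'.
    """
    msh = message.split("\r", 1)[0]  # HL7 v2 segments are CR-terminated
    if not msh.startswith("MSH") or len(msh) < 4:
        raise ValueError("not an HL7 v2 message (missing MSH segment)")
    sep = msh[3]
    f = msh.split(sep)  # f[0]="MSH", f[1]=encoding chars, f[2]=MSH-3, ...
    if len(f) < 9:
        raise ValueError("MSH segment too short")
    return Hl7Flow(f[2], f[3], f[4], f[5], f[8])


def summarize_flows(messages):
    """Count messages per flow (source, destination, data type)."""
    return Counter(parse_msh(m) for m in messages)


def unexpected_flows(flows, allowed):
    """Return flows whose (sending facility, receiving facility, message class)
    is not on the allowlist of documented, legitimate data exchanges."""
    return {f: n for f, n in flows.items()
            if (f.sending_facility, f.receiving_facility,
                f.message_type.split("^")[0]) not in allowed}


# Constructed sample traffic (no real PHI): two admits from a hospital to its
# HMO, and a lab result leaving for a facility nobody has documented.
SAMPLE = [
    "MSH|^~\\&|ADT1|GENHOSP|CLAIMS|ACMEHMO|20090302101500||ADT^A01|0001|P|2.5\rPID|1||12345^^^GENHOSP^MR||DOE^JOHN",
    "MSH|^~\\&|ADT1|GENHOSP|CLAIMS|ACMEHMO|20090302101800||ADT^A01|0002|P|2.5\rPID|1||12346^^^GENHOSP^MR||ROE^JANE",
    "MSH|^~\\&|LAB|GENHOSP|ARCHIVE|OFFSITE9|20090302102200||ORU^R01|0003|P|2.5\rPID|1||12347^^^GENHOSP^MR||POE^JIM",
]
ALLOWED = {("GENHOSP", "ACMEHMO", "ADT"), ("GENHOSP", "GENHOSP", "ORU")}
```

Running `unexpected_flows(summarize_flows(SAMPLE), ALLOWED)` returns only the ORU result flowing to OFFSITE9, the kind of connection the column suggests challenging.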

The changes in healthcare and HIPAA regulations will create daunting security challenges for the industry. While I am not convinced that the federal government can or should tell any industry how to protect electronic data, the reality is that they are. Healthcare security teams should move with a sense of urgency to fully understand information flows so they can reduce the number of data repositories, communication lines, and individuals that must be secured.


Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.
