The bad news is that the government still hasn't issued the final version of the rules, leaving healthcare companies to figure out exactly which mix of security products and practices will provide the "reasonable safeguards" called for under HIPAA, the Health Insurance Portability and Accountability Act. And even when off-the-shelf technology does the trick, healthcare companies still need to do the hard work of changing business processes and attitudes to safeguard how patient information is stored, transmitted and shared.
Although healthcare companies must comply by April 14, 2003, the government hasn't released the final version of the security rules underlying the HIPAA requirements that only the proper people see patient data. "The industry is faced with trying to implement privacy without a security rule to back it up," says William Braithwaite, national director of HIPAA Advisory Services for PricewaterhouseCoopers in Washington, D.C.
Even when the final rule is released, it will contain a list of requirements (such as providing "unique user identification") but won't tell companies specifically how to meet those requirements. User identification, for example, could be done with just a user ID and password, says Braithwaite, or if
Encryption is "the most important technology people are employing to protect patient data," says Fred Langston, principal consultant with Guardent Inc, a Waltham, Mass.-based managed security services firm. For smaller organizations such as doctors' offices, encrypted e-mail is easy to use and deploy on remote computers such as those in a doctor's home, he says. Low-cost or even free e-mail encryption tools based on the PGP (Pretty Good Privacy) protocol is easily available over the Web. Larger organizations may opt for VPNs that encrypt all data moving over the network, or SSL encryption running on a Web server.
Langston is also seeing healthcare companies using role-based access control systems such as Oblix Inc.'s NetPoint and Netegrity Inc.'s SiteMinder, which he calls "probably the most mature offerings" at this point. Companies with large concentrations of Microsoft applications can use Active Directory as the basis for such role-based access, he says, but that's less feasible for organizations that also run other platforms such as Digital Equipment Corp. VAX or Unix servers. "We had a few people ask us to help them tie this stuff together," he says. "The only way we found to do this is to cobble things together with hand-coding."
Other tools that can be used in HIPAA compliance include File-Aid/Data Solutions from Compuware Corp., which can randomly change names or dates in actual patient records to provide test data that can safely be used by contract programmers or in test systems. Healthcare IT consultant HospITech Solutions and software provider Managed Care Solutions offer HIPAAKey, a Web-based tool for determining an organization's HIPAA compliance and what further steps it needs to take.
Neither Langston nor Braithwaite are seeing much adoption of biometric security, which Braithwaite says some vendors are falsely claiming is required by HIPAA. Langston sees more potential in smart cards, which he says can provide not only a user's authentication credentials but also the digital certificates they need to encrypt and decrypt data.
The biggest challenges lie not in technology, but in convincing both management and users (such as doctors) that they need to pay more attention to data security, says Langston. Cost used to be the main objection to beefing up security, he says, but now the focus has shifted to ease of use. Users "are going to want to fight you all the way when you say 'You have to carry this security token; or you have to log in twice'" to reach certain data. Guardent tries to overcome such objections with security awareness and training programs for both top management and for network administrators and IT staff.
"It's my belief that most environments will not have to implement any new technology whatsoever to meet the requirements in the (final) security rule," says Braithwaite. But healthcare companies "have to think, for a change, about all the different aspects of security in their environments, and make reasoned, documented decisions" about how much security they need to -- and can afford to -- provide for patient data.
About the author
Robert L. Scheier writes frequently about security from Boylston, Mass. He can be reached at firstname.lastname@example.org
This was first published in December 2002