In March 2007, the U.S. Department of Health and Human Services audited the information security practices of Atlanta's Piedmont Hospital to determine whether the facility met HIPAA requirements. The audit revealed several areas in which the hospital failed to comply. That was just the beginning; recent HIPAA-related fines imposed on Providence Health & Services and CVS Caremark Corp. have caused many organizations, hospitals, healthcare clearinghouses and business associates to take HIPAA compliance more seriously.
However, for a great many of these organizations, whose main business is health care and not information technology, building a set of processes and systems that enable the business to meet the requirements of the Health Insurance Portability and Accountability Act can be a challenge. This tip discusses the important organizational and technical steps health care companies can take to achieve compliance.
The importance of data governance
The difficulty most organizations have in complying with HIPAA results from the lack of well thought-out IT governance. In other words, many companies do not establish clear organizational responsibility for ensuring the security of protected health information. The regulation requires that an individual be assigned responsibility for HIPAA compliance. Furthermore, NIST's guidance on the subject suggests that this individual be authorized to establish controls and accept business risk. This means that management must have ownership of both the sensitive information and the policies defined to protect it. Once a clear business owner is established, HIPAA compliance requires coordination of a cross-disciplinary group, including business and technical management, legal departments and human resources, to ensure that the policies are defined appropriately, implemented correctly, disseminated to employees and enforced. While technology plays a significant role in compliance, organization and governance can either support or undermine the best technical controls.
Transparency and accountability
HIPAA, like all regulations, requires transparency, and all activities associated with the regulated data and systems are subject to an audit. By establishing the appropriate policies and organizational structure, companies can put the controls and the associated checks and balances in place to comply. Simply put, the overall goal is to ensure that electronic protected health information (EPHI) is:
- Only accessible to those who have a business need
- Stored and processed on systems that are strictly controlled and backed up
- Monitored during all access
- Only moved to authorized locations and is encrypted in storage and while transmitted on unprotected networks
The requirements above reflect four security principles, respectively: identity and access management; system and environment configuration; monitoring; and information flow control and encryption. These practices are central to HIPAA compliance and give rise to many critical process and technical controls, including network configuration, data loss detection and backup. The key point to remember is that each of these elements of compliance is part organizational process and part technology. Technology, by itself, cannot succeed. Let's take a closer look:
Identity management and access controls
Access control is a good example of the need for both process and technology. The organizational process requires that information owners, custodians and supervisors be involved in approving access to EPHI. While there is no explicit requirement for a technological remedy to this problem, many organizations address the need by deploying identity and access management tools. Without such technological help, it is difficult to maintain the discipline necessary (and the records of requests and approvals) to ensure that only appropriate users have access. These systems can also automate account and privilege recertification, a requirement in HIPAA and many other regulations.
Conversely, lack of discipline and formality in access management is one of the most common reasons for compliance failures. Interestingly, even if there is no inappropriate access allowed, the lack of formality in and of itself is a compliance violation.
System and environment configuration controls
Systems that store protected data must follow strict configuration guidelines. The underlying principle in controlling configuration is the need to know the state of the critical systems in the regulated environment at any time. This involves more than just monitoring; it requires control. The requirement for tight systems control suggests that an organization should isolate each of them, configure them strictly for their purpose, maintain strict vulnerability controls and software version controls, and ensure that the systems are administered securely.
There are several organizational and design processes involved in achieving these goals. First, the organization must establish responsibility for managing the systems and networks. Second, the organization should establish a clear demarcation separating systems containing EPHI from those that do not. This isolation reduces the number of systems to tightly manage, cuts down on the monitoring burden, and demonstrates good practices to an auditor. Third, the organization needs to establish strong vulnerability management practices for the environment.
Once the organizational processes are in place, technology can be a real boon. Firewalls can establish boundaries, vulnerability management systems can track operating system and application versions and help to deploy fixes, while change control systems can keep tabs on all the administrative activities affecting the regulated environment.
An important part of maintaining control over PHI is knowing who has had access to the information. HIPAA requires that all access to protected information be monitored. This means that systems and applications that provide the access need to be instrumented to capture access events. Further, an organization needs to look at its captured log information regularly.
Here again, establishing that someone is responsible for monitoring and log review is of primary importance; deploying technology is secondary. The one additional requirement is that the responsible party be separate from those entrusted to use or manage the systems. One need only look at the failures in compliance to understand why monitoring is so important. Many organizations look at logs only as a forensic tool, inspecting them solely after a suspected breach has occurred. This approach does not meet the intent of the security rule. The goal should be to know, at any time, who exercised the privilege to access sensitive data.
While smaller organizations may be able to manage log and event review with manual processes, event correlation and consolidation tools can help facilitate this difficult job tremendously. They can combine events from multiple systems, applications and environments, enabling the enterprise to concentrate on critical activities that might otherwise be lost in the noise.
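A reduced version of the consolidation and review described above, as an added example (not from the article) that also checks events against the access-approval records discussed under identity management: the two log formats, user names and approval register are constructed, and the business-hours window is an assumed reviewer policy.

```python
"""Consolidated review of EPHI access events from two sources (added example;
log formats, user names and the approval register are all constructed)."""
import re
from collections import defaultdict

# Constructed sample logs: an EHR application log and a database audit log.
EHR_LOG = """\
2009-03-02T09:14:05 user=jsmith action=VIEW record=PT-1042
2009-03-02T09:20:11 user=rlee action=EXPORT record=PT-1042
2009-03-02T22:47:30 user=jsmith action=VIEW record=PT-2210
"""
DB_AUDIT = """\
2009-03-02 09:15:02|dbadmin|SELECT|patients|PT-1042
2009-03-02 09:21:00|rlee|SELECT|patients|PT-2210
"""
# Constructed register: actions the information owner has approved per user.
APPROVED = {"jsmith": {"VIEW"}, "rlee": {"VIEW"}, "dbadmin": {"VIEW"}}
EHR_RE = re.compile(r"(\S+) user=(\S+) action=(\S+) record=(\S+)")
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59; assumed reviewer policy

def parse_ehr(text):
    """Normalize EHR lines to (timestamp, user, action, record, source)."""
    matches = (EHR_RE.match(line) for line in text.splitlines())
    return [(m.group(1), m.group(2), m.group(3), m.group(4), "ehr")
            for m in matches if m]

def parse_db(text):
    """Normalize DB audit lines; a SELECT on patient data counts as a VIEW."""
    out = []
    for line in text.splitlines():
        ts, user, stmt, _table, rec = line.split("|")
        action = "VIEW" if stmt == "SELECT" else stmt
        out.append((ts.replace(" ", "T"), user, action, rec, "db"))
    return out

def review(events, approved):
    """Return (unapproved, after_hours, history): accesses outside the
    approval register, accesses outside business hours, and a per-user
    access history across all sources, so the reviewer can answer
    'who touched which record, and when' at any time."""
    unapproved = [e for e in events if e[2] not in approved.get(e[1], set())]
    after_hours = [e for e in events if int(e[0][11:13]) not in BUSINESS_HOURS]
    history = defaultdict(list)
    for ts, user, action, rec, src in sorted(events):
        history[user].append((ts, action, rec, src))
    return unapproved, after_hours, dict(history)

def run():
    """Consolidate both sources and produce the review findings."""
    return review(parse_ehr(EHR_LOG) + parse_db(DB_AUDIT), APPROVED)
```

The export by a user approved only to view, and the late-night access, are the two items a reviewer who is independent of the system administrators would follow up on.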
Information flow control and encryption
The fourth element of compliance described above involves ensuring that protected information only moves to safe locations, and only moves when authorized. It is just as critical for the data to be protected in motion and at rest.
Of course, there must be assigned responsibilities for controlling the data and a process for authorizing its movement. HIPAA also requires deployment and administration of a variety of technologies.
Organizations should assemble a data catalog detailing the type, sensitivity and assigned owner of all protected information. Processes should also be defined to track where information moves. These procedures can aid in identifying when encryption will be necessary and provide guidance on employing technologies where appropriate. Technologies like data loss prevention (DLP) can catch information with a defined signature if it moves over the network to an unauthorized location. DLP tools can also help catch when data has been copied to unapproved devices like thumb drives. Encryption products can help meet the requirement for encrypting data in storage and also ease key management.
Achieving HIPAA compliance is no easy task. Keeping in mind the fundamental elements of compliance, however, can make the goals understandable and help your organization meet the challenge more effectively. Remember to establish the organizational processes first and then employ technology to facilitate them. You can refine both your processes and your technology practices as you go, but be sure that your organization is clear on who's responsible, what needs to be protected, and how it needs to be protected.
Richard Mackey has advised leading Wall Street firms on security architecture, VPNs, enterprise wide authentication, and intrusion detection. Prior to joining the consultancy SystemExperts, he was the director of collaborative development for The Open Group. Mackey is an original member of the DCE Request for Technology technical evaluation team and was responsible for the architecture of the Distributed Computing Environment Releases 1.1 and 1.2. Mackey has been a frequent speaker at major conferences and has taught tutorials on developing secure distributed applications.
This was first published in March 2009