Privacy & Security in Health Care IT


Upload: dhani-ahmad

Post on 21-Jul-2015


TRANSCRIPT

Page 1: HIPAA - Privacy & Security in Health Care IT

Transforming Lives. Inventing the Future. www.iit.edu

ILLINOIS INSTITUTE OF TECHNOLOGY

ITM 578 1

HIPAA - Privacy & Security in Health Care IT

Ray Trygstad
ITM 478/578 Spring 2004
Master of Information Technology & Management Program
Center for Professional Development

Page 2: Learning Objectives

Upon completion of this lesson the student should be able to:
– Discuss the information security implications of the Health Insurance Portability and Accountability Act (HIPAA)
– Discuss the information security impact of the HIPAA Privacy Rule
– Describe key components and implementation of the HIPAA Security Rule

Page 3: What is HIPAA?

Health Insurance Portability and Accountability Act (HIPAA)
– Signed into law August 1996

Part of this Act, Administrative Simplification, intends to reduce administrative costs and burdens in the health care industry

Requires the Department of Health and Human Services to adopt national uniform standards for electronic transmission of certain health information

Page 4: Who is Affected? (“covered entities”)

All healthcare organizations
All health care providers (even 1-physician offices)
Health plans
Employers
Public health authorities
Life insurers
Clearinghouses
Billing agencies
Information systems vendors
Service organizations
Universities with health care curricula or even just student health services
Anyone that transmits any health information in electronic form in connection with healthcare transactions

Page 5: Standards for Electronic Transactions

Standards for electronic health information transactions

Within 18 months the HHS Secretary is required to adopt standards from among those already approved by standards organizations for certain electronic health transactions, including:
– Claims
– Enrollment
– Eligibility
– Payment
– Coordination of benefits

Standards also must address security of electronic health information systems.

Page 6: (18 Months?)

It’s now been six years and standards are still not fully in place!

Will not go into full effect until 2005!

(Isn’t government wonderful?)

Page 7: More on the HIPAA Bill

Providers and health plans are required to use standards for specified electronic transactions 24 months after adoption

Plans and providers may comply directly or use a health care clearinghouse

HIPAA supersedes state laws except state laws that impose more stringent requirements

HIPAA imposes civil money penalties and prison for certain violations

Page 8: Penalties for Violations

Fines up to $25,000 for multiple violations of the same standard in a calendar year

Fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information

!!!

Page 9: HIPAA Privacy

HIPAA Privacy Rule went into effect in April 2003

Restricts how covered entities may use and disclose individually identifiable health information

Requires security for such data

Grants individuals certain rights to access and correct their personal health information

Page 10: HIPAA Privacy Requirements

HIPAA requires covered entities to:
– Have written privacy procedures, including
  • Description of staff granted access to protected information
  • How it will be used
  • When it may be disclosed
  • Business associates (including IT vendors!) with access to protected information must agree to the same limitations on use and disclosure of that information
– Train employees in privacy procedures
– Designate someone responsible for ensuring procedures are followed (the “HIPAA czar”)

Page 11: HIPAA Privacy Requirements

The Rule permits covered entities to disclose health information for specific public responsibilities:
– emergency circumstances
– identification of the body of a deceased person, or the cause of death
– public health needs
– research with limited data or research independently approved by a Review Board or privacy board
– oversight of the health care system
– judicial and administrative proceedings
– limited law enforcement activities
– activities related to national defense and security

Equivalent requirements exist for Government

Page 12: HIPAA Security Rule

First government-mandated framework for an information security policy covering non-governmental entities

Published in February 2003

Covered entities (CEs) must be in compliance by April 21, 2005

Portions of the Security Rule that implement the Privacy Rule were effective last April

Page 13: HIPAA Security Rule

Covered entities are required to observe Privacy Rule requirements with respect to all Patient Health Information (PHI) in any form, electronic or not, but the Security Rule only applies to PHI in electronic form

Page 14: Requirements of the HIPAA Security Rule

Maintain reasonable & appropriate administrative, technical and physical safeguards to
– Ensure the integrity and confidentiality of information
– Protect against
  • any reasonably anticipated threats or hazards to the security or integrity of the information
  • unauthorized uses or disclosures of the information, i.e. any reasonably anticipated uses or disclosures not permitted by the Privacy Rule
– Otherwise ensure compliance with this part by officers & employees

Page 15: Three Categories of Safeguards

The rule outlines 3 categories of safeguards to establish a minimum level of protection:
– Administrative safeguards
– Physical safeguards
– Technical safeguards

Page 16: Three Categories of Safeguards

Administrative safeguards: Ensure that formal policies for overseeing implementation and management of security measures are established and implemented

Physical safeguards: Ensure facilities where electronic information systems are stored are protected from intrusions and other hazards

Technical safeguards: Ensure only authorized access to electronic personal health information is permitted, through implementation of firewalls, passwords, and other measures

Page 17: Principles of the Security Rule

Scalability
– Any size healthcare entity must be able to comply with the rule

Comprehensiveness
– Meant to result in a unified system of protection for PHI
– CEs must use a defense in depth security approach

Technology neutral
– No specific technology recommendations (e.g., specific type of firewall, IDS, access control system).
– Each CE must choose appropriate technology to protect PHI.

Page 18: Principles of the Security Rule

Internal and external security threats
– Must protect PHI against both internal and external threats

Minimum standard
– Defines the least that CEs must do to protect PHI (they may choose to do more)

Risk analysis
– Requires CEs to conduct a thorough & accurate risk analysis that considers “all relevant losses” that would be expected if specific security measures are not in place
– “Relevant losses” include losses caused by unauthorized use and disclosure of data and unauthorized modification of data

Page 19: Security Rule Key Concepts

Principle based
– Presents a series of security best practices and principles with which CEs must comply
– Step by step checklists not provided

Reasonableness
– CEs must do everything appropriate to avert all reasonably anticipated risks to PHI
– CEs must balance resources and business requirements against risks to PHI

Full compliance
– All CE staff, including management and those working at home, must comply

Page 20: Security Rule Key Concepts

Developed from multiple security guidelines and standards
– Those creating the rule found no existing single security standard or best practice that described how to comprehensively protect PHI
– Therefore the rule is based on many different security guidelines, standards, and best practices

Documentation
– CEs must document a variety of security processes, policies, and procedures
– CEs must document Security Rule implementation decisions

Ongoing compliance
– CEs must regularly train employees
– CEs must revise security policies and procedures as needed

Page 21: Standards & Specifications

The Rule breaks down into 18 standards and 36 implementation specifications

A standard explains what a CE must do

An implementation specification explains how to do it

12 standards have associated implementation specifications; 6 do not

14 implementation specifications are required; 22 are addressable

Page 22: Requirements & Structure

Requirements (Physical, Administrative, Technical Safeguards)
– Standards
  • with Implementation Specifications (12)
  • without Implementation Specifications (6)
– Implementation Specifications
  • Required (14)
  • Addressable (22)

Source: Weil, Steven (2003). HIPAA Consensus Research Project. SANS Institute; http://www.sans.org/projects/hipaa.php

Page 23: Required and Addressable

Required specifications are, well, required and must be implemented

Addressable implementation specifications leave CEs with three possible choices
– Implement the specification if reasonable and appropriate
– Implement an alternative security measure to accomplish the purposes of the standard
– Implement nothing if the specification is not reasonable & appropriate and the standard can still be met

Page 24: Addressable Specification Choices

If the implementation specification is reasonable & appropriate, the CE must implement it

If the implementation specification is not reasonable & appropriate, but the standard cannot be met without an appropriate security measure, the CE must
– Document why it would not be reasonable & appropriate to implement
– Implement & document alternative security measure(s) that accomplish the same purpose

Page 25: Addressable Specification Choices

If the implementation specification is not reasonable & appropriate, but the standard can be met without an appropriate security measure, the CE must
– Document the decision not to implement
– Document why it would not be reasonable & appropriate to implement
– Document how the standard is being met

Page 26: Addressable Specification Choices

Factors to take into account when deciding how to respond to addressable specifications:
– Size, complexity, & capabilities of the organization
– Existing technical infrastructure, hardware, and software security capabilities
– Costs of security measures
– Likelihood & seriousness of potential risks to PHI

Page 27: Implementing HIPAA

Specifications can be implemented in any order, as long as standards are met by the deadline

May use any security measures allowing the CE to reasonably and appropriately implement the rule

Page 28: Breakdown of Specifications

Administrative Safeguards (55%)
– 12 Required, 11 Addressable

Physical Safeguards (24%)
– 4 Required, 6 Addressable

Technical Safeguards (21%)
– 4 Required, 5 Addressable

Page 29: Administrative Safeguards

Security management process
– Risk analysis (R)
– Risk management (R)
– Sanction policy (R)
– Information system activity review (R)

Assigned security responsibility
– One individual (not an organization) with responsibility (R)

Page 30: Risk Assessment / Analysis

Each CE must:
– Assess security risks
– Determine risk tolerance or risk aversion
– Devise, implement, and maintain appropriate security to address business requirements
  • Does not imply that organizations are given complete discretion to make their own rules
– Document security decisions

Page 31: Assigned Security Responsibility

Chief Information Security Officer (CISO) or Information Security Officer (ISO)

Large organizations may have site-security coordinators working with the CISO/ISO

Security standards extend to CE employees even if they work at home, as do many transcriptionists

Page 32: Administrative Safeguards

Workforce Security
– Authorization and/or supervision (A)
– Workforce clearance procedure (A)
– Termination procedures (A)

Information access management
– Minimum necessary rule

Page 33: Workforce Security

Authorization controls verify the identity of employees permitted to access PHI

Clearance procedure describes the types of background checks that will be conducted for employees

Termination procedures include collecting access control devices or changing door locks, etc.

Page 34: Administrative Safeguards

Security Awareness and Training
– Security Reminders (A)
– Protection from Malicious Software (A)
– Log-in Monitoring (A)
– Password Management (A)

Security Incident Procedures
– Response and Reporting (R)

Page 35: Administrative Safeguards

Contingency Plan
– Data Backup Plan (R)
– Disaster Recovery Plan (R)
– Emergency Mode Operation Plan (R)
– Testing and Revision Procedure (A)
– Applications and Data Criticality Analysis (A)

Page 36: Awareness & Training

“Security awareness training is a critical activity, regardless of an organization’s size.”

Training, Education and Awareness (TEA)
– Awareness training for all personnel (including management)
– Periodic security reminders
– User education concerning virus protection
– User education in the importance of monitoring login success or failure, and how to report discrepancies
– User education in password management

Page 37: Security Incident Procedures

Provides methods for users to report unusual security occurrences or breaches of patient confidentiality

Goals:
– Identify
– Contain
– Correct
– Prevent

Page 38: Administrative Safeguards

Evaluation
– Periodic review of technical controls and procedural review of the security program

Business Associate contracts
– Written Contract or Other Arrangement (R)
  • Identify business associates who receive or have access to PHI
  • Tie efforts with the Privacy initiative
  • Establish rules for vendor remote access

Page 39: Physical Safeguards

Facility Access Controls
– Contingency operations (A)
– Facility Security Plan (A)
– Access Control and Validation Procedures (A)
– Maintenance Records (A)

Workstation Use
– Includes portable devices

Page 40: Facility Access Control

Goal is to protect buildings, systems, and data media from natural and environmental hazards and unauthorized access or intrusions

Ensure records are kept of all maintenance, especially locksmith work

Page 41: Physical Safeguards

Workstation Security

Device and Media Controls
– Disposal (R)
– Media re-use (R)
– Accountability (A)
– Data backup and Storage (A)

Page 42: Workstation Use & Security

Both standards could be covered in one policy

Ensure workstation locations will not allow casual viewing by unauthorized personnel

Audit systems to ensure all PCs/laptops have the latest version of virus definitions installed

Page 43: Device & Media Controls

“Device” was included to address storage devices such as PDAs

Media re-use requires sanitization of media using DOD-style standards (overwriting an entire disk with ones and zeros repeatedly)
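The overwrite pattern the slide describes, worked through on a single file as an added example (not code from the lecture or from any HIPAA guidance): passes of all-zero and all-one bytes, followed here by a random pass, with a check afterwards that no slice of the original content survives. The pass sequence, the sample record and the file name are constructed for the demonstration and are not a quotation of any DoD standard.

```python
"""Overwrite-based sanitization of a file before media re-use.

Added example for the Device & Media Controls slide; not code from the
lecture or any HIPAA guidance. The pass sequence and the sample record
below are assumptions constructed for the demo.
"""
import os
import secrets
import tempfile

# One full pass per entry: all-zero bytes, all-one bytes, then random bytes.
PATTERNS = (b"\x00", b"\xff", None)  # None means cryptographically random data

# Constructed sample "record"; nothing here refers to a real person.
SAMPLE_RECORD = b"MRN-0001 | DOE, JANE | DOB 1950-01-01 | DX: sample constructed record\n"
COPIES = 200


def overwrite_file(path, passes=PATTERNS, chunk=1 << 16):
    """Overwrite `path` in place, one full pass per pattern.

    Returns the number of bytes written in each pass (the file size). Each
    pass is fsync'd so the data reaches the device, not only the page cache.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in passes:
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def original_gone(path, original, window=16):
    """True if no `window`-byte slice of `original` can still be found in the file."""
    with open(path, "rb") as fh:
        data = fh.read()
    if len(data) != len(original):
        return False
    return all(
        original[i:i + window] not in data
        for i in range(0, len(original) - window + 1, window)
    )


def demo():
    """Constructed scenario: write sample records to a temp file, sanitize, verify."""
    original = SAMPLE_RECORD * COPIES
    fd, path = tempfile.mkstemp(prefix="phi-sanitize-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(original)
    try:
        before = original_gone(path, original)   # False: content still present
        per_pass = overwrite_file(path)
        after = original_gone(path, original)    # True: nothing of it remains
        size_kept = os.path.getsize(path) == len(original)
    finally:
        os.remove(path)
    return {"before": before, "after": after,
            "bytes_per_pass": per_pass, "size_kept": size_kept}


if __name__ == "__main__":
    print(demo())
```

An in-place overwrite only reaches the blocks currently mapped to the file. On journaling or copy-on-write filesystems, on volumes with snapshots, and on flash media whose controller remaps writes, earlier copies of the data can survive, so the whole-disk overwrite the slide refers to (or a device-level sanitize command, or encryption at rest with key destruction) is what a practitioner uses for media leaving the organization; this block models the pattern, it does not replace that tooling.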

Page 44: Technical Safeguards

Access Control
– Unique user identification (R)
– Emergency access procedure (R)
– Automatic logoff (A)
– Encryption and decryption (A)

Audit Controls

Page 45: Technical Safeguards

Integrity
– Mechanism to Authenticate Electronic PHI (A)

Person or entity authentication

Transmission security
– Integrity controls (A)
– Encryption (A)

Page 46: Access Control

Unique user identification for accountability is critical for clinical applications
– Disallows use of Windows 98/ME (weak user identification & controls)

Automatic logoff permits an equivalent measure to restrict access (Password protected screen saver? XP user switching?)

Encryption serves as an access control method for data at rest

Page 47: Audit Controls

Risk assessment and analysis can be used to determine the necessary intensity of audit trails

Audit trail trigger events must be jointly determined by the data owners and the Privacy and Security Officers

Store audit logs on a separate server

Do not allow system administrator access to audit logs
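The Access Control slide (unique user IDs, emergency access, automatic logoff) and the Audit Controls slide (keep administrators away from the audit trail) fit together in one small model, given here as an added example rather than code from the lecture. Every access decision, granted or denied, goes into an audit log whose records are HMAC-chained under a key held by the Security Officer, so an administrator who can edit or delete the stored records cannot do so without the next verification failing. The user IDs, roles, patient IDs, idle timeout and key are constructed sample values.

```python
"""PHI access gate with an audit trail that administrators cannot silently edit.

Added example for the Access Control and Audit Controls slides; not code
from the lecture. User IDs, roles, patient IDs, the idle timeout and the
audit key are all constructed sample values.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed directory: every person has a unique ID (no shared logins) and
# the roles that define the minimum necessary access for their job.
ROLES = {
    "jsmith.rn": {"nurse"},
    "rlee.md": {"physician"},
    "tadmin": {"sysadmin"},   # keeps the servers running; no clinical role
}
# Which roles may perform which action on a patient record.
PERMITTED = {"read": {"nurse", "physician"}, "write": {"physician"}}
CLINICAL = PERMITTED["read"] | PERMITTED["write"]
IDLE_TIMEOUT = timedelta(minutes=15)   # automatic-logoff threshold (assumed value)
GENESIS = "0" * 64


class AuditLog:
    """Append-only audit trail; each record carries an HMAC chained to the
    previous one, so editing or deleting any record breaks every MAC after it.
    The key belongs to the Security Officer, not the sysadmins, which is what
    lets the log be checked independently of the people who run the servers."""

    def __init__(self, key):
        self._key = key
        self.records = []

    def _mac(self, prev, event):
        body = prev + json.dumps(event, sort_keys=True)
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def append(self, event):
        prev = self.records[-1]["mac"] if self.records else GENESIS
        record = {"prev": prev, "event": event, "mac": self._mac(prev, event)}
        self.records.append(record)
        return record

    def verify(self):
        """True only if every record still chains to its predecessor unchanged."""
        prev = GENESIS
        for record in self.records:
            if record["prev"] != prev:
                return False
            if not hmac.compare_digest(self._mac(prev, record["event"]), record["mac"]):
                return False
            prev = record["mac"]
        return True


def access_phi(log, user, patient_id, action, now, last_activity, emergency=False):
    """Decide whether `user` may perform `action` on `patient_id`'s record.

    Returns (allowed, reason). Every decision is logged; emergency
    ("break-glass") access is granted to any clinical role but flagged so the
    Privacy and Security Officers can review it afterwards.
    """
    roles = ROLES.get(user)
    if roles is None:
        decision = (False, "unknown user id")
    elif now - last_activity > IDLE_TIMEOUT:
        decision = (False, "session idle past automatic-logoff threshold")
    elif emergency and roles & CLINICAL:
        decision = (True, "emergency access granted; flagged for review")
    elif roles & PERMITTED.get(action, set()):
        decision = (True, "role permits action")
    else:
        decision = (False, "role does not permit action")
    log.append({"ts": now.isoformat(), "user": user, "patient": patient_id,
                "action": action, "emergency": emergency,
                "allowed": decision[0], "reason": decision[1]})
    return decision


def demo():
    """Constructed scenario: a few access decisions, then two kinds of log tampering."""
    log = AuditLog(b"constructed-security-officer-key")
    t0 = datetime(2004, 3, 1, 9, 0, tzinfo=timezone.utc)
    results = {
        "nurse_read": access_phi(log, "jsmith.rn", "MRN-0001", "read", t0, t0)[0],
        "nurse_write": access_phi(log, "jsmith.rn", "MRN-0001", "write", t0, t0)[0],
        "admin_read": access_phi(log, "tadmin", "MRN-0001", "read", t0, t0)[0],
        "breakglass": access_phi(log, "jsmith.rn", "MRN-0002", "write", t0, t0, emergency=True)[0],
        "idle_read": access_phi(log, "rlee.md", "MRN-0001", "read", t0 + timedelta(minutes=20), t0)[0],
        "chain_ok": log.verify(),
    }
    log.records[2]["event"]["allowed"] = True   # a denied attempt rewritten as granted
    results["chain_after_edit"] = log.verify()
    del log.records[2]                           # or the record removed outright
    results["chain_after_delete"] = log.verify()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Chaining gives tamper evidence, not tamper prevention: it tells the Security Officer that the copy on the application server no longer matches, which is why the slide still wants the logs shipped to a separate server the administrators of the clinical system cannot write to. The idle check stands in for the automatic-logoff specification; in a real deployment it would be enforced by the session layer rather than by each access call.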

Page 48: Transmission Security

“…When electronic protected health information is transmitted from one point to another, it must be protected in a manner commensurate with the associated risk.”

There is no simple, interoperable solution to encrypting e-mail containing PHI; hopefully HIPAA compliance will drive better solutions

Page 49: Organizational Requirements

Business Associate (BA) Agreements
– Contractual agreements required before BAs can access PHI
– BAs must follow HIPAA Business Associate rules (next slide)
– Applies to subcontractors of BAs as well

A CE may require a business associate to meet even higher security standards

Page 50: Rules for Business Associates

Implement safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of PHI they access on behalf of the CE

Ensure that anyone else to whom they provide PHI agrees to implement reasonable and appropriate safeguards

Report any security incident to the CE

Page 51: Rules for Business Associates

Make policies, procedures and required documentation relating to the safeguards available to HHS to determine CE compliance with the Security Rule

Authorize termination of the BA contract by the CE if the CE determines that the BA has violated a material term of the contract

Page 52: Policy & Procedure Documentation

Implement reasonable and appropriate policies and procedures

Documentation
– Retain documents for 6 years
– Make documents available
– Review and update documentation periodically

Page 53: Resources

Works used in the preparation of this lecture:

– Beaver, Kevin (2003). HIPAA Security Rule FAQ. Principle Logic. http://www.principlelogic.com/docs/HIPAA_Security_Rule_FAQ.pdf

– Birnbach, Deborah S. and Gametchu, Mayeti (2003). “How HIPAA's security rule could affect IT.” Computerworld, April 30, 2003. http://www.computerworld.com/securitytopics/security/story/0,10801,80816,00.html

– Higher Education Information Technology (HEIT) Alliance (undated). Privacy. http://www.heitalliance.org/issues/privacy.asp

– Hollander, Jay (2003). Medical Privacy: Understanding HIPAA's Security Rule. http://www.gigalaw.com/articles/2003-all/hollander-2003-04-all.html

– New Hampshire Developmental Disabilities Services System, Information Technology Initiatives (undated). HIPAA Overview. http://www.nhdds.org/nhddsit/HIPAA/overview.html

– Walsh, Tom (2001). Developing an Effective Information Security Training and Awareness Program. Healthcare Computing Strategies, Inc. http://www.himss.org/content/files/proceedings/2001/workshop/wslides/wksll.pdf

– Walsh, Tom (2003). HIPAA Security: Complying with the HIPAA Security Rule Implementation Specifications – Are you Correctly Addressing Them? (PowerPoint presentation). Tom Walsh Consulting LLC.

– Weil, Steven (2003). HIPAA Consensus Research Project. The SANS Institute. http://www.sans.org/projects/hipaa.php

Page 54: The End…

Questions?