Privacy & Security in Health Care IT
TRANSCRIPT
Transforming Lives. Inventing the Future. www.iit.edu
ILLINOIS INSTITUTE OF TECHNOLOGY
ITM 578 1

HIPAA - Privacy & Security in Health Care IT
Ray Trygstad
ITM 478/578 Spring 2004
Master of Information Technology & Management Program
Center for Professional Development

Learning Objectives
Upon completion of this lesson the student should be able to:
  – Discuss information security implications of the Health Insurance Portability and Accountability Act (HIPAA)
  – Discuss information security impact of the HIPAA Privacy Rule
  – Describe key components and implementation of the HIPAA Security Rule

What is HIPAA?
Health Insurance Portability and Accountability Act (HIPAA)
  – Signed into law August 1996
Part of this Act, Administrative Simplification, intends to reduce administrative costs and burdens in the health care industry
Requires Department of Health and Human Services to adopt national uniform standards for electronic transmission of certain health information

Who is Affected? (“covered entities”)
All healthcare organizations
All health care providers (even 1-physician offices)
Health plans
Employers
Public health authorities
Life insurers
Clearinghouses
Billing agencies
Information systems vendors
Service organizations
Universities with health care curricula or even just student health services
Anyone that transmits any health information in electronic form in connection with healthcare transactions

Standards for Electronic Transactions
Standards for electronic health information transactions
Within 18 months HHS Secretary required to adopt standards from among those already approved by standards organizations for certain electronic health transactions including:
  – Claims
  – Enrollment
  – Eligibility
  – Payment
  – Coordination of benefits
Standards also must address security of electronic health information systems.

(18 Months?)
It’s now been six years and standards are still not fully in place!
Will not go into full effect until 2005!
(Isn’t government wonderful?)

More on the HIPAA Bill
Providers and health plans required to use standards for specified electronic transactions 24 months after adoption
Plans and providers may comply directly or use a health care clearinghouse
HIPAA supersedes state laws except state laws that impose more stringent requirements
HIPAA imposes civil money penalties and prison for certain violations

Penalties for Violations
Fines up to $25,000 for multiple violations of the same standard in a calendar year
Fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information
!!!
HIPAA Privacy
HIPAA Privacy Rule went into effect in April 2003
Restricts how covered entities may use and disclose individually identifiable health information
Requires security for such data
Grants individuals certain rights to access and correct their personal health information

HIPAA Privacy Requirements
HIPAA requires covered entities to:
  – Have written privacy procedures, including
    • Description of staff granted access to protected information
    • How it will be used
    • When it may be disclosed
    • Business associates (including IT vendors!) with access to protected information must agree to same limitations on use and disclosure of that information
  – Train employees in privacy procedures
  – Designate someone responsible for ensuring procedures are followed (the “HIPAA czar”)

HIPAA Privacy Requirements
Rule permits covered entities to disclose health information for specific public responsibilities:
  – emergency circumstances
  – identification of the body of a deceased person, or the cause of death
  – public health needs
  – research with limited data or independently approved by a Review Board or privacy board
  – oversight of the health care system
  – judicial and administrative proceedings
  – limited law enforcement activities
  – activities related to national defense and security
Equivalent requirements exist for government

HIPAA Security Rule
First government-mandated framework for an information security policy covering non-governmental entities
Published in February 2003
Covered entities (CEs) must be in compliance April 21, 2005
Portions of Security Rule that implement the Privacy Rule were effective last April

HIPAA Security Rule
Covered entities required to observe Privacy Rule requirements with respect to all Patient Health Information (PHI) in any form, electronic or not, but the Security Rule only applies to PHI in electronic form

Requirements of HIPAA Security Rule
Maintain reasonable & appropriate administrative, technical and physical safeguards to
  – Ensure the integrity and confidentiality of information
  – Protect against
    • any reasonably anticipated threats or hazards to the security or integrity of the information
    • unauthorized uses or disclosures of the information, i.e. any reasonably anticipated uses or disclosures not permitted by Privacy Rule
  – Otherwise ensure compliance with this part by officers & employees

Three Categories of Safeguards
The rule outlines 3 categories of safeguards to establish a minimum level of protection:
  – Administrative safeguards
  – Physical safeguards
  – Technical safeguards

Three Categories of Safeguards
Administrative safeguards: Ensures that formal policies for overseeing implementation and management of security measures are established and implemented
Physical safeguards: Ensures facilities where electronic information systems are stored are protected from intrusions and other hazards
Technical safeguards: Ensures only authorized access to electronic personal health information is permitted, through implementation of firewalls, passwords, and other measures

Principles of the Security Rule
Scalability
  – Any size healthcare entity must be able to comply with the rule
Comprehensiveness
  – Meant to result in a unified system of protection for PHI
  – CEs must use a defense in depth security approach
Technology neutral
  – No specific technology recommendations (e.g., specific type of firewall, IDS, access control system)
  – Each CE must choose appropriate technology to protect PHI

Principles of the Security Rule
Internal and external security threats
  – Must protect PHI against both internal and external threats
Minimum standard
  – Defines the least that CEs must do to protect PHI (they may choose to do more)
Risk analysis
  – Requires CEs to conduct thorough & accurate risk analysis that considers “all relevant losses” that would be expected if specific security measures are not in place
  – “Relevant losses” include losses caused by unauthorized use and disclosure of data and unauthorized modification of data
Security Rule Key Concepts
Principle based
  – Presents a series of security best practices and principles with which CEs must comply
  – Step by step checklists not provided
Reasonableness
  – CEs must do everything appropriate to avert all reasonably anticipated risks to PHI
  – CEs must balance resources and business requirements against risks to PHI
Full compliance
  – All CE staff, including management and those working at home, must comply

Security Rule Key Concepts
Developed from multiple security guidelines and standards
  – Those creating the rule found no existing single security standard or best practice that described how to comprehensively protect PHI
  – Therefore the rule is based on many different security guidelines, standards, and best practices
Documentation
  – CEs must document a variety of security processes, policies, and procedures
  – CEs must document Security Rule implementation decisions
Ongoing compliance
  – CEs must regularly train employees
  – CEs must revise security policies and procedures as needed

Standards & Specifications
Rule breaks down into 18 standards and 36 implementation specifications
A standard explains what a CE must do
An implementation specification explains how to do it
12 standards have associated implementation specifications; 6 do not
14 implementation specifications are required; 22 are addressable

Requirements & Structure
Requirements (Physical, Administrative, Technical Safeguards)
  – Standards with Implementation Specifications (12)
    • Implementation Specifications: Required (14), Addressable (22)
  – Standards without Implementation Specifications (6)
Source: Weil, Steven HIPAA Consensus Research Project SANS Institute, 2003; http://www.sans.org/projects/hipaa.php

Required and Addressable
Required specifications are, well, required and must be implemented
Addressable implementation specifications leave CEs with three possible choices
  – Implement specification if reasonable and appropriate
  – Implement an alternative security measure to accomplish purposes of the standard
  – Implement nothing if specification is not reasonable & appropriate and the standard can still be met

Addressable Specification Choices
If implementation specification is reasonable & appropriate, CE must implement it
If implementation specification not reasonable & appropriate, but standards cannot be met without an appropriate security measure, CE must
  – Document why it would not be reasonable & appropriate to implement
  – Implement & document alternative security measure(s) that accomplishes the same purpose

Addressable Specification Choices
If implementation specifications not reasonable & appropriate, but standards can be met without an appropriate security measure, CE must
  – Document decision not to implement
  – Document why it would not be reasonable & appropriate to implement
  – Document how the standard is being met

Addressable Specification Choices
Factors to take into account when deciding how to respond to addressable specifications:
  – Size, complexity, & capabilities of the organization
  – Existing technical infrastructure, hardware, and software security capabilities
  – Costs of security measures
  – Likelihood & seriousness of potential risks to PHI

Implementing HIPAA
Specifications can be implemented in any order, as long as standards are met by the deadline
May use any security measures allowing the CE to reasonably and appropriately implement the rule

Breakdown of Specifications
Administrative Safeguards (55%)
  – 12 Required, 11 Addressable
Physical Safeguards (24%)
  – 4 Required, 6 Addressable
Technical Safeguards (21%)
  – 4 Required, 5 Addressable
Administrative Safeguards
Security management process
  – Risk analysis (R)
  – Risk management (R)
  – Sanction policy (R)
  – Information system activity review (R)
Assigned security responsibility
  – One individual (not an organization) with responsibility (R)

Risk Assessment / Analysis
Each CE must:
  – Assess security risks
  – Determine risk tolerance or risk aversion
  – Devise, implement, and maintain appropriate security to address business requirements
    • Does not imply that organizations are given complete discretion to make their own rules
  – Document security decisions

Assigned Security Responsibility
Chief Information Security Officer (CISO) or Information Security Officer (ISO)
Large organizations may have site-security coordinators working with CISO/ISO
Security standards extend to CE employees even if they work at home, as do many transcriptionists

Administrative Safeguards
Workforce Security
  – Authorization and/or supervision (A)
  – Workforce clearance procedure (A)
  – Termination procedures (A)
Information access management
  – Minimum necessary rule

Workforce Security
Authorization controls verify identity of employees permitted to access PHI
Clearance procedure describes types of background checks that will be conducted for employees
Termination procedures include collecting access control devices or changing door locks, etc.

Administrative Safeguards
Security Awareness and Training
  – Security Reminders (A)
  – Protection from Malicious Software (A)
  – Log-in Monitoring (A)
  – Password Management (A)
Security Incident Procedures
  – Response and Reporting (R)

Administrative Safeguards
Contingency Plan
  – Data Backup Plan (R)
  – Disaster Recovery Plan (R)
  – Emergency Mode Operation Plan (R)
  – Testing and Revision Procedure (A)
  – Applications and Data Criticality Analysis (A)

Awareness & Training
“Security awareness training is a critical activity, regardless of an organization’s size.”
Training, Education and Awareness (TEA)
  – Awareness training for all personnel (including management)
  – Periodic security reminders
  – User education concerning virus protection
  – User education in importance of monitoring login success or failure, and how to report discrepancies
  – User education in password management

Security Incident Procedures
Provides methods for users to report unusual security occurrences or breaches to patient confidentiality
Goals:
  – Identify
  – Contain
  – Correct
  – Prevent

Administrative Safeguards
Evaluation
  – Periodic review of technical controls and procedural review of the security program
Business Associate contracts
  – Written Contract or Other Arrangement (R)
    • Identify business associates who receive or have access to PHI
    • Tie efforts with Privacy initiative
    • Establish rules for vendor remote access

Physical Safeguards
Facility Access Controls
  – Contingency operations (A)
  – Facility Security Plan (A)
  – Access Control and Validation Procedures (A)
  – Maintenance Records (A)
Workstation Use
  – Includes portable devices

Facility Access Control
Goal is to protect buildings, systems, and data media from natural and environmental hazards and unauthorized access or intrusions
Ensure records are kept of all maintenance, especially locksmith work

Physical Safeguards
Workstation Security
Device and Media Controls
  – Disposal (R)
  – Media re-use (R)
  – Accountability (A)
  – Data backup and Storage (A)

Workstation Use & Security
Both standards could be covered in one policy
Ensure workstation locations will not allow casual viewing by unauthorized personnel
Audit systems to ensure all PCs/laptops have latest version of virus definitions installed

Device & Media Controls
“Device” was included to address storage devices such as PDAs
Media re-use requires sanitization of media using DOD-style standards (overwriting an entire disk with ones and zeros repeatedly)
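As an added example (mine, not part of the lecture), the multi-pass overwrite the slide describes, run against a temporary file that stands in for a decommissioned drive holding a constructed sample record; the pass sequence (zeros, ones, random, zeros) and the read-back verification are assumptions, not a quotation of any DOD standard.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 16  # 64 KiB per write; any size works, this keeps memory small


def _overwrite_pass(fd: int, size: int, pattern) -> None:
    """One full-length overwrite of the medium.  pattern is a byte value
    (0x00 = all zeros, 0xFF = all ones) or None for random bytes."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        buf = secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n
        remaining -= os.write(fd, buf)  # os.write may write fewer than n bytes
    os.fsync(fd)  # force this pass to stable storage before the next one


def sanitize(path: str, passes=(0x00, 0xFF, None, 0x00)) -> bool:
    """Overwrite the whole medium once per entry in `passes` (assumed
    sequence: zeros, ones, random, zeros), then read every byte back and
    confirm it equals the final fixed pattern.  True only if that holds."""
    final = passes[-1]
    if final is None:
        raise ValueError("last pass must be a fixed pattern so it can be verified")
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR)
    try:
        for pattern in passes:
            _overwrite_pass(fd, size, pattern)
        os.lseek(fd, 0, os.SEEK_SET)
        remaining = size
        while remaining:
            chunk = os.read(fd, min(CHUNK, remaining))
            if not chunk or chunk != bytes([final]) * len(chunk):
                return False
            remaining -= len(chunk)
        return True
    finally:
        os.close(fd)


def demo() -> bool:
    """Constructed sample: a 1 MiB temp file stands in for a drive that held
    a fictitious patient record.  True if sanitize() verified and the record
    text can no longer be found anywhere on the medium."""
    record = b"MRN 0000001 Doe, Jane DOB 1970-01-01 DX pending\n"  # constructed, not real PHI
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(record * 2000)
        f.truncate(1 << 20)
        path = f.name
    try:
        verified = sanitize(path)
        with open(path, "rb") as f:
            still_present = b"Doe, Jane" in f.read()
        return verified and not still_present
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("sanitized and verified:", demo())
```

Overwriting is a magnetic-media technique: flash and SSD wear levelling can leave copies of blocks the overwrite never reaches, so such devices need the drive's own secure-erase or cryptographic-erase command instead.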
Technical Safeguards
Access Control
  – Unique user identification (R)
  – Emergency access procedure (R)
  – Automatic logoff (A)
  – Encryption and decryption (A)
Audit Controls

Technical Safeguards
Integrity
  – Mechanism to Authenticate Electronic PHI (A)
Person or entity authentication
Transmission security
  – Integrity controls (A)
  – Encryption (A)

Access Control
Unique user identification for accountability is critical for clinical applications
  – Disallows use of Windows 98/ME (weak user identification & controls)
Automatic logoff permits an equivalent measure to restrict access (Password protected screen saver? XP user switching?)
Encryption serves as an access control method for data at rest

Audit Controls
Risk assessment and analysis can be used to determine necessary intensity of audit trails
Audit trail trigger events must be jointly determined by the data owners and the Privacy and Security Officers
Store audit logs on a separate server
Do not allow system administrator access to audit logs
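An added example (mine, not from the lecture) of one way to make the "separate server, no administrator access" rule enforceable: each audit record is chained with an HMAC under a key that lives only on the audit server, so a privileged user editing or deleting records in the application host's copy is detected when the audit server verifies the chain. AUDIT_KEY, the event fields and the sample events are all constructed.

```python
import hashlib
import hmac
import json

# Constructed example key.  In a deployment this key is held only on the
# separate audit server (or by the Security Officer), never on audited hosts.
AUDIT_KEY = b"example-key-held-by-audit-server-only"
GENESIS = b"\x00" * 32  # "previous tag" for the very first record


def _canonical(event: dict) -> bytes:
    """Stable serialization so the same event always yields the same bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, event: dict, key: bytes = AUDIT_KEY) -> dict:
    """Append one record whose tag covers the previous tag as well as the
    event, so altering, deleting or reordering earlier records breaks every
    later tag."""
    prev = bytes.fromhex(chain[-1]["tag"]) if chain else GENESIS
    tag = hmac.new(key, prev + _canonical(event), hashlib.sha256).hexdigest()
    record = {"event": event, "tag": tag}
    chain.append(record)
    return record


def verify_chain(chain: list, key: bytes = AUDIT_KEY):
    """Return None if every record is intact, else the index of the first
    record whose tag no longer matches."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = hmac.new(key, prev + _canonical(rec["event"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return i
        prev = bytes.fromhex(rec["tag"])
    return None


# Constructed trigger events of the kind the lecture says data owners and the
# Privacy/Security Officers agree on (record views, exports, failed logins).
SAMPLE_EVENTS = [
    {"ts": "2004-03-01T08:02:11", "user": "rn_smith", "action": "view", "mrn": "0000001"},
    {"ts": "2004-03-01T08:05:40", "user": "sysadmin1", "action": "export", "mrn": "0000001"},
    {"ts": "2004-03-01T08:06:02", "user": "sysadmin1", "action": "login_failed"},
]


def build_sample_chain() -> list:
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    return chain


def tampered_index():
    """A privileged user on the application host rewrites the local copy to
    hide an export; the audit server's verification pinpoints the record."""
    chain = build_sample_chain()
    chain[1]["event"]["action"] = "view"
    return verify_chain(chain)


def deleted_index():
    """Deleting a record in the middle is caught at the record that followed it."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)
```

Verification has to run where the key is, on the audit server; a host that holds only the chain can read it but cannot re-tag it after changes.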
Transmission Security
“…When electronic protected health information is transmitted from one point to another, it must be protected in a manner commensurate with the associated risk.”
There is no simple, interoperable solution to encrypting e-mail containing PHI; hopefully HIPAA compliance will drive better solutions

Organizational Requirements
Business Associate (BA) Agreements
  – Contractual agreements required before BAs can access PHI
  – BAs must follow HIPAA Business Associate rules (next slide)
  – Applies to subcontractors of BAs as well
A CE may require a business associate to meet even higher security standards

Rules for Business Associates
Implement safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of PHI they access on behalf of the CE
Ensure that anyone else to whom they provide PHI agrees to implement reasonable and appropriate safeguards
Report any security incident to the CE

Rules for Business Associates
Make policies, procedures and required documentation relating to the safeguards available to HHS to determine CE compliance with the security rule
Authorize termination of the BA contract by the CE if the CE determines that the BA has violated a material term of the contract

Policy & Procedure Documentation
Implement reasonable and appropriate policies and procedures
Documentation
  – Retain documents for 6 years
  – Make documents available
  – Review and update documentation periodically

Resources
Works used in the preparation of this lecture:
  – Beaver, Kevin (2003) HIPAA Security Rule FAQ. Principle Logic. http://www.principlelogic.com/docs/HIPAA_Security_Rule_FAQ.pdf
  – Birnbach, Deborah S. and Gametchu, Mayeti (2003) “How HIPAA's security rule could affect IT.” Computerworld, April 30, 2003. http://www.computerworld.com/securitytopics/security/story/0,10801,80816,00.html
  – Higher Education Information Technology (HEIT) Alliance (undated) Privacy. http://www.heitalliance.org/issues/privacy.asp
  – Hollander, Jay (2003) Medical Privacy: Understanding HIPAA's Security Rule. http://www.gigalaw.com/articles/2003-all/hollander-2003-04-all.html
  – New Hampshire Developmental Disabilities Services System, Information Technology Initiatives (undated) HIPAA Overview. http://www.nhdds.org/nhddsit/HIPAA/overview.html
  – Walsh, Tom (2001) Developing an Effective Information Security Training and Awareness Program. Healthcare Computing Strategies, Inc. http://www.himss.org/content/files/proceedings/2001/workshop/wslides/wksll.pdf
  – Walsh, Tom (2003) HIPAA Security: Complying with the HIPAA Security Rule Implementation Specifications – Are you Correctly Addressing Them? (PowerPoint presentation) Tom Walsh Consulting LLC
  – Weil, Steven (2003) HIPAA Consensus Research Project. The SANS Institute. http://www.sans.org/projects/hipaa.php

The End…
Questions?