The Road to HIPAA Security Rule Compliance

The topic of information security gets a lot of attention but can be difficult to address seriously in any organization. Developing and maintaining an effective information security system can be a challenge. However, if you understand what information security is, how others have succeeded with it and exactly what a regulation requires, you have a much greater chance of success.

The Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is designed to provide greater confidentiality, integrity and authorized availability of protected electronic health information through the implementation of reasonable and appropriate administrative, physical and technical safeguards. In other words, patient information needs to be safe. This article provides insight on the overall importance of the HIPAA Security Rule and outlines issues you should consider when planning a compliance strategy for your organization.

The Objective of Information Security
Information security is fundamentally about handling information appropriately. What constitutes "appropriate" handling can vary wildly, depending upon the type of information and the information owner's concept of appropriate level of risk.

Before we can understand what "appropriate level of risk" means to information, we need to step back and look at how we use information in our organizations. Everyone in the organization-whether a member of the board of directors, a security team manager or an administrative assistant-should understand the objective of the organization. The best way to achieve this organization-wide understanding is to define and publish a mission statement that is clear and easy to understand.

A hospital that provides palliative care may have a mission statement that reads, "To provide quality care for patients with advanced cancer and their families throughout the illness and during bereavement."

This simple statement means a lot of things. Providing quality care for patients and families requires that caregivers receive a great deal of support. Consider the information that needs to be managed in connection with providing such care-everything from precise diagnosis to treatment history, pre-existing conditions and current medications. Information is also required to handle billing and interactions with payers. Still other information is critical to effectively communicate with the patient's family.

Information technology, which includes paper-based management systems as well as more sophisticated electronic systems, makes it possible for physicians, nurses and administrative staff to access and update patient records quickly and accurately. The organization cannot accomplish its mission unless it takes these actions. This is where information systems, in affording greater access, provide a return on investment to the organizations that purchase them. Are there any actions that would prevent the organization from accomplishing its mission? Consider the following three examples:

  • What if a system designed to provide billing information to a third-party payer (such as an insurance company) revealed the information incorrectly, perhaps making it available to any Internet user who happened to look in the right place? Would the hospital be able to state that it provides quality care, or would it be giving patients and families more to worry about?
  • Imagine a system that, when asked to retrieve allergy information for one patient, displays information about another patient. How would that affect treatment? Would it result in quality care?
  • What if a physician could not access a patient's medical records at a critical moment, when a decision must be made on whether to administer a particular type of treatment? If the physician must guess whether similar procedures have worked for the patient in the past, what kind of care would the patient receive?

Each of these examples highlights one of three aspects of information security: confidentiality, integrity and availability. While there are other information security principles, these are the three pillars of information security, particularly as it pertains to the requirements of the HIPAA Security Rule. Understanding this is helpful because it allows us to demonstrate to our organizations that HIPAA security is not just busywork that provides no value. Rather, healthcare organizations simply cannot achieve their missions without proper management of the information in their care.

Understanding Risk
Often when people discuss security, they jump straight to safeguards, or controls, as they're often called, like locks for doors, firewalls and anti-virus software. But before we can start throwing money at equipment to reduce risk, we need to comprehend the concept of risk.

In order to understand what kind of safeguard to deploy, we need to recognize that our problems begin with a threat agent, which gives rise to a threat, which exploits a vulnerability, which leads to risk, which damages an asset, causing an exposure, which can be mitigated with a safeguard.

To ensure that we understand not just how these elements relate to one another, but also what each is, let's consider them in more detail.

A threat agent is the source of a particular threat. A threat agent could be a malicious software (malware) author, a disgruntled employee or an angry former patient whose insurance claim was rejected.

A threat is an action, something that the threat agent would do. Examples include launching a malware attack, downloading sensitive information so it can be exposed maliciously and making a fraudulent entry in an accounts receivable file.

Vulnerability is the condition that allows the threat to take place. Vulnerabilities include programs that allow e-mail attachments to install software without the user's knowledge or consent, user accounts that provide access to sensitive information, and holes in the firewall that provide external access to a system that can modify accounts receivable. Risk is the potential loss realized by a vulnerability being exploited. Note this carefully: Without an asset that can be lost, there is no risk.

An asset is what comes under threat, something that can be damaged or lost if a vulnerability is exploited. Software systems that manage information, reputation and brand image, and accounting information are examples of assets.

Exposure is the amount of the asset that would be lost if a vulnerability were exploited. For example, a software system that would be destroyed and require fresh reinstallation, reconfiguration, and reloading of data-a procedure that costs $50,000-would have a $50,000 exposure. A brand damaged by bad publicity would be exposed to loss in potential revenue from customers who send their business elsewhere, as well as the cost of the public relations campaign that attempts to restore confidence in the brand. A safeguard is the mechanism, whether administrative, physical or technical, employed to mitigate the exposure. In many cases, a safeguard is technical, such as a patch that will close the vulnerability in a piece of software. In other cases, it is administrative; you may decide to separate information into relatively small compartments and provide access only to those who need access to that compartment. It may be physical: keeping accounting systems physically disconnected from Internet-reachable hosts.

Now that we realize the need to understand risk in order to make intelligent decisions on safeguards and the role of vulnerability and threat in risk, we can proceed to the requirements of the HIPAA Security Rule.

Security Rule Overview
The HIPAA Security Rule applies to covered entities, which include health plans, clearing houses and providers that maintain or transmit health information in electronic form. If you have any questions about how the Security Rule affects your organization, speak to your legal counsel.

The Security Rule specifies several high-level objectives to guide healthcare organizations. All covered entities must use reasonable and appropriate administrative, technical and physical safeguards to

  • ensure the confidentiality, integrity and availability of protected electronic health information,
  • protect against reasonably anticipated threats to the security or integrity of such information,
  • protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Security Rule, and
  • ensure compliance by the workforce.

The Security Rule establishes 18 standards to provide a uniform framework for information security. Nine of these standards are administrative, four are physical and five are technical.

These standards are either straightforward in their requirements (e.g., "Assigned Security Responsibility") or contain implementation specifications that are considered "required" and "addressable." Although they are not optional, organizations may assess whether an addressable specification is a reasonable and appropriate safeguard for the organization. If not, it may choose a reasonable alternative.

The Security Rule is summarized in a table known as the Implementation Matrix, a copy of which can be downloaded from www.cdva.ca.gov/hipaa. Before organizations grapple with the details, they should understand the framework and take the first step toward effective compliance.

The Road to Compliance
Because Security Rule compliance deals with administrative, physical and technical standards, it is best for most organizations to handle implementation through a committee representing expertise in each of these areas. Including a member of your legal counsel on the implementation committee can be invaluable for understanding the risks and benefits of one implementation strategy in comparison to another. Effective counsel can help your committee avoid making the same mistakes as other organizations and potentially avoid litigation and costly fines. Finally, executive support is critical, not just because compliance is mandated, but because the organization needs to understand how information security will help everyone achieve the common mission.

Risk analysis is the primary implementation specification of the first standard in the rule. It is perfectly positioned: All determination of "reasonable and appropriate" safeguards must flow from that assessment of risk.

The National Institute for Standards and Technology, part of the U.S. Department of Commerce, has a series of publications that provide a great deal of information on information security. In its commentary on the HIPAA Security Rule, the U.S. Department of Health and Human Services recommended that entities look to NIST for guidance on technical matters.

NIST's Risk Management Guide for Information Technology Systems (Special Publication SP 800-30) provides a straightforward system for assessment that can satisfy the Security Rule's requirement for risk assessment, as well as a second part on risk mitigation that can help entities satisfy the second Security Rule Implementation Specification.

Compliance with the Security Rule can be a straightforward process. First, understand what information security is about and why your organization needs it. Second, understand what risk is, and use existing mechanisms to assess it. Creating your own methodology might seem easy at first but could quickly turn into a nightmare if you find yourself answering an inquiry by an oversight agency. Third, know what the rule says and use the Implementation Matrix as a checklist to help you achieve compliance without performing the same work twice. Finally, assemble your compliance team, including legal counsel, and get to work. After all, you only have until April 20, 2005 to make sure your organization is compliant.

C. Matthew Curtin, CISSP is founder and CEO of Interhack Corporation, an information assurance, data forensics and technology outsourcing provider. Peter M. Hazelton is an attorney with the law firm of Mallory & Tsibouris.