
Protecting Private Health Information With Role-Based Authorization



mThink Knowledge - Posted on 30 June 2003

Authored by: Michelle Netten, Secure Computing Corporation
There are several reliable methods for meeting HIPAA compliance for authentication, authorization, and accountability, including passwords, digital certificates, tokens, and biometrics. Compliance can be simple, but no one piece of software can do it all.

Introduction

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was passed by Congress to improve the efficiency and effectiveness of the health care system, protect patient privacy, and reduce the incidence of fraud. These efficiency improvements will require increasing automation of patient records and electronic health care information transfers. Doctors, nurses, hospital personnel, insurance agents, and others can provide more efficient administration to patients by accessing health information expediently and ensuring that it's correct. But standardization and computerization of patient information, combined with increasing transfers of that information between relevant parties, pose many new security and privacy risks that did not exist before. In recognition of this increased risk, several procedural and technical guidelines are set forth to achieve these goals.

The HIPAA includes many requirements for establishing rules for managing and protecting "individually identifiable health information." Such information refers to any electronic health information that can reasonably be identified with a specific individual.

With the issuance of final HIPAA rules by the Health Care Financing Administration (HCFA), maintaining privacy of medical records is a legal requirement — all health care organizations that maintain or transmit electronic health information must comply by April 2003.

The technical requirements of the HIPAA's Security Standard focus on protecting individually identifiable health care information through: authentication, which governs access to the health care system network; authorization, which governs access to specific data within that system; and an audit trail (accountability), which keeps track of who has accessed what within the system.

Guidelines for the Health Care Industry

Health care organizations must provide a secure infrastructure around access to patient information through a combination of procedures, technical solutions, and policies. Medical records often contain information that individuals would like kept secret from others. For example, a woman may not want her employer to know that she's undergoing fertility treatments, or a patient may not want anyone to know how many HIV tests he has had. Implementing this type of secure access has become a major concern for health care providers; strict penalties can be levied on providers who fail to comply. Although specific technologies are not mentioned, the United States Department of Health and Human Services (DHHS) and the HCFA standards and guidelines follow the lead of the Privacy Act of 1974, stating that individuals must maintain confidence that their information is kept secure.

HIPAA also lays out several administrative and procedural guidelines, as well as physical safeguards designed to enhance security. HIPAA compliance is achieved through adherence to these policies and procedures in conjunction with the above technical guidelines.

What Is AAA Security?

In order for secure access to be effective, three basic elements must be in place: authentication, authorization, and accountability, collectively known as AAA security. AAA security ensures that the only people who gain access to individuals' health information are the right people. AAA security is mandated by the HIPAA guidelines.

Authentication makes sure that only the proper people can gain access to a network, system, or server. Authentication can be performed with a user name and memorized password, smart card, or digital certificate, by using a software or hardware token, or by using a biometric device such as a fingerprint reader.

Authorization makes certain that once users are inside the system, they can access only the information and resources that are appropriate for them. For example, in "role-based authorization," an obstetrics nurse would have access only to the records of patients on her station.

Accountability ensures that people are held responsible for their actions by keeping detailed records, or "audit logs." By tracking which users are making requests, which resources they are requesting, and where they are being given or denied access, organizations can detect inappropriate behaviors and reduce the risk of security violations or fraud.

Authentication: The Crux of Secure Access

Suppose Phoebe Physician wants to view her patients' medical records from her home computer. Phoebe opens her browser and goes to the health care provider's Web site to access the records. The system knows that it's Phoebe through authentication. The HIPAA requires automatic logoff, unique user identification, and at least one of the following: biometrics, passwords, PINs, telephone callback, or tokens. Telephone callbacks are a special case in that they do not so much authenticate an individual as associate each individual with a telephone number; as such they can be implemented regardless of your security platform. The HIPAA does not specify any one authenticator; rather, it gives you a range of options. Your authentication solution should let you assign different types of authenticators to different users, depending on what strength of authentication has been deemed appropriate to access a particular resource.

Memorized Passwords

One of the most common authentication methods is the use of a user name and memorized password. In fact, Phoebe accesses her Web-based free email account by typing in her name and password. This solution is usually inexpensive to deploy, and is relatively convenient for the end user. In cases where only minimum security is required, a memorized password authentication system may be acceptable, although it is not appropriate for data such as individually identifiable health care information.

Memorized passwords have serious vulnerabilities. They can be easily stolen or guessed using a "dictionary attack" or "sniffer" software. Another risk is that sometimes users forget their passwords, meaning they can't access information successfully until the password is remembered or a new one has been set up — both of which are time-consuming.

Digital Certificates

Digital certificates are user-specific files that contain a user's public key in a form that can be used to verify the identity of that particular user. While the user's certificate and public key are available to everyone, the corresponding private key is known only to the holder. Digital certificates and public and private keys are often supported by a public key infrastructure (PKI).

Unfortunately, the private key is often stored on the user's hard drive, where it is not secure from insider attacks or from various high-level external attacks. For instance, if Allan Attacker has physical access (or access over a network) to Phoebe Physician's PC, he can install a "key-grabber" program that will obtain Phoebe's private key and any of her passwords the next time they are used. He can then masquerade as Phoebe and perform all the functions that Phoebe is allowed to perform, including forging her digital signature on medical orders.

Validating a user with a digital certificate must be accompanied by some technique to positively identify the user. One way is through physical safeguards, mandated by the HIPAA guidelines, such as restricted access to workstations, as well as technological access controls. The best solution is to store the user's private keys on a small, portable device that connects to the computer when in use and is easy to detach when the user leaves the workstation.

Securely Storing Digital Certificates and Private Keys

Phoebe's private key can be stored on a small, removable device such as a smart card, which is a device the size of a credit card with an embedded microprocessor to perform encryption and decryption and memory to store keys. The HCFA has included smart cards as acceptable for authentication. A smart card reader connected to Phoebe's PC authenticates her with two-factor authentication, combining something she knows (her PIN) with something she possesses (the smart card). Besides smart cards, digital certificates and private keys can also be stored in other portable devices that plug directly into a USB port.

A software alternative to the physical device, in the form of a "virtual" smart card, is another option. A virtual smart card stores digital certificates and private keys on a physically inaccessible, secure central server that can be accessed from any Web browser. Virtual smart cards can be protected by different methods, including memorized passwords or tokens.

Regardless of whether a smart card, other hardware device, or a software-based "virtual" smart card is used, the private key remains safe because it is never stored on the hard drive — always within the device itself — and is never transmitted to anyone.

Verifying Digital Certificates

When digital certificates are used, health care providers make sure each digital certificate is valid through a certification authority (CA). CAs are trusted entities that issue and maintain certificates. Organizations may choose to operate their own CA, or they can use trusted third parties to provide certificate services or software. Some of the major digital certificate vendors are Baltimore Technologies, VeriSign, and Entrust. Ideally, your authentication system should offer both options: CA server software so companies can locally manage their own certificates if they wish, plus interoperability with third-party CAs and standards-based (X.509) certificates.

Hardware and Software Tokens

Alternatively, systems can also require the use of a hardware or software authentication token. Hardware tokens are small, and are designed to fit in a shirt pocket or on a key ring. Software tokens, on the other hand, run on PCs, PDAs, or certain Web-enabled wireless phones.

Suppose Phoebe Physician has been given a hardware token for secure access. When Phoebe requests her patients' medical records, she types in her user name, then activates the token by entering her PIN. The token generates a one-time password (which is different every time Phoebe activates the token). This time, the token generates "p45a63ch" and displays it on its screen. Phoebe types "p45a63ch" into her computer to gain access to the information she's requesting.

Since, by definition, one-time passwords can't be reused, these tokens provide the most secure authentication available. Even if Allan Attacker manages to intercept the password, it is useless to him because it's no longer valid.

In systems using tokens, no one — not even a system administrator — has a "master" token. Not only does this lower the risk of internal attacks, it also assures that attackers can't somehow get a single master key to unlock every file in the system. Such a key doesn't exist. Because of the highly secure nature of token-based authentication, the HCFA has included tokens in its list of acceptable authentication approaches for HIPAA compliance.
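The property described above, that a captured one-time password is worthless once it has been accepted, can be shown in a few lines of server-side code. The following is an added example, not code from the original article or from Secure Computing's products; it assumes an HMAC-based event-counter token (RFC 4226 HOTP, which produces numeric codes rather than the alphanumeric "p45a63ch" the article shows), a per-user shared secret, and a verifier that remembers the highest counter it has already accepted. The user name, secret and counter values are constructed for the demo.

```python
"""One-time-password token verification with replay rejection (constructed example)."""
import hashlib
import hmac
import struct
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given event counter.

    This is what the hardware token computes each time the user activates it.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: pick 4 bytes of the MAC
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return f"{code:0{digits}d}"


class TokenVerifier:
    """Server side: remembers, per user, the highest counter already accepted."""

    def __init__(self, look_ahead: int = 5):
        self.look_ahead = look_ahead  # tolerate a few token presses that never reached the server
        self._secrets: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret
        self._last_counter[user] = -1  # nothing accepted yet

    def verify(self, user: str, code: str) -> bool:
        """Accept a code only if it belongs to a counter beyond the last accepted one."""
        secret = self._secrets.get(user)
        if secret is None:
            return False
        last = self._last_counter[user]
        for counter in range(last + 1, last + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(secret, counter), code):
                # Every counter up to and including this one is now burned,
                # so an intercepted copy of this code can never be replayed.
                self._last_counter[user] = counter
                return True
        return False  # wrong code, or a replay of one already used


if __name__ == "__main__":
    # Constructed demo: the published RFC 4226 test secret and the article's user.
    secret = b"12345678901234567890"
    verifier = TokenVerifier()
    verifier.enroll("phoebe", secret)
    displayed = hotp(secret, 0)  # what the token shows on its screen
    print("Phoebe logs in with fresh code:", verifier.verify("phoebe", displayed))  # True
    print("Allan replays the same code:   ", verifier.verify("phoebe", displayed))  # False
```

The verifier never stores the code itself, only the counter it corresponds to; a second presentation of the same code falls below the stored counter and is rejected without any need to keep a list of "used" passwords.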

Biometrics

Biometric authentication devices convert unique biological information into a digital representation for the purposes of identification. Devices such as the Sony FIU-700 and the NEC SecureFinger identify users with unique fingerprint information. CyberSign has developed a signature system, which identifies users based on their unique written signature. BioID is a combination of voice and face recognition, used in conjunction with a small, inexpensive camera.

Although not new to the field of security, biometric technology has historically been difficult, inaccurate, and expensive. Recently, however, it has made significant advances and offers a fairly secure and generally accurate form of authentication. In recognition of this, the HCFA has included biometric authentication in its guidelines.

Authorization: Once You're In, Where Can You Go?

After successfully using one or more of the HIPAA-compliant authentication methods, Phoebe is now permitted to enter the system's electronic patient record server. She pulls up Peter Patient's record and checks out the medications Peter should be taking and the last time he had a tetanus shot.

Suppose Allan Attacker is a patient in the same system as Phoebe. Allan, who can legitimately request his own patient records, authenticates securely onto the system. Once he's in the system, however, he requests Peter Patient's health information. If Allan were able to access Peter's information, then the system would be in violation of HIPAA requirements. The HCFA specifies that context-based, role-based, or user-based access control must be implemented to ensure that the above scenario can't happen.

Authorization technology must not stop at the "gatekeeper" security level. Once Allan is inside the network, he should be able to gain access only to those files that he's authorized for. Authorization can be set up in a variety of ways, based on user names, roles, or authentication methods. Authorization is a highly personalized process and should guarantee that every single person within your organization can get access to exactly what they need — no more and no less.

Role-Based Authorization

The HIPAA guidelines specify role-based authorization as one of the recommended methods of secure access. In a large enterprise, role-based authorization is virtually a necessity. Role-based access control allows the administrator to set access controls for the many roles each individual may have within the organization, instead of having to manually configure access controls for each individual. The level of access an individual is granted exactly matches that which is needed to fulfill the various roles that individual may have. This approach not only simplifies administration, it also provides the maximum amount of flexibility for each individual, since an individual's unique set of roles translates into a unique set of access privileges.

Accountability: Where Have You Been?

The HCFA requires health care organizations to put in place audit control mechanisms to record and examine system activity. With appropriate accountability technology in place, when Allan Attacker tries to access Peter Patient's records, the request will be denied and the event logged. The log can be reviewed periodically, or your authentication/authorization solution can be configured to send an automatic alert to system administrators that someone may be trying to steal information.

In addition to fulfilling the government requirement for audit control, implementing accountability features can significantly reduce the risk of fraud. Employees, partners, patients, and everyone else who is authorized for network access may be far less likely to attempt to steal data or alter information if they realize that their every move is being logged.
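The role-based authorization section and the accountability section describe one mechanism seen from two sides: a decision point that grants each user exactly the access their roles require, and a log of every request, granted or denied, that can be reviewed or turned into an alert. The following added example (not code from the article or from any Secure Computing product) implements both with the article's own cast: Phoebe Physician, a ward nurse whose scope is her station, and Allan Attacker as a patient who may read only his own record. The role names, permission strings, station and patient identifiers, and the scope rules per role are all constructed assumptions.

```python
"""Role-based authorization with an audit trail (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Role -> permissions the role grants. Constructed policy: the article names the
# roles but not these permission strings.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"record:read", "record:write", "order:sign"},
    "nurse": {"record:read"},
    "patient": {"record:read"},
}


@dataclass
class User:
    name: str
    roles: Set[str]
    station: Optional[str] = None     # ward/station, for nursing staff
    patient_id: Optional[str] = None  # set when the user is also a patient


@dataclass
class Record:
    patient_id: str
    station: str    # ward the patient is currently on
    attending: str  # user name of the attending physician


@dataclass
class AccessControl:
    audit_log: List[dict] = field(default_factory=list)

    def _in_scope(self, user: User, role: str, record: Record) -> bool:
        """Which records a role may touch at all, independent of the action."""
        if role == "patient":
            return user.patient_id == record.patient_id  # own record only
        if role == "nurse":
            return user.station == record.station        # patients on her station
        if role == "physician":
            return user.name == record.attending         # her own patients
        return False

    def authorize(self, user: User, action: str, record: Record) -> Tuple[bool, str]:
        """Return (allowed, reason) and log the decision either way."""
        allowed, reason = False, "no role grants this action on this record"
        for role in sorted(user.roles):
            if action in ROLE_PERMISSIONS.get(role, set()) and self._in_scope(user, role, record):
                allowed, reason = True, f"granted via role '{role}'"
                break
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user.name,
            "action": action,
            "patient_id": record.patient_id,
            "decision": "ALLOW" if allowed else "DENY",
            "reason": reason,
        })
        return allowed, reason

    def denied_count(self, user_name: str) -> int:
        return sum(1 for e in self.audit_log if e["user"] == user_name and e["decision"] == "DENY")

    def users_to_alert(self, threshold: int = 1) -> Set[str]:
        """Users whose denied-request count has reached the alert threshold."""
        names = {e["user"] for e in self.audit_log}
        return {n for n in names if self.denied_count(n) >= threshold}


# Constructed sample users and records following the article's scenario.
PHOEBE = User("phoebe", {"physician"})
NANCY = User("nancy", {"nurse"}, station="MED-2")
ALLAN = User("allan", {"patient"}, patient_id="P-1001")
PETER_RECORD = Record(patient_id="P-2002", station="MED-2", attending="phoebe")
ALLAN_RECORD = Record(patient_id="P-1001", station="MED-5", attending="dr_other")


def run_scenario() -> AccessControl:
    ac = AccessControl()
    ac.authorize(PHOEBE, "record:read", PETER_RECORD)  # ALLOW: her patient
    ac.authorize(NANCY, "record:read", PETER_RECORD)   # ALLOW: Peter is on her station
    ac.authorize(NANCY, "record:read", ALLAN_RECORD)   # DENY: different station
    ac.authorize(ALLAN, "record:read", ALLAN_RECORD)   # ALLOW: his own record
    ac.authorize(ALLAN, "record:read", PETER_RECORD)   # DENY, and logged
    return ac


if __name__ == "__main__":
    ac = run_scenario()
    for e in ac.audit_log:
        print(e["decision"], e["user"], e["action"], e["patient_id"], "-", e["reason"])
    print("alert administrators about:", ac.users_to_alert(threshold=1))
```

Two design points carry over to real deployments: the decision function logs before it returns, so a denial can never happen silently, and the scope check is separate from the permission check, so adding a role means writing one scope rule rather than enumerating every user's records.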

Conclusion

The HIPAA is a far-reaching piece of legislation that will have a major impact on the health care industry. There are comprehensive products on the market, such as SafeWord Premier Access from Secure Computing, that combine authentication, flexible authorization, and accountability and audit features to address the multiple security requirements specified by HCFA and HIPAA.

Yet, because this legislation involves sweeping changes in administrative procedures, no one piece of software can automatically bring you into compliance; rather, compliance is achieved through a combination of technology implementation, updates in policies and procedures, and adherence to new standards.

While the standard was created to be "technologically neutral," with no specific technology or product mandated, as a practical matter the best way to move toward compliance is by implementing a firewall solution combined with a system that controls access through authentication and authorization. This system should achieve AAA security, which addresses authentication, authorization, and accountability. While the act allows for some variation and customization within the AAA implementation, a solution involving the elements outlined above and based on "role-based access" methods provides the ideal solution for any environment requiring access control.

While compliance must be carefully considered and documented, and may require steps to be taken in several discrete areas, it need not be difficult. In most cases, if you adhere to best practices in information security, confidentiality, and patient privacy and take the necessary steps that any prudent organization would, you are already well on your way to compliance.

About the Author

Michelle Netten, Writer & Editor, Secure Computing Corporation

Michelle Netten is a writer and editor for the high-tech industry and has written white papers and collateral for over eight years. She manages corporate and product content at Secure Computing.
