Toward a Mature Security Model
HIPAA Administrative Simplification intends to do what other industries have successfully achieved by sitting down with competitors: standardize common electronic transactions to reduce healthcare's overhead cost. While not a surprising piece of legislation, Administrative Simplification's companion privacy and security regulations have jolted just about every corner of the industry.
HIPAA's privacy rule has been controversial, and it is subject to unpredictable changes, making it either more privacy-sensitive or less, depending on the current administration, industry pressure and public opinion. Some parts of the rule continue to plague organizations struggling to interpret its nuances, for example, when it is permissible to use protected health information for marketing purposes. Nevertheless, healthcare organizations generally report they are in compliance with privacy requirements.
On the other hand, HIPAA's security rule, first proposed in 1998, was long predicted to require nothing more than industry-neutral "InfoSec 101" or reasonable business-level security practices. The final rule published in early 2003 bore this out. While this rule, too, is likely to change, the conventional wisdom is that it will only become more stringent over time and in relatively predictable ways. In spite of the industry's lengthy lead time, security rule compliance levels among covered entities are a big disappointment to many observers.
Security Program Maturity Levels
Security programs vary widely in level of maturity. One way to view this phenomenon is to consider the motivation behind each organization's security program. Here are three organization profiles ranging from the least mature to the most mature security environment:
The Government Says We Have To.
At the least mature level of a security program, an organization views security mainly as a requirement imposed by an external regulatory body, a necessary evil. Although the weakest motivator, this may be the most common reason for initiating a security program in healthcare. The organization follows avoidance strategies: it implements policies and procedures to avoid penalties, bad press and financial fallout. People working in this environment are told that they have to do certain things, such as not share user IDs and passwords, because of the potential for penalties. There is not a strong sense that management is fully behind the program. In fact, in this organization individuals can frequently cite lax security behavior that is tolerated by management. Some individuals may resent security controls and go so far as to openly defy them. The threat of regulatory penalties is a very weak motivator for workforce compliance with security policies and procedures since it seems remote. And the organization's own management may not feel compelled to comply when the likelihood of government sanctions is low.
A number of covered entities frankly acknowledge that they are not yet compliant with security regulations that became enforceable for most organizations in April 2005. A primary reason appears to be that many organizations pushed hard for privacy rule compliance by April 2003, only to find that Health and Human Services (HHS) enforcement of that rule is weak. More than three years after the compliance deadline, HHS is still maintaining its "kinder, gentler" stance, and no monetary penalties have been assessed despite the thousands of complaints filed. While that stance may have been appropriate in the early days, it now undermines compliance efforts. The implicit message is, "The government says we have to, but we won't get in trouble if we don't." Parents know that that kind of
Resource/Data Owners
Resource owners are commonly recognized in organizations as the person to approach when there is a question about a particular system. Owners should be formally identified and receive periodic training in their specific responsibilities, such as access role development, user authorization and user access review.
For everyone involved in security, not just the ISO and security staff, acceptance of security responsibilities and training in the organization's expectations of how the individual will carry out those responsibilities are prerequisites for accountability. Once individuals understand their role, they can and should be held accountable for violating security policies and procedures that put the organization, its information assets and potentially its patients at risk.
Why Care About Moving Toward a More Mature Security Model?
There are practical reasons to invest in our security programs. First, due to public concerns about security breaches, there is a growing body of federal and state laws and regulations with privacy and security aspects. Instead of reacting to each new law in a patchwork fashion, organizations with a comprehensive and mature program that meets accepted standards and best practices will be positioned to comply more easily with new requirements.
At the same time that these new privacy and security protections are imposed, the government is pressing forward with health information technology (HIT) initiatives. Proposed legislation calls for further standardization of health records terminology and interoperability of systems to create a longitudinally linked electronic health record for each of us. HIT is expected to enable the U.S. healthcare system to provide better patient care, to support research and to lower costs.
But HIT development may be hampered by privacy and security issues and a lack of public confidence. Witness the frequent news reports of lost backup tapes, stolen laptops, misdirected faxes and other security snafus.
In November 2005, the California Healthcare Foundation (www.chcf.org) reported the results of a survey:
Conducted by Forrester Research, the survey reveals that, despite federal protections under HIPAA, two in three Americans are concerned about the confidentiality of their personal health information and are largely unaware of their privacy rights.
In addition, one in eight patients reportedly engages in behavior to protect personal privacy, presenting a potential risk to their health. More than half (52 percent) of respondents are concerned that employers may use health information to limit job opportunities, highlighting the implications of the privacy issue.
As efforts to develop a nationwide health information network proceed, unaddressed concerns about personal privacy could have major implications.
There is always risk, and the healthcare industry can't completely eliminate the possibility of privacy and security breaches. But the industry can do much more to reduce the frequency and impact of such breaches, just as it is taking dramatic steps to reduce the number of avoidable deaths. In both instances the solution involves new and better technology. But, more importantly, the effective solution includes commitment and culture change that places a high value on quality processes, including security.
The FTC Enforces Security Protections
For a stark contrast to HHS enforcement of HIPAA privacy and security, note what the Federal Trade Commission has done with BJ's Wholesale Club after stolen customer information was used for millions of dollars of fraudulent purchases. The FTC chairman stated, "Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security. This case demonstrates our intention to challenge companies that fail to protect adequately consumers' sensitive information."
The FTC said BJ's did not employ reasonable and appropriate measures to secure personal information collected at its stores.
The FTC said that [BJ's]:
- did not encrypt the information while in transit or when stored on the in-store computer networks;
- stored the information in files that could be accessed anonymously, that is, using a commonly known default user ID and password;
- did not use readily available security measures to limit access to its computer networks through wireless access points on the networks;
- failed to employ sufficient measures to detect unauthorized access or conduct security investigations; and
- created unnecessary risks to the information by storing it for up to 30 days when it no longer had a business need to keep the information, and in violation of bank rules. As a result, a hacker could have used the wireless access points on an in-store computer network to connect to the network and, without authorization, access personal information on the network.
The consent agreement requires BJ's to implement a comprehensive security program with administrative, physical and technical safeguards. It requires that BJ's designate security responsibility and accountability and implement and monitor security controls.