The Seven Steps to HIPAA Security Compliance
The health-care industry accounts for 15 percent of the GDP of the United States and is the largest segment of the U.S. economy. The Health Insurance Portability and Accountability Act (HIPAA) directly impacts the entire health-care industry—a $1.4 trillion vertical.
HIPAA is a comprehensive piece of legislation that includes the Administrative Simplification Title. It is this Title that sets specific requirements in the areas of transactions and code sets, identifiers, privacy and security. Tied in to these legislative requirements are compliance dates and penalties for violations. The focus of this article is the HIPAA Security Rule and specifically, the critical steps that security professionals and architects can follow to assist organizations with their compliance initiatives.
HIPAA Security Rule
The HIPAA Security Rule identifies standards and implementation specifications that organizations must meet in order to become compliant. Many large organizations that access, store, maintain or transmit patient-identifiable information are required by law to meet the HIPAA Security Standards by April 21, 2005. Small health plans have until 2006. Failing to comply can result in severe civil and criminal penalties.
Health-care service providers, insurance companies and state and local government agencies need to ensure that their employees are trained and understand the HIPAA Security requirements. Many organizations are just beginning to consider steps to address these requirements. Security professionals and architects need to thoroughly understand the legislative requirements. They can follow the “Seven Steps” methodology described in this article to drive security compliance initiatives.
The Security Rule will result in a significant deployment of security technology in the health-care industry.
CIA of E-PHI
The core objective of the HIPAA Security Rule is for all covered entities such as pharmacies, hospitals, health-care providers, clearinghouses and health plans to support the confidentiality, integrity and availability (CIA) of all electronic protected health information (e-PHI).
The HIPAA security requirements should be viewed as the minimum requirements that every entity must address. The objective of each entity must go beyond the HIPAA security requirements and truly protect all vital enterprise assets and communications.
Electronic PHI Requirement
The HIPAA Transactions Rule is increasing the amount of e-PHI that flows through health-care organizations. Further, the number of threats to electronic information and systems has never been greater. The HIPAA Security Rule now requires organizations to secure all e-PHI and the systems that contain it. Organizations must create a blueprint for securing their critical assets and information. This will require several activities or initiatives, including the development of security policies and the integration of security technology within the infrastructure.
HIPAAShield: Beyond HIPAA
The HIPAA Academy’s HIPAAShield methodology recommends seven specific steps for organizations to focus on to launch HIPAA security-related initiatives. The HIPAAShield methodology is based on the requirements of the HIPAA Security Rule. The methodology has also been influenced by the domains defined in the International Standards Organization (ISO) 17799 and the British Standard (BS) 7799 security standards as well as the Control Objectives for Information and related Technology (COBIT) framework. The methodology has also been impacted by some legendary ancient works, including Sun Tzu’s “The Art of War” and Kautilya’s “Arthashastra.”
ISO 17799 is a detailed international security standard, published in December 2000. BS 7799 and ISO 17799 are very similar standards. After two introductory, non-action sections, the ISO 17799 document is organized into 10 major sections (or domains), each covering a different topic or area.
COBIT is an internationally recognized framework developed by the IT Governance Institute. It helps meet the multiple needs of management by bridging the gaps between business risks, control needs and technical issues.
We recommend that all organizations go beyond HIPAA Security Rule requirements to:
- Secure all confidential business information, not just health information.
- Secure information in all forms, not just electronic.
The methodology provides a road map that may be used by security professionals and architects to enable organizations to be compliant with HIPAA Security Rule requirements.
The Threat Is Dynamic
The threat from hackers is significant. There are thousands of Web sites that offer easy-to-use tools to launch malicious attacks on organizations. The hackers of today are highly determined, patient and adaptive. Vulnerability assessment is a critical aspect of risk analysis that will require the direction of the security officer.
The Seven Steps
The HIPAAShield security methodology identifies seven critical steps for an organization to implement to become compliant with the HIPAA Security Rule. The seven steps are:
- Assign Security Responsibility
- Conduct Risk Analysis
- Develop Security Strategy and Policies
- Update Business Associate Contracts
- Train All Members of the Workforce
Associated with each step are specific activities. For example, Step 3, Develop Security Strategy and Policies, includes the following activities:
- Develop information security and other security policy documents.
- Document security procedures.
- Determine contingency planning requirements.
- Develop plans for physical security.
Further, associated with activities for each step are specific recommendations. For example, to meet the requirement for activities related to Step 4: Remediation, the organization must consider the deployment of strong authentication for all of its critical systems and applications that process e-PHI or other sensitive business information.
We strongly recommend that all organizations directly or indirectly impacted by the HIPAA legislation go beyond the requirements of the Security Rule and implement appropriate solutions to protect all vital enterprise assets.
Recommendations: Getting Started
Let us now review some recommendations related to specific HIPAA Security Rule implementation specifications. These recommendations provide guidance as you plan and organize activities around the defined seven steps to bring your organization into compliance.
To meet the requirement for Person and Entity Authentication, consider the deployment of strong authentication—at least two-factor authentication—for all critical systems and applications that process e-PHI or other sensitive business information. This includes considering solutions such as authentication tokens, smart cards, biometrics and/or digital certificates.
Organizations should consider using strong encryption solutions to meet Access Control and Transmission Security requirements. Strong encryption solutions support 128-bit symmetric or 2,048-bit asymmetric encryption.
Further, organizations must consider using certificates to encrypt information that may be stored or exchanged. Encryption can also be built into the application or device that processes sensitive business information. E-mail messages and their attachments, as well as Web-based forms and other information exchanged between a client and a Web server, may also be encrypted by using certificates.
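As an added example (not code from the article or from the HIPAA Academy's methodology), the following Go program enforces the two strength floors quoted above, 128-bit symmetric and 2,048-bit asymmetric, and applies them to one e-PHI record using the hybrid scheme that certificate-based encryption relies on: a fresh AES-GCM key per record, wrapped with RSA-OAEP to the recipient's public key, with GCM's authentication tag serving as the integrity check on decryption. The function names and the constructed sample record are assumptions, not anything the article specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewRSAKey generates the recipient's key pair; 2,048 bits meets the article's asymmetric floor.
func NewRSAKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal enforces the article's floors (128-bit symmetric, 2,048-bit asymmetric), encrypts the
// record with a fresh AES-GCM key, and wraps that key with RSA-OAEP to the recipient's public key.
func Seal(record []byte, recipient *rsa.PublicKey, symBits int) (wrapped, nonce, ct []byte, err error) {
	if symBits < 128 || recipient.N.BitLen() < 2048 {
		return nil, nil, nil, fmt.Errorf("%d-bit AES / %d-bit RSA is below the 128/2048 floor", symBits, recipient.N.BitLen())
	}
	buf := make([]byte, symBits/8+12) // AES key followed by the 12-byte GCM nonce
	rand.Read(buf)                     // crypto/rand fills the whole buffer (Go 1.24+ documents: never errors)
	key, nonce := buf[:symBits/8], buf[symBits/8:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, nil, err
	}
	if wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil); err != nil {
		return nil, nil, nil, err
	}
	return wrapped, nonce, gcm.Seal(nil, nonce, record, nil), nil
}

// Open unwraps the key with the recipient's private key and decrypts the record.
func Open(wrapped, nonce, ct []byte, recipient *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil || len(nonce) != gcm.NonceSize() { // gcm.Open panics on a wrong-length nonce
		return nil, fmt.Errorf("unusable key or nonce: %v", err)
	}
	return gcm.Open(nil, nonce, ct, nil) // any tampered byte fails the GCM tag check: error, no data
}
```

In a real deployment the recipient's public key would come from its certificate rather than from NewRSAKey, and the wrapped key, nonce and ciphertext would be stored or transmitted together as one record.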
To meet the requirement for Integrity Controls, organizations may consider the use of digital signatures to m