Archive for September, 2010

What does it take to be compliant?

One of the questions that I get asked a lot is: What does it take to be compliant with the HIPAA Security Rule?

And when I start to answer the question, inevitably the person’s eyes glaze over.  So to prevent your eyes from glazing over I will give the simple answer: A lot.

OK, that might be too simple so I will give a list of things that need to be done to be compliant.  Before I get started I want to point out that the Security Rule has items that are required and items that are addressable.  For this article I am going to list the items that a medical practice SHOULD do regardless of whether they are required or addressable.

  1. Write detailed Policies and Procedures that address each one of the below items.
  2. Perform a Risk Assessment on systems that contain electronic protected health information (ePHI).
  3. Implement the suggested security recommendations that are identified in the Risk Assessment.
  4. Create a Sanction Policy that addresses what to do if someone is in violation of your Policies and Procedures.
  5. Assign the Security Officer role to an individual.
  6. Develop a procedure to ensure that access to ePHI is only given to employees that need access to perform their job.
  7. Make sure that employee access to ePHI is limited to the information needed to perform their job.  (i.e. make sure they don’t have too much access)
  8. Make sure employee access to ePHI is terminated when they no longer need access.  This can be when they are terminated or when they switch to another job within the practice.  Create an employee termination procedure.
  9. Train your employees on the best practices to secure ePHI.
  10. Issue security reminders to employees after the training.  Items include best practices, malware alerts, security warnings, etc.
  11. Implement anti-virus / anti-malware on all systems.  Ensure that the anti-malware is automatically updated and kept current.
  12. Implement a procedure to report, document and respond to security incidents that affect ePHI.
  13. Implement a data backup procedure that ensures ePHI is properly backed up.  This can be to a backup tape, off-site backup, etc.  Ensure that your tape backups or off-site backups are encrypted.
  14. Implement a disaster recovery plan to ensure access to ePHI in the event something happens to your systems.  This includes a fire, flood, power outage, hardware crash, etc.
  15. Implement a procedure to operate in an emergency mode if there is a disaster.  Make sure you have a plan to use your disaster recovery plan and make sure you don’t lose ePHI during the disaster.
  16. Implement a procedure to regularly review your HIPAA Security Policies and Procedures.  During the review make appropriate changes to strengthen your protection of ePHI.  At a minimum do this annually and definitely after you have a security incident.
  17. Locate your systems that contain ePHI in a secure room.  In other words, make sure your server room is locked and restrict access to it.  This includes unauthorized employees, patients, visitors, maintenance workers, etc.
  18. Keep track of all people that enter the server room including IT staff, maintenance workers, etc.
  19. Create and distribute a Computer Use Policy that lets employees know what is acceptable use of the practice’s computers.  This addresses email, restricted websites, posting information on social networks, conducting illegal activity, etc.
  20. Implement procedures that ensure that all servers, desktops, laptops and mobile devices are secure.  This includes applying security patches, vendor updates, etc.
  21. Implement procedures to protect ePHI stored on portable devices.  This includes smartphones, laptops, USB drives, tape backups, etc.  MAKE SURE YOU ENCRYPT ALL OF THESE DEVICES.
  22. Implement procedures to ensure you delete all ePHI on devices when you are discarding, recycling, donating, returning them.  This includes laptops, desktops, servers, smartphones, USB drives, copy machines, x-ray machines, tape backups, etc.  NOTE:  Deleting the information is not enough.  Use special software that ensures the data is permanently deleted and can not be restored.
  23. Implement procedures to track portable devices that contain ePHI.  Track them so you know where they are, who has them and if they are lost or stolen.
  24. Ensure that each employee that accesses ePHI is assigned a unique username and password.
  25. Ensure that employees do not share usernames and passwords.
  26. Ensure that passwords are complex and not easily guessed.  (i.e. minimum of 8 characters, lower and upper case letters, numbers and special symbols – MsMi1@yo).
  27. Implement a procedure that forces employees to change their passwords on a regular basis (i.e. every 90 days).
  28. Implement a procedure that locks a user account after a certain number of failed password attempts (i.e. a user account will be locked and must be reset if the account is accessed with an incorrect password 5 times).
  29. Develop a procedure that in the event of an emergency, there is a way to access systems with ePHI to provide patient treatment.  In other words, make sure that the lack of knowing certain passwords does not affect patient treatment.
  30. Implement a procedure that locks workstation screens after a predetermined time (i.e. after 15 minutes of inactivity, a workstation automatically locks and can not be accessed.  This is applicable if an employee walks away from their desk).
  31. Implement a procedure that automatically logs people off of systems that contain ePHI after a predetermined time.  (see above).
  32. Ensure that all systems that contain ePHI are located securely behind a Firewall.
  33. Ensure that any remote access solution is secure and encrypted.
  34. Ensure that any wireless access to the network is secure and encrypted.
  35. Implement procedures that ensure all systems with ePHI have auditing turned on (i.e. record the username, date, time, action, etc when accessing ePHI.  Think system log files).  Make sure your employees know that all actions involving ePHI are recorded and logged.
  36. Implement procedures to review all system log files on a regular basis.  You are looking for events or notifications that there has been an attempt or an actual breach of ePHI.
  37. Make sure all smartphones have startup passwords and are encrypted.
  38. Implement procedures that ensure all email that contains ePHI is encrypted.  Implement email encryption.
  39. Implement procedures that ensure all laptops and smartphones are encrypted.  Implement full disk laptop encryption.  Implement encryption on smartphones (yes, I realize that I have mentioned this at least 3 times – it is that important!!)
  40. Implement procedures that ensure any transmission of ePHI is encrypted.  That includes email, FTP, etc.
  41. Ensure that all Business Associates (BA) sign a BA agreement.  Ensure that BAs understand their role in protecting ePHI.
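Items 28, 35 and 36 above describe an audit trail (username, date, time, action) that someone must actually review.  The following script is an added example, not code from the original post: it parses a few constructed audit log lines in a hypothetical format, flags any account that has hit the 5 failed-password threshold from item 28, and flags ePHI actions by users who are not on a hypothetical "minimum necessary" roster (items 6 and 7).

```python
import re
from collections import Counter

# Constructed sample audit log (not from the original post). The fields are
# the ones item 35 asks for: date, time, username, action, and the result.
SAMPLE_LOG = """\
2010-09-14 08:02:11 user=jsmith action=LOGIN result=SUCCESS
2010-09-14 08:05:40 user=jsmith action=VIEW_EPHI record=PT-1042 result=SUCCESS
2010-09-14 08:09:03 user=bmiller action=LOGIN result=FAIL
2010-09-14 08:09:15 user=bmiller action=LOGIN result=FAIL
2010-09-14 08:09:28 user=bmiller action=LOGIN result=FAIL
2010-09-14 08:09:40 user=bmiller action=LOGIN result=FAIL
2010-09-14 08:09:55 user=bmiller action=LOGIN result=FAIL
2010-09-14 09:31:22 user=tjones action=VIEW_EPHI record=PT-2210 result=SUCCESS
2010-09-14 09:31:50 user=tjones action=EXPORT_EPHI record=PT-2210 result=SUCCESS
"""

# Hypothetical line format; a real system's log layout will differ.
LINE_RE = re.compile(
    r"^(\S+) (\S+) user=(\S+) action=(\S+)(?: record=(\S+))? result=(\S+)$")

FAILED_LOGIN_LIMIT = 5          # item 28: lock the account after 5 bad passwords
EPHI_AUTHORIZED = {"jsmith"}    # hypothetical roster of staff cleared for ePHI


def parse_log(text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            date, time, user, action, record, result = m.groups()
            events.append({"date": date, "time": time, "user": user,
                           "action": action, "record": record, "result": result})
    return events


def review(events):
    """Findings a reviewer should act on during the item 36 log review."""
    failures = Counter(e["user"] for e in events
                       if e["action"] == "LOGIN" and e["result"] == "FAIL")
    lockouts = sorted(u for u, n in failures.items() if n >= FAILED_LOGIN_LIMIT)
    # Any ePHI action by someone outside the roster violates minimum necessary access.
    unauthorized = sorted({(e["user"], e["action"], e["record"]) for e in events
                           if e["action"].endswith("_EPHI")
                           and e["user"] not in EPHI_AUTHORIZED})
    return {"lockout_candidates": lockouts, "unauthorized_ephi_access": unauthorized}


if __name__ == "__main__":
    for finding, items in review(parse_log(SAMPLE_LOG)).items():
        print(finding, items)
```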

As you can see, there are a lot of steps needed to be compliant with the HIPAA Security Rule.  Keep in mind that compliance is an on-going process.  You can implement some of the steps as you work towards compliance with the ultimate goal of implementing all of them.


Easy cheap security – encrypt backup tapes

Security doesn’t have to be hard or expensive.  There are simple things that a practice can do to further protect patient information.  I was reading a few articles over at DataBreaches.net and I was struck by the breaches that occurred due to lost backup tapes.  A few examples include:

The Mercer Health & Benefits breach involving a backup tape lost in transit after being shipped by FedEx is one of those multi-client breaches that comes out in dribs and drabs. But if Mercer hoped to keep the total number affected under wraps, one of their clients may have spilled their beans.

On August 12, Idaho Power Health Plan posted an FAQ on their site that I just came across. It says, in part:

2. What happened and what data information was lost?
A data breach was reported by Mercer to Idaho Power on June 16, 2010. According to Mercer, on March 26, 2010 a package containing a server back-up tape was sent via FedEx from Mercer’s Boise office to their Seattle office and is presently unaccounted for.

The tape contained personal demographic information (not medical or health-related data). The lost information included names, addresses, dates of birth, and Social Security numbers for approximately 5,000 Idaho Power employees and dependents and approximately 375,000 other individuals whom Mercer services through their client base.

Another example includes:

Approximately 1,000 current and former Saint Alphonsus employees are being notified that a computer back-up tape containing their personal information has gone missing.

Saint Alphonsus Regional Medical Center and its parent company Trinity Health have learned that a computer backup tape created by the consulting firm Mercer was lost in transit to a Mercer storage facility sometime between March 26 and March 29, 2010.

Mercer said that the missing tape contains the personal information for associates of several companies, including St. Al’s employees who were covered by some of the hospital’s medical plans between 2004 and 2006. The personal information that is missing includes names, addresses, birth dates and Social Security numbers.

These as well as many other breaches could have easily been avoided if the backup tapes used encryption.  I know encryption is one of the magical words that most people don’t fully understand.  I won’t go into the specifics other than saying that if your data is encrypted it is a safe harbor from having to report a data breach.  Furthermore, almost all modern tape backup software (Symantec Backup Exec, CA ArcServe, etc.) supports encryption.  It is simply a setting that you turn on and give an encryption password.  It doesn’t cost extra to use the encryption and it is no harder than clicking a check box and giving the password.  If you are not using encryption on your tape backup I recommend that you start immediately.  If you are unsure or you outsource your IT support, then make sure your IT company is encrypting your backup tapes.

Tape backup encryption is one of the cheap and easy security solutions that you can do to protect patient information as well as avoid costly data breaches.


Ex-employee charged with HIPAA Violations

An ex-employee of UPMC Shadyside Hospital in Pittsburgh was charged in a 14 count indictment.  According to the United States Attorney’s Office for the Western District of Pennsylvania:

According to the indictment, in February 2008, Pepala, then employed at UPMC Shadyside Hospital, disclosed to others names, birth dates and Social Security numbers of patients for personal gain, in violation of federal HIPAA laws, and disclosed Social Security numbers to other persons without their authorization. This information was used to file false tax returns in 2008. Pepala was also charged with violating the Social Security Act by disclosing Social Security numbers in violation of federal law.

The law provides for a maximum total sentence of 80 years in prison, a fine of $4,730,000, or both. Under the Federal Sentencing Guidelines, the actual sentence imposed would be based upon the seriousness of the offenses and the prior criminal history, if any, of the defendant.

There have been very few cases of HIPAA violations that have resulted in prison terms.  If he is found guilty and does receive a prison term, it will send a powerful message.  HIPAA violations are serious offenses.  Accessing and selling Electronic Protected Health Information (EPHI) for personal gain should be prosecuted.  With the changes to HIPAA as a result of the HITECH Act, we may see more enforcement, higher penalties and more prison terms for offenders.  All would be good steps in the right direction toward protecting patient information.


Entegration Blog is now on Twitter

I come across a lot of useful information regarding Health Information Technology.  I try to write a blog article about the most interesting information, but there is a lot of other information that I never get around to sharing.  So with some foot dragging and some friendly pushes by colleagues and family I have embraced Twitter.  I am hoping to use it to share information that I find useful and think that others might find useful.  With a little bit of caution, due to the newness of it for me, I now embrace Twitter!  I will still maintain the Entegration Blog for more in-depth articles.

You can follow me at:  http://twitter.com/EntegrationBlog @EntegrationBlog

Do you have any suggestions of good resources that I can follow to stay abreast of Health Information Technology?  If you do please let me know.  I am already following John Lynn from EHR and HIPAA @ehrandhit and HISTalk @histalk.  They are two of the most useful sources of information in my opinion.


2010 Data Breach Investigations Report

The Verizon Business RISK team in cooperation with the United States Secret Service (USSS) released a report on data breaches.  The breaches were across all industries and were not specific to the Healthcare industry.  The report came out in July but I just got around to reading it.  A few interesting points in the report include:

Who is behind Data Breaches?
70% resulted from external agents
48% caused by insiders
11% implicated business partners
27% involved multiple parties

Driven largely by organized groups, the majority of breaches and almost all data stolen (98%) in 2009 was still the work of criminals outside the victim organization.  Insiders, however, were more common in cases worked by the USSS, which boosted this figure in the joint dataset considerably.  This year’s study has by far improved our visibility into internal crime over any other year.  Breaches linked to business partners continued the decline observed in our last report and reached the lowest level since 2004.

How do breaches occur?

48% involved privilege misuse
40% resulted from hacking
38% utilized malware
28% involved social tactics
15% comprised physical attacks

Related to the larger proportion of insiders, Misuse sits atop the list of threat actions leading to breaches in 2009.  That’s not to say that Hacking and Malware have gone the way of the dinosaurs; they ranked #2 and #3 and were responsible for over 95% of all data compromised.  Weak or stolen credentials, SQL injection, and data-capturing, customized malware continue to plague organizations trying to protect information assets.  Cases involving the use of social tactics more than doubled and physical attacks like theft, tampering, and surveillance ticked up several notches.

What commonalities exist?

98% of all data breached came from servers
85% of attacks were not considered highly difficult
61% were discovered by a third party
86% of victims had evidence of the breach in their log files
96% of breaches were avoidable through simple or intermediate controls
79% of victims subject to PCI DSS had not achieved compliance

As in previous years, nearly all data were breached from servers and applications.  This continues to be a defining characteristic between data-at-risk incidents and those involving actual compromise.  The proportion of breaches stemming from highly sophisticated attacks remained rather low yet once again accounted for roughly nine out of ten records lost.  In keeping with this finding, we assessed that most breaches could have been avoided without difficult or expensive controls.  Yes, hindsight is 20/20 but the lesson holds true; the criminals are not hopelessly ahead in this game.  The more we know, the better we can prepare.  Speaking of being prepared, organizations remain sluggish in detecting and responding to incidents.  Most breaches are discovered by external parties and only then after a considerable amount of time.

Some interesting points from the data above:

  • 98% of all data breached came from servers.  Needless to say that servers are where you want to spend your time, money and effort on securing.
  • 86% of victims had evidence in their log files.  Log monitoring is essential.  Without it, you have no idea what is happening to your data.
  • 38% of breaches used malware.  Malware isn’t just about popping up porn pictures anymore.  Malware is about stealing data and profiting from that data.
  • 96% of breaches were avoidable through simple controls.  That is an amazing figure that tells me with some proper security in place it is possible to avoid a majority of data breaches.