The challenges and opportunities of HIPAA
Ross Armstrong
April 25, 2006
(Storage Networking World)
Effectiveness aside, the Health Insurance Portability and Accountability Act (HIPAA) can teach IT best practices that are extremely beneficial to health care organizations. Secure access to storage is an especially popular subject among my clients.
Given that HIPAA's main concern is the storage and handling of protected health information (PHI), it's critical that your data stores are as safe as possible. My healthcare clients usually want to talk about three key areas: identity and access management, disaster recovery (DR) planning, and smart cards.
Issue #1: Identity and access management
ID and access management is a broad term for a system or solution that identifies individuals within the network and then controls their access to network resources by associating user rights, authentication, authorization, and restrictions with the established identity.
Solutions typically encompass a combination of technologies. Where multiple healthcare entities are concerned, ID management can be expanded outside the firewall to include federated identity management. Deliverables of this technology and its constituent parts include:
- Password reset. This feature allows users to change their own passwords, often through Web browsers and e-mail-based capabilities. Standalone password reset solutions can also integrate with help desk software to automatically generate, open, and close password reset tickets. While prices vary, costs generally range from $10 to $20 per user.
- Password synchronization. This function allows employees to utilize a single password for all applications and systems they need to access. When a password is changed, the change is propagated to all other systems. Users generally have to log into each system separately, but they only have to remember one username and password. When purchased separately, this technology ranges in price from $10 to $30 per user, depending on volume.
- Single sign-on (SSO). Unlike password synchronization, SSO-based solutions allow users to sign in once for all applications and systems, rather than logging in individually. This technology is typically more expensive, complex, and system-invasive than password synchronization. Outside of a total ID management package, these products start at about $80 per user.
- Password policy enforcement. Many systems also offer modules that automatically enforce multiple password policies, including the length of the password, acceptable characters, password history, and ensuring that these policies do not conflict with other policies or application requirements.
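The policy dimensions listed above (length, acceptable characters, password history) as one enforcement routine; this is an added example, not code from the article or any product it mentions, and the numeric limits and the character class rule are assumptions chosen for illustration.

```python
import hashlib
import os

# Policy values are constructed for this example; the article names the
# policy dimensions (length, allowed characters, history) but gives no figures.
MIN_LENGTH = 12
HISTORY_DEPTH = 5
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
              "0123456789!@#$%^&*()-_=+")

def hash_password(password: str, salt: bytes) -> bytes:
    # History is kept as salted PBKDF2 digests, never as plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password(candidate: str, history: list) -> list:
    """Return the list of policy violations; an empty list means accepted.
    history is a list of (salt, digest) pairs, oldest first."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    bad = sorted(set(candidate) - ALLOWED)
    if bad:
        violations.append("disallowed characters: " + "".join(bad))
    classes = (any(c.islower() for c in candidate),
               any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate),
               any(not c.isalnum() for c in candidate))
    if sum(classes) < 3:
        violations.append("needs at least three character classes")
    # Only the last HISTORY_DEPTH entries count toward reuse.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hash_password(candidate, salt) == digest:
            violations.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return violations

def record_password(password: str, history: list) -> list:
    """Append the accepted password's salted digest to the user's history."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))
    return history
```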
Issue #2: Disaster recovery planning
In principle, DR planning is more about business continuity than it is security. In practice, however, the security of stored data means that the data must be available as well as confidential. Since HIPAA contains specific rules for DR planning, it makes sense to talk about it within an overall security context.
In particular, HIPAA requires that all healthcare organizations:
- Create a data backup plan. This means ensuring that all information can be retrieved from an electronic copy or a backup. Whatever cannot be retrieved (such as paper documents) will be addressed in the organization's DR planning. Here are a few things to consider, even though HIPAA does not outline the considerations surrounding backup plan structure:
  - Figure out how much and/or what data your organization can afford to lose.
  - Determine the best times for backups to take place.
  - Ensure that the backups are being sent off-site regularly, and are easily accessible.
- Establish and implement a DR plan. The DR section of HIPAA states that procedures need to be established and implemented, as needed, to restore lost data. This requirement is relatively open to interpretation, but from a best practices standpoint, here are a few things to get you started:
  - Establish technical procedures to recover the data from the last available off-site backup.
  - Implement procedures that will verify whether the data has been recovered as needed.
  - Create verification procedures for the recovered configurations to ensure restoration of functionality.
  - Set up procedures that will facilitate re-entry of the lost data between the last backup and the interruption in service. These procedures will depend on the existence of manual transactions to re-enter the data.
- Ensure ongoing compliance when in emergency mode. According to HIPAA, "The emergency mode operation plan requires procedures that facilitate the continuation of business processes, and safeguards the security of electronically protected health information, while operating in the emergency mode." Emergency mode is defined as "a process enabling an enterprise to continue to operate in the event of fire, vandalism, natural disaster, or system failure." HIPAA has expanded on DR planning to ensure that proper security measures are in place to protect manual recording processes that must continue to function during a technology outage. These measures include procedures:
  - For controlled creation of manual records (old or new).
  - That ensure secure and timely storage of records, as well as appropriate destruction of records.
  - That control physical access to manual records (safe, locked filing cabinet).
- Conduct incremental PHI backups on a daily basis, complemented by a full backup once per business week.
- Store backup media in a fireproof/waterproof safe, or in a secure off-site location.
- Conduct periodic testing of backup media to ensure recoverability.
- Retain a complete archival index of all applications and e-mail files.
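A restore-verification check of the kind the DR list calls for (verify that the data was recovered, test backup media for recoverability): a manifest of file hashes taken when the backup is made, compared against the restored tree. This is an added example, not the article's own procedure; the records tree is constructed and a directory copy stands in for the real backup and restore jobs.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 at backup time."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest: dict, restored_root: Path) -> list:
    """Compare a restored tree against the backup-time manifest.
    Returns (relative_path, problem) tuples; an empty list means the
    restore reproduced every recorded file byte-for-byte."""
    problems = []
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(p) != expected:
            problems.append((rel, "hash mismatch"))
    return problems

def demo() -> tuple:
    """Constructed scenario: snapshot a tiny records tree, 'restore' it by
    copying, verify, then damage the copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        (src / "patients").mkdir(parents=True)
        (src / "patients" / "chart-0001.txt").write_text("constructed sample record\n")
        (src / "index.json").write_text('{"count": 1}\n')
        manifest = build_manifest(src)          # taken when the backup is made
        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)          # stands in for the restore job
        clean = verify_restore(manifest, restored)
        (restored / "index.json").write_text('{"count": 0}\n')   # silent corruption
        (restored / "patients" / "chart-0001.txt").unlink()      # lost file
        damaged = verify_restore(manifest, restored)
        return clean, damaged

if __name__ == "__main__":
    print(demo())
```

Run the same check against media pulled from the off-site location to exercise the periodic recoverability test rather than only the restore path.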
Issue #3: Smart Cards
Smart-card technology is a natural fit with health care security, particularly as the technology matures and data stores grow. Key uses for embedded-chip smart cards by health care institutions include storage of vital statistics, medical history and other medical information for emergency care use.
Smart cards also allow for quick registration and admitting, and storage of information for health plan and health insurance purposes. Here are some issues to consider when looking at smart card access control:
- Identify requirements. For example, clinicians and physicians could use the patient's card to retrieve or record a current medical history, status of diagnostic tests, allergies and contra-indications to treatments or medications and coverage rules. Smart cards could also allow pharmacists to have access to the cardholder's drug plan and payment options, physician prescriptions and a list of the patient's current medications. This information enables the pharmacist to better prevent adverse drug interactions.
- Data privacy is always a concern. Some smart cards are equipped with contactless chips that can interact with proximity sensors to identify an individual approaching a workstation or passing through a doorway. Any information collected at this time must be treated as private and confidential.
- Be sure to monitor equipment costs. The costs associated with smart cards and supporting technology have come down over the last couple of years and are now within reach of more healthcare providers. Consider the following:
  - Both cards and readers qualify as computer equipment, and can be capitalized and depreciated over time.
  - The price of cards can vary depending upon the quantity ordered and the capabilities desired.
  - The cost of readers will vary also, depending on how many you need and whether they require biometric capabilities.
  - Replacement costs. A smart card's average useful lifetime is about five years.
Conclusion:
Securing access to stored information as well as ensuring data availability puts considerable pressure on health care IT to conform to HIPAA requirements. It also presents an opportunity to establish best practices that will serve the organization for years to come.