The challenges and opportunities of HIPAA

Storage Networking World - Effectiveness aside, the Health Insurance Portability and Accountability Act (HIPAA) can teach IT best practices that are extremely beneficial to health care organizations. Secure access to storage is an especially popular subject among my clients.

Given that HIPAA's main concern is the storage and handling of protected health information (PHI), it's critical that your data stores are as safe as possible. My healthcare clients usually want to talk about three key areas: identity and access management, disaster recovery (DR) planning, and smart cards.

Issue #1: Identity and access management

ID and access management is a broad term meaning a system or solution that identifies individuals within the network, and then controls their access to network resources by associating user rights, authentication, authorization, and restrictions with the established identity.

Solutions typically encompass a combination of technologies. Where multiple healthcare entities are concerned, ID management can be expanded outside the firewall to include federated identity management. Deliverables of this technology and its constituent parts include:

1. Password reset. This feature allows users to change their own passwords, often through Web browsers and e-mail-based capabilities. Standalone password reset solutions can also integrate with help desk software to automatically generate, open, and close password reset tickets. While prices vary, costs generally range from $10 to $20 per user.
2. Password synchronization. This function allows employees to utilize a single password for all applications and systems they need to access. When a password is changed, the change is propagated to all other systems. Users generally have to log into each system separately, but they only have to remember one username and password. When purchased separately, this technology ranges in price from $10 to $30 per user, depending on volume.
3. Single sign-on (SSO). Unlike password synchronization, SSO-based solutions allow users to sign in once for all applications and systems, rather than logging in individually. This technology is typically more expensive, complex, and system-invasive than password synchronization. Outside of a total ID management package, these products start at about $80 per user.
4. Password policy enforcement. Many systems also offer modules that automatically enforce multiple password policies, including the length of the password, acceptable characters, password history, and ensuring that these policies do not conflict with other policies or application requirements.

Issue #2: Disaster recovery planning

In principle, DR planning is more about business continuity than it is security. In practice, however, the security of stored data means that the data must be available as well as confidential. Since HIPAA contains specific rules for DR planning, it makes sense to talk about it within an overall security context.