HIPAA: The Digital Identity Frontier

 

January / February 2008


Standards and protocols that make up today’s Internet — such as Transmission Control Protocol (TCP) and the Internet Protocol (IP) — were invented in universities more than 30 years ago. Today, these standards and protocols make up the networks we use every day to check the weather online or log on to a web service, like Gmail. These networks, both local area networks and the Internet, were initially designed to work without any overarching management or control. They were completely open to any user (Internet Research Group, 2006).

The beauty of TCP/IP networks is that they allow any computing device to connect to a network and communicate freely with any other network or computer connected to that network. They work like a spider’s web with millions of interconnecting threads. No one is in charge. No permissions are required.

While there are obvious security problems with this kind of network, the free-for-all TCP/IP was critical to the development of today’s Internet. This TCP/IP network connectivity that “just happens” made it possible to develop a worldwide set of interconnected networks that, remarkably, connect to everything. But computational “free love” is a two-way street. The same connection that lets an employee work from home a couple of days a week can also make it easy for hackers to attack a network, or for a nasty worm to propagate. But, when sales reps need on-demand access to customer records, or physicians want to access their patients’ hospital records from their private practice offices, the importance of easy network access and security is obvious.

In truth, we shouldn’t have designed the TCP/IP protocols to be quite so easy to access. Hindsight is 20/20. Now, we have to live with the problems of the existing design, mainly security issues. So, how do we improve on TCP/IP networks to best respond to modern-day working and security needs?

Regulatory Compliance: Big Brother or Divine Intervention?
It’s not just the design of the TCP/IP network that’s a problem. The work-a-day world has radically changed since the initial design of computer networks. Today, many users exist outside the company building — they access data and applications from other offices, from home, and from all around the world.

This massive shift in work culture gives us more flexibility, but opens a can of worms when it comes to network security. With anywhere/anytime access comes the challenge and the pain of regulatory compliance. Regulatory compliance is mandated by the government and requires that IT systems are protected from both internal users and network “outsiders.” It forces organizations to put significant resources towards fully understanding how their networks operate, and controlling precisely who gets access to the corporate network. As you can imagine, this is not an easy task.

HIPAA: The Healthcare Compliance Initiative
HIPAA — the United States Health Insurance Portability and Accountability Act — is the primary healthcare compliance regulation. HIPAA was introduced in 1996 and established mandatory regulations that changed the way healthcare providers in the US do business.

Before HIPAA, every organization freely used its own IT systems to manage patient and employee information. Some had legacy systems inherited from the olden days of computing, while others developed new IT systems based on their own criteria. With the introduction of HIPAA, the days of ad hoc IT systems in healthcare came to an abrupt end.

There are two parts to the HIPAA Act. The first deals with protecting health insurance coverage for people who lose or change jobs. The second mandates standardized IT systems. The reason for unifying the way electronic data is managed and exchanged is to put security mechanisms in place for every healthcare organization to ensure both confidentiality and data integrity. HIPAA also stipulates that organizations use unique ID numbers — known as digital identity — for each healthcare worker, employer, and health plan.

Not surprisingly, the introduction of HIPAA elicited a collective groan from healthcare professionals. Of course, most clinicians respect their patients’ privacy rights, but they couldn’t help but wonder if HIPAA privacy regulations would add a cumbersome layer of complexity to providing healthcare.

While HIPAA created a headache for healthcare IT workers across the country, the impetus behind its implementation was legit. In an example from the year 2000, a hacker downloaded medical records, health information, and social security numbers of more than 5,000 patients at the University of Washington Medical Center just to expose how vulnerable electronic medical records were. By introducing HIPAA, the government was trying to prevent incidents like that one from happening.

Under HIPAA, an open and imperfectly understood network that doesn’t regulate data is unacceptable. In fact, it was the introduction of strict compliance regulations like HIPAA that initiated the development of policy networking.

What Is Policy Networking?
Simply put, policy networking regulates who can access private computer networks. In a perfect world, a policy-based network follows these guiding principles:

 

  • It defines identity and trust policies for an organization. These policies define who gets access to the corporate network.
  • The network stores the identity of every user in a directory.
  • It authenticates a user’s identity before allowing them to access the network.
  • It compares the user’s computer to the network’s software security policies to make sure the computer joining the network has up-to-date virus protection and won’t infect the corporate network.
  • It provides connectivity depending on the user’s identity and system profile. For example, in a healthcare setting, if the user only has permission to access email, then they won’t be able to retrieve patient data or physician’s schedules. Additionally, if something within the organization changes — an employee is fired, a remote device is infected with a worm, a new software application comes online, etc. — policy-based networks automatically reconfigure to modify access.

 

How does this satisfy regulatory compliance? Policy networking provides meaningful security parameters for accessing the network.

Scenario #1: Sharing Data with Hospital Partners
As already discussed, more and more users are telecommuters and remote staff who want to access the network from outside company headquarters. In some cases, third-party vendors and partners also want access to the network.

An example of this is at the Temple University Health System (TUHS) where collection agencies access the hospital’s accounts payable database in order to help the hospital track down and collect overdue payments. If TUHS randomly opened up firewall ports to admit partners, they could be inviting hackers, viruses, or worms into the network. And that’s not all. Giving collections agencies full access to patient records can’t guarantee patients’ privacy. Instead, TUHS uses a policy-networking model that gives limited access to collections agencies so that only the relevant patient information they need to do their job is viewable and accessible.

Scenario #2: Keeping Software Safe
One of HIPAA’s requirements is that healthcare institutions carefully control access to their internal resources, which almost always include software applications.

The Higashi-Matsuyama Medical Association Hospital in Japan has more than 250 hospital beds. It put a policy networking strategy in place in 2006 to make sure its network isn’t exposed to the hospital’s entire user base. To make this happen, IT administrators set user permissions and network policies to limit access to certain software applications for specified users.

The hospital uses a relatively inexpensive technology called a Secure Sockets Layer Virtual Private Network (SSL VPN) to implement the permissions and secure delicate patient information, specifically results processed by the hospital’s bio-inspection equipment. They configured the network so that only 10 physicians have permission to access the software application that processes and stores bio-inspection results. No one else can get access to that data.

As at the Higashi-Matsuyama Medical Association Hospital, IT staff in any hospital using a policy networking model can assign levels of authority and trust to physicians, nurses, and administrative staff. Levels of authority differ for each user. For example, an accounting clerk can get access to accounting applications that hold insurance records, but only physicians can use software applications that store sensitive medical records and lab results. When every user is assigned a level of authority in combination with a unique identifier (such as a password or security token), network access becomes defined and traceable — two requirements for HIPAA compliance.
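The guiding principles listed under “What Is Policy Networking?” and the per-role levels of authority described above can be combined into a single access decision that also leaves an audit trail. This is an added example, not code from the article or from any product it mentions; the user IDs, tokens, roles, application names, and the `decide` function are all constructed for illustration.

```python
import hmac
from dataclasses import dataclass

# Directory: unique user ID -> role, status, credential (constructed sample data).
# The plain token is a stand-in for real credential verification.
DIRECTORY = {
    "u1001": {"role": "physician", "active": True, "token": "tok-a"},
    "u2002": {"role": "accounting_clerk", "active": True, "token": "tok-b"},
    "u3003": {"role": "physician", "active": False, "token": "tok-c"},  # terminated
}
# Trust policy: role -> applications that role may reach. Anything else is denied.
ROLE_POLICY = {
    "physician": {"email", "medical_records", "lab_results"},
    "accounting_clerk": {"email", "insurance_records"},
}
QUARANTINE = {"remediation_portal"}  # only destination for an unhealthy device
AUDIT_LOG = []  # one record per request, so access is traceable

@dataclass
class Device:
    antivirus_current: bool
    infected: bool = False

def decide(user_id, token, device, app):
    """Return (allowed, reason) for one request and record it in AUDIT_LOG."""
    entry = DIRECTORY.get(user_id)
    # 1. Authenticate against the directory (constant-time comparison).
    if entry is None or not hmac.compare_digest(entry["token"], token):
        result = (False, "authentication_failed")
    # 2. A disabled account loses access on its next request.
    elif not entry["active"]:
        result = (False, "account_disabled")
    # 3. Check the device against the software security policy.
    elif device.infected or not device.antivirus_current:
        result = (app in QUARANTINE, "device_quarantined")
    # 4. Grant connectivity only to applications the role is entitled to.
    elif app in ROLE_POLICY.get(entry["role"], set()):
        result = (True, "role_permits")
    else:
        result = (False, "role_denies")
    # The audit record never contains the credential itself.
    AUDIT_LOG.append({"user": user_id, "app": app,
                      "allowed": result[0], "reason": result[1]})
    return result
```

Because every request is re-evaluated against the current directory and device state, changing a directory entry or a device's health changes the outcome of the next request without any per-user firewall changes.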

HIPAA Side-Effects: The Good, the Bad, and the Ugly
Regulatory compliance doesn’t just affect security, and it doesn’t always create IT headaches. There are cases where upgrading technology to comply with HIPAA has considerably improved everyday life for medical staff, patients, and even IT departments.

Two years ago, the Medical Associates of the Lehigh Valley in Pennsylvania undertook a major project to begin using digital medical records and automated billing. It set up a robust policy-networking infrastructure to secure these new digital patient records to HIPAA standards. The new, centralized infrastructure would ensure that only authorized users could access software applications and patient health records.

According to Bryce Bowman, IT coordinator at the Medical Associates of the Lehigh Valley, the greatest challenge was to provide physicians with real-time access to electronic patient data while maintaining an extremely high level of security. Also, they didn’t want to implement a system so complex that physicians and administrative staff wouldn’t buy in.

For administrative staff, doctors, and the IT group, digitalizing patient records simplified day-to-day activities. Before changing to this model, doctors made handwritten notes or dictated recordings during patient sessions. The notes and dictated recordings were then transcribed and added to the patient’s paper chart, which was stored in a single location. This could be time consuming and inconvenient.

The system upgrade has replaced paper charts with tablet PCs that physicians carry with them to each appointment. The digital system secures electronic patient records according to HIPAA standards, plus physician members can also access this information from their offices, homes, or other locations.

While the Medical Associates of the Lehigh Valley’s tale is a successful one, not all HIPAA stories have a happy ending.

There’s the story of Kaiser Permanente in northern California. Kaiser left the names, addresses, phone numbers, and lab results of approximately 150 patients posted on a publicly accessible web site for up to 4 years. The site was developed without patient consent. It was not until a disgruntled employee linked to the web site from her blog in 2005 that the breach became public. Still, Kaiser did not remove the site until federal civil-rights authorities learned about it. The state Department of Managed Health Care fined Kaiser $200,000 for a privacy violation.

What’s Next?
Predictions for IT Security in Healthcare

Though network security technologies continue to evolve and improve, many healthcare organizations still lag behind. In an annual survey conducted by the American Health Information Management Association in 2006, fewer health plans and providers considered themselves to be “mostly compliant” with HIPAA’s privacy regulations than a year before. Although 91% said in 2005 that they were mostly compliant, that number dropped to 85% in 2006. More than half of the respondents cited some difficulties in complying with the HIPAA provision.

The introduction of policy-based networking should provide a way for healthcare organizations still trying to meet HIPAA requirements to secure their networks.

Looking towards the future, the next step in securing networks may be to merge physical security systems and the policy-networking model into a single security system. As it is, most organizations already use both physical and digital security systems, so there’s an obvious demand to merge the two.

What does this look like? There will likely be a hefty emphasis on biometrics — retina scanners, fingerprinting, and voice recognition. In some cases, systems will grant or refuse network access based on a physical location, user role, or status. Until this futuristic vision becomes commonplace, most healthcare organizations will achieve security and HIPAA compliance with policy networking.

HIPAA Checklist:
Are You Compliant?

  • Ensure the integrity and confidentiality of the information.
  • Protect against any reasonably anticipated threats or hazards to the security of the information; as well as unauthorized uses or disclosures of the information.
  • Ensure compliance of these requirements by the officers and employees.


Reginald Best is chief operating officer of network security company AEP Networks. As an engineer and entrepreneur, Reggie has pushed the boundaries of network technology for almost 30 years. AEP Networks provides organizations with comprehensive policy networking computer security solutions. AEP has helped healthcare organizations including the Temple University Health System, the Higashi-Matsuyama Medical Association Hospital, and the Medical Associates of the Lehigh Valley secure their networks to HIPAA standards. Best may be contacted at reginald.best@aepnetworks.com.

References

Internet Research Group. (2006, September). Introduction to ensuring security and compliance through policy-based networking