10 Steps to Hipaa Security

8/6/2019 10 Steps to Hipaa Security

1/7

10 STEPST O H IPAASECUR ITYCOMPL IANCE

Pro tecting your patients' h ea lthinfo rmatio n is more d ifficu ltand m ore im portant than ever.The auth or's strateg y w ill h elpyou m eet this m onth's deadline.

David C. Kibbe, MD, MBA ~C o v e r e d in F P M Q u i z

The final rule adopting HIPAA standards for the security of electronic health information waspublished in the Feder-al Register on Feb. 20, 2003 [and goes into effect April 21, 2005J. This final rule specifies a series of administrative,technical and physical security procedures for covered entities to use to assure the confidentiality of electronicprotectedhealth information. The standards are delineated into either required or addressable implementation specifications.

- Statement on the Centersfor Medicare 6-Medicaid Services Web siteregarding the Health Insurance Portability and Accountability Act]

A familY physician Dan Brewer, MD, once wroteon an e-mail discussion list, "I believe I wouldrather eat live cockroaches than learn aboutH1PAA security." Nothing, it seems, couldbe more boring and less related to the practice of familymedicine than computer security.But don't be fooled into complacency. Youand your

patients are probably more familiar with security risks

and the costs or hassles associated with inadequateprotection than you realize.Consider these examples: Have you ever been the victim of a computer virus,

or do you know someone who has? Are you concerned about what would happen if

the computer hard disk storing your patients' medicalinformation failed?

Dr. Kibbe isdirector o/the AAFPsassistance on this article. Conflicts o/interest: none reported.

Health Information Technology (CHiT). He thanks Steven E. Waldren, MD, CHiTs assistant director, for his

Apri12005. www.a afp.o rgZfpm w FAM ILY PRACT IC E M ANAGEM ENT .43D ow nlo ad ed fro m th e Family Practice Management W eb site a t www.aafp.org/fpm. Copyright 20 05 A me rican A ca de my o f

F am ily P hys icia ns . F or th e p riv ate , n on co mm erc ia l u se o f o ne in divid ua l u se r o f th e W eb site . A ll o th er rig hts re se rv ed .
http://www.aafp.org/fpm.http://www.aafp.org/fpm.


2/7

S P E E D B A R "

You are probably morefamiliar with securityrisks than you think.

To learn whether yourcomputer securitymeets HIPAA require-ment, you should per-form a "gap analysis"of your current setup.

As you move towardHIPAA compliance,it is important todocument the entireprocess.

The goal of computersecurity in most casesis to prevent personalhealth informationfrom being stolen,altered or destroyed.

Do you worry that someone might eaves-drop on your wireless communications? Were you concernedwhen amajor phar-

maceutical company unintentionally distribut-ed the e-mail addressesof hundreds ofpatientstaking an antidepressant rnedicationj"In addition to helping raiseyour aware-

ness of what's at stake, this article will makecomputer security more understandable andrelevant to your practice, and put you onthe path toward complying with the HIPAAsecurity standards.After reading through these 10steps,

you should be able to compare your office'scurrent computer security, or lack thereof,with that required by HIPAA. This type ofcomparison is known as a "gap analysis" andis an important component of meeting theHIPAA requirements.Also be aware that HIPAA security com-pliance is like a clinical encounter: If it's not

documented, then it didn't happen. There-fore, document everything and make it partof a security manual.1Understand why computer securityis important. If you need a simple answerto the question, "Why is computer securitynecessary and important?" the answer is"because everyone cares about the privacyand integrity of their health information."In most cases, the point of computer securi-ty is to prevent personal health informationfrom falling into the wrong hands or beinginadvertently altered or destroyed.The HIPAA security standards apply to

protected health information (PHI) that iseither stored or transmitted electronically.PHI is health information in any form thatpersonally identifies a patient. (For more onPHI, see an earlier security article I wrotefor FPM: ''A Problem-Oriented Approachto the HIPAA Security Standards," July/August 2001, page 37.)These security standards will apply to

you onApril 21 if any of these situationsexist in your practice: You use computers in the office to

store and manage administrative or clinicalinformation; You have a computer or network

connected to the Internet; You use e-mail or other forms of

electronic messaging inside and outsidethe practice.The widespread use of computers, soft-

44. FA MIL Y P RAe TIC E MAN AGE MEN T www.aafp.org/fpm April2005

K EY P O IN T S Practiceswill needto ensurethat their currentcomputer security complieswith the HIPAAstandards that take effect April 21.

Physiciansshould take responsibility for under-standing how health information technology isused in their practice

Bytaking a proactive approach to your computersecurity now,you will beable to detect andprevent trouble later.

Thereis no one-size-fits-all approach forcomputer security.

ware and networks to exchange digitizeddata creates new vulnerabilities. Italsoreveals new dimensions to old risks. Muchof the problem with computer security is ofour own making, the result of our love ofconvenience and our drive to be more effi-cient. Computers automate routine, mun-dane tasks. Bystoring compacted, bite-sizedinformation inside machines, we are able tocollect data more easilyand cut down onstorage costs.But computer storage devices can be

broken or damaged, and the informationin them can be erased or corrupted, expos-ing the data to unexpected change or loss.It is possible to steal thousands ofmedicalrecords by downloading them onto a smallstorage device, which can easily be hiddenin a pocket.Similarly, we find networks of computers

wonderfully convenient for sending mes-sages across any distance at almost the speedof light. We delight in e-mail, file downloadsand instant messaging. But the Internet hasno borders or natural boundaries, making iteasyfor attackers to strike from a distanceand to hide their whereabouts. Any time weconnect our computers to the Internet, weinstantly become vulnerable to new kinds ofattacks, such as viruses and worms that canliterally get inside our computers and alter,destroy or release confidential information.One problem merits special mention.

Computers have made the issue of identitymuch more problematic. People have alwaysbeen able to use someone else'sidentity forcriminal purposes, but the problem is exac-erbated when we can't use a person's face,signature or other physical means to confirmtheir identity. How do you know the person
http://www.aafp.org/fpmhttp://www.aafp.org/fpm


3/7

sending you e-mail is truly the person he orshe claims to be? How do you know the per-son whose name is attached to an electronichealth record (EHR) entry really made it?It's difficult. Hackers use computer virusesto get into e-mail programs and propagatetheir nastiness by sending new c-rnails thatappear to come from a friend. As the publicdoes more online shopping, identity theftusing computers has become a common wayfor criminals to steal money and goods.The bottom line is this: Computer secu-

rity is a requirement for any sound business,including your medical practice. Computersecurity is needed to protect the privacy ofthose whose information you store and man-age. It is also needed to protect you and yourpractice from the risk of penalty and legalliability if private information is used orreleased by your practice.You have two choices: Either delay learn-ing about computer security and risk playingcatch-up when an attack or accident causesharm to a patient or your practice, or beproactive and begin to install protectionsthat will allow you to detect and preventtrouble down the road.2 Make certain your colleagues andstaff take security as seriously as you do.The HIPAA security standards require yourpractice to havewritten security policiesand procedures, including those that coverpersonnel training and sanctions for securitypolicy violations. Your office staff and col-leagues must truly understand basic secu-rity logic and take their role in protecting

a computer or monitor and seewhat's on thescreen. Do you want everyone in the office,including patients, family members or yourcleaning crew to be able seewhat is dis-played on a computer screen? Of course not.But you probably work in a busy, sometimeshectic, environment that makes it difficultto closelymonitor the How of people andinformation at all times.This means two things. First, you

should carefully consider the location anddesign of display devices in your office.Don't place monitors in busy corridors, andensure that the display image has a 30-sec-ond time-out feature. Second, employeesand staff must have a heightened awarenessregarding access to computers, monitors,printers, fax machines and other displaydevices. They should strive to avoid creat-ing insecure situations.Password management is another areathat requires staff to be security conscious.Passwords and IDs allow computers tocontrol access to personal health informa-tion based on a person's role, authority orneed to know. They identify or authenticatea computer user via a secret password.Obviously, passwords should be kept secretto avoid unauthorized access to or manipu-lation of protected information. But pass-words are clumsy to use and difficult toremember, especially as they become morecomplicated (thus increasing their secrecy).It's tempting for users in small offices toshare passwords or keep them written on apiece of paper tucked into the top drawernext to the computer station. I've even

Y our com puter security is only as good asthe w eakest hum an link in your office.

patients' privacy very, very seriously. Mostsecurity breeches occur when insiders - peo-pleworking for the organization - exercisefaulty judgment or fail to follow protocols inwhich they've been trained.Consider two highly people-dependent

areas of computer security: physical accessand password management.Physical access to computers and software

is a foundation of computer security. Physi-cal accessmeans that someone can approach

found passwords on sticky notes attachedto computer monitors!These actions completely undermine the

security system. Why pay for a softwaresystem that uses passwords if you don't takethe protection they provide seriously?Sowhile it does make sense to worry

about hackers and intrusions from outsideyour officewalls, remember that yourco-workers pose the most likely securityrisk. Your computer security is only as

H IPAA SECUR ITY COM PLIAN CE

S P E E D B A R "

In addition to protect-ing important data,computer security isalso needed to protectyou and your practicefrom the risk of legalliability.

Most computer secu-ri ty breaches occurwhen insiders exercisebad judgment or failto follow establishedprotocols.

Monitors should notbe placed in hightraffic areas, andtime-out featuresshould be used.

Computer passwordsshould never beshared or kept nearthe computer, even insmall offices.

Apri12005. www.a afp.o rg Zfpm w FAM ILY PRACT ICE M ANAGEM ENT .45


4/7

SPEEDBAR"

HIP AA requ i remen t sin clu de a d et aile ddescrip tion of h owyo ur hardw are, so ft-w are an d n etw orkc om p o ne nts c olle ct,access, store a ndtr an sm i t p a tie nth ea lt h i nf o rma t io n .

T h e H I PAA s ec ur itys ta nd ard s a ls o re qu ireyo ur p ractice toa pp oin t a s ec uritymanager .

E ven if som eone else isnam e d as the secu ritym a n ag er, p h ys ic ia nsn ee d to u nd ers ta ndcom p lete ly ho w healthin fo rm a t io n t ec hn ol-ogy is used in theirpractices.

T he m o st im p orta ntp art of p rep aring fora d isaste r is h avin ga backup system inplace.

good as the weakest human link inyour office.3 Catalog all the information systemcomponents that interact with protectedhealth information in your office. Toassessyour office's current security risk,you have to know, in detail, the capabili-ties and weaknesses of your informationsystems. No two medical practices haveexactly the same information system com-ponents, nor do they manage the How ofinformation precisely the same way. Somepractices still manage most information onpaper and have a single computer for billingand accounting purposes. However, mostpractices, even small ones, have complicatedinformation technology environments thatinclude multiple components. These mightinclude the following: Hardware - Computer workstationsin the front office, tablet computers in theclinical areas, printers in the back office,server in the computer closet, personal digi-tal assistants, scanning devices and modemsused to connect to the Internet. Software - Operating systems, billing

software, practice management software,browsers, e-mail client software, EHR soft-ware, and database and officeproductivitysoftware. Network components - Routers and

hubs, dedicated phone or cable lines, wire-less systems, firewall software and firewallhardware.Youshould make a detailed list of all of

the components that playa role in either

and procedures on this analysis, which mustbe specific to your practice. Second, it's theonly reasonable way to assessyour risk ofsecurity breeches in your current systemsand protocols. Finally, this exercisecan bevaluable in the acquisition and use of EHRsystems ifyour practice ismoving in thatdirection.The HIPAA security standards requireyour practice to appoint someone as thesecurity manager, soyou might want toassign these tasks to that person. However,I can't stress enough the need for physiciansto take responsibility for understanding howhealth information technology is used intheir practice, especially small and indepen-dently owned ones.4 Prepare for disaster before it occurs.An important aspect of computer securityinvolvesprotecting electronic data from lossor corruption - that is, ensuring its integrity.Although there are many ways data integ-rity can be affected, the most common islossof data from some sort of emergency ordisaster, including human error, mechanicalhard disk failure, equipment damage due toHooding, or computer virus infection.A solid computer-system contingency

plan is composed of a number of steps,including performing backups, preparing forcontinued operations in an emergency andrecovering from a disaster.The most important part of a contin-

gency plan ishaving a backup system. Abackup system is a combination of hardwareand software that lets you retrieve exact cop-

T he m ost im portant part o f a contingency p lanis having a backup system .

storing patient health information or trans-mitting it within the practice or to outsidesettings. Youthen need to create either a Howdiagram or a detailed description of how thiscollection of hardware, software and networkcomponents collects, accesses,stores andtransmits patient health information.This detailed examination of your entire

system is an important step for three rea-sons. First, it's required. HIPAA requiresyou to carry out such a risk analysis andbase your new computer security policies

46 FA MIL Y P RAe TIC E MAN AGE MEN T www.aafp.org/fpm April2005

ies of information if the originals becomelost or damaged. There are several kinds ofcommonly used backup systems, includingthose that store data to tapes, compact discsor off-site devices. The equipment and ser-vice can cost from hundreds to thousands ofdollars, and the best method for your prac-tice can only be determined after you knowhow much data needs to be backed up. Yourchoice alsowill be influenced by cost, conve-nience and ease of use.At a minimum, your practice's backup


5/7

system should store all of the critical dataneeded to run the practice in the event of adisaster. Practices should conduct an analy-sis to identify these critical data.5 Make sureyour network and com-munications safeguards are intact androbust. It is increasingly difficult to find acomputer that is not attached to some sortof network. Most computers in your practice

and Web browsing. In terms of risk to yourcomputer's data, connecting to the Internetisthe most dangerous activity in which youcan engage.Malicious software, sometimes called

malware, has become a familiar form ofcomputer attack. Viruses, worms and "Tro-jan horses" are among the most commonforms ofmalware that your computer secu-rity must protect against.

T here is no single solu tion to the problem ofcompu te r v iruses. V ig ila nce is essen tia l.

are connected to the Internet, a particularkind of public network that has its specialrisks. Although network security is a com-plex subdomain of computer security, thebasic threats and protective devices are notdifficult to understand.Networks work by routing packets of

information among and between users atvarious computers. Generally, networks usedevices known as routers to send the packetsto correct addresses. Therefore, networksneed to defend themselves against attacksfrom unauthorized users and from infiltra-tion of unauthorized information packetsthrough the routers.Firewalls are hardware and software

devices that protect an organization's net-work from intruders, such as hackers ordata thieves. Think of firewalls as sentriesat the boundaries of private networks andthe public networks they are connected to:They check credentials, permit passage ofauthorized parties and communications,and keep a record of what crosses theboundary. Firewalls deny access to unau-thorized users and applications, and theycreate audit trails or logs that identify whoaccessed the network and when. Firewallsmay also issue alarms when abnormal activ-ity occurs, such as a repeated unsuccessfulattempt to enter the network.6 Be certain that you have anti-virussoftware and keep it up to date. Even ifyou are in solo practice and use only onelaptop computer for all your data capture,storage and transmission - and thereforemay not require a network firewall - youprobably connect to the Internet for e-mail

Viruses can attach themselves to c-rnails,program files and data files.They caninfect all your hard disks and change orerase data while spreading to Hoppydisksand c-rnails to infect other machines.Worms are self-replicating programs thatattack networked computers. The nowinfamous Nimda virus was aworm spreadvia e-mail attachments named README.EXE. It affected a wide variety of operatingsystems, including several versions ofWindows. Nimda was responsible for tensofmillions of" denial of service" eventsthroughout the Internet, in large partbecause it was able to attack keyWebservers that direct traffic across the Internet.It is estimated that worms like the Nimdacost u.s. companies billions of dollars eachyear in repairs and lost productivity.The solution to malware is installing and

updating anti-virus software, available fromspecialized software companies, on all ofyour computers. Anti-virus software worksby scanning digital data, such as incomingc-rnails, files, hard disks and CDs, and thenautomatically deleting or isolating viruses.Anti-virus software programs are great atdetecting known viruses but not so good atdetecting new ones. New malware appearsall the time, so anti-virus software needs tobe updated frequently.Viruses, especially e-mail worms, are the

price we pay for universal connectivity andcommunications over open networks, espe-cially over the Internet. There is no singlesolution to the problem of computer viruses,and the problem seems to be getting worseasmore information is delivered over theInternet all the time. Vigilance is essential.


S P E E D B A R "

If your computer isattached to a network,you need to make surethat network ispro-tected bya firewall.

Firewalls are hardwareand software devicesthat protect an organi-zation's network fromunauthorized users.

Evenif you are in asolo practice and don'trequire a network fire-wall, you most likelystill need to installanti-virus software.

Anti-virus softwareneeds to be updatedfrequently.



6/7

SPEEDBAR"

Th e H I PAA s ta nd ar dsd o n ot req uire e -m a ilsto b e e nc ry p te d.

H o w ev er, th e s ta n-dards do require youto assess w hether yourp r ac ti ce 's u n en c ry p te dtra ns m is sio ns ofh e al th i nf o rma t io nare at risk .

E n cry pting e -m a il c anbe tricky because bothp arties of the e-m a ilexchange need tob e u sin g c om p a tib lee nc ry p ti on p r od uc ts .

T h e H I PAA s ta nd ar dsr eq uir e y ou r p ra ct ic eto o bta in a ss ura nc esf ro m b us in es s a ss oc i-ates that they w ills ec ure th e e le ct ro ni ch e al th i nf o rma t io nth ey c re ate , m a in ta inor transm it on behalfo f y ou r p r ac ti ce .

7 Understand what encryption willdo and when it is necessary. Contrary towhat many people are saying, the HIPAAsecurity standards do not require e-rnails,or any other transmission from a doctor'soffice, to be encrypted. The standards dorequire your practice to assesswhether itsunencrypted transmissions of health infor-mation are at risk of being accessed byunauthorized entities. If they are, youshould consider some form of encryption.The basic idea behind cryptography,

of which electronic data encryption is abranch, is that a group needs to keep amessage secret from everyone else andtherefore encrypts it. Encryption is thetransformation of a message from plaintext into nonsensical cipher text beforethe message is sent. Anyone who stealsthe cipher text messagewill not be able tounderstand it. Only those who have thecode used to encrypt the message can con-vert it back from cipher to plain text andreveal its meaning.For several reasons, encryption is gener-

ally not employed for information stored ona computer's hard disk or transferred withinan office's local area network. First, the riskof disclosure to unauthorized parties is smallin the closed environment. Second, encrypt-ing data is costly. Third, encryption general-ly slows down the movement of informationwithin software applications and databases.Here is a list of electronic data transfers

and communications commonly used ina medical office that could be consideredfor encryption: Patient billing and administrative

information exchanged with payers andhealth plans; Utilization and casemanagement data,

including authorizations and referrals thatare exchanged with payers, hospitals andutilization management organizations; Patient health information gathered

from or displayed on aWeb site or portal; Lab and other clinical data electroni-

cally sent to and received from outside labs; Word-processing files used in transcrip-

tion and other kinds of patient reports thatare transferred electronically; E-mails between physicians and

patients, and between attending and refer-ring physicians and their offices.Encryption of e-mail messagesmerits

special attention because e-mail is so com-48. FA MIL Y P RAe TIC E MAN AGE MEN T www.aafp.org/fpm April2005

monoMany patients enjoy direct onlinecommunications with their physicians via e-mail. The problem, of course, is that e-mailis the digital equivalent of a postcard. Any-one handling the message can easily read itscontents. Itdoesn't even have an envelope!And c-rnails are susceptible to forgery. Howdo you know for sure that the person listedin the "from" field of an e-mail is the personwho actually mailed the message?The problem with encrypting e-mail is

that both parties of the e-mail exchangeneed to be using compatible e-mail encryp-tion products. This is clumsy and, so far,rarely used. More commonly, encryptede-mail message exchanges occur when bothparties agree to use a secure server or por-tal system that requires both parties to usepasswords and IDs to log on. The AAFP hasa partnership with Medfusion that permitsAAFP members free use of such a secureportal system for messaging with patients.For more information, seehttp://www.aafp.org/x23273.xml.8 Consider chains of trust and yourbusiness relationships. Your practiceshares security concerns with any businessesthat are involved in the electronic transmis-sion of your patients' information. In effect,the security capability of insurance com-panies, transcription and billing services,hospitals, labs and Internet service providersIS your concern."Chain of trust" is a concept used in the

computer security field to describe the con-tractual agreements made between parties toassure that the confidential information theyshare remains secure throughout its journey.There isno standard set of obligations forchain-of-trust agreements. However, suchagreements obligate both parties to adopt aform of strong authentication such that datatransmissions are attributable and nondeni-able. (Otherwise, one party or the othercould claim not to have received an impor-tant piece of information sent electronically.)The HIPAA security standards require

your practice to obtain assurances frombusiness associates that they will implementthe necessary safeguards to protectthe confidentiality, integrity and availabilityof the electronic health information theycreate, maintain or transmit on behalfof the practice.The important issue here is to "know thy


7/7

business partner." Every entity with whichyou share information electronically is anextension ofyour practice, whether youwant them to be or not.9 Demand that your vendors fullyunderstand the HIPAA security stan-dards. As you become better informedabout computer security and the HIPAAsecurity standards, you will realize theextent to which compliance makes youdependent on hardware, software, networkand other information technology (IT)vendors. Their products and services,whether out-of-the-box computer hardwareor hands-on-in-the-office IT services, willenable you to meet many of the securitystandards - or not.A good example is the requirement for

audit controls. Audit controls that permityou to record and examine activity in infor-mation systems can require a combinationof hardware, software, network and proce-dural mechanisms to act in concert. If thesecomponents have been purchased from sepa-rate vendors, it might be necessary to coor-dinate their setup and configuration to meetthe audit control requirement of the HIPAAsecurity standards. Who will perform thiscoordination in your office?

work more closelywith the vendor to ensurethat all the facets of your computer systemsatisfy your practice's HIPAA security plan.Some EHR vendors will even help you do agap analysis aspart of their purchaseprogram. But because most EHR vendorsdon't install the hardware and networkingcomponents, your choice of a local contrac-tor for these services should be made withHIPAA in mind. Be certain that your localcontractor is fully aware of the HIPAAsecurity standards and iswilling to assistyou before you proceed.10 Start with a plan - and the end -in mind. My hope is that after reading tothis point you have a much better idea ofthe breadth and scope of the HIPAA secu-rity standards, and that you are better pre-pared to tackle the task of assessingyourpractice's current state of computer security.There are some excellent tools that can assistyou in performing a gap analysis for thispurpose without having to hire a consultant.(One place to start is the Needs Assessmentpage on the CHiT Web site, available athttp://www.centerforhit.org/x69 .xml.)Remember that there is no cookbook

or one-size-fits-all approach for computersecurity. What counts is being "reasonable

It m ight be a fortunate coincidence that theH IP A A security standards have been m andated just

as m any fam ily physicians are acquiring E H R s.Itmight be a fortunate coincidence that

the HIPAA security standards have beenmandated just as many family physiciansare acquiring EHRs for their practices.Many are choosing integrated EHR systems- that is, products that include billing,scheduling and clinical information soft-ware from the same vendor. This integrationcan greatly simplify meeting the HIPAAsecurity challenge - if you select the rightEHR vendor. (To see EHR reviews byyourcolleagues, check out the AAFP's Centerfor Health Information Technology (CHiT)Web site at http://www.centerforhit.org/x290.xml.)A single-vendor solution for small and

medium medical practices allows you to

and appropriate" when matching securitymeasures with the level of risk that pertainsto your situation. These 10steps shouldhelp you recognize a number of placeswhere your organization's computer securitycould be improved and where some deficien-ciesmight be easily addressed. GDSend comments to [email protected].

1.Available at: http://www.cms.hhs.gov/hipaa/hipaa2 /regulations/ security/ default. asp. AccessedMarch 4, 2005.2. O'Harrow R Jr. Prozac maker reveals patiente-mail addresses. Washington Post. July 4, 2001 :E1.


S P E E D B A R "

The in teg ra ti onoffe red by som e E HR sc an s im p lify y ou rp ra ctic e's e ffo rt tocom ply w ith the H IP AAs e cu r it y s ta n d ard s.

S om e E H R v en do rsw ill he lp you do a gapanalysis.

I f y ou a re th in kin gab ou t c on ve rtin g toan E HR , be sure thatyo ur h ard ware an dn et wo rk in g c on tr ac to ris aw are of the H IP AAs ta nd a rd s b e fo reproceeding.

T he re is n o o ne -s iz e-fits -a ll p la n fo r c om -p u te r s e cu r it y.

http://www.centerforhit.org/x69http://www.centerforhit.org/mailto:[email protected]://www.cms.hhs.gov/hipaa/http://www.cms.hhs.gov/hipaa/mailto:[email protected]://www.centerforhit.org/http://www.centerforhit.org/x69

Documents

10 Steps to Hipaa Security