INFORMATION SECURITY · SearchHealthIT.com

ESSENTIAL GUIDE TO HIPAA Compliance and Data Protection Strategies

INSIDE
Performing a Security Risk Assessment
Encrypting Hardware, Infrastructure to Achieve Safe Harbor
Automating and Streamlining Identity Management
Accounting Disclosure Requirements Set to Change

Effectively addressing the new HIPAA privacy and security rules introduced in the HITECH Act requires an assessment of your organization’s biggest vulnerabilities as well as the deployment of the right technology to reduce the risk of data loss.

ESSENTIAL GUIDE TO HIPAA Compliance and Data Protection · docs.media.bitpipe.com/io_24x/io_24618/item_370436/... · 2011-08-19 · INFORMATION SECURITY • ESSENTIAL GUIDE • HIPAA




INFORMATION SECURITY • ESSENTIAL GUIDE • HIPAA COMPLIANCE AND DATA PROTECTION STRATEGIES

CONTENTS: HIPAA COMPLIANCE AND DATA PROTECTION STRATEGIES

5  EDITOR’S NOTE
   Data Protection Requires a Coordinated Effort
   By strengthening HIPAA, the HITECH Act makes patient data protection an even higher priority for HIPAA covered entities. Addressing this requires a mix of risk analysis, encryption technology and, above all, awareness. BY BRIAN EASTWOOD

8  SECURITY POLICY
   Performing a Security Risk Assessment
   The coming wave of digital data may leave some health care environments unprotected. A security risk assessment, which reviews existing administrative, technical and physical controls, can identify the gaps that must be filled. BY JACK DANIEL

13 HIPAA COMPLIANCE
   Encrypting Hardware, Infrastructure to Achieve Safe Harbor
   If data is encrypted, health care providers are not subject to new, strict data breach notification laws. Server, storage and network encryption adds yet another layer of protection. So why do so many organizations avoid encryption? BY AL GALLANT

20 ACCESS CONTROL
   Automating and Streamlining Identity Management
   Automated employee identity management systems can improve data security, reduce vulnerable access points and close security loopholes. That improves workflow and addresses new HIPAA rules that aim to combat data breaches and maintain patient privacy. BY DON FLUCKINGER

27 DISCLOSURE
   Accounting Disclosure Requirements Set to Change
   The HITECH Act of 2009 mandated changes to the requirements for accounting of personal health information disclosures under the HIPAA Privacy Rule. Under the proposed changes, electronic PHI is no longer exempt. Some say this will be a problem. BY STEPHEN GANTZ

32 SPONSOR RESOURCES


EDITOR’S NOTE

Data Protection Requires a Coordinated Effort

By strengthening HIPAA, the HITECH Act makes patient data protection an even higher priority for HIPAA covered entities. Addressing this requires a mix of risk analysis, encryption technology and, above all, awareness.

BY BRIAN EASTWOOD

IT’S BEEN NEARLY two years since the new data breach rules introduced by the Health Information Technology for Economic and Clinical Health (HITECH) Act went into effect.

The rules do three things. They make HIPAA business associates subject to the same standards as HIPAA covered entities. They beef up those standards by prohibiting the sale of personal health information and payments to patients for the use of PHI in marketing communications. Most importantly, they take data breaches seriously, with fines significantly higher—up to $1.5 million per violation per year—and notification of the Department of Health and Human Services (HHS) required if a breach affects more than 500 people.

Unfortunately, many health care providers still don’t get it. As of August, nearly 300 data breaches had been reported to HHS. Four affected more than 1 million people. All received negative press.

Why is this still happening? This edition of Information Security magazine aims to solve the most prominent problems.

“Performing a Security Risk Assessment” suggests that health IT owners simply haven’t grasped all the risks associated with the processes, technologies and stakeholders within their organization.

“Encrypting Hardware, Infrastructure to Achieve Safe Harbor” notes that the HITECH Act does not consider the loss of encrypted data to be a data breach and points out the many parts of the health care organization where encryption technology can be deployed. In light of increased data breach fines, investing in such technology is a bargain.

“Automating and Streamlining Identity Management” looks at what hospitals are doing to track who is using the clinical applications that contain PHI—and whether or not they should be.

Finally, “Accounting Disclosure Requirements Set to Change” isn’t a how-to so much as it is a warning that organizations must be ready to account for disclosures of electronic PHI. It may be an administrative burden, but it’s a critical step to ensuring that, as the health care industry finally embraces electronic health record technology, patient data remains in safe hands.

Brian Eastwood is the site editor of SearchHealthIT.com. Send comments on this column to [email protected].


SECURITY POLICY

PERFORMING A SECURITY RISK ASSESSMENT

The coming wave of digital data may leave some health care environments unprotected. A security risk assessment, which reviews existing administrative, technical and physical controls, can identify the gaps that must be filled.

BY JACK DANIEL

HEALTH IT OWNERS are faced with the challenge of a growing demand to create and operate a solid electronic health record (EHR) security ecosystem. The security risk assessment needed to begin this undertaking is the cornerstone in creating a strong information security program. It provides an organization with insight into its walled and non-walled security postures, and enables the organization to make informed security decisions.


But do health IT owners understand the security status along every perimeter, including practices? Do they know how to “stay out of the headlines”?

The majority of health IT owners focus on securing data inside their data centers, but many chief information officers and chief medical information officers don’t clearly understand or focus on the threats and issues that exist outside the data center. What measures are in place to deal with data breaches, hacker attacks and theft? What personnel, processes and technologies are needed to address these and other external factors?

Vision is one of the largest challenges facing health IT owners trying to secure their organizations. Without properly enumerating all their processes, technologies and stakeholders—and the associated risks—they will find it nearly impossible to design and implement proper controls. The population of a small to mid-sized health care organization can number in the hundreds or the thousands. Factor in the number of processes and technologies that that population uses, and the situation becomes overwhelming.

If a clear view can be established, control design and implementation—as well as information security decision-making—become easier, and the risks to protected information assets decrease significantly.

A security risk assessment reviews existing administrative, technical and physical controls within and outside the organization. It requires analyzing these controls against best practices frameworks, and quantifying risks and gaps to create a program roadmap.

Properly followed, the outcome of the process is a comprehensive assessment of an organization’s security program, a set of recommendations, and a clear roadmap and remediation plan. An assessment ensures that an organization is secure inside and out, aligns compliance and business drivers, and provides a critical view of the organization’s security posture. Furthermore, a risk assessment is required to satisfy the meaningful use criteria for receiving federal incentives. To complete a risk assessment, follow this four-step process:

STEP 1: DISCOVERY
There are a multitude of drivers and objectives in every organization. Identifying these early in the security risk assessment will ensure the results are tailored to fit the organization.

Such elements as fiscal responsibility, staffing, regulatory drivers, business objectives and operational drivers are must-have knowledge when security risk is being assessed. The discovery phase is where all this information—as well as any existing documentation pertinent to people, process and technology—will be collected. Once the documentation has been collected, it is critical that the person doing the assessment sit down with data owners or other stakeholders to understand the processes and the lifecycle of the information they use.

Discovery should be the longest phase of the risk assessment process. Ensuring that all information is collected, processes are acknowledged, and that the drivers and objectives behind these processes are understood—these provide the groundwork for a solid risk assessment with optimal value.

STEP 2: ASSESSMENT
Here a framework is used to analyze and quantify all the collected information. Many best practices frameworks—authored as agnostic or as regulatory drivers—are available, most notably those provided by the International Standards Organization, or ISO; National Institute of Standards and Technology, or NIST; and the Information Systems Audit and Control Association, or ISACA. The use of these risk management frameworks will help a CISO identify assets and threats, evaluate controls and, ultimately, create an estimate of the risk magnitude.

A best-of-breed framework is recommended for risk assessment rather than a best practices framework. A best-of-breed framework ensures that applicable regulatory drivers are mapped to the chosen best practices framework. In this way, regulatory compliance can be something that is monitored and reported painlessly. Collected information is compared against the control objectives or statements within the chosen framework, and the result is a quantified current state of an organization’s security posture and pertinent compliance states.

STEP 3: RECOMMENDATION
The output of the assessment phase will be a pointed, point-by-point list of the good, the bad and the ugly for an organization’s security posture. During the recommendation phase, it is important to align any gaps and weaknesses with the drivers and objectives identified in the discovery phase. From there, draft the applicable recommendations to close the gaps and correct weaknesses.

Recommendations should be phased according to such categories as tactical (six to eight weeks), mid-term (two to six months), and strategic (six to 18 months or longer). Phasing recommendations this way ensures quick-fix and low-effort items are remediated immediately. Longer-term items that involve purchasing technologies or reengineering processes can be planned well and involve all the proper stakeholders. For security officers who would prefer not to see a full report on all vulnerabilities, recommendations can be limited to, say, compliance issues related to HIPAA or state data privacy laws.

STEP 4: REVIEW
Finally, once all recommendations are drafted, they should be reviewed with business units and stakeholders to ensure they are suitable and aligned with the business vision and operations.


A well-planned security risk assessment provides vision and key decision-making information to stakeholders, ensuring the protection of critical information assets. In addition, a risk assessment helps organizations determine which threats must be addressed first and which resources will be required to do so. Security initiatives that are not aligned correctly with business drivers are tactical in nature and ultimately will fail. A strategic security program evolves with updated standards and legislation, organizational goals and emerging technologies.

A risk assessment needs to go beyond regulatory expectations to ensure an organization is truly protecting its sensitive information assets. Using a best-of-breed framework lets an organization complete a security risk assessment that identifies security, not regulatory, gaps and controls weaknesses. If information assets are secured—rather than simply made to comply with regulations written hastily and with little regard for remediation—emerging legislation will become a checkbox instead of a tactical financial black hole.

Jack Daniel is the security team leader and principal consultant for North Chelmsford, Mass.-based Concordant Inc.


HIPAA COMPLIANCE

ENCRYPTING HARDWARE, INFRASTRUCTURE TO ACHIEVE SAFE HARBOR

If data is encrypted, health care providers are not subject to new, strict data breach notification laws. Server, storage and network encryption adds yet another layer of protection. So why do so many organizations avoid encryption?

BY AL GALLANT

ALMOST 40 YEARS AGO, the federal government instituted an anti-kickback law to protect patients and the federal health care programs against fraud. Under the law, “knowingly and willfully” receiving or paying money to influence the referral of federal health care program business, including Medicare and Medicaid, is a felony punishable by up to five years in prison, fines up to $25,000, administrative penalties up to $50,000, and exclusion from federal health care programs.

The law’s broad scope raised many issues with health care providers who believed that some standard clinical activities would be prohibited by the anti-kickback law. In 1987, Congress designated specific “safe harbors” for various business practices that had been prohibited by the anti-kickback law. The term safe harbor is now being used by electronic health record (EHR) vendors and health care organizations to avoid fines and penalties defined within the HITECH Act regarding breaches to patient health information, also referred to as protected health information (PHI).

The HITECH Act stipulates that health care organizations, health plans, other health care service providers and their business associates are required to issue notifications if PHI is breached. However, the act also applied an exemption for information that is “rendered unusable, unreadable, or indecipherable through technologies or methodologies recognized by appropriate professional organization or standard-setting bodies to provide effective security for the information.”

The Department of Health & Human Services (HHS) regulates the safe harbor and data breach rules for all institutions subject to HIPAA compliance. (Vendors not subject to HIPAA compliance must abide by Federal Trade Commission, or FTC, rules.)

In August 2009, HHS issued its first regulation on this issue, indicating that “[e]ntities subject to the HHS and FTC regulations that secure health information as specified by the guidance through encryption or destruction are relieved (exempt) from having to notify in the event of a breach of such information.” That regulation went into effect one month later.

WHY HASN’T ENCRYPTION CAUGHT ON?
Nearly 300 data breaches, each involving the loss of data for 500 or more patients, have been reported to the HHS since those rules went into effect. Most of the reported incidents were unintentional breaches, such as the loss of PCs, laptops or storage media with unencrypted PHI.

If encryption is the only safe harbor in the eyes of the law, why aren’t health care organizations doing all they can to achieve it?

Most health care CIOs will tell you the cost makes it difficult to encrypt PHI. I disagree. For starters, there are many freeware encryption software packages available, so it’s very reasonable for any health care institution to encrypt PHI data on its entire PC inventory. Even if an institution did purchase a software encryption package, it would be far less costly than paying a fine for the breach of PHI. Encrypting 1,000 laptops at $50 per license seat for a standard encryption license comes to $50,000. Under the HITECH Act’s new health care data breach laws, institutions can be fined up to $50,000 per violation, with maximum yearly fines of $1.5 million. Remediation, which includes investigating the cause of the breach and notifying each person whose personal data has been affected, can be equally costly.

Some CIOs will tell you they need more time to complete enterprise-wide encryption. This is a better, or at least a more accurate, truth. For my organization, it took four months to deploy an entire disk software encryption system for 6,000 personal computers and laptops. We aggressively performed this encryption task because we believed it was the correct thing to do to protect the PHI data if a laptop or PC was stolen. We use highly rated encryption software that provides central management, though it should be noted that freeware encryption systems won’t provide central management features. Most of this work was performed transparently, without impact to end users.

Now, if any of our PC systems are stolen, our health care institution will be exempt because we can prove that the entire disk was encrypted, rendering the data “unusable, unreadable or indecipherable.”

HARDWARE ENCRYPTION MUST INCLUDE PERIPHERALS
Encrypting hardware with a high risk of loss or theft is the best place to begin. The largest risk for exposed medical record information for health care organizations comes from lost and stolen laptops. In our technologically advanced mobile society, laptops are stolen every hour of every day, and the data on these laptops is potentially more valuable than the hardware itself.

The smartest thing a health care CIO can do is hardware encrypt all the laptops and PCs in a health care organization. This will reduce the risk of stolen medical record information. When the laptop is stolen, the medical information on the stolen system is unusable.

Don’t forget peripheral devices when encrypting PC hardware. (Don’t forget that peripheral device encryption is a separate process and, therefore, a separate expense to you.) This includes USB drives, thumb drives, memory sticks, CDs and DVDs. In June 2010, several media outlets reported that Lincoln Medical and Mental Health Center in the Bronx had to notify more than 130,000 patients that their EHR information may have been breached when a billing contractor shipped seven CDs full of unencrypted data by FedEx and the CDs were lost in transit. Lincoln Medical had to report this breach to the HHS. The institution is working on a remediation process that will likely be very costly.

For PC hardware encryption, here are a few basics to remember:
• Hardware encrypt the entire disk drive on the PC—not just the data area.
• Encrypt any peripheral device on a PC.
• Use 128-bit encryption or higher.
• Use an encryption product that provides multiple keys—one for systems administrators and one for users.
• Use an encryption product that can be centrally managed.
• Secure the encryption keys separate from the PC and peripheral devices.

Encrypting PCs gets health care CIOs one step closer to a good night’s sleep, free from worrying about loss of PHI data. The work should not stop there, though. Fortunately, encryption at multiple layers within a health care organization’s EHR system is not a difficult task.


DON’T OVERLOOK THE SERVERS
Hardware shouldn’t be the only focal point of an encryption strategy. Because the server is located in a secured data center, many health care CIOs don’t worry about PHI breaches there. But it can happen—and it can be expensive.

A server obviously will contain significantly more PHI data than a PC or laptop, and HHS data breach fines are based on the number of patients whose PHI data has been compromised. For example, a breach at a private practice in Wilmington, N.C., in December affected approximately 2,000 patients.

It’s important to remember these three levels of encryption on any servers containing PHI:
• Many software encryption systems for PCs and laptops cannot be used on servers. Make sure when purchasing a software encryption solution that you verify how it can be implemented. Consider “on-the-fly encryption” for servers; using this process, data is automatically encrypted or decrypted before it is loaded or saved, transparent to the user’s actions. PHI stored on an encrypted volume can be accessed only by using the correct password/encryption keys. The PHI at rest on the server’s disk is completely encrypted. If a hacker obtains unauthorized access, the data is unreadable.
• To prevent unauthorized server access, a health care institution should encrypt its entire network, both wired and wireless. Doing so ensures that hackers attempting “sniffing attacks” will not see any PHI in transmission.
• Database encryption is by far the most overlooked encrypting solution in health IT. Every major database vendor has a transparent data encryption (TDE) solution, and most have had one since 2005—Oracle Corp. with its version 10g, InterSystems Corp. with its Caché v5 database and Microsoft with SQL Server 2005. If you have purchased an EHR system that uses one of these listed databases, verify that TDE is actually enabled within the application. Just because the database is capable of TDE doesn’t mean the vendor automatically uses it. Finally, remember it is an encryption best-practice policy for TDE in databases to make sure that the encryption keys are kept on a different server than the server where the database resides.

BACKUP TAPES ALSO NEED ATTENTION
In 2008, the University of Utah reported that a container of backup tapes with billing records of some 1.7 million patients was stolen from the vehicle of a courier of the university’s off-site storage vendor. These tapes contained names, demographic information and Social Security numbers of patients of the University of Utah Health Care Hospitals & Clinics.

Health care CIOs must be aware of the risks associated with unencrypted backup media. Had the tapes been encrypted, the thief would have been holding useless media. Under the HITECH breach rules, PHI that is encrypted according to HHS guidance, and whose key was not taken along with it, is not “unsecured,” so there would have been no reportable breach of medical information and no fines, penalties or restitution requirements.

If the tapes are not encrypted, however, the HITECH Act’s breach notification requirements kick in, and the organization could pay millions in federal fines, on top of the millions that must be spent on breach notification, consumer credit monitoring and other fees.


INFORMATION SECURITY • ESSENTIAL GUIDE • HIPAA COMPLIANCE AND DATA PROTECTION STRATEGIES 17


For backup media encryption, here are a few tips to keep in mind:

• Hardware-encrypted tape drives are the best choice. They do not consume the backup server’s CPU cycles to encrypt while backing up data, and they encrypt at hardware speed. Many of the newest hardware-encrypted backup storage offerings on the market are also the fastest to provide backup services.

• Don’t lose the encryption keys. Otherwise, you can’t retrieve the data. Keep an escrowed copy under controlled access, and prove that it works by periodically restoring from an encrypted tape.

• Store the keys separately from the tapes. Storing the keys with the tapes is like printing the combination of the office safe on the safe’s front door, and it forfeits the breach safe harbor as well, since a thief who holds both the tapes and the key can read the data.

• Use the highest level of encryption available for the hardware-encrypted tapes (LTO-4 and later drives offer AES-256). Trust me: it’s worth the money.

ENCRYPT THE NETWORK, TOO

Some health care CIOs forget about encrypting their wired and wireless networks. This is an important infrastructure encryption best practice that should not be overlooked, because there are so many ways that the bad guys can sniff a network and pull the data as it goes by.

In February 2010, the Federal Trade Commission (FTC) notified more than 90 organizations that personal information had been taken from the organizations’ computer networks. The primary route of the exposure was peer-to-peer (P2P) file-sharing software running on the organizations’ computers. That is not a sniffing attack, but it makes the broader point: once an unsanctioned application can reach PHI, the data leaves the network no matter how well the wire is protected.

The following network encryption basics will help you protect data:

• Be sure the routing works before trying to do encryption. A remote peer may not have a route for the interface, which means you will not be able to establish an encryption session with that peer.

• Encrypt your network at the endpoints. Encrypting at each router along the path as well, so that every hop decrypts and re-encrypts all traffic, wastes CPU cycles and exposes plaintext inside each router.

• Pay attention to network bottlenecks. Low-end routers should not be used in main network cores. You will get a “CPU hog”-type message, because the volume of traffic uses all the router’s CPU cycles to encrypt the traffic. Where the core’s traffic volume demands it, use hardware that offloads the encryption.

• If you need to encrypt traffic other than IP, use a tunnel: carry the non-IP protocol inside a GRE or similar tunnel, then protect the tunnel itself with IPsec.

• Remember, network encryption encrypts only the data in transmission. The data doesn’t stay encrypted when it lands at the destination. If the destination server is breached, the data is stolen, and all the work to encrypt the transmission is for naught.

• Guard against P2P network applications. If they are allowed to run on your health care network, sooner or later EHR data will be exposed, whatever the state of the wire.

REMEMBER WHERE YOU PUT YOUR KEYS

One thing to keep in mind as you encrypt is that the process will require different encryption tools for different types of hardware, storage and infrastructure. This, in turn, will leave you with thousands of encryption keys. Further complicating the matter is the fact that, until very recently, a lack of industry standards has limited the interoperability of these encryption tools and their keys.

Generally speaking, the key management process should be equally secure and transparent, confined to a small group with clearly defined responsibilities, and applied to all encryption tools that have been used, even if it means using several key management systems. At a minimum, keep an inventory that records, for every key, what it protects, where it is stored, who is responsible for it and when it must be rotated; that inventory is what lets you prove the tape keys are not sitting in the tape vault and the TDE master key is not on the database host. Additional guidance is available from the National Institute of Standards and Technology, or NIST, which has published its recommendations for key management in Special Publication 800-57.
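A key inventory of the kind just described can be checked mechanically. The Python script below is an added example written for this editing pass, not a tool from the original article or from any vendor named in it; the record fields, the custodian group name and the sample inventory are this example’s own assumptions, and the dates are constructed. It applies the rules from the backup tips and the SP 800-57 idea of a cryptoperiod: the key must be stored apart from the data it protects, its custodian must come from one small named group, an escrow copy must exist so the key cannot be lost, and the key must be rotated before its cryptoperiod expires.

```python
"""Audit an encryption-key inventory against basic custody rules.

Added example: the KeyRecord fields, the custodian group name and the
sample inventory below are assumptions made for illustration, not a
standard schema or real hospital data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumed: the one small group permitted to hold key-management duties.
KEY_CUSTODIANS = {"kms-admins"}


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    purpose: str            # what the key protects, e.g. "backup-tape", "tde-master"
    key_location: str       # system or vault holding the key material
    data_location: str      # system or vault holding the protected data
    custodian: str          # group responsible for the key
    created: date           # start of the key's service life
    cryptoperiod_days: int  # maximum service life before rotation (SP 800-57 term)
    escrowed: bool          # a recoverable copy exists in a separate controlled store


def audit_key(rec: KeyRecord, today: date) -> list[str]:
    """Return the policy findings for one key; an empty list means it passes."""
    findings: list[str] = []
    if rec.key_location == rec.data_location:
        findings.append("key stored with the data it protects")
    if rec.custodian not in KEY_CUSTODIANS:
        findings.append(f"custodian '{rec.custodian}' is outside the key-management group")
    if not rec.escrowed:
        findings.append("no escrow copy; losing this key means losing the data")
    expires = rec.created + timedelta(days=rec.cryptoperiod_days)
    if today >= expires:
        findings.append(f"cryptoperiod expired on {expires.isoformat()}; rotate")
    return findings


def audit_inventory(records: list[KeyRecord], today: date) -> dict[str, list[str]]:
    """Map every key_id to its findings; a clean inventory is all empty lists."""
    return {r.key_id: audit_key(r, today) for r in records}


# Constructed sample inventory (not real systems or keys).
AS_OF = date(2011, 8, 19)
SAMPLE_INVENTORY = [
    # Tape key filed in the same off-site box as the tapes: the "combination
    # printed on the safe door" case from the backup tips.
    KeyRecord("tape-2011-q1", "backup-tape", "offsite-vault-box-12",
              "offsite-vault-box-12", "kms-admins", date(2011, 1, 3), 365, True),
    # TDE master key kept on the database host, owned by the DBAs, never
    # escrowed and past its rotation date: every rule fails at once.
    KeyRecord("tde-master-ehr", "tde-master", "db01.hospital.example",
              "db01.hospital.example", "dba-team", date(2008, 6, 1), 730, False),
    # Replacement TDE master key held in an external key manager: passes.
    KeyRecord("tde-master-ehr-v2", "tde-master", "hsm-1.hospital.example",
              "db01.hospital.example", "kms-admins", date(2011, 3, 1), 365, True),
]

if __name__ == "__main__":
    for key_id, findings in audit_inventory(SAMPLE_INVENTORY, AS_OF).items():
        print(key_id, "OK" if not findings else "; ".join(findings))
```

Run as a script it prints one line per key. The second record is the worst case the text warns about: an image of that one database host yields both the data files and the key that decrypts them, and because no escrow copy exists, a disk failure on the same host loses the data for good.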

Overall, infrastructure encryption is worth the investment. Though it can never be considered the “silver bullet” of securing medical record information, it is one of the best practices for securing EHR data, if used appropriately and at multiple hardware levels.

Al Gallant is director of technical services at Dartmouth-Hitchcock Medical Center in Lebanon, N.H.


ACCESS CONTROL

AUTOMATING AND STREAMLINING IDENTITY MANAGEMENT

Automated employee identity management systems can improve data security, reduce vulnerable access points and close security loopholes. That improves workflow and addresses new HIPAA rules that aim to combat data breaches and maintain patient privacy. BY DON FLUCKINGER

IN LIGHT OF RECENTLY STRENGTHENED PATIENT PRIVACY LAWS and bigger penalties for health care data breaches, many health care providers are looking to automate the provisioning of employee access to applications and patient data on the network.

Hospitals and ambulatory provider networks typically manage identities and credentials on paper or with a manual workflow that involves a combination of software applications and, possibly, electronic forms. Automating the process gives IT staff the ability to switch an identity on and off across the network, instantly bringing staffers online when hired or shutting them out of the network when their time with the company is through, disabling all network passwords, logins, badge accesses and so on.

IT leaders in charge of identity management have their hands full in this era of health care staffing models that feature temporary workers, per diem staffers used on an as-needed basis, interns who work at a hospital but technically aren’t employed by it and full-time “floaters” whose network privileges change as they move from building to building or department to department.

“The challenge with access management—when you’re managing multiple facilities and people at multiple locations—is streamlining the flow of the data from the initial knowledge that someone’s going to be hired to granting them access,” said David Sheidlower, chief information security officer for Health Quest. The upstate New York provider includes three hospitals and several multi-specialty ambulatory group practices. This adds up to about 5,000 identities to manage.

Automation makes the process of managing up to 5,000 identities quicker and more accurate than the manual processes it replaced, he said. Manual workflows invariably have holes, and duplicate identities bred from typos and old-but-still-active identities can represent health care data breaches waiting to happen.

“We’re able to automate that data flow without anyone filling out forms or there being any lag time or delay,” Sheidlower said. “Taking away access, from a security perspective, is almost more important. When someone is leaving the organization and is no longer a member of the workforce, you want to see that access is terminated as soon as possible.”

DEFINE USERS, ROLES TO EASE ACCESS MANAGEMENT

The question isn’t finding a vendor—Microsoft, Imprivata Inc., Citrix Systems Inc., CA Technologies Inc. and Novell Inc. are a few of the many offering health care-specific systems—but narrowing the choice. That starts with assessing the complexity of your organization’s staff. A health care provider’s two complications are usually the number of locations an identity management system will serve (one building, several campuses or multiple states?) and the mapping of credentials to privileges (physician, nurse and so on).

Typically, automating identity management involves plugging into a human resources management application such as Lawson (from Lawson Software Inc.) or PeopleSoft (from Oracle Corp.) to get a solid grasp of who is employed by an organization and what they do, cross-referenced with information from the provider’s credentialing department that tracks rights, such as who can prescribe medications and access different departmental systems. Sheidlower said the key to limiting security problems through identity management is building an accurate list of staff and creating a least-privilege model based on each staffer’s role.

“The health care professional’s job is to focus on the patient, not to have to think about computer systems,” said Sheidlower, who uses Novell software to manage identities for Health Quest. “You need to be providing access in a role-based manner so that health care professionals have what they need. The only way to do that in a secure manner is the least-privilege model,” which gives employees access to only the information or applications they need to do their job, and nothing else.

Citrix customer Todd Bruni, director of identity and configuration management for Christus Health (which runs 40 hospitals in six U.S. states and Mexico), said he and his coworkers had the “what they do” part down well because they created what he called a “high-level map” of roles within the company before plugging employees into it. He and his team started by dividing Christus into two halves—its acute and subacute businesses—and then mapping privileges to physicians, nurses and the rest of the staffers within the two halves based on their locations.

That’s a good way to start when preparing to implement an identity management system, Bruni said. After that, make a map of what your different software systems can do and understand how they plug into the identity management system via Active Directory. Think of ways to make things less complicated, such as the use of self-serve password resetting, and to deal with mandatory complications, such as employees who need remote access and regulatory tracking/reporting.

Christus’ main challenge is getting a better grasp on “who’s who” across its geographically scattered workforce. To that end, the company is implementing a centralized identity, human resources and credentialing system that will “totally change everything” for the better, Bruni said.

CHOOSE VENDORS WISELY

Bruni said health care IT leaders charged with choosing an identity management system must understand that, because it’s such a complex undertaking, there is no right answer. Start with the quickest wins that secure the most systems in the least amount of time and require the smallest cost investments.

“There are so many different buckets about how you can go about it—it’s just figuring out what brings that organization the biggest value and start there,” Bruni said. “You can always grow into the other buckets.”

Sheidlower added that, when moving to more complex identity management systems, it pays to determine how much effort and training it will take to bring the system online and maintain it following installation. You and your team will ultimately be left with the care and feeding of the system—if it’s too complex, the identity management could be an epic failure.

Finally, before flipping the switch on an automated identity management system, prepare the network by performing a grand housecleaning. Search for and delete obsolete IDs while rooting out duplicates caused by typos or created when passwords were lost.
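The housecleaning described above, and the HR-driven least-privilege provisioning described earlier in this article, amount to a reconciliation between the HR roster and the account directory. The Python below is an added example written for this editing pass, not code from the article or from Novell, Citrix or any other vendor named here; the role model, the record fields and the sample roster and accounts are constructed assumptions. It emits the actions an automated system would take: disable the accounts of terminated staff and orphan accounts with no HR record, create accounts for new hires, flag duplicate identities for review, grant credential-gated rights such as prescribing only when the credentialing department confirms them, and revoke entitlements that exceed the role.

```python
"""Reconcile an HR roster against directory accounts (added example).

The job-code-to-entitlement map, the record fields and the sample data are
assumptions made for illustration; they are not any vendor's data model.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Assumed least-privilege role model: job code -> baseline entitlements.
ROLE_ENTITLEMENTS = {
    "RN": {"ehr-clinical", "badge-clinical"},
    "MD": {"ehr-clinical", "badge-clinical"},
    "BILL": {"billing", "badge-office"},
}
# Entitlements that need a credentialing record, not just a job code.
CREDENTIAL_GATED = {"ehr-prescribe": "prescribe"}


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    status: str                          # "active" or "terminated", from the HR feed
    job_code: str
    privileges: frozenset = frozenset()  # rights confirmed by credentialing


@dataclass(frozen=True)
class Account:
    account: str
    emp_id: str | None                   # None when the account was never tied to HR
    enabled: bool
    entitlements: frozenset


def wanted_entitlements(e: Employee) -> set[str]:
    """Least privilege: the role baseline plus credential-gated rights only."""
    wanted = set(ROLE_ENTITLEMENTS.get(e.job_code, set()))
    wanted.update(ent for ent, priv in CREDENTIAL_GATED.items() if priv in e.privileges)
    return wanted


def reconcile(employees: list[Employee], accounts: list[Account]) -> list[tuple]:
    """Return (action, target, detail) tuples for a provisioning engine to apply."""
    actions: list[tuple] = []
    by_emp: dict = defaultdict(list)
    for a in accounts:
        by_emp[a.emp_id].append(a)
    known_ids = {e.emp_id for e in employees}

    for e in employees:
        accts = by_emp.get(e.emp_id, [])
        if e.status == "terminated":
            # Off-boarding: every enabled account goes, however many there are.
            actions.extend(("disable", a.account, "employee terminated") for a in accts if a.enabled)
            continue
        wanted = wanted_entitlements(e)
        if not accts:
            actions.append(("create", e.emp_id, f"new hire {e.name}: grant {sorted(wanted)}"))
            continue
        if len(accts) > 1:
            # Duplicate identities (typos, lost-password re-creations) need a human look.
            actions.append(("review-duplicate", e.emp_id, [a.account for a in accts]))
        for a in accts:
            excess = a.entitlements - wanted
            missing = wanted - a.entitlements
            if excess:
                actions.append(("revoke", a.account, sorted(excess)))
            if missing:
                actions.append(("grant", a.account, sorted(missing)))

    # Orphans: enabled accounts with no HR record at all.
    for a in accounts:
        if a.emp_id not in known_ids and a.enabled:
            actions.append(("disable", a.account, "orphan: no HR record"))
    return actions


# Constructed sample data.
EMPLOYEES = [
    Employee("E100", "Ana Ruiz", "active", "RN"),
    Employee("E101", "Ben Okafor", "active", "MD", frozenset({"prescribe"})),
    Employee("E102", "Cara Li", "terminated", "BILL"),
    Employee("E103", "Dev Patel", "active", "BILL"),  # new hire, no account yet
]
ACCOUNTS = [
    Account("aruiz", "E100", True, frozenset({"ehr-clinical", "badge-clinical", "billing"})),
    Account("aruiz2", "E100", True, frozenset({"ehr-clinical"})),  # duplicate from a typo
    Account("bokafor", "E101", True, frozenset({"ehr-clinical", "badge-clinical"})),
    Account("cli", "E102", True, frozenset({"billing", "badge-office"})),
    Account("temp-contract", None, True, frozenset({"ehr-clinical"})),  # orphan
]

if __name__ == "__main__":
    for action in reconcile(EMPLOYEES, ACCOUNTS):
        print(*action)
```

Disables are emitted before any grants so that a terminated employee’s access never survives a run that failed partway through; the duplicate and orphan findings are exactly the “bad data” the housecleaning is meant to remove before the automated system goes live.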


“The cleaner…[the] structures you use to regulate network access, the more successful your implementation will be,” Sheidlower said. “Most of the problems you have when you first implement an identity management system [are] just from bad data.”

REGULATING THE FLOW OF PROTECTED INFORMATION

Identity management systems are more than just knowing who’s who. They are a key tool for Health Insurance Portability and Accountability Act (HIPAA) compliance, giving employees access to only the patient data they need to do their jobs—a bedrock tenet of the regulation. They also help protect health care providers’ networks from security breaches when employees leave.

CIOs are looking for ways to comply with the objectives of this coming decade’s health care IT infrastructure expansion, which has seemingly contradictory regulatory mandates. On one hand, federal health care reform and health IT leaders are forcing CIOs to open up patient and provider access to information online. On the other, HIPAA rules, sharpened by the Health Information Technology for Economic and Clinical Health (HITECH) Act, require ever-tightening security and increase accountability for breaches when that security fails.

In this regulatory climate, identity management systems are growing in importance to help hospitals regulate the flow of protected information, said Chris Bidleman, director of health care at Novell Inc., which offers several applications to authenticate hospital employees and manage their access to confidential patient data on the network. Other vendors in the space include Oracle Corp. and CA Inc.

Both the HITECH Act and health care reform laws bring much focus on the privacy and security of information within electronic health record systems, Bidleman said. “Finding ways to secure that is one of [providers’] highest priorities.” (See Chapter 4 for additional information about the disclosure of electronic patient data.)

To that end, hospital employee identification systems offer reports about who received care from which provider and when. Meanwhile, specific information about those sessions, including which doctor, nurse or other provider was seen, appears in the patient’s electronic medical record. The systems also secure communication among staff, and between providers and patients, by limiting access.

IMPROVING HIPAA COMPLIANCE WHILE CUTTING COSTS

HIPAA compliance was the main driver for upgrading the identity management system at St. Vincent Health in Indianapolis, said Stephen Whicker, the health system’s manager of security compliance and HIPAA security officer. The process, which began in 2005, spanned the enterprise, integrating Novell software with existing PeopleSoft human resource applications and the various network systems requiring login and authentication.

“We had a very manual process,” Whicker said. “We wanted to reduce costs by automating the provisioning of network accounts and other accounts within our systems in order to reduce the manpower requirement.”

The system upgrade blended four networks—and two access points—into a single network under the new identity management system. That, combined with the software integration, has saved $250,000 and freed two full-time staffers to tackle less mundane IT issues such as systems management and expansion, he added.

Beyond technology, Whicker and his colleagues also fixed workflow problems by developing what they called an “identity management roadmap” in planning sessions before setting up the software.

For example, Whicker and his team improved privilege validation, which confirms that a person really needed a particular login and ensures that the right supervisor really granted that access. Previously, there had been no point person or automated response to let employees know they had been granted a login to a particular application or system.

During workflow analysis, Whicker’s team also established a procedure for decommissioning IDs. This closed a loophole that allowed an employee to be given multiple IDs, not all of which were deactivated when the employee left the company.

Six years later, the roadmap for the identity management system is almost complete. All that remains, Whicker said, is finishing up role-based access control to applications, based on role definitions and job codes. Such a scheme connects and integrates applications so employees use a single ID and password for multiple systems.

AUTOMATION MEANS FASTER STARTS, STOPS

An automated identity management system can add other benefits beyond cost savings and faster reporting, Whicker said.

There are fewer opportunities for manual data-entry errors, it is harder to accidentally create duplicate accounts for networks and services, and employees can reset their own passwords. As a result, employee data is more accurate, security loopholes are closed and the help desk can focus on more pressing issues, Whicker said.

In addition, employee accounts are quickly authorized and de-authorized. This gets old employees locked out of multiple systems across the facility almost instantly—and it improves new-hire productivity.


“[We wanted to give] people the IDs and the accesses they needed to do their job on the first day they were here, instead of on the 21st day, which was the average time it was taking to get people fully provisioned with the ID that they needed,” Whicker said.

That not only increased productivity and efficiency, but it also boosted data integrity within the medical record, he added. Staff members no longer need to share IDs to complete routine work while new hires wait for access to the network tools they need to provide patient care.

Don Fluckinger is features writer for SearchHealthIT.com. Write to him at [email protected].


DISCLOSURE

ACCOUNTING DISCLOSURE REQUIREMENTS SET TO CHANGE

The HITECH Act of 2009 mandated changes to the requirements for accounting of personal health information disclosures under the HIPAA Privacy Rule. Under the proposed changes, electronic PHI is no longer exempt. Some say this will be a problem. BY STEPHEN GANTZ

THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) has released a long-anticipated Notice of Proposed Rulemaking (NPRM) that would implement the changes to accounting of disclosures requirements under the HIPAA Privacy Rule. The changes, specified in the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, would expand the types of transactions and uses of data that must be included in accountings of disclosures, reduce the time period for which organizations must maintain the disclosure information, and modify the set of information that must be recorded for each disclosure.

Under the current provisions of the HIPAA Privacy Rule, codified at 45 CFR §164.528, covered entities are required to maintain records on disclosures of protected health information (PHI) for a period of six years, and to furnish that historical record of disclosures (the “accounting”) to individuals who request them. The Privacy Rule included an exemption for disclosures for the purposes of treatment, payment, health care operations and a variety of other special circumstances, including disclosures to the individual of their own PHI.

Collectively, the excepted purposes constitute the vast majority of activity involving disclosure. The current rules also cover all PHI, whether in paper or electronic form.

The HITECH Act shortens the accounting period to three years but removes the exemptions for treatment, payment and health care operations when the disclosure of information is from an electronic health record (EHR). HHS is also proposing to explicitly list the types of disclosures that are subject to the accounting requirement, rather than the prior approach of generally requiring inclusion but enumerating specific exceptions.

When the HITECH Act passed, many HIPAA-covered entities expressed concerns about the increased administrative burden they would face by essentially having to track all disclosures, rather than the more limited set currently required under the law. Some have also pointed out that many EHR systems currently on the market do not provide the built-in functionality to record the information about each disclosure that is required under the revised rule.

As part of the rules promulgated under the EHR Incentive Programs, the Office of the National Coordinator for Health IT (ONC) last year adopted a new standard and EHR certification criterion for recording accounting of disclosure information. When it published its final rule for standards and certification criteria, however, ONC chose to make the accounting criterion optional, pending further analysis and discussion on the potential impact of the new requirements to covered entities and business associates.

In parallel, HHS issued a request for information (RFI) in May 2010 seeking input from the industry and other interested parties about the potential burden of complying with the new accounting of disclosure rules, the technical capabilities available in the market to facilitate or automate this process, and evidence about the relative interest among individuals in requesting accountings of disclosures.

The proposed rule includes some summary data about the comments received in response to the RFI—perhaps most interestingly noting that a large number of respondents reported no or very few requests for accountings since the Privacy Rule went into effect in 2003.


GIVING MORE RIGHTS TO PATIENTS

HHS’ new proposed rule divides individual rights in two, providing for separate rules that give individuals the right to an accounting of disclosures and to an “access report” that, in contrast to disclosures, would provide details about who has electronically accessed the individual’s PHI. The access report provision includes accesses both by employees of covered entities and business associates and by those external to the organization.

There is no comparable provision in the current law, but the proposed rule notes that, since the rule applies only to electronic access, covered entities should already be collecting the relevant information about accesses under practices required in the HIPAA Security Rule. It seems likely that at least part of the justification for this new right is the heightened attention focused on the need for such a record of even routine accesses, following a series of well-publicized incidents where hospital employees apparently abused their authorized access by viewing the health records of celebrities or other public figures.
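To make the difference between an accounting of disclosures and the proposed access report concrete, here is an added Python example, written for this editing pass rather than taken from the article, the NPRM or any EHR product. The audit-trail columns, the care-team table and the log lines are constructed assumptions; neither HHS nor ONC prescribes this format. It builds one patient’s access report (every electronic access, internal and external), pulls out the subset that left the covered entity (the raw material of a disclosure accounting), and flags workforce accesses with no treatment relationship, the pattern behind the celebrity-snooping incidents mentioned above.

```python
"""Access report, disclosure subset and snooping check over an EHR audit trail.

Added example: the log columns, the care-team table and every log line
below are constructed for illustration and are not a regulatory format.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass
from datetime import datetime
from io import StringIO

# Constructed audit trail. An empty encounter_id means the user opened the
# chart outside any encounter the system knows about.
AUDIT_LOG = """\
timestamp,user,user_org,patient_id,action,encounter_id
2011-06-01T08:15:00,rn.ruiz,hospital,P-1001,view,ENC-55
2011-06-01T09:02:00,dr.okafor,hospital,P-1001,update,ENC-55
2011-06-02T22:41:00,clerk.smith,hospital,P-1001,view,
2011-06-03T10:00:00,claims.bot,insurer-x,P-1001,export,ENC-55
2011-06-03T11:30:00,rn.ruiz,hospital,P-2002,view,ENC-56
"""

# Constructed treatment relationships: workforce users on each encounter's
# care team. A real system would derive this from scheduling, orders or
# the patient's assigned unit.
CARE_TEAM = {"ENC-55": {"rn.ruiz", "dr.okafor"}, "ENC-56": {"rn.ruiz"}}
OUR_ORG = "hospital"  # assumed identifier of the covered entity itself


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    org: str
    patient: str
    action: str
    encounter: str | None


def parse_log(text: str) -> list[AccessEvent]:
    """Turn the CSV audit trail into typed events."""
    return [
        AccessEvent(datetime.fromisoformat(r["timestamp"]), r["user"], r["user_org"],
                    r["patient_id"], r["action"], r["encounter_id"] or None)
        for r in csv.DictReader(StringIO(text))
    ]


def access_report(events: list[AccessEvent], patient: str,
                  start: datetime, end: datetime) -> list[AccessEvent]:
    """Every electronic access to one patient's record in a date range,
    by workforce and outsiders alike: the proposed 'access report' right."""
    return sorted((e for e in events if e.patient == patient and start <= e.when <= end),
                  key=lambda e: e.when)


def disclosures(events: list[AccessEvent], patient: str,
                start: datetime, end: datetime) -> list[AccessEvent]:
    """The subset of the report that left the covered entity, which is what
    an accounting of disclosures is built from."""
    return [e for e in access_report(events, patient, start, end) if e.org != OUR_ORG]


def suspicious_accesses(events: list[AccessEvent]) -> list[AccessEvent]:
    """Workforce accesses with no treatment relationship: no encounter at all,
    or a user who is not on that encounter's care team."""
    flagged = []
    for e in events:
        if e.org != OUR_ORG:
            continue  # outsiders are a disclosure question, not a snooping one
        team = CARE_TEAM.get(e.encounter, set()) if e.encounter else set()
        if e.user not in team:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    evts = parse_log(AUDIT_LOG)
    june = (datetime(2011, 6, 1), datetime(2011, 6, 30, 23, 59, 59))
    for e in access_report(evts, "P-1001", *june):
        print("access   ", e.when.isoformat(), e.user, e.org, e.action)
    for e in disclosures(evts, "P-1001", *june):
        print("disclosed", e.when.isoformat(), "to", e.org)
    for e in suspicious_accesses(evts):
        print("review   ", e.when.isoformat(), e.user, "no treatment relationship")
```

The late-evening chart view by a clerk with no encounter is the case the access-report provision is meant to surface; it is invisible to a disclosure accounting, which sees only the insurer’s export, and that is why the proposed rule treats the two records separately.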

Stephen Gantz is an associate professor in the University of Maryland University College (UMUC) Graduate School of Management and Technology.


INFORMATION SECURITY®

SITE EDITOR Brian Eastwood

ART DIRECTOR OF DIGITAL CONTENT Linda Koury

CONTRIBUTING WRITERS Jack Daniel, Al Gallant, Stephen Gantz

EXECUTIVE EDITOR Jean DerGurahian

ASSOCIATE SITE EDITOR Anne Steciw

ASSISTANT SITE EDITOR Craig Byer

FEATURES WRITER Don Fluckinger


Essential Guide to HIPAA Compliance and Data Protection Strategies is produced by Health IT Media, © 2011 by TechTarget, 275 Grove Street, Newton, MA02466 U.S.A.; Toll-Free 888-274-4111; Phone 617-431-9200; Fax 617-431-9201.

All rights reserved. Entire contents, Copyright © 2011 TechTarget. No part of this publication may be transmitted or reproduced in any form, or by any means without permission in writing from the publisher, TechTarget or Health IT Media.

TECHTARGET SECURITY MEDIA GROUP


SPONSOR RESOURCES

See ad page 2

• Read how Weill Cornell Medical College drove down asset vulnerabilities by about 50%

• Priority Health makes ArcSight their primary security partner

See ad page 4

• Your Healthcare I.T. Data Loss Protection Source

• CDW Healthcare’s Customer Case Study: Healthcare I.T. Infrastructure

• E-commerce 101: A Guide to Successful Selling on the Web

• Choosing a Cloud Provider with Confidence


See ad page 7

• Master of Science in Health Informatics Online information

• Master of Science in Health Informatics Admissions Information

• Master of Science in Health Informatics Career Outlook

See ad page 12

• Large University Health Sciences Center Depends on Promisec

• Leading British Hospital Chooses Promisec to Secure Internal Network

See ad page 19

• Arkansas Children’s Hospital case study

• Prioritizing Security and Compliance Management for Healthcare Organizations (webinar)