What three types of safeguards must health care facilities provide and what do they do?

Compliance

Aaron Wheeler, Michael Winburn, in Cloud Storage Security, 2015

4.2.1.3 Technical Safeguards

HIPAA defines technical safeguards that address access control, data in motion, and data at rest. A covered entity must implement technical policies and procedures for the computing systems that maintain PHI so that access is restricted to only those persons who have been granted access rights. Each user is required to have a unique user identification (ID); this ID is used to identify and track the user's activities while accessing PHI. Audit controls must be implemented to record PHI access and processing activity and to provide the ability to examine it. To protect a user account from being left unattended, automatic logoff must be implemented to terminate the user's session after a predetermined period of inactivity.

HIPAA requires that a mechanism to encrypt and decrypt PHI be implemented. It does not directly specify when data is to be encrypted or decrypted, beyond requiring that it be done when "reasonable and appropriate." Given this flexibility, PHI should be encrypted both in motion and at rest. Encryption directly addresses the confidentiality requirement for PHI as it is transmitted, received, maintained, and stored. The selection of an encryption algorithm, its implementation details, and its use are left to the covered entity.

To ensure PHI data integrity, the covered entity must implement policies and procedures to protect PHI from improper alteration or destruction. It must also establish emergency access procedures for obtaining and accessing PHI during an emergency (HIPAA 164.312 Technical Safeguards, 2003).
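The access-control, audit, automatic-logoff and emergency-access points above can be seen together in a small PHI access layer. This is an added example, not code from the book; the class, the 15-minute timeout, the record and user names, and the break-glass rule are all assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed policy value: HIPAA leaves the inactivity period to the covered entity.
INACTIVITY_TIMEOUT_S = 15 * 60


@dataclass
class Session:
    user_id: str          # unique user identification (R): every action is traceable
    last_activity: float


class PhiAccessLayer:
    """Hypothetical access layer in front of a PHI store (illustrative names only)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}
        self.audit_log = []   # audit controls (R): every PHI access attempt is recorded
        # Constructed sample data: record id -> PHI, and record id -> users granted access
        self.records = {"PAT-001": {"name": "A. Example", "dx": "sample"}}
        self.grants = {"PAT-001": {"dr_lee"}}

    def _audit(self, user_id, action, record_id, outcome, note=""):
        self.audit_log.append({"ts": self.clock(), "user_id": user_id, "action": action,
                               "record": record_id, "outcome": outcome, "note": note})

    def login(self, user_id):
        sid = secrets.token_hex(16)          # unpredictable session identifier
        self.sessions[sid] = Session(user_id, self.clock())
        self._audit(user_id, "login", None, "ok")
        return sid

    def _session(self, sid):
        """Return the live session or None; automatic logoff (A) on inactivity."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.clock() - s.last_activity > INACTIVITY_TIMEOUT_S:
            del self.sessions[sid]
            self._audit(s.user_id, "auto_logoff", None, "ok")
            return None
        s.last_activity = self.clock()
        return s

    def read_record(self, sid, record_id):
        s = self._session(sid)
        if s is None:
            self._audit("unknown", "read", record_id, "denied", "no active session")
            return None
        if s.user_id not in self.grants.get(record_id, set()):
            self._audit(s.user_id, "read", record_id, "denied", "no access right")
            return None
        self._audit(s.user_id, "read", record_id, "ok")
        return self.records[record_id]

    def emergency_read(self, sid, record_id, justification):
        """Emergency access procedure (R): break-glass read that bypasses the grant
        table but requires a justification and is logged for after-the-fact review."""
        s = self._session(sid)
        if s is None or not justification.strip():
            self._audit(s.user_id if s else "unknown", "emergency_read", record_id, "denied")
            return None
        self._audit(s.user_id, "emergency_read", record_id, "ok", justification)
        return self.records.get(record_id)

    def activity_review(self, user_id=None):
        """Information system activity review: audit entries, optionally for one user."""
        return [e for e in self.audit_log if user_id is None or e["user_id"] == user_id]
```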

The Department of Health and Human Services developed a security matrix that provides an overview of HIPAA security requirements. It also has references to specific sections of the law that provide detailed information. Appendix A to Subpart C of Part 164—Security Standards: Matrix is shown in Table 4.1.

Table 4.1. Appendix A to Subpart C of Part 164 – Security Standards: Matrix

| Standards | Sections | Implementation Specifications ((R) = Required, (A) = Addressable) |
|---|---|---|
| Administrative Safeguards | | |
| Security Management Process | 164.308(a)(1) | Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R) |
| Assigned Security Responsibility | 164.308(a)(2) | (R) |
| Workforce Security | 164.308(a)(3) | Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A) |
| Information Access Management | 164.308(a)(4) | Isolating Health care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A) |
| Security Awareness and Training | 164.308(a)(5) | Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A) |
| Security Incident Procedures | 164.308(a)(6) | Response and Reporting (R) |
| Contingency Plan | 164.308(a)(7) | Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A) |
| Evaluation | 164.308(a)(8) | (R) |
| Business Associate Contracts and Other Arrangement | 164.308(b)(1) | Written Contract or Other Arrangement (R) |
| Physical Safeguards | | |
| Facility Access Controls | 164.310(a)(1) | Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A) |
| Workstation Use | 164.310(b) | (R) |
| Workstation Security | 164.310(c) | (R) |
| Device and Media Controls | 164.310(d)(1) | Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A) |
| Technical Safeguards | | |
| Access Control | 164.312(a)(1) | Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A) |
| Audit Controls | 164.312(b) | (R) |
| Integrity | 164.312(c)(1) | Mechanism to Authenticate Electronic Protected Health Information (A) |
| Person or Entity Authentication | 164.312(d) | (R) |
| Transmission Security | 164.312(e)(1) | Integrity Controls (A); Encryption (A) |

URL: https://www.sciencedirect.com/science/article/pii/B9780128029305000046

Statutory and Regulatory GRC

Leighton Johnson, in Security Controls Evaluation, Testing, and Assessment Handbook, 2016

HIPAA Security Rule

The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.

Specifically, covered entities must:

Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;

Identify and protect against reasonably anticipated threats to the security or integrity of the information;

Protect against reasonably anticipated, impermissible uses or disclosures; and

Ensure compliance by their workforce.

The Security Rule defines "confidentiality" to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, "integrity" means that e-PHI is not altered or destroyed in an unauthorized manner. "Availability" means that e-PHI is accessible and usable on demand by an authorized person.

HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.

Therefore, when a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider:

Its size, complexity, and capabilities,

Its technical, hardware, and software infrastructure,

The costs of security measures, and

The likelihood and possible impact of potential risks to e-PHI.

Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment. [3]

URL: https://www.sciencedirect.com/science/article/pii/B9780128023242000038

Big Data

Deborah Gonzalez, in Managing Online Risk, 2015

Customer information

In accordance with the Gramm-Leach-Bliley Act (GLBA) of 1999, financial institutions are required to have administrative, technical and physical safeguards for sensitive customer information. As such, safeguarding the confidential financial information concerning the Company's customers is essential to maintaining the public trust. It is the policy of the Company that such confidential information acquired by a staff member through his or her employment must be held in the strictest confidence. Such information is to be held for Company purposes only and not as a basis for personal gain by any staff member. Such information must also be protected from misuse that could result in identity theft. Aside from routine credit inquiries, information regarding a customer may generally only be released to private persons, organizations or governmental bodies that request it with the consent of the customer involved or upon receipt of legal process, such as a subpoena or court order. Information obtained about any Bank customer from any record of the Bank shall not be disclosed. This provision continues regardless of whether the individual who obtains the information ceases employment with the Bank.

Confidential customer information should never be discussed with anyone outside the Company, and only with those within the Company who have a legitimate business need to know. Such information should never be discussed in public places, even within the Company’s offices. Staff members should be sensitive to the risk of inadvertent disclosure resulting from open doors, speakerphones, cellular phones, and when transmitting confidential information by fax or other electronic media.

URL: https://www.sciencedirect.com/science/article/pii/B9780124200555000050

The Expansion of the RMF

James Broad, in Risk Management Framework, 2013

The Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 seeks to protect personal healthcare information by providing administrative, physical, and technical safeguards for this type of information. The Act provides guidance in the requirements for storing, processing, transmitting, and handling personal healthcare data. NIST has developed SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, to assist in correctly implementing HIPAA security rule requirements. This publication explains not only the requirements, but also generally explains the HIPAA legislation itself and provides detailed information on the security rule that focuses on electronic protected health information (EPHI). Table C-6 provides a mapping to the correct section of the HIPAA security rule for security controls defined in the security controls catalog.

NIST SP 800-66 details the procedure for correct compliance with HIPAA, including using the Risk Management Framework to ensure compliance with the law. The use of the RMF for the security of HIPAA data provides an integrated, methodical, repeatable, risk-based approach for selecting, specifying, and implementing security controls to adequately protect EPHI. In developing a program that secures HIPAA data, replace the controls selected in phase 1 of the basic RMF process with those controls required by the Act. The remainder of the framework remains the same.

URL: https://www.sciencedirect.com/science/article/pii/B9781597499958000156

Privacy

Stephen D. Gantz, Daniel R. Philpott, in FISMA and the Risk Management Framework, 2013

Information Management

The Privacy Act requires agencies to safeguard personally identifiable information contained in systems of record against threats to confidentiality and integrity. The law refers generally to “appropriate administrative, technical, and physical safeguards” [40], all of which can be addressed using the reference set of security controls contained in Special Publication 800-53 [23]. With respect to the integrity of PII contained in agency systems of records, the language in the Privacy Act focuses on the correctness or validity of the information, which should be accurate, complete, current, and relevant to the purposes for which the information was collected and will be used [51]. It is important for system owners and information system security officers to identify and incorporate privacy protection requirements and objectives during the process of selecting appropriate security controls for the system, as agencies can be held accountable for failing to comply with the provisions of the Privacy Act due to insufficient or ineffective security controls to protect privacy [52].

URL: https://www.sciencedirect.com/science/article/pii/B9781597496414000163

Introduction to Security

Tariq Bin Azad, in Securing Citrix Presentation Server in the Enterprise, 2008

Citrix and HIPAA, Sarbanes-Oxley, FERPA

Application virtualization provided by Citrix products is used across all aspects of today's information technology environment, including in many organizations that are governed by federal and/or state guidelines. We cover only the best known of these, to give you examples of how measures are being taken to secure information technology infrastructures.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. This act requires the establishment of a national set of standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

The act also addresses the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange.

The Privacy Rule of the act requires that reasonable steps must be taken by health care providers to ensure the confidentiality of communications with individuals. The Privacy Rule pertains to all Protected Health Information (PHI) including paper and electronic.

The Security Rule deals specifically with Electronic Protected Health Information (EPHI). It lays out three types of security safeguards required for compliance:

Administrative Safeguards

Physical Safeguards

Technical Safeguards

For each of these types, the rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the Rule. Addressable specifications are more flexible. Individual covered entities can evaluate their own situation and determine the best way to implement addressable specifications. The standards and specifications are as follows:

Administrative Safeguards: Policies and procedures designed to clearly show how the entity will comply with the act. These are your written documents providing direction for anyone using the information technology infrastructure, whether as an administrator or as a user.

Physical Safeguards: Controlling physical access to protect against inappropriate access to protected data. Are the servers in a secured location?

Technical Safeguards: Controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient. Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized.

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. This act applies to all schools and educational institutions that receive funds under an applicable program of the U.S. Department of Education.

The Sarbanes-Oxley Act of 2002 (SOX or Sarbox) is a federal law that was enacted in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, and others. These scandals, which cost investors billions of dollars when the share prices of the affected companies collapsed, shook public confidence in the nation's securities markets.

The legislation establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. It does not apply to privately held companies.

Note

Following the guidelines in this book, such as implementing ICA encryption, IPsec, and network firewall configuration, should help you ensure that Citrix XenApp meets your requirements of protecting sensitive data.

URL: https://www.sciencedirect.com/science/article/pii/B9781597492812000019

Third-Party Risk Management

Timothy Virtue, Justin Rainey, in HCISPP Study Guide, 2015

Security Requirements

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. Security requirements are closely associated with privacy and can typically be derived based on the classification of data. Once an organization is assigned an appropriate classification based on the confidentiality, integrity, and availability of the data, appropriate administrative, physical, and technical safeguards can be identified to ensure the data are protected.

URL: https://www.sciencedirect.com/science/article/pii/B9780128020432000070

Privacy and Security in Healthcare

Timothy Virtue, Justin Rainey, in HCISPP Study Guide, 2015

Data Retention and Destruction

Data retention and destruction policies and procedures involve the healthcare organization’s specifications for retaining and destroying data in accordance with legal, regulatory, and business requirements. The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, in any form. This applies to the disposal of such information when the data are no longer required or a specific data retention period has expired. Additionally, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of EPHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of EPHI from electronic media before the media are made available for reuse.

Since both the HIPAA Privacy and Security Rules address data retention and destruction, healthcare organizations must implement the appropriate safeguards to protect PHI and comply with HIPAA requirements.

URL: https://www.sciencedirect.com/science/article/pii/B9780128020432000045

Information Governance and Risk Management

Timothy Virtue, Justin Rainey, in HCISPP Study Guide, 2015

Asset Identification and Valuation

The second concept to understand involves asset identification and valuation. An important component of a risk management methodology is the identification and inventory of information assets. Without an accurate asset inventory, it will be difficult to assess risk and ensure appropriate administrative, physical, and technical safeguards are implemented to protect the organization's assets. For example, as the HIPAA Security Rule mandates protection for electronic protected health information, the organization must understand where this type of information is stored, received, maintained, or transmitted to ensure it receives appropriate protections and the organization maintains compliance with the law. Asset valuation is another important factor in identifying the importance of assets to an organization. Value can be derived in both tangible and intangible forms and associated with risk (e.g., low, medium, high). Tangible forms involve direct (real) value of physical assets including revenue and server or facility costs. Intangible forms involve indirect value such as brand, reputation, and loss of prospective customers and intellectual property. For example, let us say a healthcare organization has an online prescription filling system that generates $5000 per hour in revenue. If the system goes offline unexpectedly for 3 hours and leaves the organization unable to take new orders or fill prescriptions, the organization would have $15,000 in tangible (direct) revenue losses. The organization might also incur intangible losses associated with media coverage of the outage impacting brand and reputation or customers filling prescriptions with a competitor. An inventory of information assets and their associated value will enable organizations to leverage a risk-based approach to protecting only those assets with the greatest need of protection. Otherwise organizations will be left wasting resources and likely failing to protect all information assets equally based on the highest set of requirements.

URL: https://www.sciencedirect.com/science/article/pii/B9780128020432000057

Information Security Consulting

James Kelton, CISA, CRISC, CGEIT, CHS-III, in Security Consulting (Fourth Edition), 2013

Risk Treatment Plan

Risk is related to the probability of the compromising event and the impact of the event on the team. If the probability is high and the impact is high, then the risk is likely to be high. A coach can provide an owner with an independent view of the risks faced by the team and can recommend a risk treatment plan with controls to reduce the risks. A risk treatment plan identifies and documents safeguards and controls that treat risks.

Risk treatment is a decision-making process whereby risks are treated by selecting and implementing measures to address the specific risks identified in the risk assessment and subsequent risk analysis. Risk treatment options typically include the following:

Reduce the risk. Implement specific administrative, physical, and technical safeguards that protect data and manage information security risks.

Transfer the risk. Use insurance, outsourcing, and the like so another party accepts the risk.

Avoid the risk. Sometimes the risk is greater than the benefits gained by performing an activity. One of my clients decided not to keep a web server operational because it was rarely used and the maintenance costs of upgrading the server to current standards were too great. By shutting down the server, my client avoided risks.

Accept the risk. In some instances, the potential negative impact of a vulnerability is minimal or the cost of implementing the required security controls is too high. In these situations, organizations may accept the risk but use monitoring systems to ensure the risk remains within acceptable levels.

Many teams do not have the skills or resources needed to perform the initial risk assessment, subsequent risk analysis, and preparation of a risk treatment plan. An information security consultant acting as a coach can provide the services needed as well as evaluate the organization’s level of risk tolerance and recommend security controls to treat risks.

The importance of information confidentiality and availability may vary from one team to another. Most teams find data integrity an essential element of information security. Without data integrity, information is of little value to the team. The coach helps the team win by ensuring that important assets have been identified and the controls are in place to reduce risks to acceptable levels.

URL: https://www.sciencedirect.com/science/article/pii/B9780123985002000138

What are three types of administrative safeguards?

HIPAA administrative safeguards are broken down into several standards, including the security management process, assigned security responsibility, and workforce security.

What are safeguards in healthcare?

Safeguards include such actions and practices as securing locations and equipment; implementing technical solutions to mitigate risks; and workforce training. The Privacy Rule's safeguards standard is flexible and does not prescribe any specific practices or actions that must be taken by covered entities.

What are the three areas of safeguards the security rule addresses quizlet?

Three standards are identified as safeguards (administrative, physical, and technical), and two deal with organizational requirements, policies, procedures, and documentation.

What are the four safeguards that should be in place HIPAA?

Technical Safeguards:

Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).

Audit Controls.

Integrity Controls.

Transmission Security.