February 25, 2002

TO THE RESCUE: OUTSOURCING TO MEET HIPAA SECURITY REQUIREMENTS

When the privacy provision of the Health Insurance Portability and Accountability Act (HIPAA) became effective on April 14, 2001, administrators at health plans, healthcare clearinghouses, and many healthcare providers were confronted with the need to master and implement the intricacies of modern-day data security. Covered healthcare organizations (HCOs) are expected to meet current HIPAA requirements by April 14, 2003, with a one-year extension for smaller health plans (those with annual receipts of $5 million or less). When the final HIPAA Security Rule is published, it will provide even more motivation for organizations to address and increase data security measures. The Administrative Simplification provisions of Title II of HIPAA require healthcare administrators to address health information security with a focus on electronically transmitted data.

While HCOs may not be targeted by hackers as frequently as other high-tech industries, many organizations in the industry need to address security issues that may be exposing them to possible exploitation, according to Mark Higgins, director of healthcare strategy at Riptech Inc. in Alexandria, Va. According to Higgins, during a recent analysis of cyberattacks launched against Riptech's client base over the past six months, the company determined that 59% of HCOs experienced at least one attack that would have resulted in a security breach had no one intervened. Whether for the sake of HIPAA compliance or for the sake of mitigating actual risks that exist today, he believes that implementing risk-appropriate security solutions should be a priority for every healthcare administrator.

Monetary concerns are a key component of any HIPAA-compliance effort because, historically, tight information technology (IT) budgets limit an IT administrator's ability to address information security concerns.
Fortunately, there is a significant amount of flexibility built into the regulations, which allows healthcare organizations to implement solutions that they determine to be risk-appropriate for their company, Higgins notes. What this means, he adds, is that HCOs can select which technologies and services are necessary to establish compliance with the HIPAA Security Rule based on their unique risk profile and financial resources. Once the necessary technologies and services are in place, many administrative policies can be addressed internally.

I don't think the costs of meeting the HIPAA requirements are out of line with reality, provided that healthcare organizations conduct their due diligence to understand their risk profile and develop an information security posture that is risk appropriate, Higgins states. From what I have seen, there is no doubt that the steps that healthcare organizations need to take are beyond their current capabilities. That said, I also believe that most healthcare organizations are fully capable of funding the cost of compliance with the data security standards.

Exactly what kind of costs are healthcare administrators looking at? Taking a company's current infrastructure into consideration, most medium to large organizations could end up spending more than $200,000, according to Klaus Schleicher, senior director of product management for CONSUL Risk Management Inc. in Acton, Mass. If they already have security measures in place, such as auditing, firewalls, and encryption, then it's simply going to be a matter of proving they have all of these in place. While becoming HIPAA compliant may be a costly venture, HCO administrators need to understand the costs of not being compliant, which include substantial federal fines and potentially costly civil lawsuits, Schleicher adds.
The cost of noncompliance is often incurred less in government-imposed fees than in damage to a firm's reputation and the loss of trust that can result from a single information leak, he says. If patients don't trust that their records will be kept secure, they will find other healthcare providers they do trust.

Though a potential loss of trust is a primary concern, federal fines for organizations that fail to comply with HIPAA requirements are hefty enough to warrant a reminder. In the event of violations, HCOs face fines of $250 per incident and up to $250,000 per year for each violation type, as well as possible criminal penalties, according to Higgins. Compromises of patient information could also result in civil lawsuits and pose a threat to patient care should successful hackers alter databases containing patient records and lab results.

While preventing attacks from outside their organizations, administrators must also keep a watchful eye on their own employees, warns Peter J. Schmidt, director of healthcare industries for Oracle Corp. in Reston, Va. Schmidt estimates that 80% of the risk associated with healthcare data security is associated with internal users who are able to gain access to private information. These internal users are able to ferret out information on a wide variety of things, he says. If, for example, an employee at a healthcare insurer wanted to check a new boyfriend's or girlfriend's medical history, he or she could have access to those records, he explains. This is one of the largest risks: individuals working for one of the larger payor organizations who may be able to obtain information that should be kept private.

There are several areas of vulnerability that could lead to internal or external information leaks, including inadequate Internet gateway border protection, Web servers in need of patching or replacement, and misconfigured or improperly installed systems and applications.
These areas of weakness are especially attractive to hackers who simply scan the Internet searching for systems that have vulnerabilities that they know how to exploit, Higgins explains. Hackers often attack organizations that have minimal protection in place simply because they can. An Internet gateway that lacks a firewall or Web servers that have not been patched in years are certainly open to exploitation if they haven't been exploited already. In our experience, network perimeter vulnerabilities such as these are significantly more common among HCOs than in most other industries.

With impending deadlines, government fines, and a potential breakdown in patient trust at stake, outside firms specializing in providing solutions for HIPAA compliance may be the best answer for HCO administrators whose resources and staff are already spread thin. Outside contractors or organizations can be of vital assistance in at least two areas, explains Sayan Chakraborty, vice president of engineering for Sigaba Corp. in San Mateo, Calif. They can provide technology and consultative expertise, including auditing and evaluating an HCO's security policies and procedures. While Sigaba does provide some consulting services, he adds that the company's primary focus is on developing technology to solve specific problems, such as securing data in motion.

Although many administrative policies and procedures can be implemented internally with a minimal amount of guidance, outsourcing to meet data security regulations offers several benefits to busy, budget-driven administrators. There is a certain level of sophistication that comes with using an outsourcing arrangement, says Schmidt. You can usually achieve a contractual understanding to meet your minimum security requirements, regardless of the HIPAA legislation.
By addressing those issues through an outsourcing arrangement, he adds, administrators may, in some situations, mitigate some of the risk involved in becoming HIPAA compliant. To assist in an often difficult decision-making process, Oracle provides processes that enable HCOs to create business-case scenarios to determine when and when not to outsource, according to Schmidt. At a large New England-based health insurance organization that already had an outsourcing agreement in place for data processing and claims systems, administrators felt they possessed the technical prowess to build a data warehouse internally, he notes. The company accepted bids from both its internal and external providers. It developed into a very competitive environment, which resulted in some cost savings for the insurance company, says Schmidt.

While many HCOs may have similar capabilities, Chakraborty believes experts in the field can best handle the development and implementation of data security features. In some ways, a poorly implemented security solution is worse than none at all, he explains. If you have a noncompliant or unsecured system, you may believe you're secure and compliant, even though you aren't. If an organization has not yet addressed the issues of electronic data security, he continues, they at least have the benefit of knowing that they have work to do.

The real legwork (determining what is appropriate for the organization, what solutions you may need, and whether or not you use consultants) is an aspect of entering an outsourcing arrangement that should remain within the HCO, according to Chakraborty. I'm not recommending that you call a consultant and say, "Tell us what to do." It needs to be a much more active process than that.
The development of a consulting relationship should be a process, he suggests, in which the HCO determines the problems it needs to solve, where it stands in relation to these problems, what kind of budget it is working with, and what its priorities are. Only a healthcare company can truly know its own business, he adds.

Data security experts have many solutions to offer harried administrators who seek their assistance, ranging from advice about policies and procedures to products and features specifically designed to enhance network security. With so much to choose from and so little time and money at hand, the best way to approach an outsourcing arrangement is systematically, according to Schleicher. Healthcare organizations need to check their inventory, know what data they have on hand, and be aware of their requirements, he says. Next, health information managers (HIMs) need to find out what security systems they currently have in place and determine what they need to add in order to be HIPAA compliant. Finally, they need to get a summary to make sure they have achieved compliance. The first stage is identifying their security needs, he says. Then they can ask, "Where do we go from here?"

Among the solutions HIMs are likely to encounter on the current market are outsourced services that monitor network security devices and provide real-time feedback, one of the services provided at Riptech, Higgins says. We monitor the security technologies that HCOs have in place and analyze the data they produce in real time to detect intrusions as they occur. While real-time monitoring can be vital on a perimeter system, it is also important to consider its uses for internal systems, he adds. Administrators may also find outsourcing practical when they are seeking to ensure the privacy of corporate e-mail and data transmissions, Chakraborty advises.
At Sigaba, we have a gateway product that stands between the e-mail stream inside your company and the outside world, he explains. Any messages going through the gateway are referred to policy-driven software to determine whether the data should be transmitted, encrypted for privacy purposes, or virus scanned. The issue of authentication is also key, he adds. I need to be able to know that you're you. Our system is very flexible and does high-strength authentication, but it can work with the existing infrastructure that a company has already put in place for authenticating users, such as passwords, biometric scanning, or smart cards. When people leave the organization, he adds, administrators can quickly unplug them from the system to prevent disgruntled employees (or ex-employees) from having continued access to accounts and data.

Security technologies provide a greater level of control over access to and transmission of vital information. In an outsourcing arrangement, however, a certain amount of control is often sacrificed out of necessity. You basically lose control of both the data and the applications, Schmidt explains. If you have a HIPAA audit done by a third party and it shows you are seriously out of compliance, you have to work together to come up with compliance standards. That can be very expensive.

By carefully screening companies before entering an outsourcing agreement, the levels of trust and comfort can be raised, enhancing the relationship on both sides. When entering into a consulting situation, healthcare administrators should be familiar with the consultant being assigned to the task, Higgins recommends. They should also be very careful about ensuring that the quality of the product and the people are what they expect. To that end, healthcare administrators are looking for reliable, well-rounded companies, says Larry Barnett, information security analyst for Blue Cross/Blue Shield of Tennessee.
Anytime you allow a nonemployee to gain access to your computer system, there is a tremendous risk involved. Whoever is performing the compliance validation is going to have to have the run of the system in order to make sure everything is locked down as it should be. If, after careful consideration, outsourcing appears to be the best solution, Barnett suggests healthcare administrators assign members of their staff to work closely with employees from the outside company. That way, once an organization is compliant, it will be able to remain compliant in the future.

Despite the potential consequences of noncompliance, many HCOs have not begun to address data security issues in earnest, Chakraborty says. Many small providers who are looking to larger affiliates or industry leaders have not received much direction, he adds, which leads him to expect a two-tier, Y2K-like crunch over the next two years, with the most important, standard-setting activity occurring this year. As large organizations make implementations this year, the smaller organizations, who have until 2004 to comply, will read about the things that went well (and the horror stories) and we'll see a similar crunch in the fall of 2003.

HIPAA requirements may not be the only motivating factor in alerting the healthcare industry to the importance of data security, Higgins adds. HCOs seem to be less aware of exposure to internal and external threats than other industries, he says. Many budgets don't allow for increased expenditures for security solutions; however, Higgins predicts this may change in the near future because of HIPAA deadlines or for more sinister reasons. If something drastic happens in the healthcare industry, if someone breaks into a hospital and causes tremendous damage where people's lives and well-being are affected, that, along with HIPAA, may be the only thing that can drive budgets and awareness to increase.

Hannah Fiske is a staff writer at For the Record.
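The policy-driven e-mail gateway that Chakraborty describes above (each outbound message is passed, encrypted for external delivery, virus scanned, or held according to policy) and his point about unplugging departed users can be sketched in code. The following is an added example written for this page; it is not Sigaba's product and not code from the article. The mail domain, partner domains, account directory, PHI detectors and sample messages in it are all constructed assumptions.

```python
"""Added example, not code from the article or from Sigaba: a toy
policy-driven outbound mail gateway of the kind the passage describes.
Domains, accounts, PHI detectors and sample messages are all constructed."""
import re
from dataclasses import dataclass, field
from typing import List

INTERNAL_DOMAIN = "example-hco.org"                  # assumption: the HCO's own mail domain
ENCRYPTION_PARTNERS = {"labs.example-partner.net"}   # assumption: domains with an encrypted channel

# Constructed account directory. An ex-employee is "unplugged" by marking the
# account inactive, after which the gateway refuses to relay mail for it.
ACCOUNTS = {
    "alice@example-hco.org": {"active": True},
    "bob@example-hco.org": {"active": False},
}

# Crude indicators of protected health information (constructed; a real
# data-loss-prevention engine would use far richer detectors).
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                          # SSN-shaped number
    re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.IGNORECASE),           # medical record number
    re.compile(r"\b(diagnosis|lab result|prescription)\b", re.IGNORECASE),
]


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


@dataclass
class Decision:
    action: str                    # "deliver", "quarantine" or "reject"
    encrypt: bool = False          # deliver only over the encrypted channel
    scan: bool = False             # run attachments through the virus scanner first
    reasons: List[str] = field(default_factory=list)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def contains_phi(text: str) -> bool:
    return any(p.search(text) for p in PHI_PATTERNS)


def decide(msg: Message) -> Decision:
    """Apply the outbound policy to one message and say what the gateway should do."""
    account = ACCOUNTS.get(msg.sender.lower())
    # Authentication/deprovisioning check: only active internal accounts may relay.
    if domain_of(msg.sender) != INTERNAL_DOMAIN or account is None or not account["active"]:
        return Decision("reject", reasons=["sender is not an active internal account"])

    d = Decision("deliver", scan=bool(msg.attachments))
    if d.scan:
        d.reasons.append("attachments present: virus scan before relay")

    external = [r for r in msg.recipients if domain_of(r) != INTERNAL_DOMAIN]
    if external and contains_phi(msg.subject + "\n" + msg.body):
        if all(domain_of(r) in ENCRYPTION_PARTNERS for r in external):
            d.encrypt = True
            d.reasons.append("PHI to partner domain: encrypt in transit")
        else:
            d.action = "quarantine"
            d.reasons.append("PHI to a domain with no encrypted channel: hold for review")
    return d


# Constructed sample messages, one per policy branch.
SAMPLES = {
    "internal": Message("alice@example-hco.org", ["carol@example-hco.org"],
                        "Lab result for MRN 00123456", "see chart"),
    "partner":  Message("alice@example-hco.org", ["intake@labs.example-partner.net"],
                        "Referral", "Diagnosis attached for patient SSN 123-45-6789"),
    "webmail":  Message("alice@example-hco.org", ["someone@example-webmail.com"],
                        "FYI", "Her lab result came back", ["result.pdf"]),
    "ex_staff": Message("bob@example-hco.org", ["carol@example-hco.org"],
                        "Hi", "still here?"),
}

if __name__ == "__main__":
    for name, m in SAMPLES.items():
        d = decide(m)
        print(f"{name:9} -> {d.action:10} encrypt={d.encrypt!s:5} scan={d.scan!s:5} {'; '.join(d.reasons)}")
```

Running the file prints the decision for each constructed message. The design point is that the decision is made at the gateway from three inputs the passage names: the sender's account status (so a deactivated account cannot relay anything), the recipient domains, and the message content, so that PHI leaves the organization only over a channel the policy trusts and otherwise waits for a human.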
3801 Schuylkill Rd • Spring City, PA 19475. Publishers of For the Record. All rights reserved.