Implementing the right blend of technology and policy is easier said than done for a healthcare organization, as there are myriad complications to each side of the security equation. But having a strong understanding of what the Department of Health and Human Services (HHS) wants organizations to focus on as they build and develop their security programs can help streamline the process.
Last week, HealthITSecurity.com broke down some key elements of HIPAA Security Rule administrative safeguards. This week, in Part 2 we will review the HIPAA Security Rule’s technical safeguards along with questions to ask via the NIST HIPAA Security Rule Guide. HIPAA refers to technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Within the Security Rule’s technical safeguard language, healthcare organizations should have a variety of controls in place, including access controls, audit controls, integrity controls, authentication controls, and transmission security controls.
To comply with HIPAA standards, healthcare organizations must implement technical policies and procedures for electronic information systems that maintain electronic protected health information (ePHI) to allow access only to those persons or software programs that have been granted access rights. When considering user access, organizations should take these items into account:
- Determine the access control capability of all information systems with EPHI.
- Ensure that system activity can be traced to a specific user.
- Establish a formal policy for access control that will guide the development of procedures.
- Implement a mechanism to encrypt and decrypt EPHI: Is encryption appropriate for storing and maintaining EPHI (“at rest”), as well as while it is transmitted?
HIPAA audit control standards include implementing hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. In deciding what the scope of an organization’s audit controls should be, according to the NIST Guide, it should ask some of these questions:
- Where is EPHI at risk in the organization?
- What systems, applications, or processes make data vulnerable to unauthorized or inappropriate tampering, uses, or disclosures?
- What activities will be monitored (e.g., creation, reading, updating, and/or deleting of files or records containing EPHI)?
In addition to documenting and communicating audit procedures and protocols, a covered entity will want to decide how often audits will take place, how the results will be analyzed, what the organization’s sanction policy is for employee violations, and where audit information will reside (ideally on storage the audited users and administrators cannot alter).
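The access control items above and the audit control questions that follow them describe one mechanism from two sides: every access to ePHI is decided against explicitly granted rights, and every attempt (allowed or denied) is recorded against a specific user so it can be examined later. The following Python block is an added illustration of that pairing, written for this page; it is not code from the article, from NIST, or from any vendor. The grants table, user names, record identifiers and the in-memory log are constructed sample data; a real deployment would take grants from its identity system and write audit events to write-once storage on a separate host.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample grants: user -> patient record -> allowed actions.
# Anything absent here is denied (default deny / least privilege).
GRANTS = {
    "dr.jones": {"patient-1001": {"read", "update"}, "patient-1002": {"read"}},
    "nurse.lee": {"patient-1001": {"read"}},
    "billing.kim": {},  # no clinical record access at all
}

# Constructed in-memory audit trail (append-only list of JSON lines).
AUDIT_LOG = []


def _audit(user, action, record, allowed, when=None):
    """Record one access attempt, allowed or denied, attributed to a named user."""
    event = {
        "ts": (when or datetime.now(timezone.utc)).isoformat(),
        "user": user,
        "action": action,          # create / read / update / delete
        "record": record,
        "outcome": "allow" if allowed else "deny",
    }
    AUDIT_LOG.append(json.dumps(event, sort_keys=True))
    return event


def authorize(user, action, record, when=None):
    """Allow only actions the user was explicitly granted on this record.

    Unknown users, unknown records and ungranted actions all fall through to deny,
    and every decision is audited before it is returned to the caller."""
    allowed = action in GRANTS.get(user, {}).get(record, set())
    _audit(user, action, record, allowed, when)
    return allowed


def review_audit(log_lines):
    """Examine recorded activity: denied attempts per user and how many distinct
    records each user actually touched. Both are the starting point for a review
    under the organization's sanction policy."""
    denied = Counter()
    touched = {}
    for line in log_lines:
        ev = json.loads(line)
        if ev["outcome"] == "deny":
            denied[ev["user"]] += 1
        else:
            touched.setdefault(ev["user"], set()).add(ev["record"])
    return {
        "denied": dict(denied),
        "records_per_user": {u: len(r) for u, r in touched.items()},
    }


if __name__ == "__main__":
    authorize("dr.jones", "update", "patient-1001")   # allowed
    authorize("nurse.lee", "update", "patient-1001")  # denied: nurse has read only
    authorize("billing.kim", "read", "patient-1001")  # denied: no clinical grants
    authorize("intruder", "read", "patient-1002")     # denied: unknown user
    for line in AUDIT_LOG:
        print(line)
    print(review_audit(AUDIT_LOG))
```

Two details matter for the HIPAA questions above: denied attempts are logged as well as allowed ones, because repeated denials are often the first visible sign of misuse, and the log line carries the user, the action and the record, which is what lets activity be traced to a specific person when a complaint or breach is investigated.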
It’s critical for organizations to institute policies and procedures to protect ePHI from improper alteration or destruction. They need to look at the ways outside sources may be able to jeopardize information integrity and, more to the point, how to secure the data while it’s at rest. The NIST Guide lists these electronic mechanisms for authenticating ePHI, that is, for confirming it has not been altered: error-correcting memory, magnetic disk storage, digital signatures, and checksum technology. Note that a plain checksum only catches accidental corruption; anyone who can change the record can recompute it, so detecting deliberate tampering requires a keyed message authentication code or a digital signature whose key the attacker does not hold.
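To make the difference between those mechanisms concrete, here is an added Python example (not from the article or the NIST Guide) that protects a constructed patient record first with an unkeyed SHA-256 checksum and then with an HMAC-SHA256 over the same bytes. The record contents and the `INTEGRITY_KEY` value are constructed for the demonstration; a digital signature would play the same role as the HMAC with an asymmetric key pair, which the example omits to stay within the standard library.

```python
import hashlib
import hmac

# Constructed sample record (not real PHI).
RECORD = b'{"patient":"1001","allergy":"penicillin","dose_mg":50}'

# Constructed demo key. In production this lives in a key manager or HSM and is
# never stored next to the data it protects, otherwise it is just another checksum.
INTEGRITY_KEY = b"constructed-demo-key-do-not-use"


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 digest: catches accidental corruption such as bit rot or a
    truncated write, because the data no longer matches the stored value."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, stored: str) -> bool:
    return hmac.compare_digest(checksum(data), stored)


def mac(data: bytes, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed HMAC-SHA256: also catches deliberate alteration, because producing a
    matching tag for the altered record requires the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(data: bytes, stored: str, key: bytes = INTEGRITY_KEY) -> bool:
    return hmac.compare_digest(mac(data, key), stored)


def tamper_and_recompute_checksum(data: bytes) -> tuple:
    """What an attacker with write access to the record store can do: change the
    dose and recompute the unkeyed checksum so the stored value still matches."""
    altered = data.replace(b'"dose_mg":50', b'"dose_mg":500')
    return altered, checksum(altered)


if __name__ == "__main__":
    stored_sum = checksum(RECORD)
    stored_tag = mac(RECORD)

    altered, forged_sum = tamper_and_recompute_checksum(RECORD)
    print("checksum accepts tampered record:", verify_checksum(altered, forged_sum))
    print("HMAC accepts tampered record:   ", verify_mac(altered, stored_tag))
    print("HMAC with guessed key accepted: ", verify_mac(altered, mac(altered, b"guess"), INTEGRITY_KEY))
```

The comparison uses `hmac.compare_digest` in both verifiers so that a mismatch is not reported through timing differences; that matters for the keyed check, and costs nothing for the plain one.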
Person or entity authentication
There are a few different ways to verify that a person or entity seeking access to ePHI is who they say they are, but at the very least an organization must confirm that the source of a transmission, and the access privileges a user or system claims to patient data, are valid before granting access. From authentication methods to costs to training, it’s important to take a comprehensive view of confirming user identities.
The security of data in motion is extremely important given the proliferation of health information exchanges (HIEs) and mobile usage. HIPAA requires organizations to implement technical security measures to guard against unauthorized access to ePHI in motion. Encryption of ePHI in transit is an addressable implementation specification rather than a required one: an organization must assess whether it is reasonable and appropriate in its environment, implement it if so, and otherwise document why not and what equivalent measure it uses instead. In addition to identifying methods of transmission, tools, techniques and procedures, organizations should ask these questions, according to the NIST Guide:
- Is encryption reasonable and appropriate for EPHI in transmission?
- Is encryption needed to effectively protect the information?
- Is encryption feasible and cost-effective in this environment?
- What encryption algorithms and mechanisms are available?
- Does the covered entity have the appropriate staff to maintain a process for encrypting EPHI during transmission?
- Are staff members skilled in the use of encryption?