Steps to protect security and privacy of protected health information


Gaps in the security and privacy of healthcare data still exist, even though the security and privacy safeguards of the Health Insurance Portability and Accountability Act (HIPAA) were extended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. For many healthcare providers, these gaps could lead to a major security breach, according to Raj Chaudhary, leader of the Security and Privacy practice at Crowe Horwath LLP, one of the largest public accounting and consulting firms in the U.S.

"The HIPAA Security Rule has three sets of security standards. Each set has several safeguards, and each safeguard has one or more implementation specifications," said Chaudhary. "Providers need to assess their controls and infrastructure against these standards in order to avoid penalties."

As part of compliance with the HIPAA Privacy Rule, Chaudhary also suggests that providers evaluate the risk that any form of protected health information (PHI) they hold could be improperly used or disclosed, lost, or have its confidentiality breached.

According to Chaudhary, providers should take the following steps to protect the security and privacy of PHI:

  • Safeguard data from unauthorized individuals. Users often leave computers logged in while they are away from their desks, and onsite security guards and physical controls sometimes fail to keep unauthorized people out of restricted areas. A walk-through, during and after business hours, can help providers identify whether unauthorized people can physically gain access to protected data.
  • Monitor controls on key systems and check for inadequate logging. Every time a user accesses computerized records, the access leaves a trace in the system's logs. Most healthcare organizations rely on access controls to help ensure compliance with the HIPAA Security Rule. However, security gaps occur when providers use antiquated systems that cannot log, migrate to new systems without enabling logging, or simply do not adequately monitor the activity that is logged.
  • Protect access control. Providers should confirm that passwords are required to access every system, database and application that houses PHI. All required passwords should meet complexity requirements, such as a combination of numbers, symbols, and uppercase and lowercase letters, and be reset on a regular basis. Accounts should be locked after a series of failed log-in attempts, and every failed log-in attempt should be logged so that accounts being targeted for compromise can be identified more easily.
  • Create strong vendor management functions. Most providers do not maintain a comprehensive list of Business Associate (BA) agreements that records the type of data being shared with each BA. The HIPAA Privacy Rule requires that the "minimum necessary" standard be applied to any data shared with vendors. Vendor management has a lifecycle of its own and should be viewed and managed as such in order to protect PHI appropriately.
  • Develop business continuity management and incident response plans. Many providers have a disaster recovery plan that describes how patient care should continue if IT systems are unavailable. On its own, this leaves a gap in how systems are prioritized and recovered after a security incident. An information security-specific disaster recovery plan should be part of the overall plan, and a computer security incident response plan should also be developed in case of a breach.
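The logging and access-control items above describe a check that is easy to state but often left unimplemented: record every failed log-in, count failures per account so targeted accounts stand out, and notice when a system that houses PHI stops producing audit events at all. The following Python script is an added example and is not code from the article or from Crowe Horwath; the log line format, the host names (ehr-app, lab-db, billing-app), the user names and source addresses, the 5-failures-in-5-minutes threshold and the one-hour "silence" limit are all constructed assumptions for illustration.

```python
"""Added example: flag brute-forced accounts and silent PHI systems from auth logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article). Assumed format:
# "<ISO timestamp> <system> auth <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 ehr-app auth FAIL user=jsmith src=10.1.4.22
2024-03-01T08:00:03 ehr-app auth FAIL user=jsmith src=10.1.4.22
2024-03-01T08:00:05 ehr-app auth FAIL user=jsmith src=10.1.4.22
2024-03-01T08:00:07 ehr-app auth FAIL user=jsmith src=10.1.4.22
2024-03-01T08:00:09 ehr-app auth FAIL user=jsmith src=10.1.4.22
2024-03-01T08:00:11 ehr-app auth OK user=jsmith src=10.1.4.22
2024-03-01T08:05:00 ehr-app auth FAIL user=mlee src=10.1.4.30
2024-03-01T08:06:00 ehr-app auth OK user=mlee src=10.1.4.30
2024-03-01T09:00:00 lab-db auth OK user=svc_lab src=10.1.9.5
2024-03-01T09:30:00 lab-db auth FAIL user=admin src=203.0.113.7
2024-03-01T09:30:02 lab-db auth FAIL user=admin src=203.0.113.7
2024-03-01T09:30:04 lab-db auth FAIL user=admin src=203.0.113.7
2024-03-01T09:30:06 lab-db auth FAIL user=admin src=203.0.113.7
2024-03-01T09:30:08 lab-db auth FAIL user=admin src=203.0.113.7
2024-03-01T09:30:10 lab-db auth FAIL user=admin src=203.0.113.7
"""

# Hypothetical inventory of systems that hold PHI and therefore must emit audit logs.
PHI_SYSTEMS = ["ehr-app", "lab-db", "billing-app"]


def parse_auth_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[2] != "auth":
            continue
        fields = dict(p.split("=", 1) for p in parts[4:])
        events.append({
            "ts": datetime.fromisoformat(parts[0]),
            "system": parts[1],
            "result": parts[3],
            "user": fields.get("user", "?"),
            "src": fields.get("src", "?"),
        })
    return events


def find_targeted_accounts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(system, user): n} for accounts with >= threshold failures in any window.

    A sliding window over the sorted failure times gives the peak burst size,
    which is the same signal a lockout control would act on.
    """
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[(e["system"], e["user"])].append(e["ts"])
    flagged = {}
    for key, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def find_silent_systems(events, inventory, now, max_age):
    """Return {system: last_event_iso_or_None} for PHI systems with no recent events.

    Catches both a system that never logs and one whose logging stopped
    (for example after a migration where logging was not re-enabled).
    """
    last_seen = {}
    for e in events:
        if e["system"] not in last_seen or e["ts"] > last_seen[e["system"]]:
            last_seen[e["system"]] = e["ts"]
    silent = {}
    for system in inventory:
        seen = last_seen.get(system)
        if seen is None or now - seen > max_age:
            silent[system] = seen.isoformat() if seen else None
    return silent


def run_checks(text=SAMPLE_LOG, inventory=PHI_SYSTEMS,
               now_iso="2024-03-01T10:00:00", max_age_hours=1):
    """Run both checks and return plain data so the result is easy to assert on."""
    events = parse_auth_log(text)
    return {
        "event_count": len(events),
        "targeted": find_targeted_accounts(events),
        "silent": find_silent_systems(events, inventory,
                                      datetime.fromisoformat(now_iso),
                                      timedelta(hours=max_age_hours)),
    }


if __name__ == "__main__":
    report = run_checks()
    for (system, user), n in report["targeted"].items():
        print(f"TARGETED  {user}@{system}: {n} failures in one window")
    for system, last in report["silent"].items():
        print(f"SILENT    {system}: last audit event {last or 'never'}")
```

On the constructed input, jsmith on ehr-app and admin on lab-db are reported as targeted, ehr-app is reported silent because its last event is nearly two hours before the check time, and billing-app is reported silent because it never logged anything. The second finding is the one the article's logging bullet is about: an inventory of PHI systems compared against what actually arrives in the log store is the simplest way to discover a system whose logging was never enabled.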

"Healthcare providers need to conduct detailed policy and implementation reviews to make sure that the way they handle PHI meets the standards determined by HIPAA. Once gaps are identified, they need to work quickly to remediate them," said Chaudhary.

SOURCE Crowe Horwath LLP
