HIPAA Security The Reverse Loophole - PowerPoint PPT Presentation

Slides: 24
Provided by: Ric6191

1
HIPAA Security The Reverse Loophole
  • infotex
  • Purdue University
  • Rich Skinner and Gram Ludlow
  • 3/5/04

2
Practicum
  • Information Security Consulting in Healthcare
    Practicum
  • Formed by partnership between Purdue University
    and Infotex
  • Graduate Level Credit
  • Focused on HIPAA Issues

3
Introductions
  • Rich Skinner
  • M.S. Information Security - CERIAS
  • B.S. Computer Networking Purdue
  • Fort Wayne, IN
  • Has lived in North Carolina, West Virginia,
    Indiana (Dual Citizen of US and Canada)
  • Interested in Business Goals and Processes of
    Information Security

4
Introductions
  • Gram Ludlow
  • M.S. Information Security - CERIAS
  • B.S. Computer Science Purdue
  • Noblesville, IN
  • Can juggle and ride the unicycle, but not at the
    same time
  • Interested in Enterprise-wide Information Security

5
HIPAA Security
  • Final Ruling Established February 20, 2003
  • Draft of procedures listing fundamental
    requirements for security compliance
  • HIPAA Security covers all protected health
    information in electronic form that is
  • Received
  • Created
  • Maintained
  • Transmitted

6
HIPAA Security
  • Deadlines
  • April 21, 2005 - Security Standards - all covered
    entities except small health plans
  • April 21, 2006 - Security Standards - small
    health plans

7
HIPAA Security
  • HIPAA Security is composed of four areas
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Requirements
  • This last part is at the center of our project

8
HIPAA Security
  • Security Management Process
  • Risk Analysis
  • Risk Management
  • Sanction Policy
  • Information System Activity Review
  • Assigned Security Responsibility

9
HIPAA Security
  • Workforce Security
  • Authorization and/or Supervision
  • Workforce Clearance Procedure
  • Termination Procedures
  • Information Access Management
  • Isolating Healthcare Clearinghouse Function
  • Access Authorization
  • Access Establishment and Modification

10
HIPAA Security
  • Security Awareness and Training
  • Security Reminders
  • Protection from Malicious Software
  • Log-in Monitoring
  • Password Management
  • Security Incident Procedures
  • Response and Reporting

11
HIPAA Security
  • Contingency Plan
  • Data Backup Plan
  • Disaster Recovery Plan
  • Emergency Mode Operations Plan
  • Testing and Revision Procedure
  • Applications and Data Criticality Analysis
  • Evaluation

12
The Reverse Loophole
  • What?
  • Business Associate Contract
  • The covered entity must obtain satisfactory
    assurances from the business associate that it
    will appropriately safeguard the information in
    accordance with these HIPAA security
    standards. (164.308b)
  • No distinction would be made between internal
    corporate entity communication or communication
    external to the corporate entity. (164.302b)

13
The Reverse Loophole
  • Bottom line
  • For a hospital to be HIPAA compliant, all
    business associates must also be HIPAA compliant.
  • However, small clinics do not have to be
    compliant until 2006.
  • How will hospitals be compliant before 2006 if
    their associates are not?

14
The Reverse Loophole
  • Business Associate Contracts
  • A contract between a covered entity and a
    business associate must provide that the business
    associate will
  • Implement safeguards that reasonably and
    appropriately protect
  • Confidentiality
  • Integrity
  • Availability

15
Why is security important?
Figure 1 - CSI / FBI 2003 - Unauthorized Use of Systems
16
Why would you care?
  • In December of 2002, thieves physically broke
    into an office of TriWest Healthcare Alliance in
    Phoenix and stole computer hard drives
    containing Social Security numbers and addresses
    of about 562,000
  • The recent incident at the University of
    Washington Medical Center highlights the
    sensitivity and vulnerability of healthcare data
    systems connected to the Internet to outside
    threats. A hacker called "Kane" downloaded
    admission records for 4,000 heart patients in
    June/July 2000.

17
What do you have?
  • Employee Records
  • SSN
  • Addresses
  • Payroll
  • Patient Data
  • What would happen should this information be
    compromised?

18
Project Phases
  • Phase I - Research HIPAA Security Rulings and
    Regulation
  • Phase II - Conduct Interviews
  • Phase III - Analyze Results / Write Final Report

19
Phase I - Research
  • Analyze final rulings
  • Assess requirements for small and large
    healthcare organizations
  • Associate events with basic security matrix

20
Phase II - Interviews
  • Phase II - Conduct Interviews with small and
    large organizations
  • Hospital: CIO, IT Managers, Compliance Manager,
    End Users
  • 2 or more Clinics: Doctors, Practice Managers,
    End Users

21
Phase III - Final Report
  • Produce deliverable report for healthcare
    organization
  • HIPAA Security
  • Interview Results
  • Identify Potential Problem Areas
  • Recommendations

22
Project Phases (timeline chart)
Phase 1 - HIPAA Research
Phase 2 - Interviews: Hospital Interviews, Clinic Interviews
Phase 3 - Final Report Phase: Analyze Responses, Write Final Report
Timeline date markers: 01/26, 04/01, 04/18, 05/02, 02/25, 03/25
23
Questions..