Critical Care Plus-HIPAA and Security: New Risks, Rules, and Solutions
By Mark Hays, Senior Vice President, InfoMiners.com
(Editor’s Note: This is the first of a two-part series on increasing data protection and security in physician computer systems.)
Computers are liberating healthcare data—we can find information quickly, store it easily, deliver records where they’re needed, automate the payment process, improve quality, and reduce costs. The World Wide Web is an ideal pipeline, allowing us to share patient information from any location, in a universal format. Rapid access to critical data can mean life instead of death for a patient in need.
Lurking in the shadows, however, is a Pandora’s box of security risks. As your patient data become computer driven and linked to the Internet, new doors will open to security issues and threats—from every corner of the globe. Digital data can be sorted and searched from 1000 miles away. A roomful of patient records can be "published" in a second and distributed around the globe—by a single person.
In Michigan, for example, a student recently found thousands of patient records on the Web. Names, addresses, phone numbers, social security numbers, treatment details—available to anyone on the Internet, no "hacking" required. As more healthcare facilities become computerized and linked to the Web, the risk grows.
In response to patient complaints, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. Part of this bill will create a national standard for secure patient data. Over the next few years, strict rules will be enacted for data encryption, user ID, authentication, and access logs. These new rules will affect every healthcare provider.
Common Security Problems in Healthcare Information Systems
HIPAA highlights an embarrassing problem: many healthcare information systems don’t meet basic security requirements. Is your system vulnerable? Probably. Look for seven common security problems:
1. Always-on terminals and PCs: You probably have dozens or hundreds of PCs and/or terminals scattered across your facility. Do all of them automatically go into a password-protected "safe" mode if they’re left unattended? If not, this is an open door for security failure.
2. Weak passwords: Many organizations do not strictly manage passwords. Common words like "password," "manager," the user’s name with one trailing digit, etc., are allowed—and they change rarely, if at all. Few organizations require security tokens or key cards.
3. No single sign-on with central management: Many facilities have a jumble of information systems, and different passwords are required to log on to each system. This places a burden on users, and blocks effective password management. Has your organization implemented a "single sign-on" solution that can effectively manage passwords and rights for each user?
4. Weak security groups and limits: The annual FBI study of IT crime shows that most break-ins are committed by people within the organization—a disgruntled employee, a curious student working part-time, etc. Many systems allow any authorized user to launch any application, search for any record, and print a copy. "User groups" that limit rights are often nonexistent or difficult to maintain. When these functions are available, many organizations don’t bother to implement them.
5. Open databases: Your last request for a proposal probably required the vendor to provide a standard "open" database, accessible via SQL and ODBC. This key feature is also a key weakness. Open databases are easy to access with off-the-shelf reporting tools, and typically have no security or data encryption. In larger facilities, many departments also have a number of local databases, built with Microsoft Access or other reporting tools. You may have a dozen scattered across your organization, with no protection.
6. Weak PC management: The Achilles heel of most healthcare networks is the same tool that improves worker productivity—the PC. Without stringent management, users can download applications from the Web, bring disks in from home, reset their security settings, etc. This is the most common path for viruses, Trojan Horse applets, and other security breakdowns.
7. Poor modem and Internet security: How many PCs in your organization have their own modems, linked to a phone line? Is every connection protected by a firewall? Do some users have laptops that they take on the road or home at night? Without central management of all "points of access," security is impossible to maintain.
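A password policy check for the weak choices named in item 2 above (common words, the user's name with one trailing digit, passwords that are never changed). This is an added example, not code from the article or from InfoMiners.com; the 8-character minimum, the 90-day rotation interval and the small blocklist are assumptions.

```python
import re
from datetime import date, timedelta

# Constructed blocklist of the weak choices the article names; a real
# deployment would load a much larger dictionary of common words.
COMMON_WORDS = {"password", "manager", "welcome", "letmein"}
MAX_AGE_DAYS = 90  # assumed rotation interval; the article only says "rarely, if at all"


def password_problems(password, username, last_changed, today=None):
    """Return a list of policy violations for a proposed or existing password.

    An empty list means the password passes every check.
    """
    today = today or date.today()
    problems = []
    lowered = password.lower()
    user = username.lower()

    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if lowered in COMMON_WORDS:
        problems.append("common word")
    # The user's name on its own or with a single trailing digit, e.g. "jsmith1".
    if re.fullmatch(re.escape(user) + r"\d?", lowered):
        problems.append("based on username")
    if not (re.search(r"[a-z]", password)
            and re.search(r"[A-Z]", password)
            and re.search(r"\d", password)):
        problems.append("needs upper, lower and digit")
    # Passwords that "change rarely, if at all" fail on age regardless of strength.
    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        problems.append("older than %d days" % MAX_AGE_DAYS)
    return problems
```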
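Detection logic run over access-log lines for the insider risk in item 4 (a curious part-timer searching and printing any record). This is an added example, not the article's; the log format, the sample lines, the group names and the per-group daily limits are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample access log (not from the article): one line per record
# access in the form "date user group action record_id".
SAMPLE_LOG = """\
2000-03-01 drlee attending_physician search MRN-1001
2000-03-01 drlee attending_physician print MRN-1001
2000-03-01 tjones part_time_student search MRN-1001
2000-03-01 tjones part_time_student search MRN-1002
2000-03-01 tjones part_time_student search MRN-1003
2000-03-01 tjones part_time_student search MRN-1004
2000-03-01 tjones part_time_student print MRN-1004
2000-03-02 tjones part_time_student search MRN-1005
2000-03-01 nwong nurse search MRN-1002
"""

# Assumed rights and thresholds; a real deployment tunes these per role.
MAX_DISTINCT_RECORDS_PER_DAY = {"part_time_student": 2, "nurse": 20,
                                "attending_physician": 40}
PRINT_ALLOWED = {"attending_physician"}


def parse_log(text):
    """Turn the whitespace-separated log lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, group, action, record = line.split()
        events.append({"day": day, "user": user, "group": group,
                       "action": action, "record": record})
    return events


def find_alerts(events):
    """Flag prints by groups without print rights and users who searched more
    distinct charts in one day than their group's limit allows."""
    alerts = []
    seen = defaultdict(set)  # (day, user, group) -> distinct records searched
    for e in events:
        if e["action"] == "print" and e["group"] not in PRINT_ALLOWED:
            alerts.append(("unauthorized_print", e["user"], e["day"], e["record"]))
        if e["action"] == "search":
            seen[(e["day"], e["user"], e["group"])].add(e["record"])
    for (day, user, group), records in seen.items():
        if len(records) > MAX_DISTINCT_RECORDS_PER_DAY.get(group, 0):
            alerts.append(("excessive_search", user, day, len(records)))
    return sorted(alerts)
```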
New Security Threats from the Internet
E-mail Vulnerability. Let’s start with the most widely used tool on the Web. Most healthcare organizations have an internal e-mail server, and every employee has access to e-mail applications and services. Many of your employees, allied physicians, and patients also have private e-mail accounts that can send and receive messages across your network to your internal server. This creates an open highway for privacy violations and security failure. There are eight key issues.
1. No Message Security: Most users and managers are not aware that e-mail messages can be copied, read, and modified as they move from server to server across the Internet. Many physicians, for example, send notes about their patients via e-mail—with zero security. This violates HCFA regulations and creates a significant risk of liability.
2. Ownership: Many employees do not know that employers own all of the e-mail sent and stored on the employer’s network, and have the right to read and monitor every message. Without effective policies and notification, this can create significant conflicts in the workplace, disputes between employees, and legal costs.
3. Discovery in a Lawsuit: E-mail has become a golden target for attorneys, as highlighted by the Microsoft trial. Every e-mail message stored on your server (and back-up tapes) can be used against you.
4. Offensive Content: Employers can be sued if employees send offensive messages via e-mail, including sexual or racist content. Four female employees of Microsoft sued for alleged sexual harassment, which included pornographic e-mail messages. Microsoft denied the charges, but settled for $2.2 million plus costs. In a similar case, a sexual harassment claim was filed against a subsidiary of Chevron Corporation when a list of "why beer is better than women" jokes circulated on the company’s e-mail system. The claim was also settled for $2.2 million. (Have you seen similar "joke" lists on your company’s e-mail system?)
5. Spam: Unsolicited commercial messages consume bandwidth and storage on your systems and sap employee productivity. Spam is often linked to financial scams that can rob unsuspecting users, and pornographic sites that can lead to claims against your company. Often treated as an annoyance, spam is actually a serious problem.
6. Viruses and Security Bombs: E-mail messages can carry attached documents, HTML pages, and applications that contain viruses and programs designed to blow holes in your security system. E-mail messages are easily broadcast and replicated, so infections can spread quickly. E-mail can also be stored on local PCs, making it difficult to track down and completely eliminate a problem.
7. Weaknesses in E-Mail Servers: Because e-mail is the most widely used Web function, e-mail servers are an obvious target for hackers. Significant holes have been found in every leading e-mail system; your server may have "back doors" that you’re not aware of.
8. Threats from Every Corner of the Globe: E-mail messages can be sent by anyone, from anywhere. The ILOVEYOU e-mail virus was apparently launched from the Philippines, for example—and caused an estimated $10 billion in damage worldwide. Even if you filter incoming messages to your e-mail server, the address of the sender can be "spoofed" with off-the-shelf utilities to fool your system and your users. People with portable PCs may access e-mail at home, with no protection, and carry a Trojan Horse into your network. This makes e-mail an unusual threat that’s hard to pin down.
New Risks from Internet Access
When you connect to the Web, it’s one big party line. This creates a valuable channel for communication and a host of security risks.
Browser Security: Web technology is new and changing rapidly. A stream of security problems continues to appear in leading Web browsers—and many users have not installed the patches needed to plug these holes. For an eye-opening review of issues, click on the Microsoft (www.microsoft.com/windows/ie/security/default.asp) and Netscape (www.netscape.com/download/index.html) sites, and read through the list of bugs and fixes.
Browser flaws also affect your e-mail systems. Many people don’t know that HTML display functions in Outlook, Eudora, etc., are driven by the Internet Explorer browser object. Every weakness in Explorer is "imported" into the e-mail system. Without strong and automated management of the browser on every PC in your system, you may have hundreds or thousands of holes in your security plan.
Personal Web Surfing on the Job: The Web offers a world of distraction—from stock quotes to pornography. Users can spend hours clicking away on Web sites that have nothing to do with healthcare or your business. Is this a significant problem? From recent studies of on-the-job Web use:
• 50% of employees browse the Web for personal reasons.
• One in eight men and one in nine women regularly visit sex-oriented sites.
• 33% of people frequently download unauthorized software from the Web.
• Average time spent per month on Web surfing: 20.3 hours.
Clearly, personal Web use by employees is more significant than many business managers expect—consuming valuable time and exposing employers to security risks and legal liability.
Malicious Content: Web sites can intentionally "attack" a visitor and copy confidential files from a PC or your network—with HTML tags, Javascript functions, and ActiveX objects that compromise security.
Offensive Content: As with e-mail, employers can be sued if employees cruise pornography sites or view other offensive material. The entire content of the Web, good and bad, becomes a legal concern for your organization.
Deliberate Attacks on Your Network: One of the beauties of the Web is the standard "highway" that it builds for information. Any computer can "talk" to any other, despite different operating systems, software, and architecture. This common highway also creates a roadmap for attacks.
In the classic "cracker" attack, someone breaks into your system remotely, via a standard Web port on your server. They look for vulnerabilities, holes, and trapdoors that have been found in every leading Web system. Automated "sniffers" constantly cruise the Web, looking for systems with an open door or known weakness. As the recent rash of "Denial of Service" attacks highlighted, a brute force assault can shut down your system 1) without penetrating your firewall, 2) from any of the millions of computers on the Web, and 3) driven by hundreds of third-party servers that don’t even know they’re part of the attack!
Should you worry? Yes. Proposed HIPAA rules include strict penalties, starting with a year in jail and/or a $50,000 fine. But you don’t have to wait for HIPAA. Your patient records are currently covered by seven federal laws, with additional regulations in 43 states. You also face a serious risk of civil liability. Imagine the claim that could be filed if one sensitive patient record is released without authorization—for a politician, business executive, actor, etc. Attorneys could name everyone involved with the patient, the record, and management. Your liability could easily run into the millions of dollars per incident. The risk is here today, long before HIPAA rules become law.
Steps You Can Take to Improve Security
To reduce risks today and prepare for HIPAA, the first step is a detailed review of your existing security environment and process, which will probably lead to significant changes.
1. Make sure management is committed. The senior management of your organization must be convinced that privacy and security are significant and growing problems—strategic to survival and worth their investment of time and money.
2. Make security a requirement. Many security problems are caused by lack of authority. If your IT staff is in charge of password management, for example, they may be reluctant to go toe-to-toe with powerful physicians and department heads. Make sure your security managers have the authority they need to enforce unpopular requirements.
3. Appoint an enterprise privacy manager. Many organizations have a technical manager of security-related software, hardware, and network access. It’s also important, however, to appoint a senior person to manage overall privacy policy, with the authority required to ensure compliance throughout your organization.
Your privacy manager should be backed by technical, administrative, and legal resources, and should have primary responsibility for all privacy-related issues. For a useful job description, see the article recently published by the American Health Information Management Association (www.ahima.org/inconf/private.matters.0200.html).
4. Review and refresh your security policies and procedures. You probably have a security policy of some kind—probably a section in your employee handbook, and a binder in your IS department. Compare it to the latest laws and standards, and make updates as required. Publish your updated policy on your intranet, with hyperlinks to current laws, and frequent updates to handle new threats. CPRI has put together an excellent no-cost toolkit to help you update your security policies and procedures, including basic training materials at http://healthcare.3com.com/securitynet/hipaa/4_1.html.
The Health Privacy Project at Georgetown University also offers a review of healthcare privacy issues, with suggestions for improved privacy policies. You can download these at no charge at www.healthprivacy.org/latest/Best_Principles_Report.pdf.
5. Spread the word. The first step toward security is awareness and buy-in. Security solutions are often inconvenient, and may seem unnecessary to many users. Your team needs to believe that the threats are real and worth their attention. Set up a privacy and security page on your intranet. Include a link to www.infominers.com to give them online access to all of the resources in this document. Start a privacy bulletin, with weekly updates via e-mail.
6. Audit your organization. Your privacy manager should take a frank and detailed look at security across your organization. Compare current law to your current practice, and audit for compliance. Seriously consider hiring an outside security firm to perform an independent audit, which will usually be more thorough and professional. If your audit is successful, you should find more problems than you expect. If you’re surprised and worried by the audit report, the audit was a success.
7. Prepare to invest in expertise and technology. Some risks can be eliminated with policy and procedure changes. Others will require sophisticated technology and expertise, including encryption, firewalls, and management systems. Even if you have a large organization with lots of resources, you’ll need advice and tools from people who make security a daily business.
You’ll also need to boost your budget for security hardware and software, including technical training for your team. To see where you stand compared to the current "best practices" across the IT industry, see the March 2000 write-up in Network Computing magazine at www.nwc.com/1105/1105f2.html.
Copyright 2000 InfoMiners.com. All rights reserved.
Next Month: How to improve protection for existing information and databases, and secure your e-mail services and access to the Internet.
(Mark Hays has more than 15 years of experience with security technology and has coauthored a number of patents for secure software. He received a first place award from Bill Gates for the Best Healthcare Application for Windows, and a First Place in Healthcare/Biotechnology at Uniforum. He is senior vice president of product development and CTO for InfoMiners.com, where he directs development of secure Web-based data warehouse and reporting systems, and other solutions for HIPAA compliance.)