July 25, 2005

Securing Electronic Data — People Make Procedures Work

Common sense and vigilance are the most effective compliance tools for HIPAA’s security rule.

As shredders have become the appliance du jour and identity theft is steadily rising, the HIPAA security rule only grows in significance. With the passing of the April 21 deadline for complying with the rule, some organizations are struggling with maintaining compliance. (Qualifying small health plans have until April 21, 2006, to comply.)

When implementing the specifications of the security rule in your organization, common sense is king. Regard the security rule as more of a guideline than an absolute, keeping in mind the organization’s individual goals within the rule’s restrictions. Management availability to staff and participation in the security team will promote compliance as effectively as any safety procedures you institute, according to Carol A. Quinsey, RHIA, CHPS, professional practice manager for the American Health Information Management Association (AHIMA).

Shouldering the burden of maintaining compliance with the HIPAA security rule can be a daunting undertaking. Fortunately for most radiology departments, the facility’s information technology (IT) staff takes the lead, and the department’s primary responsibility is implementing the procedures within the department. If managing the task of complying with the rule is too much work, outside security organizations can assist. Additionally, there are numerous resources available to organizations that struggle with the rule, Quinsey says. “Use the AHIMA, use security companies, and most importantly read the security rule,” she advises.

Terry Callahan, managing director of HIPAAT Inc. in Ann Arbor, Mich., helps organizations secure their nodes with software that authenticates the user and gathers audit information for each authorized session. Callahan stresses that the key aspect behind his security solutions is the audit feature. “Auditing is paramount. The security officer will have a time-synchronized overview of every node, even legacy modalities, within an organization to better maintain the security of protected health information [PHI],” he says.

“The 100% secure theory is a myth,” Quinsey adds. “No one can be 100% secure.” The goal of the security rule is to reduce the risk of intrusion and violation to an acceptable level that the covered entity can live with and feel secure about, she adds.

Becoming Compliant

“Notice the points of vulnerability, such as firewalls or inadequate passwords. Take measures to secure the vulnerability and document all the work that is done,” Quinsey advises. “Many organizations thought the security rule would go away, but they were wrong,” she continues. “The security rule will not disappear and it shouldn’t just be about HIPAA standards. It is simply good business to have a solid security plan in place.”

The security rule involves following four safeguards: technical, administrative, physical, and organizational.

• Administrative safeguards consist of risk analysis, assigning a security management team, implementing security awareness training, establishing incident procedures, and addressing the language of both business associate agreements (BAAs) and any other contracts into which the organization has entered.
• Physical safeguards include establishing access controls, instituting a password system for workstations, and implementing device and media controls for all other machines in the organization.
• Technical safeguards focus on the installation of hardware and software on applicable nodes to control access and audit programs.
• Organizational requirements call for documentation of compliance in the organization’s BAAs. They also require that group health plans document that appropriate safeguards have been implemented in all areas where risk was assessed.

Some standards exist under the safeguards, but the individual facility can decide how they are implemented, Quinsey says. “There is not one correct way to approach compliance; it is all prescribed by each individual situation,” Quinsey says. Although there are implementation specifications, she advises providers to develop compliance methods that suit their particular needs. “These specifications may or may not make sense for an organization’s particular situation. Use common sense when applying the rule, but do not ignore the specifications. Every specification must be considered,” she notes. If the organization believes a certain specification under the rule does not make sense in its circumstances, it must document why it chose not to incorporate that guideline into its practice, she adds.

Staying Compliant

She points out that the security rule is driven by patient complaints. “The HIPAA police are not monitoring or demanding updates,” she says. “The likelihood that an issue will present itself is unlikely, but it could happen.” With this realization, keep abreast of the technology and security solutions you implement. In some situations, this may involve contracting an outside security solutions company to assist in maintaining compliance.

HIPAAT helps organizations become and stay compliant with security once a detailed risk analysis has been completed and a security officer has been appointed. Callahan assists in securing nodes by implementing the following three key features, according to Integrating the Healthcare Enterprise guidelines:

• instituting an access control/user authentication device;
• establishing node-to-node authentication; and
• installing software to audit all actions on each node.

“In this way, all nodes are secure and create a secure domain to satisfy the security rule,” Callahan explains. “Then, for proper audit controls, the following three key elements must be identified: Who is the user? Who is the patient? What protected health information was created or accessed?”

In radiology, that focuses on following the procedures established to protect computer access in the department. As Quinsey points out, organizations must apply the security rule in a way they believe is best for their particular situation. Likewise, Callahan says, “some facilities may believe that if a node is in a private space with limited access, then there are safeguards already instituted; however, this notion of privacy may not extend to an ultrasound machine in a public area.”

“Because hackers are getting smarter, the technology must also get smarter and become more secure,” Quinsey says. However, common sense is important here as well, and in some organizations, it may not be sensible to upgrade the current technology. New machines will be equipped with software that already complies with the security rule, Callahan adds. However, older nodes probably cannot be upgraded by the vendor because some of the older machines have moved out of production and do not warrant the development, testing, and installation of software, he adds. Most likely, the organization would address compliance with these older machines by using an alternative security method, such as installing a third-party solution, Callahan says.

Auditing and Incidents

One security solution Callahan supplies to vendors is an auditing tool kit to record and send security events from any node to a central repository database, where the security officer monitors the information for security incidents. “Having a repository eliminates the need for the officer to go to each individual node to compile a security incident report,” Callahan explains. To review the audit information, the security officer can search by patient name, user name, or event.

“How we audit is important, but it is not as critical as who is monitoring it,” Quinsey says. It is acceptable for the IT department or an outside company to create the auditing program, but department managers and supervisors must be involved in the process in the facility’s departments, she says. Additionally, the security officer, department managers, and supervisors should be involved in monitoring the data for incidents.

If a security incident does arise, the staff should know to whom it should be reported, Quinsey says. “Your project team for investigating security breaches should include IT, a department manager, and human resources to manage union-related issues,” she says. “An administrator should not be included in the initial investigations because this is the person the report should go to.”

Sanctions should be imposed depending on the severity of the infraction. In some situations, a verbal or written warning is sufficient. However, in others, immediate dismissal and notifying the police are required—especially in the case of identity theft, Quinsey says. “Take the appropriate action according to the procedures and policies that are in place,” she adds.

“It is important to recognize when to first secure and then investigate the situation vs. investigating an incident then securing because some actions require different measures,” Quinsey says. For example, if a patient’s information is not secure, it is important to investigate the breach in security and then secure and act accordingly within the policies and procedures mandated, she says. A patient’s welfare is rarely threatened by a breach in secure information, but the situation could obviously be different if an outsider entered a restricted area wearing someone else’s badge. In such a case, secure the area first and then investigate. “Using common sense is essential when dealing with security incidents,” she emphasizes.

“Although there are standards, policies, and procedures within the security rule, never underestimate the power of talking to your staff,” Quinsey says. “You would be surprised to hear the information that is divulged at a nurse’s station.” Knowing what questions to ask and being available to staff will promote trust. Employees will ask questions and participate in the security process. Managing staff by walking around and being visible is essential. “Become familiar and comfortable with your staff,” Quinsey says. “The more they see you, the more apt they are to trust and be forthcoming with you.”

Just Shred It!

To further keep track of the paper trail, she says it is important to ask how often the printer is emptied of unwanted reports. The reports are in an open forum for anyone to see; take the appropriate steps and be sure that all printed material is properly destroyed, she adds.

“Revisit the language of your BAA annually and address upgrades or changes to your equipment,” Quinsey says. Determine whether the language is accurate and reflective of the technology. “A BAA can become stale if it is not reviewed annually,” she adds.

Ongoing Initiatives

In the aftermath of the security rule, plan for training to keep your staff vigilant of security matters. “Not only will continuous training raise security awareness, but it will also alert your staff to changes and issues that may arise,” Quinsey says. Ongoing training can be impromptu. For example, a scroll on a computer screen can be used to remind employees not to leave terminals unlocked and available for anyone to access. Also, a weekly notice of a security rule fact can be posted to keep your staff alert. Security issues should be addressed on a daily or weekly basis rather than a quarterly or annual basis, Quinsey says.

“In light of the security rule, it is important to realize that no matter how strong our passwords are or how secure our firewalls are, people are the weakest links,” Quinsey says. “Although the security rule is grounded in policy and procedures, it is essential to look at the people within your organization and know who is working for you.” To further tighten security, Quinsey advocates mandatory background checks on every employee. “Managers need to know with whom they are dealing,” she says. “It is important that we are aware of a person’s background to know what type of people are reviewing confidential information.”

— Kim M. Norton is a freelance writer.
3801 Schuylkill Rd • Spring City, PA 19475. Publishers of Radiology Today. All rights reserved.