Three blocks north of Union Station in Washington, D.C., on the seventh floor of an ordinary brick building, a small office of the U.S. National Archives and Records Administration churns out a publication known as the Federal Register. This newspaper of sorts, which runs to hundreds of pages per business day, is the public record of rules, proposed rules, and notices that have been issued by federal agencies and executive orders from the president. In the office's library, there are shelves upon shelves of blue-green books that hold past issues of the Federal Register, a bureaucratic archive stretching back to 1935. And if you look up Volume 68, No. 34, Appendix A to Subpart C of Part 164, you'll find a 169-word security standards matrix that tells you everything you ought to be doing to protect your electronic data.
There are no surprises here, just the elegant obvious. Administrative safeguards. Physical safeguards. Technical safeguards. In all, three dozen specific action items, from data backup to password management to encryption, are pulled together on a one-page chart that summarizes a security rule laid out in the preceding 46 pages. And for all its brevity, this security matrix is an unexpected runaway success, the My Big Fat Greek Wedding of federal documentation, if you will -- a work that no one thought would have a particular impact but that was so accessible it took on a life of its own.
Two-thirds of an early-screening audience requested that the security matrix make its way into the final version of this security rule. It has provided the structure for countless security audits and gap assessments, for task forces and toolkits.
And it's just as important for what it's missing as for what it contains. You see, despite the fact that what we're talking about here applies only to companies in the health-care industry -- it was issued under the Health Insurance Portability and Accountability Act, or HIPAA -- it could apply to any company in any industry. First and foremost, this section of HIPAA documentation is about security.
"These are simply good practices," says Kate Borten, CISSP, who is president of health-care consultancy The Marblehead Group. "There's nothing specific to health care in the rule. This is textbook security 101."
"The regulation in general is highlighting good security practices that most security professionals agree on anyway," echoes Paul Scheib, CISO of Children's Hospital Boston. "The term EPHI (electronic protected health information) isn't relevant to other industries, but you could substitute 'business-critical information,' because any business is trying to protect its most critical information."
For the past half decade, legions of newly minted security officers in the health-care industry have been scrambling to meet first a privacy rule and now this security rule, which were both hammered out by the U.S. Department of Health and Human Services under the mandate of HIPAA, passed by Congress in 1996. (The compliance date for a third rule, which involves electronic transactions and code sets and is intended to streamline how health-care organizations process payments, was October 2003.)
CISOs in other industries have mostly yawned their way through the show. But, like it or not, an increasing number of them will soon be participants in, rather than observers of, the government's efforts to improve information security.
The Gramm-Leach-Bliley Act already has had an impact on financial services companies. Federal agencies are grappling with the Federal Information Security Management Act. Publicly held companies are looking at what role information security will play in assuring their internal controls, as required by the Sarbanes-Oxley Act's Section 404. Companies that do business in California are sorting out SB 1386, which requires them to have processes in place to notify customers whose personal information has been compromised. There are even rumblings of mandatory Securities and Exchange Commission disclosures about information security.
Yet no other industry has done as much to comply with such regulations -- or been as open about their compliance efforts -- as the health-care industry.
Halfway between the April 2003 deadline for the HIPAA privacy rule and the April 2005 deadline for the security rule, we spoke with health-care CISOs about the gritty details of compliance. Here, they share what they're learning on their way down a road that you too may be destined to travel.
And at least one CISO -- whose organization is working to comply not only with HIPAA but also with California's SB 1386 and, voluntarily, Sarbanes-Oxley Section 404 -- thinks that it's about time.
"If all the regulations had come out 20 years ago," says Pacific Life Insurance Co. Assistant Vice President and CISO Micki Krause, whom (ISC)2 named in 2003 as its top information security professional, "we'd all be in a better state."
You are where?
Rita Aikins isn't sure just yet what will be involved with bringing the Providence Health System into compliance with HIPAA's security rule. But she knows the process has to start with a risk assessment. Aikins is busy amassing a huge database of department, host/server and application surveys, which compare the requirements of the security rule with the realities at Providence, the Seattle-based nonprofit organization where Aikins is system director of privacy and information.
"(The database) is huge. It's a ton of data," says Aikins. Her group already has compiled 139 application surveys for Oregon alone -- their starting point in the audit process because the capital budget process for Providence's Oregon region occurs earlier than in the other three states where the organization operates. At the end of January, Aikins was wrapping up this security audit in Oregon, and she hoped to have Washington, then Alaska and finally California done by June 30.
Aikins decided it would be more productive to conduct the audit in-house rather than hire a consultant. "I thought it would help if the people who were doing the risk assessment were the ones responsible for implementing the rule," she says. But until the security audit is done, her team can do little else. "The risk assessment gives us the gap analysis" -- the action items that will put the organization in compliance with the regulation. "Without the risk assessment, you are just kind of spinning."
The final security rule makes that much clear. In an earlier version of the security rule, the requirements were democratically unprioritized. But in the final version, HHS decided to make this risk analysis first on the list of administrative safeguards -- the top line on the security matrix. "We believe this forms the foundation on which all of the other standards depend," the rule states.
And that's how most health-care organizations rang in the new year, says Cindy Smith, senior manager with PricewaterhouseCoopers' HIPAA security and privacy practices. "Organizations are in the throes of their risk assessments," she says. "It's never going to be trivial. Everyone is realizing it's a lot of work, but it's not rocket science. It's standard risk assessment -- identifying what assets you have and what the risks and vulnerabilities are."
This risk assessment process is a component of Sarbanes-Oxley compliance as well. A few companies are integrating the process and doing a thorough enough assessment to meet both regulations, Smith says. Most, however, aren't. "Some people are saying, I don't want to bite off what I can't chew."
Either way, once the security assessment is complete, the real gnashing and gnawing begins.
Nuts and bolts
Screen savers. Two thousand, four hundred of them in all, which must lock up and blank out the EPHI on any device at Maimonides Medical Center left unattended for three minutes. "I can't go to 2,400 workstations to do things like set up screen savers," says Mark Moroses, security officer and senior director of technical services. "That's trench warfare."
And so, one cold morning in January, shortly after 6 a.m., Moroses threw the switch on a set of network architecture changes that would grant him global control of things like screen savers -- thus setting the stage for the 705-bed hospital in Brooklyn, N.Y., to become HIPAA compliant. The screen savers, it turns out, were the easy part.
"Previous to this, everyone was focused on making (systems) as easy for caregivers as possible," Moroses says. "Then HIPAA comes along and says it's not so much ease of use but making sure the correct people have access to information. Those are two competing ideas, and you have to reconcile that. That's where the gap exists."
Consider, for instance, access to Maimonides' electronic medical records. When the electronic medical record (EMR) system went live, it was originally set up to save doctors time when they logged on to the network: rather than requiring unique network log-ons, computers had generic network log-ons, and doctors typed in unique user names and passwords only for the EMR system, which restricted the information that any given user could access and provided audit capabilities as well. That was great for convenience, but it meant there was no way to track who was accessing other network resources.
Before Moroses and his group could replace the generic network log-ons in patient care areas with unique user names and passwords, however, they had to get approval from clinical leadership: a hospital information systems advisory committee, which includes all the clinical chairmen plus the chief operating officer, senior vice presidents and vice presidents; and a physician task force, a subcommittee working group chaired by a doctor.
"Everything we do comes through that committee," Moroses says. "They can either recommend it or shoot it down."
At first, they shot it down.
When Moroses' group approached the chairman of the emergency department about the change, "He said, 'We can't do it -- no way,'" Moroses recalls. ER doctors couldn't spend an extra 80 seconds logging on without negatively affecting patient care. So the groups went back and forth until they found a solution that everyone could live with: The 230 computers in the emergency department would be separated from the rest of the network and have access only to EMR data. Nonclinical care computers would require both network and EMR system unique user names and passwords.
Compliance is a game of compromise.
Now that the technical framework is in place, Moroses is focusing on processes. For instance, if someone in the accounting department has left the hospital but is still collecting vacation pay, her network privileges need to be revoked on her last day of work. Or if a nurse fills in for a colleague in another department, Moroses needs a process to cut off temporary access rights once he returns to his old job.
"There are a lot of little quirks that weren't addressed in the past, but now you have to deal with it. It's that kind of process change that's going to be the largest work," Moroses says. "An oil tanker needs about five miles to turn left. Health-care institutions are like that."
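The two de-provisioning gaps Moroses describes (a departed employee still on the payroll, and a temporary cross-department assignment that has ended) are the kind of thing a periodic entitlement reconciliation catches. The following is an added illustration, not code from Maimonides or any vendor; it assumes an HR roster that records each person's last working day and a list of time-limited access grants, both constructed here as sample data.

```python
"""Entitlement reconciliation for the two de-provisioning cases above.
Added example with constructed sample data; assumes an HR roster with a
last-working-day field and a register of temporary access grants."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    last_working_day: Optional[date]  # None while still employed

@dataclass(frozen=True)
class TemporaryGrant:
    user: str
    department: str
    expires: date

# Constructed sample data: an accounting clerk whose last day worked has
# passed (she is still on the payroll collecting vacation pay, so a
# payroll-driven check would miss her), and a nurse whose cover assignment
# in another department has ended.
ACCOUNTS = [
    Account("acct_clerk", True, date(2004, 1, 16)),
    Account("nurse_r", True, None),
    Account("dr_m", True, None),
]
GRANTS = [
    TemporaryGrant("nurse_r", "oncology", date(2004, 1, 31)),
    TemporaryGrant("dr_m", "icu", date(2004, 3, 15)),
]

def stale_accounts(accounts, today):
    """Enabled accounts whose owner's last working day has passed.
    The cut-off is the last day worked, not the last day paid."""
    return sorted(a.user for a in accounts
                  if a.enabled and a.last_working_day is not None
                  and a.last_working_day < today)

def expired_grants(grants, today):
    """Temporary cross-department grants that should already be removed."""
    return sorted((g.user, g.department) for g in grants if g.expires < today)

def reconcile(accounts, grants, today):
    """One report of everything de-provisioning should have caught by today."""
    return {"disable": stale_accounts(accounts, today),
            "revoke": expired_grants(grants, today)}

if __name__ == "__main__":
    print(reconcile(ACCOUNTS, GRANTS, date(2004, 2, 2)))
```

Run daily against real HR and directory exports, the "disable" and "revoke" lists become the work queue for the process change Moroses describes.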
Spread the word
Once the policies are in place, the education challenge begins. In this instance, at least, health-care institutions have experience with the HIPAA privacy rule to guide them. At Carilion Health System in Roanoke, Va., Tom Newton, information security officer, remembers that it took four months to educate 10,000 staff members about the changes -- what the rule entailed, why it was important and how it should be applied correctly in an everyday environment.
The questions were far-ranging: What information can be left on an answering machine? When can a receptionist tell a caller whether an individual has a doctor's appointment that afternoon? How does a nurse identify a patient calling in for lab results? Where can patient names and room numbers be posted? All of these questions needed to be answered with policy and then passed on to employees.
If it sounds like employees get fire-hosed with rules, then you're right. "Oh, it's awful," Newton says. "It just inundates them with things."
In September, Carilion will begin the training process for the security rule. It will be easier this time around. The privacy rule applies to all kinds of protected health information, electronic and otherwise, but the security rule covers only electronic PHI.
Newton decided to rework existing policies to include new sections resulting from the security rule -- as he did for the privacy compliance.
One thing he does know for sure: It was a waste of money last time to offer Web-based training because less than 15 percent of employees used the Web modules, and it was, Newton believes, less effective than in-person training. For the security rule, employees will be able to attend a live session or read the handbook on their own.
A matter of interpretation
Even as organizations chip away at HIPAA compliance employee-by-employee, a bigger question remains: How will HHS interpret and enforce the HIPAA security rule once next April's deadline passes? This, perhaps most of all, is something for other CISOs to watch because it could have a tremendous impact on how future information security regulations are crafted and enforced.
The security rule, by design, leaves plenty of room for interpretation. In particular, it was written to be technology-neutral, to allow diverse entities to comply and also to keep it from going out-of-date. "Any kind of federal regulation, I think by definition, is going to be fairly high-level," explains Borten of The Marblehead Group. "If you get too specific, you'll shoot yourself in the foot."
It remains to be seen what kind of specifics the HHS Centers for Medicare and Medicaid Services, which is in charge of enforcing the security rule, will expect when it begins enforcement. But if it's anything like the privacy rule, compliance will be all over the board. While some organizations are not yet in compliance, others are taking HIPAA to ridiculous extremes. Just before Christmas, a hospital in Wisconsin announced that a 13-year-old leukemia survivor would no longer be allowed to make her annual toy delivery to young patients, on the grounds that patient privacy would be violated. And in New York state, one hospital recently decided that it would no longer send out birth announcements to local newspapers because of HIPAA concerns. (Other hospitals in the state still send the announcements but require a parent's signature.)
PWC's Smith, for her part, thinks legal departments are running scared. "A lot of them don't know what compliance is going to mean. They're worried about who might sue them," she says. "Some of my CSOs are saying, I've been doing this. It's the legal departments coming in, fearful, saying, Can we prove what we're doing? They're dotting their I's and crossing their T's."
But it's not the way the HIPAA privacy rule is being enforced that's prompting them to act. In 2003, in fact, HHS's Office for Civil Rights -- which is in charge of enforcing the privacy rule -- received only 3,745 complaints from patients. (HHS does not as a rule instigate investigations of violations; the process is primarily complaint-driven.) Of those, 40 percent had been resolved, and a small number -- HHS spokesman Craig Palosky wouldn't say how many -- had been passed on to the Department of Justice for criminal investigation.
Congress established civil penalties of up to US$100 per violation, up to $25,000 for violations of the same standard in a calendar year. (Criminal penalties, for violations such as selling PHI for commercial advantage, go up to $250,000. Violators could also face up to 10 years in prison.)
In theory, the civil fines are small in comparison with what organizations are spending on compliance. But in reality, they're nonexistent. In 2003, a grand total of zero dollars in fines had been levied against anyone for HIPAA violations.
But for Pacific Life's Krause, at least, that's beside the point. It's incentive enough that auditing and rating agencies are including security and privacy questions in their surveys. Besides, she says, none of these regulations are so onerous if you have good security processes in the first place.
About two years ago, the Newport Beach, Calif.-based company launched a comprehensive, companywide information security program. Now all that Pacific Life's group health insurance division really has to do to comply with the HIPAA security rule is complete a final security audit, just to make sure nothing slipped through the cracks.
To comply with California's SB 1386, the company has processes and procedures to identify potential security breaches and communicate them to customers. The company has even decided to undergo a voluntary Sarbanes-Oxley 404 exercise, in which the business units will document and validate the company's controls over key financial processes, including security safeguards and controls. (Pacific Life is privately held, so it is not required by law to comply with Sarbanes-Oxley.)
So how can Krause stay cool in the face of HIPAA compliance and much, much more? Well, why not? In the end, she has found, none of the regulations are so different after all.
"The HIPAA security rule, the HIPAA privacy rule, SB 1386, Sarbanes-Oxley -- they all really play into supporting privacy and confidentiality of customer information," she says. "If you do your security program based on best practices, then you are most likely going to comply with any regulations attempting to support privacy and confidentiality."