
Identity 360 - An Imprivata Blog



Posts tagged: HIPAA compliance

User Access Relevance in a HITECH Age

June 3, 2010 at 9:24 AM by David Ting

The National Institute of Standards and Technology (NIST) published its Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule back in late 2008, but, spurred by the jolt of healthcare IT investment that HITECH mandates have driven, it has renewed relevance today.

The HIPAA Security Rule “specifically focuses on the safeguarding of electronic protected health information (EPHI)… All HIPAA covered entities, which include some federal agencies, must comply with the Security Rule, which specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule.”  This NIST 800-66 Revision 1 document provides a comprehensive guide for HIPAA compliance to the Security Rule, and details “Key Activities” to engage in that are segmented by defined categories that are easy to read and navigate.

From a user access perspective, there are important technical safeguards outlined in the area of Access Control, Audit Control, Integrity, and Person or Entity Authentication that are worth calling out.  Specific Key Activities within these technical safeguards criteria you should review include:

4.14 Access Control, Key Activity #3: Ensure All System Users Have Been Assigned a Unique Identifier
This requirement is integral to tracking who is accessing what information and whether they are authorized to do so.  Enforcing policies that eliminate credential and password sharing is a crucial complement to this requirement, since only then can every action be traced back to a specific user identity.

4.14 Access Control, Key Activity #8: Automatic Logoff and Encryption and Decryption
This requirement calls for “electronic procedures that terminate an electronic session after a predetermined time of inactivity.”  Plenty of automatic logoff products satisfy the letter of this requirement, but they hinder workflow by requiring the user to actively log back into the system.  In a healthcare environment, where doctors, clinicians and staff share workstations and need fast access to patient information, session time-outs add friction when time is of the essence.  This was a core consideration when we designed our OneSign Secure Walk-Away solution, which uses computer vision with active presence detection and user tracking to recognize the authenticated user in front of a workstation, automatically lock the desktop when they step away, and re-authenticate them instantly on their return.  A hard inactivity timeout should still remain configured as a backstop for the case where presence detection fails.  The combination satisfies this Key Activity and fits real-world workflow for the best of both worlds.

4.15 Audit Control, Key Activity #1: Determine the Activities that Will be Tracked or Audited
This Key Activity is a foundational pillar of managing healthcare security risk.  Determining which systems and activities need to be monitored and reported on is crucial to closing potential breach gaps and to streamlining the reporting requirements of other sections of the Security Rule.  The data breach notification requirements of HITECH that went into effect on Feb. 18, 2010 present new risks for healthcare organizations, so it is critical to detect breaches, whether malicious or accidental, and report them quickly to avoid penalties and fines from both state attorneys general and the federal government.  To do that effectively, one must first establish what is tracked and audited, which makes this Key Activity even more relevant today than before HITECH went into effect.
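As an added example (not code from the original post), the Python below shows one concrete check that follows from Key Activity #3 and from this Key Activity together: once every user has a unique identifier and the audit trail records login and logoff events, two sessions under one user ID that overlap in time on different workstations are a direct indicator of credential sharing. The log format, user IDs and workstation names are constructed for illustration.

```python
"""Flag likely credential sharing from an EPHI access audit log.

Added example, not code from the original post. Assumes the audit trail
records LOGIN/LOGOFF events as "ISO-timestamp EVENT user-id workstation";
the sample lines, user IDs and workstation names below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. nurse.jsmith is logged in on two ICU workstations at
# once (08:10:45 to 08:31:09), which one person cannot be; dr.kpatel simply
# logs off and back on at the same workstation.
SAMPLE_LOG = """\
2010-06-01T07:58:02 LOGIN  nurse.jsmith ICU-WS-01
2010-06-01T08:03:17 LOGIN  dr.kpatel    ED-WS-04
2010-06-01T08:10:45 LOGIN  nurse.jsmith ICU-WS-07
2010-06-01T08:31:09 LOGOFF nurse.jsmith ICU-WS-01
2010-06-01T08:40:00 LOGOFF nurse.jsmith ICU-WS-07
2010-06-01T09:02:30 LOGOFF dr.kpatel    ED-WS-04
2010-06-01T09:05:00 LOGIN  dr.kpatel    ED-WS-04
"""


def parse_log(text):
    """Return a time-sorted list of (timestamp, event, user, workstation)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crash mid-audit
        ts, event, user, ws = parts
        events.append((datetime.fromisoformat(ts), event.upper(), user, ws))
    return sorted(events)


def build_sessions(events, end_of_log):
    """Pair each LOGIN with the next LOGOFF for the same (user, workstation).

    Returns (user, workstation, start, end). A LOGIN with no matching LOGOFF
    (walk-away without logging off, or a truncated log) is closed at
    end_of_log so the overlap check still considers it.
    """
    open_sessions = {}
    sessions = []
    for ts, event, user, ws in events:
        key = (user, ws)
        if event == "LOGIN":
            if key in open_sessions:  # second LOGIN without LOGOFF: close the first
                sessions.append((user, ws, open_sessions.pop(key), ts))
            open_sessions[key] = ts
        elif event == "LOGOFF" and key in open_sessions:
            sessions.append((user, ws, open_sessions.pop(key), ts))
    for (user, ws), start in open_sessions.items():
        sessions.append((user, ws, start, end_of_log))
    return sessions


def find_concurrent_sessions(sessions):
    """Return (user, ws_a, ws_b, overlap_start, overlap_end) for every pair of
    sessions under one user ID that overlap in time on different workstations."""
    by_user = defaultdict(list)
    for user, ws, start, end in sessions:
        by_user[user].append((ws, start, end))
    findings = []
    for user, sess in by_user.items():
        sess.sort(key=lambda s: s[1])
        for i, (ws_a, a_start, a_end) in enumerate(sess):
            for ws_b, b_start, b_end in sess[i + 1:]:
                if ws_a == ws_b:
                    continue  # the same seat again is normal, not a sharing signal
                overlap_start = max(a_start, b_start)
                overlap_end = min(a_end, b_end)
                if overlap_start < overlap_end:
                    findings.append((user, ws_a, ws_b, overlap_start, overlap_end))
    return findings


def audit(text):
    """Run the full check over raw log text and return the findings."""
    events = parse_log(text)
    end_of_log = events[-1][0] if events else None
    return find_concurrent_sessions(build_sessions(events, end_of_log))


if __name__ == "__main__":
    for user, ws_a, ws_b, start, end in audit(SAMPLE_LOG):
        print(f"{user}: concurrent sessions on {ws_a} and {ws_b} "
              f"from {start:%H:%M:%S} to {end:%H:%M:%S}")
```

In practice the same check runs over the SSO or EHR audit export. Where roaming sessions hand off between workstations, a brief overlap is legitimate, so a minimum overlap duration should be tuned before an alert is raised; that threshold is a local policy decision, not something the guide prescribes.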

4.16 Integrity, Key Activity #1: Identify All Users Who Have Been Authorized to Access EPHI
4.16 Integrity, Key Activity #5: Implement a Mechanism to Authenticate EPHI
These Key Activities combine to identify all approved users with the ability to alter or destroy data, raise questions around user authentication, and determine whether authentication tools interoperate with other applications and systems.  These requirements dovetail with the audit trail requirements for understanding how information is accessed and by whom, so healthcare entities can report on all aspects of cross-organization healthcare access management.

4.17 Person or Entity Authentication, Key Activity #2: Evaluate Authentication Options Available
Secure authentication is integral to protecting patient information, so it comes as no surprise that the Security Rule calls out commonly used authentication approaches.  Specifically, the guideline urges aligning different levels of authentication with an assessment of the risk to the information and systems.  Password policy, biometric authentication, smart cards, proximity badges, or any combination of these can satisfy this requirement, but it is essential that they are tied together under easy-to-manage identity management; otherwise it becomes unwieldy and burdensome to keep up as new hires are brought onboard and terminated employees are de-provisioned.


There’s a lot to this NIST resource for navigating the HIPAA Security Rule – it is 117 pages of guidelines and supporting appendices.  It’s a tremendous guide to a significant HIPAA compliance requirement.  With a recent injection of funds and incentives into the healthcare IT market from HITECH and healthcare reform driving increased investment in electronic medical records (EMR), secure user access to EPHI plays an increasingly important role. 

Building on this, the guidelines in NIST 800-66 Revision 1 deserve application worldwide, as increased legislation in numerous countries drives greater attention to protecting patient health information in any form and puts stringent requirements around data security and the tools necessary for reporting on activities to demonstrate compliance.  It is a great asset out there for public consumption, and can help drive best practices worldwide.

Tags: HIPAA_compliance user_authentication security_risk secure_authentication password_policy security_breach biometrics_authentication data_security password_sharing healthcare_access_management


Guest Post: The New Need for Auditing: Privacy and Breach Notification Mandates

March 25, 2010 at 7:57 AM by Ali Pabrai

The HITECH Act, HIPAA and mandates from State regulations (e.g. Massachusetts 201 CMR 17.00) are raising the minimum requirements that organizations such as HIPAA covered entities and business associates must implement to prevent unauthorized access. Further, the Connecticut Attorney General’s lawsuit against Health Net of Connecticut for failing to secure the Protected Health Information (PHI) of approximately 446,000 enrollees, and for failing to notify State authorities and enrollees of the breach, is a reminder that breaches are not just a risk to information but a risk to the organization.

HITECH Audit Preparedness
Organizations need to take the compliance mandates of HIPAA, HITECH and State regulations seriously. Compliance requirements establish the minimum capabilities that organizations must manage and maintain. To be audit-ready, organizations must at a minimum:

  • Ensure a robust life cycle is maintained for account access, modification and termination
  • Ensure proactive audit and monitoring capabilities are in use to track and detect unauthorized access
  • Establish Role-Based Access Control (RBAC) to manage job roles and associated access rights (this requires Human Resources to work closely with the Information Technology department)

With the new world order in healthcare driven by privacy and data breach mandates, secure authentication to access patient information is directly in the sights of state AGs and Federal agencies across the country in a concerted effort to tighten data security and ensure patient privacy. As such, effective user authentication is a critical component to avoiding potential breaches and it should enable quick reporting capabilities to prove compliance and appropriate actions taken should anything happen.

More than ever, the Boards of Directors at hospitals, health systems, business associates and others are taking notice and asking an important question – “is the organization compliant with HIPAA and HITECH mandates?” Are you?

Ali Pabrai, chief executive of ecfirst, is a highly sought after security and compliance expert. He is also author of the executive brief Cyber Security Strategy: The 4 Laws of Information Security. Pabrai was the first to launch a program focused on global information security regulations, the Certified Security Compliance Specialist™ (CSCS™) program. The CSCS™ program addresses PCI DSS, FISMA, ISO 27001/27002 and other security regulations and standards.


 

Tags: user_authentication secure_authentication data_security HIPAA_compliance


Seven Habits of Highly-Effective Healthcare Security (without Sacrificing Clinician Workflow)

March 22, 2010 at 3:49 PM by David Ting

Healthcare access management plays an integral role in the healthcare industry these days, with patient data security and breach disclosure notification mandates front and center with HIPAA compliance, HITECH incentives and other mandates from various parts of the world focused on protecting personal health information (PHI).

Coming out of HIMSS 2010, it was clear that patient data security was a chief concern, but so was the need for improved clinician workflows.  For all the requirements driven by new laws and the stimulus bill, what was overlooked was the impact of security in the real-world hospital environment from a user perspective.  Forcing someone to change habits and daily routines is difficult, if not impossible, to do. Therefore, it is integral to the successful adoption of these security endeavors that they be paired with improving workflow.  If change makes people’s lives easier, it’s easier for them to embrace.  It doesn’t need to be an either/or argument.  

As such, here are our seven habits of highly-effective healthcare security:

  • Ensure adequate password complexity across system and application logons to protect PHI
  • Auto-generate strong passwords where possible to simplify the backend security process; take the task out of your hands and focus your attention where it can be better utilized
  • Rely on technology that is easy to implement (for you) and support (for your users)
  • Select strong authentication technologies (e.g., fingerprint biometrics) that simplify user access to help achieve user adoption
  • Seek solutions that have built-in audit logging and reporting capabilities; when compliance audits knock, proof should be a quick click away
  • Manage password resets through a self-service portal: enabling clinicians to solve simple password problems themselves eliminates unnecessary IT costs and reduces instances of password sharing across the medical unit or nurses’ station
  • Fast access termination across systems and applications is mission-critical, as unattended workstations create a gaping hole in even the best-laid security plans

At a high level, aligning with these habits can help secure user access in your healthcare organization, but as I mentioned, workflow MUST be improved at the same time. Be sure whatever security solutions you’re deploying are easy for users to embrace.  Practical security innovations born from real-world clinician workflows can deliver the best in both transparent security and user productivity.  This is why healthcare single sign-on and strong authentication that is easy for clinicians to use and doesn’t disrupt workflow is so attractive. 

Do you have any good healthcare security habits to share?   We’d love to hear them!


--David

 

Tags: Fingerprint_biometrics data_breach healthcare_access_management password_sharing HIPAA_compliance strong_authentication biometric_authentication healthcare_single_sign_on


Guest Post: ecfirst CEO, Ali Pabrai, on HITECH’s Meaningful Use and Compliance

February 23, 2010 at 12:35 PM by Ali Pabrai

There’s a lot of discussion around meaningful use, its definition and how organizations can obtain the government incentives that recent legislation promises. However, in the dash for these types of healthcare IT investment reimbursements, one must not overlook the role of security risk in satisfying compliance requirements.

For instance, the Centers for Medicare & Medicaid Services (CMS) will withhold meaningful use payment from any entity until any confirmed HIPAA privacy or security violation has been resolved.  At the state level, State Medicaid administrators will likewise withhold meaningful use payment until any confirmed state privacy or security violation has been resolved. Compliance with HIPAA’s Privacy and Security Rules remains an integral part of the meaningful use definition as a policy priority, with corresponding goals and objectives for 2011 that organizations must achieve.  For example, physicians are eligible to receive up to $44,000 in total incentives per physician from Medicare for “meaningful use” of a certified Electronic Health Record (EHR) starting in 2011. These EHR incentives, however, are coupled with strong mandates for privacy and security compliance that must be addressed.

In a HIPAA compliance audit, the policies, procedures and capabilities that the Office for Civil Rights (OCR) would review include the area of Identity and Access Management (IAM). Specifically, the investigation includes a review of IAM processes related to:

  • Establishing user access for new and existing employees
  • List of secure authentication methods for users authorized to access EPHI
  • Monitoring systems use - authorized and unauthorized
  • Granting, approving, and monitoring systems access (for example, by level, role, and job function)
  • Termination of systems access
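As an added example (not code from the original post), the Python below implements the reconciliation an auditor performs against the first, fourth and fifth items above and against the account life-cycle and RBAC points of the March 25 post: join the application’s account export to the HR roster and to a role-to-entitlement map, then report enabled accounts whose owner is terminated, that have no HR owner at all, or whose entitlements exceed what the owner’s role permits. The roster, role map and account records are constructed for illustration.

```python
"""Reconcile application accounts against the HR roster and an RBAC role map.

Added example, not code from the original post. Assumes three inputs an
auditor can usually export: the HR roster (employee ID -> job role, status),
the application's account list (user ID, employee ID, enabled flag,
entitlements) and the RBAC map (job role -> entitlements the role may hold).
All records below are constructed.
"""

# Constructed HR roster: employee ID -> (job role, employment status)
HR_ROSTER = {
    "E1001": ("nurse", "active"),
    "E1002": ("physician", "active"),
    "E1003": ("nurse", "terminated"),
    "E1004": ("billing", "active"),
}

# Constructed RBAC map: job role -> entitlements that role is allowed to hold
ROLE_MAP = {
    "nurse": {"ehr.read", "ehr.write.nursing"},
    "physician": {"ehr.read", "ehr.write.orders", "ehr.write.notes"},
    "billing": {"billing.read", "ehr.read.demographics"},
}

# Constructed application account export
ACCOUNTS = [
    {"user": "jsmith", "employee": "E1001", "enabled": True,
     "entitlements": {"ehr.read", "ehr.write.nursing"}},
    {"user": "kpatel", "employee": "E1002", "enabled": True,
     "entitlements": {"ehr.read", "ehr.write.orders", "ehr.write.notes"}},
    {"user": "mlee", "employee": "E1003", "enabled": True,            # terminated in HR
     "entitlements": {"ehr.read", "ehr.write.nursing"}},
    {"user": "rgomez", "employee": "E1004", "enabled": True,          # holds more than role allows
     "entitlements": {"billing.read", "ehr.write.orders"}},
    {"user": "icu_shared", "employee": None, "enabled": True,         # no individual owner
     "entitlements": {"ehr.read"}},
    {"user": "oldtemp", "employee": "E1003", "enabled": False,        # already de-provisioned
     "entitlements": set()},
]


def reconcile(accounts, roster, role_map):
    """Return (user, finding, detail) for each enabled account that fails a check.

    Checks, in order of severity: the account has no HR owner (shared or
    orphaned ID, so activity cannot be traced to one person); the owner is not
    active in HR (termination did not reach the application); the account's
    entitlements exceed what the owner's role may hold (RBAC drift).
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account is not an access path; cleanup is a separate task
        user, emp = acct["user"], acct["employee"]
        if emp is None or emp not in roster:
            findings.append((user, "no_hr_owner",
                             "enabled account with no employee record; shared or orphaned ID"))
            continue
        role, status = roster[emp]
        if status != "active":
            findings.append((user, "terminated_not_disabled",
                             f"employee {emp} is {status} in HR but the account is still enabled"))
            continue
        excess = acct["entitlements"] - role_map.get(role, set())
        if excess:
            findings.append((user, "exceeds_role",
                             f"role {role} may not hold {sorted(excess)}"))
    return findings


if __name__ == "__main__":
    for user, finding, detail in reconcile(ACCOUNTS, HR_ROSTER, ROLE_MAP):
        print(f"{user:<12} {finding:<24} {detail}")
```

Run periodically (and on every HR termination feed), this is the evidence an auditor asks for under the “termination of systems access” and “granting, approving, and monitoring systems access” items; the findings list, dated, is the proof that the review happened.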

Keep in mind that compliance mandates represent minimal capabilities that organizations must implement and manage pro-actively. HIPAA and HITECH are the floor and not the ceiling of core capabilities required to enable a resilient organization. This requires that your information security strategy must be risk-based, pro-active and integrated. 

Ali Pabrai, chief executive of ecfirst, is a highly sought after security and compliance expert. He is also author of the executive brief Cyber Security Strategy: The 4 Laws of Information Security. Pabrai was the first to launch a program focused on global information security regulations, the Certified Security Compliance Specialist™ (CSCS™) program. The CSCS™ program addresses PCI DSS, FISMA, ISO 27001/27002 and other security regulations and standards.

 

Tags: HIPAA_compliance secure_authentication security_risk


Live from the National HIPAA Summit

February 4, 2010 at 2:56 PM by Tom McDermott

Greetings from the Eighteenth National HIPAA Summit in Washington, DC!  It’s turned out to be an interesting event pulling in an array of people as it is co-located with the National Health IT Summit for Government Leaders, the National Health Information Exchange (HIE) Summit and the International mHealth Networking and Web Conference.

 

Mid-way through the week-long event, there are some notable highlights from the conversations I’m having, and from the chatter on the floor and the breakout rooms.  In no particular order:

 

  • Federal vs. State in a Vivid Debate: There are a number of tracks focused on the impact of healthcare reform on federal and state agencies, driven by conversations trying to figure out where responsibility will ultimately fall.  With many guidelines already established, there still remains ambiguity as to how HITECH responsibility will play out.

  • The Term of the Event is ‘Breach’:  HITECH mandates are largely focused on data breach notification, with new stringent requirements for healthcare organizations to report quickly when patient information may be, or is, compromised.  The central questions here are two-fold: Will HITECH truly have enough teeth?  And will the response be Federal, or will action, lawsuits, penalties and fines fall to the state AGs to pursue?

  • Collaboration is Brewing: Increasing collaboration between public and private sector organizations is in great demand.  Between the use of new tools, more openness and greater transparency, all focused on facilitating information sharing and efficiencies, increased public-private collaboration is a key desire of attendees.

  • EMRs aren’t as easy as A.B.C.: As expected, Electronic Medical Records (EMRs) are the hot topic here.  From standards and technologies to business processes and data security to intra- and inter-organizational ownership, EMRs continue to be a focal point as organizations migrate their records to digital format and seek the security and efficiencies necessary for clinicians and staff to embrace them.

  • A Herd of HIPAA Privacy Officers:  Overwhelmingly, but not surprisingly, a large majority of attendees have roles/titles such as HIPAA privacy officer, many of whom are working towards HIPAA compliance certification by attending sessions earlier in the week.  Surprisingly, I thought there would be more attendees from the IT manager/director or CIO levels. 

 

Overall, there is a tremendous amount of information being passed around that attendees are trying to digest – what’s pertinent for them to take away and act upon, and what is not pertinent to their daily jobs.  Most are speaking with vendors to understand their role in the overall HITECH/HIPAA ecosystem in regards to healthcare reform and legislation as it directly applies to their organizations, beyond the bells and whistles of features and functionality.

 

 

--Tom McDermott

 

Tags: data_breach data_security HIPAA_compliance


From HIPAA Compliance to HITECH – Reforming Healthcare Security

September 22, 2009 at 3:10 PM by David Ting

Khalid Kark of Forrester Research recently issued a useful whitepaper that outlines the security reforms needed to improve patient data security in the healthcare industry. A complimentary copy of the Forrester whitepaper, “Healthcare Security: Ready or not, Here it Comes,” can be downloaded from the Imprivata website.

The whitepaper highlights four key reasons why healthcare organizations are falling behind on security. Khalid provides a comprehensive set of recommendations to help healthcare organizations address these challenges, and they are near and dear to what we do here every day. I thought I would share some of the insights gathered from work with our many healthcare customers.

I’ll tackle two of these issues in today’s post, and address the remaining ones in a subsequent posting.

1. Basic security technologies and processes are missing:
Kark correctly states that many CISOs struggle to get management’s attention on security issues and are limited in the resources they have to address the critical security risks they face. Bill McQuaid, CIO of Parkview Adventist Medical Center, recently spoke about how they were able to achieve HIMSS Analytics Stage 6 status despite their relatively small size. Deploying strong authentication technologies, such as fingerprint biometrics, considerably increases clinician productivity while ensuring that only properly credentialed users access sensitive information. This combination of security and greater user productivity is sure to gain the attention of any manager.

2. Security spending lags behind other leading industries

As Khalid notes in his whitepaper, higher spending doesn’t necessarily equate to stronger security. What matters is using the dollars and resources you do have wisely. The days of enterprise-wide projects that take years to complete are over. By identifying the immediate areas of risk and implementing projects that yield immediate results, you can protect your organization, while demonstrating a quick ROI – this can come in handy when fighting for more dollars to spend on additional projects.

What are the main obstacles you’re facing in securing your organization? Share your story.
David

Tags: Fingerprint_biometrics HIPAA_compliance data_security security_risks strong_authentication


Reaching Stage 6 Status with Imprivata

August 4, 2009 at 9:35 AM by Bill McQuaid

Thanks David.

We’re very proud of our accomplishment of being one of only a handful of hospitals awarded HIMSS Analytics Stage 6 status, especially considering our relatively small size compared to the many bigger hospitals with larger IT departments trying to accomplish the same thing. Moving to an EMR format and a paperless environment requires a significant commitment from the executive team and from our clinicians.

As we began our move to EMR, we had two major concerns. 1 – Can we maintain patient data security and HIPAA compliance in an electronic format? 2 – Will the clinicians buy into what we’re doing and use the technologies we provide? These are two critical components in achieving Stage 6 status.

Training for Success
To address the concerns simultaneously, we knew that we had to come up with a solution that would get immediate buy-in from our clinicians. If you don’t have people internally using the systems and championing them for you with their colleagues and peers, it makes the road to full scale EMR a very difficult one.

This has been one of the secrets to our success – we haven’t forced any of our doctors to use the systems we implement. Instead, we work with the people who want to be worked with, and then let the rest come to us once they see how easy and successful it is.

A great example of this is when we started asking doctors to do computerized physician order entry (CPOE), which requires all doctors to do their own ordering using a computer. There was some hesitancy on the part of the doctors when we asked them to do their own ordering. The chief concern was accessing the necessary systems – doctors kept telling us “there’s no way we can log in – we won’t be able to remember all the passwords.”

To address these concerns, we used Imprivata OneSign to create a zero sign-on environment through the use of biometric authentication. We went live and gave access to a few people – when other clinicians saw how well it worked, they all wanted to use it. But here’s the key – we made them sign up for training and went through the whole process with them individually. By providing a quick and easy tutorial on the technology, we were able to mitigate any concerns of using the technology. The result is that the doctors loved it, and we use this technology in all of the physician practices now.

Not only did we get a groundswell movement on the part of clinicians to use the technology, but we also solved our core data security issues. Biometric authentication considerably increases productivity, but also ensures that only the properly credentialed users are accessing sensitive information. This level of strong authentication meant that clinical staff now had the ability to walk up to any workstation and securely log into the network, providing the real-time, secure access needed to provide superior care to our patients.

In fact, it’s worked so well, we’re rolling it out to secure remote access as well. We’ve set up virtual desktops for some doctors, so when they log in remotely, they log in once and get the security of single sign-on. So now, no matter where they are, they get their own desktop – they can print orders and do what they need to do from anywhere in the country.

The road to Stage 6 status can be a tough journey. What we’ve learned along the way is that technology alone isn’t the solution – educating the staff on the value of the technology is the most powerful tool in your arsenal.

If you’re currently working on similar projects, I’d love to hear your thoughts on how the project is progressing and if you have great tips to share for others too.

Tags: Single_Sign_On HIPAA_compliance biometric_authentication strong_authentication data_security


Medical ID Theft and Tying Patients to Electronic Records with Strong Authentication

June 26, 2009 at 7:15 AM by David Ting

The New York Times recently published an interesting article on the rising problem of medical identity theft. When the federal government last researched the issue in 2007, more than 250,000 Americans reported that they were victims of medical identity theft. Since that report, most experts agree the problem has undoubtedly grown, in part because of the growing use of electronic medical records built without extensive safeguards. To exacerbate the situation, cleaning up after medical ID theft can be hindered by HIPAA compliance itself: the regulations protect the medical information of the ID thief as well as yours.

Medical ID theft is an issue that can impact anyone. From a financial standpoint, if your identity is stolen and then used to receive emergency care, the insurance payments and collections can follow you around for years – without the victim even knowing it. This can destroy credit ratings or create a situation where insurance benefits limits are exceeded at a time when a legitimate claim is made.

More important than the financial impact is the potential impact on the healthcare or treatment a victim receives. Once a medical ID is stolen and used to receive treatment, the medical records can now contain erroneous medical history information. This can lead to a fatal mistake in an emergency care situation.

I’ve blogged about some of the data security and strong authentication concerns that come with accessing electronic patient records from the clinician point of view. Some healthcare providers I’ve spoken to are looking to strong authentication to solve the medical ID theft problem as well, using technologies like biometric authentication to securely and uniquely tie patients to their records.

This would create a seamless environment where clinicians are authenticated for access to applications and information, while the patients are authenticated to their medical records. This will be a critical component of the success of EMRs as these systems begin sharing information between healthcare providers. Strong authentication will be critical not only from a data security perspective, but could also prevent a situation where a patient receives improper care.

Tags: HIPAA_compliance EMR medical_records strong_authentication healthcare


Stimulating Strong Authentication

February 20, 2009 at 6:54 pm by David Ting

The stimulus package recently signed by President Obama has been the cause of vigorous debate.  One by-product of the package that has not been widely discussed is a provision that would reshape the medical industry by driving the adoption of computerized medical records for all Americans.  An increase in electronic information of this magnitude greatly raises the exposure to a security breach, which is what we'll focus on today.

While the program sets high goals of making records accessible, increasing healthcare efficiencies and reducing costs, security for a program of this magnitude needs to take a zero-gap approach - removing any security risk that could lead to a data breach. When you consider the number of sources for medical information, and the number of healthcare employees across the country, security for a project of this size represents some huge challenges.  

So where do we start?  From a data security standpoint, a lot can be learned from the hospitals and healthcare facilities, which have spent years focused on HIPAA compliance,  as well as from other countries that have embraced a similar approach to digital medical records.    

We've seen customers such as OhioHealth go completely paperless, with digital record keeping replacing the extensive paper files commonplace in the industry.  OhioHealth took an innovative approach to securing patient data from the access standpoint, leveraging single sign-on as the core of its digital authentication strategy: employees reach the applications and information they need only after first authenticating with a biometric device or a strong password. 

Controlling access is only part of the equation.  Once in, there is a need to monitor and control how the information is being used, preventing a breach after initial access has been granted.  Even when the proper steps have been taken to authenticate a user, what happens when the clinician walks away and leaves the workstation unlocked?  And when a life-or-death critical order needs to be placed, or a prescription filled, the specific doctor, nurse or clinician must be tied to that activity.

Making the medical records of 100s of millions of citizens accessible is certainly a step forward, yet keeping them private is a tremendously complex problem - one that will need to be addressed before the program can move forward in earnest.   

What are your thoughts?   Email me and let me know.

Tags: Single_Sign-On HIPAA_compliance security_breach data_security security_risk


Who’s Really Afraid of HIPAA?

September 4, 2008 at 4:00 pm by John Clark

Since 1996, HIPAA has become one of the most important and most highly publicized pieces of healthcare legislation in the United States. Over this time it has also become one of THE biggest topics of conversation within the healthcare and security industries, and with good reason: HIPAA involves two major issues, patients and privacy. What's truly amazing to me is that, behind the scenes, one would naturally assume that the majority of healthcare organizations are driven by worry about the potential penalties the Department of Health & Human Services (HHS) might levy on them for failing to fully comply with HIPAA.

Something tells me the industry isn't quite as concerned as I thought. The latest piece of evidence lending credence to this suspicion involves the recent news around Providence Health & Services, which just last month was penalized for their violation of the privacy section of HIPAA. The fact that a healthcare organization failed to properly protect patient information is not unusual. There have been over 10,000 HIPAA-related complaints filed in recent years. There have also been numerous patient privacy violations as well, including the high-profile breaches that took place earlier this year at the UCLA Medical Center. What we have learned from these incidents is that while many organizations have taken concrete steps to protect their patients, many turning to access management and authentication management solutions, there are always going to be those that fail to properly address their areas of weakness.  What really stands out to me is that while both complaints have been filed and incidents have occurred, Providence Health & Services holds what CSO Magazine's Bill Brenner describes as the "uncomfortable distinction of being the first organization penalized for violating the privacy section of the Federal Health Insurance Portability and Accountability Act (HIPAA)."

That's right. While many healthcare organizations have failed to meet HIPAA's regulations, fines such as the recent $100,000 levied against Providence Health & Services have been few and far between. What this tells us is that while HIPAA has raised the bar for the protection of patient information and created an immediate call to action for most organizations, HHS has limited HIPAA's effectiveness through its lack of commitment to enforcing the guidelines. The result? Companies that should be focusing on meeting HIPAA's standards and weighing the consequences of failing to do so are instead deciding to focus on other projects they deem more important.

The question is - will HHS ever become more hands on within the industry regarding HIPAA? Because, until HHS becomes consistently more involved and penalizes those that are in violation, the industry will continue with its "business as usual" approach instead of taking all the precautions as outlined by HIPAA.  I'd be interested to know - are you addressing HIPAA? And, which is your greater worry - HHS levied fines, or media exposure to a data breach?

If you are interested in hearing more about how a specific healthcare organization - William Osler Health Centre - is leveraging technology to address HIPAA issues, feel free to sit in our September 9 Webinar titled, "Imprivata, Single Sign-on and Biometrics Deployment: One Hospital Corporation, 3 Strategies." See you there!

-John

Tags: authentication_management HIPAA_compliance access_management


MUSE Musings

June 2, 2008 at 10:30 am by John Clark

Having spent last week at the 2008 International MUSE (Medical Users Software Exchange) Conference in Grapevine, Texas, the 25th annual gathering of clinical and technical users of Meditech software, I was delighted to see that SSO is such a hot topic among this group.  There were five customer presentations related to SSO and strong authentication, and all of them were filled to capacity. 

Also of note was the fact that at a gathering on Monday of 62 CIOs, CMIOs, and CNOs representing Meditech hospitals, it was clear that SSO was one of the priorities that they plan to address. As it was explained to me by one of our customers, the group was broken into smaller workshops and given a $6M annual IT budget.  Then they were asked to work collaboratively to develop and prioritize initiatives for a five year plan at a fictitious hospital.

As expected, investment in clinical applications took precedence in the Priority Matrix that was developed based on a polling of the groups.  The Matrix consists of 4 quadrants; Avoid, Consider, Implement and Invest.  According to this group, SSO has crossed into the Invest quadrant, and most of the group felt as though it was something to be addressed before the end of 2009.  It seems that this interest is being driven as much by the need for user convenience as it is by HIPAA compliance.  If you work in a healthcare organization, I'd be curious to hear about your priorities and if this sounds in line with your plans.

John Clark, Product Manager

Tags: Single_Sign-On HIPAA_compliance strong_authentication
