Checklist for Healthcare IT Security Compliance Webinar - Q&A

Last week, ecfirst's CEO, Ali Pabrai, joined me for a live webinar that discussed a checklist for healthcare IT security compliance. If you missed the webinar, you won't want to miss this -- we've gone ahead and transcribed our answers from the Q&A session.

Question 1:
Where can I go to find out exactly which set of rules / regulations apply to my business? There are so many different ones which change often that it's difficult to stay current.

  • Answer: That is one of the areas that must be addressed in a comprehensive risk analysis activity. It’s critical to keep up with HITECH Act changes. The best source is the OCR site at Also, it’s important to keep up with State regulations, especially CA, Massachusetts, etc.

Question 2:
Is encryption required under HITECH? There seems to be so much conflicting information out there.

  • Answer: The HITECH Act by itself does not require organizations to encrypt the protected health information that the organization comes into contact with. However, the guidance document published that ties directly into the HITECH Act strongly recommends that organizations look at encryption. Obviously, there is strong motivation for organizations to encrypt, because if the data is encrypted, they would not need to report the breach to federal authorities. This may not be the case with state authorities, though. My general recommendation is that organizations today should, at the very least, be looking very seriously at encrypting all data across all laptops, portable devices, backup media, and wireless infrastructure.

Question 3:
Does Imprivata OneSign provide audit reports?

  • Answer: Yes, Imprivata OneSign provides pretty extensive auditing, giving you information on who accessed what, where, how, and when. It also shows the type of login they used, such as fingerprint, and what applications they accessed while they were in. It provides extensive auditing, which is one of the real value points aside from the access and functionality it provides on the front end. It’s the back end that is just as critical, with the auditing and reporting.

Question 4:
We have a small physician’s office; can we get an example of a very simple procedure for information breach management?

  • Answer: Number one, you need to put together a breach management policy. Tied into the policy would be a couple of procedures. One would be for the management of that breach. The management of that breach needs to clearly identify what the processes are that your physician practice steps through when you discover the breach. The breach may have occurred within your practice or at a firm that could be a business associate that provides a service to you. So, that procedure needs to clearly articulate what happens from the point that you discover the breach to the point where you make a determination whether that breach has to be reported. And even if that breach does not have to be reported, you do need to document and create an internal report, an incident report tied into that breach. So, that’s what the procedure would be addressing.

Question 5:
What do the Imprivata OneSign customers do for remote access where a prox or biometric device is not available for authentication?

  • Answer: There are some other options as well, such as a token with a one-time password, to get into the system. We actually will soon have the ability to use other solutions as well, where it might call back a phone. If they have a cell phone, it will dial back the cell phone, give them a one-time password there, and allow remote access. There are certainly needs for that. We have some today, and we’re implementing some additional ones. Remote access is a unique requirement, not unique in that not many people have it, but unique in terms of the requirements around it, especially with security. We are actually looking at possibly some of those strong authentication devices, like fingerprint or bio prox, from remote systems. We don’t have that today, but those are some of the areas that we’re looking at. For now, there are certainly one-time passwords with tokens and, soon, callback with SMS text or from a phone to provide access into the system that way.