User Access Relevance in a HITECH Age-Imprivata

David Ting
Feb 03, 2012

The National Institute of Standards and Technology (NIST) published its Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule back in late 2008, but spurred by a jolt of healthcare IT investment driven by HITECH mandates has renewed relevance today.

The HIPAA Security Rule “specifically focuses on the safeguarding of electronic protected health information (EPHI)… All HIPAA covered entities, which include some federal agencies, must comply with the Security Rule, which specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule.” This NIST 800-66 Revision 1 document provides a comprehensive guide for HIPAA compliance to the Security Rule, and details “Key Activities” to engage in that are segmented by defined categories that are easy to read and navigate.

From a user access perspective, there are important technical safeguards outlined in the area of Access Control, Audit Control, Integrity, and Person or Entity Authentication that are worth calling out. Specific Key Activities within these technical safeguards criteria you should review include:

4.14 Access Control, Key Activity #3: Ensure All System Users Have Been Assigned a Unique Identifier
This requirement is integral to tracking who is accessing what information, and whether they have authorization to do so. Enforcing policies that eliminate credential and password sharing are a crucial complement to this requirement as it ensures that all activity can be traced back to a specific user identity.

4.14 Access Control, Key Activity #8: Automatic Logoff and Encryption and Decryption
This requirement calls for “electronic procedures that terminate an electronic session after a predetermined time of inactivity.” There are plenty of automatic logoff solutions in the field which satisfy this requirement, but they’ve hindered workflow by requiring active logging back into a system. In a healthcare environment, where doctors, clinicians and staff are sharing workstations and need fast access to patient information, session time-outs can add hiccups when time is of the essence. This was a core consideration when we designed our OneSign Secure Walk-Away solution, which leverages computer vision technology with active presence detection and user tracking to identify an authenticated user in front of a workstation, automatically locking the desktop upon their departure and providing instant re-authentication upon their return. It combines compliance with this Key Activity and real-world workflow for the best of both worlds.

4.15 Audit Control, Key Activity #1: Determine the Activities that Will be Tracked or Audited
This Key Activity serves as a foundational pillar to managing healthcare security risk. Determining what systems and activities need to be monitored and reported are crucial to closing any potential security breach gaps and streamlining reporting requirements from other sections of the Security Rule. The data breach notification requirements of HITECH that went into effect on Feb. 18, 2010 present new security risks for healthcare organizations, so it’s critical to understand and quickly report on breaches, whether malicious or accidental, to avoid penalties and fines from both state attorneys general and the feds. To do so effectively, one must first establish what is tracked and/or audited, making this Key Activity even more relevant today than before HITECH went into effect.

4.16 Integrity, Key Activity #1: Identify All Users Who Have Been Authorized to Access EPHI
4.16 Integrity, Key Activity #5: Implement a Mechanism to Authenticate EPHI

These Key Activities combine to focus on identifying all approved users with the ability to alert or destroy data, ask questions around user authentication and seeks to determine if authentication tools interoperate with other applications and systems. These requirements dovetail into audit trail requirements for understanding how information is accessed and authorized, so healthcare entities can report on all aspects of cross-organization healthcare access management.

4.17 Person or Entity Authentication, Key Activity #2: Evaluate Authentication Options Available
Secure authentication is integral to protecting patient information, so it comes to no surprise that the Security Rule calls out commonly used authentication approaches. Specifically, the guideline urges aligning different levels of authentication with assessment of risk to the information and systems. Password policy, biometrics authentication, smart cards, proximity badges and/or any combination of the aforementioned can satisfy this requirement, but it’s essential that they are all tied together in the form of easy-to-manage identity management – otherwise, it can become unwieldy and burdensome to keep up with as new hires are brought onboard and terminated employees are de-provisioned.

There’s a lot to this NIST resource for navigating the HIPAA Security Rule – it is 117 pages of guidelines and supporting appendices. It’s a tremendous guide to a significant HIPAA compliance requirement. With a recent injection of funds and incentives into the healthcare IT market from HITECH and healthcare reform driving increased investment in electronic medical records (EMR), secure user access to EPHI plays an increasingly important role.

Building on this, the guidelines outlined in the NIST 800-66 Revision 1 document should be applied worldwide as increased legislation in numerous countries drives greater attention to protecting patient health information in any form, and put stringent requirements around data security and the tools necessary for reporting on activities to demonstrate compliance. It’s a great asset out there for public consumption, and can help drive best practices worldwide.