Partners HealthCare’s CISO, Jennings Aske, isn’t losing any sleep over recent changes to the Patient Protection and Affordable Care Act (PPACA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. “There were minimal changes, really, in terms of our overall security program and the controls we implement”, says Aske, who is also Partners’ corporate director of information security and privacy. Protecting patient privacy and security should be done on a regular basis anyway for ethical reasons, he observes. “From my perspective, laws or a regulation merely reinforce that concept.”
The main changes, industry observers note, involve a new set of standards around breach notification, how healthcare providers account for disclosure of patient information and risk assessment, according to the US Department of Health and Human Services (HHS). The regulations continue to reinforce the original Health Insurance Portability and Accountability (HIPAA) Act of 1996 requirements around electronic health records, they say.
Since HIPAA has been in effect, “covered entities” have been required to perform security risk assessments, says HHS Privacy Officer Joy Pritts. The requirement has widespread impact; some three million affected entities are defined by HIPAA as a payer, provider, clearing house, and now business associates, or subcontractors.
|"Privacy and security of a patient’s healthcare record should really be at the top of the list…If you have lackluster security and authentication protocols and those systems get hacked, it undermines the systems and people won’t trust them"|
|Michael Ebert, KPMG|
Now, healthcare information security professionals need to consider the fact that some privately funded studies have shown that covered entities “are fairly regularly not performing risk assessments”, Pritts says. When the HITECH Act was enacted in 2009, it made available about $20 billion to upgrade medical IT systems from paper-based to electronic, and physicians would be paid to upgrade and purchase electronic medical records systems, notes Michael Magrath, director of business development for Government and Healthcare at digital security provider Gemalto, who is also a chairman of the Smart Card Alliance’s Healthcare Council.
In order for providers – including hospitals and physicians – to receive incentive payment for upgrading or deploying what Pritts calls a “meaningful electronic health records system”, they have to show proof of a set of criteria, including a security risk assessment. “So this is very real to them now”, she observes. “If they want to get their money they have to swear they’ve done it.”
Also under the act, a privacy and security workgroup was formed to come up with recommendations to the Office of the National Coordinator (ONC) within HHS. In mid October, the workgroup put forth recommendations for stage two of “meaningful use”, so that “if [physicians] get the money to put the system in place, they have to use it – they can’t go back to paper. They have to use it in a way that conforms to any standards that come out from HHS, like encrypting data”, Magrath advises. If the physicians still don’t migrate to an electronic medical records system by 2015, they will incur financial penalties, he adds.
The HHS requirements are being put forth in different stages, Magrath says, so that by the end of 2015, “our health care system should be interoperable and everyone should have a medical record.”
In July 2010, the US federal Office of Civil Rights issued an interim final rule that requires covered entities to notify individuals when their healthcare information was breached. The latest change to the HITECH Act is a section stating that if 500 or more patients’ identities and protected information are breached, the provider has 60 days to notify them, as well as HHS, OCP and, in some cases, the press. The OCR is still digesting all the comments and considering whether to make it a final rule, notes Michael Ebert, a partner in the Information Security Practice at KPMG.
“All laws apply back to the original HIPAA Act – all they’re doing is reinforcing that providers and third-party entities need to follow the original requirements, such as what to do in the event of a breach of information, with new guidance around how you manage and report that breach and account for disclosure of information”, Ebert relays. HITECH focuses on knowing where a consumer’s healthcare data is, who has accessed that data in a defined period of time, and presenting this information to a consumer on demand who has seen their data in normal healthcare operations.
“The primary issue information security professionals at healthcare organizations have to worry about is changing the way their systems work”, says Ebert. They will have to restrict employee access to the systems and networks used for electronic records. “If I’m a provider, I need to think about what is appropriate access”, he adds, “and does a billing clerk need to understand all the treatments a person has had – or just the total bill?” The main issue is “there needs to be a mutual understanding among all parties as to what constitutes appropriate access”, he says, in addition to accounting for breaches of patient information.
The PPACA reinforces HITECH, Ebert advises, and calls for regular assessment of how well healthcare systems comply with security. “You have to have risk enforcement of your systems done and assess where risks are for privacy of information on a regular basis.” The OCR is now starting to define what a regular basis means, he continues, and that most likely a third party will do the assessment.
The way Partners’ Aske sees it, security professionals should build programs that go beyond the specific HIPAA security requirements. “I recommend that organizations not focus on the law”, he says. “I don’t build my programs based on what’s in HIPAA – that’s only the tip of the iceberg. I always try to build standards-based security programs…I always tell people that a standards-based security program will always map back to the legal requirements.”
|"The physician community tends to not like change, and they see [two-factor authentication] as an inconvenience and an interruption in workflow"|
|Michael Magrath, Gemalto|
Like Ebert, Aske says new requirements from OCR provide guidance on how to treat a breach. Further, HIPAA’s encryption standards were made more granular. Patient records must be encrypted with a minimum 128-bit key so they can be considered undecipherable, meaning that it is not technically data that can be breached.
Likewise, Massachusetts General Law 93H also states that if data is encrypted with a 128-bit or higher key, it is considered secure, and a breach does not have to be reported, he says. Healthcare organizations must go through an analysis when there is a ‘security incident’ so essentially, security professionals must analyze the key strength used to encrypt a lost or stolen device.
One of the complicating factors for a large hospital system like Partners is that it has patients from around the country and even around the world, so it has to look at a variety of privacy laws in different states. The HITECH requirements, Aske points out, do not supersede those of state laws.
In terms of cost, he says enforcing the new requirements should not be significant “if you’re baking it into what you do every day in selecting your systems. If you haven’t been doing anything over the past six years, and if all of sudden you have to implement intrusion detection and encryption, there’s a cost because those are things you have to do to manage and protect the data.”
One vs. Two
Other recent recommendations the Health IT Standards Committee sent to the ONC deal with authentication and encryption, including when a doctor accesses or edits an electronic medical record or shares it with another physician – such as a specialist – to get a second opinion on a diagnosis, Magrath says. The committee also looked at consumer access to medical records, such as when an individual makes a doctor’s appointment through a health provider’s web-based portal. The recommendations are highly disappointing, he laments.
“They don’t provide the security that should be required to protect patient records”, Magrath observes, because the group only recommended single-factor authentication for consumers accessing their own medical records. “That means just using a user name and password, and that’s how hackers get into systems.”
Magrath says Gemalto has been advocating for a two-factor authentication requirement, which would include the need for a consumer to authenticate their identity with a combination of something they know, such as a PIN or password, with something they have, such as a hard token, a USB, smartcard or a one-time password. “Passwords are stagnant and can be shared and cracked”, he notes. “Studies have been done analyzing what people use for a password and having a very simple [one] that can be easily guessed can compromise the whole system and bring it down.”
Magrath points to the fact that the single-factor authentication recommendation comes on the heels of the National Strategy for Trusted Identities in Cyberspace (NSTIC), which President Obama announced in April 2011 and would create an identity ecosystem. “This would be a private/public partnership where I, as a consumer, would go to a certified/trusted broker to obtain a credential to log in to certain websites to access certain applications”, as a stronger method of authentication, he says. This strategy calls for two-factor authentication, Magrath adds. “So you have the White House and the Department of Commerce promoting this for consumers, but then you have a HHS workgroup promoting single-factor authentication” for electronic records. “So there’s a disconnect…What makes me scratch my head is the federal CTO is on the committee.”
"I recommend that organizations not focus on the law…I always try to build standards-based security programs"
Jennings Aske, Partners HealthCare
The Gemalto director believes two-factor authentication was not recommended because “the physician community tends to not like change, and they see it as an inconvenience and an interruption in workflow.”
As for whether the legislative changes will have an impact on multinational corporations that partner with healthcare providers in the US, Magrath believes – for the time being – they won’t, because one-factor authentication is still the requirement for accessing a medical system. “So a physician in France can access a US healthcare system if they were called upon for consultation…with a username and password – it’s very simple. Moving forward, as those networks are tightened up, that [healthcare] organization would have to issue that physician overseas some stronger credentials.”
Multinational providers must be compliant with the US healthcare privacy laws, KPMG’s Ebert confirms, but adds that security professionals are responsible for doing a risk analysis of any third-party partners they work with as the originator of that patient information. “You can contractually obligate them to be responsible, but I have to assess if they’re treating information ethically”, he says.
Creating a Culture of Greater Awareness
An important issue that came out of HITECH, Aske believes, is a heightened awareness that the US federal government cares about patient privacy, and it is now clear the act is being enforced. “It helps me to work with management and prioritize the information security program” at Partners, he says. “When you see that regulations are being enforced and civil and criminal penalties are part of that, it makes people pay more attention.”
HHS has a website that lists all the health institutions that have had breaches affecting more than 500 individuals in a calendar year. “So you don’t want to find yourself on that list”, Aske warns.
|"The primary issue information security professionals at healthcare organizations have to worry about is changing the way their systems work"|
|Michael Ebert, KPMG|
Magrath concurs. “Privacy and security of a patient’s healthcare record should really be at the top of the list. What frustrates me…as a patient is that what’s being recommended and presented is not the best. You have to do it right the first time. The healthcare industry wants us as consumers and patients to use the web because it reduces costs for them. If you have lackluster security and authentication protocols and those systems get hacked, it undermines the systems and people won’t trust them.”
Anyone with access to patient records needs to understand the ramifications and parameters of downloading and emailing information, says Ebert. The onus, he contends, is on the security professional to determine whether there are enough policies, procedures and controls in place and proper safeguards to ensure loss prevention.
“The message is not just setting compliance, it’s making sure there is a culture; that the people involved in handling healthcare understand the ramifications of downloading [information] to thumb drives and how the implications [of a breach] affect the psyche of the organization”, Ebert concludes.