Industry Update: Why Has the HIPAA Security Rule Not Been a Dazzling Success?

by Rick Link, Director, Coalfire

However, the Rule’s lack of clarity and specificity about how a covered entity would achieve that goal has been well documented and debated in many forums.

The Rule’s technical safeguards section includes five specific standards, paraphrased as follows:

  • Establish procedures to authorize and control access to ePHI.
  • Establish procedures to audit activity in information systems that process ePHI.
  • Protect ePHI from improper viewing, modification or destruction.
  • Authenticate the identity of those seeking access to ePHI.
  • Protect ePHI that is "being transmitted over an electronic communications network".

The Rule’s brevity in discussing these technical safeguards has made it difficult for covered entities to develop and implement the automated controls and processes needed to ensure ePHI is protected and secure. Specific examples of critical topics not sufficiently discussed or addressed in the Rule include encryption and decryption mechanisms, perimeter firewalls, intrusion detection systems/intrusion prevention systems (IDS/IPS), the security implications of wireless technology for health information systems, virtualization technologies, and the risks associated with the development, operation and maintenance of the computer software that provides the basic functionality of the ePHI systems. Each of these security topics is complex in itself, and covered entities were forced to identify other sources and guidelines from the major government, professional and standards organizations.

HIPAA’s answer to these shortcomings in specificity, and to the anticipated pace of future technological development, was to include among the administrative safeguards a requirement to periodically perform a risk analysis or risk assessment. It is true that, in a perfect world, a thorough, thoughtful risk analysis of the threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI would point back to the specific critical topics cited above and result in the implementation of commensurate risk management activities and controls. However, as we well know, we don’t live in a perfect world, so it is unlikely that the risk analysis will be as thorough and thoughtful as it needs to be.

So you say, “What else is new?”

In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) portion of the American Recovery and Reinvestment Act of 2009 (ARRA) contained these four significant changes:

  • Extended the scope of the original HIPAA Rules (Privacy, Security, and Breach Notification) to include the business associates of previously covered entities.
  • Renewed the push to adopt Electronic Health Records (EHRs) by providing billions in incentive funding for the “meaningful use” of EHRs.
  • Established the Breach Notification Rule, which provides stiff penalties and publication of PHI exposure incidents, holding the covered entity responsible for the actions (or inactions) of their business associates.
  • Provided direction and funding for audits of HIPAA compliance.

For additional information on these specific changes, you may view The Coalfire Standard newsletter article entitled “HIPAA/HITECH - Audits, Notifications, and Penalties - Oh My!”, published in May 2011.

Organizations need help interpreting HIPAA and HITECH requirements, and filling in the Rules’ gaps, to ensure ePHI is protected. You need a partner that recognizes the importance of having the technical healthcare expertise, resources and tools to help manage your healthcare information security and compliance program to protect your ePHI. Whether you need a HIPAA IT Security Compliance Assessment, a Healthcare IT Vulnerability Assessment and Penetration Test, a business associate assessment, and/or advisory services to provide leadership and direction for your compliance program, Coalfire can help you with a tailored approach that meets your budgetary requirements. Our healthcare assessment methodology uses a common controls framework that combines the HIPAA requirements with other industry best-practice standards. This unique framework aligns with the HIPAA Security Rule, the HITECH Act requirements, the NIST SP 800 series, and ISO 27002 to provide the most comprehensive assessment.

To further expand our healthcare service offerings to help clients with industry-accepted frameworks and compliance tools, Coalfire has been approved by the Health Information Trust Alliance (HITRUST) to be a Common Security Framework (CSF) Assessor. The HITRUST CSF is the most widely adopted and recognized compliance framework focused on information security in the healthcare industry. While the CSF is not a formal component of HIPAA, HITECH, or ARRA, it is rapidly becoming the de facto industry standard, as it is the only framework built to provide scalable security requirements based on the differing risks and exposures of organizations.

The CSF was developed with three levels of implementation requirements for each control, increasing in restrictiveness. This allows an organization to focus on critical security issues based on its specific business circumstances, such as business impact and risk, which is what was missing from the HIPAA Security Rule. The HITRUST CSF Assurance Program, which leverages the CSF, allows organizations to choose either a CSF Validated or a CSF Certified assessment based on risk. Both options use the same CSF processes, tools, and requirements but differ in the degree of assurance provided to the organization. CSF Validated allows organizations to be measured against the CSF and to report their progress, and also provides valuable information such as standardized corrective action plans. CSF Certified provides additional assurance by verifying that an organization has met all of the industry-defined certification requirements of the CSF.

As a CSF Assessor, Coalfire has the trained resources to help healthcare organizations of varying size and complexity assess compliance with security control requirements and document corrective action plans that align with the HITRUST CSF Assurance Program. HITRUST created the assurance program to streamline the information security challenges and inefficiencies associated with existing third-party assessment standards and proprietary approaches. The HITRUST program helps healthcare organizations focus their attention and resources on improving information security rather than on the compliance process itself.

Coalfire is committed to developing and providing you the leadership, resources and tools for dealing with the HIPAA/HITECH security complexities, and to helping you understand how to meet these regulatory requirements so that you, your business associates and your customers can be a dazzling success.

For more information about data security and compliance issues that affect the healthcare industry, see our recent webinar, “HIPAA Modifications & HITECH Rules: What are the Security Essentials?”.