Tuesday, January 24, 2006

Sustain You

I love the title of this article: Sustainable Compliance.

Generally, input as to what would be required for the organization to be in compliance came from outside regulators and auditors who probably knew less about IT, and certainly knew less about the business, than the organization itself did. A somewhat natural response was to push back on these requirements, deny that they had validity, and hope that they would go away. By the time many organizations finally got around to doing something, the time was running short. So they did the minimum needed to comply, or more pragmatically, to pass an audit.

Almost every day, I talk to someone who is in this boat. But compliance is not a one-time fix, and so many folks are starting to come apart under the pressure, or have gone the other route and given up, hoping that they will get lucky, and no one will notice. There is a middle ground, though, which involves a more long-view, user-centric approach, that while it certainly is not painless, it can be a lot easier than many make it.

Wednesday, January 18, 2006

Work All Day

Here is a great story from UPI about the efforts of some folks in California to provide healthcare to migrant farm workers. Because many of them have poor english skills and because, legally here or not, they still fear INS trouble, many are unable or unwilling to seek medical help.
One of the unintended side-effects of HIPAA is that the workers do not need to fear the INS when they seek medical attention. And the required technology has made it easy for the folks running the program to connect to the hospital remotely via wireless VPN.
So the workers get healthcare, which goes a ways toward solving the public health issues of having a migrant population, and they can get it with a reasonable expectation of privacy.

Protect and Survive

Data Protection seems to be the word floating around in the air this year. Making certain that your data is secure is the main thrust of the Security Rule, and as the author of this piece in NewsFactor points out, the key is in having your IT ducks in a row.

By asking a few simple questions, an SMB can determine if it is meeting some of the basic compliance elements; identify compliance areas that it needs to address; and establish a starting point for action.
Do you know what will happen to your business operations if parts of your networks or systems fail?
Are your systems and networks protected against viruses and other malware?
Do you have ways to authenticate everyone who accesses your information systems and data?
Can you monitor how your I.T. network is used and by whom?
Do you have the means to track security incidents?
Is your data tamper-proof?
Is your key data backed up off-site?
Have you protected "unstructured" data -- that is, the e-mails, spreadsheets, and other documents on your employees' desktop systems?
Do you have companywide e-mail archiving capability?
How long does your data need to be archived and how quickly must you be able to retrieve it?
Can you show/prove that you are in compliance?

Now, I am an IT guy, and the solutions that come to mind when I am asked about compliance tend to be fairly technological in nature. But I also spend a lot of time speaking to various groups about HIPAA compliance, and most questions I am asked involve more Social Engineering than Computer Science.
As I constantly am nagging about, you must build your systems so that they are as close to transparent to the user as possible. Make a backbone of compliance out of technical solutions, but flesh it out in a pleasing, user friendly fashion.

10 O'clock Postman

From Search Security comes this piece on e-mail encryption. As the writer points out, there is really no longer any excuse:

Given the availability and affordability of encryption technology today, it is difficult for a healthcare organization to justify not using some form of it when transmitting PHI. A number of vendors offer a variety of reasonably priced encryption hardware and software, as well as outsourcing options.

For a smaller practice, there are a number of free or nearly free options, and for larger enterprises, if you don't already have some way to encrypt your e-mail, you better not be sending PHI. Though this is an adressable, I would find it difficult to defend any decision concerning PHI sent over e-mail that doesn't include encryption.

Wednesday, January 11, 2006

Back That Thing Up

Okay, so I am not a big one on cautionary tales, or big time fear-mongering when it comes to HIPAA. Too many front-line healthcare workers have been traumatized by scary HIPAA presentations, and that is a big part of why there is so much push-back. But for IT people there is no excuse. All of us know about back-ups and archiving, and all of us should be aware of what is compliant and what is not. That is why studies like this one are so frustrating to read:

Dowling told Datamation that 42 percent of respondents said there was 'no need' for compliance processes. That comes, according to Bridgehead, despite the fact that Sarbanes-Oxley affects half of U.S. companies and HIPAA regulations affect about a quarter.
''Someone somewhere is going to get sued or charged and the federal government will start to punish folks not in compliance,'' says Dowling. ''And there will be a realization that to be compliant you need to do more than you've been doing.''

If you are simply hoping that your back-up software is going to take the place of having a proper archiving system, there is a very good chance that you will be very unhappy someday. Maybe someday soon.

Tuesday, January 03, 2006

Locked Down

Here is an answer to a question I am often asked about the security of USB devices:

Ecora, Portsmouth, NH, has brought out a new version of its endpoint security system, Ecora DeviceLock V 5.73, which allows administrators to "white list" select USB devices and assign the white listed devices to users and groups while locking out all other devices...
Devices in the white list can now be assigned to users and groups providing more granular control over which users have access to what USB devices on their computers. One user can be allowed to use a certain device, while another user can't use it on the same computer.

You will still have to control what goes on them, and it is still a favorite nightmare that a Geek Stick left in a lab coat will end up at the cleaners where some felon working out his work-release can get his hands on all of the PHI accessed by that doctor over the last six weeks. It is still important to encrypt those handy little doo-dads.

Doctor, Doctor (Give Me the News)

Here is a very interesting collision at the intersection of HIPAA privacy and the Patriot Act:

Robin Moore, practice administrator for the group, said the language in their pamphlet is not unusual, and it complies with HIPAA and the Patriot Act. Sentara Healthcare's policy says the system might release medical information to authorized federal officials for national security activities. By contrast, Bon Secours Hampton Roads Health System, which operates Mary Immaculate Hospital in Denbigh, doesn't mention national security or federal authorities at all in its privacy pamphlets, but it does say information may be released when required by law.

So far, the government has never requested anyone's medical files.

The Department of Justice long has maintained the law is so narrow that a person's medical records would almost never be requested to combat terrorism. John Nowacki, spokesman for the department, said the law only allows the government to search for information pertaining to foreign intelligence that does not concern an American citizen.

"The law specifically provides that it can't be used against a United States person," Nowacki said. It also means that the law cannot be used to investigate "ordinary crimes or domestic terrorism," Nowacki said.


You know, I hadn't even thought of HIPAA in terms of domestic spying, but recent current events are making me think that there may be some conflict between the government's perceived need for information and the provisions set in place to insure privacy. Every spying program in history has been abused. The reassurance by Mr. Nowacki, above that "it can't be used against a United States person" flys in the face of recent disclosures.
I am all for HIPAA, in spite of the nuisances and irritations, the inconsistances and vague interpretations, because I believe in the fundamental right of all of us to keep private those things we ourselves choose to consider private. That some bureaucrat can bypass HIPAA at a whim, without anything more than an administrative warrant (if that, and then signed, not by a judge, but by that bureaucrat's boss) and it is illegal for me to be informed, even when nothing of national security interest is found, makes me very nervous.
There is nothing very interesting in my medical records. No employer is going to hesitate hiring me because of my health--- no insurance company is going to deny me coverage, no enemy or business rival is going to be able to leak my shameful past. But there are many of us whose records are not deadly dull, as mine are.