Friday, August 26, 2005

I'm Doing Time in a Maximum Security Twilight Home

Read this:

"If you're impacted by HIPAA, you must have a comprehensive security program -- including risk assessment, policy development, controls, and monitoring and responses processes -- in place. But if the main concern is SOX, you'll be strictly responsible only for security around particular, auditable processes. Here's an opportunity to act broadly, extending SOX-driven security infrastructure and consulting spending to categories not covered by the audit.
In other words, spend once on developing a risk management and control infrastructure for security and then derive multiple benefits, for example by meeting compliance and catching low-level, non-SOX fraud at the same time.
After taking the right approach, says Hellman, there will scarcely be a distinction between compliance and security success: "It's incredibly intertwined. Compliance is an overlay over your security processes."

As the writer points out, this is an approach, not a solution, but the whole idea of integrating your security and compliance efforts makes so much sense. Too many systems have a network, with some kind of database tacked on, and glued to that some security that accreted through responses to the last five attacks, and then some sort of compliance procedure melded together by the IT and legal departments. When they finally call someone like me, the mare's nest is nearly impenetrable, filled with sacred cows, and the whole thing has cost 3 times what it should.

Thursday, August 25, 2005

Garden of Simple

Another free webcast, "How to simplify and automate your compliance procedures" from SearchSecurity:

"The growth of government mandates has caused an increase in manually intensive, compliance-related tasks that reduce IT efficiency. And according to AMR Research, the total tab for compliance-related spending will exceed $6 billion over the next 5 years. At this webcast, learn firsthand from Charles Kolodgy of IDC about how you can simplify, automate and reduce the cost of achieving IT security and regulatory compliance. Get tips on how you can get away from using manual methods to ensure compliance and how to reduce the complexity and burden on your IT infrastructure."

There is a lot of good stuff out there lately, but making time to learn and apply all of it is nearly impossible for those in small practices, or with limited IT budgets. My suggestion? Find a hired gun to put your compliance house in order, train a current staff member to keep up with things, then make sure they have a few hours a week to do so.

Wednesday, August 17, 2005

Going Up To The Country, Paint My Mailbox Blue

If you make a system easy enough to use, or even user-transparent, there will be far fewer problems with compliance. For many IT people this is axiomatic. When we are talking users who don't really care about all of our fancy high-tech equipment, it goes double. Securing e-mail doesn't have to be a nightmarish ordeal:

"Secure messaging is sort of a serendipitous technology," Osterman says. "If you ask somebody if they need to encrypt e-mail, a lot of people will say, 'No, not really.' But put an easy-to-use encryption capability in front of them, and they find more uses for it."

If it is hard to use, they won't use it. If it takes a lot of time, they won't use it. If it seems to interfere with proper care of their patients, they won't use it.
And if they won't use it, why bother?
Let's make these systems and policies transparent and user-friendly.
Or they won't use it.

Monday, August 15, 2005

In the Air Tonight

Sometimes things seem to come together, or maybe something is in the air. This weekend I had a long conversation about email security, and this morning I find a quite excellent (though rambling) rant from Jeff over at HIPAA Blog:

"That's what gets people going, though. Encryption of emails. I've pooh-poohed it because of the relative risk question, but there's another reason to pooh-pooh it: you don't encrypt your phone messages, do you? Is there a greater risk of your emails being intercepted than your phone calls being intercepted? Not much of one; presumably phone circuits are more closely controlled than internet circuits (you never know what route your email will take, really), but wouldn't someone have to be involved in criminal conduct as great as wiretapping to intercept your email?"

And there is this from USNews:

"Compliance with rules like HIPAA (which governs the use and release of medical information) prompted Rochester, N.Y.-based Sutherland Global Services to install E-mail security software this year. The outsourcing firm often handles sensitive information like credit cards and medical records; company heads wanted to ensure that this information remained private. Sutherland now has a system in place that checks outgoing E-mail for key phrases or words, putting a quarantine on any message that may contain private information."

And from way back in 1999, an article from CNN with a quote from Jeff LePage (who by the way didn't hire me a few years back for a pretty cool sounding job--- but who seemed like a decent guy nonetheless---which would have had the added bonus of letting me work with an IT guy who is quoted in national publications) on keeping track of what your email is used for.

"I didn't really realize how much of a problem I had until I started using (monitoring software)," said Jeff LePage, director of MIS at American Fast Freight Inc. in Kent, Wash.
At American Fast Freight, a year after putting monitoring software in place, the software is now capturing only two or three inappropriate e-mails per week from the company's 330 employees -- requiring only a quick once-per-week check, LePage said."

Tuesday, August 09, 2005

Gonna Teach You to Love Me

Do you need to be a tech to understand and supervise compliance? This entry in Computer World chronicles the frustrations of a manager trying to deal with a non-technical person in the role of compliance officer.

"We were at an impasse created by that long-ago misunderstanding about the nature of the ISO position. When the HIPAA security rule went into effect, covered entities such as my agency were required to designate someone to handle ISO responsibilities. Many covered entities noticed that roughly 80% of the policies and plans required by the HIPAA security rule are categorized as "administrative," only 5% or so are categorized as "technical," and the rest are categorized as "physical."

Here's the misunderstanding: Even though the bulk of the policies are deemed administrative, implementing the policies is primarily a technical exercise. I believe -- and many may argue with me -- that writing a good policy requires a solid understanding of what technologies are available to implement the plan. You need some technical knowledge to be able to visualize the plan. You can't say, "Thou shalt do thus" and not be able to "do thus."

I believe that compliance management can be done by non-technical people, but it is difficult, and the same sort of flexibility and trainability that makes for a good employee in every other role is indispensable here. If your compliance officer isn't technical, they need to be willing and able to get at least a foundation of technical understanding. Just as anyone else would be expected to grow into their position, so should the non-technical compliance officer make every effort to at least learn the basics. It sounds like this one was given the opportunity, and failed to step up to the plate.

My Baby Said

From the Fort Wayne News-Sentinel comes this amusing and actually informed article:

"Just when I thought common sense was prevailing, my daughter, six months pregnant, told me of her recent experience at a Fort Wayne hospital. When going there for an outpatient test, the registration clerk asked her to sign a form stating she AND her baby had been informed of their privacy rights under HIPAA.
“My baby hasn’t been informed about anything,” my daughter said.

Both attorneys, she and her husband first thought the request “was a joke,” they said. But in all seriousness the clerk said the hospital had instituted the policy after another pregnant patient complained her unborn child had not been made aware of his or her privacy rights."

Most of the time, stuff like this is a training issue. When it isn't, there is always a back story. Sadly, to the patient, it just looks like more weird regulation.

Friday, August 05, 2005

The Last in Line

Good thing we are all HIPAA compliant, huh! Seriously, though, that .5% number is pretty danged impressive.

"HIPAA Compliance Required
McClellan on Thursday also announced that CMS after Oct. 1 no longer will process claims that are not HIPAA-compliant for Medicare reimbursement, according to CQ HealthBeat. In a news release, CMS said that about 0.5% of Medicare fee-for-service providers submitted non-HIPAA-compliant claims as of June 2005. After Oct. 1, such claims will be returned to the filer for resubmission, according to CMS. "We are firmly committed to an interoperable electronic health care system, and the close-to-100% compliance with HIPAA standards for claims shows that the health care industry shares this commitment," McClellan said (CQ HealthBeat [2], 8/4)."


Thursday, August 04, 2005

Communication Breakdown

David J. Brailer, the National Coordinator for Health Information Technology at the Department of Health and Human Services, actually seems like a pretty together kind of guy--- his recent testimony in front of Congress brought up a lot of issues, and his perspective seemed... well, to have perspective.

"The challenge here is how to adapt security/privacy issues with sharing information," Brailer said in response to a question posed by Rep. Pete Stark, D-Calif., about his opinion of the Health Insurance Portability Accountability Act.
"We can't impose multi-million dollar practices on a small practice," Brailer added, explaining that a large practice could use biometrics in its computers while a small practice only used a password, making interoperability impossible between the two systems.

For a lot of CEs, the Security Rule has been a brand new set of headaches. I should note that, even with the above scenario, there are solutions for securing communication between dissimilar systems. You do it every time you bank online, and your WinXP desktop talks to the bank's AS/400.

Monday, August 01, 2005

Don't Leave Me Now

A lot of information loss seems to come from poorly secured documents and bad document storage. This is especially dangerous when the record is at end of life. You can't just haul your old records to the dump, and handwritten notes are one of the blind spots for many organizations. It does no good to secure your electronic records if the notes they were based on can be gotten by simple dumpster diving.

Here is a brief piece from the Boston Herald that covers the high points of shredding.

"MetroWest Medical Center in Framingham also uses shredders at each nurse's station, and a HIPAA compliance team regularly "audits" the regular trash cans to ensure medical records have not been placed there, said spokesman Beth Donnelly. And when the hospital needs to purge computerized records, it locks the hard drives in a secure location and hires an outside company to "de-gouse," or strip, them with magnetic equipment. "

OT: Extra points for anyone who catches the fairly obscure reference in the title of this post. And I am pretty sure that they mean "degauss"--- "de-gouse" sounds like a fairly unpleasant office procedure involving harsh chemicals and minor surgery.

Wednesday, July 27, 2005

Searching for Artificial Happiness

"29% of companies purchased a solution for SarBox, 26% - for HIPAA by ZDNet's ZDNet -- More than 26% of customers surveyed by Network Intelligence are using the solution for HIPAA, 29% for Sarbanes-Oxley (SOX) and 5% for Payment Card Industry Standard (PCI). "

This is a vendor related study--- not much more than a press release, but it is interesting in that it shows that there are folks out there, like you, who are looking around for some sort of integrated solution to data handling and compliance.

The problem with this is always going to be that one size doesn't always fit all, and when you combine functions, the failure of one often causes the failure of all.

Tuesday, July 19, 2005

Two Rooms at the End of the World

So here it is, from RedNova--- the beginning of the apocalypse:

"Who could have ever imagined seeing former Speaker of the House Newt Gingrich standing side-by-side with former first lady and now senator from New York Hillary Rodham Clinton announcing their shared plan for the nation's healthcare system?
And yet there they were this past May, holding a joint press conference and describing how they would drag health care, kicking and screaming if need be, into a future filled with new IT and communication systems.
The Gingrich-Clinton announcement was not an isolated event. It was followed immediately by the introduction of the 21st Century Health Information Act of 2005 in the House, jointly sponsored by Reps. Tim Murphy (R-Pa.) and Patrick Kennedy (D-R.I.). A companion Senate bill came a week later introduced by Sens. Mel Martinez (R-Fla.) and Clinton. "

Well, not really the apocalypse. Actually a logical next step, which, properly done, will make HIPAA compliance much easier by further automating the system.
More as I learn more.

Thursday, July 14, 2005

Knock Three Times

There has been a rash of reports of data theft lately that has the very strange effect of causing many to become complacent about their data protection measures because, after all, their system is working.
The problem is that there is no way to know if your data is bulletproof. You can only be certain when it is not, and you have evidence that your security has been breached. The vast majority of data theft, including PHI, is undetectable, and unprosecutable, because unlike physical theft, the stolen data is still there. If someone sneaks into a museum in the dead of night, dressed in spandex and night goggles, and makes off with a Botticelli, in the morning there is a big square of unfaded wall, an empty nail, a light dusting of tracked-through laser-detection talcum powder, and no painting. The problem with stolen data is that most of the time there is no way to know that your system has been breached, or if it has been, that anything is missing, because nothing is actually missing.
So what do you do to keep your data secure?
The threats come in three flavors, and there are steps that you can take to protect yourself from each one.
1. The Barbarians at the Gates. There are people out there who don't like you. There are people out there who don't care about you, but want what you have. And there are people out there who don't care about you, or what you have, but want inside just. because. they. can.
These are the folks that firewalls were invented to thwart, and I assume that y'all have covered this loophole. Firewalls, encryption, strong passwords, and some sort of Intrusion Detection System (IDS) cover you there. If you don't understand or like this stuff (hard for me to believe, but then again I went heavily into BetaMax, so what do I know) hire someone who does. A competent IT security consultant can set up most small practices in a few hours of system hardening. Do make sure that the contract includes some basic training for your users concerning the changes and best practices.
2. The Enemy Within. Far more likely to cause you grief is the viper cherished in your bosom. No one knows for sure, but I would guess that the retail model applies here--- 90% internal theft. After all, who else holds the keys to your kingdom? Training, monitoring, set usage policies, and careful terminal check-out procedures can help, but you never know. If you have 20 employees and they all seem perfectly content, either you are the shining example all other bosses should aspire to, or at least 5% of your workforce is adept at hiding their dissatisfaction. I know which one seems more likely to me.
3. Stupid is as Stupid Does. And Stupid seems to be doing more than his fair share lately. Data theft is the classic crime of opportunity. "It was just lying there, so I took it." Or "The web site was unsecured" (here) or "The safe was left open" (here) or -one that I recently was asked about- "I left the box of records in the back seat, and someone borrowed my car." I love consulting, but dang, please make it harder for me, will ya? No more post-it notes with passwords conveniently stuck to the monitor, or so cleverly stuck under the keyboard. No more backup tapes on a shelf behind your desk, or stacked on top of the server. No more shared passwords for the entire office.
Once again, if you don't know about this stuff, contract someone who does. It is so very much cheaper and less stressful to spend a few bucks and a few hours hardening your system and providing a few hours of common sense training for your crew than it is to learn about your PHI disclosure from the guy with good hair and too many teeth holding the mike and standing sideways in your lobby so his cameraman can get a good shot.

Wednesday, July 06, 2005

Unintended Lyrical Befuddlement

Here is a report from the First Amendment Center on a HIPAA conference in Nashville that reads like a laundry list of misconceptions about HIPAA-- reporters whining about the public's right to know (a wonderful thing, the First Amendment, designed to protect individuals and groups from being silenced, and its corollary, the public's right to know, exists to keep the big shots in control from hiding stuff from us-- NOT to make reporters' jobs easier), a hacker named "Mudge" who boasts he could bring down the internet in 30 minutes, and an anti-HIPAA crusader from here in Washington State who claims that HIPAA is less about privacy than it is about discrimination.

I like this one a lot:
"James Hudnut-Beumler, dean of Vanderbilt Divinity School and an ordained Presbyterian minister, brought an often-overlooked effect of HIPAA to light: how hard it has become for clergy to see members of their congregations in the hospital or even get any information about them. Churches must now be very careful what they reveal about patients to their congregations, particularly in church bulletins, he said.

“It has turned us (clergy) into social engineers,” Hudnut-Beumler said. “It gets hard to do the work that you are supposed to do and that the family expects you to do.” He proposed a “good Samaritan provision” to apply to HIPAA that would protect medical personnel in the case of “well-intended disclosure,” an idea many attendees received favorably."

Of course, we all know that Vanderbilt Divinity School is not a covered entity, and I sincerely doubt that most Presbyterian congregations need to worry about the HIPAA cops inspecting their church bulletins.

Man, I wish I had been at that conference; it sounds like it was a blast.

Protect Ya Neck

I hereby declare July as Security Compliance Month-- we'll have a parade, an award show, and a Security Rule Film Festival. While I work out the details, entertain yourself with this from Ramon Padilla Jr. at Tech Republic:
"However, as it is now, the temptation is there for others to gamble on not getting caught—and, in the process, to gamble with your career. When it comes time to request funding for HIPAA compliance, it might go like this: "Well Bob, I see your budget request for us to comply with the HIPAA security standards is pretty large. I'm afraid we can't handle that. "Do the best that you can."
But whose head will be on the chopping block once a security complaint is filed and it is leaked to the press? You can bet it won't be the person who denied your funding!"
Good points from Ramon--- remember, Ken Lay is still playing golf with his cronies while his Enron underlings are all residents at the Gray Bar Inn.

I've Just Seen a Face

A pretty good white paper in Information Week from Citrix about security compliance:
"...some of the common top-of-mind topics that CIOs in this industry face include:
  • Patient Safety.
  • Loss of cash flow from an inability to bill because the network is down.
  • Unauthorized release or use of PHI from external or internal threats.
  • Temporary unavailability of data to critical systems that impairs patient safety.
  • Growth in the number of users with wired and wireless access devices.
  • Installing the latest patch upgrades.
  • Integrating new systems with legacy systems.
  • Rapid identification and response to problems.
  • Monitoring patient data for early signs of potential terrorist or bio-terrorism events.
  • Interpreting and adopting new information technology compliance mandates."
Vendor white papers are usually about pushing their own product, so read between the lines. This one has some good info, though, so it is worth a scan.

Save the Population

A good general concept-level piece on data storage from IT Observer:

"Information Lifecycle Management (ILM) is one strategy for managing and storing data, according to its evolving business value and access requirements over time. Data must remain accessible on demand for compliance and audit inquiries."

Storage is going to be a very hot issue in the next little while, as folks begin to understand the ramifications of the security rule. Having a plan now is so much better than having an emergency later.

Thursday, June 30, 2005

Moonlight in Vermont

From the Bennington (Vermont) Banner comes a story of a defense attorney arguing that HIPAA prohibits the disclosure of mental health records from the state prison in this case:

"Prosecutors are seeking a Burlington murder suspect's medical records from the Vermont Department of Corrections to determine if he is mentally fit to stand trial.
The Corrections Department records, which date back eight years, are critical to supporting or disproving whether Gerald Montgomery is mentally incompetent, Mary Morrissey, a deputy Chittenden County state's attorney, told Vermont District Court Judge Michael Kupersmith on Tuesday.
"This is a man charged with murder and kidnapping," Morrissey said."

An independent, court-appointed psychiatrist says that Montgomery hears voices, but could be faking, so the state wants to see his records from prison to see if there is anything that would support this.

"Brenner also argued that Montgomery's health records are private and their confidentiality protected by state and federal law -- specifically the Health Insurance Portability and Accountability Act, or HIPAA."

Well.... no. The Privacy Rule specifically lists this sort of disclosure as allowed when requested by court order. State law I don't know about, but I suspect it also has this as an exception.

In the Navy

Military providers come online: from the National Naval Medical Center Journal, at dcmilitary.com
"Although he says he does not envision identifier codes replacing everything, or solving all problems, Fennewald said he envisions it limiting record losses and unauthorized access to records. "

Friday, June 24, 2005

If You Have to Ask

Wow! This is really cool: a searchable HIPAA database from Ask Sam. Definitely something to add to your favorites.
http://www.asksam.com/ebooks/HIPAA/

Wednesday, June 22, 2005

Key to the Gate

Jeff over at HIPAA Blog gets all the best comments. Right now he is involved in a dialog with Diva of Disgruntled that points up a number of issues. From what I can tell, there is plenty of wrong to spread around, and some foolishness and poor judgment on both sides. The situation makes a good example of what can happen when an employer (in this case Kaiser) exposes themselves to an unhappy ex-employee. Some important points here:
Your biggest threat is from within. We spend tons of time building defenses against the uber hacker when most of the time he really isn't all that interested in us. These defenses are important, though, because part of why he isn't interested in us is that we are hard to crack, and there are so many other easy targets out there. Anyone who wants to understand how most hackers work should read a good history of the campaigns of Cesare Borgia, Lucrezia's older brother, and the man Machiavelli based The Prince on. Borgia conquered most of Italy in a very short time, mostly by not conquering it. If a city was a hard nut to crack, he bypassed it, knowing that there were plenty of easier targets. If he really wanted a city, and the defenses were strong, he bribed someone inside to let him in.
Think about it. Who knows your defenses and systems? The folks who work with them, or in this case someone who used to work with them. And who is most likely to want to do you harm? Some joyriding script kiddie out to show his buddies how good his kung fu is, or someone who feels they have been done wrong, and who has little to lose?
So what do you do to minimize your exposure here? Like everything else it is way better to prevent fires than to be a fireman. Screen your employees carefully. Treat them well. Monitor their activities. And make sure that you terminate them with dignity. Fighting with someone over a few dollars of unemployment insurance may save you some pennies in the short term, but you will make an enemy of someone who has the keys to the postern gate, a map to the stronghold, and the secret password that opens the citadel.