Impact on Security Information

HIPAA Security provisions represent best practices for security management and operations, and as such pertain primarily to the manner in which confidential data is accessed, stored, transmitted, manipulated, recovered, and secured. (Athena Software, 2006) A TESS managed by StorageTek’s ASM software solves the data management, security and disaster recovery problems created by information islands in a healthcare enterprise, permits more efficient planning, and supports good data management practices for healthcare in the HIPAA era.

Periodic fine-tuning of the system prevents performance degradation and facilitates upgrades that prevent data from being compromised. (Baune and Galsso, 2004) Another impact is on cash flow: without cash, the organization cannot function. Cash flow disruption can be caused by many factors, but the inability to record charges and bill for services due to a loss of data processing capabilities is certainly a risk that all organizations face. Security has been compared to a three-legged stool of integrity, availability and confidentiality.

Using this definition, security includes ensuring that systems are available, and the HIPAA security rule requires contingency planning and disaster recovery plans. (Hewitt, 2006)

Permanent loss of ePHI

One risk is the permanent loss of ePHI. Access to accurate patient information is critical in keeping a health care organization operational. Destruction or corruption of ePHI, particularly on a major scale, would be catastrophic for any healthcare enterprise.

Examples of threats that could destroy or corrupt ePHI include a natural disaster such as a fire, an external hacker attack that destroys data on your computers, or a rogue programmer who creates code that corrupts not only the live data but your backup tapes as well. While downtime procedures may provide a relatively short-term workaround, the total loss or corruption of patient data will be nearly impossible for many organizations to recover from. (Hewitt, 2006)

Temporary unavailability of ePHI

In addition, there are cases of temporary unavailability of ePHI. The temporary loss or unavailability of medical records containing ePHI can severely delay or impair care services and business operations. Examples of this could be as simple as a hard drive crash, a snowstorm knocking out power to computers, or a malfunctioning application system. When was the last time you had an unplanned downtime? Many organizations have developed downtime procedures that can be used while networks are restored or backups are reloaded.

These events, while disruptive, likely will not permanently scar a healthcare organization if there has been no permanent loss of data. However, healthcare executives need to ask what the impact would be if computers go down for 2 hours, 6 hours, 24 hours, 48 hours, 1 week, 2 weeks, 4 weeks, etc. How would you recover and re-enter data lost since the last backup tapes were created? (Phoenix Health System, 2006)

Unauthorized access to or disclosure of ePHI

Now that the HIPAA Privacy regulations are in effect, unauthorized access to or disclosure of ePHI (confidentiality) must be on every healthcare organization’s list of important security risks. Many aspects of poor security can increase this risk, and the HIPAA security rule focuses on reducing it. Terminals that do not have adequate timeout functions could allow an unauthorized user to gain access to ePHI. Inadequate audit trails and monitoring can create an environment whereby employees have unauthorized access to the ePHI of their neighbors, family members or co-workers.

Other organizations may have adequate audit trails but refuse to enforce sanctions on employees who breach security or privacy, thereby creating major risk to patient confidentiality. Add to this the very real risk of civil and criminal penalties, and the potential loss of reputation and credibility that may result from unauthorized disclosures or access. (Hewitt, 2006)

Harm to reputation and public confidence

Many organizations rank their reputation and the confidence of their patient/client base as a highly valuable asset worth protecting. It is often difficult to put a dollar value on such intangibles.

Further, loss of reputation presents a special security challenge, since it is normally preceded by some other loss or potential loss, such as a major patient security breach that can occur from an internal (employee) or external (hacker) threat. It is also the hardest asset to reacquire once it is tarnished. (Hewitt, 2006)

Loss of or damage to physical assets

The loss of assets such as computers, routers, firewalls, laptops and other equipment can be very disruptive, but recovery may be manageable through procurement of adequate insurance and providing for contingency plans.

The most important risk may be that such a loss could have a critical impact on other areas, especially the loss of data processing capabilities or damage to physical assets. (Phoenix Health System, 2006)

Compromise to patient safety

Protecting the safety of patients is a critical risk that must be considered. One scary scenario would be a rogue programmer who changes lab values that physicians use to treat patients. A program that alters the potassium level of every 100th patient could create misdiagnoses that could injure or kill patients. (Phoenix Health System, 2006)

Compromise to employee safety

One asset that is sometimes forgotten in risk management planning is physical risk to the organization’s staff. Depending on the local availability of skilled labor, the impact of a loss of staff members will vary widely. Considering the growing threats of bioterrorism and weapons of mass destruction, threats to these “people power” assets must be considered. (Hewitt, 2006)

The above are the risk factors facing the healthcare professionals and providers who are directly affected by the implementation of HIPAA.

Taking the risk and training is the only alternative. Security is an ongoing process and today’s potential solutions need to be weighed against future trends as well. Public and private research and development efforts have produced a variety of security technologies for encryption, authentication, access control, key management and anomaly detection. However, security is not primarily a technology problem; rather, it is a core infrastructure design problem that can most effectively be resolved by a disciplined architectural approach to systems procurement and deployment.

Health informatics developers and operators need to come to terms around a balanced solutions approach that permits reliable implementation of consistent security policy throughout a system’s lifecycle. A critical part of a complete security solution—along with sensible security policies and robust mechanisms—is a rational and uniform assurance method for ensuring that security designs and implementations continuously meet the objectives of the security policy.

Assurance is measured and sustained by the uniform application of a rational risk assessment methodology. (Nolan, 2002) Provider organizations have a clear responsibility to themselves and to their patients to require informatics vendors to step up to a higher level of technical security performance in the area of developing, maintaining, and furnishing the information necessary to implement technical controls on systems and network elements on which the vendor’s application(s) depends.

In the age of HIPAA compliance and with increasing threats from the wily hacker, this is a new standard of performance that both healthcare suppliers and vendors will need to begin to adopt if they are to realize a disciplined and cost-effective approach to security, one that does not rely overly much on security products that are a corollary to, but not a replacement for, an architected infrastructural approach to security. (Nolan, 2002)
