Most healthcare organizations have one more month to meet the security requirements of the Health Insurance Portability and Accountability Act (HIPAA). Will they make it? SearchSecurity.com interviewed IT, security and compliance professionals across the United States over a two-month period. What we found is the massive patient privacy law is a bitter pill for some to swallow and the best prescription for others to follow.
Diane McQueen is one of the lucky ones.
A systems engineer for Perot Systems, which manages IT security for the nonprofit Northern Arizona Healthcare hospital chain, she's blessed to be in an operation with strong upper management support and a strong security officer. Both are critical ingredients for an enterprise with 150,000 annual patient visits, 300-plus beds, 200 doctors on staff and 1,000 staff affiliates.
"We've had more success than others," said McQueen, who started as a Northern Arizona Healthcare employee but shifted to Perot Systems when it was contracted to manage security. "Just the fact that it brought Perot Systems in shows that they've taken HIPAA security seriously. The organization also has a very good legal team and Perot designated one of our staff members as security officer. He's done an outstanding job."
That has left McQueen's team free to phase out the outdated, ragtag network of machines between departments and hospitals. The chain now uses Cerner Millennium, a Unix/Oracle-based hospital information system she said brings every piece of the enterprise under one roof.
"That was a huge undertaking for us," she said. "Before Cerner there were different systems for all these different departments. In the old days hospitals had many generic accounts where one would be shared by everyone in a department. With Cerner every staffer now has a unique account, a very important step in meeting HIPAA's security rules."
And through different steering committees, upper management is making sure departments are doing what HIPAA requires, McQueen said. So while some employees found it hard to adjust to strict individual passwords and the need to log back on every few hours, they have largely done so.
That's not the scenario in every hospital, however.
Compliance consultants who travel from hospital to hospital to help them grasp HIPAA security said the overall picture is mixed.
One common problem, especially in some of the more cash-strapped hospitals, is that upper management has a tendency to hand all the HIPAA responsibility off to someone in the IT department and then walk away. "Privacy and security are not just problems for IT," said Kate Borten, president of The Marblehead Group Inc. "Many of the security requirements are read-between-the-lines-type material, and if you don't have a strong security background you're not going to understand the intent of the law."
Borten said some hospitals understand and work very hard to do right by HIPAA. But in many nonprofit organizations the financial culture isn't geared toward security. So if you're the person responsible for HIPAA, security tends to be a tough sell.
"It's very common to go into a hospital and find that no one has much of a security background beyond firewalls and antivirus," she said. "Hospitals that struggle financially are not inclined to invest in a security specialist, so they hand it off to someone in IT who may not be the best fit. It's very distressing when an organization picks the wrong person."
Lisa Gallagher, a consultant with Maryland-based Javelin Technology Group, has seen the same problem. "I think there's still a lot of focus on the IT risk, but a big problem is the inadequate policies and the lack of policy enforcement," she said. "Someone might allow file downloads to laptops that might then go missing. That's a serious problem. Hospitals lose PDAs and laptops all the time. One even told me they lose PCs."
Gallagher tries not to tell people they can't use PDAs or laptops because it's an unrealistic demand. "But," she added, "they can have strict rules with consequences if that happens. The point I try to make is that the risk needs to be managed. You need to train people on the policies you adopt. By not enforcing your own policies, you're violating the rules."
Gallagher said things haven't changed much since April 2004, when URAC, a Washington D.C.-based nonprofit that promotes health care quality through accreditation and certification programs, issued a report showing most healthcare organizations weren't complying with HIPAA security.
URAC reviewed the practices of hundreds of different health care organizations, including hospitals, and found:
- Incomplete or inappropriately scoped risk analysis efforts.
- Inconsistent and poorly executed risk management strategies.
- Limited or faulty information system activity review.
- Ineffective security incident reporting and response.
Kevin Beaver, president of Atlanta-based security consulting firm Principle Logic and co-author of The Practical Guide to HIPAA Privacy and Security Compliance, said that, like any other organization, hospitals must step back and see the big picture. "Don't look at this as a HIPAA compliance issue," he said. "Look at this from the perspective of what's best for your organization; what's best for information security."
His advice: "Establish a security mission within the organization. Establish goals to fulfill that mission. If you have upper management verbiage on the importance of information security and how the organization is responsible for various requirements, you can develop tangible, reachable goals from there."