
16May2011

Standards and Legal Issues


By Thomas Groshong

An audit of the Electronic Health Record (EHR) system reveals a lack of basic policies and standards to protect EHR data from misuse, abuse or theft. The Health Insurance Portability and Accountability Act (HIPAA) requires protection of EHR data and gives basic security guidance for safeguarding this data against misuse and/or theft. Thomas J. Smedinghoff quotes the HIPAA statute, 42 USC Section 1320d-2(d)(2), which establishes three basic security principles: maintain reasonable and appropriate administrative, technical, and physical safeguards (Smedinghoff, 2008). A reasonable attempt to provide safeguards and follow accepted security standards can be built on the HIPAA Security Guidance, National Institute of Standards and Technology (NIST) documents, and the SANS Institute policies. The security goal is to provide confidentiality, integrity, and availability of EHR information (Smedinghoff, 2008). The policies created below address weaknesses in the current system and provide direction on how to meet industry standards and legal requirements.

A. Create three organizational policy statements:


HIPAA suggests a three-pronged approach: physical security, technical security, and administrative security. This document covers organizational policies for each of the three categories, based on best practices and national standards such as NIST.

a. Administrative security: A written policy stating the procedures, standards, and guidelines that ensure only honest and qualified people are granted access, define levels of access, and prevent unauthorized access (U.S. Department of Health and Human Services, 2003). It covers proper screening of personnel, security awareness training, and separation of duties. Procedures for employee termination and for appropriate supervision, such as audits, reports and rotation of duties, will be clearly stated. Each employee will complete a written request for access, to be approved by their supervisor. This request will identify the system or systems requiring access and the role or permission level required. It must include documentation of security awareness training and the employee's acknowledgment of responsibility, along with the penalties if these policies are violated (Scholl et al., 2008).

File:RLHT_Task2 ByThomasGroshong

b. Technical security: An access control policy that covers the authentication of employees and provides role-based access control to ensure the integrity of information and the confidentiality of the EHR system (Scholl et al., 2008). A minimum of two-factor authentication should be used to authenticate users. This will be accomplished with identity cards (IDs) that carry biometric information on each employee and require the employee's Personal Identification Number (PIN) to be entered for authentication. PIN lockout will be triggered after three failed attempts and must be reset by Help Desk personnel after verification of the user's identity. Access Control Lists (ACLs) in a directory service such as Microsoft Active Directory (AD) will authenticate user accounts and group accounts and establish system permissions based on the user account and the roles assigned. Employees will be assigned roles based on their duty description and/or organization, for example Personnel, Customer Service, or Accounting. These are internal measures to protect EHRs from abuse or theft from inside the protected network. Remote Access (RA) users must be controlled through Web Access verification processes such as Reverse Dial-Up PIN verification and monitored closely using audit logs.
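The technical-security policy above names three mechanisms that are easy to state and easy to get wrong in practice: a second factor (the PIN) that must never be stored in the clear, a lockout that only the Help Desk can clear after identity verification, and role-based permissions that are checked on every operation and written to an audit log. The following is an added example written for this page, not code from the paper or from any EHR product; the role names, operations, sample user and card identifier are hypothetical, and the ID card is modelled as an opaque identifier read from the card.

```python
"""Added example: PIN second factor with salted hash, three-strike lockout
cleared only by the Help Desk, and role-based authorization with audit log.
Roles, operations and the sample user below are hypothetical."""
import hashlib
import hmac
import os
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3  # the policy's "three attempts"

# Role -> permitted EHR operations (hypothetical, modelled on the policy's examples)
ROLE_PERMISSIONS = {
    "Customer Service": {"read_demographics"},
    "Accounting": {"read_demographics", "read_billing"},
    "Personnel": {"read_demographics", "manage_users"},
    "Clinician": {"read_demographics", "read_clinical", "write_clinical"},
}


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Store a salted PBKDF2 hash, never the PIN. A 4-digit PIN is trivially
    # brute-forced offline, so the lockout below, not the hash, is what
    # actually limits guessing; the hash only keeps the PIN out of the store.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    card_id: str          # identifier read from the ID card (factor 1)
    salt: bytes
    pin_hash: bytes       # salted hash of the PIN (factor 2)
    roles: set
    failed_attempts: int = 0
    locked: bool = False


class AccessControl:
    def __init__(self):
        self.users = {}
        self.audit_log = []   # (username, action, outcome) for every decision

    def enroll(self, username, card_id, pin, roles):
        salt = os.urandom(16)
        self.users[username] = User(username, card_id, salt, hash_pin(pin, salt), set(roles))

    def authenticate(self, username, card_id, pin) -> bool:
        user = self.users.get(username)
        if user is None:
            self._log(username, "auth", "unknown user")
            return False
        if user.locked:
            # A locked account fails even with the correct credentials.
            self._log(username, "auth", "locked")
            return False
        # Constant-time comparisons so timing does not leak which factor failed.
        card_ok = hmac.compare_digest(user.card_id.encode(), card_id.encode())
        pin_ok = hmac.compare_digest(user.pin_hash, hash_pin(pin, user.salt))
        if card_ok and pin_ok:
            user.failed_attempts = 0
            self._log(username, "auth", "success")
            return True
        user.failed_attempts += 1
        if user.failed_attempts >= LOCKOUT_THRESHOLD:
            user.locked = True
            self._log(username, "auth", "locked after %d failures" % user.failed_attempts)
        else:
            self._log(username, "auth", "failure %d" % user.failed_attempts)
        return False

    def helpdesk_reset(self, username, identity_verified: bool) -> bool:
        # Only the Help Desk clears a lockout, and only after verifying identity.
        user = self.users.get(username)
        if user is None or not identity_verified:
            self._log(username, "reset", "refused")
            return False
        user.locked = False
        user.failed_attempts = 0
        self._log(username, "reset", "lockout cleared by help desk")
        return True

    def authorize(self, username, operation) -> bool:
        # Permission comes only from the user's roles; a locked user gets nothing.
        user = self.users.get(username)
        allowed = user is not None and not user.locked and any(
            operation in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)
        self._log(username, operation, "allowed" if allowed else "denied")
        return allowed

    def _log(self, username, action, outcome):
        self.audit_log.append((username, action, outcome))


if __name__ == "__main__":
    ac = AccessControl()
    ac.enroll("jdoe", "CARD-0001", "4821", ["Accounting"])   # constructed sample user
    print(ac.authenticate("jdoe", "CARD-0001", "4821"), ac.authorize("jdoe", "read_billing"))
    for _ in range(3):
        ac.authenticate("jdoe", "CARD-0001", "0000")
    print(ac.users["jdoe"].locked, ac.authenticate("jdoe", "CARD-0001", "4821"))
    for entry in ac.audit_log:
        print(entry)
```

Two points the policy text leaves implicit are made explicit here: a locked account is refused even when the correct card and PIN are presented, so the lockout cannot be bypassed by simply trying the right credentials on the fourth attempt, and the `authorize` check is independent of authentication, so every EHR operation is decided from the assigned roles rather than from the fact that the user once logged in. In a real deployment the `ROLE_PERMISSIONS` table would be replaced by group membership in Active Directory and the audit log would go to a central collector, but the decision logic is the same.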

c. Physical security: A policy to protect the physical computers, data stores, and network devices from compromise, including Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), firewall, and router configuration (Scholl et al., 2008). These systems must be configured to prevent unauthorized access, monitor traffic and respond to external threats. AES encryption will be mandatory for all data transmitted beyond the boundaries of the Local Area Network (LAN). EHR data copied to local machines, laptops or other devices such as USB drives must be encrypted and never stored locally in plain or clear text. Remote users must authenticate using strong passwords based on the SANS Institute password policy and Reverse Dial-Up PIN verification (SANS Institute, n.d.). Note that the HIPAA Security Rule itself lists facility access controls, workstation use and security, and device and media controls under physical safeguards, and treats IDS/IPS, firewalls and transmission encryption as technical safeguards; the policy statement here groups them together because they all protect the network boundary and the portable media on which EHR data leaves the facility.

In summary, HIPAA regulations provide basic guidelines for the protection of EHRs. The policies provided here are intended to meet or exceed the HIPAA standards and to provide a framework for the confidentiality, integrity, and availability of EHRs. They represent a reasonable attempt to safeguard data and to prevent misuse and/or theft of that data. NIST has published a number of documents that provide guidance on this subject, and these policies try to incorporate that guidance. These policies should reduce the risk of security breaches in the future, and the audit and monitoring controls above are what will show whether they are being followed.


B. References

SANS Institute. (n.d.). Password Policy. Retrieved May 6, 2011, from http://www.sans.org/security-resources/policies/Password_Policy.pdf

Scholl, M., Stine, K., Hash, J., Bowen, P., Johnson, A., Smith, C.D., & Steinberg, D.I. (2008). An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (NIST Special Publication 800-66 Revision 1). Gaithersburg, MD: U.S. Department of Commerce, National Institute of Standards and Technology. http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf

Smedinghoff, T. (2008). Information Security Law: The Emerging Standard for Corporate Compliance. Ely: IT Governance Publishing.

U.S. Department of Health and Human Services. (2006). HIPAA Security Guidance. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf

U.S. Department of Health and Human Services. (2003). Summary of the HIPAA Privacy Rule. http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf

