With the Health Insurance Portability and Accountability Act (HIPAA) Security Rule deadline approaching rapidly, radiology departments are working to define and implement measures -- technical, physical, and administrative -- to safeguard electronic protected health information (ePHI).
Under the security rule, covered entities are required to comply with various standards. They must be able to identify and address known or suspected security incidents, such as attempted unauthorized access to, or destruction of, ePHI. They are required to have audit controls in place to monitor ePHI network activity. They must also implement measures to ensure that only authorized individuals or programs can access ePHI, and ensure that the individual or entity attempting to access a system is authentic.
Overcoming HIPAA security hurdles
Complying with the security rule can be particularly challenging for multivendor radiology departments. The required standards for the security rule -- security incident procedures, audit controls, person or entity authentication, and access control -- are closely intertwined.
To effectively monitor and address security incidents, it is necessary to audit ePHI activity in the department. Auditing requires verification of everyone who is attempting to access the ePHI to ensure that only authorized users can access the information requested.
Meeting the standards can be difficult for multivendor radiology departments, as audit log data may or may not be transparent from one vendor to another. The audit logs generated in a multivendor radiology environment are typically in a proprietary format and contain different sets of information. Recording, searching, and reporting security incidents from incompatible logs can be costly and onerous, and result in information gaps.
Access control and user authentication mechanisms are typically nonexistent at some modalities in a department. Although PACS workstations may have such controls, other areas such as ultrasound, MRI, or CT may not. Security controls may be limited to simply locking a room and providing authorized staff with access to the equipment.
Many closed workstations, such as ultrasound systems, have no access control or authentication measures. These factors further complicate audit efforts, making it impossible to record who generated or accessed a patient's ePHI, when they did it, and what they did with the information.
How does a radiology administrator effectively report on security incidents, pulling information from existing audit logs while trying to fill in holes where equipment doesn't track user activity?
The key is to implement centralized auditing, user authentication, and access control across the department.
Putting the pieces together
Centralized auditing enables a radiology administrator to search common audit content from all equipment, regardless of the manufacturer, via a central database. Once the common denominator of required audit information has been established and implemented, the database can generate consistent reports on security incidents and other audit events. The automatic process saves an administrator considerable time, eliminating the need to sort through reams of data from various audit logs in an attempt to accurately document activity.
User authentication mechanisms serve to verify that the individual or entity attempting to access ePHI is the one claimed. Authentication is often achieved with a user identifier, such as a pass card and a confidential personal identification number.
In departments where some equipment doesn't require logging in, or where a single login serves multiple users, it is impossible to audit user-specific activity with any degree of accuracy. Adding authentication capabilities to the equipment enables audit messages to be generated for security events (such as attempted unauthorized access) and tagged to the appropriate user. The message is then sent to a central repository.
Access control capabilities ensure that only authorized users can access ePHI. Such capabilities and role-based permissions are controlled via a user database. Although locked doors and limited access within a department provide a certain level of physical security, these measures do nothing to track user-specific ePHI activity (such as a user attempting to access ePHI when it is not permitted by their role).
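As an added illustration of the centralized auditing described above (not code from the article, from IHE, or from any vendor), the following Python example normalizes two audit logs into one common record of who, when, what, which patient, and which node, then reports across them from a single database. The two log formats, the node names, the "shared" login, and the field set are constructed assumptions; the common record is not the IHE XML schema.

```python
import re
import sqlite3

# Constructed sample lines in two made-up proprietary formats (not real vendor output).
PACS_LOG = ["2004-11-20T08:14:02|jsmith|VIEW|MRN1001|OK",
            "2004-11-20T08:15:40|tlee|VIEW|MRN1002|DENIED"]
US_LOG = ["11/20/2004 08:20:11 user=shared action=export patient=MRN1001 result=success",
          "11/20/2004 08:21:05 user=shared action=delete patient=MRN1003 result=success"]

US_RE = re.compile(r"(\d\d)/(\d\d)/(\d{4}) (\S+) user=(\S+) action=(\S+) "
                   r"patient=(\S+) result=(\S+)$")

def parse_pacs(line):
    """Pipe-delimited format -> (node, when, who, what, patient, ok)."""
    ts, user, action, patient, result = line.split("|")
    return ("pacs-ws1", ts, user, action.lower(), patient, result == "OK")

def parse_us(line):
    """key=value format with US-style dates -> the same common record."""
    m = US_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable audit line: {line!r}")
    mo, day, yr, t, user, action, patient, result = m.groups()
    return ("us-room2", f"{yr}-{mo}-{day}T{t}", user, action, patient,
            result == "success")

def build_repository(sources):
    """Load every source into one table; sources is [(parser, lines), ...]."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE audit (node, ts, who, what, patient, ok)")
    for parser, lines in sources:
        db.executemany("INSERT INTO audit VALUES (?,?,?,?,?,?)",
                       [parser(line) for line in lines])
    return db

def denied_access(db):
    """Failed access attempts across all equipment, oldest first."""
    return db.execute("SELECT ts, node, who, patient FROM audit "
                      "WHERE ok = 0 ORDER BY ts").fetchall()

def unattributed(db, shared_login="shared"):
    """Events that cannot be tied to one person because the login is shared."""
    return db.execute("SELECT ts, node, what, patient FROM audit "
                      "WHERE who = ? ORDER BY ts", (shared_login,)).fetchall()

def activity_for(db, patient):
    """Who touched one patient's ePHI, on which node, and what they did."""
    return db.execute("SELECT ts, node, who, what FROM audit "
                      "WHERE patient = ? ORDER BY ts", (patient,)).fetchall()
```

Calling build_repository([(parse_pacs, PACS_LOG), (parse_us, US_LOG)]) and then unattributed() surfaces the export and delete events on the ultrasound node that no report can attribute to an individual, which is the gap that adding authentication at the modality closes.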
Implementation
The security rule preamble encourages professional associations to establish compliance guidelines to help organizations implement technical safeguards. Examples of such guidelines include the Basic Security Integration Profile (BSIP) from Integrating the Healthcare Enterprise (IHE) and its successor, the Audit Trail and Node Authentication (ATNA) profile, which is currently under trial implementation. The IHE BSIP is found in the IHE Technical Frameworks, Vol. 1, Integration Profiles, section 10. The ATNA profile is available from the same source.
IHE, jointly sponsored by the Radiological Society of North America (RSNA) and the Health Information and Management Systems Society (HIMSS), developed the BSIP as a technical implementation specification to assist organizations with security compliance. The BSIP provides implementation tools that are useful for enterprises working to comply with privacy and security regulations, including HIPAA.
"The Basic Security Profile establishes security measures which, together with the Security Policy and Procedures of the enterprise, provide patient information confidentiality, integrity, and user accountability," the IHE wrote.
Healthcare organizations and their vendors can look to the BSIP, or other guidelines, to assist with security rule compliance. There are also comprehensive, vendor-independent solutions available that follow IHE guidelines to help facilities with compliance efforts.
IHE Basic Security Integration Profile
IHE describes implementation requirements in detail so that healthcare imaging and information systems vendors can support industry conformance. The BSIP focuses on four goals: user accountability, access control, centralized auditing, and ePHI data integrity. In support of these goals, it provides details for implementing user authentication, node authentication, and audit-record generation capabilities.
The BSIP identifies an extensible markup language (XML) schema for audit record content. To assist with generating audit records, it provides audit triggers for security-related events such as instances deleted. Audit messages for the identified triggers are to be generated in XML format, and stored in a central repository.
Bringing vendors on board
Although centralized auditing is recommended by IHE and is the most practical solution, many vendors have not yet adopted the IHE-specified XML audit schema to support it. These vendors typically include some level of auditing support in their products, but not to the extent necessary for comprehensive HIPAA security event reporting.
Radiology professionals should encourage suppliers to:
- Modify the audit log format in new equipment to send the industry-accepted IHE XML schema from all equipment that generates and accesses ePHI.
- Equip legacy equipment with access control, user authentication, and auditing capabilities.
- Provide a central repository to record, search, and report security incidents and activity from the equipment.
These measures will enable robust auditing capabilities for the upcoming security rule requirements, for other compliance efforts, and for general best practices.
By Terry Callahan and Christine Callahan
AuntMinnie.com contributing writers
November 26, 2004
HIPAAT is a Mississauga, Ontario-based firm that offers technology-based solutions to meet the healthcare industry's privacy and security compliance challenges. For further information, HIPAAT can be contacted at (905) 405-6299 or via the Web at www.hipaat.com.
Copyright © 2004 HIPAAT