New HIPAA rules portend sweeping changes in medical data security

Compliance with the Health Insurance Portability and Accountability Act (HIPAA) will bring major expenses for healthcare providers, but could also be a business boon for information technology vendors, according to a prominent PACS expert.

Speaking at this month’s Symposium for Computer Applications in Radiology, Samuel Dwyer, PhD, of the University of Virginia radiology department, said HIPAA's impact in the U.S. will reflect the enormous number of organizations that must comply. "We're dealing with about 1.2 million healthcare providers, and more than four million health plans," he said. Complying with its data security requirements will cost the average radiology department about $310,000 a year, he said.

Beginning this fall, healthcare organizations across the U.S. will have two to three years to implement the wide-ranging federal legislation. An outgrowth of the Clinton administration's 1993 healthcare reform efforts, HIPAA was passed in 1996 in order to improve access to health insurance, cut fraud and abuse, and lower healthcare costs through administrative simplification.

The latter goal has engendered tough new standards for storing, accessing, and transmitting medical data, with far-reaching implications for radiologists and imaging vendors. The new rules will apply broadly -- to any health plan, clearinghouse, or provider that processes or maintains any health information used in an electronic transmission.

HIPAA's data privacy requirements effectively mandate the development of a national key for encryption and decryption of such information, and identifiers to facilitate a standardized electronic medical record. Both Internet and intranet security are required under the plan, which covers both image data (PACS) and patient medical data (HIS-RIS).

HIPAA contains five major sections, Dwyer said, each designed to safeguard the "integrity, confidentiality, and availability" of medical data, including:

  • Administrative procedures
  • Physical safeguards
  • Technical security services
  • Technical security mechanisms
  • Electronic signatures

Data encryption is the only practical way to ensure security, Dwyer said, which means all patient data will need to be encrypted before it’s transmitted, using techniques such as public key cryptography combined with a digital signature.

Administrative procedures

Administrative requirements begin with certifying all users of a healthcare information technology network, Dwyer said. A "chain-of-trust partner agreement" ensures that every person who handles the information is certified to receive it, he said. The provider must also have a contingency plan for data-loss events. There must be a formal mechanism for records processing and access control, and internal audits to verify that planned security procedures are taking place.

Physical safeguards

Physical data safeguards include security personnel, locked doors, and other physical barriers between healthcare data and unauthorized users, Dwyer said. Other physical access controls include need-to-know rules for personnel access, visitor sign-in and escort procedures, equipment control, and procedures to verify authorization prior to physical access.

Equipment access can require anything from a password to biometric authorization, such as matching a stored image of the user's retina or hand. However, every method has its strengths and drawbacks. For example, access based on weight proved problematic when users would return from a big lunch to find they could no longer log into their workstations, Dwyer said.

Technical security services and mechanisms

Technical security services include role- or user-based access, data authentication, and entity authentication procedures such as automatic logoff, biometric controls, PINs and passwords, and telephone callback schemes, among others.

Technical mechanisms also guard against unauthorized access via alarms, audit trails, encryption, entity authentication, abnormal-event reporting, integrity controls, and message authentication.
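The article says patient data should be encrypted before transmission using public key cryptography combined with a digital signature, and lists encryption, integrity controls and message authentication among the technical mechanisms. The following Go program is an added example, not code from the article or from any HIPAA-related project, showing how those pieces fit together for one record: a fresh AES-256-GCM key encrypts the record and provides the integrity tag, RSA-OAEP wraps that key for the recipient, and an RSA-PSS signature from the sender binds the whole envelope so the recipient checks origin and integrity before decrypting. The party names (a sending radiology department and a receiving physician) and the sample record are constructed for the demo; only the Go standard library is used.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the unit that crosses the network. The record is encrypted under
// a one-time AES-256-GCM key, that key is wrapped for the recipient with
// RSA-OAEP, and the sender's RSA-PSS signature covers the other three fields
// so origin and integrity are verified before anything is decrypted.
type Envelope struct {
	WrappedKey []byte // AES key encrypted to the recipient's public key (256 bytes)
	Nonce      []byte // GCM nonce (12 bytes)
	Ciphertext []byte // record encrypted with AES-GCM, GCM tag appended
	Signature  []byte // sender's RSA-PSS signature over the fields above
}

// NewKeyPair generates a 2048-bit RSA key pair; each party in the demo gets one.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// signedDigest hashes the fields the signature protects. The first two fields
// have fixed lengths for this key size, so plain concatenation is unambiguous.
func signedDigest(e *Envelope) []byte {
	h := sha256.New()
	h.Write(e.WrappedKey)
	h.Write(e.Nonce)
	h.Write(e.Ciphertext)
	return h.Sum(nil)
}

// Seal encrypts record for recipientPub and signs the envelope with senderPriv.
func Seal(record []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	key := make([]byte, 32) // fresh AES-256 key used for this record only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	env := &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, record, nil)}
	env.Signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, signedDigest(env), nil)
	if err != nil {
		return nil, err
	}
	return env, nil
}

// Open checks the sender's signature first, then unwraps the key and decrypts.
// Any alteration of the envelope is rejected at the signature check; the GCM
// tag check on the ciphertext is a second, independent integrity control.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, signedDigest(env), env.Signature, nil); err != nil {
		return nil, fmt.Errorf("envelope rejected, signature does not verify: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	radiology, _ := NewKeyPair() // constructed: sending department
	physician, _ := NewKeyPair() // constructed: referring physician
	record := []byte("MRN 000123 | constructed sample report: no acute findings")
	env, err := Seal(record, radiology, &physician.PublicKey)
	if err != nil {
		panic(err)
	}
	got, err := Open(env, physician, &radiology.PublicKey)
	fmt.Printf("recovered: %s (err=%v)\n", got, err)
	env.Ciphertext[0] ^= 0x01 // simulate a one-bit change in transit
	_, err = Open(env, physician, &radiology.PublicKey)
	fmt.Println("after tampering:", err)
}
```

The signature is checked before decryption so that an envelope from an unexpected sender, or one altered in transit, is rejected without ever exposing the wrapped key to the decryption path; the per-record AES key means the RSA keys never encrypt bulk data directly.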

Other issues

Even after the HIPAA final rules are published in late summer or early fall (Title 45 Part 142, Code of Federal Regulations), the work needed to fully implement them will be far from complete. Several organizations are still developing data security standards needed for implementation, Dwyer said. These include the Digital Imaging and Communications in Medicine (DICOM) standards committee.

In addition, the CPRI-HOST consortium is working with the National Information Assurance Partnership and others to develop common criteria and protection profiles. The National Institute of Standards and Technology in Gaithersburg, MD, is developing common criteria to describe the security requirements and profiles to measure system security in healthcare organizations.

Congressional hearings were held this month to address security for medical data moving across the Internet. Several industry leaders have testified about the solutions needed in light of HIPAA; by all estimates it will be expensive.

"Medicaid has estimated a cost of $1 million per state to implement the requirements," Dwyer said. Two new full-time personnel will be needed in the average institutional radiology department. With software, hardware, and consultant costs, the total annual bill comes to about $310,000 for a department.

As soon as a facility connects to the Internet, "it opens a whole new can of worms," Dwyer said. New security components must be added, software protected, hardware secured, and firewalls built. Many medical centers circumvent the whole issue by hiring external providers who guarantee security as part of their service, Dwyer said.

Firewalls reduce risk to network servers by filtering services, providing access control, and watching for viruses spread via e-mail. The importance of virus monitoring cannot be overemphasized in the wake of the recent ILOVEYOU and Melissa virus fiascoes, Dwyer said.

Institutions need to be flexible in applying security measures, he said. It’s important to get the support of workers, and avoid having security procedures get in the way of work. But a lack of security can be even more serious, Dwyer noted, citing the case of a healthcare services employee who brought her 15-year-old to work one day.

"Her daughter was a computer wizard who was able to look up all the patient names and arrange to send them letters saying they had AIDS," he said.

By Eric Barnes
AuntMinnie.com staff writer
June 27, 2000

Related Reading

HIPAA survival manual available on the Web, June 19, 2000

HIS executives to focus on HIPAA, e-health, April 10, 2000
