It's not an uncommon scenario. A frantic manager learns via security audit that the company is non-compliant with HIPAA as it relates to handling EPHI — Electronic Protected Health Information. "But we JUST bought a new firewall that does Intrusion Prevention and VPN, so we should have been OK... right?" The answer is, "Maybe and maybe not." Below are key areas of the HIPAA regulation that have to do with perimeter and desktop-based security systems, including the exact text of the HIPAA regulation and a security/IT interpretation, followed by thoughts on how to determine if your network security infrastructure is helping --or hurting-- your chances for a clean HIPAA audit.
Administrative Safeguards (Section 164.308)
164.308(a)(5)(ii)(B) - Protection From Malicious Software
HIPAA Text: "[Organization must have] procedures for guarding against, detecting and reporting malicious software."
There are many forms of malicious software that can impact data and networking systems. Viruses, Worms and Trojans are the most prolific threats and are usually introduced via infected email attachments. Newer threats such as SQL injection attacks and even Spyware can affect data and systems. To protect against the predominant delivery mechanisms of malicious software, the security schema must provide: (1) Virus and Worm protection through Gateway and Desktop Anti-virus systems; (2) Trojan identification and mitigation, as well as FTP, IM and P2P threat mitigation through Intrusion Prevention (IPS) systems; and (3) Web Content Filtering to prevent malware delivered over the web (e.g. ports 80/443).
Security Safeguards (Section 164.312)
164.312(a)(1) - Access Control
"Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4)"
A helpful tool for enforcing information access is Email Content Filtering where an administrator enters keywords or regular expressions that would allow outgoing emails to be scanned for signs of inappropriate content. For example, scan for patient ID information by searching on "*PAT-[0-7]*-****" and scan all outbound non-encrypted emails that would otherwise inappropriately send out confidential, HIPAA-protected content.
164.312(a)(2)(iv) - Encryption and Decryption
"Implement a mechanism to encrypt and decrypt electronic protected health information."
This aims to prevent unauthorized users from accessing PHI. Any time PHI is sent outside of the boundaries of the network, it must be encrypted using a strong encryption methodology such as that defined by IPSec (which uses 3DES or AES encryption). SSL (which uses 3DES encryption) is a fine solution for application-layer encryption, but it does nothing to protect the transport layers (IPSec does this).
164.312(b) - Audit Controls
"Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."
It is important to be able to audit data records and make corrections. Because documentation lies at the heart of the HIPAA rules, one could say "if you can't log it, you can't document it." Any detailed security/IT audit begins with the log files. While audit reports are important, the security appliance is also a necessary tool for capturing critical event data that support and feed into security audits.
164.312(c)(2) - Mechanism to Authenticate EPHI
"Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner."
This standard applies to data transmitted internally and externally. Unfortunately, there are many "degrees of solution" to meet this standard, ranging from simple file checksums and use of digital signatures in email, to full anomaly detection and file protection programs. By implementing Intrusion Prevention, Email Anti-Virus and Anti-Spyware in addition to use of digital signatures for email, the standard should be easily met.
164.312(e)(2)(i) - Integrity Controls
"Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of."
This is a critical standard of HIPAA. Because there are many ways of transmitting data, each must be addressed individually.
- For E-mail, the Email Content Filtering application described in "164.312(a)(1) - Access Control" will help prevent protected data from leaving the network.
- For Instant Messaging and P2P, most Intrusion Prevention applications provide simple mechanisms for turning off access to these applications.
- For FTP or other protocols, it is critical that a filtering application be in place that intercepts (or 'proxies') all transmissions to ensure that they are well-formed and sent/received by legitimate parties.
164.312(e)(2)(ii) - Encryption
"Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate."
This functionality was described fully in the "164.312(a)(2)(iv) - Encryption and Decryption" section above.
When considering how the perimeter network security appliance can help ensure HIPAA compliance, a few clear trends emerge. First, there needs to be core Firewall and IPSec VPN functionality, where the VPN provides strong encryption and authentication functionality for data in transit. Second, there needs to be strong email controls in the form of Anti-Spam (which will reduce risk due to Phishing attacks) and Email Content Filtering (which will help prevent protected data from inadvertently being sent outside the network). Third, both Desktop and Gateway Anti-Virus systems must be in place to prevent Viruses and Worms from altering and/or destroying data. Fourth, a Web Filtering application should be in place to prevent users from accessing known Spyware and hacker sites, and also to monitor and enforce employee Internet usage. Finally, an IPS must be in place that protects against Trojans, FTP threats, and that enforces access to risky IM and peer-to-peer file-sharing applications.
With HIPAA, the penalties can be steep, so indeed "an ounce of prevention is worth a pound of cure." The problem is that not all security solutions are created equal. The prudent IT manager needs to ask a lot of questions of their vendors. This article should serve as a simple guide.
Scott Lukes is vice president of marketing and product management, Broomfield, Colo.-based eSoft Inc.
