HITECH Compliance: IBM's Lauren Kovach
In an interview, Kovach advises hospitals and clinics to:
- Amend existing business associate contracts to include the latest HITECH provisions, which require business associates to report breaches to their healthcare partners;
- Prepare for upcoming federal HIPAA compliance audits by conducting "pre-audits" to identify and address problem areas;
- Update their risk assessments at least annually or when acquiring new applications; and
- Use encryption as one of many components of a broad risk management strategy.
Kovach, who is responsible for business security solutions for IBM, has more than 26 years of systems integration and security services experience.
HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. We are talking today with Lauren Kovach of IBM Security Services, where she is responsible for business security solutions. Thanks for joining us today, Lauren.
LAUREN KOVACH: Thanks, Howard.
ANDERSON: Chief information security officers are now tackling the task of complying with the beefed-up HIPAA privacy and security regulations under the HITECH Act. What specific steps should hospitals and clinics be taking to comply with the HITECH breach notification rule?
KOVACH: Well, first I would like to begin with just a little bit of background.... The Healthcare Information Technology for Economic and Clinical Health Act is what is known as the HITECH Act, and it is part of the larger American Recovery and Reinvestment Act, which is sometimes referred to as ARRA, which was the whole stimulus package that was put out there about a year ago. It was enacted Feb. 17, 2009, and most of the provisions became effective this February, so that is why we are seeing a lot of interest in that right now.
The changes included are significant in that, for the first time, they start to begin to define terms like privacy and breach notification. And HITECH also expands coverage (for breach notifications) to businesses that are associated with healthcare organizations....
The first step that hospitals and clinics would need to take is to review their enacted policies and compare them against what is the new legislation. You can't really know how to improve unless you take a hard look at what you currently have: not only what is documented but what is the understanding of the people as far as what does it entail. One of the most frequently overlooked components in complying with this is that you could have these great documents, but if everybody doesn't really understand what the intent is, that can kind of be your weakest link in terms of security.
With a few exceptions, the notifications on these breaches must be made to individuals, the media and regulators within 60 days of discovery of that actual or suspected breach if over 500 people are affected.
ANDERSON: Business associates now must report breaches to their partners who are covered entities, such as hospitals and clinics. How should covered entities make sure that their associates fully understand the breach notification requirements? Should they rewrite their business associate contracts to spell out security provisions in more detail?
KOVACH: Business associates, again for those that may not know, are defined as any entity that has an ongoing business relationship with a covered healthcare organization.... HHS has issued guidance to help organizations understand all of these new responsibilities....
So covered healthcare organizations really do need to ensure that their business associates understand the changes and that their policies are amended to meet those new mandates. Amending existing contracts is really a great way to communicate exactly what the new changes are and formalize that information.
ANDERSON: Are there specific questions that hospitals and clinics should be asking their business associates regarding how they are preparing to handle breach notification reporting?
KOVACH: You just want to start with educating them and then take a look at what their policies and practices are...and can you be assured that all of these are going to find their way into their business practices.
ANDERSON: Soon the federal Office for Civil Rights within HHS will be ramping up its audits of organizations to check for compliance with the HIPAA privacy and security rules. What is the best way to prepare for such an audit?
KOVACH: Well, in my experience, the best way to prepare for any kind of an audit is to do a pre-audit of yourself, so that way you really take a good, hard look while nobody else is really recording the results. We have used this quite often. For instance, we used this approach when PCI credit regulations came out just a few years ago and everybody was trying to figure out what the credit card folks were looking for and, of course, they had mandatory audits. It's just a great tool to go through a pre-audit...to really get your hands around where are your documents on all of this, pulling in all of the right people, looking at your business not only from the IT aspect but from the personnel, the policies, and even the physical aspects of security.
Once you have pulled all of these together, consider getting a third-party security professional to come in and give you an unbiased look; someone who is very knowledgeable about security, but also about healthcare. Then consider how you would fare in an audit and start to identify where any gaps are and work out a plan as to how you close the gaps.
ANDERSON: The new breach notification rule includes a safe harbor stating that organizations that encrypt data using a specific method don't have to report major breaches. So what is your advice on how widely hospitals and clinics should apply encryption?
KOVACH: Healthcare organizations really do need to protect the integrity of both the patient's personal as well as their financial data, and encryption can be a really powerful tool in that effort. Used in conjunction with other security measures, encryption is really important. There is no such thing as a silver bullet when it comes to security, but encryption can definitely protect sensitive data both at rest and in motion. So this type of security is particularly important, and it is strategic for endpoints (laptops for example) or removable media. We see a lot of those flash drives, for instance, being of great concern to folks today, and encryption, again, is a very powerful tool there.... But encryption definitely needs to be part of a larger effort.
ANDERSON: Speaking of larger efforts, in addition to focusing on compliance issues, what other advice would you offer to hospitals and clinics in terms of taking a broader risk management approach, and how often should a risk analysis be conducted?
KOVACH: Well, when healthcare organizations start to think about their risks, their concerns, of course, go way beyond what is happening today with just the data center or the IT department. Managing risk is getting to be a larger, business-oriented issue, and it means protecting the business itself.
So to have an effective risk management program, IT managers need to create a program that is integrated into the business to make sure that it goes beyond just the pencil exercise and the compliance, but that you really have a strong security structure. The first thing you want to do is establish a baseline. You can't really improve security until you know where you are today.... Once you have done that baseline and you have moved forward in terms of closing security gaps, I would recommend that risk assessments be conducted at least annually, and that new risk assessments also be triggered if you have had any sort of a major event, maybe a merger, maybe a new application that you have installed. Any of these things, of course, can open up a hole in terms of your security, so it is very important to go back in and recheck.
And your risk assessments...need to be both internal as well as external. So you are looking at things that would be an entryway to a hacker and using things like an application penetration test or a web penetration test. All of those tell you what somebody could potentially get at from the outside. And then internally, you are looking at factors like policies and privileged users....
ANDERSON: What is the best way to win the support of the board of directors and senior management for ramped up risk management efforts aimed at keeping patient health information private and secure?
KOVACH: Well, that is a great question and one that sometimes people don't think about until much later. The best way is first to educate them on both the potential risks for noncompliance as well as sharing with them the results of an internal/external risk assessment.
Consider bringing in an outside professional, somebody who can give an unbiased look as far as how they match up against others within the industry.... The final step in the process is to...maybe even outline some budget areas so that they understand just what this is going to entail further out.
ANDERSON: Okay, thanks very much, Lauren. We have been talking to Lauren Kovach of IBM. This is Howard Anderson of Information Security Media Group.