Information Security News mailing list archives

Do no harm: HIPAA's role in preventing ID theft


From: InfoSec News <isn () c4i org>
Date: Mon, 16 Jun 2003 04:13:42 -0500 (CDT)

http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,82051,00.html

By Marne Gordan
JUNE 12, 2003
Computerworld 

With the Health Insurance Portability and Accountability Act (HIPAA)
privacy deadline recently passed, most health care providers and plan
companies are preparing to implement the final rule for security.
While many of these organizations are focused on the lack of budgetary
and staff resources necessary to fulfill another unfunded federal
mandate, most have lost sight of why this level of protection is
necessary.

As organizations (known in the legal jargon as "covered entities")
begin their risk assessments and risk management planning, it's
important to remember one of the key principles of the regulations:
patient protection. The standard clearly states that the
organization must ensure the confidentiality, integrity and
availability of protected health information (PHI) and safeguard it
from threats, hazards and unauthorized disclosure, but the act
neglects to underscore why it's important to do so.

PHI comprises the patient's most personal information: the health
records and data files that typically include name, address, Social
Security number and a combination of the following:

* Insurance information

* Payment information

* Past and present medical condition(s)

* Past and present treatments

* A variety of other individually identifiable health or personal
  information

Although not expressly stated in the privacy or security rules, HIPAA
establishes that PHI is primarily the patient's personal property and
not a corporate asset of the regulated organizations. Corporations are
therefore required by law to take precautions to protect the privacy
of patient information whenever it's used, from back-office
transactions to personal patient interactions.


Where's the harm?

Previously, industry experts have focused on harm at the individual
level, in other words, the PHI of a single patient being compromised
and made public to the specific detriment of that person.

For example, in 1998, an Atlanta truck driver lost his job after his
employer learned from his insurance company that he had sought
treatment for a drinking problem. In another example, an employee was
automatically enrolled in a mandatory "depression program" by her
employer, Motorola Inc., after her prescription drugs management
company reported that she was taking antidepressants. These cases tend
to generate sympathy from the general public, but it's frequently an
uphill battle for a victim of such exposure to prove substantial harm
in the courts and trace the source of that exposure directly back to
the health care organization.

Harm to the individual can range from simple embarrassment all the way
to financial hardship. The primary source of harm to the individual
actually exists at the aggregate level, in databases that contain the
files of hundreds or thousands of patients. These databases are
commonly held by hospitals, midsize and large health plans, billing
organizations, data warehouses, records storage facilities and even
some application service providers.

Although some industry experts tend to disagree, these covered
entities are appealing targets for identity theft, the fastest growing
crime in the U.S. today. While not as obvious or attractive a target
as financial services or e-commerce companies, these covered entities
represent a significant opportunity for enterprising thieves, by
virtue of the data that they process and store.

For example, if a large biller's database were hacked and the PHI
stolen, criminals could have access to insurance information, credit
card information and the Rosetta stone for identity thieves, Social
Security numbers. If such a case were to come to court, a plaintiff's
attorney could easily prove to a judge and jury that substantial harm
was inflicted upon the individuals whose identities were stolen, and
the organization's security controls at the time of the breach would
definitely be called into question.

Others find covered entities equally attractive, but for different
reasons. Unlike identity theft, where financial gain is the motive,
the fact that HIPAA privacy and security standards are seen as a
challenge to some hackers makes the health care industry a target.
These are the "altruistic" independent hackers and hacker groups, such
as Deceptive Duo, S4t4n1c_S0uls and The Bugz, who feel it's their
sacred duty to exploit and publicly expose weaknesses in the
infrastructure of various industries, or deficiencies in federal
security mandates.

This was precisely the nature of the hack at the University of
Washington Medical Center in Seattle in December 2000. A
hacker going by the name "Kane" allegedly gained access to the medical
center's network through the affiliated university network and was
able to steal 4,000 patient records containing PHI including patients'
dates of birth, Social Security numbers, height and weight and recent
medical procedures. Kane turned these records over to online
journalist Kevin Poulsen because he wanted to perform a public service
by exposing the security risks at the medical center. Kane denied
intent to sell or otherwise misuse any of the data that he had
captured.

In their zeal to "improve security" by exposing corporate weakness,
these hackers disregard any damage that may be done to an individual
whose personal information is made public. Once information is posted
to a Web site, there is virtually no way to retrieve it; it then
becomes open season on the patients and their data. Understanding the
potential threat of attack may assist some covered entities in
refining their risk assessments and risk management plans.


Implementation: some rules of thumb

When selecting controls for HIPAA security requirements, organizations
need to understand that the most expensive controls aren't always the
best for the job, and the most affordable control measures aren't
always the weakest. Often, a series of layered security controls,
working together synergistically, may provide maximum protection
without breaking the organization's budget.

In securing the data center, for example, rather than implementing a
single biometric control (retinal scan, palm-print reader, etc.), the
organization may realize more benefit from implementing a key-card
scheme that logs ingress and egress, supplemented with security
cameras at the data center doors. These two less costly measures
complement each other, and the organization isn't relying on a single
point of failure as a security control.

In addition, whether selecting individual control measures, writing
policies or reviewing standard operating procedures, the members of a
company's HIPAA implementation team should step back and imagine that
their own PHI resides within the environment. It's a simple exercise,
but it often puts cost/benefit issues into perspective. Treating the
PHI as if it were their own may also ease the temptation to cut
corners for the sake of the IT budget and ensure that the organization
selects control measures that will provide the most suitable
protection to their systems, services and data.


Marne Gordan is director of regulatory affairs at TruSecure Corp. in
Herndon, Va., and an expert on security regulatory and compliance
issues, including HIPAA and the Gramm-Leach-Bliley Act. She can be
reached at mgordan () trusecure com.



-
ISN is currently hosted by Attrition.org


