Outsourcing for Privacy and eSecurity
From the moment of his 1999 signature approving two-thirds of the proposed HIPAA regulations, President Clinton tossed the healthcare industry a hot potato.
The Health Insurance Portability and Accountability Act (HIPAA), passed by the 104th U.S. Congress in 1996 was created primarily to preserve the portability of health insurance coverage for people who are chronically ill or who lose their jobs and group insurance. The Act tasked the secretary of Health and Human Services (HHS) with adopting national security standards for electronic transmission of healthcare transactions. Clinton's approval in 1999 also extended HIPAA's control beyond electronic transactions to include oral information and records on paper.
So now the industry is forced to start changing the way it was doing business. The regs require provider and payer organizations to implement tight control over who has access to patient information at all times. To handle access problems, options being considered by many healthcare organizations include biometric devices, such as a thumbprint reader or iris scanner. Documents that are transmitted over an open network (such as the Internet) will need to be encrypted; and, if an electronic signature is used, it will need to be a digital signature for authentication. "It's a big problem, and everybody is aware of it," says Lynn McNulty, an independent Certified Information Systems Security Professional. "The balance between what the individual citizen would like in the area of privacy, compared to what the industry would accept in terms of how it impacts business, has not yet been found."
But there's still time to try to find that balance. As McNulty points out, "The final regs haven't really come down on the table yet." The security and transaction regs have yet to be issued, and HHS recently reopened the comment period on the privacy regs for another 30 days. "With the change in administration, I think that the people on the industry side may be looking to a way to get a friendlier type of regulatory regime than would have existed if Mr. Gore had been elected," posits McNulty. After all, Congress recently overturned the Democratic administration's ergonomic regulations.
Elaine Treacy, director of vertical marketing for Baltimore Technologies, has noticed an increasing number of industry people beginning to be more and more aware of HIPAA. Hospitals are taking the lead, she says. To some extent, that's because they were already seeing the possibilities of the Internet as a means of cost-effective services for their patients; but they didn't want to be exposed to the risks of transmitting private patient information.
She is concerned that many healthcare organizations have not begun formulating their plans for compliance. "They at least need to be budgeting for purchasing solutions now so that they will have them in by next year," she warns. "As a matter of urgency, they need to begin protecting access to the information that is held in medical records. Implementation of HIPAA's standards is required within two years after enactment."
Roger Sudduth says his company, Internosis, works with clients all along the spectrum of privacy policies. One client - a hospital - currently has a good security policy in place. The hospital, he says, won't be too heavily impacted by the structural changes of HIPAA compliance. Another client has a security policy, but it's not followed. HIPAA compliance for that client will be a "fairly big step from where they are today," he says.
HIPPA is going to happen. That fact, believes Roger Sudduth, client solutions architect for security/HIPAA, at Internosis, "is a very compelling point. It should give organizations sufficient anxiety to look at where they are and what is likely to be needed and then be working toward that. That's particularly the case if they are thinking about a technology upgrade or a change in their operating systems, network architecture."
An award-winning Microsoft Gold Certified Partner for Enterprise Systems, Internosis has developed a full-service approach to meeting HIPAA standards. It starts with a Readiness Assessment, which is a standard piece of the outsourcer's infrastructure practice. Although the HIPAA regs are not yet finalized, Internosis understands the draft regs and best practices. Examining about two dozen areas during assessment, the company can give its clients a preview of where their key security vulnerabilities are. The assessment is then followed by recommendations (Design and Planning Phase) and then helping the client to meet its objectives in the Implementation/Integration Phase.
Security capabilities are the expertise of Internosis, and its clients depend on the outsourcer when they undertake migration from one operating system or application to another or when their networks need improving. What security does the new product have? Does the migration make sense? And, now, the additional assessment: What may be required because of the final version of HIPAA? "With the Readiness Assessment, clients can start migrating down the path toward compliance - as opposed to moving away from compliance and having to correct course a couple of years later," McNulty advises.
What About Third Parties?
Independent security consultant McNulty believes that, although the proposed provision making third-party beneficiaries liable for privacy breaches was rolled back, "When you interconnect systems, you are still going to need some contractual clauses that mandate third parties to follow certain security procedures. There should be some sort of a compliance review to make sure they are at a certain level and follow those practices."
Security inherently increases the architecture, Sudduth points out. "So the security issue is about risk management, risk containment, risk avoidance. Only when organizations get concerned that something may be happening that's to their detriment do they call us and start talking about security. If you address security up-front with the architecture, we can devise some very simple things that will provide some inherent protection of the data using the native capabilities of the applications and the operating systems. That's difficult to do after the fact." It's also expensive to add security later on. Up-front, security is an enabling technology; after the fact, one can run into problems.
Besides HIPAA security, Internosis handles eCommerce, customer relationship management and knowledge management. The outsourcer's Microsoft customers have the huge advantage of predictable outcomes in migration and security measures because of the company's proven process.
eSecurity in Baltimore
Baltimore Technologies, an eSecurity provider since 1996, is renowned for its public key infrastructure (PKI) products such as digital certificates and digital signatures. Digital solutions for electronic transmission of data for its 10,000+ clients were necessary to help them reach new customers and reduce operating costs via the Internet. HIPAA demands that patients' personally identifying information be protected from unauthorized disclosure and also from alteration in route or storage. Baltimore's "Mailsweeper" and "Secretsweeper" products allow clients to encrypt and protect the privacy of information flowing through a network from one organization to another; and several healthcare organizations are successfully using it.
But HIPAA's proposed regs have placed the challenges of accountability and access control to patient information onto the shoulders of healthcare organizations. HIPAA is about 80 percent process and 20 percent technology, and Baltimore is at the forefront of designing new technology solutions. "We have an exciting new product that we really believe will be a leader in the healthcare sector," says Treacy. "It will control user access to the information and make sure that only the people who are authorized will actually get access to it."
Baltimore's "Select Access" secures access to all medical records, financial information on patients, lab results, etc. It will make sure the person logging on is authorized to log on, based on user profile or rules the IT administrator has been given regarding various personnel. Select Access is currently being implemented in several clients' organizations. Users find it intuitive, and implementation takes about two weeks. Treacy advises IT administrators to first determine corporate policy and decide who has access to what information, before deploying Select Access. This enables the administrator to set up the security policy management quickly and secure the entire network from a single point.
Healthcare providers are among the early adopters of wireless technology, and many physicians already use wireless devices to transmit prescription information and access patient information or research. Baltimore has been working with wireless device manufacturers to put digital certificates and digital certificate technology onto the devices and has been modifying its own server and technology so that it can link to wireless devices. Peter Doyle, vice president of marketing, says the wireless products can be purchased or accessed through Baltimore's outsourcing service partners.
That's one of the models Baltimore presents: buy the product and do it yourself. The other, more efficient, way is to outsource it. The high-tech company hosts eSecurity infrastructure and offers that hosting option to clients as a key part of its proposition. Clients don't need to invest in the enormous expense of building a center; Baltimore has them set up and ready in Sydney, Australia; Dublin, Ireland; Boston, Massachusetts; Japan; and one in the United Kingdom. The outsourcer is flexible and enables clients to take a piece of the process in-house if they desire control over an element of the process. For instance, at the center in Australia, Baltimore signs certificates of the people who actually register, but the actual registration of medical practitioners is distributed out to the national healthcare system.
Heavily involved in a project with the Massachusetts Health Data Consortium to test the interoperability of various vendors' products for the secure transmission of email, Baltimore's expertise in the healthcare sector is a valuable asset. Doyle says the outsourcer has "rolled out major healthcare projects across the globe" and has the experience and expertise to know how to meet the special requirements of the healthcare sector and HIPAA compliance.
Organizations that use the services of Internosis and Baltimore Technologies up-front in their eSecurity initiatives find HIPAA mandates less daunting!