
Everything You Needed to Know About HIPAA Security You Learned as a Child!
Written by Terri B. Stamm, Director Quality & Compliance, NovoLogix, Inc.
ClipArt available at Microsoft Office ClipArt Gallery
© 2008


It’s amazing how many stories are in the news lately about security breaches in healthcare. Thousands of patient records have been put at risk by stolen laptops, unauthorized access to restricted areas, and other lapses in common sense. The HIPAA Security Rule requires some basic safeguards for electronic protected health information, also referred to as e-PHI. As an employee, you play a critical role in the company’s security program. This training document provides an overview of the HIPAA Security Rule and explains how easy it really is for you to comply.

The Security Rule provides basic standards for protecting e-PHI and organizes
these standards into three main categories:

1. Administrative Safeguards – policies, procedures, training, awareness, and preparedness.
2. Physical Safeguards – physical protection of e-PHI.
3. Technical Safeguards – technology-based practices for protecting e-PHI as it is stored or transmitted electronically.

You’ve probably read stories as a child that taught you everything you
needed to know to comply with the HIPAA Security Rule. Let me explain.

ADMINISTRATIVE SAFEGUARDS

1. Security Management Process

a. Risk Analysis
b. Risk Management

This is a basic standard that we have been practicing since we were children. Remember what your mother always told you? “Look both ways before you cross the street.” Well, that is the basic principle of any risk assessment: check for potential danger. What would you do if it was a busy street? Use the crosswalk. That’s risk management in a nutshell. For HIPAA Security, an organization is required to “look both ways before crossing the street”: identify all the potential dangers that could jeopardize the confidentiality, integrity, and availability of e-PHI, and judge how likely and how damaging each one is. Once the risks are identified, “use the crosswalk.” Implement policies, procedures, and systems that avoid, eliminate, or manage the risks that pose a threat to the security of e-PHI.

Remember, you never quit “looking both ways,” because risks never really go away; they change from time to time. Just as when you were a kid, it didn’t matter which street you planned to cross or who was with you; you always looked both ways before you crossed the street and chose the safest route, such as the crosswalk. A formal, organization-wide risk assessment might occur on an annual basis, but you should always be watching for potential hazards and threats. If you identify a potential risk, notify your supervisor and the Security Officer.

c. Sanction Policy

Remember the story of the three little kittens that lost their mittens?
Well, that’s a sanctions policy. If you do something wrong, you won’t
get any pie. Should you violate the company’s security policies and
procedures, you will be disciplined, and the details of the sanctions
policy are in your employee handbook. However, the company applies
the practice found in the rest of the storybook. When the kittens found
their mittens, they were able to have some pie. The company
recognizes employees that do the right thing and help correct
deficiencies identified.

d. Information System Activity Review (Monitoring)

The HIPAA Security Rule requires regular review of records of activity in the systems that hold e-PHI, such as audit logs, access reports, and security incident reports. Just like moms who watch their kids on the playground to ensure they are playing safely on the equipment and nicely with the other kids, IT monitors your activities at work and users’ activities as they access our various systems and networks. Many electronic records have their own audit logs that track exactly who did what and when; those logs only protect anyone if someone actually reads them.

2. Assigned Security Responsibility (Security Officer)

As children, we often participated in role playing activities. Whether it was Cowboys and Indians, Pirates, School, Camelot, etc., there was usually someone in charge – the Sheriff, the Captain, the Teacher, the King or Queen. They got to make the rules and were responsible for making sure everyone playing followed them. That’s the Security Officer. He/she is responsible for making sure everyone in the company knows the rules and follows them.

3. Workforce Security

a. Authorization and/or Supervision

To comply with this standard, a company simply needs to have an
organizational structure in place that ensures supervision of employees
accessing e-PHI. Similar to the need for parents to monitor what their
kids watch on television or sites they visit on the Internet, supervisors
must ensure their staff is acting in a safe and compliant manner with e-
PHI.

b. Workforce Clearance Procedure

Employees need to have the correct level of access to do their jobs, while the company sets appropriate restrictions to safeguard e-PHI. If an employee cannot access a file that is necessary to do their job, the company may meet one standard of protecting e-PHI but has failed to meet this one, because the employee does not have an appropriate access level. However, if the company does not restrict employees’ access to e-PHI appropriately, it is putting the information at risk. An easy way to comply with this standard is to create access levels based on one’s assigned job description/position in the company, grant each person only what that position needs, and review the assignment whenever someone changes jobs.

c. Termination Procedure

Companies are required to have a procedure in place to terminate an employee’s access to e-PHI when the employee leaves the company, or when a change in role means the access is no longer needed. That means promptly disabling every account and credential the person held (network and application accounts, remote access, and physical keys and badges), not just the main login.

4. Information Access Management

a. Access Authorization
b. Access Establishment and Modification

I remember my brother having a really cool tree house in the backyard. I wasn’t allowed to go up and play in the tree house because there was “No Girls Allowed.” He had a sign almost as big as the trunk of the tree hanging from a crooked branch just next to the ladder. To make sure I couldn’t get in, he would even take the ladder down and hide it when he and his friends weren’t there. Once I was allowed to go up in the tree house, but I couldn’t open any of the boxes or play any of the games they played because it was restricted to boys only.

This is access management – restricting access to e-PHI to authorized personnel only. Whether it was a tree house, clubhouse, diary, closet, or a locked drawer in your desk, you probably had some place you stored secret information and went to great lengths to make sure no one got a hold of it. The company is required to do the same thing with e-PHI. As an employee, you can help by making sure no one obtains unauthorized access to e-PHI. Protect your login information. Only give user accounts to authorized parties. When in doubt, seek guidance from your supervisor and the Security Officer.

5. Security Awareness and Training

a. Security Reminders

How many times did your mom tell you to wash your hands, look both
ways before you cross the street, brush your teeth, don’t talk to
strangers, etc.? She was trying to protect you from risks that could
harm you or make you ill. Security reminders are the same thing.
Whether it’s an article in the company newsletter, a poster on the
employee bulletin board, an e-mail, or even training such as this
document, security reminders are essential to ensure ongoing
compliance with the company security program and continued
protection of PHI.

b. Protection from Malicious Software

Many of us have a strange circular scar on our upper arm. Do you remember why? It is from your smallpox vaccine. We received shots throughout childhood to protect us from potentially life-threatening viruses. As adults, we continue to protect ourselves from these health hazards by getting a flu shot every year, Hepatitis B vaccine if our work environment increases our risk of exposure, and multiple vaccines if we are going overseas. Well, our IT department is doing the same thing to protect PHI stored in our system. They routinely update virus protection software and restrict access to potentially harmful Internet sites.

Remember the story of Snow White and the poison apple? Well, you can help protect the company from “poison apples” (malicious software) by avoiding potentially harmful sites, refraining from downloading any file or program unless approved by the Security Officer, and limiting the use of company computers and network access to only authorized activities as defined in the employee handbook and security policy. Be just as careful with e-mail attachments and links, since that is a common way for the “apples” to arrive.

c. Log-in Monitoring
d. Password Management

The HIPAA Security Rule requires that a company monitor login attempts and report discrepancies, and that it have procedures for creating, changing, and safeguarding passwords, all to reduce unauthorized access to e-PHI. It also requires employees to protect their passwords so that unauthorized parties cannot use them to access the system. This reminds me of my brother’s “secret” tackle box. He had this tackle box to keep special things safe, such as baseball cards, my grandfather’s pocketknife and other things that are priceless to a 10-year-old boy. He had a combination lock on it and wouldn’t let anyone know the combination, not even my dad. To this day, I have no idea where he hid the combination. I tried several times to figure it out and open his treasure chest. If he caught me trying to break into his tackle box, he would tattle on me and tell my mom. Naturally, I would get punished (there’s that sanction policy again). If someone attempts to break into one of the company’s systems, IT will find out and take appropriate action. It is important that you protect your login and password information to prevent unauthorized access to e-PHI.
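The log-in monitoring described above can be automated. The following Python script is an added example written for this page; it is not code from the original document or from NovoLogix, and the log line format, the user names, the addresses, and the thresholds (five failures in five minutes, business hours 07:00 to 19:00) are all constructed assumptions. It reads authentication log lines, flags a burst of failed logins for one account from one address, flags a success that immediately follows such a burst (the pattern left by a guessed password), and flags logins outside business hours, so that the “discrepancies” the Rule wants reported have a concrete definition:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not from any real system. The line format
# (timestamp, LOGIN_OK/LOGIN_FAIL, user, source address) is an assumption.
SAMPLE_LOG = """\
2008-03-04 08:01:12 LOGIN_OK user=tstamm src=10.1.4.22
2008-03-04 08:02:40 LOGIN_FAIL user=jdoe src=10.1.4.31
2008-03-04 08:02:45 LOGIN_FAIL user=jdoe src=10.1.4.31
2008-03-04 08:02:51 LOGIN_FAIL user=jdoe src=10.1.4.31
2008-03-04 08:02:58 LOGIN_FAIL user=jdoe src=10.1.4.31
2008-03-04 08:03:05 LOGIN_FAIL user=jdoe src=10.1.4.31
2008-03-04 08:03:20 LOGIN_OK user=jdoe src=10.1.4.31
2008-03-04 09:15:00 LOGIN_FAIL user=mlee src=10.1.4.40
2008-03-04 11:40:00 LOGIN_FAIL user=mlee src=10.1.4.40
2008-03-04 23:58:10 LOGIN_OK user=tstamm src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<event>LOGIN_OK|LOGIN_FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "event": m["event"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def find_login_discrepancies(text, max_failures=5, window=timedelta(minutes=5),
                             business_hours=(7, 19)):
    """Return human-readable alerts for three discrepancies: a burst of failed
    logins, a success right after such a burst, and logins outside business hours."""
    alerts = []
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failures
    bursted = set()                # (user, src) pairs already flagged for a burst
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["event"] == "LOGIN_FAIL":
            # keep only failures inside the sliding window, then count them
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
            failures[key].append(ev["ts"])
            if len(failures[key]) >= max_failures and key not in bursted:
                bursted.add(key)
                alerts.append(f"{max_failures}+ failed logins for {ev['user']} "
                              f"from {ev['src']} within {window}")
        else:  # LOGIN_OK
            if key in bursted:
                alerts.append(f"successful login for {ev['user']} from {ev['src']} "
                              f"after a burst of failures (possible guessed password)")
                bursted.discard(key)
            if not business_hours[0] <= ev["ts"].hour < business_hours[1]:
                alerts.append(f"off-hours login for {ev['user']} from {ev['src']} "
                              f"at {ev['ts']:%Y-%m-%d %H:%M}")
    return alerts


if __name__ == "__main__":
    for line in find_login_discrepancies(SAMPLE_LOG):
        print("ALERT:", line)
```

Run it as a script to print the alerts for the sample log, or call `find_login_discrepancies()` on the text of your own log after adapting `LINE_RE` to its format. The off-hours rule is deliberately simple; a real deployment would key it to each employee’s schedule and exempt on-call staff, and the two isolated failures for `mlee` hours apart are correctly left alone.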

6. Security Incident Procedures

a. Response and Reporting

This was explained in the previous scenario, but it is important to remind everyone to report security incidents and work collaboratively with the Security Officer to respond to the incident, take appropriate action, and implement policies and procedures to prevent reoccurrence. My brother was successful at this by rigging his tackle box with a mouse trap. Needless to say, I never tried breaking into it again.

7. Contingency Plan

a. Data Backup Plan

You can’t tell a client “the dog ate my homework.” Simply put, make sure you have a plan to back up data so that it is retrievable, usable, and accessible to authorized parties. Backup copies contain the same e-PHI as the live system, so they need the same protection, and a backup you have never tried to restore is only a hope.

b. Disaster Recovery Plan

Don’t be a Humpty Dumpty. Have a disaster recovery plan. Also, make sure that everyone knows what to do in the event of a disaster. If employees don’t know what actions are necessary to recover from a disaster, then they will be just like all the King’s horses and all the King’s men and do nothing but sit there looking at a mess.

c. Emergency Mode Operation Plan

Sometimes it takes time to recover from a disaster or other type of system outage. In the event you cannot restore everything to fully operational as quickly as you need to respond to customer needs, have a plan in place to continue servicing customers (internal and external). Such is the case in the story The Three Little Pigs. The first two were able to continue business by utilizing the third pig’s facilities temporarily.

d. Testing and Revision Procedures

Make sure your disaster recovery plan actually works. In the story There Was an Old Lady Who Swallowed a Fly, she activated a disaster recovery plan that proved to be detrimental. However, in The Three Little Pigs, the first two pigs were able to actually recover from the Big Bad Wolf’s destruction because the third pig was prepared.

Test your disaster recovery plan regularly. Remember the song There’s a Hole in the Bucket? Had Liza and Henry tested their plan once in a while, they would have been able to fix the hole and would have been able to continue business as usual.

e. Applications and Data Criticality Analysis

The HIPAA Security Rule requires a company to prioritize applications
and data and have a plan to restore them in an order that meets the
most critical needs of customers first.

8. Evaluation

Companies are required to perform periodic assessments of their security plans and their ability to comply with the HIPAA Security Rule, then make adjustments as necessary. Children often have to take standardized tests in school to determine if they are able to complete the work at their assigned grade level. Adjustments to the child’s curriculum may be made based on the assessments completed. Some kids may have to go to summer school, while others may be placed in advanced classes. It is important to routinely evaluate how the company is doing in regards to security to prevent unnecessary breaches.

9. Business Associate Contracts and Other Arrangements

The HIPAA Security Rule requires organizations to have contracts in place that ensure business associates and vendors agree to comply with the standards, implementation specifications, and requirements of the HIPAA Security and Privacy Rules. We did the same thing as kids when we agreed to comply with the Boy Scout Oath or the Girl Scout Promise – we agreed to comply with the rules of the organization and laws that governed its operations. HIPAA requires that we get that same agreement from those handling e-PHI on the company’s behalf.

PHYSICAL SAFEGUARDS

1. Facility Access Controls

a. Contingency Operations

It is important to maintain security of the facility during emergency mode operations. Controlling facility access during emergency mode operations can vary significantly from normal processes.

b. Facility Security Plan

There is a great example of a poor facility security plan, and it can be found in the story The Three Little Bears. Goldilocks was able to waltz right into their home, eat their food, destroy their furniture, and get all the way up to their bedroom and crash before they even noticed. Hopefully, you are working with your company and the Security Officer to implement a more effective facility security plan.

c. Access Control and Validation Procedures

HIPAA requires organizations to implement policies and procedures to ensure only authorized personnel access the facility and areas of operation. In Little Red Riding Hood, Grandmother didn’t do a very good job of this and allowed the Wolf to enter her home; as a result the wolf gobbled her up. Another example is the story The Three Billy Goats Gruff. Each goat was able to trick the troll and cross the bridge. Snow White paid a terrible price when she allowed the wicked queen disguised as an elderly lady into the Dwarfs’ home, and we all remember what happened with The Cat in the Hat! Don’t let intruders wreak havoc on your company. Comply with the company’s policies and procedures on facility security.

d. Maintenance Records

Covered entities are required to maintain records of repairs and modifications to the physical components of a facility which are related to security. There should be documentation explaining the changes made, when they were completed, and who authorized the modifications.

2. Workstation Use

HIPAA requires organizations to specify what functions can be performed at each workstation (computer), how they are to be performed, and what the physical surroundings of the workstation should be, because inappropriate use of computer workstations can expose a company to risks – malicious attacks, security breaches, etc. A classic example of this is Wile E. Coyote and his numerous attempts to catch the Road Runner. He failed to use the Acme products correctly and suffered the consequences each and every time. While your workstation won’t blow up or send you plunging off a cliff in the desert, your actions can result in a security breach or other potentially disastrous event for the organization.

3. Workstation Security

This standard addresses the physical security of workstations in the same way the access management standard addresses user accounts. It is important to have several layers of security to truly protect the organization in case one level or perimeter is breached. As in the story Aladdin, it was an internal threat that Aladdin failed to protect himself against. Unfortunately, the lamp (workstation) was accessed by the wrong person and created mayhem for everyone. Don’t let your magic lamp end up in the wrong hands. Protect your workstation from unauthorized access.

4. Device and Media Controls

a. Disposal

Do you remember passing notes in class? Do you remember what happened if the teacher or someone else would get a hold of them? Public humiliation, after-school detention, and possibly the end of any chance of the boy with the sandy brown hair and dreamy blue eyes two rows over ever liking you. Well, a more adult version of public humiliation could occur if you don’t destroy unwanted PHI correctly. Just think what would happen if a CD containing all the patient records you accessed that day fell into the hands of an identity thief. Paper PHI is easy to dispose of – toss it in the shredder. Electronic PHI is harder: deleting a file, emptying the recycle bin, or even formatting a drive does not actually remove the data from the media, so ask your supervisor and Security Officer for guidance before discarding or recycling any disk, CD, tape, or flash drive.

b. Media Re-use

Some of us are old enough to remember our first mixed tape of our favorite songs. It was really cool if your boyfriend made one of all the songs that reminded him of you. Unfortunately, things happen and relationships don’t always work out. So, you need to erase that mixed tape and put songs from your new boyfriend on it.

Just like the songs on that mixed tape from your ex, PHI must be completely erased from removable media before it is reused. Also, never save PHI to a flash drive unless authorized to do so by the Security Officer.

c. Accountability

The HIPAA Security Rule requires organizations to maintain records of the movements of hardware and electronic media and any person responsible for them. You need to know where everything and anybody is at all times to ensure protection of sensitive information such as PHI.

Why is it so important to know where everything and everyone is? Just read the nursery rhyme Little Bo Peep. Bad things happen when things get lost and fall into the wrong hands.

d. Data Backup and Storage

HIPAA requires that organizations create a retrievable, exact copy of e-PHI, when needed, before equipment is moved. Similar to the data backup plan requirement, this standard requires the company to maintain the ability to continue business regardless of what may happen. Two ways an organization can comply with the standard are to make backup copies of e-PHI stored on hard drives before moving them, OR to restrict where e-PHI can be stored to reduce the need to create such backup files.

The ability to retrieve data when something happens can prove to be
extremely rewarding. Remember Cinderella? Had she not had an exact
copy of the infamous lost glass slipper, she may still be scrubbing
floors for snooty people and talking to rodents in an attic.

TECHNICAL SAFEGUARDS

1. Access Control

a. Unique User Identification

Everyone needs to have his/her own user account in order for the Security Officer or designee to monitor access to e-PHI; a shared account makes the audit log useless because it cannot say which person did what. Just like in school when you had to put your name on your homework, your test, or anything else you turned in to the teacher, so must you use a unique account when accessing e-PHI.

b. Emergency Access Procedure

In the event of an emergency or disaster, there needs to be a way to access e-PHI and the company’s systems. Remember the Superfriends? All of them had special powers to help in an emergency situation. Well, the Security Officer has the same super powers in a sense. He/she maintains a process for accessing the company’s systems during an emergency.

c. Automatic Logoff

Automatic logoff prevents unauthorized access to e-PHI should you have stepped away from your workstation and failed to lock or log off the system. It’s the same as in the story The Poky Little Puppy. If you don’t appear to be present, you will be locked out to keep everyone else in the house safe.

d. Encryption and Decryption

This implementation specification calls for a mechanism to encrypt and decrypt e-PHI wherever it is stored, so that a lost laptop or backup tape does not expose patient data; the Transmission Security standard (below) covers e-PHI as it moves from one place to another in e-mail, Internet applications, file transfers, etc.

My favorite example of encryption and decryption is R2-D2’s message from Princess Leia to Obi-Wan Kenobi. Had that message not been so well protected during travel, Luke may still be stuck in the desert tinkering with junk with his uncle. It serves as a great reminder to us all of the importance of protecting data as it is transmitted from one place to another.

2. Audit Controls

This standard states that covered entities must implement hardware,
software, and processes that record and examine activity in systems
that contain or use e-PHI.

It’s important to monitor the use of and access to e-PHI to detect inappropriate and even illegal activity. Take the case of Little Red Riding Hood. No one was monitoring Grandma’s house, so the Wolf was able to deceive his way into the house and steal her identity, which is exactly what can happen to a patient whose e-PHI is not protected. Fortunately, Red understood the importance of authentication and security incident reporting. She asked the Wolf a series of questions, confirmed he was NOT Grandma, and notified the woodsman with her screams, thus preventing further tragedy.
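The kind of examination the Audit Controls standard asks for, applied to a record-access log, as an added Python example (not code from the original document or from NovoLogix). It also illustrates the role-based access levels recommended under Workforce Clearance above. The CSV log, the role table, the permitted actions per role and the patient assignments (“caseload”) are all constructed for the example; in a real system they would come from the application’s audit log and from the HR and scheduling systems. The review flags accounts with no workforce record, actions a role is not permitted to perform, and access to patients outside the user’s assignment, summarized per user:

```python
import csv
import io
from collections import defaultdict

# Constructed sample access log (CSV), not from any real system.
ACCESS_LOG = """\
ts,user,action,record
2008-03-04T08:05:00,nurse1,VIEW,P-1001
2008-03-04T08:06:10,nurse1,VIEW,P-1002
2008-03-04T08:07:30,nurse1,UPDATE,P-1002
2008-03-04T08:30:00,billing2,VIEW,P-1001
2008-03-04T08:31:00,billing2,EXPORT,P-1001
2008-03-04T12:00:00,nurse1,VIEW,P-2001
2008-03-04T13:00:00,temp9,VIEW,P-1001
2008-03-04T13:00:05,temp9,VIEW,P-1002
2008-03-04T13:00:10,temp9,VIEW,P-1003
2008-03-04T13:00:15,temp9,VIEW,P-1004
2008-03-04T13:00:20,temp9,VIEW,P-1005
2008-03-04T13:00:25,temp9,VIEW,P-1006
"""

# Hypothetical role table, permitted actions per role, and patient assignments.
ROLE_OF = {"nurse1": "nurse", "billing2": "billing", "temp9": "nurse"}
ALLOWED_ACTIONS = {"nurse": {"VIEW", "UPDATE"}, "billing": {"VIEW"}}
CASELOAD = {"nurse1": {"P-1001", "P-1002"}, "billing2": {"P-1001"}, "temp9": set()}


def review_access_log(log_text):
    """Examine recorded e-PHI activity and return a list of findings for follow-up."""
    findings = []
    outside_caseload = defaultdict(list)   # user -> records accessed outside assignment
    for row in csv.DictReader(io.StringIO(log_text)):
        user, action, record = row["user"], row["action"], row["record"]
        role = ROLE_OF.get(user)
        if role is None:
            # an account with no workforce record should never touch e-PHI
            findings.append(f"{row['ts']}: unknown account {user} accessed {record}")
            continue
        if action not in ALLOWED_ACTIONS[role]:
            findings.append(f"{row['ts']}: {user} ({role}) performed {action} on {record}, "
                            f"which that role is not permitted to do")
        if record not in CASELOAD.get(user, set()):
            outside_caseload[user].append(record)
    # one summary finding per user rather than one line per record
    for user, records in outside_caseload.items():
        findings.append(f"{user} accessed {len(records)} record(s) outside assigned caseload: "
                        f"{', '.join(sorted(set(records)))}")
    return findings


if __name__ == "__main__":
    for finding in review_access_log(ACCESS_LOG):
        print("FINDING:", finding)
```

The per-user summary matters in practice: a temp who pages through six charts in under thirty seconds is one finding for a supervisor to investigate, not six separate tickets. The same function can be run over a day’s or a week’s export of the application log.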

3. Integrity

a. Mechanism to Authenticate e-PHI

The HIPAA Security Rule requires organizations to implement policies and procedures to protect e-PHI from improper alteration or destruction, and to have an electronic mechanism (such as checksums, message authentication codes, or digital signatures) to confirm that e-PHI has not been altered or destroyed in an unauthorized manner. A great example of this is the story of Alice in Wonderland. Alice’s adventures were a result of alterations of information and strange events.

4. Person or Entity Authentication

This standard simply states that a company needs to have a method of verifying that persons or entities seeking access to e-PHI are who they claim to be. As stated before, Snow White suffered the consequences of not authenticating visitors and fell victim to someone not being who they claimed to be. The same thing happened to Little Red’s Grandma and the lamb in the fable The Wolf in Sheep’s Clothing. On a lighter note, Bugs Bunny actually made us laugh at the many ways he was able to deceive people and cause havoc in their lives; too bad they didn’t have the HIPAA Security Rule back then.

5. Transmission Security
a. Integrity Controls
b. Encryption

HIPAA requires the protection of e-PHI while it is being transmitted. It doesn’t matter if you and your business associate can protect e-PHI within your own networks if you leave it exposed to potential danger as it travels from point A to point B. Companies need to have a way to protect e-PHI as it travels through cyberspace from one place to another, both so that no one can read it on the way (encryption) and so that the receiver can tell whether it was changed on the way (integrity controls). Do you remember the story The Legend of Sleepy Hollow? Everyone was safe when they were at home or in the tavern, but it was on the road that travelers met their tragic fate with the headless horseman. Don’t let your e-PHI become a victim of a psychopath riding a horse and throwing pumpkin heads. Protect your e-PHI as it travels the roads of cyberspace.
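Integrity Controls (and the Mechanism to Authenticate e-PHI under the Integrity standard above) can be implemented with a message authentication code, shown here as an added Python example using only the standard library; it is not code from the original document or from NovoLogix. The sender wraps each record with a sequence number and an HMAC-SHA256 tag over a canonical JSON serialization; the receiver recomputes the tag, compares it in constant time, and checks the sequence number, so that a record altered in transit, or an old record replayed, is rejected. The sample record, the hard-coded demo key and the `seq` field are constructed assumptions, and the example covers integrity only: confidentiality in transit is the job of TLS or an authenticated-encryption mode from a vetted library, not something to build by hand.

```python
import hashlib
import hmac
import json


class IntegrityError(Exception):
    """Raised when a received record fails its integrity check."""


def canonical(payload):
    """Serialize deterministically so sender and receiver tag identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(key, record, seq):
    """Sender side: wrap the record with a sequence number and an HMAC-SHA256 tag."""
    payload = {"seq": seq, "record": record}
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def open_record(key, envelope, expected_seq):
    """Receiver side: recompute the tag, compare in constant time, then check the
    sequence number so a replayed or reordered message is rejected too."""
    payload = envelope["payload"]
    expected_tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, envelope["tag"]):
        raise IntegrityError("tag mismatch: record altered in transit or wrong key")
    if payload["seq"] != expected_seq:
        raise IntegrityError(f"unexpected sequence number {payload['seq']} "
                             f"(wanted {expected_seq}): replay or lost message")
    return payload["record"]


# Constructed sample record and a fixed demo key (assumptions). A real key is
# generated randomly and shared out of band or negotiated by TLS, never hard-coded.
SAMPLE_RECORD = {"patient_id": "P-1001", "dob": "1961-07-04", "diagnosis": "J45.20"}
DEMO_KEY = b"demo-key-do-not-use-in-production"


def demo():
    """Exercise the happy path, a tampered payload, and a replay; return the outcomes."""
    results = {}
    envelope = seal_record(DEMO_KEY, SAMPLE_RECORD, seq=1)
    results["intact_accepted"] = open_record(DEMO_KEY, envelope, expected_seq=1) == SAMPLE_RECORD

    tampered = json.loads(json.dumps(envelope))        # deep copy of the envelope
    tampered["payload"]["record"]["diagnosis"] = "Z00.00"   # altered in transit
    try:
        open_record(DEMO_KEY, tampered, expected_seq=1)
        results["tampered_rejected"] = False
    except IntegrityError:
        results["tampered_rejected"] = True

    try:  # the same valid envelope delivered a second time
        open_record(DEMO_KEY, envelope, expected_seq=2)
        results["replay_rejected"] = False
    except IntegrityError:
        results["replay_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the three outcomes so they can be checked: the intact record is accepted, the record whose diagnosis was changed is rejected because its tag no longer matches, and the intact record delivered a second time is rejected because its sequence number is stale.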

The HIPAA Security Rule is a series of practical, common sense practices that
should be implemented to protect sensitive data. While we rely on our
systems and IT departments to carry most of the burden of complying with
the Security Rule, all of us play a vital role in the company’s plan to protect
e-PHI. Remember to follow company policies and procedures and protect
patient information when using, disclosing, storing or transmitting it in any
way.

For more information regarding the HIPAA Security Rule, please visit the CMS
Education Materials web site:

http://www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp
