In an interview (transcript below), he offers details on the following action items, which will help organizations comply with HIPAA:
- Safeguard data from unauthorized individuals with appropriate log-in methods and other steps;
- Monitor controls on key systems and check for inadequate logging;
- Review all access controls at both the network and application levels;
- Continually manage relationships with business associates that have access to protected health information;
- Develop comprehensive business continuity management and incident response plans.
Chaudhary leads the security and privacy practice at Crowe Horwath. He is a certified professional engineer with certification in the governance of enterprise IT and is a member of ISSA, ISACA, IIA and ASIS.
HOWARD ANDERSON: Today we are speaking with Raj Chaudhary about his top five tips for protecting health information. The first tip you offer is to safeguard data from unauthorized individuals. So what are some of the best ways to do that?
CHAUDHARY: Well, let's make sure that when we assign user accounts to individuals, their role matches the access they are provided to the systems. That is definitely one of the key elements of HIPAA -- to make sure that only the people that need access to that information have a user ID or a user account.
Second would be to make sure that when the user sets up their password, the password complexity should be such that nobody else can easily guess it. A lot of the time, the default password may be set as your last name or a number, or whatever is easily guessable. So we recommend that as soon as a person logs in the first time that they are forced to change the password.
ANDERSON: You also suggest that healthcare organizations monitor controls on key systems and check for inadequate logging. Please explain how best to accomplish that.
CHAUDHARY: One of the requirements of the HIPAA security rule is to monitor who is accessing what part of the protected health information. Most systems today that are implemented have the logging capability. So based on the requirement ... make sure that the IT staff turns on the logging capability so you can collect who accesses what type of information 24/7.
Just logging by itself is not sufficient. What you want to do is make sure that somebody looks at that data as it's collected. There are so many different systems in a given hospital, and there's a lot of logged data that is accumulated. But somebody should put together a set of rules that helps them sift through the data and look for exceptions. That is what I call monitoring. So you are turning the log on to begin with and then monitoring the data to make sure that only the appropriate individuals have access to that data. ...
ANDERSON: You also suggest reviewing access controls. So what steps does that include?
CHAUDHARY: ... You have a user ID on the network level and you have the appropriate password at that level. So at that layer this is typically controlled by IT. ... Second ... is when the applications are accessed by the user. A lot of times, you may have a separate password for that ... you want to make sure that you have proper control at the application layer level. How do you make sure that is monitored on an ongoing basis and that it is secure? Again the complexity of the password at both of these layers is critical.
We also recommend that you make sure that if a non-authorized person tries to log in using a user ID or password on either layer, after a certain number of log-in attempts that person is locked out. So, as an example, if somebody externally breaks in through your firewall to get to your systems and is now trying to guess the password, you've got to make sure that you have some sort of a lock-out after a few of these attempts. I typically recommend that after 10 failed attempts, one should be locked out.
ANDERSON: Now you advocate creating strong vendor management functions. So tell us some of the best ways to manage business associate relationships so that privacy and security are protected.
CHAUDHARY: ... So the first step ... is you need to make sure that legal counsel is involved. You must have a standard business associate agreement that is signed. Second, before you release the data or allow access to the systems, we recommend that the "minimum necessary" rule is applied to the data. IT will either ship the data out or allow business associates to access that data. Then the third is to go beyond that and do some sort of a performance review, making sure that the business associate ... has got the right kind of controls to protect the data. And the fourth step is, on an annual basis, get assurance from the business associate that they are still following the rules that you expect them to follow.
What I find is a lot of covered entities ... don't have a good inventory of all the business associates agreements in place. The agreements are not all consistent and not updated on a regular basis. And most likely, people don't apply the "minimum necessary" rule and they provide more information than is necessary to perform that series of tasks that they were hired to do.
So to prevent that ... do an annual review and make sure that if a business associate is not performing that work any more for you, you terminate the agreement and cut off any access or any shipping of data that is happening. ... If there is no centralized contract management system, this becomes a big challenge. ...
ANDERSON: Finally, you suggest developing business continuity management and incident response plans. What are the key elements to each of those?
CHAUDHARY: Business continuity management ... has multiple elements to it. Number one is a business impact assessment. Number two is, once you've done a business impact assessment, you try to develop what I call a business continuity plan. And the third element is doing a disaster recovery plan. What we find, in most instances, is that the IT department will prepare a disaster recovery plan. ... But when you go back to looking at whether they have a business continuity plan or even a business impact analysis done, typically those two are not very robust. IT may go through and do a test on an annual basis (to check that they can) bring the systems back up from the disaster recovery process. ... But who's got the responsibility to be in the command center? That part typically is missing. Systems are only one piece of the entire puzzle when you are trying to bring the system back up. ...
A business impact assessment, if it's done right, tells you what are the most critical systems and what kind of recovery time objectives you have to have to ... optimize the total cost of a business continuity management function. So those are the key elements that need to be included when you look at business continuity management and incident response planning.