Security Blanket for the HIPAA Era: Outsourcing Security Services
By Mike Ulicki
Norlight Telecommunications
September 17, 2003
The need to safeguard
consumer medical information to comply with the Health Insurance
Portability and Accountability Act (HIPAA) has brought a heightened
sense of urgency to the issue of network security. Now more than
ever, healthcare providers have reason to lose sleep over the
possibility that their networks will be compromised -- and to
consider curing their insomnia by turning security responsibilities
over to a managed service provider.
Outsourcing security services is one effective way
to address HIPAA's privacy and security rules, because a provider
that specializes in information security has industry knowledge,
security-specific experience and around-the-clock resources that are
rarely available within an in-house IT department.
From pushing out new virus definitions within
minutes of their release, to ensuring that corporate firewalls are
properly configured, to troubleshooting a user's Virtual Private
Network (VPN) access problem, managed security services providers are
equipped to close known security gaps promptly.
No internal IT staff member who deals with
network security on a part-time basis is likely to provide the same
protection -- or be available when problems occur at 3 a.m. or on
Christmas Day.
FIRST, A DEFINITION
Managed security services providers such as Norlight
Telecommunications (www.norlight.com) offer a range of services that
can help healthcare organizations toe the HIPAA line in several
areas. These include:
- Risk assessment/vulnerability testing
- Managed firewall service
- Managed intrusion detection systems
- Managed Virtual Private Networks (VPNs)
- Managed virus blocking
These providers install and configure all
necessary hardware and/or software at the customer site, then
perform ongoing maintenance and 24x7x365 monitoring from
dedicated data centers. They track and address potential threats and
vulnerabilities, ensure that security configurations are accurate
and up-to-date, and frequently work with ISPs and law enforcement
agencies to bring network intruders to justice.
In addition, these outside experts offer the
vital service of keeping detailed logs of activities such as
intrusion attempts. Activity reports can usually be viewed from a
Web portal and printed out for the customer's files.
How does this relate to HIPAA? Let’s take a quick
look at what the law does -- and doesn’t -- say about electronic
protected health information.
HUNG UP ON HIPAA
The HIPAA privacy rule, designed to protect the confidentiality
of personal health information, took effect on April 14,
2003 (see http://www.hhs.gov/ocr/hipaa/). The Department of Health
and Human Services has also issued a separate security rule
covering the administrative, physical and technical safeguards that
must be in place to protect the confidentiality, integrity and
availability of individually identifiable health information that is
stored and/or transmitted electronically.
The security rule provides no step-by-step
checklists, but instead offers general directives reflecting
security best practices and procedures. In the technology arena --
the specific area where managed security services can help -- these
include access controls to limit data use to authorized individuals,
authentication measures to verify the identity of those seeking
access to information, audit controls to track information systems
activity, integrity controls to guard against improper alteration or
destruction of data, and transmission security for information
traveling over an electronic communications network.
The rule contains no specific technology
recommendations. Each healthcare provider covered under the
regulation is simply instructed to choose the appropriate technology
to keep consumer information safe. But unlike other security best
practices or standards, the rule carries the full weight of federal
law, and non-compliance can have severe consequences.
HIPAA violators not only face criminal penalties of up
to $250,000 in fines and 10 years in prison for the most serious
offenses, but they also may find themselves subject to negative
publicity or even civil lawsuits. The ripple effects of
non-compliance therefore have the potential to be extremely damaging
to a healthcare organization.
THE CASE FOR MANAGED SERVICES
Managed security services can reduce the risk of running afoul of
HIPAA because they provide a robust defense against two potential
antagonists: The electronic trespassers who may come knocking at a
healthcare provider’s door, and the regulators or attorneys who
may come searching for proof that the provider has built adequate
barricades against the interlopers.
In the case of the regulators and the courts, hiring
an expert to stand sentinel over a network will help establish that
the organization has done the due diligence necessary to comply with
federal mandates. Investigators can be expected to look at issues
such as whether the provider has used qualified personnel to assess
security risks and whether the IT staff is adequately trained to
implement the security program. Healthcare organizations that
outsource to a managed security expert should be well placed to pass
both of those tests. The organization itself remains accountable for
compliance, however, so the provider's responsibilities should be
spelled out in writing in the business associate contract that HIPAA
requires.
At the same time, the activity logs and
security alerts supplied by an outside provider may supply crucial
evidence in the event of a HIPAA challenge. Having the documentation
to show action taken against attempted network intrusions may prove
to be a key element of any defense.
In the case of network protection, managed
services can help bridge the gap between the implementation of a
particular security measure and the ongoing upkeep required to
ensure that it is working. Like a diet or a New Year’s resolution,
a firewall or intrusion detection system is only as effective as
what you put into it. Cut a corner, make a mistake, or stop crossing
all the Ts and dotting all the Is, and your security perimeter can
turn into Swiss cheese.
Case in point: Firewall configuration. In one
nationwide survey of community banks, every respondent had a
firewall, but a full 90 percent of them were incorrectly configured
in a way that materially affected the banks' security -- either
because they failed to block certain classes of traffic or because
software patches were not up to date. Healthcare organizations
certainly are not immune to these kinds of mistakes. Competent
managed services providers can help ensure that their clients don't
make them.
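The two configuration failures the survey describes, allowing a class of traffic that should be blocked and letting a "temporary" rule silently override a later deny, are both mechanically checkable. The following is an added example, not code from the original article or from Norlight: it audits a rule set in a constructed, simplified first-match format (the real firewall's rules would have to be exported and normalised into it first). The rule lines, the probe addresses and the list of services that must never be reachable from the Internet are all this example's assumptions; patch currency, the survey's other finding, is a separate check against the vendor's release notes and is not covered here.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed list of services that a healthcare perimeter should never
# accept from the Internet. The port choices are this example's
# assumption, not something the HIPAA security rule spells out.
MUST_BLOCK_FROM_INTERNET = {
    ("tcp", 23): "telnet",
    ("tcp", 445): "smb",
    ("tcp", 1433): "mssql",
    ("tcp", 3389): "rdp",
}


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]    # None means any destination port


def parse_rule(line: str) -> Rule:
    """Parse one line of the toy format:
    '<allow|deny> <proto> <src-cidr> -> <dst-cidr> [port N]'"""
    parts = line.split("#", 1)[0].split()
    action, proto, src, _arrow, dst = parts[:5]
    port = int(parts[6]) if len(parts) >= 7 and parts[5] == "port" else None
    return Rule(action, proto, ip_network(src), ip_network(dst), port)


def parse_rules(lines: List[str]) -> List[Rule]:
    return [parse_rule(l) for l in lines
            if l.strip() and not l.lstrip().startswith("#")]


def _matches(rule: Rule, proto, src, dst, port) -> bool:
    return (rule.proto in ("any", proto)
            and src in rule.src and dst in rule.dst
            and (rule.port is None or rule.port == port))


def first_match(rules: List[Rule], proto, src, dst, port) -> Optional[Rule]:
    """First-match evaluation; None means no rule fired (default deny)."""
    for rule in rules:
        if _matches(rule, proto, src, dst, port):
            return rule
    return None


def find_exposures(rules: List[Rule], internal_host: str,
                   internet_host: str = "203.0.113.5") -> List[str]:
    """Names of must-block services an Internet host can reach on internal_host."""
    src, dst = ip_address(internet_host), ip_address(internal_host)
    exposed = []
    for (proto, port), name in MUST_BLOCK_FROM_INTERNET.items():
        hit = first_match(rules, proto, src, dst, port)
        if hit is not None and hit.action == "allow":
            exposed.append(name)
    return exposed


def find_shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that an earlier rule completely covers, so they never fire."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.proto in ("any", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.port is None or earlier.port == later.port)):
                shadowed.append(i)
                break
    return shadowed


# Constructed sample rule set: a public web front end, a vendor "hole"
# that was never removed, a deny that the hole makes useless, and the
# catch-all deny at the end.
SAMPLE_RULES = [
    "allow tcp 0.0.0.0/0 -> 10.1.0.0/16 port 443",
    "allow any 0.0.0.0/0 -> 10.1.5.0/24",
    "deny tcp 0.0.0.0/0 -> 10.1.5.0/24 port 3389",
    "deny any 0.0.0.0/0 -> 10.1.0.0/16",
]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("exposed on 10.1.5.10:", find_exposures(rules, "10.1.5.10"))
    print("exposed on 10.1.9.10:", find_exposures(rules, "10.1.9.10"))
    print("shadowed rule indexes:", find_shadowed(rules))
```

Run against the sample set, the audit reports that a host in the vendor subnet has telnet, SMB, MS SQL and RDP open to the Internet, that a host elsewhere in the network is protected only by the final catch-all, and that the RDP deny at index 2 can never fire because the "allow any" above it already matches everything it would.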
Consider, also, the fringe benefit. Outsourcing
security services not only provides peace of mind vis-a-vis HIPAA,
but it also relieves in-house IT staff of day-to-day security
oversight duties, giving them more time to work on business-critical
projects.
BOTTOM-LINE BENEFITS
At the end of the day, managed security services providers make it
possible to afford security experts who might otherwise be
unaffordable. The cost of recruiting, training, compensating and
retaining a single in-house network security specialist to establish
and maintain a HIPAA-worthy information security program can be
prohibitive, and those costs are multiplied if security stations
must be manned 24 hours a day, 365 days a year.
In fact, even with setup costs and monthly
fees, studies have shown that it is typically less expensive to
adopt a managed security strategy than to hire full-time in-house
security experts. This is largely because a managed services
provider is able to amortize the investment in analysts, hardware,
software and facilities over its entire client base.
Bottom line: Managed security services can
furnish an important security blanket for healthcare providers that
are dealing with HIPAA. It’s
better to be safe than sorry -- especially when the federal
government is involved.
Mike Ulicki is vice president and chief
technology officer of Norlight Telecommunications (www.norlight.com), a provider of
business-to-business telecommunications solutions ranging from
Internet connectivity and data transport to business continuance,
audio and video conferencing and managed services.