The Impact of Governmental Regulations on the Field of Information Security
by Sarah Michelle Ragle
In recent years, electronic information security disciplines have seen exponential growth in the health-related industry, largely due to governmental regulatory requirements. The scramble to comply with legislated security initiatives such as the Final Rule of the Health Insurance Portability and Accountability Act (HIPAA), which protects the confidentiality of both stored and transmitted electronic health information, is arguably a significant driving force behind the field of information security. HIPAA, along with other government regulations, has caused national implementation of electronic security standards among covered health entities. HIPAA’s Final Rule, covering three categories—Administrative Safeguards, Physical Safeguards, and Technical Safeguards—and containing more than 34 electronic security requirements, went into effect in April 2005 for large covered entities. These requirements have impacted, and will continue to impact, security-related technology markets, IT funding, and the future of the information security field. The question, then, becomes: is health information safer as a result of the governmentally imposed security standards? Do the benefits reaped from regulations such as HIPAA really outweigh the costs?
The first mandate of HIPAA’s Final Rule, the so-called Administrative Safeguards, covers management-level information security issues. Security management on the administrative level includes nine specific standards, ten requirements, and numerous discretionary recommendations. Many of these requirements address generic security issues, such as assigned security responsibility, access controls, password management, and sanction policies for employee non-compliance, that any corporation holding limited-access data must address. The influence of regulation on these considerations is, therefore, negligible. The requirements may push some of the smaller, “borderline” entities to implement these safeguards sooner than they would have without the mandates, but the scope of influence is limited. This is not to downplay the potential influence of the other administrative security directives. Administrative safeguards such as comprehensive risk analysis, audit logs, access reporting, incident tracking logs, data backup measures, and emergency operating procedures force more forward-thinking IT management by requiring contingency planning for future needs. They also allow the standardization of health information security practices, analogous to clinical standards of care.
To be in accordance with the legislated requirements, a healthcare entity must also put into place a series of Physical Safeguards to limit physical access to electronic information systems. Of the eight physical safeguards addressed, only two are compulsory; the remaining six are left to the discretion of the entity. As with the Administrative Safeguards, many of the Physical Safeguards seem intuitively obvious for secure business practices. Issues such as preventing unauthorized individuals from accessing protected information and preventing the theft of electronic equipment are difficulties faced by any corporation that employs electronic devices in the course of business. There are, however, addressable issues that could easily go unnoticed by non-technical management. Keeping extensive maintenance records and creating procedures that allow for the restoration of data are concerns easily overlooked by many smaller entities. In this sense, the HIPAA requirements hold entities to higher physical security standards.
The technical-level safeguards mandated by HIPAA have the most potential for influencing health-related electronic security, particularly in the case of smaller health entities that outsource their IT needs. The required audit controls, which record and examine activity in information systems that contain or use protected health information, hold entities to a higher standard of security. Other concerns, such as the encryption and decryption of transmitted data and the electronic prevention of improper alteration or destruction of information, may previously have gone unaddressed due to cost concerns. The regulatory requirements, while allowing some flexibility in the standard based upon the size of the entity in question, impose a consistent baseline of security across health systems by ensuring that they comply with minimum technical considerations.
The Costs of Compliance
The primary difficulty with the HIPAA legislation is that it specifies a set of administrative, physical, and technical information security standards without detailing how to accomplish them. The Department of Health and Human Services (DHHS), under which HIPAA falls, has indicated in publications its desire to be “committed to the principle of technology neutrality” (Melczer 3). While maintaining fair market practices is inarguably important to a capitalistic system, this policy leaves healthcare entities fending for themselves. Determining the best methods for achieving compliance has proved elusive for many entities. The primary areas of difficulty include meeting the data backup specifications and a lack of access and audit controls. Full compliance requires availability of data for all providers, which proves problematic for many small practices, where data backup consists of a tape drive connected to the main computer. Other practices still lack the mandated two-step system logon and have yet to implement a system for recording user data alteration (Tammen 1). Other entities are meeting the requirements but have inherited other technical issues as a result. According to Rob Rhodes, technical consultant at Kindred Healthcare: “We were facing issues with application performance, because employees log on to our system over varying bandwidth connections” (Drug Week 269). Many end-users are also displeased with the compliance efforts. eWeek reported that nurses feel “the bulk of IT efforts ignore their needs” (Ziff 1).
The costs of compliance are staggering, with the IDC projecting the health-related software market to reach nearly 156 billion by 2009. The IDC also estimates that “healthcare organizations spend an average of 41% of their budgets on IT” (Destination CRM 1). In addition, these costs are ongoing. Full compliance with HIPAA’s transaction rules will require additional investments to support transactions. According to William Gillespie, CIO at WellSpan Health, a non-profit center located in York, Pennsylvania, “this [HIPAA compliance] takes continuing investments” (Information Today 15). Private-sector health organizations are not alone in feeling the bite of compliance. In 2004, the US government spent 900 billion on health IT (Government Health IT 1).
Not all industries are adversely affected by the costs of HIPAA compliance. The healthcare IT products and services market is expected to exceed 38 billion by 2009, growing at a rate of 11% per year. Scott Gordon, a marketing VP at SenSage, estimated the security information management market alone at 250 million as of November 2005 (Shread 1). Budgets for health information systems are also swelling as a result of the security regulations. Of those polled by the InfoTec research group, 58% of private practices and 52% of hospitals expected budgetary increases over the course of the fiscal year.
Complaints and Compliance
The extensive investments in personnel, process, and technology necessary to meet the HIPAA specifications, coupled with what is viewed in many quarters as weak enforcement, have resulted in widespread non-compliance. In a June 2005 survey of 282 healthcare providers, 57% reported failure to meet the mandated security standards (Robeznieks 33).
HIPAA enforcement is primarily complaint-based and is thus dependent upon consumer reporting and self-reporting, causing many entities to opt for a wait-and-see approach to compliance: “I’m not sure that any healthcare organization is ever going to be fully compliant,” said William Gillespie of WellSpan Health (Information Today 15). The Office for Civil Rights (OCR) reports 13,700 complaints filed as of June 2005, with 67% of those cases closed (Zablocki 68). Of the pursuable cases, 33% reflected inadequate safeguards, 17% concerned data access, and 50% involved disclosure of protected information (Zablocki 68). According to Amith Viswanathan, a healthcare industry analyst at Frost and Sullivan, private practices “rely heavily on their vendors to be compliant” (Ziff 1) rather than actively pursuing compliance themselves. Penalties for HIPAA violations range from $100 per offense, capped at $25,000 per calendar year in civil cases, to $250,000 in criminal fines (Zablocki 68). Another possible cause of indifference lies in the informal methodology for resolving complaints. In some cases, the OCR settles violations with phone calls and letters (Zablocki 68).
With the recent rash of high-profile security breaches and the high level of non-compliance, is health information any safer than prior to government regulation? According to a Federal Trade Commission report from February 2005, medical-related identity theft accounted for 2.2% of nationwide identity theft incidents, up 0.2% from 2003 (Federal Trade Commission 3). While 0.2% is a negligible increase, it is a trend in the wrong direction. The HIPAA legislation attempts to protect health information from exploitation. Any increase in health information security breaches implies a failure of governmental regulation to achieve its specified goals. The argument could be made that organizations with fully compliant security strategies are, for the most part, protected from these types of incidents. Nevertheless, a perception of HIPAA failure, even a slight one, could make the inflated IT budgets necessary for compliance difficult to justify. This is particularly true in the case of small practices, which may be wavering on the edge of implementation.
A Continuing Process
The seemingly endless barrage of governmentally induced security regulations, as well as the constant need for protection against malicious software, is likely to have a continuing impact on health information systems and, not so incidentally, on future IT technology. In addition to the need for data storage and aggregation services and products, concerns such as access controls, audit trails, and firewall protection are likely to provide ongoing markets for software companies.
The unique need of many Health Savings Account (HSA) providers for transaction capture at the point of service introduces a host of new technology potential and, not so incidentally, new security and compliance concerns. Many providers support the concept of using a single card to verify eligibility, benefits, and medical payments. One potential solution includes card-swipe terminals coupled with web portals for transaction tracking. The use of smart cards also has the potential to prevent unauthorized access to protected patient information while allowing for the necessary per-transaction monitoring (Destination CRM 1). Other governmental initiatives to promote interoperability between hospital systems and provide remote access to electronic patient records have the potential to rival the Human Genome Project in breadth and scope.
The recent wave of natural disasters has inspired renewed government interest in a national system for electronic medical record exchange. HIPAA compliance in such a vast information network could prove problematic, leaving some industry professionals concerned about the future of health-related IT. Gartner research director Wes Rishel worries that the hype generated by this issue could lead to disillusionment with health IT: "The government is certainly leading in the creation of hype. There's a huge amount of attention to the issue, but the benefits are overblown and there's little understanding" (Lawerence 1). According to a recent PC Magazine article, some state networks have demonstrated “some technological, organizational and fiscal successes” (Lawerence 1).
In addition to system interoperability issues, the list of potential security problems is endless; however, compliance with the HIPAA mandates could simplify the implementation process. While implementation of a nationwide electronic medical record system is still a distant goal, resolving the numerous security-related issues on a regional basis, as well as compliance with HIPAA regulations, should be a health IT focus in the coming years.
Works Cited
Business Wire. “Network Appliance Unveils Uncompromised Security Initiative; Vision Challenges Industry to Redefine Data Security; Aims to Deliver New Standard to Enterprises.” November 9, 2005.
Destination CRM. “Healthcare IT To Drive Software Industry’s Growth.” www.epaynews.com August 18, 2005.
Drug Week. “HIPAA compliance assured with technology.” www.newsrx.com Jan 30, 2004 p269.
Federal Trade Commission Publication. “Identity Theft Victim Complaint Data.” www.consumer.gov January 1-December 31, 2004.
Government Health IT. “HIPAA Compliance To Drive New IT Investment.” http://www.epaynews.com/index.cgi?survey=&keywords=healthcare&optional=&&block= Nov 08 2005.
Information Today, Inc. “Which of the following compliance mandates: is your company addressing at this time?” Sept 2005 v28 i9 p15(1).
Lawerence, Stacy. PC Magazine. “Feds To Push Health IT Forward in 2006.” http://www.pcmag.com/ November 27, 2005.
Melczer, Andrew. Health Insurance and Portability Act of 1996 Administrative Simplification 45 CFR Part160—General Administrative Requirements and 45 CFR Part 164 Security and Privacy. www.dhhs.gov Feb 20, 2003.
Robeznieks, Andis. Modern Healthcare. “Noncompliant and unconcerned; Survey finds many not meeting HIPAA security rules.” August 8, 2005 v35 i32 p33.
Shread, Paul. Storage News. “Compliance Creates New Storage Needs.” www.enterpriseitplanet.com November 23, 2005.
Tammen, Christopher. AMR Research Market Analytix Report. “HIPAA Regulatory Alert: Many are unprepared for April 20 security deadline.” 2005.
Vijayan, Jaikumar. Computerworld. “Progress is slow on HIPAA security rules: data mandates aren't driving health care companies to comply.” Sept 12, 2005 v39 i37 p1(2).
Zablocki, Elaine. Family Practice News. “HIPAA complaints: is strategy in place?” August 15, 2005 v35 i16 p68(1).
Ziff Davis Media Inc. eWeek. “HIPAA Costs Said to Curtail Health IT Spending.” August 24, 2004.