OAK BROOK, Ill., Feb. 1, 2011 /PRNewswire/ -- Gaps in the security and privacy of healthcare data still exist, even though the Health Insurance Portability & Accountability Act's (HIPAA) rules for security and privacy safeguards were extended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. For many healthcare providers, these gaps could be the cause of a major security breach, according to Raj Chaudhary, the leader of the Security and Privacy practice at Crowe Horwath LLP, one of the largest public accounting and consulting firms in the U.S.
"The HIPAA Security Rule has three sets of security standards. Each set has several safeguards, and each safeguard has one or more implementation specifications," said Chaudhary. "Providers need to assess their controls and infrastructure against these standards in order to avoid penalties."
As part of compliance with the HIPAA Privacy Rule, Chaudhary also suggests that providers evaluate the risk that any form of protected health information (PHI) could be compromised through improper use or disclosure, loss of data, or breach of confidentiality.
According to Chaudhary, providers should take the following steps to protect the security and privacy of PHI:
- Safeguard data from unauthorized individuals. Users often leave computers logged in while they are away from their desks. Also, some onsite security guards and physical controls fail to prevent unauthorized access to restricted areas. A walk-through, during and after business hours, can help providers identify whether unauthorized people can physically gain access to protected data.
- Monitor controls on key systems and check for inadequate logging. Every time system users access computerized records, they leave an electronic footprint, or log, on the information systems. Most healthcare organizations rely on access controls to help ensure compliance with the HIPAA Security Rule. However, security gaps occur when providers use antiquated systems that don't allow logging, update to new systems without enabling logging or simply don't adequately monitor logged activities.
- Protect access control. Providers should confirm that passwords are required to access all of their systems, databases and applications that house PHI. All required passwords should meet complexity requirements, such as including a combination of numbers, symbols, uppercase and lowercase letters, and should be reset on a regular basis. Accounts should be locked after a series of failed log-in attempts, and all failed log-in attempts should be logged so that accounts being targeted for compromise can be more easily identified.
- Create strong vendor management functions. Most providers do not maintain a comprehensive list of Business Associate (BA) agreements that include the type of data being shared with the BAs. The HIPAA Privacy Rule requires that the "minimum necessary" standard be applied to any data shared with vendors. Vendor management has a lifecycle of its own and should be viewed and managed as such in order to appropriately protect PHI.
- Develop business continuity management and incident response plans. Many providers have a disaster recovery plan that provides guidance on how patient care should continue in the event that IT systems are unavailable. This approach leaves a gap with regard to prioritizing and recovering systems in the event of an incident. An information security-specific disaster recovery plan should be part of this plan, and a computer security incident response plan should also be developed in case of a breach.
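One way to act on the failed-log-in logging recommendation above, as an added example that is not part of the press release or of Crowe Horwath's own material: a small script that reads failed-log-in records and flags accounts whose failures within a sliding window reach the lockout threshold. The log format, the five-attempt threshold and the 15-minute window are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system); the format is an assumption.
SAMPLE_LOG = """\
2011-02-01T08:00:01 LOGIN_FAIL user=jsmith src=10.0.0.5
2011-02-01T08:00:09 LOGIN_FAIL user=jsmith src=10.0.0.5
2011-02-01T08:00:15 LOGIN_FAIL user=jsmith src=10.0.0.5
2011-02-01T08:00:22 LOGIN_FAIL user=jsmith src=10.0.0.5
2011-02-01T08:00:30 LOGIN_FAIL user=jsmith src=10.0.0.5
2011-02-01T08:00:41 LOGIN_OK user=jsmith src=10.0.0.5
2011-02-01T08:05:00 LOGIN_FAIL user=mlee src=10.0.0.7
2011-02-01T09:30:00 LOGIN_FAIL user=mlee src=10.0.0.7
2011-02-01T09:31:00 LOGIN_OK user=mlee src=10.0.0.7
"""

LOCKOUT_THRESHOLD = 5           # failed attempts before an account locks (assumed policy)
WINDOW = timedelta(minutes=15)  # sliding window over which failures are counted


def parse_line(line):
    """Split one log line into (timestamp, event, user)."""
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), event, kv["user"]


def targeted_accounts(log_text, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Return {user: peak failures in any window} for accounts whose
    failed log-ins inside a sliding window reach the lockout threshold."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user = parse_line(line)
        if event == "LOGIN_FAIL":
            failures[user].append(ts)
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers only recent failures.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged
```

Run against the sample, jsmith (five failures in 30 seconds) is flagged while mlee (two failures 85 minutes apart) is not; in practice the flagged list is what an analyst reviews alongside the account lockout events.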
"Healthcare providers need to conduct detailed policy and implementation reviews to make sure how they handle PHI meets the standards determined by HIPAA. Once gaps are identified, they need to work quickly to remediate them," said Chaudhary.
For more information on HIPAA compliance, please visit www.crowehorwath.com/hipaa.
About Crowe Horwath
Crowe Horwath LLP (www.crowehorwath.com) is one of the largest public accounting and consulting firms in the United States. Under its core purpose of "Building Value with Values®," Crowe assists public and private company clients in reaching their goals through audit, tax, advisory, risk and performance services. With 26 offices and 2,400 personnel, Crowe is recognized by many organizations as one of the country's best places to work. Crowe serves clients worldwide as an independent member of Crowe Horwath International, one of the largest networks in the world, consisting of more than 140 independent accounting and management consulting firms with offices in more than 400 cities around the world.
SOURCE Crowe Horwath LLP