Buyer's Guide: HIPAA Compliance Products

It's time to get serious about satisfying HIPAA's physical-safeguard standards. We'll guide you in choosing hardware and software that satisfy those intricate requirements.

October 7, 2005


'Ain't No Particular Way'

HIPAA is big, and no single vendor has a silver bullet for total compliance (see "Legal Eagle: Wanna Buy the Brooklyn Bridge?"). To borrow from a Shania Twain song, there "ain't no particular way" to satisfy the act's security standards. Congress made HIPAA technology-neutral not only to allow for new systems as technology advanced, but also because it knew no two health-care providers are exactly alike.

Health-care providers differ from one another in their security risks and in the strategies needed to mitigate those risks. A provider's security setup will depend largely on product cost and on the technical capabilities of the record systems that maintain its PHI.

But size matters, too. For example, a solution that's well-suited to a large hospital may not be reasonable for a small office to implement. An identity-management system would make sense for the hospital with multiple users to authenticate, but not for the solo practitioner who employs only one knowledge worker.

HIPAA security standards may include "required" or "addressable" implementation specifications. Whereas required specs must be implemented, addressable specs come into play only if they are reasonable and appropriate in light of the organization's risk analysis and overall mitigation strategies.

The four standards for physical safeguards involve facility access control, workstation use, workstation security, and device and media controls. Translated, these standards require an organization to implement policies and procedures that:

» limit physical access to info systems and facilities;

» specify the proper functions performed by a networked computer;

» implement physical safeguards for computers accessing PHI; and

» govern the receipt and removal of hardware and electronic media containing PHI.

For small providers, locks and keys can limit access to computers, information systems and their facilities. And computers may have only one function--to connect to a mini- or midrange computer containing the provider's data, for instance. Finally, a paper audit log can govern the receipt and removal of equipment and media from a small office.

Figure: HIPAA Checklist

As soon as a provider starts increasing in size and complexity, technology can be a lifeline to HIPAA compliance. For example, a magnetic-stripe card system can relieve the burdens of issuing and tracking keys. A card system can detail the rights and privileges of staff to access rooms within a facility, as well as maintain an audit trail of all room access. Also, many offices now use multifunctional PCs that may require a desktop-management program to dictate features and functionality for employees. Finally, an asset-management program can track transient equipment and media that house PHI.

Two of the four standards for physical safeguards--one dealing with facility access controls, the other with device and media controls--include implementation specifications. The remaining two standards--concerning workstation use and physical security, respectively--have no specs and therefore require no further instructions.

Organizations must implement policies and procedures to limit physical access to their electronic information systems and facilities. The implementation specifications include procedures to safeguard a facility from unauthorized physical access, tampering and theft, as well as role-based access to a facility.

For large health-care providers like hospitals, facility access control will go beyond issuing and tracking keys. Magnetic-card systems like Magek's Access Control, or even smart-card systems from RF Ideas, monitor employees' access to sensitive areas containing information systems.

In deciding which type of card system fits your needs, consider whether you want a contactless or proximity card that can be read at a distance from a card reader. Determine how much data must be stored on the card as well. Smart cards can provide more than employee information, and they have microprocessors and memory on board to track personal data.

Perhaps you can't be bothered with distributing and managing cards. In that case, tell the vendor you want biometrics for access control.

Smart cards and biometric systems can provide access not only to facilities, but also to workstation, LAN and WAN applications. Implementing physical safeguards for workstation security can be as simple as putting machines behind a locked door. But for large health-care providers, the cost of giving each knowledge worker his or her own office with a lock and key is prohibitive. A better solution is to use smart cards or biometric devices to authenticate users and give each of them access to a computer, the network and, perhaps, network applications.
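The role-based door control and audit trail described above, reduced to its logic, as an added example that is not code from the article or from any product it names. The rooms, roles, badge ids and timestamps are constructed sample data, and the after-hours window is an assumed policy, not one the article states. Every request is logged whether it is granted or not, so the trail can answer "who tried to enter the records room, and when" during a review.

```python
from datetime import datetime, time

# Constructed sample policy: which staff roles may open which rooms.
# Room and role names are hypothetical, not taken from any product on the page.
ROOM_POLICY = {
    "lobby":        {"physician", "nurse", "it_staff", "billing"},
    "records_room": {"physician", "nurse", "it_staff"},
    "server_room":  {"it_staff"},
}

# Badge registry: card id -> (holder, role). Constructed sample data.
BADGES = {
    "C1001": ("Dr. A. Example", "physician"),
    "C2002": ("N. Example", "nurse"),
    "C3003": ("I. Example", "it_staff"),
    "C4004": ("B. Example", "billing"),
}

# Assumed after-hours window (20:00 to 06:00); the article sets no such policy.
AFTER_HOURS_START = time(20, 0)
AFTER_HOURS_END = time(6, 0)


def is_after_hours(when):
    t = when.time()
    return t >= AFTER_HOURS_START or t < AFTER_HOURS_END


def request_access(card_id, room, when, audit_trail):
    """Decide a door request by role and append the outcome to the audit trail.

    Unissued cards fall through with role 'unknown', which matches no room
    policy, so they are denied and still logged.
    """
    holder, role = BADGES.get(card_id, ("unknown", "unknown"))
    granted = role in ROOM_POLICY.get(room, set())
    audit_trail.append({
        "time": when.isoformat(timespec="minutes"),
        "card": card_id,
        "holder": holder,
        "role": role,
        "room": room,
        "granted": granted,
        "after_hours": is_after_hours(when),
    })
    return granted


def review_trail(audit_trail, sensitive_rooms=("records_room", "server_room")):
    """Pull out the entries a security officer would look at first."""
    denied = [e for e in audit_trail if not e["granted"]]
    after_hours_sensitive = [
        e for e in audit_trail
        if e["granted"] and e["after_hours"] and e["room"] in sensitive_rooms
    ]
    unknown_cards = [e for e in audit_trail if e["role"] == "unknown"]
    return {"denied": denied,
            "after_hours_sensitive": after_hours_sensitive,
            "unknown_cards": unknown_cards}


def run_sample():
    """Replay a constructed day of door events; returns (trail, review)."""
    trail = []
    events = [
        ("C1001", "records_room", datetime(2005, 10, 7, 9, 15)),   # physician: ok
        ("C4004", "records_room", datetime(2005, 10, 7, 9, 20)),   # billing: denied
        ("C3003", "server_room", datetime(2005, 10, 7, 23, 45)),   # IT, after hours
        ("C9999", "lobby", datetime(2005, 10, 7, 12, 0)),          # unissued card
    ]
    for card, room, when in events:
        request_access(card, room, when, trail)
    return trail, review_trail(trail)


if __name__ == "__main__":
    trail, review = run_sample()
    for entry in trail:
        print(entry)
    print("flagged:", {k: len(v) for k, v in review.items()})
```

The point of keeping denied and unknown-card attempts in the same trail as successful entries is that a card system's audit value comes from completeness; a log that records only opened doors cannot show a lost card being tried against the server room.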

Note that we don't cover video surveillance in this article, though we've discussed the topic elsewhere (see, for example, Axis Communications' Axis 210 Network Camera and Wireless IP Video Secures Lots). Although such monitoring helps identify intruders and may reduce tampering and theft, it doesn't prohibit illicit activity and unauthorized access.

Workstation Use

Implementing policies and procedures that specify workstation functions and how they'll be performed is the stuff of desktop-management products like those from Altiris and LANDesk Software, as well as Novell's ZENworks (see our "Desktop Management Roundup"). When choosing a package, make sure it exceeds your current personnel requirements so you have room to expand.

Such systems can authenticate users to a centralized directory scheme, dictate which applications appear on the desktop and specify which data those apps can access. In addition, they offer application delivery, patch management, backup and rollback to a previous working configuration.

These packages also can provide asset management to track workstations and their devices, including disk and tape media. But you may need more asset-management features to comply with the last HIPAA standard for physical safeguards: device and media controls.

HIPAA's standard for devices and media provides for policies and procedures to manage and track the receipt and removal of hardware and electronic media containing PHI. This standard, unlike the others, includes required implementation specifications.

First, an organization must address the final disposition of electronic PHI and/or the hardware or media in which it is stored. Asset-management systems that come with desktop-management packages may do the job if they can track individual components like hardware disks to workstations and add items for backup media. Otherwise, look into Peregrine Systems' IT Asset, as well as point products from Altiris and LANDesk.

Although manual tracking of assets may be feasible, it can quickly get out of hand if you move, add or change a facility, or do backups every night where tapes are loaded, unloaded and stored off-site. Asset-management systems take inventory of network hardware and software, and let you manage end-of-life and other system replacement.

You may not need the software tracking that comes with many of these systems, but make sure they can do the basics--like integrate with your directory schema, autodiscover network resources, and track assets from company to department to user, right down to the work requests.

The second required implementation specification is aimed at removing PHI from electronic media before it's reused. If the media stays in-house, you may not have a problem simply reformatting a drive with operating system tools like format or fdisk. But if the media is recycled outside the organization, you may want a tool that complies with the Department of Defense's NISPOM (National Security Program Operating Manual) DoD 5220.22-M standards for safeguarding classified information--LSoft Technologies' Active@ KillDisk or Active Data Security Solutions' Active@ Eraser, for example.
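Why a plain format is not enough once media leaves the building, shown on an in-memory "disk" as an added example (not code from the article or from the wiping tools it names). The disk layout, the PHI record and the carving regex are all constructed; the three-pass sequence (zeros, ones, random, then read-back verify) is the pattern commonly implemented by tools claiming DoD 5220.22-M compliance, which is an assumption here since the article names no passes.

```python
import os
import re

HEADER_SIZE = 64      # bytes of file-system metadata at the front of the "disk"
DATA_OFFSET = 1024    # where the file system placed our record
# Constructed sample record; the patient and MRN are fictitious.
PHI_RECORD = b"PATIENT: Jane Example; MRN: 000123; DX: sample diagnosis"


def make_image(size=4096):
    """Build an in-memory disk: a file-system header, then a PHI record in the data area."""
    image = bytearray(size)
    image[:HEADER_SIZE] = b"FSHDR-v1".ljust(HEADER_SIZE, b"\x00")
    image[DATA_OFFSET:DATA_OFFSET + len(PHI_RECORD)] = PHI_RECORD
    return image


def quick_format(image):
    """Mimic what format/fdisk do: rewrite the file-system metadata only.

    The data blocks are left as they were, which is why a raw read of the
    device still returns the old records.
    """
    image[:HEADER_SIZE] = b"FSHDR-v1".ljust(HEADER_SIZE, b"\x00")


def phi_recoverable(image):
    """A file-carving style check: scan the raw bytes for a record marker,
    ignoring whatever the file system now says about allocated space."""
    return re.search(rb"PATIENT:[^;]*; MRN: \d+", bytes(image)) is not None


def overwrite(image, fill):
    """One overwrite pass over every byte of the device.

    fill is a single byte value, or None for random data. The bytes written
    are returned so the caller can verify the pass by reading back.
    """
    data = os.urandom(len(image)) if fill is None else bytes([fill]) * len(image)
    image[:] = data
    return data


def sanitize(image):
    """Three passes (0x00, 0xFF, random) followed by a read-back verify of the
    final pass. Returns True only if the verify succeeded."""
    for fill in (0x00, 0xFF):
        overwrite(image, fill)
    final = overwrite(image, None)
    return bytes(image) == final


def demo():
    """Returns (recoverable_after_format, recoverable_after_sanitize, verify_ok)."""
    image = make_image()
    quick_format(image)
    after_format = phi_recoverable(image)
    verify_ok = sanitize(image)
    after_wipe = phi_recoverable(image)
    return after_format, after_wipe, verify_ok


if __name__ == "__main__":
    print("recoverable after format, after wipe, verify ok:", demo())
```

The verify step matters as much as the passes: a wipe that fails part-way through a device (bad sectors, a pulled drive) leaves exactly the data the format left, so the tool's completion report, not the fact that it was run, is what the disposal record should cite. Overwriting also assumes the device writes where it is told; flash media with wear-leveling can keep old copies of blocks the host cannot address, so for that class of media a practitioner should look for the tool's or the device's own sanitize support rather than rely on host-side passes.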

Figure: HIPAA At A Glance

In addition to having two required implementation specs, the device and media standard includes two addressable specs. The first of these deals with accountability and maintaining records of the movements of hardware and electronic media; this can easily be satisfied with the asset-management applications discussed above. The second addressable spec aims to create a retrievable copy of electronic PHI if the device housing the PHI is relocated; this objective can readily be met using your current backup system.
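The two addressable specs above, accountability for media movements and a retrievable copy before relocation, expressed as one check, as an added example that is not code from the article or from any asset-management product it names. The asset records, backup catalog and one-day freshness threshold are constructed assumptions; the article sets no such numbers.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class MediaAsset:
    asset_id: str
    kind: str            # e.g. "workstation_disk", "backup_tape"
    holds_phi: bool
    location: str
    custody: list = field(default_factory=list)   # movement records (accountability spec)


# Constructed backup catalog: asset_id -> date of the last verified restorable copy.
BACKUP_CATALOG = {
    "DISK-0042": date(2005, 10, 6),
}

# Assumed policy: a copy older than this many days is not treated as current.
MAX_BACKUP_AGE_DAYS = 1


def relocation_check(asset, when):
    """Retrievable-copy spec: a device housing ePHI may move only if a current,
    verified copy of that ePHI exists somewhere else. Returns (ok, reason)."""
    if not asset.holds_phi:
        return True, "no PHI on device"
    last = BACKUP_CATALOG.get(asset.asset_id)
    if last is None:
        return False, "no verified backup copy on record"
    age = (when - last).days
    if age > MAX_BACKUP_AGE_DAYS:
        return False, f"last verified copy is {age} days old"
    return True, f"verified copy dated {last.isoformat()}"


def move_asset(asset, to_location, handler, when, reason):
    """Accountability spec: every move is written to the asset's custody record,
    and a move is refused (and still recorded) when the relocation check fails."""
    ok, why = relocation_check(asset, when)
    asset.custody.append({
        "date": when.isoformat(),
        "from": asset.location,
        "to": to_location,
        "handler": handler,
        "reason": reason,
        "approved": ok,
        "note": why,
    })
    if ok:
        asset.location = to_location
    return ok


def run_sample():
    """Constructed scenario: one disk with a fresh backup, one without."""
    backed_up = MediaAsset("DISK-0042", "workstation_disk", True, "exam_room_3")
    orphan = MediaAsset("DISK-0077", "workstation_disk", True, "exam_room_5")
    when = date(2005, 10, 7)
    r1 = move_asset(backed_up, "it_storage", "I. Example", when, "workstation refresh")
    r2 = move_asset(orphan, "it_storage", "I. Example", when, "workstation refresh")
    return backed_up, orphan, r1, r2


if __name__ == "__main__":
    a, b, r1, r2 = run_sample()
    for asset in (a, b):
        print(asset.asset_id, asset.location, asset.custody[-1]["note"])
```

Recording the refused move in the custody list is deliberate: an auditor reading the record should see that a relocation was attempted and why it was stopped, which is the same completeness argument that applies to door-access logs.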

If you don't have a backup system, you have more than HIPAA to worry about. If data is lost on account of a disk crash or natural disaster, your inability to restore it may put you out of business. Although neither the data subject to mandatory backups nor the operations facilitating those backups are part of HIPAA's physical-safeguard standards, they are included in its Administrative Safeguards (45 CFR §164.308). The scope of the backup plan is determined by the organization's risk analysis and management process.

Any backup system in place or under consideration should offer both disk-to-disk and disk-to-tape options. It should support the operating systems you use for the management console, tape libraries and client workstations, and should integrate with or support a database to index backed-up data. Finally--like Computer Associates' BrightStor and Veritas' NetBackup with its Bare Metal Restore add-on--it should be capable of restoring not only data, but also the bootable operating system.

Sean Doherty is a senior technology editor and lawyer based at our Syracuse University Real-World Labs®. A former project manager and IT engineer at Syracuse University, he helped develop centrally supported applications and storage systems. Write to him at [email protected].
