
Best Practices in Healthcare Information Security and Compliance

Successful healthcare information security starts with strong organizational leadership.

Internal risk management is the key for ensuring information confidentiality, business process availability, and data integrity.

The ability to adapt to continuously-evolving security threats can lead to enduring competitive advantage.

WHITE PAPER
Redspin, Inc., 6450 Via Real, Suite 3, Carpinteria, CA 93013
800-721-9177 / 805-684-6858
TABLE OF CONTENTS
1 Executive Summary
2 Best Practice: Robust Organizational Leadership
3 Best Practice: Build Organizational Competency
4 Best Practice: Risk Classification and Proactive Preparation
5 Best Practice: Collaborate
6 Best Practice: Stay up to Speed
7 About Redspin

Page 1 | www.redspin.com 2010 | White Paper


Executive Summary

The healthcare industry today is undergoing revolutionary changes in the management of healthcare information. Increasingly this information is in electronic form, also known as electronic protected health information (EPHI). Healthcare providers, health insurers, and health information service companies are moving faster than ever to implement IT systems to electronically capture, manipulate, share, and warehouse EPHI. Ensuring the security of EPHI is both a regulatory and a business competitiveness issue. Certainly not all efforts to safeguard EPHI are equally successful. This paper examines in detail the best practices we recommend for healthcare organizations to effectively and efficiently manage EPHI security and to remain compliant with the Health Insurance Portability and Accountability Act (HIPAA).

This report is sectioned into five key Best Practices. The first and perhaps most important regards the need for strong organizational leadership. Leading healthcare organizations know that excellent EPHI management can be a competitive advantage. The best managers emphasize the process of data security over the often illusory benefits of installing cutting-edge technologies. Ensuring executive-level awareness of EPHI security performance through specific job roles and reporting mechanisms is important. The best healthcare organizations actively link EPHI security spending decisions to both (1) the creation of business value; and (2) the reduction of risks.

The second section involves the construction of information security competency. Security competency includes a deep knowledge of the regulatory landscape, but regulatory compliance alone is not sufficient for ensuring EPHI security. It is common for healthcare organizations to be simultaneously compliant with the laws and vulnerable to EPHI security lapses. Therefore healthcare organizations may be advised to focus first on a comprehensive EPHI security program, with the rationale that such a program will usually overlap with all areas of compliance. The buildup of knowledge regarding EPHI security management is itself a valuable asset that should be protected and institutionalized.

The third section covers the steps to successful risk management of potential EPHI security issues, and the development of impact-adjusted mitigation plans for security threats. Efficient and effective EPHI management requires excellent organizational preparation. Risks to EPHI security should be carefully evaluated and prioritized based on their likelihood and their business impact, with resources and technology applied accordingly. Developing business continuity plans can help a healthcare organization respond to security threats more efficiently and minimize the impact of security incidents on the organization.

The fourth section deals with the concept of security collaboration. The best healthcare organizations often collaborate with their vendors, business associates, industry contacts, and even competitors in implementing EPHI security programs. Collaboration sometimes involves oversight via contractual obligations. Other times collaboration involves coordinating security efforts across affiliated organizations that exchange EPHI.

The fifth and final section explores the importance of continuous process improvement. Threats to EPHI are continually developing; therefore, safeguarding EPHI requires constant vigilance. The IT security environment is also becoming more complex: new IT security tools, technologies, and applications are just a few of the items that add complexity, and therefore risk, to a company's EPHI security program. Leading healthcare organizations take specific actions to manage this evolving threat landscape.



Best Practice: Robust Organizational Leadership
One of the strongest indicators of a successful healthcare information security program is an
organizational attitude that highly values security across the entire enterprise. The healthcare
organizations that are the most successful at safeguarding EPHI tend to be those that implement a
complete Information Security Program (ISP). A comprehensive ISP covers not only IT security, but
also items such as facilities management, business continuity, disaster preparedness, employee
safety, and human resource privacy. The most effective ISPs receive (1) executive-level attention and
support, from budgeting to reporting; and (2) independent assessments of program effectiveness.
A recommended approach is to empower a Chief Information Security Officer to verify adoption
of EPHI security procedures and to regularly update senior executives on compliance with both
internal policies and regulatory requirements.

EPHI Security as a Competitive Advantage

Savvy healthcare industry leaders understand that securing EPHI is more than a cost center: effective EPHI management contributes to business value and provides competitive advantage. Increasingly the heart of any enterprise is found in the proper collection, storage, manipulation, availability, integrity, and protection of electronic data. Effective EPHI management can lead to many business benefits for healthcare organizations, including:

• Faster, more collaborative care and service.
• More accurate data transfer and sharing (fewer mistakes and their related consequences).
• Lower administration costs.
• Lower vendor and business associate transaction costs.
• Faster revenue collection and reimbursement.
• Highest possible Medicare reimbursement (HITECH Act compliance).

Effective EPHI management also helps healthcare organizations avoid the damaging consequences of successful attacks and other security breaches, such as:

• Large monetary penalties from regulators.
• Revenue loss from downtime of mission-critical IT systems including web applications, business associate networks, and internal networks.
• Breach notifications to customers, patients, and media outlets (reputation damage).
• Legal action by affected customers, business associates, and vendors.
• Theft and/or misuse of the data itself.

Emphasize Process Management Over Capital Expenditures


It is common for healthcare organizations to simultaneously over-invest in IT equipment and
cutting-edge technologies and to under-invest in fundamental security policy management and process
control. The most technologically secure organizations are not necessarily those that have the best
array of security gear, but rather are those that carefully document comprehensive security policies
and procedures, and then ensure that these policies and procedures are followed, measured,
and updated. It is certainly possible for a healthcare organization with solid security policies and
procedures, yet only middle-of-the-road security tools, equipment, and gear, to be well protected
against an EPHI security incident. On the other hand a similar organization that has the most
sophisticated security equipment but is lacking in comprehensive security policies and process
documentation is much more susceptible to an EPHI security incident.

There are many reasons why healthcare organizations might over-invest in technology and under-
invest in process management. Some of the most common include:

Many healthcare organizations, through basic organizational structure and reporting hierarchy,
lack executive-level knowledge of (1) information technology solutions; and (2) the importance
of EPHI security issues and regulations. This lack of knowledge at the executive level manifests
itself in at least two unfortunate ways:

• The tendency of organizations to under-invest in critical IT systems, both capital and
operational, because they lack the understanding and awareness of the issues.



• The tendency of lower-ranking IT managers to push the IT budget in a favored direction,
which may not include the best solutions for linking IT spending to business value and
risk reduction. Lower-ranking IT managers may be unduly influenced by misplaced
knowledge or vendor/product-driven knowledge that does not necessarily speak to
the healthcare organization’s key business goals and security risks.

Many managers mistakenly believe—or are sold on the idea—that more equipment under
the data center roof makes an organization more secure. In fact the opposite is often true.
The addition of more sophisticated technology solutions typically introduces complexity into
the organization. Complexity adds unnecessary risk and can actually make a healthcare
organization’s data LESS secure.

Buying equipment and implementing cutting-edge technology is more fun and exciting for
managers and staff than anything else. In stark contrast is the relatively mundane and disciplined
process of documenting an EPHI security program, training staff to implement the program,
monitoring the program’s success, and consistently working to maintain EPHI security.
Enhance Executive-Level Awareness of EPHI Security Performance

Building executive-level awareness of EPHI security processes and regulations, and awareness of the organization's performance in safeguarding EPHI, is important. Redspin recommends that healthcare organizations have a Chief Information Security Officer (CISO) who reports to the executive management team and who is operationally independent from all other IT groups. This independence helps prevent the conflict of interest that arises when the person responsible for installing and configuring IT systems is also the person responsible for managing the security risk introduced by those same systems. Ideally the CISO is responsible for the security of EPHI by:

• Ensuring compliance with internally-developed security policies through ongoing oversight and regular review of controls. This review should include an evaluation of the effectiveness of EPHI security tools, applications, and operational procedures.
• Reporting the results of internal and third-party EPHI security assessments, linking security issues to potential business impact, and making business-justified budgetary recommendations to executive-level management.
• Ensuring organizational compliance with HIPAA law and all other applicable regulations.

Budget Appropriately for EPHI Security


The best healthcare organizations actively link EPHI security spending decisions to both 1) the
creation of business value; and 2) the reduction of risks. Furthermore, effective IT governance
requires that business value contribution and risk management be reviewed on a regular basis, with
course correction where necessary.

Safeguarding EPHI is a dynamic endeavor—significant investment and constant vigilance are


required. New security threats frequently materialize. Regulations are expanded and modified over
time. Periodic, independent assessments of EPHI security and corrective action plans are warranted.
Staying current with this dynamic environment requires an ongoing investment in an organization’s
skilled resources and financial capital. Budgeting for these inevitable changes can help healthcare
organizations remain disciplined in following EPHI security plans and avoid resource constraints
when proactively managing the changing threat landscape.

Best Practice: Build Organizational Competency


A successful information security program requires not only organizational awareness of the issues
but also the organizational competency to build a program that mitigates risks and takes advantage
of opportunities to generate business value and gain competitive advantage. Competency starts
with a comprehensive security program that goes far beyond the scope of regulatory compliance.
That is because regulatory compliance alone does not necessarily safeguard EPHI. It is possible
for a healthcare organization to be simultaneously compliant and insecure regarding EPHI. The
knowledge of how to properly safeguard and manage EPHI is itself a valuable asset that should be
protected and institutionalized.



Go Beyond Compliance for Greater IT Security
Being in compliance with EPHI security laws is a mission-critical step, but we caution that being
compliant with HIPAA and other health information security laws will not necessarily make a
healthcare organization’s information technology secure. It is possible—even common—for an
organization to be both compliant and insecure when it comes to protecting information.

Consider the example of a health insurance company that has encrypted its EPHI and managed its
encryption keys adequately, but has failed to properly configure the firewall that protects its internal
network. While the EPHI data may be indecipherable to a hacker, the improper configuration of
the firewall could still compromise the organization’s security. An attack on the internal network
could disable information systems and/or require that the network be taken off-line for repair. In
either case, the EPHI and all other data may be temporarily unavailable, in violation of HIPAA law
and causing immense disruption to the business.
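The firewall half of that scenario can be checked mechanically. The Python script below is an added example, not code from Redspin or from this paper: it audits a deliberately simplified, constructed inbound ruleset (the dictionary format, the trusted address ranges and the list of sensitive ports are assumptions made for the example, not any vendor's syntax or a HIPAA requirement) and flags the misconfigurations that leave an internal network open even when the EPHI on it is encrypted: a default-allow policy, a catch-all allow rule, remote-administration services reachable from untrusted sources, and rules shadowed by an earlier deny-all. A weak ruleset is shown beside a corrected one.

```python
"""Audit a simplified inbound firewall ruleset for misconfigurations that
leave an internal network open even when the EPHI on it is encrypted.
Added example; the rule format, trusted ranges and sensitive-port list are
assumptions for the example, not vendor syntax or HIPAA requirements."""

import ipaddress

# Internal ranges treated as trusted sources (assumed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Management and file-sharing services that must not face untrusted sources.
SENSITIVE_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 1433: "mssql",
                   3389: "rdp", 5900: "vnc"}


def _is_untrusted(src):
    """True for 'any' or any source range not inside an internal network."""
    if src == "any":
        return True
    net = ipaddress.ip_network(src, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def audit_ruleset(rules, default_policy):
    """Return (severity, message) findings for an ordered list of rule dicts.

    Each rule is {"action": "allow"|"deny", "src": "any"|CIDR, "dport": "any"|int}.
    Rules are matched first-match, top to bottom, as most packet filters do.
    """
    findings = []
    if default_policy != "deny":
        findings.append(("critical",
                         "inbound default policy is '%s'; it should be deny" % default_policy))
    deny_all_seen = False
    for i, rule in enumerate(rules):
        action, src, dport = rule["action"], rule["src"], rule["dport"]
        if action == "deny" and src == "any" and dport == "any":
            deny_all_seen = True
            continue
        if deny_all_seen and action == "allow":
            findings.append(("medium",
                             "rule %d is shadowed by an earlier deny-all and never matches" % i))
            continue
        if action != "allow":
            continue
        if src == "any" and dport == "any":
            findings.append(("critical", "rule %d allows any source to any port" % i))
        elif dport in SENSITIVE_PORTS and _is_untrusted(src):
            findings.append(("high", "rule %d exposes %s/%d to untrusted source %s"
                             % (i, SENSITIVE_PORTS[dport], dport, src)))
    return findings


# Constructed "before" ruleset: a firewall is in place, but it is effectively open.
WEAK_RULES = [
    {"action": "allow", "src": "any", "dport": 443},
    {"action": "allow", "src": "any", "dport": 3389},   # RDP reachable from anywhere
    {"action": "allow", "src": "any", "dport": "any"},  # catch-all allow
]
WEAK_DEFAULT = "allow"

# Corrected ruleset: only the public service is exposed, remote administration
# is limited to an assumed admin VLAN, and an explicit deny-all closes the list.
HARDENED_RULES = [
    {"action": "allow", "src": "any", "dport": 443},
    {"action": "allow", "src": "10.20.0.0/24", "dport": 3389},
    {"action": "deny", "src": "any", "dport": "any"},
]
HARDENED_DEFAULT = "deny"

if __name__ == "__main__":
    for name, rules, policy in (("weak", WEAK_RULES, WEAK_DEFAULT),
                                ("hardened", HARDENED_RULES, HARDENED_DEFAULT)):
        print(name + ":")
        for severity, message in audit_ruleset(rules, policy) or [("ok", "no findings")]:
            print("  [%s] %s" % (severity, message))
```

The point of the check is the one the paragraph makes: the weak ruleset protects nothing that matters even though the EPHI behind it is encrypted, because availability, not confidentiality, is what the open perimeter puts at risk. A real audit would parse the actual device configuration rather than this constructed format, but the checks (default policy, catch-all allows, exposed management ports, shadowed rules) carry over directly.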


Make Compliance a Non-issue


The protection of EPHI is highly regulated at the federal level of government, and many states impose
their own data security regulations as well. The U.S. Federal Government mandates enforcement
of laws related to healthcare IT security, most notably the Security Rule under the Health Insurance
Portability and Accountability Act of 1996 (HIPAA). The HIPAA Security Rule specifically focuses
on safeguarding EPHI, requiring that covered healthcare organizations ensure the confidentiality,
integrity, and availability of EPHI at all times.

Knowing the letter of the laws for safeguarding EPHI, ensuring organizational compliance with
these laws, and being aware of the significant consequences of non-compliance are important
endeavors for all healthcare organizations. For more details about the HIPAA Security Rule
and the consequences of non-compliance, see the Redspin publication Trends in Healthcare IT:
Understanding HITECH, the HIPAA Security Rule, and How to Safeguard your Electronic Protected
Health Information (EPHI).

Build Institutional Knowledge


Knowledge of EPHI security regulations, policies, controls, and measurements is a valuable
organizational asset. This asset should be protected like all others. Imagine the disruption to a
healthcare organization if this knowledge one day walked out the door and the organization had
to start from square one. This worst-case scenario could happen if an organization relies too heavily
on the knowledge and expertise of individuals to implement EPHI security programs. Well-run
organizations seek to institutionalize this knowledge by:

• Meticulously developing, documenting, and disseminating EPHI security goals.
• Creating implementation plans and training guides that anyone in the organization can learn and follow.
• Organizing and empowering a technical team whose purpose is to safeguard EPHI and to manage regular security assessments.

If an organization succeeds in building institutional knowledge of EPHI security programs, the loss
of one or two key employees familiar with these programs need not be debilitating.



Best Practice: Risk Classification and Proactive Preparation
The processes of risk identification, threat prioritization and proactive preparation follow
organizational awareness and organizational competency in safeguarding EPHI. Ongoing EPHI
risk management requires excellent organizational preparation. First, an organization must invest
in EPHI classification—the task of identifying the location, specific content, and business value
of all protected health data. Next, risks to EPHI security should be evaluated based on threat
probability and business impact. Not all potential threats should be treated with equal vigor.
Finally, developing plans for business continuity in the event of a major service interruption will help
healthcare organizations respond effectively to the less catastrophic security incidents that are more
likely to occur.

Classify and Manage EPHI


It is vital that all healthcare organizations know precisely where EPHI is processed, stored,
accessed, and transmitted. It is common for healthcare organizations to share EPHI with business
associates and other healthcare providers. The responsibility for protecting EPHI, by law, rests with
all organizations that have access to the protected data. A breach of EPHI security anywhere in the
chain may result in consequences for all organizations with access to the data.

Therefore all EPHI, whether held within the healthcare organization or shared with outside parties,
should be classified based on business impact. Detailed EPHI data flows should be developed and updated
as needed. Frequently a thorough EPHI mapping helps an organization identify inefficiencies or
weaknesses which can be corrected to strengthen EPHI security.

Assess and Prioritize Security Threats and Vulnerabilities


Strong healthcare organizations realize that not all EPHI security threats are equal. Well-run
organizations make the effort to identify all EPHI security threats and vulnerabilities, and then
manage the issues based on business impact and probability. It may not be practical or cost-
efficient to address all security issues at once. By managing threats and vulnerabilities according to
urgency, a healthcare organization can prioritize its action plans.

Redspin works with healthcare organizations to evaluate security controls, to identify EPHI security
vulnerabilities, and to develop action plans for addressing these issues. Redspin categorizes the
impact of security issues based on the potential impairment of an IT system, facility, or procedure if
a given vulnerability were exercised. See the following table.

Impact Level    Description and Necessary Actions

Critical        Corrective measures are required immediately. The existing system should be separated from the network and considered for forensic analysis if a malicious service has been identified.

High            There is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.

Medium          Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.

Low             Management must determine whether corrective actions are required, or decide to accept the risk.

Informational   The issue does not indicate a material violation but is something for management to consider for enhancing the overall security posture.

Table 1. — Redspin Healthcare Security Impact Definitions
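The following Python example is added here to show how assessment findings can be ranked on the two axes the text names, probability and business impact, and mapped to the impact levels of Table 1 so that corrective actions are worked in order of urgency. It is not Redspin's scoring methodology: the 1 to 5 scales, the score thresholds for each level, the rule that an identified malicious service is always Critical, and the sample findings are all assumptions constructed for the example; the necessary actions paraphrase Table 1.

```python
"""Rank assessment findings by likelihood x business impact and map them to
the impact levels of Table 1.  Added example; the scales, thresholds and
sample findings are assumptions, not Redspin's methodology."""

from dataclasses import dataclass

# (minimum score, level, necessary action).  Actions paraphrase Table 1;
# the numeric thresholds on a 1..25 score are an assumption.
LEVELS = [
    (20, "Critical",
     "Corrective measures required immediately; separate the system from the "
     "network and consider forensic analysis if a malicious service was found."),
    (12, "High",
     "Strong need for corrective measures; the system may keep operating, but a "
     "corrective action plan must be put in place as soon as possible."),
    (6, "Medium",
     "Corrective actions needed; plan to incorporate them within a reasonable "
     "period of time."),
    (2, "Low",
     "Management decides whether corrective action is required or the risk is accepted."),
    (0, "Informational",
     "No material violation; consider for enhancing the overall security posture."),
]


@dataclass
class Finding:
    title: str
    likelihood: int                  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                      # 1 (negligible) .. 5 (loss of EPHI C/I/A), assumed scale
    malicious_service: bool = False  # active compromise identified on the system


def effective_score(f):
    """Likelihood x impact on a 1..25 scale.  Evidence of a malicious service
    is treated as the maximum score, matching Table 1's Critical row."""
    if not (1 <= f.likelihood <= 5 and 1 <= f.impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    if f.malicious_service:
        return 25
    return f.likelihood * f.impact


def classify(f):
    """Map a finding to the first Table 1 level whose threshold it meets."""
    s = effective_score(f)
    for threshold, level, _ in LEVELS:
        if s >= threshold:
            return level
    return "Informational"  # unreachable; the last threshold is 0


def action_plan(findings):
    """Return (level, title, necessary action) tuples, highest urgency first,
    so the corrective actions can be worked in order."""
    actions = {level: action for _, level, action in LEVELS}
    ranked = sorted(findings, key=lambda f: (-effective_score(f), f.title))
    return [(classify(f), f.title, actions[classify(f)]) for f in ranked]


def level_counts(findings):
    """How many findings fall at each level; a one-line summary for executives."""
    counts = {level: 0 for _, level, _ in LEVELS}
    for f in findings:
        counts[classify(f)] += 1
    return counts


# Constructed sample findings for the example (not real assessment results).
SAMPLE_FINDINGS = [
    Finding("SQL injection in patient portal exposes EPHI tables", 4, 5),
    Finding("Web shell found on billing server", 2, 3, malicious_service=True),
    Finding("Stale VPN accounts for former contractors", 3, 4),
    Finding("Default SNMP community string on print server", 3, 2),
    Finding("Unencrypted backup tapes shipped off-site", 2, 2),
    Finding("SSH login banner missing", 1, 1),
]

if __name__ == "__main__":
    for level, title, action in action_plan(SAMPLE_FINDINGS):
        print("%-13s %s\n              -> %s" % (level, title, action))
    print(level_counts(SAMPLE_FINDINGS))
```

Note the ordering the plan produces: the web shell, which scores only 6 on likelihood times impact, outranks the SQL injection because an identified malicious service is treated as Critical regardless of the arithmetic, which is the distinction Table 1 itself draws between Critical and High. The thresholds are where an organization encodes its own appetite; what matters is that they are written down and applied the same way to every finding.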



Develop Business Continuity Plans

Healthcare organizations should consider developing a mission-critical Business Continuity Plan


(BCP) as part of their overall information security program. A proper BCP starts with a Business
Impact Analysis of all IT systems and applications. Once the criticality of individual systems and
applications is determined, the business impact of the potential loss or disability of these systems
can be measured. At that point the importance of safeguarding these systems and applications
becomes apparent. Safeguarding systems and applications may take many forms, such as:

• Separation of critical system components from non-critical components (i.e., segmentation).


• Stronger security tools and stricter access controls for mission-critical components.
• Implementation of redundant systems and/or robust data backup procedures.

In order to recover from a catastrophic interruption of information systems, healthcare organizations


are advised to develop a BCP that documents specific actions for bringing systems and applications
back on line, starting with the highest priority items and data sources.
Best Practice: Collaborate

The best healthcare organizations recognize the benefits of collaborating with their vendors, business associates, industry organizations, and sometimes even their competitors when it comes to EPHI management and security. Collaboration sometimes takes the form of oversight via contractual obligations. Other times collaboration involves coordinating EPHI security strategies and programs across affiliated organizations.

Implement Coordinated EPHI Security Programs

The HIPAA Security Rule specifies that EPHI security is the responsibility of all organizations that have access to the protected healthcare information. A breach of EPHI security has consequences for all affiliated organizations, regardless of where the breach occurs. With so much riding on the successful protection of EPHI, it is not surprising that leading healthcare organizations often work as a team to evaluate the breadth and depth of each other's EPHI security processes and programs. Such coordination also facilitates stronger and more frequent communication between business associates across a whole host of business matters.

Institute Business Associate Oversight Measures


Although EPHI security coordination is encouraged, non-binding coordination is not a substitute
for close oversight of business associates when significant organizational reputation is at stake. It
is common for leading healthcare organizations to structure business contracts with vendors and
other business associates to protect against and/or recover the costs of EPHI breaches. Examples
of contractual obligations related to EPHI security include:

• Requirement of annual assessments by an independent security assessment firm.
• Development and maintenance of an EPHI security program that satisfies HIPAA law and any other applicable regulations, including breach notification requirements.
• Commitment to correct in a timely manner any identified security issues of a certain severity.
• Financial obligation to compensate for any penalties, fees, and mitigation costs in the event of an EPHI security breach judged to be the responsibility of the business associate.

Benchmark EPHI Security Programs


It is not advisable for a healthcare organization to operate an EPHI security program in a vacuum.
A better approach is to share and solicit ideas for improving security processes, procedures and
tools. The security threat landscape is evolving and there is greater safety in sharing strategic
program information with associates and colleagues. Strong organizations often measure the scope
of their own programs against those of other leading organizations. Whether sharing and soliciting
ideas comes in the form of a tradeshow presentation, an industry conference, a business associate
meeting, or in contract discussions, the more collaboration there is, the stronger all entities will
become.



Best Practice: Stay up to Speed
Threats to EPHI are continually developing whether these threats are targeted at a particular
organization, or materialize silently in the form of undetected mismanagement. In addition, the IT
security environment is becoming more complex: new IT security tools, software updates, wireless
infrastructure, web application development, workstation upgrades, off-site data storage/recall, and
vendor/business associate network development are just a few of the items that add complexity—
and therefore risk—to a company’s goal for EPHI confidentiality, integrity, and availability. Leading
healthcare organizations must take specific actions to manage this evolving threat landscape.

Conduct Independent Security Assessments

The HIPAA Security Rule requires covered entities to conduct periodic evaluations of the effectiveness of EPHI security programs, policies, and procedures. An independent security assessment that evaluates EPHI security against potential security risks, in a format accordant with the HIPAA Security Standards, is recommended. Independent security assessments may also include the evaluation of business associates with whom health data is exchanged. A high quality EPHI security assessment will do the following:

• Pinpoint specific vulnerabilities to EPHI security by evaluating internal security policies, management process controls, and infrastructure configuration. A thorough EPHI security assessment will evaluate all standards of the HIPAA Security Rule.
• Identify the impact to the organization if a vulnerability is exploited.
• Provide specific recommendations on how to effectively mitigate EPHI security issues.
• Follow a repeatable pathway so that EPHI security risks can be efficiently reassessed after changes are implemented.

Take Aggressive Corrective Action

When significant EPHI security issues are identified, taking aggressive corrective action is the best practice. In the event of an EPHI security breach, a healthcare organization should immediately respond to the cause of the incident, review current policies and procedures to determine what additional measures should be taken to avoid similar incidents, quickly institute any necessary revisions to policies and procedures, send out the revised policies, and retrain employees and business associates as applicable. All corrective measures undertaken, including training materials, should be documented and actively revised if necessary.

Any time security policies and procedures are updated, these changes should be institutionalized.
By aggressively managing the security threat landscape, leading healthcare organizations remain
better positioned to safeguard EPHI.



About Redspin
Redspin delivers the highest quality, independent Information Security Assessments
through technical expertise, business acumen, and objectivity. Redspin customers
include leading companies in industries of healthcare, financial services, hotels,
casinos and resorts, as well as retailers and technology providers. Some of the
largest communications providers and commercial banks rely on Redspin to
provide effective technical solutions tailored to their business context, allowing
them to reduce risk, maintain compliance, and increase the value of their business
unit and IT portfolios.

WEB
WWW.REDSPIN.COM

PHONE
800-721-9177

EMAIL
INFO@REDSPIN.COM

Redspin, Inc.
6450 Via Real, Ste. 3, Carpinteria, CA 93013
