HIPAA Compliance — Get it Right, or Pay the Price

Confidentiality of patient health information is mandated under the Health Insurance Portability and Accountability Act (HIPAA) by the U.S. Department of Health and Human Services. Organizations that deal with patient records, including hospitals, research universities, health insurers, clinical research organizations, and pharmaceutical companies, are required to have HIPAA-compliant systems that ensure the privacy of patient records.

This article talks about just one aspect of HIPPA compliance; securing information when it's transmitted electronically across private network connections. It is written at a technical level, assuming the reader has a good baseline understanding of private network technology.

With violation penalties reaching a maximum of $50,000 per incident or $1.5 million annually, IT professionals have come under pressure to keep their networks HIPAA compliant.

HIPAA requires health care organizations to implement strict Access Control, Authentication, Data Encryptionand accountability practices on all Local Area Networks, Wide Area Networks and for users accessing the network remotely through a Virtual Private Network (VPN).

Access Control is part physical security as well as network security. Network access control is a way of tracking when users log-on and off of the network and the applications they connect to while on the network.

Authentication is a verification process requiring a user to enter a user name and password to access the network. Additional security measures may also include a hardware key, hardware token or security device such as USB Dongle.

Data Encryption is the process of scrambling stored or transmitted information so that it is unintelligible until it is unscrambled by the intended recipient. Historically, data encryption has been used primarily to protect diplomatic and military secrets from foreign governments. It is also now used increasingly by the healthcare industry to protect patient information transfers.

Healthcare service providers typically choose from one or more of the following protocols to secure the transmission of their patient health information over their private network connections: Virtual Private LAN Service (VPLS), Multi-Protocol Label Switching (MPLS) and IPSEC VPN. These are alternatives to legacy Layer 2 services such as frame relay or ATM.

MPLS: MPLS guarantees CoS and QoS for prioritizing data traffic. CoS and QoS settings need to match for both the customer routers and the service provider routers. When configuring MPLS, most service providers require the use of complex routing protocols (BGP) when connecting to the service provider's edge network. MPLS is highly secure; its security is equivalent to that found in traditional Layer 2 networks such as Frame Relay or ATM. This is due to the fact that a MPLS VPN provides a customer complete segmentation from other customers that may be riding over the same carrier network.

IPSEC VPN: (Internet Protocol Security VPN Virtual Private Network) is the most common choice for the growing population of individual users or small groups who need to access the corporate network remotely to perform their function. An IPSEC VPN can be used as a site-to-site VPN to connect a remote office with multiple users or as a client based access for a single user. An IP SEC VPN encrypts your private data traffic prior to sending it over a public internet connection and decrypts the data at the destination. A large number of HIPAA violations stem from weak encryption, or misuse of encryption. Anytime protected health information is sent outside of the boundaries of the network, it must be encrypted using a strong encryption methodology such as that defined by IPSec (which uses 3DES or AES encryption). SSL which uses 3DES encryption is a fine solution for application-layer encryption, but it does nothing to protect the transport layers (IPSec does this). The customer is in control of setting up and tearing down the IPSEC VPN tunnel. CoS and QoS are not guaranteed over IPSEC VPN tunnels.

Although HIPAA compliance must be an entity-wide effort, choosing a service provider who understands how HIPAA regulations impact your network is critical.

References: · 164.312(a)(2)(iv) - Encryption and Decryption, "Implement a mechanism to encrypt and decrypt electronic protected health information." · The American Medical Association, www.ama-assn.org/go/hipaa , "HIPAA Violations and Enforcement"
U.S. Department of Health and Human Services