Protecting Electronic Health Information as Part of HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) calls for standards for administrative, physical, and technical security measures to safeguard the integrity, confidentiality, and availability of health information data. This act includes civil and criminal penalties for misuse of health information. It also required Congress to pass privacy legislation or allow the secretary of the US Department of Health and Human Services to promulgate privacy regulations.

Table 1: Private Health Information.

• Names
• Addresses
• Cities and countries
• Phone numbers
• Fax numbers
• E-mail addresses
• Credit card information
• Certificate numbers
• License numbers
• ZIP codes
• Account numbers
• Birth dates


Security regulations were proposed in 1998 and finalized in 2003.1 These regulations establish requirements and implementation features, but do not identify specific standards. These regulations further state that each healthcare provider must assess potential risks and vulnerabilities to data it maintains in electronic form and develop security measures. The privacy regulation defines protected health information (PHI, Table 1) and establishes a set of boundaries within which healthcare organizations must protect health information. A review of HIPAA regulations is beyond the scope of this paper and is available elsewhere.2

The key difference between the security regulations and the privacy regulations is that privacy regulations apply to all communications of patients' protected health information, whether electronic, written, or oral. In contrast, security regulations apply only to PHI. The security regulations require that each healthcare provider do the following: (1) ensure the integrity and confidentiality of the information; (2) protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized uses or disclosures of the information; and (3) ensure that employees comply with the regulation.

Eighty percent of dentists have computers in their offices; 48% of these computers are connected to the Internet, and an increasing number use a variety of technologies including digital imaging, digital intraoral cameras, and electronic patient records.3 Patient information, including clinical information, is being transmitted electronically to third-party payers for preauthorization and treatment verification. Software applications for rapid electronic filing of dental insurance claims are readily available, often integrated with clinical information and practice management systems.

As dental healthcare continues to adopt digital imaging and electronic patient records, understanding security of patient-related data that is transmitted over the Internet is essential. An increasing amount of patient-related information is stored and transmitted digitally, and dentists have a responsibility to develop security procedures and monitoring measures to keep this information private. When dentists think about computer security, risks that probably come to mind are either some damaging agent like a virus or third-party eavesdropping on digital conversations.4 Sectors of society such as the military and financial markets have already studied computer security issues and developed solutions. While no system can be fully secured, a balance between security and privacy must be achieved.

Advantages of making dental information available on the Internet include improving quality of care and reducing dental healthcare costs.5 In addition, continuous access to patient records would alleviate the need to complete registration forms each time a patient visits a new provider, thus saving time and expense. The prospect of electronic dental records (EDR) also raises serious concerns about increased risk of loss of PHI. Society has rightfully attributed special sensitivity to protecting an individual's health information. An individual with a particular medical condition might want to limit access to this information. In fact, maintaining security can be an issue with all forms of health information. The danger of misuse of information will likely be intensified as more health information becomes available online.


The Internet provides unprecedented opportunities for communication and patient data sharing among dentists, third-party payers, and health service researchers. However, these advantages come with a significant amount of risk to confidentiality and integrity of the transmitted information. One impediment to universal adoption of these technologies is that digital information is subject to malicious modification and fabrication.6

The purpose of this article is to review proposed HIPAA security regulations. The intent is (1) to make the reader knowledgeable about safeguards and techniques that can be used to ensure the security of information transmitted and stored and (2) be compliant with the HIPAA security regulations. The security regulations require covered entities to adopt administrative, physical, and technical safety measures to protect electronic PHI. The first part of this paper will review the safeguards as defined by the security regulations. The second part will look at security solutions that can be implemented to comply with these regulations.

 

SAFEGUARDS

Administrative Safeguards

The administrative safeguards require covered entities to conduct a risk analysis to determine potential risks to the confidentiality and integrity of electronic PHI and to implement risk management practices to reduce the risks identified by this analysis. The administrative safeguard also requires covered entities to apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. These safeguards further expect the covered entities to implement procedures to review regularly records of information system activity, such as audit logs, access reports, and security incident-tracking reports. One of the important specifications for this safeguard is the adoption of password protection for office computer systems. Furthermore, covered entities will have to implement policies for handling security incidents that involve attempted or successful unauthorized access, use, disclosure, or destruction of information maintained in the office computer system. This safeguard further requires covered entities to develop a contingency plan to deal with incidents that could damage systems containing electronic PHI. P.M. Sfikas has further explained the security regulations in detail.7

Physical and Technical Safeguards

This safeguard requires covered entities to implement policies to limit physical ac-cess to the entity's computer systems and the facility in which they are housed while ensuring that proper authorized access is allowed. As a part of the technical safeguard, covered entities will have to implement an access control standard that permits only authorized users or applications to access information systems that maintain PHI.

Security Solutions

A wide range of techniques can be adopted to ensure privacy and security of patient records and PHI. These techniques can also be used to analyze large amounts of information generated and flag suspicious patterns for further evaluation. Three aspects of information systems security exist: software security, communication security, and infrastructure security for meeting physical and administrative safeguards.

Software or Application Security

Application security involves providing security for clinical, business, and financial applications such as practice management applications. This is achieved by verifying user identity, controlling user access to resources based on user privileges, and generating activity reports of user access to patient data. To verify user identity and establish individual accountability, every staff member in a dental clinic should have a unique identifier for logging onto a software application or practice management system. Strict procedures should be established for issuing and revoking identifiers. Where appropriate, computer workstations should be programmed to log off automatically if left idle for a specified period of time.

Table 2. Management of Passwords.

• Do not write down the password.

• Do not share it with anyone. If you must do so at any given time, create a new one at your earliest opportunity.

• Do not check the ‚remember my password‚ feature without considering the
value of the data the password protects.

• Create different passwords for very secure information.

• Create passwords that are alphanumeric (example: abcd123).


Passwords can also be used to authenticate users. Passwords should be kept secret and not shared. With your password, anyone can access your confidential information. Passwords should be protected as a personal identification number protects a bankcard. Changing passwords from time to time reduces the chance that someone else will gain access to this information and entry to a protected system. Table 2 provides guidance regarding management of passwords.

Procedures should be in place to ensure that users can access and retrieve only information that they are approved to access. Using access control privileges can limit dissemination of data. If private or confidential data has been accessed on a server by an unauthorized person and copied, it may not be obvious to the authorized user. File access permissions should be administered ap-propriately for users or groups of users depending on what application is being used. Data access should be re-stricted to authorized users only. Data should be classified to appropriate levels of security. User accounts should be closed down quickly after termination or transfer of an employee. Employees must be advised not to share accounts. "Guest" access should be disabled on systems where PHI is stored.

One security problem for most computer users occurs when they are away from their desktop for extended periods of time and leave an application running. This means that someone could walk up to that desktop and gain access to information. Also, if legitimate users are still logged on to their e-mail accounts, someone else could send e-mail messages under their user ID. This can be avoided if users close and sign out of their e-mail accounts when they leave the office. To protect against security leaks further, authenti-cated users should be cautious about sending and forwarding e-mails with PHI. This can compromise security because the recipient may not have adequate measures and controls in place, and you cannot be sure that the e-mail will not be forwarded to other recipients. An e-mail-use policy with limits on forwarding should be in place to safeguard against such in-stances.8

Infrastructure Security

Infrastructure security involves physical security of desktop client systems and servers that maintain patient information. It also involves disaster recovery and assures access to patient records in the event of an emergency such as a natural disaster or a system failure. As a part of infrastructure security, dentists should limit unauthorized physical access to computer systems, displays, networks, and patient records.


Hackers use networked computers to gain access to private information such as financial records or password-protected files. One way to protect your computer against unwanted visitors is to use a firewall. Firewalls are hardware or software programs that prevent hackers from accessing your private data. Firewalls safeguard your computer by enforcing restrictions on incoming traffic. If you have a DSL or cable modem with an "always on"connection, your risk is greater. For example, when you use a dial-up connection, your computer gets a different network address (IP address) every time; however, using DSL or a cable modem, you have a static network address. If you take advantage of an "always on"connection, your computer's address is even more available to hackers. The simplest approach is to turn off your DSL or cable modem connection when not online.

Firewalls have the same deterrent effect as a home alarm system; would-be perpetrators usually look elsewhere for an easier target. There are 3 types of firewalls: personal (or software) firewalls, hardware routers, and hardware firewalls. Personal (or software) firewalls are most appropriate for small-office or home users and cost up to $50 per computer. Dentists with centralized Internet connections should install a hardware or software firewall that provides strong, centralized security and does not allow unauthorized access to patient information on computers.

Computer viruses can cause loss of critical data. This in-cludes program damage that results from efforts to re-move viruses from a system. A virus is a piece of malicious code embedded in a larger, legitimate program. It is designed to run when a legitimate program is executed. Besides picking up a virus from an e-mail attachment, viruses can be acquired from free content downloaded from a Web site or from sharing someone else's diskette. Once a program is downloaded and installed on an unprotected computer, a virus can spread, carrying a damaging payload and slowing down the computer. When a virus infects e-mail or other files, it can transmit itself to everyone else using an e-mail list or reformat the disk drive and delete files and programs on the computer. Computer files and e-mail can be kept safe by using and updating anti-virus software.

 

Table 3. Virus Protection Essentials.

• Scan incoming e-mail and attachments using antivirus software
such as McAfee or Symantec (Norton).

• Schedule weekly disk drive scans.

• Run a virus protection scan to detect infected files
automatically.

• If you suspect a virus on your computer, notify those with
whom you have shared files that their computers may be at
risk.

• Safeguard against hoaxes by verifying that a file is really a
virus before deleting it. The 2 major producers of antivirus
software have Web pages that list common hoaxes. A site
called Hoaxbusters (http://hoaxbusters.ciac.org/) also keeps
an index of hoaxes and chain letters.



When buying a new computer, make certain it has antivirus software preinstalled. If not, install and activate it before using the new computer. One should also be cautious about virus hoaxes. A hoax occurs when a fallacious e-mail or other communication is circulated, advising recipients to delete a file that is actually a program needed by the computer and not a virus. Well-intentioned forwarding of these e-mails further propagates the problem. Table 3 provides methods for effective action against viruses, including ways to check for hoaxes.

Communication Security

When a client machine contacts a server and requests a secure connection, there are 2 separate issues to address: protocol and encryption. Protocol describes a set of necessary steps to establish a secure connection and pass messages securely.9 Some security protocols that have emerged as standards are HTTPS, SHTTP, and SSL. HTTPS and SHTTP are secure Web protocols for accessing a Web server or using the Internet. Using HTTPS in an address location of your Internet Explorer instead of HTTP directs the message to a secure connection rather than an unsecure connection. SSL is another secure connection protocol known as a secure sockets layer. It facilitates a randomly generated key exchange between a server and a browser. A secure communications protocol is a protocol that encrypts and decrypts a message for online transmission. Sensitive data including patient records in transit needs to be encrypted. Encryption is a mathematical means used to disguise a message to hide its content from unauthorized viewing. Encryption is a transformation of data into a form unreadable by anyone without a secret decryption key. Its purpose is to ensure privacy by keeping information hidden from anyone for whom it is not intended, even those who can see encrypted data. Data encryption "scrambles"information sent over the Internet so that only the intended computer can read it. A hacker can still intercept your data file, but, because of encryption, any information it contains cannot be read.

Security and Wireless Technologies

Wireless technologies such as handheld devices and wireless networks have made computing and connection to the Internet more portable, convenient, and functional. They also create an additional challenge for security since data still has to be encrypted and users authenticated. Most wireless devices have an integrated wireless encryption scheme that has a degree of predictability, which could make them vulnerable. Since wireless networks are a recent phenomenon, new and improved security solutions are still in development phases, and manufacturers are using existing secure technologies to protect wireless data.10 Meanwhile, when connecting a wireless computer to the network, a password system can—and should—still be used as outlined above. If a handheld device contains PHI, locking it with a password is one way of protecting the information. Data can also be kept on secure media cards (for devices that support this option), and the cards kept in a physically protected location.

CONCLUSION

HIPAA regulations mandate specific requirements regarding security. These include the following11: developing a system to limit unauthorized use of and physical access to computer hardware; ensuring disaster response and recovery plans are in place; execution of hierarchical sec-urity information clearances based on a "need-to-know"basis; implementing protocols for personnel identification and verification during access to data; and design of protocols for security at the workstation level.

This discussion of issues and plausible solutions is meant to empower the dentist to address application, infrastructure, and communication security. Hackers, viruses, insecure operating systems, and information system evolution will be a fact of life, and as a result new security threats and breaches to patient information will constantly appear. Dentists are encouraged to exercise and enforce discipline over use of application software. At a minimum, install virus-checking programs, restrict use of computers with patient information, and secure access to these computers. Dentists must supplement technical practices with organizational procedures and staff training to provide further protection and to raise user awareness for protection of sensitive data. Dentists should also formally assess security and the vulnerabilities of their information systems on an ongoing basis. They should also install and update software to improve protection of personal data. Finally, security flaws need to be addressed and additional security features introduced. These actions will protect patient health information available on computers.


Acknowledgment

The authors would like to thank Dr. Ira B. Lamster, DDS, MMSc, dean of Columbia University School of Dental and Oral Surgery, for his valuable advice and help in the preparation of this manuscript.


References

1. Detmer DE. Letter on security standards to the secretary of the US Department of Health and Human Services, September 9, 1997. National Committee on Vital & Health Statistics Web site. Available at: http://www.ncvhs.hhs.gov/security.htm. Accessed August 1, 2002.
2. Pai SS, Zimmerman JL. Health Insurance Portability and Accountability Act (HIPAA). Implications for dental practice. Dent Today. 2002;21(10):106-111.
3. American Dental Association Survey Center. Dentists'‚ Computer Use, 1997. Survey of current issues in dentistry series. Chicago, Ill: American Dental Association; 1998.
4. Langer S, Stewart B. Aspects of computer security: a primer. J Digit Imaging. 1999;12:114-131.
5. Schleyer TK, Dasari VR. Computer-based oral health records on the World Wide Web. Quintessence Int. 1999;30:451-460.
6. Ilioudis C, Pangalos G. Development of an Internet Security Policy for health care establishments. Med Inform Internet Med. 2000;25:265-273.
7. Sfikas PM. HIPAA security regulations: protecting patients' electronic health information. J Am Dent Assoc. 2003;134:640-643.
8. Ebert M. Set limits on e-mail forwarding to outsiders to prevent security leaks. HIPAA Security Compliance Insider. April 2003.
9. Rudd A, McFarland J, Olsen S. Managing security vulnerabilities in a networked world. J Digit Imaging. 1998;11(3 suppl 1):216-218.
10. Rogoski RR. Safe and secure. With HIPAA deadlines looming and a prolific number of security choices on the horizon, healthcare organizations face a challenging future. Health Manag Technol. Dec 2002;23:14-20.
11. Goldberg A. HIPAA & Healthcare: A New Way of Sharing and Caring. Available at: http://www.ehcca.com/presentations/ehc-info3/goldberg2.pdf. Accessed July 14, 2004.



Dr. Pai is an assistant professor of clinical dentistry and director of clinical information systems at the Columbia University School of Dental and Oral Surgery in New York City. He can be reached at This e-mail address is being protected from spambots. You need JavaScript enabled to view it .

Dr. Robinson is an assistant professor and director, department of informatics and interim director, department of multicultural affairs at Marquette University School of Dentistry, Milwaukee, Wis. She can be reached at This e-mail address is being protected from spambots. You need JavaScript enabled to view it .

Dr. Zimmerman is an associate professor of clinical dentistry and assistant dean for information resources at the Columbia University School of Dental and Oral Surgery in New York City. He can be reached at This e-mail address is being protected from spambots. You need JavaScript enabled to view it .

Banner