Sunday, February 6, 2011

Technical Safeguards for Legal regarding HIPAA

In February 2010 the Legal Industry got hit with a pretty big compliance issue when the HI-TECH Act made changes affecting HIPAA Business Associates. The legal world gets directly affected by these changes because Law Firms that work with Covered Entities through their Health Care, Litigation, and perhaps other practices, become Business Associates. I will not go any further into details of the actual specifications of the law. Instead, I will focus on what you could do to implement Technical Safeguards to protect Electronic Protected Health Care Information, ePHI. Meanwhile, I will refer you to ILTA’s HIPAA Rules for Law Firms article enclosed in the Peer to Peer edition of March 2010. Notice that I am only dealing with Electronic PHI here, and hard copies of this form of data deserve attention as well.
Protecting that pesky ePHI and THE FIRM
HIPAA brings new Information Management and Information Security challenges to the legal industry and its technology practitioners but it is also a good opportunity to protect your firm as a whole, which I have been preaching since engaging in the HIPAA project because of my background on security. Any regulatory compliance requirement that your firm is going through is an opportunity for the Technology Department to build a strong security program around it. You may not need to apply specific HIPAA safeguards to the whole firm, but I can assure you that there are other regulations that you need to comply with, and if that is not the case, it is just common sense, especially with new regulations around Personal Identifiable Information around the nation.

Since we are focused on HIPAA here, let’s take care of the Health Care practice and the HR area that deals with ePHI and problem solved you may be thinking. Wrong! Expect MANY folks outside the Health Care practice to be BAs because involvement in different Matters. I encourage you to conduct a survey asking who handles any type of PHI, whether electronic or not. I bet you will be astonished with the results.
BUT WHERE IS THAT DATA? I mean, really. Do you know where all the ePHI is? If you do, then I salute you. Oh, and I know that you are thinking about your Document Management System, DMS, your Financial Systems, and your File and Print servers. Is that it? Can you probe it? How about laptops, desktops, and other servers? This is an ongoing process and the stepping stone of any implementation that follows. You can’t protect something that you are not aware of. It is important to understand that you must be able to log and audit your systems in order to probe compliance. Thus, my inclination for systems that meet that critical requirement.
Today there are tools that can scan your network and leverage built-in dictionaries and rules that help you identify compliance specific data. They are often referred as DLP tools (Data Leak/Loss Prevention tools) however, don’t rely on them completely. Talk to the data owners and users as well. I have found over the years that users are the best resource that you can use while building your security program.
We found the data, let’s build the Fort
Let’s start with Access Control. Make sure you understand your network as a whole, especially your Active Directory (AD) Security Groups and other security elements of it. I am sure that you follow industry best practices, but can you audit and probe that? Implement a strong Security Information and Event Management tool, SIEM, which goes beyond traditional Log Aggregation. Products such as TriGeo, and LogRythim have built-in “intelligence” that not only can help you log and audit, but also aid your Change Management strategy, something I am big on as stated in my last post. You will gain visibility into any changes made into your security groups. There are also AD specific auditing tools that can aid on this area and may be more accessible such as ManageEngine products.
Additionally, take a look at your Ethical Walls approach and see if you can extend it beyond your Records department. It is extremely important that there is ongoing communication and collaboration between IT and Records during this process so that you can expand your strategy to areas of IT such as DMS, and Financial systems through software like RBRO, WincWall or IntApp, in addition to Risk Management built-in features in your DMS or Financial systems.
Data in Motion is not only email
We often think of Data in Motion as email, so let’s start there. My background in Health Care taught me one thing: securing ePHI moving through your messaging system could become a nightmare if not thought thoroughly. In my experience I’ve found that the first thing to mind is TLS, which is a great encryption method, yet unmanageable in mid-size and large environments. The same applies to a Certificate based PKI approach. In both cases, the challenge is managing all those certificates and keys. Furthermore, you’ll have to deal with those smaller Health Care practices that don’t have an IT Department capable of setting up managing their end.
A third solution includes full email encryption products that deliver encrypted messages to the recipient’s inbox. Products such as Cisco’s IronPort, ProofPoint, or the very well-known in the Legal vertical Mimecast deliver messages either as encrypted attachments or with a link that will redirect you to a secure site where you can read your messages and take action on them. I highly favor this approach because they are centrally managed, more scalable, and have stronger logging and reporting capabilities. However, be prepared to provide clients with the other two alternatives. You will come across end-users that will hate having to go through an extra step to “just read an email”.
Then there is the new world of mobility, which includes Laptops in all forms, USB drives and other removable media, Smartphones, tablets and the list keeps growing.
You can address issues around laptops and removable media with Encryption tools such as those offered by Check Point, PGP, or Credant, or the free, yet extremely strong TrueCrypt. You will have to pick “your pain” when it comes to encryption. If you choose to go with a Full Disk Encryption approach then you are going to have to deal with pre-boot authentication, which can become a pain when performing trivial tasks such as troubleshooting a system that needs to be rebooted, or deploying software upgrades (in addition to the adoption opposition). If you go with just File Level Encryption only, your devices may still be exposed to Brute Force attacks. And then, there’s Credant’s interesting approach, which encrypts at the file level, yet, it protects the machine’s registry that deal with AD Security database and swap files, which protects the device against access attacks. I really like this approach.
Encryption tools also protect removable media such as USB drives and even SIM cards in Smartphones by deploying policies that can limit device access, white list them so that only approved devices are allowed, and encrypt data in a similar way as previously described. Just make sure that you are aware of what your mobile device float looks like and that you set expectations with regards to client involvement, meaning, what to do when you send data and devices to each other.
Smartphones are also a concern, and although most people think of the problem in regards to email I think that we need to look further and create a strategy that address security concerns around it as a whole, just like you handle laptops. As stated in 2010 ILTA Conference session, Strategies for Managing Disparate Devices in Your Mobile Fleet, these devices are PLATFORMS, so you must threat them as such. I will dedicate a different post to this topic, but for now, know that there are tools that can help you manage these devices by separating corporate data from personal data and in turn, encrypt and control the business data and take action such as deny access or remote wipe the firm’s data. Examples include Good Technologies, MobileIron and Zenprise. McAfee and TrendMicro among others, are also coming up with AV Software for these devices, which in my opinion, will be a must have by the end of this year.

If your firm is dealing with HIPAA, then take this an opportunity to enhance your Information Security program, which in my opinion, has been traditionally too loose in the Legal sector. I will be blogging later on Information Security Policies and Procedures, as well as Disaster Recovery, which are important areas to achieve HIPAA compliance.
What is your firm doing to protect Electronic Protected Health Care Information? Moreover, what other regulations are hitting your firm?

No comments:

Post a Comment