Products Support HIPAA Compliance but may not be HIPAA Compliant

Don’t believe in HIPAA Compliant Products…or other imaginary things. As the healthcare industry prepares for its largest gathering of health IT professionals, the HIMSS conference in New Orleans, everyone should be prepared to see products advertised as ‘HIPAA Compliant.’ Too bad there is no such thing.

While products may have designs and features that support HIPAA Compliance, the products themselves are not HIPAA Compliant unless they are configured and used properly to secure Protected Health Information (PHI). There are also some products popular with health care providers that are not HIPAA compliant and can’t be, by design. These products leave out basic security components as a way to keep their costs down.

Compliance is a cradle-to-grave process. In order for a product to be used in a HIPAA compliant way, ALL of the following must be true:

  1. The product must include design components that support HIPAA compliant use.
  2. Those features must be configured properly to ensure HIPAA compliant use.
  3. Users must be trained to properly use the product.
  4. Users must use the product in a HIPAA compliant manner, every time.
  5. The products and their supporting systems must be continually monitored and maintained to ensure that they remain compliant.
  6. At the end of its useful life, the product must be disposed of in a compliant way.

NIST Guidance

The National Institute of Standards and Technology (NIST) offers guidance for complying with HIPAA. Here are a few examples from NIST Special Publication 800-66:

  1. Audit Controls (§ 164.312(b)) HIPAA Standard: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  2. Ensure that system activity can be traced to a specific user.
  3. Ensure that the necessary data is available in the system logs to support audit and other related business functions.
  4. Do employees understand their roles and responsibilities in selecting a password of appropriate strength, changing the password periodically (if required), and safeguarding their password?
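The audit-control points above (activity traceable to a specific user, and the data needed for an audit actually present in the logs) can be checked mechanically. The script below is an added example, not part of the original article or of NIST SP 800-66: it runs over a few constructed PHI access log lines and reports every entry that could not support a user-level audit, either because a required field is missing, the line is unparseable, or the account is a shared one that identifies no individual. The log format, the field names and the list of generic accounts are assumptions chosen for illustration.

```python
"""Audit-trail completeness check over constructed PHI access log lines.

Added example (not from the original article). The log format, field names
and the list of 'generic' account names are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Fields an audit record needs so activity can be traced to one user and
# reconstructed later: when, who, what, which record, from where.
REQUIRED_FIELDS = ("ts", "user", "action", "record", "src")

# Assumed: shared or role-based accounts that cannot identify an individual.
GENERIC_ACCOUNTS = {"admin", "nurse", "frontdesk", "shared", "root"}

# Constructed sample log lines (key=value pairs after an ISO-8601 timestamp).
SAMPLE_LOG = """\
2013-02-20T10:15:02Z user=jdoe action=view record=pt-1043 src=10.0.0.12
2013-02-20T10:16:40Z user=nurse action=view record=pt-1043 src=10.0.0.12
2013-02-20T10:17:05Z user=asmith action=export record=pt-2210
2013-02-20T10:18:11Z action=view record=pt-0001 src=10.0.0.19
this line is not parseable
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<rest>.*)$"
)


@dataclass
class Finding:
    line_no: int
    problem: str
    line: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = {"ts": m.group("ts")}
    for token in m.group("rest").split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        entry[key] = value
    return entry


def audit_findings(log_text: str) -> List[Finding]:
    """Return one Finding per log line that cannot support a user-level audit."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            findings.append(Finding(n, "unparseable", line))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in entry]
        if missing:
            findings.append(Finding(n, "missing:" + ",".join(missing), line))
        # A shared account means the activity cannot be tied to one person.
        if entry.get("user", "").lower() in GENERIC_ACCOUNTS:
            findings.append(Finding(n, "generic account", line))
    return findings


if __name__ == "__main__":
    for f in audit_findings(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.problem}: {f.line}")
```

Run as-is it reports four of the five constructed lines; only the first line carries everything an auditor would need. In practice the same check is worth running on a schedule against the real system's logs, because a product that can write complete audit records still produces useless ones when a shared login or a misconfigured log format is in use.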

Products that Support HIPAA Compliance

In order to identify products that support HIPAA compliance you just need to go back to the HIPAA Security Rule and the NIST guidance. Devices must require each user to identify themselves uniquely when accessing data. PHI may only be accessed at the minimally necessary level. Devices must be protected against malicious software. You must be able to produce logs for auditing.

Sometimes you can add features to a product to support compliance, such as purchasing encryption or anti-virus software for a device to protect PHI.

Products that do Not Support HIPAA Compliance

I often see doctors using laptop computers that were purchased on sale at a computer or warehouse store. These usually come with consumer operating systems lacking the security features required to adequately protect data. Free on-line e-mail and calendar services do not protect health care information. Text messages sent through a cell phone carrier are totally inappropriate for PHI. Storing PHI on an unencrypted thumb drive or laptop is asking for a data breach and a large fine if it is lost. With the new HIPAA Omnibus Final Rule, any device that contains unencrypted PHI that is lost and not returned is now assumed to be a data breach.

Compliance Monitoring & Maintenance

Systems that monitor and maintain technical controls are required to ensure that products remain compliant. A simple example is that HIPAA requires devices to be protected against malicious software. Endpoint protection software used to defend against viruses and other types of malware should be configured to automatically download and install updates, and to scan a device at a specific interval. Every IT technician and engineer has dealt with a situation where protection software failed, updates did not install, scans did not take place, and more. Ongoing maintenance by your IT staff or an outsourced Managed Service Provider (MSP) is required to identify and remediate problems, because failure of many protection systems will not interrupt your use or alert you. You may blindly continue to work after a security failure until your system is compromised and a data breach occurs.
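The failure modes named above (updates that did not install, scans that did not run, protection silently disabled) are exactly what a monitoring job should surface, since the product itself will not. The script below is an added example, not code from the original article or from any endpoint product: it evaluates a constructed device inventory against assumed policy thresholds and returns the hosts that are no longer in a compliant state. The record layout, the thresholds and the device data are all assumptions; a real check would pull the same fields from the endpoint console's reporting interface.

```python
"""Endpoint-protection health check over a constructed device inventory.

Added example, not from the original article. The record layout, the
thresholds and the device data are assumptions chosen for illustration.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed policy thresholds: how stale a device may be before it is reported.
MAX_SIGNATURE_AGE = timedelta(days=3)
MAX_SCAN_AGE = timedelta(days=7)

# Constructed inventory, shaped like an endpoint console export.
INVENTORY = [
    {"host": "exam-room-1", "realtime": True,
     "sig_updated": "2013-02-25T06:00:00", "last_scan": "2013-02-24T02:00:00"},
    {"host": "exam-room-2", "realtime": True,
     "sig_updated": "2013-02-10T06:00:00", "last_scan": "2013-02-24T02:00:00"},
    {"host": "front-desk", "realtime": False,
     "sig_updated": "2013-02-25T06:00:00", "last_scan": "2013-02-24T02:00:00"},
    {"host": "dr-laptop", "realtime": True,
     "sig_updated": "2013-02-25T06:00:00", "last_scan": None},
]


def check_device(rec: dict, now: datetime) -> List[str]:
    """Return the policy violations for one device (empty list means healthy)."""
    problems = []
    if not rec["realtime"]:
        problems.append("real-time protection disabled")
    sig = datetime.fromisoformat(rec["sig_updated"])
    if now - sig > MAX_SIGNATURE_AGE:
        problems.append(f"signatures {(now - sig).days} days old")
    if rec["last_scan"] is None:
        problems.append("never scanned")
    elif now - datetime.fromisoformat(rec["last_scan"]) > MAX_SCAN_AGE:
        problems.append("last scan overdue")
    return problems


def unhealthy_devices(inventory: List[dict], now: datetime) -> Dict[str, List[str]]:
    """Map each non-compliant host to its problems; healthy hosts are omitted."""
    report = {}
    for rec in inventory:
        problems = check_device(rec, now)
        if problems:
            report[rec["host"]] = problems
    return report


def report_as_of(now_iso: str) -> Dict[str, List[str]]:
    """Convenience wrapper: evaluate the constructed inventory at a given time."""
    return unhealthy_devices(INVENTORY, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for host, problems in report_as_of("2013-02-26T09:00:00").items():
        print(host, "->", "; ".join(problems))
```

Evaluated on the constructed data at 2013-02-26 09:00, only exam-room-1 is healthy; the other three hosts each show one of the silent failures the paragraph describes. The point of wrapping this in a scheduled job is that none of those three conditions would have interrupted a user.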

End-Users, your worst nightmare

No matter what features are built into a product, no matter if the product is configured and deployed to support HIPAA compliance, no matter the investment in technology and security, end-users can always figure out a way to defeat your best HIPAA compliance efforts.

A classic example is when a user writes her password down and sticks it to her monitor, under a keyboard, on an ID badge, or in another place convenient to access if she forgets it. Users should never share passwords, or access a device after someone else has logged in (remember the requirements for unique user identification and audit trails?).

Situational Awareness is also required. Recently a friend sent me an e-mail message saying he was on a flight from Los Angeles to Chicago and was reading patient information from the doctor’s laptop in the seat in front of him. Assuming all the possible security tools had been enabled, the doctor defeated all of them by deciding to review patient records while flying.

Users must be properly trained, observed, and managed to ensure they continue to follow compliant procedures. Any breaches must be reported and investigated.

HIPAA compliance is a process, not something you can buy in a box. Beware of ‘HIPAA compliant’ products, unless you also believe in the Easter Bunny.

"originally written for 4MedApproved"