© 2023 HealthWorks Collective. All Rights Reserved.
How to Manage HIPAA Security

ShahidShah
Last updated: September 19, 2011 7:01 am
I get lots of questions about HIPAA security these days, especially as EHR firms, hospitals, payers, and startups alike are being asked about their HIPAA policies.
My general recommendation is that you should forget about HIPAA at first (because it’s a toothless, generally unenforceable regulation that will never improve security, since it is a bureaucratic compliance tool). Instead, concentrate on good security practices and good security policies, follow the recommended NIST guidance, and then come back and tie in the HIPAA regulations to make sure you don’t miss anything on the privacy side.

Also, don’t worry about finding “HIPAA auditors” initially — instead, focus on finding white hat hackers who can help you with penetration testing and simulated attacks, so that you address your actual threats rather than perceived HIPAA threats. Once you get beyond HIPAA as a security goal you’ll end up with much better security, and then you can tie HIPAA into your privacy policies to make sure you’re not missing any major regulations.

Here’s how to proceed:

  1. Get a security policy in place — start with http://www.informationshield.com/ or http://www.instantsecuritypolicy.com. Both of these sites help you think through all the really difficult questions and options you have, and help you construct a single document that will come out better than what you could produce on your own (initially). You can generate a pretty decent document within about 30 to 40 hours of work.
  2. As you’re getting your security documentation in place, take a look at the NIST 800-53 Information Security Policies for Federal Agencies guidance document. Why a federal agency guidance document? Because it’s thorough; most of it will be applicable to healthcare and is worth reviewing to make sure you don’t miss anything when you’re laying out your security policies and controls. Another reason to know about it is that there are lots of consultants out there that know NIST 800-53 and can help you out. Set aside about 8 to 12 hours to really get a good overview of this guidance document.
  3. Just to complete your understanding of the NIST security guidance, check out the other NIST special publications.
  4. Armed with a starter document from step #1 and a basic understanding of the NIST guidance, contact guys who are not HIPAA guys but are security policy experts (contact me privately and I can put you in touch with some) that can review your document. In less than 8 hours of work you can have the document improved in ways that you never imagined (assuming you’re talking to a security expert, not a compliance person).
  5. With a proper policy document now in place, get in touch with a security company that can help you with penetration testing and evaluating your policies in excruciating detail. HIPAA auditors are not what I mean here; I mean guys that can try to break into your system and tell you whether the policies will work and what holes you need to fill in — the “white hat” crowd. This might take as little as 20 to 30 hours or hundreds of hours, depending on the state of your security policies and actual security tools in place.
  6. Go back to the tools in step #1 and plug in all your real security holes with either policies or security tools recommended by the testing firm(s) and consultant(s) and iterate over your document.
  7. With a near-final security document in place, schedule a quarterly test and evaluation and a change control process for how you will keep your documents, real security tools, and policies in good shape. You will need to review your own logs daily, weekly, and monthly and have the experts come in no later than quarterly (monthly is even better). To see one approach to how the feds recommend doing this (again, it’s completely applicable to healthcare) check out the FedRAMP program.
  8. With your documentation now ready and a good change control process in place, now you’re (finally!) ready for the HIPAA auditors; they can now concentrate on the compliance activities and you won’t be fooled into thinking that HIPAA compliance means you’re more secure.
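Step 7 asks you to review your own logs daily, weekly, and monthly. As an added example (not code from the original post, and not tied to any particular product), here is a minimal daily review pass over constructed access-log lines: it flags bursts of failed logins and after-hours access to several patient records by one user. The log format, the field names, the business-hours window, and the two thresholds are assumptions chosen for illustration; the real values belong in your policy document.

```python
"""
Added example (not from the original post): a minimal daily log-review pass
of the kind step 7 calls for. Log format, field names, business hours and
thresholds are assumptions for illustration, not values from any real system.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: one event per line,
# "<ISO timestamp> user=<id> action=<login|view> result=<ok|fail> record=<patient id or ->"
SAMPLE_LOG = """\
2011-09-19T08:02:10 user=jdoe action=login result=ok record=-
2011-09-19T08:03:01 user=jdoe action=view result=ok record=P1001
2011-09-19T08:05:44 user=jdoe action=view result=ok record=P1002
2011-09-19T23:14:00 user=rsmith action=view result=ok record=P2002
2011-09-19T23:15:10 user=rsmith action=view result=ok record=P2003
2011-09-19T23:16:30 user=rsmith action=view result=ok record=P2004
2011-09-19T10:00:00 user=svc-backup action=login result=fail record=-
2011-09-19T10:00:01 user=svc-backup action=login result=fail record=-
2011-09-19T10:00:02 user=svc-backup action=login result=fail record=-
2011-09-19T10:00:03 user=svc-backup action=login result=fail record=-
2011-09-19T10:00:04 user=svc-backup action=login result=fail record=-
2011-09-19T10:00:05 user=svc-backup action=login result=fail record=-
"""


def parse_line(line):
    """Turn one log line into a dict of fields; 'ts' becomes a datetime."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def review(log_text, business_hours=(7, 19), fail_threshold=5, bulk_view_threshold=3):
    """
    Run the daily checks over a block of log text and return a sorted list of
    (finding_type, user, count) tuples. Both checks are illustrative policies:
      - failed_login_burst: a user with >= fail_threshold failed logins in the period
      - after_hours_record_access: a user viewing >= bulk_view_threshold distinct
        patient records outside the business_hours window (start inclusive, end exclusive)
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]

    failed = Counter(
        e["user"] for e in events if e["action"] == "login" and e["result"] == "fail"
    )

    after_hours = defaultdict(set)
    start, end = business_hours
    for e in events:
        if e["action"] == "view" and not (start <= e["ts"].hour < end):
            after_hours[e["user"]].add(e["record"])

    findings = []
    for user, n in failed.items():
        if n >= fail_threshold:
            findings.append(("failed_login_burst", user, n))
    for user, records in after_hours.items():
        if len(records) >= bulk_view_threshold:
            findings.append(("after_hours_record_access", user, len(records)))
    return sorted(findings)


def report(findings):
    """Render findings as lines a reviewer can paste into the daily review record."""
    if not findings:
        return "no findings"
    return "\n".join(f"{kind}: user={user} count={count}" for kind, user, count in findings)


if __name__ == "__main__":
    print(report(review(SAMPLE_LOG)))
```

The point of the script is the habit, not the two particular checks: each check corresponds to a sentence in the policy document ("accounts lock after N failed logins", "PHI access outside business hours is reviewed"), and the daily review produces a written record of what was found, which is exactly what the quarterly testers and, eventually, the HIPAA auditors will ask to see.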

If you’ve got other thoughts that can help the health IT community, drop us some comments here.