HITECH Requires a Health Check on Data Protection

We’re pleased to publish this guest blog post written by Steve Hardwick, partner manager, Mobile Armor.  Panasonic works with Mobile Armor to provide security solutions for mobile devices.

HIPAA legislation has been in place for some time now, however, recent developments from the American Recovery and Reinvestment Act (ARRA) of 2009 are forcing many in the healthcare industry to re-evaluate their compliance to HIPAA regulations. Included in this legislation was the Health Information Technology for Economic and Clinical Health Act, or HITECH Act. Its major goal is to advance the use of health information technology (HIT).  A key provision of the HITECH is the move to digital health records – i.e. Electronic Health Records (EHR) and Electronic Medical Records (EMR). These changes require new ways of doing business and create new challenges for protecting the privacy and security of digital information.

Another element of HIPAA legislation is the applicability to both large and small providers. The Department of Health and Human Services (HHS) has stipulated that any loss of unprotected personal health information (PHI) must be reported. Plus if the number of lost records is above 500 individuals, then it must be publically reported. An annual study conducted by the Ponemon Institute found the average compromised record results in $144—$204 of indirect costs and $60 of direct costs. As a result, information systems being converted to digital format should review HIPAA regulations and determine four things:
1) Where will PHI be stored and accessed?
2) How will the information be protected when it is either stored or exchanged?
3) Who has authorized access to the information?
4) How will the paper records be handled (HIPAA has regulations concerning the disposal of PHI)?

The proliferation of mobile devices and storage options has tremendously compounded the problem of tracking the location of electronic personal health information (ePHI).  A recent study by the Health Information Trust Alliance (HITRUST) analyzed 108 reported breaches affecting over 4 million individuals and health records. The analysis found that 77%, or over 3 million records, were due to loss or theft of laptops or removable media. Add this to the diverse physical locations where information can be stored (e.g. teleworker) and data security becomes a significant challenge to any IT department.

The HITECH act set clear guidelines regarding the protection that must be afforded to stored data. HITECH specifies that if government recommendations for data encryption (NIST SP800-111) are met, then the ePHI has been “rendered unusable, unreadable, or indecipherable to unauthorized individuals”. As such, the risk to the individuals is low and a reportable breach has not occurred.

Failure to protect ePHI will result in fines and the requirement to notify and provide ID theft protection for all impacted individuals. As mentioned earlier, if the number of unprotected lost records exceeds 500, then public media must be notified of the breach. Not only does this incur a lot of expense, but requires a significantly amount of effort. The Ponemon study found that the average time the 65 surveyed organizations IT departments took to fully resolve a single security breach was 161 days.

With these types of challenges, what solutions are available to combat the threats? One of the simplest solutions is to stop the usage of certain devices, e.g USB Flash drives or other removable media. Software solutions exists, called Data Leakage Prevention (DLP), which prevent information from being transferred to removable storage. Locking the data to a single physical location can hamper a user’s workflow so much that the impact to productivity may not justify the approach. It can also lead to the creation of “special users” that are allowed to use removable mobile devices which ultimately defeats the intent.

A second approach is to remove the data from the endpoint device. This can be done by using a virtualized infrastructure approach. In this type of solution the application is executed on a central server and the endpoint simply provides a user interface. These solutions are ideal if the application can be run in a virtualized environment and the endpoint client does not leave any data remnants on the device. Unfortunately, in some cases only a small number of applications can be run in a virtualization mode, which is not the ideal solution for many healthcare facilities. A second challenge for this type of solution is the need for a network connection to the server, which may be difficult in some usage scenarios.

Finally there is endpoint encryption. As mentioned earlier, NIST SP800-111 specifies the configurations to be used. For example if the endpoint is a laptop that will be taken off premise, then full disk encryption with pre-boot authentication is recommended. This will ensure that all the data on the disk is protected. If this is coupled with a central policy and logging server, then a consistent security model can easily be established. Plus by having a centralized logging capability, a report can be generated on any lost or stolen device. The report will show the protection status on the device prior to its loss. This will meet the HITECH requirements for secured ePHI.

Once the data has been protected it must be integrated into an authentication solution. In many organizations this will translate into a centrally managed domain. Any protection solution, virtual or client will need to integrate into this existing infrastructure. Furthermore, in many cases the ePHI will need to be shared, one of the drivers behind digitization. When looking at any solution it is important to ensure that there is the capability to limit access to a preselected group. If not, this can lead to either sharing unprotected information or password sharing. Neither is an acceptable outcome.

One final point regarding implementation challenges. Although not overly covered in HITECH, HIPAA does have some clear mandates regarding the storage and disposal of paper records. So as information is converted from paper records to EHR/EMR, care must be taken regarding the disposal of the paper records.

Due to the ARRA legislation, Healthcare IT organizations are in a unique and difficult position. On one side there are considerable incentives to move to digital information systems. On the other, there are now considerable risks if the information is exposed. As healthcare organizations move forward to take advantage of the financial incentives that HITECH provides, these efforts must include a review of current information protection measures that are in place. The financial gains that are made from deploying an EHR/EMR system could easily be cancelled out by a single data breach.

How does Mobile Armor address these challenges?

Mobile Armor provides a wide range of data protection and encryption solutions for securing electronic and mobile data. The Mobile Armor Data Protection Suite™ protects information and enforces policies throughout an organization. With pre-boot authentication, the protection extends beyond the security environment and protects lost or stolen devices. The Mobile Armor solution is FIPS 140-2 Level 2 certified and, properly implemented, exceeds HHS guidelines. The Data Protection Suite simplifies the protection of healthcare data by providing:

  • FIPS certified AES 256-bit full disk encryption and file-level encryption options.
  • Data encryption for laptops, desktops, notebooks, toughbooks, netbooks, and all types of removable storage devices including external hard drives, CD/DVD and USB flash drives.
  • Centralized policy administration and management to enforce the encryption of sensitive information to meet HITECH Act safe harbor requirements.
  • Pre-boot authentication that enforces policy-driven access control that prevents unauthorized users from logging onto a device.
  • Reporting and auditing to show and verify the current status of encryption deployment enterprise wide or by department, employee and/or serialized device.
  • A “remote kill switch” that, should a device that contains health information be lost or stolen, permits the customer to remotely wipe the crypto keys, rendering the data on the device completely inaccessible.
  • Multiple forms of authentication including fixed passwords, ColorCode, PIN, CAC, and Active Directory domain password.
  • Individual, group and enterprise authentication for removable storage media.
  • Robust port and device control that restricts various forms of removable media as well as restricts who uses what devices on the network.
  • Tamper proof and security measures that detect and protect stolen devices.

The Mobile Armor Data Protection Suite has been designed for use by the most stringent/security conscious organizations such as the United States military for information protection due to its FIPS 140-2 Level 2/3 validation, ISO/IEC 15408 and other elite security certifications, providing even greater levels of mobile data information protection than required in the HITECH Act. And, because of the breadth of device protection (laptops, desktops, flash drives, CD/DVD), ease of use and deployment of the Data Protection Suite, an organization of any size is able to quickly benefit from the superior levels of data protection offered in the Mobile Armor solution.

For more information on Mobile Armor go to: http://www.mobilearmor.com/