Monday, September 5, 2011

How to Evaluate a HIPAA Security Compliant Data Center

If you host your healthcare data with a data center, certain administrative, physical and technical safeguards should be in place, as defined by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Although all service providers tout their data centers as secure, how do you confirm that a data center truly is HIPAA Security Rule compliant?

HIPAA sets the standard for protecting sensitive patient data. Under HIPAA there are two designations, Covered Entity and Business Associate. A Covered Entity is a provider of medical care or any entity that transmits electronic protected health information (EPHI). A Business Associate is any entity that provides services for a Covered Entity that may involve EPHI. The Health Information Technology and Economic Clinical Act (HITECH) was enacted in 2009 and raised the stakes for Business Associates in complying with HIPAA, essentially putting them on par with Covered Entities. By managing servers containing EPHI, the data center hosting company is considered a Business Associate and must ensure all the required physical, network and process security measures are in place and followed.

The Minimum Safeguards

When evaluating providers, the following safeguards must be in place:

•    Physical safeguards - include limited facility access and control, with authorized access in place. All covered entities, or business associates, must have policies about use of and access to workstations and electronic media. This requirement includes transferring, removing, disposing of and re-using electronic media and EPHI.
•    Technical safeguards - require access control to allow only authorized personnel to access electronic protected health data. Access control includes using unique user IDs, an emergency access procedure, automatic log-off, and encryption and decryption.
•    Audit reports (or tracking logs) - must be implemented to keep records of activity on hardware and software. This procedure is especially useful to pinpoint the source or cause of any security violations. Solution providers should keep very detailed records in their building monitoring system, down to the second when somebody accessed a badge reader on a door.
•    Technical policies - should also cover integrity controls, or measures put in place to confirm that EPHI hasn’t been altered or destroyed. IT disaster recovery and offsite backup are key to ensuring that any electronic media errors or failures can be quickly remedied and patient health information can be recovered accurately and intact. A HIPAA security compliant data center must ensure crucial healthcare data it handles for providers and insurers will be safe and protected in the event of a disaster.
•    Network, or transmission, security - is the last technical safeguard required of HIPAA security compliant hosts, to protect against unauthorized public access to PHI. This requirement covers all methods of transmitting data, including email, the Internet, or even a private cloud network.

Turn to Audit Reports

The rapid adoption of healthcare technology and applications such as Electronic Health Records creates new challenges for Healthcare IT planners, as they must undergo costly upgrades to ensure HIPAA security compliance. Outsourcing data storage to data center hosting companies can be a cost-effective alternative. The best way to evaluate whether the required security is in place is to review the data center’s SAS-70 (recently changed to SSAE 16) and PCI-DSS audit reports. The audit reports should specifically cover the processes for the data center’s physical security, network security and access control to the data on the server.

A SAS-70 (Statement on Auditing Standards No. 70) designation confirms the data center complies with established auditing controls. The audit is conducted by an independent, third-party CPA. SAS-70 certification includes two types of audit reports:

•    Type I – The first step in the auditing process evaluates the organization’s description of their internal controls.

•    Type II – Includes the Type I report and evaluates how the controls operated from when the Type I audit was first conducted to six months thereafter.

The final deliverable for the audit is commonly called the SAS 70 Service Auditor’s Report, a lengthy document which contains a multitude of information regarding the service organization, its overall control structure, framework, test of controls (if a Type II audit), along with adjunct and supporting documentation, such as the Independent Accountant (or Service Auditor’s) Report, possible exceptions noted during testing, and any additional information provided by the service organization.

Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. The standards were created to prevent cardholder fraud, which is critical as more patients pay by credit card. The following table shows the requirements:

Control Objectives and PCI DSS Requirements

Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
    5. Use and regularly update anti-virus software on all systems commonly affected by malware
    6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
    7. Restrict access to cardholder data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

Maintain an Information Security Policy
    12. Maintain a policy that addresses information security


The Staggering Price of Non-Compliance

The HIPAA Security Rule went into effect in 2005, but its enforcement and the financial impact of violations have been hard to pinpoint in the past. The HITECH Act of 2009 changed that, and recent cases show violations can be expensive.

Massachusetts General Hospital discovered that Health and Human Services is getting serious about HIPAA violations. The hospital agreed to pay $1 million to settle potential HIPAA violations. Massachusetts General’s case involved the loss of electronic protected health information (EPHI) of 192 patients. The loss works out to over $5000 per record.

Healthcare organizations must ensure their data centers meet the guidelines for the HIPAA Security Rule and have the required safeguards in place. Although there is no widely accepted HIPAA Security certification program, the SAS-70/PCI-DSS certifications exceed the HIPAA security safeguard requirements and can help demonstrate compliance. Staying well informed of regulatory changes will help meet requirements and avoid expensive penalties.

This article was originally posted at http://ping.fm/vudUc