The Road to HIPAA Security Rule Compliance

The topic of information security gets a lot of attention but can be difficult to address seriously in any organization. Developing and maintaining an effective information security system can be a challenge. However, if you understand what...


Each of these examples highlights one of three aspects of information security: confidentiality, integrity and availability. While there are other information security principles, these are the three pillars of information security, particularly as it pertains to the requirements of the HIPAA Security Rule. Understanding this is helpful because it allows us to demonstrate to our organizations that HIPAA security is not just busywork that provides no value. Rather, healthcare organizations simply cannot achieve their missions without proper management of the information in their care.

Understanding Risk
Often when people discuss security, they jump straight to safeguards, or controls, as they're often called, like locks for doors, firewalls and anti-virus software. But before we can start throwing money at equipment to reduce risk, we need to comprehend the concept of risk.

In order to understand what kind of safeguard to deploy, we need to recognize that our problems begin with a threat agent, which gives rise to a threat, which exploits a vulnerability, which leads to risk, which damages an asset, causing an exposure, which can be mitigated with a safeguard.

To ensure that we understand not just how these elements relate to one another, but also what each is, let's consider them in more detail.

A threat agent is the source of a particular threat. A threat agent could be a malicious software (malware) author, a disgruntled employee or an angry former patient whose insurance claim was rejected.

A threat is an action, something that the threat agent would do. Examples include launching a malware attack, downloading sensitive information so it can be exposed maliciously and making a fraudulent entry in an accounts receivable file.

Vulnerability is the condition that allows the threat to take place. Vulnerabilities include programs that allow e-mail attachments to install software without the user's knowledge or consent, user accounts that provide access to sensitive information, and holes in the firewall that provide external access to a system that can modify accounts receivable.

Risk is the potential loss realized by a vulnerability being exploited. Note this carefully: without an asset that can be lost, there is no risk.

An asset is what comes under threat, something that can be damaged or lost if a vulnerability is exploited. Software systems that manage information, reputation and brand image, and accounting information are examples of assets.

Exposure is the amount of the asset that would be lost if a vulnerability were exploited. For example, a software system that would be destroyed and require fresh reinstallation, reconfiguration and reloading of data (a procedure that costs $50,000) would have a $50,000 exposure. A brand damaged by bad publicity would be exposed to loss in potential revenue from customers who send their business elsewhere, as well as the cost of the public relations campaign that attempts to restore confidence in the brand.

A safeguard is the mechanism, whether administrative, physical or technical, employed to mitigate the exposure. In many cases, a safeguard is technical, such as a patch that will close the vulnerability in a piece of software. In other cases, it is administrative: you may decide to separate information into relatively small compartments and provide access only to those who need access to that compartment. It may be physical: keeping accounting systems physically disconnected from Internet-reachable hosts.

Now that we realize the need to understand risk in order to make intelligent decisions on safeguards and the role of vulnerability and threat in risk, we can proceed to the requirements of the HIPAA Security Rule.

Security Rule Overview
The HIPAA Security Rule applies to covered entities, which include health plans, clearinghouses and providers that maintain or transmit health information in electronic form. If you have any questions about how the Security Rule affects your organization, speak to your legal counsel.

The Security Rule specifies several high-level objectives to guide healthcare organizations. All covered entities must use reasonable and appropriate administrative, technical and physical safeguards to

  • ensure the confidentiality, integrity and availability of electronic protected health information,
  • protect against reasonably anticipated threats to the security or integrity of such information,
  • protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Security Rule, and
  • ensure compliance by the workforce.