Strengthening system security to prepare for HIPAA - HIPAA Watch - Antelope Valley Hospital, Lancaster, CA

Health Management Technology, Sept, 2002 by Ash Shehata

At Antelope Valley Hospital, a 350-bed hospital in Lancaster, CA, we take a systematic approach to solving technology challenges. We began almost two years ago to evaluate, select, test and implement security technologies to prepare for the data privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA). We aimed to have all our safeguards in place by September 2002, well ahead of HIPAA's April 2003 deadline for the privacy and security regulations.

With all the uncertainties about HIPAA's final provisions, many healthcare organizations have taken a slow, wait-and-see approach. But, in contrast to the confusing privacy rules, HIPAA's basic security requirements are clear. You have to prevent, detect, contain and correct security breaches. Policies must be implemented for access control with context-, role- and user-based access rules. Identification and authentication of system users must be in place. You have to establish an audit trail to record and track who accesses your applications and data. Simply put, HIPAA requires reasonable steps to fortify the security of your networks, applications and data.

Therefore, I would argue that the responsibility of healthcare IT executives is straightforward: Adopt good security practices and implement effective technologies to secure your IT assets. That's why I moved forward to get ready for HIPAA by deploying primary and secondary firewalls, intrusion detection, and network security software with biometrics.

Critical Technology

Network security software with biometric authentication of users is the centerpiece of our HIPAA security strategy at Antelope Valley. Network security software provides practical tools to effectively implement required access control policies and create the basis for essential audit trails. Moreover, with network security software, you can move to enterprise single sign-on to strengthen security, increase convenience for users, and control IT support costs.

We balanced three factors in deciding on a method for user authentication with network security software: security strength, convenience for both users and IT support staff, and cost. In my judgment, biometrics, the technology of authenticating user identity based on unique personal characteristics, provides the right balance.

Evaluating and Selecting Solutions

Starting two years ago, I met with a variety of security vendors, big and small, and engaged in serious discussions with six different companies. Our goal was to match the best network security software with the best biometric technology to replace passwords with biometric authentication and single sign-on.

In evaluating network security software alternatives, several factors were critical. First, we wanted software that meets biometrics industry standards and is device independent. This gives us the flexibility to use different biometrics and alternative devices as the technology evolves and as our needs change. Second, we sought a solution with an easy-to-use administration tool set for my IT staff. Third, we needed software that establishes an access audit trail.

Most importantly, my team supports more than 150 Windows NT/Advanced 2000 servers, eight UNIX systems, and more than 60 different applications. Our network security software had to support all our operating systems. Since modifying application source code to accept a new authentication application interface for biometrics would cost millions of dollars, it was out of the question. Thus, we also had to find software that could apply biometric access control to all our applications without imposing the impossible burden of source code modification.

We chose network security software from BioconX, Inc. in Minneapolis. It met all our requirements. For example, the software's wizard-driven administrator tool guides IT professionals through the process of creating new users and entering applications, and enables us to create user groups that share common authorization and access profiles.

All entries are time- and date-stamped and identify the workstation and current user for each log entry, so it builds the audit trail necessary for HIPAA compliance. Significantly, the system supports a wide range of proven biometric technologies and devices for authentication and single sign-on, and was the only solution we found that would work with all our platforms and applications.

In addition, medical professionals commonly share computers. At Antelope Valley, 80 percent of our 2,000 users do so. Therefore, we wanted security software to initiate separate network sessions and invoke each user's own network profile when different people biometrically log on at a shared workstation. BioconX committed to developing this feature and delivered it with the release of version 3.6 in April 2002.
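A review pass over an audit trail carrying the fields described above (time and date stamp, workstation, current user), written for a shared workstation; this is an added example, not code from the article or from BioconX. The log layout, user and workstation names, group profiles and the rule that a workstation has one current session at a time are all assumptions constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime

# Constructed sample audit lines (not a vendor format):
# timestamp, workstation, user, event, application
SAMPLE_LOG = """\
2002-04-15T07:58:02 WS-ER-03 rn_lopez LOGON -
2002-04-15T08:01:10 WS-ER-03 rn_lopez ACCESS pharmacy
2002-04-15T08:05:44 WS-ER-03 dr_chen LOGON -
2002-04-15T08:06:12 WS-ER-03 dr_chen ACCESS radiology
2002-04-15T08:07:30 WS-ER-03 rn_lopez ACCESS pharmacy
2002-04-15T08:09:00 WS-ER-03 dr_chen ACCESS billing
2002-04-15T08:10:00 WS-ER-03 dr_chen LOGOFF -
2002-04-15T08:11:15 WS-ER-03 dr_chen ACCESS radiology
"""

# Hypothetical user groups sharing a common access profile
GROUP_APPS = {"nursing": {"pharmacy", "charting"},
              "physicians": {"radiology", "charting", "pharmacy"}}
USER_GROUP = {"rn_lopez": "nursing", "dr_chen": "physicians"}

Entry = namedtuple("Entry", "when workstation user event target")

def parse(log):
    """Turn log text into Entry records ordered by timestamp."""
    entries = []
    for line in log.splitlines():
        ts, ws, user, event, target = line.split()
        entries.append(Entry(datetime.fromisoformat(ts), ws, user, event, target))
    return sorted(entries, key=lambda e: e.when)

def review(entries):
    """Return (entry, reason) for each access the trail cannot justify."""
    active = {}  # workstation -> user whose session is current (assumed model)
    findings = []
    for e in entries:
        if e.event == "LOGON":
            active[e.workstation] = e.user  # a new logon replaces the prior session
        elif e.event == "LOGOFF" and active.get(e.workstation) == e.user:
            del active[e.workstation]
        elif e.event == "ACCESS":
            current = active.get(e.workstation)
            if current is None:
                findings.append((e, "no active session"))
            elif current != e.user:
                findings.append((e, "session belongs to " + current))
            elif e.target not in GROUP_APPS.get(USER_GROUP.get(e.user), set()):
                findings.append((e, "application not in group profile"))
    return findings
```
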

When it came to selecting biometric technology to match with the software, accuracy and reliability were our paramount concerns. We could not tolerate high rates of false negatives or false positives in the authentication process. After careful evaluation, Antelope Valley decided on the finger scan recognition sensor from Siemens. We use the Siemens chip that processes finger scans integrated into computer keyboards and into the Siemens ID Mouse Professional, a Microsoft-certified, ergonomic computer mouse with an optical mouse sensor.


 


Content provided in partnership with Thomson Gale