HIPAA regulations force hospitals to tighten up on identity management
Rethink IT, Sept, 2004
Few industries have to be as sensitive about security and personal data as healthcare, and now hospitals in many parts of the world are facing stringent new regulations on the way they acquire, store, share and protect patient records. Notable among these are the HIPAA (Health Information Portability and Accountability Act) laws in the US, but similar rules are being introduced in many other countries. One technology that is becoming critical in addressing the requirements is identity management, also a key tool in electronic business (see page 10 for the technical lowdown on this rapidly developing area of technology).
New government regulations such as HIPAA have a dramatic impact on business processes as well as IT infrastructure, and often require significant process and technology changes for any healthcare company that manages and processes private health information. The goal of the HIPAA regulations is to ensure the security and privacy of any individual's private health information (PHI) that is collected, processed, and transmitted between healthcare organizations.
Many companies and organizations will be impacted by new laws. These include healthcare providers (hospitals, group practises), payers (insurance carriers) as well as claims clearing houses, pharmacies and others. It is therefore important that the specific requirements of HIPAA be widely understood, as well as how technology can help achieve conformance.
HIPAA specifies a control environment where organizations can manage their relationships with internal and external users throughout their lifecycle with the company, from initial creation of the user's identity to final access termination. Since most of the information is managed electronically, how this digital information and the related identities are managed becomes a key component of overall HIPAA compliance.
Specialist products such as Netegrity's Identity Management can help manage user identities, control access to protected applications and information, and ensure that data is available only to properly authorized individuals. As standards such as those from the Liberty Alliance mature, it will become increasingly easy to exchange data among different organizations and systems, using different products--vital for efficient monitoring and referral of patients among different healthcare providers, and support for cost effective and streamlined treatment programs.
The main challenges for a healthcare provider in terms of identity management are:
* Ensuring that every user is strongly authenticated, and is granted access to only those resources and information that they are authorized to access.
* Protecting the confidentiality of patient information, and ensuring that it is kept private.
* Auditing access policies, to determine who has been granted access to specific applications or information.
* Creating workflow processes so that appropriate management approval is required whenever a user requests access to confidential information.
* Ensuring that access to confidential information is terminated immediately when an employee leaves the company.
* Protecting confidential information, even across the boundaries of business units within a large corporation, or between corporations themselves.
* Creating procedures for creating and changing passwords, so that the environment has stronger security.
CHILDREN'S HOSPITAL CASE STUDY
One large hospital that has recently implemented identity management is the Children's Hospital in Boston, using the Identity Management Suite from Courion.
The main function of the system is to handle password resets and account provisioning, since inefficient password management and multiple authentication authorities were causing problems in the security infrastructure.
In addition to treating more than 300,000 patients each year, Children's is the world's largest pediatric research facility. As such, it deals with unique challenges, including 300 new interns each spring, each of whom must be provided passwords and system accounts; a highly mobile work force that needs to access information from surgical units, inpatient floors and offices; researchers and surgical chiefs who are not employees of the hospital but need to access its resources; legacy systems and applications; departmental IT groups that run their own account management systems; and the need to comply with strict government regulations such as HIPAA.
As it told eWeek, the hospital also faced many of the same password management problems that other organizations do, such as account sharing and passwords written on sticky notes.
Before Courion was implemented in late 2002, many authentication systems were in place, including those in PeopleSoft's HRMS, Netscape email, the Oracle database, and several vertical healthcare and internally built applications. This led to many orphaned accounts and bad passwords.
Making matters worse was the inefficiency of Children's old account creation process. Users would send a fax requesting an addition or a change to an account, and a helpdesk staffer would enter this request by hand into the hospital's helpdesk system. New users would then be created in each of the different authentication areas.




