Controlling your high-tech security shopping list: does your budget for HIPAA security read like a shopping list filled with unnecessary cans of alphabet soup? You may be right
Healthcare Financial Management, Feb, 2004 by Margret Amatayakul
There may be a flawed reason that IS requests include SEM (security event management) tools to manage IDS (intrusion detection system) data--or perhaps not. Getting the ISO to explain the underlying assumptions made when establishing technology needs (and to define acronyms) can help healthcare financial managers offer direction during the budget-allocation process and achieve the level of security right for their organizations.
Some questions to consider when budgeting for HIPAA security include:
* What is the security policy driving the technology?
* Has a risk analysis proven the need for upgrading the policy and associated technology?
* Have all current security measures been implemented properly?
* What overall approach is being taken to address security?
* Are the resources available to use the technology?
Security policy. Security is not simply technology to be bought. Rather, it is a process enabled by technology. To start this process, providers need to have clear, enforceable, and enforced policy directives. Policies should state the desired outcome of the directive and reflect executive management's level of risk tolerance. Also, each line item should be clearly associated with a specific security policy.
Another important consideration is to ensure that the security policy driving the technology receives the appropriate involvement of management. Under HIPAA, the information security official (ISO) is responsible for developing and implementing policies and procedures for security. However, this designation does not mean executive management should abdicate responsibility for approving policy. It is important for executive management to lead by example by supporting the implementation and enforcement of security controls. Also, executive management should ensure that approval processes are timely. When gaining approval becomes unreasonably lengthy, ISOs are likely to respond by creating procedures that won't require executive approval. In such instances, executives quickly find themselves out of the information loop and unable to properly assess the budget.
Risk analysis. HIPAA clearly requires a thorough risk analysis to meet security needs--a gap analysis or vulnerability assessment alone is not enough. Budget decisions should not be based solely on weaknesses in technology, but on the fact that a threat exists that is very likely to exploit the vulnerability and cause considerable harm.
When financial managers review the risk analysis in relation to technology requests, they need to balance priorities. Some executives mistakenly fear that anything but the most risk-averse position will make them potentially noncompliant. Others make the incorrect assumption that they have no choice, monetarily, but to be risk tolerant and are reluctant to articulate this position, fearing it may reflect a lack of concern for security.
Fear should not dominate decision-making when determining whether risk analysis proves the need for technology controls. Instead, financial managers should look for an explanation of threats and the harm they can produce, and balance this information with the residual risk in the control that is being requested as well as the true risk position of executive management.
Current measures. Before saying yes or no to a technology request, you should determine how the requested controls add to security measures that already exist. In many cases, security features are already available in the organization's hardware or software but simply have not been activated or have been implemented only at their default settings. To help ensure your organization's security measures are implemented properly, it is important to see whether this "hardening"--or process of configuring operating systems and applications so that they reflect needed services and controls--occurs. In many cases, these measures have a long history of going unchecked, primarily because there hasn't been an ISO to monitor implementation or information security hasn't been top-of-mind.
Another important consideration when examining current security measures is how vulnerable the technology is to social engineering, or attempts by outsiders to gain access to a system by tricking users into disclosing their password or breaching similar access controls. Too often the administrative and physical safeguards included in HIPAA are considered "soft" issues by ISOs. Yet in many ways, rewarding security-incident reporting and establishing a communal sense of accountability for security can be more powerful than any technical safeguard. What's more, ISOs need to spend as much time addressing administrative and physical safeguards as technical safeguards, because these concerns represent more than half of the HIPAA security rule standards.
Overall approach. Your organization's overall approach to addressing security should reflect a layered architecture that guards against both internal and external threats. To illustrate the importance of layering for security, consider banks. Banks minimize external threats with clear physical controls, such as strong facades and armed guards on duty. Also important are added layers of protection in case a thief foils the physical controls, such as camera monitors and distress alarms. Banks then support these efforts with internal controls, including access controls, accounting procedures, and auditing. Given that a majority of threats in health care are internal--whether accidental or intentional--a layered approach to security is important to ensure that both internal and external threats are minimized.