At the heart of HIPAA lies a set of core security tenets for which every affected organization is responsible. These fundamentals are absolutely non-negotiable – but the Security Rule as a whole actually allows for a certain degree of flexibility in how requirements are implemented. When it comes to HIPAA compliance, many organizations lose sight of the fact that they have the power to balance risk and keep costs down.
What do organizations need to know to assess their own risk tolerance and implement a balanced, efficient, and effective security strategy?
Flexible security strategies
An organization’s ability to implement security controls tends to vary according to its size, budget, and available security resources. HIPAA was designed with the recognition that there is no one-size-fits-all security solution, and different healthcare entities and business associates will optimize their resources in different ways.
HIPAA rules allow organizations to satisfy certain requirements in a manner suited to their capabilities – but it’s crucial that organizations be able to explain and justify these choices.
So what do these choices look like in practice? As an example, let’s consider one important facet of network security: session timeouts. This is the mechanism by which a user is automatically logged out of accounts containing sensitive data after a certain amount of time.
To comply with the HIPAA implementation specification for Automatic Logoff, an organization’s devices with access to ePHI need to have session timeouts implemented, or a reasonable alternative such as automated password-protected screensavers. This is an important security measure that prevents unauthorized access to sensitive data. But how long a period of inactivity should be required before a session times out? The answer to this question may differ according to the circumstances.
Take, for example, workstations in exam rooms. Ideally, clinicians who use the workstation to access medical records while treating patients will remember to log off or lock the station when they leave the room. But if they forget, they may leave the patients with access to private data about themselves or others. In this scenario, it is likely most appropriate to implement quick session timeouts, so that even if clinicians forget to log off workstations, data will remain secure.
In other situations, the answer may not be so clear-cut. In an exam room, it may not be difficult for a clinician to log back in if the workstation signs them out quickly. But what about in the emergency department? In this case, lost seconds could make a tremendous difference. The need for security must be balanced with the need for highly efficient, responsive care.
Finding the right balance
How do you make and justify these decisions? There are three key steps an organization’s decision-makers can take.
1. Review industry standards
First, organizations should review any relevant industry standards for guidance. HITRUST, a security framework developed collaboratively by leaders from across the healthcare industry, is typically more specific and prescriptive in its guidelines than HIPAA, giving practical recommendations for timeouts, password lengths, and other questions. Following HITRUST recommendations is generally an effective strategy to ensure compliance with HIPAA while aligning with standards that are recognized as an appropriate industry baseline.
2. Assess your own unique risk environment
Does your environment have unique needs, considerations, or risks? Formally assess your organization’s particular security situation. This will help you identify areas of particular concern. You may find that it is advisable to exceed industry standards if your environment is at higher risk. If you find that your situation is relatively low-risk, those industry standards may be more stringent than necessary for your purposes.
3. Document your decisions and justifications
However you choose to implement security controls, it is important to document both the strategy you have decided upon and your reason for doing so. Make sure it is clear why the particulars of your organization’s circumstances led you to your decision.
To return to the example of session timeouts, we might consider a healthcare provider with workstations located on rolling carts. If these machines aren’t being used or supervised, they may represent a security risk. As with the workstation in the exam room that we discussed above, a clinician could simply forget to log out – and leave sensitive data exposed to patients or passersby in the healthcare environment. That would seem to indicate a need for short session timeout periods.
However, having to repeatedly log back in may be inconvenient for healthcare providers who have to move quickly. And if the provider’s documented procedures indicate that workstation carts are always either attended by authorized personnel or stored in a supervised location, this may represent a justification for setting longer session timeouts. In this case, a provider would document both their procedures and the fact that their staff has been trained to follow the procedure.
While there are high-tech proximity-based badging systems available to solve some of these problems, many organizations cannot support the cost or complexity associated with these more advanced safeguards. In this regard, the framers of HIPAA got it right by leaving the decision of how to comply to each individual organization.
For covered entities and business associates seeking to be in compliance with HIPAA requirements, the key question is how to most effectively balance risk, cost, and quality of care. By thoughtfully assessing your security environment and implementing controls based on industry standards and your own particular needs, you can find the balance that best prepares you to care for patients while protecting their data.