Work with federal information systems? Responsible for risk management, continuous monitoring, or FISMA compliance? Check out my book: FISMA and the Risk Management Framework.

Tuesday, November 23, 2010

Healthcare entities leery of new government policy extending beyond HIPAA

As the Health IT Policy Committee's Privacy and Security "Tiger Team" continues its work to provide recommendations and suggested policy guidance on health information exchange, there appears to be some concern among hospitals and other HIPAA-covered entities that the recommendations, if implemented in federal rulemaking, would add to the security and privacy requirements already in effect under the HIPAA Security Rule and Privacy Rule, and would go beyond the strengthened federal regulations included in the Health Information Technology for Economic and Clinical Health (HITECH) Act. According to a report from Modern Healthcare's Joseph Conn, a representative of the Federation of American Hospitals raised such concerns during the public comment period of the Health IT Policy Committee's November 19 meeting. The comments offered at the meeting related specifically to still-pending recommendations on patient privacy and, especially, consent. Previous briefings by Tiger Team leaders have acknowledged the applicability of HIPAA and other relevant laws in specifying situations in which consent is not required, but in the face of potentially expanded health data sharing through the adoption of electronic health record (EHR) and health information exchange (HIE) systems, committee members have suggested that current regulations do not adequately reflect patient expectations about controlling the use and disclosure of their personal health information, especially when that information is shared via HIE. With so much attention focused on the government's meaningful use incentive program to encourage EHR technology adoption, the lack (so far) of any privacy provisions in meaningful use rules and standards has prompted Tiger Team discussions about ways to do more to protect patient privacy rights.

During the November 19 meeting, Tiger Team co-chairs Deven McGraw and Paul Egerman presented a set of proposed recommendations for provider authentication in health information exchange, intended in part to address a perceived gap in the HIPAA Security Rule, which requires that HIPAA-covered entities implement policies and procedures to authenticate individual users or entities seeking access to protected health information (45 CFR §164.312(d)), but does not stipulate the means by which such authentication should occur. The Tiger Team advocates mandating the use of digital certificates for entity authentication for all entities involved in health information exchange. Adopting such an approach would require not only the technical capability to implement and use digital certificates among entities participating in HIEs, but also the establishment of a formal process for validating would-be participants (to ensure they are legitimate organizations) and for issuing credentials to approved entities. The authentication model for the Nationwide Health Information Network (NHIN) has long been envisioned to use a single, centralized certificate authority to issue credentials and manage certificate validity, revocation, and related maintenance processes. The most recent recommendations from the Tiger Team suggest that instead of relying on a central authority, the Office of the National Coordinator should establish an accreditation program (perhaps similar to the one used for accrediting EHR testing and certifying bodies under the meaningful use program) to authorize multiple certificate issuers. 
While a federated or distributed model for credentialing would almost certainly be more scalable than a single-issuer model, there remain unaddressed aspects of governance and oversight related to how ONC can ensure that organizations seeking approval as certificate issuers conform to all relevant technical and governance criteria, and are sufficiently trustworthy to handle entity identity proofing and issue authentication credentials.

Even though some changes to federal health data privacy and security regulations included in HITECH have not yet been implemented, HIPAA remains established law, and additional changes to the provisions in the Security Rule and Privacy Rule cannot be made simply through rulemaking by an executive agency like HHS. While specific changes to the law must be made by the legislature, the Office of the National Coordinator and the HHS Office for Civil Rights generally have the authority to impose additional criteria or specific requirements on HIPAA-covered entities associated with the audit standards used to assess compliance, or as conditions for receiving federal funds, whether under meaningful use or one of the various federal grant programs intended to promote or expand the adoption of health IT. There seems to be some renewed emphasis on HIPAA compliance, based in part on the expectation that OCR will soon begin to proactively audit covered entities and business associates for compliance with the Security and Privacy Rules. In this environment, it is perhaps understandable that covered entities would object in advance to the prospect of any further changes in the regulatory requirements for which these entities will be held accountable. The fact remains, however, that the law as enacted was not primarily intended to encourage health IT adoption, and if widespread use of such technology is going to be achieved, some of the regulatory areas that leave room for interpretation may need to be augmented with more specific guidance or requirements.

Wednesday, November 3, 2010

Consider risks, business impact when making tradeoffs between security and productivity

Reported findings from a recently released survey of federal government executives on Cybersecurity in the Federal Government suggest that the increased emphasis on information security and the corresponding protective measures put in place by government agencies are negatively impacting productivity among those surveyed, particularly with respect to access to information, computing functionality, and mobility. The survey, conducted in May 2010 via email by the Government Business Council in conjunction with Citrix and Intel, included 162 respondents selected from among subscribers to Government Executive. The focus of the survey was specifically to address issues of access, functionality, and mobility and the executives' perceptions of the role of security as a help or hindrance to performing job-related functions.

It should be noted that the survey did not seek to evaluate the relative effectiveness of information security programs or cybersecurity initiatives in achieving any of their intended objectives, such as making government systems and information more secure, but instead only looked at the impact security measures have on routine business operations. Media reports of the survey results, such as a summary of responses to four questions printed in the October 25 issue of Federal Computer Week, seem to emphasize the negative impact many government executives reported due to security measures, but without any indication of whether such measures are succeeding according to any other metrics, it's hard to identify a clear set of implications from the survey. The only substantive recommendation proposed in the survey report is to include additional considerations as factors that help determine security policy, with the largest proportion of respondents putting "agency's mission" at the top of their list of priorities. This implies that many government executives believe that less restrictive security measures should be used where security inhibits productivity-enhancing behaviors, such as accessing data from home or other non-agency locations.

The tension between business objectives and security is not new, and CIOs, CISOs, and other information security program managers are continually challenged with arriving at the right balancing point between protection and productivity — too little security is likely to result in more frequent and more significant security incidents, while too much security pits workers against security officers and threatens to brand the security team as a barrier to business. Even with additional oversight and attention from the administration on security, agencies are still expected to apply risk-based management principles to their decisions about what security measures to implement. If risk-based decision makers only consider the potential impact due to security breaches and the proposed security controls' ability to reduce those risks, they're not looking at risk from an enterprise level. Any calculation of the anticipated reduction in the risk of bad things happening due to the implementation of security controls should take into account the loss in business productivity or efficiency as part of the cost of security. The over-simplified basis of security management is, don't spend more protecting an asset than the loss or damage to the asset is worth to you. Reductions in productivity due to security-imposed obstacles to standard business practices should be explicitly included in the cost vs. benefit equation. In some cases it seems quite likely that mitigating the risk outweighs the loss of productivity, and where true that business determination should not be lost on executives. An interesting question not asked on the survey would be how much insecurity (i.e., greater risk of breaches, outages, or other incidents) government executives would be willing to trade for uninhibited access to information.