EPHI Crib Notes | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

EPHI Crib Notes

September 1, 2007
by Scott Lukes
| Reprints
With proper security, safeguards and tools in place, the threat of a looming audit may not be so scary

Scott Lukes

Scott Lukes

It's not an uncommon scenario. A frantic manager learns via security audit that the company is non-compliant with HIPAA as it relates to handling EPHI — Electronic Protected Health Information. "But we JUST bought a new firewall that does intrusion prevention and VPN, so we should have been OK ... right?" The answer is, "Maybe and maybe not." Below are key areas of the HIPAA regulation that have to do with perimeter and desktop-based security systems, including the exact text of the HIPAA regulation and a security/IT interpretation.

164.308(a)(5)(ii)(B) - Protection from malicious software

HIPAA Text: "(Organization must have) procedures for guarding against, detecting and reporting malicious software."

There are many forms of malicious software that can impact data and networking systems. Viruses, Worms and Trojans are the most prolific threats and are usually introduced via infected e-mail attachments. Newer threats such as SQL injection attacks and even Spyware can affect data and systems. To protect against the predominant delivery mechanisms of malicious software, the security schema must provide: (1) Virus and Worm protection through gateway and desktop anti-virus systems; (2) Trojan identification and mitigation, as well as FTP, IM and P2P threat mitigation through intrusion prevention systems (IPS); and (3) Web content filtering to prevent malware delivered over the Web (e.g. ports 80/443).

164.312(a)(1) - Access control

"Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4)"

A helpful tool for enforcing information access is e-mail content filtering where an administrator enters keywords or regular expressions that would allow outgoing e-mails to be scanned for signs of inappropriate content. For example, scan for patient ID information by searching on "*PAT-[0-7]*-****" and scan all outbound non-encrypted e-mails that would otherwise inappropriately send out confidential, HIPAA-protected content.

164.312(a)(2)(iv) - Encryption and decryption

"Implement a mechanism to encrypt and decrypt electronic protected health information."

This aims to prevent unauthorized users from accessing EPHI. Any time EPHI is sent outside of the boundaries of the network, it must be encrypted using a strong encryption methodology such as that defined by IPSec (which uses 3DES or AES encryption). SSL (which uses 3DES encryption) is a fine solution for application-layer encryption, but it does nothing to protect the transport layers (IPSec does this).

164.312(b) - Audit controls

"Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."

It is important to be able to audit data records and make corrections. Because documentation lies at the heart of the HIPAA rules, one could say, "If you can't log it, you can't document it." Any detailed security/IT audit begins with the log files. While audit reports are important, the security appliance is also a necessary tool for capturing critical event data that support and feed into security audits.

164.312(c)(2) - Mechanism to authenticate EPHI

"Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner." This standard applies to data transmitted internally and externally. Unfortunately, there are many "degrees of solution" to meet this standard, ranging from simple file checksums and use of digital signatures in e-mail, to full anomaly detection and file protection programs. By implementing intrusion prevention, e-mail anti-virus and anti-spyware in addition to use of digital signatures for e-mail, the standard should be easily met.

164.312(e)(2)(i) - Integrity controls

"Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of." This is a critical standard of HIPAA. Because there are many ways of transmitting data, each must be addressed individually.

For e-mail, the e-mail content filtering application described in "164.312(a)(1) - Access Control" will help prevent protected data from leaving the network. For instant messaging and P2P, most intrusion prevention applications provide simple mechanisms for turning off access to these applications. For FTP or other protocols, it's critical that a filtering application be in place that intercepts (or 'proxies') all transmissions to ensure that they're well-formed and sent/received by legitimate parties.

164.312(e)(2)(ii) - Encryption

"Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate." This functionality was described fully in the "164.312(a) (2)(iv) - Encryption and Decryption" section above.

When considering how the perimeter network security appliance can help ensure HIPAA compliance, a few clear trends emerge. First, there needs to be core firewall and IPSec VPN functionality, where the VPN provides strong encryption and authentication functionality for data in transit. Second, there needs to be strong e-mail controls in the form of anti-spam (which will reduce risk due to phishing attacks) and e-mail content filtering (which will help prevent protected data from being sent outside the network). Third, both desktop and gateway anti-virus systems must be in place to prevent viruses and worms from altering and/or destroying data. Fourth, a Web filtering application should be in place to prevent users from accessing spyware and hacker sites, and to monitor and enforce employee Internet usage. Finally, an IPS must be in place that protects against Trojans and FTP threats.

With HIPAA, the penalties can be steep, so indeed "an ounce of prevention is worth a pound of cure." The problem is that not all security solutions are created equal. The prudent IT manager needs to ask a lot of questions of their vendors. This article should serve as a simple guide.

Scott Lukes (slukes@esoft.com) is vice president of marketing and product management at eSoft Inc., Broomfield, Colo.

The Health IT Summits gather 250+ healthcare leaders in cities across the U.S. to present important new insights, collaborate on ideas, and to have a little fun - Find a Summit Near You!


See more on

betebet sohbet hattı betebet bahis siteleringsbahis