RX for Patient Privacy and Security: HIPAA
| FOR IMMEDIATE RELEASE | CONTACT: Abby Park, +1 614 545 4225 |
The Race for Compliance
Columbus, Ohio (Dec. 3, 2002) As the clock ticks away, the health care industry needs to turn to external privacy and security professionals to achieve compliance with the Health Insurance Portability and Accountability Act (HIPAA), especially those regulations concerning patient privacy. Compliance with HIPAA guidelines on patient privacy is required by April 14, 2003.
Since Congress enacted the law in 1996, HIPAA has pushed hospitals and other health care organizations to shift from older, mainframe technology and paper-based processes to more efficient and secure systems that improve patient privacy and confidentiality. Yet, a recent survey, conducted by Phoenix Health Systems and the Healthcare Information and Management Systems Society (HIMSS), an organization representing more than 13,000 health care institutions, revealed that less than 50% of affected health care systems have completed an assessment of the effect that HIPAA will have on their organizations.
"Internet privacy has always been a hotly debated topic," explains Matt Curtin, Internet security expert and chief executive officer of Interhack Corporation, a world-class leader in data security. "There was a time when our medical records lived in a dusty old file cabinet in the doctor's office, but now our private health care information is being collected, shared, analyzed and stored with few legal safeguards. The privacy and security rules ensure that our sensitive health information is not released to someone it should not be, as it is transmitted over non-trusted paths such as the commercial Internet."
The Company is no latecomer to the privacy and security arena. Interhack's Privacy Project has demonstrated time and time again how Web sites can unexpectedly leak information about users to sites that have not been authorized to receive this kind of information. Their research has shown how some systems have been implemented such that privacy erodes over time.
"Often, we see that advances made in research have a natural application for solving critical business challenges," states Curtin. "Back in 1998, we were in the midst of developing sound security policies and operating procedures, and now these methodologies are specifically applicable to HIPAA."
Privacy issues are among the least understood areas of HIPAA. Many organizations find themselves hampered by the interpretation of the regulations, and just don't have the time or expertise to put a plan into action.
Basically, there are three levels of information assurance services: assessment, evaluation, and penetration tests. To determine the current degree of HIPAA readiness, a company begins by conducting an assessment of all its systems, policies, procedures and practices, and accompanies this with a security risk analysis. At Interhack, the Company assesses the organization's information security posture, in support of HIPAA's privacy and security rules, as defined by the U.S. National Security Agency's (NSA) INFOSEC Assessment Methodology (IAM).
In addition to NSA's guidelines, the U.S. Government's National Institute for Standards and Technology (NIST) is also developing standards for performing security assessments, evaluations and system certification. Interhack is actively working with NIST by reviewing all of their proposals and providing feedback.
"Patients must trust their health care providers and any breach of confidence erodes that trust," says Curtin. "Because of our understanding of privacy and security, our services help our clients not only comply with HIPAA, but also keep them worthy of their patients' trust."
Interhack Corporation is an Information Technology firm dedicated to computer trustworthiness that specializes in research, development and consulting. Practice areas include Security Policy Development, Privacy Assurance, System Security Audits, Development Services, and Forensic Data Analysis. Founded in 1997 by computer and information science researchers in Columbus, Ohio, Interhack now helps clients all over North America build and maintain systems worthy of trust, in a time of unprecedented connectivity.
Interhack's research led to discoveries such as Netscape's "What's Related" privacy problems, Double Click's Opt-Out system failures, Toys `R' Us's site visitor profiling, TRUSTe's privacy policy failure, Bank One's On-line insecure account number handling as well as the defeat of the U.S. Government's then-standard for data encryption, DES. Interhack's work has been favorably cited in NIST for its recommendations made for firewalls and securing Web servers.