Security Vulnerabilities and
Conflicts of Interest in the
Provider-Clearinghouse*-Payer Model
Andy Podgurski and Bret Kiraly
EECS Department
&
Sharona Hoffman
School of Law
Case Western Reserve University
Cleveland, Ohio 44106

Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Addresses both health insurance reform and “administrative simplification”
• Portability reforms protect health insurance coverage for workers when they change or lose their jobs

HIPAA Administrative Simplification Provisions
• Electronic Transactions and Code Sets
• National Provider Identifiers
• Privacy Standards
• Security Standards
• Civil Money Penalties

Entities Covered by HIPAA Standards
• Health care providers
• Health plans (payers)
• Health care clearinghouses

Effects of HIPAA on Electronic Data Interchange in Health Care Industry
• Brought substantial uniformity to EDI, though interoperability problems persist
• Generated concern about compliance with security standards
• Gave rise to important new model for interactions between covered entities

Provider-Clearinghouse*-Payer Model

Security Threats in the PC*P Model
• External threats
  ◦ Hacking, interception, deception, denial of service, etc. by outsiders
• Internal threats
  ◦ Abuse of authorized access to electronic protected health information (EPHI) by covered entities, their employees, or business associates

Meta-Threat: A Market in Illicitly Obtained EPHI
• EPHI potentially has great value to outsiders, e.g.,
  ◦ Marketers
  ◦ Employers
  ◦ Insurers
  ◦ Blackmailers
• Once EPHI is dispersed over the Internet, it cannot be recovered
• Harm is potentially unlimited
• Not adequately addressed by HIPAA
• Only partially addressed by other laws

HIPAA Security Standards
• Intended to ensure confidentiality, integrity, and availability of EPHI
• Define administrative, physical, and technical safeguards
• Emphasize technological neutrality at the expense of specificity
• Covered entities (C.E.) must implement “reasonable and appropriate” policies and procedures to comply with the standards and must document these

Implementation Specifications
• May be “required” or “addressable”
• A C.E. may implement an alternative to an addressable spec, or may choose to implement neither the spec nor an alternative
• Decision is based on analysis of risks, costs, and available resources
• Must document the rationale

HIPAA Safeguards Against Insider Threats
• Administrative safeguards
  ◦ Workforce security policy
  ◦ Workforce sanctions
  ◦ Security training
  ◦ Access authorization policy
  ◦ Periodic evaluation
  ◦ Information system activity review
  ◦ Business associate contracts

HIPAA Safeguards Against Insider Threats (2)
• Physical safeguards
  ◦ Facility access controls
  ◦ Device and media controls

HIPAA Safeguards Against Insider Threats (3)
• Technical safeguards
  ◦ Access control
  ◦ Unique user identification
  ◦ Encryption
  ◦ Audit controls
  ◦ Integrity controls
  ◦ Person or entity authentication

Limitations of HIPAA Safeguards
• Employees with legitimate access to EPHI can easily provide it to outsiders or modify it
  ◦ No technical restrictions on employees’ ability to distribute or modify EPHI are specified
  ◦ Form of audit controls is not specified
• Addressed primarily by deterrents
  ◦ Dismissal
  ◦ Employer sanctions
  ◦ Fines
  ◦ Imprisonment

Recommended Mandatory Implementation Specifications
• Employees must be prevented technically from electronically distributing or modifying EPHI except as required for essential business reasons
• Employees who normally process EPHI must not have system administration privileges
• Each transfer or modification of EPHI must be securely and permanently logged
  ◦ Actors strongly identified
  ◦ Relevant items identified

Implications of the Recommendations
• Most employees handling EPHI must use restricted hardware and software
• Hardware, software, and administrative support for “dual-key” system administration is required

Preventing Trafficking in Illicitly Obtained EPHI
• Requires combination of technical and legal means
• Proposals:
  ◦ Regulate all entities that handle EPHI
  ◦ Require that such entities be able to prove the provenance and authenticity of EPHI they have handled
    ▪ Require use of strong identification and data integrity validation
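The two recommendations above (every EPHI transfer or modification securely and permanently logged, with actors and items strongly identified; entities able to prove the provenance and authenticity of EPHI they have handled) can both be met with a hash-chained audit log in which every entry is authenticated by the actor who made it. The following Python sketch is an added example, not code from the authors or their paper. The actor names, keys, claim records and timestamps are constructed, and per-actor HMAC keys stand in for the asymmetric signatures a real deployment would issue through a PKI.

```python
import hashlib
import hmac
import json

# Constructed sample actor keys (hypothetical). A deployed system would use
# per-actor asymmetric keys issued by a PKI rather than shared secrets.
ACTOR_KEYS = {
    "provider:dr.smith": b"provider-key-01",
    "clearinghouse:edi-gw": b"clearinghouse-key-01",
    "payer:claims-intake": b"payer-key-01",
}

GENESIS = "0" * 64  # prev_hash of the first entry


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entry: dict) -> bytes:
    # Deterministic serialisation so every verifier hashes identical bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class EphiAuditLog:
    """Append-only, hash-chained log of EPHI creations, transfers and modifications."""

    def __init__(self):
        self.entries = []

    def append(self, actor, action, record_id, record_bytes, timestamp):
        if actor not in ACTOR_KEYS:
            raise PermissionError(f"unidentified actor {actor!r}")
        if action not in ("create", "transfer", "modify"):
            raise ValueError(f"unknown action {action!r}")
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "timestamp": timestamp,
            "actor": actor,                          # strongly identified actor
            "action": action,
            "record_id": record_id,                  # identified item
            "record_sha256": _sha256_hex(record_bytes),  # state of the item after the action
            "prev_hash": prev,                       # link to the previous entry
        }
        entry_hash = _sha256_hex(_canonical(body))
        tag = hmac.new(ACTOR_KEYS[actor], entry_hash.encode(), "sha256").hexdigest()
        entry = dict(body, entry_hash=entry_hash, actor_mac=tag)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k not in ("entry_hash", "actor_mac")}
            if e["seq"] != i or body["prev_hash"] != prev:
                return False, i
            if _sha256_hex(_canonical(body)) != e["entry_hash"]:
                return False, i
            key = ACTOR_KEYS.get(e["actor"])
            if key is None:
                return False, i
            expected = hmac.new(key, e["entry_hash"].encode(), "sha256").hexdigest()
            if not hmac.compare_digest(expected, e["actor_mac"]):
                return False, i
            prev = e["entry_hash"]
        return True, None

    def provenance(self, record_id):
        """Chain of custody for one item: (actor, action, record hash) in log order."""
        return [(e["actor"], e["action"], e["record_sha256"])
                for e in self.entries if e["record_id"] == record_id]

    def authenticity(self, record_id, record_bytes):
        """True if a presented copy matches the last logged state of the item."""
        history = self.provenance(record_id)
        return bool(history) and history[-1][2] == _sha256_hex(record_bytes)


def build_demo_log():
    """Constructed sample: a claim moves provider -> clearinghouse -> payer, then is amended."""
    log = EphiAuditLog()
    claim_v1 = b'{"patient":"P-0001","cpt":"99213","amount":120.00}'
    claim_v2 = b'{"patient":"P-0001","cpt":"99213","amount":120.00,"payer_ref":"X-77"}'
    log.append("provider:dr.smith", "create", "claim-42", claim_v1, "2008-03-01T09:00:00Z")
    log.append("provider:dr.smith", "transfer", "claim-42", claim_v1, "2008-03-01T09:05:00Z")
    log.append("clearinghouse:edi-gw", "transfer", "claim-42", claim_v1, "2008-03-01T09:06:00Z")
    log.append("payer:claims-intake", "modify", "claim-42", claim_v2, "2008-03-02T14:30:00Z")
    return log, claim_v2


def tamper_demo():
    """An insider rewrites a past entry to hide the clearinghouse; verification pinpoints it."""
    log, _ = build_demo_log()
    log.entries[2]["actor"] = "payer:claims-intake"
    return log.verify()


if __name__ == "__main__":
    log, current = build_demo_log()
    print("chain valid:", log.verify())
    print("custody of claim-42:", [(a, act) for a, act, _ in log.provenance("claim-42")])
    print("presented copy authentic:", log.authenticity("claim-42", current))
    print("after tampering:", tamper_demo())
```

Because each entry commits to the previous entry's hash and carries the acting party's authenticator, altering or deleting a past entry breaks every later link unless the attacker also holds the keys of each subsequent actor, which is what keeps the clearinghouse's involvement provable. Making the log "permanent" in the paper's sense also needs the chain head anchored outside the covered entity (for example, periodically signed and deposited with an independent party); this example does not do that.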
HIPAA Enforcement Provisions