Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model - PowerPoint PPT Presentation

About This Presentation
Title:

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model

Description:

HIPAA Safeguards Against Insider Threats. Administrative safeguards. Workforce security policy ... HIPAA Safeguards Against Insider Threats (2) Physical ... – PowerPoint PPT presentation

Slides: 19
Provided by: andyp156
Transcript and Presenter's Notes

1
Security Vulnerabilities and Conflicts of
Interest in the Provider-Clearinghouse-Payer
Model
  • Andy Podgurski and Bret Kiraly
  • EECS Department
  • Sharona Hoffman
  • School of Law
  • Case Western Reserve University
  • Cleveland, Ohio 44106

2
Health Insurance Portability and Accountability
Act of 1996 (HIPAA)
  • Addresses both health insurance reform and
    administrative simplification
  • Portability reforms protect health insurance
    coverage for workers when they change or lose
    their jobs

3
HIPAA Administrative Simplification Provisions
  • Electronic Transactions and Code Sets
  • National Provider Identifiers
  • Privacy Standards
  • Security Standards
  • Civil Money Penalties

4
Entities Covered by HIPAA Standards
  • Health care providers
  • Health plans (payers)
  • Health care clearinghouses

5
Effects of HIPAA on Electronic Data Interchange
in Health Care Industry
  • Brought substantial uniformity to EDI, though
    interoperability problems persist
  • Generated concern about compliance with security
    standards
  • Gave rise to important new model for interactions
    between covered entities

6
Provider-Clearinghouse-Payer Model
7
Security Threats in the PCP Model
  • External threats
      • Hacking, interception, deception, denial of
        service, etc. by outsiders
  • Internal threats
      • Abuse of authorized access to electronic
        protected health information (EPHI) by covered
        entities, their employees, or business associates

8
Meta-Threat: A Market in Illicitly Obtained EPHI
  • EPHI potentially has great value to outsiders,
    e.g.,
      • Marketers
      • Employers
      • Insurers
      • Blackmailers
  • Once EPHI is dispersed on the Internet, it cannot be
    recovered
  • Harm is potentially unlimited
  • Not adequately addressed by HIPAA
  • Only partially addressed by other laws

9
HIPAA Security Standards
  • Intended to ensure confidentiality, integrity,
    and availability of EPHI
  • Define administrative, physical, and technical
    safeguards
  • Emphasize technological neutrality at the expense
    of specificity
  • Covered entities (C.E.s) must implement reasonable
    and appropriate policies and procedures to comply
    with the standards and must document these

10
Implementation Specifications
  • May be required or addressable
  • A C.E. may implement an alternative to an
    addressable spec, or choose to implement neither
    the spec nor an alternative
  • Decision is based on analysis of risks, costs,
    available resources
  • Must document rationale

11
HIPAA Safeguards Against Insider Threats
  • Administrative safeguards
      • Workforce security policy
      • Workforce sanctions
      • Security training
      • Access authorization policy
      • Periodic evaluation
      • Information system activity review
      • Business associate contracts

12
HIPAA Safeguards Against Insider Threats (2)
  • Physical safeguards
      • Facility access controls
      • Device and media controls

13
HIPAA Safeguards Against Insider Threats (3)
  • Technical safeguards
      • Access control
      • Unique user identification
      • Encryption
      • Audit controls
      • Integrity controls
      • Person or entity authentication

14
Limitations of HIPAA Safeguards
  • Employees with legitimate access to EPHI can
    easily provide it to outsiders or modify it
  • No technical restrictions on employees' ability
    to distribute or modify EPHI are specified
  • Form of audit controls is not specified
  • Addressed primarily by deterrents
      • Dismissal
      • Employer sanctions
      • Fines
      • Imprisonment

15
Recommended Mandatory Implementation
Specifications
  • Employees must be prevented technically from
    electronically distributing or modifying EPHI
    except as required for essential business reasons
  • Employees who normally process EPHI must not have
    system administration privileges
  • Each transfer or modification of EPHI must be
    securely and permanently logged
      • Actors strongly identified
      • Relevant items identified

16
Implications of the Recommendations
  • Most employees handling EPHI must use restricted
    hardware and software
  • Hardware, software, and administrative support
    for dual-key system administration is required

17
Preventing Trafficking in Illicitly Obtained EPHI
  • Requires combination of technical and legal means
  • Proposals
      • Regulate all entities that handle EPHI
      • Require that such entities be able to prove the
        provenance and authenticity of EPHI they have
        handled
      • Require use of strong identification and data
        integrity validation

18
HIPAA Enforcement Provisions