Title: Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse-Payer Model
1. Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse-Payer Model
- Andy Podgurski and Bret Kiraly
- EECS Department
- Sharona Hoffman
- School of Law
- Case Western Reserve University
- Cleveland, Ohio 44106
2. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Addresses both health insurance reform and administrative simplification
- Portability reforms protect health insurance coverage for workers when they change or lose their jobs
3. HIPAA Administrative Simplification Provisions
- Electronic Transactions and Code Sets
- National Provider Identifiers
- Privacy Standards
- Security Standards
- Civil Money Penalties
4. Entities Covered by HIPAA Standards
- Health care providers
- Health plans (payers)
- Health care clearinghouses
5. Effects of HIPAA on Electronic Data Interchange in the Health Care Industry
- Brought substantial uniformity to EDI, though interoperability problems persist
- Generated concern about compliance with security standards
- Gave rise to an important new model for interactions between covered entities
6. Provider-Clearinghouse-Payer Model
7. Security Threats in the PCP Model
- External threats
  - Hacking, interception, deception, denial of service, etc. by outsiders
- Internal threats
  - Abuse of authorized access to electronic protected health information (EPHI) by covered entities, their employees, or business associates
8. Meta-Threat: A Market in Illicitly Obtained EPHI
- EPHI potentially has great value to outsiders, e.g.:
  - Marketers
  - Employers
  - Insurers
  - Blackmailers
- Once EPHI is dispersed on the Internet, it cannot be recovered
- Harm is potentially unlimited
- Not adequately addressed by HIPAA
- Only partially addressed by other laws
9. HIPAA Security Standards
- Intended to ensure confidentiality, integrity, and availability of EPHI
- Define administrative, physical, and technical safeguards
- Emphasize technological neutrality at the expense of specificity
- Covered entities (C.E.) must implement reasonable and appropriate policies and procedures to comply with the standards and must document these
10. Implementation Specifications
- May be required or addressable
- C.E. may implement an alternative to an addressable spec, or choose not to implement either the spec or an alternative
- Decision is based on analysis of risks, costs, and available resources
- Must document rationale
11. HIPAA Safeguards Against Insider Threats
- Administrative safeguards
- Workforce security policy
- Workforce sanctions
- Security training
- Access authorization policy
- Periodic evaluation
- Information system activity review
- Business associate contracts
12. HIPAA Safeguards Against Insider Threats (2)
- Physical safeguards
- Facility access controls
- Device and media controls
13. HIPAA Safeguards Against Insider Threats (3)
- Technical safeguards
- Access control
- Unique user identification
- Encryption
- Audit controls
- Integrity controls
- Person or entity authentication
14. Limitations of HIPAA Safeguards
- Employees with legitimate access to EPHI can easily provide it to outsiders or modify it
- No technical restrictions on employees' ability to distribute or modify EPHI are specified
- Form of audit controls is not specified
- Addressed primarily by deterrents:
  - Dismissal
  - Employer sanctions
  - Fines
  - Imprisonment
15. Recommended Mandatory Implementation Specifications
- Employees must be prevented technically from electronically distributing or modifying EPHI except as required for essential business reasons
- Employees who normally process EPHI must not have system administration privileges
- Each transfer or modification of EPHI must be securely and permanently logged
  - Actors strongly identified
  - Relevant items identified
16. Implications of the Recommendations
- Most employees handling EPHI must use restricted hardware and software
- Hardware, software, and administrative support for dual-key system administration is required
17. Preventing Trafficking in Illicitly Obtained EPHI
- Requires a combination of technical and legal means
- Proposals:
  - Regulate all entities that handle EPHI
  - Require that such entities be able to prove the provenance and authenticity of EPHI they have handled
  - Require use of strong identification and data integrity validation
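As an added illustration (not from the slides or the authors), the following Python sketch shows one way to meet the logging requirement of slide 15 and the provenance/integrity proposals of slide 17: every EPHI transfer or modification is appended to a hash-chained, HMAC-protected log that records a strongly identified actor, the item touched and its digest, so that a later edit or deletion by an insider is detectable. The key name, field names and sample claim record are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key; in practice held away from staff who process EPHI (dual-key admin).
LOG_KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # chain anchor for the first entry

def _mac(body: dict, prev_mac: str) -> str:
    """HMAC over the previous entry's MAC plus this entry's canonical JSON."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_mac.encode() + payload, hashlib.sha256).hexdigest()

def append_event(log: list, actor: str, action: str, record_id: str,
                 record_bytes: bytes, ts: str) -> dict:
    """Log one transfer or modification of EPHI: strongly identified actor, the item
    touched, and the item's digest at that moment (provenance evidence)."""
    body = {"seq": len(log), "ts": ts, "actor": actor, "action": action,
            "record_id": record_id,
            "record_sha256": hashlib.sha256(record_bytes).hexdigest()}
    prev_mac = log[-1]["mac"] if log else GENESIS
    entry = dict(body, mac=_mac(body, prev_mac))
    log.append(entry)
    return entry

def verify_log(log: list) -> int:
    """Index of the first entry that fails verification, or -1 if the chain is intact.
    Catches edited fields, deleted or reordered entries and entries forged without LOG_KEY;
    trailing truncation is caught only if the latest MAC is anchored elsewhere (e.g. payer)."""
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if entry.get("seq") != i or not hmac.compare_digest(
                _mac(body, prev_mac), entry.get("mac", "")):
            return i
        prev_mac = entry["mac"]
    return -1

def demo() -> tuple:
    """Three-entry log, then an edited actor field and a deleted middle entry.
    Returns (intact_result, edited_result, deleted_result) = (-1, 1, 1)."""
    log, claim = [], b"constructed sample claim record"  # stands in for an EPHI record
    append_event(log, "billing:a.lee", "read", "claim-0001", claim, "2024-01-01T09:00Z")
    append_event(log, "billing:a.lee", "transfer:clearinghouse", "claim-0001", claim,
                 "2024-01-01T09:05Z")
    append_event(log, "admin:r.kim", "modify", "claim-0001", claim + b" v2", "2024-01-01T10:00Z")
    edited = json.loads(json.dumps(log))
    edited[1]["actor"] = "billing:someone.else"  # insider rewriting who did the transfer
    deleted = log[:1] + log[2:]  # the transfer record removed from the middle
    return verify_log(log), verify_log(edited), verify_log(deleted)
```

The recorded `record_sha256` values are what a clearinghouse or payer could later check against the EPHI it received to establish provenance and integrity, as slide 17 proposes.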
18. HIPAA Enforcement Provisions