HIPAA has sounded a wake-up call throughout the health care industry: Patient data is an asset and must be protected. For the past several years, health care departments have been facing the challenge of evaluating their procedures that relate to HIPAA's three administrative simplification provisions -- electronic data interchange (EDI) transactions, privacy and security.
According to Dennis Melamed, editor of the Utilization Review Accrediting Commission's three HIPAA handbooks, the rules are clear for EDI, but there aren't any final rules for security or privacy. "So, some CIOs have had to struggle to convince senior management that HIPAA isn't about compliance, but security and privacy initiatives make for good business practice, anyway."
Staying on top of best business practices in IT has become a hallmark for the CIO at one of Boston's largest health care organizations. John Halamka, MD, has combined his training as a medical doctor with a thorough understanding of computer networking.
Halamka oversees the IT needs for CareGroup's three Boston-area hospitals--Beth Israel Deaconess, Mount Auburn and New England Baptist--and three community hospitals.
The six CareGroup facilities have about 12,000 employees, including 3,000 doctors who see approximately 1 million patients a year. Halamka is also an associate dean at the Harvard Medical School, where he spearheads technology programs.
Halamka recently answered questions about what he has done with EDI, security and privacy, and what concerns him about these issues.
Q: Can you summarize the high points of your network infrastructure?
Halamka: About 225 employees maintain the IT infrastructure consisting of 8,000 desktops, 20 terabytes of storage, and 25,000 network ports throughout the 45 miles of wide area network (WAN).
Q: How much have you budgeted for planning for HIPAA areas of security and privacy?
Halamka: In 2001, we budgeted about $250,000. For 2002, we budgeted about $1 million, mostly for security initiatives. One-quarter of the budget for 2003 will go for privacy training and policymaking.
Q: What kinds of initiatives do you have in place for privacy?
Halamka: Since the early 1980s, we've been auditing every transaction that goes through any one of our clinical systems. We have a Web site where patients who have received the appropriate authentication credentials can review a security audit online. We can also give a patient a printout of the security audit.
We have a strict no-tolerance policy for confidentiality violations. About three or four employees are terminated each year because of these violations.
Q: What have you been doing to increase privacy awareness?
Q: You can't have privacy unless you have security. Unfortunately, HIPAA doesn't have a hard-and-fast security rule right now. How do you decide what best practices to use for something that doesn't exist?
Halamka: You need to sort of make them up. In other words, ask yourself: What are those security elements that are absolutely required to meet privacy regulations in April?
We have had security best practices for many years. For example, every Internet transaction always has 128-bit secure sockets. All strong authentication passwords must have a minimum of six characters, consist of alphanumeric characters and must expire in 90 days. Because there's no security rule, we're not sure if 128-bit secure sockets are good enough.
Q: Is there any special device you use to handle authentication?
Halamka: We use a device for both our wireless and wired networks. The device hits the LDAP directory. We think the Wired Equivalent Privacy protocol isn't sufficient. It uses a single key for all clients. Once someone cracks the key, then your security is compromised. With the device, you need to specify your user name and password in order to access an application.
Q: When it comes to HIPAA, you have two things going for you: carrying out best practices proactively and getting necessary funding. What challenges do some CIOs still face?
Halamka: CIOs must compete with other senior leaders for capital. Competition for HIPAA capital can be challenging. I justify it by telling folks that you need to have best practices for privacy and security because they make for good business. I don't want a major metropolitan newspaper saying that my organization takes security lightly.
Elizabeth M. Ferrarini is a free-lance writer in Boston.