Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model

Andy Podgurski and Bret Kiraly (EECS Department) and Sharona Hoffman (School of Law)
Case Western Reserve University, Cleveland, Ohio 44106

Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Addresses both health insurance reform and "administrative simplification"
- Portability reforms protect health insurance coverage for workers when they change or lose their jobs

HIPAA Administrative Simplification Provisions
- Electronic Transactions and Code Sets
- National Provider Identifiers
- Privacy Standards
- Security Standards
- Civil Money Penalties

Entities Covered by HIPAA Standards
- Health care providers
- Health plans (payers)
- Health care clearinghouses

Effects of HIPAA on Electronic Data Interchange in the Health Care Industry
- Brought substantial uniformity to EDI, though interoperability problems persist
- Generated concern about compliance with security standards
- Gave rise to an important new model for interactions between covered entities

Provider-Clearinghouse*-Payer Model

Security Threats in the PC*P Model
- External threats
  - Hacking, interception, denial of service, etc. by outsiders
- Internal threats
  - Abuse of authorized access to electronic protected health information (EPHI) by covered entities, their employees, or business associates

Meta-Threat: A Market in Illicitly Obtained EPHI
- EPHI potentially has great value to outsiders, e.g.,
  - Marketers
  - Employers
  - Insurers
  - Blackmailers
- Once EPHI is dispersed on the Internet, it cannot be recovered
- Harm is potentially unlimited
- Not adequately addressed by HIPAA
- Only partially addressed by other laws

HIPAA Security Standards
- Intended to ensure confidentiality, integrity, and availability of EPHI
- Define administrative, physical, and technical safeguards
- Emphasize technological neutrality at the expense of specificity
- A covered entity (C.E.) must implement "reasonable and appropriate" policies and procedures to comply with the standards, and must document them

Implementation Specifications
- May be "required" or "addressable"
- A C.E. may implement an alternative to an addressable specification, or choose to implement neither the specification nor an alternative
  - The decision is based on an analysis of risks, costs, and available resources
  - The rationale must be documented

HIPAA Safeguards Against Insider Threats
- Administrative safeguards
  - Workforce security policy
  - Workforce sanctions
  - Security training
  - Access authorization policy
  - Periodic evaluation
  - Information system activity review
  - Business associate contracts

HIPAA Safeguards Against Insider Threats (2)
- Physical safeguards
  - Facility access controls
  - Device and media controls

HIPAA Safeguards Against Insider Threats (3)
- Technical safeguards
  - Access control
  - Unique user identification
  - Encryption
  - Audit controls
  - Integrity controls
  - Person or entity authentication

Limitations of HIPAA Safeguards
- Employees with legitimate access to EPHI can easily provide it to outsiders or modify it
  - No technical restrictions on employees' ability to distribute or modify EPHI are specified
  - The form of audit controls is not specified
- Addressed primarily by deterrents
  - Dismissal
  - Employer sanctions
  - Fines
  - Imprisonment

Recommended Mandatory Implementation Specifications
- Employees must be prevented technically from electronically distributing or modifying EPHI except as required for essential business reasons
- Employees who normally process EPHI must not have system administration privileges
- Each transfer or modification of EPHI must be securely and permanently logged
  - Actors strongly identified
  - Relevant items identified

Implications of the Recommendations
- Most employees handling EPHI must use restricted hardware and software
- Hardware, software, and administrative support for "dual-key" system administration is required
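The two preceding slides recommend that staff who process EPHI never hold system administration privileges, and that administration itself be "dual-key". The following is an added illustration, not code from the authors' work: a small policy model in which every role grant is checked for separation of duties and a privileged change is authorized only once two distinct administrators approve it. Role names, user ids and the sample change are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set

# Hypothetical role names, constructed for this example.
EPHI_PROCESSOR = "ephi_processor"  # staff who handle claims/EPHI day to day
SYS_ADMIN = "sys_admin"            # staff who may change system configuration


class PolicyViolation(Exception):
    """Raised when a grant or approval would break the policy."""


@dataclass
class Directory:
    """User-to-role mapping that enforces separation of duties on every grant."""
    roles: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, user: str, role: str) -> None:
        current = self.roles.setdefault(user, set())
        # An EPHI processor must never also hold system administration rights.
        if {EPHI_PROCESSOR, SYS_ADMIN} <= current | {role}:
            raise PolicyViolation(f"{user}: EPHI processing and admin roles are mutually exclusive")
        current.add(role)

    def has_role(self, user: str, role: str) -> bool:
        return role in self.roles.get(user, set())


@dataclass
class DualKeyAction:
    """A privileged change that is authorized only once two distinct admins approve it."""
    description: str
    approvals: Set[str] = field(default_factory=set)

    def approve(self, directory: Directory, admin: str) -> None:
        if not directory.has_role(admin, SYS_ADMIN):
            raise PolicyViolation(f"{admin} is not a system administrator")
        self.approvals.add(admin)  # a set: the same admin approving twice counts once

    def is_authorized(self) -> bool:
        return len(self.approvals) >= 2


def build_directory() -> Directory:
    """Constructed sample directory: one clerk and two administrators."""
    d = Directory()
    d.grant("clerk.alice", EPHI_PROCESSOR)
    d.grant("admin.carol", SYS_ADMIN)
    d.grant("admin.dave", SYS_ADMIN)
    return d


def try_grant(directory: Directory, user: str, role: str) -> bool:
    """Return True if the grant is accepted, False if policy rejects it."""
    try:
        directory.grant(user, role)
        return True
    except PolicyViolation:
        return False


def authorize_with(directory: Directory, approvers: Iterable[str]) -> bool:
    """Collect approvals for a constructed change and report whether it is authorized."""
    action = DualKeyAction("disable audit forwarding on the claims server")
    for who in approvers:
        try:
            action.approve(directory, who)
        except PolicyViolation:
            pass  # non-admins cannot contribute an approval
    return action.is_authorized()


if __name__ == "__main__":
    d = build_directory()
    print("clerk gets admin:", try_grant(d, "clerk.alice", SYS_ADMIN))            # False
    print("one admin approves:", authorize_with(d, ["admin.carol"]))              # False
    print("two admins approve:", authorize_with(d, ["admin.carol", "admin.dave"]))  # True
```

The model shows why the second recommendation needs hardware and software support, not just policy: the exclusivity check and the two-approver rule are only meaningful if the directory and the action queue are themselves outside the reach of any single administrator.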

Preventing Trafficking in Illicitly Obtained EPHI
- Requires a combination of technical and legal means
- Proposals:
  - Regulate all entities that handle EPHI
  - Require that such entities be able to prove the provenance and authenticity of EPHI they have handled
    - Require use of strong identification and data integrity validation
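The recommended specification that every transfer or modification of EPHI be securely and permanently logged, with actors and items strongly identified, and the proposal above that handlers be able to prove provenance and authenticity, both rest on the same mechanism: a tamper-evident record of custody. The following is an added example, not code from the authors: each log entry names the authenticated actor and the record identifiers it touched, is bound to the previous entry by its MAC, and is authenticated with a key held only by a separately administered logging service. The claim identifiers, user names and key are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # chain anchor for the first entry


def _canonical(body: Dict) -> bytes:
    """Deterministic serialisation so the MAC covers exactly one byte string."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


class EphiAuditLog:
    """Append-only, hash-chained, HMAC-protected record of EPHI transfers and edits.

    Assumption: the MAC key is held only by the logging service, which runs under
    separate (dual-key) administration from the staff who process EPHI."""

    def __init__(self, mac_key: bytes):
        self._key = mac_key
        self.entries: List[Dict] = []

    def append(self, actor: str, auth_method: str, action: str,
               item_ids: List[str], destination: str = "") -> str:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "actor": actor,              # strongly identified user
            "auth": auth_method,         # how that user was authenticated
            "action": action,            # e.g. export, modify
            "items": sorted(item_ids),   # which EPHI records were touched
            "destination": destination,  # where the EPHI went, if exported
            "prev": prev,                # back-link to the previous entry's MAC
        }
        mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        self.entries.append({**body, "mac": mac})
        return mac

    def verify(self) -> Tuple[bool, int]:
        """Return (True, -1) if the whole chain is intact, otherwise (False, seq)
        of the first entry whose MAC or back-link does not check out."""
        prev = GENESIS
        for expected_seq, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if (entry["seq"] != expected_seq or entry["prev"] != prev
                    or not hmac.compare_digest(mac, entry["mac"])):
                return False, entry["seq"]
            prev = entry["mac"]
        return True, -1

    def provenance(self, item_id: str) -> List[Tuple[int, str, str]]:
        """Chain of custody for one record: (seq, actor, action), in order."""
        return [(e["seq"], e["actor"], e["action"])
                for e in self.entries if item_id in e["items"]]


def build_sample_log() -> EphiAuditLog:
    """Constructed sample: a clearinghouse forwards claims to a payer, then a clerk
    corrects one claim. All identifiers are made up for the example."""
    log = EphiAuditLog(mac_key=b"example-key-held-by-log-service")
    log.append("clerk.alice", "smartcard+pin", "export",
               ["claim-0001", "claim-0002"], destination="payer:acme-health")
    log.append("clerk.alice", "smartcard+pin", "modify", ["claim-0001"])
    log.append("clerk.bob", "smartcard+pin", "export",
               ["claim-0003"], destination="payer:acme-health")
    return log


def tampered_log() -> EphiAuditLog:
    """The same log with entry 1 edited after the fact; verify() must catch this."""
    log = build_sample_log()
    log.entries[1]["items"] = ["claim-0002"]
    return log


if __name__ == "__main__":
    print("intact:", build_sample_log().verify())        # (True, -1)
    print("tampered:", tampered_log().verify())          # (False, 1)
    print("custody:", build_sample_log().provenance("claim-0001"))
```

Two caveats a practitioner would add: the chain detects edits and deletions in the middle of the log but not removal of the newest entries, so the head MAC should be periodically anchored outside the log (for example, countersigned by the payer receiving the transfer); and "actor" is only as strong as the authentication recorded in the `auth` field, which is why the slides pair logging with strong identification.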

HIPAA Enforcement Provisions
- Slides: 18