HIPAA Insecurity

If Chris DeVoney hustles, he can stay one step ahead of the hackers he fears are going to steal patient records. But he doesn’t dare rest. He is the computing director at the clinical research center of the University of Washington Medical Center. In the past year, he has patched and installed software firewalls on 50 to 100 disparate medical devices—everything from computers to printers to FDA-approved devices that require bridging firewalls because no software can be loaded onto them.

Last month, he cleaned up after an attack by the Witty worm, which rewrote hard drives on 80 or so computers. The week before that, a notebook computer was hacked as it tracked data emanating from sensors attached to a subject who was sleeping as part of a research project. The campus had to “cut the hacker out” by turning off Internet access to the notebook so the study could be finished, says DeVoney.

The research center depends on the university’s technology infrastructure, and government budget cycles make it hard for the university to buy what it needs when it’s needed. Right now, for example, DeVoney has no perimeter firewall. Nevertheless, in April 2005, the Medical Center and thousands of other healthcare organizations will have to comply with regulations to protect the electronic security of patients’ records—records that keep track of their physical or mental conditions, their treatments and their healthcare insurance and payments. Violations can incur civil penalties of up to $25,000 per infraction per year, and criminal penalties of up to $250,000 in fines and 10 years in prison. (Very small organizations have an extra year to comply).

The regulations cover security in 18 areas, divided among three broad categories: administrative policies, such as who can update records; physical safeguards, such as access controls; and technical systems, such as firewalls, used to protect patient records. Organizations must specify who has access to what information, how computers are safeguarded, and how security breaches are handled.

Institutions, for instance, will have to track every time a patient record is transferred electronically, by any means—or medium. In other words, a hospital will have to document not only when information is transferred from one department’s electronic files to another’s, online, but also when and how the data is moved on foot, using a magnetic tape, disk or other physical medium. In addition, the hospital will have to specify what kind of card readers or other devices are installed, to make sure only authorized workers can get to workstations or servers. They must even specify how devices or disks are checked out from work areas.

The regulations are part of HIPAA—the Health Insurance Portability and Accountability Act passed in 1996—and are just the latest in a series of rules the law will generate for years to come. But the cost of complying—ranging from $20,000 to $1 million for security alone, according to Jon Bogen, founder of West Chester, Pa.-based HealthCIO—is being borne by the organizations themselves.