How to Perform a Large Scale HIPAA Security Gap
Analysis as a Means of Performance Improvement
Roy G. Clay III, BSCS, CDPHIPAA Security Project Coordinator
Louisiana State University Health Sciences CenterNew Orleans, LA
Louisiana State University
A Hybrid Entity
Louisiana State University
A Hybrid EntityCovered Component
Health Sciences CenterPennington Biomedical
Research CenterDefinity Health Plan
Non-Covered ComponentAgricultural & Mechanical
CollegeLaw SchoolAgricultural CenterLSU at EuniceLSU at AlexandriaLSU at ShreveportUniversity of New Orleans
LSU Health Sciences Center
LSU Health Sciences Center
S h re v ep or t C a m p usU n iv e rs i ty Ho sp ita l
S cho o ls o f M e d ic ine , G M EG rad ua te S tu d ie s , A llie d H ea lth
H e a lth C are S e rv ices D iv is ion(H C S D )
9 Ho sp ita ls
N e w O r lea n s C a m p usM ed icin e , D en tis try
N u rs ing , G rad u ate S tud iesA llie d He a lth
V ice P res ide n to f He a lth A ffa irs
Health Care Services Division
(Large Scale)
Health Care Services Division
(Large Scale)5000+ Inpatient
Admissions/mo.30000+ Outpatient
visits/mo.600+ Deliveries/mo.1,000,000 Lab tests/mo.14,000 Prescriptions
filled/mo.
3000+ Surgical Procedures/mo.
28000 ED visits/mo.32,000+ Diagnostic
Radiology procedures/mo.2000+ Medical Staff
members10000+ Employees
ChallengesChallenges
Large multi-entity organization.Distributed authority.Heterogeneous infrastructure.Budget. (What budget?)Poor organizational communication.Lack of computer literacy.Good practices in some areas but other areas
overlooked.Little (if any) documentation.
Gap Analysis ProcessGap Analysis Process
Appoint Security Officer and Give Him the Authority to Perform the Gap Analysis.
Iterative Discovery Process.Compile Results and Make Recommendations.
Educate Your New Security Officer
Educate Your New Security Officer
Security NPRM - http://aspe.hhs.gov/admnsimp/bannerps.htm#security
AAMC Guidelines - http://www.aamc.org/members/gir/gasp/hipaaresources.htm
WEDI SNIP Whitepapers - http://snip.wedi.org/public/articles/index.cfm?Cat=17
Iterative Discovery Process
Iterative Discovery Process
Where is the data?Surveys.Interviews.
Where is the Data?Where is the Data?
LSUHSCTulane
C entrally Adm inis teredSystem s
PatientM anagem ent LIS
A u g u s t 8 , 2 0 0 1
LSUHSC HCSD HIPAA Gap Analysis ProjectApplication Adm inistration
H ospitalAdm inisteredSystem s
N ovell N etw ork
Vendor Adm inisteredSystem s
M edical T ranscription
N ew Pharm acy System
H L7 Interface
Vendor Adm inisteredSystem s
C learinghouseVendor Blue C ross
W indow s N T N etw ork
LH NLSU H SC C linics
D epartm entAdm inistered System s
PAC S/R M S Biom edM edical R ecordsStorage
Academ ic System s
C oding
Top Down SurveysTop Down Surveys
A pp lica tionL ev e l
S ite /C a m p usL ev e l
E n te rp riseL ev e l
InterviewsInterviews
Five Targeted GroupsExecutive Staff (Including Medical)Human ResourcesTrainingInformation TechnologySystem Users
Use responses from surveys to guide your interviews.
Results and Recommendations
Results and Recommendations
Don’t wait to complete your surveys and interviews to begin compiling recommendations.
Provide management with alternatives wherever possible.
Make sure your recommendations are supported by your results.
RememberRemember
Be prepared to go over things again and again. Plan for items to be late.Know how to escalate. Make every step educate as well as collect
information.
Caveat Emptor!Caveat Emptor!
“20% of HIPAA attorneys are passing incorrect information to their clients.” – Alan Mertz, Executive Vice-President, Healthcare Leadership Council
HIPAA is new. Most of the consultants got to be experts on HIPAA by reading about it.
Vendors probably know less about HIPAA Security than you do.
Performance ImprovementPerformance Improvement
Security Management ProcessPolicies, Standards, and Procedures (PSP Not
P&P)Change ManagementMeasurements
Security Management Process
Security Management Process
Include other areas essential to the security process. (Facilities, Hospital Police, etc.)
This group is the primary security policy making body.
Recommends security projects to be included in overall project list.
Policies, Standards, and Procedures
Policies, Standards, and Procedures
P roced ures
S tan d ards
P o licies
Policies, Standards, and Procedures
Policies, Standards, and Procedures
Policies are developed from the security management process.
Policies should be simple and concise. Standards are set and revised by the appropriate group
(usually IT) as specified in the policy. Procedures are developed to meet the requirements of
policies and standards as needed. http://www.iso-17799.com/iso.htm
StandardsStandards
As few as possible but sufficient to cover all situations.
Must be written.All projects, grants, construction, etc. must be
checked for adherence to standards.
Change ManagementChange Management
Communications Tool.Automate workstation patches.Keep logbooks on servers. Use request form to initiate and track changes.
MeasurementsMeasurements
Identify and track critical statistics. Make sure your measurements make sense from
the users’ perspective. Scan your network.
FinallyFinally
Gap analysis provides a database than can be mined for performance improvement.