This often leads to oversight of major security risks associated with e-mail and instant messaging systems, since electronic protected health information (ePHI) inevitably finds its way into the messaging environment.
The HIPAA security rule states, in no uncertain terms, that any ePHI determined to be at risk must be properly secured. This includes ePHI transmitted via e-mail or instant messaging correspondence.
When assessing the big picture, you've got to ask yourself if ePHI is at risk in e-mails and instant messages. I say no; it's not likely. Putting insecure 802.11-based wireless systems aside, most data in transit is not at risk of being compromised. That's the common argument. Unfortunately, there's more to messaging security than just data in transit. You also need to think about the e-mails and instant messages containing ePHI that spend 99.9% of their time sitting in message stores or log files. Further complicating matters, traces of insecure ePHI are usually on at least two systems (the sender's and receiver's), and often more if you consider all the servers in between.
When you start looking for solutions to HIPAA's secure messaging requirements, you might be convinced that all you need is one of the thousands of vendor solutions on the market. However, remember that HIPAA compliance doesn't come in a box. Neither does messaging security. An e-mail encryption solution or instant messaging firewall isn't going to bring you complete security. After working with many of these messaging security products, I'm convinced they're necessary to make the duties of e-mail administrators, regulatory compliance managers and information security executives easier to fulfill -- but they're not the entire solution.
So what else do you need to do? Is true messaging security possible? First of all, I do believe that adequate messaging security (i.e., reasonably secure in the eyes of the Feds, which is all you really need) is possible without having to spend half of this year's IT budget -- and it's actually a pretty simple process. You simply must figure out where your messaging vulnerabilities exist, add or tweak your security policies and add new security safeguards where needed.
Before taking the "my messages are encrypted, therefore I'm secure" route, focus your efforts on vulnerabilities in your operating systems, your messaging servers and your messaging clients. If you're running Windows, Exchange and Outlook, I guarantee there are ways for a hacker or other internal miscreant to compromise ePHI long before he could ever capture it off wire using a network analyzer. (A hacker capturing data off the wire is a common security vulnerability misconception that never ceases to bug me … but I digress.)
Look at the basics: passwords, access controls, application security -- and physical security, if you have a mobile workforce. Also look at your business processes, like adding and removing users to and from your messaging environment, and policies, such as how often awareness training and security assessments occur. Find and plug the security holes in these areas, keep doing it over and over again, and upgrade to the latest secure applications, and you'll undoubtedly have a more secure messaging environment. After you've done all the above, and only if it makes sense, consider securing your messages in transit using a perimeter-, server-, or client-based technology solution such as SSL/TLS, S/MIME, or PGP.
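As an added illustration of the "figure out where your messaging vulnerabilities exist" step (example code, not from the author or any vendor product): a small Python audit pass over a message store that flags messages carrying cleartext ePHI-like data and skips bodies that are already S/MIME- or PGP/MIME-encrypted, since encrypting in transit does nothing for what sits at rest. The regex patterns, the "MRN-" record-number format and the sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message

# Patterns that often indicate ePHI in free text (assumptions for this example,
# not a HIPAA-defined list): US SSNs and a hypothetical "MRN-" record number format.
EPHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{6,}\b"),
}

def is_encrypted(msg: Message) -> bool:
    """True if the body is S/MIME or PGP/MIME encrypted, i.e. not cleartext at rest."""
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return True
    protocol = str(msg.get_param("protocol", "")).lower()
    return ctype == "multipart/encrypted" and "pgp" in protocol

def cleartext_body(msg: Message) -> str:
    """Concatenate every text/* part of a message so it can be scanned."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_maintype() == "text")

def scan_message(raw: str) -> dict:
    """Report which ePHI patterns appear in cleartext, or that the message is encrypted."""
    msg = message_from_string(raw)
    if is_encrypted(msg):
        return {"subject": msg["Subject"], "encrypted": True, "hits": []}
    text = msg.get("Subject", "") + "\n" + cleartext_body(msg)
    hits = [name for name, pat in EPHI_PATTERNS.items() if pat.search(text)]
    return {"subject": msg["Subject"], "encrypted": False, "hits": hits}

def scan_store(raw_messages: list[str]) -> list[dict]:
    """Scan every message in a store and keep only those with cleartext ePHI hits."""
    return [r for r in (scan_message(m) for m in raw_messages) if r["hits"]]

# Constructed sample store: one cleartext message carrying ePHI, one S/MIME-encrypted, one benign.
SAMPLE_STORE = [
    "Subject: Lab results\nContent-Type: text/plain\n\nPatient MRN-1234567, SSN 123-45-6789, potassium elevated.\n",
    "Subject: Lab results\nContent-Type: application/pkcs7-mime; smime-type=enveloped-data\n\nBASE64-BLOB-PLACEHOLDER\n",
    "Subject: Lunch\nContent-Type: text/plain\n\nTeam lunch is at noon.\n",
]

if __name__ == "__main__":
    for finding in scan_store(SAMPLE_STORE):
        print(finding)
```

Pointing `scan_store` at the messages of a real mailbox (for instance via the standard `mailbox` module) turns this into the inventory of where cleartext ePHI sits on each sender, receiver and relay system.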
After the April 21, 2005 compliance deadline, the "HIPAA police" won't likely come knocking on your door asking to inspect your messaging security setup. Just don't ignore messaging security best practices -- you're expected to address the basics. Look at the security big picture, implement basic security best practices, and find out what other HIPAA covered entities are doing. You'll be much better off in the middle of the "herd," doing what the majority is doing, than you will by standing out as a non-conformist convinced that high-dollar security technology equals a highly-resilient messaging environment -- or, even worse, that no messaging vulnerabilities exist at all.
About the author:
Kevin Beaver is founder and principal consultant of Atlanta-based Principle Logic, LLC where he specializes in information security assessments for those who take security seriously and incident response for those who don't. He has authored and co-authored several books related to the topic of HIPAA readiness and messaging security including "The Practical Guide to HIPAA Privacy and Security Compliance" (Auerbach), "The Definitive Guide to Email Management and Security" (Realtimepublishers.com), and "Hacking For Dummies" (Wiley). Kevin can be reached at kbeaver @ principlelogic.com.