Wireless security entangles HIPAA

Securing wireless networks may pose a problem as health organizations near the compliance deadline


Although most health organizations still have another 22 months to comply with new federal security standards, securing wireless networks may pose a problem as they near the deadline.

"There are so many security issues around wireless and the [security] rule gives you no substantial guidance on how to secure wireless," said Marne Gordon, director of regulatory affairs at TruSecure Corp., referring to the Health Insurance Portability and Accountability Act of 1996 guidelines on security.

HIPAA, as it's known, is a far-reaching federal law that, among other things, is supposed to strengthen privacy procedures involving personal patient health and medical information, simplify administrative codes and standards for electronic data interchange and improve security of networks handling such data.

"Privacy is all about the rights to use information and how information is used. Security is about how to protect the confidentiality, availability and integrity of the information," said W. Holt Anderson, executive director of the North Carolina Healthcare Information and Communications Alliance Inc., a nonprofit consortium of public- and private-sector groups working on HIPAA issues.

"The really hot buttons in security right now are secure e-mail and wireless. So we'll be spending a lot of time in the next couple of years as the security regulation gets ready for April 2005. But it's really kicking into gear now because people need some of the security measures to implement privacy and they're still implementing those," he said, adding the consortium has developed a gap analysis tool for security.

The final security rule was issued in February and does not prescribe specific solutions for affected health care agencies because their technology varies.

Gordon, whose company provides consulting on HIPAA-related practices, said wireless wasn't even a factor when standards were being considered several years ago.

"I know a lot of doctors in their own hospitals are looking to see what steps wireless can save them. There are so many security issues around wireless and the rule gives you no substantial guidance on how to secure wireless. A lot of organizations are looking for 'How do I secure that,' because that's the weakest link," she said.

Aldona Valicenti, chief information officer for Kentucky, said states also have to consider whether their cybersecurity measures will be compliant with what they need to do for HIPAA.

"You've got to understand we're making security investments now," she said. "What I think we don't want to happen is make security investments now that are inappropriate.

"So that's really sort of our challenge right now," she continued. "We are in a very depressed fiscal situation, we're going to lose workers or positions or both, and we have a continued requirement to ... beef our security up, make sure that we're compliant, make sure we deal with homeland security, and by the way, what we're doing is going to comply with HIPAA."
