A Medley of State Healthcare Data Laws: Insurance Encryption & 2FA for E-Prescriptions
Some states are upping the ante when it comes to specific healthcare data protection laws, as the U.S. Dept. of Health & Human Services’ healthcare legislation proves to be not enough. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines some loose guidelines around securing patient data for healthcare organizations and their vendors (referred to as business associates).
But critics have found the rules to be a bit too loose, prompting state legislators to create and enforce their own specific mandates - whether or not that comes in conflict or supersedes federal law is unclear to me, but it’s reassuring to see real information security initiatives outside of mandatory compliance regulations.
NJ Healthcare Insurance Carriers: Encryption Required
One example is New Jersey’s recently passed law that requires all health insurance carriers, including health, hospital and medical service corporations, to encrypt sensitive patient data. The legislation requires insurance carriers to encrypt identifiable health information, including names, Social Security number, driver’s license or State ID number or address, as well as any data that could possibly ID them.
And as SCMagazine.com reports, password protection software isn’t enough in this case for compliance, unless the computer program renders data unsuable or unreadable after an unauthorized person bypasses the security mechanism. However, a lot of attackers can steal passwords and appear to be legitimate users, going undetected in systems.
Is encryption mandatory under the federal HIPAA Security Rule? The answer is no - HHS.gov’s Health Information Privacy FAQ states that the use of encryption is an ‘addressable implementation specification,’ meaning it’s only required if the organization deems that it’s a reasonable and appropriate safeguard that would keep ePHI protected.
So that means your own company can conduct a risk assessment and decide not to encrypt as long as you implement an ‘equivalent alternative measure,’ whatever that means. Also, document it all. That’ll be enough to meet the HHS’s guidelines for patient data security.
Another interesting loophole in the law lets healthcare organizations off the hook when it comes to data breach reporting, as long as the data stolen, lost, destroyed or accessed was encrypted.
Securing E-Prescriptions in New York State
Aside from encryption, another healthcare data concern is the challenge of securing e-prescriptions, the act of generating and transmitting prescriptions of controlled substances electronically (faxed prescriptions are not considered e-prescription).
Using electronic prescriptions has the potential to minimize medication errors; integrate prescription records directly into patients’ electronic medical records; and reduce prescription theft and forgery.
New York State has instituted mandatory e-prescribing, effective March 27, 2015 as part of their I-STOP (Internet System for Tracking Over-Prescribing) legislation passed in efforts to keep e-prescribing safe from fraudulent use, including the misuse of prescription drugs.
And for companies that need to meet data security requirements for e-prescribing, the U.S. Drug Enforcement Administration (DEA) is the federal entity overseeing compliance. The agency allows e-prescribing only if companies have certain safeguards in place when it comes to the software used to conduct e-prescriptions.
Some of those guidelines include:
- Third-party audits of all e-prescription software, with guidance from the NIST (National Institute of Standards and Technology) Special Publication 800-53A
- Signing of e-prescriptions must be protected by two-factor authentication or digital certificates
- Two-factor authentication should include something you know, have, or are - tokens, if used, must be cryptographic devices or a one-time password device that meets FIPS 140-2 Security Level 1
- Identity-proofing of individual prescribing practitioners must meet standards outlined in the NIST Special Publication 800-63-1 Assurance Level 3
- Setting access controls, whether name or role-based; if role-based, each role should be limited to only authorized individuals for e-prescription
- Policies around revoking e-prescribing capabilities for certain individuals, including when an employee leaves, DEA registration expiration, etc.
- Pharmacy application safeguards must follow the requirements outlined in 21 CFR 1311.205
Others include registering certified EPCS (Electronic Prescription of Controlled Substances) software applications with the Bureau of Narcotic Enforcement (BNE).
Much of the focus when it comes to securing e-prescriptions is placed on authentication and access security, as the two-factor authentication requirement reveals. The reasoning behind using the security solution is that “authentication based only on knowledge factors is easily subverted because they can be observed, guessed, or hacked and used without the practitioner’s knowledge.”
Using your smartphone is one way to carry out secondary authentication, and relies on something that you have, not something that you know; making it a contender for both convenient and effective security. Learn more about using an authentication mobile app and push notifications. And find out more about e-prescription security in Securing E-Prescription Applications & Identity-Proofing.
As individual states roll out their own security and compliance standards for certain areas of healthcare, it may be a good reminder to other states to stay up-to-date with the quickly advancing healthcare technology, and all of the different software used by healthcare organizations.