Medical institutions have a lot of work to do to comply with the Health Insurance Portability and Accountability Act's security provisions by next April.If Chris DeVoney hustles, he can stay one step ahead of the hackers he fears are going to steal patient records. But he doesnt dare rest. He is the computing director at the clinical research center of the University of Washington Medical Center. In the past year, he has patched and installed software firewalls on 50 to 100 disparate medical deviceseverything from computers to printers to FDA-approved devices that require bridging firewalls because no software can be loaded onto them. Last month, he cleaned up after an attack by the Witty worm, which rewrote hard drives on 80 or so computers. The week before that, a notebook computer was hacked as it tracked data emanating from sensors attached to a subject who was sleeping as part of a research project. The campus had to "cut the hacker out" by turning off Internet access to the notebook so the study could be finished, says DeVoney. The research center depends on the universitys technology infrastructure, and government budget cycles make it hard for the university to buy what it needs when its needed. Right now, for example, DeVoney has no perimeter firewall. Nevertheless, in April 2005, the Medical Center and thousands of other healthcare organizations will have to comply with regulations to protect the electronic security of patients recordsrecords that keep track of their physical or mental conditions, their treatments and their healthcare insurance and payments. Violations can incur civil penalties of up to $25,000 per infraction per year, and criminal penalties of up to $250,000 in fines and 10 years in prison. (Very small organizations have an extra year to comply).
The regulations cover security in 18 areas, divided among three broad categories: administrative policies, such as who can update records; physical safeguards, such as access controls; and technical systems, such as firewalls, used to protect patient records. Organizations must specify who has access to what information, how computers are safeguarded, and how security breaches are handled.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: