From: www.itworld.com
June 27, 2001 —
When it received a gap-analysis report detailing what steps it needed to take to comply with the security and privacy regulations in HIPAA, eMed Technologies Corp. found that for the most part it was in pretty good shape, says Kelly Pickard, director of strategic alliances at the radiology image-management service.
But that didn't mean the IT department was home free. After receiving the report from security consulting firm Guardent Inc. in Waltham, Mass., eMed's IT personnel found themselves beefing up security measures at the Lexington, Mass., company's network operations center, going to security training classes and upgrading the firm's main product, eMed.net, Pickard says. Some of these tasks were unexpected, but that's the whole point of a gap analysis, he says. "What you hire these folks for is to find the surprises," he says.
A gap analysis is becoming an essential tool in an IT manager's arsenal as new state and federal privacy and security regulations seek to protect personal information about customers contained in companies' databases. The analysis can pinpoint holes that IT departments need to fix and can protect the company from expensive penalties for breach of confidentiality.
Today, the immediate concern is the Health Insurance Portability and Accountability Act (HIPAA), but consumer privacy advocates have the attention of legislators, who are passing new electronic security laws that could affect many industries. While health care organizations are facing deadlines for compliance with HIPAA, the need for gap analysis is growing in all sectors of the economy. For example, banks and other financial institutions are working on following similar rules in the Gramm-Leach-Bliley Act.
Some companies are keeping the gap-analysis task in-house, but many others are choosing to hire outside consulting firms. In either case, practitioners say, IT must be involved at every step.
For HealthNet Inc., a Kansas City, Mo.-based managed health care plan, handing over the gap analysis to an outside firm was the best decision, says Lori Sayre, the plan's director of HIPAA programs. The company's small IT department has only 40 to 45 people, she says, and adding a gap-analysis project to their regular workload would have been a "big burden."
Marcel Blanchet, CIO at Branford, Conn.-based The Connecticut Hospice Inc., a hospital facility for terminally ill patients, took the opposite view. His IT department conducted an internal gap analysis because he thought his group could do it well and the in-house option would save the nonprofit organization money, Blanchet says.
Sayre says that for a company the size of hers, which has one location and a few hundred employees, $70,000 and up is the going price for compliance with HIPAA. Remediation costs can also increase the total tab. At CareGroup Healthcare System in Boston, a gap analysis by El Segundo, Calif.-based Computer Sciences Corp. resulted in a yearlong effort to move into compliance, says CIO John Halamka. The project will cost about $1 million, a significant chunk of the IT department's $26 million budget.
Regardless of who has responsibility for the analysis, IT personnel need to be involved in the preparation for the audit, the conduct of the audit and the plans for addressing any gaps found.
Even when a company outsources gap analysis, the IT department must still collect the relevant documentation on security and privacy policies and procedures, plus any engineering-level documents that outline technical security specifications. This paperwork must be turned over to the consulting firm so it can understand the company's current practices. At eMed, consultants also interviewed the engineers, says Pickard. If any internal systems testing is involved, as was the case with eMed, an IT administrator needs to create an account that the consultants can use to log on to the network. But that's a minor level of IT involvement compared with the tasks faced by IT departments once the report is in.
Forcing Change
When consultants from Novell Inc. submitted a security assessment to Capital Region Health Care Corp. in Concord, N.H., Mark Starry, the company's enterprise architecture manager, launched an internal audit of the rights and permissions granted to more than 3,000 users for access to hundreds of shared directories and approximately 400 applications. This was in direct response to the privacy portion of HIPAA, which directs covered organizations to limit workforce access to patients' records to the minimum necessary for each person's job.
Starry says he's given Novell the job of redesigning Capital Region's Novell Directory Services implementation. He's also putting in audit trails to back up the redesign of the company's permissions scheme, allowing him to track access to confidential information in case there's ever a problem.
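The kind of review described above, reduced to a runnable sketch: an added example for this article, not code from Capital Region Health Care, Novell or Computerworld. It takes a constructed set of group memberships, the share ACLs as they currently stand, and a minimum-necessary policy; it resolves every group grant down to effective per-user rights, reports each grant that exceeds the policy, and then reads a constructed file-server audit trail and flags accesses the policy would not have permitted. All users, groups, shares, rights and log lines are invented, and rights are simplified to none, read ("R") or read-write ("RW").

```python
"""Access review for shared directories against a minimum-necessary policy,
plus a check of an access trail against that same policy.

Added example for this article; it is not code from Capital Region Health
Care, Novell or Computerworld. Every name, group, share, right and log line
below is constructed. Rights are modelled as "" (none), "R" or "RW".
"""
from collections import defaultdict

RIGHTS_RANK = {"": 0, "R": 1, "RW": 2}

# Constructed directory-group memberships.
GROUP_MEMBERS = {
    "Nursing":   {"asmith", "bjones"},
    "Billing":   {"cdoe"},
    "Radiology": {"asmith", "dlee"},
    "Everyone":  {"asmith", "bjones", "cdoe", "dlee", "eroe"},
}

# Constructed ACLs as they currently stand: share -> {trustee: rights}.
# A trustee is either a group name or a user name.
SHARE_ACLS = {
    "PatientCharts": {"Nursing": "RW", "Radiology": "R", "eroe": "RW"},
    "Claims":        {"Billing": "RW", "Everyone": "R"},
    "Public":        {"Everyone": "RW"},
}

# Constructed minimum-necessary policy: which groups may hold which rights.
POLICY = {
    "PatientCharts": {"Nursing": "RW", "Radiology": "R"},
    "Claims":        {"Billing": "RW"},
    "Public":        {"Everyone": "RW"},
}


def resolve_rights(grants_by_share, groups):
    """Expand group trustees to users; keep each user's highest right per share."""
    rights = defaultdict(dict)  # user -> share -> "R" | "RW"
    for share, grants in grants_by_share.items():
        for trustee, right in grants.items():
            for user in groups.get(trustee, {trustee}):
                if RIGHTS_RANK[right] > RIGHTS_RANK[rights[user].get(share, "")]:
                    rights[user][share] = right
    return rights


def find_excess(acls, policy, groups):
    """Return (user, share, held, allowed) for every grant beyond the policy."""
    held = resolve_rights(acls, groups)
    allowed = resolve_rights(policy, groups)
    excess = []
    for user in sorted(held):
        for share in sorted(held[user]):
            have = held[user][share]
            may = allowed[user].get(share, "")
            if RIGHTS_RANK[have] > RIGHTS_RANK[may]:
                excess.append((user, share, have, may))
    return excess


# Constructed file-server audit trail: timestamp followed by key=value fields.
AUDIT_TRAIL = """\
2001-06-27T08:15:02 user=asmith action=READ share=PatientCharts file=chart_0042.pdf
2001-06-27T08:16:40 user=cdoe action=READ share=Claims file=claim_1001.txt
2001-06-27T08:17:05 user=eroe action=READ share=PatientCharts file=chart_0042.pdf
2001-06-27T08:19:31 user=dlee action=WRITE share=PatientCharts file=chart_0042.pdf
""".splitlines()

NEEDED = {"READ": "R", "WRITE": "RW"}  # right each action requires


def parse_event(line):
    """Split one trail line into a dict of its fields plus the timestamp."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = ts
    return event


def trail_violations(lines, policy, groups):
    """Flag accesses the policy would not permit, even if the ACL allowed them."""
    allowed = resolve_rights(policy, groups)
    hits = []
    for line in lines:
        ev = parse_event(line)
        may = allowed[ev["user"]].get(ev["share"], "")
        if RIGHTS_RANK[may] < RIGHTS_RANK[NEEDED[ev["action"]]]:
            hits.append((ev["ts"], ev["user"], ev["action"], ev["share"]))
    return hits


if __name__ == "__main__":
    for row in find_excess(SHARE_ACLS, POLICY, GROUP_MEMBERS):
        print("excess grant: user=%s share=%s held=%s allowed=%r" % row)
    for row in trail_violations(AUDIT_TRAIL, POLICY, GROUP_MEMBERS):
        print("unexpected access: ts=%s user=%s action=%s share=%s" % row)
```

Two points worth noting. The trail is judged against the policy rather than against the ACLs, so it surfaces reads that the current, over-broad permissions quietly allowed (the "Everyone" read on Claims, the direct grant to one user on PatientCharts); that is exactly the evidence a reviewer needs to justify the redesign. And a real review has to resolve nested groups and inherited directory rights, which this sketch does not; those are where most surprises hide.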
Rather than retrofitting systems based on a gap analysis, some IT leaders are rebuilding security from the ground up for compliance.
After an analysis led by Cap Gemini Ernst & Young and in-house IT staff at Centura Health, Senior Vice President Elaine Callas chose to consolidate the Englewood, Colo.-based health-care organization's operating systems. By moving to a single-vendor architecture, with servers running Windows 2000 and Windows-based desktop machines, Centura can use Windows distributed security to solve many of its HIPAA concerns, she says.
At CareGroup, paying attention to security fundamentals is also the first line of HIPAA security, says Halamka. One such priority is ensuring that the firewall is doing its job, he says. That includes closing unneeded ports so that there is no open path through which patient information can leave the network. Halamka also configured servers with digital certificates for authentication.
HIPAA is also pushing the IT department to take subtler security steps. CareGroup is going through its applications to remove unnecessary identifying information, says Halamka. For example, a user of an accounting program doesn't need to know a full diagnosis of someone's condition in order to bill him for a test, Halamka says.
The Connecticut Hospice is making physical changes in response to HIPAA, says Blanchet. The in-house gap analysis it performed uncovered places where nearby employees or visitors could see protected information when it was displayed on a monitor. So the hospice is building higher counters at secretarial and nursing stations and putting blinders along the sides of monitors to shield the screen from passersby, he says. IT staffers have also installed screen savers on desktop systems so that they blank out and protect confidential information at the touch of a key, Blanchet says.
IT managers say that although a gap analysis helps them clarify the weaknesses in their security efforts, it also reveals that their existing efforts are pretty strong. Capital Region hasn't had to change its privacy and security practices much because it's already doing the right things to protect patient information, says Starry. "HIPAA just gives the government a mechanism to enforce what a lot of good hospitals have been doing all along," he says.
Computerworld