You can drown in too much security | Behavioral Healthcare Executive

You can drown in too much security

August 1, 2008
by Kevin Baughman, MBA
IT security is important, but it shouldn't prevent staff from effectively doing their jobs

Two longtime college rivals found a genie's bottle and both were granted a wish. One said that he was tired of people who didn't share his devotion for his alma mater passing through town. He wished for a large, solid wall around the town to keep people out, and the genie built the wall. After thinking for a moment, the rival made his wish: “Fill it up with water.” The moral of the story: You can drown in too much security.

Behavioral healthcare provider organizations are required to have a number of IT security policies, procedures, and practices. For example, Joint Commission standard IM.2.1 requires that “the organization determines the need for and appropriate levels of security and confidentiality of data and information.” The HIPAA Security Rule, at 45 CFR 164.306(b)(1), states that covered entities may use “any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified.” Yet rigidly focusing on security standards without regard to the “reasonableness” of their implementation can result in an organization effectively “securing itself from itself.” Have you ever hidden a present for someone and then forgotten where you stashed it? The same principle applies to IT.

For example, one of the HIPAA technical safeguards, the automatic logoff implementation specification at 164.312(a)(2)(iii), calls for electronic procedures that terminate a session after a predetermined time of inactivity, so that an unattended workstation does not stay signed in. (The specification is “addressable,” meaning the organization decides how to meet it and documents its reasoning.) It seems like a simple rule. However, determining a “reasonable” idle interval before auto-log-off triggers may depend on who makes the decision.

We have had differences of opinion within my organization. Technical staff, typically more focused on security, initially believed ten minutes was an appropriate interval. It didn't take long until clinical staff said that they seemed to spend as much time logging in and out of the system as they spent documenting patient care. As a result, the idle interval swung to the other extreme, allowing clinicians to remain in the system from morning log-in until the day was done. Thus, the HIPAA-compliant auto-log-off feature existed, but it was seldom triggered. Eventually everyone agreed on a reasonable and appropriate idle interval (four hours), allowing clinicians to do their work while maintaining security levels that reasonably keep unauthorized users from accessing an unattended computer.
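To make the trade-off above concrete, here is an added example (not code from the article or from the author's organization) that simulates an inactivity-based auto-log-off over one constructed day of clinician activity and scores three idle intervals: the technical staff's ten minutes, the negotiated four hours, and an all-day interval that never fires. The activity timestamps, the "next morning" check, and the policy names are assumptions invented for the illustration. The countdown restarts on every user action, which is how the phrase "time of inactivity" in 164.312(a)(2)(iii) is read here; an absolute session lifetime would behave differently.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Sequence

# Constructed sample (assumed data, not from the article): moments during one working day
# at which a clinician touched the workstation. Documentation bursts are a few minutes
# apart; the 55- to 80-minute gaps are time spent with patients or at lunch.
_DAY = "2008-08-01 "
CLINICIAN_DAY: List[datetime] = [
    datetime.fromisoformat(_DAY + t) for t in (
        "08:00", "08:05", "08:12", "08:20",   # morning documentation
        "09:15", "09:22", "09:30",            # back from a 55-minute session
        "10:30", "10:39",
        "12:00", "12:05",
        "13:00", "13:09",                     # after lunch
        "14:15", "14:24",
        "15:30", "15:39",
        "16:45", "16:54",                     # last action; user leaves without logging off
    )
]
# Assumed: nobody explicitly logs the session off, and it is next examined the following morning.
NEXT_MORNING = datetime.fromisoformat("2008-08-02 08:00")

# The three intervals discussed in the text (names are the example's own labels).
POLICIES: Dict[str, timedelta] = {
    "10 minutes": timedelta(minutes=10),
    "4 hours": timedelta(hours=4),
    "all day (24 hours)": timedelta(hours=24),
}


@dataclass(frozen=True)
class IdleLogoffPolicy:
    """Auto-log-off driven by inactivity: the countdown restarts on every user action."""
    idle_limit: timedelta

    def forced_logoffs(self, activity: Sequence[datetime], observed_until: datetime) -> List[datetime]:
        """Times at which the policy terminated the session.

        `activity` must be sorted. A log-off is recorded whenever the gap between two
        consecutive actions, or between the last action and `observed_until`, exceeds
        the idle limit; the session ends exactly idle_limit after the last action.
        """
        logoffs: List[datetime] = []
        following = list(activity[1:]) + [observed_until]
        for prev, nxt in zip(activity, following):
            if nxt - prev > self.idle_limit:
                logoffs.append(prev + self.idle_limit)
        return logoffs

    def unattended_exposure(self, activity: Sequence[datetime], observed_until: datetime) -> timedelta:
        """How long the session stayed open after the user's final action: the full gap
        if the policy never fired, otherwise the idle limit."""
        return min(observed_until - activity[-1], self.idle_limit)


def compare(policies: Dict[str, timedelta], activity: Sequence[datetime],
            observed_until: datetime) -> Dict[str, Dict[str, object]]:
    """Score each interval by daytime interruptions and by overnight exposure."""
    last_action = activity[-1]
    results: Dict[str, Dict[str, object]] = {}
    for name, limit in policies.items():
        policy = IdleLogoffPolicy(limit)
        logoffs = policy.forced_logoffs(activity, observed_until)
        # Log-offs before the final action are the re-logins the clinician has to perform.
        daytime = [t for t in logoffs if t < last_action]
        exposure = policy.unattended_exposure(activity, observed_until)
        results[name] = {
            "re_logins_during_day": len(daytime),
            "overnight_terminated": len(logoffs) > len(daytime),
            "unattended_hours": round(exposure.total_seconds() / 3600, 2),
        }
    return results


if __name__ == "__main__":
    for name, score in compare(POLICIES, CLINICIAN_DAY, NEXT_MORNING).items():
        print(f"{name:>20}: {score}")
```

Against this trace the ten-minute interval forces seven re-logins during the day, the all-day interval leaves the forgotten session open for the whole fifteen-hour night, and the four-hour interval forces none during the day while still closing the unattended session in the evening. Running the script over an organization's real session logs, rather than a constructed day, is one way to put numbers behind the "reasonable and appropriate" argument.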

Password policies are another necessary requirement (HIPAA Standard 164.312[d], person or entity authentication) that can foster inefficient and even counterproductive operational and security practices. A common security policy requires “strong” passwords that use upper- and lower-case letters, numbers, and punctuation, contain at least eight characters, and are changed routinely. An outsider guessing passwords will find it difficult to get into a system that enforces such rules.

However, strong passwords can create practices that decrease security effectiveness. Legitimate users tend to have trouble remembering strong passwords, so they often write them down, commonly placing them underneath a keyboard, inside a center desk drawer, or even on a sticky note attached to the computer itself. The security policy is being met by using strong passwords, but the actual security objective is compromised.

What is the reasonable and appropriate action? An organization can elect to relax the strong password requirement, or it can allow users to write down their passwords with the understanding that the security problem has moved from the password to the piece of paper it is written on. As is the case with many of the HIPAA, Joint Commission, and CARF information management standards, educating and communicating with system users are as important as, if not more important than, the policy itself.

Netsmart's Scalia becomes SATVA chair

Kevin Scalia, executive vice-president of corporate development at Netsmart Technologies, became chair of the Software and Technology Vendors' Association (SATVA) last month. He succeeded Mike Morris, president of Anasazi Software, Inc., whose term had ended. “Healthcare in all sectors is undergoing unprecedented change at exponential rates. With the trend towards interoperable systems and connected care, my vision is to have SATVA be at the forefront of addressing these changes on behalf of consumers,” says Scalia. “This means bringing SATVA members from companies of all sizes together to define what the industry needs both in conjunction with and on behalf of our customers.” Scalia's term will end in July '09, when Marlowe Greenberg, CEO of Foothold Technology, will assume the chairmanship. —Douglas J. Edwards

As a HIPAA covered entity, how does a provider organization comply with the HIPAA Security Rule and its accreditation standards without making it painful for staff to do their jobs? First and foremost, communicate effectively. Staff need to make clear what they need to do their jobs. Management must respond with workable organizational policies. Executive management must ensure the process happens without internally damaging power struggles. It isn't easy.