HIPAA TIPS

Using DITSCAP Regulations to Address HIPAA


Editor's Note: This is the first of a two-part series on the work that Pacific Medical Centers did to prepare for HIPAA regulations by following the government's DITSCAP requirements. The two participants in this interview, CIO Don Lewis and consultant Wayne Mackert, presented on this topic at the HIPAA X Summit in Baltimore earlier in 2005. Part two will run the week of Aug. 15.

By Robert N. Mitchell

Pacific Medical Centers in Seattle used the Department of Defense's standard for protecting and securing information systems -- the Defense Information Technology Security Certification and Accreditation Process (DITSCAP) -- to address HIPAA compliance.

Don Lewis, CIO at Pacific Medical Centers, said that the DITSCAP regulations were more specific than the HIPAA requirements. "We found that if we went through the DITSCAP process, which we were required to do because of our work with the federal government, we ended up with specific recommendations and things that had to be done. By following DITSCAP, we answered most, if not all, of the HIPAA requirements, which we considered to be very vague," Lewis said. "DITSCAP gave us more direction than HIPAA."

Wayne Mackert, managing partner at iTM Healthcare/iTech Management, LLC, based in Bellevue, Wash., and former interim CIO at Pacific Medical Centers prior to Lewis' arrival, said that there are both required and addressable items in the HIPAA regulations. "DITSCAP actually comes with a roadmap of how to approach this: Nothing was left to the organization. All mitigation and remediation plans were reviewed and the Department of Defense (DoD) security team had final approval of any approach - and the DoD definitely required that best practices be followed," he added.

A closer look
The DITSCAP process took Pacific Medical Centers through a four-phase process: definition, verification, validation and post-accreditation. "As you go through each phase, you are mandated to create specific documentation along the way," Mackert said. By following the DITSCAP process, Pacific Medical Centers satisfied the overwhelming majority of the documentation requirements under HIPAA. For example, a system security authorization agreement had to be instituted between the health care organization and the federal government, as well as a description of the organization's network parameters, Mackert said. "Pacific Medical Centers had to show a security design -- what DITSCAP calls a Concept of Operations -- including a diagram of all system security features and a users' guide. Pacific also had to provide a security policy and process manual," he said. This manual includes the organization's staff controls and technical security procedures. It also includes any established rules of security behavior, not only for the organization's IT systems, but also for the users of the systems.

Lewis said that all of the required documentation in DITSCAP mapped closely to the HIPAA requirements. "A lot of the language is actually very similar regarding the physical controls. However, DITSCAP is much more specific on what has to be done and how it must be accomplished," Lewis said. 

In addition, DITSCAP contains a strong enforcement aspect. "The federal government will audit us on a regular basis; it's not a one-time event. In contrast, with HIPAA, there has not been a clear definition of how enforcement will be handled," Lewis said.

Most health care CIOs may not be familiar with DITSCAP if their organization doesn't regularly work with the federal government. Nonetheless, CIOs can learn things from the DITSCAP process that Pacific Medical Centers followed, Lewis and Mackert said. "This process makes the typical third-party security assessment seem like a walk in the park," Mackert said.

"If they aren't holding any government data or connecting to government systems, they aren't required to go through this process," Mackert said. "Pacific Medical Centers had to go through this process because it had placed a bid and had been awarded one of seven U.S. Family Health Plans (USFHP) geographic franchises, administered by the DoD to compete with TRICARE, the health care program for active-duty and retired uniformed service personnel and their families."

DITSCAP requirements
Lewis said that most of the DITSCAP requirements are publicly available, and information is located on various government Web sites. Any organization could use the methodology to enhance its information and internal security stance, Lewis said. "As an organization goes through the assessment process, the basic requirements apply to any organization. Most of the requirements got their start in other areas of the federal government, outside of the DoD," Lewis said. Some started within the National Security Agency, while others came out of the National Institute of Standards and Technology (NIST). "Those agencies created points of reference/checklists that describe which security controls must be in place," Lewis said.

DITSCAP requirements are highly detailed and specific, Lewis noted. "The requirements specify which best practice to follow, and tell the organization how to create a setting. They provided us with tools that combine commercially available software from companies and some government, proprietary tools," Lewis said. "Because we are a franchisee of USFHP and have to undergo this process, they provided Pacific Medical Centers with the tools so that we can maintain our ongoing security posture. We receive monthly updates on policy sets, which physically check the settings internal to the hardware and software (Windows, mainframe, network device), as well as the software (applications and databases). They check things such as whether the password list is regularly cleaned out and whether strong passwords are in place."

In addition to the security work that was done, Pacific Medical Centers' electronic medical record system (EMR) was also certified by iTM Healthcare on behalf of Pacific Medical Centers. "As we were going through our due diligence of the EMR system, Mackert's company, iTM Healthcare, performed an in-depth security assessment and remediation for the vendor on behalf of Pacific Medical Centers. We provided documents to Pacific Medical Centers from NIST that are used by the government (i.e., checklist) that had specific information about the new database used in the vendor's solution," Mackert said.

Differences between DITSCAP and HIPAA must also be considered. "HIPAA says that you must have passwords, but they don't specify that you must have a four-way password that has to be changed every 30 days. DITSCAP, for instance, says that you have to have a specific password format and indicates how often it must be changed. Under DITSCAP, users are forbidden from sharing user IDs and passwords, and if they share them, there must be a 'break-the-glass' audit capability," Mackert said. For example, in a hospital emergency room -- where there has to be ready access to systems and where sharing passwords and user IDs is more common -- the federal government considers the business continuity perspective and allows some mitigating factors.

"We had to document everything and the federal government had to review our request," Lewis said. "What's missing in the HIPAA regulations is an enforcement authority charged with looking at this to define what is an acceptable amount of risk for the organization."

Some difficulties
"The DITSCAP process, at times, was onerous, because it asked the organization to jump through some pretty high hoops in a short period of time, which was unexpected from a budgetary and staffing perspective," Mackert said. "However, we believe that in the end it was worth it. The future of health care has to include certification of security and privacy practices of all health care organizations by a third-party reviewer." Mackert said that health care solution vendors should undertake third-party security assessment and certification for their standard deployment environment. "It doesn't make sense that every vendor's customer has to incur the cost to assess and remediate a vendor's HIPAA-compliant solution," he said.

Under DITSCAP, Pacific Medical Centers was required to follow a formal checklist throughout the entire process and have a third-party assessment performed. "They were looking for glass breakage detection security, security of devices, sign-in lists. They were also checking the telephone and communications closets to make sure that someone couldn't crawl in through a suspended ceiling and patch into the panels or modify settings. This parallels the HIPAA physical security rules. The review also looked at fire and safety issues, and whether privacy screens were installed on PCs. The medical center spent more than $18,000 just for PC screen privacy filters (3M privacy filters)," Mackert noted.

Mr. Mitchell is managing editor of ADVANCE for Health Information Executives.