Bsafe Addresses HIPAA with Field Masking for i5/OS Apps
Published: December 5, 2006
by Alex Woodie
The 1996 passage of the Health Insurance Portability and Accountability Act (HIPAA) is heralded as a major breakthrough in the protection of patient data. And although it helps reduce the possibility of identity theft or other wrongful use of sensitive data, HIPAA can be a major headache for the IT staff charged with implementing its processes. One of the software companies helping hospitals, doctors' offices, and insurance companies to comply with HIPAA is Bsafe Information Systems, an Israeli developer of security software for i5/OS, z/OS, and Linux computers.
As a patient, it's tough to not notice the new rules that HIPAA has forced onto American medicine. The additional paperwork, the extra authentication steps, and the white lines painted on the ground that we're supposed to stand behind, are all changes that were implemented following the passage of the act. But there are scores of other changes as a result of this law, including modifications to the computer systems healthcare and insurance workers use on a daily basis.
Unfortunately, many of these computer systems commingle the relatively bland and innocuous data about patients--such as names, addresses, and telephone numbers--with the down-and-dirty health status, lab results, and medical histories that HIPAA specifically forbids anybody but the patient and the doctor from seeing. This presents a real problem for secretaries and other customer service professionals who need access to some patient data, but who are now prohibited from viewing sensitive data types.
Merav Bohr, Bsafe's marketing manager, came up with this hypothetical example showing how current computer systems are ill-suited for HIPAA. Consider what might happen if a husband knew his wife went to visit a doctor, and called up the doctor's office to see why. The secretary, upon pulling up the wife's file, answers "Congratulations, your wife is pregnant."
While the pending arrival of a baby is good news for the family--and something the husband will most likely find out anyway--this accidental disclosure of private medical information is a violation of HIPAA, and if the doctor is aware of what has happened, he is at liberty to fire his secretary, who could also be prosecuted for revealing the information.
The doctor has some difficult choices to make if he wants to comply with HIPAA, according to Bohr. "For example, does the busy doctor have to call up all of her patients and set up appointments? How can the secretary call up patients if she cannot access their files? Would the busy doctor have to do all the scheduling work, or keep separate files for patients' medical and contact data, something that can bring extra workload and confusion?"
As Bohr notes, neither of these options is particularly attractive. As you might have guessed, Bsafe has a solution to this problem, and it's called field masking.
Field masking is one of the components of Bsafe/Enterprise Security, the company's suite of i5/OS security tools. The other modules include exit point access control, application and network monitoring, system and database auditing and reporting, SNA and IP network control and alerting, object access and control, and user profile management.
Field masking can be a boon to HIPAA compliance. In the example given above, field masking could be used to enable the secretary to pull up a patient's file to get contact information without exposing the sensitive medical data to her unauthorized eyes. In this way, the application and database do not need to be rewritten or modified to create separate, but parallel, data repositories.
One of the handy features of Bsafe's field masking module lets some users see more information on the screen than other users, which the product implements by using "private zones" and "public zones," and synchronizing data between the two. Administrators can control which user profiles are allowed to see certain fields, ensuring a doctor's ability to view all of his patients' data, while restricting certain fields from being displayed to other users.
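The private-zone/public-zone idea described above can be sketched as follows. This is an added illustration of the general pattern, not Bsafe's code or anything from the article: SQLite stands in for the i5/OS database, and the table names, column names, and profile names are assumptions made for the example.

```python
import sqlite3

# Constructed schema: private zone holds every field, public zone only contact fields.
SCHEMA = """
CREATE TABLE private_patients (id INTEGER PRIMARY KEY, name TEXT, phone TEXT,
                               diagnosis TEXT, lab_results TEXT);
CREATE TABLE public_patients  (id INTEGER PRIMARY KEY, name TEXT, phone TEXT);
-- Keep the public zone in step with the private zone on add, update and delete.
CREATE TRIGGER sync_add AFTER INSERT ON private_patients BEGIN
    INSERT INTO public_patients VALUES (NEW.id, NEW.name, NEW.phone);
END;
CREATE TRIGGER sync_upd AFTER UPDATE ON private_patients BEGIN
    UPDATE public_patients SET name = NEW.name, phone = NEW.phone WHERE id = NEW.id;
END;
CREATE TRIGGER sync_del AFTER DELETE ON private_patients BEGIN
    DELETE FROM public_patients WHERE id = OLD.id;
END;
"""

# Hypothetical profile names; any profile not listed is denied outright.
ZONE_FOR_PROFILE = {"DOCTOR": "private_patients", "SECRETARY": "public_patients"}

def open_db():
    """Create an in-memory database with both zones and the sync triggers."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    return db

def read_patient(db, profile, patient_id):
    """Return the patient record as the given profile is allowed to see it."""
    table = ZONE_FOR_PROFILE.get(profile)
    if table is None:
        raise PermissionError(f"profile {profile!r} has no zone assigned")
    # table comes from the fixed mapping above, never from user input
    row = db.execute(f"SELECT * FROM {table} WHERE id = ?", (patient_id,)).fetchone()
    return dict(row) if row else None

if __name__ == "__main__":
    db = open_db()
    # Constructed sample record
    db.execute("INSERT INTO private_patients VALUES (1, 'Jane Doe', '555-0100', "
               "'constructed diagnosis', 'constructed lab result')")
    print(read_patient(db, "SECRETARY", 1))   # contact fields only
    print(read_patient(db, "DOCTOR", 1))      # full record
```

Because the secretary's profile only ever reads the public copy, the sensitive columns are absent from the result rather than hidden at display time, and the application that writes to the private table needs no changes.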
Field Masking was first introduced with Bsafe/Enterprise Security version 4.2, which shipped earlier this year, according to Bohr. The company is currently working on version 5.0, which will bring new field masking features, including the capability to have multiple public libraries for each private file, and more flexibility in "tuning" field synchronization during additions and updates, Bohr says.
Version 5, which is due out this month, will also address other regulatory mandates, including the Sarbanes-Oxley Act. The new version will boost the auditing capability of Bsafe/Enterprise Security's Central Audit module, which some corporations use to collect and store a year's worth of audit data, a section 802 requirement.
With Bsafe/Enterprise Security 5.0, users will gain the capability to offload audit data from the System i server to a Windows server. The company wants to let users do this due to the enormous amount of disk space used up when the Central Audit module is allowed to run for an extended period of time.