Margret Amatayakul

Does your budget for HIPAA security read like a shopping list filled with unnecessary cans of alphabet soup? You may be right.

There may be a flawed reason that IS requests include SEM tools to manage IDS data-or perhaps not. Getting the ISO to explain the underlying assumptions made when establishing technology needs (and define acronyms) can help healthcare financial managers offer direction during the budget-allocation process and achieve the level of security right for their organizations.

Some questions to consider when budgeting for HIPAA security include:

  • What is the security policy driving the technology?
  • Has a risk analysis proven the need for upgrading the policy and associated technology?
  • Have all current security measures been implemented properly?
  • What overall approach is being taken to address security?
  • Are the resources available to use the technology?

Security policy. Security is not simply technology to be bought. Rather, it is a process enabled by technology. To start this process, providers need to have clear, enforceable, and enforced policy directives. Policies should state the desired outcome of the directive and reflect executive management's level of risk tolerance. Also, each line item should be clearly associated with a specific security policy.

Another important consideration is to ensure that the security policy driving the technology receives the appropriate involvement of management. Under HIPAA, the information security official (ISO) is responsible for developing and implementing policies and procedures for security. However, this designation does not mean executive management should abdicate responsibility for approving policy. It is important for executive management to lead by example by supporting the implementation and enforcement of security controls. Also, executive management should ensure that approval processes are timely. When gaining approval becomes unreasonably lengthy, ISOs are likely to respond by creating procedures that won't require executive approval. In such instances, executives quickly find themselves out of the information loop and unable to properly assess the budget.

Risk analysis. HIPAA clearly requires a thorough risk analysis to meet security needs-a gap analysis or vulnerability assessment alone is not enough. Budget decisions should not be based solely on weaknesses in technology, but on the fact that a threat exists that is very likely to exploit the vulnerability and cause considerable harm.

When financial managers review the risk analysis in relation to technology requests, they need to balance priorities. Some executives mistakenly fear that anything but the most risk-averse position will make them potentially noncompliant. Others make the incorrect assumption that they have no choice, monetarily, but to be risk-tolerant and are reluctant to articulate this position, fearing it may reflect a lack of concern for security.

Fear should not dominate decision-making when determining whether risk analysis proves the need for technology controls. Instead, financial managers should look for an explanation of threats and the harm they can produce, and balance this information with the residual risk in the control that is being requested as well as the true risk position of executive management.

Current measures. Before saying yes or no to a technology request, you should determine how the requested controls add to security measures that already exist. In many cases, security features are already available in the organization's hardware or software but simply have not been activated or have been implemented only at their default settings. To help ensure your organization's security measures are implemented properly, it is important to see whether this "hardening"-or process of configuring operating systems and applications so that they reflect needed services and controls-occurs. In many cases, these measures have a long history of going unchecked, primarily because there hasn't been an ISO to monitor implementation or information security hasn't been top-of-mind.

Another important consideration when examining current security measures is how vulnerable the technology is to social engineering, or attempts by outsiders to gain access to a system by tricking users into disclosing their password or breaching similar access controls. Too often administrative and physical safeguards included in HIPAA are considered "soft" issues by ISOs. Yet in many ways, rewarding security-incident reporting and establishing a communal sense of accountability for security can be more powerful than any type of technical safeguard employed. What's more, ISOs need to spend as much time addressing administrative and physical safeguards as technical safeguards because these concerns represent more than half of the HIPAA security rule standards.

Overall approach. Your organization's overall approach to addressing security should reflect a layered architecture that guards against both internal and external threats. To illustrate the importance of layering for security, consider banks. Banks minimize external threats with clear physical controls, such as strong facades and armed guards on duty. Also important are added layers of protection in case a thief foils the physical controls, such as camera monitors and distress alarms. Banks then support these efforts with internal controls, including access controls, accounting procedures, and auditing. Given that a majority of threats in health care are internal-whether accidental or intentional-a layered approach to security is important to ensure that both internal and external threats are minimized.

Resource availability. Highly sophisticated tools, such as intrusion detection systems (IDSs), often require big budgets and immense amounts of time to use. It is not to say that the tools are not appropriate, but the resources they can potentially consume if every alert is investigated and every patch is applied can rapidly consume all of the ISO's time-leaving none for equally important security tasks, such as communicating the value of security efforts with staff. Because IDS data are time-consuming to analyze, security-event management (SEM) tools have been created to serve as a central repository that collects and correlates security-incident and alarm information from various IDS and vulnerability-assessment tools. A very large corporate structure with multi-vendor security tools may benefit from the use of an SEM tool, but for many moderate-sized providers, not only is the SEM tool overkill, but the IDS may not be totally necessary either.

A Better Budget Proposal

Could your organization's approach to HIPAA budgeting best be characterized as lacking commitment to security controls? If so, it's time to position your communications to build greater support. A thoughtful approach to the budget approval process is likely to not only generate a better budget proposal from the outset, but also demonstrate that the organization cares enough about security to ensure that it meets organizational policy directives.

Margret Amatayakul, RHIA, CHPS, FHIMSS, is president, Margret\A Consulting, LLC, Schaumburg, Ill.

Questions or comments about this article may be sent to the author at

Did You Know?

The need for security layering is often why a budget request for two firewalls may be more prudent than a budget request for one large, heavy-duty firewall. That's because a firewall works by providing a shell around resources (typically deployed at the perimeter of a network) to block intruders. That shell can be broken, and another shell may be needed to block users who have already gained access. 

Publication Date: Sunday, February 01, 2004

Login Required

If you are an existing member, please log in below. Username and password are required.



Forgot User Name?
Forgot Password?

If you are not an HFMA member and would like to access portions of our content for 30 days, please fill out the following.

First Name:

Last Name:


   Become an HFMA member instead