
IT Compliance Institute, September 13, 2005:

Best Practices

Acute Care: HIPAA, a Hospital, and Database Security

If you want to secure databases containing protected health information, the first big challenge is to find them.

By Mathew Schwartz

Want to secure and audit databases containing electronic protected health information (EPHI)?

First you have to find them. Ochsner Clinic Foundation learned that hard lesson a year and a half ago, when it began efforts to bring its information security into HIPAA compliance. Ochsner, a not-for-profit healthcare organization based in New Orleans, includes a 580-bed acute care hospital and a 71-bed sub-acute care facility, plus 24 clinics located across southeast Louisiana.

"One of the first things we realized we had to do was come up with some policies and standards. And one of the first things I tried to determine was where our databases actually [were]," says Mark Maher, the administrator at Ochsner responsible for database security. Still, Maher lacked a surefire way of doing that. As a result, Ochsner couldn't guarantee that database passwords were strong, that database access had been terminated for former employees, or whether unsecured databases contained EPHI. The company's external auditor, Deloitte & Touche, was not thrilled.

Ochsner's challenge is a common one. Implementing and documenting information security audit controls continues to be a challenge for many healthcare organizations. More than half of healthcare providers rated audit controls as the most difficult-to-implement part of the HIPAA security standard, according to a January 2005 survey conducted by HIMSS and Phoenix Health Systems.

In 2004, however, Ochsner began looking for database security auditing help, ultimately adopting a vulnerability scanner, AppDetective, from Application Security, Inc. "This tool actually allowed us to scan all of the Ochsner network, which is sizable and extends throughout the entire state," Maher says. "This was important because quite a few databases are being managed by people outside of IT."

Scanning Databases for Vulnerabilities

The first full-network scan found multiple Oracle, Sybase, DB2, and MySQL databases the IT department didn't know about. Ultimately, "we identified three to four databases that did contain EPHI that we didn't know existed," Maher recalls. Most databases still used default passwords, which are well-known and thus a security risk. The IT department immediately stepped in to change them. Being able to do that "was really big, and that's one of the strengths of this tool," Maher states.

Scanning database passwords to ensure they're strong enough to withstand dictionary-style attacks is another feature. "Over the years, I've been to some security seminars and accumulated scripts to identify weak passwords, but they wouldn't check everything," says Maher. Now, using AppDetective, Maher regularly runs password penetration scans. These take a few minutes and hit all the known Oracle and SQL Server databases, which have thousands of users.

Ochsner's security policy specifies that passwords must have eight alphanumeric characters, not be part of a person's name, and not contain common words. When insecure passwords are found, IT e-mails the employee and tells them they have a limited amount of time to improve their password, or risk losing access. "Most people clean it up," Maher notes.
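The policy in the paragraph above, turned into a checker, as an added example that is not part of the original article and not Ochsner's or AppDetective's code. It assumes the rule means at least eight characters with both letters and digits, treats any name token of three or more characters as "part of a person's name", and uses a constructed six-word list where a real check would load a full dictionary:

```python
import re

# Constructed stand-in for a real dictionary of common words (assumption).
COMMON_WORDS = {"password", "welcome", "hospital", "clinic", "summer", "letmein"}

MIN_LENGTH = 8  # policy: "eight alphanumeric characters", read as a minimum


def name_fragments(full_name, min_len=3):
    """Lowercase tokens of a person's name that are long enough to matter.
    Assumption: 'part of a person's name' means any name token of
    min_len or more characters (first, middle, last, hyphen parts)."""
    tokens = re.split(r"[\s\-']+", full_name.lower())
    return sorted(t for t in tokens if len(t) >= min_len)


def check_password(password, full_name, common_words=COMMON_WORDS):
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        # Assumption: "alphanumeric" requires a mix of letters and digits.
        violations.append("must mix letters and digits")
    lowered = password.lower()
    for frag in name_fragments(full_name):
        if frag in lowered:
            violations.append("contains part of the user's name: %r" % frag)
            break
    for word in sorted(common_words):
        if word in lowered:
            violations.append("contains common word: %r" % word)
            break
    return violations


def audit_accounts(accounts):
    """accounts: list of (username, full_name, password_candidate).
    Returns {username: violations} for every account that fails policy,
    i.e. the list of people IT would notify. In practice the candidate
    would be a cracked or reset-time password, never a stored plaintext."""
    failures = {}
    for username, full_name, candidate in accounts:
        problems = check_password(candidate, full_name)
        if problems:
            failures[username] = problems
    return failures


if __name__ == "__main__":
    # Constructed sample accounts, not real Ochsner data.
    sample = [
        ("mmaher", "Mark Maher", "maher123"),
        ("jdoe", "Jane Doe", "Summer2005"),
        ("rlee", "Rita Lee", "Xq7vRt2pLw"),
    ]
    for user, problems in audit_accounts(sample).items():
        print(user, "->", "; ".join(problems))
```

The checker reports every rule a password breaks rather than stopping at the first, which is what the notification e-mail needs so the employee can fix all of them in one pass.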

Moreover, Maher uses the software to reconcile user departures with database authorization. Between residents, medical students, contract nurses, visiting physicians, and the like, the organization sees a lot of monthly turnover that makes manual permissions maintenance difficult. The software allowed Maher to start running monthly keyword searches on the databases. That "really cleaned up an area that was a big issue with a lot of external audits," he notes.
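The reconciliation described above, as an added example that is not from the article and not Ochsner's or AppDetective's code. It assumes an HR feed of departures and a per-database account list (both constructed here), matches accounts by employee id where the database records one and otherwise by a surname keyword in the username, and emits lock statements for a DBA to review rather than executing anything:

```python
from datetime import date

# Constructed HR departure feed (assumption: HR exports emp_id, name, last_day).
DEPARTURES = [
    {"emp_id": "E1001", "name": "Alice Resident", "last_day": date(2005, 6, 30)},
    {"emp_id": "E1002", "name": "Bob Contract", "last_day": date(2005, 8, 15)},
    {"emp_id": "E1003", "name": "Carol Visiting", "last_day": date(2005, 12, 31)},
]

# Constructed database account inventory; emp_id is None where the DBA
# never recorded an owner, which is the case the keyword search covers.
DB_ACCOUNTS = [
    {"db": "CLINIC", "type": "oracle", "user": "ARESIDENT", "emp_id": "E1001", "enabled": True},
    {"db": "LAB", "type": "sqlserver", "user": "BCONTRACT", "emp_id": None, "enabled": True},
    {"db": "LAB", "type": "sqlserver", "user": "CVISITING", "emp_id": "E1003", "enabled": True},
    {"db": "CLINIC", "type": "oracle", "user": "DSTAFF", "emp_id": "E2000", "enabled": True},
    {"db": "CLINIC", "type": "oracle", "user": "SYSADM", "emp_id": None, "enabled": True},
]


def departed_as_of(departures, today):
    """Departures whose last day is on or before today."""
    return [d for d in departures if d["last_day"] <= today]


def find_orphaned_accounts(accounts, departures, today, min_keyword_len=4):
    """Enabled accounts that belong, or appear to belong, to departed staff.
    Exact emp_id matches are certain; surname-keyword matches are flagged
    as needing confirmation, since a keyword search can hit the wrong person."""
    gone = departed_as_of(departures, today)
    by_id = {d["emp_id"]: d for d in gone}
    keywords = []
    for d in gone:
        surname = d["name"].split()[-1].lower()
        if len(surname) >= min_keyword_len:
            keywords.append((surname, d))
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        if acct["emp_id"] in by_id:
            d = by_id[acct["emp_id"]]
            findings.append({**acct, "reason": "emp_id %s departed %s" % (d["emp_id"], d["last_day"]),
                             "certain": True})
            continue
        if acct["emp_id"] is None:
            for surname, d in keywords:
                if surname in acct["user"].lower():
                    findings.append({**acct, "reason": "username matches departed surname %r" % surname,
                                     "certain": False})
                    break
    return findings


def lock_statements(findings):
    """Per-platform statements for DBA review (real Oracle and SQL Server syntax)."""
    stmts = []
    for f in findings:
        if f["type"] == "oracle":
            stmts.append('-- %s\nALTER USER "%s" ACCOUNT LOCK;' % (f["reason"], f["user"]))
        elif f["type"] == "sqlserver":
            stmts.append("-- %s\nALTER LOGIN [%s] DISABLE;" % (f["reason"], f["user"]))
    return stmts


if __name__ == "__main__":
    today = date(2005, 9, 13)  # the article's publication date, used as "today"
    for stmt in lock_statements(find_orphaned_accounts(DB_ACCOUNTS, DEPARTURES, today)):
        print(stmt)
```

Keeping the keyword matches separate from the id matches matters: the id hits can go straight into the monthly lock batch, while the surname hits are the list Maher would take to the database owner before touching the account.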

Every couple of months, Maher also scans for unknown databases, a process that takes five or six hours. Then, quarterly or whenever there's a vulnerability announcement, Maher runs a full AppDetective scan, which looks for all known vulnerabilities. "By running a full audit, you get a really good view of how secure your Oracle and SQL Server databases really are," he states.

Documenting Fixes for HIPAA

Not all vulnerabilities are remediated immediately, since some databases cannot be remotely accessed. "All that stuff is protected by our main corporate firewall, then we subnet where those databases are, and we also protect those subnets," says Maher. "Hopefully, I don't think anyone can get around our perimeter defenses to get in." Thus, DBAs have some flexibility when dealing with patches—especially since patches sometimes crash databases. Regardless, in case of a HIPAA audit, Maher maintains a paper trail that documents identified vulnerabilities, his department's response, and the response rationale.

Automated scanning helps Ochsner deal with yet another issue: IT doesn't control all databases containing EPHI. Thus when Maher finds an unknown and unsecured database, he can't just show up and pull the plug. Instead, he presents results from the vulnerability scanning engine to the database owners. "Without snooping, we were able to say, 'We ran some scans, so what is this database?'" he says. As a result, in fact, most unsecured databases end up being shut down, since departments find maintaining them securely is too time-intensive.

While automated scanning is useful, there are always things it won't find, such as EPHI that's been copied out of a database. To handle that, Ochsner's compliance department has backed up the automation with communication—specifically, e-mails to all employees asking whether they store sensitive information in Access databases or Microsoft Excel files. "We realize a lot of things are important" for doing their jobs, says Maher. But "as far as those go, now we start dealing with laptop- or desktop-level security," to ensure EPHI is protected when it's out of the database.

Today, one testament to Ochsner's database security success is that Maher doesn't worry about what he doesn't know about the databases. Simply put, thanks to solid processes, procedures, and relevant tools, the security of Ochsner's databases "is probably one of the least of our concerns—even though our databases are extremely important, and contain EPHI and confidential information," Maher asserts.

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.


This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.