Abstract Archives of the RSNA, 2004
Janice C. Honeyman-Buck PhD, Presenter: Nothing to Disclose
Steven Meyer PhD, Abstract Co-Author: Nothing to Disclose
Meryll Frost, Abstract Co-Author: Nothing to Disclose
S.M.: Chief engineer, HIPAAT Inc., Mississauga, Ontario, Canada.
As the HIPAA Security Rule deadline of April 20, 2005 approaches, radiology departments complete preparations to guard the security and integrity of electronic protected health information (ePHI). These departments are challenged with bringing different vendor equipment into their compliance efforts while working to meet the Rule’s audit control standard.
One way to simplify implementation of the audit standard in multi-vendor departments is to follow IHE’s Basic Security Integration Profile. The Profile lists four goals: user accountability, access control, PHI data integrity and centralized audit record repository. Taking a case study approach, this report examines how a radiology department used IHE-compliant technologies to assist with Security Rule compliance. The focus is on a centralized audit repository and audit record generation.
For this department, network audit is handled in two phases: (1) tracking the export and import of ePHI over the network and (2) tracking ePHI sent to media recording devices (e.g. CD-ROM) for removal from the facility. Previously, the process of searching through disparate vendor audit logs was onerous, time-consuming and expensive. Additionally, these logs could not be stored centrally, as they belonged to “incompatible” applications with different log storage schemas. Future phases of the project will concentrate on incorporating the web image distribution system and the PACS archives and display workstations, followed by implementation of rigorous access control and user accountability.
IHE guidelines specify an Extensible Markup Language (XML) schema for audit content, with audit triggers that include privacy and security-related events. The department has chosen to adopt this schema so that ePHI audit events (including study import and export) can be stored in a central repository, allowing better search and report capabilities. XML audit log events are generated from DICOM messages and stored in the central repository.
Attendees will understand the specific recommendations of the IHE Basic Security Integration Profile, will understand the complexities of implementing security audits in a multi-vendor environment, will be introduced to the XML requirements for implementation and will be introduced to a solution that can be used in many different environments.
Honeyman-Buck, J, Meyer, S, Frost, M, IHE Security Integration with a Centralized Audit Facility. Radiological Society of North America 2004 Scientific Assembly and Annual Meeting, November 28 - December 3, 2004, Chicago IL.
http://archive.rsna.org/2004/4406329.html