July 2017

Why Windows Workgroups can be a HIPAA Headache?

By Karl Muhlbach

Workgroup HIPPA HeadachesBefore I can explain the concern with Windows Workgroups, as they pertain to HIPAA compliance, allow me a moment to explain what a Windows Workgroup is in the first place. A Windows Workgroup is Microsoft’s most fundamental way of networking two or more computers together. When you purchase a computer, connect all the accessories and join it to a network, it is by default, part of a WORKGROUP. Taking the necessary steps, you can share printers, file storage, and other network resources. You’re probably saying by now, “OK, Sounds Great! What’s the big deal”. Well…the concern is, problems can ensue when you must abide by the HIPAA Privacy and Security Regulations.

The HIPAA Privacy and Security Regulations are an extensive list of rules that medical practices and those that handle ePHI (Electronic Patient Health Information) must adhere to. One of the issues involved in complying with the Privacy and Security Rules of HIPAA, deals with ePHI; a practice must maintain and, when called upon, produce an audit trail of all the users that access the practice’s network. An audit trail is an activity log that details user activities, from the point they sign on to the network until they log off that same network (and everything they access in between). This is challenging to do when each computer is in a WORKGROUP, each with its own set of user credentials. That means USER1 on COMPUTER1 is fundamentally a different USER1 on COMPUTER2. Maintaining synchronization with regards to ePHI access, permissions, and incorporating practice policies and procedures can be an administrative nightmare, even for the smallest of practices.

HIPAA Data SecurityMaintaining cohesiveness within the organization with regards to “rights” management, data access controls, upholding business policies and procedures and retaining an audit trail of usage is typically implemented through Group Policies. Each computer has its own Group Policies that govern the proper usage and access of the computer. So, what are Group Policies? Let me explain it this way…Imagine an orchestra. Now envision each section of that orchestra; woodwind section, percussion section, brass section, etc. Each section, like a computer in a WORKGROUP, has rules and procedures governing how that section will perform. Each section, like the other computers in the WORKGROUP, should have the same rules and procedures they engage in to produce any sort of appreciable sound; but they could do their own thing, resulting in a chaos of noise. Similarly, each section or computer, has its own set of Local Group Policies. They can work in harmony, but they can easily get out of sync with each other if not properly maintained. This can become an administrative nightmare and produce some detrimental results in maintaining security as well as HIPAA compliance; leaving a practice vulnerable to potential security breaches and subject to substantial fines.

So, what’s the answer to this potential problem? Active Directory Services. Active Directory is like the conductor of the orchestra. Active Directory maintains control of all the computers who are members of its domain. Through Active Directory services, each user is maintained with uniqueness. They can log into any computer in the domain with the same unique username and password. Access controls can be put in place to monitor and maintain what they have permission to access and an audit trail can be produced easily and seamlessly for the entire organization. Moreover, Active Directory Services provides Group Policies for the entire organization; users, devices, access controls, etc. Like the conductor of the orchestra, Active Directory Services keeps the organization working in harmony toward satisfying the Privacy and Security Rules of HIPAA compliance. Sadly, too many practices or organizations that deal with ePHI take the easy path of WORKGROUPS creating the potential for chaos, security breaches and fines.

Karl Muhlbach is the owner of Eukairos Technologies Corp and a Compliance IT Coordinator for the resource group, Medical Office Resources of Florida, LLP. He can be reached at kmuhlbach@eukairostech.com