National Committee on Vital and Health Statistics

(Testimony for August 5 & 6, 1997 in Washington, D.C.)

To the Subcommittee on Health Data Needs, Standards, and Security

by

Randolph N. Sanovic
Director, Information Security
United HealthCare Corporation
MN010-W116
P.O. Box 1459
Minneapolis, MN 55440-1459
www.unitedhealthcare.com

National Committee on Vital and Health Statistics/Subcommittee on Health Data Needs, Standards and Security

Hearing to receive input from the health care industry on recommendations for security standards

Statement by Randolph N. Sanovic, Director, Information Security, United HealthCare Corporation

August 5, 1997

Mr. Chairman, Members of the Subcommittee: Thank you for the opportunity to offer a statement about this important concern.

Background

My name is Randolph (Randy) Sanovic. I am Director, Information Systems Security at United HealthCare Corporation. United HealthCare is a national leader in health care management, serving purchasers, consumers, managers and providers of health care since 1974. The company provides a broad continuum of health care programs and services, including health maintenance organizations (HMOs), point of service, preferred provider organizations (PPOs) and managed indemnity programs; as well as managed mental health and substance abuse services; utilization management; workers’ compensation and disability management services; specialized provider networks; third-party administration (TPA) services; employee assistance services; Medicare and managed care programs for the aged; managed Medicaid services; health care evaluation services; information systems; and administrative services. Over 75,000 employers offer our products to millions of Americans. Our networks include 3,000 hospitals, 50,000 pharmacies and 265,000 health care providers.

In my position at United, I am responsible for the corporation’s overall information systems security posture. I have over 18 years of professional, management-level experience in information security with two major multinational corporations. I am a Certified Information Systems Security Professional (CISSP) and a member of the National Computer Systems Security and Privacy Advisory Board.

On behalf of the management of United HealthCare, I’m happy to be a part of this session and to assist in any way I can.

Specific answers to many of the questions posed in preparation for this session are noted in the attached:

1. What policies and procedures should be employed to safeguard information? How should these policies and procedures be communicated to external users as well as consumers? How frequently are policies reviewed?

United HealthCare has consistently supported the incremental market reform principles underlying The Health Insurance Portability and Accountability Act of 1996. Overall, the Act is a victory for Americans, and its passage demonstrates that good faith by all parties has led to meaningful compromise in the country’s best interest.

In general, the Federal reforms espoused by the Act will help stabilize and sustain the private market by ensuring that all market players compete under the same high standards. United HealthCare views protecting our members’ confidential information to be of the utmost importance. We have explicit information security policies and standards that are mandated by executive management and widely disseminated for compliance within the corporation. As appropriate, external users are informed that to connect with United HealthCare’s information systems they must comply with our information security policies and standards. These policies and standards are formally reviewed on an annual basis and revised/updated within annual review periods as necessity dictates.

2. Do employees, agents, independent contractors, medical staff, and vendors sign confidentiality statements? What are the consequences of a security breach by an individual? What type of disciplinary action is taken?

We take care to ensure that employees, agents, and independent contractors agree to confidentiality requirements as a condition of employment or contracting. We also monitor compliance with our published information security policies and procedures, and if and when a security breach occurs, we take the appropriate disciplinary action, including termination.

3. How do you protect backups? What abilities do you have to recover files that become corrupted or lost?

Formally structured, documented, and tested business continuity and disaster recovery plans help ensure that we can recover our business operations. Our business users assist in this process by participating in a formal exercise to identify and prioritize their business applications so they can be recovered in a timely fashion. Our backups are physically protected and stored at secure locations sufficiently distant from their production processing systems. United HealthCare has purposely staffed distinct corporate-level departments that have as their sole responsibility the continued enhancement of our business continuity and disaster recovery plans and processes.

4. What approaches have been successful in your organization in obtaining upper management commitment to data security? What approaches have been less successful? Who is accountable to manage the information security program in your organization? Has your organization assigned staff dedicated to information security?

Fortunately, at United HealthCare we consistently have top management support and commitment to data security. Top executive management, from the CEO on down, formally signs off, at least annually, on revised and new information security policies.

As Information Security Director for United HealthCare, I am responsible to upper management for the corporation’s overall information security posture. I don’t, however, perform such responsibilities alone. I am fortunate to be assisted by five very effective directors/managers who report to me and, in turn, focus their staffs on the issues and projects that compose United HealthCare’s Information Security Programs.

5. Has cost been a factor in limiting your information security program? How would you determine the appropriate cost of security? What factors should be considered in assessing the costs and benefits of security?

At United HealthCare, the various business requirements for user identification, access control, confidentiality, integrity, availability, and in general secure network computing determine which security measures are designed, developed, and implemented, and how. As new applications, programs, and business opportunities arise, security recommendations become part of the projects through direct participation by our security directors, managers, internal security consultants, and security administration supervisors. In other words, security is embedded in the business-driven development process and is included as a cost factor in the overall cost of the business project, and balanced against the business project’s benefits and corporate priorities. Risk assessment processes also help the business units determine and specify their requirements for specific security mechanisms and procedures.

6. Based on your experience, what are the impediments to implementing health information security measures? How would federal legislation or regulation requiring the protection of health information affect the information security program at your organization?

The health care industry is most definitely very interested in ensuring information security and protecting the confidentiality of the information in its trust. That is why companies such as United HealthCare have committed staffing and resources to hire an information security director and an information security staff. As information security issues receive more attention in the general press, Americans are becoming better educated and demanding greater security for their personal information, in health care as in other industries. United HealthCare and other companies want to be responsive to those concerns.

In recognition of this, United HealthCare supports uniform federal standards for electronic data transactions, including privacy of individually transmitted health records and payment information, that are applicable to all health plans. It is good to keep in mind, however, that most health insurers/plans are primarily transmitting payment information today, not actual medical records. Certainly security is no less important when dealing with personally identifiable data, but do the standards need to respect the type of data (e.g., payment vs. clinical data)?

As with many other industries, health care is driven by ever-changing external business requirements. As a result, it is important to educate the business segments of the health care industry so that everyone is cognizant of important security issues and privacy considerations, and educated as to industry standards and federal and state law. Also, we are learning a great deal from the current security implications of the Year 2000 changeover.

Two issues that we believe need greater industry attention are the appropriate use of the Internet and dealing with unsecured telecommunication networks.

7. What are the objectives of your data security training program? Who receives training in information security? How is training delivered? Is training customized to user class? How often is training repeated?

Information security training at United HealthCare begins with a very comprehensive module included in the Employee Handbook and is covered at the management level in the United HealthCare Manager’s Guide. Specialized information security training is provided to our data security administration staff, who are also cross-trained so they can support each other. In support of these training programs, we also conduct annual company-wide security awareness expositions which remind employees and contractors of their security responsibilities.

8. Are unique passwords used? Is access control handled through technology or through policy? Is encryption used for internal or external transmissions? Do you transmit or plan to transmit patient identifiable information over the Internet? What physical security measures do you use?

United HealthCare’s information systems are equipped with internal mechanisms that safeguard the information contained in these systems on a need-to-know basis. Each individual with "clearance" to access confidential information is responsible for the security, integrity and confidentiality of that information. Only authorized individuals are permitted to access private information concerning clients, patients, customers or insureds. Additionally, unique passwords and user IDs must be changed regularly and are not to be disclosed to or used by anyone other than the user. United HealthCare also uses electronic "firewalls" to further restrict external access to its computer systems and networks. We also use encryption very selectively (e.g., SSL, PGP) with some of our internal and external applications. We do not, and will not, transmit patient-identifiable information over the Internet unless it is suitably protected.

United HealthCare uses several standard physical security mechanisms to protect its information assets. These protection measures include card access systems for personnel entry control, hardened sites for our main computer centers, and locked facilities for our distributed production servers and telecommunications equipment. Additionally, reports that contain confidential or personal information are destroyed in a secure, approved method.

9. SDOs/Accreditation Organizations

We depend heavily on external standards organizations and vendors to recommend and implement universally accepted standards in their products, which we in turn evaluate and implement to provide prudent and reasonable security protection for our information assets.

We also depend on professional certification organizations such as the International Information Systems Security Certification Consortium, (ISC)², to test and provide us with certified information security professionals who are broadly enough experienced, both technically and operationally, to contribute significantly to enhancing our Information Security Programs.

United HealthCare endorses the Subcommittee’s charter and invites further discussion in any area of concern. Thank you again for this opportunity.

Randolph (Randy) Sanovic
Director, Information Systems Security
United HealthCare Corporation
MN010-W116
P.O. Box 1459
Minneapolis, MN 55440-1459
www.unitedhealthcare.com
(612)797-4314
(612)797-4333 (fax)