
HIPAA Security Risk Assessment:  The Real Risks OR Compliance Is Not Security (and vice versa)



  1. HIPAA Security Risk Assessment: The Real Risks OR Compliance Is Not Security (and vice versa)
     David S. Finn, Health IT Officer
     VA HIMSS 2012

  2. Agenda
     • Introduction & Background
     • It isn’t just about the headlines
     • This is Real and You are Completely Unprepared
     • Real Threats in Healthcare
     • The Data is the Patient
     • Q & A

  3. Introduction & Background
     • Recovering healthcare CIO
     • Unable to hold a job (treasurer for theatrical production company; real estate controller; world’s oldest entry-level programmer; systems audit; IS manager; audit director; healthcare IT consultant; operational/system risk consultant; EVP Operations, healthcare consultancy; privacy & information security officer; VP-IS; CIO; Health IT Officer)
     • CISA, CISM, CRISC
     • 2 degrees in Theatre

  4. It Isn’t Just About the Headlines Anymore
     • Blue Cross/Blue Shield reaches $1.5 million settlement
     • Cignet assessed $4.3 million penalty
     • $1 million penalty against Mass General
     • 2011: three individual breaches impacting 5 million, 4.3 million and 1.8 million individuals
     • HHS issues $100,000 fine to small Phoenix practice, warning to physicians

  5. Symantec Internet Security Threat Report*
     • In 2011, Symantec blocked more than 5.5 billion attacks, an increase of 81% over 2010.
     • Number of unique malware variants increased to 403 million.
     • Mobile vulnerabilities increased by 93% in 2011. 2011 was the first year that mobile malware presented a tangible threat to business and consumers.
     • 2011 saw 232 million identities stolen. Hacking accounted for 187 million of those thefts. 18 million identities were exposed through lost or stolen devices. Increasing focus on gathering information through social engineering.
     *Symantec Corp., Internet Security Threat Report, Vol. 17.

  6. Symantec Internet Security Threat Report* (chart slide)
     *Symantec Corp., Internet Security Threat Report, Vol. 17.

  7. (chart slide)
     *Symantec Corp., Internet Security Threat Report, Vol. 17.

  8. HIPAA and HITECH: Securing Patient Information and Protecting Privacy since . . . NOW!

  10. From the HHS publication . . .
      Cybersecurity: the protection of data and systems in networks that connect to the Internet.
      “Good patient care means safe record-keeping practices. Never forget that the electronic health record (EHR) represents a unique and valuable human being: it is not just a collection of data that you are guarding. It is a life.”

  11. It’s ten o’clock. Do you know where your ePHI is?
      The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security*
      *The Financial Impact of Breached Protected Health Information, 2012, American National Standards Institute (ANSI) / The Santa Fe Group / Internet Security Alliance

  12. The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security* (chart slide)
      *The Financial Impact of Breached Protected Health Information, 2012, American National Standards Institute (ANSI) / The Santa Fe Group / Internet Security Alliance

  14. Risk = Threat x Vulnerabilities x Consequences
      • Threat: potential for a particular threat-source to successfully exercise a particular vulnerability
      • Vulnerability: a flaw or weakness in system security procedures, design, implementation, or internal controls that could result in a security breach or violation of policy
      • Consequences: potential damage; possibility of suffering harm or loss
        • Patient Safety/Care
        • Fines
        • Loss of reputation
        • Class action suits
        • Prison
        • Patients leaving

  15. Medical Device Cyber Security and Management (diagram slide)
      • Challenges: Malware Volume & Sophistication; Device Lifecycle; Regulatory Mandates; Management Complexities (examples noted on the slide: OS Patch Deployment, Conficker, FDA, CE, IT, BioMed)
      • Patient Care Devices (PCD): Diagnostics & Specialty; Patient Care; Imaging
      • Risks: On-Device PHI Exposure; Sneakernet attack; PHI leaving on device; Device-based attack on network; PHI transmission intercept; Network attack; Loss of system & device functionality; Enterprise PHI exposure (HIS, Archive, EMR)
      • Remedies: Device-based Cyber Security; Network Security Architecture; Risk Management; Discovery & Compliance Management (remedy examples noted on the slide: HIPS; VLAN, Firewall; IEC 80001; MDS2, CMDB)
      • Medical Equipment Management (MEM)
      Source: Medical Device Cyber Security, AAMI 2011, San Antonio, TX

  16. CHIME online survey on Risk Management
      • July/Aug 2012 (released at CHIME Oct 12)
      • Total of 74 respondents
      • 64% hospitals > 250 beds
      • 85% CIO/CTO/CISO/CMIO
      • Objective: assess the state of risk management and risk management practices.
      • What we think we learned:
        • RAs are not done properly/timely
        • No proper RA -> risk, security holes, inconsistencies, audit risks
        • In this age of HIPAA, HITECH, Meaningful Use and Consumerization, the issues around assessing risk, prioritizing those risks, and mitigating and controlling them are becoming more complex.

  17. Questionnaire Results Q3: Which trends driving privacy & security risk in healthcare are you most concerned about? (choose all that apply; 74 responses, 0 skipped) (chart slide)

  18. Q3 Discussion: Privacy and Security Risks

  19. Questionnaire Results Q4: What is driving your need to do risk assessments? (choose all that apply; 69 responses, 5 skipped) (chart slide)

  20. Questionnaire Results Q5: What challenges do you have with your organization’s privacy and security practice(s)? (choose all that apply; 68 responses, 6 skipped) (chart slide)

  21. Questionnaire Results Q8: How are risk assessments used at your organization? (choose all that apply; 67 responses, 7 skipped) (chart slide)

  22. Questionnaire Results Q9: What do you consider the most positive impact of these risk assessments? (choose all that apply; 67 responses, 7 skipped) (chart slide)

  23. Security vs Compliance
      • Check lists lead to compliance.
      • Compliance is not security.
      • A risk management process leads to real security and privacy.
      • It starts with repeatable risk assessments done on a regular basis and remediated across the business, not by IT.

  24. How Meaningful Use relates to the HIPAA/HITECH Security Rule
      • HIPAA: Health Insurance Portability and Accountability Act (1996); 45 CFR 160, 45 CFR 162, 45 CFR 164
        • Transactions & Code Sets
        • Security Rule: security standards (general rules); administrative, technical and physical safeguards; policies & procedures and documentation required
        • Privacy Rule
      • HITECH: Health Information Technology for Economic and Clinical Health, part of the American Recovery and Reinvestment Act (2009)
        • HIPAA Security Rule plus new civil money penalties
        • CEs and BAs must comply
        • Breach notification starting after Sept 2009
      • Meaningful Use (2010): Risk Analysis (45 CFR 164.308(a)(1)) is a Core Measure

  25. How Meaningful Use Relates to Thanksgiving

  26. MU Stage 2: Protect Electronic Health Information
      • Measure: conduct or review a security risk analysis in accordance with the requirements of the HIPAA Security Rule
      • Specifically requires addressing encryption/security of data at rest
      • Does not require use of encryption, but assessment of data at rest
      • Not limited to data at rest
      • Must also implement security updates and correct deficiencies
      • Review must be updated for each reporting period
      • Becomes an annual update process to meet MU annually
      • The intent, all along: to create an on-going Risk Management Process

  27. Risk Analysis under MU and HIPAA
      • Risk Analysis is required under both MU and HIPAA
      • HIPAA requires risk analysis for all PHI, not just the EHR
      • MU Stage 2 measure emphasizes analysis of encryption of EHR data at rest
      • Under HIPAA, don’t forget about the non-EHR ePHI on mobile devices
      • Comply with the HIPAA Security Rule!

  28. Portals and Security
      • Risk Analysis and Risk Management (45 C.F.R. 164.308(a)(1)(ii)(A) and (B))
        • What is the risk of interception in transit?
        • What is the risk that the portal user is not the authorized user?
        • What is the risk that information is corrupted in transit?

  29. Portals and Security
      • Integrity (45 C.F.R. 164.312(e)(2)(i))
        • Is it reasonable to ensure that information is not modified or destroyed during transmission?
      • Encryption (45 C.F.R. 164.312(e)(2)(ii))
        • Is it reasonable and appropriate to encrypt the portal information in transit?
      • Unique user identifiers (45 C.F.R. 164.312(a)(2)(i))
        • Should family members or patient representatives get separate IDs?

  30. Portals and Security
      • Authentication (45 C.F.R. 164.312(d))
        • Implement a procedure to verify identity
        • What is reasonable and appropriate for patients?
      • Audit logs (45 C.F.R. 164.312(b))
      • Review of audit logs (45 C.F.R. 164.308(a)(1)(D))
      • CE is not responsible for information on the patient’s end

  31. MU Stage 2 Objective: Send Patient Reminders (EPs)
      • Step 1: reasonable, appropriate safeguards:
        • Encryption?
        • Correct address?
      • Step 2: accommodate reasonable patient requests
        • Patient may prefer unencrypted email

  32. Secure Messaging with Patients
      • MU focuses on patient-initiated communications, while HIPAA focuses on provider-initiated communications
      • Provider-initiated communications should be addressed in the risk analysis
      • Consider likelihood of risk (wrong address, interception)
      • Consider impact of risk (will vary depending on content)
      • Some communications may not require a “secure” system

  33. Security and HIE
      • Have potential threats and vulnerabilities been addressed in the risk analysis?
      • Is transmission encrypted if reasonable and appropriate?
      • Are systems in place to avoid misdirection?
      • If partnering with an HIE, is a Business Associates Agreement in place?
      • Does the BAA permit disclosure to public health authorities?
      • Exchange between different systems increases risks
      • CE is not responsible for the security of the recipient
      • But it is still your patient and their information if breached

  34. HIPAA Audit Success Equation
      Policies + Processes + Tracking Mechanisms = Visible Demonstrable Evidence = Culture of Compliance.

  35. Defining the variables
      • A policy statement that reflects an organization's intentions: the what;
      • A definition of a process by which the policy is implemented: the how; and
      • Suggested tracking mechanism(s) for capturing process results: the measurement.

  36. Outcomes & Conclusions
      Do Meaningful Risk Analysis. The risks are real; your understanding of and protection against them need to be real. It is a requirement, but it is also a powerful tool to protect your patients and yourself. A breach is more a question of “when” than “if” in this day and age.

  37. Other Resources
      • Health and Human Services: http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__home/1204
      • Health Information Management and Systems Society: http://himss.org/ASP/index.asp
      • American Health Information Management Association: http://www.ahima.org/Default.aspx
      • HITECH Answers: https://www.hitechanswers.net/
      • Digital Business Law Group: http://www.digitalbusinesslawgroup.com/
      • HITRUST: http://hitrustalliance.net/
      • Your state’s Office of the Governor (Health Information Exchange) and Regional Extension Centers, your State’s Medical Association, and other professional associations

  38. David S. Finn, 832.816.2206, david_finn@symantec.com