
HIPAA and SB 1386: The New Security Imperatives


Presentation Transcript


  1. HIPAA and SB 1386: The New Security Imperatives Presented by: Russell L. Rowe rrowe@chiefsecurityofficers.com

  2. Background Chief Security Officers, LLC is a full-service IT firm specializing in security compliance and auditing services. We help companies protect their information, people, and facilities.

  3. Seminar Objectives • Define HIPAA and SB 1386 and their impact on your business. • Provide specific techniques to aid in planning and implementing security measures to meet HIPAA and SB 1386 requirements.

  4. HIPAA • Healthcare Insurance Portability and Accountability Act (HIPAA) • Privacy Compliance Dates • 2/26/03 Healthcare Clearinghouses • 4/14/04 Large Covered Entities • 4/14/04 Small Covered Entities • Security Compliance Dates • 4/20/05 Large Covered Entities • 4/20/06 Small Covered Entities

  5. HIPAA’s Goals • Ensure health insurance portability • Reduce health care fraud and abuse • Guarantee security and privacy of personal health information • Enforce standards for health information, i.e., medical records use and release

  6. A Simple Mandate “It is the responsibility of organizations that are entrusted with health information to protect it against deliberate or inadvertent misuse or disclosure. The final regulation requires covered organizations to establish clear procedures to protect patients' privacy, including designating an official to establish and monitor the entity's privacy practices and training.”

  7. Affected Healthcare Organizations • Health Plans • Individual or group plans that provide for or pay the cost of medical care • Employers that self-insure • Providers (furnish healthcare services or supplies) • Hospitals, medical groups, physicians’ LLPs, clinics, emergency care facilities • Clearinghouses • Public or private organizations that process or facilitate processing of health information • Other Entities • Employers that want to utilize medical information for data mining • Pharmaceutical companies conducting clinical research

  8. Affected Business Processes • All individually identifiable information relating to past, present, or future: • Health conditions • Treatment • Payment for treatment • Demographic data collected by plans or providers

  9. Administrative Procedure Standards • Certification • Chain of Trust Agreements • Contingency Planning • Record Processing • Information Access Control • Internal Audit • Security Management • Personnel Security • Training • Termination Procedures • Security Incident Response • Security Configuration Management

  10. Physical Safeguards • Assigned security responsibility • Media controls • Physical access controls • Policy/guideline on workstation use • Secure workstation location • Security awareness training • Business continuity & disaster recovery plans

  11. Technical Security Services Standards • Access Control • Authorization Control • Data Authentication (Integrity) • Entity Authentication

  12. Technical Security for Network Communications • Basic networking safeguards • Confidentiality • Integrity • Availability • Network security issues • Integrity (message corruption) and confidentiality (message interception) • Protection from unauthorized remote access

  13. Why Comply? • Statutory Penalties • Standards: Up to $25,000 per violation per year • Wrongful disclosure: Up to $250,000 and 10 years in prison • Cost Savings • Reduction in processing costs • Simplification of manual processing • Improved Customer Service • Fewer errors • Quicker turnaround • Enabler of e-commerce

  14. Healthcare IT Professionals Understand HIPAA’s Importance • 79% say HIPAA is the top business issue in healthcare industry • Two-thirds say upgrading security to meet HIPAA is a top priority Source: HIMSS leadership survey, 1/01

  15. Structural Impact • Cultural transformation for handling, using, communicating, and sharing patient information • Major revamping of business/security policies and procedures • Must rethink how to protect security and privacy of patient and consumer information • Additional information security technology solutions (e.g., PKI, VPNs, Business Continuity) • Standard formats for most common transactions among healthcare organizations • Replacement or substantial change to providers’ current systems and processes

  16. Financial Impact • Establish “Privacy Official” • Extraordinary budget and staff requirements for next two years • More extensive than Y2K efforts: $5B in spending by end of 2003 (IDC) • Large healthcare providers and/or payers could spend $50-$200 million each to become HIPAA compliant

  17. 20 Steps to Compliance 1. Identify gaps between current practices and proposed rules. 2. Identify key individuals to spearhead compliance efforts. Include senior management to ensure top-down support. 3. Educate staff, physicians, and other key constituents. 4. Make a comprehensive inventory of individually identifiable electronic health information your organization maintains. Include information kept on PCs and in research databases.

  18. 20 Steps to Compliance 5. Conduct a risk assessment to evaluate potential risks and vulnerabilities to individually identifiable electronic health information. Include the possibility of outside attacks. 6. Develop a tactical plan to address identified risks, with highest priority on areas of greatest vulnerability. 7. Collect and organize existing information security policies into the four categories outlined in the security standards. Evaluate for currency, consistency, and adequacy. 8. Develop a checklist of policies to be developed. Assign responsibility to appropriate individuals.

  19. 20 Steps to Compliance 9. Educate staff about security policies and enforce them. 10. Establish a confidential reporting system so that security breaches can be reported without fear of repercussion. 11. Impose sanctions for violations. Prepare for system disruptions or data corruption that may result from security violations. 12. Assess the accuracy of the master patient index (MPI) for duplication (patients assigned more than one number) and overlays (more than one patient assigned the same number). Out-task if necessary. 13. Evaluate the current billing system for EDI transaction standards and modifications.

  20. 20 Steps to Compliance 14. Compare current health information disclosure procedures with proposed privacy standards. • Are individuals allowed to inspect and copy their health information? Are reasonable fees charged? • Does the organization account for all disclosures of protected health information other than for treatment, payment, or healthcare operations? • Is there a procedure in place to allow individuals to request amendments or corrections to their health information? • Is there a mechanism for individuals to complain about possible violations of privacy? 15. Designate a privacy officer. 16. Review/revise existing vendor contracts to ensure HIPAA compliance. Ensure that business partners also protect the privacy of identifiable health information.

  21. 20 Steps to Compliance 17. Evaluate new information security technologies. 18. Consider biometric identifiers (fingerprints, voiceprints, retinal scans) for secure authentication of users, and single sign-on technology to eliminate multiple passwords and logons. 19. Evaluate audit trails on existing information systems. Audit trails must record every access (including read-only access) to patient information, not just additions or deletions. 20. Look for audit trail technologies that can analyze large amounts of information and flag suspicious patterns.
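Steps 19 and 20 ask for audit trails that capture reads as well as writes, and for tooling that flags suspicious patterns in them. The following is an added example (not from the presentation) that parses a constructed patient-access audit trail and applies two illustrative rules; the log format, user names, patient IDs and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (not from the presentation): one event per line,
# including plain reads, since the slide expects read-only access to be recorded too.
SAMPLE_LOG = """\
2003-07-01T09:02:11 user=jdoe action=READ patient=P1001
2003-07-01T10:17:03 user=jdoe action=READ patient=P1002
2003-07-01T13:30:00 user=rkim action=READ patient=P3001
2003-07-01T13:31:12 user=rkim action=READ patient=P3002
2003-07-01T13:32:45 user=rkim action=READ patient=P3003
2003-07-01T13:33:09 user=rkim action=READ patient=P3004
2003-07-01T23:14:02 user=mlee action=READ patient=P2001
2003-07-01T23:14:09 user=mlee action=DELETE patient=P2002
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) patient=(\S+)$")

def parse_log(text):
    """Parse audit lines into (timestamp, user, action, patient); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, action, patient = m.groups()
            events.append((datetime.fromisoformat(ts), user, action, patient))
    return events

def read_only_patients(events):
    """Patients only ever read: a trail that logs just adds/deletes would never show them."""
    written = {p for _, _, a, p in events if a != "READ"}
    return {p for _, _, a, p in events if a == "READ"} - written

def flag_suspicious(events, max_distinct_patients=3, after_hours=(20, 6)):
    """Return {user: [reasons]} for users touching many distinct patients or working after hours."""
    distinct, after = defaultdict(set), defaultdict(int)
    start, end = after_hours  # illustrative business-hours window: flag 20:00-05:59
    for ts, user, _, patient in events:
        distinct[user].add(patient)
        if ts.hour >= start or ts.hour < end:
            after[user] += 1
    flags = {}
    for user, patients in distinct.items():
        reasons = []
        if len(patients) > max_distinct_patients:
            reasons.append(f"{len(patients)} distinct patients")
        if after[user]:
            reasons.append(f"{after[user]} after-hours events")
        if reasons:
            flags[user] = reasons
    return flags
```

Note that rkim is flagged on READ events alone; an audit trail limited to additions and deletions would contain nothing about that user.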

  22. California SB 1386 California SB 1386 provides Californians with immediate notification when confidential information about them has been compromised due to a breach of any computer system that stores such information, once that breach is discovered.

  23. Why was it created? Early in 2002, the State of California's data center that runs the payroll application for the State of California was breached. For many weeks, confidential information about 265,000 employees of the state (names, addresses, bank account numbers, social security numbers, etc.) was available to the hackers. The data center did not notify anybody about this breach for many weeks, leaving state employees and lawmakers open to identity theft attacks longer than they needed to be.

  24. Who does the Bill impact? Any business, government or non-profit agency, or individual that stores confidential information about California residents on their computers.

  25. When does it become effective? The Bill was approved by the Governor on September 25, 2002, while its provisions became effective July 01, 2003.

  26. What’s considered to be “confidential personal information”? • Social Security numbers, California Driver's License numbers or Identification Card numbers, Account numbers, Credit or Debit card numbers, etc. • Information that is lawfully available to the general public, from government records, is not considered confidential personal information.

  27. What constitutes a breach of a computer system? Any unauthorized access to a computer and its data constitutes a breach of a computer system. Typically, if a business or agency has a policy authorizing access to a computer and its data, any access outside the scope of that policy is unauthorized.

  28. What if a computer was breached, but the confidential personal information was not stolen? While possible, this would be very difficult to prove. It would depend on the technology used to store the confidential personal information and the security policies and procedures in force within that infrastructure.

  29. What if I don’t monitor the systems and thus do not detect a breach? Unfortunately, you will not be able to get away with such an argument. In general, businesses have a responsibility to exercise a certain level of care in protecting their information, especially information deemed confidential. By not monitoring your systems, and thus not detecting a breach, you can be accused of negligence for not applying what is considered the standard level of care within the industry.

  30. Does SB 1386 apply to me if I do not have an office in California? As long as you have a single employee or customer who resides in California, and as long as you store any confidential personal information about that employee or customer on a computer, you will need to comply with SB 1386. It doesn't matter if you do not have an office in California, or do not maintain any computers in California; you are still responsible for upholding the provisions of SB 1386 as long as the above conditions are true.

  31. What if I am just a small business, and not a large corporation? SB 1386 does not discriminate based on the size of the business. If you are a Sole Proprietorship, a Partnership, an LLC, an LLP, a Corporation, a Non-Profit or any form of Government agency, and maintain confidential personal information about a California resident on a computer, SB 1386 applies to you.

  32. What if the data is encrypted? Where the confidential data is encrypted on the computer, and in the transmissions between the computer and its authorized users, the company may be exempted from disclosure. Notice the emphasis on the word "may". The reason is that there are many different kinds of encryption technologies, ranging from relatively trivial to break to "computationally infeasible". Depending on the kind of encryption you use, you may be judged to have exercised a sufficient, or insufficient, standard of care in protecting the data.

  33. What if the confidential data is separated from the name and password? In the event that your database maintains confidential data about Californians, but does not store either the password or the name of the Californian in the same database or computer, then SB 1386 disclosure rules will not apply to you. The rationale for this is obvious: if an attacker stumbled upon social security numbers or account numbers but did not know who they belonged to, the attacker's job of stealing identities would be much harder.
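One way to build the separation this slide describes is to keep names in an identity store and confidential fields in a data store, linked only by a keyed pseudonym whose key is held outside both. This is an added example (not from the presentation); the key, field names and the sample person are constructed.

```python
import hmac
import hashlib

# Constructed example key: in a real deployment it lives in a key store separate
# from both databases, so a copy of the data store alone cannot rebuild names.
PSEUDONYM_KEY = b"example-key-kept-outside-both-databases"

def pseudonym(name, key=PSEUDONYM_KEY):
    """Keyed one-way token for a person; links the two stores without naming anyone."""
    normalized = " ".join(name.lower().split())
    return hmac.new(key, normalized.encode(), hashlib.sha256).hexdigest()[:16]

def split_record(name, ssn, account):
    """Return (identity_row, data_row): the name goes to one store, the confidential
    fields to another, and only the pseudonym links them."""
    token = pseudonym(name)
    identity_row = {"token": token, "name": name}
    data_row = {"token": token, "ssn": ssn, "account": account}
    return identity_row, data_row

def data_store_names_anyone(identity_rows, data_rows):
    """Control check: does any stored name (or part of one) appear in the data store?"""
    parts = {w for r in identity_rows for w in r["name"].lower().split()}
    words = {w for r in data_rows for v in r.values() for w in str(v).lower().split()}
    return bool(parts & words)

def rejoin(token, identity_rows, data_rows):
    """Authorized use: reunite a person's name with their data via the token."""
    ident = next(r for r in identity_rows if r["token"] == token)
    data = next(r for r in data_rows if r["token"] == token)
    return {**ident, **data}
```

Running the control check periodically against the data store catches the common way this design degrades: free-text fields that quietly start carrying names.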

  34. What preventive measures are available? • Implementing rigorous policies and controls • Re-architecting the critical infrastructure and/or applications • Elimination of user IDs and passwords • Use of encryption beyond the network

  35. Questions Russell Rowe President Chief Security Officers 11445 E. Via Linda Scottsdale, AZ 85259 480-344-2635 rrowe@chiefsecurityofficers.com
