HIPAA Security Risk Assessment: The Real Risks OR Compliance Is Not Security (and vice versa)

David S. Finn

Health IT Officer

VA HIMSS 2012

Agenda
  • Introduction & Background
  • It isn’t just about the headlines
  • This is Real and You are Completely Unprepared
  • Real Threats in Healthcare
  • The Data is the Patient
  • Q & A

Introduction & Background
  • Recovering healthcare CIO
  • Unable to hold a job (treasurer for theatrical production company; real estate controller; world’s oldest entry level programmer; systems audit; IS manager; audit director; healthcare IT consultant; operational/system risk consultant; EVP Operations - healthcare consultancy; privacy & information security officer; VP-IS; CIO; Health IT Officer)
  • CISA, CISM, CRISC
  • 2 degrees in Theatre

It Isn’t Just About the Headlines Anymore
  • Blue Cross/Blue Shield reaches $1.5 million settlement
  • Cignet assessed $4.3 million penalty
  • $1 million penalty against Mass General
  • 2011: 3 individual breaches impacting 5 million, 4.3 million and 1.8 million individuals
  • HHS Issues $100,000 Fine to Small Phoenix Practice, Warning to Physicians

Symantec Internet Security Threat Report*

*Symantec Corp., Internet Security Threat Report, Vol. 17.

  • In 2011, Symantec blocked more than 5.5 billion attacks, an increase of 81% over 2010.
  • The number of unique malware variants increased to 403 million.
  • Mobile vulnerabilities increased by 93% in 2011. 2011 was the first year that mobile malware presented a tangible threat to business and consumers.
  • 2011 saw 232 million identities stolen. Hacking accounted for 187 million of those thefts; 18 million identities were exposed through lost or stolen devices. There is an increasing focus on gathering information through social engineering.

HIPAA and HITECH

Securing Patient Information and Protecting Privacy since . . .

NOW!

From the HHS publication . . . Cybersecurity: The protection of data and systems in networks that connect to the Internet

“Good patient care means safe record-keeping practices. Never forget that the electronic health record (EHR) represents a unique and valuable human being: it is not just a collection of data that you are guarding. It is a life.”

It’s ten o’clock. Do you know where your ePHI is?

The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security*

*The Financial Impact of Breached Protected Health Information,

2012 American National Standards Institute (ANSI) / The Santa Fe Group /Internet Security Alliance

Risk = Threat x Vulnerabilities x Consequences

  • Threat: potential for a particular threat-source to successfully exercise a particular vulnerability
  • Vulnerability: a flaw or weakness in system security procedures, design, implementation, or internal controls that could result in a security breach or violation of policy
  • Consequences: damage; possibility of suffering harm or loss
    • Patient Safety/Care
    • Fines
    • Loss of reputation
    • Class action suits
    • Prison
    • Patients leaving


Medical Device Cyber Security and Management

[Figure: challenge/remedy diagram for patient care devices (PCD) and medical equipment management (MEM); source: Medical Device Cyber Security – AAMI 2011, San Antonio, TX. Recoverable labels:]

  • Challenges: OS Patch Deployment (example: Conficker); Malware Volume & Sophistication; Device Lifecycle; Regulatory Mandates (FDA, CE); Management Complexities (IT, BioMed)
  • Device classes: Diagnostics & Specialty; Patient Care; Imaging
  • Exposures: On-Device PHI Exposure (sneakernet attack, PHI leaving on device); Device-based attack on Network; PHI Transmission Intercept; Network attack; Loss of System & Device Functionality; Enterprise PHI Exposure (HIS, Archive, EMR)
  • Remedies: Device-based Cyber Security (example: HIPS); Network Security Architecture (VLAN, Firewall); Risk Management (IEC 80001); Discovery & Compliance Management (MDS2, CMDB)

CHIME online survey on Risk Management
  • July/Aug 2012 (released at CHIME Oct 12)
  • Total of 74 respondents
    • 64% hospitals > 250 beds
    • 85% CIO/CTO/CISO/CMIO
  • Objective: Assess state of risk management and risk management practices.
  • What we think we learned:
    • RAs are not done properly or in a timely manner
    • No proper RA -> risk, security holes, inconsistencies, audit risks
    • In this age of HIPAA, HITECH, Meaningful Use and consumerization, the issues around assessing risk, prioritizing those risks, and mitigating and controlling them are becoming more complex.

Questionnaire Results

Q3: Which trends driving privacy & security risk in healthcare are you most concerned about? (choose all that apply; 74 responses, 0 skip)

Questionnaire Results

Q4: What is driving your need to do risk assessments? (choose all that apply; 69 responses, 5 skip)

Questionnaire Results

Q5: What challenges do you have with your organization’s privacy and security practice(s)? (choose all that apply; 68 responses, 6 skip)

Questionnaire Results

Q8: How are risk assessments used at your organization? (choose all that apply; 67 responses, 7 skip)

Questionnaire Results

Q9: What do you consider the most positive impact of these risk assessments? (choose all that apply; 67 responses, 7 skip)

Security vs Compliance
  • Check lists lead to compliance.
  • Compliance is not security.
  • Risk management process leads to real security and privacy.
  • Starts with repeatable risk assessments done on a regular basis and remediated across the business, not by IT.

How Meaningful Use relates to HIPAA/HITECH

[Figure: how Meaningful Use builds on HIPAA and HITECH. Recoverable content:]

HIPAA: Health Insurance Portability and Accountability Act (1996)
  • Transactions & Code Sets
  • Security Rule (45 CFR 160, 45 CFR 162, 45 CFR 164): Security Standards: General Rules; Administrative, Technical, Physical Safeguards; policies & procedures and documentation required
  • Privacy Rule

HITECH: Health Information Technology for Economic and Clinical Health Act, part of the American Recovery and Reinvestment Act (2009)
  • HIPAA Security Rule + new civil money penalties
  • CEs and BAs must comply
  • Breach notification starting after Sept 2009

Meaningful Use (2010)
  • Risk Analysis (45 CFR 164.308(a)(1)) is a Core Measure

MU Stage 2: Protect Electronic Health Information
  • Measure: Conduct or review a security risk analysis in accordance with requirements of HIPAA Security Rule
    • Specifically requires addressing encryption/security of data at rest
      • Does not require use of encryption, but assessment of data at rest
      • Not limited to data at rest
    • Must also implement security updates and correct deficiencies
  • Review must be updated for each reporting period
    • Becomes annual update process to meet MU annually
    • The intent, all along, is to create an ongoing risk management process

Risk Analysis under MU and HIPAA
  • Risk Analysis is required under both MU and HIPAA
    • HIPAA requires risk analysis for all PHI, not just the EHR
  • MU Stage 2 measure emphasizes analysis of encryption of EHR data at rest
    • Under HIPAA, don’t forget about the non-EHR ePHI on mobile devices
  • Comply with the HIPAA Security Rule!
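
As an added example (not from the presentation or its author), the slide's Risk = Threat x Vulnerabilities x Consequences formula applied to an ePHI inventory that includes non-EHR assets, with a check that flags assets whose analysis is older than one reporting period so the review repeats rather than happens once. The 1 to 5 scale, the assessment date and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Assumed 1..5 qualitative scale for each factor in the slide's
# Risk = Threat x Vulnerabilities x Consequences; the scale is not from the deck.
SCALE = {"low": 1, "moderate": 2, "high": 3, "very high": 4, "critical": 5}

# Constructed assessment date used by the sample run below.
ASSESSMENT_DATE = date(2012, 10, 12)


@dataclass
class EphiAsset:
    name: str
    threat: str         # potential for a threat-source to exercise the vulnerability
    vulnerability: str  # flaw in procedures, design, implementation or controls
    consequence: str    # harm: patient safety, fines, reputation, suits, ...
    last_assessed: date
    in_ehr: bool        # False = non-EHR ePHI (laptops, portals, devices)

    def risk_score(self) -> int:
        return SCALE[self.threat] * SCALE[self.vulnerability] * SCALE[self.consequence]


def prioritize(assets, today, period_days=365):
    """Rank assets by risk score and flag any whose analysis is older than one
    reporting period, so the risk analysis is repeated rather than done once."""
    ranked = sorted(assets, key=lambda a: a.risk_score(), reverse=True)
    return [
        {
            "asset": a.name,
            "risk": a.risk_score(),
            "non_ehr": not a.in_ehr,
            "stale": (today - a.last_assessed).days > period_days,
        }
        for a in ranked
    ]


# Constructed sample inventory; values are illustrative, not survey data.
SAMPLE_ASSETS = [
    EphiAsset("EHR database", "moderate", "low", "critical", date(2012, 6, 1), True),
    EphiAsset("Clinician laptops, no encryption", "high", "very high", "high", date(2011, 3, 15), False),
    EphiAsset("Patient portal", "high", "moderate", "high", date(2012, 8, 20), False),
    EphiAsset("Imaging modality, unpatched OS", "moderate", "critical", "very high", date(2010, 11, 2), False),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ASSETS, ASSESSMENT_DATE):
        print(row)
```

The highest-scoring rows are non-EHR assets, which is the slide's point that the HIPAA analysis must cover ePHI outside the EHR.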

Portals and Security
  • Risk Analysis and Risk Management (45 C.F.R. 164.308(a)(1)(ii)(A) and (B))
    • What is the risk of interception in transit?
    • What is the risk that portal user is not authorized user?
    • What is the risk that information is corrupted in transit?

Portals and Security
  • Integrity (45 C.F.R. 164.312(e)(2)(i))
    • Is it reasonable to ensure that information is not modified or destroyed during transmission?
  • Encryption (45 C.F.R. 164.312(e)(2)(ii))
    • Is it reasonable and appropriate to encrypt the portal information in transit?
  • Unique user identifiers (45 C.F.R. 164.312(a)(2)(i))
    • Should family members or patient representatives get separate IDs?

Portals and Security
  • Authentication (45 C.F.R. 164.312(d))
    • Implement procedure to verify identity
    • What is reasonable and appropriate for patients?
  • Audit logs (45 C.F.R. 164.312(b))
  • Review of audit logs (45 C.F.R. 164.308(a)(1)(D))
  • CE is not responsible for information on patient’s end

MU Stage 2 Objective: Send Patient Reminders (EPs)
  • Step 1 – Reasonable, appropriate safeguards:
    • Encryption?
    • Correct Address?
  • Step 2 – Accommodate reasonable patient requests
    • Patient may prefer unencrypted email

Secure Messaging with Patients
  • MU focuses on patient-initiated communications, while HIPAA focuses on provider-initiated communications
  • Provider-initiated communications should be addressed in risk analysis
    • Consider likelihood of risk (wrong address, interception)
    • Consider impact of risk (will vary depending on content)
  • Some communications may not require “secure” system

Security and HIE
  • Have potential threats and vulnerabilities been addressed in risk analysis?
    • Is transmission encrypted if reasonable and appropriate?
    • Are systems in place to avoid misdirection?
  • If partnering with HIE, is Business Associates Agreement in place?
    • Does BAA permit disclosure to public health authorities?
  • Exchange between different systems increases risks
  • CE is not responsible for security of recipient
    • But it is still your patient and their information if breached

HIPAA Audit Success Equation

Policies + Processes + Tracking Mechanisms = Visible Demonstrable Evidence = Culture of Compliance.

Defining the variables

  • A policy statement that reflects an organization's intentions: the what;
  • A definition of a process by which the policy is implemented: the how; and
  • Suggested tracking mechanism(s) for capturing process results: the measurement.

Outcomes & Conclusions

Do Meaningful Risk Analysis.

The risks are real; your understanding of them and your protection against them need to be real as well.

Risk analysis is a requirement, but it is also a powerful tool to protect your patients and yourself.

A breach is more a question of “when” than “if” in this day and age.

Other Resources

Health and Human Services

http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__home/1204

Health Information Management and Systems Society

http://himss.org/ASP/index.asp

American Health Information Management Association

http://www.ahima.org/Default.aspx

HITECH Answers

https://www.hitechanswers.net/

Digital Business Law Group

http://www.digitalbusinesslawgroup.com/

HITRUST

http://hitrustalliance.net/

Your state’s Office of the Governor (Health Information Exchange) and Regional Extension Centers and your State’s Medical Association and other professional associations

David S. Finn

832.816.2206

david_finn@symantec.com