Loading in 2 Seconds...
Loading in 2 Seconds...
THE EVOLUTION OF HIPAA SECURITY – Be Careful What You Ask For Kirsten Ruzic Wild, RN, BSN, MBA, CHC September 11, 2009. Objectives. Gain insight into government’s enforcement efforts Highlight current level of health care entities’ compliance – HIPAA COW Benchmarking Survey
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
THE EVOLUTION OF HIPAA SECURITY – Be Careful What You Ask For Kirsten Ruzic Wild, RN, BSN, MBA, CHC September 11, 2009
Objectives • Gain insight into government’s enforcement efforts • Highlight current level of health care entities’ compliance – HIPAA COW Benchmarking Survey • Understand the recent ARRA changes and impact
A little background….. HIPAA Security • Establish national standards for the security of electronic health care information • Administrative safeguards • Physical safeguards • Technical safeguards • Enforcement Authority was CMS
A little background….. HIPAA Security Rule Requirements • Establish national minimum standards for the security of electronic health care information • Published February 2003, deadline April 2005 • Administrative, technical, and physical security procedures (18 standards) • Implementation specifications are either Required (14) or Addressable (22)
HIPAA Security Rule Rule Goals • Comprehensive, scaleable and technologically neutral (flexible) • Protect the confidentiality, availability and integrity of electronic PHI (“ePHI”) • Assess YOUR risks and vulnerabilities • Improve Medicare/Medicaid through increased effectiveness and efficiency
HIPAA Security Rule Rule Goals • “Improve efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of standards and requirements to enable the electronic exchange of certain health information” 45 CFR Parts 160, 162, 164 – Final Rule
HIPAA Security Rule Interpretation • Good Thing: Scaleable and flexible • Bad Thing: Scaleable and flexible • How do you know if you meet the standard? • Are you certain you are compliant?
HIPAA Security Rule Interpretation • Lack of standard • Constantly changing technologies • Complexity and variety of clinical applications • Limited IT budgets • No CMS enforcement or oversight (years) • Interpretation? Why bother?
OIG Audits and Guidance March 2007 • Audit of Piedmont Hospital – Atlanta • Non-specific findings: significant vulnerabilities • Leaked checklist of 42 questions/documents
OIG Audits and Guidance August 2007 • Audit of CMS (Results of audit released in October 2008) • Findings • No compliance reviews had been conducted in 2 years • CMS had “not provided effective oversight or encouraged enforcement of the HIPAA Security Rule” • CMS agreed to implement a formal audit process • Defense: voluntary compliance and complaint-driven
OIG Audits and Guidance • No findings released • OIG committed to ongoing audits of covered entities nationwide for next few months • Develop understanding of CE interpretation of flexible and scalable ???
CMS CMS • Late 2007 • Office of eHealth Standards and Services (OESS) • CMS website – HIPAA Security Standard • Sample document request list for audit - 42 • First insight into federal interpretation • Conducting on-site reviews since January 2008
OCR/CMS Auditing/Enforcement CMS • Mid 2008 • Audited Providence Health and Services • In cooperation with OCR • Failure to implement P&P to protect PHI • Portable media • First Resolution Agreement/CAP • On OCR website • Only CMS audit results released
OCR/CMS Auditing/Enforcement Providence Audit • No civil monetary penalty for cooperating • Audited by OCR and CMS jointly • Complaint-triggered audit
CMS Enforcement Enforcement Statistics – 3 largest number of complaints • Information Access Management(Administrative Standard 164.308(a)(4)(i)) • Access Control(Technical Standard 164.312(a)(1)) • Security Awareness and Training(Administrative Standard 164.308(a)(5)(i))
Conclusions • Uncoordinated guidance, interpretation and enforcement • Info on a variety of government websites OIG, CMS, OESS, OCR, Dept of Commerce - NIST • Not easy to find • Where do you go from here?
New Enforcement • As of August 3rd, OCR is responsible for enforcement of HIPAA Security – not CMS • “eliminate duplication and increase efficiencies”
HIPAA COW Security Networking Group • Benchmarking Survey • March 2009 • Goals: • to provide benchmarking data to help organizations across the State determine their level of compliance with the regulations in preparation for a federal audit • Not to justify or support non-compliance • Determine if benchmarks (local?) exist
HIPAA COW Security Networking Group Benchmarking Survey • 56 questions • 10 categories • Average of 76 responses to each question • Respondents include: acute care hospitals, clinics/physician groups, long-term care facilities, payers, and integrated health care delivery networks • From <200 to >2000 employees • Size of an organization had little effect on level of compliance
HIPAA COW: Benchmarking Survey Results - Encryption • 54% of respondents indicated they encrypt e-mail • 46% do not currently encrypt e-mail • 34% of respondents indicated they encrypt laptop hard drives • 66% do not encrypt laptops
HIPAA COW: Benchmarking Survey Results - Encryption • 30.7% (less than 1/3) are encrypting USBs and other mobile devises • 26% indicated they do not encrypt any devices or data transmission
Committee Interpretation • Expected that organizations had implemented encryption techniques/solutions on more types of devises • Why not encrypting? • Budget limitations • Too difficult • IT not ready to administer • Organizational policies prohibit transmission of PHI in e-mail or on portable devises • Organizations may be currently implementing or testing to find solutions • Believe it is impossible to enforce
Conclusions/Recommendations • All organizations should be capable of encryption • Well-established technology • Inexpensive • Easy to implement • “Addressable” standard? • Per OIG Auditors presentation in April – lack of encryption will fail an audit • Provide proactive solutions to your users
HIPAA COW: Benchmarking Survey Results – Disaster Recovery • 88.8% have a Disaster Recovery Plan • Those who didn’t tended to be smaller organizations • 45.6% state their Plan covers every application • 31.6% indicated their Disaster Recovery Plan covers only those applications that support basic business functions • 89.4% state their Plan is documented
HIPAA COW: Benchmarking Survey Results – Disaster Recovery • 50.6% test their Disaster Recovery Plan • 39.5% did not answer the question • Of those that answered the question (open-ended) as to how often they test their Disaster Recovery Plan, majority stated annually
Committee Interpretation • Why not meeting the Standard? • Challenging as not a static condition • Very complicated • Cost/benefit analysis • Lack of consequences • Productivity pressures
Committee Interpretation • Are these really disaster recovery plans or just disaster response plans? • How does this compare or relate to plans for business continuity? Infrastructure recovery? Critical patient care systems? • Possibly handled by other departments? • Is the Plan being used?
Conclusions/Recommendations • Required specification • Prioritize applications • Test in order of priority • Consider the time it takes for the entire system to recover
Conclusions/Recommendations • Recovery should be intrinsic to implementation of new applications • Get started, start small • Resolve with external resources – consultant • Consider the potential consequences
HIPAA COW: Benchmarking Survey Results – E-Mail Retention • 48.2% have an E-mail Retention Policy • 54.3% store all e-mail • 45.7% do not store all e-mail • 73.1% store e-mail back-ups off-site • The length of retention is extremely variable • 2 weeks - forever • Dependent on application, retention policy, type of data, user preference
Committee Interpretation • Without a policy, in response to a legal discovery request, what would you produce? • If is discovered must now be kept • Implications of e-discovery law
Conclusions/Recommendations • Must have a Record Retention Policy • Classify by data type or classification, not medium • Decision for retention is “what” data is retained and for how long, regardless of what format the data is in • Create a Records Retention Schedule • Educate and enforce the policy
HIPAA COW: Benchmarking Survey Results – Automatic Log-out/Log-off Network Level • 54.3% employ automatic log-out at the network level • Of those who employ automatic log-out at the network level: • 58.1% implemented log-out times of 10-30 minutes • 34.9% implemented log-outs of less than 10 minutes • Which means: • 93% require log-out times to be less than 30 minutes • Only 7% have implemented log-out times at the network level of greater than 30 minutes
HIPAA COW: Benchmarking Survey Results – Automatic Log-out/Log-off Application Level • 66.3% employ log-outs at the application level • Of those who employ automatic log-outs a the application level: • 52.8% have implemented log-out times of 10-30 minutes • 20% have implemented log-out times of less than 10 minutes • Which means: • 73.6% require lot-out times to be less than 30 minutes • 26.4% have implemented log-out times at the application level of greater than 30 minutes
HIPAA COW: Benchmarking Survey Results – Automatic Log-out/Log-off Physically secured • If work stations are in a physically secured area: • 65.4% still require an automatic log-out • 34.6% do not use automatic log-outs
Committee Interpretation • Log-out times at the network or application level should be less than 30 minutes • Is this really a standard and is there really an increased risk? • Longer log-out times might be acceptable in physically secured workstations or controlled environments (Surgery) – some risk is mitigated
Conclusions/Recommendations • Log-out times at the network or application level should be less than 30 minutes • Even if you have work stations in areas considered to be physically secured, most organizations still require automatic log-out • Per OIG Auditors – use of generic accounts will fail an audit, unless proof this level of access is not to any PHI • Clinical applications must authenticate to the user • Consider generic accounts to log on to network
HIPAA COW: Benchmarking Survey Results – Passwords Network Passwords • 46.9% require network passwords to be changed every 30-90 days • 37% requirepasswords to be changed after more than 90 days • 13.6% never require passwords to be changed • 92.4% have a minimum password length at the network level • 84% require passwords to contain 6-8 characters • 5.3% require network passwords to contain 9-12 characters • Which means: • 89.3% require passwords to be at least 6 characters in length
HIPAA COW: Benchmarking Survey Results – Passwords Application Passwords • 45% require application passwords to be changed every 30-90 days • 33.8% require passwords to be changed after more than 90 days • 20% never require passwords to be changed at the application level • 86.1% have a minimum password length for passwords at the application level • 86.4% require passwords to contain 6-8 characters • 1.5% require application passwords to contain 9-12 characters • Which means: • 87.9% require application passwords to be at least 6 characters in length
Committee Interpretation • There appear to be a clear agreement regarding password length • Are the users allowed to determine how frequently their password is changed? • Are password requirements for applications, dependent upon the application?
Conclusions/Recommendations • Consider the NIST recommendations • If you are an organization who does not ever require network passwords to be changed, it is highly recommended that you change your policy • If you are an organization that allows passwords to be less than 6 characters in length, it is highly recommended that you change your policy
HIPAA COW: Benchmarking Survey Results – Portable Media • 63.8% indicate they have a policy covering portable/mobile devises • 36.3% have no policy • 49.4% allow PHI to be loaded on portable media • 50.6% do not allow PHI to be loaded • Of those who allow PHI to be loaded on portable media: • 68.4% require the data to be password protected or encrypted • 31.6% have no requirements to password protect or encrypt the data
HIPAA COW: Benchmarking Survey Results – Portable Media • 50% state their policy is that no PHI can be loaded on portable media • 78.9% indicate they are not confident they know the number of portable devises used by their employees • 21.2% are confident they know the number of portable devises used by employees • 72% of those who took the survey did not answer this question
Committee Interpretation • The Committee finds this scary! • Portable media containing PHI has triggered many of the initial complaints to federal agencies resulting in investigations • We want to meet the 21.2% are confident they know the number of portable devises used by employees
Committee Interpretation • If your policy states that PHI cannot be loaded on portable media, how do you audit or enforce? • Without a policy, in response to a legal discovery request, what would you produce? • Does encrypting a laptop solve this?
Conclusions/Recommendations • We still recommend having a written policy in place to hold employees responsible and accountable and to help protect the organization from individual’s wrong-doing • Even if you are not sure how to enforce a policy or feel employees can still violate confidentiality rules • Don’t forget about your vendors
HIPAA COW: Benchmarking Survey Results – Remote Access • 81.3% confirm they have a Remote Access Policy • 86.1% also state they allow employees with remote access to access applications containing PHI • 72.3% state they audit the remote access of employees
Committee Interpretation • If you allow remote access, how do you monitor or prevent printing of PHI? • How do you protect internal networks from non-enterprise owned PCs? • Is limiting file transfers an option? • Results not dependent on the size of an organization
Conclusions/Recommendations • Really only 2 options: • Restrict the use of PCs not owned/controlled by organization • Run the risk and manage through policies, education and enforcement - attestation • If you remove the driver on the terminal printer, users cannot print at home • Utilize a VPN • Create good policies and enforce them • Consider your business objectives/alternative technologies
HIPAA COW: Benchmarking Survey Results – Auditing • 53.9% responded that they conduct regularly scheduled audits to determine if PHI is accessed inappropriately • 46.1% do not audit for inappropriate access • 86.8%, indicate they have a formal sanction policy for employees who inappropriately access PHI