
Wayne H. van Halem The van Halem Group – A Division of VGM Group, Inc

Security and Risk Analyses: A Critical Requirement to Protect Your Business and Your Patient's Data. Wayne H. van Halem, The van Halem Group – A Division of VGM Group, Inc.





Presentation Transcript


  1. Security and Risk Analyses: A Critical Requirement to Protect Your Business and Your Patient's Data. Wayne H. van Halem, The van Halem Group – A Division of VGM Group, Inc

  2. Please Complete Your Evaluation. Everyone should have received an evaluation form upon entering the session. Please complete the evaluation form and turn it in to the room monitor as you exit the session. Or, you can complete your evaluation in the mobile app: locate the session in the app and tap on the clipboard icon to begin the survey. Please help us keep the Medtrade Spring Education sessions the best in the industry by completing an evaluation for every session you attend! Your feedback is very valuable to us and will be used in planning future Medtrade Spring events! Connect with us on Social Media: Twitter: @MedtradeConnect; Instagram: @MedtradeConnect; Facebook: facebook.com/medtrade; #MedtradeSpring19

  3. Poll
  • Do you have a HIPAA Compliance program in place?
  • Do you incorporate HIPAA Training annually?
  • Do you have a current Security and Risk Assessment on file?
  • Do you have Business Associate Agreements in place for all entities that may come in contact with your PHI?

  4. HIPAA Overview
  • Health Insurance Portability and Accountability Act
  • HIPAA’s intent is to reform the healthcare industry by:
    • Reducing costs
    • Simplifying administrative processes and burdens, and
    • Improving the privacy and security of patients’ information

  5. Why have a HIPAA Compliance Program?
  • It’s the law
  • Increased usage of data
  • OCR and OIG Hotlines
  • OCR audits

  6. Office for Civil Rights (OCR) HIPAA Audits
  • OCR piloted an audit program in 2011 – 2012 to assess the controls/processes implemented by 115 covered entities to comply with HIPAA’s requirements (Phase 1)
  • OCR performed desk audits and onsite audits in 2016 – 2017 (Phase 2)
  • Audits are primarily a compliance improvement activity to enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules.
  • Included both covered entities and business associates (approximately 200)

  7. Results

  8. Recurring Compliance Issues
  • Pattern of disclosure of sensitive paper PHI
  • Business Associate Agreements
  • Risk Analysis
  • Failure to manage identified risk (i.e. encryption)
  • Lack of transmission security
  • Lack of appropriate auditing
  • No patching of software
  • Insider Threat
  • Improper Disposal
  • Insufficient data back-up and contingency planning

  9. OCR/HIPAA Audits
  • Phase 3 audits are intended to be non-punitive, but OCR can open up a compliance review
  • Learned from Phase 2 in structuring a permanent audit program
  • Develop tools and guidance for industry self-evaluation and breach prevention
  • OCR will use findings to:
    • Identify best practices,
    • Uncover risks and vulnerabilities,
    • Detect areas for technical assistance, and
    • Encourage consistent attention to compliance

  10. OCR/HIPAA Audits
  • Current Focus:
    • Business Associate Agreements
    • Security and Risk Assessments
  • Fines can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation

  11. Desk Audits – What to expect
  • 10 business days to respond
  • Responses should contain the specified documentation:
    • Applicable policies, procedures, and evidence of implementation
    • List of all Business Associates (BAs)
    • SRA for previous 3 years
  • BAs are largely drawn from the BAs identified by desk audits of covered entities
  • OCR could decide to open a separate compliance review in a circumstance where significant threats to the privacy and security of PHI are revealed through the audit

  12. Desk Audit HIPAA Controls
  • Privacy Rule Controls
    • Notice of Privacy Practices & Content Requirements
    • Provision of Notice – Electronic Notice
    • Right to Access
  • Breach Notification Rule Controls
    • Timeliness of Notification
    • Content of Notification
  • Security Rule Controls
    • Security Management Process - Risk Analysis
    • Security Management Process - Risk Management

  13. HIPAA Compliance Program

  14. Bedrock Components
  • Policies and Procedures
  • Security and Risk Assessment
  • Awareness Training
  • Business Associate Agreements

  15. Security and Risk Assessment
  • Helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards
  • Reveals areas where your organization’s PHI could be at risk
  • Should be updated on an annual basis
  • Most commonly missing or incomplete item in a provider’s compliance program

  16. Risk Analysis vs. Gap Analysis
  • A risk analysis is a comprehensive evaluation of a CE or BA’s enterprise to identify the ePHI and the risks and vulnerabilities to the ePHI. The risk analysis is then used to make appropriate modifications to the ePHI system to reduce these risks to a reasonable and appropriate level.
  • A gap analysis is typically a narrowed examination of a CE or BA’s enterprise to assess whether certain controls or safeguards required by the Security Rule are implemented. A gap analysis can also provide a high-level overview of the controls in place that protect ePHI, without engaging in the comprehensive evaluation required by a risk analysis.

  17. Gap Analysis

  18. Common Elements in a Risk Analysis
  • Scope
    • The risk analysis should consider the potential risks to all of an entity’s ePHI, regardless of the particular electronic medium in which it is created, received, maintained, or transmitted, or the source or location of its ePHI.
  • Data Collection
    • When considering the potential risks to its ePHI, entities should identify all of the locations and information systems where ePHI is created, received, maintained, or transmitted. Such an inventory should consider not only workstations and servers, but also applications, mobile devices, electronic media, communications equipment, and networks as well as physical locations.

  19. Common Elements in a Risk Analysis
  • Identify and Document Potential Threats and Vulnerabilities
    • Be sure to identify technical as well as non-technical vulnerabilities. Technical vulnerabilities can include holes, flaws, or weaknesses in information systems; or incorrectly implemented and/or configured information systems.
  • Assess Current Security Measures
    • Assess and document the effectiveness of current controls, for example the use of encryption and anti-malware solutions, or the implementation of patch management processes.

  20. Common Elements in a Risk Analysis
  • Determine the Likelihood and Potential Impact of Threat Occurrence
    • Determine and document the likelihood that a particular threat will trigger or exploit a particular vulnerability, as well as the impact if a vulnerability is triggered or exploited.
  • Determine the Level of Risk
    • Assess and assign risk levels for the threat and vulnerability combinations identified by the risk analysis. Determining risk levels informs entities where the greatest risk is, so entities can appropriately prioritize resources to reduce those risks.

  21. Common Elements in a Risk Analysis
  • Documentation
    • Although the Security Rule does not specify a form or format for risk analysis documentation, such documentation should contain sufficient detail to demonstrate that an entity’s risk analysis was conducted in an accurate and thorough manner. If a covered entity or business associate submits a risk analysis lacking sufficient detail in response to an OCR audit or enforcement activity, additional documentation may be required to demonstrate that the risk analysis was in fact conducted in an accurate and thorough manner.

  22. Common Elements in a Risk Analysis
  • Review and Update
    • Conducting a risk analysis is an ongoing process that should be reviewed and updated regularly. Although the Security Rule does not prescribe a frequency for performing risk analyses, risk analysis and risk management processes work most effectively when integrated into an entity’s business processes to ensure that risks are identified and addressed in a timely manner.
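The steps in slides 18 through 22 (inventory the places ePHI lives, pair each with a threat and vulnerability, record the controls in place, rate likelihood and impact, assign a risk level, document, and review on a schedule) can be carried through as a small risk register. The following is an added illustration written for this transcript, not code from the presentation or from The van Halem Group; the three-point scales, the asset inventory, the findings and the 365-day review interval are all constructed for the example (the Security Rule prescribes none of them):

```python
from dataclasses import dataclass
from datetime import date

# Ordinal scales used to rate each threat/vulnerability pair. Constructed for
# this example; the Security Rule does not prescribe a scale, only that
# likelihood and impact be determined and documented.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    """One place where ePHI is created, received, maintained or transmitted (Data Collection)."""
    name: str
    kind: str       # workstation, server, application, mobile device, media, network, ...
    location: str


@dataclass
class Finding:
    """A threat/vulnerability pair against an asset, with the controls currently in place."""
    asset: Asset
    threat: str
    vulnerability: str
    controls: tuple     # current security measures assessed for this asset
    likelihood: str     # chance the threat triggers or exploits the vulnerability
    impact: str         # consequence if it does

    def score(self) -> int:
        # Likelihood of exploitation times impact of exploitation, range 1..9.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        # Map the numeric score onto three risk levels so resources can be prioritised.
        s = self.score()
        return "high" if s >= 6 else "medium" if s >= 3 else "low"


def risk_register(findings):
    """Determine the Level of Risk and Documentation: rank findings, highest risk first,
    as plain dicts that can be written out as the documented risk analysis."""
    ranked = sorted(findings, key=lambda f: (-f.score(), f.asset.name))
    return [
        {
            "asset": f.asset.name, "kind": f.asset.kind, "location": f.asset.location,
            "threat": f.threat, "vulnerability": f.vulnerability,
            "controls": list(f.controls),
            "likelihood": f.likelihood, "impact": f.impact,
            "score": f.score(), "level": f.level(),
        }
        for f in ranked
    ]


def review_due(last_review_iso: str, today_iso: str, max_age_days: int = 365) -> bool:
    """Review and Update: flag an analysis older than the chosen interval (dates as ISO strings)."""
    last_review = date.fromisoformat(last_review_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_review).days > max_age_days


# Constructed inventory and findings for a small provider office (example data only).
LAPTOP = Asset("billing-laptop-01", "mobile device", "field staff")
EHR = Asset("ehr-db", "server", "server room")
FAX = Asset("fax-server", "communications equipment", "front office")

SAMPLE_FINDINGS = [
    Finding(LAPTOP, "theft or loss of device", "full-disk encryption not enabled",
            ("screen lock", "login password"), "high", "high"),
    Finding(EHR, "malware reaching the database host", "operating system patches six months behind",
            ("anti-malware", "nightly backup"), "medium", "high"),
    Finding(FAX, "misdirected transmission", "no confirmation of recipient number before sending",
            ("cover sheet with confidentiality notice",), "medium", "low"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_FINDINGS):
        print(f"{row['level']:6} {row['score']}  {row['asset']}: "
              f"{row['threat']} / {row['vulnerability']}")
    print("review due:", review_due("2018-01-15", "2019-04-01"))
```

Run as-is, the register lists the unencrypted laptop first (score 9, high), the unpatched EHR server second (score 6, high) and the fax server last (score 2, low), which is the prioritisation slide 20 asks for; `review_due` shows an analysis dated January 2018 is overdue in April 2019, matching the annual cadence recommended in slide 15. Swapping in a finer scale or a different level cut-off changes only `LIKELIHOOD`, `IMPACT` and `level()`, so the documented method stays explicit.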

  23. Let’s think of this concept in terms of automobile insurance:
  • You want to get a quote and you are asked to provide some general information on how you operate your vehicle:
    • Do you stop at every stop sign?
    • Do you follow the posted speed limit?
    • Do you wear your seat belt every time you drive?

  24. After completing your assessment to complete your quote, the agent offers you a better deal by installing a tracking device in your vehicle, ensuring you receive the best rates.
  • This plug-in device monitors your vehicle to verify that the responses you gave on your assessment are accurate.
    • I DO stop at all stop signs
    • I DO follow the posted speed limits
    • I DO wear my seat belt every time I drive

  25. Complete a Risk Analysis in 2019
  • § 164.308(a)(1)(ii)(A) - Risk analysis [Required]. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

  26. The OCR recently released additional guidance regarding entities’ approach to Security Risk Analysis. There is an obvious disconnect in our industry as it pertains to completing an SRA.

  27. Sample Questions - Administrative
  • Our organization has a senior-level person whose job it is to develop and implement security policies and procedures or act as a security point of contact
  • Our organization develops, documents, and implements policies and procedures for assessing and managing risks to its PHI
  • Our organization knows all business associates and the access that each requires to our organization’s facilities, information systems and ePHI
  • Our organization keeps records that detail when each workforce member satisfactorily completed periodic training

  28. Sample Questions - Physical
  • We periodically review and approve a Facility User Access List and authorization privileges, removing from the Access List personnel no longer requiring access
  • We have an inventory of the physical systems, devices, and media in our office space that are used to store or contain ePHI
  • When our organization uses laptops and tablets as workstations, we have specific policies and procedures to safeguard these workstations
  • We have policies and procedures for the physical protection of our facilities and equipment. This includes controlling the environment inside the facility.

  29. Sample Questions - Technical
  • Our organization activates an automatic logoff that terminates an electronic session after a predetermined period of user inactivity.
  • Our organization backs up ePHI by saving an exact copy to a magnetic disk/tape or to virtual storage, such as a cloud environment.
  • Our organization has the capability to activate emergency access to its information systems in the event of a disaster.
  • Our organization knows the authentication capabilities of its information systems and electronic devices to assure that a uniquely identified user is the one claimed.

  30. Questions???

  31. Stay Connected: The van Halem Group, @vanHalemGroup; The Details Matter - blog.vanhalemgroup.com; Wayne van Halem

  32. Wayne H. van Halem, President, The van Halem Group - A Division of VGM Group, Inc. 101 Marietta St NW, Suite 1850, Atlanta, GA 30303. 404-343-1815. Wayne@vanHalemGroup.com
