The HIPAA Security Rule - An overview and preview for 2014, from Summit Security Group. Summit Security Group is a business partner to Resource One, managed IT services provider for over 15 years to small and mid-sized businesses in the Portland Metro and Southwest Washington area.
Daniel M. Briley, CISSP, Managing Director, Summit Security Group
The HIPAA Security Rule
An Overview and Preview for 2014
Agenda
• Introduction
• HIT Security Compliance Landscape
  – From 2005 - 2014
• Enforcement Actions
• Breach Stats
• 2014 Action Plan
• Focus on Risk
• Questions / Discussion
Introduction: Summit Security Group
• Local Information Security Advisory Firm
  – HQ: Beaverton, Oregon
• Deep expertise in IT Security, Governance, Risk Management & Compliance
• We can help if you…
  – Would like a risk or vulnerability assessment to discover gaps
  – Are concerned about a data breach
  – Would like help with security operations, ePHI log monitoring, secure email, etc.
• We participate in training events similar to this one to support a DIY approach, but please give us a call if you would like some help
The Changing Landscape
• 2005: HIPAA Security Rule
  – Administrative, Physical, Technical Safeguards
  – Minimal enforcement
  – Insignificant monetary fines
• 2009: ARRA
  – Included the Health Information Technology for Economic and Clinical Health (HITECH) Act
• HITECH Act
  – Applies HIPAA to BAs
  – Mandatory data breach reporting requirements
  – Civil and criminal penalties for noncompliance
  – Enforcement responsibilities
  – New privacy requirements
  – Meaningful Use
    • Adopt Certified EHR Technology
    • Use it to achieve specific objectives
• 2009: CMS Delegates Authority to OCR
• 2011: OIG: CMS’ oversight and enforcement actions not sufficient to ensure CEs effectively implemented HIPAA Security Rule
  – Hospitals audited: 7
  – Vulnerabilities identified: 151
    • High impact: 124
• 2012: OCR Taps KPMG to Audit CEs
• Audits are ongoing
  – CEs only in 2012 pilot program
  – BAs in the future*
* http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/auditpilotprogram.html
• 2013: HITECH Act changes codified in the HIPAA Omnibus Final Rule
  – BAs now subject to HIPAA
  – Increased & tiered civil money penalties ($100 - $1.5M)
  – Clarifies the definition of a data breach
Enforcement Actions
“Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections.” -- OCR Director Georgina Verdugo
Breach Stats
• The healthcare industry loses $7 billion a year due to HIPAA data breaches
• The average economic impact of a data breach has increased by $400,000 to a total of $2.4 million since 2010
• 94% of healthcare organizations have had at least one data breach in the last two years
• The average number of lost or stolen records per breach is 2,769
• Only 40% of organizations have confidence that they are able to prevent or quickly detect all patient data loss or theft
• Top 3 causes of data breaches: Lost or stolen computing device (46%), Employee mistakes or unintentional actions (42%), Third party snafus (42%)
• 18% of healthcare organizations say medical identity theft was a result of a data breach
• Annual security risk assessments are done by less than half (48%) of organizations
• 48% of data breaches in 2012 involved medical files
• The primary activity conducted by healthcare organizations to comply with annual or periodic HIPAA privacy and security is awareness training of all staff (56%), followed by vetting and monitoring of third parties, including business associates (49%)
Source: Third Annual Benchmark Study on Patient Privacy & Data Security by the Ponemon Institute
Breach Stats from HHS
• HHS Breach Database
• ≥ 500 individuals impacted
Common Thread
• An increase in OCR complaints, investigations, corrective actions, and enforcement functions all indicate:
  – Managing compliance with the HIPAA Security Rule is challenging:
    • Threats are emerging and dynamic
    • Vulnerabilities and risks are going undiscovered and/or unresolved
    • Staff is tapped
  – Ignoring the requirements is not a strategy for success
• WSJ: Security Compliance is not easy
2014 Action Plan
• Align operations with requirements set forth in the Omnibus Rule:
  – Confirm Privacy & Security Official
  – Update BAAs & NPP
  – Perform / Update Risk Assessment
  – Update P&P documents
  – Develop Breach Response
• Align operations, continued…
  – Understand where all PHI is stored
  – Understand who can access PHI
  – Implement Technology that enhances the security of ePHI
  – Execute BAAs as needed
  – Train staff on updates
  – Retain evidence of actions
Focus on Risk
• Proper Risk Management Delivers Value
From: Improving Healthcare Risk Assessments to Maximize Security Budgets White Paper
• Risk-based Approach to Security Management
  – Assess risk (§ 164.308(a)(1)(ii)(A))
    • Technical / Administrative / Physical
    • Determine Impact
  – Manage Risk (§ 164.308(a)(1)(ii)(B))
    • Recommend improvements
    • Remediate gaps / mitigate risk
    • Document improvements
  – Re-assess
“The risk analysis process should be ongoing. In order for an entity to update and document its security measures ‘as needed,’ which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed.” (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii))
Approach
• Proper risk assessment and management drives prioritization of key services:
  – Policy and Procedure Development
  – Education, Awareness and Training
  – Incident Response
  – Vulnerability Remediation
  – Safeguards Enhancement
• Key activities support and demonstrate compliance with the HIPAA Security Rule
Discussion
Proper planning & preparation prevents pandemonium