The HIPAA Security Rule: An Overview and Preview for 2014
Daniel M. Briley, CISSP, Managing Director, Summit Security Group

You and HIPAA - Get the Facts


DESCRIPTION

The HIPAA Security Rule - An overview and preview for 2014, from Summit Security Group. Summit Security Group is a business partner to Resource One, managed IT services provider for over 15 years to small and mid-sized businesses in the Portland Metro and Southwest Washington area.


Page 1: You and HIPAA - Get the Facts

Daniel M. Briley, CISSP
Managing Director, Summit Security Group

The HIPAA Security Rule

An Overview and Preview for 2014

Page 2

Agenda

• Introduction
• HIT Security Compliance Landscape
  – From 2005 - 2014
• Enforcement Actions
• Breach Stats
• 2014 Action Plan
• Focus on Risk
• Questions / Discussion

Page 3

Introduction: Summit Security Group

• Local Information Security Advisory Firm
  – HQ: Beaverton, Oregon
• Deep expertise in IT Security, Governance, Risk Management & Compliance
• We can help if you…
  – Would like a risk or vulnerability assessment to discover gaps
  – Are concerned about a data breach
  – Would like help with security operations, ePHI log monitoring, secure email, etc.
• We participate in training events similar to this one to support a DIY approach, but please give us a call if you would like some help

Page 4

The Changing Landscape

• 2005: HIPAA Security Rule
  – Administrative, Physical, Technical Safeguards
  – Minimal enforcement
  – Insignificant monetary fines
• 2009: ARRA
  – Included the Health Information Technology for Economic and Clinical Health (HITECH) Act

Page 5

The Changing Landscape

• HITECH Act
  – Applies HIPAA to BAs
  – Mandatory data breach reporting requirements
  – Civil and criminal penalties for noncompliance
  – Enforcement responsibilities
  – New privacy requirements
  – Meaningful Use
    • Adopt Certified EHR Technology
    • Use it to achieve specific objectives

Page 6

The Changing Landscape

• 2009: CMS Delegates Authority to OCR

Page 7

The Changing Landscape

• 2011: OIG: CMS’ oversight and enforcement actions not sufficient to ensure CEs effectively implemented HIPAA Security Rule
• Hospitals audited: 7
• Vulnerabilities identified: 151
  – High impact: 124

Page 8

The Changing Landscape

• 2012: OCR Taps KPMG to Audit CEs
• Audits are ongoing
  – CEs only in 2012 pilot program
  – BAs in the future*

* http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/auditpilotprogram.html

Page 9

The Changing Landscape

• 2013: HITECH Act changes codified in the HIPAA Omnibus Final Rule
  – BAs now subject to HIPAA
  – Increased & tiered civil money penalties ($100 - $1.5M)
  – Clarifies the definition of a data breach

Page 10

Enforcement Actions

Page 11

Enforcement Actions

Page 12

Enforcement Actions

Page 13

Enforcement Actions

“Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections.” -- OCR Director Georgina Verdugo

Page 14

Breach Stats

Page 15

Breach Stats

• The healthcare industry loses $7 billion a year due to HIPAA data breaches

• The average economic impact of a data breach has increased by $400,000 to a total of $2.4 million since 2010

• 94% of healthcare organizations have had at least one data breach in the last two years

• The average number of lost or stolen records per breach is 2,769

Source: Third Annual Benchmark Study on Patient Privacy & Data Security by the Ponemon Institute

Page 16

Breach Stats

• Only 40% of organizations have confidence that they are able to prevent or quickly detect all patient data loss or theft

• Top 3 causes of data breaches: Lost or stolen computing device (46%), Employee mistakes or unintentional actions (42%), Third party snafus (42%)

• 18% of healthcare organizations say medical identity theft was a result of a data breach

Source: Third Annual Benchmark Study on Patient Privacy & Data Security by the Ponemon Institute

Page 17

Breach Stats

• Annual security risk assessments are done by less than half (48%) of organizations

• 48% of data breaches in 2012 involved medical files

• The primary activity conducted by healthcare organizations to comply with annual or periodic HIPAA privacy and security requirements is awareness training of all staff (56%), followed by vetting and monitoring of third parties, including business associates (49%)

Source: Third Annual Benchmark Study on Patient Privacy & Data Security by the Ponemon Institute

Page 18

Breach Stats from HHS

• HHS Breach Database
  – Breaches affecting ≥ 500 individuals

Page 19

Common Thread

• An increase in OCR complaints, investigations, corrective actions, and enforcement functions all indicate:
  – Managing compliance with the HIPAA Security Rule is challenging:
    • Threats are emerging and dynamic
    • Vulnerabilities and risks are going undiscovered and/or unresolved
    • Staff is tapped
  – Ignoring the requirements is not a strategy for success

Page 20

Common Thread

• WSJ: Security Compliance is not easy

Page 21

2014 Action Plan

• Align operations with requirements set forth in the Omnibus Rule:
  – Confirm Privacy & Security Official
  – Update BAAs & NPP
  – Perform / Update Risk Assessment
  – Update P&P documents
  – Develop Breach Response

Page 22

2014 Action Plan

• Align operations, continued…
  – Understand where all PHI is stored
  – Understand who can access PHI
  – Implement technology that enhances the security of ePHI
  – Execute BAAs as needed
  – Train staff on updates
  – Retain evidence of actions

Page 23

Focus on Risk

• Proper Risk Management Delivers Value

From: Improving Healthcare Risk Assessments to Maximize Security Budgets White Paper

Page 24

Focus on Risk

• Risk-based Approach to Security Management
  – Assess risk (§ 164.308(a)(1)(ii)(A))
    • Technical / Administrative / Physical
    • Determine Impact
  – Manage Risk (§ 164.308(a)(1)(ii)(B))
    • Recommend improvements
    • Remediate gaps / mitigate risk
    • Document improvements
  – Re-assess

“The risk analysis process should be ongoing. In order for an entity to update and document its security measures ‘as needed,’ which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed.” (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii))

Page 25

Approach

• Proper risk assessment and management drives prioritization of key services:
  – Policy and Procedure Development
  – Education, Awareness and Training
  – Incident Response
  – Vulnerability Remediation
  – Safeguards Enhancement
• Key activities support and demonstrate compliance with the HIPAA Security Rule

Page 26

Discussion

Proper planning & preparation prevents pandemonium

Page 27

Thank you!

http://summitinfosec.com/