
Page 1: CI2013 Session107 Ruppert-Presentation vFINAL(04222013

5/14/2013

1


Identify key risks by first understanding your true objectives

• Primary Objectives:

◦ Capture accurate, complete, current patient identity.

◦ Capture applicable, sufficient research subject identity.

◦ Protect patient identity (identifiable information).

◦ Protect human research subject identity (identifying information).

Patient Identity - Objectives

• Secondary Objectives/Key Risk Categories:

◦ Comply with the laws supporting the primary objectives.

◦ Maintain a positive public image.

◦ Hold onto your resources.

Identify key risks by understanding your true objectives

Identify key identity theft risks by asking at least two questions related to each objective:

Patient Identity - Risks

• What must you do to succeed at achieving that objective (what must we do right)?

• What do you know of that will prevent you from achieving that objective (what can go wrong)?


WHAT MUST WE DO RIGHT TO SUCCEED:

OBJ: Capture Accurate, Complete Identity:

• Prevent inaccurate/false identity upon capture

• Detect inaccurate/false identity at capture

• Respond swiftly/completely

OBJ: Protect Identity:

• Prevent information breach

• Detect information breach as soon as possible (preferably immediately)

• Respond swiftly and completely

Patient Identity - Risks

OBJ: Capture Accurate, Complete Patient Identity (WHAT CAN GO WRONG):

• Untrained front-end personnel

• Incomplete front-end capture processes

• Faulty system edits and/or interfaces

• Inappropriate system access (create false info)

• Information capture or recording errors (well-trained employees may be tired, hungover, sick, disgruntled, improperly incented, etc.)

• Patients presenting with false identification:

◦ Shared ID | Stolen IDs | No ID

Patient Identity - Risks


OBJ: Capture Accurate, Complete Research Subject Identity (WHAT CAN GO WRONG):

• Untrained front-end personnel

• Incomplete front-end capture processes

• Faulty system edits and/or interfaces

• Inappropriate system access

• Information capture or recording errors (well-trained employees may be tired, hungover, sick, disgruntled, improperly incented, etc.)

• Research subjects presenting with false identification and misrepresenting how they fit the study's needs

Patient Identity - Risks

Protect Patient Identity (WHAT CAN GO WRONG):

• Not knowing where your PHI resides

• Not knowing who should have access

• Medical record access is not controlled

• Systems containing, or with links to, PHI are not protected.

• Laptops/removable media not encrypted.

• Individuals authorized to access PHI are not educated on proper PHI handling, use, etc.

• Individuals authorized to access PHI who misuse their authority

• Systems/files containing PHI are not known and thus cannot be identified for proper protection.

Patient Identity - Risks


Protect Patient Identity (WHAT CAN GO WRONG) (continued):

• Poor PHI file controls (physical and electronic)

• Unknown PHI files (physical and electronic):

◦ Stored locally or on the network

◦ PHI maintained in “rogue” spreadsheets, databases, etc.

◦ PHI collected on forms, in reports, etc. and not controlled

◦ PHI unnecessarily collected on forms, in reports, etc.

• Curious employees, clinicians, consultants, etc.

• Corrupt or corrupted employees, clinicians, consultants, etc.

• Insufficient systems and/or processes for detecting a breach, responding to a breach and following up

Patient Identity - Risks

Protect Patient Identity (WHAT CAN GO WRONG) (continued):

• Insufficient/incomplete policies and procedures

• Weak physical security: open facility access

• Lack of accountability

• Lack of management awareness or concern

• Sending information to unauthorized individuals:

◦ Request source not verified

◦ Misdirected facsimiles and other communications

◦ Sending more information than necessary

• Lost, stolen and sold removable media (including laptops, portable HDs, thumb drives, etc.)

Patient Identity - Risks


Protect Patient Identity (WHAT CAN GO WRONG) (continued):

• System limitations that prevent proper control of authorized use/functionality, hindering PHI protection

• PHI downloaded to unprotected business “systems” (e.g., spreadsheets, databases, analytical tools, etc.)

• Discarded PHI not effectively destroyed/de-identified

• Residency and fellowship program challenges:

◦ Ineffective PHI protection training during training

• Community outreach programs

• Volunteers

• Attending physicians

Patient Identity - Risks

Protect Research Subject Identity (WHAT CAN GO WRONG):

• Think of all the patient-specific challenges and add:

• In an AMC, patients are also often research subjects and vice versa

• Open research environment: information sharing

• Integrity of research data cores and research data generation, review, evaluation and reporting

• Research data not blinded/properly blinded

• Research data updated to patient record

Patient Identity - Risks


Patient Identity - Risks: Source of Compromise

USA TODAY, January 8, 2013

Patient Identity - Risks: The Patient’s Perspective


CONTROL DECISIONS:

• Before the audit, understand how your organization addresses what it can and can’t control:

◦ How is patient identity theft addressed, tolerated, documented?

◦ Is it based on a documented risk assessment?

◦ Is that risk assessment periodically updated and used to guide changes in the control decisions?

◦ Will the audit help to document this risk assessment?

• Inventory and Risk Assessment

• Queries / Surveys

• Interviews

• Process Reviews: Walk Through

• Walk Around / Observation / Physical Security Tests

◦ Workstation reviews, signage, password sticky notes, etc.

• P&P Reviews:

◦ Breach Response | Data Retention / Destruction

• System Reviews:

◦ Access Controls / Specific Demographic Screens

◦ Student Volunteers

• Hardcopy Form Reviews

• Training Analysis:

◦ To Function/Role

• Research Lab Data Integrity

• Third Party Considerations

◦ BAAs, etc.


Patient Identity - Audit “Findings”

Said another way, it’s difficult to achieve the desired levels of control in an environment where a reasonable patient would want everyone who can provide care, especially in an acute situation, to have immediate access to information to help provide that care while simultaneously limiting access to all others.


• Unsecured personal electronic devices

• Debit/credit card storage issues

• P&Ps not designed to address all key regulatory identity theft protection elements of HIPAA, HITECH, Red Flags, etc.

• Training and awareness program may not adequately address key regulatory elements.

• Physical security of patient information may not be adequate to protect against potential identity theft.

◦ Consider unusual records like volunteer, employee, consultant records

• Logical security of patient information may not be adequate to protect against potential identity theft.

• Old forms never updated to avoid collecting data like SSN, and/or no process to ensure that data is destroyed

• Individuals granted access with no appropriate need to know

• Interfaces send PHI data to ancillary systems without need

• Encryption

• Identity Theft Policies & Procedures:

◦ Breach Notification

• Identity Theft Task Force

◦ Business Associate Agreements

◦ Data destruction policies and procedures

◦ Debit/Credit Card Information Handling

• Identity management/theft training & awareness: train managers what to monitor.

• Physical security walkthroughs.

• SSNs should not be displayed, or should be masked, on screens where they are not needed.

• Security & Privacy Insurance.

• Future: Workstations/dumb terminals? Patient control of medical info?
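The screen-masking recommendation above, as an added example that is not part of the presentation: a Python routine that renders a demographic screen for a given viewer role and shows the full SSN only to roles with a documented need. The role names, the field names and the last-four mask format are assumptions chosen for illustration.

```python
"""Mask SSNs on screens where the viewing role has no need for them.

Added example, not from the presentation. The roles and the field
names are assumptions for illustration.
"""
import re

# Roles assumed to have a documented need to see a full SSN on screen.
# Everyone else gets the masked form. This allowlist is an assumption.
SSN_FULL_VIEW_ROLES = frozenset({"patient_financial_services", "privacy_officer"})

# Accepts 123-45-6789 or 123456789; anything else is treated as not an SSN.
_SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def mask_ssn(ssn: str) -> str:
    """Return the SSN with only the last four digits visible (***-**-1234).

    Input that is not SSN-shaped is fully redacted rather than echoed
    back, so a bad value in the field never leaks onto the screen.
    """
    m = _SSN_RE.match(ssn.strip())
    if not m:
        return "***-**-****"
    return f"***-**-{m.group(3)}"


def render_demographics(record: dict, role: str) -> dict:
    """Produce the demographic screen contents for one viewer role.

    The full SSN is included only for roles in SSN_FULL_VIEW_ROLES; every
    other role sees the masked value. The original record is not modified.
    """
    view = {k: v for k, v in record.items() if k != "ssn"}
    raw = record.get("ssn", "")
    view["ssn"] = raw if role in SSN_FULL_VIEW_ROLES else mask_ssn(raw)
    return view


if __name__ == "__main__":
    # Constructed sample record; not real patient data.
    sample = {"mrn": "000123", "name": "DOE, JANE", "ssn": "123-45-6789"}
    for viewer in ("registration_clerk", "patient_financial_services"):
        print(viewer, render_demographics(sample, viewer))
```

Masking at the display layer addresses only the screen. The full SSN still sits in the database, in the interface feeds to ancillary systems noted above, and in any rogue spreadsheet built from an export, so the masked field should be the default in every view and the full-view roles should be reviewed like any other privileged access.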


For Employees with Authorized Access:

• Abnormal levels of record changes by a given employee.

• Employees photographing the computer screen.

• Using a hard drive/external storage to regularly copy or analyze data.

• Hourly employee working early or late, especially when no one else is around.

• Hourly employees working weekends after hours without swiping in to get credit for the time (i.e., the “good employee” going the extra mile without requesting overtime pay).

• Control of telecommuting coders, billers, etc.? How to “watch” what they are doing without being physically present?

• Inappropriate personal telephone use during work hours while working at the computer or with paper files. Cell phones have texting and note-taking capabilities in addition to cameras.

• Known challenging lifestyle or bad habits/addictions such as frequent gambling, drug use, alcohol use, personal financial problems, etc. Within the boundaries of the law, it’s a good idea to keep tighter control over individuals with known personal problems.

For Employees with Authorized Access (continued):

• Not taking vacation or other time off. As with other fraud, it is one indicator of an employee who may be involved in a scheme that would be uncovered if another individual assumed the duties.

• Notepad (paper or electronic) handy while working with PHI.

• Significant sustained change in behavior or lifestyle, especially when combined with one or more other red flags.

• Unexpected or excessive printer use, especially combined with frequent use of the shredder or confidential disposal.

• Unusual attention to celebrities, VIPs, etc. and related matters.

• Unusual level of email use while performing duties involving sensitive information.

• Use of a personal laptop at work, especially if being used to access, or while accessing, sensitive information (vendors?).

• Use of a company laptop in situations unusual for the employee’s typical work requirements.

• Use of thumb drives should not be permitted by anyone with access.

AWARENESS CONSIDERATIONS


For Employees without Authorized Access:

• Employee taking pictures of the computer screen.

• EVS and other employees without access but who frequent areas like HID, nursing stations, etc., especially when seen looking through papers in trash cans, on desks, etc.

• Workforce member without normal access asks a lot of questions of, and/or frequents, employees with access.

• IT personnel. Because the nature of their access is so broad in many cases, traditional system administrator controls should be in place, including ensuring that a limited number of such employees have such access, that all those employees are documented, etc.

• Use of a company laptop in situations unusual for the employee’s typical work requirements.

AWARENESS CONSIDERATIONS

Other Controls

• Confirmation of address or other key individual changes. Any time the core data of a sensitive record is changed, the change should require verification before being made.

• Disallow e-mail access from computers used for PHI purposes.

• Prevent “after hours” access without documented pre-approval?

• Keep people with access in more open, cubicle-type environments so that it is harder to conceal inappropriate activity.

• Manager review of Kronos records: analyze unusual work patterns.

• Occasional one-on-one employee meetings asking questions about what they are seeing among their peers (basically, management by walking around to check whether they have seen any of the behaviors on the list of unusual behaviors).

• Periodic background checks (e.g., annually) of individuals with access.

• Require annual attestations whereby employees with access formally attest to understanding the policies and affirm that they have not personally committed such theft or witnessed such thefts without reporting them to a supervisor; just add it as a statement they sign as part of finalizing their annual evaluation (not certain if this can be done legally).

• Rotation of responsibilities so that employees can self-monitor by seeing the work of other employees.

• Use of thumb drives should not be permitted at all by anyone with such access.

• Workstation-only access for individuals with such access wherever practical.

AWARENESS CONSIDERATIONS
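Several of the red flags listed for employees with authorized access (abnormal record-change volumes, unexpected printer use, hourly staff working after hours without swiping in) and the manager review of Kronos records under Other Controls can be tested from the EHR access audit log together with a time-clock export. The script below is an added example, not from the presentation: it runs three such rules over a constructed audit log and a constructed punch list. The log format, the user names, the business-hours window and the thresholds are all assumptions; real audit logs and Kronos exports differ.

```python
"""Flag insider red flags from an EHR access audit log and time-clock punches.

Added example, not from the presentation. The log format, the user names,
the business-hours window and the thresholds are assumptions chosen for
illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, time
from statistics import median

# Constructed sample audit log, one event per line: ISO timestamp, user,
# action (view/update/print) and MRN. Not real data.
AUDIT_LOG = """\
2013-04-15T09:12:00 user=jdoe action=view mrn=000101
2013-04-15T09:40:00 user=jdoe action=update mrn=000101
2013-04-15T10:05:00 user=rlee action=view mrn=000102
2013-04-15T10:06:00 user=rlee action=update mrn=000102
2013-04-15T11:30:00 user=mkim action=update mrn=000103
2013-04-15T11:31:00 user=mkim action=update mrn=000104
2013-04-15T11:32:00 user=mkim action=update mrn=000105
2013-04-15T11:33:00 user=mkim action=update mrn=000106
2013-04-15T11:34:00 user=mkim action=update mrn=000107
2013-04-15T11:35:00 user=mkim action=update mrn=000108
2013-04-15T14:00:00 user=mkim action=print mrn=000103
2013-04-15T14:01:00 user=mkim action=print mrn=000104
2013-04-15T14:02:00 user=mkim action=print mrn=000105
2013-04-15T14:03:00 user=mkim action=print mrn=000106
2013-04-15T14:04:00 user=mkim action=print mrn=000107
2013-04-15T14:05:00 user=mkim action=print mrn=000108
2013-04-15T22:14:00 user=rlee action=view mrn=000109
2013-04-13T10:00:00 user=jdoe action=view mrn=000110
"""

# Constructed time-clock punches (user, shift start, shift end), the kind of
# record a manager would pull from Kronos. rlee has no punch covering the
# 22:14 access; jdoe has a Saturday punch covering the 2013-04-13 access.
PUNCHES = [
    ("jdoe", "2013-04-15T08:00:00", "2013-04-15T17:00:00"),
    ("rlee", "2013-04-15T08:00:00", "2013-04-15T17:00:00"),
    ("mkim", "2013-04-15T08:00:00", "2013-04-15T17:00:00"),
    ("jdoe", "2013-04-13T09:00:00", "2013-04-13T13:00:00"),
]

BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # assumed window
PRINT_BURST_THRESHOLD = 5      # prints per user per day; assumed
CHANGE_RATIO_THRESHOLD = 3.0   # updates vs. peer median same day; assumed


def parse_log(text):
    """Turn the key=value lines into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        ev = dict(item.split("=", 1) for item in kv)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def _punched_in(user, ts, punches):
    """True if some punch interval for this user covers the timestamp."""
    return any(
        u == user and datetime.fromisoformat(s) <= ts <= datetime.fromisoformat(e)
        for u, s, e in punches
    )


def find_red_flags(log_text=AUDIT_LOG, punches=PUNCHES):
    """Return a sorted list of (rule, user, day) findings."""
    events = parse_log(log_text)
    flags = set()
    updates = Counter()   # (user, day) -> number of record changes
    prints = Counter()    # (user, day) -> number of print events
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        day = ts.date().isoformat()
        # Weekend or outside the business window counts as off hours.
        off_hours = ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() <= BUSINESS_END)
        if off_hours and not _punched_in(user, ts, punches):
            flags.add(("after_hours_no_punch", user, day))
        if ev["action"] == "update":
            updates[(user, day)] += 1
        elif ev["action"] == "print":
            prints[(user, day)] += 1
    for (user, day), n in prints.items():
        if n >= PRINT_BURST_THRESHOLD:
            flags.add(("print_burst", user, day))
    # Compare each user's daily change count against the median of peers.
    by_day = defaultdict(dict)
    for (user, day), n in updates.items():
        by_day[day][user] = n
    for day, counts in by_day.items():
        for user, n in counts.items():
            peers = [c for u, c in counts.items() if u != user]
            if peers and n > CHANGE_RATIO_THRESHOLD * median(peers):
                flags.add(("abnormal_change_volume", user, day))
    return sorted(flags)


if __name__ == "__main__":
    for rule, user, day in find_red_flags():
        print(f"{day} {user}: {rule}")
```

Run as-is it reports the after-hours view by rlee with no matching punch, and mkim's update and print volumes. In practice the thresholds need tuning against a baseline of each role's normal volume, and a finding is a prompt for the manager conversation the slides describe, not evidence of theft on its own.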


• Vendor Supplied Equipment

• Email/texting/Facebook/tweeting

• Stolen equipment: fax machine, copier, etc.

• Moving devices, e.g. printers, copiers, fax machines

• Replacing devices, e.g. computers, printers, copiers, fax machines

• Public Printers

• Disposal of information

• Overflow issues

• Patient education: helping patients avoid leaking their own information

• Proper identification of research data

• Vendor remote access

• Leaving voice mail with PHI

• Sharepoint

• HCFA 5010

• Information overload: analysis of access profiles

• Documentation reviews: training verification

• Disallow cell phones in patient access / information areas


Mark P. Ruppert, CPA, CIA, CISA, CHFP, CHC

Director, Internal Audit, Cedars-Sinai Health System

[email protected]