Centricity Healthcare User Group 1
HIPAA Risk Assessment: Been There . . . Should’ve Done It the First Time
David S. Finn, CISA, CISM, CRISC Health IT Officer, Symantec
Centricity Healthcare User Group April 20 & 21, 2012
Agenda
1. A little background . . . Well, a lot of background
2. Privacy & Security Under HITECH
3. The Risk Analysis
4. Other Resources
5. Q & A
Top Ten Things that Would be Different if we Actually had Privacy & Security . . .
10. Wiki Leaks wouldn’t.
9. A hacker would just be a person with a bad cough.
8. The HHS “Wall of Shame” website could be leased out for advertising.
7. A “bot net” would be a net for catching runaway robots instead of a term used to describe millions of runaway computers.
6. A worm would just be fishing bait not a malicious attack.
5. We wouldn’t have to see or hear the word “cyber crime” 300 times/day in every book, magazine, newspaper or newscast.
4. A cloud would be a soft, fluffy thing, even to IT people . . . not a place of terror.
3. The word “virus” could be returned to the medical world - - where it came from.
2. I could be talking about clinical apps and improved operations rather than the security you need to have in place just to have clinical apps & improved operations.
1. If it happened in Vegas . . . it would actually stay in Vegas!
Who is that man and why is he talking?
• Recovering healthcare CIO
• Unable to hold a job (treasurer for theatrical production company; real estate controller; world’s oldest entry level programmer; systems audit; IS manager; audit director; healthcare IT consultant; operational/system risk consultant; EVP Operations -- healthcare consultancy; privacy & information security officer; VP-IS; CIO; Health IT Officer)
• CISA, CISM, CRISC
• 2 degrees in Theatre
Seriously, though, Security and IT have changed
Security
• Intelligent devices with embedded and downloadable software
• The Threat Landscape
• More automation, more data, more access
• Resulting in:
– More dependency on highly complex IT systems and infrastructures
– Highly valuable data
How we deliver IT
• Mobile
• Anytime, anywhere, any device
• Separation between IT infrastructure and consumer devices is fading
– Infrastructures as well as data are merging
• Cloud for internal IT service delivery and delivery of IT services
• Legislation & Regulation are raising the Security & Privacy bar
Data Trends Across all Healthcare Sectors
• Increased Risk of Cyber Threats to Infrastructure – Changing paradigm
• Regulatory Pressures – HIPAA/HITECH (and the BAA), PCI, GLB, SOX, individual States and foreign regulations . . .
– State & Federal Privacy & Security and Breach Notification
• Exponential Storage Growth & Data Consolidation – More data, more metrics, more audit logs
• Mobility – Consumerization of technology
• Trend toward Cloud Based/Hosted Solutions – In-house virtualization
The Information-Centric Model
(Diagram: the data at the center, surrounded by Compliance, Reporting, Remediation, Policy, Classification, Ownership, Threats, Discovery, Encryption and Identity.)
It’s about the data.
Changing Threat Landscape – revisited in 2012
Newest Motivation: Political – infrastructure and socio-economic threats
• Highly sophisticated
• Infinite financial resource
• Well-planned and executed with unprecedented levels of control.
• The goal is to do damage, destruct, scare, assert influence, or support a conventional attack.
Now that we have the big scary one out of the way . . .
You have to understand your data from the inside out
• Risk Analysis
• Prioritization
– Risk tolerance
– Budget
– Your environment
  • Technical
  • Cultural
– Other projects
• Remediation
• Rinse and Repeat
Let’s Get Acquainted!
• Name & Job Title
• Age and Weight
• Marital Status
• Sexually Transmitted Disease?
– If “Yes” then Names of All Partners
• Drug or Alcohol Problems?
• Amount of Money Earned Last Year
Haven’t We Done This Before?
How Meaningful Use relates to HIPAA and HITECH
HIPAA – Health Insurance Portability and Accountability Act (1996)
• Transactions & Code Sets
• Security Rule
• Privacy Rule
Security Rule: 45 CFR 160, 45 CFR 162, 45 CFR 164
Security Standards: General Rules; Administrative, Technical and Physical Safeguards; Policies & Procedures and documentation required
HITECH – American Recovery and Reinvestment Act (Health Information Technology for Economic and Clinical Health) (2009)
HIPAA Security Rule + new civil money penalties; CEs and BAs must comply; breach notification starting after Sept 2009
Meaningful Use (2010)
Risk Analysis, 45 CFR 164.308(a)(1) – Core Measure
Typical Reactions To Compliance
• Anger
• Acting out
• Conspiracy seekers
• Prozac
• Glassed over eyes
• I’m hurt
• Sleep
• What rules?
• When did this start?
• Non-teaching careers
• Great men can’t be ruled!
• Oh God, I’m guilty, lay low!
• Let’s do it!
Mark Pfeifer, MD, U of Louisville School of Medicine
Privacy & Security Under HITECH
Privacy & Security = Culture Change
Culture (people): from a caring, sharing “personal” environment to one where P&S requires controls and awareness bordering on suspicion, sometimes viewed as de-personalized but private
Operations (process): from default procedures & workarounds to procedures that P&S should streamline, redesign and make efficient
Technology (technology): from paper-based to the Electronic Information Systems that P&S promotes
Industry Challenges
• Dynamic regulatory environment
• Operate in a connected world
• Complex IT environment becoming more complex
• Align budget balancing risk, compliance, and security
• Increased focus on securing Protected Health Information
• New industry self-regulation requirements demanding frequent certifications and time consuming audits
• Limited resources to develop and implement a Security Strategy
Regulations
• SOX - Sarbanes-Oxley
• PCI – Payment Card Industry
• HIPAA - Health Insurance Portability & Accountability Act
• State laws (e.g. California, Massachusetts)
• American Recovery and Reinvestment Act of 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act (Meaningful Use)
• The Joint Commission
Guidelines and Standards
• ISO 17799/27000 – Information Security Standards
• ISO 27799 – Health Informatics - Security Management
• ITIL - Information Technology Infrastructure Library
• NIST SP800-66
HITECH is Changing the Landscape
• HITECH provides significant financial support to adopt Electronic Record system - reimbursement incentives for “meaningful use”.
• Many significant changes to regulatory and compliance requirements:
– Data Breach Notification for breach of unencrypted information: penalties, patient notification, self-reporting to media and State HHS (>500 records).
– Expansion of HIPAA applicability (e.g. now includes Business Associates)
– Increased fines for HIPAA violations
– Increased legal exposure (criminal and civil penalties, State AG can sue)
– “Meaningful Use” Requirements:
• Maintenance of audit logs
• Data encryption preferred
• Recording of PHI disclosures
• Security risk analysis
• Implement security updates
• Increasing integration with outside parties (patients, care providers, payors, state registries, health agencies, labs, pharmacies) increases risk.
Heightened Civil Penalties
Type of Offense | Minimum (per violation / per year) | Maximum (per violation / per year)
Violation when it is determined that the person did not know | $100 / $25,000 | $50,000 / $1,500,000
Violation was due to reasonable cause and not to willful neglect | $1,000 / $100,000 | $50,000 / $1,500,000
Violation was due to willful neglect and violation is corrected | $10,000 / $250,000 | $50,000 / $1,500,000
Violation was due to willful neglect and violation is not corrected | $50,000 / $1,500,000 | $50,000 / $1,500,000
Applicable to business associates, covered entity employees or other individuals if PHI is obtained or disclosed from a covered entity without authorization. Fines are issued by the Secretary of Health and Human Services (HHS), and the money goes back into HHS.
IT Governance - Risk - Compliance
Objective: Ensure that the provider has reduced the security and compliance risk to acceptable levels while complying with all applicable laws and regulations.
People
• Security, Risk and Compliance Officers
• Privacy Officers
• IT Operations
• Legal
Process
• Risk Management
• Strong Incident Response Process
• Up-to-date network drawings
• Integrated security and compliance processes
• Ongoing monitoring, measurement and reporting
• Audit Preparedness
Technology
• Security event monitoring
• Compliance and Auditing Automation
• Data Loss Prevention
• Vulnerability Assessment
• Server Hardening
• Endpoint Protection
• 24x7 Availability
Components of a Comprehensive Security and Compliance Program
• Threats & Vulnerability Management
– Industry Threat Monitoring
– Vendor patches
• Identification of PHI in motion and at rest
– Identification of critical assets
– Protecting transmission of PHI
• Security Event Monitoring
– Infrastructure
– Application
• Network Vulnerability Scanning
• Endpoint Protection and Management
– Antivirus/Antispam
– IPS
– Patch Management
– Standard Builds
• Backup and Disaster Recovery
• Executive Reporting
Compliance is a Continuum
You can’t fix it all at once but . . . you have to start.
First Things First - The Risk Analysis
One Size Doesn’t Fit All But One Approach Does . . .
Conduct or review a security risk analysis per HIPAA, 45 CFR 164.308(a)(1) of the certified EHR technology, and implement security updates and correct identified security deficiencies as part of its risk management process.
Elements of a Risk Analysis
• Scope of the analysis
• Data collection
• Identify & document potential threats and vulnerabilities
• Assess current security measures
• Determine the likelihood of threat occurrence
• Determine potential impact of threat occurrence
• Determine the level of risk
• Finalize documentation
• Periodic review and updates
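The elements listed above, together with the analysis, prioritization (risk tolerance, budget), remediation and rinse-and-repeat loop described earlier in the deck, can be turned into a small working risk register. The Python below is an added example written for this page; it is not code from the presentation, from Symantec or from any HHS guidance. The three-point likelihood and impact scales, the 3x3 scoring matrix, the rule that each working control lowers likelihood by one notch, and every asset, threat, score and budget figure are assumptions constructed for illustration, not anything prescribed by 45 CFR 164.308(a)(1).

```python
from dataclasses import dataclass, field

# Three-point ordinal scales: a common convention (assumption), not a scale
# prescribed by the Security Rule.
SCALE = {"low": 1, "medium": 2, "high": 3}
LEVEL_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Risk:
    asset: str                  # where the ePHI lives (scope / data collection step)
    threat: str                 # identified threat
    vulnerability: str          # weakness the threat could exploit
    likelihood: str             # inherent likelihood, before controls
    impact: str                 # impact on confidentiality, integrity or availability
    controls: list = field(default_factory=list)   # current security measures
    remediation: str = ""       # proposed security update
    cost: int = 0               # constructed budget units for the remediation

    def residual_likelihood(self) -> int:
        """Each documented, working control lowers likelihood one notch (assumption)."""
        return max(1, SCALE[self.likelihood] - len(self.controls))

    def score(self) -> int:
        return self.residual_likelihood() * SCALE[self.impact]

    def level(self) -> str:
        """Qualitative risk level from a 3x3 likelihood x impact matrix."""
        s = self.score()
        return "high" if s >= 6 else "medium" if s >= 3 else "low"


def prioritize(register, tolerance="low", budget=0):
    """Rank risks above the organisation's tolerance, highest score first
    (cheaper fix first on ties), and fund remediation until the budget runs out.
    Returns asset names grouped as funded, deferred (still open) and accepted."""
    above = [r for r in register if LEVEL_RANK[r.level()] > LEVEL_RANK[tolerance]]
    above.sort(key=lambda r: (-r.score(), r.cost))
    funded, deferred = [], []
    for r in above:
        if r.cost <= budget:
            budget -= r.cost
            funded.append(r.asset)
        else:
            deferred.append(r.asset)
    accepted = [r.asset for r in register if r.asset not in funded + deferred]
    return {"funded": funded, "deferred": deferred, "accepted": accepted}


def apply_remediation(risk):
    """Periodic review step: once the update is implemented it becomes a
    control, and the risk is re-scored (rinse and repeat)."""
    if risk.remediation and risk.remediation not in risk.controls:
        risk.controls.append(risk.remediation)
    return risk.level()


def sample_register():
    """Constructed sample entries; not data from the presentation."""
    return [
        Risk("EHR database server", "ransomware", "unpatched OS",
             "high", "high", ["antivirus"], "patch management process", cost=3),
        Risk("clinician laptops", "loss or theft", "unencrypted disk",
             "medium", "high", [], "full-disk encryption", cost=2),
        Risk("backup tapes", "loss in transit", "no chain of custody",
             "low", "high", [], "encrypted tapes with courier log", cost=1),
        Risk("lobby check-in kiosk", "shoulder surfing", "screen visible to waiting room",
             "medium", "low", ["privacy filter", "automatic logoff"], "relocate kiosk", cost=1),
    ]


if __name__ == "__main__":
    reg = sample_register()
    for r in reg:
        print(f"{r.asset:22} residual score {r.score()} -> {r.level()}")
    print(prioritize(reg, tolerance="low", budget=5))
```

Running it ranks the unencrypted laptops and the unpatched EHR server as high, funds both within a budget of five units, defers the backup-tape risk, and leaves the kiosk risk accepted because its two existing controls already bring it within tolerance; re-scoring after the funded updates are implemented drops both high risks to medium, which is the point of recording residual rather than inherent risk.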
I’m going to go away . . . these things won’t
• Final version of the HIPAA Breach notification rule. An interim final version has been in effect since September 2009.
• Final version of HIPAA modifications, including applying many security requirements to business associates and establishing higher penalties for non-compliance.
• Proposed version of the Accounting of Disclosures Rule, which Feds suggested should include a requirement to provide patients with access reports listing everyone who has accessed their electronic information.
• Proposed version of the Nationwide Health Information Network governance rule, setting guidelines for health information exchange.
• Proposed version of the guidelines for qualifying for Stage 2 of the HITECH Act's EHR incentive program, as well as guidelines for certifying EHR software meets Stage 2 requirements. Stage 1 requirements for meaningful use of EHRs and certification of EHR software for the incentive program are now in effect.
Symantec - - Booth 221
Other Resources
Plenty of Help
If You Need Additional Help Or Guidance . . .
• Health and Human Services
– http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__home/1204
• Health Information Management and Systems Society
– http://himss.org/ASP/index.asp
• American Health Information Management Association
– http://www.ahima.org/Default.aspx
• HITECH Answers
– https://www.hitechanswers.net/
• Digital Business Law Group
– http://www.digitalbusinesslawgroup.com/
• Your state’s Office of the Governor (Health Information Exchange) and Regional Extension Centers
• Your State’s Medical Association and other professional associations.
Thank You!
David S. Finn
832.816.2206
“A false sense of security is worse than a true sense of insecurity.”
“Concentrate on known, probable threats.”