Page 1

Centricity Healthcare User Group

HIPAA Risk Assessment: Been There . . . Should’ve Done It the First Time

David S. Finn, CISA, CISM, CRISC, Health IT Officer, Symantec

Centricity Healthcare User Group, April 20 & 21, 2012



Page 2

Agenda

1. A little background . . . Well, a lot of background

2. Privacy & Security Under HITECH

3. The Risk Analysis

4. Other Resources

5. Q & A

Page 3

Top Ten Things that Would be Different if we Actually had Privacy & Security . . .

10. Wiki Leaks wouldn’t.

9. A hacker would just be a person with a bad cough.

8. The HHS “Wall of Shame” website could be leased out for advertising.

7. A “bot net” would be a net for catching runaway robots instead of a term used to describe millions of runaway computers.

6. A worm would just be fishing bait not a malicious attack.


Page 4

Top Ten Things that Would be Different if we Actually had Privacy & Security . . .

5. We wouldn’t have to see or hear the word “cyber crime” 300 times/day in every book, magazine, newspaper or newscast.

4. A cloud would be a soft, fluffy thing, even to IT people . . . not a place of terror.

3. The word “virus” could be returned to the medical world - - where it came from.

2. I could be talking about clinical apps and improved operations rather than the security you need to have in place just to have clinical apps & improved operations.

1. If it happened in Vegas . . . it would actually stay in Vegas!


Page 5

Who is that man and why is he talking?

• Recovering healthcare CIO

• Unable to hold a job (treasurer for theatrical production company; real estate controller; world’s oldest entry level programmer; systems audit; IS manager; audit director; healthcare IT consultant; operational/system risk consultant; EVP Operations -- healthcare consultancy; privacy & information security officer; VP-IS; CIO; Health IT Officer)

• CISA, CISM, CRISC

• 2 degrees in Theatre

Page 6

Seriously, though, Security and IT have changed

Security

• Intelligent devices with embedded and downloadable software

• The Threat Landscape

• More automation, more data, more access

• Resulting in:

  – More dependency on highly complex IT systems and infrastructures

  – Highly valuable data

How we deliver IT

• Mobile

• Anytime, anywhere, any device

• Separation between IT infrastructure and consumer devices is fading

  – Infrastructures as well as data are merging

• Cloud for internal IT service delivery and delivery of IT services

• Legislation & Regulation are raising the Security & Privacy bar

Page 7

Data Trends Across all Healthcare Sectors

• Increased Risk of Cyber Threats to Infrastructure – Changing paradigm

• Regulatory Pressures – HIPAA/HITECH (and the BAA), PCI, GLB, SOX, Individual States and Foreign regulations . . .

  – State & Federal Privacy & Security and Breach Notification

• Exponential Storage Growth & Data Consolidation – More data, more metrics, more audit logs

• Mobility – Consumerization of technology

• Trend toward Cloud Based/Hosted Solutions – In-house virtualization

Page 8

The Information-Centric Model

[Diagram: the model’s elements arranged around the data: Compliance, Reporting, Remediation, Policy, Classification, Ownership, Threats, Discovery, Encryption, Identity]

It’s about the data.

Page 9

Changing Threat Landscape – revisited in 2012

Newest Motivation: Political

• The goal is to do damage, destruct, scare, assert influence, or support a conventional attack.

• Highly sophisticated

• Infinite financial resource

• Well-planned and executed with unprecedented levels of control.

Infrastructure and socio-economic threats

Page 10

Now that we have the big scary one out of the way . . .

You have to understand your data from the inside out

• Risk Analysis

• Prioritization

  – Risk tolerance

  – Budget

  – Your environment

    • Technical

    • Cultural

  – Other projects

• Remediation

• Rinse and Repeat

Page 11

Let’s Get Acquainted!

• Name & Job Title

• Age and Weight

• Marital Status

• Sexually Transmitted Disease?

  – If “Yes” then Names of All Partners

• Drug or Alcohol Problems?

• Amount of Money Earned Last Year

Haven’t We Done This Before?

Page 12

How Meaningful Use relates to HIPAA and HITECH

HIPAA: Health Insurance Portability and Accountability Act (1996)

• Transactions & Code Sets

• Security Rule

• Privacy Rule

Security Rule: 45 CFR 160, 45 CFR 162, 45 CFR 164

Sec Stnds: Gen Rules; Admin, Technical, Physical Safeguards; P&P and documentation req’d

HITECH: American Recovery and Reinvestment Act (Health Information Technology for Economic and Clinical Health) (2009)

HIPAA Security Rule + New civil money penalties; CEs and BAs must comply; Breach notification starting after Sept 2009

Meaningful Use (2010)

Risk Analysis 45 CFR 164.308(a)(1) – Core Measure

Page 13

Typical Reactions To Compliance

• Anger

• Acting out

• Conspiracy seekers

• Prozac

• Glassed over eyes

• I’m hurt

• Sleep

• What rules?

• When did this start?

• Non-teaching careers

• Great men can’t be ruled!

• Oh God, I’m guilty, lay low!

• Let’s do it!

Mark Pfeifer, MD, U of Louisville School of Medicine


Page 14

Privacy & Security Under HITECH

Page 15

Privacy & Security = Culture Change

Culture (people): Caring, sharing “personal” environment → P&S requires controls, awareness bordering on suspicion, sometimes viewed as de-personalized but private

Operations (process): Default procedures & workarounds → P&S should streamline, redesign, bring about efficient procedures

Technology (technology): Paper-based → P&S promotes Electronic Information Systems

Page 16

Industry Challenges

• Dynamic regulatory environment

• Operate in a connected world

• Complex IT environment becoming more complex

• Align budget balancing risk, compliance, and security

• Increased focus on securing Protected Health Information

• New industry self-regulation requirements demanding frequent certifications and time consuming audits

• Limited resources to develop and implement a Security Strategy

Regulations

• SOX - Sarbanes-Oxley

• PCI – Payment Card Industry

• HIPAA - Health Insurance Portability & Accountability Act

• State laws (California, Massachusetts)

• American Recovery and Reinvestment Act of 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act (Meaningful Use)

• The Joint Commission

Guidelines and Standards

• ISO 17799/27000 – Information Security Standards

• ISO 27799 – Health Informatics - Security Management

• ITIL - Information Technology Infrastructure Library

• NIST SP800-66

Page 17

HITECH is Changing the Landscape

• HITECH provides significant financial support to adopt Electronic Record systems - reimbursement incentives for “meaningful use”.

• Many significant changes to regulatory and compliance requirements:

  – Data Breach Notification for breach of unencrypted information: penalties, patient notification, self-reporting to media and State HHS (>500 records).

  – Expansion of HIPAA applicability (e.g. now includes Business Associates)

  – Increased fines for HIPAA violations

  – Increased legal exposure (criminal and civil penalties, State AG can sue)

  – “Meaningful Use” Requirements:

    • Maintenance of audit logs

    • Data encryption preferred

    • Recording of PHI disclosures

    • Security risk analysis

    • Implement security updates

• Increasing integration with outside parties (patients, care providers, payors, state registries, health agencies, labs, pharmacies) increases risk.

Page 18

Heightened Civil Penalties

Type of Offense: Minimum (per violation / per year); Maximum (per violation / per year)

• Violation when it is determined that the person did not know: minimum $100 / $25,000; maximum $50,000 / $1,500,000

• Violation was due to reasonable cause and not to willful neglect: minimum $1,000 / $100,000; maximum $50,000 / $1,500,000

• Violation was due to willful neglect and violation is corrected: minimum $10,000 / $250,000; maximum $50,000 / $1,500,000

• Violation was due to willful neglect and violation is not corrected: minimum $50,000 / $1,500,000; maximum $50,000 / $1,500,000

Applicable to business associates, covered entity employees or other individuals if PHI is obtained or disclosed from a covered entity without authorization. Fine issued by the Secretary of Health and Human Services (HHS) – money goes back into HHS.

Page 19

IT Governance - Risk - Compliance

Objectives: Ensure that the provider has reduced the security and compliance risk to acceptable levels while complying with all applicable laws and regulations.

Technology

• Security event monitoring

• Compliance and Auditing Automation

• Data Loss Prevention

• Vulnerability Assessment

• Server Hardening

• Endpoint Protection

• 24x7 Availability

People

• Security, Risk and Compliance Officers

• Privacy Officers

• IT Operations

• Legal

Process

• Risk Management

• Strong Incident Response Process

• Up-to-date network drawings

• Integrated security and compliance processes

• Ongoing monitoring, measurement and reporting

• Audit Preparedness

Page 20

Components of a Comprehensive Security and Compliance Program

• Threats & Vulnerability Management

  – Industry Threat Monitoring

  – Vendor patches

• Identification of PHI in motion and at rest

  – Identification of critical assets

  – Protecting transmission of PHI

• Security Event Monitoring

  – Infrastructure

  – Application

• Network Vulnerability Scanning

• Endpoint Protection and Management

  – Antivirus/Antispam

  – IPS

  – Patch Management

  – Standard Builds

• Backup and Disaster Recovery

• Executive Reporting

Page 21

Compliance is a Continuum

You can’t fix it all at once but . . .

. . . You have to start

Page 22

First Things First - The Risk Analysis

One Size Doesn’t Fit All But One Approach Does . . .

Conduct or review a security risk analysis per HIPAA, 45 CFR 164.308(a)(1) of the certified EHR technology, and implement security updates and correct identified security deficiencies as part of its risk management process.

Page 23

Elements of a Risk Analysis

• Scope of the analysis

• Data collection

• Identify & document potential threats and vulnerabilities

• Assess current security measures

• Determine the likelihood of threat occurrence

• Determine potential impact of threat occurrence

• Determine the level of risk

• Finalize documentation

• Periodic review and updates
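The nine elements above are a procedure, so here is a worked pass through it in code. This is an added example, not the presenter’s tool or an HHS/OCR methodology: the asset inventory, the threat/vulnerability findings, the three-point likelihood and impact scales and the banding of their product into low/medium/high are all constructed assumptions for illustration. It shows how scope limits which findings are analysed (a card terminal with no ePHI drops out), how current measures feed a residual likelihood, and how the finalized register carries a scheduled review date.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed three-point qualitative scales; the slide lists the steps but
# does not prescribe a scale, so this scoring is the example's own choice.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


def risk_level(score: int) -> str:
    """Band the 1..9 likelihood x impact product into three levels (assumed banding)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Finding:
    """One threat/vulnerability pair against an asset, plus the controls already in place."""
    asset: str
    threat: str
    vulnerability: str
    current_measures: list
    likelihood: str   # residual likelihood, judged with current measures in place
    impact: str       # impact on confidentiality, integrity or availability of ePHI

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def level(self) -> str:
        return risk_level(self.score)


# Constructed sample inventory (data collection): where ePHI is created,
# received, maintained or transmitted. Asset names are invented.
INVENTORY = [
    {"asset": "EHR database server", "holds_ephi": True},
    {"asset": "Clinician laptops", "holds_ephi": True},
    {"asset": "Lab interface (HL7 feed)", "holds_ephi": True},
    {"asset": "Cafeteria point-of-sale", "holds_ephi": False},
]

# Constructed sample findings; the likelihood/impact ratings are illustrative.
FINDINGS = [
    Finding("Clinician laptops", "Theft or loss of device", "Local disk not encrypted",
            ["Screen lock", "Password policy"], "high", "high"),
    Finding("EHR database server", "Unauthorized access by insider", "Audit logs never reviewed",
            ["Role-based access", "Audit logging enabled"], "medium", "high"),
    Finding("EHR database server", "Ransomware", "OS patches 90 days behind",
            ["Antivirus", "Nightly backups"], "medium", "high"),
    Finding("Lab interface (HL7 feed)", "Interception in transit", "Feed sent in cleartext",
            ["Network segmentation"], "medium", "medium"),
    Finding("Cafeteria point-of-sale", "Card skimming", "Unattended terminal",
            [], "medium", "medium"),   # a PCI concern, but no ePHI: outside this scope
]


def in_scope(inventory):
    """Element 1, scope: only assets that hold or move ePHI."""
    return [a["asset"] for a in inventory if a["holds_ephi"]]


def assess(findings, scope):
    """Elements 3 to 7: keep in-scope findings, score each, rank highest risk first."""
    items = [f for f in findings if f.asset in scope]
    return sorted(items, key=lambda f: -f.score)   # stable sort: ties keep input order


def risk_register(findings, inventory, assessed_on: str, review_days: int = 365):
    """Elements 8 and 9: finalize the documentation and schedule the periodic review."""
    scope = in_scope(inventory)
    rows = [{"asset": f.asset, "threat": f.threat, "vulnerability": f.vulnerability,
             "current_measures": f.current_measures, "likelihood": f.likelihood,
             "impact": f.impact, "score": f.score, "level": f.level}
            for f in assess(findings, scope)]
    start = date.fromisoformat(assessed_on)
    return {"scope": scope, "findings": rows, "assessed_on": assessed_on,
            "next_review": (start + timedelta(days=review_days)).isoformat()}


if __name__ == "__main__":
    reg = risk_register(FINDINGS, INVENTORY, "2012-04-20")
    print("In scope:", ", ".join(reg["scope"]))
    for r in reg["findings"]:
        print(f'{r["level"]:6} {r["score"]}  {r["asset"]}: {r["threat"]} / {r["vulnerability"]}')
    print("Next review:", reg["next_review"])
```

The ranking is what drives the prioritization step on the earlier slide: the unencrypted laptop lands at the top because loss of a mobile device is both likely and, under the breach-notification rule for unencrypted data, high impact, while the cleartext lab feed scores lower only because segmentation already reduces its likelihood. Re-rating a finding after remediation and re-running the register is the “rinse and repeat” the deck describes.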

Page 24

I’m going to go away . . . these things won’t

• Final version of the HIPAA Breach notification rule. An interim final version has been in effect since September 2009.

• Final version of HIPAA modifications, including applying many security requirements to business associates and establishing higher penalties for non-compliance.

• Proposed version of the Accounting of Disclosures Rule, which Feds suggested should include a requirement to provide patients with access reports listing everyone who has accessed their electronic information.

• Proposed version of the Nationwide Health Information Network governance rule, setting guidelines for health information exchange.

• Proposed version of the guidelines for qualifying for Stage 2 of the HITECH Act's EHR incentive program, as well as guidelines for certifying EHR software meets Stage 2 requirements. Stage 1 requirements for meaningful use of EHRs and certification of EHR software for the incentive program are now in effect.

Page 25

Symantec - - Booth 221

Page 26

Other Resources

Plenty of Help

Page 27

If You Need Additional Help Or Guidance . . .

• Health and Human Services

– http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__home/1204

• Health Information Management and Systems Society

– http://himss.org/ASP/index.asp

• American Health Information Management Association

– http://www.ahima.org/Default.aspx

• HITECH Answers

– https://www.hitechanswers.net/

• Digital Business Law Group

– http://www.digitalbusinesslawgroup.com/

• Your state’s Office of the Governor (Health Information Exchange) and Regional Extension Centers

• Your State’s Medical Association and other professional associations.


Page 28

Thank You!

David S. Finn

[email protected]

832.816.2206

“A false sense of security is worse than a true sense of insecurity.”

“Concentrate on known, probable threats.”