Implementing Security for HIPAA Privacy Compliancy: Ferre Institute Security Management, Security Controls, Plans, and Procedures

Security risk presentation


DESCRIPTION

Security Risk Assessment and Disaster Recovery Plan


Page 1: Security risk presentation

Implementing Security for HIPAA Privacy Compliancy


Ferre Institute Security Management

Security Controls, Plans, and Procedures

Page 2: Security risk presentation

Concerns

World events have drawn attention to the need for technical and physical security. A culture that is increasingly litigious regarding privacy rights has raised awareness of the liabilities associated with failure to implement both physical and information security.

Page 3: Security risk presentation

HIPAA

The US government has enacted federal legislation to regulate how private health information is handled and stored, including the transmission of email.

Page 4: Security risk presentation

What Assets do We Need to Protect?

Ideally every single organizational asset should be examined and every conceivable risk should be evaluated.

Physical infrastructure (doors, windows, building perimeter, etc.)

Data Storage (paper/digital files, hard drives, file cabinets, etc.)

Communications (email)

Page 5: Security risk presentation

Dollar Amount of Losses by Type of Crime

Page 6: Security risk presentation

How Should We Implement Security?

We will look at all risks but address only a portion of them.

We already have many security features in place but they are not enough.

Can we financially afford this? Expenditures on resources to reduce risks will be proportional to the potential costs to the organization if the risks were to occur.

Concerns will be addressed systematically over time.

Everyone will be involved and will understand and be comfortable with all new security implementations.

Page 7: Security risk presentation

Types of Security Available

Page 8: Security risk presentation

Security Breaches

The following slides depict what can go wrong when security is overlooked.

Page 9: Security risk presentation

Data Storage Issue

Dr. Evil has a plan to make one million dollars. He is going to break into Ferre Institute and steal the laptops and computers. He has decided to post the information he finds on the “HIPAAwikileaks” site. He is blackmailing us for one million dollars.

Page 10: Security risk presentation

How did this happen?

How could this have been prevented?

• Locked doors, security system, better lighting, shades on the windows, and better perimeter security.

• Robust password authentication on each component

• Encrypted data

Page 11: Security risk presentation

What will happen now?

We have three options:

We must pay Dr. Evil one million dollars.

Or the information is leaked and we face the possibility of steep fines, jail time, and loss of reputation.

Or we contact the authorities and face harsh public criticism, steep fines, jail time, and loss of reputation.

Page 12: Security risk presentation

HIPAA Violations

HIPAA-imposed penalties can range from $100 per violation up to $25,000 per year for each requirement violated. Violations can be both civil and criminal; criminal penalties include fines of up to $250,000 and imprisonment for up to 10 years.

Page 13: Security risk presentation

Locks work...why bother with the rest?

Diane is called away from her desk to go over billing with a patient. She leaves her computer on but logs off, and walks away. In the meantime, our new employee Frau, who works undercover for Dr. Evil, gets onto Diane’s computer, guesses her easy password, and downloads all of the files. She then erases all of the drives, sabotages the hard drive, and changes the password.

Page 14: Security risk presentation

How did this happen?

We trusted an imposter and took security for granted.

We did not utilize best practices in maintaining the appropriate local security policy features on our computers.

Passwords should never be easy enough to guess.

We did not encrypt any of our digital data.

Page 15: Security risk presentation

So...All We Need To Do Is.....

Encrypt our data.

Secure the physical perimeter with locks and various security methods.

Password protect our computers and use additional authentication features that protect against unauthorized viewing.

Right?

Page 16: Security risk presentation

Wrong!

Again, Diane has left her desk and gone upstairs. This time she knows that she has a hard-to-guess password and feels confident: she logs off her computer, closes all the encrypted data files, and locks the door when no one is in the office. However, there are many files sitting in various locations that need to be scanned or are stacked up for Luba to take with her in the morning.

Page 17: Security risk presentation

Frau

Although disappointed with our new security features, Frau sees another BIG opportunity to make Dr. Evil happy. Upon entering the office, she gathers all of the files together and takes them with her. We find out later that our patients’ identities have been stolen because we allowed Frau to steal that information so easily.

Page 18: Security risk presentation

How did this Happen?

We thought we had done some critical security upgrades. We employed encryption and upgraded authentication. We put locks on the doors and windows.

However, we forgot to train everyone in “good housekeeping” skills. The simplest and least expensive process was completely overlooked.

Page 19: Security risk presentation

Concept of in-the-clear Email Communication

This is similar to the postal mailing of a postcard. Both the sender and receiver can view the message, as well as anyone that intercepts it. This is as easy to do as reaching into a mailbox and taking the postcard.

Page 20: Security risk presentation

Intercepting Email Transmissions

A mail message bound for an external client may cross 3 to 10 or more ISPs before reaching its final destination. A message can be intercepted at any one of these points. This means that anyone with access to one of those relay points can view, edit, or copy the message before it reaches its final destination.

Page 21: Security risk presentation

Bob, Sue, and Victor

Bob sends Sue an email instructing her that he will meet her at the airport at 3pm on Sunday for a business trip. Victor (the evil hacker) is able to intercept the message while it travels through several relay points, and prior to it being received in Sue’s message box.

Victor changes the message to inform Sue that the trip was cancelled and to take the week off. Sue receives the message, unaware that it has been altered.

On Sunday Bob misses his flight while he waits for Sue.

Page 22: Security risk presentation

CIA and Why it is Important

Confidentiality, Integrity, and Authentication

Bob and Sue now understand the importance of encrypting email messages. The message confidentiality was compromised when Victor was able to view it. The integrity of the message was damaged when Victor was able to change the message and send it on to Sue. The message authenticity was also compromised since Sue assumed it was genuine and sent from Bob; she had no way of knowing that the message was tampered with by Victor, who leaves no footprint behind.
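The Bob, Sue and Victor exchange above, as an added worked example that is not part of the original presentation: Bob attaches a keyed hash (HMAC-SHA256, from Python's standard library) to his message, Victor rewrites the text at a relay point, and Sue's check rejects the altered copy. The shared key and the message texts are constructed for the example. The tag restores integrity and authenticity only; Victor can still read the message in transit, which is the confidentiality problem that encryption addresses.

```python
import hashlib
import hmac

# Constructed for this example: a secret that Bob and Sue agreed on out of band.
# A real deployment would obtain it from a key-management system, not a literal.
SHARED_KEY = b"ferre-demo-shared-secret"


def send(message: bytes, key: bytes = SHARED_KEY) -> tuple[bytes, str]:
    """Bob's side: compute an HMAC-SHA256 tag over the message and send both."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return message, tag


def receive(message: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Sue's side: recompute the tag and compare in constant time.

    True means the message is unchanged and was produced by a key holder
    (integrity and authenticity). False means it was altered or is not from Bob.
    """
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def relay_through_victor(message: bytes, tag: str, tamper: bool) -> tuple[bytes, str, str]:
    """One intermediate hop. Victor can always read the plaintext (no confidentiality
    here). If he tampers, he rewrites the text but cannot produce a valid tag
    without the key, so the original tag travels on with the altered message."""
    seen = message.decode()
    if tamper:
        message = b"Sue, the trip is cancelled. Take the week off. - Bob"
    return message, tag, seen


def run_scenario(tamper: bool) -> dict:
    """Play the exchange end to end and report what each party observed."""
    original = b"Sue, meet me at the airport at 3pm on Sunday. - Bob"
    msg, tag = send(original)
    msg, tag, victor_saw = relay_through_victor(msg, tag, tamper)
    return {
        "victor_saw": victor_saw,           # plaintext is visible in transit
        "sue_received": msg.decode(),
        "sue_accepted": receive(msg, tag),  # the tag check catches the alteration
    }


if __name__ == "__main__":
    for tamper in (False, True):
        result = run_scenario(tamper)
        print(f"tamper={tamper}: Sue accepted={result['sue_accepted']}, "
              f"Victor saw: {result['victor_saw']!r}")
```

Running the block shows the unaltered message accepted and the rewritten one rejected, while Victor's view of the plaintext is identical in both runs; that is why the deck lists confidentiality as a separate property that only encryption provides.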

Page 23: Security risk presentation

Why do we need encryption?

Does anyone know why we would need encryption in this circumstance?

Mark receives an email from Jane through our online PRN form. Jane is worried about how her prescribed use of oxycontin will affect her unborn child. Jane does not list an address, last name, or any other personally identifiable information.

Page 24: Security risk presentation

Email Tracing

There are many ways to trace back an email, and locate an individual. Today’s criminal uses a variety of technological tools and expertise to commit common crimes such as robbery, burglary, and murder.

How safe do you think Jane is now, especially after explaining that she has a prescription for oxycontin?

The chance of such a crime occurring is remote, but it still exists.

Page 25: Security risk presentation

What can be done?

Email Encryption

There are several email encryption models that can be utilized to meet HIPAA compliancy. We will investigate desktop applications, Bluehost domain mail server options, and an ASP service option, which is a subscription-based service provider.

Page 26: Security risk presentation

In a Nutshell....

There is a need for access controls, integrity checks, authentication, and related control processes that ensure confidentiality, integrity, and authentication of email and stored data.

Page 27: Security risk presentation

What is this all about?

We are embarking on an organizational security analysis project for the purpose of creating a Security Policy and Disaster Recovery Policy. The Security Policy will cover physical and technological infrastructure security necessary for meeting HIPAA compliancy. The Disaster Recovery Policy is a necessary component of the Security Policy and will provide provisions for operating under a disaster and recovery situation.

Page 28: Security risk presentation

The Challenges

Government mandates have made security a stated priority in the healthcare industry.

There is often a culture of status quo within healthcare settings making cooperation in addressing security issues hard to manage.

In addition to data security, there is a great need for physical security since healthcare settings have a number of publicly accessible areas.

There is no recognized single standard component that integrates security, making this a multi-dimensional project that will require the cooperation of everyone.

Page 29: Security risk presentation

Team Effort

Particular individuals with specific knowledge required for the scope of this security process will be appointed.

Chief Information Officer, CIO (Shanon Nasoni)

Information Security Officer, ISO (Adrienne Sullivan)

The Security Steering Committee should consist of personnel who are members of departments in the primary areas concerned with HIPAA......in our case this will be the whole organization.

Page 30: Security risk presentation

Implementation

• Formal risk assessment

• Physical safeguards - facility access control, workstation use and security, device and media controls

• Technical safeguards - access control, audit control, data authentication and integrity, and encryption

Page 31: Security risk presentation

Threat Assessment Plan

Set up a steering committee

Obtain information and assistance

Identify all possible threats

Determine likelihood of each threat

Approximate direct costs

Consider cascading costs (costs of fire-extinguishers in building vs. cost of fire)

Prioritize the threats

Complete the threat assessment report

Page 32: Security risk presentation

Prioritization Scale

Determine how best to address action items.

Consider costs and benefits, and evaluate risk

Test various applications and procedures and make recommendations

Develop a timeline and address immediate concerns first
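The threat assessment and prioritization steps on the last two slides, carried through as a worked calculation (an added example, not from the presentation): each threat gets an annual likelihood and a direct plus cascading cost, the product (annual loss expectancy) ranks the threats, and a control is worth funding when the expected loss it avoids exceeds its own cost, which is the deck's rule that expenditure be proportional to the potential cost. All threat names, likelihoods, dollar figures and control names in the register are constructed for the example; the budget planner is one simple way to "address only a portion" of the risks first.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    """One row of the threat register. All figures below are constructed
    for this example and are not numbers from the presentation."""
    name: str
    annual_likelihood: float    # expected occurrences per year (0.05 = once in 20 years)
    direct_cost: float          # dollars lost per occurrence (replacement, repair)
    cascading_cost: float       # follow-on cost per occurrence (fines, downtime, reputation)
    control: str                # proposed countermeasure
    control_cost: float         # annual cost of the countermeasure
    residual_likelihood: float  # annual likelihood once the countermeasure is in place

    def single_loss(self) -> float:
        return self.direct_cost + self.cascading_cost

    def annual_loss_expectancy(self) -> float:
        """Likelihood x impact: the yardstick used to rank threats."""
        return self.annual_likelihood * self.single_loss()

    def residual_ale(self) -> float:
        return self.residual_likelihood * self.single_loss()

    def net_benefit(self) -> float:
        """Expected loss avoided per year minus what the control costs per year.
        Positive means the spend is proportional to the risk it removes."""
        return self.annual_loss_expectancy() - self.residual_ale() - self.control_cost


def prioritize(register: list[Threat]) -> list[Threat]:
    """Order threats by annual loss expectancy, largest first."""
    return sorted(register, key=lambda t: t.annual_loss_expectancy(), reverse=True)


def plan_within_budget(register: list[Threat], budget: float) -> list[str]:
    """Fund controls with the largest net benefit first until the budget is spent.
    A control that does not pay for itself is never selected, whatever the budget."""
    chosen = []
    remaining = budget
    for t in sorted(register, key=lambda t: t.net_benefit(), reverse=True):
        if t.net_benefit() > 0 and t.control_cost <= remaining:
            chosen.append(t.name)
            remaining -= t.control_cost
    return chosen


# Constructed register loosely following the scenarios in the deck.
REGISTER = [
    Threat("Laptop theft", 0.2, 3_000, 150_000, "Full-disk encryption and door locks", 4_000, 0.05),
    Threat("Office fire", 0.01, 500_000, 200_000, "Extinguishers and alarm", 600, 0.005),
    Threat("Paper records left in the open", 1.0, 0, 50_000, "Clean-desk training", 500, 0.2),
    Threat("Email interception", 0.1, 1_000, 80_000, "Encrypted email service", 2_400, 0.01),
]


if __name__ == "__main__":
    for t in prioritize(REGISTER):
        print(f"{t.name:32} ALE ${t.annual_loss_expectancy():>10,.0f}  "
              f"control '{t.control}' net benefit ${t.net_benefit():>9,.0f}")
    print("Within a $5,000 budget, address first:", plan_within_budget(REGISTER, 5_000))
```

With these constructed figures the cheap "good housekeeping" control ranks first on both loss expectancy and net benefit, matching the point the deck makes on the Frau slides: the least expensive process can be the one with the highest payoff.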

Page 33: Security risk presentation

Disaster Recovery Plan

As part of this project, a Disaster Recovery Plan will be implemented. This is a considerably large project that will be time-consuming. Rather than addressing this project in its entirety now, we will only address a few critical aspects that are essential to building our security policy and then move on to finish the Disaster Recovery Policy last.

Page 34: Security risk presentation

Essential Elements of Disaster Recovery That We Need to Think about Now.

Data: who, what, where, when, why, and how

Who will store the data?

What data will be stored?

Where will the data be stored?

When will it be stored?

Why is it being stored?

How is the data being stored?

Hardware/software: who, what, where, when, why, and how

Who will store hardware/software backups?

What equipment and software should be used for backup?

Where will it be stored?

When will it be stored?

Why should it be stored?

How is it going to be stored?

Page 35: Security risk presentation

Conclusion

By implementing both a Security Policy and a Disaster Recovery Policy we are embarking on a joint effort to raise the operational standards of Ferre Institute. These standards will serve as a benchmark for future policy implementations and will also demonstrate a renewed dedication to our clients, employees, and funding sources.

This project will also serve as a valuable learning experience for the staff and has the potential to raise our awareness of physical security, data security, and the use of new technologies, while also providing a macro view of the Institute.