What s new In the News Data Breach Discussion The 5 W s Risk Analysis: Why, What, how, When, and Who Common Issues Observed Q / A Session Purdue

Transcription

1

2 What s new In the News Data Breach Discussion The 5 W s Risk Analysis: Why, What, how, When, and Who Common Issues Observed Q / A Session Purdue Healthcare Advisors

3 The # of data breaches is climbing The average cost of a data breach is down, $194.00/per record breached, but overall breach costs are up The # of complaints to Health and Human Services (HHS) is steadily climbing The # of investigations by the Office of Civil Rights is up Penalty maximum have been raised for HIPAA violations State Attorney Generals are now empowered to file suite due to data breaches State Privacy Laws are tightening

4 Omnibus rules published on January 25, 2013 Effective date: March 26, 2013 Compliance date: September 23, 2013 Both Privacy and Security Rules updated Business Associates, Contractors & Business Associate Agreements Breach Notification Fundraising, Marketing, and Sale of PHI Notice of Privacy Practices UPDATED AREAS Access Rights & Request to Restrict Research Authorizations Decedents, Immunization Records & Genetic Information Enforcement Activities and Civil Monetary Penalties

5 Office of Civil Rights (OCR) issues first fine for small data breach (443 records breached) Health & Human Services (HHS) settles case with small cardiac practice for lack of HIPAA safeguards - $100K Alaska settles HIPAA security case for $1.7M Massachusetts Eye and Ear specialty settles HIPAA case for $1.5M Large health plan fined $4.3M for violation of HIPAA privacy rule ($3M was for lack of response to OCR) Stolen laptops a weekly occurrence in healthcare news

6 Overall Breaches % 23% 20% Healthcare Education Credit/Debit card Other Industry # Incidents Healthcare 689 Education 613 Credit Card 43 1% Other 1720 Privacy Rights Clearinghouse:

7 Healthcare Breach Breakdown % 10% 20% 30% 40% Healthcare Breaches Year # Incidents of of of 3065

8 60.0% 50.0% 40.0% 30.0% 20.0% 10.0% 0.0% Healthcare Breaches by Category 6.7% Hacking 56% Lost/Stolen Equipment 37.3% Policy Violation Category Hacking 6.7 % Lost & Stolen Equipment Percentage of Breach 56% Policy Violation 37.3%

9 Ethics? It s the right thing to do Compliancy It s the Law HIPAA Security Rule Payment Card Industry Data Security Standards (not actually a law) FTC Red Flag s Rule Meaningful Use Objective #14 & #15 Others Sound Business Practice Think of it as another risk management function Malpractice insurance Clinical credential verifications Employee background screening

10 Administrative Controls HIPAA & IT policies & Procedures HIPAA & Security Awareness Training Onboarding & Termination Procedures Confidentiality and Business Associate Agreements Technical Controls Network & Host Security Access Controls Auditing & Monitoring Physical Controls Key Distribution Surveillance Restricting Access to Sensitive Areas Frameworks NIST SP NIST SP ISO 27001

11 Physical Walkthroughs Observe for weak privacy practices verbal, paper PHI, PHI clearly viewable on screens and medical equipment Random check of doors to sensitive areas Are sensitive areas in shared or less secure locations? Interview Employees Employees are the best security sensors, find out what they know Survey employees on common practices and behaviors Technical Review Network Architecture Review Testing of Host and Application Security Controls / Configurations Vulnerability Assessment Penetration Testing

12 Continuous Try to develop a culture, RA should be part of all major initiatives After Significant Changes Implementing a new system or technology Expanding the facilities Acquiring additional medical practices Before implementing changes / upgrades to sensitive systems Formal Security Risk Assessment Self-Assessments should be a continual process Outside assessment / Audit every months

13 Executive Leadership Changes will need top level sponsorship Health Information Management Usually the gatekeeper to PHI & ephi Information Technology / Systems HIPAA Security Rule requires IT involvement Compliancy HIPAA Officers, Risk Management, Training, Legal Human Resources The key to good security is good people Facilities Management

14 Lack of Risk Assessment Activities Last SRA was 2003 time frame, if ever Lack of Policies No accountable HIPAA Security person and appropriate IT security structure Lack of encryption controls on backup media & mobile devices Lack of Training No HIPAA training or infrequent training No security awareness training or reminders Outdated Wireless Security Controls WEP encryption or no encryption Poor isolation between wireless networks and core network services Security NOT Considered a Strategy Security is not baked in, it is added on top or not at all Poor Disaster Recovery & Business Continuity Planning

15

16 Who are we? Not-for-profit healthcare consulting resource from Purdue University Dedicated to helping clients improve care, manage margins and facilitate compliance Deep legacy of Lean/Six Sigma process improvement for healthcare Regional Extension Center (Indiana) for EHR Meaningful Use compliance Assisted 300+ organizations in the past 18 months to meet security risk analysis requirements

17 Core Knowledge Our core team of security professionals comes with a wide range of educational and technology backgrounds, and industry certifications from (ISC)2, SANS Information Security & Research, and the Information Systems Audit and Control Association (ISACA). Contact a PHA Account Executive at: Phone: (765) healthcareadvisors@purdue.edu Web:

18 HIPAA Omnibus Rules - Privacy Rights Clearinghouse NIST SP800-30: Conducting Risk Assessments - ipd.pdf NIST SP800-66: Implementing HIPAA Security rule - Revision1.pdf