HIPAA Security: Prepare Now or Wait and See?


Background

"An ounce of prevention is worth a pound of cure," a saying often used in a healthcare context, was first coined by Benjamin Franklin more than two centuries ago as firefighting advice.[1] In this white paper, we share our view of how Franklin's wisdom can be applied by every administrator of a health plan or healthcare clearinghouse, as well as by any healthcare provider that transmits health information in electronic form, that must comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Considering Ben Franklin's guidance when confronted with challenges, it clearly makes sense to apply an ounce of prevention. However, when it comes to HIPAA security and the increasingly complex problem of securing patients' vital information, how prepared are today's healthcare organizations? For example:

- Have you performed a compliance evaluation within the past year?
- Do you have a robust risk analysis process in place to monitor and address threats and vulnerabilities to your organization continuously?
- Are you leveraging your Meaningful Use efforts to bring attention to the importance of health information technology (HIT)?
- Have you implemented a sustainable program to manage risk proactively versus reactively putting out fires?

If your response to any of these questions is "no," read on.

What's the Issue?

HIPAA security is not a new concept; the final rule was issued on February 20, 2003, with compliance dates in the time frame, depending on the type of entity. However, when the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on February 17, 2009, bringing with it tiered penalties that significantly increase the minimum amount for each violation, it strengthened HIPAA enforcement requirements while also providing more authority to federal, state and local enforcement bodies. In adding teeth to HIPAA, HITECH empowers the U.S. Department of Health and Human Services' Office of Civil Rights (OCR) and the Federal Trade Commission (FTC) to conduct periodic audits to assess compliance and impose higher penalties for noncompliance.[2]

The added pressure on the healthcare industry to meet regulatory requirements is real. In 2011, fines and penalties of as much as US$4.3 million were levied for violations, demonstrating that HITECH has provided HHS with increased leverage when negotiating resolution of alleged HIPAA violations. Reputational damage is also a consideration. Clearly, affected organizations need a proactive approach, making the "ounce of prevention" metaphor very relevant. While the writing on HIPAA has always been on the wall, HITECH empowerment and OCR and FTC enforcement increase the accountability of entities subject to HIPAA.

Another consideration is that the Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to HITECH, remains in effect. It requires that following a breach of unsecured protected health information (PHI), covered entities "must provide notification of the breach to affected individuals, the Secretary [of HHS], and, in certain circumstances, to the media. In addition, business associates must notify covered entities that a breach has occurred."[3] If the breach affects more than 500 records, the violating entity has 60 days to notify the HHS secretary. Following notification, the organization's name and an overview of the breach are posted on the HHS website, a listing commonly referred to as "The Wall of Shame" and not an accolade to be embraced.

Furthermore, under the American Recovery and Reinvestment Act of 2009, the Medicare and Medicaid EHR Incentive Programs provide a financial incentive for the Meaningful Use of certified electronic health record (EHR) technology. The "Protect Electronic Health Information" core measure for both eligible professionals and eligible hospitals under Meaningful Use[4] requires a risk analysis to be completed pursuant to the provisions of HIPAA. The Centers for Medicare and Medicaid Services (CMS), the U.S. federal agency that administers Medicare, Medicaid and the Children's Health Insurance Program, has stated that these security requirements are not new; they simply require compliance with applicable provisions of the previously established HIPAA Security rules. If the OCR finds an organization to be noncompliant through its own audits, then Meaningful Use payments can be recouped in addition to the levy of any applicable fines.

There is one more point to consider from a regulatory view. The OCR announced in June 2011 that KPMG was selected to administer HIPAA privacy and security audits targeting 150 covered entities. These audits are to be completed by the end of calendar year. The 150 covered entities will be selected systematically by the OCR. According to HHS, OCR will audit "as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit."[5] It is important to note that the selection process will not necessarily be complaint or breach driven. While that does not mean covered entities previously affected by a breach are excluded, the OCR appears to have committed to eventually audit all organizations that experience a breach of more than 500 records.

Notes:
[1] The following information is copyrighted by, and used with permission of, the Independence Hall Association, on the Web at: "[In the 1700s] fires were a very dangerous threat to Philadelphians, so [Benjamin] Franklin set about trying to remedy the situation. In 1736, he organized Philadelphia's Union Fire Company, the first in the city. His famous saying, 'An ounce of prevention is worth a pound of cure,' was actually fire-fighting advice. Those who suffered fire damage to their homes often suffered irreversible economic loss. So, in 1752, Franklin [also] helped to found the Philadelphia Contributionship for Insurance Against Loss by Fire. Those with insurance policies were not wiped out financially."
[2] HITECH Act Enforcement Interim Final Rule: Subtitle D of HITECH addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. For more information, go to
[3] For more information on the Breach Notification Rule, go to
[4] See HIPAA 45 CFR (a)(1).
[5] For more information on the HIPAA Privacy and Security Audit Program, go to

With the deadline for completing the audits rapidly approaching, one key initiative the OCR and KPMG are aggressively pursuing is finalizing the associated audit plan. While the OCR has stated it will broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges, all signs seem to indicate it will not be providing a "cheat sheet" to facilitate compliance. Therefore, do not expect a checklist covering what to do to pass an audit. This process will put the selected entities under the microscope. It is in the best interests of covered entities to have the appropriate practices in place.[6]

The issues detailed above focus primarily on what the "good guys" are trying to accomplish. However, it is important to remember that technology continues to evolve rapidly, and with this evolution, new security threats continue to emerge. The reality is that a myriad of hackers, criminals and other unscrupulous parties are maintaining their incessant efforts to gain access to confidential and private information across virtually all industries, including healthcare. According to some studies, nearly two-thirds of breaches are the result of malicious intent, meaning they are not accidents. With the increased reliance by most organizations on technology and the world literally at our fingertips, criminals are running rampant while drooling over a smorgasbord of information that they are not finding difficult to obtain, hence the need for a proactive approach to HIPAA security compliance.

The bottom line is that enforcement of the HIPAA Security Rule is here. Organizations did not take sufficient action, so the federal government did, and it would be wise to avoid testing the patience of the OCR. Without question, the OCR is monitoring affected organizations aggressively, and likely will take significant action against organizations that are noncompliant. The OCR/KPMG audit process will provide further opportunity for the OCR to identify entities that are out of compliance, as will notifications of significant breaches. When the time comes to reflect back on 2012, it is not unreasonable to surmise that we will have observed many organizations rushing to improve their security practices and establish standards that should have been in place years ago.

What is Your Ounce of Prevention?

Going back to Benjamin Franklin's words of wisdom, covered entities have two options. They can sit back and wait until the OCR begins levying penalties and hope they stay under the radar, meaning criminals pass them by, accidents don't happen and they are not selected for audit. The cure will come when it is forced upon them. Alternatively, they can take action now toward prevention while, at minimum, ensuring they have a defensible position that demonstrates they are focusing on securing patient information. Most importantly, regardless of whether or not auditors come knocking, they can make protecting their patients a point of emphasis.

So where to begin? First and foremost, recognize that there is no prescriptive method or best practice to guarantee compliance with the HIPAA Security Rule. The federal government recognizes this and frequently makes similar disclaiming statements. The final rule itself is heavily laden with words like "reasonable," which provides insight on best practice, but organizations should avoid gimmicky tricks or promises of worry-free compliance. Unfortunately, the lack of a solid road map to success has opened the door for much debate in the industry. Many organizations are choosing to take the easy path of "wait and see until proven wrong."

The best pathway through the maze is to take a step back to identify areas where an auditor would likely question the reasonableness of efforts taken. For example, if the last compliance evaluation was performed three years ago, will that satisfy the auditor's expectations? Is it reasonable to present an entire risk analysis program and summary of results in a two-page memorandum? Is it reasonable to report that the entity's last refresh training was performed in 2008 or its policies were last revised in 2007? Is it reasonable to assert that your network is secure when management hasn't authorized any penetration or vulnerability testing? What if the entity has countless users with administrative access but can't pinpoint who really needs access; will that work? The point is clear: Audit yourself or suffer the consequences.

Here are 10 key actions your organization should take, beginning today:

(1) With respect to your last compliance evaluation (often referred to as a gap assessment, safeguard analysis, etc.), determine:
    - The date of the evaluation
    - If the evaluation addressed changes stemming from HITECH
    - The extent to which it evaluated compliance against each individual safeguard
    - The extent to which results were documented and remediation activities were completed or are still being monitored
    - If it was performed within a reasonable amount of time (e.g., within the past one to two years at most)
(2) Evaluate the sufficiency of your risk analysis and risk management programs. Compare your programs against existing guidance from the OCR and leverage other resources identified in that documentation.[7] At minimum, position the entity to assert it has addressed and documented each of the key elements of these programs outlined in the high-level guidance, as issued.
(3) Assess the impact of your risk analysis program on Meaningful Use attestation processes planned or under way, keeping in mind that the risk analysis required for Meaningful Use ties directly to the requirements under the HIPAA Security Rule.
(4) Maintain sufficient documentation of your efforts. Consider it your evidence. It should tell management's story to an independent auditor with little or no additional explanation required.
(5) Ensure the entity has implemented a sustainable program that adapts to the changing environment and is proactive versus reactive.
(6) Monitor industry developments on a continuous basis and leverage existing guidance to the greatest extent practical in a timely manner.
(7) Collaborate with the internal audit and compliance functions and other applicable resources. Security and privacy should be front of mind and an integral part of audit plans in some capacity each year.
(8) Move beyond evaluating simply the design of security and privacy processes and test their operating effectiveness.
(9) Perform penetration and vulnerability testing on a regular basis. Make sure weaknesses are addressed in a timely manner.
(10) Talk to peers. Knowledge share and brainstorm with peers; you'll take comfort and find it therapeutic once you realize you are not alone in this process.

While the above list is not intended to be all-inclusive (and there isn't sufficient certainty for anyone to draw up such a list that fits all circumstances), it goes a long way toward providing a high-level road map for demonstrating the entity has taken reasonable steps to comply, where "reasonable" does not convey a guarantee for success and is, of course, subject to varying interpretations. The question is how each action item on the list should be addressed to implement a sufficiently proactive approach to compliance. Entities looking for a road map that is relevant to them should consult their legal and other advisors.

Getting Ready for Prime Time

Make sure the organization documents its approach for complying with the HIPAA Security Rule, maintains that documentation to keep it current, and ensures evidence exists to support its process. Simply stated, when it comes time for an audit, it is best practice for an organization to have documented evidence available to support what it is doing to comply with the regulations and what is being done to remediate any areas that are not in compliance. To that end, following are key areas for which we believe documentation should be maintained that can be provided to auditors upon request, and that will provide sufficient detail for them to understand the organization's current environment.

HIPAA Security Evaluation

As there still appears to be much confusion in the industry over the difference between an evaluation and a risk analysis, further clarification is warranted. While commonly used interchangeably, these efforts are unique and distinct from one another, as outlined in different safeguards.

With regard to the evaluation process, according to the evaluation safeguard, management must, "Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule [HIPAA Security Rule] and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart."[8] An evaluation of the organization's position against the HIPAA Security regulations should be conducted periodically (e.g., annually) and when significant organizational changes occur (e.g., implementation of a new patient accounting system, changes in infrastructure, turnover at key positions, EHR implementation, etc.). The results should be documented and include defining the security measures in place to address each individual safeguard, including applicable policies and/or procedures. This should be the organization's road map for an auditor; it should be able to direct the auditor to the specific policies, processes and procedures that the organization has implemented to comply with the regulations. Go through the regulations, safeguard by safeguard, and tell the entity's story of how it is complying. It is critical to remember that "addressable" safeguards are not optional. If the entity has chosen not to implement an addressable safeguard, then management must clearly document the reasoning behind that decision, why it is not applicable and, when appropriate, describe the mitigating controls in place to address the associated risks.

Risk Analysis and Risk Management

One of the first safeguards found in the HIPAA Security Rule requires organizations to, "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."[9] It is important to note that the focus of this risk analysis must be on safeguarding electronic protected health information (ePHI). There should be a routine process implemented for refreshing this analysis. This process should occur periodically (e.g., annually) and if the organization undergoes significant changes that affect ePHI. Based upon the results of the risk analysis, the entity must perform risk management activities in order to, "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level."[10] That is, management must take action in order to ensure that risks are being managed and action is being taken to resolve any deficiencies in a timely manner.

CMS performed limited HIPAA audits in 2008 and 2009 to gauge compliance with HIPAA regulations. During both years, the primary concern identified was a lack of an effective and thorough assessment of the threats and risks to ePHI (i.e., deficient risk analysis). In conjunction with guidance issued during the July 2010 time frame,[11] the OCR now points to the National Institute for Standards and Technology (NIST) Special Publication (SP) # as guidance on how to perform an effective risk analysis and risk management process. In our opinion, many organizations are taking a very high-level approach to this process, and we anticipate this will be an area of significant concern pointed out during the KPMG audits. It is not uncommon to find little to no documentation supporting these efforts. Likewise, it is not uncommon for organizations to assert they are relying on risk assessments performed by internal or external auditors that cover a wide range of areas. However, we believe management should determine if the following exist, at minimum, when evaluating the organization's processes:

Risk Analysis
- Complete Inventory of Assets Containing ePHI: This inventory would include any asset (laptop, server, EHR system, etc.) that stores, processes or transmits ePHI, and should be documented and used as part of the risk analysis.
- Relevant Threats and Vulnerabilities to the Asset: NIST defines threats as "the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability" and vulnerability as "[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy."[12] Each threat should have associated vulnerability(ies), and these should be documented for each asset.
- Security Measures: Document for each asset the current security measures that are implemented in order to help mitigate vulnerabilities that the threats could exploit.
- Calculated Residual Risk: Taking into account the security measures that are captured, determine the residual risk that the threat and vulnerability combination poses to the asset. Calculate the likelihood of the asset being exploited with the current security measures in place, and the impact to the covered entity if that asset were to be exploited.[13]

Risk Management
- Residual Risk Mitigation Plans: Document what the organization's plans are to mitigate any residual risk, or document why it is not feasible/reasonable for the risk to be further mitigated from its current status.
- Target Completion Date: Document the date that the organization is targeting to complete the residual risk mitigation plan.
- Completion Date: Document the date the residual mitigation plan has been completed to demonstrate progress.

Meaningful Use Attestation

Another area for debate relates to the core measure for Meaningful Use in which eligible professionals/hospitals must, "Conduct or review a security risk analysis per 45 CFR (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process."[14] The objective of this measure is that organizations must, "Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities."[15] As a result of this EHR-related statement, many organizations believe the HIPAA risk analysis applies only to ePHI contained within the EHR technology. Each of these organizations should take a pause and consult with legal counsel to confirm they are correct. Keep in mind that organizations are required to comply with the HIPAA Security risk analysis safeguard in its entirety, which must address all ePHI that the organization stores, processes or transmits. Naturally, a subset of that ePHI would be that which is contained within the EHR technology. Numerous organizations are interpreting this Meaningful Use measure to mean they need to focus their more detailed risk analysis efforts only on ePHI contained within the EHR, and that remaining risk analysis efforts do not have to be as rigorous. In our view, this is a misconception. If management's risk analysis and risk management efforts do not focus on all ePHI, we believe the organization will be exposed if a breach occurs or it is selected for audit.

Summary

The HIPAA Security Rule compliance adventure continues for the healthcare industry. Whether it depends on an ounce of prevention or a pound of cure, each covered entity dictates its respective compliance storyline through its approach. This white paper recommends a proactive approach. To that end, we have suggested action steps and key areas for maintaining documentation that will facilitate working through the maze. Reflecting on Benjamin Franklin's advice, we can conclude that good intentions with a "wait and see" approach do not prevent breaches nor mitigate loss. Preparation does.

Please note that the information in this paper is not intended to be legal analysis or advice, nor does it purport to address every issue that may impact companies or every government response. Organizations should seek the advice of legal counsel or other appropriate advisors on specific questions as they relate to their unique circumstances.

Notes:
[6] While the OCR may have KPMG pilot a few audits to refine the audit methodology, there is no commitment to provide the marketplace any information regarding the refined audit methodology.
[7] Examples include "Guidance on Risk Analysis Requirements under the HIPAA Security Rule" and "Basics of Security Risk Analysis and Risk Management." For more information, go to
[8] HIPAA Security Regulation 45 CFR (a)(8) Evaluation (Required).
[9] HIPAA Security Regulation 45 CFR (a)(1)(ii)(A) Risk Analysis (Required).
[10] HIPAA Security Regulation (a)(1)(ii)(B) Risk Management (Required).
[11] "Guidance on Risk Analysis Requirements under the HIPAA Security Rule," available at
[12] NIST Special Publication , "Risk Management Guide for Information Technology Systems," by Gary Stoneburner, Alice Goguen and Alexis Feringa, July 2002, available for download at:
[13] Note: Impact Severity x Occurrence Likelihood = Inherent Risk. Inherent Risk - Safeguards (Controls) = Residual Risk.
[14] Department of Health and Human Services, Centers for Medicare & Medicaid Services, "Medicare and Medicaid Programs; Electronic Health Record Incentive Program; Final Rule," Federal Register, Vol. 75, No. 144, page
[15] Ibid, page
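The risk analysis and risk management elements listed above (an inventory of assets containing ePHI, threat and vulnerability pairs per asset, the security measures in place, calculated residual risk, and mitigation plans with target and completion dates) together with the formula in note 13 can be kept as a single risk register that an auditor can read. The Python below is an added example written for this edit; it is not Protiviti's code nor an OCR or NIST tool. The 1-to-5 scoring scales, the "credit" points assigned to each safeguard, the residual-risk threshold, the asset names, scores and dates are all constructed assumptions. It also applies the scope point from the Meaningful Use discussion: assets holding ePHI outside the certified EHR are listed as in scope rather than dropped.

```python
"""Toy HIPAA risk register: the risk analysis / risk management elements as data.

Added example. Scoring scales, safeguard credits, assets and dates are
constructed assumptions, not an OCR, NIST or Protiviti method.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

SCALE = range(1, 6)             # assumed 1..5 ordinal scale for impact and likelihood
RISK_THRESHOLD = 8              # assumed: residual risk >= this needs a plan or a rationale
ASSESSMENT_DATE = date(2012, 12, 1)  # constructed "as of" date for the sample audit run


@dataclass
class Safeguard:
    """A security measure currently in place for the asset."""
    name: str
    credit: int  # assumed: points of inherent risk this control removes


@dataclass
class MitigationPlan:
    """Risk-management record: the plan, its target date and (once done) its completion date."""
    description: str
    target_date: date
    completion_date: Optional[date] = None


@dataclass
class RiskEntry:
    """One asset / threat / vulnerability row of the register."""
    asset: str
    holds_ephi: bool
    in_ehr: bool                 # True if the ePHI lives in the certified EHR technology
    threat: str
    vulnerability: str
    impact: int                  # Impact Severity (1..5)
    likelihood: int              # Occurrence Likelihood (1..5)
    safeguards: list[Safeguard] = field(default_factory=list)
    plan: Optional[MitigationPlan] = None
    accepted_rationale: Optional[str] = None  # documented reason not to mitigate further

    def __post_init__(self) -> None:
        if self.impact not in SCALE or self.likelihood not in SCALE:
            raise ValueError(f"{self.asset}: impact and likelihood must be in {list(SCALE)}")

    def inherent_risk(self) -> int:
        """Note 13: Impact Severity x Occurrence Likelihood = Inherent Risk."""
        return self.impact * self.likelihood

    def residual_risk(self) -> int:
        """Note 13: Inherent Risk - Safeguards (Controls) = Residual Risk, floored at zero."""
        credit = sum(s.credit for s in self.safeguards)
        return max(0, self.inherent_risk() - credit)


def audit_findings(register: list[RiskEntry], threshold: int, today: date) -> list[str]:
    """Documentation gaps an auditor would likely raise: unaddressed residual risk, overdue plans."""
    findings: list[str] = []
    for e in register:
        if not e.holds_ephi:
            continue  # asset is outside the scope of the Security Rule risk analysis
        rr = e.residual_risk()
        if rr >= threshold and e.plan is None and e.accepted_rationale is None:
            findings.append(f"{e.asset} / {e.threat}: residual risk {rr} has no mitigation plan "
                            "and no documented rationale")
        if e.plan and e.plan.completion_date is None and e.plan.target_date < today:
            findings.append(f"{e.asset} / {e.threat}: mitigation plan overdue "
                            f"(target {e.plan.target_date.isoformat()})")
    return findings


def ephi_outside_ehr(register: list[RiskEntry]) -> list[str]:
    """Assets holding ePHI outside the EHR: still in scope, contrary to the EHR-only reading."""
    return sorted({e.asset for e in register if e.holds_ephi and not e.in_ehr})


def build_sample_register() -> list[RiskEntry]:
    """Constructed sample inventory (hypothetical assets, scores and dates)."""
    return [
        RiskEntry("EHR application server", True, True, "External attacker",
                  "Unpatched web application", impact=5, likelihood=4,
                  safeguards=[Safeguard("Monthly patch cycle", 6), Safeguard("Web application firewall", 4)],
                  plan=MitigationPlan("Enable multi-factor authentication for remote access",
                                      target_date=date(2012, 9, 30))),
        RiskEntry("Clinic laptop", True, False, "Theft or loss", "No full-disk encryption",
                  impact=4, likelihood=3, safeguards=[Safeguard("Cable lock policy", 2)]),
        RiskEntry("Offsite backup tapes", True, False, "Loss in transit", "Unencrypted media",
                  impact=5, likelihood=2, safeguards=[Safeguard("AES-encrypted tape drives", 8)]),
        RiskEntry("Cafeteria point-of-sale", False, False, "Card skimming",
                  "Outdated terminal firmware", impact=3, likelihood=2),
    ]


def sample_findings() -> list[str]:
    """Run the sample register against the assumed threshold and assessment date."""
    return audit_findings(build_sample_register(), RISK_THRESHOLD, ASSESSMENT_DATE)


if __name__ == "__main__":
    for entry in build_sample_register():
        print(f"{entry.asset:26} inherent={entry.inherent_risk():2} residual={entry.residual_risk():2}")
    print("ePHI outside the EHR:", ", ".join(ephi_outside_ehr(build_sample_register())))
    for finding in sample_findings():
        print("FINDING:", finding)
```

On the constructed data the register reports the EHR server's plan as overdue and the clinic laptop's residual risk as having neither a plan nor a documented rationale, while the encrypted backup tapes fall below the threshold and the point-of-sale terminal is skipped because it holds no ePHI. Each row carries the fields the text asks auditors to see, so exporting the list is the documentation, not a summary written afterwards.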

About Protiviti

Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE 1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

How Can Protiviti Help?

Protiviti continues to monitor the evolution of regulations impacting the protection of ePHI and related audit requirements. We have developed our approach to assist covered entities in preparing for and implementing measures to enable compliance. Our expertise in compliance, process improvement and technology helps organizations not only prepare for a potential audit, but also implement the institutional changes needed to improve HIPAA Security Rule practices and ensure a sustainable program is implemented. Whether you are aware of deficiencies in your program, are uncertain of the sufficiency of current efforts or would like an independent evaluation to gain additional peace of mind, Protiviti can assist you. We perform full-scope compliance evaluations, assess and develop robust risk analysis and risk management programs, develop and execute effective training initiatives, and design and enhance Meaningful Use programs.

Protiviti has a strong security knowledge base and subject-matter experts in today's leading security frameworks, including:

- HITRUST Common Security Framework (CSF): A healthcare-specific security framework built from other leading security frameworks. Protiviti is a Certified HITRUST CSF Assessor.
- PCI: Protiviti is a qualified security assessor (QSA) for the payment card industry (PCI) security framework.
- ISO: International Standards Organization's (ISO) security management standards.
- ITIL: IT Infrastructure Library's (ITIL) cohesive best practices framework for delivering business value through IT service management.
- COBIT: Control Objectives for Information and related Technology (COBIT) is an IT governance framework for implementing a control structure to address business risks.

Regardless of your organization's security posture, security framework, organizational structure or current challenges, Protiviti has the resources and knowledge to help you implement solutions to address your issues.

Contact

Susan Haseley, susan.haseley@protiviti.com
Kyle Furtis, kyle.furtis@protiviti.com
Alex Robison, alex.robison@protiviti.com
William Thomas, william.thomas@protiviti.com
Richard Williams, richard.williams@protiviti.com

© 2012 Protiviti Inc. An Equal Opportunity Employer. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.


More information

Best Practices in HIPAA Security Risk Assessments

Best Practices in HIPAA Security Risk Assessments BUSINESS WHITE PAPER Best Practices in HIPAA Security Risk Assessments Safeguard your protected health information (PHI) and mitigate the risk of a data breach or loss. WHITEPAPER Best Practices in HIPAA

More information

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality HIPAA Audits: How to Be Prepared Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906-0123.

More information

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Compliance Review Analysis and Summary of Results HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

More information

How To Understand And Understand The Benefits Of A Health Insurance Risk Assessment

How To Understand And Understand The Benefits Of A Health Insurance Risk Assessment 4547 The Case For HIPAA Risk Assessment Leader s Guide IMPORTANT INFORMATION FOR EDUCATION COORDINATORS & PROGRAM FACILITATORS PLEASE NOTE: In order for this program to meet Florida course requirements,

More information

Bridging the HIPAA/HITECH Compliance Gap

Bridging the HIPAA/HITECH Compliance Gap CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According

More information

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute April 8, 2015 4/8/2015 1 1 Who is M-CEITA?

More information

Business Associate Management Methodology

Business Associate Management Methodology Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates

More information

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

The HIPAA Omnibus Final Rule

The HIPAA Omnibus Final Rule WHITE PAPER The HIPAA Omnibus Final Rule Four risk exposure events that can uncover compliance issues leading to investigations, potential fines, and damage to your organization s reputation. By Virginia

More information

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents 2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

HIPAA COMPLIANCE PLAN FOR 2013

HIPAA COMPLIANCE PLAN FOR 2013 HIPAA COMPLIANCE PLAN FOR 2013 Welcome! Presentor is Rebecca Morehead, Practice Manager Strategist www.practicemanagersolutions.com Meaningful Use? As a way to encourage hospitals and providers to adopt

More information

Securing Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use

Securing Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use Securing Patient Portals What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use September 2013 Table of Contents Abstract... 3 The Carrot and the Stick: Incentives and Penalties for Securing

More information

MU Security & Privacy Risk Assessments: What It Is & How to Approach It

MU Security & Privacy Risk Assessments: What It Is & How to Approach It MU Security & Privacy Risk Assessments: What It Is & How to Approach It Dr. Bryan S. Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP Advisor, Health Information Trust Alliance 2011-2014 HITRUST LLC, Frisco,

More information

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Monday, August 3, 2015 1 How to ask a question during the webinar If you dialed in to this webinar on your phone

More information

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What

More information

Sustainable HIPAA Compliance: Protecting Patient Privacy through Highly Leveraged Investments

Sustainable HIPAA Compliance: Protecting Patient Privacy through Highly Leveraged Investments View the Replay on YouTube Sustainable HIPAA Compliance: Protecting Patient Privacy through Highly Leveraged Investments FairWarning Executive Webinar Series October 31, 2013 Today s Panel Chris Arnold

More information

Cybersecurity for Meaningful Use. 2013 FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013

Cybersecurity for Meaningful Use. 2013 FRHA Annual Summit Setting the Health Care Table: Politics, Economics, Health November 20-22, 2013 Cybersecurity for Meaningful Use 2013 FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013 Healthcare Sector Vulnerable to Hackers By Robert O Harrow Jr.,

More information

Security. aspen advisors. An Often Overlooked Meaningful Use Requirement. July 2011

Security. aspen advisors. An Often Overlooked Meaningful Use Requirement. July 2011 Security An Often Overlooked Meaningful Use Requirement July 2011 aspen advisors Table of Contents Why Perform a Risk Analysis?... 1 How to Conduct a Risk Analysis?... 1 When to do a Risk Analysis?...

More information

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance

More information

The HIPAA Audit Program

The HIPAA Audit Program The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance

More information

Architecting Security to Address Compliance for Healthcare Providers

Architecting Security to Address Compliance for Healthcare Providers Architecting Security to Address Compliance for Healthcare Providers What You Need to Know to Help Comply with HIPAA Omnibus, PCI DSS 3.0 and Meaningful Use November, 2014 Table of Contents Background...

More information

Developing HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant

Developing HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant Developing HIPAA Security Compliance Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant Learning Objectives Identify elements of a HIPAA Security compliance program Learn the HIPAA Security Rule basics

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

CSF Support for HIPAA and NIST Implementation and Compliance

CSF Support for HIPAA and NIST Implementation and Compliance CSF Support for HIPAA and NIST Implementation and Compliance Presented By Bryan S. Cline, Ph.D. Presented For HITRUST Why does HITRUST exist? Multitude of challenges Significant government oversight Evolving

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

REFERENCE 5. White Paper Health Insurance Portability and Accountability Act: Security Standards; Implications for the Healthcare Industry

REFERENCE 5. White Paper Health Insurance Portability and Accountability Act: Security Standards; Implications for the Healthcare Industry REFERENCE 5 White Paper Health Insurance Portability and Accountability Act: Security Standards; Implications for the Healthcare Industry Shannah Koss, Program Manager, IBM Government and Healthcare This

More information

BNA s Health Law Reporter

BNA s Health Law Reporter BNA s Health Law Reporter Reproduced with permission from BNA s Health Law Reporter, 20 HLR 1272, 08/18/2011. Copyright 2011 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com HHS

More information

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information about HIPAA, the HITECH-HIPAA Omnibus Privacy Act, how

More information

The Impact of HIPAA and HITECH

The Impact of HIPAA and HITECH The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients

More information

HIPAA Violations Incur Multi-Million Dollar Penalties

HIPAA Violations Incur Multi-Million Dollar Penalties HIPAA regulations have undergone major changes in the last few years giving both the federal and state Governments new and enhanced powers and resources to pursue HIPAA violations HIPAA Violations Incur

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS Ebook YOUR HIPAA RISK ANALYSIS IN FIVE STEPS A HOW-TO GUIDE FOR YOUR HIPAA RISK ANALYSIS AND MANAGEMENT PLAN 2015 SecurityMetrics YOUR HIPAA RISK ANALYSIS IN FIVE STEPS 1 YOUR HIPAA RISK ANALYSIS IN FIVE

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

HIT Audit Workshop. Jeffrey W. Short. jshort@hallrender.com

HIT Audit Workshop. Jeffrey W. Short. jshort@hallrender.com HIT Audit Workshop Jeffrey W. Short jshort@hallrender.com 1 Audits and Investigations to be Discussed Meaningful Use Audits HIPAA Audits Data Breach Investigations Software Vendor Audits FTC Investigations

More information

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better

More information

HIPAA Violations Incur Multi-Million Dollar Penalties

HIPAA Violations Incur Multi-Million Dollar Penalties HIPAA Violations Incur Multi-Million Dollar Penalties Whitepaper HIPAA Violations Incur Multi-Million Dollar Penalties Have you noticed how many expensive Health Insurance Portability and Accountability

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

Frequently Asked Questions about the HITRUST Risk Management Framework

Frequently Asked Questions about the HITRUST Risk Management Framework Frequently Asked Questions about the HITRUST Risk Management Framework Addressing common questions and misconceptions about the HITRUST CSF, CSF Assurance Program and supporting methods and tools, and

More information

Understanding HITRUST s Approach to Risk vs. Compliance-based Information Protection

Understanding HITRUST s Approach to Risk vs. Compliance-based Information Protection Understanding Compliance vs. Risk-based Information Protection 1 Understanding HITRUST s Approach to Risk vs. Compliance-based Information Protection Why risk analysis is crucial to HIPAA compliance and

More information

HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule

HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule NYCR-245157 HIPPA, HIPAA HiTECH& the Omnibus Rule A. HIPAA IIHI and PHI Privacy & Security Rule Covered Entities and Business Associates B. HIPAA Hi-TECH Why

More information

Data Breach, Electronic Health Records and Healthcare Reform

Data Breach, Electronic Health Records and Healthcare Reform Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA

More information

BUSINESS ASSOCIATE AGREEMENT. Recitals

BUSINESS ASSOCIATE AGREEMENT. Recitals BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and

More information

PROTIVITI FLASH REPORT

PROTIVITI FLASH REPORT PROTIVITI FLASH REPORT Cybersecurity Framework: Where Do We Go From Here? February 25, 2014 Just over a year ago, President Barack Obama signed an Executive Order (EO) calling for increased cybersecurity

More information

Healthcare and IT Working Together. 2013 KY HFMA Spring Institute

Healthcare and IT Working Together. 2013 KY HFMA Spring Institute Healthcare and IT Working Together 2013 KY HFMA Spring Institute Introduction Michael R Gilliam Over 7 Years Experience in Cyber Security BA Telecommunications Network Security CISSP, GHIC, CCFE, SnortCP,

More information

REGULATORY CHANGES DEMAND AN ENTERPRISE-WIDE APPROACH TO DISCLOSURE MANAGEMENT OF PHI

REGULATORY CHANGES DEMAND AN ENTERPRISE-WIDE APPROACH TO DISCLOSURE MANAGEMENT OF PHI REGULATORY CHANGES DEMAND AN ENTERPRISE-WIDE APPROACH TO DISCLOSURE MANAGEMENT OF PHI Healthcare Organizations Can Adopt Enterprise-Wide Disclosure Management Systems To Standardize Disclosure Processes,

More information

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate

More information

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the

More information

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind Page1 Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind The use of electronic medical records (EMRs) to maintain patient information is encouraged today and

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

HIPAA Compliance and Reporting Requirements

HIPAA Compliance and Reporting Requirements Healthcare IT Assurance Peace of Mind Through Privacy and Security Risk Management By Dan Schroeder, CPA, MBA, CISA, CIA, PCI QSA, CISM, CIPP/US Dan.schroeder@hawcpa.com BRIEF CONTENTS HCIT IMPROVES THE

More information

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

THE STATE OF HEALTHCARE COMPLIANCE: Keeping up with HIPAA, Advancements in EHR & Additional Regulations

THE STATE OF HEALTHCARE COMPLIANCE: Keeping up with HIPAA, Advancements in EHR & Additional Regulations THE STATE OF HEALTHCARE COMPLIANCE: Keeping up with HIPAA, Advancements in EHR & Additional Regulations [ The State of Healthcare Compliance: Keeping up with HIPAA, Advancements in EHR & Additional Regulations

More information

ARRA HITECH Stimulus HIPAA Security Compliance Reporter. White Paper

ARRA HITECH Stimulus HIPAA Security Compliance Reporter. White Paper ARRA HITECH Stimulus HIPAA Security Compliance Reporter White Paper ARRA HITECH AND ACR2 HIPAA SECURITY The healthcare industry is in a time of great transition, with a government mandate for EHR/EMR systems,

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help The Health Information Portability and Accountability Act (HIPAA) Omnibus Rule which will begin to be enforced September 23, 2013,

More information

2012 HIPAA Privacy and Security Audits

2012 HIPAA Privacy and Security Audits Office of the Secretary Office for Civil Rights (OCR) 2012 HIPAA Privacy and Security Audits Linda Sanches OCR Senior Advisor, Health Information Privacy Lead, HIPAA Compliance Audits OCR 1 Agenda Background

More information

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? You receive a phone call from your CEO. They just received

More information

HIPAA Security Overview of the Regulations

HIPAA Security Overview of the Regulations HIPAA Security Overview of the Regulations Presenter: Anna Drachenberg Anna Drachenberg has been assisting healthcare providers and hospitals comply with HIPAA and other federal regulations since 2008.

More information

PCI Compliance for Healthcare

PCI Compliance for Healthcare PCI Compliance for Healthcare Best practices for securing payment card data In just five years, criminal attacks on healthcare organizations are up by a stunning 125%. 1 Why are these data breaches happening?

More information

What s new In the News Data Breach Discussion The 5 W s Risk Analysis: Why, What, how, When, and Who Common Issues Observed Q / A Session Purdue

What s new In the News Data Breach Discussion The 5 W s Risk Analysis: Why, What, how, When, and Who Common Issues Observed Q / A Session Purdue What s new In the News Data Breach Discussion The 5 W s Risk Analysis: Why, What, how, When, and Who Common Issues Observed Q / A Session Purdue Healthcare Advisors The # of data breaches is climbing The

More information

HIPAA/HITECH Privacy and Security for Long Term Care. Association of Jewish Aging Services 1

HIPAA/HITECH Privacy and Security for Long Term Care. Association of Jewish Aging Services 1 HIPAA/HITECH Privacy and Security for Long Term Care 1 John DiMaggio Chief Executive Officer, Blue Orange Compliance Cliff Mull Partner, Benesch, Healthcare Practice Group About the Presenters John DiMaggio,

More information

Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com

Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Healthcare Compliance: How HiTECH May Affect Relationships with Business Associates Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Legal Disclaimer This information

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

HITRUST CSF Assurance Program

HITRUST CSF Assurance Program HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

HIPAA Audits Are Here!

HIPAA Audits Are Here! HIPAA Audits Are Here! How to prepare for and what to expect when OCR comes knocking May 12, 2016 James B. Wieland, Principal, Ober Kaler Emily H. Wein, Principal, Ober Kaler David Holtzman, VP of Compliance,

More information

Guided HIPAA Compliance

Guided HIPAA Compliance Guided HIPAA Compliance HIPAA Solutions for Office Managers and Practitioners SecurityMetrics We protect business Since its founding in 2000, privately-held SecurityMetrics has grown from a small security

More information

Understanding Health Insurance Portability Accountability Act AND HITECH. HIPAA s Privacy Rule

Understanding Health Insurance Portability Accountability Act AND HITECH. HIPAA s Privacy Rule Understanding Health Insurance Portability Accountability Act AND HITECH HIPAA s Privacy Rule 1 What Is HIPAA s Privacy Rule The privacy rule is a component of the Health Insurance Portability and Accountability

More information

MEANINGFUL USE DESK AUDIT

MEANINGFUL USE DESK AUDIT MEANINGFUL USE DESK AUDIT October 2015 Protect Electronic Health Information HIPAA Risk Management 1680 E. Joyce Blvd Fayetteville, AR 72704 (800) 501-8973 www.hipaarisk.com Copyright 2015 by HRM Services,

More information

HIPAA in an Omnibus World. Presented by

HIPAA in an Omnibus World. Presented by HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters

More information

Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today s Largest Organizations

Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today s Largest Organizations Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today s Largest Organizations Overview In late 2006 and 2007, Protiviti commissioned a study to gauge the fraud risk management (FRM)

More information

HIPAA Changes 2013. Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13

HIPAA Changes 2013. Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13 HIPAA Changes 2013 Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13 BEI Who We Are DC Metro IT Service Provider since 1987 Network Design/Upgrade Installation/Managed IT Services for small to medium-sized

More information

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License

More information

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010 New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,

More information

HIPAA Overview. Darren Skyles, Partner McGinnis Lochridge. Darren S. Skyles dskyles@mcginnislaw.com

HIPAA Overview. Darren Skyles, Partner McGinnis Lochridge. Darren S. Skyles dskyles@mcginnislaw.com HIPAA Overview Darren Skyles, Partner McGinnis Lochridge HIPAA Health Insurance Portability and Accountability Act of 1996 Electronic transaction and code sets: Adopted standards for electronic transactions

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

PROTIVITI FLASH REPORT

PROTIVITI FLASH REPORT PROTIVITI FLASH REPORT HHS Announces Plans to Reconsider Implementation Timeline for U.S. Healthcare Industry s Transition to ICD-10 February 17, 2012 On Wednesday, February 15, the Department of Health

More information