Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Transcription

1 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19,

2 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8 staff AATS consists of 4 staff and supports 8 Audit Managers IT Audit averages about 15 audit reports annually Our Different Perspective Adds Value 2

3 AGENDA HIPAA Background What OIG Did Our Objectives What OIG Found at CMS What OIG Found at Hospitals OIG Future Plans Electronic Health Records 3

4 Background HIPAA Security Rule HIPAA defines a covered entity as a (1) health plan, (2) health care clearinghouse, or (3) health care provider who transmits any health information in electronic form 4

5 Background Covered Entity Requirements Covered entities must do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. 5

6 Background Covered Entity Requirements (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted. (4) Ensure compliance by its workforce. 6

7 Background Delegation of Authority -- HIPAA Security Rule On October 7, 2003, HHS delegated CMS the authority to enforce and impose civil monetary penalties on covered entities that violate the HIPAA Security Rule. The Final Rule [Enforcement Rule] for enforcement of the HIPAA Security Rule became effective on March 16,

8 Background Delegation of Authority -- HIPAA Security Rule CMS developed and published the HIPAA Security Rule and guidance for covered entities. CMS also published a series of security papers designed to give covered entities insight into the HIPAA Security Rule and assistance with implementation of the security standards. 8

9 Background HIPAA and HITECH On February 17, 2009, Congress enacted the Recovery Act which contains the Health Information Technology for Economic and Clinical Health Act (HITECH Act). 9

10 Background HIPAA and HITECH The HITECH Act requires the HHS to adopt health information technology standards and implementation specifications that take into account the requirements of HIPAA privacy and security law. 10

11 Background Delegation of Authority to Office for Civil Rights On July 27, 2009, HHS delegated to the Office for Civil Rights (OCR) (1) the authority and responsibility to interpret, implement, and enforce the HIPAA Security Rule provisions; (2) the authority to conduct compliance reviews and to investigate and resolve complaints of HIPAA Security Rule noncompliance; and (3) the authority to impose civil monetary penalties for a covered entity s failure to comply with the HIPAA Security Rule provisions. 11

12 What OIG Did We conducted our audit at CMS headquarters in Baltimore, Maryland, and seven hospitals around the country. We selected 7 hospitals nationwide with the largest total Medicare billings in fiscal year 2006 (more than $150 million). 12

13 Audit Objective To determine the sufficiency of CMS s oversight and enforcement actions pertaining to hospitals implementation of the HIPAA Security Rule. To test whether hospitals had implemented certain technical, physical, and administrative safeguard provisions of the HIPAA Security Rule. 13

14 What OIG Found - CMS In October 2008, we issued a report to CMS. We reported that CMS had taken limited actions to ensure that covered entities complied with the standards, implementation specifications, or other requirements of the HIPAA Security Rule. 14

15 What OIG Found - CMS Overall, CMS s oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the HIPAA Security Rule. As a result, CMS had limited assurance that controls were in place and operating as intended to protect ephi, thereby leaving ephi vulnerable to attack and compromise. 15

16 What OIG Found - Hospitals Although each of the 7 hospitals had implemented some controls, policies, and procedures to protect ephi from improper alteration or destruction, none had sufficiently implemented the administrative, technical, and physical safeguard provisions of the HIPAA Security Rule. 16

17 What OIG Found - Hospitals Specifically, our audits of 7 hospitals throughout the nation identified 151 vulnerabilities, of which 124 were considered high impact in the systems and controls intended to protect ephi. 17

18 What OIG Found - Hospitals High Impact (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization s mission, reputation, or interest; or (3) may result in human death or serious injury. 18

19 What OIG Found - Hospitals These vulnerabilities placed the confidentiality, integrity, and availability of ephi at risk. Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries personal data and performed unauthorized acts without the hospitals knowledge. 19

20 What OIG Found Hospitals Wireless Access Vulnerabilities Five hospitals had 15 wireless access vulnerabilities, including outdated or ineffective encryption, unauthorized wireless access points, no firewall separating wireless from internal wired networks, 20

21 What OIG Found Hospitals Wireless Access Vulnerabilities broadcasted service set identifiers (SSID) from hospital access points, no authentication required to enter the wireless network, the inability to detect unauthorized devices intruding on the wireless network, and no procedures for continuously monitoring the wireless networks 21

22 What OIG Found Hospitals Access Control Vulnerabilities Seven hospitals had 38 access control vulnerabilities involving domain controllers, servers, workstations, and mass storage media used to receive, maintain, or transmit protected information. 22

23 What OIG Found Hospitals Access Control Vulnerabilities The vulnerabilities included inadequate password settings, computers that did not log users off after periods of inactivity, unencrypted laptops containing ephi, and excessive access to root folders. 23

24 What OIG Found Hospitals Audit Control Vulnerabilities Five hospitals had 9 audit control vulnerabilities involving their servers, routers, firewalls, databases, and wireless access points containing or transmitting ephi. 24

25 What OIG Found Hospitals Audit Control Vulnerabilities The 5 hospitals had audit logging disabled for one or all of the above. In addition, their network administrators did not routinely review operating system and application audit logs, either manually or by using automated logmonitoring tools. 25

26 What OIG Found Hospitals Integrity Control Vulnerabilities Seven hospitals had 21 integrity control vulnerabilities on personal computers and servers containing ephi. 26

27 What OIG Found Hospitals Integrity Control Vulnerabilities Examples of those vulnerabilities were uninstalled critical security patches, outdated antivirus updates, operating systems no longer supported by the manufacturer, and unrestricted Internet access. 27

28 What OIG Found Hospitals Authentication Control Vulnerabilities Four hospitals had 9 person or entity authentication vulnerabilities, such as inappropriate sharing of administrator accounts and unchanged default user identifiers and passwords. 28

29 What OIG Found Hospitals Transmission Security Vulnerabilities Four hospitals had 14 transmission security control vulnerabilities involving network devices, including routers and switches used for transmitting ephi. 29

30 What OIG Found Hospitals Transmission Security Vulnerabilities These vulnerabilities were the result of using inappropriate plain text remote administration tools (e.g., Simple Network Management Protocol version 1 and the Telnet protocol), no encryption, unsecure switch port connections, and unnecessary and unsecure network services. 30

31 What OIG Found Hospitals Device and Media Control Vulnerabilities Two hospitals had 5 device and media control vulnerabilities, involving no inventory system to track computer equipment containing ephi, no documented plans for or evidence of removal of ephi from media before disposal, no password protection for computers on portable carts, and no encryption on backup tapes containing ephi. 31

32 What OIG Found Hospitals Security Management Process Two hospitals each had a security management process vulnerability. One had incomplete risk assessments of hospital systems that created, received, maintained, or transmitted ephi. The other had no policies and procedures for risk analysis. 32

33 What OIG Found Hospitals Workforce Security Vulnerabilities Two hospitals each had 1 workforce security vulnerability. One hospital s insufficient policies and procedures resulted in 36 employee user accounts with inappropriate access to its network and ephi. 33

34 What OIG Found Hospitals Workforce Security Vulnerabilities Another hospital informed its network management department of employee terminations at the end of each 2-week pay period, thus allowing former employees network IDs to remain active with inappropriate network access for up to 2 weeks after the employees no longer worked for the hospital. 34

35 What OIG Found Hospitals Security Incident Procedure Vulnerabilities One hospital did not have procedures to identify, respond to, or document actions taken in response to security incidents. 35

36 What OIG Found Hospitals Contingency Plan Vulnerabilities Three hospitals had incomplete contingency plans, incomplete disaster recovery plans, unsafe storage of backup tapes, and network security disruptions. 36

37 What OIG Found Hospitals Contingency Plan Vulnerabilities For example, one hospital did not complete a contingency plan for a system that provided ready access to patient health care records and test results. 37

38 OIG Future Plans Possible future efforts might involve Auditing OCR, including other Covered Entities Electronic Health Records MMIS Business Associate Agreements (Other Regions) Portable Device and Media Security 38

39 EHR OIG OEI is currently conducting a study on States oversight of Medicaid electronic health record (EHR) incentive programs, which were authorized by the Recovery Act. 39

40 EHR This study will include all States that have a State Medicaid Health IT Plan approved by CMS and plan to launch their incentive programs in January

41 EHR Certain States expect to start distributing EHR incentive payments by March. Providers will attest to their eligibility electronically as part of their application process. Part of the attestation is to agree to maintain documentation. Submitting documentation at application is optional. 41

42 EHR Information in the application will be manually verified against available existing information. Regulation will be challenging for some States because for the first time they will be looking at the business processes and software, not just support for claims. Applicants will be limited to those able to meet the meaningful use provisions. 42

43 EHR For more information on EHRs: er.pt/community/healthit_hhs_go v meaningful_use_announceme nt/

44 My Contact Information Brian C. Johnson, CPA, CISA Manager, IT Audit / AATS HHS/OIG/OAS 61 Forsyth Street, SW, Room 3T41 Atlanta, GA Office (404) brian.johnson@oig.hhs.gov 44

45 Damn, that was a another jolt! 45