HIPAA Compliance Tune-Up for Are You Prepared?

Transcription

1 HIPAA Compliance Tune-Up for 2016 Are You Prepared?

2 Speakers Michael Flavin Senior Product Marketing Manager efax Corporate, Part of j2 Cloud Services 2

3 Agenda 1 Why HIPAA Enforcement Will Get Stronger in What Exactly is the OCR Phase 2 Audit? 3 Why Covered Entities Should Prioritize a Security Risk Analysis 4 6 Tips to Prevent Cyber Hacking 5 How to Create Cyber-Security Culture Across Your Organization 6 How a Cloud Fax Model Can Enhance HIPAA Compliance 3

4 The information provided in this presentation does not constitute, and is no substitute for, legal or other professional advice. We strongly encourage you to consult your own legal or other professional advisors for individualized guidance regarding the application of the law to your particular situations, and in connection with any compliance-related concerns. 4

5 Why HIPAA Enforcement will Ramp Up in 2016 HHS s Office of the Inspector General (OIG) issues report recommending stronger oversight of CEs and BAs. The Office for Civil Rights (OCR) responds with Phase 2, launching in early

6 HIPAA Resolutions & Corrective Actions Up Every Year * Investigated: No Violation Resolved Corrective Action or Tech Asst. Total Resolutions 6

7 Findings: The Results of HIPAA s Phase 1 Audits 2/3 of entities had no complete or accurate risk assessment program. 44% of Privacy Rule deficiencies involved disclosures of ephi. 58 out of 59 healthcare providers had at least 1 negative finding relating to the Security Rule! 7

8 Findings: The OIG Report that Led to the Phase 2 Audit In about half of the closed privacy cases covered entities were noncompliant with at least one privacy standard. Recommendation: OCR should Implement permanent audit program Keep documentation of corrective action Improve method of tracking cases Check CE HIPAA investigation history Expand outreach and education to CEs 8

9 Quick Audience Poll 1 How concerned are you about phase 2 OCR Compliance Audits in 2016? a. Not concerned at all b. Slightly concerned c. Moderately concerned d. Very concerned 2 What best describes the biggest pain point with faxing in your organization today? a. No integration into our EHR system b. HIPAA Security and Compliance concerns c. Ongoing costs of on-site fax Infrastructure d. Inefficiency of workflow processes 9

10 Agenda 1 Why HIPAA Enforcement Will Get Stronger in What Exactly is the OCR Phase 2 Audit? 3 Why Covered Entities Should Prioritize a Security Risk Analysis 4 6 Tips to Prevent Cyber Hacking 5 How to Create Cyber-Security Culture Across Your Organization 6 How a Cloud Fax Model Can Enhance HIPAA Compliance 10

11 What Exactly is a Phase 2 HIPAA Audit? Phase 2: Hundreds of Covered Entities Will Be Audited 550 to 800 entities contacted Estimated 350 selected for audit OCR s own staff conducting the audits Combination of desk and onsite audits Measuring security, breach, privacy 11

12 Agenda 1 Why HIPAA Enforcement Will Get Stronger in What Exactly is the OCR Phase 2 Audit? 3 Why Covered Entities Should Prioritize a Security Risk Analysis 4 6 Tips to Prevent Cyber Hacking 5 How to Create Cyber-Security Culture Across Your Organization 6 How a Cloud Fax Model Can Enhance HIPAA Compliance 12

13 Why Prioritize a Security Risk Analysis? Health firms are at risk: Virus vulnerabilities are up Data breaches and ephi theft are up Between 2010 and 2013, 29 million records compromised From the HHS Wall of Shame 113,180,244 breaches in 2015 alone! 13

14 Why Prioritize a Security Risk Analysis Healthcare was 2015 s #1 Data Breach Victim 78.8 million records 11 million records 10 million records 4.5 million records 3.9 million records Source: And published as required by the HITECH Act on DHHS: 14

15 Vulnerability to Cyber Hacking & ephi Breach FBI warnings to industry: The FBI has observed malicious actors targeting healthcare related systems for the purpose of obtaining Protected Healthcare Information (PHI) HHS Office for Civil Rights 1,199 Incidents 41.5 Million Individuals Top 5 Health Data Breaches in Million Individuals Data Breaches Year to Date Huge Change in Scope ,800%! Million Individuals Increase from

16 The largest data breaches in 2015 were all the result of cyber hacking breaches, resulting from... Spearphishing Malware Network Intrusion 16

17 What s a Secure ephi Transmission? HIPAA Privacy Rule: 45 CFR NIST encryption standards for handshake NIST encryption cipher standard for data protection requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. TLS encryption AES 256-bit encryption 17

18 Why Prioritize a Security Risk Analysis? 98% of healthcare providers audited were found to have failed to comply with HIPAA s Security Rule in at least one instance 18

19 The Cost Data Breaches Again, Healthcare Tops the List of Industries $154 $163 $363 Average cost per record across all industries globally Average cost per record for retail firms globally Average cost per breach for healthcare firms globally 19

20 What are the Business-Impacting Threats? Marketplace Reputation and Customer Loyalty Liability Legal costs Credit assistance for customers Training, call center triage Fraudulent charges Stock price, earnings, etc. IT Resources 20

21 Agenda 1 Why HIPAA Enforcement Will Get Stronger in What Exactly is the OCR Phase 2 Audit? 3 Why Covered Entities Should Prioritize a Security Risk Analysis 4 6 Tips to Prevent Cyber Hacking 5 How to Create Cyber-Security Culture Across Your Organization 6 How a Cloud Fax Model Can Bring Enhance Compliance 21

22 6 Tips to Prevent Cyber Hacking Build Your Network s Defensive Walls 1 Proactive Software Assurance Source code and binary code testing tools Application security scanners Certifications 4 Eliminating Security Vulnerabilities Vulnerability management Patch management Penetration testing 2 Blocking Attacks: Network Level IDS and IPS FW MSS 5 Safely Supporting Authorized Users Encryption technology VPN DLP 3 Blocking Attacks: Host Level Endpoint security NAC 6 Tools to Manage Security and Maximize Effectiveness Log management SIEM Training 22

23 Agenda 1 Why HIPAA Enforcement Will Get Stronger in What Exactly is the OCR Phase 2 Audit? 3 Why Covered Entities Should Prioritize a Security Risk Analysis 4 6 Tips to Prevent Cyber Hacking 5 How to Create Cyber-Security Culture Across Your Organization 6 How a Cloud Fax Model Can Enhance HIPAA Compliance 23

24 How to Create a Cyber-Security Culture Start at the top of your company - make everyone aware of the risks and how to avoid them. Find ways to explain the right processes that are non-technical - because that loses a lot of people. Identify the digital assets you most need to secure - and make sure you re monitoring and protecting them. Look also for non-cyber data risks - hardcopy files left unattended, etc. - and include them in your training. 24

25 Most Common Pitfalls Risk Assessment Lack of Accurate Data Inventory/ Controls Audit Logs (critical for compliance and root cause) Humans Accidents Happen Social Engineering Security Awareness Training Missing Policies and Procedures Incident Response Team and Plan & Audit Trail 25

26 Agenda 1 Why HIPAA Enforcement Will Get Stronger in What Exactly is the OCR Phase 2 Audit? 3 Why Covered Entities Should Prioritize a Security Risk Analysis 4 6 Tips to Prevent Cyber Hacking 5 How to Create Cyber-Security Culture Across Your Organization 6 How a Cloud Fax Model Can Enhance HIPAA Compliance 26

27 Faxing in Healthcare today Trends The Move toward a Cloud Fax Model The Cloud Fax Model Your staff can fax anywhere Virtually No IT administration, maintenance and troubleshooting Deploys in minutes Easy to use Requires no training Highly secure Compliant* Provides clear audit trails Cost-effective *efax Secure, part of the efax Corporate suite of solutions is a HIPAA-compliant solution for Healthcare 27

28 efax Corporate The world s #1 online fax company and the industry s most experienced hosted fax service , Secure Browser, Mobile App & efax Messenger User Interfaces Encrypted in Transit (optional) The most widely deployed online fax service for the Fortune 500 Hosted Fax Service Encrypted Fax Storage via efax Secure (optional) Trusted by more major healthcare, legal, financial and other highlyregulated firms than any other online fax provider to transmit sensitive documents PSTN Telco Service Inbound/ Outbound Faxes 28

29 Q&A enterprise.efax.com U.S. Sales (888) UK Sales +44 (0)

30 Helpful Resources HIPAA Privacy Rule The HIPAA Security Rule Toolkit OCR s HIPAA Enforcement Data Page OCR s Findings from Phase 1 Audits OIG 2015 Report Recommending Strengthened HIPAA Oversight BitSight Data-Security Industry Report HealthITNews: Top 10 Breaches of 2015 HIPAAJournal: Top 2015 Breaches (Healthcare Industry #1 Victim) efax Corporate Blog: Six Best Practices to Deter Cyber Hackers HealthCareITNews Article on Cyber Security Culture SANS Institute: Layered Defense Approach to Preventing Cyber Hacking The American Bar Association s Interpretation of the HIPAA Security Rule and Protecting ephi HHS Report: Security 101 for the CE HIPAA Audit Webpage Ponemon: 2015 Costs of Breaches 2015 HIMSS Conference efax Corporate Data Sheet on HIPAA- Compliant Faxing 30