HIPAA/PHI AND MOBILE DEVICES Office Practicum User Conference, Philadelphia

Transcription

1 HIPAA/PHI AND MOBILE DEVICES 2014 Office Practicum User Conference, Philadelphia

2 HIPAA AND MOBILE DEVICES Learning Objectives: HIPAA - Issues in daily patient care PHI What is it and how do you keep it safe FINAL OMNIBUS RULE Security and Privacy Rules Mobile Device increased risk Breach What do you do???

3 DATA BREACH WHAT DO YOU DO? HHS Website Lists 931 Data Breaches affecting more than 30.6M HHS has been tracking data breaches since September 2009, when the HIPAA Breach Notification Rule went into effect Lost or stolen devices that were unencrypted account for the majority of the breaches, according to Gov Info Security

4 DATA BREACHES The Identity Theft Resource Center, which tracks data breaches, has counted 204 of them through March of the this year for a loss of 4,238,983 records related to sensitive personal information Exposed through hacker cyber-attacks, stolen laptops or dumb mistakes

5 DATA BREACHES Snapchat, the photo app and delivery service, suffered a security gap in January that resulted in the phone numbers and usernames of up to 4.6 million accounts being downloaded by a website called SnapchatDB.info. Snapchat called the incident no big deal, but would try to make it more difficult to do.

6 DATA BREACHES Indiana University in February said a breach of its systems had exposed the personal data of about 146,000 students University indicated it believed the information, which had been stored in an insecure manner, wasn t grabbed by a individual hacker but instead was crawled by a number of automated web-crawling applications

7 DATA BREACHES Coca-Cola said a former employee in Atlanta stole 55 laptops that had contained unencrypted personal information on about 74,000 people, most of them Coca-Cola employees The company didn t say how it had regained the laptops but acknowledged to the Wall Street Journal that company policy requires laptops to be encrypted but these stolen laptops weren t

8 WHAT IS PHI? Under the HIPAA Privacy Rule, protected health information (PHI) refers to individually identifiable health information, i.e. that which can be linked to a particular person Specifically, this information can relate to: Common identifiers of health information include names, social security numbers, addresses, and birth dates. The HIPAA Security Rule applies to individual identifiable health information in electronic form or electronic protected health information (ephi) Intended to protect the confidentiality, integrity, and availability of ephi when it is stored, maintained, or transmitted

9 HIPAA ISSUES PATIENT CARE HIPAA OMNIBUS RULE Enacted January 2013 New rule protects patient privacy, secures health information Enhanced standards improve privacy protections and security safeguards for consumer health data HHS moved forward to strengthen the privacy and security protections for health information under HIPAA 1996

10 HIPAA OMNIBUS RULE Final omnibus rule greatly enhances a patient s privacy protections, provides individuals new rights to their health information, and strengthens the government s ability to enforce the law Much has changed in 15 years Make HIPAA more appropriate to the digital age of medicine

11 HIPAA ONMIBUS RULE Congratulations! You are a business associate!

12 BUSINESS ASSOCIATE RULE If your business creates, receives, maintains, or transmits PHI on behalf of a covered entity you re now considered a business associate under the HIPAA Final Omnibus Rule Expands many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors i.e., Transcriptionists

13 BUSINESS ASSOCIATE RULE Some of the largest breaches reported to HHS have involved business associates Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation Changes also strengthen the (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS

14 DATA BREACH NOTIFICATION

15 CAT AND MOUSE GAME Online service increase cyber-security Cybercriminals create new deceptive tactics Online Trust Alliance - created 2014 Data Protection and Breach Guide Outline impact of breach Best Practices for Best Practices in Data Security and Brand Production Fact of Life Public and Private Sectors

16 INCIDENT HIGHTLIGHTS 2013 INTERNATIONAL INCIDENT HIGHLIGHTS 76% Weak or Stolen Credentials 29% Via Social Engineering 89% Could have been prevented 31% Due to Inside 21% Physical loss/theft 40% Of the largest breaches in history

17 DATA LIFECYCLE STRATEGY Privacy and Terms of Use policies need to be continually reviewed and updated The data a business collects include some form of Personally Identifiable Information (PII) or covered information The realization that if a business collects data, it will inevitably experience a data loss incident Data stewardship is everyone s responsibility

18 MOST RECENT RULES ON BREACH

19 HIPAA OMNIBUS RULE Individual Patient Rights Expanded: Patients can ask for a copy of their electronic medical record in an electronic form When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan Final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individuals health information without their permission

20 HIPAA OMNIBUS RULE The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009 Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes

21 OMNIBUS SECURITY RULE The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information (HIPAA, Title II) requires the Secretary of HHS to publish national standards for the security of electronic protected health information (e-phi), electronic exchange, and the privacy and security of health information

22 OMNIBUS SECURITY RULE The Security Rule: Applies to health plans, Health care clearinghouses Any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the covered entities )

23 OMNIBUS SECURITY RULE Electronic Protected Health Information protected by HIPAA privacy of individually identifiable health information, called protected health information (PHI) The Security Rule protects a subset of information covered by the Privacy Rule - the Security Rule calls this information electronic protected health information (e-phi) The Security Rule does not apply to PHI transmitted orally or in writing.

24 OMNIBUS SECURITY RULE Specifically, covered entities must: Ensure the confidentiality, integrity, and availability of all e-phi they create, receive, maintain or transmit; Identify and protect against reasonably anticipated threats to security/integrity of data Protect against reasonably anticipated, impermissible uses or disclosures; and Ensure compliance by their workforce

25 OMNIBUS SECURITY RULE The Security Rule defines confidentiality to mean that e-phi is not available or disclosed to unauthorized persons Security Rule's confidentiality requirements support prohibitions against improper uses and disclosures of PHI Security rule also promotes the two additional goals of maintaining the integrity (not altered) and availability (accessibility) of e-phi:

26 OMNIBUS SECURITY RULE What measures must a covered entity consider when deciding which security measures to use: Its size, complexity, and capabilities, Its technical, hardware, and software infrastructure, The costs of security measures, and The likelihood and possible impact of potential risks to e-phi. Covered entities must review and modify their security measures to currently protect e-phi

27 OMNIBUS SECURITY ANALYSIS A risk analysis process includes, but is not limited to, the following activities: Evaluate the likelihood and impact of potential risks to e-phi Implement appropriate security measures to address the risks identified Document the chosen security measures and the rationale for adopting those measures Maintain continuous, reasonable, and appropriate security protections Risk analysis should be an ongoing process, in which a covered entity regularly reviews access records

28 OMNIBUS TECHNICAL SAFEGUARDS Covered Entity Responsibilities must implement: Access Control - technical policies and procedures that allow only authorized persons to access electronic protected health information (e-phi) Audit Controls - hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-phi Integrity Controls - policies and procedures to ensure that e-phi is not improperly altered or destroyed. Transmission Security - technical security measures that guard against unauthorized access to e-phi that is being transmitted over an electronic network.

29 OMNIBUS TECHNICAL SCURITY What does this all mean?

30 SECURITY RISKS HEALTHCARE IT Five Top Security Risks to Healthcare IT: Increase of mobile devices Embedded devices Virtualization software Social Media/Social Collaboration (SharePoint and Dropbox) Consumerization of IT Healthcare IT News, April 2014

31 OMNIBUS SECURITY ISSUES If you believe your ephi security has been breached you may file a Compliant for the Security Violation Complaint Portal - File a Security Rule Violation Complaint cp.jsf

32 CHANGE GEARS - PRIVACY

33 OMNIBUS RULE PRIVACY HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes

34

35 OMNIBUS PRIVACY RULE Filing a Privacy Violation Complaint with HHS against health plan clearinghouse or Provider Complaints filed in writing, either on paper or electronically; name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation

36 OMNIBUS PRIVACY ACT Filed within 180 days of the violation of the patient s privacy HHS has delegated to the Office for Civil Rights (OCR) the authority to receive and investigate complaints as they may relate to the Privacy Rule Within different regions of the USA there are regional offices to receive the complaints

37 OMNIBUS PRIVACY RULE HIPAA requires that all persons you collect medical information from either directly or indirectly (such as by filling a prescription) be notified of their rights to privacy and receive a Notice of Privacy Practices which is sometimes also called Notice of Information Practices. The statement must tell your patient clients what you do with their information and it either must be signed by the patient, or the patient must sign on a HIPAA consent form that they have received a copy of your privacy practices prior to signing a HIPAA consent form.

38

39 MOBILE DEVICE RISK First Risk: Enterprises often don't know where data and other business information are. Security Solution: Have a centralized way of managing data. Keep a data inventory and have a network access control solution so CIOs and CSOs know exactly who has the data, where it is, and where it is going. Second Risk: Mobile device security is usually neglected. Security is rarely the center of enterprise security and is inconsistently focused on until there is a breach Security Solution: Devices should be encrypted and authenticated. The best way to stop risk is decide what information can be on the device and if it shouldn't be there, block it.

40 MOBILE DEVICE RISK Third Risk : Lack of education and whether or not employees know the risks involved with having sensitive data on the devices. Security Solution: Provide user education for employees that explain what devices are authorized, what's not authorized, and what the risks are if an unsecure device is used Fourth Risk Putting intellectual property in employees' hands need to know basis Security Solution: If something is truly sensitive, it should be well monitored and controlled with any attempted access tracked

41 MOBILE DEVICE RISK Fifth Risk - data transfer Security Solution - data transfer should be severely restricted Sixth Risk: Lack of a governance framework. Security Solution: Implement a security policy that manages all stages of risk assessment and threat, including from installation to retirement of the devices.

42 MOBILE SECURITY RISK Security Checklist: Comprehensive Security Control Remote Device Management Access Management Controls Audit trail for discovery

43 MSM MOBILE DEVICE MANAGEMENT Urgent Need App Wrapping 24/7 stay in touch mobile app use by twothirds of all employees at work PWC only 43% of enterprises have formal MDM policies in place Mobile devices and apps are the top security concern BYOD

44 DATA BREACH- WHAT DO YOU DO? Between September 2009 and March 28, there were more than 900 large health data breaches, affecting more than 30.6 million U.S. residents, GovInfoSecurity reports HHS has been tracking data breaches since September 2009, when the HIPAA breach notification rule went into effect

45 FUTURE DATA BREACHES Lost or stolen devices that were unencrypted account for the majority of the breaches on the wall, according to Gov Info Security. Meanwhile, about 25% of the breaches involved business associates That number is expected to grow in the coming months as more vendors are considered business associates under the HIPAA Omnibus Rule, which went into effect in 2013.

46 YOUR RESPONSE TO BREACH REGULATORY REQUIREMENTS & REQUIREMENTS Awareness that information disclosed To unauthorized individuals in readable format Activate Breach Notification Process Start with detailed analysis of circumstances Report dependent upon legal requirements as well as reputational risk

47 HEARTBLEED AND HEALTHCARE

48 HEARTBLEED AND HEALTHCARE Hearth Bleed is a vulnerability in SSL (Secure Socket Layer) a way to transmit encrypted data securely over the internet and is used to send personal information to servers (like your username and password etc.) Vulnerability allows hackers to steal this protected information Affect healthcare?

49