HIPAA Security Rule Changes and Impacts

Transcription

1 HIPAA Security Rule Changes and Impacts Susan A. Miller, JD Tony Brooks, CISA, CRISC HIPAA in a HITECH WORLD American Health Lawyers Association March 22, 2013 Baltimore, MD Agenda I. Introduction II. How the Omnibus Rule Changes Security Requirements III. Security Rule Risk Analysis IV. Encryption V. Responding to a Security Incident/Breach Violation VI. Social Media Risks VII. Mobile Device Risks VIII. Other things to consider IX. What You Need to Do Now X. Tools 2 1

2 I. Introduction The Omnibus Rule regulations all have security impacts: Business Associates must implement all the Security Rule standards and implementation specifications Subcontractors are now business associates and must implement all the Security Rule standards and implementation specifications Business Associates have direct enforcement compliance with all requirements of the HIPAA Security Rule The privacy updates for sale of PHI, right of restriction and GINA will require the segregation of special data from other ephi A breach may be an act or omission of paper or to ephi 3 II. Omnibus Rule Security Changes The HIPAA Security Rule now applies directly to business associates; they must comply with applicable standards, implementation specifications, and requirements with requirements to electronic protected health information 45 C.F.R Applicability At almost every provision in the Security Rule where it records covered entity it now also records and/or business associate! 4 2

3 Business Associate Security Rule Responsibilities Business Associate now responsible for: Security standards: General rules Administrative safeguards (a)(1)(ii)(A) Risk analysis (Required) Physical safeguards Technical safeguards Organizational requirements (a)(1) Standard: Business associate contracts or other arrangements Policies and procedures and documentation requirements 5 Number of BAs Underestimated? Estimated Costs of the Final Rule Approximate # of affected entities Notices of Privacy Practices Breach Notification Requirements Business Associate Agreements Security Rule Compliance by Business Associates 700,000 covered entities 19,000 covered entities 250, ,000 business associates of covered entities 200, ,000 business associates of covered entities Omnibus Bill, Page 5567, Table 1 6 3

4 III. Security Rule Risk Analysis A HIPAA Security Risk Analysis must be performed by every Covered Entity and Business Associate. Completion of the Risk Analysis is a core requirement to meet Meaningful Use requirements. Section (a)(1)(ii)(A) of the HIPAA Security Final Rule states: RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. 7 III. Security Rule Risk Analysis As required by the HITECH Act, OCR issued Guidance on Risk Analysis Requirements under the HIPAA Security Rule on 07/14/2010 No specific methodology was indicated but it did describe 9 elements: Scope of the Analysis Data Collection (i.e., prepare an EPHI Inventory) Identify and Document Potential Threats and Vulnerabilities Assess Current Security Measures Determine the Likelihood of Threat Occurrence Determine the Potential Impact of Threat Occurrence Determine the Level of Risk and List of Mitigating Actions Finalize Documentation Periodic Review and Updates to the Risk Analysis 8 4

5 III. Security Rule Risk Analysis Referenced two NIST documents: SP , An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule SP ,Risk Management Guide for IT Systems (Revised September 2011) 9 III. Security Rule Risk Analysis Steps to Performing a Risk Analysis Inventory assets Identify potential threats to those assets Identify vulnerabilities that may allow the identified threats to occur Identify existing preventative & detective controls designed to mitigate threats Identify the likelihood that those threats may occur Identify the potential impact of identified threats should they occur Recommend new controls that can further reduce the impact of threats What do you want to protect and where is it located? What can cause harm? What puts you at risk for harm? What protects you now? How likely is harm to occur? What harm will result? What do you need to do to reduce your risks? 10 5

6 Calculating Risk Likelihood III. Security Rule Risk Analysis Possibility that a threat will occur that can take advantage of the vulnerability and cause an adverse impact Level High Medium Low Definitions The threat-source is highly motivated and sufficiently capable, and activity from this threat source is frequent or is imminent. The threat-source is motivated and capable, and activity from this threat source is now occurring or has occurred in the past year. The threat-source lacks motivation or capability, or activity from this threat source occurs infrequently. 11 III. Security Rule Risk Analysis Calculating Risk Vulnerability Possibility that a threat can create a negative outcome Level High Medium Low Definitions Controls/safeguards are not sufficient to thwart an attack or mitigate potential damage (i.e., controls are not in place, not up to date, not effectively designed to protect against the threat) Controls/safeguards are in place and may thwart or mitigate damage, the potential for damage does exist (i.e., controls are in place but may not be consistently applied and/or may not be sufficient to completely protect against a highly motivated or powerful threat source). Controls/safeguards are in place, are working effectively, and have the ability to mitigate damage except from the most determined or powerful threat source. 12 6

7 Calculating Risk Impact III. Security Rule Risk Analysis Measure of the tangible and intangible effects (consequences) of one thing's or entity's action or influence upon another Level High Medium Low Definitions Exercise of the vulnerability (1) may result in the costly loss of or damage to major tangible assets or resources; (2) may significantly violate, harm, or impede an organization s mission, reputation, or interest; or (3) may result in human death or serious injury. Exercise of the vulnerability (1) may result in the moderate loss of or damage to tangible assets or resources; (2) may violate, harm, or impede an organization s mission, reputation, or interest; or (3) may result in human injury. Exercise of the vulnerability (1) may result in the loss of or damage to some tangible assets or resources or (2) may noticeably affect an organization s mission, reputation, or interest. 13 III. Security Rule Risk Analysis Calculating Risk TORNADO EXAMPLE Vulnerability x Likelihood x Impact = Level of Risk High = 3, Medium = 2, Low = 1 V x L x I = R 2 x 2 x 3 =

8 III. Security Rule Risk Analysis Calculating Risk Risk The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization Level High (18 to 27) Medium (7 to 17) Low (1 to 6) Risk Response There is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible. Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time. Management must determine whether corrective actions are required or decide to accept the risk. 15 III. Security Rule Risk Analysis Risk Mitigation Options RISK ASSUMPTION Accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level RISK AVOIDANCE Avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions or shut the system down when risks are identified) RISK LIMITATION Limit the risk by implementing controls that minimize the adverse impact of a threat exercising a vulnerability (e.g., use preventive/detective controls) RISK TRANSFERENCE Transfer the risk by using other options to compensate for the loss, such as purchasing insurance 16 8

9 III. Security Rule Risk Analysis Threat Source Terminated Employee Calculation Threat Vulnerability Likelihood Impact Risk Unauthorized access to patient information No formal process is in place to notify the IT department when employees are terminated. Periodic access reviews are not performed. Removal of access for terminated employees has not been timely performed PHI is viewed (confidentiality) or PHI is altered (integrity) or PHI is destroyed (availability) Disgruntled employee gains unauthorized access to patient information after termination, deleting patient records Total = 27 Risk Mitigation IT implements a daily automated program that reads the employee database in the payroll system and automatically removes access to network and application systems for nonactive employees Risk is significantly reduced 17 IV. Encryption Omnibus Rule did not change the Security Rule s addressable standard regarding encryption Significant costs associated with a breach of unsecured PHI and the large number of reportable breaches that involved unencrypted PHI make encryption a matter worthy of serious consideration Encryption is one of the two methods the other destruction by which PHI can be rendered unusable, unreadable, or indecipherable (i.e., made secure ) 18 9

10 IV. Encryption 45 CFR defines encryption as the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. Encrypting PHI using technologies and methodologies tested by NIST creates the functional equivalent of a safe harbor, and thus, results in covered entities and business associates not being required to provide the notification otherwise required in the event of a breach 19 IV. Encryption A risk-based approach should be used when encrypting PHI. Identify all computer systems, portable devices and storage media that contain PHI Consider the type of encryption solution that will be used: Whole versus partial disk encryption File level encryption Database encryption Application encryption encryption Transmission encryption 20 10

11 IV. Encryption Many of the breaches listed on the OCR s breach website involved the loss or theft of portable devices and portable storage media. Workstations stations and laptops can be encrypted using free utilities or with commercial solutions that cost a little as $55 a year. Smartphones and tablets can be encrypted for as little as $36 a year. Mobile device management software is available for higher cost which not only provides encryption but provides other valuable features such as forced passwords of specific configuration, locking after a specified period of inactivity, and the ability to remotely wipe all data from the devices 21 V. Security Incident/Breach Plan Parts of a plan: 1. Roles and responsibilities of Incident/Breach Team 2. Policies and Procedures plus any Necessary Form templates 3. Table of Contact Information 4. Table of Business Associates 5. Log and List of Forms and Templates 6. Test Plan, update as necessary 7. Communications Plan and Supporting Infrastructure 22 11

12 VI. Social Media Risks Over 1200 hospitals use social media to build their brand and display thought leadership Social media includes Facebook, Twitter, LinkegIn, Pinterest, Google+ and specialized apps designed for patient engagement The primary reason expressed by CEs for not using social media is fear of HIPAA violations and lack of dedicated, qualified staff to create and manage content Many healthcare entities will adopt social media in 2013 and The driving factor - a large percentage of consumers use social media to decide where or by whom they will be treated 23 VI. Social Media Risks Successful social media program should involve: People knowledgeable about social media technology and risks Inventory of current and proposed uses for social media Risk assessment that addresses social media platforms and uses Social media steering committee Social media strategy Social media policy that Addresses the risks to PHI Provides clear guidelines about the proper use of the entity s social media avenues States prohibitions against employees sharing PHI through their own social media channels 24 12

13 VI. Social Media Risks Successful social media program should involve (continued): Training for employees regarding the appropriate use of social media Monitoring of the internet and social media sites for potential HIPAA violations (as well as other issues) A plan to respond to negative situations and security breaches that occur through the use of social media 25 VII. Mobile Device Risks A mobile (computing) device is exactly what the name implies a computing device that is portable Examples are laptop computers, netbook computers, tablet computers, and smartphones Mobile devices use a variety of communications technologies including cellular, Wi-Fi, Bluetooth, and Ethernet Worldwide mobile device annual shipments reached 1.9 billion in 2012 and are expected to reach 2.6 billion in

14 VII. Mobile Device Risks Mobile devices provide tangible benefits to healthcare entities, including: Anytime, anywhere access to information, including ephi Anytime, anywhere ability to communicate Improved customer service Ability to make and accept payments Ability to take and send photos Manage logistics Scan and track inventory Give presentations 27 VII. Mobile Device Risks A survey of 792 Canadian family physicians in 2012 showed that 67% of the physicians surveyed used smartphones. The most popular clinical uses were: Looking up drug references (58 percent) Accessing clinical decision-support (50 percent) Taking notes and memos (43 percent) Digging into textbook references (38 percent) Consulting with medical peers (28 percent) Performing scheduling tasks (17 percent) E-prescribing (8 percent) Monitoring patients (6 percent) Accessing electronic medical records (6 percent) Ordering lab tests or accessing results (4 percent) 28 14

15 VII. Mobile Device Risks Mobile devices should be protected by passwords, encryption, antivirus software, remote data deletion features, and other security measures Mobile device management and other software is widely available that can provide these and other security features to protect mobile devices Secure messaging solutions are also available to encrypt messages sent between mobile devices Policies and procedures should address the ownership, management, security, appropriate use, and remote data deletion for mobile devices that contain, or might contain, ephi 29 VIII. Other Things to Consider Accounting of Disclosures is still missing! NPRM: OCR is proposing to revise of the Privacy Rule by dividing it into two separate rights for individuals: Paragraph (a) would set forth an individual s right to an accounting of disclosures and Paragraph (b) would set forth an individual s right to an access report (which would include electronic access by both workforce members and persons outside the covered entity)

16 IX. What You Need to Do Now OCR suggests there are 4 steps in a robust HIPAA Privacy and Security Compliance Plan: 1. Employee training 2. Vigilant implementation of policies and procedures 3. A prompt action 4. Regular internal audits 31 IX. What You Need to Do Now Ensure PHI in all forms and locations is protected, especially PHI stored in portable devices and media, and stored in systems hosted by 3 rd parties and cloud services providers Ensure that data which has been restricted from disclosure by patients is appropriately categorized and restricted Ensure that a robust security risk management program is in place and periodic security risk analysis is performed that meets OCR guidelines Ensure through active oversight activities that business associates have appropriate security and monitoring controls in place and that those controls are effective 32 16

17 IX. What You Need to Do Now Ensure that employees understand latest security threats and risks, how to minimize risks, and know how to recognize and promptly report suspicious activities Information technology (IT) staff must resist the practice of working in isolation and work with the executive team and operations staff to ensure that risks are effectively managed Most importantly, it must be clearly conveyed throughout the organization that security is everyone s responsibility 33 X. Tools OCR HIPAA Security Guidance Documents /securityrule/securityruleguidance.html NIST HIPAA Security Toolkit OCR Protocols udit/protocol.html 34 17

18 X. Tools OCR Protocol PrepBooks Samples at Security Incident/Breach Plan Sample at HPAA Policy and Procedure Templates Free for download: WEDI Security and Privacy Work Group (SPWG) White Papers and Presentations 35 NIST HIPAA Toolkit ONLY HIPAA Security! Questions = NIST SP & SP User Guide Download from NIST at Microsoft Windows Red Hat Enterprise Linux Apple MAC OS Both Standard + Enterprise Versions 36 18

19 Create a Profile 37 Organized by Safeguard Family 38 19

20 Explore the Application Interface Selected Question References Navigation Menu Responses Flag Level Attachments Comments Progress Bar 39 Generate Reports 40 20

21 The Value of the Toolkit Prompts consideration of risks Suggests safeguards/controls Provides documentation repository Go-to reference for audits NIST it is not a compliance tool! 41 THANK YOU! Sue Miller, JD TMSAM@aol.com Office: (978) Mobile: (978) Tony Brooks, CISA, CRISC tony.brooks@horne-llp.com Office: (601) Mobile: (601)