Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE


[ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance ]

CONTENTS

Overview
Addressing the Unique Issues of Healthcare
The Consequences of Not Complying
The Risk of a Data Breach
Partnering to Achieve End-to-End Compliance

OVERVIEW

As those who work in healthcare IT know, the healthcare industry has some of the most complex IT needs of any industry today. However, HIPAA and the related healthcare IT requirements are among the least prescriptive in the IT space, especially when compared to other standards such as PCI, which is used to protect payment card information in financial services organizations. With more than 14 million individuals employed in the industry in the United States, protecting the privacy and confidentiality of patients' electronic medical health records from unauthorized access is paramount to achieving compliance with federal regulatory laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the American Recovery and Reinvestment Act and other laws that apply to healthcare organizations.

Organizations subject to HIPAA, referred to as covered entities, and organizations delivering services to covered entities, known as business associates under the HITECH Act, include:

- Healthcare providers such as doctors, hospitals, etc.
- Healthcare insurance and health plan clearinghouses
- Businesses that self-insure
- Businesses that sponsor a group health plan and provide assistance to their employees on medical coverage
- Businesses that deliver services to other healthcare providers

Under these regulatory laws, covered entities and business associates are required to ensure the following safeguards on patient data in order to remain compliant:

- Administrative safeguards to protect the integrity, confidentiality and availability of electronic protected health information (ePHI)
- Physical safeguards to protect the integrity, confidentiality and availability of ePHI
- Technical safeguards to protect the integrity, confidentiality and availability of ePHI

Meeting this array of requirements demands that healthcare entities set up strong processes, methods and controls to assure auditors that the security and integrity of PHI and ePHI is guaranteed, all while Electronic Health Records (EHR) are coming into use. In addition, the HITECH Act, signed into law in 2009, increases the use of EHR by physicians and hospitals. The Medicare EHR Incentive Program began in 2011; through it, eligible healthcare providers are offered financial incentives for adopting, implementing, upgrading or demonstrating meaningful use of EHR. The incentive payments will continue through 2016, which is the last year to begin participation in the program. Incentives will be offered until 2015, after which time penalties may be levied for failing to demonstrate meaningful use.

The Medicaid EHR Incentive Program's incentive payments will continue through 2021; however, the last year that an eligible healthcare professional can begin participation in the program will be

Maintaining the security of patient data is a complex proposition that affects every employee of a healthcare facility, every area of its IT system, and all vendors, partners and insurers that work with the healthcare provider. These requirements become even more complex when organizations work with the single largest healthcare program in the world, TRICARE. TRICARE is the healthcare program serving uniformed service members, retirees and their families worldwide. Now, not only are healthcare organizations required to protect PHI and ePHI, they're also required to support the civilian and DoD IT requirements FISMA and DIACAP.

ADDRESSING THE UNIQUE ISSUES OF HEALTHCARE

To secure PHI and ePHI, covered entities and business associates must abide by the following standards. Each requirement is listed with its description.

1. Breach Notification Policy: Defines how the covered entity will respond to security and/or privacy incidents, or suspected privacy and/or security incidents, that result in a breach.
2. Security Management Process: Describes the processes the organization implements to prevent, detect, contain and correct security violations relative to its ePHI.
3. Risk Analysis: Discusses what the organization should do to identify, define and prioritize risks to the confidentiality, integrity and availability of its ePHI.
4. Risk Management: Defines what the organization should do to reduce the risks to its ePHI to reasonable and appropriate levels.
5. Sanction Policy: Indicates the actions that are to be taken against employees who do not comply with organizational security policies and procedures.
6. Information System Activity Review: Describes processes for regular organizational review of activity on its information systems containing ePHI.
7. Assigned Security Responsibility: Describes the requirements for the responsibilities of the Information Security Officer.
8. Workforce Security: Describes what the organization should do to ensure ePHI is accessed only by employees who have been appropriately authorized.
9. Authorization and/or Supervision: Identifies what the organization should do to ensure that all employees who can access its ePHI are appropriately authorized or supervised.
10. Workforce Clearance Procedure: Reviews what the organization should do to ensure that employee access to its ePHI is appropriate.
11. Termination Procedures: Defines what the organization should do to prevent unauthorized access to its ePHI by former employees.
12. Information Access Management: Indicates what the organization should do to ensure that only appropriate and authorized access is made to its ePHI.
13. Access Authorization: Defines how the organization provides authorized access to its ePHI.
14. Access Establishment and Modification: Discusses what the organization should do to establish, document, review and modify access to its ePHI.
15. Security Awareness & Training: Describes the elements of the organizational program for regularly providing appropriate security training and awareness to its employees.
16. Security Reminders: Defines what the organization should do to provide ongoing security information and awareness to its employees.
17. Protection from Malicious Software: Indicates what the organization should do to provide regular training and awareness to its employees about its process for guarding against, detecting and reporting malicious software.
18. Log-in Monitoring: Discusses what the organization should do to inform employees about its process for monitoring log-in attempts and reporting discrepancies.
19. Password Management: Describes what the organization should do to maintain an effective process for appropriately creating, changing and safeguarding passwords.
20. Security Incident Procedures: Discusses what the organization should do to maintain a system for addressing security incidents that may impact the confidentiality, integrity or availability of its ePHI.
21. Response and Reporting: Defines what the organization should do to be able to effectively respond to security incidents involving its ePHI.
22. Contingency Plan: Identifies what the organization should do to be able to effectively respond to emergencies or disasters that impact its ePHI.
23. Data Backup Plan: Discusses organizational processes to regularly back up and securely store ePHI.
24. Disaster Recovery Plan: Indicates what the organization should do to create a disaster recovery plan to recover ePHI that was impacted by a disaster.
25. Emergency Mode Operation Plan: Discusses what the organization should do to establish a formal, documented emergency mode operations plan to enable the continuance of crucial business processes that protect the security of its ePHI during and immediately after a crisis situation.
26. Testing and Revision Procedure: Describes what the organization should do to conduct regular testing of its disaster recovery plan to ensure that it is up-to-date and effective.
27. Applications and Data Criticality Analysis: Reviews what the organization should do to have a formal process for defining and identifying the criticality of its information systems.
28. Evaluation: Describes what the organization should do to regularly conduct a technical and non-technical evaluation of its security controls and processes in order to document compliance with its own security policies and the HIPAA Security Rule.
29. Business Associate Contracts and Other Arrangements: Describes how to establish the agreements that should exist between the organization and its various business associates that create, receive, maintain or transmit ePHI on its behalf.
30. Facility Access Controls: Describes what the organization should do to appropriately limit physical access to the information systems contained within its facilities, while ensuring that properly authorized employees can physically access such systems.
31. Contingency Operations: Identifies what the organization should do to have formal, documented procedures for allowing authorized employees to enter its facility to take necessary actions as defined in its disaster recovery and emergency mode operations plans.
32. Facility Security Plan: Discusses what the organization should do to establish a facility security plan to protect its facilities and the equipment therein.
33. Access Control and Validation Procedures: Discusses what the organization should do to appropriately control and validate physical access to its facilities containing information systems holding ePHI or software programs that can access ePHI.
34. Maintenance Records: Defines what the organization should do to document repairs and modifications to the physical components of its facilities related to the protection of its ePHI.
35. Workstation Use: Indicates what the organization should do to appropriately protect its workstations.
36. Workstation Security: Reviews what the organization should do to prevent unauthorized physical access to workstations that can access ePHI while ensuring that authorized employees have appropriate access.
37. Device and Media Controls: Discusses what the organization should do to appropriately protect information systems and electronic media containing PHI that are moved to various organizational locations.
38. Disposal: Describes what the organization should do to appropriately dispose of information systems and electronic media containing ePHI when they are no longer needed.
39. Media Re-use: Discusses what the organization should do to erase ePHI from electronic media before re-using the media.
40. Accountability: Defines what the organization should do to appropriately track and log all movement of information systems and electronic media containing ePHI to various organizational locations.
41. Data Backup and Storage: Discusses what the organization should do to back up and securely store ePHI on its information systems and electronic media.
42. Access Control: Indicates what the organization should do to purchase and implement information systems that comply with its information access management policies.
43. Unique User Identification: Discusses what the organization should do to assign a unique identifier to each of its employees who access its ePHI, for the purpose of tracking and monitoring use of information systems.
44. Emergency Access Procedure: Discusses what the organization should do to have a formal, documented emergency access procedure enabling authorized employees to obtain required ePHI during an emergency.
45. Automatic Logoff: Discusses what the organization should do to develop and implement procedures for terminating users' sessions after a certain period of inactivity on systems that contain or have the ability to access ePHI.
46. Encryption and Decryption: Discusses what the organization should do to appropriately use encryption to protect the confidentiality, integrity and availability of its ePHI.
47. Audit Controls: Discusses what the organization should do to record and examine significant activity on its information systems that contain or use ePHI.
48. Integrity: Defines what the organization should do to appropriately protect the integrity of its ePHI.
49. Mechanism to Authenticate Electronic Protected Health Information: Discusses what the organization should do to implement appropriate electronic mechanisms to confirm that its ePHI has not been altered or destroyed in any unauthorized manner.
50. Person or Entity Authentication: Defines what the organization should do to ensure that all persons or entities seeking access to its ePHI are appropriately authenticated before access is granted.
51. Transmission Security: Describes what the organization should do to appropriately protect the confidentiality, integrity and availability of the ePHI it transmits over electronic communications networks.
52. Integrity Controls: Indicates what the organization should do to maintain appropriate integrity controls that protect the confidentiality, integrity and availability of the ePHI it transmits over electronic communications networks.
53. Encryption: Defines what the organization should do to appropriately use encryption to protect the confidentiality, integrity and availability of the ePHI it transmits over electronic communications networks.
54. Policies and Procedures: Defines the requirements relative to establishing organizational policies and procedures.
55. Documentation: Discusses what the organization should do to appropriately maintain, distribute and review the security policies and procedures it implements to comply with the HIPAA Security Rule.
56. Isolating Healthcare Clearinghouse Function: The purpose is to implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
57. Group Health Plan Requirements: The purpose is to ensure that reasonable and appropriate safeguards are maintained on electronic protected health information created, received, maintained or transmitted to or by the plan sponsor on behalf of the group health plan.
58. Wireless Security Policy: The purpose is to implement security measures sufficient to reduce the risks and vulnerabilities of the wireless infrastructure.
59. Security Policy: The purpose is to establish management direction, procedure, and requirements to ensure safe and successful delivery of
60. Analog Line Policy: The purpose is to explain Company's analog and ISDN line acceptable use and approval policies and procedures.
61. Dial-in Access Policy: The purpose is to implement security measures sufficient to reduce the risks and vulnerabilities of dial-in connections to the enterprise infrastructure.
62. Automatically Forwarded Email Policy: The purpose is to prevent the unauthorized or inadvertent disclosure of sensitive company information.
63. Remote Access Policy: The purpose is to implement security measures sufficient to reduce the risks and vulnerabilities of remote access connections to the enterprise infrastructure.
64. Ethics Policy: The purpose is to establish a culture of openness, trust and integrity in business practices.
65. VPN Security Policy: The purpose is to implement security measures sufficient to reduce the risks and vulnerabilities of the VPN infrastructure.
66. Extranet Policy: The purpose is to describe the policy under which third party organizations connect to Company's networks for the purpose of transacting business related to Company.
67. Internet DMZ Equipment Policy: The purpose is to define the standards to be met by all equipment owned and/or operated by Company located outside Company's corporate Internet firewalls.
68. Network Security Policy: The purpose is to establish requirements for information processed by computer networks.

THE CONSEQUENCES OF NOT COMPLYING

While complying with HIPAA used to be perceived as optional, the HITECH Act of 2009 gave HIPAA compliance some long-awaited teeth. Today, both HIPAA and the HITECH Act are consistently enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Just ask Cignet Health. In 2009, for the first time in history, federal officials issued a civil monetary penalty (CMP) to a healthcare organization for violations of the HIPAA Privacy Rule. When Cignet Health of Prince George's County, Md., failed to provide 41 patients with access to their medical records and then failed to cooperate with federal investigators, HHS imposed a CMP of $4.3 million for the violations.

In a Notice of Proposed Determination issued Oct. 20, 2010, the OCR found that Cignet violated 41 patients' rights by denying them access to their medical records when requested between September 2008 and October. These patients individually filed complaints with OCR, initiating investigations of each complaint. Because the HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient's request, Cignet's CMP began at $1.3 million. Making matters worse for Cignet, OCR also found that the medical service provider failed to cooperate with OCR's investigations on a continuing daily basis from March 17, 2009, to April 7. OCR found that the failure to cooperate was due to Cignet's willful neglect to comply with the Privacy Rule, which states that covered entities are required under law to cooperate with the Department's investigations. Based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the HITECH Act, Cignet's fine was increased by an additional $3 million. This steep $4.3 million penalty sent a clear message to healthcare entities: HHS is serious about enforcing the individual rights guaranteed by HIPAA.

THE RISK OF A DATA BREACH

The Cignet case is of course an extreme one, and the organization knowingly violated patient rights, but what about a data breach? Because PHI records typically contain highly personal data such as a person's name, birthdate, Social Security number, insurance information and medical history, it should come as no surprise that healthcare data theft is the fastest growing criminal enterprise today. In fact, according to a recent study by the Ponemon Institute, 90 percent of all healthcare providers say they have had at least one data breach in the last two years, and 38 percent report more than five incidents in the past year [1].

However, not all data breaches are the result of malicious intent. Rather, the vast majority are the result of unintentional actions by employees or third-party vendors. From lost or stolen laptops to misdirected emails and faxes, sensitive information can be exposed at any point in the process. And while the cost of healthcare data breaches has been hard to quantify, the economic impact of an incident tends to average $2 million per organization over a two-year period. In addition to the actual loss of money, most organizations also suffer time and productivity loss, diminished brand or reputation and/or loss of patient goodwill, resulting in patient churn.

45 percent of organizations have little or no confidence that they have the ability to identify patient data loss or theft. However, 55 percent of organizations are confident that they have the policies and procedures to effectively prevent or quickly detect unauthorized patient data access, loss or theft. [1]

PARTNERING TO ACHIEVE END-TO-END COMPLIANCE

Ultimately, the Ponemon Institute study [1] revealed the need to strengthen privacy and security to protect patient data. It can often become overwhelming for a healthcare provider to ensure that all systems and processes meet the criteria for HIPAA and the HITECH Act, and even when the minimum criteria are met, that does not necessarily mean that PHI is secure. Whether or not it is known that gaps exist, it is still the responsibility of the covered entity or business associate to ensure PHI is protected and that incident response measures are in place so the organization is adequately prepared to handle data breaches. To assist, the National Institute of Standards and Technology (NIST) provides the conformance tests, tools and resources needed to support and test the implementation of standards-based health systems. However, it is still essential for healthcare providers to partner with established, expert and proven service providers who can ensure their migration, implementation, and operations and maintenance fulfill their promises.

Key skill-sets and assets include:

- Professional services that go beyond technical proficiency
- A healthcare-friendly partner with a proven track record
- An ability to work seamlessly with other integrators, as well as to plug into existing programs (or frame new ones) with minimal start-up effort
- An appropriate infrastructure with true physical isolation, from hardened facilities to data vaults and environmental services
- A defense-in-depth approach that includes physical and logical access and policy controls; an environment that supports not just cloud services, but colocation and managed service requirements; and security that goes beyond regulatory or mandated standards to industry best-of-class procedures
- Multiple facility fail-over provisions that support the organization's plan across regions
- Continuous monitoring, including operational and security staffing that is 24x7x365, as threats don't keep a schedule
- Compliance for mandates like HIPAA, FISMA, PCI DSS and DIACAP, so there is no question of coverage for any application or data environment within that infrastructure

Carpathia understands the challenges IT security professionals face in managing risk and securing information. As a trusted cloud operator, we enable our customers to have the confidence that they are able to comply with HIPAA/HITECH obligations. Our industry-leading solutions allow healthcare customers to achieve end-to-end compliance in the hosting environment that best suits their needs.

Since HIPAA is not a prescriptive set of IT standards, it is essential that the IT service provider working with a healthcare organization select an established baseline from which to build policy. Carpathia has elected to follow many of the same controls and requirements used in federal IT systems (FISMA). These are derived from the NIST Special Publication 800 series of documents, which has the additional benefit of producing systems that meet both FISMA and DIACAP requirements should the organization start delivering services to the government.

Our data center footprint includes North America, Europe and Asia, providing comprehensive solutions for networks, servers and storage equipment. Carpathia's 64,000 sq. ft., 7.3 MW IBX Vault data center in Dulles, VA was designed to deliver cloud, managed hosting and colocation solutions for both healthcare and federal agencies. It was built to exceed Tier 3 standards and provides the environment healthcare entities need to keep patient data safe; it is among the most connected and secure data centers in the industry.

Carpathia has a history of engineering and hosting HIPAA-compliant systems for medium and small companies, system integrators, development companies and small A8 business. Customers rely on Carpathia's compliance experience and expertise to ensure their information systems achieve and maintain healthcare compliance mandates throughout the lifecycle of their systems. Our HIPAA-compliant hosting services are built on our trusted private cloud operator platform and are designed to support multiple deployment models, offering flexibility and managed servers that provide scalability. Carpathia is a trusted cloud operator with over a decade of managed hosting experience serving covered entities, including healthcare providers, insurance and health plan clearinghouses and their business associates. Our solutions blend the people, processes and technology required to meet the challenges of health IT. Backed by its E3 Promise, Carpathia consistently delivers an experience that exceeds customers' expectations.

For more information, please contact us today: sales@carpathia.com

Carpathia is a trusted cloud operator and leading provider of cloud services and managed hosting, providing secure, reliable and compliant IT infrastructure and management for some of the world's most demanding enterprises and federal agencies. Carpathia's cloud platform delivers solutions for every stage of the cloud journey, empowering organizations to meet their unique security and compliance requirements. Carpathia's experienced customer care team and innovative data center facilities provide 24x7 global support to ensure optimum performance and reliability.

Atlantic Boulevard, Suite 500, Dulles, VA


More information

SECURITY RISK ASSESSMENT SUMMARY

SECURITY RISK ASSESSMENT SUMMARY Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

New privacy and security requirements increase potential legal liability and jeopardize brand reputation.

New privacy and security requirements increase potential legal liability and jeopardize brand reputation. New privacy and security requirements increase potential legal liability and jeopardize brand reputation. Protect personal health information in motion, in use and at rest with HP access, authentication,

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES TABLE OF CONTENTS A. Overview of HIPAA Compliance Program B. General Policies 1. Glossary of Defined Terms Used in HIPAA Policies and Procedures 2. Privacy

More information

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer Securing the FOSS VistA Stack HIPAA Baseline Discussion Jack L. Shaffer, Jr. Chief Operations Officer HIPAA as Baseline of security: To secure any stack which contains ephi (electonic Protected Health

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality HIPAA Audits: How to Be Prepared Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906-0123.

More information

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by: HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates

More information

HIPAA Security Checklist

HIPAA Security Checklist HIPAA Security Checklist The following checklist summarizes HIPAA Security Rule requirements that should be implemented by covered entities and business associates. The citations are to 45 CFR 164.300

More information

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million

More information

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

HIPAA Security Policies & Procedures (HITECH updated)

HIPAA Security Policies & Procedures (HITECH updated) Why Create HIPAA Security Policies and Procedures? The final HIPAA Security rule published on February 20, 2003 requires that healthcare organizations create HIPAA Security policies and procedures to apply

More information

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich HIPAA Audit Processes Erik Hafkey Rainer Waedlich 1 Policies for all HIPAA relevant Requirements and Regulations Checklist for an internal Audit Process Documentation of the compliance as Preparation for

More information

HIPAA/HITECH: A Guide for IT Service Providers

HIPAA/HITECH: A Guide for IT Service Providers HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing

More information

HIPAA Security Series

HIPAA Security Series 7 Security Standards: Implementation for the Small Provider What is the Security Series? The security series of papers provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

How To Write A Health Care Security Rule For A University

How To Write A Health Care Security Rule For A University INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind Page1 Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind The use of electronic medical records (EMRs) to maintain patient information is encouraged today and

More information

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2

More information

Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653

Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653 Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653 rusty@husemanhealthlaw.com use e Health care law firm fighting

More information

BEST PRACTICES FOR COMMERCIAL COMPLIANCE

BEST PRACTICES FOR COMMERCIAL COMPLIANCE BEST PRACTICES FOR COMMERCIAL COMPLIANCE [ BEST PRACTICES FOR COMMERCIAL COMPLIANCE ] 2 Contents OVERVIEW... 3 Health Insurance Portability and Accountability Act (HIPAA) of 1996... 4 Sarbanes-Oxley Act

More information

Security Compliance, Vendor Questions, a Word on Encryption

Security Compliance, Vendor Questions, a Word on Encryption Security Compliance, Vendor Questions, a Word on Encryption Alexis Parsons, RHIT, CPC, MA Director, Health Information Services Security/Privacy Officer Shasta Community Health Center aparsons@shastahealth.org

More information

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What

More information

When HHS Calls, Will Your Plan Be HIPAA Compliant?

When HHS Calls, Will Your Plan Be HIPAA Compliant? When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this

More information

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013 HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group jimc@millercares.com

More information

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA Security. assistance with implementation of the. security standards. This series aims to HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH HIPAA Security Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH What is this? Federal Regulations August 21, 1996 HIPAA Became Law October 16, 2003 Transaction Codes and Identifiers

More information

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

The HIPAA Security Rule Primer Compliance Date: April 20, 2005 AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION Practice Working for You The HIPAA Security Rule Primer Compliance Date: April 20, 2005 Printer-friendly PDF 1 Contents Click on any title below

More information

Policies and Compliance Guide

Policies and Compliance Guide Brooklyn Community Services Policies and Compliance Guide relating to the HIPAA Security Rule June 2013 Table of Contents INTRODUCTION... 3 GUIDE TO BCS COMPLIANCE WITH THE HIPAA SECURITY REGULATION...

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

Nine Network Considerations in the New HIPAA Landscape

Nine Network Considerations in the New HIPAA Landscape Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant

More information

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review Privacy and Security Meaningful Use Requirement HIPAA Readiness Review REACH - Achieving - Achieving meaningful meaningful use of your use EHR of your EHR Patti Kritzberger, RHIT, CHPS ND e-health Summit

More information

Can Your Diocese Afford to Fail a HIPAA Audit?

Can Your Diocese Afford to Fail a HIPAA Audit? Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

C.T. Hellmuth & Associates, Inc.

C.T. Hellmuth & Associates, Inc. Technical Monograph C.T. Hellmuth & Associates, Inc. Technical Monographs usually are limited to only one subject which is treated in considerably more depth than is possible in our Executive Newsletter.

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

HIPAA Security Matrix

HIPAA Security Matrix HIPAA Matrix Hardware : 164.308(a)(1) Management Process =Required, =Addressable Risk Analysis The Covered Entity (CE) can store its Risk Analysis document encrypted and offsite using EVault managed software

More information

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA PRIVACY AND SECURITY AWARENESS HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect

More information

Joseph Suchocki HIPAA Compliance 2015

Joseph Suchocki HIPAA Compliance 2015 Joseph Suchocki HIPAA Compliance 2015 Sponsored by Eagle Associates, Inc. Eagle Associates provides compliance services for over 1,200 practices nation wide. Services provided by Eagle Associates address

More information

HIPAA Security Risk Analysis for Meaningful Use

HIPAA Security Risk Analysis for Meaningful Use HIPAA Security Risk Analysis for Meaningful Use NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA

More information

Meaningful Use and Security Risk Analysis

Meaningful Use and Security Risk Analysis Meaningful Use and Security Risk Analysis Meeting the Measure Security in Transition Executive Summary Is your organization adopting Meaningful Use, either to gain incentive payouts or to avoid penalties?

More information

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook Introduction Per UCSC's HIPAA Security Rule Compliance Policy 1, all UCSC entities subject to the HIPAA Security Rule ( HIPAA entities ) must implement the UCSC Practices for HIPAA Security Rule Compliance

More information

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant The federal Health Insurance Portability and Accountability Act (HIPAA) spells out strict regulations for protecting health information. HIPAA is expansive and can be a challenge to navigate. Use this

More information

HIPAA Compliance and the Protection of Patient Health Information

HIPAA Compliance and the Protection of Patient Health Information HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance

More information

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents 2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

Preparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act!

Preparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act! A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act! Introduction Several years ago we first published A White Paper for Health

More information

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security

More information

What is HIPAA? The Health Insurance Portability and Accountability Act of 1996

What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 BASIC QUESTIONS AND ANSWERS What Does HIPAA do? Creates national standards to protect individuals' medical records and other

More information

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box 80278 Portland, OR 97280 503-384-2538 877-376-1981 503-384-2539 Fax

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box 80278 Portland, OR 97280 503-384-2538 877-376-1981 503-384-2539 Fax Please Read This business associate audit questionnaire is part of Apgar & Associates, LLC s healthcare compliance resources, Copyright 2014. This questionnaire should be viewed as a tool to aid in evaluating

More information

WHITEPAPER. Evolve your network strategy to meet new threats and achieve expanded business imperatives. Introduction... 1 The HIPAA Security Rule...

WHITEPAPER. Evolve your network strategy to meet new threats and achieve expanded business imperatives. Introduction... 1 The HIPAA Security Rule... WHITEPAPER HIPAA Requirements Addressed By Bradford s Network Sentry Family Evolve your network strategy to meet new threats and achieve expanded business imperatives Introduction.... 1 The HIPAA Security

More information

HIPAA COMPLIANCE PLAN FOR 2013

HIPAA COMPLIANCE PLAN FOR 2013 HIPAA COMPLIANCE PLAN FOR 2013 Welcome! Presentor is Rebecca Morehead, Practice Manager Strategist www.practicemanagersolutions.com Meaningful Use? As a way to encourage hospitals and providers to adopt

More information

OCR/HHS HIPAA/HITECH Audit Preparation

OCR/HHS HIPAA/HITECH Audit Preparation OCR/HHS HIPAA/HITECH Audit Preparation 1 Who are we EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations. Education

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

A Technical Template for HIPAA Security Compliance

A Technical Template for HIPAA Security Compliance A Technical Template for HIPAA Security Compliance Peter J. Haigh, FHIMSS peter.haigh@verizon.com Thomas Welch, CISSP, CPP twelch@sendsecure.com Reproduction of this material is permitted, with attribution,

More information

Isaac Willett April 5, 2011

Isaac Willett April 5, 2011 Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act

More information

What Virginia s Free Clinics Need to Know About HIPAA and HITECH

What Virginia s Free Clinics Need to Know About HIPAA and HITECH What Virginia s Free Clinics Need to Know About HIPAA and HITECH This document is one in a series of tools and white papers produced by the Virginia Health Care Foundation to help Virginia s free clinics

More information

HIPAA SECURITY AND POLICIES AND PROCEDURES. By: Michele Cuper THESIS FOR MASTERS DEGREE INFORMATION ASSURANCE CAPS 795 DAVENPORT UNIVERSITY

HIPAA SECURITY AND POLICIES AND PROCEDURES. By: Michele Cuper THESIS FOR MASTERS DEGREE INFORMATION ASSURANCE CAPS 795 DAVENPORT UNIVERSITY HIPAA SECURITY AND POLICIES AND PROCEDURES 1 HIPAA SECURITY AND POLICIES AND PROCEDURES By: Michele Cuper THESIS FOR MASTERS DEGREE INFORMATION ASSURANCE CAPS 795 DAVENPORT UNIVERSITY PRESENTED TO: DR.

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Compliance Review Analysis and Summary of Results HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

More information

The Impact of HIPAA and HITECH

The Impact of HIPAA and HITECH The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients

More information

Achieving HIPAA and HITECH Compliance. with Enterprise Single Sign-On

Achieving HIPAA and HITECH Compliance. with Enterprise Single Sign-On Achieving HIPAA and HITECH Compliance with Enterprise Single Sign-On Achieving HIPAA and HITECH Compliance with Enterprise Single Sign-On 1 TABLE OF CONTENTS The Challenges of HIPAA and HITECH Compliance

More information

HIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients

HIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients HIPAA: Protecting Your Ericka L. Adler Practice and Your Patients Rachel V. Rose Fallout from the Omnibus Rule Compliance strategies for medical practices 1. Know / manage your business associates and

More information

Lessons Learned from HIPAA Audits

Lessons Learned from HIPAA Audits Lessons Learned from HIPAA Audits October 29, 2012 Tony Brooks, CISA, CRISC Partner - IT Assurance and Risk Services HORNE LLP AGENDA HIPAA/HITECH Regulations Breaches and Fines OCR HIPAA/HITECH Compliance

More information

Health Information Privacy Refresher Training. March 2013

Health Information Privacy Refresher Training. March 2013 Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal

More information

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE INTRODUCTION The healthcare industry is driven by many specialized documents. Each day, volumes of critical information are sent to and from

More information

Healthcare Insurance Portability & Accountability Act (HIPAA)

Healthcare Insurance Portability & Accountability Act (HIPAA) O C T O B E R 2 0 1 3 Healthcare Insurance Portability & Accountability Act (HIPAA) Secure Messaging White Paper This white paper briefly details how HIPAA affects email security for healthcare organizations,

More information