Securing Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use

Transcription

1 Securing Patient Portals What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use September 2013

2 Table of Contents Abstract... 3 The Carrot and the Stick: Incentives and Penalties for Securing Web-based Patient Portals... 3 Meaningful Use Incentives... 3 Increased Penalties... 4 Government Audit & Oversight... 4 Sharing the Risk: Business Associate and Subcontractor Obligations... 5 Securing Patient Portals... 6 Patient Portal Security Requirements... 6 Trend Micro Web App Security... 7 Conclusion

3 Abstract Information security has evolved into a mission-critical function for healthcare organizations amid the tumult of industry reform, innovation, and regulatory upheaval. A nationwide move towards Electronic Health Record (EHR) systems, web-based platforms for patient and provider access to information, increased regulation, provider consolidation, and the increasing need to share health information between patients, providers, and payers all point toward the need for robust information security protections. At the same time, changes in federal legislation are offering lucrative incentives for implementing EHRs and patient portals, and those who do not vigilantly protect patient information stored in EHRs and web-based portals face increasingly stiff penalties. With the emergence of e-health networks offering web-based services, the future success of healthcare is likely to depend on how effectively patients can obtain and manage their health related information over the web in a secure manner. This challenge is further amplified by the growing complexity of patient data management practices including outsourcing the development and implementation of web-based platforms to third party Business Associates and their subcontractors. The Carrot and the Stick: Incentives and Penalties for Securing Web-based Patient Portals Meaningful Use Incentives The Health Information Technology for Economic and Clinical Health (HITECH) Act and recently released HIPAA Omnibus Rule seek to improve health care delivery and patient care by encouraging electronic access to personal health information across the continuum of care, including via web-based patient portals. HITECH takes a carrot-and-stick approach to promote the mandated conversion to EHRs and implementation of web-based patient portals. The act provides a healthy carrot of $19.2 billion in incentive payments to promote EHR adoption, primarily funneled through Medicare and Medicaid reimbursement as incentive payments for the Meaningful Use of certified EHR technology. Each physician can qualify for a total of up to $44,000 over five years through Medicare or up to $63,750 over six years from Medicaid dependent upon satisfying annual qualification criteria. At the same time, the Meaningful Use requirements call for increased security and privacy controls to bolster patient confidence and adoption of EHR technology in order to qualify for incentives. Stage 2 of Meaningful Use specifically requires the implementation and adoption of a secure web-based patient portal to facilitate patient access to health information. 3

4 Increased Penalties The HITECH Act and HIPAA Omnibus Rule have acknowledged the increased risk associated with storing and transmitting electronic Protected Health Information (PHI) by introducing strong penalties (a heavy stick ) for healthcare providers and their Business Associates and subcontractors who fail to meet the HIPAA Security and Privacy Rule mandates. Prior to the enactment of the HITECH Act, the imposition of civil penalties under HIPAA was limited to a maximum of $100 per violation and $25,000 for all violations of an identical requirement or prohibition occurring within the same calendar year. Enacted in February 2009, HITECH increased the range at minimum of $100 up to $50,000 per violation, with maximum penalties for violations of the same HIPAA provision of $1.5 million per year. Additionally, criminal penalties of up to $250,000 and up to 10 years in prison for HIPAA violations not only apply to healthcare covered entities but also to employees and other individuals. The Omnibus Rule, effective in 2013, ups the ante even further by allowing for fines of up to $1.5 million per violation, regardless of how many violations occur concurrently within a given calendar year. As if the regulatory non-compliance penalties did not already supply sufficient motivation for compliance with security requirements, the Meaningful Use incentive provisions also threaten reduced reimbursement, starting in 2015 for entities who have not met the requirements for securing EHRs and patient portals. Government Audit & Oversight In addition to more proactive oversight underway via the new regulations, both federal and state governments have also been actively investigating possible violations and filing suit for breaches that have been reported to the Department of Health and Human Services (HHS) under HITECH. Several entities are empowered to investigate and audit security compliance including the Office for Civil Rights (OCR), Center for Medicare and Medicaid Services (CMS), and State Attorneys General. Under HITECH, money collected in civil penalties is funneled back into OCR s enforcement budget. The act also permits state attorneys general to bring civil actions for HIPAA violations, making wider oversight and enforcement far more likely than prior years under HIPAA. 4

5 Sharing the Risk Business Associate and Subcontractor Obligations The risk of incurring penalties associated with patient data breaches is further exacerbated by the growing trend of healthcare organizations outsourcing EHR and patient portal solutions to third party Business Associates. According to a recent HITRUST Alliance report, 21% of healthcare security breaches in 2012 implicated a third party Business Associate. Healthcare organizations are also challenged with a lack of resources needed to effectively manage, evaluate, and continuously monitor Business Associate security compliance including patient portal web applications while maintaining focus on delivering quality patient care. The HITECH and the Omnibus Rule widened the net of compliance obligations by expanded the definition of a Business Associate to include organizations that transmit and routinely access PHI, such as health information exchange organizations, web application providers, and IT hosting vendors. Previously, Business Associates were liable only under the terms of their contracts, but under HITECH, Business Associates are subject to direct government oversight and civil and criminal penalties for HIPAA violations. Additionally, the HIPAA Omnibus Rule also expands many of these requirements to the subcontractors of Business Associates, resulting in the rollout of modified Business Associate Agreements to reflect these new obligations. 5

6 Securing Patient Portals Patient Portal Security Requirements The Meaningful Use Stage 2 criteria focus on patient engagement to provide better care. The aim of this requirement is to make health information more accessible to the individuals, and to provide patient with the means to communicate electronically with health care providers via patient portals. However, this also makes the web application the direct link to sensitive enterprise information including PHI. Patient portals, combined with EHRs, allow clinicians to communicate directly with their patients, also extending to them capabilities to schedule appointments, refill prescriptions, access lab results, and pay bills. Stage 2 of MU requires that a secure web-based patient portal be established and sets out specific standards to demonstrate that the portal is being used by both providers and a substantial number of patients to meet following measures: 1. Provide secure messaging between patients and providers 2. Allow patients the ability to access and download their electronic information in a secure manner 3. Deliver reminders for preventive and follow-up care 4. Provide patients with specific educational materials 5. Conduct a risk assessment of the patient portal must to ensure that appropriate security controls are in place to protect patient information in alignment with HIPAA / HITECH / Omnibus requirements For healthcare professionals participating in the Centers for Medicare & Medicaid Services (CMS) EHR incentive programs, the deadline for meeting Stage 2 criteria is right around the corner. A technical solution for assessing and remediating security risks specific to web-based platforms and portals is an essential component to achieving these compliance objectives. Security scanning and remediation tools allow healthcare organizations and Business Associates to demonstrate continual risk assessment of their web-based platforms and avoid jeopardizing incentive payments or incurring significant financial penalties. 6

7 Trend Micro Web App Security Trend Micro Web App Security was developed to address today s complex threat environment, providing a complete suite of security capabilities designed to detect threats and vulnerabilities, and protect web applications and patient portals in a single integrated solution without the cost and effort of traditional approaches. Trend Micro Web App Security as a Service delivers: Complete Intelligent Application Testing o Provides organizations a complete suite of scanning products to identify and quickly remediate vulnerabilities for both in-house hosted and third party / Business Associate web applications and portals o Offers comprehensive testing of patient portal platforms (operating system, server, network) with over 50,000 checks o Allows scanning to be done on-demand or run continuously to assess third party Business Associate web applications Integrated Detection and Protection o Provides continuous monitoring of security controls for patient portals and other third party web applications, ensures vulnerabilities are quickly identified (industry average is 231 days to find) and minimizes the time to respond to security threats with the ability to quickly block new attacks Unlimited SSL o Allows customers to deploy SSL for patient and provider portals and other online applications to improve security and patient trust while significantly reducing infrastructure costs related to managing multiple SSL certificates o Integrates SSL health checking into the detection capabilities of the solution, allowing for time saving checks for configuration errors and certificate expiration for third party / Business Associate web applications including EHRs and patient/provider portals Integrated Management Console o Unlike other security offerings, platform and application vulnerability detection and protection is accomplished via a single integrated console including logging and reporting for internal and third party applications to substantially simplify operation and reduce resource requirements o Monitors web application reputation for third party Business Associate web applications to ensure reputation and categorization issues are identified and resolved 7

8 Conclusion Healthcare organizations are becoming increasingly dependent on web-based technologies such as patient portals to improve patient engagement and address government incentive and regulatory requirements. Organizations are also beginning to understand that HITECH/HIPAA compliance and information security risk assessments are not one-time events and must be implemented as part of a continual security monitoring and remediation program. The impact of lapses in security can be staggering and can cause significant financial harm, reputational damage, and loss of consumer confidence. As such, healthcare organizations must continuously work to identify web application weaknesses for EHRs and patient portals to defend against increasingly sophisticated external threats. The complexity of managing security requirements for third party hosted applications on web and mobile platforms further compounds the security compliance conundrum for healthcare entities. Automated web application security solutions such as Trend Micro Web App Security serve a critical role in supporting the development of robust information security programs to protect patient information for both in-house and third party hosted web applications. Trend Micro Web App Security provides a flexible and repeatable way to perform continual security risk assessments of patient portals and web-based healthcare platforms to demonstrate compliance with federal regulations and incentive programs and protect patients from the harm associated with health information exposure. 8

9 About Meditology Meditology Services LLC is a healthcare-focused advisory services firm with core principles of quality, integrity, loyalty and value. Our executive team has an average of 15 years of consulting and operational experience in healthcare with provider and payer clients nationally of varying size and complexity. We understand the importance of relationships and derive much of our business from a long list of satisfied clients who value the quality of our work products combined with the professionalism, approach, and innovative solutions we bring to our engagements. About Trend Micro As a global leader in cloud security, Trend Micro develops security solutions that make the world safe for businesses and consumers to exchange digital information. With more than 20 years of experience, we deliver top-ranked security that fits our customers needs, stops new threats faster, and protects data in physical, virtualized, and cloud environments. For More Information Contact: Meditology Services LLC 5256 Peachtree Road, Suite 190 Atlanta, GA info@meditologyservices.com Tel. (404)