Bringing Box into HIPAA Alignment. Bob Flynn & Anurag Shankar University Information Technology Services Indiana University

Transcription

1 Bringing Box into HIPAA Alignment Bob Flynn & Anurag Shankar University Information Technology Services Indiana University

2 Outline 1. Introduction 2. Service Partnership 3. Legal Requirements 4. Risk Management Framework 5. Box Evaluation 6. Conclusions

3 1. Introduction

4 Nature abhors a vacuum! The lack of HIPAA compliant campus services that support external collaborations is forcing biomedical researchers to share sensitive data using and cloud services such as Google docs, Dropbox, etc.

5 HIPAA in the Cloud? The lure of free or cheap cloud storage is irresistible, even for HIPAA regulated entities. Cloud providers have been unaware or unwilling to address HIPAA compliance, but... Market pressures are forcing many vendors to reconsider HIPAA. Chief among these are Amazon, Microsoft, and now Box. We at IU have also been revisiting our stance of keeping our sensitive data out of the cloud, specifically as regards Box.

6 Current Regulatory Climate With growing security threat, (Governance, Risk, and) Compliance is now the new frontier for IT. If you handle biomedical data, you not only face HIPAA, but possibly FISMA also. Recent changes to HIPAA have put more teeth into enforcement = more motivation for us.

7 Recent HIPAA Changes A new HIPAA Omnibus Rule was enacted in It adds new requirements for a business associate (BA) who handles your sensitive data. It greatly ramps up civil penalties. The government will initiate random HIPAA audits in (They were triggered only in response to a breach earlier.)

8 2. Service Partnership

9 & HIPAA Implemented at IU in 2012, Box became wildly popular for sharing data with collaborators within and outside IU. Researchers in the IU School of Medicine (second largest medical school in the U.S.) soon wanted to use Box to share clinical data. (Biomedical research grants from NIH require data sharing.) Since identifiable clinical research data is subject to HIPAA, we asked Is Box HIPAA compliant?

10 Box & HIPAA In 2013, Box began talking about the possibility of HIPAA alignment after conducting thirty party security and HIPAA audits. In late 2013, they began signing contracts promising to comply with HIPAA. Internet2 has negotiated a BAA and revised contract with Box.

11 IU Basics 8 Campuses (2 Core, 6 Regional) 115K Students, 20K Faculty/Staff 1.3M Credit Hours (Fall 2013) $533M in external research funding (2012) Strong Central IT and good partnership with distributed IT operations.

12 Basics Program rollout April 2012 Reached 50,000 users by October 2013 Currently 64,000 internal users 7,000 external collaborators 120,000 collaborations 50TB in storage All this without FERPA or HIPAA data

13 Basics

14 3. Legal Requirements

15 HIPAA Health Insurance Portability & Accountability Act, passed in 1996, became law in Enforced by the Office for Civil Rights (OCR) in the U.S. Dept. of Health & Human Services (HHS). Modified in 2013 by including provisions from the 2006 Health Information Technology for Economic & Clinical Health (HITECH) Act & the 2008 Genetic Information Nondiscrimination Act (GINA). Consists of the HIPAA Privacy Rule and the HIPAA Security Rule.

16 The HIPAA Security Rule The Security Rule regulates electronic protected health information* (ephi). It requires (1) administrative, (2) physical, and (3) technical safeguards to Ensure the confidentiality, integrity, and availability of all ephi created, received, maintained or transmitted; Identify and protect against reasonably anticipated threats to the security or integrity of the information; Protect against reasonably anticipated, impermissible uses or disclosures; Ensure compliance by the workforce; and Provide a means for managing risk in an ongoing fashion. * Data with one or more of 18 patient identifiers such as name, DOB, etc.

17 The HIPAA Security Rule

18 Covered Entities & Business Associates Healthcare providers, health plans, and health clearinghouses are called HIPAA covered entities. Universities are often hybrid covered entities, with covered components that do healthcare and components that are not covered. If you serve a covered component within your organization, chances are that you too are covered. If you are not part of a covered entity but handle their data, you are a business associate (BA). In the Box context, you are a covered entity and Box is a BA.

19 Security Rule Safeguards Administrative security organization, policies, training, responsibilities, incident response, etc. Physical data center access, equipment/ media disposal, inventory control, etc. Technical firewalls, patching, auditing, scanning, monitoring, accounts, etc. + organizational/policies/documentation requirements

20 Required & Addressable Each Security Rule safeguard is either required or addressable. Required = what it says. Addressable = should address, but ok if you describe why it is not in place or how you will otherwise address the risk. A risk assessment (RA) identifies where to concentrate mitigation effort.

21 Breach Notification HIPAA requires that a breach of ephi be reported ASAP: 1. To everyone whose privacy is breached. 2. For breaches affecting > 500 patients, to the media and the Secretary of the U.S. Dept. of Health & Human Services. The BA must notify you if the breach occurs at their end.

22 Business Associates HIPAA requires a business associate agreement (BAA) with any external entity that touches your ephi. The BAA must include language that your BA & their BAs will protect your ephi. Due diligence also means ensuring that the BA is capable of protecting your ephi in conformance with HIPAA.

23 Enforcement HIPAA violations can result in civil monetary penalties up to $1.5 million/violation against a HIPAA covered entity and/or individual criminal penalties up to10 yrs in jail. For large breaches, the OCR imposes a (potentially very expensive) corrective action plan (CAP). Random govt. HIPAA audits are coming this year.

24 The Corrective Action Plan (CAP) signed by Idaho State University ì Breaches reported by universities But the worst is being in the newspapers!

25 Is All Identifiable Health Data ephi? NO. Identifiable health data outside a healthcare context (e.g. what you upload to Google Health, Microsoft HealthVault) is not ephi. Only healthcare providers, facilities, and insurers are bound by HIPAA. Data, if properly de-identified, is not subject to HIPAA. If unsure, contact your HIPAA Compliance office!

26 Just Good Security? Q: So, the HIPAA Security Rule means we just need to provide good IT security? A: NO. The Security Rule is about managing risk, and security is only PART of that management. HIPAA requires ongoing administrative controls, training, governance, policies, formal review, etc.

27 HIPAA Security Rule Myths Myth #1 Security Rule compliance is a boolean. Truth: There is no threshold where you suddenly become compliant. Myth #2 You can be certified HIPAA compliant. Truth: No company or federal agency is authorized to certify you as being HIPAA compliant. (The only way to know for sure is to survive a HIPAA audit!) So you align with the HIPAA rules as best as you can and usually self assert compliance.

28 HIPAA Security Rule Myths Myth #3 Once compliant, you stay compliant. Truth: No. Compliance is an ongoing process; once started, it never stops so long as you have ephi. Myth #4 You must have an external third party do risk/security assessment. Truth: No. You can do them internally, so long as you follow accepted practices and document it all.

29 4. Risk Management Framework

30 HIPAA requires that you manage risk intelligently

31 Information Security Risk Management Identify, assess, prioritize, and mitigate risk to information security on an ongoing basis. Think in terms of managing risk, not plugging security holes. Risk = {Threat/Vulnerability x Likelihood x Impact} A big threat due to an existing vulnerability that is highly unlikely to be exploited/has little impact is low risk. You don t kill yourself over it.

32 Risk Management Framework You should have a mature, standards-based* RMF consisting of: Good governance = institutional security organization, policies, sanctions, enforcement Risk management = assessment, mitigation through appropriate physical, administrative, technical controls, documentation Review = regular monitoring, reviews, assessment, and mitigation Awareness and training * = NIST

33 Do I need an entire RMF even if I just want to align Box? YES! If there is a breach and an OCR audit, they will first look at your general HIPAA safeguards, not just what you do with Box. Penalties are often levied due to risk not being managed properly. Having an RMF in place is an essential prerequisite to any HIPAA compliance work.

34 Implementing the RMF at IU 1. Assign ownership 8. Get official blessing & advertize 2. Form partnerships 7. Create & execute risk management plan Follow NIST Standards 3. Inventory/ document 6. Assess risk 5. Perform gap analysis/fill gaps 4. Hire external consultant (Much of this is usually already in place at most places but not documented in a compliance-oriented form.)

35 1 Assign Ownership Dedicated resources commensurate with the scale. At IU, we spent around 1.5 FTE-year for the initial effort and 1.0 FTE on an ongoing basis. Assigned someone to lead the project. Empowered the leader to be able to do the job.

36 2 Form Partnerships Got to know all IU Compliance folks. Formed an oversight committee; put all stakeholders on it Compliance, Counsel, Information Security Office, Information Policy Office, School of Medicine CIO/Security Office, staff/ faculty, and central IT senior management.

37 3 Inventory/Document Spent a lot of time on developing a documentation strategy/format. Inventoried all assets, current policies and procedures, physical, administrative, and technical controls in place already. Consulted with line managers & key staff. Instituted a secure document management system (DMS).

38 Identify Dependencies Inventoried infrastructure pieces on which systems/services depend. This means identity management, messaging, the network, data centers, etc. on which the systems/services to be aligned depend. Included as many of them as we could.

39 4 Hire External Consultant* Asked IU Compliance folks for references. Got referred to a consultant from DC, who also serves on national HIPAA committees, etc. Consultant was given information about the organization, documentation, etc. Consultant visited IU a couple times to do in-person interviews. * = optional

40 5 Perform Gap Analysis The Gap Analysis (GA) measures gaps between actual security and what the HIPAA Security Rule requires. Involved on-site interviews. Consultant used the data to identify gaps. We received the GA report.

41 Fill Gaps Reviewed gap analysis report. Filled as many holes as we could, especially the serious ones. Updated documentation. Got everything ready for a risk assessment.

42 6 Assess Risk Everything done so far went into the risk assessment exercise. Submitted updated documentation and other information as requested to the external consultant. On-site interviews followed. Received a risk assessment report listing identified risks and risk scores.

43 7 Create a Risk Management Plan Reviewed risk assessment report. Addressed all risks and documented mitigation, reason for not mitigating, or alternatives. Submitted the RM plan to the external consultant for review. Modified RM plan as per consultant recommendations.

44 Execute Risk Management Plan Execution involved some short term actions that addressed many high/ medium risk items immediately. Instituted long term processes such as regular reviews, risk monitoring, risk avoidance strategies, etc. Documented everything (again)

45 8 Get Official Blessing & Advertize Submitted everything to the oversight committee. Received an official letter of approval from Compliance in January Advertized internally and targeted only IUSM researchers to avoid unnecessary attention.

46 Follow Standards We used the NIST information security standard since it is often used for complying with HIPAA and is the basis for FISMA. It put an official seal & added rigor to the process. We also looked at other standards such as ISO 27001, COBIT, etc.

47 NIST

48 HIPAA - Ongoing Semi-annual, internal reviews, documentation updates. Risk reassessment. External reviews every 5 years. Annual, mandatory HIPAA training in the HIPAA regulation, how it applies to us, and our policies and procedures, etc. Self-assertion process for new services requires risk analysis, risk mitigation, documentation, security screening, & training/reviews.

49 Future Expand the mature, standards-based NIST approach. Provide NIST-based risk and security assessment tools for units to do their own internal assessments. Centralize documentation. Establish baseline risk profile, evaluate risks, update continuously as risks change.

50 5. Box Evaluation

51 While Box said they were HIPAA compliant, due diligence (to us) meant evaluating whether Box meets the same NIST standards we follow ourselves.

52 Method We asked Box for documentation of their information security practices, audit reports, etc. We reviewed the documents thoroughly. We used the NIST HIPAA Security Rule Toolkit to answer nearly 1000 questions about Box s security/risk management practices. Some of these answers came from the Box documentation, some from Box s Compliance folks.

53 NIST HIPAA Security Rule Toolkit Questionnaire

54 Results Box satisfies > 95% of HIPAA Security Rule requirements. They have the necessary Required and Addressable safeguards in place. It helps greatly that they encrypt all data in transit and at rest for enterprise customers (i.e. us) and secure the encryption keys.

55 Current Status We are waiting on a HIPAA compliant BAA with Box. After a BAA is in place, we will submit the paperwork to the IU HIPAA Compliance Office to approve Box s suitability for storing ephi. After approval, we expect to make Box available to biomedical researchers as a HIPAA aligned collaboration tool.

56 6. Conclusions

57 Conclusions Cloud computing is imminent; be prepared. Box provides an ideal data sharing environment for biomedical researchers. Our own NIST based evaluation found Box to be capable of keeping our ephi secure. We are using our existing RMF to satisfy dependencies and ensure end to end security.

58 Conclusions Follow your own institutional process, but an institutional RMF is an essential pre-requisite. Implementing a RMF also provides resources that can be used to align with any current/future regulation. It also makes breaches less likely, lowering liability and the chance of damaging institutional reputation.

59 We are more than happy to help in any way we can

60 Resources The HIPAA Security Rule NIST : Guide to Implementing the HIPAA Security Rule NIST : Recommended Security Controls NIST A: Guide for Assessing Security Controls FIPS 200: Federal Systems Minimum Security Requirements NIST HIPAA Security Rule Toolkit IU HIPAA Documentation Templates ( us) IU HIPAA Risk Assessment Template ( us)

61 Contact Bob Flynn Anurag Shankar