Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Transcription

1 Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased Audits & On-site Investigations Compliance Challenges Key Regulations State Regulations PCI DSS HIPAA Privacy HIPAA Security HITECH Act FACTA (Red Flags Rule) FISMA

2 Meaningful Use: Stage 1 Core Set Mandate Ensure adequate privacy and security protections for personal health information Through use of policies, procedures, and technologies Meaningful Use Stage 1 Objective (Final Rule) Protect EHR created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities Meaningful Use Stage 1 Measure (Final Rule) Conduct or review a security risk analysis and implement security updates as necessary and correct identified security deficiencies as part of the risk management process Meaningful Use: HITECH Act Compliance with HIPAA's Privacy & Security Rules remain part of the meaningful use definition as a policy priority, with corresponding goals and objectives for 2011 CMS will withhold meaningful use payment for any entity until any confirmed HIPAA privacy or security violation has been resolved State Medicaid administrators will withhold meaningful use payment until any confirmed state privacy or security violation has been resolved EHR initiatives are coupled with increased privacy and security compliance with mandates State Regulations California SB 1386 requires notification of security breaches involving unencrypted sensitive data AB 1950 requires that organizations take reasonable precautions to protect CA residents personal data AB 1298 expands data breach notification law to include unencrypted medical histories, health insurance information, medical treatments & diagnoses SB 541 requires breaches must be disclosed to the affected patients AB 211 includes fines starting from $2,500 to $25,000 per violation for organizations that negligently disclose patient records

3 Massachusetts 201 CMR Comprehensive Written Information Security Program Establishes minimal standards for safeguarding personal information contained in both paper and electronic records Requires each covered business to develop, implement, maintain and monitor a comprehensive written information security program that applies to records that contain Massachusetts residents personal information Security program must include administrative, technical and physical safeguards to protect such records Regulations also require businesses that store or transmit personal information about Massachusetts residents to (201 CMR 17.04): Restrict access by use of passwords Deploy updated malware protection Encrypt information transmitted across public or wireless networks Monitor all systems to detect unauthorized access Encrypt information stored on laptops Incorporate firewalls State of Connecticut IC-25 All insurance companies doing business in Connecticut must report information breaches to state authorities within five calendar days, even if the data involved was encrypted The new state insurance breach reporting policy applies to health maintenance organizations, preferred provider organizations, and other health insurers, as well as property and casualty insurers, pharmacy benefit managers and medical discount plans It does not apply to hospitals and physicians A tough regulation which applies to paper and electronic records Rising Risk to Business Rising Risk to Business Risk to Information is a Risk to Business

4 Recent Breaches Nationwide 1. State: Texas Approx. # of Individuals Affected: 600 Date of Breach: 5/29/10 Location of Breached Information: Network Server 3. Rainbow Hospice and Palliative Care State: Illinois Approx. # of Individuals Affected: 1,000 Date of Breach: 4/12/10 Location of Breached Information: Laptop 2. State: Arizona Approx. # of Individuals Affected: 5,893 Date of Breach: 5/15/10 Location of Breached Information: Laptop 4. Emergency Healthcare Physicians, Ltd. State: Illinois Business Associate Involved: Millennium Medical Management Resources, Inc. Approx. # of Individuals Affected: 180,111 Date of Breach: 2/27/10 Location of Breached Information: Portable Electronic Device, Other Recent Breaches in CA 1. Children's Hospital & Research Center at Oakland Approx. # of Individuals Affected: 1,000 Date of Breach: 5/25/10 and 5/26/2010 Type of Breach: Other Location of Breached Information: Paper 2. Loma Linda University Health Care Approx. # of Individuals Affected: 584 Date of Breach: 4/04/10 Location of Breached Information: Desktop Computer 3. Silicon Valley Eyecare Optometry and Contact Lenses Approx. # of Individuals Affected: 40,000 Date of Breach: 4/02/10 Location of Breached Information: Network Server 4. St. Joseph Heritage Healthcare Approx. # of Individuals Affected: 22,012 Date of Breach: 3/06/10 Location of Breached Information: Desktop Computer 5. John Muir Physician Network Approx. # of Individuals Affected: 5,450 Date of Breach: 2/04/10 Location of Breached Information: Laptop Is Your Organization Next? Harris County Hospital, Texas Administrator lost medical/financial records of 1,200 patients with HIV/AIDS Information was on a portable flash drive Data was not password protected nor encrypted Staten Island University Hospital, NY Computer with Medical Records Stolen - Patients informed 4 months later UCSF Medical Center Information on patients was accessible on the Internet - Patients informed 6 months later New York-Presbyterian Hospital/Weill Cornell Medical Center 2000 patient records sold; 50,000 improperly accessed University of Utah Health Care Password protected but unencrypted laptop with data on 4,800 people was stolen after hours from a locked room University of Minnesota Reproductive Medicine Center Doctor lost an unencrypted portable storage device with information on 3,100 patients

5 Data Breach Reach New Heights Cost of data breach rose to $202 for each compromised record Average cost of healthcare breach was $282 for each record Average expense to an organization was $6.6 million Vast majority caused by negligence Portable devices, laptops are responsible for growing # of breaches Source: The Wall Street Journal, February 2, 2009 How prepared is your organization? Key Definitions Breach The term breach means the unauthorized acquisition, access, use, or disclosure of sensitive information which compromises the security or privacy of sensitive information such that it poses a significant risk of financial, reputational, or other harm to the individual Unsecured Sensitive Information Sensitive information must be rendered unusable, unreadable, or indecipherable to unauthorized individuals Encryption Use of an algorithmic process to transform data into a forms in which there is low probability of assigning meaning without use of a confidential process or key an such confidential process or key that might enable decryption has not been breached What Federal Agencies Expect! Organizations must: Identify if breach affects 500 or more OR Less than 500 Initial Report, Addendum to Previous Report Provide covered entity contact information Identify if breach occurred at or by a Business Associate Breach Date of breach, Date of Discovery Approx # of impacted individuals Type of Breach Theft, Loss, Improper disposal, Unauthorized access, Hacking/IT incident Other, Unknown Type of Sensitive Information Involved in Breach: Demographic information Financial information Clinical Information Other

6 What Federal Agencies Expect! Brief Description of Breach Location How it occurred? Additional information: type of breach, type of media, type of PHI Safeguards in Place Prior to Breach Firewalls, Packet filtering (router based) Secure Browser Sessions, Logical Access Control Strong Authentication, Encrypted Wireless, Physical Security Anti-virus Software, Intrusion Detection, Biometrics Action in Response to Breach: Security and/or Privacy Safeguards Mitigation Sanctions Policies & Procedures Other Attestation Establishing s a Security Program What Is Your Information Security Framework? A Checklist for Compliance Critical Action: Conduct a Risk Analysis

7 ISO 27000: A Global Information Security Standard A comprehensive set of controls comprising best practices in information security Comprised of: A code of practice A specification for an information security management system Intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce What Is Your Security Framework? PCI DSS A Global Data Security Standard 1. Build and Maintain a Secure Network 1. Firewall configuration 2. Vendor defaults 2. Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission 3. Maintain a Vulnerability Management Program 5. Update anti-virus software 6. Maintain secure systems and applications 4. Implement Strong Access Control Measures 7. Restrict access need to know 8. Assign unique ID s 9. Restrict physical access 5. Regularly Monitor and Test Networks 10. Track and monitor all access 11. Regularly test security processes 6. Maintain an Information Security Policy 12. Maintain policies Checklist for Audits Entity-wide Security Plan Risk Analysis (most recent) Risk Management Plan (addressing risks identified in the Risk Analysis) Security violation monitoring reports Vulnerability scanning plans Results from most recent vulnerability scan Network penetration testing policy and procedure Results from most recent network penetration test List of all user accounts with access to systems which store, transmit, or access EPHI (for active and terminated employees) Encryption or equivalent measures implemented on systems that store, transmit, or access EPHI

8 Checklist for Audits - Policies Prevention, detection, containment, and correction of security violations Employee background checks and confidentiality agreements Establishing user access for new and existing employees List of authentication methods used to identify users authorized to access EPHI List of individuals and contractors with access to EPHI to include copies pertinent business associate agreements List of software used to manage and control access to the Internet Detecting, reporting, and responding to security incidents Physical security Encryption and decryption of EPHI Mechanisms to ensure integrity of data during transmission - including portable media transmission Checklist for Audits - Procedures Monitoring systems use - authorized and unauthorized Use of wireless networks Granting, approving, and monitoring systems access (for example, by level, role, and job function) Sanctions for workforce members in violation of policies and procedures governing EPHI access or use Termination of systems access Session termination policies and procedures for inactive computer systems Policies and procedures for emergency access to electronic information systems Password management policies and procedures Disposal of media and devices containing EPHI Secure workstation use Addressing HITECH Breach Mandates Develop policy on Discovery, Reporting & Notification of Information Breaches Create a specific procedure for information breach management Develop specific procedure for information breach notification Conduct training for all members of the workforce 2010 & Beyond: It s About PII Personally Identifiable Information

9 Beyond PHI. PII. Personally Identifiable Information Until now, it has been about Protected Health Information (PHI) HIPAA Privacy Electronic Protected t Health Information (EPHI) HIPAA Security Unsecured PHI HITECH Act Cardholder information PCI DSS Personal data or information State Regulations 2010 and beyond it is about PII What PII does your organization come into contact with? Where is PII in your organization? How is the PII secured in your organization? Incident Response for Breaches of PII What is Your Formal Plan? 1. Preparation 1. Build PII breach response as part of incident response 2. Develop appropriate policies & procedures 3. Employees must understand d what constitutes t a PII breach 4. Develop a comprehensive breach notification plan 2. Detection and Analysis 1. Implement detection & analysis technologies & techniques 2. Make adjustments as needed 3. Containment, Eradication & Recovery 1. Perform additional media sanitization steps 2. Ensure proper forensics techniques are practiced 4. Post-Incident Activity 1. Learn and update PII breach response plan Information Security Program Strategy Core to the Edge and the Cloud Physical Security Firewall Systems IDS/IPS Identity Management Encryption Critical Info & Vital Assets Security Strategy Must be Risk-based, Pro-active, Integrated!

10 Pabrai s Laws of Information Security Is Your Security Kismet or Karma? 1. There is no such thing as a 100% secure environment 2. Security is only as strong as your weakest link 3. Security defenses must be integrated and include robust (passive) and roving (active) controls to ensure a resilient enterprise 4. Security incidents provide the foundation for security intelligence Is Your Enterprise Security? Kismet A Reactive Security Framework Karma A Proactive Security Framework The ecfirst STePS TM Program Exclusive StePS TM - Meaningful Use/EHR Program components include: Private Webcast: Raise Knowledge of Your Organization Risk Analysis of one EHR Application Know Your Meaningful Use Score! Report Card on Status HIPAA Privacy & HIPAA Security Policy Templates HITECH Data Breach Policy & Procedures EHR Vendor Evaluation & Coordination Ali Pabrai, Pabrai@ecfirst.com