ITUS Med Solutions. HITECH & HIPAA Compliance Guide

Transcription

1 Solutions HITECH & HIPAA Compliance Guide 75 East 400 South Suite Salt Lake City - UT (801) [email protected]

2

3 HITECH & HIPAA Compliance HITECH and HIPAA Act Requirements The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that appropriate administrative, technical, and physical safeguards be used to protect the privacy and security of sensitive health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law February 2009 as part of the American Recovery and Reinvestment Act (ARRA) clarifies and supplements HIPAA requirements, particularly by creating disclosure requirements, adding significant financial penalties for losses and mandating jail time for negligence in breaches of Protected Health Information (PHI) by covered entities that violate the HIPAA Privacy and Security Rules. Both HIPAA and the HITECH Act are enforced by the U.S. Department of Health and Human Services. The goal of the security provisions of HIPAA is to ensure the integrity and confidentiality of health information and to protect against security breaches and unauthorized use or disclosure of health information. Security provisions for HIPAA compliance are designed to motivate healthcare service providers and their business associates to adopt practices that reduce the risk of losing valuable patient information due to data theft from security breaches. The Problem with Protected Health Information (PHI) The HITECH Act introduced a significant problem for Healthcare Providers: 1) Institutions must be able to service at least 50% of their patient populations electronically and those that don t meet Meaningful Use II attestation requirements can only bill for Medicare patients at a reduced rate. Provide patients with the ability to view online, download and transmit their health information to third parties 50% patients have access EPs - within 4 business days Hospitals - within 36 hours of discharge >10% of patients view, download or transmit their records 2) All Protected Health Information (PHI) must be encrypted at the Endpoint, in transit and at rest (end-to-end encryption) Secure messaging for ambulatory systems: Not restricted to ; may include patient portal, PHR, or other messaging system Adopts encryption and hashing algorithm standards as baseline 45 CFR (a)(iv) Electronic health information store on end-user devices is encrypted after use of EHR is stopped; or Ensure EHI never remains on end-user device after use of EHR is stopped One of the major hurdles to implementing encryption of this type is that browsers and don t support end-to-end encryption, forcing enterprises to deploy Virtual Private Networks (VPN) to ensure that sensitive data is encrypted. VPNs HITECH & HIPAA Compliance Guide 1

4 are almost exclusively used within enterprises as they tend be costly, expensive, difficult to deploy and difficult to manage- Making them unsuitable to address Meaningful Use II requirements. New Solutions to Protect Institutions and Patients ITUS Med is a technology and services company that provides a secure, private-branded channel for online transactions and communications coupled with a breach insurance product backed by Lloyds of London. The company offers a comprehensive suite of solutions that secures all aspects of online patient information and transactions with Healthcare and insurance institutions. Each solution is carefully designed and tested to provide maximum security for the institution and the patient. The solution protects each patient s personal data, medical records, and identity information from Internet criminals. The ITUS Med solution uses a PKI (Public Key Infrastructure) encryption mechanism surrounding a secure communication system that incorporates legal digital signatures and a hardened browser that is immune to common web-based attacks. This approach elegantly meets the encryption requirements required by Meaningful Use II, is easy to deploy and easy to use for patients and provides a legally signed audit trail for non-repudiation as well as a low cost, secure delivery mechanism for all communications that include PHI (lab results, billing etc.) that is a higher legal standard than first class mail. General Rules Administrative Safeguards Security Management Process Risk Management (a)(1)(ii)(B) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with (a). Information System Activity Review (a)(1)(ii)(D) Implement procedures to regu- larly review records of infor- mation system activity, such as audit logs, access reports, and security incident tracking re- ports. Provides end-to-end encryption of all ephi. All communications and transactions are triple encrypted and digitally signed. Eliminates primary attack vectors: Browser- Hardened Browser is immune to man-in-thebrowser attacks - Point to point communications incorporates digital signatures- No third-party access Storage- All persistent communications and transactions are encrypted with PKI Digital Signatures are appended to all communications and transactions. Digital Signatures include time/day/date stamps as well as sender and recipient information and provide a legal instrument for nonrepudiation and logging of communications, transactions and events. HITECH & HIPAA Compliance Guide 2

5 Workforce Security Authorization and/or Supervi- sion (a)(3)(ii)(A) Implement procedures for the authorization and/or supervi- sion of workforce members who work with ephi or in locations where it might be accessed. Each user has a specific User Class associated with their login (Patient, Physician, Administrator etc.) Access to specific sites can be limited by User Class Secure behavior is enforced by limiting and obfuscating recipient information based on User Class Information Access Management Isolating Health Care Clearing- house Function (a)(4)(ii)(A) If a health care clearinghouse is part of a larger organization, the clearinghouse must imple- ment policies and procedures that protect the ephi of the clearinghouse from unauthor- ized access by the larger organ- ization. Clearinghouse information access is restricted to specific users with the User Class function. ArmoredView Administration Console can be customized to include any number of permissions policies and is easily integrated with existing policy systems. Access Establishment and Mod- ification (a)(4)(ii)(C) Implement policies and proce- dures that, based upon the enti- ty's access authorization poli- cies, establish, document, re- view, and modify a user's right of access to a workstation, transaction, program, or pro- cess. HITECH & HIPAA Compliance Guide 3

6 Security Awareness Protection from Malicious Software (a)(5)(ii)(B) Implement procedures for guarding against, detecting, and reporting malicious soft- ware. Armored Online Solution eliminates the primary vectors of attack: Hardened Browser locks out plug-ins, extensions, helper objects and persistent cookies that criminals coopt in their attacks Encrypted point-to-point system ensure that only the issuing institution and the authorized recipient can communicate in the secure environment Technical Safeguards Access Control Access Control Unique User Identification (a)(2)(i) Implement procedures to assign a unique name and/or number for identifying and tracking user identity. Automatic Logoff (a)(2)(iii)Implement electronic procedures that ter- minate an electronic session after a predetermined time of inactivity. The Armored Online system integrates into existing authentication systems and provides additional Multi- Factor Authentication, Mutual Authentication and Public/Private Key encryption Automatic Logoff timing is controlled through the Armored View Administration Console. Users can be automatically logged out of the system based on policy. Audit Control Encryption and Decryption (a)(2)(iv) Implement procedures to describe a mech- anism to encrypt and decrypt ephi. Audit Controls (b) Implement hardware, software, and/or procedural mechanisms that record and examine activi- ty in information systems that contain or use ephi. All communications and transactions in the Armored Online system are triple encrypted with SSL, PKI and digital signatures at all times Legally-binding Digital Signatures are appended to all communications and transactions. Digital Signatures include time/day/date stamps as well as sender and recipient information and provide a legal instrument for non-repudiation and logging of communications, transactions and events. HITECH & HIPAA Compliance Guide 4

7 Integrity Mechanism to Authenticate Electronic PHI (c)(2) Implement electronic mecha- nisms to corroborate that ephi has not been altered or de- stroyed in an unauthorized manner. Beyond the audit and logging features provided by Digital Signatures, any alteration or unauthorized viewing of digitally signed, encrypted information is flagged whether the communication was intercepted in transit or at rest (persistent data) ITUS Med leads the industry in providing secure private channel technology to Healthcare Enterprises. Headquarters: ITUS Med 75 East 400 South Suite 301 Salt Lake City, UT TEL HITECH & HIPAA Compliance Guide 5