Bridging the HIPAA/HITECH Compliance Gap

Transcription

1 CyberSheath Healthcare Compliance Paper Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance

2 According to the 2014 Healthcare Breach Report by Bitglass 1, the healthcare industry accounts for 44% of all reported breaches over the past 18 years with costs per HIPAA violation up to $50,000 and $1,500,000 for reoccurring violations. These breaches risk the medical and financial well-being of breach victims and the credibility and future business of healthcare providers. As a result, federal and state governments are responding to the growing public concern with stronger compliance regulations. The most sweeping of these regulations is the long-a Health Insurance Portability and Accountability Act (HIPAA) Final Omnibus Rule 2. The Omnibus represents landmark legislation that impacts nearly every aspect of healthcare data security and patient privacy. It consists of four rules: 1. Modification of the HIPAA Privacy, Security, and Enforcement Rules to include HITECH requirements 2. Modification of the Breach Notification Rule 3. Modification of the HIPAA Privacy Rule regarding the Genetic Information Discrimination Act of Additional modifications to the HIPAA Rules These rules increase the privacy and security protections available under HIPAA by strengthening security standards, expanding the scope of accountability, financial incentives for achieving compliance, and steep penalties for non-compliance. The History of HIPAA and HITECH HIPAA was brought into law in 1996 to help protect against the breach of personal medical information. It introduced a set standards for medical privacy that went into effect over the next 10 years. The American Recovery and Reinvestment Act (ARRA), put into law February 2009, raised the bar for cybersecurity with the Health Information Technology for Economic and Clinical Health Act (HITECH), which at the time experts called the biggest change to the healthcare privacy and security environment since the original HIPAA privacy rule Healthcare Breach Report by Bitglass, 2 The Final Rule can be found at: 2

3 The below figure, created by the team over at ID Experts, illustrates HPAA s evolution since its start. 3

4 4

5 HITECH s Impact on HIPAA Specific thresholds, response timeline, and methods or breach victim notification. Expansion of contractual obligation for security and privacy of PHI to subcontractors of business associates 5

6 A new definition of business associates and extension of the HIPAA privacy and security requirements to include business associates. Explicit authority for state Attorneys General to enforce HIPAA Rules and to pursue HIPAA criminal and civil cases against HIPAA covered entities (CEs), employees of CEs, or their business associates. Tiered increase in penalties for violations of these rules, some of them mandatory, with potential fines ranging from $25,000 to as much as $1.5 million, effective immediately. Provisions for more aggressive enforcement by the federal government. Broader Accountability Organizations that are subject to HIPAA are referred to as covered entities. This extends to the organizations that deliver services to covered entities, they are known as business associates and per the HITECH Act, include: Healthcare providers such as doctors, hospitals, etc. Healthcare insurance and health plan clearinghouses Businesses who self-insure Businesses that sponsor a group health plan and assist their employees on medical coverage Businesses that deliver services to other healthcare providers 6

7 Furthermore, per these regulatory laws, covered entities and business associates are required to ensure the following safeguards to protect patient data (electronic protected health information, or ephi) in order to achieve compliance: Administrative safeguards to protect data integrity, confidentiality and availability of ephi Physical safeguards to protect data integrity, confidentiality and availability of ephi Technical safeguards to protect data integrity, confidentiality and availability of ephi HITECH Introduced Tiered increase in penalties for violations of these rules, some of them mandatory, with potential fines ranging from $25,000 to as much as $1.5 million, effective immediately. Countdown to Compliance The HITECH Act was signed into law in 2009 and increases the use of Electronic Health Records (EHR) by physicians and hospitals. The Medicare EHR Incentive Program began in 2011, through which eligible healthcare providers are offered financial incentives for adopting, implementing, upgrading or demonstrating meaningful use of EHR. The incentive payments will continue through 2016, which is the last year to begin participation in the program. Incentives will be offered until 2015, after which time penalties may be levied for failing to demonstrate meaningful use. Covered entities and business associates that struggled to reach compliance with HIPAA, now face an even greater challenge with HITECH.HIPAA / HITECH Compliance Requirements. 7

8 Compliance Requirement Breakdown Covered entities and business associates must abide to the following list of requirements: # Requirement Description 1. Breach Notification Policy Define how Covered Entity will respond to security and/or privacy incidents or suspected privacy and/or security incidents that result in a breach. 2. Security Management Process Describes processes the organization implements to prevent, detect, contain and correct security violations relative to its ephi. 3. Risk Analysis Discusses what the organization should do to identify, define and prioritize risks to the confidentiality, integrity and availability of its ephi. 4. Risk Management Defines what the organization should do to reduce the risks to its ephi to reasonable and appropriate levels. 5. Sanction Policy Indicates actions that are to be taken against employees who do not comply with organizational security policies and procedures. 6. Information System Activity Review Describes processes for regular organizational review of activity on its information systems containing ephi. 7. Assigned Security Responsibility Describes the requirements for the responsibilities of the Information Security Officer. 8. Workforce Security Describes what the organization should do to ensure ephi access occurs only by employees who have been appropriately authorized 8

9 # Requirement Description 9. Authorization and/or Supervision Identifies what the organization should do to ensure that all employees who can access its ephi are appropriately authorized or supervised. 10. Workforce Clearance Procedure Reviews what the organization should do to ensure that employee access to its ephi is appropriate. 11. Termination Procedures Defines what the organization should do to prevent unauthorized access to its ephi by former employees. 12 Information Access Management Indicates what the organization should do to ensure that only appropriate and authorized access is made to its ephi. 13 Access Authorization Defines how the organization provides authorized access to its ephi. 14 Access Establishment and Modification Discusses what the organization should do to establish, document, review and modify access to its ephi. 15 Security Awareness & Training Describes elements of the organizational program for regularly providing appropriate security training and aware- ness to its employees. 16 Security Reminders Defines what the organization should do to provide ongoing security information and awareness to its employees. 17 Protection from Malicious Software Indicates what the organization should do to provide regular training and awareness to its employees about its process for guarding against, detecting and reporting malicious software. 9

10 # Requirement Description 18 Log-in Monitoring Discusses what the organization should do to inform employees about its process for monitoring log-in attempts and reporting discrepancies. 19 Password Management Describes what the organization should do to maintain an effective process for appropriately creating, changing and safeguarding passwords. 20 Security Incident Procedures Discusses what the organization should do to maintain a system for addressing security incidents that may impact the confidentiality, integrity or availability of its ephi. 21 Response and Reporting Defines what the organization should do to be able to effectively respond to security incidents involving its ephi. 22 Contingency Plan Identifies what the organization should do to be able to effectively respond to emergencies or disasters that impact its ephi. 23 Data Backup Plan Discusses organizational processes to regularly back up and securely store ephi. 24 Disaster Recovery Plan Indicates what the organization should do to create a disaster recovery plan to recover ephi that was impacted by a disaster. 25 Emergency Mode Operation Plan Discusses what the organization should do to establish a formal, documented emergency mode operations plan to enable the continuance of crucial business processes that protect the security of its ephi during and immediately after a crisis situation. 10

11 # Requirement Description 25 Emergency Mode Operation Plan Discusses what the organization should do to establish a formal, documented emergency mode operations plan to enable the continuance of crucial business processes that protect the security of its ephi during and immediately after a crisis situation. 26 Testing and Revision Procedure Describes what the organization should do to conduct regular testing of its disaster recovery plan to ensure that it is up-to-date and effective. 27 Applications and Data Criticality Analysis Reviews what the organization should do to have a formal process for defining and identifying the criticality of its information systems. 28 Evaluation Describes what the organization should do to regularly conduct a technical and non-technical evaluation of its security controls and processes in order to document compliance with its own security policies and the HIPAA Security Rule. 29 Business Associate Contracts and Other Arrangements Describes how to establish agreements that should exist between the organization and its various business associates that create, receive, maintain or transmit ephi on its behalf. 30 Facility Access Controls Describes what the organization should do to appropriately limit physical access to the information systems contained within its facilities, while ensuring that properly authorized employees can physically access such systems. 11

12 Getting the Right Resources and Skills Healthcare industry's migration to Electronic Health Records (HER) will enable providers to deliver better care more efficiently, but cybersecurity will become a critical success factor in every health organization's future. Everyone stands to gain in this prodigious shift and no one can afford to lose. It can often become overwhelming for a healthcare provider to ensure that all systems and processes meet the criteria for HIPAA and the HITECH Act. Even when the minimum criteria is met, it doesn t necessarily mean that PHI is secure Covered entities and business associates must partner with established and proven cybersecurity services providers who can ensure their migration, implementation, operations, and maintenance fulfil their promises. Covered entities and business associated should look for the following key skill-sets and resources when evaluating potential partnerships for cybersecurity services: Professional services that go beyond technical proficiency A healthcare-friendly partner with a proven track-record An ability to work seamlessly with other integrators, as well as plug into existing programs An appropriate infrastructure with true physical isolation, from hardened facilities to data vaults A Defense-in-Depth approach that includes physical and logical access and policy controls; Multiple facility fail-over provisions that support the organization s plan across regions Continuous monitoring, including operational and security staffing that s 24x7x365 Third Party Attestation for Vendor Compliance in HIPAA, FISMA, PCI DSS, and DIACAP Achieving HIPAA and HITECH Compliance with CyberSheath At CyberSheath, we understand the cybersecurity challenges covered entities and business associates face in ensuring ephi is protected and we enable our customers to have the confidence that they are able to comply with HIPAA/HITECH obligations. Our industry leading security services help covered entities and business associates understand their regulatory responsibilities and achieve compliance. 12

13 Mapping CyberSheath s Security Services to the HIPAA and HITECH Security Standards & Rules 13

14 HIPAA Security Standards and Rules CyberSheath Service Delivery Outcomes Business Associate Contracts and Other Arrangements ( (b)(1)), ( (a)(1)) Third Party Security and Oversight Identification of Critical Vendors Vendor Security Due Diligence Program Documentation Review Process Business Continuity Management Contingency Plan ( (a)(7)) Access Control ( (a)(1)) Cradle to Grave Data Backup Process Business Impact Analysis Process Disaster Recovery Planning and Testing Recovery Time Objectives for Critical Functions Security Operations Security Management Process ( (a)(1)) Assigned Responsibility ( (a)(2)) Security Incident Procedures ( (a)(6)) Contextual Access Controls Cradle to Grave Patch Management Efficient Asset Management Intrusion Detection and Endpoint Protection Facility Access Controls ( (a)(1)) Workstation Use ( (b)) Workstation Security ( (c)) Physical Security Holistic Environment Protections Reliable Facility Access Control Capability Geographical Risks for Critical Assets 14

15 HIPAA Security Standards and Rules CyberSheath Service Outcomes Human Resource Security Workforce Security ( (a)(3)) Security Awareness and Training ( (a)(5)) Secure Hire and Term Processes Security Awareness Training Specialized Training for Security Organization Increased Resilency with InsiderThreats Security Architecture Access Control ( (a)(1)) Audit Controls ( (b)) Integrity ( (c)(1)) Person or Entity Authentication ( (d)) Infrastructure Design and Review Process System Hardening for At-Risk / Critical Assets Least Privilege Model Enforcement Robust Identify Management Capability Optimized Deployment of Security Tools Security Management Process ( (a)(1)) Assigned Responsibility ( (a)(2)) Security Incident Procedures ( (a)(6)) Evaluation ( (a)(8)) Audit Controls ( (b)) Policies and Procedures ( (a)) Documentation ( (b)(1)) Comprehensive Cybersecurity Program Process Alignment Strategic Security Roadmap Defined Security Organization Hierarchy Established Security Policies and Standards Custom-fit Security Programs and Capabilities Clear and Concise Security Metrics and Reporting 15

16 Cybersecurity Beyond Compliance Checking the right boxes on your annual compliance audit does not mean you are immune from data breaches. Security must go beyond compliance and our comprehensive suite of security services and solutions far and exceed the required mandates. We integrate your compliance and threat mitigation efforts to eliminate redundant security practices and increase security operations efficiency. Our services are delivered by some of the best experts in the industry and will work closely to understand your unique challenges and provide pragmatic security solutions that tangibly address your specific risks. 16

17 About CyberSheath Co-founded by a Chief Information Security Officer for a Global Fortune 500 company & Chief Executive Officer for an Inc. 500 company, CyberSheath applies business discipline to cyber security, enabling our customers to measure risk, meet compliance goals, prioritize investments, and improve overall security posture. We ve built a global network of best-in-class partners that we leverage as a force multiplier to deliver pragmatic, end to end solutions for our customers. Having been in the trenches as security practitioners and business executives, CyberSheath goes beyond the WHAT (best practices) and delivers the HOW (measurable results). 17 P a g e Copyright 2015 CyberSheath, for permission to reproduce, please contact CyberSheath at [email protected]