Privacy & Security. Risk Management Strategies for Healthcare Data. Ohio Hospital Association Centennial Annual Meeting.




Ohio Hospital Association Centennial Annual Meeting
Privacy & Security Risk Management Strategies for Healthcare Data

Chris Allman, JD, Director of Risk Management, Compliance & Insurance, Garden City Hospital, callman@primehealthcare.com
Jeff Bell, CISSP, GSLC, CPHIMS, ACHE, Director of IT Security & Risk Services, CareTech Solutions, jeff.bell@caretech.com, @JeffBell_CTS

Conflict of Interest Disclosure
Chris Allman does not have any real or perceived conflicts of interest to this presentation.
Jeff Bell is an employee of CareTech Solutions, an information technology (IT) and Web products and services provider for U.S. hospitals and health systems. www.caretech.com

Learning Objectives
- Identify current healthcare privacy threats
- Understand risk management strategies and how effective policies and procedures can mitigate healthcare privacy threats and risks
- Identify current healthcare cybersecurity threats and risks
- Understand risk management strategies to effectively mitigate healthcare cybersecurity threats and risks

HIPAA Requires a Risk-Based Approach to Security
- Protect against any reasonably anticipated threats or hazards (164.306(a))
- Conduct a risk analysis: "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of [ePHI] held by the covered entity" (164.308(a)(1)(ii)(A))
- Risk management: "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level" (164.308(a)(1)(ii)(B))

Risk Assessment Process
- Identify assets / ePHI / other sensitive data
- Identify threats
- Identify vulnerabilities
- Likelihood * impact = risk

Elements of a Risk Assessment
- Evaluate all three aspects of security for ALL ePHI:
  1. Confidentiality
  2. Integrity
  3. Availability
- Evaluate HIPAA security compliance:
  - Assess compliance with the rules
  - Evaluate policies, procedures, training, practices
  - Evaluate each department & each application
- Perform a technical assessment:
  - Interviews with IT subject matter experts
  - Vulnerability scan of all equipment
  - Wireless assessment
  - Web application assessment
- Document findings & recommendations
- Present to leadership for the risk management process

Risk Management Process
Risk management: is the risk level acceptable?
- Risk acceptance
- Risk mitigation
- Risk transference
- Risk avoidance

- Which risks will you mitigate?
- How will you mitigate?
- Who will mitigate?
- When will you mitigate?
- Budget / resources?
- Ongoing impact to operations?
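The scoring and treatment decision described in the two slides above, written out as an added example (it is not code from the presentation or from either speaker). It assumes 1..5 scales for likelihood and impact, a risk appetite of 8, remediation deadlines set by risk band, and constructed sample findings; the slides set none of these values, they only give the formula and the four treatment options.

```python
"""Risk register: likelihood * impact = risk, then accept / mitigate / transfer / avoid.

Added example for the risk assessment and risk management slides. Scales,
the risk appetite, the deadlines and the sample findings are all assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Treatment(Enum):
    ACCEPT = "accept"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"
    AVOID = "avoid"


@dataclass
class Finding:
    asset: str                   # system, device or data store holding ePHI
    threat: str
    vulnerability: str
    likelihood: int              # 1 (rare) .. 5 (almost certain); constructed scale
    impact: int                  # 1 (negligible) .. 5 (severe); constructed scale
    aspect: str = "C"            # security aspect affected: C, I or A
    business_need: bool = True   # False -> the asset or activity can simply be retired
    transferable: bool = False   # True -> a third party (insurer, vendor under a BAA) can carry it

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1..5 scale")
        if self.aspect not in ("C", "I", "A"):
            raise ValueError("aspect must be C, I or A")

    @property
    def risk(self) -> int:
        # The deck's formula: likelihood * impact = risk (1..25 on these scales)
        return self.likelihood * self.impact


RISK_APPETITE = 8   # assumed: scores at or below this are accepted as-is


def decide_treatment(f: Finding) -> Treatment:
    """Pick one of the four risk management options for a scored finding."""
    if f.risk <= RISK_APPETITE:
        return Treatment.ACCEPT
    if not f.business_need:
        return Treatment.AVOID        # remove the exposure instead of securing it
    if f.transferable:
        return Treatment.TRANSFER
    return Treatment.MITIGATE


def due_in_days(risk: int) -> int:
    """Assumed remediation deadlines by risk band ('when will you mitigate?')."""
    if risk >= 15:
        return 30
    if risk > RISK_APPETITE:
        return 90
    return 0   # accepted risks carry no deadline; re-review at the next assessment


def treatment_plan(findings: List[Finding]) -> List[Tuple[str, int, Treatment, int]]:
    """Prioritised plan: highest risk first, with treatment and deadline."""
    ranked = sorted(findings, key=lambda f: f.risk, reverse=True)
    return [(f.asset, f.risk, decide_treatment(f), due_in_days(f.risk)) for f in ranked]


# Constructed sample findings; not taken from the presentation
SAMPLE_FINDINGS = [
    Finding("Clinician laptops", "theft", "no full-disk encryption", 4, 5),
    Finding("Retired radiology file share", "unauthorized access",
            "no access control on old export folder", 3, 4, business_need=False),
    Finding("Transcription web portal (vendor)", "hacking", "no password protection", 3, 5,
            transferable=True),
    Finding("Badge printer PC", "malware", "unsupported OS", 2, 2, aspect="A"),
]

if __name__ == "__main__":
    for asset, risk, treatment, days in treatment_plan(SAMPLE_FINDINGS):
        print(f"{risk:>2}  {treatment.value:<9} due {days:>3}d  {asset}")
```

The plan answers the slide's "which, how, who, when" questions in order: the sort answers "which first", the treatment answers "how", the deadline answers "when"; an owner column would be the natural next field to add.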

Why a Risk Assessment is Essential
- Meaningful Use Stage 1 and 2 require a risk assessment of your certified EHR and correction of deficiencies
- HIPAA requires a risk assessment of all ePHI and development of a plan to implement sufficient security measures to reduce risks and comply with HIPAA
- Audit and enforcement activities
- Breaches are costly, must be reported, and impact reputation
- Threats to cybersecurity are high

Why a Risk Assessment is Essential
Just doing a risk assessment is NOT ENOUGH

Effective Policies & Procedures
- Effective policies and procedures are key to a robust cybersecurity program and reduction of risk
- Policies are not effective when they are drafted (or purchased) and then put on a shelf to collect dust
- Policies should be living, breathing entities that are subject to change as technology and the risks of technology change
- Policies should reflect your actual practices
- The HIPAA Security Rule is a great start, but it is not the end of the road!

How Can Effective Policies & Procedures Reduce Risk?
Effective policies & procedures can help you in 5 areas:
1. Compliance
2. Identification of user & system weaknesses before an adverse event occurs
3. Mitigation or reduction in risk of potential loss after an event
4. Provide a framework to gather data
5. Reduce the number & type of adverse events

1. Compliance
- What's the first thing an auditor asks for when they are there for a survey? Why?
- The auditor wants to know if your policy is up to date with current rules and regulations. Does it reflect your actual practice? Is your workforce educated about the policy?
- Having effective policies & procedures can reduce the risk that your organization is out of compliance, and the fines, program exclusion, etc. that stem from failure to comply

2. Identification of User & System Weaknesses Before an Adverse Event
- After the risk assessment is complete, you should know what your user and system weaknesses are
- Once you know your weaknesses, you can set priorities about how to address them
- Priorities should be set by the perceived severity of the weakness and the risk appetite of the organization
- Priorities should also consider the potential for adverse event occurrence (i.e., breach, hack, security, etc.)
- Your policies should reflect your priorities, and therefore may need to be amended more often than is required by accreditation, etc.

3. Mitigation or Reduction in Risk of Potential Loss After an Event
- Your policies should also realistically reflect how you will react should an event occur
- Being able to follow written guidelines in a crisis can reduce the chance of a misstep that may exacerbate the issue
- Your policy should reflect your game plan:
  - Who is the go-to and the chain of command
  - What steps should be taken
  - When steps should be taken
  - Who needs to know (includes formal/required reporting)
  - Media strategy

4. Framework to Gather Data
- Effective policies should also set out what data is important to your organization
- They may include specific data points to be tracked and/or audited to ensure security
- What data should roll up to committees and leadership for review

5. Adverse Events Reduction
- If effective policies are followed and updated to reflect current regulation and actual practice in your organization, the likelihood of adverse events can be reduced
- When adverse events do occur, effective policies should learn from those events and be updated with current knowledge in order to avoid repeats

FBI Private Industry Notification
Content for presentation only. Contact speaker for copy.

Ponemon Fifth Annual Benchmark Study on Patient Privacy & Data Security
- 90% had a data breach in the past 2 years; 40% had more than 5
- Avg. economic impact due to data breaches is 2.1 million dollars / HC org and 1 million dollars / BA org over 2 yrs.
- Criminal attacks are now the #1 cause of data breaches
- Reported root cause of breaches: 45% criminal attacks, 12% malicious insider
- 56% of HC orgs. and 59% of BAs don't believe their incident response process has adequate funding and resources
https://www2.idexpertscorp.com/fifth-annual-ponemon-study-on-privacy-security-incidents-of-healthcare-data

Conclusions from the Ponemon Study
Cyber criminals recognize two critical facts of the healthcare industry:
1. Healthcare organizations manage a treasure trove of financially lucrative personal information
2. Healthcare organizations do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect patient data. The pace of investments is not fast enough to keep up with the threats to achieve a stronger security posture.
Need to address two serious but different root causes of security incidents and data breaches: employee negligence and hackers.
1. Intensive employee training and awareness programs
2. Investments in technologies and security expertise
3. Innovative solutions are required to achieve both goals.
https://www2.idexpertscorp.com/fifth-annual-ponemon-study-on-privacy-security-incidents-of-healthcare-data

NIST Cybersecurity Framework
- Identify: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy
- Protect: Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures
- Detect: Anomalies and Events, Security Continuous Monitoring, Detection Processes
- Respond: Response Planning, Communications, Analysis, Mitigation, Improvements
- Recover: Recovery Planning, Improvements, Communications
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014

Cybersecurity Framework (NIST): Framework Core
Framework Core: "a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors."
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014

Cybersecurity Framework (NIST): Framework Implementation Tiers ("Tiers")
Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the Framework. These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed.
- Tier 1, Partial: Risk management is ad hoc, with limited awareness of risks and no collaboration with others
- Tier 2, Risk Informed: Risk-management processes and program are in place but are not integrated enterprise-wide; collaboration is understood but the organization lacks formal capabilities
- Tier 3, Repeatable: Formal policies for risk-management processes and programs are in place enterprise-wide, with partial external collaboration
- Tier 4, Adaptive: Risk-management processes and programs are based on lessons learned and embedded in culture, with proactive collaboration
Why you should adopt the NIST Cybersecurity Framework, PwC, May 2014

Cybersecurity Framework (NIST): Framework Profile ("Profile")
A Profile "represents the [security] outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories."
Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a Current Profile (the "as is" state) with a Target Profile (the "to be" state). The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations.
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
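The Current-versus-Target Profile comparison described above, as an added example (not code from the presentation or from NIST). The Functions and Categories are the ones listed on the NIST Cybersecurity Framework slide; rating each selected Category with a Tier number from the Tiers slide, treating an unselected Category as Tier 1, and the sample profiles are assumptions made for the example.

```python
"""Gap analysis between a Current Profile and a Target Profile.

Added example for the CSF Profile slide. Per-Category Tier ratings and the
sample profiles are assumptions; the Functions and Categories come from the slide.
"""
from typing import Dict, List, Tuple

# The five Functions and their Categories as listed on the NIST CSF slide
CSF_CORE: Dict[str, List[str]] = {
    "Identify": ["Asset Management", "Business Environment", "Governance",
                 "Risk Assessment", "Risk Management Strategy"],
    "Protect": ["Access Control", "Awareness and Training", "Data Security",
                "Information Protection Processes and Procedures"],
    "Detect": ["Anomalies and Events", "Security Continuous Monitoring", "Detection Processes"],
    "Respond": ["Response Planning", "Communications", "Analysis", "Mitigation", "Improvements"],
    "Recover": ["Recovery Planning", "Improvements", "Communications"],
}

TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# A Profile maps (Function, Category) to the Tier the organization rates itself at
Profile = Dict[Tuple[str, str], int]

GapRow = Tuple[str, str, int, int, int]   # function, category, current, target, gap


def validate(profile: Profile) -> None:
    """Reject Categories that are not in the Core or Tiers outside 1..4."""
    for (func, cat), tier in profile.items():
        if cat not in CSF_CORE.get(func, []):
            raise ValueError(f"unknown Category {func}/{cat}")
        if tier not in TIERS:
            raise ValueError(f"Tier must be 1..4, got {tier}")


def gap_report(current: Profile, target: Profile) -> List[GapRow]:
    """Compare the 'as is' and 'to be' states; largest gaps first."""
    validate(current)
    validate(target)
    rows: List[GapRow] = []
    for (func, cat), goal in target.items():
        now = current.get((func, cat), 1)   # assumption: an unselected Category is Tier 1
        if goal > now:
            rows.append((func, cat, now, goal, goal - now))
    # Prioritise by gap size, then alphabetically for a stable, reviewable order
    return sorted(rows, key=lambda r: (-r[4], r[0], r[1]))


def progress(baseline: Profile, current: Profile, target: Profile) -> float:
    """Fraction (0.0 .. 1.0) of the original gap closed by a later reassessment."""
    validate(baseline)
    validate(current)
    validate(target)
    total = sum(max(0, goal - baseline.get(key, 1)) for key, goal in target.items())
    if total == 0:
        return 1.0
    closed = sum(max(0, min(current.get(key, 1), goal) - baseline.get(key, 1))
                 for key, goal in target.items())
    return closed / total


# Constructed sample profiles for a hospital; not from the presentation
BASELINE: Profile = {
    ("Identify", "Risk Assessment"): 2,
    ("Detect", "Security Continuous Monitoring"): 1,
    ("Respond", "Response Planning"): 2,
    ("Protect", "Data Security"): 2,
}
TARGET: Profile = {
    ("Identify", "Risk Assessment"): 3,
    ("Detect", "Security Continuous Monitoring"): 3,
    ("Respond", "Response Planning"): 3,
    ("Protect", "Data Security"): 4,
}
ONE_YEAR_LATER: Profile = {
    ("Identify", "Risk Assessment"): 3,
    ("Detect", "Security Continuous Monitoring"): 2,
    ("Respond", "Response Planning"): 2,
    ("Protect", "Data Security"): 3,
}

if __name__ == "__main__":
    for func, cat, now, goal, gap in gap_report(BASELINE, TARGET):
        print(f"gap {gap}: {func}/{cat}  {TIERS[now]} -> {TIERS[goal]}")
    print(f"progress toward target: {progress(BASELINE, ONE_YEAR_LATER, TARGET):.0%}")
```

The ranked gap list is the prioritisation input the slide mentions; the progress figure is the measurement the slide says the Current Profile supports, and is what a leadership committee would track between assessments.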

Cybersecurity Framework (NIST): Benefits of using the CSF
- Improve cybersecurity: The CSF core is up to date in terms of cyber threats / risks / effective controls, with an emphasis on Detect, Respond, Recover, not just Protect. It is much more up to date and comprehensive than the HIPAA rule.
- Reduce legal exposure: This process can demonstrate due care in case of a breach and federal / state investigation or even lawsuit. The Framework is founded on a presidential order and represents best practices.
- Improve collaboration and communication of security posture with executives and others.
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014

Five Actions to Quickly Reduce Risk of Cyber Crime (Jeff's Quick Wins)
1. Secure configuration
2. Vulnerability management
3. Strong authentication
4. Security monitoring to detect indicators of compromise
5. Incident response capabilities

Common Information Security Threats
Data from the Office of Civil Rights: reported breaches of over 500 records as of Feb. 15, 2015 (category, number of breaches, share)
- Hacking/IT Incident: 84 (7%)
- Improper Disposal: 43 (4%)
- Unknown: 13 (1%)
- No Cause Listed in HHS Data: 3 (0%)
- EMR: 38 (4%)
- Email: 72 (6%)
- Loss: 94 (8%)
- Portable Electronic Device: 100 (9%)
- Paper/Films: 263 (23%)
- Other: 99 (9%)
- Unauthorized Access/Disclosure: 205 (18%)
- Theft: 598 (53%)
- Desktop Computer: 128 (11%)
- Network Server: 138 (12%)
- Laptop: 240 (21%)
www.hhs.gov/ocr

Recently Reported Breaches and Settlement Agreements

Date: 12/2/14
Organization: Anchorage Community Mental Health Services
Description: Breach of 2,743 patient records due to malware infection. "Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis," said OCR Director Jocelyn Samuels. "This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks."
Cost / Penalty: $150,000 settlement amount & corrective action plan

Date: 5/7/14
Organization: New York-Presbyterian Hospital / Columbia University Medical Center
Description: Breach of 6,800 patients of NYP caused by server misconfiguration. A physician employed by CUMC, who developed applications for both NYP and CUMC, attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.
Cost / Penalty: $3,300,000 settlement for NYP; $1,500,000 settlement for CUMC

Recently Reported Breaches and Settlement Agreements

Date: 11/30/11
Organization: Concentra Health Services - Springfield Missouri Physical Therapy Center
Description: Unencrypted laptop stolen from the facility. OCR found that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing ePHI was a critical risk. While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR's investigation further found Concentra had insufficient security management processes in place to safeguard patient information.
Cost / Penalty: On 4/22/14 OCR announced a penalty of $1,725,220, plus costs to deal with the breach. Number of records breached was not disclosed.

Date: 3/4/14
Organization: Boston Medical Center
Description: MDF Transcription Services operated a website which was accessed by physicians to view patient reports. The website was not password protected. 15K patients affected.
Cost / Penalty: Est. cost of $2.8 million based on $188 / record. Vendor fired after 10 yr. relationship.

Recently Reported Breaches and Settlement Agreements

Date: 8/18/14
Organization: Community Health Systems
Description: A cyber attack in April and June 2014 resulted in the theft of an estimated 4.5 million patient records. CHS describes the attack this way: "[CHS] believes the attacker was an Advanced Persistent Threat group originating from China, which used highly sophisticated malware technology to attack CHSPSC's systems. The intruder was able to bypass the company's security measures and successfully copy and transfer some data existing on CHSPSC's systems." They believe that no credit card or medical information was taken.
Cost / Penalty: Estimated cost exceeds $100 million

Date: 6/2/14
Organization: Santa Rosa Memorial Hospital
Description: Unencrypted USB drive containing the PHI of nearly 34,000 patients was stolen from an employee's unlocked locker. The employee had backed up the X-ray records on the unencrypted drive in preparation for their migration to an EMR.
Cost / Penalty: Estimated cost approx. $6.4 million based on $188 / record

Final Omnibus HIPAA / HITECH Rule of 2013
- HITECH = Health Information Technology for Economic & Clinical Health, part of the American Reinvestment and Recovery Act (ARRA) 2009
- Breach Notification: There are new breach notification requirements for all covered entities (CEs). CEs must report most security breaches directly to individuals. If the individual cannot be contacted they must post to the hospital web site or notify local media.
- Large security breaches (500 or more records) must be reported to HHS and prominent media outlets. HHS will post all large breaches to their web site.
- The regulations provide for a safe harbor if data is encrypted or destroyed and not likely to be compromised.
- Omnibus rule of 2013: If data is compromised, notification is required. (Previously, likelihood of harm was considered.)

Breach Notification Risk Assessment
There are four risk assessment factors that must be considered, as set forth in the definition of breach. The four factors are the required factors that must be considered. There may be others the covered entity or business associate should consider as necessary based on particular circumstances related to, or characteristics of, the covered entity or business associate.

Breach Risk Assessment Factors
"Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [HIPAA Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:" [78 Federal Register 5695]

Risk Assessment Factor #1
"The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification."
In the risk assessment, examine the sensitivity of the identifiers involved and the likelihood of re-identification or linkage to other information to determine the probability of impermissible use or disclosure. The identifiers of the individual or of relatives, employers, or household members of the individual are listed at 45 CFR 164.514(b)(2)(i): names, geographic subdivisions, all elements of dates, telephone numbers, social security numbers, MRN, account numbers, etc.

Risk Assessment Factor #1
Note footnote 12 on page 5642 of the Final Rule: "Information that has been de-identified in accordance with 45 CFR 164.514(a)-(c) is not protected health information, and thus, any inadvertent or unauthorized use or disclosure of such information is not considered a breach for purposes of this rule." In other words, de-identified data are without any of the identifiers noted above in (a)-(r).

Risk Assessment Factor #2
"The unauthorized person who used the protected health information or to whom the disclosure was made."
In the risk assessment, examine "whether the unauthorized person who received the information has obligations to protect the privacy and security of the information" [78 Federal Register 5643] and the likelihood of re-identification, to determine the probability of impermissible use or disclosure.

Risk Assessment Factor #2
"The final rule expressly includes a factor that would require consideration of the re-identifiability of the information, as well [as] a factor that requires an assessment of the unauthorized person who used the protected health information or to whom the disclosure was made (i.e., whether this person has the ability to re-identify the affected individuals)." [78 Federal Register 5644]

Risk Assessment Factor #3
"Whether the protected health information was actually acquired or viewed."
In the risk assessment, consider the distinction between actual acquisition or viewing of unsecured protected health information versus the opportunity for the information to be acquired or viewed, to determine the probability of impermissible use or disclosure, as the following example in the Final Rule illustrates: "[I]f a laptop computer was stolen and later recovered and a forensic analysis shows that the protected health information on the computer was never accessed, viewed, acquired, transferred, or otherwise compromised, the entity could determine that the information was not actually acquired by an unauthorized individual even though the opportunity existed." [78 Federal Register 5643]

Risk Assessment Factor #4
"The extent to which the risk to the protected health information has been mitigated."
In the risk assessment, consider "the extent and efficacy of the mitigation" when determining the probability that the protected health information has been compromised [78 Federal Register 5643], as the following example in the Final Rule illustrates: "Covered entities and business associates should attempt to mitigate the risks to the protected health information following any impermissible use or disclosure, such as by obtaining the recipient's satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed, and acknowledge that the recipient of the information will have an impact on whether the covered entity [or business associate] can conclude that an impermissible use or disclosure has been appropriately mitigated."
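The breach notification decision laid out on the Omnibus Rule slide and the four factor slides (de-identified data, the encryption/destruction safe harbor, the presumption of breach unless a low probability of compromise is shown, individual notice with substitute notice when individuals cannot be reached, and HHS plus prominent media for 500 or more records), written out as an added example. It is not code from the presentation. The rule names the four factors but gives no formula for combining them, so the combination in `low_probability_of_compromise` is an assumed, conservative policy; `HIGH_RISK_IDENTIFIERS` is an assumed subset of the 45 CFR 164.514(b)(2)(i) identifier types; the scenarios are constructed.

```python
"""Breach notification decision helper for the four-factor risk assessment.

Added example. The combination rule for the four factors, the high-risk
identifier set and the scenarios are assumptions, not the rule's own text.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed subset of the 164.514(b)(2)(i) identifier types treated as high-risk
# for re-identification or misuse in this example
HIGH_RISK_IDENTIFIERS = {"ssn", "mrn", "account number", "date of birth"}


@dataclass
class Incident:
    records: int                              # individuals whose PHI was involved
    secured: bool = False                     # PHI encrypted or destroyed -> safe harbor
    identifiers: List[str] = field(default_factory=list)   # factor 1: identifier types present
    recipient_obligated: bool = False         # factor 2: recipient bound by privacy/security duties
    recipient_can_reidentify: bool = True     # factor 2: recipient able to re-identify individuals
    forensically_unaccessed: bool = False     # factor 3: evidence PHI was never viewed or acquired
    mitigated: bool = False                   # factor 4: assurances of non-use or destruction obtained
    individuals_reachable: bool = True        # whether individual notice can actually be delivered


def low_probability_of_compromise(inc: Incident) -> bool:
    """Four-factor assessment; the way the factors combine here is an assumed policy."""
    # Factor 3: the Final Rule's recovered-laptop example. PHI never accessed, viewed,
    # acquired or transferred, so the opportunity alone is not a compromise.
    if inc.forensically_unaccessed:
        return True
    # Otherwise every remaining factor must point the same way (conservative):
    sensitive = any(i.lower() in HIGH_RISK_IDENTIFIERS for i in inc.identifiers)      # factor 1
    trusted_recipient = inc.recipient_obligated and not inc.recipient_can_reidentify  # factor 2
    return (not sensitive) and trusted_recipient and inc.mitigated                    # factor 4


def notification_plan(inc: Incident) -> Dict[str, object]:
    """Decide whether the incident is a reportable breach and who must be notified."""
    if not inc.identifiers:
        # Footnote 12: de-identified information is not PHI, so its disclosure is not a breach
        return {"breach": False, "reason": "de-identified data is not PHI", "notices": []}
    if inc.secured:
        return {"breach": False, "reason": "safe harbor: PHI was encrypted or destroyed",
                "notices": []}
    if low_probability_of_compromise(inc):
        return {"breach": False,
                "reason": "low probability of compromise; keep the documented four-factor assessment",
                "notices": []}
    notices = ["affected individuals"]
    if not inc.individuals_reachable:
        notices.append("substitute notice: hospital web site posting or local media")
    if inc.records >= 500:
        notices += ["HHS", "prominent media outlets"]
    return {"breach": True, "reason": "presumed breach of unsecured PHI", "notices": notices}


# Constructed scenarios; the USB and laptop ones echo the incident types on the slides
SCENARIOS = {
    "stolen laptop, recovered, forensics clean":
        Incident(1200, identifiers=["name", "ssn"], forensically_unaccessed=True),
    "stolen encrypted laptop":
        Incident(3000, secured=True, identifiers=["name", "mrn"]),
    "misdirected fax to another clinic, destruction confirmed":
        Incident(1, identifiers=["geographic subdivision"], recipient_obligated=True,
                 recipient_can_reidentify=False, mitigated=True),
    "unencrypted USB drive stolen":
        Incident(34000, identifiers=["name", "mrn", "date of birth"]),
    "report emailed to wrong patient, no current address":
        Incident(12, identifiers=["name", "mrn"], individuals_reachable=False),
}

if __name__ == "__main__":
    for name, inc in SCENARIOS.items():
        plan = notification_plan(inc)
        print(f"{name}: breach={plan['breach']} ({plan['reason']}) notices={plan['notices']}")
```

Two points worth noting for practice: the forensic-evidence branch is the only one that overrides the other factors, which matches the Final Rule example quoted under Factor #3, and every "not a breach" outcome still returns a reason string because the risk assessment itself has to be documented whatever its conclusion.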

Final Omnibus HIPAA Rule of 2013: Fines
- "Willful neglect": conscious, intentional failure or reckless indifference
- Consideration for violations corrected within 30 days
A Comprehensive Summary of the Final Omnibus HIPAA/HITECH Rules: Key Provisions and What They Mean for You, Elizabeth Johnson JD, http://www.poynerspruill.com/publications/pages/summaryofnewhipaarules.aspx

Final Omnibus HIPAA Rule of 2013: Fines
- HHS will investigate all cases of possible willful neglect
- HHS will impose a penalty on all violations due to willful neglect
- HHS may fine any covered entities (CE), business associates (BA), and subcontractors responsible for a violation (it need not select only one party)
- HHS also notes that, in cases of a breach, there often will have been at least 2 violations:
  1. impermissible use or disclosure of PHI
  2. safeguards violation

HIPAA Security Compliance
- Resumption of HIPAA compliance audits in 2014 by OCR (continues to be delayed by OCR)
- Initial target: 350 CEs and 50 BAs (232 providers, 109 health plans, 9 clearinghouses)
- 2 weeks to respond
- Narrowly focused desk audits and some comprehensive onsite audits as resources allow: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
- Target areas include: risk analysis, risk management, breach notification including content and timeliness of the notification, providing patients with Notice of Privacy Practice and access to health information

OCR Audit Protocol

Questions?
Chris Allman, JD, Director of Risk Management, Compliance & Insurance, Garden City Hospital, callman@primehealthcare.com, www.gch.org
Jeff Bell, CISSP, GSLC, CPHIMS, ACHE, Director of IT Security & Risk Services, CareTech Solutions, jeff.bell@caretech.com, @JeffBell_CTS, www.caretech.com