HIPAA Security: How to avoid becoming the next HIPAA Headline Marion K. Jenkins, PhD, FHIMSS Executive Vice President Healthcare 3t Systems Adjunct Faculty HC IT University of Denver MGMA Annual Meeting, October 2013 Outline Learning objectives Who is 3t Systems (not a commercial) HIPAA Overview brief history, key definitions, examples of breaches to date Overview of Security Rule specifications Administrative; Physical; Technical; Omnibus Anatomy of an actual HIPAA breach Next steps and action items for practices Questions/discussion 2 Learning Objectives 1. Identify the primary HIPAA risks and determine how to address them 2. Describe how HIPAA compliance can make your practice more functional 3. Avoid the primary pitfalls identified in most HIPAA assessments 3 1
Who is 3t Systems (for info/background not a commercial) Leading healthcare IT systems integrator based in Colorado: Consulting services Managed services Medical grade cloud hosting Over 200 healthcare IT projects throughout US Large physician practices, multi location clinics, acute care, children s hospitals behavioral health, surgery centers, urgent/emergent care 4 Some macro numbers HHS reported HIPAA breaches since 2009 There have been nearly 650 breaches that have involved 500 or more records Total is over 22 million patient records affected Largest is 4.9 million records (USAF contractor) Smallest reported breach (and not on this list) is 441 records (Hospice of Northern Idaho) Largest pending judgments are $3 4 BILLION (Sutter Health, California) and against SAIC (USAF) 5 HIPAA A Brief History HIPAA signed by President Clinton in 1996 Primary purpose was to make HC insurance portable Governed paper records Massive increase in administrative burden to HC Massive efforts on compliance and training HIPAA Security became effective in April 2005 Most people were unaware or chose to ignore it They assumed IT had it taken care of Thought it was something they had already done 6 2
ARRA/HITECH Act 2009 Part of Meaningful Use stimulus up to $54K/ $63K for physicians, millions of $$ for hospitals to adopt EHRs (Medicare/Medicaid) Max fines increased from $50,000 to $1.5 million Fines apply regardless of: Whether docs/facilities are seeking MU funds Whether docs/facilities qualify for MU funds (e.g., Ambulatory Surgery Centers, self pay, etc.) Whether the facility has or uses an EHR 7 2013 Omnibus rule Max fines remain at $1.5 million Significant expansion of what constitutes a covered entity and who must comply Significant increase in breach notification requirements Increased enforcement, training of state Attorneys General, random audits (e.g., KPMG) Civil penalties can also be imposed Must keep all documents for 6 years 8 Potential risks to Covered Entity Huge fines by HHS (Office of Civil Rights) Usually must compensate victims for damages (ongoing credit monitoring services) If breach involves >500 records, entity must contact the local media (negative exposure) Civil penalties (Sutter Health in CA facing a $4 Billion class action lawsuit) Loss of productivity: investigation/remediation Public relations nightmare 9 3
HIPAA Chapter and Verse* HIPAA is contained in the Federal Register, CFR Parts 160, 162 & 164: Section 164.308 Administrative Section 164.310 Physical Section 164.312 Technical Section 164.314 Business Associate Arrangements Section 164.316 Policies and Procedures Documentation *More than 500 pages! 10 What does HIPAA Security* Say? The HIPAA Security Rule requires you to protect and secure all electronic protected health information (ephi) against: accidental or intentional causes of: unauthorized access, theft, loss or destruction, from either internal or external sources. * HIPAA Security governs electronic records. HIPAA Privacy governs paper records 11 HIPAA Security Graphical Representation Theft Loss Internal Threats Improper Access EPHI Destruction External Threats Accidental CAUSES Intentional Source: internally produced graphic 4
Definition of ephi ephi is patient health information which is computer based (i.e., created, received, stored, maintained, processed and/or transmitted in, on or through any form of electronic means). Electronic media includes computers, laptops, memory sticks, USB drives, smartphones, PDAs, servers, data storage systems, backup tapes, disk drives, network systems, email, websites, digital printers/copiers/scanners, etc. 13 Examples of ephi NAME (or anything that could identify a patient and/ or connect them to a clinic or a provider), and/or some or any of the following: Demographic data (e.g., address, date of birth, sex) Medical record number, account number, SSN Date of service (e.g., treatment, admission, discharge) Ancillary medical records or components: reports, images, test results, progress notes, treatment plans, dictation files, or anything similar (including partial records) 14 Unlikely locations of ephi ephi is not just confined to an EHR: Emails (including server stores and local caches/pst) Reports, documents, letters, spreadsheets etc. created by or maintained in a practice or hospital Faxes/scans (today s printer/copiers p MFPs store images of scans and faxes on internal hard drives) PDF s and other static instances of data File shares, databases, backups Ancillary files labs, imaging, file attachments Scanned/attached or other external medical records Tweets, blogs, social media posts, phone photos 15 5
Things HIPAA doesn t say Length/complexity/change cycle of passwords Timeout or logoff time interval Type of encryption (e.g., technically WEP for WiFi is actually HIPAA compliant) Version of OS such as Win 7, Svr 08 or higher (HIPAA doesn t name vendor names/products) Actually doesn t mention laptops (or tablets, SmartPhones, PDAs, etc.), just workstations 16 HIPAA Security is a good thing Most HIPAA Security requirements are best business and IT practices, and help protect any vital data from theft/loss/hacking/destruction Implementing them makes HC facilities, and basically all businesses, more secure Cybersecurity legislation is in the works at both state/federal levels that is patterned after HIPAA Security and will likely govern all businesses eventually 17 3 Categories of Safeguards Administrative Safeguards Policy/staff/training issues mostly HR and legal, although some are definitely technical Physical Safeguards Mostly facility and operational Technical Safeguards Technology and systems mostly IT stuff Omnibus rule (2013) adds new requirements 18 6
Required versus Addressable Required self evident your organization must comply with the requirement (although there is no single right way specified to do so). Addressable you must determine if the require ment is pertinent to your organization and either comply or document good cause as to why not. Cost is not a valid reason to be non compliant. You are Required to address the Addressable ones. (So basically everything is required) 19 Administrative Safeguards 23 specifications, 12 of which are required Mostly concerns policies and procedures Don t be fooled because it s paperwork these safeguards are VERY IMPORTANT! Example required safeguards Establish a Security Officer and reporting system Conduct a complete system assessment Establish procedures to address potential risks 20 Physical Safeguards 10 specifications, 4 of which are required Mostly deals with physical access/security Examples of required safeguards: Establish physical security proceduresfor all devices Establish security procedures for use, re use and disposal of media (hard drives, USB, tapes, etc.) Establish data backup procedures to make an exact copy of ephi 21 7
Technical Safeguards 9 specifications, 4 of which are required Mostly deals with true I.T. stuff Examples of required safeguards: Assign a unique identifier to track user identity Implement mechanisms that record and examine activity in information systems containing ephi Implement methods to authenticate workforce access ( hard user names/passwords, principle of least privilege) 22 Is this the biggest HIPAA threat? 23 No, this is the biggest HC threat: By far, the largest number of threats are caused by, or enabled by, internal users office and clinical staff 24 8
Some recent HIPAA headlines Theft of physician laptop from Hawaii condo causes 3 rd HIPAA breach at Oregon HC unit Stanford Children s has 4 th HIPAA breach laptop stolen from physician s car Mass General fined $1.3 Million (178 records) UCLA settles celebrity snooping HIPAA case for $865 million. Tom Cruise, Farah Fawcett. Hospice of Northern Idaho fined $50K for breach involving only 441 records 25 What the HHS Breach Numbers Say Email 2% Desktop 2% Tapes 1% USB 1% Server 8% Loss 8% Stolen 4% Hacking 5% Keyword Search workstation 0% Theft 32% Conclusion the key words: + Theft + Laptop + Computer + Portable + Loss Are involved in the description of over 75% of all breaches Portable 8% Computer 12% Laptop 17% Source of data: http://www.hhs.gov/ocr/privacy/hipaa/ administrative/breachnotificationrule/b reachtool.html 26 Location of breaches Location of Breached Information "Dekstop computer" 4% "Email 3% "EMR" 2% Conclusion the following locations: "Other 10% "Network server 10% "Computer 11% "Laptop 25% "Paper 23% + Laptop + Paper + Portable + Computer Total nearly 75% of all breaches "Other portable elctronic device" 12% Source of data: http://www.hhs.gov/ocr/privacy/hipaa/ administrative/breachnotificationrule/b reachtool.html 27 9
HHS Types of breaches Unknown 1% Other 2% Improper disposal 5% Type of Breach Type of breach 0% Conclusion the following types of breaches: Hacking/IT Incident 6% Loss 12% Unauthorized access 19% Theft (including theft + other causes) 55% + Theft (+ other issues) + Unauthorized access + Loss These outnumber hacking/it incident by over 10 : 1 margin Source of data: http://www.hhs.gov/ocr/privacy/hipaa/ administrative/breachnotificationrule/b reachtool.html 28 HIPAA is Very Real Anatomy of a HIPAA Breach close to home 29 You don t want to get one of these nasty grams Source of data: Personal files; used with permission 30 30 10
More bad news only 15 days to respond; threatened penalties 31 31 Even more bad news Freedom of Information Act may make this public 32 32 Prior to 2/2009: Up to $100 per violation $25,000/year cap After 2/2009: $100 to $50K per violation $1.5 MILLION/year cap 33 11
Yikes! 34 Call to action for practices Develop an ongoing culture of HIPAA awareness Do a HIPAA Risk Assessment (required for both Stage 1 and Stage 2 MU) Remediate issues as needed Cybersecurity legislation is in the works that is patterned after HIPAA and will affect all businesses, similar to healthcare 35 Biggest risks Portable devices Laptops(including notebooks, tablets, etc.) Workstations USB drives Email, especially with attachments Files outside of your EHR (letters, reports, spreadsheets, etc.) Unpatched systems (Windows XP and Server 2003 are being dropped in early 2014) 36 12
Best remediation ideas Set up IT systems where no data is stored on local/portable devices (e.g., secure cloud) Use encrypted email (not Hotmail, Gmail, etc.) Hire professional IT partners (ask your IT vendor to spell HIPAA and explain it) Assess systems, remediate issues, train staff Rinse and repeat 37 Review of Objectives 1. Identify the primary HIPAA risks and determine how to address them 2. Describe how HIPAA compliance can make your practice more functional 3. Avoid the primary pitfalls identified in most HIPAA assessments 38 Questions/Discussion 13
More information: Marion K. Jenkins, PhD, FHIMSS Executive Vice President healthcare 3t Systems marion.jenkins@3tsystems.com 303.991.8296 14