Best Practices in HIPAA Security Risk Assessments



Similar documents
Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

The HIPAA Omnibus Final Rule

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

NEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

Managing data security and privacy risk of third-party vendors

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego

Securing Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use

Healthcare and IT Working Together KY HFMA Spring Institute

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

HIPAA compliance audit: Lessons learned apply to dental practices

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

REGULATORY CHANGES DEMAND AN ENTERPRISE-WIDE APPROACH TO DISCLOSURE MANAGEMENT OF PHI

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind

2/9/ HIPAA Privacy and Security Audit Readiness. Table of contents

COMPLIANCE ALERT 10-12

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Easing the Burden of Healthcare Compliance

Dissecting New HIPAA Rules and What Compliance Means For You

Meaningful Use and Security Risk Analysis

Isaac Willett April 5, 2011

HIPAA Overview. Darren Skyles, Partner McGinnis Lochridge. Darren S. Skyles

Ensuring Privacy & Security of Patient Information

Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2012 HIPAA Privacy and Security Audits

HIPAA Security Risk Analysis for Meaningful Use

ARRA HITECH Stimulus HIPAA Security Compliance Reporter. White Paper

HIPAA Compliance and the Protection of Patient Health Information

InfoGard Healthcare Services InfoGard Laboratories Inc.

HIPAA Audits Are Happening. eroi

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches

Ready or Not: OCR s Second Round of HIPAA Audits Are Just Around the Corner

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

Considering a Move to the Cloud? Key Considerations for Healthcare Institutions

What is required of a compliant Risk Assessment?

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

Preparing for the HIPAA Security Rule

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

A s a covered entity or business associate, you have

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

HIPAA and the HITECH Act

Texas Medical Records Privacy Act

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013

HIPAA Audits and Compliance: What To Expect From Regulators and How to Comply

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use


Increasing Security Defenses in Cost-Sensitive Healthcare IT Environments

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Bridging the HIPAA/HITECH Compliance Gap

Preparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act!

Healthcare Insurance Portability & Accountability Act (HIPAA)

Our Commitment to Information Security

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

The Brave. New World of Healthcare Correspondence. Harnessing the Power of SaaS to Safeguard Patient Data. White paper

2016 OCR AUDIT E-BOOK

HEALTH IT SECURITY AND THE SMALL PROVIDER

HIPAA Overview and updates since HITECH and PPACA

HIPAA Security Rule Compliance

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

What s new In the News Data Breach Discussion The 5 W s Risk Analysis: Why, What, how, When, and Who Common Issues Observed Q / A Session Purdue

HIPAA Compliance and Reporting Requirements

Law Firm Cyber Security & Compliance Risks

Objectives 5/5/2015. Quality Health Associates (QHA) of ND

Patient Privacy and Security. Presented by, Jeffery Daigrepont

HIPAA and HITECH Compliance for Cloud Applications

Data Breach Cost. Risks, costs and mitigation strategies for data breaches

HIPAA Audits Are Here!

Security Is Everyone s Concern:

Strategies for. Proactively Auditing. Compliance to Mitigate. Matt Jackson, Director Kevin Dunnahoo, Manager

HIPAA: Compliance Essentials

HIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September Nashville Knoxville Memphis Washington, D.C.

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

Cybersecurity for Meaningful Use FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013

HIPAA PRIVACY AND SECURITY AWARENESS

The benefits you need... from the name you know and trust

HIPAA Changes Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist.

HIPAA Compliance Guide

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

Business Associate Liability Under HIPAA/HITECH

How to Leverage HIPAA for Meaningful Use

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

Somansa Data Security and Regulatory Compliance for Healthcare

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Lessons Learned from HIPAA Audits

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

Research and the HIPAA Security Rule Prepared for the Association of American Medical Colleges by Daniel Masys, M.D. Professor and Chairman,

Anatomy of a Healthcare Data Breach

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

Arizona State University. HIPAA Compliance. Audit Report Number May 7, 2015

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Surviving a HIPAA Audit: What you need to know NOW So you can cope THEN. Jonathan Krasner

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Transcription:

BUSINESS WHITE PAPER Best Practices in HIPAA Security Risk Assessments Safeguard your protected health information (PHI) and mitigate the risk of a data breach or loss.

WHITEPAPER Best Practices in HIPAA Security Risk Assessments Every healthcare IT director on the planet cringed when they heard about the data breach at Community Health Systems (CHS) in August 2014 that affected 4.5 million patients and is expected to cost the system $100 million by some estimates. Data breaches are crippling to healthcare organizations. They can face millions of dollars in losses due to fines, remediation, and litigiation. Damaged reputations can have a negative impact on community trust, new patient enrollment, and funding. For the healthcare IT leaders entrusted to build and maintain the safeguards, a breach can mean a loss of employment and a stigma that limits long-term career success. The most effective key to avoiding a PHI breach or loss is to regularly conduct security risk assessments (SRA). What s at stake? Your entire business SRAs are designed to help protect against data breaches or loss. By conducting thorough assessments, healthcare providers and business associates can uncover potential weaknesses in their security policies, processes and systems, and remedy them before adverse security events occur. Although conducting regular SRAs may seem onerous, the cost of failing to conduct them and remediate risks is exponential. The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules require organizations that handle health information to routinely review the administrative, physical and technical safeguards they have in place to protect the security of patient health information (PHI). SRAs are also mandatory for providers seeking payment through the Medicare and Medicaid EHR Incentive Program, commonly known as the Meaningful Use Program. Penalties can include millions of dollars in fines, loss of patients, credit monitoring, lost productivity, civil and criminal investigations, and damage to institutional and professional reputations. 2

The Federal Players Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) Coordinates nationwide efforts to exchange health information electronically. Office for Civil Rights (OCR) Enforces the HIPAA Privacy Rule, which protects individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; the HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety. Financial penalties of non-compliance with HIPAA Privacy and Security Rules can cripple healthcare organizations. Penalties for each violation can reach up to $1.5 million. 1 The Office for Civil Rights anticipates collecting $6.5 million in monetary settlements and penalties in 2014. 2 And you can bet that many of those funds will be put toward even stronger enforcement. Three states California, Texas and Massachusetts take enforcement even further. They conduct their own investigations and levy additional civil and criminal penalties and fines to medical practices that have not conducted appropriate audits or have medical privacy breaches. In one of the biggest HIPAA data breaches to date, TRICARE Management Activity, a military healthcare provider reportedly lost backup tapes containing information including patient addresses, Social Security numbers, and clinical data from military beneficiaries electronic health records. 3 The breach affected nearly 5 million individuals. The class action lawsuit sought $4.9 billion in settlement. And don t think for a second that insurance will cover it. Target said in a statement on Aug. 5, 2014, that of its estimated gross breach expenses of $236 million so far, only about $90 million will be covered by insurance. 4 The Wall of Shame Of course, the financial risks don t end there. The cost of losing patients may even be greater. One recent survey found that 30 percent of patients would change caregivers if their PHI were breached. A separate survey found 40 percent would. 5 Losing a third or more of any client base is nearly impossible to rebuild, especially once public trust is eroded. Reputation, the lifeblood of any healthcare organization, is at stake when privacy breaches occur. The Office for Civil Rights regularly updates a list of PHI breaches or losses on its website. The list is known to the healthcare industry as The Wall of Shame, and landing a spot there can lead to disastrous consequences for any healthcare entity. 1. http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html 2. http://www.hhs.gov/ocr/office/about/cj2014.pdf 3. http://www.healthcareitnews.com/slideshow/slideshow-top-10-biggest-hipaa-breaches-unitedstates 4. http://www.databreachtoday.com/hospital-chain-breach-how-expensive-a-7252 5. http://www.esecurityplanet.com/network-security/33-percent-of-consumers-would-change-retailersafter-a-data-breach.html 3

Underfunded and overwhelmed when it comes to security According to CNN 6, 90 percent of hospitals and clinics lose their patients data. They cannot keep up with hackers and are often weighed down by outdated technology. Executives find it difficult to put IT security top of mind because day-to-day business operations are overwhelming. Although SRAs are required, healthcare organizations often struggle with the task. Information technology staff at most healthcare entities are not security experts versed in establishing correct policies, procedures and systems for protecting PHI. Typically, they are technologists with expertise in areas such as software and networking. Changes in trends and technology are further complicating the issue. IT virtualization, mobile computing, social media and offshore outsourcing have created several risk factors for securing and protecting electronic patient data. How can healthcare entities protect data if they are uncertain about where it resides? With an unavoidable mandate and entire businesses at stake, healthcare providers are looking for better ways to conduct SRAs and mitigate the risk of data breaches and losses. There are essentially two options: doing it yourself and outsourcing to an expert. DIY, and why it often falls short Many organizations elect to conduct their SRAs internally. Although this may initially seem like the simplest route, a DIY approach quickly consumes significant time, labor and costs. The time and costs required may spur organizations to abandon their efforts once they discover the level of complexity and labor required. Staff conducting SRAs are often busy with other tasks. And their proximity to the organization s daily routines regarding how it handles patient information increases the risk they ll overlook critical security flaws. Not to mention, internal resources may be wary of pointing out IT deficiencies, because any weaknesses could reflect poorly on the organization and themselves. The federal government offers resources to support the DIY approach. In March 2014, the ONC and OCR unveiled an SRA checklist and reporting tool. Organizations using the tool must download hundreds of questions, a time-consuming endeavor. They then must interpret them without the benefit of extensive security, legal or compliance expertise. Other organizations offer SRA checklists. Although helpful, checklists are designed for guiding healthcare providers in small- to medium-sized offices rather than larger organizations. And while 6. http://money.cnn.com/2014/08/20/technology/security/hospitals-data/ 4

helpful for risk assessment, checklist tools do not supply actionable risk implementation and remediation steps. Although these tools are capable of helping you create reports that can be supplied to auditors, completing a checklist does not ensure compliance. Organizations looking to avoid the scrutiny of OCR and lower their risk of expensive enforcement actions should take several measures, including conducting or updating a risk analysis and taking positive steps to remediate the findings. Entrusting SRAs to experts With so much at stake, healthcare providers may be better off having a third-party expert conduct their SRA and remediate weaknesses before breaches or data loss occur. Options for external assistance include: Contacting a regional extension center (REC) for assistance. RECs were set up to help providers navigate the EHR adoption process from vendor selection and workflow analysis to implementation and meaningful use. Many previously provided assistance in conducting SRAs. But funding for most RECs has dried up. Many are scrambling to stay afloat 7 and have abandoned their assistance for SRAs. Working with a third-party expert that can minimize staff time and business interruption. The firm should be skilled at both conducting assessments and mitigating risks in security policies, processes and systems. Look for a firm with experienced security consultants who know how to drive the process to meet deadlines and deliverables with predictable results. The firm should offer proven, repeatable processes and a structured tool kit. SRA best practices: What to expect When choosing a partner to conduct your SRA, consider the organization s expertise. Your healthcare organization has to be HIPAA compliant your PHI security partner should be, too. The partner should protect patient records with the utmost care and be assessed by the same rules. Find a partner that does not merely assess your privacy and security capabilities, but also has the skills to amplify them. Look for a partner with certifications from the International Association of Privacy Professionals such as CIPP/US, CIPT and CIPM their privacy expertise is unparalleled. Look for providers who live the 7. http://ehrintelligence.com/2014/05/06/himss-sustainability-top-of-mind-for-recs-as-funding-dries-up/ 5

daily rigor of proactive security operations with CISSP-certified personnel. Next, dig into vendors processes and procedures. In addition to inquiring about certifications, ensure that your third-party partner is healthcare-specific and keenly focused on healthcare compliance. The partner should know OCR audit protocols. Check to see if clients who have been audited have met or exceeded their audit requirements. The provider should work with leading healthcare law firms in support of clients breach notifications, remediation strategies and forensic discovery. Ask if they have HIPAA security and privacy subject matter expertise for both the primary entity and its business associates. Make sure the firm acts as an official business associate, subject to the same level of Security and Privacy Rule requirements of a covered entity. As a business associate, the firm must maintain the highest degree of HIPAA compliance and knowledge. It should be able to unequivocally deliver an SRA that meets all HIPAA and Meaningful Use requirements. Be certain the partner you select offers exemplary processes, deliverables and follow-on remediation options. As a start, the SRA should include: Review of PHI inventory to determine where electronic and other data is located Examination of the three safeguards required by 45 CFS 164.308 (a)(1) administrative, physical and technical. (Be sure that organizational safeguards such as the Business Associate Agreement with last year s Omnibus Rule changes, are also established, a facet that many assessment providers overlook) Assessment of current HIPAA security compliance operations including safeguards in place, as well as vulnerabilities and specific threats to safeguards Evaluation of existing security policies and procedures Finally, the SRA provider should provide a comprehensive, auditready report with findings and recommendations that includes detailed vulnerabilities and remediation recommendations. Remediation may include outsourcing disaster recovery, backup and restore processes, information hosting, and perimeter testing through a HIPAA-compliant, cloud-based infrastructure. With this 6

Business Associate Agreements/Omnibus Rule of 2013 The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule. option, both IT and security burdens are offloaded to seasoned experts. Conclusion Medical data security breaches can and do put healthcare organizations out of business, making security risk assessment a priority that cannot be ignored. Engaging with external security experts can help meet mandatory HIPAA and Meaningful Use requirements while easing internal burdens. For most healthcare organizations, offloading security and data management provides a tremendous opportunity. By outsourcing SRAs, healthcare providers can focus on their core competency providing superb care to patients. After all, data security and IT vulnerability responsibilities are better delegated to seasoned experts. To speak with an SRA consultant call (888) 899-2066 or visit www.cleardata.com for more information. v 20141016

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information