Security Compliance, Vendor Questions, a Word on Encryption
Alexis Parsons, RHIT, CPC, MA
Director, Health Information Services; Security/Privacy Officer
Shasta Community Health Center
aparsons@shastahealth.org
Agenda
Security Rule Requirements
A Look at NIST
A Word on Encryption
Vendor Questions
Strategies for Success
Security Rule Requirements
Learn what is addressable vs. what is required, as defined by the HIPAA Security standards
Understand what policies and procedures must be in place for compliance
Learn the integral parts of a successful HIPAA Security Compliance Plan
Learn how to create and maintain an audit program for verification and validation of security controls
Create Awareness
DHHS Reported Breaches Affecting More Than 500 Individuals, 2010/2011
385 reported breaches, ~19M individuals affected
[Pie chart: share of reported breaches by medium: Backup Tapes; Computer; Electronic Medical Record; E-mail; Laptop and other portable device; Network Server; Other; X-Ray Film; Paper]
Source: Breaches Affecting 500 or More Individuals (HHS "Wall of Shame"), http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.htm
Breach of Protected Health Information
US Dept. of Health and Human Services reported data breaches, September 2009 to December 2012: 19M individuals have been affected
[Bar chart: number of affected individuals by breach medium: Backup Tapes; Computer; Electronic Medical Record; E-mail; Laptop and other portable device; Network Server; Other; X-Ray Film; Paper]
So Why is EHR Security Important?
Because everyone cares about the privacy and integrity of their health information. In most cases, the point of computer security is to prevent personal health information from falling into the wrong hands or being inadvertently altered or destroyed.
Don't be complacent; drill down on security issues today. Look in every corner of your organization.
What is a breach?
California State Law: unlawful or unauthorized access to, and use or disclosure of, patients' medical information, whether electronic, paper, or oral.
Federal Regulations: the acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI.
KEY POINTS
Practices need to ensure that their current computer security complies with the HIPAA Security standards that took effect April 21, 2003.
Physicians should take responsibility for understanding how health information technology is used in their practice.
By taking a proactive approach to your computer security now, you will be able to detect and prevent trouble later.
There is no one-size-fits-all approach to computer security.
Compliance and Confidence
Confidence is essential to patients and to your organization.
A Ponemon Institute research report completed in December 2011 found that respondents have little or no confidence that their organization has the ability to detect ALL data breaches.
The study found that the general perception is that EHR systems have made no difference to the security of patient data.
Privacy and Security Benchmark Study Findings*
Data breaches in healthcare organizations are on the rise
Widespread use of mobile devices is putting patients at risk
Despite policies and federal mandates, unauthorized access to patient information is not a priority in many organizations
Diminished productivity and financial consequences can be severe when a data breach incident occurs
Medical identity theft poses a greater risk to patients
*Ponemon Institute Research Report, December 2011
Breach Examples
Emailing PHI OUTSIDE of the organization (if unencrypted)
Texting PHI to another mobile device (if unencrypted)
A laptop containing PHI, in your possession, is lost or stolen (if unencrypted)
A flash drive containing PHI, in your possession, is lost or stolen (if unencrypted)
Electronic equipment containing PHI is improperly disposed of (if unencrypted)
Enforcement is on the Upswing!
$1B class-action lawsuit - Sutter Health
$20M lawsuit against Stanford Hospital
$865K Resolution Agreement - UCLA Health
$4.8B - TRICARE Health Management sued
$4.3M for violation of the HIPAA Privacy Rule - Cignet Health
$625K and counting since 2009 - Health Net
DELAY in notification following a data breach brings action by the Attorney General - Wellpoint
Civil Penalty Violations
Accidental (did not know): $100 each violation; up to $25,000 for identical violations, per year
Not willful neglect, but not accidental (reasonable cause): $1,000 each violation; up to $100,000 for identical violations, per year
Willful neglect (corrected): $10,000 each violation; up to $250,000 for identical violations, per year
Willful neglect (not corrected): $50,000 each violation; up to $1.5 million for identical violations, per year
Security Rule Overview
PHI Defined
HIPAA Privacy Rule: Protected Health Information (PHI) is individually identifiable health information that is transmitted or maintained in any form: paper, electronic, or verbal/oral.
PHI Defined Under the HIPAA Security Rule
ePHI, or electronic Protected Health Information, is patient health information which is computer based, i.e., created, received, stored or maintained, processed and/or transmitted in electronic media.
Electronic media includes computers, laptops, disks, memory sticks, PDAs, servers, networks, dial-up modems, e-mail, websites, etc.
How Secure is your ePHI?
The Security Rule requires covered entities to:
Ensure the CIA (Confidentiality, Integrity, and Availability) of all ePHI created, received, maintained or transmitted
Protect against reasonably anticipated threats or hazards to the security and integrity of ePHI, e.g., hackers, viruses, and backup failures
Protect against reasonably anticipated unauthorized uses or disclosures
Compliance Program Elements
1. Appointment of an official to oversee the program (Privacy and Security Officer)
2. Set standards of expected conduct (Policies and Procedures)
3. Training, education, and awareness (Training)
4. Process for receiving reports of violations (Incident Reporting)
5. Response to reports (Incident Response)
6. On-going auditing and monitoring for compliance (Audits and Evaluation)
7. Take appropriate corrective actions (Sanctions, risk management, security controls, etc.)
HIPAA Security Rule
Published February 2003
Contains Standards and Implementation Specifications
Standards are divided into 5 categories: Administrative Safeguards; Physical Safeguards; Technical Safeguards; Organizational Requirements; Policies and Procedures/Documentation Requirements
Implementation Specifications provide flexibility depending on the size and complexity of the organization; each is either Required or Addressable
Implementation Terms
Required (R): must be performed by ALL Covered Entities
Addressable (A): Covered Entities have additional flexibility in how to satisfy the requirement (addressable does not mean optional)
Security Standards
Information Security means ensuring the confidentiality, integrity, and availability of information through safeguards.
Confidentiality: information will not be disclosed to unauthorized individuals or processes.
Integrity: the condition of data or information that has not been altered or destroyed in an unauthorized manner; data from one system is consistently and accurately transferred to other systems.
Availability: the data or information is accessible and usable upon demand by an authorized person.
Administrative Safeguards
Administrative Safeguards: non-technical measures that an organization's management establishes: policies, standards, guidelines, procedures.
Administrative safeguards comprise over half of the HIPAA Security requirements.
Physical Safeguards
Physical Safeguards: physical measures, policies and procedures to protect a CE's electronic information systems, buildings and equipment.
Physical access: key locks, visitor sign-in sheets, window access
Workstation Use/Security: prevent theft and unauthorized access
Device/Media controls: removable disks
Technical Safeguards
Technical Safeguards: the technology, and the policies and procedures for its use, that protect ePHI and control access to it.
The Rule leaves it to the CE to determine which type of technology it implements.
The Rule allows the CE to use any security measures that are reasonable and appropriate based on the organization's structure.
Addressable Implementation Specifications
For each addressable implementation specification, a Covered Entity must do one of the following:
Implement the addressable implementation specification
Implement one or more alternative security measures that accomplish the same purpose
Implement a combination of both
Determine that the implementation specification does not apply to its situation (and document the rationale)
Addressable Implementation Specifications
The entity must decide whether a given addressable implementation specification is reasonable and appropriate to apply within its security framework. The decision depends on a variety of factors, including:
The entity's risk analysis
The entity's risk mitigation strategy
Security measures already in place
Cost of implementation
If a given addressable implementation specification is determined to be reasonable and appropriate, it must be implemented.
Security Standards: Administrative Safeguards
Security Management Process (164.308(a)(1))
Risk Analysis (R): Worksheet 1, identification of software; Worksheet 2, threat assessment; Worksheet 3, description of uses, hardware/software
Risk Management (R)
Sanction Policy (R) [Information Security and Privacy Violation policy]
Information System Activity Review (R)
Security Standards: Administrative Safeguards (continued)
Assigned Security Responsibility (164.308(a)(2)) [Security Officer policy]
Workforce Security (164.308(a)(3))
Information Access Management (164.308(a)(4))
Security Awareness & Training (164.308(a)(5))
Document, document, document!! If it wasn't documented...
Security Standards: Administrative Safeguards (continued)
Security Incident Procedures (164.308(a)(6))
Contingency Plan (164.308(a)(7))
Evaluation of Security Compliance (164.308(a)(8))
Business Associate Contracts & Other Arrangements (164.308(b)(1))
PHYSICAL SAFEGUARDS
Facility Access Controls (164.310(a))
Workstation Use (164.310(b))
Workstation Security Policy (164.310(c))
Device & Media Controls (164.310(d))
TECHNICAL SAFEGUARDS
Access Control (164.312(a))
Audit Controls (164.312(b))
Integrity (164.312(c))
Person or Entity Authentication (164.312(d))
Transmission Security (164.312(e))
NIST and EHR
ARRA emphasized the need for the US to move toward use of EHRs.
To encourage widespread adoption of interoperable health information technology, the legislation called for ONC, in consultation with NIST, to recognize a program for certification of Health Information Technology.
NIST developed functional and conformance testing requirements, test cases, and test tools in support of the health IT certification program (http://healthcare.nist.gov/use_testing/effective_requirements.html).
NIST publishes several Special Publications that can assist with compliance with the HIPAA regulations (e.g., SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule, and SP 800-111 on storage encryption).
Security Rule Compliance
"Difficulties mastered are opportunities won." - Winston Churchill
CMS Security Rule Audits: Focus Areas
Risk analysis and management
Security training
Physical security of facility and mobile devices
Off-site access and use of ePHI from remote locations
Storage of ePHI on portable devices and media
Disposal of equipment containing ePHI
Business associate agreements and contracts
Data encryption
Virus protection
Technical safeguards in place to protect ePHI
Monitoring of access to ePHI
CMS Key Audit Findings (2008 and 2009)
Insufficient Risk Analysis (164.308(a)(1)(ii)(A))
Inadequate Security Awareness and Training (164.308(a)(5)(i))
Lack of Current and Adequate Policies and Procedures (164.308(a)(8))
o Policies and procedures did not address the HIPAA Security Standards and Implementation Specifications
o Policies and procedures were inconsistent with the procedures actually followed by CE personnel
CMS Key Audit Findings (continued)
Workforce Clearance (164.308(a)(3)(ii)(B))
o Personnel given access to ePHI who do not have a reasonable and appropriate need
Workstation Security (164.310(c))
Encryption (164.312(a)(2)(iv))
o Lost media not encrypted
Insufficient Business Associate Contracts (164.308(b)(1))
Risk Analysis Audit Findings
Risk Analysis (164.308(a)(1)(ii)(A))
o CE did not perform a risk assessment
o CE did not have a formalized, documented risk assessment process
o CE had outdated risk assessments
o CE did not address all potential areas of risk (incomplete)
Risk Assessments?
Polling question: Has your organization conducted an assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information?
Where's Waldo?
Breach Safe Harbor
PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized individuals is not subject to breach notification.
Valid encryption processes are established for data at rest and data in motion (guidance issued by HHS, referencing NIST publications).
Providers are not required to follow the guidance.
o If the specified methodologies ARE used, a lost or stolen device does not constitute a notifiable breach.
Caveat: the safe harbor holds only if the decryption key was not also compromised, e.g., a key stored on the same lost device.
2012 HIPAA Audits
A Word About Encryption: Audit Findings
Encryption and decryption (164.312(a)(2)(iv), addressable): implement a mechanism to encrypt and decrypt electronic protected health information.
2008: encryption was not implemented consistently.
2009: no negative findings on encryption; room for improvement in the formal policies and procedures which addressed encryption.
Encryption may evolve to a Required standard; for now it is "reasonable and appropriate".
Encryption Strategies for Success
Create an inventory of all devices containing ePHI, including mobile devices
Develop encryption policies: what gets encrypted, and to what strength?
Implement strong encryption on all devices
Implement Whole Disk Encryption (WDE)
o Use FIPS 140-2 validated solutions
Communicate to your workforce
Encryption & Integrity
Where is ePHI stored?
Is data at rest and in transit encrypted?
o What type of encryption is used?
Is there a firewall?
What anti-virus protection is used?
o When and how is it updated and monitored?
Are any other integrity controls used?
Vendor Points to Remember
Duties of the vendor that impact providers: quality/effectiveness; guaranteed up-time; HIPAA Privacy and Security compliance; record keeping; transferability/exchange; assistance upon termination.
The vendor must represent and warrant the functionality of the system.
The vendor must also represent that the system meets the requirements of the various standards required under HIPAA.
Vendor Presentations Whenever possible, ask to see a live demonstration rather than a canned one. Have the right people in the room; whether for an RFP process or the mapping of workflow; include representatives of providers, nurses, medical assistants, IT, security/privacy, front desk, billing, etc. The feedback they will provide from their unique perspectives will be invaluable, and well worth the up front investment of their time.
Suggestions for Software Demonstrations
How does the EHR restrict bills from being sent to patients' homes in the case of minor patients consenting to their own treatment?
How does the EHR restrict billing to health plans in accordance with patient requests and the new HITECH HIPAA requirements?
What functions does your EHR have to specially protect (i.e., restrict access to) certain patient data (e.g., substance abuse, mental health, minor-consented health information)?
Demonstrations and Documentation
Ask to see the auditing functions. Are they understandable?
o Who has access to these features?
o Is this limited?
Ask to see how difficult it is to:
o 1) provide an electronic copy of patient data;
o 2) provide a paper copy of patient data, and how access to those features is configured
What training and documentation does the vendor provide for these features?
Vendor Questions: System Access
Role (or user) based access
o Does the system allow the organization to create and assign different access roles (to meet minimum necessary requirements)?
o Or does the vendor assign them?
User modifications and terminations: does the organization or the vendor do this?
Can access to certain types of records be locked so that certain roles are not able to access them (i.e., sensitive records such as mental health, AODA (alcohol and other drug abuse), etc.)?
Authentication
What type of authentication is used? User ID and password, or other two-factor?
o Does the system work with fingerprint or ID badge sign-on applications?
o Does the system work with single sign-on applications?
Passwords
o Strength: at least 8 characters, alphanumeric, and require a special character?
o Frequency of change? Is this forced by the application, or something the organization can change?
o Users may not reuse their previous 6 passwords?
o Users forced to change password after first log-in?
o What are the default settings?
o Can settings be changed by users and/or the organization, or only by the vendor?
Audit Trails
User access
o What details are included on the audit trail?
o Is it easy to manipulate the data?
o How long are audit reports maintained?
o How easy is it to access metadata in the case of a subpoena?
Log-in monitoring
o Are there system event logs? Who monitors them?
o Can alerts be sent?
o Does the system lock accounts after 3 unsuccessful
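A vendor that answers "yes" to the password questions above and to the lockout question under Log-in monitoring is describing logic like the following. This is an added illustration written for this page, not code from any EHR vendor or from the presentation. The policy values (8-character minimum with a letter, a digit and a special character; no reuse of the 6 most recently used passwords; forced change after first log-in; lockout after 3 consecutive failures) are taken from the slides and should be read as configurable settings, not as the text of the Rule. The PBKDF2 iteration count, the hypothetical `Account` class and the result strings are assumptions made for the example.

```python
"""Password policy, password history and failed-login lockout (added example)."""
import hashlib
import hmac
import secrets
import string

# Policy settings taken from the vendor questions on the slides; the iteration
# count is an assumption for the example (raise it for production use).
MIN_LENGTH = 8
HISTORY_DEPTH = 6            # the 6 most recently used passwords may not be reused
MAX_FAILED_ATTEMPTS = 3      # lock the account after 3 consecutive failures
PBKDF2_ITERATIONS = 100_000
SPECIAL_CHARS = set(string.punctuation)


def check_complexity(password: str) -> list:
    """Return the policy rules the candidate password violates (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256. Only the (salt, digest) pair is ever stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class Account:
    """One user account with password history, first-login flag and lockout counter."""

    def __init__(self, username: str, initial_password: str):
        self.username = username
        self.history = [hash_password(initial_password)]   # oldest first, current last
        self.must_change = True      # vendor- or admin-issued password: change on first log-in
        self.failed_attempts = 0
        self.locked = False

    def _current(self) -> tuple:
        return self.history[-1]

    def login(self, password: str) -> str:
        """Return 'ok', 'change_required', 'denied' or 'locked'."""
        if self.locked:
            return "locked"
        if verify_password(password, *self._current()):
            self.failed_attempts = 0
            return "change_required" if self.must_change else "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True      # an administrator, not the user, must unlock
            return "locked"
        return "denied"

    def change_password(self, old: str, new: str) -> list:
        """Apply complexity and history rules; return the violations (empty list = changed)."""
        if not verify_password(old, *self._current()):
            return ["current password incorrect"]
        problems = check_complexity(new)
        if any(verify_password(new, s, d) for s, d in self.history[-HISTORY_DEPTH:]):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        self.history.append(hash_password(new))
        self.history = self.history[-HISTORY_DEPTH:]   # keep only what the reuse check needs
        self.must_change = False
        return []
```

Two points worth raising with a vendor against this model: the lockout counter resets only on a successful log-in, so an attacker cannot reset it, and the history check compares against stored salted hashes rather than keeping old passwords in clear, so a breach of the history table does not expose previous passwords.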
General Security
Are all of the security features on by default, or is this controlled by the organization?
Are there any interdependencies that will impact the confidentiality, integrity, and/or availability of ePHI?
Have all the security features been tested for reliability? What did the tests show about performing the function correctly, accurately, and with integrity?
What other types of security and system support do you provide?
Will any of this security cost more, or does it come with the system? Including support?
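The Audit Trails questions above ask whether the audit data is easy to manipulate, and the General Security questions ask what testing showed about integrity. One design that makes manipulation detectable is a hash-chained, keyed audit log, shown here as an added example written for this page (not code from any EHR product or from the presentation). The audit key, the field names, the hypothetical `AuditTrail` class and the sample entries are constructed for illustration.

```python
"""Tamper-evident audit trail for ePHI access (added example)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key for the example. In a real deployment the audit key lives
# where application users and database administrators cannot read it
# (an HSM, a KMS, or a separate logging host); otherwise tags can be recomputed.
AUDIT_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def _tag(key: bytes, prev_tag: str, fields: dict) -> str:
    """HMAC-SHA256 over the previous entry's tag plus this entry's canonical JSON."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, prev_tag.encode("utf-8") + canonical, hashlib.sha256).hexdigest()


class AuditTrail:
    def __init__(self, key: bytes = AUDIT_KEY):
        self.key = key
        self.entries = []   # append-only list of dicts; each carries its own tag

    def record(self, user: str, role: str, patient_id: str, action: str,
               source_ip: str, timestamp: datetime = None) -> dict:
        """Append one access event: who, in what role, which patient, what action, from where, when."""
        when = timestamp or datetime.now(timezone.utc)
        fields = {
            "seq": len(self.entries),            # position in the chain; catches deletions
            "timestamp": when.isoformat(),
            "user": user,
            "role": role,
            "patient_id": patient_id,
            "action": action,
            "source_ip": source_ip,
        }
        prev_tag = self.entries[-1]["tag"] if self.entries else ""
        entry = dict(fields, tag=_tag(self.key, prev_tag, fields))
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple:
        """Walk the chain; return (True, None) or (False, index of the first bad entry)."""
        prev_tag = ""
        for index, entry in enumerate(self.entries):
            fields = {k: v for k, v in entry.items() if k != "tag"}
            expected = _tag(self.key, prev_tag, fields)
            if fields.get("seq") != index or not hmac.compare_digest(expected, entry["tag"]):
                return False, index
            prev_tag = entry["tag"]
        return True, None

    def accesses_to(self, patient_id: str) -> list:
        """The question a privacy officer asks first: who touched this chart?"""
        return [e for e in self.entries if e["patient_id"] == patient_id]
```

Editing any field, reordering, or deleting an entry in the middle changes the expected tag of that entry and of every later one, so `verify` points at the first damaged position. Two limits to state plainly when reviewing a vendor's design: silently dropping entries from the end of the chain is not detectable from the chain alone (anchor the latest tag periodically in a separate system or on write-once storage), and the scheme is only as strong as the secrecy of the key.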
What Not to Do
Don't give staff more rights than they need because it is easier than arguing. Look at all of the rights and permissions in every corner of your system administration console; understand each element and assign rights based on minimum necessary.
Don't wait! It is much easier to do the hard work now than to try to fix it later.
Talk to staff; ask lots of questions about what they do. Ask about workflow.
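The System Access questions earlier (roles the organization creates to meet minimum necessary, and sensitive record types that can be locked away from certain roles) and the "don't give staff more rights than they need" point above describe the same control. The following is an added example written for this page, not code from any EHR vendor or from the presentation. The role names, the permission table, the restricted categories and the patient records are constructed; the design choice being illustrated is that a restricted category requires both a role permission and an explicit, documented per-user grant, with everything else denied by default.

```python
"""Deny-by-default, minimum-necessary access to record categories (added example)."""
from dataclasses import dataclass, field

# Record categories the organization has chosen to lock: a role permission alone is
# not enough; the user also needs an explicit grant that someone approved and documented.
RESTRICTED_CATEGORIES = {"mental_health", "aoda", "minor_consented"}

# Minimum necessary per role. Constructed for the example; in practice the
# organization, not the vendor, owns this table and reviews it periodically.
ROLE_PERMISSIONS = {
    "front_desk": {"demographics": {"read", "update"}, "scheduling": {"read", "update"}},
    "billing":    {"demographics": {"read"}, "billing": {"read", "update"}},
    "nurse":      {"demographics": {"read"}, "clinical_notes": {"read", "update"},
                   "medications": {"read", "update"}},
    "provider":   {"demographics": {"read"}, "clinical_notes": {"read", "update"},
                   "medications": {"read", "update"}, "mental_health": {"read", "update"},
                   "aoda": {"read", "update"}, "minor_consented": {"read", "update"}},
}


@dataclass
class User:
    name: str
    role: str
    restricted_grants: set = field(default_factory=set)  # restricted categories this user may open


@dataclass
class Record:
    patient_id: str
    category: str


def authorize(user: User, record: Record, action: str) -> tuple:
    """Return (allowed, reason). Each denial reason is phrased so the audit log can keep it."""
    permitted_actions = ROLE_PERMISSIONS.get(user.role, {}).get(record.category, set())
    if action not in permitted_actions:
        return False, f"role '{user.role}' has no '{action}' permission on '{record.category}'"
    if record.category in RESTRICTED_CATEGORIES and record.category not in user.restricted_grants:
        return False, f"'{record.category}' is locked and {user.name} has no explicit grant"
    return True, "permitted"


def reachable_categories(user: User) -> set:
    """What a user can actually open: the view to review when asking whether a role is wider than its job."""
    return {
        category for category in ROLE_PERMISSIONS.get(user.role, {})
        if category not in RESTRICTED_CATEGORIES or category in user.restricted_grants
    }
```

An unknown role, a missing category, or an action the table does not list all fall through to a denial, which is the behaviour to confirm during a vendor demonstration: ask what happens for a user whose role was never configured, not only for the roles that were.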
Questions?
HIPAA/HITECH Resources
Privacy and Security Section of HealthIT.gov: http://healthit.hhs.gov
HHS Health IT Privacy and Security Toolkit, OCR Guidance: http://healthit.hhs.gov/portal/server.pt?open=512&objid=1174&parentname=communitypage&parentid=26&mode=2&in_hi_userid=10732&cached=true
OCR HIPAA Privacy Rule Training Materials: http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/index.html
OCR Guidance on Significant Aspects of the HIPAA Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/privacyguidance.html
Fast Facts about the HIPAA Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/cefastfacts.html
The HHS Office for Civil Rights, HIPAA FAQs: http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html
Guidance materials for Small Providers, Small Health Plans, and other Small Businesses: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/smallbusiness.html
OCR's Sample Business Associate Contract Provisions: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html