Healthcare Security and Compliance
July 23, 2015

Presenters
- Kelley Miller, CISA, CISM, Principal, Kelley.Miller@mcmcpa.com
- Barbie Thomas, MBA, CHC, Barbie.Thomas@mcmcpa.com

Agenda
- Introductions
- Cybersecurity
- Texting & eCommunications
- Medical Devices
- Compliance Audits
Cybersecurity: 2014 Top Healthcare Breaches
- Community Health Systems (CHS): 4.5M patients affected (APT, China)
- Texas Health and Human Services Commission: 2M patients affected (BA: Xerox)
- County of Los Angeles Public Health: 342,000 patients affected (BA: Sutherland Healthcare Services)
- Touchstone Medical Imaging: 307,000 patients affected (inadvertent access via the Internet)

Cybersecurity: 2015 Top Healthcare Breaches (as of March 31, 2015)
- Anthem, Inc., March 13: 78.8 million affected individuals (admin credentials, perhaps obtained through email phishing?)
- Premera Blue Cross, March 17: 11 million affected individuals (network intrusion in May 2014, breach found in March)
- Virginia Department of Medical Assistance Services (VA-DMAS), March 12: 697,586 affected individuals (x2)
- Georgia Department of Community Health, March 2: affected individuals (1) 557,779 and (2) 355,127

Cybersecurity: Definition
"cyber": a combining form meaning computer, computer network or virtual reality, as in cyberspace and cybersecurity.
Cybersecurity: Lessons Learned
- Any organization with health information is vulnerable
- Organizations do NOT know where the health information is on their systems
- Health information moves so much within and between these systems that it is open to breaches

Cybersecurity
- All you need to be a part of cyberspace is an IP address
- It is no longer possible to PREVENT attacks or breaches
- Interconnectivity increases vulnerabilities
- Businesses need to move fast, including the introduction of new technologies

Cybersecurity
- Cybercrime is big business
- Attackers (hackers) are organized, not just opportunists
- Patient attackers have gained access and are just waiting: Advanced Persistent Threat (APT)

Cybersecurity: 5 Signs that You've Been Hit with an APT
- Increase in elevated log-ons late at night
- Finding widespread backdoor Trojans
- Unexpected information flows
- Discovering unexpected data bundles
- Detecting pass-the-hash hacking tools
* Focused spear-phishing campaigns using Adobe PDF
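The first APT sign above, a rise in privileged log-ons late at night, is something a SOC can check for in authentication logs. The following is an added example, not part of the presentation: it parses a constructed log format (an assumption; adapt the regular expression to your own authentication events), counts successful admin log-ons inside a night window per ISO week, and flags a week that jumps well above the previous week's baseline.

```python
import re
from datetime import datetime

# Constructed sample authentication events (not real data): ISO timestamp,
# account name, privilege level of the logon, and the outcome.
SAMPLE_LOG = """\
2015-07-06T09:12:01 user=jsmith priv=user result=success
2015-07-06T23:50:10 user=adm_backup priv=admin result=success
2015-07-13T02:13:44 user=adm_dba priv=admin result=success
2015-07-13T02:40:09 user=adm_dba priv=admin result=success
2015-07-14T03:01:55 user=adm_backup priv=admin result=success
2015-07-14T03:22:17 user=adm_dba priv=admin result=success
2015-07-15T01:45:00 user=adm_dba priv=admin result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) priv=(?P<priv>\S+) result=(?P<result>\S+)$")

def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def night_admin_logons(events, start_hour=0, end_hour=5):
    """Per ISO week: successful privileged logons in the night window and the
    accounts involved. Every week seen in the log gets an entry, so a quiet
    baseline week counts as zero rather than being absent."""
    weekly = {ev["ts"].isocalendar()[1]: {"count": 0, "accounts": set()} for ev in events}
    for ev in events:
        if (ev["priv"] == "admin" and ev["result"] == "success"
                and start_hour <= ev["ts"].hour < end_hour):
            week = weekly[ev["ts"].isocalendar()[1]]
            week["count"] += 1
            week["accounts"].add(ev["user"])
    return weekly

def flag_increase(weekly, factor=2.0, minimum=3):
    """Flag weeks whose night-time privileged logons are at least `minimum` and at
    least `factor` times the previous week's (a zero baseline counts as one)."""
    flagged = []
    weeks = sorted(weekly)
    for prev, cur in zip(weeks, weeks[1:]):
        prev_n, cur_n = weekly[prev]["count"], weekly[cur]["count"]
        if cur_n >= minimum and cur_n >= factor * max(prev_n, 1):
            flagged.append((cur, cur_n, prev_n, sorted(weekly[cur]["accounts"])))
    return flagged
```

The flagged tuple names the week, the current and baseline counts, and the accounts to triage; the thresholds are starting points to tune against your own baseline.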
Cybersecurity: Strategies for Protecting Patient Data
- Find and identify your ePHI
- Consider the non-standard systems which might house ePHI
- Obtain leadership engagement/support
- Assess risks
- Assess and manage vendor relationships and data access

Cybersecurity: Strategies for Protecting Patient Data (cont.)
- Consider privacy and security an integral part of new technology
- Incident response management

Cybersecurity: HIPAA Security Rule
The Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 established national standards to protect individuals' electronic personal health information that is created, received, used or maintained by a covered entity, according to the US Department of Health & Human Services (HHS).

Cybersecurity: HIPAA Security Rule (Technology Neutral)
- Administrative: testing of controls provides reasonable assurance that the entity has an established and mature security program. Administrative controls include: security management, assigned security responsibility, workstation security, information security management, security awareness training, security incident process, contingency plan, evaluation, business associate contracts.
- Technical: testing of controls provides reasonable assurance of security and authentication mechanisms, including: access controls, audit controls, transmission security, integrity and person authentication.
- Physical: testing of controls that provide for the integrity of information as it is processed and stored, including: facility access controls, workstation use, workstation security, device and media controls.

Cybersecurity: ePHI
Individually identifiable health information is that which can be linked to a particular person. Specifically, this information can relate to:
- The individual's past, present or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual.

Cybersecurity: There are 18 specific ePHI identifier types:
- Name
- Address (all geographic subdivisions smaller than a state, including street address, city, county, zip code)
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
- Telephone numbers
- Fax number
- Email address
- Social Security number
- Medical record number

Cybersecurity: ePHI identifier types (cont.)
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Device identifiers or serial numbers
- Web URL
- Internet Protocol (IP) address numbers
- Finger or voice prints
- Photographic images
- Any other characteristic that could uniquely identify the individual
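"Find and identify your ePHI" starts with knowing what the identifier types above look like in free text. As an added example (not from the presentation), the scanner below looks for the types that have a recognizable shape (SSN, phone, email, dates, IP address, URL) plus a medical record number pattern that is an assumption (a "MRN" label followed by six or more digits; real MRN formats vary), and applies the date rule that an exact age over 89 is itself an identifier.

```python
import re
from datetime import date

# Regular expressions for the identifier types a text scan can find directly.
# The MRN pattern is an assumption (a label followed by 6+ digits); real
# medical record number formats vary by organization.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s.,;]+(?:\.[^\s.,;]+)*"),
    "mrn": re.compile(r"\bMRN[:#\s]*(\d{6,})\b"),
}
DOB_RE = re.compile(r"\bDOB\s*:?\s*(\d{1,2})/(\d{1,2})/(\d{4})")

# Constructed sample note (fictitious person and values, not real data).
SAMPLE_NOTE = (
    "Patient: Jane Doe, DOB 04/11/1922, admitted 2015-03-02. MRN: 00483921. "
    "SSN 123-45-6789. Phone (502) 555-0147, email jane.doe@example.com. "
    "Portal login from 192.0.2.44, see https://portal.example.org/chart/00483921."
)

def scan_for_identifiers(text):
    """Return {identifier_type: [matches]} for every pattern found in the text."""
    found = {}
    for name, pattern in PATTERNS.items():
        # group(1) for patterns that capture the value, else the whole match
        hits = [m.group(m.lastindex or 0) for m in pattern.finditer(text)]
        if hits:
            found[name] = hits
    return found

def age_over_89(dob, as_of):
    """True when the exact age is itself an identifier (over 89)."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return age > 89

def dob_over_89(text, as_of):
    """True if a 'DOB mm/dd/yyyy' in the text gives an age over 89 as of `as_of`."""
    m = DOB_RE.search(text)
    if not m:
        return False
    month, day, year = map(int, m.groups())
    return age_over_89(date(year, month, day), as_of)
```

Names, addresses, biometrics and images need other techniques (dictionaries, NLP, file-type inventories), so a hit count of zero from this scan is not proof that a file holds no ePHI.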
Texting & eCommunications
Text messages are generally not secure because they lack encryption, and the sender does not know with certainty that the message was received by the intended recipient. Also, the telecommunication vendor/wireless carrier may store the text messages.

Texting & eCommunications
However, your organization may approve texting after performing a risk analysis or implementing a third-party messaging solution that incorporates measures to establish a secure communication platform, which will allow texting on approved mobile devices.

Texting & eCommunications: Five steps to manage mobile devices
1) Decide
2) Assess
3) Identify
4) Develop, Document, and Implement
5) Train

1) Decide: Understand the Risks
- Lost mobile device
- Stolen mobile device
- Malware/virus
- Unintentional disclosure
- Using an unsecured Wi-Fi network

2) Assess: Analyze the risks
- Which mobile devices are being used
- What information is accessed, received, stored or transmitted

3) Identify your Mobile Device Management (MDM) Strategy
- Use a password or other user authentication
- Install/enable encryption
- Install/activate remote wiping
- Disable file sharing applications
- Install/enable a firewall
- Install/enable security software
- Keep security software up to date
- Maintain physical controls
- Adequate security over Wi-Fi
- Delete all PHI before discarding or re-using a device

4) Develop, Document, and Implement: Policies / Topics
- Mobile Device Management
- BYOD
- Restrictions on Mobile Device Use
- Security/Configuration Settings on Mobile Devices
- Information Storage on Mobile Devices
- Misuse of Mobile Devices
- Recovery/Deactivation of Mobile Devices
- Mobile Device Training

5) Train: Security awareness and training for providers and professionals
- Discuss risks
- How to secure and protect
- How to avoid mistakes
Medical Devices
In an effort to address the cybersecurity challenges of networked medical devices, the National Institute of Standards and Technology (NIST), through the National Cybersecurity Center of Excellence (NCCoE), is launching a project to secure those devices from risks such as malware, hacking and access control. The project, done in collaboration with the Technological Leadership Institute at the University of Minnesota and the medical device industry, is inviting comments on ways to properly secure medical devices that are increasingly being connected to central systems within hospitals, the NCCoE says, starting with a draft use case on wireless infusion pumps.

Medical Devices: FDA Guidance
The FDA suggests security measures that device manufacturers should consider for the protection of medical devices. Those include:
- Limiting access to devices to trusted users through the use of authentication, such as ID and password, smart card and biometrics, including multi-layered authentication "where appropriate";
- Ensuring secure data transfer to and from the device, using encryption where appropriate;
- Implementing features that allow security compromises to be detected, recognized, logged, timed and acted upon;
- Providing information to end users concerning appropriate actions to take upon detection of a cybersecurity event.

FDA Medical Device Guidance
The new guidance, "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices - Guidance for Industry and Food and Drug Administration Staff," recommends that manufacturers consider cybersecurity risks as part of the design and development of a medical device, and submit documentation to the FDA about the risks identified and the controls in place to mitigate those risks. (Source: FDA)

Medical Device Security: MDS2
HIMSS and NEMA standardized the Manufacturer Disclosure Statement for Medical Device Security (MDS2).
- The form gives manufacturers a mechanism to disclose security features
- The form gives entities a tool for the risk analysis (RA) required by the Security Rule
- It allows for a uniform comparison of security-related information and features among devices
Compliance Audits: HITECH Act of 2009 / HIPAA Omnibus Rule 2013
- Stiffer penalties
- Increased breach notification rules
- Updated BA agreements
- State Attorneys General can bring enforcement actions

Compliance Audits: Key HIPAA Definitions
- Reasonable Diligence
- Reasonable Cause
- Willful Neglect

HIPAA Compliance Audits
HITECH Act Section 13411 requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification Standards. HHS has delegated this responsibility to the Office for Civil Rights (OCR).

HIPAA Compliance Audits: Phase I
KPMG performed the audits of providers, clearinghouses and health plans. The majority were providers.
Findings & Observations by Covered Entity (chart): Providers 65%, Health Plans 32%, Clearinghouses 3%

HIPAA Phase I Audits: Audit Findings by Area (chart): Security 60%, Privacy 30%, Breach 10%
HIPAA Phase I Audit Findings
- Privacy: uses and disclosures of PHI
- Security: no complete RISK assessment; access management; contingency planning & backup
- Breach: methods of individual notification

HIPAA Phase I Findings: #1 Reason Given for Non-Compliance
- Entity unaware of the requirement

HIPAA Phase II Audits
- Utilize information from Phase I findings
- OCR's view of Phase I: a compliance improvement activity, designed to help OCR determine the types of technical assistance needed; BUT as the program evolves (Phase II) the audits will be an enforcement tool
- Performed by OCR staff
- Both desk audits and on-site reviews
- Delayed implementation of the new web portal
- Includes covered entities and business associates
- Pre-audit survey, then 350 entities are chosen

HIPAA Phase II Audits
- Selected entities receive a notification and data request
- Two-week period for the entity's response
- Information must be current as of the date of the request
- Late submissions will not be reviewed
- Lack of response may lead to a referral for a compliance review
- Provide a list of business associates

HIPAA Phase II Audit Preparation
- Review and update policies and procedures to reflect the HITECH Act / HIPAA Omnibus Rule.
- Conduct an assessment of the risk to ePHI and a subsequent risk management plan.
- Review BA and CE relationships for HIPAA compliance.
- Review and update training materials and perform appropriate training.

HIPAA Phase II Audit Preparation: Review compliance in High Risk Areas
- Privacy: notice of privacy practices; individual access rights; minimum necessary requirements
- Security: media and device disposal; transmission security; audit controls & monitoring
- Breach: content and timeliness of notification
Meaningful Use
The American Recovery and Reinvestment Act of 2009 specifies three main components of Meaningful Use:
- The use of a certified EHR in a meaningful manner.
- The electronic exchange of health information to improve the quality of health care.
- The use of certified EHR technology to submit clinical quality and other measures.
Simply put, "meaningful use" means providers need to show they're using certified EHR technology in ways that can be measured significantly in quality and in quantity. (Source: HRSA)

Meaningful Use Audits
- Confirm the audit documentation pertains to the actual reporting period that you attested to.
- Stage 1 requirement for Security (Core Objective and Measure 15): conduct or review a security risk assessment of the certified EHR technology, correct identified security deficiencies, and provide security updates as part of an ongoing risk management process.

Meaningful Use Audits
You must conduct a risk analysis and management process at least once before the EHR reporting period. Attest to CMS or the State that you have:
1) Conducted the risk analysis
2) Identified the deficiencies
3) Taken corrective action to eliminate the deficiencies

Meaningful Use Audit: Stage 2
Stage 1 requirements plus addressing encryption of data at rest. Data at rest includes, but is not limited to, archived data, data which is not accessed or changed frequently, files stored on hard drives, USB thumb drives, files stored on backup tapes and disks, and also files stored off-site or on a storage area network (SAN).

Risk Analysis & Risk Management
- NIST SP 800-30
- NIST HIPAA Security Toolkit
- Apply the CIA triad to ePHI
- All electronic or cyber media
- Identify potential threats and vulnerabilities
- Assess current security measures
- Determine the likelihood and impact
- Determine your risk tolerance
- Determine a roadmap which aligns with your goals, budgetary constraints and risk tolerance
- Periodic review

Meaningful Use Audit Prep
- Be proactive: designate an audit response team
- Timely review of the email account
- Create a repository of supporting documentation for attested items.
- Remember: if you fail one area, CMS recoups ALL of the MONEY!
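The risk analysis steps above (identify threat/vulnerability pairs, assess current measures, rate likelihood and impact, compare against tolerance, build a roadmap) can be carried through on a small register. This is an added illustration, not from the presentation or the NIST toolkit; the 1 to 5 qualitative scale, the control-effectiveness factor and the sample entries are assumptions, and NIST SP 800-30's own scales can be substituted.

```python
from dataclasses import dataclass

# Qualitative scale used here (an assumption; NIST SP 800-30 defines its own
# qualitative and semi-quantitative scales that can be substituted).
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}

@dataclass
class Risk:
    asset: str            # where the ePHI lives (system, device, medium)
    threat: str           # threat source or event
    vulnerability: str    # weakness the threat could exploit
    likelihood: str       # level from LEVELS
    impact: str           # level from LEVELS (worst of C, I, A for the asset)
    control_effectiveness: float  # 0.0 = no current control, 1.0 = fully mitigating (assumed scale)

def inherent_score(risk):
    """Likelihood x impact before considering existing safeguards."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]

def residual_score(risk):
    """Inherent score reduced by how effective the current controls are."""
    if not 0.0 <= risk.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    return round(inherent_score(risk) * (1.0 - risk.control_effectiveness), 2)

def risk_roadmap(register, tolerance):
    """Rank risks by residual score; those above the tolerance must be treated
    (added to the remediation roadmap), the rest may be accepted and monitored."""
    ranked = sorted(register, key=residual_score, reverse=True)
    return [{"asset": r.asset, "threat": r.threat, "inherent": inherent_score(r),
             "residual": residual_score(r),
             "decision": "treat" if residual_score(r) > tolerance else "accept"}
            for r in ranked]

# Constructed sample register (fictitious; values are illustrative only).
SAMPLE_REGISTER = [
    Risk("clinician laptops", "theft or loss", "no full-disk encryption",
         "high", "very high", 0.1),
    Risk("EHR database", "ransomware", "backups never test-restored",
         "moderate", "very high", 0.4),
    Risk("billing vendor SFTP", "unauthorized access", "no BAA or access review",
         "moderate", "high", 0.5),
    Risk("fax machine", "misdirected fax", "no recipient confirmation step",
         "high", "low", 0.75),
]
```

Re-running the roadmap after each remediation (with the updated control effectiveness) is the periodic review step, and the register doubles as the documentation an OCR or Meaningful Use audit asks for.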
Additional Resources
- http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/
- http://www.hrsa.gov/healthit
- http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
- http://www.himss.org/resourcelibrary/mds2

Additional Resources
- http://www.dhs.gov/cybersecurity-overview
- http://www.healthit.gov/sites/default/files/federal-healthit-strategic-plan-2014.pdf
- http://www.healthit.gov/sites/default/files/basic-security-for-the-small-healthcare-practice-checklists.pdf
- http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf

Additional Resources
- http://www.govinfosecurity.com/nist-to-address-medical-device-security-a-7718
- http://www.healthit.gov/providers-professionals/frequently-asked-questions/533#id210
- Office of the National Coordinator for Health Information Technology, U.S. Department of Health and Human Services, 200 Independence Avenue S.W., Suite 729-D, Washington, D.C. 20201
- http://www.healthit.gov/providers-professionals/five-steps-organizations-can-take-manage-mobile-devices-used-health-care-pro

Questions?