
Post on 03-Aug-2020


Copyright 2012 MMIC • All rights reserved STRENGTH. SERVICE. KNOW-HOW. VISION.

Building a Practical and Meaningful

HIPAA Security Program

By: Greg Williams

Security & Compliance

Consultant

greg.williams@mmicgroup.com


What is Risk?

• Risk is the potential of losing something of value


Slow Pace of Regulation: Timeline (1996, '98, 2000, '03, '05, '08, '09, '10, 2013)

[Timeline figure; only the labels are recoverable from the slide]

HIPAA signed into law (1996)

Privacy track: Notice of Proposed Rule Making; Final Rule Published; Final Modifications Published; Compliance Deadline; Interim Rule Modifications (HITECH); Final Rule Modifications (HITECH)

Security track: Notice of Proposed Rule Making; Security Standards Published; Compliance Deadline; Interim Rule Modifications (HITECH); Final Rule Modifications (Omnibus)

Enforcement track: Civil Money Penalties Procedures; Breach Notification

Milestones marked on the axis: HIPAA Becomes Law; Privacy Rule Finalized; First Resolution Agreement; First Civil Money Penalties; Security Rule Finalized; ARRA/HITECH; Final Omnibus Rule


Timeline of Compliance Audits

Date            Action Taken
2008 – 2009     CMS HIPAA Compliance Reviews
2012            HIPAA Security audits conducted by KPMG
June 2012       HIPAA Audit Program Protocol released
November 2012   Medicare EHR incentive program (Meaningful Use) audits


HIPAA Audit Program Protocol

• Three components:

– Privacy

– Security

– Breach Notification

“OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits.”


1996 Technology


Missing from the Protocol?

• Smart phones

• Mobile devices

• Personally owned devices

• Portable media

• Data Loss Prevention

• Data Leakage

• Change Control

• Configuration Management

• BYOD

• MDM

• Wireless

• Texting

• Secure Messaging

• Web Portals

• Secure Web Sites

• Router, switches, firewalls

• Network Scans


Also missing

• Biomed or Biomedical Devices

• Cloud

• Remote Access

• Telemedicine

• Social Security Numbers

• Credit Card Numbers – PCI/DSS

• Software Licensing


Audit Test Procedures

• The three “P’s” to align:

– Perception

– Policy

– Practice

• Policies

– Updated

– Reviewed

– Approved

• Create the “Book of Evidence”

– First impressions matter – audits are conducted by humans!

– Proof of compliance

– Speed of response


Government Audit

• OCR – Office for Civil Rights

– Our clients may receive a notice from OCR, addressed to their CEO, stating that the organization is scheduled to be audited.

– List of requests – 15 days to respond

– Three types of audits (1,200 for 2014)

• Investigation

– Trigger: reported breach or patient complaint

• Random

– Trigger: not sure how entities get “selected”

• Meaningful Use

– Trigger: entity received incentive money

– In 2014 OCR will conduct surveys of CEs and BAs (covered entities and business associates)


Most Common Areas of Concern

• Risk Assessment (Analysis)

– Should have been doing this since 2005

• Currency/Relevance of Policies and Procedures

• Security Awareness Training

• Workforce Clearance

• Workstation Security

• Encryption

• Business Associate Contracts & Other Agreements


Case Example: December 27, 2013

Adult & Pediatric Dermatology, P.C., of Concord, Mass. (APDerm)

• Dermatology practice settles for HIPAA violations

– $150,000 agreed resolution payment

– OCR opened an investigation of APDerm after a report that an unencrypted thumb drive had been stolen from a staff member’s vehicle

– Health information of 2,200 individuals

• First settlement involving the breach notification provisions of the HITECH Act (American Recovery and Reinvestment Act of 2009, ARRA)


Follow up Requirements

• In addition to the $150,000 resolution amount, the settlement includes a corrective action plan requiring APDerm to develop:

– a risk analysis, and

– a risk management plan to address and mitigate any security risks and vulnerabilities,

– as well as to provide an implementation report to OCR.


How to Create a Practical & Meaningful

Information Security Program


Focus on the 4 “P”s


Risk Management

• Identify Assets

• Risk Analysis

• Plan Remediation

• Create Controls

• Track your risks


Policy

• Develop Policies & Procedures from Best Practice

– Not a checklist

• Avoid the danger of templates

• Review, Approve, Implement & Track

• Mapped to the organization’s controls

• Empowers audit process


Processes

• Develop and Track

• Assign Ownership

• Include vendors in the training

• Create checks/balances


Vulnerability Assessment

• Monthly Vulnerability Scan

• Monthly Report with Recommendations

• Update to Risk Management
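The Risk Management steps above (identify assets, analyze risk, plan remediation, create controls, track risks) and the Vulnerability Assessment loop (monthly scan, monthly report with recommendations, update the risk register) are the one part of the program that is mechanical enough to put in code. What follows is an added example, not code from the presentation or from MMIC: a small risk register that ingests a scanner's CSV export, scores each finding by the asset it lands on, and produces the monthly report. The CSV column layout, the host names and finding IDs, the 1-5 likelihood and impact scales, the rating thresholds and the remediation windows are all assumptions chosen for illustration; substitute your scanner's export and the methodology your security committee has approved.

```python
# Added example, not code from the MMIC deck. The CSV layout, the asset
# inventory and the 1-5 likelihood/impact scales are illustrative assumptions.
import csv, io
from dataclasses import dataclass
from datetime import date

SEVERITY_LIKELIHOOD = {"info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}
REMEDIATION_SLA = {"high": 30, "medium": 90, "low": 180}  # assumed days to remediate

@dataclass
class Asset:
    name: str
    holds_ephi: bool       # stores or processes electronic PHI
    internet_facing: bool

@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: int        # 1-5
    impact: int            # 1-5
    opened: date
    owner: str = "unassigned"
    control: str = ""
    status: str = "open"   # open | mitigated | accepted
    closed: "date | None" = None

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:  # thresholds are an assumption; use approved ones
        return "high" if self.score >= 15 else "medium" if self.score >= 8 else "low"

class RiskRegister:
    """Scan findings open risks; only a recorded decision (resolve) closes one."""
    def __init__(self, assets):
        self.assets = {a.name: a for a in assets}
        self.risks = {}

    def ingest_scan(self, csv_text, scan_date):
        """One risk per host+finding; returns IDs created or reopened by this scan."""
        changed = []
        for row in csv.DictReader(io.StringIO(csv_text)):
            asset = self.assets.get(row["host"])
            if asset is None:  # inventory gap: assume ePHI until classified
                asset = self.assets[row["host"]] = Asset(row["host"], True, False)
            rid = f"{row['host']}:{row['finding_id']}"
            existing = self.risks.get(rid)
            if existing is not None:
                if existing.status != "open":  # regression: the control failed
                    existing.status, existing.closed = "open", None
                    changed.append(rid)
                continue  # a finding absent from a later scan never closes a risk
            likelihood = SEVERITY_LIKELIHOOD.get(row["severity"].lower(), 3)
            if asset.internet_facing:
                likelihood = min(5, likelihood + 1)
            impact = 5 if asset.holds_ephi else 2  # ePHI loss means breach notification
            self.risks[rid] = Risk(rid, asset.name, row["name"], likelihood, impact, scan_date)
            changed.append(rid)
        return changed

    def resolve(self, rid, control, owner, on, status="mitigated"):
        """Record who closed the risk, how and when: this is the audit evidence."""
        r = self.risks[rid]
        r.control, r.owner, r.status, r.closed = control, owner, status, on

    def monthly_report(self, as_of):
        """Open risks by rating, highest score first, flagged when past SLA."""
        open_risks = sorted((r for r in self.risks.values() if r.status == "open"),
                            key=lambda r: r.score, reverse=True)
        lines = []
        for r in open_risks:
            age, sla = (as_of - r.opened).days, REMEDIATION_SLA[r.rating]
            lines.append(f"{r.rating.upper():6} {r.score:2} {r.risk_id}: {r.threat} "
                         f"({age}d open, SLA {sla}d)" + (" OVERDUE" if age > sla else ""))
        counts = {l: sum(r.rating == l for r in open_risks) for l in ("high", "medium", "low")}
        return {"counts": counts, "lines": lines}

# Constructed inventory and scanner export for the demo: not real hosts or findings.
ASSETS = [Asset("ehr-db-01", holds_ephi=True, internet_facing=False),
          Asset("patient-portal", holds_ephi=True, internet_facing=True),
          Asset("lobby-kiosk", holds_ephi=False, internet_facing=False)]
SCAN_ROWS = """host,finding_id,severity,name
ehr-db-01,F-101,High,Database listener accepts unencrypted connections
patient-portal,F-202,Critical,Web framework version with a published remote exploit
lobby-kiosk,F-303,Low,Missing OS patch for display service
"""

def run_demo():
    """January scan, a recorded fix, then the same findings back in February."""
    reg = RiskRegister(ASSETS)
    created = reg.ingest_scan(SCAN_ROWS, date(2013, 1, 15))
    reg.resolve("patient-portal:F-202", "Upgraded framework; rescan clean", "IT Ops", date(2013, 2, 1))
    reopened = reg.ingest_scan(SCAN_ROWS, date(2013, 2, 15))  # F-202 came back
    return reg, created, reopened, reg.monthly_report(date(2013, 2, 20))
```

run_demo() walks through the two points practitioners most often get wrong. A finding dropping out of a scan does not close a risk; closure is a recorded decision with an owner, a control and a date, which is exactly the evidence an auditor will ask for. And a finding that reappears after closure reopens the risk as a control failure rather than being logged as something new. The report also shows that the same scanner severity lands at different risk ratings depending on whether the host holds ePHI and whether it is internet-facing, which is the asset-identification step feeding the analysis.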


Vendor Management

• Manage Documents or Agreements

– Dates sent / received

• Create Master List

• Verify Controls

• Hosted Controls are Hosted Liability


Training

• Make it Fun!

• Make it simple

• Do it often

• Create the Curriculum

• Log the Training

• Test for competency

• Create fire-drills


Compliance Mapping

• Create Map of Governance

– HIPAA

– PCI DSS

– Social Security Number Disclosure Act

– Breach Notification

• Logically Group Controls


Incident Tracking

• Issues = Good Learning

• Create a good form

• Document all issues

• Use as Training Tools


Audit

• Assess controls for effectiveness

• Show evidence

• Create Corrective Actions

• Technical and Non-Technical

• Include Vendors


Services Process (cycle): Assess → Plan → Remediate → Controls → Communicate → Train → Monitor

Security Committee

• Risk

• Policy & Process

• Vulnerability

• Vendor

• Training

• Compliance

• Incident

• Audit


Changing Controls

What does tomorrow bring?


Questions? Greg Williams

Security & Compliance Consultant

952-838-6778 greg.williams@mmicgroup.com