
Healthcare and New Federal Security Protections (HIPAA)

Date post: 12-Jan-2016

Transcript
Page 1

Healthcare and New Federal Security Protections (HIPAA)

Page 2

Copyright 2001 The Marblehead Group

Contact info:

Kate Borten, CISSP
President, The Marblehead Group
One Martin Terrace
Marblehead, MA 01945
Tel: 781 639-0532
Fax: 781
[email protected]

Page 3

Agenda

- HIPAA: What? When? Why?
- HIPAA's Security and Privacy Rules
- Implications for vendors and products
  - Business contracts
  - Technical features
- Healthcare Resources

Page 4

HIPAA

Page 5

HIPAA

Health Insurance Portability and Accountability Act of 1996

- aka the Kennedy-Kassebaum bill
- To assure health insurance after leaving a job ("insurance portability")
- Congress added "Administrative Simplification" [aspe.hhs.gov/admnsimp]
- POW!

Page 6

“Administrative Simplification”

- Goal: Save money
- Means: Standard electronic transactions
  - Standard record formats, code sets, and identifiers
  - For common transactions such as enrollment, claims, remittance, eligibility, and referrals
- Compliance date: October 2002

Page 7

Downside to Electronic Standardization

Increased risk to information security and patient privacy

So Congress added HIPAA requirements:
- US Dept. of Health and Human Services (HHS) to develop security regulations
- Congress to pass a health privacy law (but they missed their deadline in 1999, so HHS wrote privacy regulations)

Page 8

“Security” vs. “Privacy”

Security = Assurance of Confidentiality, Integrity, and Availability

Privacy = a personal “right” (we’d like to think) to control info about oneself

Organizations have formal infosec programs in order to assure patients’ or members’ privacy

No privacy without security!

Page 9

Fair Information Practices

When you think privacy, think Fair Info Practices (HHS Sec'y Shalala):
- Security (obligation to protect)
- Boundaries (limit use of info)
- Consumer Control (right to copy, correct, review audit trail...)
- Accountability (penalties)
- Public Responsibility (balance public good vs. individual privacy rights)

Page 10

Scope: Who’s Covered

Rules apply directly to health care plans, providers, and clearinghouses - called “covered entities”

Rules apply only indirectly to “business associates” of those covered (until a broader privacy law is passed)

Rules do not apply to life insurers, workers comp, etc. (until a broader privacy law is passed)

Page 11

Scope: What’s Covered

Privacy Rule covers all individually-identifiable health data in any form
- includes demographic data, even if in the public realm
- includes data unless thoroughly de-identified

Proposed Security Rule covers a subset of the above: only electronic data

Page 12

Compliance Deadlines

Privacy Rule compliance date: Feb. 26, 2003 (for all but smallest plans which have until 2004)

Expect Security Rule compliance date shortly thereafter

Page 13

Why Comply? Penalties!

Civil penalty for "failure to comply": up to $100/person/violation; maximum of $25,000/person/violation/year (can add up!)

Criminal penalties for "wrongful disclosure" "knowingly and in violation of HIPAA":
- up to $50,000 and/or 1 year prison for knowing misuse
- up to $100,000 and/or 5 years prison when under false pretenses
- up to $250,000 and/or 10 years prison when intent to sell, use for personal gain or commercial advantage, or malicious harm

Page 14

Why Comply?

HIPAA penalties for health plans, providers, and clearinghouses only

But their “business associates” will be bound by contract (indemnified?)

Vendors could be out of business if their products don’t meet basic requirements!

Page 15

Security & Privacy Rules

Page 16

Patient Rights

Receive copy of own record

Request record amendment/correction

Voluntarily authorize and revoke secondary uses of own data

Receive report of certain disclosures

Receive Notice of Privacy Practices

File complaint of non-compliance

Page 17

Privacy Rule Requirements

- Security safeguards
- Privacy Officer
- Use/disclosure policies and procedures
  - when OK, when not, when authorization req'd, etc.
  - de-identification; minimum necessary data
  - verification of requestor identity, authority
- Audit/reporting of secondary disclosures
- Workforce training and certification
- Stringent business contracts
- Sanctions
- Notice of Privacy Practices

Page 18

Security Rule Requirements

A comprehensive, formal infosec program:
- "Administrative Procedures"
  - Policies
  - Procedures
  - Education of workforce
- Physical Safeguards
- Technical controls
- Information Security Officer

Page 19

“Administrative Procedures”

- Certification
- Chain-of-trust partner agreement
- Contingency plan
- Record processing controls
- Access controls
- Auditing
- Personnel security
- Configuration mgmt
- Security incident procedures
- Security mgmt process
- Termination process
- Training

Page 20

Physical Safeguards

- Media controls
- Physical access controls
- Workstation use policy, guidelines
- Secure workstation location/position
- Security awareness training

Page 21

Technical Controls

- Access controls
- Audit controls
- Authorization controls
- Data "authentication" (integrity)
- Entity authentication
- Event reporting, alarms

Page 22

Implications for Vendors and Products

Page 23

Business Associate Contracts

- Applies to business associates (BA) who may have access to patient-identifiable data, even inadvertently
- Healthcare organization may terminate
- Contracts likely to require BA to have appropriate infosec programs
- BA required to
  - report breach/improper disclosure
  - audit certain re-disclosures
  - permit access by Sec'y of HHS

Page 24

Explicit Technical Requirements

- Identification - unique user IDs
- Authentication - password or PIN or token or smartcard or biometric (or call-back?)
  - If over an "open" network (at least the Internet), must be "irrefutable" (2-factor)

Page 25

Explicit Technical Requirements

- Authorization - at least necessary level
  - Role- or user-based
  - Optionally modified by location, by date/time
- Organization must be able to periodically review who has access and with what privileges, so systems must be able to provide reports
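As an added example (not from the slides or The Marblehead Group), the role-based authorization with optional location and time-of-day modifiers described above, together with the who-has-what-access report the slide says systems must be able to produce. The role names, permission strings, users, locations and hours are assumed for illustration; everything not explicitly granted is denied.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Assumed role-to-permission map; the slide only says "role- or user-based".
ROLE_PERMS: Dict[str, Set[str]] = {
    "physician": {"record:read", "record:write", "order:write"},
    "nurse": {"record:read", "vitals:write"},
    "billing": {"claim:read", "claim:write", "demographics:read"},
}


@dataclass
class Grant:
    role: str
    locations: Optional[Set[str]] = None      # None means any location
    hours: Optional[Tuple[int, int]] = None   # (start_hour, end_hour); None means any time


class Authorizer:
    """Role-based access with optional location and time-of-day modifiers."""

    def __init__(self) -> None:
        self.grants: Dict[str, List[Grant]] = {}

    def grant(self, user: str, role: str, locations: Optional[Set[str]] = None,
              hours: Optional[Tuple[int, int]] = None) -> None:
        self.grants.setdefault(user, []).append(Grant(role, locations, hours))

    def permitted(self, user: str, perm: str, location: str, at: datetime) -> bool:
        for g in self.grants.get(user, []):
            if perm not in ROLE_PERMS.get(g.role, set()):
                continue
            if g.locations is not None and location not in g.locations:
                continue
            if g.hours is not None and not (g.hours[0] <= at.hour < g.hours[1]):
                continue
            return True
        return False  # default deny: no matching grant

    def access_report(self) -> List[dict]:
        """Who has access and with what privileges, for the periodic review."""
        rows = []
        for user in sorted(self.grants):
            for g in self.grants[user]:
                rows.append({
                    "user": user,
                    "role": g.role,
                    "permissions": sorted(ROLE_PERMS.get(g.role, set())),
                    "locations": sorted(g.locations) if g.locations else "any",
                    "hours": f"{g.hours[0]:02d}:00-{g.hours[1]:02d}:00" if g.hours else "any",
                })
        return rows


def build_sample() -> Authorizer:
    """Constructed sample grants (assumed users and assignments)."""
    a = Authorizer()
    a.grant("rn_smith", "nurse", locations={"ward3"}, hours=(7, 19))   # day shift, one ward
    a.grant("dr_jones", "physician")                                    # any time, any location
    a.grant("clerk_lee", "billing", hours=(8, 17))                      # office hours only
    return a


def at_hour(hour: int) -> datetime:
    """Constructed timestamp on a fixed sample day."""
    return datetime(2001, 6, 1, hour, 0)
```

The report is what an organization hands to managers for the periodic access review; a grant that is still present for a user who has left is exactly what that review is meant to catch.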

Page 26

Explicit Technical Requirements

- Automatic logoff (inactivity timeout) to "cause electronic session to terminate" (i.e., not suspend)

(Healthcare organizations will look for intelligent implementation - preferably allowing variable timeouts based on different risks in different environments. Ex: Emergency room 2 mins vs. private office 180 mins)
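As an added example (not from the slides or The Marblehead Group), an inactivity timeout that terminates the session outright rather than suspending it, with the timeout chosen by where the workstation sits. The location names and the figures other than the slide's ER 2 min and private office 180 min are assumed; the caller supplies a monotonic clock in seconds.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed risk-based timeouts in seconds, keyed by workstation location; the
# slide gives only the emergency room (2 min) and private office (180 min) figures.
TIMEOUTS: Dict[str, int] = {
    "emergency_room": 2 * 60,
    "nursing_station": 15 * 60,
    "private_office": 180 * 60,
}
DEFAULT_TIMEOUT = 5 * 60  # unknown location: fail closed to a short timeout


@dataclass
class Session:
    user: str
    location: str
    last_activity: int  # seconds on a monotonic clock supplied by the caller
    alive: bool = True


class SessionManager:
    """Automatic logoff that terminates the session: the authenticated state is
    dropped, so the user must log in again (a screen-lock 'suspend' keeps it)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._next = 0

    def login(self, user: str, location: str, now: int) -> str:
        sid = f"s{self._next}"
        self._next += 1
        self._sessions[sid] = Session(user, location, now)
        return sid

    @staticmethod
    def timeout_for(location: str) -> int:
        return TIMEOUTS.get(location, DEFAULT_TIMEOUT)

    def _expired(self, s: Session, now: int) -> bool:
        return now - s.last_activity > self.timeout_for(s.location)

    def _terminate(self, sid: str) -> None:
        self._sessions[sid].alive = False

    def touch(self, sid: str, now: int) -> bool:
        """Record activity on a request. A session that idled past its timeout is
        terminated here instead of being silently extended; returns whether the
        request may proceed."""
        s = self._sessions.get(sid)
        if s is None or not s.alive:
            return False
        if self._expired(s, now):
            self._terminate(sid)
            return False
        s.last_activity = now
        return True

    def reap(self, now: int) -> List[str]:
        """Background sweep for sessions with no requests at all; returns the
        ids terminated in this pass."""
        ended = []
        for sid, s in self._sessions.items():
            if s.alive and self._expired(s, now):
                self._terminate(sid)
                ended.append(sid)
        return ended

    def is_alive(self, sid: str) -> bool:
        s = self._sessions.get(sid)
        return s is not None and s.alive
```

The check runs on every request as well as in the sweep, so a request arriving after the idle window is refused even if the sweep has not run yet; that is the difference between terminating a session and merely hiding it.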

Page 27

Explicit Technical Requirements

- Data integrity - suggested mechanisms include
  - check sums
  - double keying
  - message authentication code
  - digital signature (providing message hash...)

(Healthcare organizations may look more closely at software edits. Implement "double keying" in s/w for critical fields?)
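As an added example (not from the slides or The Marblehead Group), three of the integrity mechanisms listed above side by side: a checksum, which catches accidental corruption but which a tamperer simply recomputes; a keyed message authentication code, which a tamperer cannot recompute without the key; and double keying of a critical field. The lab-result record and the shared key are constructed for the example (digital signatures are left out because they need a key pair and a library beyond the standard one).

```python
import hashlib
import hmac
import zlib
from typing import Tuple


def checksum(data: bytes) -> int:
    """CRC32: detects accidental corruption (bit flips, truncation), but anyone
    who alters the data can recompute it, so it is no defense against tampering."""
    return zlib.crc32(data) & 0xFFFFFFFF


def mac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 message authentication code: a valid tag for altered data
    cannot be produced without the shared key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_ok(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, data), tag)  # constant-time compare


def double_key(entry1: str, entry2: str) -> str:
    """Double keying for a critical field: the value is entered twice and the two
    independent entries must agree, or the value is rejected."""
    a, b = entry1.strip(), entry2.strip()
    if a != b:
        raise ValueError(f"double-keyed entries disagree: {a!r} vs {b!r}")
    return a


# Constructed sample: a potassium result and an assumed shared integrity key.
KEY = b"assumed-shared-integrity-key"
RECORD = b"MRN=000123;TEST=K+;VALUE=4.1 mmol/L"


def alter(record: bytes) -> bytes:
    """What a tamperer does: change the result to a dangerous value."""
    return record.replace(b"4.1", b"7.9")


def attack_checksum(record: bytes) -> Tuple[bytes, int]:
    """Tamper, then recompute the checksum; the receiver cannot tell."""
    forged = alter(record)
    return forged, checksum(forged)


def attack_mac(record: bytes, tag: bytes) -> Tuple[bytes, bytes]:
    """Tamper but, lacking KEY, reuse the old tag; the receiver rejects it."""
    return alter(record), tag


def receiver_checksum_accepts(record: bytes, crc: int) -> bool:
    return checksum(record) == crc


def receiver_mac_accepts(record: bytes, tag: bytes) -> bool:
    return mac_ok(KEY, record, tag)
```

The practical reading of the slide's list: checksums belong on storage and transport for error detection, while protecting a record against deliberate alteration needs a MAC (shared key) or a signature (key pair); double keying guards against the operator's own typing errors, which neither of the others can see.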

Page 28

Explicit Technical Requirements

- Protections for data in transit
  - Integrity controls
  - Message authentication
  - Access controls and/or encryption

Page 29

Explicit Technical Requirements

Plus, when in transit over "open" networks:
- Alarms ("signal of abnormality")
- Audit trails
- Entity authentication
- Event reporting (of "operational irregularities in physical elements of network ... or response to occurrence of a significant task, e.g., completion of request for information")
- Encryption

Page 30

Use Standards Wherever You Can Find Them!

HCFA Internet Security Policy (1998) [www.hcfa.gov/security/isecplcy.htm]

Intended for HCFA, but expected to meet HIPAA: minimum encryption standards
- Symmetric: 3DES with 112-bit key
- Asymmetric: RSA-type with 1024-bit key
- Elliptic Curve: 160-bit key
- (Assume AES also acceptable)

Common examples: SSL (3.0+); S/MIME

(These were 1998 minimums; SSL 3.0, 112-bit 3DES and 1024-bit RSA have all since been deprecated by the standards bodies, so treat the list as a floor that has moved, not as a current target.)

Page 31

Explicit Technical Requirements

- Secure remote access
- Protection of "remote access points" and "external electronic communications"

(HIPAA leaves it up to the organization to figure out what this means! But HIPAA does expect firewalls.)

Page 32

Explicit Technical Requirements

- Security event auditing - HIPAA non-specific, but gives the example of logon attempts

(Healthcare organizations will want to audit security parameter changes, security-related events, and other suspicious or unusual activity. Will need tools to do this.)

Page 33

Explicit Technical Requirements

- Security event auditing (cont'd) - Security Rule implies also auditing at the patient level, i.e., internal to the application

(This level of audit is not uncommon in healthcare as a deterrent to "snooping" and includes read-only access. Requires good tools for reviewing the audit log to identify inappropriate patient access.)
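As an added example (not from the slides or The Marblehead Group) covering both of the auditing slides above: a small reviewer for an application audit log that flags the security event HIPAA itself names, repeated failed logons, and the patient-level "snooping" the second slide describes, namely views (reads included) of patients outside the user's care relationship and a user paging through an unusual number of distinct patients. The log format, the sample lines, the care assignments and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample audit log (not real data): one event per line.
SAMPLE_LOG = """\
2001-06-01 08:00:01 LOGON_FAIL user=rn_smith
2001-06-01 08:00:05 LOGON_FAIL user=rn_smith
2001-06-01 08:00:09 LOGON_FAIL user=rn_smith
2001-06-01 08:00:14 LOGON_FAIL user=rn_smith
2001-06-01 08:00:20 LOGON_OK user=rn_smith
2001-06-01 08:05:00 RECORD_VIEW user=rn_smith mrn=1001 mode=read
2001-06-01 08:06:00 RECORD_VIEW user=rn_smith mrn=1002 mode=read
2001-06-01 08:07:00 RECORD_VIEW user=rn_smith mrn=7777 mode=read
2001-06-01 09:00:00 LOGON_OK user=clerk_lee
2001-06-01 09:01:00 RECORD_VIEW user=clerk_lee mrn=1001 mode=read
2001-06-01 09:01:10 RECORD_VIEW user=clerk_lee mrn=1002 mode=read
2001-06-01 09:01:20 RECORD_VIEW user=clerk_lee mrn=1003 mode=read
2001-06-01 09:01:30 RECORD_VIEW user=clerk_lee mrn=1004 mode=read
2001-06-01 09:01:40 RECORD_VIEW user=clerk_lee mrn=1005 mode=read
2001-06-01 09:01:50 RECORD_VIEW user=clerk_lee mrn=1006 mode=read
"""

# Assumed care relationships for the day: which patients each user may view.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "rn_smith": {"1001", "1002"},
    "clerk_lee": {"1001", "1002", "1003", "1004", "1005", "1006"},
}

LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<event>[A-Z_]+) user=(?P<user>\S+)"
                  r"(?: mrn=(?P<mrn>\S+))?(?: mode=(?P<mode>\S+))?$")


def parse(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the review
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(e)
    return events


def failed_logon_bursts(events: List[dict], threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, datetime]]:
    """Security-event audit: users with `threshold` failed logons inside `window`.
    Fires once, at the moment the threshold is crossed."""
    alerts = []
    recent: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["event"] != "LOGON_FAIL":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.pop(0)
        if len(q) == threshold:
            alerts.append((e["user"], e["ts"]))
    return alerts


def snooping(events: List[dict], assignments: Dict[str, Set[str]], volume: int = 5,
             window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, str, datetime]]:
    """Patient-level audit: any view (reads count) of a patient outside the user's
    care relationship, and a user viewing `volume` distinct patients within `window`."""
    alerts = []
    recent: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e["event"] != "RECORD_VIEW":
            continue
        user, mrn = e["user"], e["mrn"]
        if mrn not in assignments.get(user, set()):
            alerts.append(("unassigned_patient", user, mrn, e["ts"]))
        v = recent[user]
        v.append((e["ts"], mrn))
        while e["ts"] - v[0][0] > window:
            v.pop(0)
        if len({m for _, m in v}) == volume:
            alerts.append(("volume", user, str(volume), e["ts"]))
    return alerts
```

In the sample, the nurse's view of MRN 7777 is the classic snooping case (a read, with no care relationship), while the billing clerk is assigned to every patient touched and is flagged only for volume; tuning the volume threshold per role is what keeps that second rule useful rather than noisy.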

Page 34

Explicit Technical Requirements

- System (and network if applicable) certification - can be done internally or externally

(Healthcare organizations will look for guidance on secure configuration of each platform, database, application.)

Page 35

Explicit Technical Requirements

- Disaster recovery/business continuity plan
  - Hardware/software inventory and criticality analysis
  - Backups/restores
  - Plan tested regularly
- Virus protection

Page 36

Optional or Implicit Technical Requirements

- De-identification of data
- Audit of some disclosures
- Limiting access by reason, and depending on voluntary patient authorization
- Amendment of records

Page 37

Implicit Technical Controls

Even though HIPAA doesn't discuss password features, they should be considered implicitly required, e.g.:
- Password minimum length control
- Password aging
- Password stored protected (as a salted one-way hash, not reversibly "encrypted") and never displayed in clear text

Many other security features aren't mentioned, but should be available
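As an added example (not from the slides or The Marblehead Group), the three password controls listed above in one small credential store: a minimum length, aging that turns a correct password into a forced change after a fixed period, and storage as a salted one-way hash that nothing in the store ever returns or prints. The policy numbers, the users and the reference date are assumed for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import Dict

# Assumed policy values; the slide names the controls, not the numbers.
MIN_LENGTH = 8
MAX_AGE = timedelta(days=90)
PBKDF2_ROUNDS = 100_000


class PasswordStore:
    """Keeps only a per-user salt, a PBKDF2-SHA256 hash and the change date.
    The plaintext is never stored, and no method returns or displays it."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def set_password(self, user: str, password: str, now: datetime) -> None:
        if len(password) < MIN_LENGTH:  # minimum length control
            raise ValueError(f"password must be at least {MIN_LENGTH} characters")
        salt = os.urandom(16)           # fresh salt per password: equal passwords hash differently
        self._users[user] = {"salt": salt, "hash": self._derive(password, salt), "changed": now}

    def verify(self, user: str, password: str, now: datetime) -> str:
        """Returns 'ok', 'expired' (correct but aged out, force a change) or 'denied'."""
        rec = self._users.get(user)
        if rec is None:
            self._derive(password, b"\x00" * 16)  # spend the same time for unknown users
            return "denied"
        if not hmac.compare_digest(self._derive(password, rec["salt"]), rec["hash"]):
            return "denied"
        if now - rec["changed"] > MAX_AGE:  # password aging
            return "expired"
        return "ok"

    def __repr__(self) -> str:
        return f"PasswordStore(users={sorted(self._users)})"  # never the secret


T0 = datetime(2001, 6, 1)  # constructed reference date for the sample


def days_after(n: int) -> datetime:
    return T0 + timedelta(days=n)
```

Reporting "expired" separately from "denied" is deliberate: the application should let the user in only far enough to set a new password, and the audit log should record the two outcomes differently.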

Page 38

Healthcare Resources

Page 39

"Common Criteria" - applying ISO standards to healthcare security products

Forum on Privacy and Security in Healthcare [www.healthcaresecurity.org]

"HOST-affiliated, industry group working with the National Information Assurance Partnership (NIAP), a government agency, to provide a wide-based industry view on security issues confronting healthcare"

Page 40

Health/HIPAA Resources

- "For the Record" NRC subcommittee report: www.nap.edu/readingroom/books/for
- EHNAC (Electronic Healthcare Network Accreditation Commission): www.ehnac.org
- AFEHCT (Association for Electronic Health Care Transactions): www.afehct.org
- WEDI (Workgroup for Electronic Data Interchange): www.wedi.org

Page 41

Health/HIPAA Resources

- JHITA (Joint Healthcare IT Alliance): www.jhita.org
- AHIMA (American Health Information Management Association): www.ahima.org
- Health Privacy Project: www.healthprivacy.org
- Congressional bill tracking: thomas.loc.gov

Page 42

Where Are Healthcare Organizations Now?

- Getting educated on HIPAA & infosec
- Getting sr management support & funding
- Getting organizational structure set
- Getting a baseline risk assessment
- Getting an information security officer

Page 43

Contact info:

Kate Borten, CISSP
President, The Marblehead Group
One Martin Terrace
Marblehead, MA 01945
Tel: 781 639-0532
Fax: 781
[email protected]
