HIPAA Security 101 - Iowa Chapter of...


HIPAA Security 101

Speaker

Lorna Waggoner, CHP

Director of Business Development

Certified HIPAA Trainer

September 16, 2015

ecfirst: Compliance & Security

Thousands of clients served since 1999 including: Microsoft, Cerner, HP, State of Utah, PNC Bank, Kaiser & hundreds of hospitals, government agencies, business associates

Agenda

Privacy vs Security

Defining Reasonable and Appropriate

HIPAA Penalties

New Risks for Non-Compliance

Updates from the Final Rule

Defining Security

Where these rules came from

Nothing is 100%

Confidentiality, Integrity and Availability (CIA)

Safeguards, Standards and Implementation Specifications

Required and Addressable

The Big Picture

HIPAA is the acronym for Health Insurance Portability and Accountability Act.

Privacy Rule

Patient’s right over the use and disclosure of his/her own personal health information.

When, how, and to what extent PHI is shared with others.

Patient is guaranteed access to their own information, with certain exceptions.

All forms of PHI are protected: electronic, written, or oral.

Security Rule

Specific measures a Covered Entity must take to protect PHI at a “Reasonable and Appropriate” level from unauthorized breaches of privacy (such as the information being stolen or sent to the wrong person in error).

Measures taken to ensure against the loss of integrity of PHI (such as a patient’s records being lost, changed, or destroyed, either accidentally or maliciously).

Guards against unauthorized disclosure of PHI stored electronically.

Does not cover PHI transmitted or stored on paper, or provided orally.

Civil Penalties

A. Did Not Know
Penalty: Up to $100 fine; as of 2/23/10, up to $25,000.
Civil violation: Single violation of a provision, or can be multiple violations with a penalty of $100 each, as long as each violation is for a DIFFERENT provision.

B. Reasonable Cause
Penalty: New in 2010: $1,000 for each violation; may not exceed $100,000.
Civil violation: Violation was due to reasonable cause and not willful neglect of an identical requirement or prohibition during a calendar year.

C. Willful Neglect but Corrected
Penalty: New in 2010: $10,000 for each violation; may not exceed $250,000.
Civil violation: Violation was due to willful neglect, but corrected, of an identical requirement or prohibition during a calendar year.

D. Willful Neglect Not Corrected
Penalty: Up to $50,000 fine; as of 2/23/10, up to $1.5M.
Civil violation: Multiple violations due to willful neglect, not corrected, of an identical requirement or prohibition made during the same calendar year.

Criminal Penalties

Wrongful disclosure of PHI: Up to $50,000 fine and up to 1 year imprisonment.

Wrongful disclosure of PHI under false pretenses: Up to $100,000 fine and up to 5 years imprisonment.

Wrongful disclosure of PHI under false pretenses to sell, transfer, or otherwise misuse: Up to $250,000 fine and up to 10 years imprisonment.

Recent Fines for Healthcare

$800,000: Medical records left unattended and vulnerable

$1,215,000: Previously leased copier with unencrypted medical information

$1,725,000: Unencrypted laptop computer stolen

$2,250,000: PHI discovered in public dumpsters

$4,800,000: EPHI accessible on internet search engines

2015 Wall of Shame update (ocrportal.hhs.gov)

Breaches affecting 500 or more individuals

July 2015: the federal “Wall of Shame” keeps a tally of major breaches affecting a total of about 200 million individuals since 2009.

■ 70% would not be there if they had encrypted

■ Includes Business Associates involved/culpable

■ 55,000 breaches reported under 500

■ Top 4 Data Breaches:
78.8MM: Anthem (Hacking/IT incident, CE)
11MM: Premera Blue Cross (Hacking/IT incident, CE)
4.9MM: Science Applications International (Loss, BA)
4.5MM: Community Health Systems Professional (Theft, BA)

Cost of Breaches: $10M Settlement, $10K Each Person

● The 2013 Target breach compromised credit/debit card information for 40 M customers

● Target estimated the data breach costs exceeded $252 M (The New York Times)

● Target may face additional fines and penalties from the FTC, SEC, and state attorneys general.

Callouts: $10M settlement, $10K each person; $25M settlement, 280K impacted.

In 2010 they started to talk about part of the monies collected for fines going to the patients for damages.

More Awareness - Bigger Risks!

July 2015: UCLA Health faces lawsuit; class action filed almost immediately after breach revealed.

Talk about an incentive to file a complaint!

The Final Rule

Fine tunes HIPAA

Includes HIOs, PSOs and Subcontractors

Nothing was eliminated

Makes sure HIPAA is current with the changing times

Burden of Proof

Common Criteria for Security

1990’s: These countries worked together: France, Canada, Germany, The Netherlands, United Kingdom and United States.

NIST Standards and health care

National Institute of Standards and Technology (NIST) has been collaborating with industry and others to improve the health care information infrastructure since the 1990’s. NIST IT researchers have an internationally respected reputation for their knowledge, experience, and leadership. Since 2004, NIST has worked closely with the Department of Health and Human Services' Office of the National Coordinator for Health IT (HHS/ONC).

The role of NIST is further articulated in the 2008‐2012 Federal Health IT strategic plan and the Health Information Technology for Economic and Clinical Health (HITECH) Act to:

Advance health care information enterprise integration through standards and testing.

Consult on updating the Federal Health IT Strategic Plan.

Consult on voluntary certification programs.

Consult on health IT implementation.

Provide pilot testing of standards and implementation specifications, as requested.

Defining Security

Having in place: Controls, Countermeasures, Procedures

Asset is anything of value: ePHI

Vulnerability is any weakness that could be exploited: unencrypted laptop, jump drive or email

Threat is a potential violation of security: no policies, untrained employee or disgruntled employee

Security is: minimizing the vulnerability of assets & resources

Defense In-Depth (layers around Critical Info & Vital Assets):

Administrative Safeguards - Written Policies/Training

Physical Safeguards - Building Access

Technical Safeguards - Firewall Systems, IDS/IPS, Identity Management, Encryption

Nothing is 100% Secure

Burden of Proof!

CIA

Confidentiality, Integrity and Availability are the core principles of security.

The wording of the Security Rule designates that a Covered Entity must protect the Confidentiality, Integrity, and Availability of electronic protected health information (EPHI).

Ensuring Confidentiality

Means by which records or systems are protected from unauthorized access.

Implement by: Limiting permissions to a “need to know” basis related to job function.

Allow disclosure privileges only to users who have training and authority to make decisions.

Install reliable authentication methods to identify system users and access control mechanisms to automatically control each employee’s use of medical data.

Ensuring Integrity

Data integrity: Data has not been changed inappropriately, whether by accident or by deliberate, malicious intent.

Source integrity: Did the data come from the person or business you think it did, or did it come from an imposter?

Data or information has not been altered or destroyed in an unauthorized act.

Security backups allow reconstruction of data after a security threat or natural disaster.

Ensuring Availability

Make PHI accessible to an authorized person when wanted and needed.

Implement by: Adding policies and procedures that allow proper personnel to see and use PHI.

Guard against threats to the systems and processes that result in erroneous denial of access or unavailable computer systems.

Have appropriate backups and business continuity plans for operation in the event of an emergency.

Safeguards, Standards, and Implementation Specifications

Hierarchy: SAFEGUARD > STANDARD > Implementation Specifications (ISS). Each Safeguard contains several Standards, and each Standard contains several Implementation Specifications.

“Required”

Required Implementation Specifications are mandatory if your organization is a Covered Entity.

“Addressable” – Option One

Option One for Addressable Implementation Specifications:

1. Assess whether it is a “reasonable and appropriate” safeguard in the unique environment in which you operate.

2. Assess whether it is likely to contribute to protecting the PHI with which you work.

If you answer Yes to BOTH: Implement.

“Addressable” – Option Two

Option Two for Addressable Implementation Specifications:

1. If your answer would be “No, it doesn’t make sense for us to do this because we are too small, the exposure risk is slight, or it would be overkill, …”

2. Document why it is not “reasonable and appropriate” and implement an equivalent method to ensure protection of EPHI.

Three HIPAA Security Domains

Administrative Safeguards for EPHI: Security Mgmt. Process, Sec. Officer, Workforce Security, Info. Access Mgmt., Security Training, Security Incident Proc., Contingency Plan, Evaluation, BACs

Physical Safeguards for EPHI: Facility Access Controls, Workstation Use, Workstation Security, Device & Media Controls

Technical Safeguards for EPHI: Access Control, Audit Control, Integrity, Person or Entity Authentication, Transmission Security

Privacy Rule: “reasonable” safeguards for all PHI

Within each Security Standard are Implementation Specifications.

2 options for Standards: Compliant, Not Compliant

3 options for Implementation Specifications: Compliant, Partially Compliant, Not Compliant

ADMINISTRATIVE SAFEGUARDS

Standards and their Implementation Specifications; (R) = Required, (A) = Addressable

Security Management Process: Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)

Assigned Security Responsibility: (R)

Workforce Security: Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)

Information Access Management: Isolating Health Care Clearinghouse Functions (R); Access Authorization (A); Access Establishment and Modification (A)

Security Awareness and Training: Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)

Security Incident Procedures: Response and Reporting (R)

Contingency Plan: Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedures (A); Applications and Data Criticality Analysis (A)

Evaluation: (R)

Business Associate Contracts and Other Arrangements: Written Contract or Other Arrangement (R)

PHYSICAL SAFEGUARDS

Standards and their Implementation Specifications; (R) = Required, (A) = Addressable

Facility Access Controls: Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)

Workstation Use: (R)

Workstation Security: (R)

Device and Media Controls: Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)

TECHNICAL SAFEGUARDS

Standards and their Implementation Specifications; (R) = Required, (A) = Addressable

Access Control: Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)

Audit Controls: (R) (This means you must maintain a log and keep an audit trail of activity for each system.)

Integrity: Mechanism to Authenticate Electronic Protected Health Information (EPHI) (A)

Person or Entity Authentication: (R) (This means you will control access to systems containing electronic PHI, and maintain a log and audit trail of activity for each system. All workstations should require a password for log-on and additional passwords to access key systems.)

Transmission Security: Integrity Controls (A); Encryption (A)

Break up into Groups

• Scenario 1.

• Scenario 2.

• Scenario 3.

• Scenario 4.

• Scenario 5.

• Scenario 6.

Thank You!

[email protected]: 515-779-6629

Request a Complimentary HIPAA /ISO 27000 Matrix

