Posted: 30-Dec-2015
SECURITY AND eHEALTH

Edward Meyers, Antonio Wilkinson, Dalavone Phothisen
April 3, 2009
OVERVIEW

- Introduction: OIG/OAS
- HIPAA Security Rule
- OIG HIPAA Audits: Summary
- IT Security: Vulnerabilities, Threats/Exploits
- HIT Emerging Issues: Funding, Studies, Data Exchange vs. Data Warehouse
- Demo: Wireless Hack
INTRODUCTION: OFFICE OF THE INSPECTOR GENERAL

MISSION: the mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452 (as amended), is to protect the integrity of Department of Health and Human Services (HHS) programs, as well as the health and welfare of the beneficiaries of those programs. The OIG has a responsibility to report both to the Secretary and to the Congress program and management problems and recommendations to correct them. The OIG's duties are carried out through a nationwide network of audits, investigations, inspections and other mission-related functions performed by OIG components.
INTRODUCTION: OIG ORGANIZATION CHART

Inspector General
- Principal Deputy Inspector General
- Deputy Inspector General for Management & Policy
- Deputy Inspector General for Evaluation and Inspections
- Deputy Inspector General for Audit Services
- Deputy Inspector General for Investigations
- Chief Counsel to the Inspector General
INTRODUCTION: OFFICE OF AUDIT SERVICES (OAS)

Mission: We, the independent auditors for the Department of Health and Human Services (HHS), identify and report ways to improve, through a shared commitment with management, the economy, efficiency and effectiveness of operations and services to beneficiaries of HHS programs.
INTRODUCTION: OAS ORGANIZATION CHART

Deputy Inspector General for Audit Services
- Assistant Inspector General for Centers for Medicare & Medicaid Audits
- Assistant Inspector General for Audit Management & Policy
- Assistant Inspector General for Grants, Internal Activities, and IT Audits
- Assistant Inspector General for Financial Management and Regional Operations
- Regional Inspectors General for Audit Services: Region I, Region II, Region III, Region IV, Region V, Region VI, Region VII, Region IX
HIPAA: SECURITY RULE

- Issued on: February 20, 2003
- Effective Date: April 21, 2003
- Compliance Date: April 21, 2005 (for most); April 21, 2006 (small plans)
- Security Safeguards: Administrative Safeguards, Physical Safeguards, Technical Safeguards
BACKGROUND

Title II of HIPAA
- Sets civil and criminal penalties
- Creates several programs to control fraud and abuse within the healthcare system
- Creates standards for use and dissemination of health care information (Administrative Simplification rules)
- Most Significant: Apply to "covered entities"
CRITERIA

HHS has promulgated final rules for privacy and security of health information and for the enforcement of these rules. (45 CFR Parts 160 and 164)
HIPAA: SECURITY RULE

Standard Specifications
- Required Implementation Specifications (R): Must be adopted and administered
- Addressable Implementation Specifications (A): Flexible, but must perform an assessment to determine reasonableness
- "Covered entities" must document assessments and all decisions
HIPAA: SECURITY RULE

Security should not be confused with Privacy or Confidentiality
- Privacy: refers to the rights of an individual to control his/her personal information without risk of divulging or misuse by others against his or her wishes
- Confidentiality: only becomes an issue when the individual's personal information has been received by another entity. Confidentiality is then a means of protecting this information
- Security: refers to the spectrum of physical, technical and administrative safeguards used for this protection
HIPAA: SECURITY RULE

- Purpose of Safeguards: To ensure integrity and confidentiality of health information and to protect against security breaches and unauthorized use or disclosure of health information (45 CFR Part 164 Subpart C)
- Applicability: To covered entities who engage in standard HIPAA transactions, which includes electronic transactions for plan enrollment, submission of claims or health encounter records, coordination of benefits, and payments; Focuses on ePHI
HIPAA: TECHNICAL SAFEGUARDS

1. Access Control
- A documented procedure for granting emergency access to data
- Provision for unique user IDs
- The optional use of encryption and decryption
- Provision for an automatic logoff after idling for a period of time

2. Audit Controls
- HIPAA requires that every technical system employ logging of information accesses
- The specific mechanism for parsing logins is not specified
- Logs themselves should be protected
HIPAA: TECHNICAL SAFEGUARDS

3. Integrity
- Steps must be taken to ensure that the protected data has not been modified in any unauthorized manner
- Checksums, double keying, message authentication codes and digital signatures are ways of accomplishing this
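The integrity slide lists checksums and message authentication codes side by side; the following added example (not from the presentation) shows why they are not interchangeable: a checksum only catches accidental corruption, while a keyed MAC also catches deliberate modification by anyone who lacks the key. The record, the key and the function names are constructed for illustration.

```python
# Added example, not from the presentation: contrasting a plain checksum with a
# message authentication code (MAC) as an integrity safeguard for an ePHI record.
import hashlib
import hmac
import json
import zlib

# Constructed sample record; the values are placeholders, not real patient data.
SAMPLE_RECORD = {
    "patient_id": "PLACEHOLDER-0001",
    "encounter_date": "2009-04-03",
    "diagnosis_code": "J18.9",
    "attending": "Dr. Example",
}

# Hypothetical integrity key; a real system keeps this in a key store, not in code.
INTEGRITY_KEY = b"example-integrity-key-do-not-use"


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so every party hashes exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum(record: dict) -> int:
    """CRC32 catches accidental corruption, but anyone can recompute it."""
    return zlib.crc32(canonical_bytes(record))


def mac_tag(record: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical bytes; recomputing it requires the key."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def checksum_verifies(record: dict, expected: int) -> bool:
    return checksum(record) == expected


def mac_verifies(record: dict, tag: str, key: bytes) -> bool:
    # compare_digest avoids leaking the tag through timing differences.
    return hmac.compare_digest(mac_tag(record, key), tag)


def tamper_and_verify(record: dict, key: bytes) -> dict:
    """Protect a record both ways, alter it without the key, and see what each check catches."""
    stored_crc = checksum(record)
    stored_tag = mac_tag(record, key)

    altered = dict(record)
    altered["diagnosis_code"] = "Z00.0"  # unauthorized change to clinical content
    forged_crc = checksum(altered)       # the modifier simply refreshes the stored checksum

    return {
        "checksum_accepts_original": checksum_verifies(record, stored_crc),
        "mac_accepts_original": mac_verifies(record, stored_tag, key),
        "checksum_accepts_tampered": checksum_verifies(altered, forged_crc),
        "mac_accepts_tampered": mac_verifies(altered, stored_tag, key),
    }
```

The same canonical-serialization step matters for the digital signatures the slide also mentions: a signature or MAC over non-deterministic bytes fails verification even when the content is unchanged.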
HIPAA: TECHNICAL SAFEGUARDS

4. Person or Entity Authentication
- Organizations must take steps to validate the authenticity of an entity attempting to access data
- Many solutions exist for this (biometrics, passwords, PIN numbers, tokens and telephone callback procedures)
HIPAA: TECHNICAL SAFEGUARDS

5. Transmission Security
- All covered entities must maintain at a minimum:
  - Authenticity of the entity at the other end of the wire
  - Alarms to sense abnormal conditions
  - Auditing to allow the reconstruction of events
  - Event reporting to identify problems
- May use encryption of transmitted data to accomplish these tasks
CIVIL MONEY PENALTIES (Outdated)

Penalties
- Failure to Comply: $100 per failure; $25,000 maximum per calendar year
- Deliberate Violations: Potential Penalties $50,000 - $250,000 and 1-10 years imprisonment
CURRENT OAS WORK

- Primary Focus is the Security Rule
- Exceptions Categories to Date: Access Controls, Audit Controls, Integrity, Person or Entity Authentications, Transmission Security
OIG SUMMARY OF FINDINGS: TECHNICAL SAFEGUARDS

Technical Safeguards Vulnerabilities
- Access Control vulnerabilities
  - Wireless – No encryption or WEP
  - Adequate security settings not applied
  - User Access Levels Not Reviewed
  - Inactive Accounts not disabled or locked
  - User accounts inactive for excessive periods
- Audit Control Vulnerability
  - Server settings for audit logging disabled
OIG SUMMARY OF FINDINGS: TECHNICAL SAFEGUARDS

Integrity Control Vulnerabilities
- Unsupported OS by Manufacturer
- Inconsistently applied security patches
- Computers lacked current antivirus update
- Personal computers and servers lacked current service packs

Transmission Security Vulnerability
- Unencrypted sensitive information on compact discs
OIG SUMMARY OF FINDINGS: PHYSICAL SAFEGUARDS

Physical Safeguard Vulnerabilities
- Uncontrolled access to EPHI
- Deactivated alarm on emergency door

Equipment Control Vulnerabilities
- No computer equipment inventory
- No password protection for computers on portable carts
- No written plan for media disposal
OIG SUMMARY OF FINDINGS: ADMINISTRATIVE SAFEGUARDS

Administrative Safeguard Vulnerabilities
- Contingency plan incomplete
- Backup tapes at risk - once a week offsite
- No backup tape catalogs
IT SECURITY THREATS/EXPLOITS

- Medical identity theft
- Access to medical information for sale/profit
- Theft of equipment
- Environmental and natural disasters
- Internet malware
AMERICAN RECOVERY & REINVESTMENT ACT (ARRA)

- P.L. 111-05, signed February 17, 2009
- Title XIII of Division A comprises the provisions known as HITECH

ARRA (CONT.)
HITECH enacts five components
- The national coordinator of HIT policy
- Est. federal advisory committees (policy & std)
- An expanded role for testing and research: to test and certify HIT, including EHR
- Federal subsidies for promoting and implementing HIT (primarily for states); $17.2 billion of incentive payments for EHR
- Revisions to current privacy and security rules
RECOVERY INCENTIVE PAYMENTS

Section 4101: Incentives for Eligible Professionals
- Purpose: To provide incentives to eligible professionals for meaningful use of certified electronic health records (EHRs)
- For eligible Medicare Professionals. Also, certain MA organizations.

Section 4102: Incentives for Hospitals
- Purpose: To provide incentives to eligible hospitals for the meaningful use of certified EHRs.

Section 4201: Medicaid Provider HIT adoption & operation payments
- Purpose: To provide incentives to eligible Medicaid providers to purchase, implement, and operate certified electronic health record technology.
- The Medicaid definition of eligible professionals is not statutorily defined and includes physicians, dentists, certified nurse-midwives, nurse practitioners, and physician assistants who are practicing in physician-assistant-led FQHCs and RHCs (provided other requirements are met)

Amounts
- Under both Medicaid components, providers can receive up to $64,000 (est.).
- Formulas for the other components
HIT EMERGING ISSUES: FUNDING FOR THE UNFUNDED

Section 4104: Studies and Report on HIT
- Incentive Payments to MA organizations
- EHR Incentive Payments for Providers: providers receiving minimal or no incentive payments (SNF, HHA/Hospice, Labs and non-physicians) will be covered by a study conducted by the Secretary on later inclusion.

STUDY ON OPEN SOURCE HEALTH INFORMATION TECHNOLOGY SYSTEMS
- Availability of open source HIT systems: VA, IHS, AHRQ, HRSA
ARRA: HIPAA PENALTY

Under the new law, the Secretary may impose fines ranging from $100 up to $50,000 for each violation of HIPAA depending on whether a violation was inadvertent, reasonable, or due to willful neglect. The maximum penalty faced by an offender ranges from $25,000 to $1.5 million during a calendar year, again depending upon an offender's culpability.
PRIVACY AND SECURITY

- Security Breach Notification: Establishes a federal security breach notification requirement for health information that is not encrypted or otherwise made indecipherable.
- Business Associates: Are now subject to the same privacy and security rules as providers and health insurers
WHERE DO WE GO FROM HERE?

- Data exchange vs. data warehouse
- Wireless Hack

THE END