  • Watch List: 2021 Privacy and Security Trends

    Anthony Murray, CISSP

    Rita Bowen, MA, RHIA, CHPS, SSGB

    12/15/2020 © 2020 MRO. All rights reserved. 1

  • Click below to listen to the recording: https://info.mrocorp.com/webinar/2020/pt5/recording

  • Today’s Speakers

    Anthony Murray
    Chief Information Officer, ISSO

    Stephanie Kindlick
    Sr. Director of Marketing & Host

    Rita Bowen
    VP of Privacy, Compliance and HIM Policy

  • Housekeeping

    • All attendees are on mute
    • At the end of today’s presentation, we will have time for live Q&A
    • Please use the Q&A feature throughout the presentation to submit your questions for our experts
    • Webinar pre-approved by AHIMA for 1 CEU
    • Participants who were unable to attend the live presentation will still receive 1 CEU
    • Certificates of completion are not required; the presentation will be an option in your AHIMA CEU portal
    • We are recording this webinar and will send the playback along with a survey
    • We appreciate your feedback
    • Did you miss earlier sessions of our 2020 webinar series? Request playback at: https://info.mrocorp.com/webinar/2020

  • About MRO

  • MRO Overview

    • 2nd Largest Disclosure Management Provider
    • #1 KLAS Category Leader for 7 Years in a Row
    • Company Established in 2002

  • Meet Today’s Speakers

  • Anthony Murray, CISSP

    Chief Information Officer – Security Officer

    In his role as Chief Information Officer, Murray oversees MRO’s strategic initiatives related to technology, security and system design required to efficiently and securely exchange PHI, while delivering Best in KLAS innovation for our clients. Murray, a Certified Information Systems Security Professional (CISSP), also serves as the company’s Information Systems Security Officer (ISSO). He has over 20 years of experience in IT supporting the healthcare vertical, including Release of Information, clinical manufacturing and pharmaceuticals.

  • Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB

    VP, Privacy, Compliance and HIM Policy, MRO

    In her role as Vice President of Privacy, Compliance and HIM Policy, Bowen ensures new and existing client HIM policies and procedures are up to code. Bowen also serves as the company’s Privacy and Compliance Officer (PCO), assuring timely reporting of any disclosure incident. She is also responsible for reviewing legislation to assure industry response and compliance within MRO. Bowen has more than 40 years of experience in Health Information Management (HIM), holding a variety of HIM director and consulting roles. Bowen currently sits on The Sequoia Project Board of Directors and is an active member of the American Health Information Management Association (AHIMA). She served as AHIMA President and Board Chair, as a member of the Board of Directors for six years, and on the Council on Certification for three years. Bowen has also served on the AHIMA Foundation Board of Directors, including as its Board Chair. She has been honored with AHIMA’s Triumph Award in the mentor category and is the recipient of the Distinguished Member Award from the Tennessee Health Information Management Association (THIMA). Bowen is an established author and speaker on HIM topics and has taught HIM studies at Chattanooga State and the University of Tennessee Memphis. Bowen holds a Bachelor of Medical Science degree from Emory University in Atlanta, GA, with a focus in medical record administration, and a Master’s degree in Health Information/Informatics Management Technology from The College of St. Scholastica in Duluth, MN.

  • Agenda

    • What is
      • HIPAA
      • Patient Access
      • Associated Penalties
    • What might we expect to see in 2021
      • Patient Identifier
      • Interoperability
      • Telemedicine
      • HIPAA 2.0
    • Security
      • Recent OCR Examples
      • The COVID Effect
        • Telehealth Boom: on track to top 1 billion visits by end of 2020
        • Remote Workforce: 40-50% work from home in some capacity
        • March to the Cloud
      • Increase in Ransomware: volume and extortion
      • Complexity of Attacks
      • A look at 2021

  • What is the HIPAA Privacy Rule, Patient Access Requirements, and Associated Penalties?

  • HIPAA

    • The HIPAA Privacy Rule was issued by the US Department of Health and Human Services (HHS).
    • The Privacy Rule restricts how individually identifiable health information may be used and disclosed.
    • This type of information is referred to as protected health information (PHI).

    https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

  • The Right of Access Initiative

    • This enforcement initiative protects the rights of patients who want copies of their medical records promptly and without being overcharged.
    • It responds to a long-standing criticism of HIPAA: that it is too complex and expensive for individuals to obtain their own medical records.
    • In practice, it means the Office for Civil Rights (OCR) will continue to clamp down on organizations that do not meet the right of access requirements.
    • To avoid penalties, review your policies that relate to the right of access and ensure that your fees and delivery timelines meet the regulation.

  • HHS’ OCR announced its 18th HIPAA financial penalty of the year, and the 12th under its HIPAA Right of Access enforcement initiative

    • In 2019, OCR announced an initiative to ensure individuals are given timely access to their health records at a reasonable cost.
    • The latest financial penalty, $65,000, was imposed on the University of Cincinnati Medical Center, LLC (UCMC). It stemmed from a complaint OCR received on May 30, 2019 from a patient who had asked UCMC on February 22, 2019 for an electronic copy of the medical records maintained in UCMC’s electronic health record system to be sent to her lawyer.

  • Other Nuances of HHS OCR Cases

    • Requiring a full HIPAA authorization form for what was a patient access request
    • Not releasing health records that are part of the Designated Record Set (DRS)
    • Not providing the diagnostic films that the individual specifically requested
    • Failure to forward a patient’s medical record in electronic format to a third party
    • A personal representative (P.R.) was denied access
    • Psychiatric records withheld from the patient and/or P.R.

  • Non-Compliance Penalties Rise

    • The amount that can be charged per violation has risen significantly, and there is now an annual cap for each violation category.
    • The maximum per-violation penalties for the four tiers are:
      • Tier 1 - $58,490
      • Tier 2 - $58,490
      • Tier 3 - $58,490
      • Tier 4 - $1,754,698
    • The maximum annual cap for each of the four tiers is now $1,754,698. With penalties this high, organizations should review their procedures and policies now to ensure they meet the standards set out by HIPAA.

    https://www.law360.com/articles/1315033/the-crushing-cost-of-hipaa-security-rule-noncompliance

  • What might we expect to see in 2021

  • New Patient Identifier for Medicare Patients

    • A national patient identifier is a unique identification number assigned to each patient so that healthcare providers can match records to the right person.
    • This has been on the cards since the early days of HIPAA in 1996; however, for various reasons it has never come to pass.
    • In June 2019, the House of Representatives voted to lift the appropriations ban that had blocked HHS from funding a national patient identifier. The reason? To overcome difficulties in patient matching so that medical errors and misidentification can be reduced.

  • New Patient Identifier for Medicare Patients

    • The move toward a national patient identifier was supported by AHIMA and AHIOS, along with other national associations.
    • While there was plenty of support for the legislation, it was not without criticism. Senator Rand Paul argued that a national patient identifier could threaten the privacy of patients.
    • HIPAA already defines 18 identifiers that make health information individually identifiable, covering everything from email addresses and Social Security numbers to biometric identifiers.

  • Interoperability - Intake for Requests

    • Intake Process
    • Timing Requirements
    • Review State Laws that may supersede
    • Review the published 49 examples of Information Blocking

    Internal Review - Referral for Portal to assure Information Blocking does not occur

  • Exceptions to Information Blocking

    • A practice that may be permitted if applicable
    • Each exception has various elements that must be considered
    • Analyze any act or omission that interferes with the exchange or use of PHI

    [Flowchart: If this → Then this → Outcome]

  • HIPAA 2.0

    • There is a great deal of uncertainty about exactly how the current global healthcare crisis will play out. As such, the HIPAA Privacy Rule will no doubt need to adapt further as 2021 progresses.
    • Will it resemble GDPR?
    • Or potentially CCPA?
    • HIPAA needs a face lift… hopefully it isn’t just fillers with no real substantive changes.
    • It is essential that all organizations that handle medical records keep up to date with the HIPAA rules and comply with them to the letter.

    Rumor has it…

  • Security

  • Cyber 2020 - 2021

    • Recent OCR examples
    • The COVID Effect
      • Telehealth Boom: on track to top 1 billion visits by end of 2020
      • Remote workforce: 40-50% work from home in some capacity
      • March to the Cloud
    • Increase in Ransomware: volume and extortion
    • Complexity of attacks
    • A look at 2021

    2020 in Review and what may come

  • Office for Civil Rights: Security Enforcement

  • Office for Civil Rights

    • 9/25/2020 - Premera Blue Cross, the largest health plan in the Pacific Northwest ($6.85 million settlement; breach affected over 10.4 million people)
      • Cyber-attackers gained unauthorized access to its IT systems using a phishing email
      • OCR found failure to conduct an enterprise-wide risk analysis and failure to implement risk management and audit controls
    • 9/23/2020 - CHSPCS LLC, a business associate ($2.3 million settlement)
      • Cyber-attackers used compromised administrative credentials to remotely access PHI through the VPN
      • OCR found longstanding noncompliance with the HIPAA Security Rule: risk analysis, information system activity review, security incident procedures and access controls
      • Additional source: the related Community Health Systems $5 million multi-state settlement
    • 9/21/2020 - Athens Orthopedic Clinic (GA) ($1.5 million settlement)
      • June 28, 2016: a hacker contacted Athens demanding money for the database
      • Athens determined the hacker had used vendor credentials to access the EMR and obtain PHI during this period
      • OCR found longstanding noncompliance with the HIPAA Privacy and Security Rules: risk analysis, implementing risk management and audit controls, maintaining policies and procedures, securing BAAs, and providing workforce training

    Security Enforcement

    https://www.hhs.gov/about/news/2020/09/25/health-insurer-pays-6-85-million-settle-data-breach-affecting-over-10-4-million-people.html
    https://www.hhs.gov/about/news/2020/09/23/hipaa-business-associate-pays-2.3-million-settle-breach.html
    https://www.hipaajournal.com/community-health-systems-pays-5-million-to-settle-multi-state-breach-investigation/
    https://www.hhs.gov/about/news/2020/09/21/orthopedic-clinic-pays-1.5-million-to-settle-systemic-noncompliance-with-hipaa-rules.html

  • The COVID Effect

    [Image: Google search results for “Social Distancing”]

  • What is Telehealth?

    • The use of electronic information and telecommunications technologies to support long-distance clinical healthcare, patient and professional health-related education, public health, and health administration.
    • Telehealth applications include:
      • Live (synchronous) videoconferencing: a two-way audiovisual link between a patient and a care provider.
      • Store-and-forward (asynchronous) transmission: a recorded health history sent to a health practitioner, usually a specialist, for later review.
      • Remote patient monitoring (RPM): the use of connected electronic tools to record personal health and medical data in one location for review by a provider in another location, usually at a different time.
      • Mobile health (mHealth): health care and public health information provided through mobile devices. The information may include general educational information, targeted texts, and notifications about disease outbreaks.

  • Telehealth IT Management

    • Regulations and Guidelines
      • OCR announced it will not impose penalties for HIPAA noncompliance in the good-faith provision of telehealth during the national public health emergency. That time is ending.
    • Policy and Procedure Needs
      • Business Associate Agreements
      • Remote Access and Confidentiality Agreement
      • Downtime procedures
      • Risk Assessment
    • Legislation Changes
      • Protecting Access to Post-COVID-19 Telehealth Act
      • KEEP Telehealth Options Act
    • Education and Training
    • Remote Workforce Check-Ups
      • Rebooting / applying updates
      • MFA
      • Smart devices
      • Secure communications
      • Additional threats

  • Threats and Mitigation

    • Threats and Mitigations
      • Access points / identity management
      • Cloud migration
      • Endpoint security and patching
      • Corporate firewalls
      • At-home work areas
      • Asset inventory / management
      • BYOD
      • Bob
      • Education
      • Emerging threats

    Remote Workforce

  • Ransomware/Threats

  • Ransomware

    • What is ransomware?
      • CISA: Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.
    • Players (bad actors)
      • Nation-state, eCrime, hacktivists
      • Motivators: espionage, financial, and others
    • Types of attack
      • Malware: the simple case, where a malicious file is written to disk
      • Malware-free: the attack did not begin with a file-based payload; stolen credentials are leveraged for remote logins using known, legitimate tools
    • Tactics
      • Not just us moving to the cloud
      • RaaS (Ransomware as a Service)
      • MaaS (Malware as a Service): ransomware modules
      • DaaS (Download as a Service): banking trojans
    • Strains
      • Ryuk, REvil, Dharma (ransomware); Emotet, Smoke Bot, GetandGo Loader (malware)

  • Crowdstrike Global Threat Report 2020

  • Motivation

    Source: IBM / Ponemon Cost of a Data Breach Report 2020

  • Ransomware

    • What does this all mean?
      • The number of ransomware attacks is increasing, and the demands are higher
      • The bad actors are working together
      • The complexity of attacks is increasing
    • New dimension to ransomware
      • Originally: encrypt for ransom
      • Now: exfiltration of the data is occurring as well
      • Targeted approach to attacks
    • October 28, 2020: joint CISA/FBI/HHS Alert (AA20-302A), Ransomware Activity Targeting the Healthcare and Public Health Sector

    2020

  • Preparedness

    People, Policy not just technology

  • Beyond Ransomware

    Source: IBM / Ponemon Cost of a Data Breach Report 2020

    • Ransomware makes the headlines
    • Breaches still occur without ransomware

  • Ransomware

    • Back up (3-2-1: three copies of the data, on two different media, with one copy offsite)
    • Risk analysis
    • Training and education
      • Phishing simulation and social engineering awareness
      • Training for your technology teams
    • Patching and vulnerability management
    • Follow endpoint and server hardening guides
    • Have a plan, test the plan (incident response / business continuity)

    Best Practices

    • Be aware of the threat landscape
    • Educate, and implement newer technologies
    • Apply automation to your response techniques
    • Locks are great, but know what’s moving on your network
    • Adopt zero trust principles
    • MFA: seriously, just do it
    • Third parties and risk management
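    The CHSPCS and Athens cases earlier in the deck turn on the same two failures: remote logins with compromised administrative or vendor credentials, and no information system activity review that would have noticed them. The script below is an added example written for this page (it is not MRO’s code and did not appear in the webinar) showing what a minimal review of VPN sign-in logs looks like: it flags successful logins without MFA, logins from a source IP the account has never used before, and a success that follows a burst of failures. The log format, the account-name prefixes that mark privileged and vendor accounts, the known-IP baseline and the log lines themselves are all constructed for the example.

```python
"""Minimal information-system activity review over VPN sign-in logs.

Added example for this page; the log format, account naming convention,
known-IP baseline and sample lines below are constructed, not taken from
any real system."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (assumed format: timestamp user ip result mfa).
SAMPLE_LOG = """\
2020-09-01T08:02:11Z user=jdoe ip=203.0.113.10 result=success mfa=yes
2020-09-01T08:05:40Z user=admin-ehr ip=198.51.100.7 result=success mfa=yes
2020-09-01T22:14:03Z user=admin-ehr ip=192.0.2.55 result=failure mfa=no
2020-09-01T22:14:09Z user=admin-ehr ip=192.0.2.55 result=failure mfa=no
2020-09-01T22:14:15Z user=admin-ehr ip=192.0.2.55 result=failure mfa=no
2020-09-01T22:14:21Z user=admin-ehr ip=192.0.2.55 result=success mfa=no
2020-09-02T09:00:00Z user=vendor-svc ip=203.0.113.99 result=success mfa=no
this line is malformed and is skipped by the parser
"""

# Source IPs each account has used before (assumed baseline; in practice
# this is built from historical logs rather than hard-coded).
KNOWN_IPS = {
    "jdoe": {"203.0.113.10"},
    "admin-ehr": {"198.51.100.7"},
    "vendor-svc": {"203.0.113.99"},
}

# Assumed naming convention: these prefixes mark privileged and vendor accounts.
PRIVILEGED_PREFIXES = ("admin-", "vendor-")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$"
)


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    success: bool
    mfa: bool


def parse_log(text):
    """Parse log lines into Events, skipping anything that does not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            user=m["user"],
            ip=m["ip"],
            success=m["result"] == "success",
            mfa=m["mfa"] == "yes",
        ))
    return events


def review(events, known_ips, privileged_prefixes=PRIVILEGED_PREFIXES,
           window=timedelta(minutes=5), failure_threshold=3):
    """Return a list of (rule, user, detail) findings, in time order.

    Rules:
      no_mfa                 successful login without a second factor
      new_source_ip          success from an IP the account has not used before
      success_after_failures success preceded by >= failure_threshold failures
                             within `window` (password guessing / spraying)
    """
    findings = []
    failures = defaultdict(list)  # user -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.success:
            failures[ev.user].append(ev.ts)
            continue
        privileged = ev.user.startswith(privileged_prefixes)
        if not ev.mfa:
            findings.append(("no_mfa", ev.user,
                             f"{ev.ip} privileged={privileged}"))
        if ev.ip not in known_ips.get(ev.user, set()):
            findings.append(("new_source_ip", ev.user, ev.ip))
        recent = [t for t in failures[ev.user] if ev.ts - t <= window]
        if len(recent) >= failure_threshold:
            findings.append(("success_after_failures", ev.user,
                             f"{len(recent)} failures in {window}"))
        failures[ev.user].clear()  # a success closes the failure burst
    return findings


def review_sample():
    """Run the review over the constructed sample log."""
    return review(parse_log(SAMPLE_LOG), KNOWN_IPS)


if __name__ == "__main__":
    for rule, user, detail in review_sample():
        print(f"{rule:24} {user:12} {detail}")
```

    On the sample data the admin-ehr login at 22:14:21 trips all three rules at once, which is the shape of the CHSPCS scenario: a privileged account, a new source address, no second factor, and a password-guessing burst immediately before. The vendor-svc line trips only the MFA rule, which is the point of “MFA: seriously, just do it”: with MFA enforced on the VPN, a stolen password alone does not produce a success line at all, and the review has far less to find.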

  • 2021 Predictions - What we could see

    Benefits
    • 5G networking
      • Always on, fast speeds, low latency, greater number of connected devices
    • Investments in cyber technology
      • AI/ML is an increasingly powerful tool for threat detection and response (AI-based playbooks)
      • Multi-perimeter monitoring: cloud, endpoints, and the traditional network
      • Augmenting staff with MSPs to close skill gaps
    • AI/ML will continue to be applied to solve broader problems and to improve workflows and quality
    • Hyperautomation
    • Quantum computing will continue to mature and find ways to solve big problems
    • Privacy regulations will continue to evolve to try to protect personal data

    Threats
    • 5G networking
      • Bad actors will find ways to leverage the power of 5G to find new attack surfaces and compute power
    • Remote workforce
      • Bad actors will continue to live on the borders
    • Ransomware
      • Bad actors will continue to monetize their activities and escalate threats
      • AI/ML will continue to be implemented in the attack chain
    • Identity management
      • “Every Service Without MFA Will Suffer a Breach” (WatchGuard)

  • Summary

    • Assure your P&Ps are updated
    • Update your DRS
    • Stay alert to HHS-OCR settlements
    • Watch for new HIPAA updates
    • A newfound focus regarding patient access
    • OCR’s settlements: read and understand them
    • Don’t get distracted by seemingly low dollar figures
    • If OCR reaches out, don’t ignore it
    • Make sure staff understand HIPAA
    • Understand your current threats
    • Look to new technologies, but people are still key
    • Follow the best practices and deploy the best you have

  • Thank You!

    Anthony Murray, CISSP
    Chief Information Officer, ISSO
    MRO Corporation
    [email protected]
    LinkedIn: https://www.linkedin.com/in/anthony-murray-3348b6b/

    Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB
    Vice President, Privacy, Compliance, HIM Policy
    MRO Corporation
    [email protected]
    Office: 610-994-7500 x1526
    LinkedIn: https://www.linkedin.com/in/rita-bowen-74206012/

  • Resources

  • Security

    • https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf
    • https://www.ibm.com/account/reg/us-en/signup?formid=urx-46542
    • https://www.watchguard.com/wgrd-resource-center/cyber-security-predictions-2021
    • https://content.fireeye.com/predictions/rpt-security-predictions-2021
    • https://www.appviewx.com/blogs/top-10-cyber-security-trends-to-watch-out-for-in-2021/
    • https://cyberriskleaders.com/cyber-security-predictions-for-2021-securing-the-next-normal-check-point-software/
    • https://www.crowdstrike.com/resources/reports/2020-crowdstrike-global-threat-report/
    • Rethink the Security and Risk Strategy E-Book (gartner.com): https://www.gartner.com/en/publications/rethink-security-risk-strategy-ebook
    • https://symantec-enterprise-blogs.security.com/blogs/feature-stories/symantec-2021-cyber-security-predictions-looking-toward-future
    • https://www.stealthlabs.com/blog/top-10-cybersecurity-trends-in-2021-and-beyond/
    • https://www.beyondtrust.com/blog/entry/top-cybersecurity-trends-to-watch-in-2021
    • https://www.fortinet.com/blog/threat-research/new-cybersecurity-threat-predictions-for-2021
    • https://securityscorecard.com/blog/6-cybersecurity-trends-predictions-for-2021