Page 1

Copyright 2012 MMIC • All rights reserved STRENGTH. SERVICE. KNOW-HOW. VISION.

Building a Practical and Meaningful

HIPAA Security Program

By: Greg Williams

Security & Compliance

Consultant

[email protected]

Page 2

What is Risk?

• Risk is the potential of losing something of value

Page 3

Slow Pace of Regulation Timeline

(Timeline figure; axis years: 1996, ‘98, 2000, ‘03, ‘05, ‘08, ‘09, ‘10, 2013)

HIPAA signed into Law (1996)

Privacy Rule track:

– Notice of Proposed Rule Making

– Final Rule Published

– Final Modifications Published

– Compliance Deadline

– Interim Rule Modifications (HITECH)

– Final Rule Modifications (HITECH)

Security Rule track:

– Notice of Proposed Rule Making

– Security Standards Published

– Compliance Deadline

– Interim Rule Modifications (HITECH)

– Final Rule Modifications (Omnibus)

Enforcement track:

– Civil Money Penalties Procedures

– Breach Notification

Milestones marked on the axis: HIPAA Becomes Law; Privacy Rule Finalized; Security Rule Finalized; First Resolution Agreement; First Civil Money Penalties; ARRA/HITECH; Final Omnibus Rule

Page 4

Timeline of Compliance Audits

Date            Action Taken
2008 – 2009     CMS HIPAA Compliance Reviews
2012            HIPAA Security audits conducted by KPMG
June 2012       HIPAA Audit Program Protocol released
November 2012   Medicare EHR incentive program audits

Page 5

HIPAA Audit Program Protocol

• Three components:

– Privacy

– Security

– Breach Notification

“OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits.”

Page 6

1996 Technology

Page 7

Missing from the Protocol?

• Smart phones

• Mobile devices

• Personally owned devices

• Portable media

• Data Loss Prevention

• Data Leakage

• Change Control

• Configuration Management

• BYOD

• MDM

• Wireless

• Texting

• Secure Messaging

• Web Portals

• Secure Web Sites

• Routers, switches, firewalls

• Network Scans

Page 8

Also missing

• Biomed or Biomedical Devices

• Cloud

• Remote Access

• Telemedicine

• Social Security Numbers

• Credit Card Numbers – PCI DSS

• Software Licensing

Page 9

Audit Test Procedures

• The three “P’s” to align:

– Perception

– Policy

– Practice

• Policies:

– Updated

– Reviewed

– Approved

• Create the “Book of Evidence”:

– First impressions matter – audits are conducted by humans!

– Proof of compliance

– Speed of response

Page 10

Government Audit

• OCR – Office for Civil Rights

– Our clients may receive a notice from OCR, addressed to their CEO, stating that the organization is scheduled to be audited.

– List of requests – 15 days to respond

– Three types of audits (1,200 for 2014):

• Investigation

– Trigger: reported breach or patient complaint

• Random

– Trigger: not sure how entities get “selected”

• Meaningful Use

– Trigger: entity received incentive money

– In 2014 OCR will conduct surveys of covered entities (CEs) and business associates (BAs)

Page 11

Most Common Areas of Concern

• Risk Assessment (Analysis)

– Should have been doing this since 2005

• Currency/Relevance of Policies and Procedures

• Security Awareness Training

• Workforce Clearance

• Workstation Security

• Encryption

• Business Associate Contracts & Other Agreements

Page 12

Case Example: December 27, 2013

Adult & Pediatric Dermatology, P.C., of Concord, Mass. (APDerm)

• Dermatology practice settles for HIPAA violations

– $150,000 agreed resolution payment

– OCR opened an investigation of APDerm after a report that an unencrypted thumb drive had been stolen from a staff member’s vehicle

– Health information of 2,200 individuals

• First settlement for a violation of the breach notification provisions of the HITECH Act (enacted as part of the American Recovery and Reinvestment Act of 2009, ARRA)

Page 13

Follow-up Requirements

• In addition to the $150,000 resolution amount, the settlement includes a corrective action plan requiring APDerm to:

– develop a risk analysis and a risk management plan to address and mitigate any security risks and vulnerabilities, and

– provide an implementation report to OCR.

Page 14

Copyright 2013 MMIC • All rights reserved

How to Create a Practical & Meaningful

Information Security Program

Page 15

Focus on the 4 “P’s”

Page 16

Risk Management

• Identify Assets

• Risk Analysis

• Plan Remediation

• Create Controls

• Track your risks

Page 17

Policy

• Develop policies and procedures from best practice

– Not a checklist

• Avoid the danger of templates

• Review, Approve, Implement & Track

• Mapped to the organization’s controls

• Empowers audit process

Page 18

Processes

• Develop and Track

• Assign Ownership

• Include vendors in the training

• Create checks/balances

Page 19

Vulnerability Assessment

• Monthly Vulnerability Scan

• Monthly Report with Recommendations

• Update to Risk Management
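The scan, report and update-the-register cycle on this slide, together with the “Track your risks” step of the Risk Management slide, as an added example that is not part of the MMIC deck: a small Python script that diffs two monthly scanner exports, folds them into a risk register, and flags open findings that have passed their remediation target. The CSV layout, the two sample exports, the scan dates and the per-severity remediation targets are all constructed assumptions, not scanner output or MMIC’s figures.

```python
import csv
import io
from datetime import date

# Assumed remediation targets in days per severity; tune to your risk management plan.
REMEDIATION_SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed sample exports for two consecutive monthly scans (not real scanner output).
SCAN_PREVIOUS = """host,finding_id,severity,title
10.10.1.5,F-101,critical,Unsupported operating system
10.10.1.5,F-205,medium,Self-signed TLS certificate
10.10.1.7,F-310,high,Weak TLS cipher suites enabled
10.10.1.9,F-402,low,ICMP timestamp disclosure
"""
SCAN_CURRENT = """host,finding_id,severity,title
10.10.1.5,F-101,critical,Unsupported operating system
10.10.1.7,F-310,high,Weak TLS cipher suites enabled
10.10.1.7,F-315,high,RDP reachable without network level authentication
10.10.1.9,F-402,low,ICMP timestamp disclosure
"""


def parse_scan(csv_text):
    """Index one scanner export as {(host, finding_id): row}."""
    return {(r["host"], r["finding_id"]): r
            for r in csv.DictReader(io.StringIO(csv_text))}


def update_register(register, scan, scan_date):
    """Fold one scan (dated by an ISO string) into the risk register.

    Open entries seen again get last_seen bumped; open entries absent from this
    scan are closed; a finding that reappears after being closed is reopened with
    a fresh first_seen so its remediation clock restarts instead of carrying over.
    """
    scan_date = date.fromisoformat(scan_date)
    for key, row in scan.items():
        entry = register.get(key)
        if entry is None or entry["status"] == "closed":
            register[key] = {"severity": row["severity"], "title": row["title"],
                             "first_seen": scan_date, "last_seen": scan_date,
                             "status": "open"}
        else:
            entry["last_seen"] = scan_date
    for key, entry in register.items():
        if key not in scan and entry["status"] == "open":
            entry["status"] = "closed"
            entry["closed_on"] = scan_date
    return register


def monthly_report(register, as_of):
    """Summarise the cycle ending as_of: new, closed, persisting and SLA-overdue findings."""
    as_of = date.fromisoformat(as_of)
    report = {"new": [], "closed": [], "persisting": [], "overdue": []}
    for key, entry in register.items():
        if entry.get("closed_on") == as_of:
            report["closed"].append(key)
        if entry["status"] != "open":
            continue
        if entry["first_seen"] == as_of:
            report["new"].append(key)
        else:
            report["persisting"].append(key)
        age = (as_of - entry["first_seen"]).days
        target = REMEDIATION_SLA_DAYS[entry["severity"]]
        if age > target:
            report["overdue"].append((key, age, target))
    return {k: sorted(v) for k, v in report.items()}


def run_two_cycles(prev="2013-11-04", cur="2013-12-02"):
    """Process the two constructed exports and return (register, report for the second cycle)."""
    register = {}
    update_register(register, parse_scan(SCAN_PREVIOUS), prev)
    update_register(register, parse_scan(SCAN_CURRENT), cur)
    return register, monthly_report(register, cur)


if __name__ == "__main__":
    register, report = run_two_cycles()
    for key, age, target in report["overdue"]:
        host, fid = key
        print(f"OVERDUE {host} {fid} ({register[key]['severity']}): open {age} days, target {target}")
    for bucket in ("new", "closed", "persisting"):
        print(bucket, report[bucket])
```

The register, not the scan, is the record of risk: a finding that disappears from one scan and returns in the next is treated as a new issue with a new clock, which keeps a flapping host from quietly ageing past its target, and the overdue list is what goes to the security committee each month rather than the raw scan count.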

Page 20

Vendor Management

• Manage Documents or Agreements

– Dates sent / received

• Create Master List

• Verify Controls

• Hosted Controls are Hosted Liability

Page 21

Training

• Make it Fun!

• Make it simple

• Do it often

• Create the Curriculum

• Log the Training

• Test for competency

• Create fire-drills

Page 22

Compliance Mapping

• Create Map of Governance

– HIPAA

– PCI DSS

– Social Security Number Disclosure Act

– Breach Notification

• Logically Group Controls
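As an added example that is not part of the MMIC deck, the following Python builds the governance map this slide asks for and also exercises two earlier slides: the Policy slide’s review, approve and track step and the Audit Test Procedures slide’s “Book of Evidence”. For each control it records the policy that mandates it, when that policy was last reviewed, the evidence an auditor would be shown, and every requirement it satisfies across regimes, then reports uncovered requirements, citations the map does not know, stale policies, controls without evidence, and controls shared across regimes. The controls, dates, evidence file names and the annual review interval are constructed for illustration; the HIPAA and PCI DSS section numbers are given as citations to verify against the rule text, not taken from this deck.

```python
from datetime import date

# Assumption: every policy is reviewed at least annually.
POLICY_REVIEW_INTERVAL_DAYS = 365

# Constructed crosswalk: regime -> requirement id -> short description.
# Section numbers are citations to verify against the rule text, not taken from the deck.
REQUIREMENTS = {
    "HIPAA": {
        "164.308(a)(1)(ii)(A)": "Risk analysis",
        "164.308(a)(5)": "Security awareness and training",
        "164.308(b)(1)": "Business associate contracts",
        "164.312(a)(2)(iv)": "Encryption and decryption",
    },
    "PCI DSS": {
        "3.4": "Render stored PAN unreadable",
        "12.6": "Security awareness program",
        "12.8": "Service provider management",
    },
    "Breach Notification": {
        "164.404": "Notification to individuals",
    },
}

# Constructed control inventory. Each control names the policy that mandates it, that
# policy's last review date, the evidence artefact an auditor would be shown, and
# every (regime, requirement) pair it satisfies.
CONTROLS = [
    {"control": "Annual enterprise risk analysis", "policy": "Risk Management Policy",
     "reviewed": date(2013, 9, 1), "evidence": "risk-analysis-2013.pdf",
     "satisfies": [("HIPAA", "164.308(a)(1)(ii)(A)")]},
    {"control": "Full-disk and removable-media encryption", "policy": "Encryption Standard",
     "reviewed": date(2011, 3, 15), "evidence": "mdm-encryption-status.csv",
     "satisfies": [("HIPAA", "164.312(a)(2)(iv)"), ("PCI DSS", "3.4")]},
    {"control": "Workforce security awareness training", "policy": "Training Policy",
     "reviewed": date(2013, 6, 10), "evidence": None,
     "satisfies": [("HIPAA", "164.308(a)(5)"), ("PCI DSS", "12.6")]},
    {"control": "Vendor agreement master list", "policy": "Vendor Management Policy",
     "reviewed": date(2013, 1, 20), "evidence": "ba-agreement-master-list.xlsx",
     "satisfies": [("HIPAA", "164.308(b)(1)"), ("PCI DSS", "12.8")]},
]


def coverage_gaps(requirements, controls):
    """Requirements that no control claims to satisfy."""
    covered = {pair for c in controls for pair in c["satisfies"]}
    return sorted((regime, rid) for regime, reqs in requirements.items()
                  for rid in reqs if (regime, rid) not in covered)


def unknown_citations(requirements, controls):
    """Controls citing a requirement the crosswalk does not define (a typo or a stale map)."""
    return sorted((c["control"], regime, rid) for c in controls
                  for regime, rid in c["satisfies"]
                  if rid not in requirements.get(regime, {}))


def stale_policies(controls, as_of, interval_days=POLICY_REVIEW_INTERVAL_DAYS):
    """Policies not reviewed within the interval; currency of policies is a common audit finding."""
    return sorted(c["policy"] for c in controls
                  if (as_of - c["reviewed"]).days > interval_days)


def missing_evidence(controls):
    """Controls with nothing to hand an auditor."""
    return sorted(c["control"] for c in controls if not c["evidence"])


def shared_controls(controls):
    """Controls satisfying more than one regime: one piece of evidence answers several audits."""
    return sorted(c["control"] for c in controls
                  if len({regime for regime, _ in c["satisfies"]}) > 1)


def book_of_evidence(as_of, requirements=REQUIREMENTS, controls=CONTROLS):
    """Build the report for an ISO date string; the security committee reviews this each cycle."""
    as_of = date.fromisoformat(as_of)
    return {
        "gaps": coverage_gaps(requirements, controls),
        "unknown_citations": unknown_citations(requirements, controls),
        "stale_policies": stale_policies(controls, as_of),
        "missing_evidence": missing_evidence(controls),
        "shared_controls": shared_controls(controls),
    }


if __name__ == "__main__":
    for section, items in book_of_evidence("2013-12-27").items():
        print(section)
        for item in items:
            print("  ", item)
```

Grouping controls by the requirements they satisfy is what makes the map useful in an audit: the encryption control answers both the HIPAA and PCI DSS questions with the same evidence file, while the gap list shows the breach notification requirement has no control behind it at all, and the stale-policy list catches a standard that has not been reviewed since 2011 even though its control is in place.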

Page 23

Incident Tracking

• Issues = Good Learning

• Create a good form

• Document all issues

• Use as Training Tools

Page 24

Audit

• Assess controls for effectiveness

• Show evidence

• Create Corrective Actions

• Technical and Non-Technical

• Include Vendors

Page 25

Services Process (cycle diagram): Assess -> Plan -> Remediate -> Controls -> Communicate -> Train -> Monitor

Security Committee

• Risk

• Policy & Process

• Vulnerability

• Vendor

• Training

• Compliance

• Incident

• Audit

Page 26

Changing Controls

What does tomorrow bring?

Page 27

Page 28

Page 29

Page 30

Page 31

Questions? Greg Williams

Security & Compliance Consultant

952-838-6778 [email protected]