HIPAA HITECH Solutions…Not Theory April 27, 2010 Risk Assessment Policies and Procedures Email Encryption Breach Notification Plans


Page 1: HIPAA HITECH Solutions…Not Theory · • The HIPAA Security Rule went into effect in April ... Risk Assessment –45 CFR Part 164.308 (HIPAA) - Required for Meaningful Use Funding

HIPAA HITECH Solutions…Not Theory April 27, 2010

Risk Assessment

Policies and Procedures

Email Encryption

Breach Notification Plans

Page 2

HIPAA HITECH Solutions…Not Theory

Consulting Rebecca Herold [email protected] www.rebeccaherold.com

Risk Assessment Jack Kolk [email protected] www.acr2solutions.com

Policies and Procedures

Jack Anderson [email protected] www.compliancehelper.com

Email Encryption John Nail [email protected] www.radarmail360.com

Breach Notification Jeremy Henley [email protected] www.idexpertscorp.com

Page 3

Page 1 © Rebecca Herold. All rights reserved.

Agenda

• HIPAA / HITECH Quick Overview

• Experiences

• Requirements and common risks and problems

Page 4


HIPAA is…

• On August 21, 1996, the U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA).

• The HIPAA Privacy Rule went into effect in April 2001, and gave covered entities (CEs) two years to meet compliance.

• The HIPAA Security Rule went into effect in April 2003 and CEs had until April 2005 to get into compliance.

Page 5


HITECH is…

• The Health Information Technology for Economic and Clinical Health Act (HITECH) significantly expanded the reach of the HIPAA Privacy Rule and Security Rule, along with the corresponding penalties.

• HIPAA now applies to CE business associates (BAs) directly.

• HITECH includes a statutory obligation for BAs to comply with HIPAA.

• HITECH also increased the penalties for HIPAA violations.

• HITECH also requires PHI breach notification, which was not part of the original HIPAA rules.

Page 6


All BAs Must Comply!

• BAs of all sizes must comply with ALL the HIPAA Security Rule & Privacy Rule and HITECH requirements

• BAs that violate the security and privacy provisions of HIPAA are subject to the same civil and criminal penalties as a covered entity

• Each security and privacy requirement in the HITECH Act that is applicable to a CE is also applicable to a BA and should be included in a BA contract

Page 7


Experiences

• As an information security and privacy officer for a large healthcare insurer / financial organization: big problems with brokers and agents

• ~200 business partner information security and privacy program reviews, big problems during business associate, partner and vendor reviews

Page 8


Common Risks & Problems (1)

No documented assigned responsibilities

Page 9


Common Risks & Problems (2)

No documented policies, procedures, forms

Page 10


Common Risks & Problems (3)

No training or awareness communications

Page 11


Common Risks & Problems (4)

No compliance monitoring

Page 12


Common Risks & Problems (5)

Non-compliance with contractual obligations

Page 13


Common Risks & Problems (6)

Un-secure disposal

Page 14


Common Risks & Problems (7)

Inappropriate sharing and subcontracting

Page 15


Common Risks & Problems (8)

No documented incident or breach response plans

Page 16


Common Risks & Problems (9)

Lack of logs and documentation

Page 17


Common Risks & Problems (10)

No mobile computing controls

Page 18


Common Risks & Problems (11)

No use of encryption

Page 19


Common Risks & Problems (12)

No Business Continuity / Disaster Recovery Plans

Page 20


Word To The Wise…Compliance is not a one-time event…

All CEs *AND* BAs must meet, and continuously stay in, compliance with all HIPAA and HITECH requirements or face stiff noncompliance remediation requirements, penalties, fines or even jail time!

Don’t be foolish, maintain compliance!

Page 21

Contact Information

Rebecca Herold & Associates, LLC, “The Privacy Professor”®

1408 Quail Ridge Avenue

Van Meter, Iowa 50261

Phone 515-996-2199

Web sites: www.theprivacyprofessor.com

www.compliancehelper.com

Blog: www.realtime-itcompliance.com

Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI

[email protected]

TwitterID: http://twitter.com/PrivacyProf

Page 22

ACR 2 Solutions, Inc.

Simplifying Information Security Compliance

Automating Risk Assessments using the Risk Reporter Family

Lower your TCO

Meet your requirements in a fraction of the time previously required

Page 23

About ACR 2 Solutions

Focused on enterprise level real-time risk management software

Simple, elegant, easy to use compliance solutions.

Tools to support regulatory laws and regulations such as: FISMA, GLBA, HIPAA, NAIC, NERC and PCI DSS.

Risk and Compliance solutions for public, private, and government organizations.

Risk and Compliance solutions that lower the total cost of (Information Security) Compliance (TCC).

Page 24

• Definitions and Relationships of Terms

Diagram (reconstructed as a chain): a threat source gives rise to a Threat, which exploits a Vulnerability, which leads to Risk, which can damage an Asset and cause an Exposure, which can be counter-measured by a Safeguard, which directly affects the Threat.

Terms: Threat, Vulnerability, Risk, Safeguard, Exposure, Asset

Relationships: gives rise to; exploits; leads to; can damage; and cause an; can be counter-measured by a; directly affects

Page 25

Risk Assessment

Definition of Risk

“Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence.” (NIST 800-30, page 1)

Page 26

Risk Assessment - 45 CFR Part 164.308 (HIPAA) - Required for Meaningful Use Funding

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information…

GLBA, FISMA, PCI, Sarbox have similar requirements

Page 27

Calculation of Risk - NIST 800-30

Risk Score (1-100) = Probability Score (0.1-1.0) x Impact Score (10-100)

Probability = F (Threat Source, Vulnerabilities, Safeguards and IPS/AV Metrics)

Impact = F (Data Value, Vulnerabilities and Safeguards)

Page 28

Manually Assess Risk - 1500 hours training, 30-60 hours/site baseline, 5-15 hours/update

Page 29

How Does it Work?

Three types of input to a risk assessment:

Management Data

Policy Data

Technical Controls

Technical Controls are the most difficult input to answer: 630+ settings on every Windows machine, multiplied by the number of machines

SCAP Vulnerability Scanners

UTM / IPS / Firewall Syslogs

Generate the Compliance Reports

Use the ‘Gap’ report to prioritize remediation and put safeguards in place

Page 30

Introducing Risk Reporter: Single Site Risk Assessment

Page 31

Introducing Risk Reporter

Enterprise Version

Page 32

ACR2 Megaprise Version: allows management of multiple Enterprise accounts

Megaprise viewing of multiple enterprise accounts

Page 33

Automated Risk Assessment

Page 34

Automated Risk Assessment

Page 35

Scan typical workstations and upload SCAP data: 0.5 hours

Input policy data: 3.5 hours

Page 36

Page 37

Page 38

Input UTM Data: 0.5 hours

Request Assessment Report: 0.1 hour

Page 39

Risk Scores Listed 1-100 (800-30, p25)

Calculated Risk Scores Table

ID    Threat Source        Vulnerability             Likelihood  Impact  Baseline Score
E1    Wind                 Roof damage               M           M       25
E2    Fire                 Smoke damage              M           M       25
E3    Flood                Facility damage           M           M       25
E4    Power loss           Loss of operations        M           M       25
E5    Power loss           Damage to building        M           M       25
E6    Vehicle collision    Facility damage           M           M       25
HE1   Human error          Data acquisition          M           M       25
HE2   Human error          Data storage              M           M       25
HE3   Human error          Data retrieval            M           M       25
HE4   Human error          Data modification         M           M       25
HE5   Human error          Data transmission         M           L       25
HE6   Human error          System design             M           M       5
HE7   Human error          Procedure implementation  M           M       25
HE8   Human error          Internal controls         M           M       25
MI1   Malicious insider    Data acquisition          M           M       25
MI2   Malicious insider    Data storage              M           M       25
MI3   Malicious insider    Data retrieval            M           M       25
MI4   Malicious insider    Data modification         M           M       25
MI5   Malicious insider    Data transmission         M           H       25
MI6   Malicious insider    System design             M           M       50
MI7   Malicious insider    Procedure implementation  M           M       25
MI8   Malicious insider    Internal controls         M           H       25
MO1   Malicious outsider   Data acquisition          M           H       50
MO2   Malicious outsider   Data storage              M           H       50
MO3   Malicious outsider   Data retrieval            M           H       50
MO4   Malicious outsider   Data modification         M           H       50
MO5   Malicious outsider   Data transmission         M           H       50
MO6   Malicious outsider   System design             M           L       50
MO7   Malicious outsider   Procedure implementation  M           L       5
MO8   Malicious outsider   Internal controls         L           L       1

Calculated Risk Scores Graph: horizontal bar chart of the Baseline Score (axis 0 to 60) for each threat ID E1 through MO8 in the table above.
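As an added worked example (not code from the slides, from ACR 2 Solutions or from Risk Reporter), the Python below applies the Risk Score = Probability Score x Impact Score calculation from the NIST 800-30 slide to a few rows of the table above and produces the kind of ranked gap list the earlier slide describes for prioritizing remediation. It assumes the likelihood and impact weights of the NIST SP 800-30 risk-level matrix (L/M/H = 0.1/0.5/1.0 and 10/50/100, which reproduce the 1, 5, 25 and 50 baseline scores in the table), and the safeguard effect on MO1 at the end is a constructed assumption; the function names `gap_report` and `residual_score` are the example's own.

```python
"""Worked NIST SP 800-30 risk scoring for a small threat register (added example)."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Weights from the SP 800-30 (2002) risk-level matrix, matching the ranges the
# slide quotes: probability score 0.1-1.0, impact score 10-100, risk 1-100.
LIKELIHOOD = {"L": 0.1, "M": 0.5, "H": 1.0}
IMPACT = {"L": 10, "M": 50, "H": 100}


@dataclass(frozen=True)
class ThreatEntry:
    ident: str          # row ID as in the slide table, e.g. "MO1"
    source: str         # threat source
    vulnerability: str  # vulnerability the threat exploits
    likelihood: str     # "L", "M" or "H"
    impact: str         # "L", "M" or "H"


def risk_score(likelihood: str, impact: str) -> int:
    """Risk Score = Probability Score x Impact Score, on the 1-100 scale."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact])


def risk_level(score: int) -> str:
    """Bands from the 800-30 matrix: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def gap_report(register: List[ThreatEntry],
               threshold: int = 10) -> List[Tuple[str, int, str]]:
    """Entries scoring above `threshold`, highest risk first: the remediation queue."""
    scored = [(e, risk_score(e.likelihood, e.impact)) for e in register]
    scored.sort(key=lambda pair: (-pair[1], pair[0].ident))
    return [(e.ident, s, risk_level(s)) for e, s in scored if s > threshold]


def residual_score(entry: ThreatEntry, new_likelihood: Optional[str] = None,
                   new_impact: Optional[str] = None) -> int:
    """Score after a safeguard lowers likelihood and/or impact (residual risk)."""
    after = replace(entry,
                    likelihood=new_likelihood or entry.likelihood,
                    impact=new_impact or entry.impact)
    return risk_score(after.likelihood, after.impact)


# Sample register: four rows copied from the slide's table whose listed
# baseline scores agree with the matrix weights above.
SAMPLE_REGISTER = [
    ThreatEntry("E1", "Wind", "Roof damage", "M", "M"),                              # 25
    ThreatEntry("MO1", "Malicious outsider", "Data acquisition", "M", "H"),          # 50
    ThreatEntry("MO7", "Malicious outsider", "Procedure implementation", "M", "L"),  # 5
    ThreatEntry("MO8", "Malicious outsider", "Internal controls", "L", "L"),         # 1
]


def main() -> None:
    print("ID    score  level")
    for ident, score, level in gap_report(SAMPLE_REGISTER):
        print(f"{ident:<5} {score:>5}  {level}")
    # Assumed safeguard effect (constructed for the example): access logging plus
    # monitoring lowers the likelihood of outsider data acquisition from M to L.
    mo1 = SAMPLE_REGISTER[1]
    residual = residual_score(mo1, new_likelihood="L")
    print(f"MO1 residual after safeguard: {residual} ({risk_level(residual)})")


if __name__ == "__main__":
    main()
```

Running the block lists MO1 (50, Medium) ahead of E1 (25, Medium) and leaves MO7 and MO8 below the threshold; the residual calculation shows why the slides tie safeguards to the probability term of the formula: the same M-to-L change moves MO1 from 50 down to 10.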

Page 40

Risk Assessment Options

Task                 Manual            ACR2 Automated
Training             1000 to 1500 hrs  2 hrs
Initial Assessment   30-60 hrs         3-6 hrs
Updates              5-15 hrs          < 1 hr

Page 41

Meaningful Use and ARRA

$19 billion in subsidies for firms that make “meaningful use” of certified EMRs

Meaningful Use requires 45 CFR part 164.308 risk assessment

Frequently updated list of EMRs with meaningful use status on ACR 2 website

Page 42

Page 43

Contact Information

ACR 2 Solutions Office (678) 261-8181

[email protected]

Jack Kolk, President, (770) 904-0997

[email protected]

Page 44

Comprehensive Privacy and Information Security Program for Small CEs and BAs

Policies, Procedures, Forms

Step by Step Process, Personal Helper

Delivered over the Internet

Compliance Helper

Page 45

HIPAA HITECH KEY PHRASES: “Willful Neglect”, “Reasonable and Applicable”, “Satisfactory Assurances”

Compliance Helper

Page 46

Business Associates:

Can You Prove Your Compliance?

Compliance Helper

Page 47

The Compliance Meter™ Can

Compliance Helper

Page 48

How Does It Know?

Compliance Helper

Page 49

Compliance Helper

Page 50

• Screen Shot of Policies TOC with Section 1 open

Compliance Helper

Page 51

Compliance Helper

Page 52

Screen Shot of Policy:

Edited w/cursor over Submit

Compliance Helper

Page 53

Screen Shot of Policy:

Pending

Compliance Helper

Page 54

Screen Shot of Policy:

Approved

Compliance Helper

Page 55

Compliance Helper

Page 56

Compliance Helper

Page 57

Compliance Helper

Page 58

Compliance Helper

Page 59

Transparency

Compliance Helper

Page 60

Next Steps: Sign Up

Get Compliant Stay Compliant

Prove Compliance

Compliance Helper

Page 61

HIPAA HITECH Solutions…Not Theory April 27, 2010

Risk Assessment

Policies and Procedures

Email Encryption

Breach Notification Plans

Page 62

HIPAA HITECH Solutions…Not Theory

• Identity Theft

• EHR

• Healthcare Reform

• 47 State HIPAA/Breach Laws

• Gramm-Leach-Bliley Privacy

• “Red Flag” i.e. Identity Theft Protection

• Data Encryption/Privacy Laws (MA, NV et al)

HIPAA/HITECH is just part of a major change: an evolving standard for protecting personal information

Page 63

HIPAA HITECH Solutions…Not Theory

1. Proven to Meet Spectrum of Legal Requirements

2. Cover Threats to the Business

• Outbound Email

• Inbound Client Communication

3. Non Disruptive / Simple to Setup and Use

4. Cost Effective i.e. “Reasonable”

Email Encryption Assessment Criteria

Page 64

HIPAA HITECH Solutions…Not Theory

• Traded on Nasdaq - ZIXI

• Business is Encryption

• Impressive Client List

• Securities and Exchange Commission (SEC)

• FDIC

• Federal banking regulators (FFIEC)

• The Conference of State Bank Supervisors

• Members of the American Bankers' Association

• More than 1,000 hospitals across the United States

• More than 1000 financial institutions

Who Is ZixCorp

Page 65

The Power of the Zix Directory

Think of the Zix Network like “In Network” and “Out of Network” in a health plan. In the health plan cost is the differentiator. For email it is time, convenience, full HIPAA/HITECH compliant security and transparent communication.

Over 150 Health Insurers (with 100 Million+ Insured Lives), TPAs and Other Benefits Services Providers

Page 66

HIPAA HITECH Solutions…Not Theory

Combining 3 Powerful Zix Tools delivered as SaaS

• Outbound - Zix Gateway: automatically encrypts outbound email via its rules-based architecture. Transparent inbox-to-inbox solution; users do nothing special to encrypt email, the rules-based system does it for them.

• Inbound - Zix Portal: users can retrieve and respond to messages and initiate secure inbound PHI, personal data and financial communication.

• Network Access - Zix Directory: over 20 million people and 150 health plans use Zix, allowing you to connect directly to them, desktop to desktop.

Page 67

How RadarMail 360 Works: Best Protection - Outbound & Inbound

Inbox to Inbox for Staff & Zix Members | Website Portal for Clients (Retrieve, Respond, Initiate) | Best Client Service

• Automatic, rules-based encryption; Blackberry encryption built in.

• Inbox-to-inbox encryption to any Zix Member Network user.

• A non-Zix user gets an email like the one shown on the slide; the message in their inbox has a link to your Portal. “Click here” takes the user to a secure portal embedded in your website, reinforcing your brand and web tools.

• The portal is branded with your logo and accessible from your website. The user retrieves, responds, attaches files etc. here in the message center.

• Clients also log in to initiate communication, securely send files etc., eliminating the risk of breach via normal email.

• Encrypted responses go right to your team’s or a Zix Network member’s inbox transparently.

Page 68

HIPAA HITECH Solutions…Not Theory

Other Communication Services

Page 69

www.theindustryradar.com | [email protected] | 404-418-5550

Page 70

Photo here

Delivering Positive Outcomes

COMPLETE DATA BREACH CARE

Page 71

DATA BREACH LIFECYCLE

Healthcare Data Breach Solutions 2

PREVENT

REMEDIATE

Page 72

WHY IS IT DIFFICULT TO ACHIEVE A POSITIVE OUTCOME?

» Data breaches are complex events. Challenges can include:

• Diversity in demographics and needs of affected patients

• Complexity of HITECH and state legal statutes

• Making sense of the products available and their efficacy for addressing PHI identity theft needs

• Inexperience in communicating with the attorney general with jurisdiction

• Difficulty in coordinating diverse legal, reputational, privacy, patient and operational constituencies and issues

• Lack of resources in an already overwhelmed medical system


Page 73

HEALTHCARE DATA BREACH: CREDIT MONITORING INSUFFICIENT

» For a positive outcome, you need to provide a complete patient solution:

• Credit Monitoring: necessary but not sufficient to address the financial side of identity theft

• Healthcare Identity Protection Toolkit: proprietary ID Experts tools to enable breach victims to address medical identity theft issues

• ID theft cyber-monitoring technology: protect patients from identity theft issues in the online world where IDs are bought/sold

• Fully-managed identity restoration services: if patients fall victim to identity theft, have their problems solved by certified experts

Page 74

THANK YOU

» Jeremy Henley

» Director of Breach Protection

» 760-304-4761

» [email protected]

» www.idexpertscorp.com

Page 75

HIPAA HITECH Solutions…Not Theory

Consulting Rebecca Herold [email protected] www.rebeccaherold.com

Risk Assessment Jack Kolk [email protected] www.acr2solutions.com

Policies and Procedures

Jack Anderson [email protected] www.compliancehelper.com

Email Encryption John Nail [email protected] www.radarmail360.com

Breach Notification Jeremy Henley [email protected] www.idexpertscorp.com