Page 1

Marion K. Jenkins, PhD, FHIMSS
Executive Vice President – Healthcare, 3t Systems
Adjunct Faculty – HC IT – University of Denver
MGMA Annual Meeting, October 2013

HIPAA Security: “How to avoid becoming the next HIPAA Headline”

Page 2

Outline

• Learning objectives
• Who is 3t Systems (not a commercial)
• HIPAA Overview – brief history, key definitions, examples of breaches to date
• Overview of Security Rule specifications
  – Administrative; Physical; Technical; Omnibus
• Anatomy of an actual HIPAA breach
• Next steps and action items for practices
• Questions/discussion

Page 3

Learning Objectives

1. Identify the primary HIPAA risks and determine how to address them

2. Describe how HIPAA compliance can make your practice more functional

3. Avoid the primary pitfalls identified in most HIPAA assessments

Page 4

Who is 3t Systems

(for info/background…not a commercial)

• Leading healthcare IT systems integrator based in Colorado:
  – Consulting services
  – Managed services
  – Medical-grade cloud hosting
• Over 200 healthcare IT projects throughout US
• Large physician practices, multi-location clinics, acute care, children’s hospitals, behavioral health, surgery centers, urgent/emergent care

Page 5

Some macro numbers

• HHS-reported HIPAA breaches since 2009
  – There have been nearly 650 breaches that have involved 500 or more records
  – Total is over 22 million patient records affected
  – Largest is 4.9 million records (USAF contractor)
  – Smallest reported breach (and not on this list) is 441 records (Hospice of Northern Idaho)
  – Largest pending judgments are $3-4 BILLION (Sutter Health, California) and against SAIC (USAF)

Page 6

HIPAA – A Brief History

• HIPAA signed by President Clinton in 1996
  – Primary purpose was to make HC insurance portable
  – Governed paper records
  – Massive increase in administrative burden to HC
  – Massive efforts on compliance and training
• HIPAA Security became effective in April 2005
  – Most people were unaware or chose to ignore it
  – They assumed “IT had it taken care of”
  – Thought it was something they had already done

Page 7

ARRA/HITECH Act 2009

• Part of “Meaningful Use” stimulus – up to $54K/$63K for physicians, millions of $$ for hospitals to adopt EHRs (Medicare/Medicaid)
• Max fines increased from $50,000 to $1.5 million
• Fines apply regardless of:
  – Whether docs/facilities are seeking MU funds
  – Whether docs/facilities qualify for MU funds (e.g., Ambulatory Surgery Centers, self-pay, etc.)
  – Whether the facility has or uses an EHR

Page 8

2013 Omnibus rule

• Max fines remain at $1.5 million
• Significant expansion of what constitutes a “covered entity” and who must comply
• Significant increase in breach notification requirements
• Increased enforcement, training of state Attorneys General, random audits (e.g., KPMG)
• Civil penalties can also be imposed
• Must keep all documents for 6 years

Page 9

Potential risks to Covered Entity

• Huge fines by HHS (Office of Civil Rights)
• Usually must compensate victims for damages (ongoing credit monitoring services)
• If breach involves >500 records, entity must contact the local media (negative exposure)
• Civil penalties (Sutter Health in CA facing a $4 Billion class action lawsuit)
• Loss of productivity: investigation/remediation
• Public relations nightmare

Page 10

HIPAA “Chapter and Verse*”

• HIPAA is contained in the Federal Register, CFR Parts 160, 162 & 164:
  – Section 164.308 – Administrative
  – Section 164.310 – Physical
  – Section 164.312 – Technical
  – Section 164.314 – Business Associate Arrangements
  – Section 164.316 – Policies and Procedures Documentation

*More than 500 pages!

Page 11

What does HIPAA Security* Say?

The HIPAA Security Rule requires you to protect and secure all electronic protected health information (ePHI) against accidental or intentional causes of unauthorized access, theft, loss or destruction, from either internal or external sources.

* HIPAA Security governs electronic records. HIPAA Privacy governs paper records

Page 12

HIPAA Security – Graphical Representation

[Graphic: ePHI at the center, surrounded by the threats of destruction, loss, theft and improper access, arising from accidental or intentional causes and from internal or external sources]

Source: internally produced graphic

Page 13

Definition of ePHI

“ePHI” is patient health information which is computer based (i.e., created, received, stored, maintained, processed and/or transmitted in, on or through any form of electronic means).

“Electronic media” includes computers, laptops, memory sticks, USB drives, smartphones, PDAs, servers, data storage systems, backup tapes, disk drives, network systems, email, websites, digital printers/copiers/scanners, etc.

Page 14

Examples of ePHI

NAME (or anything that could identify a patient and/or connect them to a clinic or a provider), and/or some or any of the following:
  – Demographic data (e.g., address, date of birth, sex)
  – Medical record number, account number, SSN
  – Date of service (e.g., treatment, admission, discharge)
  – Ancillary medical records or components: reports, images, test results, progress notes, treatment plans, dictation files, or anything similar (including partial records)

Page 15

Unlikely locations of ePHI

ePHI is not just confined to an EHR:
  – Emails (including server stores and local caches/PST)
  – Reports, documents, letters, spreadsheets etc. created by or maintained in a practice or hospital
  – Faxes/scans (today’s printer/copiers – MFPs – store images of scans and faxes on internal hard drives)
  – PDFs and other “static” instances of data
  – File shares, databases, backups
  – Ancillary files – labs, imaging, file attachments
  – Scanned/attached or other external medical records
  – Tweets, blogs, social media posts, phone photos

Page 16

Things HIPAA doesn’t say…

• Length/complexity/change cycle of passwords
• Timeout or logoff time interval
• Type of encryption (e.g., technically WEP for WiFi is actually HIPAA compliant)
• Version of OS such as Win 7, Svr 08 or higher (HIPAA doesn’t name vendor names/products)
• Actually doesn’t mention laptops (or tablets, SmartPhones, PDAs, etc.), just “workstations”

Page 17

HIPAA Security is a good thing

• Most HIPAA Security requirements are best business and IT practices, and help protect any vital data from theft/loss/hacking/destruction
• Implementing them makes HC facilities, and basically all businesses, more secure
• Cybersecurity legislation is in the works at both state/federal levels that is patterned after HIPAA Security and will likely govern all businesses eventually

Page 18

3 Categories of Safeguards

• Administrative Safeguards: policy/staff/training issues – mostly HR and legal, although some are definitely technical
• Physical Safeguards: mostly facility and operational
• Technical Safeguards: technology and systems – mostly “IT stuff”

Omnibus rule (2013) adds new requirements

Page 19

Required versus Addressable

• Required – self-evident – your organization must comply with the requirement (although there is no single “right way” specified to do so).
• Addressable – you must determine if the requirement is pertinent to your organization and either comply or document good cause as to why not. Cost is not a valid reason to be non-compliant. You are Required to address the Addressable ones. (So basically everything is required.)

Page 20

Administrative Safeguards

• 23 specifications, 12 of which are required
• Mostly concerns policies and procedures
• Don’t be fooled because it’s “paperwork” – these safeguards are VERY IMPORTANT!
• Example required safeguards:
  – Establish a Security Officer and reporting system
  – Conduct a complete system assessment
  – Establish procedures to address potential risks

Page 21

Physical Safeguards

• 10 specifications, 4 of which are required
• Mostly deals with physical access/security
• Examples of required safeguards:
  – Establish physical security procedures for all devices
  – Establish security procedures for use, re-use and disposal of media (hard drives, USB, tapes, etc.)
  – Establish data backup procedures to make an exact copy of ePHI

Page 22

Technical Safeguards

• 9 specifications, 4 of which are required
• Mostly deals with true “I.T.” stuff
• Examples of required safeguards:
  – Assign a unique identifier to track user identity
  – Implement mechanisms that record and examine activity in information systems containing ePHI
  – Implement methods to authenticate workforce access (“hard” user names/passwords, principle of least privilege)

Page 23

Is this the biggest HIPAA threat?

Page 24

No, this is the biggest HC threat:

By far, the largest number of threats are caused by, or enabled by, internal users – office and clinical staff

Page 25

Some recent HIPAA headlines

• Theft of physician laptop from Hawaii condo causes 3rd HIPAA breach at Oregon HC unit
• Stanford Children’s has 4th HIPAA breach – laptop stolen from physician’s car
• Mass General fined $1.3 Million (178 records)
• UCLA settles “celebrity snooping” HIPAA case for $865 million. Tom Cruise, Farah Fawcett.
• Hospice of Northern Idaho fined $50K for breach involving only 441 records

Page 26

What the HHS Breach Numbers Say

Keyword Search – share by key word:
  Theft 32%
  Laptop 17%
  Computer 12%
  Portable 8%
  Loss 8%
  Server 8%
  Hacking 5%
  Stolen 4%
  Desktop 2%
  Email 2%
  USB 1%
  Tapes 1%
  Workstation 0%

Conclusion – the key words:
  + Theft
  + Laptop
  + Computer
  + Portable
  + Loss
are involved in the description of over 75% of all breaches.

Source of data: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Page 27

Location of breaches

Location of Breached Information – share by location:
  "Laptop" 25%
  "Paper" 23%
  "Other portable electronic device" 13%
  "Computer" 11%
  "Network server" 10%
  "Other" 10%
  "Desktop computer" 4%
  "Email" 3%
  "EMR" 2%

Conclusion – the following locations:
  + Laptop
  + Paper
  + Portable
  + Computer
total nearly 75% of all breaches.

Source of data: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Page 28

HHS – Types of breaches

Type of Breach – share by type:
  Theft (including theft + other causes) 55%
  Unauthorized access 19%
  Loss 12%
  Hacking/IT Incident 6%
  Improper disposal 5%
  Other 2%
  Unknown 1%

Conclusion – the following types of breaches:
  + Theft (+ other issues)
  + Unauthorized access
  + Loss
outnumber “hacking/IT incident” by over a 10 : 1 margin.

Source of data: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
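The tallies behind the three charts above (key-word search, location, type of breach) can be reproduced over an export from the HHS breach tool. The script below is an added example, not part of the original presentation; the CSV it parses is a constructed sample with assumed column names, not real HHS records.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of an HHS breach-tool export. Column names
# are assumed and every row is invented; none of these are real breaches.
SAMPLE_CSV = """Name of Covered Entity,State,Individuals Affected,Type of Breach,Location of Breached Information
Clinic A,CO,2100,Theft,Laptop
Clinic B,OR,640,Theft,Laptop
Hospital C,CA,15000,"Theft, Other",Other Portable Electronic Device
Practice D,TX,1200,Loss,Paper
Practice E,WA,800,Unauthorized Access/Disclosure,Electronic Medical Record
Hospital F,NY,9800,Hacking/IT Incident,Network Server
Clinic G,ID,441,Theft,Desktop Computer
Practice H,FL,3000,Improper Disposal,Paper
"""

# The key words the presentation searched for in breach descriptions.
KEYWORDS = ("theft", "laptop", "computer", "portable", "loss")
MIN_INDIVIDUALS = 500  # the HHS list only covers breaches of 500+ records


def load_breaches(text, min_individuals=MIN_INDIVIDUALS):
    """Parse the export and keep only reportable (500+ record) breaches."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if int(r["Individuals Affected"]) >= min_individuals]


def category_shares(rows, field):
    """Percent of breaches per value of a field (Type or Location). A cell
    like "Theft, Other" lists several values, so each is counted once."""
    counts = Counter()
    for row in rows:
        for value in row[field].split(","):
            counts[value.strip()] += 1
    return {value: round(100.0 * n / len(rows), 1) for value, n in counts.items()}


def keyword_share(rows, keywords=KEYWORDS):
    """Percent of breaches whose type or location mentions any key word."""
    hits = 0
    for row in rows:
        text = f'{row["Type of Breach"]} {row["Location of Breached Information"]}'.lower()
        if any(word in text for word in keywords):
            hits += 1
    return round(100.0 * hits / len(rows), 1)


if __name__ == "__main__":
    breaches = load_breaches(SAMPLE_CSV)
    print("Type of Breach:", category_shares(breaches, "Type of Breach"))
    print("Location:", category_shares(breaches, "Location of Breached Information"))
    print("Key-word share:", keyword_share(breaches))
```

The 441-record row is dropped by the 500-record filter, mirroring the slide's note that the Hospice of Northern Idaho breach is not on the HHS list.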

Page 29

Anatomy of a HIPAA Breach… close to home…

HIPAA is Very Real

Page 30

You don’t want to get one of these nasty grams…

Source of data: Personal files; used with permission

Page 31

More bad news…only 15 days to respond; threatened penalties

Page 32

Even more bad news…Freedom of Information Act may make this public

Page 33

Prior to 2/2009:
  – Up to $100 per violation
  – $25,000/year cap

After 2/2009:
  – $100 to $50K per violation
  – $1.5 MILLION/year cap

Page 34

Yikes!

Page 35

Call to action for practices

• Develop an ongoing culture of HIPAA awareness
• Do a HIPAA Risk Assessment (required for both Stage 1 and Stage 2 MU)
• Remediate issues as needed
• Cybersecurity legislation is in the works that is patterned after HIPAA and will affect all businesses, similar to healthcare

Page 36

Biggest risks

• “Portable” devices
  – Laptops (including notebooks, tablets, etc.)
  – Workstations
  – USB drives
• Email, especially with attachments
• Files outside of your EHR (letters, reports, spreadsheets, etc.)
• Unpatched systems (Windows XP and Server 2003 are being dropped in early 2014)

Page 37

Best remediation ideas

• Set up IT systems where no data is stored on local/portable devices (e.g., secure cloud)
• Use encrypted email (not Hotmail, Gmail, etc.)
• Hire professional IT partners (ask your IT vendor to spell HIPAA and explain it)
• Assess systems, remediate issues, train staff
• Rinse and repeat

Page 38

Review of Objectives

1. Identify the primary HIPAA risks and determine how to address them

2. Describe how HIPAA compliance can make your practice more functional

3. Avoid the primary pitfalls identified in most HIPAA assessments

Page 39

Questions/Discussion

Page 40

Marion K. Jenkins, PhD, FHIMSS
Executive Vice President – Healthcare
3t Systems
[email protected]

More information: