Upload
armani-whiteside
View
218
Download
2
Tags:
Embed Size (px)
Citation preview
Marion K. Jenkins, PhD, FHIMSSExecutive Vice President – Healthcare3t SystemsAdjunct Faculty – HC IT – University of DenverMGMA Annual Meeting, October 2013
HIPAA Security:“How to avoid becoming the next
HIPAA Headline”
2
Outline
Learning objectivesWho is 3t Systems (not a commercial)HIPAA Overview – brief history, key definitions, examples of breaches to dateOverview of Security Rule specifications– Administrative; Physical; Technical; Omnibus
Anatomy of an actual HIPAA breachNext steps and action items for practicesQuestions/discussion
3
Learning Objectives
1. Identify the primary HIPAA risks and determine how to address them
2. Describe how HIPAA compliance can make your practice more functional
3. Avoid the primary pitfalls identified in most HIPAA assessments
4
Who is 3t Systems
(for info/background…not a commercial)Leading healthcare IT systems integrator based in Colorado: – Consulting services– Managed services– Medical-grade cloud hosting
Over 200 healthcare IT projects throughout USLarge physician practices, multi-location clinics, acute care, children’s hospitals behavioral health, surgery centers, urgent/emergent care
5
Some macro numbers
HHS-reported HIPAA breaches since 2009– There have been nearly 650 breaches that have
involved 500 or more records– Total is over 22 million patient records affected– Largest is 4.9 million records (USAF contractor)– Smallest reported breach (and not on this list) is 441
records (Hospice of Northern Idaho)– Largest pending judgments are $3-4 BILLION (Sutter
Health, California) and against SAIC (USAF)
6
HIPAA – A Brief History
HIPAA signed by President Clinton in 1996– Primary purpose was to make HC insurance portable– Governed paper records– Massive increase in administrative burden to HC– Massive efforts on compliance and training
HIPAA Security became effective in April 2005– Most people were unaware or chose to ignore it– They assumed “IT had it taken care of”– Thought it was something they had already done
7
ARRA/HITECH Act 2009
Part of “Meaningful Use” stimulus – up to $54K/ $63K for physicians, millions of $$ for hospitals to adopt EHRs (Medicare/Medicaid) Max fines increased from $50,000 to $1.5 millionFines apply regardless of:– Whether docs/facilities are seeking MU funds– Whether docs/facilities qualify for MU funds (e.g.,
Ambulatory Surgery Centers, self-pay, etc.)– Whether the facility has or uses an EHR
8
2013 Omnibus rule
Max fines remain at $1.5 millionSignificant expansion of what constitutes a “covered entity” and who must complySignificant increase in breach notification requirementsIncreased enforcement, training of state Attorneys General, random audits (e.g., KPMG)Civil penalties can also be imposedMust keep all documents for 6 years
9
Potential risks to Covered Entity
Huge fines by HHS (Office of Civil Rights)Usually must compensate victims for damages (ongoing credit monitoring services)If breach involves >500 records, entity must contact the local media (negative exposure)Civil penalties (Sutter Health in CA facing a $4 Billion class action lawsuit)Loss of productivity: investigation/remediationPublic relations nightmare
10
HIPAA “Chapter and Verse*”
HIPAA is contained in the Federal Register, CFR Parts 160, 162 & 164:– Section 164.308 – Administrative– Section 164.310 – Physical– Section 164.312 – Technical– Section 164.314 – Business Associate
Arrangements– Section 164.316 – Policies and
Procedures Documentation*More than 500 pages !
11
What does HIPAA Security* Say?
The HIPAA Security Rule requires you to protect and secure all electronic protected health information (ePHI) against:accidental or intentional causes of: unauthorized access, theft, loss or destruction, from either internal or external sources.
* HIPAA Security governs electronic records. HIPAA Privacy governs paper records
Accidental IntentionalCAUSES
Internal Threats
External Threats
HIPAA Security – Graphical Representation
Destruction
LossTheft
ImproperAccess
EPHI
Source: internally produced graphic
13
Definition of ePHI
“ePHI” is patient health information which is computer based (i.e., created, received, stored, maintained, processed and/or transmitted in, on or through any form of electronic means).
“Electronic media” includes computers, laptops, memory sticks, USB drives, smartphones, PDAs, servers, data storage systems, backup tapes, disk drives, network systems, email, websites, digital printers/copiers/scanners, etc.
14
Examples of ePHI
NAME (or anything that could identify a patient and/ or connect them to a clinic or a provider), and/or some or any of the following: – Demographic data (e.g., address, date of birth, sex) – Medical record number, account number, SSN – Date of service (e.g., treatment, admission, discharge) – Ancillary medical records or components: reports, images,
test results, progress notes, treatment plans, dictation files, or anything similar (including partial records)
15
Unlikely locations of ePHI
ePHI is not just confined to an EHR:– Emails (including server stores and local caches/PST) – Reports, documents, letters, spreadsheets etc.
created by or maintained in a practice or hospital– Faxes/scans (today’s printer/copiers – MFPs – store
images of scans and faxes on internal hard drives)– PDF’s and other “static” instances of data– File shares, databases, backups– Ancillary files – labs, imaging, file attachments– Scanned/attached or other external medical records– Tweets, blogs, social media posts, phone photos
16
Things HIPAA doesn’t say…
Length/complexity/change cycle of passwordsTimeout or logoff time intervalType of encryption (e.g., technically WEP for WiFi is actually HIPAA compliant)Version of OS such as Win 7, Svr 08 or higher (HIPAA doesn’t name vendor names/products)Actually doesn’t mention laptops (or tablets, SmartPhones, PDAs, etc.), just “workstations”
17
HIPAA Security is a good thing
Most HIPAA Security requirements are best business and IT practices, and help protect any vital data from theft/loss/hacking/destructionImplementing them makes HC facilities, and basically all businesses, more secureCybersecurity legislation is in the works at both state/federal levels that is patterned after HIPAA Security and will likely govern all businesses eventually
18
3 Categories of Safeguards
Administrative Safeguards Policy/staff/training issues – mostly HR and legal, although some are definitely technical
Physical SafeguardsMostly facility and operational
Technical SafeguardsTechnology and systems – mostly “IT stuff”
Omnibus rule (2013) adds new requirements
19
Required versus Addressable
Required – self-evident – your organization must comply with the requirement (although there is no single “right way” specified to do so).Addressable – you must determine if the require-ment is pertinent to your organization and either comply or document good cause as to why not. Cost is not a valid reason to be non-compliant. You are Required to address the Addressable ones. (So basically everything is required)
20
Administrative Safeguards
23 specifications, 12 of which are required Mostly concerns policies and procedures Don’t be fooled because it’s “paperwork” – these safeguards are VERY IMPORTANT! Example required safeguards– Establish a Security Officer and reporting system– Conduct a complete system assessment– Establish procedures to address potential risks
21
Physical Safeguards
10 specifications, 4 of which are required Mostly deals with physical access/security Examples of required safeguards:– Establish physical security procedures for
all devices – Establish security procedures for use, re-use and
disposal of media (hard drives, USB, tapes, etc.)– Establish data backup procedures to make an
exact copy of ePHI
22
Technical Safeguards
9 specifications, 4 of which are required Mostly deals with true “I.T.” stuff Examples of required safeguards:– Assign a unique identifier to track user identity– Implement mechanisms that record and examine
activity in information systems containing ePHI– Implement methods to authenticate workforce
access (“hard” user names/passwords, principle of least privilege)
23
Is this the biggest HIPAA threat?
24
No, this is the biggest HC threat:
By far, the largest number of threats are caused by, or enabled by, internal users – office and clinical staff
25
Some recent HIPAA headlines
Theft of physician laptop from Hawaii condo causes 3rd HIPAA breach at Oregon HC unitStanford Children’s has 4th HIPAA breach – laptop stolen from physician’s carMass General fined $1.3 Million (178 records)UCLA settles “celebrity snooping” HIPAA case for $865 million. Tom Cruise, Farah Fawcett.Hospice of Northern Idaho fined $50K for breach involving only 441 records
26
What the HHS Breach Numbers Say
Theft 32%
Laptop 17%Computer 12%
Portable 8%
Loss 8%
Server 8%
Hacking 5%
Stolen 4%Desktop 2%
Email 2%
USB 1%Tapes 1% workstation
0%
Keyword Search
Conclusion – the key words:
+ Theft+ Laptop+ Computer+ Portable+ Loss
Are involved in the description of over 75% of all breaches
Source of data: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
27
Location of breaches
Conclusion – the following locations:
+ Laptop+ Paper+ Portable+ Computer
Total nearly 75% of all breaches
"Laptop“ 25%
"Paper“ 23%
"Other portable elctronic device"13%
"Computer“ 11%
"Network server“ 10%
"Other“ 10%
"Dekstop computer"
4%
"Email“ 3%"EMR"
2%
Location of Breached Information
Source of data: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
28
HHS – Types of breaches
Conclusion – the following types of breaches:
+ Theft (+ other issues)+ Unauthorized access+ Loss
These outnumber “hacking/IT incident” by over 10 : 1 margin
Theft (including theft + other
causes)55%Unauthorized
access19%
Loss 12%
Hacking/IT In-cident
6%
Improper disposal 5%
Other 2%
Unknown 1%
Type of Breach
Source of data: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
29
Anatomy of a HIPAA Breach… close to home…
HIPAA is Very Real
30 30
You don’t want to get one of these nasty grams…
Source of data: Personal files; used with permission
31 31
More bad news…only 15 days to respond; threatened penalties
32 32
Even more bad news…Freedom of Information Act may make this public
33
Prior to 2/2009:Up to $100 per violation$25,000/year cap
After 2/2009:$100 to $50K per violation$1.5 MILLION/year cap
34
Yikes!
35
Call to action for practices
Develop an ongoing culture of HIPAA awarenessDo a HIPAA Risk Assessment (required for both Stage 1 and Stage 2 MU)Remediate issues as neededCybersecurity legislation is in the works that is patterned after HIPAA and will affect all businesses, similar to healthcare
36
Biggest risks
“Portable” devices – Laptops (including notebooks, tablets, etc.)– Workstations– USB drives
Email, especially with attachmentsFiles outside of your EHR (letters, reports, spreadsheets, etc.)Unpatched systems (Windows XP and Server 2003 are being dropped in early 2014)
37
Best remediation ideas
Set up IT systems where no data is stored on local/portable devices (e.g., secure cloud)Use encrypted email (not Hotmail, Gmail, etc.)Hire professional IT partners (ask your IT vendor to spell HIPAA and explain it)Assess systems, remediate issues, train staffRinse and repeat
38
Review of Objectives
1. Identify the primary HIPAA risks and determine how to address them
2. Describe how HIPAA compliance can make your practice more functional
3. Avoid the primary pitfalls identified in most HIPAA assessments
Questions/Discussion
Marion K. Jenkins, PhD, FHIMSSExecutive Vice President - healthcare3t [email protected]
More information: