Data Protection and Compliance in Your EMR: Cerner
September 8, 2016
Watch the Replay
Speakers
Andrew Cooper, CISSP, CHP, CSCS
Director of Information Security Assurance
NCH Healthcare System

Chuck Burbank
CISO and Director of Managed Privacy Services
FairWarning
Agenda
• About NCH Healthcare System
- Cerner and the data NCH protects
- Getting ahead of a breach
- How NCH developed an Information Security Program
- Tools, Methods and Technologies
• Update on 2016 OCR Enforcement Activity
• Resolution Agreements
• OCR Bulletins
• Meeting Areas of Enforcement
• Actionable & Demonstrable Compliance
• Most Common Reports for a Cerner Environment
About NCH Healthcare System
Naples Community Hospital opened its doors to the first patient on March 7, 1956. In the last 60 years, we’ve grown into a system of two hospitals and an alliance of over 700 independent physicians and medical facilities in dozens of locations in Southwest Florida.
• Our two hospitals - NCH Baker Hospital Downtown and NCH Naples Hospital - have 716 beds and provide care to over 40,000 patients annually
• We offer advanced heart, cancer, obstetric, newborn, and pediatric care
• Member of the Mayo Clinic Care Network since 2012
Noted Awards:
• 2016, (HIMSS) Level 7, Health Information Management Services
• 2016 – 2012 Health Care's Most Wired
• 2015, Comprehensive Stroke Center Designation, Agency for Healthcare Administration
• 2015, Ranked #10 in Florida, US News & World Report Best Regional Hospital
• 2014, 50 Top Cardiovascular Hospital, Truven Healthcare Analytics
Excellence in Every Patient Experience
Cerner and the data we protect
How it works…
• 440 servers in use
• 330 servers hosted at the Cerner data center
• 110 servers hosted by NCH's data center
• Our entire IT department is outsourced to Cerner
What if there wasn’t an OCR?
• NCH Healthcare System assigns the same value to employee information, financial data, and PHI, etc…
– Even if there were no audits –
We’d still protect the data!
Getting ahead of a breach…by assuming you are behind
Mitigating risks starts with knowing what they are…
1. We stopped outsourcing risk assessments and trained our staff
2. We review, update, and re-benchmark risk assessments every quarter
And, we prepare for the worst…
3. Incident Response & Disaster Recovery Framework
How we developed our Information Security Program
• Performed our initial risk assessment and prioritized risks
• Developed a tactical plan to address the low hanging fruit
• Developed a strategic plan to address risks that have a significant operations and/or capital investment
• Communicated plans to Executive leadership and key stakeholders
• Routinely update Executive leadership and key stakeholders
Tools, Methods and Technologies
• Policy and procedure set based on the HIPAA OCR Audit Protocol
• Defense-in-depth methodology
- Automated auditing platforms (FairWarning, Active Directory, SIEM)
- Vulnerability Management
- Proactive measures (Network and Host IPS, AV, Filtering, Email DLP)
• Continuous review framework (internal and external reviews)
• Employee awareness program
• Continuous improvement framework
June 2016: OCR said they would enforce…
• OCR will continue to increase enforcement of HIPAA
• Notable areas of enforcement:
- Risk Analysis, See 45 C.F.R. § 164.308(a)(1)(ii)(A)
- Managing Insider Threats, See 45 C.F.R. § 164.308(a)(3)
- Lack of Appropriate Auditing, See 45 C.F.R. § 164.312(b)
Webinar with Iliana Peters, Senior Advisor for HIPAA Compliance and Enforcement, HHS OCR
Update: 2016 OCR Enforcement Activity Increases
• OCR Phase 2 HIPAA Desk Audits began
• Resolution Agreements, one being the largest in history
• Two bulletins issued indicating OCR enforcement will continue to grow and likely target insider abuses:
- “Do You Know Who Your Employees Are?” (Aug. 1, 2016)
- The OCR will increase investigations of breaches affecting PHI of fewer than 500 individuals (Aug. 18, 2016)
Resolution Agreements
10 resolution agreements, year-to-date
• $20.5 million total, more than any previous year
• $5.5 million settlement, the largest ever
Highlights from the most recent 4 agreements:
• Requirement to perform a thorough “Risk Analysis”
• Requirement to produce a “Risk Management Plan”
• Develop or update policies
• Implement unique user IDs to track activity in systems with ePHI
• Report incidents of non-compliance with policies to OCR
Full List of Resolution Agreements Year-to-Date
The OCR Bulletins
Key takeaways for covered entities and BAs:
• Insider threats are amongst the largest threats to organizations and that external cyberattacks may be insider-driven
• Insider threats have a negative impact on the confidentiality, integrity, and availability of ePHI
• OCR has launched an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals
• OCR will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches
• OCR wants to see actionable and demonstrable compliance
• Covered entities need a defensible compliance posture
Meeting Areas of Enforcement
FairWarning Patient Privacy Intelligence fully addresses 5 of the HIPAA Audit Protocol elements and partially addresses 26 more.
Meeting Areas of Enforcement
More Information: How FairWarning Provides a Framework for OCR Phase 2 HIPAA Audits
Audit Controls § 164.312(b)
“Organizations frequently underestimate the proliferation of ePHI within their environment. When conducting a risk analysis, an organization must identify all of the ePHI created, maintained, received or transmitted by the organization.”
– Iliana Peters, Sr. Advisor for HIPAA Compliance and Enforcement, HHS OCR
• Perform an application inventory as part of your risk assessment and prioritize monitoring based on risk
• FairWarning provides a platform to seamlessly monitor over 350 applications, including every major EHR
Actionable & Demonstrable Compliance
How can I prove that I am complying with these requirements and others?
1. Aggregate view of user access across applications
2. Automated reports to detect employee/user non-compliance
3. Evidence that the "automated reports" are working - i.e. alerts are generated and actively reviewed
4. Investigations of potential incidents of non-compliance
Most Common Reports for a Cerner Environment
• Unusually High Access (children, elderly, or in general)
• Patient of Interest
• Access after Termination
• Snooping
• Co-Worker
• Supervisor
• Household Member
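The two slides above describe what a patient-privacy monitoring program has to produce: an aggregate view of access across applications, automated reports for the common snooping patterns (access after termination, patient of interest, co-worker, supervisor, household member, unusually high access), and evidence that alerts were actually reviewed. The following Python is an added illustration written for this page; it is not FairWarning or Cerner code and does not reflect how either product implements these reports. All workforce, patient and access-log records are constructed, the two log schemas (`EHR_LOG`, `LAB_LOG`) are hypothetical, and the high-access threshold is an arbitrary constructed value.

```python
"""Toy patient-privacy monitoring: normalize access logs from two apps, run the
common report rules named on the slide, and keep a reviewable evidence record."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional

# ---- Constructed reference data (hypothetical; not real NCH, Cerner or FairWarning data) ----
WORKFORCE = {  # user id -> HR attributes (unique user IDs are what make this join possible)
    "jdoe":   {"dept": "Cardiology", "terminated": None,              "home": "12 Palm St", "manager": None},
    "rlee":   {"dept": "Cardiology", "terminated": None,              "home": "44 Bay Rd",  "manager": "jdoe"},
    "msmith": {"dept": "Oncology",   "terminated": date(2016, 8, 15), "home": "9 Gulf Ave", "manager": None},
}
PATIENTS = {  # medical record number -> registration attributes
    "MRN001": {"employee_user": "rlee", "address": "44 Bay Rd",  "vip": False},  # a workforce member
    "MRN002": {"employee_user": None,   "address": "12 Palm St", "vip": False},  # shares jdoe's address
    "MRN003": {"employee_user": None,   "address": "1 Main St",  "vip": True},   # flagged patient of interest
    "MRN004": {"employee_user": None,   "address": "7 Reef Ln",  "vip": False},
    "MRN005": {"employee_user": None,   "address": "8 Reef Ln",  "vip": False},
}
# Two applications log the same kind of event in different shapes (constructed schemas).
EHR_LOG = [  # (user, mrn, ISO timestamp)
    ("jdoe",   "MRN001", "2016-08-20T09:05:00"),
    ("jdoe",   "MRN002", "2016-08-20T09:10:00"),
    ("msmith", "MRN004", "2016-08-20T11:00:00"),
]
LAB_LOG = [  # dict records with a different timestamp format
    {"uid": "jdoe", "patient": "MRN003", "when": "2016-08-20 13:00:00"},
    {"uid": "jdoe", "patient": "MRN004", "when": "2016-08-20 13:05:00"},
    {"uid": "jdoe", "patient": "MRN005", "when": "2016-08-20 13:06:00"},
]
HIGH_ACCESS_THRESHOLD = 4  # constructed: distinct patients per user per day that counts as "unusually high"


@dataclass(frozen=True)
class Access:
    app: str
    user: str
    mrn: str
    ts: datetime


@dataclass
class Alert:
    rule: str
    user: str
    mrn: str
    ts: datetime
    reviewed_by: Optional[str] = None  # filled in when a privacy analyst dispositions the alert
    disposition: str = "open"


def normalize() -> List[Access]:
    """Aggregate view: map both application logs onto one schema, ordered by time."""
    events = [Access("ehr", u, m, datetime.fromisoformat(t)) for u, m, t in EHR_LOG]
    events += [Access("lab", r["uid"], r["patient"],
                      datetime.strptime(r["when"], "%Y-%m-%d %H:%M:%S")) for r in LAB_LOG]
    return sorted(events, key=lambda e: e.ts)


def run_reports(events: List[Access]) -> List[Alert]:
    """Apply the common report rules to the normalized events and return the alerts raised."""
    alerts: List[Alert] = []
    per_day = defaultdict(set)  # (user, day) -> distinct patients touched
    for e in events:
        hr, pt = WORKFORCE.get(e.user), PATIENTS.get(e.mrn)
        if hr is None or pt is None:
            continue  # unknown identity or record; a real program would alert on this too
        if hr["terminated"] is not None and e.ts.date() > hr["terminated"]:
            alerts.append(Alert("access_after_termination", e.user, e.mrn, e.ts))
        if pt["vip"]:
            alerts.append(Alert("patient_of_interest", e.user, e.mrn, e.ts))
        emp = pt["employee_user"]  # patient who is also a workforce member
        if emp and emp != e.user:
            if WORKFORCE.get(emp, {}).get("dept") == hr["dept"]:
                alerts.append(Alert("co_worker", e.user, e.mrn, e.ts))
            if WORKFORCE.get(emp, {}).get("manager") == e.user:
                alerts.append(Alert("supervisor", e.user, e.mrn, e.ts))
        if pt["address"] == hr["home"] and emp != e.user:
            alerts.append(Alert("household_member", e.user, e.mrn, e.ts))
        per_day[(e.user, e.ts.date())].add(e.mrn)
    for (user, day), mrns in per_day.items():
        if len(mrns) >= HIGH_ACCESS_THRESHOLD:
            alerts.append(Alert("unusually_high_access", user, f"{len(mrns)} distinct patients",
                                datetime.combine(day, datetime.min.time())))
    return alerts


def review(alert: Alert, analyst: str, disposition: str) -> Alert:
    """Record that a human looked at the alert: this is the 'demonstrable' part of compliance."""
    alert.reviewed_by, alert.disposition = analyst, disposition
    return alert


def evidence_summary(alerts: List[Alert]) -> dict:
    """Counts an auditor can be shown: alerts raised per rule, and how many are still unreviewed."""
    by_rule = defaultdict(int)
    for a in alerts:
        by_rule[a.rule] += 1
    return {"by_rule": dict(by_rule), "open": sum(a.reviewed_by is None for a in alerts)}


if __name__ == "__main__":
    raised = run_reports(normalize())
    review(raised[0], "privacy.analyst", "confirmed")
    for a in raised:
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.rule:24} {a.user:8} {a.mrn:24} {a.disposition}")
    print(evidence_summary(raised))
```

The joins to HR and patient registration data are what make the reports possible, which is why the resolution agreements on the earlier slide insist on unique user IDs: a shared login makes `WORKFORCE.get(e.user)` meaningless. The `review` step exists because an alert nobody dispositions is not evidence that the program works.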
Cerner customers relying on FairWarning
• Servicing over 500 hospitals and 2,300 facilities worldwide
• Proactively monitoring over 700,000 employees
• 6.5 applications integrated per customer
• Over 25% of our Cerner customers partner with Managed Privacy Services
Questions?
For more information, please visit:
www.FairWarning.com
Email: [email protected]
Additional Resources
Evaluating Care Provider Readiness for an External HIPAA Audit
FairWarning Phase 2 HIPAA Audit Protocol Mapping