Data Protection and Compliance in Your EMR: Cerner September 8, 2016 Watch the Replay

Watch the Replay - FairWarning, Inc. · 2016-09-09 · Chuck Burbank CISO and Director of Managed ... • Communicated plans to Executive leadership and key stakeholders • Routinely



Data Protection and Compliance in Your EMR: Cerner

September 8, 2016

Watch the Replay


Speakers

Andrew Cooper, CISSP, CHP, CSCS, Director of Information Security Assurance, NCH Healthcare System

Chuck Burbank, CISO and Director of Managed Privacy Services, FairWarning


Agenda

• About NCH Healthcare System

- Cerner and the data NCH protects

- Getting ahead of a breach

- How NCH developed an Information Security Program

- Tools, Methods and Technologies

• Update on 2016 OCR Enforcement Activity

• Resolution Agreements

• OCR Bulletins

• Meeting Areas of Enforcement

• Actionable & Demonstrable Compliance

• Most Common Reports for a Cerner Environment


About NCH Healthcare System

Naples Community Hospital opened its doors to the first patient on March 7, 1956. In the last 60 years, we’ve grown into a system of two hospitals and an alliance of over 700 independent physicians and medical facilities in dozens of locations in Southwest Florida.

• Our two hospitals, NCH Baker Hospital Downtown and NCH Naples Hospital, comprise 716 beds and provide care to over 40,000 patients annually

• We offer advanced heart, cancer, obstetric, newborn, and pediatric care

• Member of the Mayo Clinic Care Network since 2012

Noted Awards:

• 2016, (HIMSS) Level 7, Health Information Management Services

• 2012 – 2016, Health Care's Most Wired

• 2015, Comprehensive Stroke Center Designation, Agency for Healthcare Administration

• 2015, Ranked #10 in Florida, US News & World Report Best Regional Hospital

• 2014, 50 Top Cardiovascular Hospital, Truven Healthcare Analytics

Excellence in Every Patient Experience


Cerner and the data we protect

How it works…

• 440 servers in use

• 330 servers hosted at the Cerner data center

• 110 servers hosted by NCH's data center

• Our entire IT department is outsourced to Cerner

What if there wasn’t an OCR?

• NCH Healthcare System assigns the same value to employee information, financial data, PHI, etc.

• Even if there were no audits, we'd still protect the data!


Getting ahead of a breach…by assuming you are behind

Mitigating risks starts with knowing what they are…

1. We stopped outsourcing risk assessments and trained our staff

2. We review, update, and re-benchmark risk assessments every quarter

And, we prepare for the worst…

3. Incident Response & Disaster Recovery Framework


How we developed our Information Security Program

• Performed our initial risk assessment and prioritized risks

• Developed a tactical plan to address the low hanging fruit

• Developed a strategic plan to address risks that require significant operational and/or capital investment

• Communicated plans to Executive leadership and key stakeholders

• Routinely update Executive leadership and key stakeholders


Tools, Methods and Technologies

• Policy and procedure set based on the HIPAA OCR Audit Protocol

• Defense-in-depth methodology

- Automated auditing platforms (FairWarning, Active Directory, SIEM)

- Vulnerability Management

- Proactive measures (Network and Host IPS, AV, Filtering, Email DLP)

• Continuous review framework (internal and external reviews)

• Employee awareness program

• Continuous improvement framework


June 2016: OCR said they would enforce…

• OCR will continue to increase enforcement of HIPAA

• Notable areas of enforcement:

- Risk Analysis, See 45 C.F.R. § 164.308(a)(1)(ii)(A)

- Managing Insider Threats, See 45 C.F.R. § 164.308(a)(3)

- Lack of Appropriate Auditing, See 45 C.F.R. § 164.312(b)

Webinar with Iliana Peters, Senior Advisor for HIPAA Compliance and Enforcement, HHS OCR


Update: 2016 OCR Enforcement Activity Increases

• OCR Phase 2 HIPAA Desk Audits began

• Resolution Agreements, one being the largest in history

• Two bulletins issued indicating OCR enforcement will continue to grow and likely target insider abuses:

- “Do You Know Who Your Employees Are?” (Aug. 1, 2016)

- The OCR will increase investigations of breaches affecting PHI of fewer than 500 individuals (Aug. 18, 2016)


Resolution Agreements

10 resolution agreements, year-to-date

• $20.5 million total, more than any previous year

• $5.5 million settlement, the largest ever

Highlights from the most recent 4 agreements:

• Requirement to perform a thorough “Risk Analysis”

• Requirement to produce a “Risk Management Plan”

• Develop or update policies

• Implement unique user IDs to track activity in systems with ePHI

• Report incidents of non-compliance with policies to OCR

Full List of Resolution Agreements Year-to-Date


The OCR Bulletins

Key takeaways for covered entities and BAs:

• Insider threats are amongst the largest threats to organizations, and external cyberattacks may be insider-driven

• Insider threats have a negative impact on the confidentiality, integrity, and availability of ePHI

• OCR has launched an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals

• OCR will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches

• OCR wants to see actionable and demonstrable compliance

• Covered entities need a defensible compliance posture


Meeting Areas of Enforcement

FairWarning Patient Privacy Intelligence fully addresses 5 of the HIPAA Audit Protocol elements and partially addresses 26 more.


Meeting Areas of Enforcement

More Information: How FairWarning Provides a Framework for OCR Phase 2 HIPAA Audits


Audit Controls § 164.312(b)

“Organizations frequently underestimate the proliferation of ePHI within their environment. When conducting a risk analysis, an organization must identify all of the ePHI created, maintained, received or transmitted by the organization.”

– Iliana Peters, Sr. Advisor for HIPAA Compliance and Enforcement, HHS OCR

• Perform an application inventory as part of your risk assessment and prioritize monitoring based on risk

• FairWarning provides a platform to seamlessly monitor over 350 applications, including every major EHR


Actionable & Demonstrable Compliance

How can I prove that I am complying with these requirements and others?

1. Aggregate view of user access across applications

2. Automated reports to detect employee/user non-compliance

3. Evidence that the automated reports are working, i.e. that alerts are generated and actively reviewed

4. Investigations of potential incidents of non-compliance


Most Common Reports for a Cerner Environment

• Unusually High Access (children, elderly, or in general)

• Patient of Interest

• Access after Termination

• Snooping

• Co-Worker

• Supervisor

• Household Member
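The report categories above, together with the automated non-compliance reports that the "Actionable & Demonstrable Compliance" slide calls for, as an added example that is not FairWarning's product logic or code from the deck: a small Python detector that runs the access-after-termination, co-worker, household-member and unusually-high-access rules over EMR audit events. The roster, patient demographics, events, field names and the daily threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed HR roster (not from the slides), keyed by user id. "mrn" is the
# employee's own patient record when the employee is also a patient.
ROSTER = {
    "jdoe":   {"term_date": None,            "mrn": "M100", "address": "12 Oak St"},
    "asmith": {"term_date": date(2016, 8, 1), "mrn": None,  "address": "9 Elm Ave"},
    "bkhan":  {"term_date": None,            "mrn": None,  "address": "4 Pine Rd"},
}
# Constructed patient demographics, keyed by medical record number (MRN).
PATIENTS = {"M100": {"address": "12 Oak St"},   # jdoe's own record
            "M200": {"address": "4 Pine Rd"},   # same home address as bkhan
            "M300": {"address": "77 Bay Dr"}, "M400": {"address": "5 Gulf Ct"},
            "M500": {"address": "8 Reef Ln"}, "M600": {"address": "31 Palm Way"}}
# Constructed EMR audit events: (ISO timestamp, user id, MRN of the chart opened).
EVENTS = [
    ("2016-08-15T09:02:00", "asmith", "M300"),  # asmith was terminated on Aug 1
    ("2016-08-15T10:15:00", "bkhan",  "M100"),  # chart belongs to co-worker jdoe
    ("2016-08-15T10:20:00", "bkhan",  "M200"),  # patient shares bkhan's address
    ("2016-08-15T11:00:00", "jdoe",   "M300"),
    ("2016-08-15T11:05:00", "jdoe",   "M400"),
    ("2016-08-15T11:10:00", "jdoe",   "M500"),
    ("2016-08-15T11:12:00", "jdoe",   "M600"),  # 4 distinct charts in one day
]
HIGH_ACCESS_THRESHOLD = 3  # distinct charts per user per day; a constructed cutoff

def detect(events, roster, patients, threshold=HIGH_ACCESS_THRESHOLD):
    """Return (rule, user, detail) findings for a privacy investigator to review."""
    findings = []
    charts_per_day = defaultdict(set)  # (user, date) -> MRNs opened that day
    employee_mrns = {r["mrn"]: u for u, r in roster.items() if r["mrn"]}
    for ts, user, mrn in events:
        emp = roster.get(user)
        if emp is None:  # no unique user ID on file: activity cannot be attributed
            findings.append(("unknown_user", user, mrn))
            continue
        t = datetime.fromisoformat(ts)
        if emp["term_date"] and t.date() > emp["term_date"]:
            findings.append(("access_after_termination", user, mrn))
        if mrn in employee_mrns and employee_mrns[mrn] != user:
            findings.append(("co_worker_record", user, mrn))
        pt = patients.get(mrn)
        if pt and pt["address"] == emp["address"] and employee_mrns.get(mrn) != user:
            findings.append(("household_member", user, mrn))
        charts_per_day[(user, t.date())].add(mrn)
    for (user, day), mrns in charts_per_day.items():
        if len(mrns) > threshold:
            findings.append(("unusually_high_access", user, f"{day}: {len(mrns)} charts"))
    return findings
```

Each finding is a lead for review, not a verdict; a treatment relationship or a legitimate job duty can explain any of them, which is why the deck pairs automated reports with documented investigations.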


Cerner customers relying on FairWarning

• Servicing over 500 hospitals and 2,300 facilities worldwide

• Proactively monitoring over 700,000 employees

• 6.5 applications integrated per customer

• Over 25% of our Cerner customers partner with Managed Privacy Services


Questions?

For more information, please visit:

www.FairWarning.com

Email: [email protected]

Additional Resources

Evaluating Care Provider Readiness for an External HIPAA Audit

FairWarning Phase 2 HIPAA Audit Protocol Mapping