Why Security Risk Analysis? MedSafe “The Total Compliance Solution”

What Is Security Risk Analysis? By: MedSafe


DESCRIPTION

What exactly is a Security Risk Analysis? Most practices ask, we deliver. This presentation covers all you should be concerned with. Go to www.MedSafe.com for more information!


Page 1: What Is Security Risk Analysis? By: MedSafe

Why Security Risk Analysis?

MedSafe “The Total Compliance Solution”

Page 2

Presentation Outline

HIPAA Security Rule
Security Risk Analysis Definition
Security Risk Analysis Requirements
Security Risk Elements & Implementation

Page 3

PHI / ePHI Security Requirements

as defined under the HIPAA Security Rule

Page 4

What is ePHI?

Electronic Protected Health Information: individually identifiable health information in electronic form that is stored, accessed, maintained, retained, destroyed, transmitted, held, used or disclosed.

Page 5

What is “unsecured” PHI?

Unsecured PHI/ePHI is Protected Health Information that has NOT been rendered unusable, unreadable or indecipherable to unauthorized individuals.

Page 6

How do I secure PHI/ePHI?

Section 13402 of Title XIII (the HITECH Act) of the American Recovery and Reinvestment Act of 2009 (ARRA) ties breach notification to whether the PHI was “unsecured.” The options for securing it are the use of encryption technologies and proper destruction methods, as defined in HHS guidance.

Once PHI has been de-identified in accordance with the HIPAA Privacy Rule, it is no longer PHI and is therefore no longer subject to the HIPAA Privacy and Security Rules.

Page 7

Encryption

Encryption is the process of securing electronic information by transforming it into a form that is unreadable, indecipherable and unusable to any unauthorized individual. Authorized individuals possess the key needed to decrypt and access the secured information.

Page 8

Encryption & Breach

If secured (encrypted) ePHI were stolen or accessed by an unauthorized individual, the access would NOT constitute a breach, because the individual could not read the ePHI without the key. This safe harbor applies only when the encryption follows the HHS guidance on rendering PHI unusable (which defers to NIST standards such as SP 800-111 for data at rest) and the decryption key was not compromised along with the data; HHS expects the key to be kept on a device or at a location separate from the data it protects. A stolen laptop whose disk key or passphrase is stored on the laptop is not “secured.”

Examples of ePHI mechanisms that should be secured with encryption:
Laptops / EMR tablets
Smart phones
Email
Website portals / gateways
EMR interfaces, e-faxing, e-prescribing
Back-up tapes / CDs
External hard drives / flash drives
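The following is an added example and is not MedSafe's code or part of the presentation. It is a small Go program, using only the standard library, that seals a constructed sample record with AES-256-GCM and then shows the two properties the slide relies on: without the key the stored bytes reveal nothing and decryption fails cleanly rather than producing garbage, and any alteration of the sealed record is detected. The record text, the key handling (a fresh random key held in memory) and the function names are assumptions for illustration; in a real deployment the key would live in a key store or HSM, never on the device or medium that holds the records. The tamper-detection part goes slightly beyond the slide, which speaks only of confidentiality.

```go
// Added example (not MedSafe's code): sealing one ePHI record with AES-256-GCM
// so that, without the key, the stored bytes are unreadable and any tampering
// is detected. The record text below is constructed sample data.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh 256-bit key. In practice this key lives in a key
// store or HSM, never on the laptop or backup medium that holds the records.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals plaintext under key. Output layout: nonce || ciphertext || tag.
// A random 96-bit nonce is generated per record; GCM's tag authenticates the data,
// so a modified or truncated record fails to decrypt instead of yielding garbage.
func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key length selects AES-128/192/256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to its first argument, so the nonce travels
	// in front of the ciphertext.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecord reverses EncryptRecord. It returns an error, not partial
// plaintext, when the key is wrong or the record has been altered.
func DecryptRecord(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Leaks reports whether a plaintext fragment appears verbatim in the sealed
// record; for a correctly sealed record this is false.
func Leaks(sealed, fragment []byte) bool {
	return bytes.Contains(sealed, fragment)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("MRN 000000 | DOE, JANE | DOB 1970-01-01 | Dx: hypertension")

	key, _ := NewKey()
	sealed, _ := EncryptRecord(key, record)
	fmt.Printf("sealed %d bytes; name visible in ciphertext: %v\n",
		len(sealed), Leaks(sealed, []byte("DOE, JANE")))

	// Thief with the disk but not the key: authentication fails, nothing is revealed.
	wrongKey, _ := NewKey()
	if _, err := DecryptRecord(wrongKey, sealed); err != nil {
		fmt.Println("wrong key:", err)
	}

	// Thief who also flips a bit: tampering is detected rather than silently accepted.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := DecryptRecord(key, tampered); err != nil {
		fmt.Println("tampered record:", err)
	}

	// Authorized user with the key recovers the record.
	plain, _ := DecryptRecord(key, sealed)
	fmt.Println("recovered:", string(plain))
}
```

Run it with `go run`. An authenticated mode (GCM) is used rather than a bare block mode so that integrity, which the Security Rule also requires, comes with confidentiality. What the code cannot show is key management: if the key, or a passphrase that unlocks it, is stored on the same stolen device, the record is readable and the safe harbor does not apply.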

Page 9

HIPAA Security Rule

The final Security Rule under HIPAA was published February 20, 2003. It specifies the administrative, physical, and technical safeguards that Covered Entities must use to ensure the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI).

Page 10

Under 45 C.F.R. §§ 164.302–318

Organizations must identify and implement the most effective and appropriate administrative, physical, and technical safeguards to secure electronic protected health information (ePHI).

Page 11

The Security Rule identifies Risk Analysis as the foundational element in the process of achieving compliance.

Page 12

The very first implementation specification in the HIPAA Security Rule is Risk Analysis: “What could happen?”

Hackers broke into the United Nations computer system and hid there for two years. How do we know someone is not in our hospital computer system?

Risk analysis lays the foundation for the next specification in the Security Rule: Risk Management.

Page 13

What do the numbers say?

39% of privacy breach incidents on the OCR “Wall of Shame” (the website listing breaches affecting 500 or more individuals) have occurred on laptops or mobile devices.
88% of exposed records are mobile-media related.
60%+ of breaches have a strong malicious component.
Business Associates are involved in over half of breaches.

Source: J. David Kirby, Former Director, Information Security Office, Duke University Health System

Page 14

Covered Entities are required to:

Evaluate risks and vulnerabilities in their environments
Implement security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI

Risk analysis is the first step in that process.

Page 15

45 C.F.R. § 164.308(a)(1)

The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.”

Page 16

Risk Analysis Requirement, § 164.308(a)(1)(ii)(A)

Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.

Page 17

OCR Risk Analysis Directive

Per the Office for Civil Rights (OCR): “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].”

Page 18

Vulnerability defined

National Institute of Standards and Technology (NIST), US Department of Commerce, Special Publication (SP) 800-30, defines “vulnerability” as:

“[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”

Page 19

Vulnerabilities expanded

Vulnerabilities, whether exercised accidentally or intentionally, could result in a security incident, such as inappropriate access to or disclosure of ePHI.

Vulnerabilities may be grouped into two general categories, technical and non-technical. Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines. Technical vulnerabilities may include holes, flaws or weaknesses in the development of information systems, or incorrectly implemented and/or configured information systems.

Page 20

Considerations for Organizations

Determine the most appropriate ways to achieve compliance, taking into consideration:

The characteristics of the organization
The physical environment
Communication methodologies
Technological infrastructure
How ePHI is stored, shared and managed

Page 21

Security Rule Specifications: Addressable v. Required

The Rule contains several implementation specifications that are labeled “addressable” rather than “required.” (68 FR 8334, 8336 (Feb. 20, 2003).)

An “addressable” implementation specification is not “optional.” (68 FR 8334, 8336 (Feb. 20, 2003); 45 C.F.R. § 164.306(d)(3).) The entity must implement it if doing so is reasonable and appropriate; if not, it must document why and implement an equivalent alternative measure where that is reasonable and appropriate.

The outcome of the risk analysis process is a critical factor in assessing whether implementation of addressable specifications or equivalent measures is reasonable and appropriate.

Page 22

Risk Analysis

Ongoing risk analysis should be performed by a qualified external professional to ensure objectivity (the Rule itself does not require an outside assessor, only an accurate, thorough and documented analysis), and should include the following steps:

Physical site assessment and personnel interviewing process
Identify technological infrastructure & data management
Identify and document privacy & security vulnerabilities
Collect documentation as proof of security measures
Identify existing security measures, including encryption
Implement ongoing plans of corrective action

Page 23

ARE YOU READY?

KPMG has secured a $9.2 million contract with the Office for Civil Rights (OCR) to conduct random HIPAA/HITECH audits of Covered Entities. The audits have already begun.

Page 24

KPMG says…

After wrapping up site visits for the initial 20 compliance audits, the top HIPAA official at KPMG says Covered Entities (CEs) are failing to complete basic tasks, such as conducting a Risk Analysis and distributing a Notice of Privacy Practices.

Page 25

Who is under the microscope?

OCR contracted the consulting firm Booz Allen Hamilton to “identify audit candidates” and “provide background and recommendations” for the audit program.

The first 20 entities audited were grouped by level of information technology sophistication and by type of entity, with four “levels” or tiers among them. Of the 20, 10 were providers, eight were health plans and two were clearinghouses.

Covered Entities of all sizes were audited.

Page 26

Tier 1 organizations are the largest…

…with “revenues or assets greater than $1 billion,” including health plans, provider organizations and clearinghouses with “extensive use of health information technology, complicated HIT-enabled clinical and business work streams.”

Page 27

Tier 2 includes…

…health plans, providers and clearinghouses including hospital systems with 3 to 10 hospitals or regions, and regional insurance companies with assets valued at between $300 million and $1 billion.

Page 28

Tier 3 includes…

…health plans and providers, which could include community hospitals, outpatient surgery centers, pharmacies and “self-insured entities that don’t adjudicate their claims,” with revenues between $50 million and $300 million each and “some, but not extensive use of HIT [and] mostly paper-based workflows.”

Page 29

Tier 4 includes…

…health plans and providers, described in OCR presentations as provider practices with 10 to 15 providers and community or rural pharmacies, with “little to no use of HIT, almost exclusively paper-based workflows” and “less than $50 million” in revenues.

Page 30

The audited entities ranged in complexity from single physician practices to complex acute care medical centers

A covered entity can do its best to ensure broad compliance across all aspects of its operations, while the audit team might zero in on one department.

Page 31

Michael Ebert, national HIPAA services leader for KPMG, which is performing the audits for OCR, stated…

In addressing what covered entities should be doing in light of the audit program, Ebert said: “Do a risk analysis, risk assessment.”

“I’ll tell you now, on everything we do, that’s the biggest weakness we see,” he said.

Ebert added that “People need to understand that safeguarding PHI goes beyond electronic. It goes to paper and oral. So how you set up your ERs, how you set up your consultation area” matter, he said.

Page 32

Elements of a Risk Analysis include…

Analysis of technological infrastructure
Internal operations & ePHI management
ePHI sharing, interfaces, communication methodology
Existence of policies and procedures
Provision of ongoing staff training
Identification of ePHI sources & vulnerabilities
PHI storage and physical PHI security
ePHI preservation and operations
Workstation security & internal processes

Page 33

Compliance Checklist

Implement HIPAA/HITECH policies & procedures
Conduct risk analysis
Conduct ongoing employee training
Collect documentation of compliance efforts
Implement written plans of correction
Ensure existence of data security measures
Facilitate patient rights under the law

Page 34

Accountability

Security Risk Analysis establishes accountability. Covered Entities are ultimately responsible for protecting the patient information they have been entrusted with. Risk Analysis is an important tool that helps ensure the privacy and security of the information that CEs have promised to protect under the law.

Page 35

In Summary, Security Risk Analysis:

...is a requirement.
...protects Covered Entities and patients.
...reduces the potential for breach.
...improves quality measures and establishes accountability.
...facilitates CEs’ receipt of CMS EHR Incentives.
...establishes ongoing goals.
...from an ethical standpoint, is the right thing to do.

Page 36

MedSafe

“The Total Compliance Solution”

www.medsafe.com