Data Governance and HIPAA Risk Assessments www.hipaatrek.com [email protected] 314-272-2600 Presented by Sarah Badahman CEO/Founder, HIPAAtrek


Page 1

Data Governance and HIPAA Risk Assessments

[email protected]

Presented by Sarah Badahman, CEO/Founder, HIPAAtrek

Page 2

What is data governance?

Information Governance (IG) is an organization-wide framework for managing information throughout its lifecycle and supporting the organization’s strategy, operations, regulatory, legal, risk, and environmental requirements.

Data Governance (DG) is the responsibility of the business unit. It is the policies, processes, and practices that address the accuracy, validity, completeness, timeliness and integrity of data (data quality).

(AHIMA, via http://www.ahima.org/topics/infogovernance/ig-glossary)

Page 3

What is data governance?

Information Governance spans the information lifecycle:

• Creation & Content
• Privacy
• Security
• Retention
• Retrieval
• Disposition

Page 4

What is data governance?

Written Policies and Procedures: These policies should be accessible to providers and staff so that questions about business processes can be easily answered. Those policies might include:

• Registration and Front Desk Processes
• Content of the Medical Record
• Privacy and Security
• Employee Training, Training Records, and Acknowledgments
• Release of Information Procedures
• Internal Audit Processes
• External Audit Processes
• Storage, Retention and Disposition of Health Information (PHI)
• Storage, Retention and Disposition of Business Records

Provider and Staff Education: An organization should train providers and staff on policies and procedures at hire and at least annually thereafter. Additional training between those cycles may be needed to reteach whenever questions, incidents or weaknesses are detected.

Page 5

Policies and Procedures

Page 6

Policies and Procedures (Safeguards)

• Policies: Define an organization’s approach
• Procedures: Describe how the organization carries out that approach
• Both should reflect the mission and culture of the organization

Page 7

Privacy Rule

Page 8

Security Rule

Page 9

Breach Notification Rule

Page 10

Time Limit

• Legalese: “Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.”
• Version control management
  • Be sure to notate when the policy was first created
  • Be sure to notate when the policy is updated
  • Maintain each new version for the time limit required by law
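The retention rule quoted above has an edge case that version control has to handle: a superseded version is measured from the day it stopped being in effect, and a version still in effect has no expiry yet. The following is an added example (not part of the presentation) that applies that rule to a constructed policy history; the policy names and dates are made up.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, List

RETENTION_YEARS = 6  # "6 years ... whichever is later", as quoted on the slide


@dataclass
class PolicyVersion:
    policy: str
    version: int
    created: date                      # when this version was first created
    superseded: Optional[date] = None  # when a newer version replaced it; None = still in effect


def add_years(d: date, years: int) -> date:
    # Feb 29 has no match in non-leap years; fall back to Feb 28.
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def last_in_effect(v: PolicyVersion, today: date) -> date:
    # A version that has not been superseded is still in effect today.
    return v.superseded if v.superseded is not None else today


def retain_until(v: PolicyVersion, today: date) -> date:
    # Anchor on the later of creation and last-in-effect, then add the retention period.
    anchor = max(v.created, last_in_effect(v, today))
    return add_years(anchor, RETENTION_YEARS)


def versions_to_retain(history: List[PolicyVersion], today: date) -> List[PolicyVersion]:
    # Every version whose retention window has not yet closed must still be kept.
    return [v for v in history if retain_until(v, today) > today]


# Constructed version history for one hypothetical policy.
BYOD_HISTORY = [
    PolicyVersion("BYOD", 1, date(2010, 1, 15), superseded=date(2012, 3, 1)),
    PolicyVersion("BYOD", 2, date(2012, 3, 1), superseded=date(2015, 6, 10)),
    PolicyVersion("BYOD", 3, date(2015, 6, 10)),  # current version
]

if __name__ == "__main__":
    today = date(2019, 1, 1)
    for v in versions_to_retain(BYOD_HISTORY, today):
        print(f"{v.policy} v{v.version}: retain until {retain_until(v, today)}")
```

Note that version 1 was created more than 6 years before the constructed "today" but is measured from the day it was superseded, which is what makes the "whichever is later" clause matter.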

Page 11

Availability

• Legalese: “Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.”
• Considerations:
  • Having printed manuals for your management and staff
  • Posting your policies and procedures on your intranet
  • Using a software management system to manage and share your policies and procedures

Page 12

Updates

• Legalese: “Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.”
• Considerations:
  • Frequency of reviews
  • Operational changes
  • Move to EMR
  • Change EMR
  • Physical location
  • Identified threats in risk analysis
  • Major staffing changes

Page 13

Implementing HIPAA

Page 14

Process Approach: Define, Measure, Analyze, Improve, Control

Page 15

Project Management Approach to HIPAA Compliance: Define for each process or policy

Page 16

Each process defined should be evaluated and broken down into the smallest process possible.

Page 17

Project Management Approach to HIPAA Compliance: Measure current progress or performance for each defined goal or process

Page 18

Project Management Approach to HIPAA Compliance: Analyze to determine if the process is meeting the objectives. Discover root cause if not meeting goals.

Page 19

Analyze: Threat Analysis

Successful:
• Determined Threat Model: STRIDE and DREAD
• Determined Methodology

Not Meeting Goals:
• Goal: Unable to quantitatively assess threats to third party applications (i.e. EMR)
  Root Cause: We do not have control over business associate environments

Page 20

Project Management Approach to HIPAA Compliance: Improve the problem by selecting a solution

Page 21

Improve: Threat Analysis

Not Meeting Goals:
• Goal: Unable to quantitatively assess threats to third party applications (i.e. EMR)
  Root Cause: We do not have control over business associate environments

Brainstorm and select solution:
• Survey business associates for their compliance/security controls
• Conduct a qualitative analysis based on the variables we have control over

Page 22

Project Management Approach to HIPAA Compliance: Control the improved process to ensure goals are met

Page 23

RACI Approach to HIPAA

• What is RACI?
  • Responsible: responsible for doing the actual work
  • Accountable: ultimately accountable for the completion of the work
  • Consulted: provide input/output as needed
  • Informed: want/need to be kept up-to-date
• Roles
  • Champion
  • Business Owner
  • Process Owner
  • Subject Matter Expert

Page 24

Example: Threat Analysis

Roles:
• Champion: Privacy Officer
• Business Owner: Security Officer
• Process Owner: Management
• SME: IT Department

RACI matrix (columns: Define, Measure, Analyze, Improve, Control):

Privacy Officer     C    I    I    C    C
Security Officer    R    R    R    R    R
IT Department       A    A    A    A    A
Management          C    C    C    C    C
Employees           n/a  n/a  n/a  n/a  n/a

Page 25

Create An Auditable Trail of Compliance

• Document every compliance activity
• Record the who, when, where, why, and how of every activity

Page 26

OCR HIPAA Enforcement

• 2016 Phase 2 Audits

• 2017 Business Associate Audits

• Stage 3 of Phase 2 Audits will include on-site audits

• Information Gathering vs Punitive

• Prepare now! Only 10 days to respond when chosen for an audit

• Only submit requested information

Page 27

Risk Analysis

Page 28

Preparing for the Risk Analysis

• Scope the Assessment
  • Which systems and/or processes will be included in the assessment?
  • What is the purpose of the assessment? Routine, response to a breach or client request, or adopting new technology or moving/adding a new physical location?
• Gather Information
  • Where is PHI created, received, maintained, processed or transmitted?
  • This should correlate with your inventory
  • What controls (policies or procedures) are in place to protect the security and privacy of your PHI, and how effective are they?

Page 29

Assessing Threats and Vulnerabilities

• Identifying Threats
  • Choose a threat model
    • STRIDE
    • DREAD
  • Assess known potential threats
    • Technical
    • Environmental
    • People
• Identifying Vulnerabilities
  • Run a Vulnerability Scan
    • Rapid Fire, Provensec, or other similar tool
    • Use the National Database of Vulnerabilities
  • Enlist the assistance of your IT Department or IT vendor to assess your technical vulnerabilities
  • Conduct a site survey to identify non-technical vulnerabilities

Page 30

Threat Likelihood

• Using the threats and vulnerabilities identified in the previous step
• Determine the likelihood of a threat exposing a vulnerability
• Assess by threat, using the model determined in the previous step
• Prioritize threat likelihood using a quantitative, qualitative or hybrid model

Page 31

Page 32

Assessing Policy Effectiveness

• Conduct a Policy Gap Analysis
  • Assess whether or not all required implementation specifications have policies created
  • Assess how well they are implemented
• Survey workforce members on HIPAA policy adherence

Page 33

Assessing Threats and Vulnerabilities

• Determine the Level of Risk
  • Using the previous steps, assess the overall risk to your PHI security and privacy
  • Risk = (Threats x Vulnerabilities x Impact) - Controls
• Recommend Security Controls
  • Based on the findings from all the previous steps, create a risk management plan to address identified threats and vulnerabilities, designed to reduce the impact to your organization
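The threat likelihood step (rate each threat with the chosen model, here DREAD) and the risk formula above can be carried through in a few lines. The following is an added example, not part of the presentation: the 1-to-3 rating scales, the risk bands and the three sample threats (one each from the Technical, Environmental and People categories) are constructed for illustration, and DREAD is used for the "Threats" term because the slides name it as the model chosen.

```python
from dataclasses import dataclass
from typing import Dict, List

DREAD_FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


@dataclass
class Threat:
    name: str
    category: str         # Technical, Environmental or People, as on the threat slide
    dread: Dict[str, int]  # each DREAD factor rated 1 (low) .. 3 (high); scale is constructed
    vulnerability: int    # how exposed the asset is, 1..3
    impact: int           # impact on PHI confidentiality/integrity/availability, 1..3
    controls: int         # strength of existing controls, 0..3 (subtracted, per the slide formula)


def _check(value: int, lo: int, hi: int, what: str) -> int:
    if not lo <= value <= hi:
        raise ValueError(f"{what} must be between {lo} and {hi}, got {value}")
    return value


def dread_likelihood(t: Threat) -> float:
    # Threat likelihood as the mean DREAD rating, so it stays on the same 1..3 scale.
    ratings = [_check(t.dread[f], 1, 3, f) for f in DREAD_FACTORS]
    return sum(ratings) / len(ratings)


def risk_score(t: Threat) -> float:
    # Risk = (Threats x Vulnerabilities x Impact) - Controls, floored at zero.
    raw = (dread_likelihood(t) * _check(t.vulnerability, 1, 3, "vulnerability")
           * _check(t.impact, 1, 3, "impact")) - _check(t.controls, 0, 3, "controls")
    return max(0.0, raw)


def risk_level(score: float) -> str:
    # Constructed bands over the 0..27 range the scales above can produce.
    return "High" if score >= 18 else "Medium" if score >= 9 else "Low"


def prioritize(threats: List[Threat]) -> List[Threat]:
    # Highest-risk threats first; this ordering drives the risk management plan.
    return sorted(threats, key=risk_score, reverse=True)


# Constructed sample threats (ratings are illustrative, not measured values).
SAMPLE_THREATS = [
    Threat("Server room flood", "Environmental", dict(zip(DREAD_FACTORS, (3, 1, 1, 3, 1))), 1, 2, 2),
    Threat("Phishing email leading to credential theft", "People", dict(zip(DREAD_FACTORS, (3, 3, 2, 3, 3))), 2, 3, 2),
    Threat("Unencrypted laptop lost or stolen", "Technical", dict(zip(DREAD_FACTORS, (3, 3, 3, 2, 2))), 3, 3, 1),
]

if __name__ == "__main__":
    for t in prioritize(SAMPLE_THREATS):
        print(f"{risk_score(t):5.1f}  {risk_level(risk_score(t)):6}  {t.category:13}  {t.name}")
```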

Page 34

Creating a Culture of Security

Page 35

Avoid Treating Your Work Environment Like Your Home Environment

• Computing habits
  • Browsing
  • Email
  • Social Media
• Physical Security
  • Leaving devices unlocked and unattended
  • Leaving mobile devices in vulnerable areas
• Security Practices
  • Passwords
  • Firewalls
  • Audit Procedures

Page 36

Avoid Outdated Technology

• Outdated technology costs the health industry $8.3B annually
• Reliance on legacy systems
• Older technology is more prone to crashes
• Incompatibility with newer software
• Higher prevalence of cyber attacks and malware
• Less likely to be supported by the manufacturer
• Lost productivity and revenue
• Use of home or non-commercial technology

Page 37

Bolster BYOD Policy

• Devices included:
  • Laptops, tablets, mobile phones; company owned, employee owned, non-employee owned
• Rules regarding:
  • What is allowed based on operating systems
  • What devices, data types or applications are restricted
  • Monitoring of devices
  • Basic controls required for each device
  • Enhanced controls required for certain devices

Page 38

Encryption Practices

• Encrypt data at rest
  • Full Disk Encryption
    • Only effective on an unbooted (powered-off) computer
    • Files are not protected when moved off the disk
  • File Encryption
    • Files stay encrypted regardless of where they are stored
    • As long as the file is ‘at rest’ it is encrypted
• Most thefts involving portable devices and laptops involved unencrypted devices
• Encrypt smart phones and tablets that store, transmit or access ePHI
  • Many cost-effective solutions
• AES-256 is the industry standard in the healthcare industry

Page 39

Questions?


[email protected]