NetWatcher HIPAA Compliance eBook | Preparing for the Client-Driven Cybersecurity Audit HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED



HEALTHCARE ORGANIZATIONS ARE UNDER INTENSE SCRUTINY BY THE US FEDERAL GOVERNMENT TO ENSURE PATIENT DATA IS PROTECTED

Within this eBook we are covering the Security Rule as it relates to healthcare organizations.

The Security Rule sets the standards for ensuring that only those who should have access to PHI will actually have access.

The Department of Health and Human Services (HHS) has done a great job of documenting how to comply with the Security Rule. You can find that documentation here.

Basic information about HIPAA is located here.


IT IS YOUR RESPONSIBILITY TO PROTECT YOUR CUSTOMER’S PERSONALLY IDENTIFIABLE INFORMATION (PII) DATA

The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing these standards and may conduct complaint investigations and compliance reviews. The penalties can be steep at $100 to $50,000 or more per violation, with a $1,500,000 calendar-year cap.

State and regional governments may also impose separate fines in addition to the federal ones.

To date, more than 41 million individuals have had their protected health information compromised in reportable HIPAA privacy and security breaches, according to data from the HHS Office for Civil Rights.


EXAMPLES OF WHEN SECURITY IS COMPROMISED

NOVEMBER 12, 2014 - Hackers swipe data of 60K in vendor HIPAA breach A state insurance plan subcontractor is at the center of a serious security incident after hackers gained three months of unfettered access to its computer system, compromising thousands of members’ health records. What’s more, despite discovering the HIPAA breach in April, it took officials some four months to notify those affected. The Dallas-based Onsite Health Diagnostics – a medical testing and screening company, which contracts with the state of Tennessee’s wellness plan – notified 60,582 people that their protected health information was accessed and stored by an “unknown source.” The breach affected members of Tennessee’s State Insurance Plan, Local Government Insurance Plan and Local Education Insurance Plan.

DECEMBER 10, 2014 - Malware Infection Results in $150,000 HIPAA Fine Anchorage Community Mental Health Services (ACMHS) was fined $150,000 for not preventing malware from infecting its computers. The malicious programming breached the protected electronic health information of 2,743 individuals in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). According to an OCR news release, ACMHS adopted HHS security rule policies in 2005 but never followed them. The introduction of the malware into the ACMHS system was “the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software,” according to an HHS/OCR bulletin (.pdf). In addition to the $150,000 settlement amount, the resolution agreement (.pdf) between ACMHS and OCR includes a corrective action plan and requires ACMHS to report on the state of its compliance to OCR for a 2-year period.


| HIPAA Citation | HIPAA Security Rule Standard / Implementation Spec | Requirement Description | Item on Following Slides |
|---|---|---|---|
| 164.308(a)(1)(i) | Security Management Process | Policies and procedures to manage security violations | |
| 164.308(a)(1)(ii)(A) | Risk Analysis | Conduct vulnerability assessment | 4 |
| 164.308(a)(1)(ii)(B) | Risk Management | Implement security measures to reduce risk of security breaches | 10 |
| 164.308(a)(1)(ii)(C) | Sanction Policy | Worker sanction for policies and procedures violations | 7 |
| 164.308(a)(1)(ii)(D) | Information System Activity Review | Procedures to review system activity | 10 |
| 164.308(a)(2) | Assigned Security Responsibility | Identify security official responsible for policies and procedures | 1 |
| 164.308(a)(3)(i) | Workforce Security | Implement policies and procedures to ensure appropriate PHI access | 7 |
| 164.308(a)(4)(i) | Information Access Management | Policies and procedures to authorize access to PHI | 7 |
| 164.308(a)(4)(ii)(A) | Isolation Health Clearinghouse Functions | Policies and procedures to separate PHI from other operations | 7 |
| 164.308(a)(5)(i) | Security Awareness Training | Training program for workers and managers | 6 |
| 164.308(a)(6)(i) | Security Incident Procedures | Policies and procedures to manage security incidents | 9 |
| 164.308(a)(6)(ii) | Response and Reporting | Mitigate and document security incidents | 10 |
| 164.308(a)(7)(i) | Contingency Plan | Emergency response policies and procedures | 9 |
| 164.308(a)(7)(ii)(A) | Data Backup Plan | Data backup planning and procedures | 7 |
| 164.308(a)(7)(ii)(B) | Disaster-Recovery Plan | Data recovery planning and procedures | 7 |
| 164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Business continuity procedures | 7 |
| 164.308(a)(8) | Evaluation | Periodic security evaluation | 3 and 4 |
| 164.308(b)(1) | Business Associate Contracts and Other Arrangements | CE implement BACs to ensure safeguards | 7 |
| 164.308(b)(4) | Written Contract | Implement compliant BACs | 7 |
| 164.310(a)(1) | Facility Access Controls | Policies and procedures to limit access to systems and facilities | 7 |
| 164.310(b) | Workstation Use | Policies and procedures to specify workstation environment and use | 7 |
| 164.310(c) | Workstation Security | Physical safeguards for workstation access | 2 |
| 164.310(d)(1) | Device and Media Controls | Policies and procedures to govern receipt and removal of hardware and media | 7 |
| 164.310(d)(2)(i) | Disposal | Policies and procedures to manage media and equipment disposal | 7 |
| 164.310(d)(2)(ii) | Media Reuse | Policies and procedures to remove PHI from media and equipment | 7 |
| 164.312(a)(1) | Access Control | Technical (administrative) policies and procedures to manage PHI access | 7 |
| 164.312(a)(2)(i) | Unique User Identification | Assign unique IDs to support tracking | 2 |
| 164.312(a)(2)(ii) | Emergency Access Procedure | Procedures to support emergency access | 7 |
| 164.312(b) | Audit Controls | Procedures and mechanisms for monitoring system activity | 10 |
| 164.312(c)(1) | Integrity | Policies and procedures to safeguard PHI against unauthorized alteration | 7 |
| 164.312(d) | Person or Entity Authentication | Procedures to verify identities | 7 |
| 164.312(e)(1) | Transmission Security | Measures to guard against unauthorized access to transmitted PHI | 7 |

Do you address all of the HIPAA Security Rule standards? Receive guidance on each rule using the following 10 pages.


1. CREATE A COMMITTEE WITH PLAYERS FROM IT, COMPLIANCE, MANAGEMENT AND SECURITY

This team will be responsible for the ongoing cybersecurity of the organization. Ensure that this team is led by a senior executive in the organization. This team can be the Audit committee for the organization. Here is a good read on the subject of Audit committees and cybersecurity from Deloitte.


2. USE A FRAMEWORK SUCH AS THE NIST CYBER-SECURITY FRAMEWORK OR THE ISO 27001/27002

“The Framework focuses on using business drivers to guide cyber-security activities and considering cyber-security risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cyber-security activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through use of the Profiles, the Framework will help the organization align its cyber-security activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cyber-security risk.”

– NIST framework

HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework (here)


3. CONDUCT A YEARLY SECURITY RISK ASSESSMENT TO IDENTIFY RISKS AND DEVELOP A MITIGATION PLAN

“Risk assessments are used to identify, estimate, and prioritize risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems. The purpose of risk assessments is to inform decision makers and support risk responses by identifying: (i) relevant threats to organizations or threats directed through organizations against other organizations; (ii) vulnerabilities both internal and external to organizations; (iii) impact (i.e., harm) to organizations that may occur given the potential for threats exploiting vulnerabilities; and (iv) likelihood that harm will occur. The end result is a determination of risk (i.e., typically a function of the degree of harm and likelihood of harm occurring). Risk assessments can be conducted at all three tiers in the risk management hierarchy—including Tier 1 (organization level), Tier 2 (mission/business process level), and Tier 3 (information system level). At Tiers 1 and 2, organizations use risk assessments to evaluate, for example, systemic information security-related risks associated with organizational governance and management activities, mission/business processes, enterprise architecture, or the funding of information security programs. At Tier 3, organizations use risk assessments to more effectively support the implementation of the Risk Management Framework (i.e., security categorization; security control selection, implementation, and assessment; information system and common control authorization; and security control monitoring).”

- NIST Special Publication 800-39


4. SCHEDULE A 3RD PARTY SECURITY COMPANY TO TEST YOUR ORGANIZATION’S SECURITY

We encourage that the following tests be run:

• Penetration Testing

• Vulnerability Assessments

• Web Application Assessments

• Social Engineering Testing


5. ENSURE YOUR ORGANIZATION HAS CYBER LIABILITY INSURANCE

Not all cyber insurance policies are created equal, so you will need to get educated on all the items the policy will need to cover. Click here for a good article from Modern Healthcare. Click here for information from a DHS-sponsored Cyber Insurance Roundtable for Healthcare.


6. CONDUCT MANDATORY SECURITY TRAINING

Keep everyone in your organization advised of new security threats and underscore the need for vigilance, including being watchful for suspicious emails, texts, hyperlinks, etc., as well as social engineering ploys. Here is an example.


7. HAVE, FOLLOW AND AUDIT ALL THE NECESSARY PLANS AND POLICIES THAT IMPACT THE ORGANIZATION’S DATA SECURITY

Companies with the necessary plans in place are able to respond and protect their business more swiftly than those without. There are a number of plans your business could consider, including:

• Business continuity plan

• Disaster recovery plan

• Remote access policy

• Employee termination policy

• Password policy

• Encryption policy

• Data access policy

• Bring Your Own Device Policy

To speed policy development, you can start with open-source templates from SANS found here.


8. CREATE AN ACCEPTABLE USE POLICY

In an ideal world, employees would use the computers and Internet access provided by their employer solely for business use. However, throughout the work day, organizations are often exposed by their users’ misuse of the system.

The dilemma faced by every organization is what to do about it and how to start. The creation and dissemination of an Acceptable Use Policy (AUP) can help an organization avoid unwanted consequences and enable it to deal with transgressions in a fair and systematic way that will survive legal challenges without reducing employee morale and productivity.

Ensure ALL employees sign the AUP before using your organization’s IT resources.


9. CREATE AN INCIDENT RESPONSE PLAN

Ensure that someone is formally designated for managing your organization’s incident response. NIST has published a Computer Security Incident Response Guide that can help you develop appropriate policies and procedures. Practice by running through scenarios with your incident response team at least once a year to ensure that your processes are working as expected.


10. USE A REAL-TIME CONTINUOUS MONITORING SOLUTION (NETWATCHER.COM)

NetWatcher’s Security-as-a-Service platform enables organizations to have a cost-effective 24 x 7 security service monitoring their networks for vulnerabilities and exploits. Today’s healthcare organizations require continuous monitoring.

NetWatcher enables a healthcare organization to immediately deploy these services and take advantage of a fully-staffed Security Operations Center (SOC). This means superior protection with no capital outlay, resource commitments or additional headcount.

Available for as low as $299/month with a 1 year contract. Contact NetWatcher at [email protected].