STARTEL’S CONTRIBUTIONS TO YOUR HIPAA COMPLIANCE
Bill Lane and Margaret Lally
AGENDA
- Overview of HIPAA
- Startel’s HIPAA/HITECH Assessment Report Findings & Recommendations
  - HIPAA/HITECH Compliance Program Assessment Report
  - HIPAA Security Rule – Technical Safeguards Application Assessment Report for ePHI Compliance
- HIPAA Security Best Practices
- Summary
OVERVIEW OF HIPAA
HIPAA – WHAT IS IT?
The Health Insurance Portability & Accountability Act of 1996 (HIPAA) required the Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information
HIPAA – WHAT IS IT? CONTINUED
- HHS published what are commonly known as the HIPAA Privacy Rule & HIPAA Security Rule, which:
  - Help to protect the privacy of an individual’s health information
  - Allow covered entities to adopt new technologies to improve the quality and efficiency of patient care
HIPAA SECURITY RULE
- The Security Standards for the Protection of Electronic Protected Health Information, or the Security Rule, is a national set of security standards for protecting certain health information that is held or transferred in electronic form (ePHI)
- Addresses the administrative, physical & technical safeguards that covered entities must put in place to secure ePHI
- Technical safeguards include access control, audit controls, integrity controls and transmission security
- Each of these technical safeguards can be addressed with software solutions, like encryption technology
COVERED ENTITY VS. BUSINESS ASSOCIATE
- Business Associate (BA): A person or organization that performs a function on behalf of a Covered Entity (CE)
- Examples include:
  - Software Vendors (such as STARTEL)
  - Third-party Billing Companies
  - Claims Processors
  - Collections Agencies
  - Outsourced Contact Centers/Telephone answering services
BUSINESS ASSOCIATE REQUIREMENTS
- Ensure the confidentiality, integrity and availability of all ePHI that is created, received, maintained or transmitted
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
- Protect against reasonably anticipated uses or disclosures of such information that are not permitted by the HIPAA Privacy Rule
- Ensure compliance by workforce
STARTEL’S HIPAA/HITECH ASSESSMENT
OVERVIEW
- Auditing Firm: Coalfire Systems, hired for an annual, 3-year engagement
- Objective: To perform an assessment of the controls in place to satisfy requirements of the HIPAA Security Rule, HITECH & Omnibus Rule
- Assessment Period: September – December
- Locations Assessed: Startel HQ & Colo (Latisys)
PROJECT ACTIVITIES
1. Performed an environment characterization to understand the uses/flows of ePHI throughout Startel
2. Reviewed policies/procedures to identify compliance gaps
3. Reviewed the controls in place to satisfy the IT security-related requirements of HIPAA, HITECH and Omnibus Rule
4. Performed control analysis and testing for the purpose of understanding the level of operating effectiveness
5. Provided detailed assessment results outlining Startel’s HIPAA compliance posture, as well as recommendations
STARTEL’S ACTIVITIES
- Performed a risk analysis
- Implemented information system policies & procedures
- Named a security official
- Defined workforce clearance/termination procedures
- Implemented user access rights
- Performed (annual) training and periodic security updates
- Protection from malicious software
STARTEL’S ACTIVITIES CONTINUED
- Log-in monitoring and audit controls
- Password management
- Data back-up plan
- Tested Startel applications in Coalfire Lab
- Acquired secure shredding bins
- Created breach notification procedures
- Modified ATSI Sample BA agreements for users to sign
REPORT FINDINGS: HIPAA/HITECH COMPLIANCE PROGRAM ASSESSMENT REPORT
REPORT KEY
- Full compliance for a given requirement is based on two objectives:
  - Assess whether or not Startel has defined policies/procedures to meet the requirement
  - Determine if appropriate controls have been implemented
- If requirements are not fully met, the compliance status is identified as “Partially Compliant”
- Standards and implementation specifications that don’t apply to Startel are identified as “Not Applicable” (N/A)
STARTEL’S HIPAA COMPLIANCE SCORECARD
STARTEL’S HIPAA COMPLIANCE POSTURE
ADMINISTRATIVE SAFEGUARDS
ADMINISTRATIVE SAFEGUARDS CONT.
PHYSICAL SAFEGUARDS
TECHNICAL SAFEGUARDS
ORGANIZATIONAL SAFEGUARDS
POLICIES, PROCEDURES & DOCUMENTATION REQUIREMENTS
HITECH ACT & OMNIBUS RULE – IT SECURITY PROVISIONS
RECOMMENDATIONS
WORKFORCE SECURITY: Workforce Clearance Procedure (A)
- Create procedures for obtaining appropriate sign-offs to grant or terminate access to ePHI
- Modify Company policies to require that background checks be performed on all potential employees prior to hire
INFORMATION ACCESS MANAGEMENT: Access Establishment and Modification (A)
- Ensure that a documented review of user access and privileges is performed monthly
SECURITY INCIDENT PROCEDURES: Testing and Revision Procedure (A)
- Review and test BCDR Plan on an annual basis
- Document results and implement improvements
ACCESS CONTROL: Encryption & Decryption (A)
- Ensure that ePHI is encrypted at rest. This includes managed clients’ CMC databases but also Startel Appointment Scheduler and Startel Secure Messaging databases.
AUDIT CONTROLS: Change Management (R)
- Ensure that all changes to hardware and software in the ePHI environment go through a formal Change Management policy and strategy for production systems
POLICIES, PROCEDURES AND DOCUMENTATION: Updates (R)
- Review Company’s IT policies and procedures annually
- Document changes to environment and any potential risks
REPORT FINDINGS: HIPAA SECURITY RULE – TECHNICAL SAFEGUARDS APPLICATION ASSESSMENT REPORT FOR EPHI COMPLIANCE
OVERVIEW
- Objectives:
  - To determine if the HIPAA Security Rule for ePHI applies to Startel’s Application Suite
  - To determine if Startel’s Application Suite is compliant with HIPAA’s Technical Safeguards via Lab Testing
- Assessment Period: December 10-14, 2013
- Testing Access: Remote
PROJECT SCOPE
PROJECT SCOPE CONTINUED
PROJECT ACTIVITIES
1. Testing of Startel’s Application Suite in Coalfire’s lab environment including:
   a. Lab set-up and application implementation following vendor guidance
   b. Technical testing of the application in the lab environment
   c. Review of all relevant documentation
   d. Interview of vendor personnel
2. Completion of the HIPAA Security Rule – Technical Safeguards Assessment Report
SUMMARY RESULTS
On January 3, 2014, Coalfire completed the full assessment testing process and found the Startel Application Suite to be fully compliant with all applicable requirements of HIPAA’s Technical Safeguards (Part 164.312).
KEY FEATURES OF STARTEL’S HIPAA-COMPLIANT APPLICATION SUITE
- Unique User Identification (R)
- Emergency Access Procedures (R)
- Automatic Log Off (A)
- Encryption and Decryption (A)
- Audit Controls (R)
- Mechanism to Authenticate ePHI (A)
- Person or Entity Authentication (R)
- Integrity Controls (A)
- Encryption of Transmitted ePHI (A)
RECOMMENDATIONS
Unique User Identification (R)
- Develop & maintain access control documentation of the application’s access controls in relation to establishing unique user IDs
Emergency Access Procedure (R)
- Application users should develop & maintain a BCDR plan; include how to restore the application and access to ePHI data
Automatic Log Off (A)
- Develop & maintain access control documentation in relation to how the application enforces automatic log off of sessions
- Change log-off for period of inactivity from 30 mins to 15 mins
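The inactivity-based log-off described above, shown as an added example (not Startel application code): a session manager that records the last activity per session, refuses requests once the idle period is exceeded, sweeps idle sessions from a background pass, and writes login/log-off events to an audit trail. The in-memory session store, the injectable clock and the sample user name are assumptions made for the demonstration; the 15-minute limit is the one recommended on the slide and `demo()` contrasts it with the previous 30-minute setting.

```python
"""Inactivity-based automatic log off with an audit trail (added example, not Startel code)."""
import time
from dataclasses import dataclass

# Assumption: sessions are held in memory here; a real application keeps them in
# its database and runs sweep_idle_sessions() from a scheduled task.
INACTIVITY_LIMIT_SECONDS = 15 * 60   # the recommended 15-minute limit (previously 30)


@dataclass
class Session:
    user_id: str
    started_at: float
    last_activity: float
    active: bool = True


class SessionManager:
    """Tracks last activity per session and logs users off after a period of inactivity."""

    def __init__(self, inactivity_limit=INACTIVITY_LIMIT_SECONDS, clock=time.monotonic):
        self.inactivity_limit = inactivity_limit
        self.clock = clock               # injectable so the behaviour can be tested offline
        self.sessions = {}
        self.audit_log = []              # (timestamp, user_id, event) entries

    def login(self, session_id, user_id):
        now = self.clock()
        self.sessions[session_id] = Session(user_id, now, now)
        self.audit_log.append((now, user_id, "login"))

    def touch(self, session_id):
        """Call on every request. Returns True if the session may continue,
        False if it has been (or is now) logged off for inactivity."""
        session = self.sessions.get(session_id)
        if session is None or not session.active:
            return False
        now = self.clock()
        if now - session.last_activity > self.inactivity_limit:
            self._log_off(session, now, "auto-logoff")
            return False
        session.last_activity = now
        return True

    def logout(self, session_id):
        session = self.sessions.get(session_id)
        if session is not None and session.active:
            self._log_off(session, self.clock(), "logout")

    def sweep_idle_sessions(self):
        """Background pass: expire idle sessions even if the user never sends another request."""
        now = self.clock()
        expired = []
        for session_id, session in self.sessions.items():
            if session.active and now - session.last_activity > self.inactivity_limit:
                self._log_off(session, now, "auto-logoff")
                expired.append(session_id)
        return expired

    def _log_off(self, session, now, event):
        session.active = False
        self.audit_log.append((now, session.user_id, event))


class FakeClock:
    """Constructed clock for the demo so no real waiting is needed."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo(limit_seconds=INACTIVITY_LIMIT_SECONDS):
    """Same activity pattern under a given limit: one request after 14 minutes idle,
    then another after a further 16 minutes idle. Returns (first_ok, second_ok, events)."""
    clock = FakeClock()
    mgr = SessionManager(inactivity_limit=limit_seconds, clock=clock)
    mgr.login("sess-1", "user.constructed")      # constructed sample session and user
    clock.advance(14 * 60)
    first_ok = mgr.touch("sess-1")
    clock.advance(16 * 60)
    second_ok = mgr.touch("sess-1")
    return first_ok, second_ok, [event for _, _, event in mgr.audit_log]


if __name__ == "__main__":
    print("15-minute limit:", demo(15 * 60))   # (True, False, ['login', 'auto-logoff'])
    print("30-minute limit:", demo(30 * 60))   # (True, True, ['login'])
```

The idle check is made on every request rather than only by the sweeper, so a request arriving after the limit is rejected immediately even if the background pass has not run yet; the sweeper exists for the case where the user simply walks away and no further request ever arrives.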
Encryption/Decryption (A)
- Develop & maintain encryption documentation which describes how the application implements requirements for encrypting/decrypting ePHI at rest
- Encrypt ePHI stored by the application (data at rest) using strong encryption algorithms and key lengths
Audit Controls (R)
- Develop and maintain audit control documentation which describes how the application implements requirements for audit and logging of access to ePHI
- Maintain a log of all activity in the application
Mechanism to Authenticate ePHI (A)
- Develop & maintain documentation which describes how the application implements requirements to protect ePHI from improper alteration or destruction
- Employ encryption technology/integrity-checking controls to detect a change to ePHI made outside the application
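One integrity-checking control of the kind recommended above, as an added example that is not Startel's code: each stored record carries an HMAC-SHA256 tag computed by the application, so a change made directly in the datastore (bypassing the application) no longer matches its tag and is flagged by a periodic scan. The record id is bound into the tag so a correctly tagged row cannot be copied over another record. The record layout, the sample patients and the key are constructed for the demonstration; the assumption that matters is that the key is held somewhere the database host cannot read it, otherwise whoever edits the datastore could simply recompute the tags.

```python
"""HMAC integrity tags over stored ePHI records (added example, not Startel code)."""
import hashlib
import hmac
import json

# Assumption: the key lives in a secrets manager or HSM that the database host
# cannot read; anyone able to edit rows directly must not be able to recompute tags.
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"


def canonical_bytes(record_id, record):
    """Deterministic encoding of (id, record): sorted keys, no whitespace, and the
    record id bound in so a valid row cannot be copied over another patient's row."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return record_id.encode("utf-8") + b"\n" + body.encode("utf-8")


def seal(record_id, record, key):
    """Return the row the application writes: the record plus its integrity tag."""
    tag = hmac.new(key, canonical_bytes(record_id, record), hashlib.sha256).hexdigest()
    return {"id": record_id, "data": record, "tag": tag}


def verify(row, key):
    """True only if the tag matches the current contents of the row (constant-time compare)."""
    expected = hmac.new(key, canonical_bytes(row["id"], row["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, row["tag"])


def scan_store(store, key):
    """Periodic integrity check: ids of rows whose contents no longer match their tag."""
    return sorted(rid for rid, row in store.items() if not verify(row, key))


def demo():
    """Returns (failures before tampering, failures after tampering)."""
    # Constructed sample records; no real patient data.
    store = {
        "pt-1001": seal("pt-1001", {"name": "Sample Patient A", "allergies": "penicillin"}, DEMO_KEY),
        "pt-1002": seal("pt-1002", {"name": "Sample Patient B", "allergies": "none"}, DEMO_KEY),
    }
    before = scan_store(store, DEMO_KEY)

    # Case 1: a field edited directly in the datastore, bypassing the application.
    store["pt-1001"]["data"]["allergies"] = "none"
    # Case 2: a correctly tagged row copied under a different record id.
    store["pt-1003"] = {"id": "pt-1003",
                        "data": store["pt-1002"]["data"],
                        "tag": store["pt-1002"]["tag"]}
    after = scan_store(store, DEMO_KEY)
    return before, after


if __name__ == "__main__":
    print(demo())   # ([], ['pt-1001', 'pt-1003'])
```

A tag proves that the row was last written by something holding the key; it does not stop the write, so the scan result needs to feed an alert and the audit trail rather than sit in a log nobody reads. For confidentiality of the same data at rest, an authenticated encryption mode would give both properties in one step; the tag shown here covers integrity only.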
Person or Entity Authentication (R)
- Develop & maintain encryption documentation which describes how the application implements requirements for verifying that access to ePHI is limited to the one claiming access
- Authenticate each user or entity for each device they are permitted to use to access ePHI
Integrity Controls (A)
- Develop & maintain encryption documentation which describes how the application implements ePHI requirements for integrity of transmission of ePHI
- Employ electronic mechanisms to ensure that ePHI transmitted across networks is not improperly modified without detection until disposed of
Encryption of Transmitted ePHI (A)
- Develop & maintain documentation which describes how the application implements ePHI requirements for encryption of transmitted ePHI
- Encrypt ePHI using strong algorithms & key lengths (SSL/TLS)
- Certificates should be signed by a Certificate Authority, not self-signed
HIPAA SECURITY BEST PRACTICES
SAFEGUARD YOUR ORGANIZATION
- Perform a risk assessment of your environment
- Implement/update IT policies to include HIPAA
- Name a security official
- Ensure user IDs are unique; review user access rights
- Monitor log-ins
- Create/update workforce clearance and termination procedures to ensure they address HIPAA
SAFEGUARD YOUR ORGANIZATION CONT.
- Perform annual training and periodic security updates
- Install protection from malicious software
- Update passwords following HIPAA recommendations
- Implement/update/test BCDR plan
- Issue/Sign BA agreements with CE/BA/sub-contractors
- Create breach notification procedures
WHAT YOU CAN DO TO PROTECT PHI/EPHI
- Lock computer workstation when not at desk
- Lock up portable devices and documents that may contain sensitive information at the end of each work day
- Don’t forward work emails with sensitive info to personal email accounts
- Don’t upload sensitive info to unauthorized websites
WHAT YOU CAN DO TO PROTECT PHI/EPHI CONTINUED
- When traveling, keep equipment in your possession
- Don’t leave documents that contain PHI on printers or fax machines, or on your desk when you are not there
- Dispose of papers containing PHI via secure shredding bin
- When exiting a screen, close out of all systems
SUMMARY
IN CONCLUSION
- Startel & Startel Application Suite have been deemed HIPAA-compliant by Coalfire Systems!
- Reports available for users on Startel Partner Portal
- Reproduction or distribution of the Reports with any non-user (end user included) requires approval from Coalfire and Startel
- For questions regarding Startel’s HIPAA-compliance, contact [email protected]
THANK YOU!
Questions & Answers: all questions are good questions