Upload
medsafe
View
142
Download
1
Embed Size (px)
DESCRIPTION
What exactly is a Security Risk Analysis? Most practices ask, we deliver. This presentation covers all you should be concerned with. Go to www.MedSafe.com for more information!
Citation preview
Why Security Risk Why Security Risk Analysis?Analysis?
MedSafe “The Total Compliance Solution”MedSafe “The Total Compliance Solution”
Presentation OutlinePresentation Outline
HIPAA Security Rule Security Risk Analysis Definition Security Risk Analysis Requirements Security Risk Elements & Implementation
PHI / ePHIPHI / ePHISECURITY REQUIREMENTSSECURITY REQUIREMENTS
as defined under theas defined under theHIPAA Security RuleHIPAA Security Rule
What is ePHI?What is ePHI?
Electronic Protected Health Electronic Protected Health InformationInformation
Personally identifiable electronic protected health information
that is stored, accessed, maintained, retained, destroyed, transmitted, held,
used or disclosed
What is “unsecured” PHI?What is “unsecured” PHI?
Unsecured PHI/ePHI is that Protected Health Information which is
NOT:Rendered unusable, unreadable, indecipherable
to unauthorized individuals
How do I secure PHI/ePHI?How do I secure PHI/ePHI?
Section 13402 of Title XIII of the HITECH Law and the American Recovery and Reinvestment Act of 2009 (ARRA);
Options include use of encryption technologies and proper destruction methods as
defined by HHS.
Once PHI has been de-identified in accordance with the HIPAA Privacy Rule, it is no longer PHI and is
therefore, no longer subject to the HIPAA Privacy and Security Rules.
EncryptionEncryption
Encryption is the process of securing electronic information by transforming it into code
that would render it unreadable, indecipherable and unusable to any unauthorized individual.
Authorized individuals possess a “key code” to decrypt and access the secure information.
Encryption & BreachEncryption & Breach
If secured (encrypted) ePHI were stolen /accessed by an unauthorized individual,
the access would NOT constitute a breach because the individual would not be able
to read the ePHI without a key code.
Examples of ePHI mechanisms that should be secured with encryption: Laptops/EMR Tablets Smart Phones Email Website portals / gateways EMR interfaces, efaxing; eprescribing Back-up tapes / CDs External hard drives / flash drives
HIPAA Security RuleHIPAA Security Rule The final regulation under HIPAA, was published February 20, 2003.
The Security Rule specifies a series of administrative, technical, and physical
security procedures for Covered Entities to use to assure the
confidentiality, integrity, and availability of Protected Health Information (PHI).
Under 45 C.F.R. § 164.302 – Under 45 C.F.R. § 164.302 – 318318
Organizations must identify and implement the most effective and
appropriate administrative, physical, and technical safeguards to secure electronic
protected health information (e-PHI).
The Security Rule identifies Risk Analysis Risk Analysis
as the foundational element in the process of achieving
compliance.
The very first specification in the The very first specification in the HIPAA Security Rule is Risk HIPAA Security Rule is Risk
Analysis:Analysis: “What could happen?”
Hackers broke into the United Nations computer system and hid there for two years.
How do we know someone is not in our hospital computer system?
Risk analysis lays the foundation for next specification in the Security Rule …….
Risk Management.
What do the numbers say?What do the numbers say?
39% of privacy breach incidents on the OCR “Wall of Shame” (breaches of 500 or more
website) have occurred on laptop or mobile devices 88% of exposed records are mobile-media related 60%+ of breaches have a strong malicious
component Business Associates are involved in over half of
breaches Source, J. David Kirby, Former Director, Information Security Office, Duke University Health System
Covered Entities are Covered Entities are requiredrequired to:to:
Evaluate risks and vulnerabilities in their environments
Implement security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI
Risk analysis is the first step in that process.
(45 C.F.R. § 164.308(a)(1)(45 C.F.R. § 164.308(a)(1)
The Security Management Process standard in the Security Rule requires
organizations to“[i]mplement policies and procedures
to prevent, detect, contain, and correct security violations.”
Risk Analysis Requirement Risk Analysis Requirement § 164.308(a)(1)(ii)(A)§ 164.308(a)(1)(ii)(A)
Conducting a risk analysis includesidentifying and implementing
safeguardsthat comply with and carry out the
standards and implementation specifications in the
Security Rule.
OCR RISK ANALYSIS OCR RISK ANALYSIS DirectiveDirective
Per The Office for Civil Rights (OCR):Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the
confidentiality, integrity, and availability of electronic protected health information held
by the [organization].
Vulnerability…definedNational Institute of Standards & Technology (NIST),
US Department of Commerce, Special Publication (SP) 800-30, defines “vulnerability” as:
“[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”
Vulnerabilities expandedVulnerabilities expanded
Vulnerabilities, whether accidental or intentional, could potentially result in a security incident, such as inappropriate access to or disclosure of e-PHI.
Vulnerabilities may be grouped into two general categories, technical and nontechnical. Non-technical vulnerabilities may include ineffective or non-
existent policies, procedures, standards or guidelines. Technical vulnerabilities may include: holes, flaws or
weaknesses in the development of information systems; or incorrectly
implemented and/or configured information systems.
Considerations for Considerations for OrganizationsOrganizations
Determine the most appropriate ways to achieve compliance, taking into consideration:
the characteristics of the organization the physical environment communication methodologies technological infrastructure How ePHI is stored, shared and managed
Security Rule SpecificationsSecurity Rule SpecificationsAddressable v RequiredAddressable v Required
(68FR 8334, 8336 (Feb. 20, 2003).) The Rule contains several implementation specifications that are
labeled “addressable” rather than “required.”
(68 FR 8334, 8336 (Feb. 20, 2003); 45 C.F.R. § 164.306(d)(3).)An “addressable” implementation specification is not “optional”.
The outcome of the risk analysis process is a critical factor in assessing whether implementation of addressable
specifications or equivalent measures are reasonable and appropriate.
Risk AnalysisRisk Analysis
Ongoing Risk Analysis should be performed by a qualified external professional to ensure
objectivityand should include the following steps:
Physical site assessment and personnel interviewing process
Identify technological infrastructure & data management Identify and document privacy & security vulnerabilities Collect documentation as proof of security measures Identify existing security measures, including encryption Implement ongoing plans of corrective action
ARE YOU READY?ARE YOU READY?
KPMG has secured a $9.2 million contract with the Office for Civil Rights (OCR) to conduct
random HIPAA HITECH Audits of Covered Entities.
The audits have already begun.
KPMG says…….KPMG says…….
After wrapping up site visits for the initial 20 compliance audits, the top HIPAA official at KPMG says Covered Entities (CEs) are failing to complete basic tasks, such as conducting a Risk Analysis and distributing a Notice of Privacy Practices.
Who is under the microscope?Who is under the microscope?
OCR contracted the consulting firm, Booz Allen Hamilton, to “identify audit candidates” and “provide background and recommendations” for the audit program.
The first 20 of those audited, were grouped by level of information technology sophistication and by type of entity, with four “levels” or tiers among them.
Of the 20, 10 were providers, eight were health plans and two were clearinghouses.
All Size Covered Entities Were Audited
Tier 1 organizations are the Tier 1 organizations are the largest……largest……
...with “revenues or assets greater than $1
billion,” including health plans, provider organizations and clearinghouses with “extensive use of health information
technology, complicated HIT-enabled clinical and business work streams.”
Tier 2 includes….Tier 2 includes….
…health plans, providers and clearinghouses including hospital systems with 3 to 10 hospitals or regions, and regional insurance companies with assets valued at between $300 million and $1 billion.
Tier 3 includes…Tier 3 includes…
….health plans & providers which could include community hospitals, outpatient surgery centers, pharmacies and “self-insured entities that don’t adjudicate their claims.” With revenues between $50 million and $300 million each, with some, but not extensive use of HIT [and] mostly paper-based workflows.”
Tier 4 includes...Tier 4 includes...
….health plans and providers, described in OCR presentations as provider practices with 10 to 15 providers, and a community or rural pharmacy,
with “little to no use of HIT, almost exclusively paper-based workflows” and “less than $50 million” in revenues.
The audited entities ranged in complexity from single physician practices to complex acute care medical centers
A covered entity can do its best to ensure broad compliance across all aspects of its operations, while the audit team might zero in on one department.
Michael Ebert, national HIPAA services Michael Ebert, national HIPAA services leader for KPMG, which is performing leader for KPMG, which is performing
the audits for OCR, stated…the audits for OCR, stated…
In addressing what covered entities should be doing in light of the audit program, Ebert said: “Do a risk analysis, risk assessment.”
“I’ll tell you now, on everything we do, that’s the biggest weakness we see,” he said.
Ebert added that “People need to understand that safeguarding PHI goes beyond electronic. It goes to paper and oral. So how you set up your ERs, how you set up your consultation area” matter, he said.
Elements of a Risk Analysis Elements of a Risk Analysis include…include…
Analysis of technological infrastructure Internal operations & ePHI management ePHI sharing, interfaces, communication
methodology Existence of policies and procedures Provision of ongoing staff training Identification of ePHI sources & vulnerabilities PHI storage and physical PHI security ePHI preservation and operations Workstation security & internal processes
Compliance ChecklistCompliance Checklist
Implement HIPAA/HITECH Policies & Procedures Conduct Risk Analysis Conduct ongoing employee training Collect documentation of compliance efforts Implement written plans of correction Ensure existence of data security measures Facilitate patient rights under the law
AccountabilityAccountability
Security Risk Analysis establishes accountability. Covered Entities are ultimately responsible for protecting patients’ information they have beenentrusted with. Risk Analysis is an important tool that helps ensurethe privacy and security of the information that CEsHave promised to protect under the Law.
In Summary, Security Risk In Summary, Security Risk Analysis:Analysis:
...is a requirement.
...protects Covered Entities and patients.
...reduces the potential for breach.
...improves quality measures and establishes accountability.
…facilitates CEs’ receipt of CMS EHR Incentives.…establishes ongoing goals.…from an ethical standpoint, is the right thing to do.
MedSafe MedSafe
““The Total Compliance The Total Compliance Solution”Solution”
www.medsafe.comwww.medsafe.com