HIPAA Security Rule
Changes and Impacts
Susan A. Miller, JD
Tony Brooks, CISA, CRISC
HIPAA in a HITECH WORLD
American Health Lawyers Association
March 22, 2013 | Baltimore, MD
Agenda
I. Introduction
II. How the Omnibus Rule Changes Security Requirements
III. Security Rule Risk Analysis
IV. Encryption
V. Responding to a Security Incident/Breach Violation
VI. Social Media Risks
VII. Mobile Device Risks
VIII. Other Things to Consider
IX. What You Need to Do Now
X. Tools
I. Introduction
The Omnibus Rule regulations all have security impacts:
Business Associates must implement all the Security Rule standards and implementation specifications
Subcontractors are now “business associates” and must implement all the Security Rule standards and implementation specifications
Business Associates are directly subject to enforcement of all requirements of the HIPAA Security Rule
The privacy updates for sale of PHI, right of restriction and GINA will require the segregation of “special data” from other ePHI
A breach may be an act or omission involving paper PHI or ePHI
II. Omnibus Rule Security Changes
The HIPAA Security Rule now applies directly to business associates; they must comply with “applicable standards, implementation specifications, and requirements … with requirements to electronic protected health information”
45 C.F.R. §164.302 Applicability
At almost every provision in the Security Rule where it reads ‘covered entity’ it now also reads ‘and/or business associate’!
Business Associate Security Rule Responsibilities
Business Associates are now responsible for:
§164.306 Security standards: General rules
§164.308 Administrative safeguards
§164.308(a)(1)(ii)(A) Risk analysis (Required)
§164.310 Physical safeguards
§164.312 Technical safeguards
§164.314 Organizational requirements
§164.314(a)(1) Standard: Business associate contracts or other arrangements
§164.316 Policies and procedures and documentation requirements
Number of BAs Underestimated?
Estimated costs of the Final Rule, by approximate number of affected entities:
Notices of Privacy Practices: 700,000 covered entities
Breach Notification Requirements: 19,000 covered entities
Business Associate Agreements: 250,000–500,000 business associates of covered entities
Security Rule Compliance by Business Associates: 200,000–400,000 business associates of covered entities
III. Security Rule Risk Analysis
A HIPAA Security Risk Analysis must be performed by every Covered Entity and Business Associate.
Completion of the Risk Analysis is a core requirement to meet Meaningful Use requirements.
Section 164.308(a)(1)(ii)(A) of the HIPAA Security Final Rule states:
RISK ANALYSIS (Required).
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
As required by the HITECH Act, OCR issued Guidance on Risk Analysis Requirements under the HIPAA Security Rule on 07/14/2010
No specific methodology was indicated, but it did describe 9 elements:
Scope of the Analysis
Data Collection (i.e., prepare an EPHI Inventory)
Identify and Document Potential Threats and Vulnerabilities
Assess Current Security Measures
Determine the Likelihood of Threat Occurrence
Determine the Potential Impact of Threat Occurrence
Determine the Level of Risk and List of Mitigating Actions
Finalize Documentation
Periodic Review and Updates to the Risk Analysis
Referenced two NIST documents:
SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-30, Risk Management Guide for IT Systems (Revised September 2011)
Steps to Performing a Risk Analysis
Inventory assets: What do you want to protect and where is it located?
Identify potential threats to those assets: What can cause harm?
Identify vulnerabilities that may allow the identified threats to occur: What puts you at risk for harm?
Identify existing preventative & detective controls designed to mitigate threats: What protects you now?
Identify the likelihood that those threats may occur: How likely is harm to occur?
Identify the potential impact of identified threats should they occur: What harm will result?
Recommend new controls that can further reduce the impact of threats: What do you need to do to reduce your risks?
Calculating Risk
Likelihood
Possibility that a threat will occur that can take advantage of the vulnerability and cause an adverse impact
Level definitions:
High: The threat-source is highly motivated and sufficiently capable, and activity from this threat source is frequent or is imminent.
Medium: The threat-source is motivated and capable, and activity from this threat source is now occurring or has occurred in the past year.
Low: The threat-source lacks motivation or capability, or activity from this threat source occurs infrequently.
Calculating Risk
Vulnerability
Possibility that a threat can create a negative outcome
Level definitions:
High: Controls/safeguards are not sufficient to thwart an attack or mitigate potential damage (i.e., controls are not in place, not up to date, not effectively designed to protect against the threat)
Medium: Controls/safeguards are in place and may thwart or mitigate damage, but the potential for damage does exist (i.e., controls are in place but may not be consistently applied and/or may not be sufficient to completely protect against a highly motivated or powerful threat source).
Low: Controls/safeguards are in place, are working effectively, and have the ability to mitigate damage except from the most determined or powerful threat source.
Calculating Risk
Impact
Measure of the tangible and intangible effects (consequences) of one thing's or entity's action or influence upon another
Level definitions:
High: Exercise of the vulnerability (1) may result in the costly loss of or damage to major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.
Medium: Exercise of the vulnerability (1) may result in the moderate loss of or damage to tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury.
Low: Exercise of the vulnerability (1) may result in the loss of or damage to some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest.
Calculating Risk: Tornado Example
Vulnerability x Likelihood x Impact = Level of Risk
High = 3, Medium = 2, Low = 1
V x L x I = R
2 x 2 x 3 = 12
Calculating Risk
Risk
• The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization
Level and risk response:
High (18 to 27): There is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Medium (7 to 17): Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low (1 to 6): Management must determine whether corrective actions are required or decide to accept the risk.
Risk Mitigation Options
RISK ASSUMPTION
Accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level
RISK AVOIDANCE
Avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions or shut the system down when risks are identified)
RISK LIMITATION
Limit the risk by implementing controls that minimize the adverse impact of a threat exercising a vulnerability (e.g., use preventive/detective controls)
RISK TRANSFERENCE
Transfer the risk by using other options to compensate for the loss, such as purchasing insurance
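The scoring scheme from the preceding slides (V x L x I with High = 3, Medium = 2, Low = 1, and the Low 1-6 / Medium 7-17 / High 18-27 response bands) as a small Python module. This is an added example, not code from the deck or its authors: it scores the deck's tornado example and two constructed laptop scenarios (the before/after encryption ratings are assumptions used to illustrate risk limitation), ranks them for the corrective action plan, and lists which scores the 3x3x3 scale can actually produce.

```python
"""Risk scoring as the deck lays it out:

    Vulnerability x Likelihood x Impact = Level of Risk, with High = 3, Medium = 2, Low = 1,
    and the response bands Low (1 to 6), Medium (7 to 17), High (18 to 27).
"""
from dataclasses import dataclass

# Numeric weights for the three rating levels used by the deck.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Risk response for each band, paraphrased from the deck's "Level / Risk Response" table.
RESPONSES = {
    "High": "Strong need for corrective measures; put a corrective action plan in place as soon as possible.",
    "Medium": "Corrective actions are needed; develop a plan to incorporate them within a reasonable period.",
    "Low": "Management decides whether corrective actions are required or accepts the risk.",
}


@dataclass(frozen=True)
class Scenario:
    """One threat scenario rated on the three factors (each 'Low', 'Medium' or 'High')."""
    name: str
    vulnerability: str
    likelihood: str
    impact: str


def risk_score(vulnerability, likelihood, impact):
    """V x L x I using the deck's weights; raises ValueError on an unknown rating."""
    try:
        return LEVELS[vulnerability] * LEVELS[likelihood] * LEVELS[impact]
    except KeyError as bad:
        raise ValueError(f"unknown rating {bad}; expected Low, Medium or High") from None


def risk_band(score):
    """Map a score to the deck's response bands."""
    if not 1 <= score <= 27:
        raise ValueError(f"score {score} is outside the 1..27 range of the 3x3x3 scale")
    if score >= 18:
        return "High"
    if score >= 7:
        return "Medium"
    return "Low"


def assess(scenario):
    """Score one scenario and attach its band and the required response."""
    score = risk_score(scenario.vulnerability, scenario.likelihood, scenario.impact)
    band = risk_band(score)
    return {"name": scenario.name, "score": score, "band": band, "response": RESPONSES[band]}


def rank(scenarios):
    """Highest-scoring scenarios first, so the corrective action plan starts with them."""
    return sorted((assess(s) for s in scenarios), key=lambda r: r["score"], reverse=True)


def attainable_scores():
    """Every product the 3x3x3 scale can actually produce (helps when reading the bands)."""
    return sorted({v * l * i for v in LEVELS.values() for l in LEVELS.values() for i in LEVELS.values()})


if __name__ == "__main__":
    # The deck's tornado example (V=2, L=2, I=3) plus two constructed laptop scenarios.
    register = [
        Scenario("Tornado damages the data center", "Medium", "Medium", "High"),
        Scenario("Unencrypted laptop lost off-site (constructed)", "High", "High", "High"),
        Scenario("Same laptop after full-disk encryption (constructed)", "Low", "High", "Low"),
    ]
    for r in rank(register):
        print(f"{r['score']:>2}  {r['band']:<6}  {r['name']}: {r['response']}")
```

Because each factor is a whole number from 1 to 3, the only scores the scale can produce are 1, 2, 3, 4, 6, 8, 9, 12, 18 and 27; in practice the Medium band therefore means 8, 9 or 12 and the High band means 18 or 27, which is worth knowing when you set thresholds for the corrective action plan.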
Threat Source: Terminated Employee (calculation)
Threat: Unauthorized access to patient information
Vulnerability (score 3): No formal process is in place to notify the IT department when employees are terminated. Periodic access reviews are not performed.
Likelihood (score 3): Removal of access for terminated employees has not been timely performed
Impact (score 3): PHI is viewed (confidentiality), altered (integrity) or destroyed (availability)
Risk: Disgruntled employee gains unauthorized access to patient information after termination, deleting patient records
Total = 27
Risk Mitigation: IT implements a daily automated program that reads the employee database in the payroll system and automatically removes access to network and application systems for non-active employees
Risk is significantly reduced
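The mitigation above, a daily job that compares the payroll system's employee status with the accounts that still have access and removes access for non-active employees, as an added example that is not the deck's own code. The CSV layout, the account inventory, the employee names and the system names are constructed; a real job would read the payroll export and call each system's provisioning interface where this version works on in-memory lists. It also produces the periodic access review the vulnerability says was missing, and sends accounts with no payroll record to a human rather than silently skipping them.

```python
"""Daily reconciliation of account access against payroll employee status.
All data below is constructed sample data; the column names and record layout
are assumptions, not a real payroll or directory export."""
import csv
import io
from collections import defaultdict

# Constructed payroll export. The job treats any status other than "active" as non-active.
PAYROLL_CSV = """employee_id,name,status,termination_date
E100,Alice Rivera,active,
E101,Bob Chen,terminated,2013-03-01
E102,Carol Diaz,leave,
E103,Dan Okafor,terminated,2013-03-20
"""

# Constructed account inventory from the network directory and a clinical application.
ACCOUNTS = [
    {"system": "network", "account": "arivera", "employee_id": "E100", "enabled": True},
    {"system": "network", "account": "bchen", "employee_id": "E101", "enabled": True},
    {"system": "ehr", "account": "bchen", "employee_id": "E101", "enabled": True},
    {"system": "ehr", "account": "cdiaz", "employee_id": "E102", "enabled": True},
    {"system": "network", "account": "dokafor", "employee_id": "E103", "enabled": False},
    {"system": "ehr", "account": "svc_lab", "employee_id": "", "enabled": True},
]


def load_payroll(text):
    """Index the payroll export by employee_id."""
    return {row["employee_id"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(payroll, accounts):
    """Split enabled accounts into those to disable and those needing human review.

    to_disable: owner exists in payroll but is not active (terminated, on leave, ...).
    to_review:  no payroll record at all (service accounts, contractors, orphans);
                these cannot be auto-disabled safely but must not be silently skipped.
    """
    to_disable, to_review = [], []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled on a previous run
        owner = payroll.get(acct["employee_id"])
        if owner is None:
            to_review.append(acct)
        elif owner["status"] != "active":
            to_disable.append(acct)
    return to_disable, to_review


def apply_disables(accounts, to_disable):
    """Return a new inventory with the selected accounts disabled (the input is not mutated)."""
    targets = {(a["system"], a["account"]) for a in to_disable}
    return [
        dict(a, enabled=False) if (a["system"], a["account"]) in targets else dict(a)
        for a in accounts
    ]


def access_review(payroll, accounts):
    """Periodic access review: every enabled account grouped by owner, with the owner's status."""
    report = defaultdict(list)
    for acct in accounts:
        if acct["enabled"]:
            owner = payroll.get(acct["employee_id"])
            label = f"{owner['name']} ({owner['status']})" if owner else "NO PAYROLL RECORD"
            report[label].append(f"{acct['system']}:{acct['account']}")
    return dict(report)


if __name__ == "__main__":
    payroll = load_payroll(PAYROLL_CSV)
    disable, review = reconcile(payroll, ACCOUNTS)
    for a in disable:
        print(f"disable {a['system']}:{a['account']} (employee {a['employee_id']})")
    for a in review:
        print(f"review  {a['system']}:{a['account']} has no payroll record")
    after = apply_disables(ACCOUNTS, disable)
    print(access_review(payroll, after))
```

Two design points matter for the control to hold up in an audit: the job keys on employee status rather than on a termination date, so employees on leave lose access as well, and the review list is written out every run so that accounts without an owner are tracked instead of being silently left enabled.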
IV. Encryption
Omnibus Rule did not change the Security Rule’s addressable standard regarding encryption
Significant costs associated with a breach of unsecured PHI and the large number of reportable breaches that involved unencrypted PHI make encryption a matter worthy of serious consideration
Encryption is one of the two methods – the other destruction – by which PHI can be rendered unusable, unreadable, or indecipherable (i.e., made “secure”)
45 CFR 164.304 defines encryption as “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.”
Encrypting PHI using technologies and methodologies tested by NIST creates the functional equivalent of a safe harbor, and thus, results in covered entities and business associates not being required to provide the notification otherwise required in the event of a breach
A risk-based approach should be used when encrypting PHI.
Identify all computer systems, portable devices and storage media that contain PHI
Consider the type of encryption solution that will be used:
Whole versus partial disk encryption
File level encryption
Database encryption
Application encryption
Email encryption
Transmission encryption
Many of the breaches listed on the OCR’s breach website involved the loss or theft of portable devices and portable storage media.
Workstations and laptops can be encrypted using free utilities or with commercial solutions that cost as little as $55 a year.
Smartphones and tablets can be encrypted for as little as $36 a year.
Mobile device management software is available at higher cost and provides not only encryption but other valuable features such as forced passwords of a specific configuration, locking after a specified period of inactivity, and the ability to remotely wipe all data from the devices
V. Security Incident/Breach Plan
Parts of a plan:
1. Roles and responsibilities of Incident/Breach Team
2. Policies and Procedures plus any necessary form templates
3. Table of Contact Information
4. Table of Business Associates
5. Log and List of Forms and Templates
6. Test Plan, updated as necessary
7. Communications Plan and Supporting Infrastructure
VI. Social Media Risks
Over 1200 hospitals use social media to build their brand and display thought leadership
Social media includes Facebook, Twitter, LinkedIn, Pinterest, Google+ and specialized apps designed for patient engagement
The primary reason expressed by CEs for not using social media is fear of HIPAA violations and lack of dedicated, qualified staff to create and manage content
Many healthcare entities will adopt social media in 2013 and 2014. The driving factor - a large percentage of consumers use social media to decide where or by whom they will be treated
A successful social media program should involve:
People knowledgeable about social media technology and risks
Inventory of current and proposed uses for social media
Risk assessment that addresses social media platforms and uses
Social media steering committee
Social media strategy
Social media policy that:
Addresses the risks to PHI
Provides clear guidelines about the proper use of the entity’s social media avenues
States prohibitions against employees sharing PHI through their own social media channels
A successful social media program should involve (continued):
Training for employees regarding the appropriate use of social media
Monitoring of the internet and social media sites for potential HIPAA violations (as well as other issues)
A plan to respond to negative situations and security breaches that occur through the use of social media
VII. Mobile Device Risks
A mobile (computing) device is exactly what the name implies – a computing device that is portable
Examples are laptop computers, netbook computers, tablet computers, and smartphones
Mobile devices use a variety of communications technologies including cellular, Wi-Fi, Bluetooth, and Ethernet
Worldwide mobile device annual shipments reached 1.9 billion in 2012 and are expected to reach 2.6 billion in 2016
Mobile devices provide tangible benefits to healthcare entities, including:
Anytime, anywhere access to information, including ePHI
Anytime, anywhere ability to communicate
Improved customer service
Ability to make and accept payments
Ability to take and send photos
Manage logistics
Scan and track inventory
Give presentations
A survey of 792 Canadian family physicians in 2012 showed that 67% of the physicians surveyed used smartphones.
The most popular clinical uses were:
Looking up drug references (58 percent)
Accessing clinical decision-support (50 percent)
Taking notes and memos (43 percent)
Digging into textbook references (38 percent)
Consulting with medical peers (28 percent)
Performing scheduling tasks (17 percent)
E-prescribing (8 percent)
Monitoring patients (6 percent)
Accessing electronic medical records (6 percent)
Ordering lab tests or accessing results (4 percent)
Mobile devices should be protected by passwords, encryption, antivirus software, remote data deletion features, and other security measures
Mobile device management and other software is widely available that can provide these and other security features to protect mobile devices
Secure messaging solutions are also available to encrypt messages sent between mobile devices
Policies and procedures should address the ownership, management, security, appropriate use, and remote data deletion for mobile devices that contain, or might contain, ePHI
VIII. Other Things to Consider
Accounting of Disclosures is still missing! NPRM:
http://www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf
OCR is proposing to revise § 164.528 of the Privacy Rule by dividing it into two separate rights for individuals:
Paragraph (a) would set forth an individual’s right to an accounting of disclosures and
Paragraph (b) would set forth an individual’s right to an access report (which would include electronic access by both workforce members and persons outside the covered entity).
IX. What You Need to Do Now
OCR suggests there are 4 steps in a robust HIPAA Privacy and Security Compliance Plan:
1. Employee training
2. Vigilant implementation of policies and procedures
3. Prompt action
4. Regular internal audits
Ensure PHI in all forms and locations is protected, especially PHI stored on portable devices and media, and stored in systems hosted by 3rd parties and cloud service providers
Ensure that data which has been restricted from disclosure by patients is appropriately categorized and restricted
Ensure that a robust security risk management program is in place and periodic security risk analysis is performed that meets OCR guidelines
Ensure through active oversight activities that business associates have appropriate security and monitoring controls in place and that those controls are effective
Ensure that employees understand latest security threats and risks, how to minimize risks, and know how to recognize and promptly report suspicious activities
Information technology (IT) staff must resist the practice of working in isolation and work with the executive team and operations staff to ensure that risks are effectively managed
Most importantly, it must be clearly conveyed throughout the organization that security is everyone’s responsibility
X. Tools
OCR HIPAA Security Guidance Documents
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
NIST HIPAA Security Toolkit
http://scap.nist.gov/hipaa/
OCR Protocols
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
OCR Protocol PrepBooks samples at
http://www.malverngroup.com/Publications.html
Security Incident/Breach Plan sample at
http://www.malverngroup.com/Publications.html
HIPAA Policy and Procedure Templates, free for download:
http://www.malverngroup.com/Webinars.html
WEDI Security and Privacy Work Group (SPWG) White Papers and Presentations
http://wedi.org/workgroups/security-privacy
NIST HIPAA Toolkit
ONLY HIPAA Security!
Questions = NIST SP 800-66 & SP 800-53
User Guide
Download from NIST at http://scap.nist.gov/hipaa/
Available for Microsoft Windows, Red Hat Enterprise Linux and Apple Mac OS
Both Standard + Enterprise versions
Create a Profile (questions are organized by safeguard family)
Explore the Application Interface: navigation menu, selected question, references, responses, attachments, flag level, progress bar, comments
Generate Reports
The Value of the Toolkit
Prompts consideration of risks
Suggests safeguards/controls
Provides documentation repository
Go-to reference for audits
NIST: “it is not a compliance tool!”
THANK YOU!
Sue Miller, JD
[email protected] Office: (978) 369-2092 Mobile: (978) 505-5660
Tony Brooks, CISA, CRISC [email protected] Office: (601) 326-1281 Mobile: (601) 942-2508