115th Annual Convention


Date:

Saturday, October 12, 2013

Time:

11:00 am – 12:00 pm

Location:

The Walt Disney World Swan and Dolphin Resort, Southern Hemisphere Salon 4-5

Title:

Data Security and New Issues for HIPAA Compliance

ACPE # 207-000-13-104-L04-P

0.1 CEUs

ACPE # 207-000-13-104-L04-T

Activity Type:

Knowledge-based

Speaker:

Harry Lattanzio, RPh, President, PRS Pharmacy Services

Mark Wayne, Executive Vice President, ANXeBusiness Corp

Pharmacist Learning Objectives:

Upon completion of this activity, participants will be able to:

1. Discuss PCI compliance and steps a business might have to take after discovering a breach of credit card data security.

2. Discuss changes to patient privacy and health data security in the HIPAA Omnibus rules.

Technician Learning Objectives:

Upon completion of this activity, participants will be able to:

1. Discuss PCI compliance and steps a business might have to take after discovering a breach of credit card data security.

2. Discuss changes to patient privacy and health data security in the HIPAA Omnibus rules.

Disclosures:

Harry Lattanzio is the President of PRS Pharmacy Services. The conflict of interest was resolved by peer review of the slide content.

Mark Wayne is the Executive Vice President of ANXeBusiness Corp. The conflict of interest was resolved by peer review of the slide content.

NCPA’s education staff declares no conflicts of interest or financial interest in any product or service mentioned in this program, including grants, employment, gifts, stock holdings, and honoraria.

The PCI Compliance Opportunity

Mark A. Wayne
Executive Vice President, Risk and Compliance

Disclosure

Mark Wayne is the Executive Vice President of ANXeBusiness Corp. The conflict of interest was resolved by peer review of the slide content.

Learning Objective

Discuss PCI compliance and steps a business might have to take after discovering a breach of credit card data security.

WHAT IS PCI?

Q: What is PCI?

A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. In practice that means any merchant that has a Merchant ID (MID).

Q: To whom does PCI apply?

A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.

PCI compliance is a requirement for all merchants accepting cards.

PCI ECOSYSTEM

PCI SSC – Independent standards body providing oversight on the development and management of PCI standards.

Founding Acceptance Brand Members – AMEX, Discover, VISA, JCB and MasterCard.

Standards

PCI PTS – covers tamper detection, cryptographic processing and mechanisms to protect the PIN. Requirements apply to POS hardware and devices.

PA-DSS – applies to third-party payment applications.

PCI DSS – applies to any entity that stores, processes, or transmits cardholder data.

PCI TERMINOLOGY 101

Cardholder – Customer purchasing goods, either as a card-present or a card-not-present transaction. The person who receives the payment card and the bills from the issuer.

Issuer – Bank or other organization issuing a payment card on behalf of a payment brand such as VISA, or a payment brand issuing a payment card directly, such as AMEX.

Merchant – Organization accepting the payment card for payment during a purchase.

PCI TERMINOLOGY 101

Acquirer – Bank or entity the merchant uses to process their payment card transactions.

Receives authorization requests from the Merchant and forwards them to the Issuer for approval.

Provides authorization, clearing and settlement services to the Merchant.

Also called – Merchant Bank, ISO, Payment Brand (NEVER VISA or MasterCard).

Responsible for merchant compliance – ensures that their merchants understand PCI DSS compliance requirements and tracks their efforts. Manages merchant communications.

Works with merchants until full compliance has been validated. Merchants are not compliant until all requirements have been met and validated. The Acquirer is responsible for providing Merchant compliance status to the payment brands.

Incurs any liability that may result from non-compliance with payment brand compliance programs.

MERCHANT ACCOUNTABILITY

TIMING IS OF THE ESSENCE

Merchants are being held accountable.

GENERAL MERCHANT PCI REQUIREMENTS BY LEVEL

Level 1 – Any merchant processing more than 6 million transactions per year.
On-site security audit: required annually. Network vulnerability scan: required quarterly.

Level 2 – Any merchant processing 1 to 6 million transactions per year.
Self-assessment questionnaire: required annually. Network vulnerability scan: required quarterly.

Level 3 – Any merchant processing 20,000 to 1 million transactions per year.
Self-assessment questionnaire: required annually. Network vulnerability scan: required quarterly.

Level 4 – All other merchants, not in Levels 1, 2 or 3.
Self-assessment questionnaire: required annually. Network vulnerability scan: required quarterly.

PCI DSS – MERCHANT REQUIREMENTS

PCI DSS Requirement / Specific Actions Required – the “Digital Dozen”

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

LEVEL 2-4 SAQ REQUIREMENTS

Requirements vary by SAQ type.

SAQ A – Card not present (on-line only). Secondary criteria: no previous breaches. Interval: annual. Work effort: minimal (13 questions).

SAQ B – Connected via phone line or “knuckle-buster” (manual imprint machine). Secondary criteria: no previous breaches. Interval: annual. Work effort: reasonable (31 questions).

SAQ C – Connected via Internet. Secondary criteria: no previous breaches, segmented network, no stored credit cards. Interval: annual. Work effort: challenging (82 questions).

SAQ C-VT – Only web-based (virtual) terminals. Secondary criteria: no previous breaches, segmented network, no stored credit cards. Interval: annual. Work effort: challenging (82 questions).

SAQ D – POS connected via Internet; all other merchants and all service providers. Interval: annual. Work effort: exhausting (291 questions).

SAQ P2PE – Point-to-point encryption (end-to-end encrypted POS). Interval: annual. Work effort: under construction at the time of this presentation.
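Requirement 3 of the Digital Dozen (“Protect stored cardholder data”) and the “no stored credit cards” criterion for SAQ C and C-VT both assume a merchant can find out whether full card numbers are sitting in logs, exports or databases. The scanner below is an added example written for this page; it is not part of the presentation and is not ANXeBusiness or PCI SSC material. It treats any Luhn-valid run of 13 to 19 digits (optionally grouped with spaces or dashes) as a primary account number and masks it to the first six and last four digits. The sample log lines are constructed; the two valid card numbers in them are publicly documented test numbers, and the pattern, length bounds and function names are my assumptions rather than anything the handout specifies.

```python
"""Added example for this page (not from the presentation, ANXeBusiness or the
PCI SSC): find Luhn-valid primary account numbers (PANs) in text and mask them.

Assumptions (mine, not the handout's): a PAN candidate is a 13-19 digit run,
optionally grouped with single spaces or dashes; masking keeps the first six
and last four digits, the most PCI DSS lets a display show."""

from __future__ import annotations

import re
from dataclasses import dataclass

# A digit run of 13-19 digits; each digit may be followed by one space or dash.
# The lookarounds stop a longer digit run from being cut down into a "PAN".
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEPARATORS = re.compile(r"[ -]")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn (ISO/IEC 7812) check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, replace the rest with '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    masked: str      # never keep the full PAN in a report about PAN leakage


def scan_text(text: str) -> list[Finding]:
    """Report every Luhn-valid PAN candidate, by line, in masked form."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = SEPARATORS.sub("", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(line_no, mask_pan(digits)))
    return findings


def redact_text(text: str) -> str:
    """Return the text with every Luhn-valid PAN candidate masked in place."""
    def _mask(m: re.Match) -> str:
        digits = SEPARATORS.sub("", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_mask, text)


# Constructed sample log. The first two card numbers are publicly documented
# test PANs (Luhn-valid); the third fails Luhn; the phone number is too short.
SAMPLE_LOG = """\
2013-10-12 11:02:17 pos01 sale approved card=4111111111111111 amt=42.10
2013-10-12 11:03:44 pos01 sale approved card=5500 0000 0000 0004 amt=9.99
2013-10-12 11:05:02 pos02 sale declined card=4111111111111112 amt=13.00
2013-10-12 11:06:30 web   callback phone=5551234567 order=88213
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.masked}")
    print(redact_text(SAMPLE_LOG))
```

Run it over exported log files or database dumps before attesting “no stored credit cards”. The Luhn check is what keeps timestamps, order numbers and phone numbers out of the report, but it is a filter, not a proof: a clean scan only shows that nothing matched this pattern in plain text, so compressed archives, binary formats and encoded fields need their own handling. Masking to first six/last four is the most PCI DSS allows to be displayed; any PAN that genuinely has to be retained still has to be truncated, hashed, tokenized or encrypted at rest.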

DEFINING THE MARKET PROBLEM

THE EFFECTS OF CREDIT CARD BREACH ON RETAIL BUSINESS ARE DAUNTING

$80k is the average direct cost of a data breach.

70% of breached businesses are out of business within one year of the attack.

1 in 6 small businesses will suffer a credit card breach in the next 24 months.

98% of breaches originate from organized criminal groups.

210 is the average number of days between intrusion and detection.

HOW IS THIS HAPPENING? AM I AT RISK?

Key security gaps are exploited by cybercriminals:

Outdated firewalls
Insecure remote access
Weak security configurations
Operating system flaws
Lack of staff training
Flawed security policies
Negligence
Poor change control procedures

THE BOTTOM LINE ON PCI COMPLIANCE

96% of breached businesses were not PCI compliant

Many myths about PCI compliance

• “It doesn’t apply to my business”

• “I’m already PCI compliant”

• “I have a firewall in place so I’m compliant”

• “My (fill in the blank) has me covered”

PCI DSS is solely the responsibility of the merchant

• If merchant can’t demonstrate compliance, they cover breach costs.

• If merchant can demonstrate compliance, bank covers breach costs.

If you cannot answer yes to the three questions below, you are NOT PCI compliant:

1. Have all cashiers completed a PCI certified training program upon hire and annually thereafter?

2. Have all employees read and signed a formal security policy?

3. Does all remote access from you, your employees or vendors incorporate 2-factor authentication?

WHAT HAPPENS IF I AM BREACHED?

1. Stop taking credit cards
2. Initiate a forensic audit
3. Implement remediation actions

Mark A. Wayne

EVP – Risk and

Compliance

waynem@anx.com

direct: 248.447.4050

Changes to HIPAA in 2013

Harry Lattanzio, RPh, President
PRS Pharmacy Services

Disclosure

Harry Lattanzio is the President of PRS Pharmacy Services. The conflict of interest was resolved by peer review of the slide content.

Learning Objective

Discuss changes to patient privacy and health data security in the HIPAA Omnibus rules.
The Two Major Changes

The Final Omnibus HIPAA Rules

Permanent Audit Program

Omnibus HIPAA

Notice of Privacy Practices
Access to Records
Additional Restrictions
Immunization
Authorizations
Deceased
Business Associate

Notice of Privacy Practices

Notice of Privacy Practices edits:

Add a statement as to when an Authorization will be required.

Add an opt-out statement to any Fundraising section you have.

Access to Records (Timeframe)

Access to records must be given within 30 days, whether onsite or offsite.

Still permitted to extend by 30 days if the patient is notified in writing.

Access to Records (Electronic)

Must provide access in the electronic form requested if your computer system can accommodate it.

Additional Restrictions

You must accept restrictions on disclosing PHI to health plans if the patient pays out of pocket, unless the disclosure is otherwise

Immunization

May disclose an immunization record to a school, as required by law, at the verbal request of the patient, parent or guardian. Just make sure you document the disclosure.

Authorizations

Authorizations are required for:

Selling of PHI, unless it is the selling of your business.

Marketing, unless face to face. Must disclose if remuneration will be received by the pharmacy for the marketing.

Deceased

Must protect the PHI of the deceased for up to 50 years if maintained.

You may still destroy PHI of the deceased after 6 years (or as required by your state, if longer).

Business Associates

Business Associates are now going to be held accountable for various aspects of HIPAA, including:

Security Rule
Breach Notification Rule
Must have Business Associate Agreements with their own subcontractors

Business Associates

New Business Associate Agreements (BAA) as of March 23, 2013.

BAAs in place prior to March 23, 2013 are good until they expire or September 22, 2014 (whichever comes first).

Template can be found at

HIPAA Compliance Review (Audits)

Mandated by Congress in The American Recovery and Reinvestment Act of 2009 (ARRA).

A Pilot Audit Program to gauge overall compliance was performed by KPMG LLP in late 2011 and throughout 2012.

HIPAA Compliance Review (Audits)

Because of the findings of the Pilot Audit Program that have been released so far, the permanent audit program will be more impactful than the Final Omnibus rules.

115 covered entities were audited.

61 were health care providers of all sizes.

Only 2 of the health care providers were compliant.

Pilot Audit Findings Released so Far

Issues by area: 60% Security Rule, 30% Privacy Rule.

By Security Rule

Risk Analysis and Management Plans
Access Management
Security Incident Procedures
Contingency Planning and Backups
Audit Controls

By Privacy Rule

Business Associate Agreements
Identity Verification
Minimum Necessary
Authorizations
Deceased
Personal Representatives

By Breach Notification

Notification to Individual
Timeliness of Notification

In Closing

If these findings in the Pilot Audit Program hold to be true, now would be an excellent time to create, review, and/or edit your existing HIPAA
