New privacy and security requirements increase potential legal liability—and jeopardize brand reputation.
Protect personal health information in motion, in use and at rest with HP access,
authentication, authorization and audit solutions.
Executive summary
According to a 2008 study by the Ponemon Institute, an independent research firm for privacy, data-protection and data-security technologies, the healthcare industry is among the top three industries most frequently victimized by data breaches.[1] Healthcare entities have largely ignored the Health Insurance Portability and Accountability Act (HIPAA) and the associated security framework necessary to safeguard protected health information (PHI). But the newly implemented HITECH Act gives HIPAA new life. The Act emphasizes accountability, raises breach response costs and increases penalties for data breach to as high as $1.5 million. Not only can a data breach carry huge medical and financial risks to the people whose data is lost—it can also severely damage a healthcare entity’s brand.
Many organizations think that traditional IT security and compliance are sufficient safety measures for PHI. However, a recent study by PricewaterhouseCoopers[2] found that only 5 percent of data breaches are caused by malicious cyber attacks, almost 55 percent are linked to human error and 44 percent are due to third-party handling of data. The study also revealed that 70 percent of all organizations do not have an accurate inventory of where personally identifiable information (PII) in their custody is stored. With the complex web of organizations involved in providing healthcare services, this is a critical issue for the healthcare industry.
HIPAA and the HITECH Act
In 2009, the new Health Information Technology for Economic and Clinical Health (HITECH) Act took effect. HITECH requires healthcare organizations to take more responsibility for protecting patient records and health information. The Act widens the scope of privacy and security protections available under HIPAA, increases potential legal liability for non-compliance and provides more enforcement of HIPAA rules. The HITECH Act seeks to streamline healthcare and reduce costs through the use of health information technology, including the adoption of electronic health records.
Risks of PHI data breach
A protected health information (PHI) data breach is any unauthorized use, access or disclosure of PHI that violates the HIPAA Privacy Rule and poses significant financial, reputational or other harmful risks to an individual.
The Department of Health and Human Services (HHS) provides three steps for determining whether a breach has occurred:
• Determine whether there has been an impermissible use or disclosure of PHI under the Privacy Rule.
• Determine and document whether the impermissible use or disclosure compromises the security or privacy of the PHI in a manner that poses a significant financial, reputational or other harmful risk to the individual.
• Determine whether the incident falls under one of the exceptions to the breach definition.[4]
HHS has also provided a number of considerations to help determine the risk involved. In a risk assessment, covered entities (CEs) will need to answer the following questions:
• Was the information safeguarded by encryption?
• Who impermissibly used the information, and to whom was it impermissibly disclosed?
• What immediate steps were taken to mitigate the impermissible use or disclosure?
• Was the disclosed PHI returned prior to being accessed?
• What type and amount of PHI was involved in the disclosure?
• What is the risk of re-identification of PHI contained in a limited data set?
Identity theft
The latest statistics provided by the Identity Theft Resource Center (ITRC) reveal that 2009 was a bad year for data security: 498 paper and electronic breaches, potentially affecting more than 223 million records, were reported. The ITRC categorizes these breaches as follows:
• 41.8 percent from general businesses
• 18.1 percent from government/military agencies
• 15.7 percent from educational institutions
• 13.1 percent from healthcare facilities and companies
• 11.4 percent from banking, credit and financial services
The latest statistics provided by the ITRC include data up to early April 2010 and show that this could be the worst year yet for data security. Already 211 paper and electronic breaches, potentially affecting more than six million records, were reported. The ITRC categorizes these breaches as follows:
• 41.8 percent from general businesses
• 26.1 percent from healthcare facilities and companies
• 15.6 percent from government/military agencies
• 12.3 percent from banking, credit and financial services
• 8.5 percent from educational institutions
Recent data breaches[3]
• Five hundred thousand patient records were stolen from a Virginia drug prescription database in May 2009.
• The University of California reported that a hacker gained access to 160,000 patient records.
• Ninety-seven confirmed breaches were reported in 2008, up from 64 in 2007, according to the Identity Theft Resource Center.
• California reported 823 notifications of unauthorized access and viewing of patient data.
• Kaiser Permanente’s Bellflower hospital—where Nadya Suleman’s octuplets were born—was fined $187,500 for failing to protect their medical privacy.
• CalOptima, a Medicaid managed care plan serving 360,000 recipients in Orange County, California, lost claims data along with substantial identifying information on 68,000 members.
Technology and security
To keep technology and security working hand in hand, HHS released strict new rules for notification in the case of a PHI data breach. The Security Rule under HIPAA sets up a methodology that permits appropriate access yet protects electronic PHI from unauthorized viewing.
Security is defined as having controls, countermeasures and procedures in place to ensure the appropriate protection of information assets and to control access to PHI. Confidentiality, integrity and availability of electronic protected health information (e-PHI) are the core principles of security, and CEs must protect each. Transmissions of PHI over the Internet, extranets, leased lines, dial-up lines, analog fax lines and private networks are all included.
The security management process refers to the creation, administration and oversight of policies to address the full range of security issues and to enable the prevention, detection, containment and correction of security violations. This process also includes the establishment of accountability, policies and education, electronic controls, physical security, and penalties for abuse and misuse of PHI. These are mandatory: healthcare payers, providers and business associates must meet the specification regardless of individual circumstances.
The HIPAA Administrative Simplification Title is the launch pad for e-security initiatives, and includes three main areas for compliance: administrative safeguards, physical safeguards and technical safeguards. Some of the implementation specifications are labeled “required” in the following charts. Others are scalable, based on the individual needs and practices of the entity, and are labeled “addressable.” Each organization must decide whether an addressable specification is reasonable and appropriate for its own particular security framework. This decision depends on a variety of factors, such as the organization’s risk analysis, risk mitigation strategy, security measures already in place, and the cost of implementation.
Administrative safeguards
Administrative safeguards are administrative actions, policies and procedures put in place to manage the selection, development, implementation and maintenance of security measures to protect e-PHI, and to manage the conduct of the provider. These safeguards mandate the development and implementation of policies and procedures that are focused on reasonable and appropriate access to, and protection of, e-PHI. The CIO and information systems department need to be involved in this effort, but this is not just an IT issue: these policies and procedures should be part of an organization’s overall business practice.
Physical safeguards
Physical safeguards are the physical measures, policies and procedures put in place to protect a CE’s electronic information system and the related buildings and equipment from unauthorized intrusion. The Centers for Medicare and Medicaid Services (CMS) has recently ruled that both workstation use and workstation security are now required, meaning that measures to control physical access and to log access are necessary. Network-attached printers and multifunction devices that contain hard disk drives, have access to PHI, and run software that allows PHI to be accessed and modified have expanded the scope: these devices must now be included in security access controls and in device and media control security solutions.
Technical safeguards
Technical safeguards cover technology and any policies and procedures for its use that protect electronic health information. Audit controls have recently been updated to include mandatory requirements to monitor, record and examine information systems activity that contains or uses electronic protected health information. These technical safeguards are implemented almost entirely by the software package(s) that a provider uses. Implementation specifications must be compared with features and functionality of the software.
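The audit-control requirement described above (monitor, record and examine activity involving e-PHI), the "Information system activity review" specification of the administrative safeguards, and the "unique user identification" specification of the technical safeguards are easier to reason about with a concrete artifact in hand. The following is an added example, not code from HP, HHS or this paper: a minimal append-only access log for e-PHI in which each record is HMAC-chained to the previous one (so later edits or deletions are detectable on review), plus a review routine that flags accesses outside a user's authorized patient list and bulk access by a single user. The audit key, the user and patient identifiers, the sample records and the bulk threshold are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import json

# Constructed key for this example only. In a real deployment the audit key lives
# with the audit service (HSM or key-management system), never beside the application.
AUDIT_KEY = b"example-audit-key-not-for-production"


def _entry_digest(prev_digest: str, entry: dict) -> str:
    """HMAC over the previous record's digest plus the canonical JSON of this entry.

    Chaining every record to its predecessor means that altering or deleting an
    earlier record invalidates every digest that follows it."""
    payload = json.dumps(entry, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, prev_digest.encode() + payload, hashlib.sha256).hexdigest()


class PhiAuditLog:
    """Append-only record of accesses to e-PHI (the audit-controls safeguard)."""

    GENESIS = "genesis"

    def __init__(self):
        self.records = []
        self._last = self.GENESIS

    def record(self, user_id, patient_id, action, purpose, when):
        # Every entry names an individual user (unique user identification), never a
        # shared account, so the review below can attribute each access to a person.
        entry = {"user": user_id, "patient": patient_id, "action": action,
                 "purpose": purpose, "time": when}
        digest = _entry_digest(self._last, entry)
        self.records.append({"entry": entry, "prev": self._last, "digest": digest})
        self._last = digest
        return digest

    def first_broken_index(self):
        """Re-walk the chain and return the index of the first record whose link or
        digest no longer matches, or -1 if the log is intact."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or _entry_digest(prev, rec["entry"]) != rec["digest"]:
                return i
            prev = rec["digest"]
        return -1


def review_activity(log, authorized, bulk_threshold=3):
    """Information system activity review over the log.

    Flags (a) any access to a patient the user is not authorized for, and
    (b) any user touching at least `bulk_threshold` distinct patients, which merits
    a human look even when each individual access was permitted."""
    findings = []
    patients_by_user = {}
    for rec in log.records:
        e = rec["entry"]
        if e["patient"] not in authorized.get(e["user"], set()):
            findings.append(("unauthorized", e["user"], e["patient"]))
        patients_by_user.setdefault(e["user"], set()).add(e["patient"])
    for user, patients in patients_by_user.items():
        if len(patients) >= bulk_threshold:
            findings.append(("bulk", user, len(patients)))
    return findings


def sample_log():
    """Constructed sample data: a nurse working her own ward and a clerk who exports a
    record outside their billing assignment. All identifiers are made up."""
    log = PhiAuditLog()
    log.record("nurse01", "P-1001", "view", "treatment", "2010-05-03T08:02:00Z")
    log.record("nurse01", "P-1002", "view", "treatment", "2010-05-03T08:10:00Z")
    log.record("nurse01", "P-1003", "update", "treatment", "2010-05-03T08:15:00Z")
    log.record("clerk07", "P-1001", "view", "billing", "2010-05-03T09:30:00Z")
    log.record("clerk07", "P-2999", "export", "unknown", "2010-05-03T23:41:00Z")
    authorized = {"nurse01": {"P-1001", "P-1002", "P-1003"}, "clerk07": {"P-1001"}}
    return log, authorized


if __name__ == "__main__":
    log, authorized = sample_log()
    print("log intact:", log.first_broken_index() == -1)
    for finding in review_activity(log, authorized):
        print(finding)
    # Simulate an after-the-fact edit of an earlier record: the chain breaks there.
    log.records[1]["entry"]["patient"] = "P-9999"
    print("first broken record:", log.first_broken_index())
```

The chain only proves integrity relative to the last digest the reviewer trusts, so in practice the latest digest is periodically copied somewhere the application cannot write (a separate log server or a printed daily anchor). The "bulk" heuristic is deliberately simple; a real review would also compare each user's access pattern against their role and shift.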
Figure 1. HIPAA security standards matrix: administrative safeguards
Standard (section): implementation specifications; (R) = Required, (A) = Addressable
Security management process (164.308(a)(1)): Risk analysis (R); Risk management (R); Sanction policy (R); Information system activity review (R)
Assigned security responsibility (164.308(a)(2))
Workforce security (164.308(a)(3)): Authorization and/or supervision (A); Workforce clearance procedure (A); Termination procedures (A)
Information access management (164.308(a)(4)): Isolating healthcare clearinghouse functions (R); Access authorization (A); Access establishment and modification (A)
Security awareness and training (164.308(a)(5)): Security reminders (A); Protection from malicious software (A); Log-in monitoring (A); Password management (A)
Security incident procedures (164.308(a)(6)): Response and reporting (R)
Contingency plan (164.308(a)(7)): Data backup plan (R); Disaster recovery plan (R); Emergency mode operation plan (R); Testing and revision procedures (A); Applications and data criticality analysis (A)
Evaluation (164.308(a)(8))
Business associate contracts
Figure 2. HIPAA security standards matrix: physical safeguards
Standard (section): implementation specifications; (R) = Required, (A) = Addressable
Facility access controls (164.310(a)(1)): Contingency operations (A); Facility security plan (A); Access control and validation procedures (A); Maintenance records (A)
Workstation use (164.310(b))
Workstation security (164.310(c))
Device and media controls (164.310(d)(1)): Disposal (R); Media re-use (R); Accountability (A)
When a breach occurs
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational or other harm to the affected individual. Consequences of a breach:
• CEs and business associates can receive fines of up to $1.5 million where “willful neglect” is determined or no security strategy is in place.
• The CE will be listed on an HHS website.
• State attorneys general can sue if more than 500 patients are involved in the breach.
• The CE must notify patients and, in many cases, pay for a one-year subscription to a credit monitoring service.
Avoiding the risks of a breach
Security and risk professionals in healthcare organizations realize that many basic, common-sense rules for ensuring the confidentiality, integrity and availability of information assets remain the same. The implementation may vary by industry, geography and the size of the company, but the principles do not change.
Forrester recommends that the healthcare industry apply these proven principles in its own context to ensure security, privacy and compliance for its information assets:
• Develop a systematic and rigorous security plan.
• Classify data: public, restricted, confidential and secret.
• Track disclosures.
• Log access to PHI (protected health information).
• Encrypt data on hard disk drives (HDDs), and erase drives to NIST 800-88/DoD standards when they are disposed of.
• Focus on all networked devices and devices containing HDDs.
State-by-state implementation
In California, covered healthcare entities and business associates will have the challenge of complying with the HHS Rules for HITECH as well as the strict state laws regarding data breach notification. Since HITECH is not pre-emptive, an organization is required to comply with both state and federal laws. On September 30, 2008, California also passed Senate Bill No. 541. As of January 1, 2009, this bill requires entities in California to report unauthorized access to patient PII, whether intentional or unintentional. Since January 1, 2009, more than 800 health record breaches have occurred in California. More than 122 of these violations have been investigated and 116 are confirmed as health record breaches. Organizations have five days to notify an individual once the health record breach has been discovered. They also have ten days to submit a correction plan that will prevent future violations. If an organization fails to report the breach, it is subject to a fine of up to $250,000.
HP IPG solutions
HP Secure Intranet Cloud Print for Electronic Medical Records (EMR) is a software platform providing secure and assured delivery of EMR documents and other healthcare business-critical information throughout the healthcare enterprise. It provides:
• Lower IT support costs and improved customer satisfaction:
− Organizations that deploy HP Output Management experience a dramatic reduction in their printing support calls, and higher end-user satisfaction. In many cases, IT departments can reallocate those support resources to other areas of the business.
• Secure and reliable delivery:
− Immediate alerts of output failures enabling corrective action, minimizing disruptions in patient care related to EMR output
− Automatic delivery retries and secure, audited re-routing, including job checkpointing
− Centralized secure output management enabling simplified management of the entire output infrastructure from the desktop to the data center
− Improved help desk support capabilities without compromising patient data
− Encrypted data from server to the device
− Secure printing capabilities
• Redundant and failover delivery processes
• Hard drive encryption
• Scalable to virtually any output volume
• Accurate error detection to minimize troubleshooting effort
• Follow-me printing: an access card is required to authenticate at the device
• Standards-based (SOA) programming integration with external applications based on XML, SOAP and WSDL technologies
Figure 3. HIPAA security standards matrix: technical safeguards
Standard (section): implementation specifications; (R) = Required, (A) = Addressable
Access control (164.312(a)(1)): Unique user identification (R); Emergency access procedure (R); Automatic log-off (A); Encryption and decryption (A)
Audit controls (164.312(b))
Integrity (164.312(c)(1)): Mechanism to authenticate electronic protected health information (A)
Person or entity authentication (164.312(d))
Transmission security (164.312(e)(1)): Integrity controls (A)
Why HP?
HP is recognized as the global leader in imaging and printing solutions for large organizations. HP offers technical expertise, and reliable products and solution sets that allow customers to benefit from:
• Consulting services, including procurement, installation, management and support, that can be customized to enhance your organization’s effectiveness
• Relationships with industry-leading solution providers
• Powerful solutions to optimize your environment, improve the bottom line and help the planet
How do you get started?
Contact your local HP representative to:
• Set up a workshop with HP to assess your specific business needs.
• Establish a plan to implement the best solution for today and into the future.
• Identify an environmental approach that can help your company save money.
To learn more, contact your HP sales representative or visit www.hp.com/security.
HP three-part approach
HP works with you to assess, deploy and manage an imaging and printing environment tailored to meet your business needs, while helping you reduce costs, conserve resources and simplify document-intensive processes.
• Optimize infrastructure: HP can help you achieve a balance between your total cost of printing and your needs for user convenience and productivity.
• Manage environment: Working together, HP can help you maintain your optimized infrastructure while improving business efficiency and tightening security.
• Improve workflow: By streamlining your document-intensive processes, HP can help you deliver a more efficient environment for capturing, managing and sharing information.
© Copyright 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
4AA1-4056ENW, May 2010
[1] Source: Security of Paper Documents in the Workplace; Ponemon Institute LLC, October 15, 2008.
[2] Source: http://www.idexpertscorp.com/newsstories/?articleid=254 (accessed April 26, 2010).
[3] Source: http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List.shtml# (accessed April 26, 2010).
[4] Source: Health Care ADVISORY, a review of the HHS ruling by Alston+Bird LLP, see 3, August 24, 2009.