
CHARTERED BY THE MICHIGAN HEALTH INFORMATION NETWORK SHARED SERVICES

Health Information & Cyber Security In Michigan

Final Recommendations for the HIT Commission

First Quarter 2013

This white paper outlines high level security and privacy related recommendations to the State of Michigan’s Health Information Technology Commission by national and regional experts to ensure that the people in Michigan can remain confident that their health information is protected and accessed appropriately when shared electronically.


February 15, 2013 Page 2 of 11 Copyright © 2012-2013 Michigan Health Information Network Shared Services

Table of Contents

1. INTRODUCTION & PURPOSE ... 3

The Necessity of Health Information Sharing ... 3

Growing Privacy and Security Concerns ... 3

2. OPPORTUNITY FOR PROACTIVE ACTION ... 3

3. STATUTORY AREAS ... 4

Limitation of Liability... 4

3.1. Limitation of Liability Recommendations ... 4

Addressing Violations ... 4

3.2. Addressing Violations Recommendations ... 5

4. ROLE OF INSURANCE IN FACILITATING BEST PRACTICE ADOPTION ... 5

Cyber Liability Insurance ... 5

4.1. Cyber Liability Recommendations ... 5

5. SECURITY AWARENESS & EDUCATION AREAS ... 6

5.1. Security Baseline Recommendations ... 6

5.2. Training and Education Recommendations ... 6

5.3. Risk Assessment and Mitigation Recommendations ... 7

5.4. Insurance Protection Recommendations ... 7

6. HEALTH INFORMATION SHARING & IDENTITY MANAGEMENT ... 8

6.1. Assurance Level Recommendations ... 8

6.2. Identity Management Infrastructure Recommendations ... 8

6.3. Identity Trust Federation Recommendations ... 9

7. CHARTERING WORKING GROUPS & TIMELINE ... 9

7.1 Chartering Additional Workgroups Recommendations ... 10

8. FEEDBACK & HOW TO GET INVOLVED ... 10


1. INTRODUCTION & PURPOSE

The Necessity of Health Information Sharing

The capability to share health information among providers involved in the transitions of care and with patients and their families has been shown to improve patient outcomes and safety and reduce costs. In order to support these new types of care delivery Michigan has made great progress in the adoption of electronic health records, the promotion of health information exchange, and the increased utilization of other types of health information technology (HIT) such as the use of registries or electronic prescribing. These exciting forms of health information sharing can clearly help compensate for the fragmented nature of the United States health system as patients seek care from a variety of service options. Unfortunately, while these advances offer unparalleled potential for new models of care, they also bring with them increased concerns related to privacy and security.

Growing Privacy and Security Concerns

The greatly accelerated adoption of HIT by the health care industry combined with the rapid rise in public disclosure of breach notifications, stringent enforcement of disclosure penalties, and the growing number of class action lawsuits has created the perfect storm for an erosion of trust among the provider, public, and policy making communities. A major concern is that unless proactive steps are taken to ensure that potential security and privacy threats are mitigated, there is a potential for growing distrust of health information sharing infrastructures, which may ultimately inhibit the electronic exchange of health information and hinder patient or provider acceptance of HIT in Michigan.

2. OPPORTUNITY FOR PROACTIVE ACTION

This document is meant to serve as an outline of high level security and privacy related recommendations from national and regional experts to the Michigan Health Information Technology (HIT) Commission. The HIT Commission was created by PA 137-06. The HIT Commission is housed within the Michigan Department of Community Health and its commissioners are appointed by the governor. The HIT Commission's mission is to facilitate and promote the design, implementation, operation, and maintenance of an interoperable health care information infrastructure in Michigan. The 13-member HIT Commission was appointed in August 2006 and met for the first time in October 2006. It is anticipated that the HIT Commission will employ this report as a proactive vehicle to fulfill its mission and ensure that patients, providers, and policymakers in Michigan can remain confident that health information is protected and accessed appropriately when shared electronically as more and more providers adopt new forms of HIT.

At its January 17, 2013 meeting the HIT Commission tasked MiHIN with prioritizing the Cyber-Security White Paper recommendations. To accomplish this work, MiHIN surveyed 50 participants and key stakeholders who were involved in developing and reviewing the White Paper to solicit their input as to the priority of each recommendation. Respondents ranked recommendations based on their opinion as to the importance and desirability of implementing each one, on a scale of 1 to 4, with 1 being a “low priority” and 4 being an “essential priority” to maintaining the security of protected health information. The priorities (essential, high, medium and low) are indicated in this final version of the White Paper in bold following each recommendation.


3. STATUTORY AREAS

Limitation of Liability

Organizational concerns regarding the scope of liability may inhibit the electronic exchange of health information in Michigan. Many organizations desire to exchange Protected Health Information (PHI)1 with other organizations through electronic means in an effort to provide better care and to reduce costs. Further, such exchange is a requirement to receive reimbursement under the Federal Meaningful Use framework. However, many organizations fear that they are taking on additional liability because: (i) they are relying on electronic PHI (ePHI) provided by others and such ePHI may or may not be accurate, and (ii) they are sending the PHI of their patients to organizations that may not be following the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act requirements, as well as other industry best practices related to the security of PHI.

3.1. Limitation of Liability Recommendations

3.1.1 Direct an entity designated by the State to create and implement information security educational programs (e.g., encryption of servers and portable devices), including an online resource center, as further described in Awareness, Section 5. High Priority

3.1.2 Direct an entity designated by the State to create a HIPAA risk assessment program to provide risk assessment services to healthcare organizations. Direct that, in the creation of such program, various cost options be considered including providing services at a discount rate to certain organizations (e.g., rural health providers). Medium Priority

Addressing Violations

To facilitate the growth of health information exchange (HIE), Michigan must take a more active role in addressing violations, which would encourage organizations to undertake security compliance efforts. Michigan residents trust their private health details to their providers, such providers’ agents and contractors, and in turn expect that such details are protected in accordance with Federal law, State law, and best practices. Patients may lose confidence in and decline to participate in the HIE program if the increase in preventable data breaches continues (e.g., preventable by encrypting portable devices). However, the incentives to comply with rules and regulations are only as strong as the enforcement penalties.

1 For these purposes, we are adopting the definition set forth in the implementing regulations for the Health Insurance Portability and Accountability Act: Protected health information means individually identifiable health information that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium. Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual. 45 C.F.R. § 160.103.


3.2. Addressing Violations Recommendations

3.2.1 Explore opportunities for entities participating in HIE to receive State of Michigan level protections to help reduce the financial burden and costs associated with privacy and security compliance and data breach related issues. Essential Priority

3.2.2 Explore the opportunities for individuals impacted by healthcare data breaches and healthcare organizations that suffered data breaches to collectively coordinate efforts to address damages suffered by impacted individuals. Low Priority

3.2.3 Encourage that the Michigan Attorney General exercise existing authority under Federal and State2 law to investigate [take action against] organizations that have experienced a healthcare data breach. Low Priority

4. ROLE OF INSURANCE IN FACILITATING BEST PRACTICE ADOPTION

Cyber Liability Insurance

Michigan organizations can minimize their exposure to certain data security issues through purchasing cyber liability insurance policies. Even organizations that take all reasonable measures to secure PHI may nonetheless be the subject of a data breach. Responding to a data breach is costly and may threaten the survival of an organization. Cyber liability insurance can provide the necessary bridge for organizations to survive by, for example, paying for the costs of the breach notification, providing the resources and expertise to investigate the breach and assist with remediation steps.

4.1. Cyber Liability Recommendations

4.1.1 Direct an entity designated by the State to create a liability risk assessment program, based in part on the MiHIN sub-state HIE security audit program and the Nebraska HIE model, where the entity designated by the State and/or its approved contractors shall offer the Risk Assessment Plus audit program. This audit program will provide organizations with the basic HIPAA risk assessment, a vulnerability penetration test and remediation services. High Priority

4.1.2 Direct an entity designated by the State to create a task force to investigate the opportunities for an “approved or recommended” broker program whereby the State of Michigan or entity designated by the State leverages discounted rates for cyber liability insurance and possibly other insurance policy types (e.g., errors and omissions, directors and officers) that are needed for providers and HIEs. Medium Priority

4.1.3 Direct an entity designated by the State to compile and publish online a list of insurance companies able to provide discounts (with the amount of the discount) to Michigan organizations that undergo the Risk Assessment Plus audit program and take the necessary steps to remediate flagged vulnerabilities. Medium Priority

4.1.4 Direct an entity designated by the State to create and publish online an Insurance Guidebook that educates organizations on their responsibilities to carry appropriate insurance and provides a list of recommended coverage requirements (e.g., provide coverage for notifications, forensic examiner, legal assistance, etc.) as further outlined in Awareness, Section 5. Low Priority

5. SECURITY AWARENESS & EDUCATION AREAS

5.1. Security Baseline Recommendations

5.1.1 Direct an entity designated by the State to establish a minimum required set of safeguards (physical, administrative, and technical) for all organizations that engage in health information exchange. Essential Priority

5.1.2 Direct an entity designated by the State to develop and conduct an auditing program to enforce that organizations engaged in health information exchange have met a minimum set of security requirements. Qualified organizations should be audited every three (3) years. Essential Priority

5.1.3 Direct an entity designated by the State to develop a “center for excellence” that supports HIT/HIE in Michigan to achieve security standards. The Center shall provide options for health information organizations to pose security questions and to receive support for implementing the framework. This support environment may take the form of an online discussion group or listserv to distribute best practices with regard to the secure exchange of protected health information. Medium Priority

(a) Mechanisms for interested parties to receive security information briefs should be provided as well as options to access a directory of security-related information and materials on an as need basis. This directory may include security-related news, information on breaches, and software patches and exports related to security updates.

5.1.4 Direct an entity designated by the State to develop an attestation document for organizations to affirm that comprehensive security policies, procedures, and safeguards as well as annual security controls testing have been documented, implemented and completed. Medium Priority

5.2. Training and Education Recommendations

5.2.5 Direct an entity designated by the State to develop an education and training program with a security risk and awareness curriculum to provide organizations that exchange health information with options for implementing the framework requirements, social engineering techniques, and holding their users accountable for adhering to the safeguards. Incentives for individuals and organizations to participate in training programs should offer continuing education credits for all eligible participants and discounts on purchasing risk assessment services and cyber liability insurance for those who complete the training. High Priority


– Training opportunities may include (in order of priority, highest to lowest):

(a) Web-based training modules (computer-based training) on each framework domain that organizations that exchange health information and their participants can complete at their convenience.

(b) Create a tool kit leveraging ONC materials that will be available online and may include forms, brochures, FAQs, talking points, and other educational materials to support the training.

(c) In-person “classroom” role based training sessions.

– The education curriculum and training modules should be comprehensive and include these components (in order of priority, highest to lowest):

(a) Risk management (e.g. risk identification, threat analysis)

(b) Identity management (e.g. user IDs, passwords)

(c) Information protection (e.g. encryption, key management)

(d) Vulnerability management (e.g. secure configuration, patches)

(e) Security control testing (penetration testing, audits, etc.)

(f) Operations management (e.g. logs, laptops, desktops, change management, network, mobile devices, removable media)

(g) Threat management/matrix (e.g. intrusion detection, incident response)

(h) Business continuity (e.g. impact analysis, backups, disaster recovery, pandemic planning)

(i) Physical security (e.g. premises protection, visitors)

(j) Asset management (physical and information)

(k) Applications development (e.g. code review, testing)

5.3. Risk Assessment and Mitigation Recommendations

5.3.1 Direct an entity designated by the State to develop a requirement that organizations exchanging health information should conduct a risk assessment every three (3) years and review all supporting policies and procedures annually. Essential Priority

5.3.2 Direct an entity designated by the State to provide an online security risk assessment tool and/or audit service (at an affordable fee). Said entity should also develop and issue a request for qualifications (RFQ) to identify companies that can conduct a risk assessment in accordance with established program requirements. Approved companies will provide to organizations that exchange health information and their participants/users online security risk assessment tools and/or auditing services as well as discounted rates when purchasing a full security audit. High Priority

5.4. Insurance Protection Recommendations

5.4.1 Direct an entity designated by the State to create and publish an online insurance guidebook that educates organizations about their responsibilities to carry appropriate insurance. Low Priority


– The insurance guidebook may include:

(a) A self-assessment checklist to allow organizations to better understand their risk and need for different types of insurance coverage.

(b) Information on the entity designated by the State’s liability risk assessment program, if any.

5.4.2 Direct an entity of the State to develop and issue a RFQ to identify insurance brokers who are willing to provide discounted rates to organizations that adhere to the security framework. Low Priority

(a) Publish a list of “recommended” brokers and/or insurance companies that will make discounts available to organizations that undertake a risk assessment and audit program.

(b) Publish a list of the specific insurance coverage types and/or components that should be considered by types of organizations and the types of data sharing in which they are engaged.

6. HEALTH INFORMATION SHARING & IDENTITY MANAGEMENT

6.1. Assurance Level Recommendations

6.1.1 The HIT Commission should formally endorse the National Institute of Standards and Technology (NIST) definitions of assurance levels. Essential Priority

6.1.2 The HIT Commission should develop a roadmap for moving organizations to at least Level of Assurance (LOA) Three (3) for all health information sharing activities that fall into the HIPAA defined categories of Treatment, Payment, and Health Care Operations. Any such plans must provide reasonable and workable exemptions for emergency situations where human life is at risk. High Priority

6.1.3 The HIT Commission should develop a roadmap for moving organizations to LOA Four (4) for all health information sharing activities where patient data for multiple patients from multiple organizations has been aggregated. Any such plans must provide reasonable and workable exemptions for emergency situations where human life is at risk. Medium Priority

6.2. Identity Management Infrastructure Recommendations

6.2.1 The HIT Commission should work with appropriate organizations within the State of Michigan towards developing a formally accepted framework for identity management. Essential Priority

6.2.2 The HIT Commission should work with appropriate organizations within the State of Michigan towards developing an identity management infrastructure that is both secure and interoperable across all of the systems involved in statewide health information sharing that provides the ability to know what information is allowed to be shared and how information in one system may be exchanged with another system so that only those with appropriate rights


6.3. Identity Trust Federation Recommendations

6.3.1 The HIT Commission should endorse an Identity Trust Federation approach versus a centralized model. High Priority

6.3.2 The HIT Commission should encourage the State of Michigan to endeavor to build an Identity Trust Federation that can operate and register as a Trust Framework Provider within the Federal Identity, Credentialing and Access Management (FICAM) Trust Framework Provider Adoption Process (TFPAP). This will allow identities within the Michigan HIE Identity Trust Federation to be trusted for access to systems operated by the Federal government such as those used for managing Medicare and Medicaid benefits. High Priority

The points below are prioritized from highest to lowest:

(a) Ensure that the State of Michigan has the necessary tools and infrastructure to function as an identity manager for certain critical functions such as provider licensing and that the State of Michigan designs its identity manager to participate in any evolving identity federation.

(b) Designate an entity or coalition of entities to serve as the Federation Manager who operates the federation, establishes standards and protocols that participants in the federation must follow in order to exchange identity information, and who typically operates certain core systems that allow participants in the federation to identify other participants in the federation and to ensure that they are securely exchanging trusted identity information with other participants.

(c) Identify a subset of existing and potential identity managers and relying parties willing to participate in a small identity federation pilot program and provide funding assistance for such a pilot program.

6.3.3 The HIT Commission should establish a formal mechanism to continue to monitor Federal efforts such as National Strategy for Trusted Identity in Cyberspace (NSTIC), which is also developing models for trusted identity federations. NSTIC is strongly behind the idea of trust federations as the right model, as opposed to a single government operated identity management system. High Priority

6.3.4 The HIT Commission should encourage the establishment of appropriate model regulations that will allow a Michigan HIE Trust Federation to operate with appropriate safeguards and limits on liability so that identity managers and relying parties can design and operate systems with an understanding of the risks they undertake, and processes and procedures that are needed to limit such risk and liability. Legislation that may serve as a model is underway in the State of Virginia. Medium Priority

7. CHARTERING WORKING GROUPS & TIMELINE

Continued work to refine details and develop plans for potential execution of these recommendations will require broad stakeholder participation on a continued basis.


7.1 Chartering Additional Workgroups Recommendations

7.1.1 The HIT Commission should establish a working group on security and privacy legislative issues related to health information sharing. High Priority

7.1.2 The HIT Commission should establish a working group on establishing a Michigan Identity Trust Federation to enable secure identity management for use in the Michigan HIE. High Priority

7.1.3 The HIT Commission should encourage funding for one or more pilot projects in establishing a framework for an HIE Identity Federation and working operational models for such an identity federation. High Priority

8. FEEDBACK & HOW TO GET INVOLVED

Your feedback is welcomed and encouraged. Please send comments and/or requests to participate to [email protected].

9. CONTRIBUTORS

We wish to express our appreciation to the many contributors who co-authored, reviewed and responded to the recommendation prioritization survey to support the development of this White Paper.

Name | Organization | Co-Author | Reviewer | Survey Respondent

Joe Adams Merit Network, Inc. X

Peter Alterman SAFE-BioPharma Association X X

Paul Amaranth Aurora Group X

Leslie Amaros Advances in Management, Inc. X X

David Behen State of Michigan X

Carl Bertrams HT Systems X X

Gina Bianco Advances in Management, Inc. X X X

Tonya Byers Blue Cross Blue Shield of MI X X X

Greg Campbell State of MI - DTMB supporting DCH X X

Jim Collins State of Michigan X

Michael Davenport Trilogy Security X

Darrell Dontje Great Lakes HIE X X X

Scott Dresen Spectrum Health System X

Dr. Jeff Eastman MiHIN Shared Services X X

Mark Ford Deloitte & Touche LLP X X

Randall Frank Independent Consultant X X X

Kelly Frey Dickenson Wright X

Adam Gee Michigan Health Connect X X

Dana Green Covisint X

Cynthia Green-Edwards MI Department of Community Health X X

Carol Hall Southeastern Michigan Health Association X

John Hazewinkel MSU Institute for Health Policy X X

Doug Hill Nitor Group X

Helen Hill SEMHIE X X

Paula Johnson UPHIE / UPHCN X X

Joe Kryza University of Michigan X

Scott Larsen MI Department of Technology, Management & Budget X X

Jeff Livesay MiHIN Shared Services X X X

Rod Mach HiperLogic X

James Mahony PNC Financial Services Group X

Rusty Mandle Ingenium (formerly My1HIE) X

Sarah Matthews Advances in Management, Inc. X X

Tatiana Melnik Dickinson Wright PLLC X X

David Miller Covisint X

Ken O'Brien United Physicians/Ingenium X X

Carol Parker Great Lakes HIE X

Tim Pletcher MiHIN Shared Services X X X

Karthik Ramachandran Southern Methodist University X

Ashok Ramanjanappa CNSI X

Ross Roberts HQ Army Medical Command X X

Brian Seggie MiHIN Shared Services X X

Jeff Shaw MiHIN Shared Services X X X

Dawn Siggett OptumInsight X

Mick Talley SEMHIE X X X

Michael Tucker* Intel Americas, Inc. X X

Meghan Vanderstelt State of Michigan X

John Vismara Ingenium (formerly My1HIE) X

Rick Warren Allegiance Health X

Larry Whiteside* Spectrum Health System X

Bruce Wiegand Southeast Michigan Beacon Community (SEMBC) X X
