Security Is Everyone’s Concern:
What a Practice Needs to Know About ePHI Security
Mert Gambito, Hawaii HIE Compliance and Privacy Officer
July 26, 2014
E Komo Mai! (Welcome!)
• This session’s presenter is Mert Gambito
– Compliance and Privacy Officer, Hawai‘i HIE
• Physician attendees may earn 1.0 CME credit for attending
this session. Please complete the blue test and evaluation
forms for this session to earn your credit.
No other relevant financial disclosures
Oh no, a HIPAA Presentation . . .
Quick! Tell Us What Part of HIPAA Security Is Important to Know While You Still Have Our Attention
• Well, good news! The answer is simple: ALL OF IT!
HIPAA Security went into effect in 2005:
Called for Safeguards Specific to Electronic PHI (ePHI) not Addressed by HIPAA Privacy
HIPAA Security
• Administrative Safeguards
– Policies and Procedures; Risk Analysis / Assessment; Risk Management; Sanctions; System Activity Review; Security Official / Officer; Authorization / Supervision; Workforce Clearance; Termination; Access Authorization; Access Establishment and Modification; Security Awareness and Training; Security Reminders; Malicious Software Protection; Log-in Monitoring; Password Management; Security Incident Response and Reporting; Data Backup Plan; Disaster Recovery Plan; Emergency Mode Operation Plan; Testing and Revision of Contingency Plans; Applications and Data Criticality Analysis; Periodic Security Evaluation; Business Associate Agreements
• Physical Safeguards
– Workstation Function Specifications; Workstation Physical Safeguards; Device and Media Disposal; Media Reuse; Device and Media Accountability; Data Backup and Storage
• Technical Safeguards
– Unique User Identification; Emergency Access; Automatic Logoff; Encryption and Decryption of Stored PHI; Audit Controls; Authentication of ePHI; Authentication of Person/Entity; Integrity Controls of Transmitted ePHI; Encryption of Transmitted ePHI
• Organizational Requirements
– Business Associate Agreements
• Policies, Procedures, Documentation Requirements
– Policies and Procedures; Security-Related Documentation
HIPAA Security:
Consists of Almost 50 Specifications . . .
That Fall Within 5 Categories
1. Administrative Safeguards
2. Physical Safeguards
3. Technical Safeguards
4. Organizational Requirements
5. Policies, Procedures and Documentation Requirements
Administrative Safeguards
What business practices are in place to safeguard your patients’ ePHI, and help ensure the staff keep the data secure?
• Management and evaluation of your practice’s security program:
– This starts with a security risk analysis (it was a HIPAA requirement long before “Meaningful Use” came along).
– Who is your practice’s security official?
• Workforce security and information access management
– Procedures to ensure only the staff members who need access to your ePHI have it, and are appropriately disciplined if they abuse that access or otherwise compromise the security of your patients’ data.
• System activity review
– Review records to determine if any ePHI has been compromised.
• Security incident procedures
– Identifying and mitigating attempted or successful unauthorized access, use, disclosure, modification or destruction of your practice’s ePHI, or tampering with your information systems.
• Contingency plan
– Have a plan to back up your ePHI, and make it available in case of emergency or disaster while keeping it secure.
• Business associate agreements
– Contractually ensure that your vendors, other third-parties and their subcontractors with access to PHI are bound to abide by HIPAA.
• Security awareness and training
– The single, most important aspect of a security program!
– Our Hawai‘i Pacific Regional Extension Center (HPREC) program provides
ongoing workforce security training sessions for providers and their staff
members to help them meet this HIPAA security requirement.
We currently hold annual training sessions on Oahu, the Big Island, Kauai and Maui.
Physical Safeguards
How does your practice safeguard facilities, equipment and media within which ePHI is accessed, used or stored?
• Ensure proper and necessary access to your practice’s facility.
– Control, validate and monitor who has facility access.
– Provide for facility access necessary to restore data during an emergency or disaster.
• Ensure the security, and secure use of, your practice’s
workstations with access to ePHI.
– Specify appropriate use of workstations by workforce members.
– Minimize risks to ePHI accessible via the workstations, on and off site.
• Keep track of portable devices and media that contain ePHI.
– Maintain records of which devices and media contain ePHI, where they are located, and to whom they have been assigned.
– Dispose of end-of-life devices and media that contain or have
contained ePHI only after ensuring that the data has been rendered completely unusable and/or inaccessible.
– If a device or media will be re-used, whether within the practice or provided to someone else, the ePHI must be permanently deleted or otherwise rendered inaccessible.
Technical Safeguards
Which technological controls, and policies and procedures to ensure implementation of those controls, are used in your practice?
• Implement controls to ensure only unique, authorized users
have access to information systems containing ePHI.
• Implement controls to prevent unauthorized alteration or
destruction of ePHI.
• Review audit records to determine if any ePHI has been
compromised.
• Implement controls to safeguard ePHI during transmission.
Organizational, Policies and Procedures, and Documentation Requirements
Memorizing All This HIPAA Stuff is Hard!
• Independent practices, and other HIPAA covered entities,
must execute agreements with business associates, e.g. vendors
with access to PHI on behalf of the HIPAA covered entity.
• Policies and procedures must be in writing and available to all of
your practice’s workforce members.
• Policies and procedures must be updated as needed to address
your practice’s changing security needs.
• Other documentation, e.g. related to incident response, must
also be maintained by a practice.
2012 OCR HIPAA Audit Pilot Results
OK, Lots of Information . . . Is there anything you can recommend my coworkers and I focus on to improve our Security program?
• Every practice’s needs are different, which is why a security risk analysis, for example, is one of the first steps to take in creating or updating a security program.
Learnings: OCR HIPAA Investigations
• Look at the types of complaints the U.S. Office for Civil Rights
(OCR) investigates for a general idea of where practices
should focus attention in their compliance programs.
Now, Let’s See What We Can Learn . . . When the Feds Decide Something’s REALLY Gone Wrong!
Learnings: OCR HIPAA Enforcement
Key Findings in Cases Resulting in
Independent Practices Paying Penalties
• April 13, 2013: Phoenix Cardiac Surgery
– $100,000 settlement for publicly posting ePHI on the Internet.
– Over 1,000 entries containing PHI were posted online.
– The OCR’s investigation was triggered by a complaint.
• December 26, 2013: Adult & Pediatric Dermatology
– $150,000 settlement for stolen unencrypted thumb drive containing data of 2,200 patients.
– The thumb drive was never recovered.
– The OCR’s investigation was triggered by a complaint.
• In addition to the two breaches of ePHI, the federal
investigators identified actions needed to address other
findings related to the following HIPAA Security requirements:
– Formal identification of a security official
– Security risk analysis and risk management
– Policies and procedures
– Business associate agreements
– HIPAA training of employees
• Let’s add one more that goes without saying:
– Incident and breach response and notification
Identify Your Practice’s Security Official
(It Just Might Be You :-)
• What’s the main responsibility
of a security official?
– Developing and implementing the security policies and procedures.
• Is this role the same as the
HIPAA “privacy official”?
– No, but the same person can fulfill both roles, and often does.
• Do I have to do all the HIPAA compliance work in this role?
– SECURITY IS EVERYONE’S CONCERN in the practice, not just yours.
– You can delegate (e.g. safeguarding your network), then document who’s responsible for the delegated aspect of your security program.
Poll Question #1:
Who Is Your Practice’s Security Official?
• Instructions:
1. If you haven’t already done so, launch the AudienceOpinion app.
2. Enter the event code for this breakout session’s poll: betutc (the event code is case sensitive).
3. You’ll be prompted to enter an e-mail address. Feel free to enter a fictitious one, e.g. name@abc.xyz.
4. The “Start” page for the Security Is Everyone’s Concern poll will appear on your mobile device.
5. The presenter will activate the poll.
6. Tap “Start” on your mobile device to go to Question #1. (If you
accidentally tried to start the poll before it was activated, tap “Next Question” to go to Question #1.)
The rest of this presentation covers key security safeguards that many practices, not just small ones, overlook. But as the data shows, the regulators are paying attention, and so should we.
Security Risk Analysis and Management
The Foundation for Securing YOUR Practice
Same Specialty, Same Town, Same EHR System, Same Size Staff . . . Different Security Needs
• There’s no one-size-fits-all way to build a Security program.
• Every practice’s security needs change over time.
• A security risk analysis identifies current threats, vulnerabilities and risks facing your practice.
– It helps you learn what you’re doing right, and what needs work.
– It drives how you develop the rest of your security program.
• Analyze risks. Identify and rank initial security risks unique to your practice.
• Manage risks. Use the results of the analysis to prioritize which risks to mitigate.
• Evaluate your security program. Periodically review your practice’s security safeguards, and make changes as necessary.
[Figure: Security Management Cycle (Risk Analysis, Risk Management)]
Policies and Procedures
Your Practice’s Security Instruction Manual
• Policies define your practice’s approach to meeting each
security standard, e.g.:
– “A vendor with access to PHI on behalf of our practice must execute a business associate agreement with our practice.”
• Procedures describe how your practice carries out that
approach, e.g.:
– “A representative of the vendor must sign our practice’s business associate agreement, and provide us the original signed agreement, before the vendor may access the PHI.”
• Retain policies and procedures (and other HIPAA-related
documentation) for at least 6 years.
– OCR investigators and auditors may ask for your documentation – even out-of-date versions.
Business Associate Agreements
HIPAA: It’s Not Just for Covered Entities
• The HITECH Act of 2009 established HIPAA compliance
requirements for business associates.
• Business associates are now:
– Required to adopt most of the same security safeguards as independent practices and other covered entities
– Responsible for playing a role in notifications in the event of a breach
– Subject to investigations, corrective actions and penalties under the HIPAA Enforcement Rule
• Subcontractors of business associates, including
subcontractors of subcontractors, with access to PHI are also
considered business associates.
Workforce HIPAA Training
Train Early, Train Often, Train Everyone!
• All workforce members must receive training
– This includes physicians, other providers and management, as well as
– Staff members who do not have access to the EHR or other systems with ePHI.
– Train workforce members when they’re hired, as well as
– Periodically so they receive reminders and updates about HIPAA.
• Your practice’s workforce members may not memorize HIPAA
word for word . . .
– But the awareness of what safeguards are required and should be considered will go a long way to preventing violations that could
literally impact the well-being of your practice’s patients – and subject your practice to regulatory penalties.
Incident and Breach Procedures
With HIPAA, as in Life, What Can Go Wrong…
• Some of the most common, and damaging incidents are
intentionally caused by people, e.g.:
– Unauthorized access (e.g. snooping)
– Theft of PHI, and devices containing ePHI
• Some incidents are caused by unintentional acts, e.g.:
– Lost devices containing ePHI
– Failure to adequately lock/secure facilities, vehicles and homes
• Some incidents aren’t caused by people, e.g.:
– Malware attacks
– Server failures
– Natural disasters (is your PHI in a tsunami zone?)
• Some incidents are caused by neglect, e.g.:
– Weak passwords
– Lack of encryption
– Out-of-date software
• When you detect an incident, or one is reported, you must
document the details of the incident, as well as your steps to
investigate and mitigate it. (Remember: 6-year retention).
• Not all “incidents” are “breaches”. Your investigations should include an incident risk assessment to determine if this is so.
• And, even when PHI ends up in the wrong hands, an incident
may still meet HIPAA exclusions to being defined as a breach.
• If, following your risk assessment, you determine that an
incident qualifies as a breach:
– You have up to 60 days following discovery of the incident to notify the necessary parties of the breach, in particular the impacted individuals and the U.S. Department of Health and Human Services (HHS).
– Notifications to impacted individuals, depending on the nature and severity of the breach, may be delivered by: first-class mail, notice published on the practice’s website, e-mail, phone – as well as the local or statewide media.
• What’s the best way to deal with incidents and breaches?
– Prevent them from occurring by addressing the safeguards discussed in this presentation – paying attention to deficiencies identified by the OCR in the cases involving independent practices.
Poll Question #2:
Learnings: OCR HIPAA Enforcement
Not All OCR Investigations Result in
Enforcement Actions, Let Alone Penalties
Source data from the U.S. Office for Civil Rights, April 14, 2003 through July 26, 2014
• 24.6%, or 1 out of every 4.1 cases resolved by the OCR,
resulted in a corrective action plan.*
Of these cases . . .
• 0.097%, or 1 out of every 1,028 cases that required a
corrective action to address HIPAA violations resulted in a
civil monetary penalty or settlement.*
Now for the bigger picture to see how we did in Poll #1:
• 0.024%, or 1 out of every 4,171 HIPAA complaint cases
resolved by the OCR, has resulted in a monetary penalty.*
*Since HIPAA Privacy went into effect, April 14, 2003
Learnings: OCR HIPAA Enforcement
In fact, most HIPAA enforcement activity
looks like this:
So, In Closing . . .
• HIPAA enforcement is typically an opportunity to improve a practice’s security program, not penalize the practice.
• Focusing on the handful of security safeguards that have historically been neglected by independent practices:
– Addresses regulatory requirements that may contribute to breaches and other unfortunate incidents.
• In the course of doing so, e.g. by conducting a risk assessment and developing current policies and procedures:
– Other aspects of your practice’s security program can be added or improved along the way.
• The Hawai‘i HIE’s HPREC program will continue to provide services, such as Workforce Security Awareness Training, to help practices develop their security programs.