Latest on HIPAA Information Security
• Increase in healthcare data breaches
• Higher fines from the Office for Civil Rights (OCR)
• Cost of breaches at healthcare organizations is higher
• Breaches are more likely with mobile devices and with business associates
• Unprotected Protected Health Information (PHI) in the cloud has become a breach
• OCR has initiated the HIPAA audit program
• (More regulations are coming!)
OCR published the Audit Program Protocol (June 2012)
• 77 bullet points for information security
• 88 bullet points for privacy
• “…to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.”
CUMC OCR Risk Management Process
• Initiated in Fall 2010
• Center-wide PHI asset discovery processes
• A risk management (security) questionnaire based on HIPAA, HITECH, COBIT and PCI DSS for PHI applications (HITRUST)
• Application owners and custodians fill in the questionnaire
• Information Security evaluates the responses and conducts vulnerability scans (“hacking activity”)
• Critical and High risks are addressed with owners and custodians with urgency
• Application is certified and is permitted to operate officially
• Rinse and repeat
CUMC OCR Risk Management: New steps
• Risk analysis process identifies common, high-risk areas
• Institution must have a risk compliance committee consisting of senior management
• … which deliberates, discusses, addresses and mitigates PHI risks, helps prioritize risks and controls, allocates funds, and manages the risk management program
• Examples of risks include:
Information security trends
• The Bring Your Own Device (“BYOD”) revolution,
• …but separate personal storage systems from workplace data, and vice versa
• No Gmail for PHI, period
• No personal tax forms in cubmail
• Share control of personal devices if they are used to access workplace data
• Mobile Device Management
• Network Access Control
Information security trends
• How to hold 3rd parties (including Business Associates) responsible for security at their end - Cloud
• Contracts need to be specific about HITECH
• If BAs are required to follow HIPAA explicitly, it will help
• Choose 3rd parties who understand HIPAA and will sign the BAA
• Monitoring user behavior with institutional access and data
• Monitoring and surveillance are related
• Try not to conduct personal business at the workplace
Information security trends
• Application security is a big issue, with SQL injection and cross-site scripting
• It is important to hire a programmer who knows security
• It is important to hire a system administrator who knows security
• It is crazy to hire a programmer who knows no security
• It is crazy to hire a system administrator who knows no security
• Observation: We are in the midst of a culture change!!
Information security trends
• Encrypt! Encrypt! Encrypt! Encrypt! Encrypt! Encrypt! (repeated across the slide)
• We better encrypt (with strong passwords)!!
Hot Topics and Potential Risk Areas
• Security Breaches
• Security Incident Response
• Physical Security
• Disaster Recovery and Business Continuity Planning
• Increased Enforcement
• Privacy & Security Training
• Cyber Security Incidents
• Disposal of Devices
• Mobile Healthcare Security
• Use of Social Media
• Cloud Computing
• Meeting Meaningful Use Requirements
• Business Associates, Vendors, Contractors
HIPAA/HITECH Fines, Penalties & Enforcement
• 2003 – 2010: Minimal enforcement reported
• 2011: OCR reaches four (4) settlements and issues one Civil Monetary Penalty (CMP)
• 2012:
  • BCBS Tennessee fined $1.5 mil for a stolen unencrypted hard drive (3/13/2012)
  • HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards; fined $100,000 (4/13/2012)
  • South Shore Hospital (Mass.) fined $750,000 for unencrypted tapes (5/30/2012)
Business Associate
• OCR proposed rule to apply HIPAA civil and criminal enforcement and penalties directly to BAs, in addition to contractual liability.
• Business Associate - a person or entity that performs or assists with certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity. 45 CFR 160.103.
Business Associates
• Important for departments to identify when a business associate agreement is needed.
• Proposed new rule may require new agreements with existing business associates.
• Proposed rule includes e-Prescribing Gateways, Personal Health Records (PHR), subcontractors of Business Associates & Health Information Exchange (HIE) organizations.
Examples of Business Associates
• Billing organizations, collection vendors & claims processing companies
• Software Support / Data Administration (electronic applications with access to PHI); examples include CROWN, GE, Siemens & IDX
• Data analysis / processing – e.g. research
• Quality Assurance & Customer Satisfaction services
• Medical record/information storage and destruction companies
• Accreditation organizations
• Consultants – business, financial, medical, etc.
Workforce Training & Education
Faculty, staff & student education includes both HIPAA Privacy & Information Security requirements
• Welcome Program for new faculty & staff
• New student education: medical, nursing, dental & physical therapy
• On-line training for new faculty, staff and students
• Refresher / remedial HIPAA training
• Department, role & program specific training
• HIPAA training for research staff
• Periodic email reminders
• Annual Officers & Faculty Briefing
COLUMBIA UNIVERSITY MEDICAL CENTER CONFIDENTIALITY AGREEMENT
I understand that I may have access to electronic, printed, or spoken confidential information, which may include, but is not limited to, information relating to:
• Patients - including Protected Health Information (PHI), records, conversations, patient financial information, etc.;
• Employees - including salaries, employment records, disciplinary actions, etc.;
• Students - including enrollment, grade and disciplinary information;
• Research - including PHI created, collected, or used for research purposes;
• CUMC - including but not limited to financial and statistical records, strategic plans, internal reports, memos, peer review information, communications, proprietary computer programs, source code, proprietary technology, etc.;
• Third party information - including computer programs, client and vendor proprietary information, source code, proprietary technology, etc.;
• PHI and Personal Identifying Information (PII) used in other contexts.
Accordingly, as a condition of, and in consideration of my access to confidential information, I promise that:
1. I will use confidential information only as needed by me to perform my legitimate duties as defined by my relationship (faculty, employment, student, visitor, consulting, etc.) with CUMC.
  • I will not access confidential information which I have no legitimate need to know.
  • I will not in any way divulge, copy, release, alter, revise, or destroy any confidential information except as properly authorized within the scope of my relationship with CUMC.
  • I will not misuse or carelessly handle confidential information.
  • I understand that it is my responsibility to assure that confidential information in my possession is maintained in a physically secure environment.
2. I will safeguard and will not disclose to any other person my access code (password) or any other authorization code that allows me access to confidential information.
  • I will be responsible for misuse or wrongful disclosure of confidential information that may arise from sharing access codes with another person and/or for failure to appropriately safeguard my access code or other authorization to access confidential information.
  • I will log off computer systems after use.
  • I will not log on to a system or access confidential information to allow another person access to use that system.
  • I will report any suspicion or knowledge that my access code, authorization, or any confidential information has been misused or disclosed without CUMC authorization.
  • I will not download or transfer computer files containing confidential information to any non-NYP/CUMC authorized computer, data storage device, portable device, telephone, or other device capable of storing digitized data.
  • I will only print documents containing confidential information in a physically secure environment, will not allow other persons access to printed confidential information, will store all printed confidential information in a physically secure environment, and will destroy all printed confidential information when my legitimate need for that information ends in a way that protects the confidentiality of the information.
3. I will follow CUMC policies and procedures regarding the use of any portable devices that may contain confidential information, including the use of encryption or other equivalent method of protection.
4. I acknowledge my obligation to report to the CUMC Privacy Officer any practice by another person that violates these obligations or puts CUMC, its personnel, or its patients at risk of a disclosure of confidential information.
5. I will only use my Columbia email account to send and receive messages that may include confidential information and will not use email to send confidential information to other parties outside of Columbia/NYP without protection to prevent unauthorized access.
6. If I am involved in research, any research utilizing individually identifiable protected health information will be performed in accordance with federal, state, local and Institutional Review Board policies.
7. If I no longer need confidential information, I will dispose of it in a way that assures others cannot use or disclose it, including following the Information Technology policy for disposal of printed confidential information or electronic equipment that may contain confidential information.
8. I understand that my communication using the Columbia University information network is not private and the content of my communication may be monitored to protect the confidentiality and security of the data.
9. I understand that my obligation under this Agreement will continue after termination of my relationship with CUMC.
10. I understand that I have no right or ownership interest in any confidential information referred to in this Agreement. CUMC may at any time revoke my access code, or access to confidential information. At all times during my relationship, I will act in the best interests of CUMC.
May 2011