1 / 92

THE EVOLUTION OF HIPAA SECURITY – Be Careful What You Ask For

THE EVOLUTION OF HIPAA SECURITY – Be Careful What You Ask For Kirsten Ruzic Wild, RN, BSN, MBA, CHC September 11, 2009. Objectives. Gain insight into government’s enforcement efforts Highlight current level of health care entities’ compliance – HIPAA COW Benchmarking Survey

colin-benson
Download Presentation

THE EVOLUTION OF HIPAA SECURITY – Be Careful What You Ask For

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. THE EVOLUTION OF HIPAA SECURITY – Be Careful What You Ask For Kirsten Ruzic Wild, RN, BSN, MBA, CHC September 11, 2009

  2. Objectives • Gain insight into government’s enforcement efforts • Highlight current level of health care entities’ compliance – HIPAA COW Benchmarking Survey • Understand the recent ARRA changes and impact

  3. A little background….. HIPAA Security • Establish national standards for the security of electronic health care information • Administrative safeguards • Physical safeguards • Technical safeguards • Enforcement Authority was CMS

  4. A little background….. HIPAA Security Rule Requirements • Establish national minimum standards for the security of electronic health care information • Published February 2003, deadline April 2005 • Administrative, technical, and physical security procedures (18 standards) • Implementation specifications are either Required (14) or Addressable (22)

  5. HIPAA Security Rule Rule Goals • Comprehensive, scaleable and technologically neutral (flexible) • Protect the confidentiality, availability and integrity of electronic PHI (“ePHI”) • Assess YOUR risks and vulnerabilities • Improve Medicare/Medicaid through increased effectiveness and efficiency

  6. HIPAA Security Rule Rule Goals • “Improve efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of standards and requirements to enable the electronic exchange of certain health information” 45 CFR Parts 160, 162, 164 – Final Rule

  7. HIPAA Security Rule Interpretation • Good Thing: Scaleable and flexible • Bad Thing: Scaleable and flexible • How do you know if you meet the standard? • Are you certain you are compliant?

  8. HIPAA Security Rule Interpretation • Lack of standard • Constantly changing technologies • Complexity and variety of clinical applications • Limited IT budgets • No CMS enforcement or oversight (years) • Interpretation? Why bother?

  9. OIG Audits and Guidance March 2007 • Audit of Piedmont Hospital – Atlanta • Non-specific findings: significant vulnerabilities • Leaked checklist of 42 questions/documents

  10. OIG Audits and Guidance August 2007 • Audit of CMS (Results of audit released in October 2008) • Findings • No compliance reviews had been conducted in 2 years • CMS had “not provided effective oversight or encouraged enforcement of the HIPAA Security Rule” • CMS agreed to implement a formal audit process • Defense: voluntary compliance and complaint-driven

  11. OIG Audits and Guidance • No findings released • OIG committed to ongoing audits of covered entities nationwide for next few months • Develop understanding of CE interpretation of flexible and scalable ???

  12. CMS CMS • Late 2007 • Office of eHealth Standards and Services (OESS) • CMS website – HIPAA Security Standard • Sample document request list for audit - 42 • First insight into federal interpretation • Conducting on-site reviews since January 2008

  13. OCR/CMS Auditing/Enforcement CMS • Mid 2008 • Audited Providence Health and Services • In cooperation with OCR • Failure to implement P&P to protect PHI • Portable media • First Resolution Agreement/CAP • On OCR website • Only CMS audit results released

  14. OCR/CMS Auditing/Enforcement Providence Audit • No civil monetary penalty for cooperating • Audited by OCR and CMS jointly • Complaint-triggered audit

  15. CMS Enforcement Enforcement Statistics – 3 largest number of complaints • Information Access Management(Administrative Standard 164.308(a)(4)(i)) • Access Control(Technical Standard 164.312(a)(1)) • Security Awareness and Training(Administrative Standard 164.308(a)(5)(i))

  16. Conclusions • Uncoordinated guidance, interpretation and enforcement • Info on a variety of government websites OIG, CMS, OESS, OCR, Dept of Commerce - NIST • Not easy to find • Where do you go from here?

  17. New Enforcement • As of August 3rd, OCR is responsible for enforcement of HIPAA Security – not CMS • “eliminate duplication and increase efficiencies”

  18. HIPAA COW Security Networking Group • Benchmarking Survey • March 2009 • Goals: • to provide benchmarking data to help organizations across the State determine their level of compliance with the regulations in preparation for a federal audit • Not to justify or support non-compliance • Determine if benchmarks (local?) exist

  19. HIPAA COW Security Networking Group Benchmarking Survey • 56 questions • 10 categories • Average of 76 responses to each question • Respondents include: acute care hospitals, clinics/physician groups, long-term care facilities, payers, and integrated health care delivery networks • From <200 to >2000 employees • Size of an organization had little effect on level of compliance

  20. HIPAA COW: Benchmarking Survey Results - Encryption • 54% of respondents indicated they encrypt e-mail • 46% do not currently encrypt e-mail • 34% of respondents indicated they encrypt laptop hard drives • 66% do not encrypt laptops

  21. HIPAA COW: Benchmarking Survey Results - Encryption • 30.7% (less than 1/3) are encrypting USBs and other mobile devises • 26% indicated they do not encrypt any devices or data transmission

  22. Committee Interpretation • Expected that organizations had implemented encryption techniques/solutions on more types of devises • Why not encrypting? • Budget limitations • Too difficult • IT not ready to administer • Organizational policies prohibit transmission of PHI in e-mail or on portable devises • Organizations may be currently implementing or testing to find solutions • Believe it is impossible to enforce

  23. Conclusions/Recommendations • All organizations should be capable of encryption • Well-established technology • Inexpensive • Easy to implement • “Addressable” standard? • Per OIG Auditors presentation in April – lack of encryption will fail an audit • Provide proactive solutions to your users

  24. HIPAA COW: Benchmarking Survey Results – Disaster Recovery • 88.8% have a Disaster Recovery Plan • Those who didn’t tended to be smaller organizations • 45.6% state their Plan covers every application • 31.6% indicated their Disaster Recovery Plan covers only those applications that support basic business functions • 89.4% state their Plan is documented

  25. HIPAA COW: Benchmarking Survey Results – Disaster Recovery • 50.6% test their Disaster Recovery Plan • 39.5% did not answer the question • Of those that answered the question (open-ended) as to how often they test their Disaster Recovery Plan, majority stated annually

  26. Committee Interpretation • Why not meeting the Standard? • Challenging as not a static condition • Very complicated • Cost/benefit analysis • Lack of consequences • Productivity pressures

  27. Committee Interpretation • Are these really disaster recovery plans or just disaster response plans? • How does this compare or relate to plans for business continuity? Infrastructure recovery? Critical patient care systems? • Possibly handled by other departments? • Is the Plan being used?

  28. Conclusions/Recommendations • Required specification • Prioritize applications • Test in order of priority • Consider the time it takes for the entire system to recover

  29. Conclusions/Recommendations • Recovery should be intrinsic to implementation of new applications • Get started, start small • Resolve with external resources – consultant • Consider the potential consequences

  30. HIPAA COW: Benchmarking Survey Results – E-Mail Retention • 48.2% have an E-mail Retention Policy • 54.3% store all e-mail • 45.7% do not store all e-mail • 73.1% store e-mail back-ups off-site • The length of retention is extremely variable • 2 weeks - forever • Dependent on application, retention policy, type of data, user preference

  31. Committee Interpretation • Without a policy, in response to a legal discovery request, what would you produce? • If is discovered must now be kept • Implications of e-discovery law

  32. Conclusions/Recommendations • Must have a Record Retention Policy • Classify by data type or classification, not medium • Decision for retention is “what” data is retained and for how long, regardless of what format the data is in • Create a Records Retention Schedule • Educate and enforce the policy

  33. HIPAA COW: Benchmarking Survey Results – Automatic Log-out/Log-off Network Level • 54.3% employ automatic log-out at the network level • Of those who employ automatic log-out at the network level: • 58.1% implemented log-out times of 10-30 minutes • 34.9% implemented log-outs of less than 10 minutes • Which means: • 93% require log-out times to be less than 30 minutes • Only 7% have implemented log-out times at the network level of greater than 30 minutes

  34. HIPAA COW: Benchmarking Survey Results – Automatic Log-out/Log-off Application Level • 66.3% employ log-outs at the application level • Of those who employ automatic log-outs a the application level: • 52.8% have implemented log-out times of 10-30 minutes • 20% have implemented log-out times of less than 10 minutes • Which means: • 73.6% require lot-out times to be less than 30 minutes • 26.4% have implemented log-out times at the application level of greater than 30 minutes

  35. HIPAA COW: Benchmarking Survey Results – Automatic Log-out/Log-off Physically secured • If work stations are in a physically secured area: • 65.4% still require an automatic log-out • 34.6% do not use automatic log-outs

  36. Committee Interpretation • Log-out times at the network or application level should be less than 30 minutes • Is this really a standard and is there really an increased risk? • Longer log-out times might be acceptable in physically secured workstations or controlled environments (Surgery) – some risk is mitigated

  37. Conclusions/Recommendations • Log-out times at the network or application level should be less than 30 minutes • Even if you have work stations in areas considered to be physically secured, most organizations still require automatic log-out • Per OIG Auditors – use of generic accounts will fail an audit, unless proof this level of access is not to any PHI • Clinical applications must authenticate to the user • Consider generic accounts to log on to network

  38. HIPAA COW: Benchmarking Survey Results – Passwords Network Passwords • 46.9% require network passwords to be changed every 30-90 days • 37% requirepasswords to be changed after more than 90 days • 13.6% never require passwords to be changed • 92.4% have a minimum password length at the network level • 84% require passwords to contain 6-8 characters • 5.3% require network passwords to contain 9-12 characters • Which means: • 89.3% require passwords to be at least 6 characters in length

  39. HIPAA COW: Benchmarking Survey Results – Passwords Application Passwords • 45% require application passwords to be changed every 30-90 days • 33.8% require passwords to be changed after more than 90 days • 20% never require passwords to be changed at the application level • 86.1% have a minimum password length for passwords at the application level • 86.4% require passwords to contain 6-8 characters • 1.5% require application passwords to contain 9-12 characters • Which means: • 87.9% require application passwords to be at least 6 characters in length

  40. Committee Interpretation • There appear to be a clear agreement regarding password length • Are the users allowed to determine how frequently their password is changed? • Are password requirements for applications, dependent upon the application?

  41. Conclusions/Recommendations • Consider the NIST recommendations • If you are an organization who does not ever require network passwords to be changed, it is highly recommended that you change your policy • If you are an organization that allows passwords to be less than 6 characters in length, it is highly recommended that you change your policy

  42. HIPAA COW: Benchmarking Survey Results – Portable Media • 63.8% indicate they have a policy covering portable/mobile devises • 36.3% have no policy • 49.4% allow PHI to be loaded on portable media • 50.6% do not allow PHI to be loaded • Of those who allow PHI to be loaded on portable media: • 68.4% require the data to be password protected or encrypted • 31.6% have no requirements to password protect or encrypt the data

  43. HIPAA COW: Benchmarking Survey Results – Portable Media • 50% state their policy is that no PHI can be loaded on portable media • 78.9% indicate they are not confident they know the number of portable devises used by their employees • 21.2% are confident they know the number of portable devises used by employees • 72% of those who took the survey did not answer this question

  44. Committee Interpretation • The Committee finds this scary! • Portable media containing PHI has triggered many of the initial complaints to federal agencies resulting in investigations • We want to meet the 21.2% are confident they know the number of portable devises used by employees

  45. Committee Interpretation • If your policy states that PHI cannot be loaded on portable media, how do you audit or enforce? • Without a policy, in response to a legal discovery request, what would you produce? • Does encrypting a laptop solve this?

  46. Conclusions/Recommendations • We still recommend having a written policy in place to hold employees responsible and accountable and to help protect the organization from individual’s wrong-doing • Even if you are not sure how to enforce a policy or feel employees can still violate confidentiality rules • Don’t forget about your vendors

  47. HIPAA COW: Benchmarking Survey Results – Remote Access • 81.3% confirm they have a Remote Access Policy • 86.1% also state they allow employees with remote access to access applications containing PHI • 72.3% state they audit the remote access of employees

  48. Committee Interpretation • If you allow remote access, how do you monitor or prevent printing of PHI? • How do you protect internal networks from non-enterprise owned PCs? • Is limiting file transfers an option? • Results not dependent on the size of an organization

  49. Conclusions/Recommendations • Really only 2 options: • Restrict the use of PCs not owned/controlled by organization • Run the risk and manage through policies, education and enforcement - attestation • If you remove the driver on the terminal printer, users cannot print at home • Utilize a VPN • Create good policies and enforce them • Consider your business objectives/alternative technologies

  50. HIPAA COW: Benchmarking Survey Results – Auditing • 53.9% responded that they conduct regularly scheduled audits to determine if PHI is accessed inappropriately • 46.1% do not audit for inappropriate access • 86.8%, indicate they have a formal sanction policy for employees who inappropriately access PHI

More Related