Learn why healthcare faces cyber threats, the costs of breaches, best practices for defense, and the importance of HIPAA compliance in this insightful session. Join us to safeguard your business!
Where HIPAA Compliance and Cyber Security Intersect: Are You Protected? Carol Albaugh, Technical Solutions Consultant, VGM Group, Inc. Kelly Grahovac, Senior Consultant, The van Halem Group
Please Complete Your Evaluation Everyone should have received an evaluation form upon entering the session. Please complete evaluation form and turn in to room monitor as you exit the session. Or, you can complete your evaluation in the mobile app. Locate the session in the app and tap on the clipboard icon to begin the survey. Please help us keep the Medtrade Spring Education sessions the best in the industry by completing an evaluation for every session you attend! Your feedback is very valuable to us and will be used in planning future Medtrade Spring events! Connect with us on Social Media Twitter: @MedtradeConnect Instagram: @MedtradeConnect Facebook: facebook.com/medtrade #MedtradeSpring19
BUT…. • The majority of breaches in the U.S. affect small to medium-sized businesses • Lack of IT expertise • Lack of resources for sophisticated IT security staff • 67% do not use web-based security • 61% do not use antivirus on all computers • 60% of small businesses will go out of business within a year of having a major breach Current State of Cyber Threats
Current State of Cyber Threats • The costs of a healthcare breach are skyrocketing: • $402/patient record • Fines and fees from regulatory enforcement (HIPAA/HITECH) • Patient and media notification expenses • What’s not covered in that cost… • Brand reputation damage – loss of contracts and referrals • Loss of business revenue • Attackers have become more sophisticated • They operate as a stand-alone criminal enterprise or behind a legitimate business front • Their employees get salaries and full benefit packages!
Healthcare is now the #1 target for hackers • Healthcare data is rich with information hackers can make money on: • Patient Names & Addresses • Social Security Numbers • Date of birth • Insurance/Medicare ID • Cell phone numbers • Credit card/checking account numbers • EACH of these data points is valuable on the cyber black market – together, they are a gold mine! Why Health Care?
Don’t know where to start • Limited visibility into systems • Unprepared for an attack • Ever changing landscape • HIPAA compliance SMB Health Care Pain Points
“If you haven’t suffered a cybersecurity breach you’ve either been incredibly well prepared, or very, very lucky… Are you incredibly well prepared?”
Technology: • Vulnerability Assessments • Penetration Testing (ethical hacking) • Compliance/Regulatory: • Compliance & Regulatory Risk Assessment • HIPAA • HITRUST • Breach Protection (reactive response) • Incident Response Plan • Cybersecurity Insurance • People: • Employee Awareness Training • Security & Privacy Strategy Cyber Security Road Map
Update company software as soon as updates are released, this will patch security vulnerabilities • Develop a schedule for regularly backing up sensitive files • Keep confidential information and important files backed up in a remote location not connected to your network • Protect your infrastructure by using proper firewalls, anti-virus, web filtering, email filtering, access levels, etc. • Develop a protocol for reporting all suspicious activity/incidents Best Practices to Protect Your Business
Hire third-party experts to expose threats and offer best practices • Perform a Risk Assessment • Review your BAA, who is liable for what • Have IT policies & update annually to address newer technologies and increasing cyber threats • Communicate changes with staff members • Train your staff about the types of cyber threats & identify suspicious emails/attachments/websites • Purchase Cyber Liability Insurance! Best Practices to Protect Your Business
“Cyber is uncharted territory. It’s going to get worse not better and it’s a bigger threat to humanity than nuclear weapons.” -Warren Buffett Prepare for the Future
"You can't have privacy without security, but you can have security without privacy." - Daniel Farris, attorney/partner and co-chair of the technology group at law firm Fox Rothschild LLP Compliance Security
Privacy Regulations: • Govern how healthcare facilities use and share ePHI • Security Regulations: • Cover measures that curtail unauthorized access to ePHI, including the use of IT capabilities. HIPAA broadly divides specifications among its Privacy and Security Rules Privacy and Security Rules
Do you have a HIPAA Compliance program in place? • Do you incorporate HIPAA Training annually? • Do you have a current Security and Risk Assessment on file? • Do you have Business Associate Agreements in place for all entities that may come in contact with your PHI? Poll
Health Insurance Portability and Accountability Act • HIPAA’s intent is to reform the healthcare industry by: • Reducing costs • Simplifying administrative processes and burdens, and • Improving the privacy and security of patients’ information HIPAA Overview
It’s the law • Increased usage of data • OCR and OIG Hotlines • OCR audits • Insurance Why have a HIPAA Compliance Program?
Phases 1 and 2 completed, OCR preparing for Phase 3 • Intended to be non-punitive, but OCR can open up compliance review • Learn from this next phase in structuring permanent audit program • Develop tools and guidance for industry self-evaluation and breach prevention • OCR will use findings to: • Identify best practices, • Uncover risks and vulnerabilities, • Detect areas for technical assistance, and • Encourage consistent attention to compliance OCR Audits
A real compliance program exists today, existed last year, is shared with staff, is reviewed, and is maintained regularly • Anything less risks a finding of willful neglect HIPAA Compliance Program
Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. • 45 CFR §160.401 Willful Neglect
2015 - $6,193,000 • 2016 - $23,504,800 • 2017 - $19,393,000 • 2018 - $25,635,400 • 2019 - $3,000,000 (year to date as of this presentation) OCR Fines
Compliance Officer • Existing or new employee • Develops and oversees corporate compliance program – to include HIPAA • Privacy Officer • Oversees all activities related to the development, implementation, maintenance, and adherence to the organization’s policies and procedures covering the privacy and access to patient health information • Security Officer • Developing and implementing policies and procedures to safeguard PHI • Identifying and evaluating threats to the integrity of PHI • Developing and implementing action plans for addressing risks to PHI Building your compliance team
The compliance team will be the main contact for: • Identifying individuals responsible for HIPAA compliance and defining responsibilities • Performing an updated SRA • Managing all BAA’s and other HIPAA related documentation • Establishing and maintaining an ongoing HIPAA awareness training program • Breach and incident reporting - Know the requirements and act accordingly! Building your compliance team
Policies and Procedures • Security and Risk Assessment • Awareness Training • Business Associate Agreements Core Compliance Components
Helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards • Reveals areas where your organization’s PHI could be at risk • Should be updated on an annual basis • Most commonly missing or incomplete item in a provider’s compliance program Security and Risk Assessment
CardioNet paid HHS $2.5 million to settle potential noncompliance with the HIPAA Privacy and Security Rules • Employee laptop containing the ePHI of 1,391 individuals was stolen from a parked car • OCR’s investigation revealed: • Insufficient risk analysis and risk management processes in place at the time of the theft • Policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. • Unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices. Violation – Insufficient SRA
Any company or person outside your organization that has access to PHI or ePHI should sign a BAA • Ensure all BAA’s are in place with an audit • Store BAA’s in one place with access available to internal management • Include BAA language in your policies and procedures Business Associate Agreement
The Center for Children’s Digestive Health (CCDH) paid HHS $31,000 to settle potential violations of the HIPAA Privacy Rule • OCR initiated a compliance review following an investigation of a business associate, FileFax, Inc. • While CCDH began disclosing PHI to FileFax in 2003, neither party could produce a signed Business Associate Agreement (BAA) dated prior to Oct. 12, 2015 Violation - Missing BAA
The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI • 500 or more individuals: Must report without unreasonable delay and no later than 60 calendar days from the date of discovery • Less than 500 individuals: Must report within 60 days of the end of the calendar year Breach Reporting
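The two deadlines above are easy to get wrong in practice because they are measured from different anchors: a large breach is counted from the date of discovery, a small breach from the end of the calendar year in which it was discovered. The following is an added example (not part of the original deck or any product it mentions) that turns those two rules, exactly as stated on the slide, into a deadline calculator and a simple triage over a constructed incident log. The incident records, the threshold constant and the "today" date are assumptions for illustration. It computes only the latest permissible date for the HHS report; "without unreasonable delay" means you should report sooner, it does not model the separate individual and media notification duties, and it applies only to breaches of unsecured PHI as the rule defines them.

```python
"""Breach-notification deadline triage (added example, not from the original deck)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Both values are taken from the slide's summary of 45 CFR 164.400-414.
LARGE_BREACH_THRESHOLD = 500  # individuals affected
REPORTING_WINDOW_DAYS = 60    # calendar days


@dataclass(frozen=True)
class BreachRecord:
    """One entry from a (constructed, hypothetical) breach log."""
    incident_id: str
    discovered_on: date
    individuals_affected: int


def hhs_reporting_deadline(discovered_on: date, individuals_affected: int) -> date:
    """Latest date on which HHS must be notified.

    500 or more individuals: 60 calendar days from discovery.
    Fewer than 500: 60 days after the end of the calendar year of discovery
    (note this lands on Feb 29 when the following year is a leap year).
    """
    if individuals_affected < 0:
        raise ValueError("individuals_affected must be non-negative")
    if individuals_affected >= LARGE_BREACH_THRESHOLD:
        return discovered_on + timedelta(days=REPORTING_WINDOW_DAYS)
    year_end = date(discovered_on.year, 12, 31)
    return year_end + timedelta(days=REPORTING_WINDOW_DAYS)


def triage(records: list[BreachRecord], today: date) -> list[tuple[str, date, int]]:
    """Return (incident_id, deadline, days_left) per record, soonest deadline first.

    A negative days_left means the HHS report is already overdue.
    """
    rows = []
    for rec in records:
        deadline = hhs_reporting_deadline(rec.discovered_on, rec.individuals_affected)
        rows.append((rec.incident_id, deadline, (deadline - today).days))
    return sorted(rows, key=lambda row: row[1])


# Constructed sample log (hypothetical incidents, not real cases).
SAMPLE_RECORDS = [
    BreachRecord("INC-001", date(2019, 1, 15), 1391),   # large breach: 60 days from discovery
    BreachRecord("INC-002", date(2019, 3, 4), 40),      # small breach: 60 days after 2019-12-31
    BreachRecord("INC-003", date(2018, 11, 30), 120),   # small breach discovered last year
]


if __name__ == "__main__":
    # Assumed "today" so the run is reproducible offline.
    for incident_id, deadline, days_left in triage(SAMPLE_RECORDS, date(2019, 3, 10)):
        status = "OVERDUE" if days_left < 0 else f"{days_left} days left"
        print(f"{incident_id}: report to HHS by {deadline.isoformat()} ({status})")
```

Run as a script it lists the three constructed incidents soonest-deadline first; the small breach discovered in late 2018 is already overdue on the assumed date, which is exactly the case that gets missed when a team tracks only "60 days from discovery".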
(September 2009 – December 31, 2017) • Approximately 2,178 reports of breaches of PHI affecting 500 or more individuals • Theft and loss account for 46% of large breaches • Hacking/IT incidents now account for 19% • Laptops and other portable storage devices account for 25% of large breaches • Paper records account for 21% of large breaches • Approximately 176,589,175 individuals affected • Approximately 307,061 reports of breaches of PHI affecting fewer than 500 individuals HIPAA Breach Highlights
How you communicate HIPAA policies and guidelines with your employees • The program should, at a minimum, include the following: • HIPAA Policies & Procedures • Should also be provided to employees and require a signature acknowledging they have read and understand • Regular awareness training (phishing, email, etc.) • Well defined escalation policies and procedures HIPAA Awareness Program
Ensures compliance among covered entities with the HIPAA Administrative Simplification rules for electronic health care transactions • Currently restricted to two types of HIPAA-covered entities: • Health Plans • Clearinghouses • CMS has authority to investigate HIPAA transaction complaints and conduct compliance reviews for: • Standards • Code sets • Unique identifiers • Operating rules • OCR manages complaints related to the HIPAA Privacy and Security Rules CMS Compliance Review program
HIPAA compliance is an ongoing effort and must be addressed and updated on a regular basis • The time to get started is right now! Any effort is better than doing nothing • Safeguard against willful neglect “egregious cases” • Finalize policies & procedures and make sure all employees are aware • Have all BAA’s, finalized P&Ps, HIPAA policies, SRAs, and training materials in one easily accessible location Best Practices - HIPAA Compliance
Come see us in Booth #615! Sign up at Medtrade and receive a 50% discount on your implementation fee! Medtrade Specials
Carol Albaugh Technical Solutions Consultant VGM Group, Inc. 319-874-4797 Carol.Albaugh@vgm.com Kelly Grahovac Sr. Consultant The van Halem Group 404-343-1815 Kelly@vanHalemGroup.com Questions???
The van Halem Group/The VGM Group, Inc. @vanHalemGroup The Details Matter - blog.vanhalemgroup.com Kelly Grahovac/Carol Albaugh Stay Connected