HIPAA Security: Does Anybody Really, Really Care ?
Todd Fitzgerald, CISSP, CISA, CISM
Medicare Systems Security Officer, National Government Services
HIPAA COW Fall Conference, Stevens Point, WI
September 21, 2007, 9AM-10:15AM
Company Background
• Largest processor of Medicare claims contracted by the Centers for Medicare & Medicaid Services (CMS)
• Serve over 22.5 million people with Medicare in 26 states and 5 US territories
• Processed over 208 million Medicare claims totaling $87.9 billion in 2006
• ISO 9001:2000 certified company
• Part of WellPoint (NYSE: WLP), the nation's largest health insurer (43,000+ associates)
• Fortune 50 company (#35)
My Bio
Employment, The Past 6 Years….
• Currently Medicare Systems Security Officer for National Government Services
• Formerly known as United Government Services (UGS) prior to the WellPoint/Anthem merger; AdminaStar Federal, Empire Medicare Services & UGS combined to form NGS
The Prior X Years…
• Odd Information Technology jobs in Wisconsin, Oklahoma, Texas, Pennsylvania & Delaware
The Other Stuff
• Speak and write on security issues I find interesting (and EVERYONE ELSE should also)
• 2 kids, both have health insurance because they are in college
• I think I live in Downtown Milwaukee
• Started HIPAA COW Security Taskforce; HIPAA COW Board Member
Ok, Back To Why We Are Here.. The Question: HIPAA SECURITY: Does Anybody REALLY, REALLY CARE?
And The Answer IS…. (This slide is intended to be blank. Or was it ? Was it here originally ? Did one of you take it ?)
Security Is THE Enabler of Healthcare Transactions
• HIPAA
• E-Health Initiatives
• RHIOs
• Healthcare Quality
• Patient Safety
• Information Access
• Information Exchange
• Privacy Rights
• Electronic Medical Record/Personal Health Record
Medicare Cares About Security • 450 Security Controls • Medicare Reform consolidating 15+ data centers into 3 • Rigorous security self-assessments • Continuous audits • Staff dedicated to security
Remember HCOW Security Rule Presentation ? January… 200X
Protected Health Information, surrounded by:
• Administrative Procedures
• Physical Safeguards
• Technical Security Services
• Technical Security Mechanisms
5 years of HIPAA Security Accomplishments • Increased Organizational awareness and education of security issues • Assignment of security responsibility • Communication of the concept of “risk” • More thoughtful attention to need-to-know principles of security • Mapping between HIPAA controls and other frameworks
Healthcare Security Breaches Making The Headlines.. • Inadequate Security Attention • Staff Improperly Trained • Misplacement of Data • Access beyond that required for job
2006 Top 10 Healthcare Security Breaches • Theft of computer disks and tapes containing records of 365,000 Providence Home Services patients • Veterans Affairs laptop stolen from an employee's home, containing 26.5 million names and claims data • Sisters of St. Francis, Indiana temporarily lost 3 CDs containing records of 260,000 patients when a computer was returned to a store.
2006 Top 10 Healthcare Security Breaches • Stolen laptop Vassar Brothers Medical Center – 257,800 former patients • 2 Employees stole 25,000 patient records from Kaiser Permanente to apply for credit cards • Georgia-based PSA Healthcare reported 51,000 records on stolen laptop left in car • Nurse from Beaumont Hospital – 28,000 records from laptop in car
2006 Top 10 Healthcare Security Breaches • Aetna – 59,000 members from laptop in car • Hospital Chain HCA Inc, 10 computers stolen containing 15-18K Medicare beneficiaries • Front-desk operator sold patient information on 1,100 people to a cousin for submitting fraudulent Medicare Claims. Source: Report on Patient Privacy, December 2006
And The List Is Growing
• California Department of Health
• California Department of Mental Health
• St. Joseph's Hospital
• A Who's Who of Fortune 500 Companies..
CMS Rationale for Publishing Guidance for Remote Use and Access to EPHI • Increased risk to protected health information • Associated with increased remote access to EPHI • Increase in workforce mobility • Increase in offsite availability of EPHI • Increase in use of portable media storage devices • Recent remote access security related incidents • Reported loss or theft of laptops containing EPHI • High profile incident involving Medicare Beneficiary data being “left” on a hotel computer by an employee of contracted health plan • Reported access to health information by unauthorized users Source: Presentation, Office of eHealth Standards and Services, CMS
CMS Responds December 28, 2006 With Portable Device/Remote Access Security Guidance • Risk analysis determines business necessity • Policies, procedures, workforce training, permitted access must be consistent with Privacy/Security Rule • Access, storage, and transmission processes must be in place
CMS Guidance Highlights The Risks Of Portable Device/Remote Access of EPHI
Access
• Logon/password lost or stolen
• Employee unauthorized offsite access
• Unattended workstations
• Contamination of remote access system
Storage
• Laptop/portable device lost or stolen
• Loss of data
• Inappropriate device disposal
• Data left on public external device
• Contamination
Transmission
• Data intercepted or modified
• Contamination
CMS Suggests Potential Mitigation Strategies To Address The Risk Areas
Access
• Two-factor authentication
• Technical user name processes
• Clearance procedures, role-based access, sanctions, training
• Session termination
• Personal firewalls/anti-virus
Storage
• Track hardware
• Lock mechanisms
• Password protect files
• Encryption
• Ensure security updates
• Backup and archival policies
• Prohibit download w/o justification
• Training, anti-virus
Transmission
• Prohibit open network transmission
• Prohibit offsite devices for email
• Prohibit wireless access points
• Secure email
• SSL, HTTPS, strong encryption for EPHI
• Anti-virus
Medicare Does Not Like Headlines Either, Hence The Following Internet Policy: “Transmission of and/or receipt of health care transactions (claims, remittances, etc.) or other CMS sensitive data over the Internet is prohibited at Medicare business partners (or their agents). Practically, this prohibition means that CMS requires the use of private networks or dial-up connections with any entity that transmits or receives health care transactions and/or CMS sensitive data to or from the Medicare contractor. CMS is closely following the healthcare industry’s movement toward the adoption of industry-wide security technologies that ensure the confidentiality, integrity, and availability of data moved over the Internet and will reconsider the policy at the appropriate time. - CMS Business Partners Systems Security Manual
Percentage of Those Reporting Compliance With Security Rule: High
(chart; values not preserved)
Source: AHIMA State of HIPAA Privacy and Security Compliance, April 2006
More AHIMA Findings Indicate Security Compliance Is Improving • 100% have a security officer, 65% full-time • Security task forces decreasing (86% in 2004 to 59% in 2006) • 54.3% updated systems/applications to comply with the security rule • Firewalls (40.4%) • VPNs (25.9%) • Anti-virus/spam (38.2%) • Data backup technologies (30.2%) • 31% involved in RHIOs • Newsletters (64.6%), staff meetings (68.8%) and reminders (56.3%) are the predominant methods of training • "It appears security regulations were easier to implement than the privacy rule." Source: AHIMA State of HIPAA Privacy and Security Compliance, April 2006
Phoenix Health Survey Indicates Attention Still Needed • Providers are of particular concern: 56% implemented security standards (vs. 80% of payers) • 49% of hospitals with 400 or more beds compliant • 70% of hospitals with <100 beds and of large physician groups compliant • Breaches remain a concern: 39% of providers and 33% of payers experienced a breach in the last 6 months • Claims of full compliance; gaps remain • Agree that HIPAA implementation created greater attention to patient privacy and security • Budget constraints, other higher priority projects, complex infrastructures slowing progress Source: Phoenix Health Systems/HIMSS Summer 2006 survey
And WEDI Notes There Are Still HIPAA Gaps • PHI data posted on bulletin boards for training • Lack of policies and procedures • Portable devices being used without training • Lack of remote device/storage media inventories • Visitor access to PHI areas • Out of date disaster recovery planning • Lack of formal audit process • Lack of regular, periodic security assessments, risk analysis with security rule Source: WEDI Testimony 5/1/2007 to NCVHS Subcommittee
Are We Improving Security ? At What Level Do We Have Minimum Security ?
Today's Key Challenge In Many Organizations
• Policy
• Procedure
• Implemented
• Tested
• Integrated
Or.. Are We Improving Security Compliance ?
• POLICY: Close and lock windows at the end of the day
• PROCEDURE: Check latch; log window checked
• IMPLEMENTATION: Maintain evidence in log book for auditors
CMS Office of External Affairs Enforcement Statistics • Complaint driven • 28,000 Privacy complaints filed with OCR since HIPAA Privacy Rule Issued • 244 Security complaints • FAQs Issued, outreach activities • NIST 800-66 Document revision expected March 2008 • Complaint compliance by attestation vs. inspection/review
Most of The CMS HIPAA Security Complaints Issued Are Due To Human Error • Poor judgment, not malicious intent • Company needs to stress users are the keepers of very confidential data • Good job of documenting policies & procedures, but not training • Access by foolishness • Company has no way to protect • Protections may be complex, company still has responsibility • Wireless devices, USB drives are next large concern area
Security Litigation: What Is The Herd Doing ? Do We Know ? • Reviewed Final HIPAA Security Rule • Established security officer role • Identified gaps • Created mitigation plan • Implemented security controls • No right of private action under HIPAA ……. BUT
RIPPED From The Headlines 2006 North Carolina Appeals Court Allows New Use Of HIPAA In Lawsuit • Psychiatric records disclosed • Patient sues clinic owner for providing password to an office manager • Claim used HIPAA as the standard of care • Suing under negligence, new avenue for plaintiffs? Source: Amednews.com 3/12/2007
Piedmont Hospital Audited In March 2007 For Security By DHHS OIG • "HIPAA Audit Riles Health IT" …Reported June 15, 2007 • Was it a HIPAA audit ? • Will there be more of them ? • Is security enforcement being done by the OIG in the private sector ? • What is the standard of care ? • What implications are there for health care entities ?
Policies & Procedures Requested For 24 e-PHI Security-Related Issues
• Establish/terminate user access
• Emergency IT system access
• Inactive sessions
• Recording/examining activity
• Risk assessments
• Employee violations/sanctions
• Electronic transmission
• Incident prevention, detection, containing
• Regular access review
• Security violation logging
• Monitoring systems and network
• Physical access to systems
• Types of security access controls
• Remote access
• Internet usage
• Wireless security
• Firewalls, routers, switches
• Physical security repair
• Encryption/decryption
• Transmission
• Password and server configurations
• Antivirus software
• Network remote access
• Patch management
…And Please Provide A List of…
• Information systems, network diagrams
• Terminated employees
• New hires
• Encryption mechanisms
• Authentication methods
• Outsourced/contractor access
• Transmission methods
• Org chart for IT, Security
• Systems Security Plans
• All users with access, including rights
• System administrators, backup operators
• Antivirus servers
• Internet access control software
• Desktop antivirus software
• Users with remote access
• Database security requirements/settings
• Domain controllers, servers
• Authentication approaches
Source: "HIPAA Audit: The 42 Questions HHS might ask", Computerworld June 19, 2007
Security Audits Necessary To Ensure Controls Are Functioning
GAO risk management cycle (Central Management at the center), with Audit at each step:
• Assess Risk & Determine Needs
• Implement Policies & Controls
• Promote Awareness
• Monitor & Evaluate
Source: "Learning from Leading Organizations" GAO/AIMD-98-68 Information Security Management
DHHS Office of Inspector General Audits Have An Integrity Mandate • Authority established under the Inspector General Act of 1978 (Public Law 95-452) to: • Conduct & supervise audits related to DHHS programs/operations • Recommend policies to: • Promote efficiency/effectiveness • Prevent/detect fraud and abuse • Provide a means to: • Inform the Head of DHHS and Congress of problems and corrective actions • Protect the integrity of DHHS programs
OIG Conducts/Oversees Multiple Audit Types and Standards • Government audits • Driven by security standards: OMB A-123 • Chief Financial Officer's Audit (FISCAM/NIST) • Medicare Modernization Act of 2003 (Section 912) Audit • Federal Information Security Management Act of 2002 • SAS 70 • HIPAA-based reviews of non-government entities ?
What Is An OIG-Led Audit Like ? Agreed Upon Procedure
• May be co-sourced, or completely outsourced to an external auditor
• Audit entrance conference scheduled 2 weeks in advance
• Agreed Upon Procedures (AUP) issued
• Prepared By Client (PBC) list requested by auditor
• Multiple meetings/interviews scheduled
• Samples selected
• Policies/procedures requested, evidence requested
• Exit conference/draft report
• Corrective actions prepared
• Follow-up meetings
• Closure of findings at next audit cycle; new sample pulled
Process: Request List → Sample Selection → Testing → Findings → Corrective Action
FINAL THOUGHTS: Security Is Ongoing, and It Is Hard To Make Sure NOTHING HAPPENS
Our Security Future… • Increased guidance driven by security events • HIT will drive enforcement/audits • Government audits continue to get more detailed • Company must protect (itself) against human error through: • Policies • Procedures • Training • “Standard of care” bar is increasing
Final Thoughts: Does Anybody Really Care ? • YOU BET ! • Headlines: Trust Inhibitor • Office of Inspector General • Financial Statements • Federal Information Security Management Act (Medicare Reform Mandated Compliance) • Private Litigation, Impacted Consumers • Health Information Technology Success
Thank You !!
Todd Fitzgerald, CISSP, CISA, CISM
Medicare Systems Security Officer
6775 W. Washington St
Milwaukee, WI 53214
Todd.fitzgerald@ugswlp.com
Todd_fitzgerald@yahoo.com