1 / 49

AMC Privacy & Security: Progress & Prospects September 26-28, 2006

AMC Privacy & Security: Progress & Prospects September 26-28, 2006. Clinical Research Track Information Risk Mitigation in the Conduct of Research Susan Miller Health Transactions Lee Olson Mayo Clinics Eric Schmidt Indiana University School of Medicine Darren Lacey

kairos
Download Presentation

AMC Privacy & Security: Progress & Prospects September 26-28, 2006

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. AMC Privacy & Security: Progress & ProspectsSeptember 26-28, 2006 Clinical Research TrackInformation Risk Mitigation in the Conduct of Research Susan MillerHealth Transactions Lee Olson Mayo Clinics Eric Schmidt Indiana University School of Medicine Darren Lacey Johns Hopkins University

  2. HIPAA Enforcement September 27, 2005 Susan A Miller, JD Chief Operations Officer and Privacy Officer, HealthTransactions.com Co-Chair - Southern Healthcare Administrative Regional Process (SHARP) Co-Chair – WEDI/SNIP Co-Chair – WEDI/SNIP Privacy and Security Workgroup Steering Committee – New England HIPAA Workgroup (NEHW)

  3. HIPAA Civil Enforcement • The New Enforcement Rule Proposal: 70 FR 20223. • Comments Were Due by June 17, 2005 • Definitions: • “Persons” are subject to the enforcement rule • “Persons” are: ``a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private” • Violation? New rule clarifies that the Enforcement Rule applies to “Acts” AND “Omissions” • “a violation occurs when a covered entity fails to take an action required by a HIPAA rule, as well as when a covered entity takes an action prohibited by a HIPAA rule”

  4. Who is subject to HIPAA criminal penalties? • June 1, 2005 DOJ Memorandum to DHHS • http://www.worldprivacyforum.org/pdf/hipaa_opinion_06_01_2005.pdf

  5. Scope of Compliance • “Voluntary Compliance Enforcement” originally applicable ONLY to privacy rules, now proposed applicable to ALL HIPAA rules: subpart C applies only to the Privacy Rule • New rule BROADENS the scope • We propose to define the term ``administrative simplification provision'' in Sec. 160.302 to mean any requirement or prohibition established by the HIPAA provisions or HIPAA rules: ``* * * any requirement or prohibition established by: • (1) 42 U.S.C. 1320d-1320d4, 1320d-7, and 1320d-8; • (2) Section 264 of Pub. L. 104-191; or • (3) This subchapter.''

  6. Penalties are PUBLIC!!! • When a penalty proposed by the Secretary becomes final, the Secretary notifies certain specified or appropriate State or local agencies, New rule proposes to add “the public generally.” • 70 FR 20240 • So, in addition to “the appropriate State or local medical or professional organization, the appropriate State agency or agencies administering or supervising the administration of State health care programs, the appropriate utilization and quality control peer review organization, and the appropriate State or local licensing agency or organization, now EVERYONE will know. • Posting to an HHS Web site and/or the periodic publication of a notice in the Federal Register are among the methods which the Secretary is considering using for the efficient dissemination of such information. Id.

  7. Legal Concept • New Rule Adopts Federal Collateral Estoppel Doctrine • § 160.532 Collateral estoppel.When a final determination that the respondent violated an administrative simplification provision has been rendered in any proceeding in which the respondent was a party and had an opportunity to be heard, the respondent is bound by that determination in any proceeding under this part.70 FR 20224, 20256

  8. Compliance Stepping Stones • Complaint and Investigation • Subpart C • Imposition Civil Monetary Penalties • Subpart D • Procedures for Hearing • Subpart E

  9. WHAT TO DO IF THE OCR or CMS KNOCKS ON YOUR DOOR • How are improper uses and disclosures of PHI or breaches of security brought to your attention? • When to provide a compliant to your lawyer? • Internal investigation – 8 Steps • Stop all further actions by staff • Engage in initial fact-gathering • Establish a response team • Have the response team or privacy officer conduct a formal investigation • Formulate a corrective action plan • “Account” for the erroneous disclosure (if required) • Apply appropriate sanctions to employees who disclose PHI or breached security in violation of the law • Consider proactively disclosing an incident to the consumer, if the consumer is not already aware of it – Caution – “don’t try this at home”, call your attorney

  10. WHAT TO DO IF THE OCR or CMS KNOCKS ON YOUR DOOR • What happens if the OCR decides to impose a civil monetary penalty on your organization? • What should you do if the OCR investigates, finds a violation and does not impose a civil monetary penalty? • BEWARE

  11. Thank You • Questions • Susan.Miller@HealthTransactions.com • TMSAM@aol.com • www.SharpWorkGroup.Com

  12. Information Security Risk Mitigation in Research Lee Olson Mayo Clinic

  13. Mayo Clinic high level compliance documentation Security Management Process Implement policies and procedures to prevent, detect, contain, and correct security violations.

  14. Observed Risks in Research • Unauthorized devices connected to network • PHI on desktops & portables • Lack of backup • Nonstandard configurations • Limited data sets • External PHI transfer • Tracking authorizations • Information theft

  15. THREE LAYERS OF SECURITY PERIMETER CONTROLS Standards COMMUNICATIONS BETWEEN SYSTEMS Standards REMOTE ACCESS SERVICES APPLICATION LEVEL FIREWALLS Standards Authentication Authorization Audit INTRUSION DETECTION VULNERABILITY SCANS FOUNDATION SERVICES

  16. Unauthorized devices connected to network: mitigation strategy • STANDARD: Users must not connect unauthorized devices to the Mayo network. Exceptions include: • Personally owned devices authorized for remote access • Devices necessary to fulfill obligations under defined business relations • Devices used for institutional education, training or professional presentations

  17. Unauthorized devices connected to network: mitigation strategy • Partner with Research Computing Facility to enforce standard • Conduct quarterly wireless scans to detect and locate • Provide education & training to labs

  18. PHI on desktops & portables: mitigation strategy • STANDARD: Each entity will determine the efficacy of storing Mayo confidential information on portable devices. Portable devices include, but are not limited to, laptop computers, notebook computers, tablet computers and personal digital assistants. [Cross reference local guidance on personal digital assistants] Where permitted the entity will: • Specify risk-appropriate security procedures to include: • Guidance to address on-site, home and travel usage • Storage criteria to address unauthorized access to, and theft of, devices • Recommend technical security controls to include: • User identification and authentication • Data encryption • Disallow contractor use of portable devices for storage, processing and / or transmission of Mayo Confidential information.

  19. Lack of backup: mitigation strategy • STANDARD: All information must have sufficient backup and be recoverable. • GUIDELINES: 1. Multiple levels of backup and storage should be used for critical information. 2. Backup should provide for the loss of multiple cycles. 3. Users of personal computers and other personal digital devices are responsible for backup and recovery of locally stored information. 4. Files and programs should be properly labeled and indexed to facilitate recovery. 5. Alternate fire zone storage facilities should be used for media containing vital data that, if lost or destroyed, would be difficult to recreate. 6. Alternate fire zone storage facilities should be used for files containing patient care programs, program changes, or data that could be used to reconstruct essential systems in the event of a disaster. 7. Backup and recovery procedures should be tested.

  20. Lack of backup: mitigation strategy • Raise awareness and encourage labs to use Research Computing Facility resources where data is backed up. • We are usually able to recover lost data with forensics tools. We do not charge for our services and use the opportunities to educate.

  21. Nonstandard configurations: mitigation strategy • STANDARD: The Information Security Office will develop security baselinesfor devices connected to the network. Foundation Telecommunications and Network Services is responsible for implementation. Devices that do not meet standards are subject to: 1. Removal from the network at any time deemed necessary 2. Logical isolation (quarantine) at any time deemed necessary 3. Remedial action deemed necessary at any time to protect the availability and integrity of the network and devices connected to it 4. A record of device identification, action taken and the reason for the action will be maintained

  22. IN-DEPTH NETWORK SECURITY: EIGHT STRATEGIES TO REDUCING CORPORATE RISK • Know what’s on the network • Establish configuration standards and assign implementation responsibility • Control what’s connected to the network • Articulate and communicate expectations • Create protective architectures to isolate high risk devices • Develop drawbridge capability to quickly isolate network segments • Adopt a more homogenous environment • Centralize management and control

  23. Limited data sets: mitigation strategy If a query against the Life Sciences Warehouse (EMR database + genomics data) returns fewer than 50 de-identified records, no results are forwarded to the researcher to assure patient privacy. All queries are logged to facilitate investigation and reconstruction of events.

  24. External PHI transfer: mitigation strategy • Policy • Develop enterprise level security standards • Process • Committee review of PHI transfer requests • Communications • General awareness & specific guidance for proponents • Tighten Business Associate Agreements • Develop a detailed security addendum

  25. Tracking authorizations: mitigation strategy • Include the requirement to support a research authorization “flag” in systems & databases. • The flag must follow the data from source systems through departmental research systems.

  26. Information theft: mitigation strategy • Raise awareness on information value and what motivates thieves. Understand the enemy. • Watch for equipment junkies– those who bring excessive personal equipment with them: portable devices, CD burners & media. • Watch for those with inordinate interests outside assigned areas. • Get to know and work with your local F.B.I. office. Be tough on crime.

  27. Risk Mitigation in Research Eric W. Schmidt, CISSP, CISM Chief Security Officer Indiana University School of Medicine

  28. Mitigation and the HIPAA Security Rule • HIPAA Security Requirements • Eighteen Standards • Thirty-six Specifications • Six standards do not have corresponding specifications • Twenty “Required” specifications • Twenty-two “Addressable” specifications • Mitigation must address both Required and Addressable specifications 84% solution

  29. Mitigation and the HIPAA Security Rule • Required specifications: • If the specification is “Required” then it must be implemented • Addressable specifications: • If the specification is “Addressable” then the rule states: • “The entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. This decision will depend on a variety of factors, such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation.* • In meeting standards that contain addressable implementation specifications, a covered entity will ultimately do one of the following: (a) Implement one or more of the addressable implementation specifications; (b) implement one or more alternative security measures; (c) implement a combination of both; or (d) not implement either an addressable implementation specification or an alternative security measure.”* • Determining how each of these is handled is mitigation * Reference: 45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule; February 20, 2003; p8336

  30. Case Study – IU School of Medicine IU School of Medicine facts: • Second largest medical school in the United States • Only medical school in Indiana • Nine campuses throughout state • Thirty-six different departments and organizations within IUSM • Practice plans: IU Medical Group – Primary Care and IU Medical Group – Specialty Care • IUSM works closely with Regenstrief Institute, Clarian Health Partners, Wishard Memorial Hospital and the Roudebush VA Medical Center • Research grants awarded for fiscal year 2003-2004 equaled $205,808,544

  31. Case Study – IU School of Medicine • HIPAA Security compliance program began January 2004 • Decision was made to determine level of compliance based on only one threat – “Threat of Non-Compliance” • Mitigation plan would then initially address the 84% solution • Determine, develop, and disseminate required policy, procedures, and documentation • Security measure gaps would be addressed at the university and/or school level in most cases • Gap analysis reports completed and disseminated to all departments and practice plans by EOM August 2004 • Resulting mitigation plans developed and provided to all departments and practice plans by EOM November 2004 • Several large departments pooled resources, formed a committee, and jointly developed various policies and some procedures • Finally, an audit program was developed to measure on-going efforts towards compliance

  32. Case Study – IU School of Medicine Basic response to HIPAA security mitigation can be summed up as: • IUSM addressed the fundamental requirements (policy, procedures, documentation) first • Relative low cost to develop and implement • In most cases departments were already doing the right things, the efforts were just not formally documented • Departments required to address mitigation of policy, procedures, and documentation for their own department/practice plan • Security measures applied at the enterprise level and needed to be addressed from a school-wide (or university) perspective

  33. Mitigation in the Research Arena How is the IU School of Medicine’s approach to HIPAA security mitigation similar to risk mitigation in the research arena?

  34. Mitigation in the Research Arena • IU Research and Sponsored Programs, IUSM Compliance Office and IUSM Security Office worked together to address data security issues in research • New NIH grant requirements outlined the need for a data security plan with each new grant proposal • A Standard Operating Procedure (SOP) was developed in December 2004 to be used by IU researchers primarily involved in human subjects research • This SOP titled “Security of Research Data” jointly applies to both IU and Clarian research • Link to “Security of Research Data” document:http://www.iupui.edu/~respoly/human-sop/SOP%20-%20Security%20of%20Research%20Data%20(EC%20Review%2012-7-04).htm

  35. Mitigation in the Research Arena • The objectives for this SOP are: • To define expectations regarding Principal Investigator and research team member responsibilities in appropriately safeguarding all basic and clinical research data, whether or not it includes Protected Health Information (PHI) in all forms – electronic, paper and verbal; and • To define procedures and guidelines to help the IUPUI research community and its partners (Clarian, VA, Wishard, etc.) understand what is expected under Indiana University (IU) and Indiana University School of Medicine (IUSM) policy, as well as state and federal laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA.)

  36. Mitigation in the Research Arena • Each research project or center is required to implement an appropriate security plan designed to safeguard the security of research data • This may be delegated to an appropriate person within a Department, School, or Division but the PI is ultimately responsible for communicating needs and for ensuring an appropriate security organizations plan exists. If the PI chooses not to delegate this responsibility, the PI is responsible for developing their own security plan that provides the following: • Description of the local environment, including: • Identification of data inputs; • Locations of collections of data; • Explanation of the type of data collected and a data flow diagram; and • Explanation of the security controls that will be employed to ensure compliance with this policy

  37. INDIANA UNIVERSITY Eric W. Schmidt, CISSP, CISM Chief Security Officer Eric W. Schmidt, CISSP, CISM Chief Security Officer Gatch Clinical Building, CL583 541 Clinical Drive Indianapolis, IN 46202-5111 Office: 317-278-8751 Fax: 317-278-8885 E-mail: erschmid@iupui.edu Gatch Clinical Building, CL583 541 Clinical Drive Indianapolis, IN 46202-5111 Office: 317-278-8751 Fax: 317-278-8885 E-mail:erschmid@iupui.edu Information Services and Technology Management Contact Information INDIANA UNIVERSITY Information Services and Technology Management

  38. Security in Research Darren Lacey Johns Hopkins University Johns Hopkins Medicine

  39. Information Security Risk in Research • Assessing risk requires thinking about consequences • Security Incidents • Catastrophe • Security Incidents • Researcher gaining access to data through non-standard means • Researcher storing data internally in an insecure manner • Unencrypted e-mail with some E-PHI • Catastrophes – CISO is in the newspaper • Spreadsheet with a thousand patient records sent to the wrong person • Mis-configured server opening up databases to the Web • Lost laptop with unprotected patient records

  40. Preventing Incidents • First objective – authorization • EMR access • Close attention to systems of record that feed authorization lists • Second objective – limit circumvention • Many environments are, at best, neutral to security • Circumvention of security standards and technology are usually much worse than weaker standards or no standards at all • Third objective – technical access control • Limited technical options for controlling access for those with systems access • Record-by-record access control would be difficult to implement and easy to circumvent • “Gotcha” approach to access may make catastrophes more likely as users work there way around a system • Solution 1 -- Policy, Awareness, Training • Solution 2 – Routine audits and judicious discipline

  41. Thinking about Catastrophes • Assume that people will circumvent policy and practice, and that incidents will happen • Create an environment that does not unduly punish violators, so as to prevent catastrophes • Provide security advice • Make people aware that they will be held accountable for catastrophes • Never assume that policy alone will prevent a catastrophe • Network and host monitoring • Build security to large data sources (e.g. including research databases)

  42. Research • Administrative access control is generally only maintained at EMR (not research database) levels • There are few technical options for limiting access to clinicians engaged in research • IRB process provides a snapshot into potential access issues • Time-consuming to chase down rights of each investigator • Circumvention is still easy • IRB is critical in setting information security expectations and these can help with preventing incidents and catastrophes

  43. Research security • Begins with the location and type of database • Danger signs • Web applications, Excel, Access • DB in labs or offices • Distributed data sets across sites • Requirements • Professional administration of server in physically secure environment • Administrative access procedures (e.g. long passwords, SSH) • Unique user IDs • Careful with Web interfaces and report writing • IT can help • Centrally managed server farms • Monitoring tools • Guidance and recommendation

  44. Encryption • At rest • Reduce the need by prohibiting storage of PHI on mobile devices or at-risk workstations • This should be communicated clearly and strongly to researchers • Data stored locally can use Windows EFS (with some limitations) • Consider encrypting elements of databases that are particularly sensitive • In transit • Look at encryption of credentials first • Then large scale transmission – FTP, some attachments • Then small transmissions – e-mail • Solutions – secure messaging, Winzip, password protection

  45. Questions or Concerns? Darren Lacey dll@jhu.edu 443-997-2477

  46. Facilitated Questions

  47. Question 1 • On a scale of 1-5 how well do you think your organization is mitigating potential risks presented by research?

  48. Question 2 • What steps is your organization taking to mitigate the security risks presented by research?

More Related