HIPAA: Federal regulations regarding patient Security
Underlying principles for security
• Ensure the confidentiality, integrity & availability of electronic Protected Health Information (ePHI)
• Use safeguards to protect ePHI
Core requirements of HIPAA security
• Designate a security official
• Ensure the confidentiality, integrity & availability of all ePHI that a covered entity creates, receives, maintains or transmits
• Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI
• Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required by the HIPAA Privacy Rule
• Ensure compliance by the workforce
Security standards
• Effective April 21, 2005
• Contains 18 standards under three safeguard categories
• 14 required specifications
• 22 addressable specifications
Security Standards
• HITECH - The Health Information Technology for Economic and Clinical Health
• Effective February 18, 2009
• To promote the adoption and meaningful use of health information technology
• You can be held criminally liable for knowingly obtaining and disclosing PHI in violation of HIPAA
  • Fines up to $250,000
  • Up to 10 years in prison
• You can be personally sued by a patient claiming that the privacy of their PHI was violated
Three protection categories
• Confidentiality
  • Data is used or disclosed by authorized persons for authorized purposes
• Integrity
  • Data has not been altered or destroyed in an unauthorized manner
• Availability
  • Data is accessible & useable upon demand by authorized persons
Three safeguard categories
• Administrative
• Physical
• Technical
Administrative safeguards
• Maintain security through risk analysis & management
• Conduct regular system activity reviews
  • Audit logs, access reports, incident tracking
• Enforce workforce security through clearance procedures, authorization & access controls
• Train all workforce members on computer security
• Track, report & respond to suspected or known security incidents
• Establish a contingency plan to ensure availability of ePHI during emergencies or natural disasters
Physical safeguards
• Limit physical access to electronic information systems to appropriate persons to prevent tampering or theft
• Allow facility access to support disaster recovery efforts & emergency operations
• Document repairs to the physical components of the security system & facilities
• Restrict workstation access & activity to authorized users & authorized functions
• Manage receipt, removal & disposal of hardware & electronic media
Technical safeguards
• Use technical measures to control access to systems that maintain ePHI
• Provide for unique user identification
• Ensure necessary access to ePHI during emergencies
• Implement audit controls that record & examine system activity
• Protect ePHI from improper alteration or destruction
• Ensure transmission security
Risk assessment
• Must be “accurate and thorough”
• Provides rationale for decisions about addressable specifications
• Basic components
  • Threats & vulnerabilities
  • Likelihood of exploitation
  • Existing countermeasures
  • Control recommendations
KUMC Approach
• Adapt existing assessment tools (NIST 800-26)
• Conduct risk assessment (every two years)
  • Network
  • Servers
  • Departments
  • Workstations
  • Applications
• Evaluate administrative, physical & technical safeguards in each of the above areas
Existing practices (to name a few)
• Firewalls
• Remote access through VPN
• Limited public “visibility”
• Ongoing intrusion detection
• Role-based access
• Anti-virus plan
• Patch management
• Background checks
• Electronic signature
• Unique user IDs
• Strong passwords
• Disaster recovery plans
• Established backup procedures
• Documented policies & procedures
• Transmission encryption methods
• Biometrics
• Proximity sensors
• Implanted chips
QUESTIONS
Sherry Callahan, CISSP, CISA, CISM
Director of Information Security
scallahan@kumc.edu
913.588.0966

Juli Gardner, MHSA
KUMC Compliance Program Manager
jgardner3@kumc.edu
913.588.0940