
HIPAA Security Workshop May 20, 2004





Presentation Transcript


  1. HIPAA Security Workshop, May 20, 2004 (Security Rule compliance due April 21, 2005)

  2. Today’s Approach • Introductions • HIPAA: A Brief Overview • Security: What’s the Big Deal? • Your Security Program • Risk Analysis & Management • Required & Addressable Specs • Summary & Closing • Appendix

  3. Introductions

  4. Theresa Stroisch • Business Title: Senior Manager of Training • Responsibilities: Training Management, Strategic Training Delivery, Community Development Vertical • Expertise / Credentials: • Extensive training development and delivery experience

  5. Steve Mortimer • Senior manager, Consulting & Healthcare, NPower NY • Created the HIPAA practice for NPower • Implement HIPAA at NPower NY member agencies • Conduct HIPAA workshops and compliance surveys • Serve as NPower affiliate network HIPAA SME • Senior manager, Health & Provider Life Sciences, Accenture LLP • Led the creation of Accenture’s HIPAA practice: developed the strategy, products, tools, processes, team, Accenture’s in-house HIPAA training program • Led HIPAA projects for major clients (e.g. Carefirst—MD, Ascension—IN) • COO, HIP-NJ • Reengineered care delivery processes across 18 healthcare centers • Implemented 15 new technology initiatives over a 16-month period • Led NCQA & HEDIS quality certification programs • Trained senior management team on leadership & management skills

  6. Today’s Attendees: The Top 10!

  7. HIPAA: A Brief Overview HIPAA

  8. What Is HIPAA? HIPAA was passed by Congress in 1996 to improve portability and continuity of health insurance coverage, to combat waste, fraud & abuse, and to simplify the administration of health insurance.

  9. Who Must Comply? If an organization conducts any of the covered transactions electronically... and is a Healthcare • Provider, • Clearinghouse, or • Payer … then it is a COVERED ENTITY and must comply with all of the federally mandated HIPAA regulations.

  10. The Full HIPAA Regulation Is Extremely Broad
  • Title I: Access, Portability and Renewal
  • Title II: Accountability, Fraud and Abuse
    – Subtitle F: Administrative Simplification: Electronic Transactions and Code Sets; Privacy; Security Standards and Electronic Signatures; Unique Health Identifiers
  • Title III: Tax Related Provisions
  • Title IV: Group Health Plan Requirements
  • Title V: Revenue Offsets

  11. Privacy, TCS & Unique Identifiers
  The HIPAA Privacy Provisions protect the confidentiality of patient medical data by regulating its use and disclosure by all covered entities. Due Date: April 14, 2003
  The HIPAA Transaction & Code Sets (TCS) rule states that covered entities conducting any of the HIPAA transactions electronically must use standardized formats and codes. Due Date: October 16, 2003
  HIPAA requires Unique Identifiers for each player in the health care industry… though to-date, only the Employer ID has been finalized. Due Date for Employer ID: July 31, 2004
  • Employer Identifier: Federal Employer Identification Number (EIN) (tax ID); 9 digits separated by hyphen (e.g., 00-0000000)
  • Provider Identifier: New 8 character alphanumeric or 10-digit numeric w/ check digit
  • Health Plan Identifier: No proposed standard
  • Individual Identifier: No proposed standard; on hold

  12. The Major Components of HIPAA Vary in Their Org. vs. IT Implications: It’s not an IT thing! [chart: Privacy, Security, Unique IDs and TCS plotted by IT implications (Low to High) against process and organizational implications (Low to High)]

  13. Penalties for Noncompliance
  Criminal Penalties
  • $50,000 fine & 1 yr. prison: knowingly obtain & wrongfully disclose
  • $100,000 fine & 5 yrs. prison: obtain & disclose under false pretenses
  • $250,000 fine & 10 yrs. prison: obtain & disclose for commercial advantage, personal gain or malicious harm
  • Biggest Penalty: Litigation
  Civil Penalties
  • $100 for each knowing failure to comply with a provision or requirement
  • $25,000 annual cap on multiple violations of the same provision or requirement
  • Biggest Penalty: Bad Press

  14. Security So What’s the Big Deal??

  15. Security Threats Can Originate In Many Areas … • Undetected Attack • Compromised Workstation • Compromised Passwords and Perimeter • Unauthorized Insider Access • Deceived User • Compromised Server/Application

  16. Security Breaches Are Pervasive & Expensive… & the Risks Are From Both Outside & Inside the Organization
  • Of 643 surveyed organizations, 90% had detected security attacks.
  • 99% of reported intrusions use known weaknesses. Source: The Computer Emergency Response Team (CERT)
  [chart values: 79%, 39%, 25%, 21%; categories: Detected system penetration by outsiders; Detected unauthorized access by insiders; Detected 2 to 5 incidents; Detected >10 incidents]
  The Computer Security Institute (CSI) is an association of information security professionals. This information resulted from a survey of 643 corporations, government agencies, financial institutions, medical institutions, and universities.

  17. Security Problems Are Common… • Security policies in place but little compliance tracking • Inability to articulate the case for security to obtain requisite budget • Security technology skills shortage • Security investments not always focused on greatest return • Combination of mile and millimeter depth of protection • Cumbersome security provisions for end users • Gaping holes in operating systems and applications • Poor integration into the process of technology deployment • Access not eliminated when employees leave the company • Highly manual processes for security administration
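  Two items on that list, “Access not eliminated when employees leave” and “Highly manual processes for security administration”, are the ones a periodic script can catch. What follows is an added example, not part of the workshop material or NPower’s tooling: it reconciles a constructed HR roster against a constructed directory/account export and flags accounts that should have been removed, accounts with no owner on the roster, shared logins with no individual owner (which defeat the unique-user-ID control), logins that occurred after a termination date, and enabled accounts with no recent use. The CSV column names, the 90-day stale threshold and the as-of date are assumptions.

```python
"""Added example, not from the workshop: reconcile an HR roster against a
directory/account export to find access that should have been removed.
Both inputs are constructed sample data; the column names, the 90-day
stale threshold and the as-of date are assumptions."""
import csv
import io
from datetime import date

HR_ROSTER = """employee_id,name,status,termination_date
E100,Jane Doe,active,
E101,Mark Smith,terminated,2004-03-31
E102,Tina Lee,active,
"""

DIRECTORY_EXPORT = """account,owner_employee_id,enabled,last_login
jdoe,E100,true,2004-05-18
msmith,E101,true,2004-04-02
tlee,E102,true,2004-01-10
nurse_station,,true,2004-05-19
oldtemp,E999,false,2003-11-01
"""


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_accounts(hr_rows, dir_rows, as_of, stale_days=90):
    """Return (account, issue) pairs for every account that needs action."""
    hr = {row["employee_id"]: row for row in hr_rows}
    findings = []
    for acct in dir_rows:
        name = acct["account"]
        owner = acct["owner_employee_id"]
        enabled = acct["enabled"].lower() == "true"
        last_login = date.fromisoformat(acct["last_login"])
        if not owner:
            # A login with no individual owner cannot satisfy the unique-user-ID control.
            findings.append((name, "shared/generic account with no individual owner"))
            continue
        if owner not in hr:
            findings.append((name, f"orphan: owner {owner} is not on the HR roster"))
            continue
        person = hr[owner]
        if person["status"] == "terminated":
            term = date.fromisoformat(person["termination_date"])
            if enabled:
                findings.append((name, f"still enabled; owner terminated {term}"))
            if last_login > term:
                # Use after separation is an incident, not just a cleanup item.
                findings.append((name, f"logged in {last_login}, after termination"))
            continue
        idle = (as_of - last_login).days
        if enabled and idle > stale_days:
            findings.append((name, f"enabled but unused for {idle} days"))
    return findings


def run_review(as_of=date(2004, 5, 20)):
    """Run the review over the constructed sample data."""
    return review_accounts(load_csv(HR_ROSTER), load_csv(DIRECTORY_EXPORT), as_of)


if __name__ == "__main__":
    for account, issue in run_review():
        print(f"{account}: {issue}")
```

  Run it against real exports from HR and the directory and the output is the to-do list for the Security Officer; the “logged in after termination” case is the one to route through the incident procedure rather than routine cleanup.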

  18. So?? • OK, so security is a concern. We’ll be sure to keep an eye out for the bad guys. • But what’s this have to do with me and my agency? • After all, we’re healthcare providers … it’s not like we have trade secrets worth millions of dollars!

  19. Consider This • In September 2003, an individual was arraigned in Raleigh for hacking into a physician office's computer system and accessing electronic protected health information (ePHI). After gathering the information, he contacted patients and insurance companies to warn them that their ePHI wasn't safe. • (Good thing he wasn’t a lawyer!!) • The hacker did not need any tools beyond a wireless card and his personal computer because the wireless network was unsecured. • Hackers practice "war driving" where they drive around searching for those Wireless Access Points (WAPs). Many of the WAPs today broadcast 800 feet in all directions. • Rather than guessing at usernames and passwords, it only takes some tools that are readily available on the Internet to sniff usernames and passwords once a wireless network is detected. • In other instances, computers behind the agency firewall may have shared drives that are inviting to anyone on the network. But what’s this have to do with HIPAA??

  20. The HIPAA Security Rule
  Comprised of major requirements and associated implementation features that expand / explain the rule’s intent. Applies to all health information of an individual that is electronically maintained or transmitted.
  • NOTE: Health information pertaining to an individual that is not electronically maintained or transmitted is covered under the Privacy Regulation.
  In general, security measures can be grouped into four categories:
  • Non-IT: Administrative; Physical
  • IT (Technical): Data at rest; Data in transit

  21. Administrative Procedures
  The Administrative Procedures are the bulk of the rules; they address the business processes and look at security from an organizational perspective.
  1. Security Management Process 2. Assigned Security Responsibility 3. Personnel Security 4. Security Awareness & Training 5. Information Access Management 6. Security Incident Procedures 7. Contingency Plan 8. Data Transfer to non-Covered Entity Procedures 9. Certification
  (The final rule’s Administrative Safeguards, 45 CFR 164.308, use the headings Workforce Security, Business Associate Contracts and Evaluation in place of Personnel Security, Data Transfer to non-Covered Entity Procedures and Certification.)
  See NY State handout for details

  22. Physical Safeguards
  Physical Safeguards address such things as buildings, systems, equipment, fire, environmental hazards, and intrusion.
  1. Facility Access Controls
  2. Policy/Guidelines on Workstation Use
  3. Workstation Security • Physical Safeguards for Access • Even to File Drawers (floppy storage)
  4. Media Controls Policy/Procedures • Media relocation...receipt, removal, etc. • Within the facility & to external facilities
  Some other examples of physical safeguards: • Clean desk policy • Document Destruction/Retention • Recycle/Shredding Bins • Physical Access to building • Badges

  23. Technical Security Services
  Technical Security Services cover data at rest, guarding data integrity, confidentiality and availability.
  1. Access Control • Unique user ID, Emergency Access Procedure • Auto Log-off, Encryption, Access Restriction • Mechanisms to Restrict Access, e.g. RBAC
  2. Audit Controls • To record or examine system activity
  3. Data Authentication • Ensure that data is not altered or destroyed through inappropriate access
  4. Entity Authentication • Entity ID Verification (both users and other machines/systems)
  (In the final rule these appear at 45 CFR 164.312 as Access Control, Audit Controls, Integrity, and Person or Entity Authentication; Transmission Security is 164.312(e).)
  Who’s doing some/all of these? What do you do?
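  To make the four services concrete, here is an added example (not code from the workshop, NPower, or any product) that wires them together on constructed sample data: unique user IDs mapped to roles, an RBAC permission check, an audit entry for every access attempt whether allowed or denied, a keyed MAC for data authentication, and an idle-time automatic log-off. The role names, the 15-minute idle limit, the record contents and the key are assumptions.

```python
"""Added example (not from the workshop slides): a toy access layer that
implements the four Technical Security Services on constructed sample data.
User IDs, roles, the idle limit, the record and the key are assumptions."""
import hashlib
import hmac
import json

ROLE_PERMISSIONS = {              # constructed sample RBAC policy
    "clinician": {"read_phi", "write_phi"},
    "billing": {"read_phi"},
    "frontdesk": set(),           # scheduling staff: no ePHI access
}
USERS = {"jdoe01": "clinician", "msmith02": "billing", "tlee03": "frontdesk"}
INTEGRITY_KEY = b"constructed-demo-key"   # assumption; a real key lives outside the code
IDLE_LIMIT_SECONDS = 15 * 60      # assumed auto log-off policy: 15 idle minutes
AUDIT_LOG = []                    # audit control; a real system uses append-only storage


def seal_record(record):
    """Data authentication: keyed MAC so any later alteration is detectable."""
    payload = json.dumps(record, sort_keys=True).encode()
    mac = hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).hexdigest()
    return {"data": record, "mac": mac}


def verify_record(sealed):
    """Recompute the MAC over the stored data and compare in constant time."""
    payload = json.dumps(sealed["data"], sort_keys=True).encode()
    expected = hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


class Session:
    """Entity authentication is assumed done before this point; the session
    carries the unique user ID and the time of the last allowed action."""

    def __init__(self, user_id, now):
        if user_id not in USERS:
            raise PermissionError(f"unknown user {user_id}")
        self.user_id = user_id
        self.last_activity = now

    def expired(self, now):
        return now - self.last_activity >= IDLE_LIMIT_SECONDS


def access(session, action, sealed, now):
    """Access control: every attempt, allowed or denied, produces an audit entry."""
    entry = {"ts": now, "user": session.user_id, "action": action,
             "patient": sealed["data"]["patient"]}
    if session.expired(now):
        entry["result"] = "denied: auto log-off"
    elif action not in ROLE_PERMISSIONS[USERS[session.user_id]]:
        entry["result"] = "denied: role lacks permission"
    elif not verify_record(sealed):
        entry["result"] = "denied: integrity check failed"
    else:
        entry["result"] = "allowed"
        session.last_activity = now
    AUDIT_LOG.append(entry)
    return sealed["data"] if entry["result"] == "allowed" else None


def run_demo():
    """Exercise each control once; returns the audit results in order."""
    AUDIT_LOG.clear()
    record = seal_record({"patient": "P-0001", "dx": "constructed sample"})
    t0 = 1_000_000.0
    clinician = Session("jdoe01", t0)
    frontdesk = Session("tlee03", t0)
    access(clinician, "read_phi", record, t0 + 10)            # allowed
    access(frontdesk, "read_phi", record, t0 + 20)            # denied by RBAC
    tampered = {"data": dict(record["data"], dx="altered"), "mac": record["mac"]}
    access(clinician, "read_phi", tampered, t0 + 30)          # denied: MAC mismatch
    access(clinician, "read_phi", record, t0 + 30 + IDLE_LIMIT_SECONDS)  # denied: idle
    return [e["result"] for e in AUDIT_LOG]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

  The point of the demo is that the audit entry is written on every path, including denials, and that the integrity check runs before data is released; a real deployment would keep the MAC key in a key store and the audit trail where the application account cannot rewrite it.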

  24. Technical Security Mechanisms (aka Transmission Security) Technical Security Mechanisms address data in transit over communications lines • Technical Security Mechanisms guard against access by unauthorized others, particularly on the internet • It is in this arena that encryption comes into play

  25. Your Security Program

  26. Naming A HIPAA Security Officer is Important. Who’s the Security Officer in your agency?
  Sample HIPAA Security Officer Job Description
  Description: The HIPAA Security Officer is responsible for the ongoing management of information security policies, procedures, & technology systems in order to maintain the confidentiality, integrity, and availability of all organizational healthcare information systems.
  Actions and Accountabilities
  • Responsible for implementing, managing, and enforcing information security directives as mandated by HIPAA
  • Ensure the ongoing integration of information security with business strategies and requirements
  • Ensure that the access control, disaster recovery, business continuity, incident response, and information risk management needs of the organization are properly addressed
  • Lead information security awareness and training initiatives to educate the workforce about information risks
  • Perform ongoing information risk analyses and audits to ensure that information systems are adequately protected and meet HIPAA certification requirements
  • Work with vendors, outside consultants, and other third parties to improve information security within the organization
  • Lead an incident response team to contain, investigate, and prevent future computer security breaches
  • Hold others and self accountable for established information security policies and procedures
  General Skills and Experience Requirements (in a perfect world!)
  • Experienced in the management of both physical and logical information security systems
  • Strong technical skills
  • Outstanding interpersonal and communication skills
  • High degree of integrity and trust along with the ability to work independently
  • Excellent documentation and presentation skills
  • Ability to weigh business risks and enforce appropriate information security measures
  • In-depth knowledge of the HIPAA Security Rule and other government technology laws
  • CISSP (Certified Information Systems Security Professional) or CISA (Certified Information Systems Auditor) certification

  27. The HIPAA Security Team The Security Officer is Supported by a Team of SMEs SMEs: Subject Matter Experts, e.g. policies & procedures, training, etc.

  28. 10 Steps to HIPAA Security NPower believes that a “best practice” approach to achieving HIPAA Security compliance follows 10 steps: • Establish the agency’s HIPAA Program • Develop a HIPAA Security workplan • Analyze the current environment (Risk Analysis) • Assess the business risk • Conduct a security strategy session • Develop security options/recommendations • Summarize the final results • Develop a security plan (Risk Management) • Implement / train the security plan • Sustain the security plan Wow!! How do we get started??

  29. Risk Management & Analysis • Agencies should start by developing a Security “program”, i.e. identifying, & then assigning roles & responsibilities to, those who will be leading the security effort. An early To Do for the Security Team is to develop a workplan for implementing HIPAA security measures. • Two key elements of the workplan will be the Risk Analysis & Risk Management. • Risk analysis & risk management together are the cornerstone of the Security Rule and are required as part of the Security Management Process (164.308(a)(1)). • Risk Analysis is an "accurate & thorough assessment of the potential risks & vulnerabilities to the confidentiality, availability, and integrity" of the agency’s ePHI (electronic protected health information). • Risk Management is the "implementation of security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level."

  30. Risk Management & Analysis (cont.) • Risk Management • Risk management includes not only risk analysis and risk mitigation, but also on-going risk maintenance and evaluation. • Risk Analysis • To begin the risk analysis, determine security scope -- does it focus on HIPAA compliance only or does it include business goals? • Also, conduct a gap analysis to identify the best practices currently being done. • The analysis must also determine what needs to be done to meet the Security Rule requirements (“gotta dos”) and addressable standards (“should dos”). • Risk analysis is a pre-requisite in an on-going risk management process. From a HIPAA perspective, risk analysis is the process through which the costs associated with safeguards are balanced against the potential losses if such safeguards were not in place. • Begin risk analysis by assessing existing "system asset inventories" to find each asset's vulnerability. Then determine the level of risk the agency is willing to assume to protect the asset. • Assets can be broken into classes, e.g. communications, software, hardware, and physical facility. • Once the risk analysis is completed, the agency should assign systems risk management responsibility to an appropriate individual who will lead the on-going ePHI risk maintenance and evaluation effort. • In many organizations, this would be the Security Officer or someone designated by the Security Officer.
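  As an added worked example (not NPower’s material; every figure is constructed for illustration), the following carries the risk analysis through in code: an asset inventory broken into the classes named above, an annualized loss per asset (single-loss value times expected yearly rate, a standard method the slide does not name), the balance of each safeguard’s cost against the loss it prevents, and the residual risk compared with a tolerance the agency sets. One safeguard is marked required because the contingency plan is a required specification: cost/benefit decides how far to go, not whether to do it. Asset names, dollar values, rates and the tolerance are all assumptions.

```python
"""Added example, not from the workshop: a small quantitative risk analysis
over a constructed asset inventory, balancing safeguard cost against
potential loss.  The annualized-loss method (SLE x ARO) and every figure
below are assumptions chosen for illustration, not NPower's numbers."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    asset_class: str      # communications, software, hardware, physical facility
    threat: str
    vulnerability: str
    single_loss: float    # SLE: dollar loss if the threat materializes once
    annual_rate: float    # ARO: expected occurrences per year

    def ale(self):
        """Annualized loss expectancy = SLE x ARO."""
        return self.single_loss * self.annual_rate


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    covers: tuple         # asset names whose risk it reduces
    reduction: float      # fraction of ALE removed, 0..1
    required: bool = False  # implements a Required spec, so cost cannot waive it


RISKS = [  # constructed inventory; the wireless and open-share threats echo slide 19
    Risk("EHR database", "software", "intrusion via unsecured wireless LAN",
         "open access point, no encryption", 200_000, 0.5),
    Risk("clinic laptops", "hardware", "theft", "unencrypted disks", 40_000, 0.25),
    Risk("file server shares", "software", "insider browsing",
         "world-readable shares", 20_000, 1.0),
    Risk("server room", "physical facility", "fire or flood",
         "no off-site backup", 240_000, 0.0625),
]
SAFEGUARDS = [
    Safeguard("WPA2 and wireless segmentation", 3_000, ("EHR database",), 0.875),
    Safeguard("laptop full-disk encryption", 4_000, ("clinic laptops",), 0.75),
    Safeguard("share permission review / RBAC", 1_500, ("file server shares",), 0.75),
    Safeguard("off-site backup and contingency plan", 20_000, ("server room",), 0.5,
              required=True),
]
RISK_TOLERANCE = 5_000  # assumed: annual loss the agency is willing to carry per asset


def rank_risks(risks):
    """Risk analysis output: (asset, ALE) ordered by annualized loss, highest first."""
    return sorted(((r.asset, r.ale()) for r in risks), key=lambda t: -t[1])


def evaluate_safeguards(risks, safeguards, tolerance=RISK_TOLERANCE):
    """Risk management input: cost/benefit and residual risk for each option."""
    by_asset = {r.asset: r for r in risks}
    rows = []
    for s in safeguards:
        exposure = sum(by_asset[a].ale() for a in s.covers)
        benefit = exposure * s.reduction          # annual loss the safeguard prevents
        residual = exposure - benefit             # what remains after it is in place
        rows.append({
            "safeguard": s.name,
            "cost": s.annual_cost,
            "benefit": benefit,
            "net": benefit - s.annual_cost,
            "residual": residual,
            # Required specs are implemented regardless of the arithmetic.
            "recommend": s.required or benefit > s.annual_cost,
            # Residual above tolerance must be treated further or formally accepted.
            "treat_further_or_accept": residual > tolerance,
        })
    return rows


if __name__ == "__main__":
    for asset, ale in rank_risks(RISKS):
        print(f"{asset:20s} ALE ${ale:>10,.0f}")
    for row in evaluate_safeguards(RISKS, SAFEGUARDS):
        print(f"{row['safeguard']:38s} net ${row['net']:>10,.0f} "
              f"residual ${row['residual']:>8,.0f} recommend={row['recommend']}")
```

  The ranked list is the “accurate and thorough assessment” deliverable; the safeguard table is the documentation the Risk Management step needs, and the rows flagged for further treatment or acceptance are exactly the decisions that must be written down.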

  31. Risk Analysis & Security Strategy [diagram: Layers of Security: Process, Administration, Policy, Organization, Security Architecture, Security Compliance Program, Security Awareness Program, Security Technology Deployment]
  A Risk Analysis Looks at All Areas
  • A Risk Analysis covers administration, policy, process and organization
  • An agency-wide Risk Analysis should be the first stage in the lifecycle of Security Management
  • The Risk Analysis will drive all security planning, analysis and design activities later in the lifecycle

  32. Analyze the Current Environment
  Description: This step identifies elements in the current/proposed environment that may be subject to threats that could compromise the confidentiality, integrity, and availability of assets. It identifies existing components/processes that can be leveraged to secure the new capability. All findings from this step are documented.
  Benefits: • Identifies elements in the current or proposed environment that may be subject to threats that could compromise the assets • Identifies holes in the current security structure • Enables the Analysis team to develop a comprehensive view of the environment as it really is rather than how it is perceived to be
  Activities: • Schedule and conduct interviews • Obtain/review environment documentation • Identify vulnerabilities • Conduct physical site surveys • Perform technical analysis (i.e., examine critical technology architecture components) • Conduct surveys
  Deliverables: • Initial draft of the threats matrix

  33. Assess Business Risk
  Description: This step documents key assets, threats, vulnerabilities, and business effects to the environment; it also identifies major risks to the organization. All findings from this step are documented as the environment is reviewed.
  Benefits: • Provides the organization with a thorough analysis of the identified vulnerabilities in terms of consequences to the business • Prioritizes risk according to business objectives
  Activities: • Identify critical business assets • Identify threats to assets • Determine business impact • Prioritize business risk
  Deliverables: • List of identified critical business assets • Second draft of the threats matrix

  34. Conduct Security Strategy Session
  Description: This step gives a picture of what the future security environment should look like. It involves a facilitated discussion on future business initiatives and the security direction that is required to support the future business environment. The organization of the security group and the technology which should be implemented to support the business are topics of discussion.
  Benefits: • Provides a forum for key management personnel to express common security concerns • Allows the Analysis team to achieve an understanding of the organization’s future direction and initiatives, which will provide for long-term recommendations • Provides examples of how security will enable long-term business strategies
  Activities: • Identify future business initiatives • Identify risks to each initiative • Prioritize security initiatives • Document input to the security strategy
  Deliverables: • Input to the overall Security Strategy • List of future business initiatives • Third draft of the threats matrix

  35. Develop Security Options/Recommendations
  Description: This step determines recommendations to mitigate risks. The priority of each of the recommendations is then determined based on a number of technical and non-technical factors. Once priorities have been determined, a security options matrix is developed to identify costs and benefits for the prioritized recommendations.
  Benefits: • Determines recommendations to mitigate the identified risks • Considers costs and benefits to recommend a balanced approach • Identifies the most appropriate solutions for the given business and technical environments
  Activities: • Identify security options • Determine payroll and non-payroll costs • Prioritize security options • Verify the risk analysis matrix • Conduct cost/benefit analysis
  Deliverables: • Risk Analysis matrix • Cost/benefits matrix

  36. Summarize Final Results
  Description: This step documents the results of the Analysis in a final report, and a summary is presented to executive management. The quick-hit and long-term recommendations are discussed and next steps are determined.
  Benefits: • Provides the organization with detailed recommendations and a roadmap of the steps needed to improve the level of security • Allows the Analysis team to receive feedback from the organization and further customize the solution if needed
  Activities: • Document final results • Develop security delivery approach • Develop delivery plans for security initiatives • Prepare and present final results documents and presentation • Modify delivery approach as needed
  Deliverables: • Input to Security Strategy • Security Plans and Budget Recommendations • Final Risk Analysis presentation including quick hits and long-term recommendations

  37. Develop Security Plan
  Description: This step documents the decisions of executive management and the resulting roadmap for implementing the plan.
  Benefits: • Provides a trackable roadmap for implementation of required steps • Identifies specific deliverables and outcomes expected from implementation of a security plan
  Activities: • Develop a project plan for executing management decisions • Assign plan participants • Estimate resource hours/time • Identify expected deliverables
  Deliverables: • Security Implementation Plan • Defined schedule, cost and quality expectations

  38. Implement & Train Security Plan
  Description: This step implements all components of the Security Plan and provides necessary training for employees. Completion of each step is documented and any changes to the plan are recorded.
  Benefits: • Installs the necessary elements for a secure environment • Allows for flexibility in improving the plan as it is implemented • Creates an informed working staff that is cognizant and conscientious regarding security
  Activities: • Implement steps in Security Plan • Manage and monitor the plan • Modify plan as needed • Develop training plan & schedule • Deliver security training to all employees
  Deliverables: • Training plan and schedule • Training classes

  39. Sustain Security Maintenance Plan
  Description: This step ensures that security gaps that have been addressed continue to be monitored and acted upon.
  Benefits: • Ensures that security gained is maintained over time • Allows for continued examination of security vulnerabilities
  Activities: • Document security vulnerabilities • Develop plan for continued monitoring • Assign responsible parties • Maintain security check schedule • Address security violations as encountered • Update plan to keep it current
  Deliverables: • Security Vulnerability Document • Security Maintenance Plan

  40. Required & Addressable Specifications

  41. Required & Addressable Specifications
  All specifications are either required or addressable. Addressable specifications provide scalability & flexibility.
  What is meant by “Addressable”? HIPAA’s recommendation for meeting a requirement must be considered and, where appropriate, implemented in some fashion. If not accepted as is:
  • Must document the decision not to implement
  • Must identify and document the rationale behind that decision
  • Must identify and document what was implemented in its place
  Where the specification is not implemented, the rule also expects an equivalent alternative measure to be implemented if one is reasonable and appropriate (45 CFR 164.306(d)(3)).
  Example:
  • Decision is made to allow all staff full access to all PHI rather than limit access based on roles
  • Must document that the decision was made to not limit access
  • Must explain why the decision was made to not limit access
  • Must document that full access was allowed

  42. Required & Addressable Specifications

  43. Required & Addressable Specifications

  44. In Summary

  45. The Security Rule Sets Forth 5 Primary Requirements The standards identify the following as requirements in order to be in compliance: • Processes and systems must be updated to ensure that health care data is protected. • Written security policies and procedures must be created and/or reviewed to ensure compliance. • Staff must receive training on those policies and procedures. • Access to data must be controlled through appropriate mechanisms (e.g., passwords, audit trails, RBAC). • Security procedures/systems must be certified (self-certification is acceptable) to meet the minimum standards.

  46. Key Points to Remember
  • Applies to any health information pertaining to an individual that is electronically maintained or transmitted
  • Includes Organizational & Facility security aspects, not just Information Systems
  • Requirements fall into 4 areas/categories: Non-IT: Administrative Procedures; Physical Safeguards. IT: Technical Security Services; Technical Security Mechanisms

  47. The Security Journey Never Ends
  Assess where things stand currently: • Connectivity • Contracts • Systems • Documentation • Infrastructure • Policies & Procedures
  Establish security policies & procedures: • Media Controls • Workstation • Audit Trails • Authentication • Access Controls (RBAC) • Automatic Removal of Accounts • Emergency Mode Access
  Implement P&P to address security breaches: • Event Reporting • Incident Reporting • Sanctions
  Train all staff, incl. volunteers, temps, etc.: • Training / Awareness
  Maintain the Program: • Assess and Review • Train / Create Awareness • Monitor / Address Breaches

  48. Apply a Good Dose of Reasonableness & Common Sense [chart: Risk vs. $] • Administrative Simplification provisions are aimed at process improvement and saving money • You should not have to go broke becoming HIPAA-compliant • Expect fine-tuning adjustments over the years • Weigh the cost of safeguards vs. the value of the information to protect • Security should not impede care • Assess your risk aversion • Conduct due diligence

  49. Follow the HIPAA Security Golden Rule • Document everything… and ensure that your documentation reflects what you actually practice!! • As my old college track coach used to say: Don’t tell me… show me! • Keep your documentation current & accurate.

  50. Questions & Answers
