
Make Sure Your Data Doesn't Get Washed Away…. A Discussion of Remote Access


Presentation Transcript


  1. Make Sure Your Data Doesn't Get Washed Away…. A Discussion of Remote Access
     Kerry Moskol, Quarles & Brady LLP

  2. What you should take away:
     • CMS is starting to focus on compliance with the Security Rule
     • If your Security Rule policies and procedures do not address remote access and portable devices, it is time to update your policies!

  3. Why the sudden focus on security and remote access?
     • Reluctant compliance with the Security Rule
     • Increased (and encouraged) use of EMRs
     • Concerns over security breaches - many of which involve remote devices

  4. So… What do we need to look out for?
     • Security Rule Audits/Onsite Compliance Reviews
     • Security Breach Notification Laws
     • National Identity Theft Laws (Red Flag Regulations)
     • CMS Guidance Regarding Remote Access

  5. OIG's first "audit" of a provider's compliance with the Security Rule:
     • March 5, 2007: Piedmont Hospital in Atlanta, Georgia
     • Reviewed the hospital's administrative, physical and technical safeguards

  6. Interesting aspects of the audit:
     • Patient complaint did not trigger the audit
     • Audit was performed by OIG, not CMS
     • Some suspect the purpose was to check whether CMS is doing its job regarding Security Rule oversight and enforcement
     • Presented a list of 42 items - 24 were security related

  7. CMS - Onsite Investigations and Compliance Reviews
     • CMS Office of E-Health Standards and Services is conducting onsite investigations and compliance reviews related to potential Security Rule violations
     • Contracted with PwC to assist with the reviews

  8. CMS - Onsite Investigations and Compliance Review (cont'd)
     • Who is targeted?
       • Onsite investigations - may arise from a filed complaint
       • Onsite compliance reviews - may arise from self-report, media reports, etc.
     • What are they looking for?
       • Assessment of security measures
       • Special attention to remote access

  9. CMS - Onsite Investigations and Compliance Review (cont'd)
     • Guidance from CMS - Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews
     • Identifies documents that may be requested and personnel to be interviewed
     • Not a complete list - but use as guidance
     • http://www.cms.hhs.gov/Enforcement/Downloads/InformationRequestforComplianceReviews.pdf

  10. And so it goes…. The first HIPAA Resolution Agreement
     • Seattle-based provider lost unencrypted laptop computers, disks and tapes
     • $100,000 settlement with government
     • Three years of monitoring by HHS
     • Corrective Action Plan - focused on physical and technical safeguards for off-site transportation and storage of EPHI and remote media

  11. The New Frontier: Security Breach Notification Laws
     • Security Breach Notification laws require entities to notify individuals if there is an unauthorized acquisition or disclosure of their "personal information"
     • "Personal Information"
       • Social security number, address, date of birth, financial account numbers, medical information, other identifiers
     • Exception for encrypted information

  12. Security Breach Notification Laws (cont'd)
     • Applies to all types of entities
     • Not limited to the health care context
     • Does not have to relate to medical information - focus is the identifiers

  13. Security Breach Notification Laws (cont'd)
     • Some states, like Wisconsin, exclude "covered entities" from notification requirements
     • So why do we care????

  14. Security Breach Notification Laws (cont'd)
     • Can still apply to hospital employee information
     • Hospital policies may require notification as part of HIPAA mitigation requirements
     • Out-of-state patients - not all state laws exclude covered entities (state of residency matters here)
     • Proposed federal legislation may revise Security Rule requirements to require patient notification of security breach (might take a while)

  15. And on a related note… Identity Theft Red Flag Regulations
     • Regulations likely apply to hospitals - not much guidance out there yet
     • Effective November 1, 2008
     • Entities must create policies and procedures to:
       • Identify activities (red flags) that signal possible ID theft and incorporate red flags into ID theft program
       • Detect red flags
       • Respond appropriately to prevent/mitigate ID theft
       • Ensure the program is updated

  16. Which leads us to…. The importance of security for remote access and portable devices!

  17. CMS Guidance For Remote Access and Portable Devices:
     • CMS issued guidance on security requirements for remote access in December 2006
     • Proposed rule regarding remote access standards was anticipated to come out in July 2007; however, it is currently on hold (maybe permanently)

  18. Purpose of guidance:
     • Reduce security incidents related to remote access and use of portable devices/media
     • Reinforce the ways covered entities protect EPHI when accessed or used offsite or remotely

  19. Guidance applies to:
     • Laptops and home-based personal computers
     • PDAs and Smart Phones
     • Hotel, library or other public workstations and Wireless Access Points (WAPs)
     • USB Flash Drives and Memory Cards
     • Floppy disks, CDs, and DVDs
     • Backup media
     • Email
     • Remote Access Devices (including security hardware)

  20. Remote access to EPHI is appropriate only after the entity's risk analysis concludes:
     • There is a business need for remote access; and
     • The entity's workforce training, policies, and procedures are effective and compliant with the Security Rule
     (Remember to document this determination!)

  21. Examples of appropriate use of remote access:
     • Home health nurse accesses patient data via a laptop during a home visit
     • Physician refills a patient's Rx via an e-prescribing application on a PDA
     • Health plan employee transports enrollee data on a media storage device to an offsite facility

  22. Emphasis should be placed on:
     • Risk analysis and risk management strategies - make sure your risk analysis includes remote media!
     • Policies and procedures for safeguarding remote access to EPHI
     • Security awareness and training

  23. Factors to consider when deciding which security measures to implement:
     • Entity's size, complexity, and capabilities
     • Entity's technical infrastructure, hardware, and software security
     • Cost of security measures
     • Potential risks to EPHI

  24. Risks associated with remote access fall into three areas:
     • Access
     • Storage
     • Transmission

  25. Access:
     • Remote access is granted only to authorized users based on their role within the organization and need for access to EPHI
     • Safeguards required for office workstations must also apply to offsite workstations

  26. Storage:
     • Security policies and procedures must address media and devices that store EPHI and may be removed from the facility
     • Examples: laptops, hard drives, backup media, USB flash drives, and other storage media

  27. Transmission:
     • Entity must ensure the integrity and security of EPHI sent over networks
     • Entity must address remote access to applications hosted by the entity, such as e-prescribing systems, web mail, etc.

  28. CMS guidance identifies a series of risks and possible risk management strategies:
     • Guidance sets forth the minimum compliance expectations
     • Entities are urged to comply with the identified strategies

  29. Access - Risks and Possible Management Strategies:
     • Risk: Stolen password results in potential unauthorized disclosure
     • Strategy:
       • Implement a two-factor authentication process to grant remote access to systems containing EPHI
         • First step is username/password
         • Second step requires the person to answer a security question
       • Implement a technical process for authentication and creating a unique user name (e.g., use Remote Authentication Dial-In User Service or similar tool)
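The two-step check the slide describes, written out as an added example (it is not code from the presentation or from CMS). The first step is the slide's username/password; for the second step the example uses a time-based one-time code (RFC 6238 TOTP) rather than the slide's security question, because a code from a device the user holds is a genuinely separate factor. The user record, role names, secret values and the 30-second window are constructed for the example, and the password is stored only as a salted PBKDF2 hash.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Assumed policy values for this example, not from the CMS guidance.
PBKDF2_ROUNDS = 100_000
TOTP_STEP = 30        # seconds per one-time-code window
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this hash is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, unix_time: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 time-based one-time password over HMAC-SHA1 with dynamic truncation."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def make_user(username: str, password: str, totp_secret: bytes, role: str) -> dict:
    """Constructed user record: hashed password, per-user TOTP seed, and the role used for role-based access."""
    salt = secrets.token_bytes(16)
    return {"username": username, "salt": salt,
            "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "role": role}


def authenticate(users: dict, username: str, password: str, code: str, now=None):
    """Grant remote access only when both steps pass. Returns (granted, reason)."""
    now = int(time.time()) if now is None else now
    user = users.get(username)
    # Step 1: username/password. Hash even for unknown users so a wrong
    # username costs the same time as a wrong password.
    salt = user["salt"] if user else b"\x00" * 16
    expected = user["pw_hash"] if user else hash_password("", salt)
    if not hmac.compare_digest(hash_password(password, salt), expected) or user is None:
        return False, "step 1 (password) failed"
    # Step 2: one-time code. Accept the adjacent windows to tolerate clock drift.
    for skew in (-1, 0, 1):
        if hmac.compare_digest(totp(user["totp_secret"], now + skew * TOTP_STEP), code):
            return True, f"granted; role={user['role']}"
    return False, "step 2 (second factor) failed"


if __name__ == "__main__":
    users = {"nurse1": make_user("nurse1", "correct horse battery", b"constructed-seed", "home-health")}
    current_code = totp(b"constructed-seed", int(time.time()))
    print(authenticate(users, "nurse1", "correct horse battery", current_code))
```

Both comparisons use `hmac.compare_digest`, and the role returned on success is what a role-based access layer (slide 30) would consult next; the example grants nothing on a correct password alone, which is the property the slide is after.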

  30. Access - Risks and Possible Management Strategies:
     • Risk: Employee accesses EPHI remotely when not authorized to do so while working offsite
     • Strategy:
       • Establish role-based access for remote users (different remote users may require different levels of access)
       • Develop clearance procedures and verify training before granting remote access
       • Ensure sanction policies address unauthorized remote access

  31. Access - Risks and Possible Management Strategies:
     • Risk: Offsite workstation left unattended
     • Strategy: Establish procedures for session termination (time-out) on inactive portable or remote devices
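Server-side idle session termination, the control this slide asks for, as an added example (not the presentation's or CMS's code). It keeps a last-activity timestamp per session, refuses and discards a session that has been idle longer than the limit, and can sweep idle sessions even when the abandoned device never sends another request. The 15-minute limit, the session store and the injectable clock are assumptions for the example.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed policy value, not from the guidance


class SessionStore:
    """In-memory session table with idle time-out; the clock is injectable for testing."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions = {}   # token -> {"user": str, "last_activity": float}

    def open(self, user: str) -> str:
        """Start a session after authentication and hand back an unguessable token."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_activity": self.clock()}
        return token

    def touch(self, token: str):
        """Validate the session presented on a request.

        Returns the user on success and None for an unknown or expired token.
        An expired session is terminated here rather than silently renewed."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_activity"] > self.idle_timeout:
            del self._sessions[token]
            return None
        session["last_activity"] = now
        return session["user"]

    def close(self, token: str) -> None:
        """Explicit logout; the token stops working immediately."""
        self._sessions.pop(token, None)

    def reap(self) -> int:
        """Periodic sweep: terminate every idle session so a forgotten, unattended
        device loses access even if it never talks to the server again."""
        now = self.clock()
        expired = [t for t, s in self._sessions.items()
                   if now - s["last_activity"] > self.idle_timeout]
        for token in expired:
            del self._sessions[token]
        return len(expired)

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore(idle_timeout=1)
    token = store.open("nurse1")
    print(store.touch(token))   # nurse1
    time.sleep(1.5)
    print(store.touch(token))   # None: idle too long, session terminated
```

Two points worth carrying into a policy: the time-out must be enforced on the server, because a lock screen on the device is the client's promise and a stolen device keeps none of its promises; and a `reap()`-style sweep should run on a timer, since an idle session that is never presented again is still a live credential until something removes it.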

  32. Storage - Risks and Possible Management Strategies:
     • Risk: Laptop or other portable device is stolen
     • Strategy:
       • Identify hardware/media that must be tracked and develop inventory control systems
       • Maintain records of media/device movement
       • Require a lock-down mechanism for unattended laptops
       • Back up all EPHI entered into the remote system
       • Password protect files and devices that store EPHI
       • Use encryption technology
       • Ensure technology updates are deployed to portable devices
       • Use biometrics to access portable devices
       • Use tracking devices in portable devices

  33. Storage - Risks and Possible Management Strategies:
     • Risk: Data left on a public computer at a hotel business center
     • Strategy:
       • Prohibit downloading of EPHI on remote systems or devices without justification
       • Minimize use of browser-cached data in web-based applications
       • Train the workforce on policies that require users to delete files saved to an external device

  34. Storage - Risks and Possible Management Strategies:
     • Risk: Theft of EPHI left on devices after inappropriate disposal
     • Strategy:
       • Establish EPHI deletion policies and media disposal procedures for remote media
       • At a minimum, this should include complete deletion (via specialized tools) of all disks and backup media prior to disposal

  35. Transmission - Risks and Possible Management Strategies:
     • Risk: Data intercepted and modified during transmission
     • Strategy:
       • Prohibit transmission of EPHI via open networks (i.e., the internet)
       • Prohibit use of offsite devices or wireless access points for non-secure access to email
       • Use secure connections for email via SSL and message-level standards such as S/MIME, SET, PEM, PGP, etc.
       • Use encryption for transmission of EPHI - SSL should be the minimum requirement

  36. Transmission - Risks and Possible Management Strategies:
     • Risk: Emailing or faxing EPHI to the wrong recipient
     • Strategy:
       • Confirm the fax number before sending
       • Confirm that the right document is attached and make sure you have the right email address!
       • Verify receipt when possible
       • Comply with your organization's policies/procedures
       • Encrypt or password protect documents!

  37. Transmission - Risks and Possible Management Strategies:
     • Risk: System contamination by a virus introduced by an external device used to transmit EPHI
     • Strategy: Install anti-virus software on portable devices that can be used to transmit EPHI

  38. How to make your policies on remote access effective?
     • Training
     • Defined security incident procedures
     • Appropriate sanction policies

  39. Training:
     • Covered entities' workforce awareness and training program must specifically address risks and security provisions associated with remote access to EPHI
     • Must be able to demonstrate that remote access is part of the training curriculum

  40. Training on remote access policies and procedures should address:
     • Instructions for accessing, storing, and transmitting EPHI remotely and/or using portable devices
     • Password management procedures for remote/portable devices
     • Prohibitions on leaving devices/media in unattended cars or public areas (big problem!)
     • Prohibitions on transmitting EPHI over open networks or downloading EPHI to public/remote computers
     • Appropriate remote workstation use

  41. Security Incident Procedures:
     • Security incident procedures must specify the actions workforce members must take to manage the harmful effects of loss or theft of EPHI via portable media

  42. Security incident procedures should include:
     • Provision for the preservation of evidence
     • Managing harmful effects of improper disclosure
     • Notice to affected parties
     • Provision for ongoing risk management activities related to remote access

  43. Sanction Policies:
     • Sanction policies must address the consequences of failing to comply with the entity's policies and procedures related to remote access
     • CMS recommends that covered entities require workforce members to sign a statement of adherence to such policies and procedures

  44. Why is compliance important?
     • Government is cracking down on Security Rule compliance
     • Increased security incidents with remote access and portable devices
     • Good practice

  45. What to do:
     • Review your Security Rule policies and procedures to make sure they address remote access and portable devices
     • Make sure your workforce is trained on remote access procedures
     • If your policies, procedures, and training materials do not address remote access, it is time to UPDATE!

  46. Useful Resources:
     • CMS Remote Security Guidance: http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf
     • NIST Guidance (for a variety of remote access topics): http://csrc.nist.gov/publications/
     • CMS Security Rule Educational Materials: http://www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp
