1 / 20

HIPAA Security Risk Overview

HIPAA Security Risk Overview. Lynne Shoemaker, RHIA, CHP, CHC OCHIN Integrity Officer. Daniel M. Briley, CISSP, CIPP Summit Security Group. Agenda. History The HIPAA Security Rule Changes Due To The HITECH Act Recent Enforcement Functions Meaningful Use and OIG Audit Activity

river
Download Presentation

HIPAA Security Risk Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIPAA Security Risk Overview Lynne Shoemaker, RHIA, CHP, CHC OCHIN Integrity Officer Daniel M. Briley, CISSP, CIPP Summit Security Group

  2. Agenda • History • The HIPAA Security Rule • Changes Due To The HITECH Act • Recent Enforcement Functions • Meaningful Use and OIG Audit Activity • Vulnerability Overview • Key Technical Findings & Mitigation Steps • In Summary • HIPAA Security Services • Questions / Discussion

  3. HIPAA Regulation Requirements • 45 CFR § 164.306(a) define general requirements for covered entities, which include hospitals, and clinics • Covered entities must do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. (4) Ensure compliance with this subpart by its workforce.

  4. History • 2005: HIPAA Security Rule • Administrative, Physical, Technical Safeguards • Minimal enforcement • Insignificant monetary fines • 2009: ARRA • Included the Health Information Technology for Economic and Clinical Health (HITECH) Act

  5. History • HITECH Act • Applies HIPAA to BAs • Mandatory data breach reporting requirements • Civil and criminal penalties for noncompliance • Enforcement responsibilities • New privacy requirements • Meaningful Use • Adopt Certified EHR Technology • Use it to achieve specific objectives

  6. Recent Enforcement Functions “Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections”. -- OCR Director Georgina Verdugo

  7. Meaningful Use Risk Assessment Requirement and OIG Audits • Providers are required to conduct, or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. • OIG currently conducting Meaningful Use attestation desk audits/questionnaires

  8. OIG Audits • Seven hospitals were audited • 151 vulnerabilities were uncovered • 124 were high impact, and impacted confidentiality, integrity and availability of protected health information (PHI)

  9. Vulnerability Definitions • High—Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury. • Medium—Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury. • Low—Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest.

  10. High Impact Vulnerabilities • 124 high-impact vulnerabilities from the 7 hospital reports according to their Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule definitions of technical,1 physical,2 and administrative3 safeguards as follows: • 106 technical safeguard vulnerabilities related to the wireless electronic communications network and to other security measures management implemented in their computerized information systems; • Physical safeguard vulnerabilities involving physical access to electronic information systems and the facilities in which they are housed; and • 11 administrative safeguard vulnerabilities related to the hospitals’ policies and procedures for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI).

  11. Types of Vulnerabilities • Wireless Access Vulnerabilities • Access Control Vulnerabilities • Audit Control Vulnerabilities • Integrity Control Vulnerabilities • Person or Entity Authentication Vulnerabilities • Transmission Security Vulnerabilities

  12. Types of Vulnerabilities continued… • Facility Access Control Vulnerabilities • Device and Media Control Vulnerabilities • Security Management Process • Workforce Security Vulnerabilities • Security Incident Procedures Vulnerabilities • Contingency (Disaster)Plan Vulnerabilities

  13. Technical Findings • Wireless access vulnerabilities, including ineffective encryption, rogue wireless access points, no firewall separating wireless from internal wired networks, broadcasted service set identifiers (SSID) • Laptops were not encrypted • Audit logs were not monitored (Please see Epic BTG Reports) • Access control vulnerabilities • Inadequate password settings, computers that did not log users off after periods of inactivity, unencrypted laptops containing ePHI • Inadequate password length and expiration

  14. Data Integrity Findings • Latest security patches were not installed • Outdated anti-virus • Unrestricted Internet activity by employees and providers • Unchanged user ID and passwords • No email encryption

  15. Physical Security and Risk Assessments • Unsecured data center access • Lack of completed risk assessments • Lack of polices regarding conducting annual risk assessments

  16. Device and Media Controls • No computer equipment inventory • No written plan for electronic media disposal, including computer hard drives, thumb drives, CDs • Unencrypted backup tapes/media

  17. Inadequate Workforce Security • 36 network user accounts with inappropriate access to the hospital’s network. The user accounts belonged to employees on long-term disability. Three of these individuals had accessed ePHI while on long-term disability. • Delayed termination of employee network access after the employee no longer worked at the facility

  18. In Summary • An increase in OCR complaints, investigations, corrective actions, enforcement functions all indicate: • Managing compliance with the HIPAA Security Rule is challenging: • Threats are emerging and dynamic • Documentation is required • Vulnerabilities and risks are going undiscovered and/or unresolved • Staff is tapped • Ignoring the requirements is not a strategy for success

  19. HIPAA Security Services • HIPAA Security Risk Assessment Checklist (free) • Template policies and procedures (free) • Performing Administrative HIPAA Security risk assessments (scalable fees based on complexity of the organization) • Discounted Technical Risk Assessments for OCHIN Customers through Summit Security Group • Interim Information Security Officer for OCHIN Customers through Summit Security Group

  20. Questions? • Lynne Shoemaker, RHIA, CHP,CHC • shoemakerl@ochin.org • 503-943-2500 • Daniel M. Briley, CISSP, CIPP • dan.briley@summitinfosec.com • 503-577-1076

More Related