Post on 12-Jan-2016
Healthcare and New Federal Security Protections (HIPAA)
Copyright 2001 The Marblehead Group
Contact info:
Kate Borten, CISSP
President, The Marblehead Group
One Martin Terrace
Marblehead, MA 01945
Tel: 781 639-0532
Fax: 781 639-0562
kborten@marbleheadgroup.com
Agenda
- HIPAA: What? When? Why?
- HIPAA’s Security and Privacy Rules
- Implications for vendors and products
  - Business contracts
  - Technical features
Healthcare Resources
HIPAA
HIPAA
- Health Insurance Portability and Accountability Act of 1996, aka the Kennedy-Kassebaum bill
- To assure health insurance after leaving a job (“insurance portability”)
- Congress added “Administrative Simplification” [aspe.hhs.gov/admnsimp]
- POW!
“Administrative Simplification”
- Goal: Save money
- Means: Standard electronic transactions
  - Standard record formats, code sets, and identifiers
  - For common transactions such as enrollment, claims, remittance, eligibility, and referrals
Compliance date: October 2002
Downside to Electronic Standardization
- Increased risk to information security and patient privacy
- So Congress added HIPAA requirements:
  - US Dept. of Health and Human Services (HHS) to develop security regulations
  - Congress to pass health privacy law (but they missed their deadline in 1999, so HHS wrote privacy regulations)
“Security” vs. “Privacy”
Security = Assurance of Confidentiality, Integrity, and Availability
Privacy = a personal “right” (we’d like to think) to control info about oneself
Organizations have formal infosec programs in order to assure patients’ or members’ privacy
No privacy without security!
Fair Information Practices
When you think privacy, think Fair Info Practices (HHS Sec’y Shalala):
- Security (obligation to protect)
- Boundaries (limit use of info)
- Consumer Control (right to copy, correct, review audit trail...)
- Accountability (penalties)
- Public Responsibility (balance public good vs. individual privacy rights)
Scope: Who’s Covered
Rules apply directly to health care plans, providers, and clearinghouses - called “covered entities”
Rules apply only indirectly to “business associates” of those covered (until a broader privacy law is passed)
Rules do not apply to life insurers, workers comp, etc. (until a broader privacy law is passed)
Scope: What’s Covered
- Privacy Rule covers all individually-identifiable health data in any form
  - includes demographic data, even if in public realm
  - includes data unless thoroughly de-identified
- Proposed Security Rule covers subset of above - only electronic data
Compliance Deadlines
Privacy Rule compliance date: Feb. 26, 2003 (for all but smallest plans which have until 2004)
Expect Security Rule compliance date shortly thereafter
Why Comply? Penalties!
- Civil penalty for “failure to comply”: up to $100/person/violation; maximum of $25,000/person/violation/year (can add up!)
- Criminal penalties for “wrongful disclosure” “knowingly and in violation of HIPAA”:
  - up to $50,000 and/or 1 year prison for knowing misuse
  - up to $100,000 and/or 5 years prison when under false pretenses
  - up to $250,000 and/or 10 years prison when intent to sell, use for personal gain or commercial advantage, malicious harm
Why Comply?
HIPAA penalties for health plans, providers, and clearinghouses only
But their “business associates” will be bound by contract (indemnified?)
Vendors could be out of business if their products don’t meet basic requirements!
Security & Privacy Rules
Patient Rights
Receive copy of own record
Request record amendment/correction
Voluntarily authorize and revoke secondary uses of own data
Receive report of certain disclosures
Receive Notice of Privacy Practices
File complaint of non-compliance
Privacy Rule Requirements
- Security safeguards
- Privacy Officer
- Use/disclosure policies and procedures
  - when OK, when not, when authorization req’d, etc.
  - de-identification; minimum necessary data
  - verification of requestor identity, authority
- Audit/reporting of secondary disclosures
- Workforce training and certification
- Stringent business contracts
- Sanctions
- Notice of Privacy Practices
Security Rule Requirements
A comprehensive, formal infosec program:
- “Administrative Procedures”
  - Policies
  - Procedures
  - Education of workforce
- Physical Safeguards
- Technical controls
- Information Security Officer
“Administrative Procedures”
- Certification
- Chain-of-trust partner agreement
- Contingency plan
- Record processing controls
- Access controls
- Auditing
- Personnel security
- Configuration mgmt
- Security incident procedures
- Security mgmt process
- Termination process
- Training
Physical Safeguards
- Media controls
- Physical access controls
- Workstation use policy, guidelines
- Secure workstation location/position
- Security awareness training
Technical Controls
- Access controls
- Audit controls
- Authorization controls
- Data “authentication” (integrity)
- Entity authentication
- Event reporting, alarms
Implications for Vendors and Products
Business Associate Contracts
- Applies to business associates (BA) who may have access to patient-identifiable data, even inadvertently
- Healthcare organization may terminate
- Contracts likely to require BA to have appropriate infosec programs
- BA required to:
  - report breach/improper disclosure
  - audit certain re-disclosures
  - permit access by Sec’y of HHS
Explicit Technical Requirements
- Identification - unique userIDs
- Authentication - Password or PIN or token or smartcard or biometric (or call-back?)
  - If over “open” network (at least the Net), must be “irrefutable” (2-factor)
Explicit Technical Requirements
- Authorization - at least necessary level
  - Role- or user-based
  - Optionally modified by location, by date/time
- Organization must be able to periodically review who has access and with what privileges, so systems must be able to provide reports
Explicit Technical Requirements
- Automatic logoff (inactivity timeout) to “cause electronic session to terminate” (i.e., not suspend)
- (Healthcare organizations will look for intelligent implementation - preferably allowing variable timeouts based on different risks in different environments. Ex: Emergency room 2 mins vs. private office 180 mins)
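An added example (not from the original presentation) of the “intelligent implementation” the slide asks for: an inactivity timeout that varies by the workstation’s environment and terminates the session outright rather than suspending it. Location names and the non-ER/office timeout values are assumptions.

```python
# Added example, not part of the original deck: risk-tiered inactivity
# timeout that terminates (does not suspend) the session.
from dataclasses import dataclass, field

# Inactivity limits in seconds, keyed by where the workstation sits.
# ER and private office values follow the slide; the others are assumed.
TIMEOUT_BY_LOCATION = {
    "emergency_room": 2 * 60,
    "nursing_station": 15 * 60,     # assumed
    "private_office": 180 * 60,
}
DEFAULT_TIMEOUT = 10 * 60  # unknown locations get a conservative limit (assumed)

@dataclass
class Session:
    user_id: str
    location: str
    last_activity: float          # seconds, e.g. time.time()
    terminated: bool = False
    audit: list = field(default_factory=list)

def timeout_for(location: str) -> int:
    return TIMEOUT_BY_LOCATION.get(location, DEFAULT_TIMEOUT)

def enforce_timeout(session: Session, now: float) -> bool:
    """Terminate the session if idle longer than its location's limit.
    Returns True only when a termination happened on this call."""
    if session.terminated:
        return False
    idle = now - session.last_activity
    if idle > timeout_for(session.location):
        # Terminate: the session is invalidated so the user must re-authenticate,
        # instead of leaving a locked-but-live session that can be resumed.
        session.terminated = True
        session.audit.append(
            f"AUTO_LOGOFF user={session.user_id} loc={session.location} idle={int(idle)}s")
        return True
    return False

def touch(session: Session, now: float) -> bool:
    """Record user activity; returns False if the session is already terminated."""
    if session.terminated:
        return False
    session.last_activity = now
    return True
```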
Explicit Technical Requirements
- Data integrity
  - Suggested mechanisms include: check sums, double keying, message authentication code, digital signature (providing message hash...)
- (Healthcare organizations may look more closely at software edits. Implement “double keying” in s/w for critical fields?)
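An added example (not from the original presentation) of two of the mechanisms listed above: a message authentication code over a stored record, and a software “double keying” check on critical fields. The field names, the sample record and the integrity key are constructed for illustration.

```python
# Added example, not part of the original deck: MAC-based record integrity
# plus a double-keying comparison of critical fields.
import hashlib
import hmac
import json

INTEGRITY_KEY = b"constructed-demo-key-not-for-production"  # assumed key
CRITICAL_FIELDS = ("patient_id", "medication", "dose_mg")    # assumed fields

def canonical(record: dict) -> bytes:
    # Deterministic serialization so identical content always yields the same tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(record: dict) -> dict:
    """Return a copy of the record carrying an HMAC-SHA256 tag over its fields."""
    body = {k: v for k, v in record.items() if k != "mac"}
    tag = hmac.new(INTEGRITY_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": tag}

def verify(record: dict) -> bool:
    """Recompute the tag and compare in constant time; any edited field fails."""
    body = {k: v for k, v in record.items() if k != "mac"}
    expected = hmac.new(INTEGRITY_KEY, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("mac", ""))

def double_key_check(first: dict, second: dict) -> list:
    """Double keying: two independent entries of the critical fields must agree.
    Returns the names of fields that differ (empty list = entry accepted)."""
    return [f for f in CRITICAL_FIELDS if first.get(f) != second.get(f)]

# Constructed sample record
RECORD = {"patient_id": "P-0001", "medication": "heparin", "dose_mg": 5000}
```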
Explicit Technical Requirements
- Protections for data in transit
  - Integrity controls
  - Message authentication
  - Access controls and/or encryption
Explicit Technical Requirements
- Plus, when in transit over “open” networks:
  - Alarms (“signal of abnormality”)
  - Audit trails
  - Entity authentication
  - Event reporting (of “operational irregularities in physical elements of network ... or response to occurrence of a significant task, e.g., completion of request for information”)
  - Encryption
Use Standards Wherever You Can Find Them!
- HCFA Internet Security Policy (1998) [www.hcfa.gov/security/isecplcy.htm]
- Intended for HCFA, but expected to meet HIPAA: minimum encryption standards
  - Symmetric: 3DES with 112 bit key
  - Asymmetric: RSA-type with 1024 bit key
  - Elliptic Curve: 160 bit key
  - (Assume AES also acceptable)
- Common examples: SSL (3.0+); S-MIME
Explicit Technical Requirements
- Secure remote access
  - Protection of “remote access points” and “external electronic communications”
- (HIPAA leaves it up to the organization to figure out what this means! But HIPAA does expect firewalls.)
Explicit Technical Requirements
- Security event auditing
  - HIPAA non-specific, but gives example of logon attempts
- (Healthcare organizations will want to audit security parameter changes, security-related events, other suspicious or unusual activity. Will need tools to do this.)
Explicit Technical Requirements
- Security event auditing (cont’d)
  - Security Rule implies also auditing at the patient level, i.e., internal to the application
- (This level of audit is not uncommon in healthcare as a deterrent to “snooping” and includes read-only access. Requires good tools for reviewing audit log to identify inappropriate patient access.)
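An added example (not from the original presentation) of the kind of review tool the slide calls for: it reads a patient-level application audit log, counts read-only access, and flags access with no treatment relationship, access to records marked for review, and unusual volume. The log format, the care-team assignments, the flagged-record list and the volume threshold are all constructed for illustration.

```python
# Added example, not part of the original deck: patient-level audit log review
# to surface likely "snooping". All data below is constructed.
from collections import defaultdict

# Constructed audit lines: timestamp, user, action, patient id
AUDIT_LOG = """\
2001-05-01T08:02 nurse_a READ P-100
2001-05-01T08:05 nurse_a READ P-101
2001-05-01T08:07 clerk_b READ P-100
2001-05-01T08:09 clerk_b READ P-300
2001-05-01T08:10 clerk_b READ P-301
2001-05-01T08:11 clerk_b READ P-302
2001-05-01T08:12 clerk_b READ P-303
2001-05-01T09:00 doc_c WRITE P-101
2001-05-01T09:30 doc_c READ P-999
"""

# Assumed treatment relationships: patients each user is assigned to
CARE_TEAM = {
    "nurse_a": {"P-100", "P-101"},
    "doc_c": {"P-101", "P-102"},
    "clerk_b": {"P-100"},
}
FLAGGED_PATIENTS = {"P-999"}   # assumed: records reviewed on any access
MAX_DISTINCT_PER_USER = 3      # assumed threshold for "unusual volume"

def parse(log: str):
    for line in log.splitlines():
        ts, user, action, patient = line.split()
        yield {"ts": ts, "user": user, "action": action, "patient": patient}

def review(log: str) -> list:
    """Return (user, reason, detail) findings. READ events count the same as
    WRITE events, since read-only snooping is the case the slide describes."""
    findings = []
    seen = defaultdict(set)
    for ev in parse(log):
        user, patient = ev["user"], ev["patient"]
        seen[user].add(patient)
        if patient not in CARE_TEAM.get(user, set()):
            findings.append((user, "no_treatment_relationship", patient))
        if patient in FLAGGED_PATIENTS:
            findings.append((user, "flagged_record", patient))
    for user, patients in seen.items():
        if len(patients) > MAX_DISTINCT_PER_USER:
            findings.append((user, "unusual_volume", str(len(patients))))
    return findings
```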
Explicit Technical Requirements
- System (and network if applicable) certification
  - Can be done internally or externally
- (Healthcare organizations will look for guidance on secure configuration of each platform, database, application.)
Explicit Technical Requirements
- Disaster recovery/business continuity plan
  - Hardware/software inventory and criticality analysis
  - Backups/restores
  - Plan tested regularly
- Virus protection
Optional or Implicit Technical Requirements
- De-identification of data
- Audit of some disclosures
- Limiting access by reason, and depending on voluntary patient authorization
- Amendment of records
Implicit Technical Controls
- Even though HIPAA doesn’t discuss password features, they should be considered implicitly required, e.g.:
  - Password minimum length control
  - Password aging
  - Password encrypted and never displayed in clear text
- Many other security features aren’t mentioned, but should be available
Healthcare Resources
“Common Criteria”
- Applying ISO standards to healthcare security products
- Forum on Privacy and Security in Healthcare [www.healthcaresecurity.org]
  - “HOST-affiliated, industry group working with the National Information Assurance Partnership (NIAP), a government agency, to provide a wide-based industry view on security issues confronting healthcare”
Health/HIPAA Resources
- “For the Record” NRC subcommittee report: www.nap.edu/readingroom/books/for
- EHNAC (Elec. Hlthcare Network Accredit. Comm.): www.ehnac.org
- AFEHCT (Assoc. for Elec. Health Care Transact.): www.afehct.org
- WEDI (Workgroup for EDI): www.wedi.org
Health/HIPAA Resources
- JHITA (Joint Healthcare IT Alliance): www.jhita.org
- AHIMA (Am. Hlth Info Mgmt Assoc.): www.ahima.org
- Health Privacy Project: www.healthprivacy.org
- Congressional bill tracking: thomas.loc.gov
Where Are Healthcare Organizations Now?
- Getting educated on HIPAA & infosec
- Getting sr management support & funding
- Getting organizational structure set
- Getting a baseline risk assessment
- Getting an information security officer