HIPAA HITECH Solutions…Not Theory
April 27, 2010
Risk Assessment
Policies and Procedures
Email Encryption
Breach Notification Plans

Presenters:
Consulting: Rebecca Herold, rebeccaherold@rebeccaherold.com, www.rebeccaherold.com
Risk Assessment: Jack Kolk, jack.k@acr2solutions.com, www.acr2solutions.com
Policies and Procedures: Jack Anderson, jack@compliancehelper.com, www.compliancehelper.com
Email Encryption: John Nail, jnail@theindustryradar.com, www.radarmail360.com
Breach Notification: Jeremy Henley, jeremy.henley@idexpertscorp.com, www.idexpertscorp.com
Page 1© Rebecca Herold. All rights reserved.
Agenda
• HIPAA / HITECH Quick Overview
• Experiences
• Requirements and common risks and problems
HIPAA is…
• On August 21, 1996, the U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA).
• The HIPAA Privacy Rule went into effect in April 2001, and gave covered entities (CEs) two years to meet compliance.
• The HIPAA Security Rule went into effect in April 2003 and CEs had until April 2005 to get into compliance.
HITECH is…
• The Health Information Technology for Economic and Clinical Health Act (HITECH) significantly expanded the reach of the HIPAA Privacy Rule and Security Rule, along with the corresponding penalties.
• HIPAA now applies to CE business associates (BAs) directly.
• HITECH includes a statutory obligation for BAs to comply with HIPAA.
• HITECH also increased the penalties for HIPAA violations.
• HITECH also requires PHI breach notification, which was not part of the original HIPAA rules.
All BAs Must Comply!
• BAs of all sizes must comply with ALL the HIPAA Security Rule & Privacy Rule and HITECH requirements
• BAs that violate the security and privacy provisions of HIPAA are subject to the same civil and criminal penalties as a covered entity
• Each security and privacy requirement in the HITECH Act that is applicable to a CE is also applicable to a BA and should be included in a BA contract
Experiences
• As an information security and privacy officer for a large healthcare insurer / financial organization: big problems with brokers and agents
• ~200 business partner information security and privacy program reviews: big problems during business associate, partner and vendor reviews
Common Risks & Problems
1. No documented assigned responsibilities
2. No documented policies, procedures, forms
3. No training or awareness communications
4. No compliance monitoring
5. Non-compliance with contractual obligations
6. Un-secure disposal
7. Inappropriate sharing and subcontracting
8. No documented incident or breach response plans
9. Lack of logs and documentation
10. No mobile computing controls
11. No use of encryption
12. No Business Continuity / Disaster Recovery Plans
Word To The Wise…Compliance is not a one-time event…
All CEs *AND* BAs must meet, and continuously stay in, compliance with all HIPAA and HITECH requirements or face stiff noncompliance remediation requirements, penalties, fines or even jail time!
Don't be foolish, maintain compliance!
Contact Information
Rebecca Herold & Associates, LLC, "The Privacy Professor"®
1408 Quail Ridge Avenue
Van Meter, Iowa 50261
Phone 515-996-2199
Web sites: www.theprivacyprofessor.com
www.compliancehelper.com
Blog: www.realtime-itcompliance.com
Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI
rebeccaherold@rebeccaherold.com
TwitterID: http://twitter.com/PrivacyProf
ACR 2 Solutions, Inc.
Simplifying Information Security Compliance
Automating Risk Assessments using the Risk Reporter Family
Lower your TCO: meet your requirements in a fraction of the time previously required
About ACR 2 Solutions
Focused on enterprise level real-time risk management software.
Simple, elegant, easy to use compliance solutions.
Tools to support regulatory laws and regulations such as: FISMA, GLBA, HIPAA, NAIC, NERC and PCI DSS.
Risk and Compliance solutions for public, private, and government organizations.
Risk and Compliance solutions that lower the total cost of (Information Security) Compliance (TCC).
• Definitions and Relationships of Terms
[Diagram: a Threat gives rise to an exploit that Exploits a Vulnerability, which Leads to a Risk; the Risk Can Damage an Asset And cause an Exposure; the Exposure Can be counter-measured by a Safeguard, which Directly Affects the Threat.]
Risk Assessment
Definition of Risk
"Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence." (NIST 800-30, page 1)
Risk Assessment – 45 CFR Part 164.308 (HIPAA) - Required for Meaningful Use Funding
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information…
GLBA, FISMA, PCI, Sarbox have similar requirements.
Calculation of Risk - NIST 800-30
Risk Score (1-100) = Probability Score (0.1-1.0) x Impact Score (10-100)
Probability = F (Threat Source, Vulnerabilities, Safeguards and IPS/AV Metrics)
Impact = F (Data Value, Vulnerabilities and Safeguards)
Manually Assess Risk: 1500 hours training, 30-60 hours/site baseline, 5-15 hours/update
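The risk formula above, carried through in code as an added example (not from the slides or from ACR 2's Risk Reporter): the H/M/L ratings map to the NIST SP 800-30 (2002) Table 3-6 values, and a small gap-style report ranks items for remediation and flags rows whose listed baseline does not equal likelihood times impact; the sample rows are constructed from the deck's score table.

```python
# Added example, not from the slides or ACR 2's product: NIST SP 800-30 (2002) risk
# scoring as the slide states it, plus a gap report that ranks items for remediation.
from dataclasses import dataclass

LIKELIHOOD = {"H": 1.0, "M": 0.5, "L": 0.1}  # probability score, 0.1-1.0 (800-30 Table 3-6)
IMPACT = {"H": 100, "M": 50, "L": 10}        # impact score, 10-100 (800-30 Table 3-6)


@dataclass
class RiskItem:
    ident: str
    threat_source: str
    vulnerability: str
    likelihood: str  # H / M / L
    impact: str      # H / M / L
    baseline: int    # score as listed in the report being checked


def risk_score(likelihood: str, impact: str) -> int:
    """Risk Score (1-100) = Probability Score (0.1-1.0) x Impact Score (10-100)."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact])


def risk_level(score: int) -> str:
    """800-30 risk scale: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    return "Medium" if score > 10 else "Low"


def gap_report(items):
    """Highest risk first; 'mismatch' flags rows whose listed baseline score
    does not equal likelihood x impact, so the report itself can be audited."""
    rows = []
    for it in items:
        score = risk_score(it.likelihood, it.impact)
        rows.append({"id": it.ident, "score": score, "level": risk_level(score),
                     "mismatch": score != it.baseline})
    return sorted(rows, key=lambda r: (-r["score"], r["id"]))


# Constructed sample rows (values copied from the deck's table).
SAMPLE = [
    RiskItem("E1", "Wind", "Roof damage", "M", "M", 25),
    RiskItem("HE5", "Human error", "Data transmission", "M", "L", 25),
    RiskItem("MO1", "Malicious outsider", "Data acquisition", "M", "H", 50),
    RiskItem("MO8", "Malicious outsider", "Internal controls", "L", "L", 1),
]

if __name__ == "__main__":
    for row in gap_report(SAMPLE):
        print(row)
```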
How Does it Work?
Three types of input to a risk assessment:
Management Data
Policy Data
Technical Controls
Technical Controls are the most difficult to answer: 630+ settings on every Windows machine, multiplied by the number of machines. Technical control data is gathered from:
SCAP Vulnerability Scanners
UTM / IPS / Firewall Syslogs
Generate the Compliance Reports
Use the 'Gap' report to prioritize remediation and put safeguards in place
Introducing Risk Reporter: Single Site Risk Assessment
Introducing Risk Reporter: Enterprise Version
ACR2 Megaprise Version: allows management of multiple Enterprise accounts (Megaprise viewing of multiple enterprise accounts)
Automated Risk Assessment
Scan typical workstations and upload SCAP data: 0.5 hours
Input policy data: 3.5 hours
Input UTM data: 0.5 hours
Request Assessment Report: 0.1 hour
Risk Scores Listed 1-100 (800-30, p25)
Calculated Risk Scores Table
ID | Threat Source | Vulnerability | Likelihood | Impact | Baseline Score
E1 | Wind | Roof damage | M | M | 25
E2 | Fire | Smoke damage | M | M | 25
E3 | Flood | Facility damage | M | M | 25
E4 | Power loss | Loss of operations | M | M | 25
E5 | Power loss | Damage to building | M | M | 25
E6 | Vehicle collision | Facility damage | M | M | 25
HE1 | Human error | Data acquisition | M | M | 25
HE2 | Human error | Data storage | M | M | 25
HE3 | Human error | Data retrieval | M | M | 25
HE4 | Human error | Data modification | M | M | 25
HE5 | Human error | Data transmission | M | L | 25
HE6 | Human error | System design | M | M | 5
HE7 | Human error | Procedure implementation | M | M | 25
HE8 | Human error | Internal controls | M | M | 25
MI1 | Malicious insider | Data acquisition | M | M | 25
MI2 | Malicious insider | Data storage | M | M | 25
MI3 | Malicious insider | Data retrieval | M | M | 25
MI4 | Malicious insider | Data modification | M | M | 25
MI5 | Malicious insider | Data transmission | M | H | 25
MI6 | Malicious insider | System design | M | M | 50
MI7 | Malicious insider | Procedure implementation | M | M | 25
MI8 | Malicious insider | Internal controls | M | H | 25
MO1 | Malicious outsider | Data acquisition | M | H | 50
MO2 | Malicious outsider | Data storage | M | H | 50
MO3 | Malicious outsider | Data retrieval | M | H | 50
MO4 | Malicious outsider | Data modification | M | H | 50
MO5 | Malicious outsider | Data transmission | M | H | 50
MO6 | Malicious outsider | System design | M | L | 50
MO7 | Malicious outsider | Procedure implementation | M | L | 5
MO8 | Malicious outsider | Internal controls | L | L | 1
[Calculated Risk Scores Graph: bar chart of the baseline scores for E1 through MO8, horizontal axis 0 to 60]
Risk Assessment Options
Task | Manual | ACR2 Automated
Training | 1000 to 1500 hrs | 2 hrs
Initial Assessment | 30-60 hrs | 3-6 hrs
Updates | 5-15 hrs | < 1 hr
Meaningful Use and ARRA
$19 billion in subsidies for firms that make "meaningful use" of certified EMRs.
Meaningful Use requires a 45 CFR part 164.308 risk assessment.
Frequently updated list of EMRs with meaningful use status on the ACR 2 website.
Contact Information
ACR 2 Solutions Office (678) 261-8181
sales@acr2solutions.com
Jack Kolk, President, (770) 904-0997
Jack.k@acr2solutions.com
Comprehensive Privacy and Information Security Program for Small CEs and BAs
Policies, Procedures, Forms
Step by Step Process, Personal Helper
Delivered over the Internet
Compliance Helper
HIPAA HITECH KEY PHRASES: "Willful Neglect", "Reasonable and Applicable", "Satisfactory Assurances"
Business Associates: Can You Prove Your Compliance?
The Compliance Meter™ Can
How Does It Know?
[Screen shot: Policies TOC with Section 1 open]
[Screen shot: Policy, edited, with cursor over Submit]
[Screen shot: Policy, Pending]
[Screen shot: Policy, Approved]
Transparency
Next Steps: Sign Up
Get Compliant, Stay Compliant, Prove Compliance
HIPAA HITECH Is Just Part of a Major Change: an Evolving Standard for Protecting Personal Information
• Identity Theft
• EHR
• Healthcare Reform
• 47 State HIPAA/Breach Laws
• Gramm-Leach-Bliley Privacy
• "Red Flag" i.e. Identity Theft Protection
• Data Encryption/Privacy Laws (MA, NV et al)
Email Encryption Assessment Criteria
1. Proven to Meet Spectrum of Legal Requirements
2. Cover Threats to the Business
• Outbound Email
• Inbound Client Communication
3. Non Disruptive / Simple to Setup and Use
4. Cost Effective i.e. "Reasonable"
Who Is ZixCorp
• Traded on Nasdaq – ZIXI
• Business is Encryption
• Impressive Client List
• Securities and Exchange Commission (SEC)
• FDIC
• Federal banking regulators (FFIEC)
• The Conference of State Bank Supervisors
• Members of the American Bankers' Association
• More than 1,000 hospitals across the United States
• More than 1,000 financial institutions
The Power of the Zix Directory
Think of the Zix Network like "In Network" and "Out of Network" in a health plan. In the health plan, cost is the differentiator. For email it is time, convenience, full HIPAA/HITECH compliant security and transparent communication.
Over 150 Health Insurers (with 100 Million+ Insured Lives), TPAs and Other Benefits Services Providers
Combining 3 Powerful Zix Tools delivered as SaaS
• Outbound - Zix Gateway: automatically encrypts outbound email via its rules based architecture. Transparent inbox to inbox solution: users do nothing special to encrypt email, the rules based system does it for them.
• Inbound - Zix Portal: users can retrieve and respond to messages, and initiate secure inbound PHI, personal data and financial communication.
• Network Access - Zix Directory: over 20 million people and 150 health plans use Zix, allowing you to connect directly to them, desktop to desktop.
How RadarMail 360 Works: Best Protection - Outbound & Inbound
Inbox to Inbox for Staff & Zix Members | Website Portal for Clients (Retrieve, Respond, Initiate) | Best Client Service
• Automatic, rules based encryption.
• The message in the recipient's inbox has a link to your Portal; "Click here" takes the user to a secure portal embedded in your website, reinforcing your brand and web tools.
• User retrieves, responds, attaches files etc. in the message center.
• Branded with your logo and accessible from your website.
• Clients also log in to initiate communication, securely send files etc., eliminating the risk of breach via normal email.
• Encrypted responses go right to your team's or a Zix Network member's inbox transparently.
• Blackberry encryption built in.
• Non Zix users get an email like the one shown on the slide.
• Inbox to inbox encryption to any Zix Member Network user.
Other Communication Services
www.theindustryradar.com | jnail@theindustryradar.com | 404-418-5550
Delivering Positive Outcomes
COMPLETE DATA BREACH CARE
DATA BREACH LIFECYCLE
Healthcare Data Breach Solutions 2
PREVENT
REMEDIATE
WHY IS IT DIFFICULT TO ACHIEVE A POSITIVE OUTCOME?
» Data breaches are complex events. Challenges can include:
• Diversity in demographics and needs of affected patients
• Complexity of HITECH and state legal statutes
• Making sense of products available and efficacy for addressing PHI identity theft needs
• Inexperience in communicating with the attorney general with jurisdiction
• Difficulty in coordinating diverse legal, reputational, privacy, patient and operational constituencies and issues
• Lack of resources in an already overwhelmed medical system
HEALTHCARE DATA BREACH: CREDIT MONITORING INSUFFICIENT
» For a positive outcome, you need to provide a complete patient solution:
• Credit Monitoring: necessary but not sufficient to address the financial side of identity theft
• Healthcare Identity Protection Toolkit: proprietary ID Experts tools to enable breach victims to address medical identity theft issues
• ID theft cyber-monitoring technology: protect patients from identity theft issues in the online world where IDs are bought and sold
• Fully-managed identity restoration services: if patients fall victim to identity theft, have their problems solved by certified experts
THANK YOU
» Jeremy Henley
» Director of Breach Protection
» 760-304-4761
» jeremy.henley@idexpertscorp.com
» www.idexpertscorp.com