CyberSheath Healthcare Compliance Paper
www.cybersheath.com
Bridging the HIPAA/HITECH Compliance Gap
Security insights that help covered entities and business associates achieve compliance
CyberSheath - Bridging the HIPAA/HITECH Compliance Gap
According to the 2014 Healthcare Breach Report by Bitglass [1], the healthcare industry accounts for 44% of all reported breaches over the past 18 years, with costs per HIPAA violation of up to $50,000 and $1,500,000 for recurring violations. These breaches risk the medical and financial well-being of breach victims and the credibility and future business of healthcare providers.
As a result, federal and state governments are responding to the growing public concern with stronger compliance regulations. The most sweeping of these regulations is the long-awaited Health Insurance Portability and Accountability Act (HIPAA) Final Omnibus Rule [2]. The Omnibus Rule represents landmark legislation that impacts nearly every aspect of healthcare data security and patient privacy. It consists of four rules:
1. Modification of the HIPAA Privacy, Security, and Enforcement Rules to include HITECH requirements
2. Modification of the Breach Notification Rule
3. Modification of the HIPAA Privacy Rule regarding the Genetic Information Discrimination Act of 2008
4. Additional modifications to the HIPAA Rules
These rules increase the privacy and security protections available under HIPAA by strengthening security standards, expanding the scope of accountability, offering financial incentives for achieving compliance, and imposing steep penalties for non-compliance.
The History of HIPAA and HITECH
HIPAA was signed into law in 1996 to help protect against the breach of personal medical information. It introduced a set of standards for medical privacy that went into effect over the next 10 years. The American Recovery and Reinvestment Act (ARRA), signed into law in February 2009, raised the bar for cybersecurity with the Health Information Technology for Economic and Clinical Health Act (HITECH), which at the time experts called “the biggest change to the healthcare privacy and security environment since the original HIPAA privacy rule.”
[1] 2014 Healthcare Breach Report by Bitglass, http://pages.bitglass.com/healthcare-breach-report.html
[2] The Final Rule can be found at: www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
The figure below, created by the team at ID Experts, illustrates HIPAA’s evolution since its start.
[Figure: timeline of HIPAA’s evolution, created by ID Experts; image not reproduced in this text]
HITECH’s Impact on HIPAA
- Specific thresholds, response timeline, and methods of breach victim notification.
- Expansion of contractual obligation for security and privacy of PHI to subcontractors of business associates.
Broader Accountability
Organizations that are subject to HIPAA are referred to as “covered entities”. The obligation extends to the organizations that deliver services to covered entities; these are known as “business associates” and, per the HITECH Act, include:
- Healthcare providers such as doctors, hospitals, etc.
- Healthcare insurance and health plan clearinghouses
- Businesses that self-insure
- Businesses that sponsor a group health plan and assist their employees with medical coverage
- Businesses that deliver services to other healthcare providers
HITECH also introduced:
- A new definition of business associates and extension of the HIPAA privacy and security requirements to include business associates.
- Explicit authority for state Attorneys General to enforce HIPAA Rules and to pursue HIPAA criminal and civil cases against HIPAA covered entities (CEs), employees of CEs, or their business associates.
- Tiered increase in penalties for violations of these rules, some of them mandatory, with potential fines ranging from $25,000 to as much as $1.5 million, effective immediately.
- Provisions for more aggressive enforcement by the federal government.
Furthermore, per these regulatory laws, covered entities and business associates are required to ensure the following safeguards to protect patient data (electronic protected health information, or ePHI) in order to achieve compliance:
- Administrative safeguards to protect the integrity, confidentiality and availability of ePHI
- Physical safeguards to protect the integrity, confidentiality and availability of ePHI
- Technical safeguards to protect the integrity, confidentiality and availability of ePHI
Countdown to Compliance
The HITECH Act was signed into law in 2009 and increases the use of Electronic Health Records (EHR) by physicians and hospitals. The Medicare EHR Incentive Program began in 2011, through which eligible healthcare providers are offered financial incentives for adopting, implementing, upgrading or demonstrating meaningful use of EHR. The incentive payments will continue through 2016, which is the last year to begin participation in the program. Incentives will be offered until 2015, after which time penalties may be levied for failing to demonstrate meaningful use. Covered entities and business associates that struggled to reach compliance with HIPAA now face an even greater challenge with HITECH.
HIPAA / HITECH Compliance Requirements
Compliance Requirement Breakdown
Covered entities and business associates must abide by the following list of requirements:
1. Breach Notification Policy: Defines how the covered entity will respond to security and/or privacy incidents, or suspected privacy and/or security incidents, that result in a breach.
2. Security Management Process: Describes the processes the organization implements to prevent, detect, contain and correct security violations relative to its ePHI.
3. Risk Analysis: Discusses what the organization should do to identify, define and prioritize risks to the confidentiality, integrity and availability of its ePHI.
4. Risk Management: Defines what the organization should do to reduce the risks to its ePHI to reasonable and appropriate levels.
5. Sanction Policy: Indicates the actions to be taken against employees who do not comply with organizational security policies and procedures.
6. Information System Activity Review: Describes processes for regular organizational review of activity on its information systems containing ePHI.
7. Assigned Security Responsibility: Describes the requirements for the responsibilities of the Information Security Officer.
8. Workforce Security: Describes what the organization should do to ensure that ePHI is accessed only by employees who have been appropriately authorized.
9. Authorization and/or Supervision: Identifies what the organization should do to ensure that all employees who can access its ePHI are appropriately authorized or supervised.
10. Workforce Clearance Procedure: Reviews what the organization should do to ensure that employee access to its ePHI is appropriate.
11. Termination Procedures: Defines what the organization should do to prevent unauthorized access to its ePHI by former employees.
12. Information Access Management: Indicates what the organization should do to ensure that only appropriate and authorized access is made to its ePHI.
13. Access Authorization: Defines how the organization provides authorized access to its ePHI.
14. Access Establishment and Modification: Discusses what the organization should do to establish, document, review and modify access to its ePHI.
15. Security Awareness & Training: Describes elements of the organizational program for regularly providing appropriate security training and awareness to its employees.
16. Security Reminders: Defines what the organization should do to provide ongoing security information and awareness to its employees.
17. Protection from Malicious Software: Indicates what the organization should do to provide regular training and awareness to its employees about its process for guarding against, detecting and reporting malicious software.
18. Log-in Monitoring: Discusses what the organization should do to inform employees about its process for monitoring log-in attempts and reporting discrepancies.
19. Password Management: Describes what the organization should do to maintain an effective process for appropriately creating, changing and safeguarding passwords.
20. Security Incident Procedures: Discusses what the organization should do to maintain a system for addressing security incidents that may impact the confidentiality, integrity or availability of its ePHI.
21. Response and Reporting: Defines what the organization should do to be able to respond effectively to security incidents involving its ePHI.
22. Contingency Plan: Identifies what the organization should do to be able to respond effectively to emergencies or disasters that impact its ePHI.
23. Data Backup Plan: Discusses organizational processes to regularly back up and securely store ePHI.
24. Disaster Recovery Plan: Indicates what the organization should do to create a disaster recovery plan to recover ePHI that was impacted by a disaster.
25. Emergency Mode Operation Plan: Discusses what the organization should do to establish a formal, documented emergency mode operations plan to enable the continuance of crucial business processes that protect the security of its ePHI during and immediately after a crisis situation.
26. Testing and Revision Procedure: Describes what the organization should do to conduct regular testing of its disaster recovery plan to ensure that it is up-to-date and effective.
27. Applications and Data Criticality Analysis: Reviews what the organization should do to have a formal process for defining and identifying the criticality of its information systems.
28. Evaluation: Describes what the organization should do to regularly conduct a technical and non-technical evaluation of its security controls and processes in order to document compliance with its own security policies and the HIPAA Security Rule.
29. Business Associate Contracts and Other Arrangements: Describes how to establish the agreements that should exist between the organization and its various business associates that create, receive, maintain or transmit ePHI on its behalf.
30. Facility Access Controls: Describes what the organization should do to appropriately limit physical access to the information systems contained within its facilities, while ensuring that properly authorized employees can physically access such systems.
Getting the Right Resources and Skills
The healthcare industry’s migration to Electronic Health Records (EHR) will enable providers to deliver better care more efficiently, but cybersecurity will become a critical success factor in every health organization’s future. Everyone stands to gain in this prodigious shift and no one can afford to lose.
It can often become overwhelming for a healthcare provider to ensure that all systems and processes meet the criteria for HIPAA and the HITECH Act. Even when the minimum criteria are met, it doesn’t necessarily mean that PHI is secure. Covered entities and business associates must partner with established and proven cybersecurity services providers who can ensure their migration, implementation, operations, and maintenance fulfil their promises. Covered entities and business associates should look for the following key skill-sets and resources when evaluating potential partnerships for cybersecurity services:
- Professional services that go beyond technical proficiency
- A “healthcare-friendly” partner with a proven track record
- An ability to work seamlessly with other integrators, as well as plug into existing programs
- An appropriate infrastructure with true physical isolation, from hardened facilities to data vaults
- A Defense-in-Depth approach that includes physical and logical access and policy controls
- Multiple facility fail-over provisions that support the organization’s plan across regions
- Continuous monitoring, including operational and security staffing that’s 24x7x365
- Third Party Attestation for Vendor Compliance in HIPAA, FISMA, PCI DSS, and DIACAP
Achieving HIPAA and HITECH Compliance with CyberSheath
At CyberSheath, we understand the cybersecurity challenges covered entities and business associates face in ensuring ePHI is protected, and we give our customers the confidence that they are able to comply with HIPAA/HITECH obligations. Our industry-leading security services help covered entities and business associates understand their regulatory responsibilities and achieve compliance.
Mapping CyberSheath’s Security Services to the HIPAA and HITECH Security Standards & Rules
HIPAA Security Standards and Rules: Business Associate Contracts and Other Arrangements (§ 164.308(b)(1)), (§ 164.314(a)(1))
CyberSheath Service Delivery Outcomes: Third Party Security and Oversight
- Identification of Critical Vendors
- Vendor Security Due Diligence Program
- Documentation Review Process

HIPAA Security Standards and Rules: Contingency Plan (§ 164.308(a)(7)); Access Control (§ 164.312(a)(1))
CyberSheath Service Delivery Outcomes: Business Continuity Management
- Cradle to Grave Data Backup Process
- Business Impact Analysis Process
- Disaster Recovery Planning and Testing
- Recovery Time Objectives for Critical Functions

HIPAA Security Standards and Rules: Security Management Process (§ 164.308(a)(1)); Assigned Responsibility (§ 164.308(a)(2)); Security Incident Procedures (§ 164.308(a)(6))
CyberSheath Service Delivery Outcomes: Security Operations
- Contextual Access Controls
- Cradle to Grave Patch Management
- Efficient Asset Management
- Intrusion Detection and Endpoint Protection

HIPAA Security Standards and Rules: Facility Access Controls (§ 164.310(a)(1)); Workstation Use (§ 164.310(b)); Workstation Security (§ 164.310(c))
CyberSheath Service Delivery Outcomes: Physical Security
- Holistic Environment Protections
- Reliable Facility Access Control Capability
- Geographical Risks for Critical Assets
HIPAA Security Standards and Rules: Workforce Security (§ 164.308(a)(3)); Security Awareness and Training (§ 164.308(a)(5))
CyberSheath Service Delivery Outcomes: Human Resource Security
- Secure Hire and Term Processes
- Security Awareness Training
- Specialized Training for Security Organization
- Increased Resiliency with Insider Threats

HIPAA Security Standards and Rules: Access Control (§ 164.312(a)(1)); Audit Controls (§ 164.312(b)); Integrity (§ 164.312(c)(1)); Person or Entity Authentication (§ 164.312(d))
CyberSheath Service Delivery Outcomes: Security Architecture
- Infrastructure Design and Review Process
- System Hardening for At-Risk / Critical Assets
- Least Privilege Model Enforcement
- Robust Identity Management Capability
- Optimized Deployment of Security Tools

HIPAA Security Standards and Rules: Security Management Process (§ 164.308(a)(1)); Assigned Responsibility (§ 164.308(a)(2)); Security Incident Procedures (§ 164.308(a)(6)); Evaluation (§ 164.308(a)(8)); Audit Controls (§ 164.312(b)); Policies and Procedures (§ 164.316(a)); Documentation (§ 164.316(b)(1))
CyberSheath Service Delivery Outcomes: Comprehensive Cybersecurity Program
- Process Alignment
- Strategic Security Roadmap
- Defined Security Organization Hierarchy
- Established Security Policies and Standards
- Custom-fit Security Programs and Capabilities
- Clear and Concise Security Metrics and Reporting
Cybersecurity Beyond Compliance
Checking the right boxes on your annual compliance audit does not mean you are immune from data breaches. Security must go beyond compliance, and our comprehensive suite of security services and solutions far exceeds the required mandates. We integrate your compliance and threat mitigation efforts to eliminate redundant security practices and increase security operations efficiency. Our services are delivered by some of the best experts in the industry, who will work closely with you to understand your unique challenges and provide pragmatic security solutions that tangibly address your specific risks.
© Copyright 2015 CyberSheath, for permission to reproduce, please contact CyberSheath at [email protected]
About CyberSheath
Co-founded by a Chief Information Security Officer for a Global Fortune 500
company & Chief Executive Officer for an Inc. 500 company, CyberSheath applies
business discipline to cyber security, enabling our customers to measure risk, meet
compliance goals, prioritize investments, and improve overall security posture.
We’ve built a global network of best-in-class partners that we leverage as a force multiplier to deliver pragmatic, end-to-end solutions for our customers. Having been in the trenches as security practitioners and business executives, CyberSheath goes beyond the WHAT (best practices) and delivers the HOW (measurable results).