healthcare privacy and security trends 2012-2013 - hipaa cow
TRANSCRIPT
1
Healthcare Privacy and Security Landscape in 2012-2013
Cliff Baker, Managing Partner - Meditology Services
Agenda
Privacy and Security in Healthcare - It’s more than just data
What’s making privacy and security such a challenge
Tackling the challenges in 2013
2
Privacy & Healthcare—IOM ‘Quality Chasm’
Safety
• Information for clinical decisions is accurate
Efficiency
• Physicians get access to the information that they need when they need it
Patient-Centeredness
• Patients provide information when they trust that their privacy is maintained
Effectiveness
• Unintended changes are minimized
Timeliness
• Clinical information is available in a timely manner
Equity
• Bias is not instituted due to inappropriate sharing of information
3
Quality. Institute of Medicine’s (IOM) 6 Aims. The IOM has recommended 6 aims for “Crossing the Quality Chasm.”
Privacy and Security in Healthcare
The stakes are high as the Institute of Medicine (IOM) highlights in its recent publication related to privacy:
‒ “breaches of an individual’s privacy and confidentiality may affect a person’s dignity and cause irreparable harm” and “[unauthorized disclosures] can result in stigma, embarrassment, and discrimination.”
IOM: Beyond the HIPAA Privacy Rule—Enhancing Privacy, Improving Health Through Research, February 4, 2009
4
The Hippocratic Oath
I swear by Apollo, the healer, Asclepius, Hygieia, and Panacea, and I take to witness all the gods, all the goddesses, to keep according to my ability and my judgment, the following Oath and agreement:
‒ To consider dear to me, as my parents, him who taught me this art; to live in common with him and, if necessary, to share my goods with him; To look upon his children as my own brothers, to teach them this art.
‒ I will prescribe regimens for the good of my patients according to my ability and my judgment and never do harm to anyone. …
‒ All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal.
5
Understanding Industry Trends
Regulatory and Compliance Environment
Healthcare Reform
Breaches
Fraud
Technology
6
Regulatory and Compliance Environment
(Diagram: stakeholders around the healthcare organization: Software Developers, Regulators, Auditors, Investors, Underwriters, Customers, Vendors & Partners. Resulting pressures: Inconsistency, Inefficiency, Increasing Costs, Greater Risk.)
‒ Increasing breaches
‒ Greater oversight, scrutiny both internally and externally
‒ Numerous and ambiguous federal and state regulations
‒ Rapidly changing business, technology and regulatory environment
‒ Inability or failure to implement security in devices and applications
‒ Ineffective and inefficient compliance management
‒ Limited guidance and inconsistent expectations for security
Source: HITRUST LLC, Frisco, TX
7
Regulatory Environment
Meaningful Use
‒ Stage 2
HIPAA Enforcement
‒ Office for Civil Rights
‒ State Enforcement
Interconnectivity Requirements
Healthcare Reform
8
Meaningful Use - Impact
Progress on Stage 1 risk assessment results, areas of focus:
− Physical Safeguards
• Facility access and data storage
• Workstation use and security
• Device and media controls
− Administrative Safeguards
• Identify relevant information systems
• Conduct a risk assessment
• Implement a risk management program
• Implement policies and procedures to prevent, detect and correct security violations
− Technical Safeguards
• Automatic log off policies and use of encryption
• Access Control and Audit controls
9
U.S. Department of Health and Human Services
Meaningful Use - Impact
Breakdown of Privacy & Security Requirements
Objectives (Stage 1 and Stage 2): Improve Quality, Safety, Efficiency & Reduce Health Disparities
Stage 1 Measures:
• Access Control
• Conduct/Review a security risk analysis
• Implement security updates
• Identify security deficiencies as part of the risk management process
• Apply and enable audit logs
Stage 2 Measures:
• Access Control
• Authentication
• Authorization of access
• Audit reporting
• Automatic log-off system
• Encryption of data at rest
• Data integrity
• Accountability and log of disclosure
10
Meaningful Use - Impact: Other Stage 2 Requirements
Patient Portals
‒ Managing access
• Create appointment
• Request prescription refills
• Access their medical records
‒ Privacy requirements
• Consider monitoring patient log-in activity
• Consider 2-step patient login verification
‒ Disclosure requirements
• Health summaries—including procedures
• Test results—including lab
• Medication list
• Allergies list—including medications
• Immunizations
11
HIPAA Enforcement - Impact
OCR Audits
‒ Audit Protocol Standards: 77 Security, 78 Privacy & 10 Breach Notification
‒ They’ll continue in 2013
‒ Preliminary issues identified
• Lack of written policies and procedures
• Missing BA contracts
• Improper use and disclosure of information concerning deceased patients
• Failure to verify the identity of the person requesting health information
• Improper disclosures in response to judicial subpoenas and administrative requests
• Denials of patients’ access to their own records
• Lack of ongoing privacy training
• Minimal monitoring of employees’ access to electronic patient records
• Lack of contingency plans in cases of emergencies in order to access electronic records
12
Impact of State Law
Examples of more stringent state law that would not be preempted:
‒ More stringent breach notification
‒ Mandatory opt-in/opt-out
‒ Required notice to patients of HIE
‒ Additional authorization requirements
‒ More limited provisions on research disclosures
‒ Encryption requirements
‒ Increased protections for sensitive information (HIV, Genetics, STDs)
13
Breaches
In 2011-2012, the most common healthcare industry breaches originated from:
‒ Hacking/IT incidents
‒ Theft
‒ Improper Disposal
‒ 28% of breaches implicated a BA
Breach Statistics:
‒ As of August 2012, there are 487 reported breaches posted on the HHS website
‒ Cost of Breach is estimated at $194 per record (Ponemon Institute)
‒ Estimated cost of all breaches is $4.1 trillion and increasing
‒ Estimated total number of affected individuals is over 21 million (21,247,855) nationally
14
Breaches
15
HHS Healthcare Industry - Breach Areas
Health Organization Type Number of Individuals Affected
Education Institution 195,206
Financial Services 9,500
Government Agency 1,795,121
Hospice / Home Health Organization 26,705
Hospital / Provider Network 7,022,107
Insurance Plan 10,745,202
Laboratory 18,089
Physician Practice 1,295,636
Retailer 14,140
Supplies Vendor 101,973
Pharmacy 20,285
Research Institute 3,891
Grand Total 21,247,855
Breaches
16
(Pie chart: Healthcare Breach Types, by share of the 487 reported breaches: Hacking/IT Incident, Improper Disposal, Incorrect Mailing, Loss, Misdirected Email, Other, Phishing Scam, Theft, Unknown.)
Out of 487 reported breaches, the most common breaches result from: Hacking/IT incidents, Theft, and Improper Disposal (HHS Website).
Healthcare Reform
Incentives for Managed Care
Accountable Care Organizations
Acquisitions
New Business Relationships
17
Healthcare Reform - Impact
New organizational models and new business relationships
Significant dependency on data and analytics
Integrating new organizations
High political stakes will drive enforcement
New payment and incentive models promote data sharing across the continuum of care
18
Healthcare/Medicare Fraud
Fraud by healthcare providers costs federal and state governments billions of dollars every year.
Often the people who commit fraud are the same ones we rely on to provide us with medical care:
‒ Doctors, physical therapists and other medical practitioners and their administrative staff
‒ Hospitals, nursing homes, assisted living centers
‒ Pharmacies and pharmacists
‒ Insurance companies
‒ Medical equipment suppliers
19
"Healthcare/Medicare/Medicaid Fraud." Whistleblower Lawyers : Atlanta : Washington, DC : Oklahoma.
Healthcare/Medicare Fraud - Significant issue
Medicare fraud case: October 4, 2012
‒ Approximately $430 Million in False Billing:
• $230 million in home health care fraud
• $100 million in mental health care fraud
• $49 million in ambulance transportation fraud
• Millions more in other frauds
‒ Medicare Fraud Strike Force operations in seven cities have led to charges against 91 individuals:
• Doctors
• Nurses
• Other licensed medical professionals
20
"Medicare Fraud Strike Force Charges 91 Individuals for Approximately $430 Million in False Billing." FBI.
Cybercrime
Healthcare organizations are a newly favored target among cybercriminals because of the wealth of personal data they collect which can be monetized.
Fraud resulting from exposure of health data versus other kinds of sensitive information increased year upon year.
Criminals were able to exploit information from medical records to commit fraud for four times longer as compared to other types of identity theft.
Information contained in medical records has much broader utility, can be used to commit multiple types of fraud or identity theft, and does not change, even if compromised.
The value of personal data to a cybercriminal is much higher than a credit card or bank account number.
RSA White Paper: Cybercrime and the Healthcare Industry
21
Cybercrime: Why Steal Healthcare Data?
Harder to detect:
‒ Medical information fraud takes more than twice as long to identify as compared to regular identity theft
‒ Victims cannot delete or change their personal information, medical records or history of prescription use
‒ Healthcare organizations are considered “soft targets” when compared to banking and other regulated industries
It pays:
‒ The World Privacy Forum has reported that the street cost for stolen medical information is $50, versus $1 for a stolen Social Security number
‒ The average payout for a medical identity theft is $20,000, compared to $2,000 for a regular identity theft.
RSA White Paper: Cybercrime and the Healthcare Industry
22
Cybercrime: How to Use Healthcare Data
Cybercriminals target not just consumer data but also information from healthcare providers, insurers, and pharmaceutical manufacturers and distributors.
One of the ways in which cybercriminals are committing healthcare fraud is by filing false patient claims to insurers and government agencies that provide health services.
Another example is simply selling data on individual medical records in the black market.
There is also a demand for pharmaceutical data, which cybercriminals can use to order prescriptions at multiple pharmacies and then attempt to resell the medicine online.
Physicians’ information is also valuable to cybercriminals because they can use it to write fake prescriptions to facilitate schemes involving the purchase and resale of prescription drugs.
RSA White Paper: Cybercrime and the Healthcare Industry
23
Cybercrime—Example (i)
(Screenshot: a cybercriminal seeking data that will enable him/her to file false medical claims.)
RSA White Paper: Cybercrime and the Healthcare Industry
24
Cybercrime—Example (ii)
(Screenshot: a post in the underground seeking buyers for the medical records of over 6,500 patients.)
RSA White Paper: Cybercrime and the Healthcare Industry
25
Technology – Impact
Rapid adoption of new technology
Data, data everywhere
Mobile computing
Sourced technology
Patient portals
Physician portals / Health Information Exchanges
26
Focus areas 2013
Alignment of Privacy and Security
Move towards standards
Incident response
Acquisitions
Business Associate compliance / vendor management
Social media policy and monitoring processes
Meaningful Use – Stage 2
Solution Deployments
‒ Encryption
‒ Identity Management
‒ Data Loss Prevention
‒ Mobile Device Security / BYOD
‒ Cloud Computing
‒ Vendor Management
27
Alignment of Privacy & Security
There is broad interest across the industry and within government to explore governance models that more closely align privacy and security functions than was historically the case in many healthcare organizations.
An example of an organizational structure for aligning privacy and security governance responsibilities. NOTE: A grey box represents shared responsibilities outside, or in addition to, privacy and security (e.g., guidance from Legal for Regulatory Compliance).
28
BAA / Vendor Compliance
An effective vendor risk management program is comprised of four key steps:
1. Profile—classify vendors by inherent risk (likelihood of a breach + impact to the organization) to determine where to focus
2. Conduct Due Diligence—additional due diligence (self-assessment questionnaires, remote assessments, on-site audits) should be performed for high risk vendors
3. Mitigate Risk—develop and agree to a corrective action plan with the vendor and formally document accepted risk
4. Monitor Risk—periodically check up on vendors to determine changes in risk
29
(Cycle diagram: Profiling → Conducting Due Diligence → Mitigating Risk → Continuous Monitoring)
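The four steps above can be run as a small program: score inherent risk from likelihood and impact, let the tier decide how much due diligence is owed, record corrective actions and formally accepted risk, and flag vendors whose periodic check-up is overdue. This is an added illustration, not Meditology's or HITRUST's tooling; the 1-to-4 scales, tier thresholds, due-diligence activities, review intervals and the sample vendors are all constructed assumptions.

```python
"""Vendor risk tiering that walks the four steps on the slide: profile by
inherent risk, scale due diligence to the tier, record mitigation or accepted
risk, and schedule monitoring. Added illustration; every scale, threshold and
interval below is an assumption, not an industry-standard value."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Step 1 inputs: ordinal likelihood (how much PHI the vendor touches) and impact
# (how many records would be exposed). Both scales are assumed, 1 = low, 4 = high.
LIKELIHOOD = {"none": 1, "limited": 2, "moderate": 3, "extensive": 4}
IMPACT = {"few": 1, "thousands": 2, "tens_of_thousands": 3, "hundreds_of_thousands": 4}

# Step 2: due-diligence activities by tier; Step 4: re-review interval in days (assumed).
DUE_DILIGENCE = {
    "low": ["contract security clauses"],
    "medium": ["self-assessment questionnaire"],
    "high": ["self-assessment questionnaire", "remote assessment"],
    "critical": ["self-assessment questionnaire", "remote assessment", "on-site audit"],
}
REVIEW_INTERVAL_DAYS = {"low": 730, "medium": 365, "high": 180, "critical": 90}
AS_OF = date(2012, 12, 1)   # reporting date used by the sample run


@dataclass
class Vendor:
    name: str
    phi_access: str                # key of LIKELIHOOD
    records_in_scope: str          # key of IMPACT
    findings: list = field(default_factory=list)        # corrective actions agreed with the vendor
    accepted_risks: list = field(default_factory=list)  # formally documented accepted risk
    last_review: Optional[date] = None


def inherent_risk(v: Vendor) -> int:
    """Step 1: likelihood x impact on the assumed 1..4 scales, giving 1..16."""
    return LIKELIHOOD[v.phi_access] * IMPACT[v.records_in_scope]


def tier(v: Vendor) -> str:
    score = inherent_risk(v)
    if score >= 12:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def due_diligence_plan(v: Vendor) -> list:
    """Step 2: the activities owed to this vendor given its tier."""
    return list(DUE_DILIGENCE[tier(v)])


def mitigate(v: Vendor, finding: str, action: str, accept: bool = False) -> None:
    """Step 3: either agree a corrective action or formally accept the risk."""
    if accept:
        v.accepted_risks.append({"finding": finding, "rationale": action})
    else:
        v.findings.append({"finding": finding, "corrective_action": action, "closed": False})


def close_finding(v: Vendor, finding: str) -> bool:
    for f in v.findings:
        if f["finding"] == finding and not f["closed"]:
            f["closed"] = True
            return True
    return False


def review_due(v: Vendor, today: date) -> bool:
    """Step 4: a vendor is due when never reviewed or past its tier's interval."""
    if v.last_review is None:
        return True
    return today - v.last_review >= timedelta(days=REVIEW_INTERVAL_DAYS[tier(v)])


def monitoring_report(vendors: list, today: date) -> dict:
    """One row per vendor for the periodic check-up."""
    return {
        v.name: {
            "tier": tier(v),
            "review_due": review_due(v, today),
            "open_findings": sum(1 for f in v.findings if not f["closed"]),
            "accepted_risks": len(v.accepted_risks),
        }
        for v in vendors
    }


# Constructed sample vendors (not real organisations).
SAMPLE_VENDORS = [
    Vendor("Claims clearinghouse", "extensive", "hundreds_of_thousands", last_review=date(2012, 1, 15)),
    Vendor("Transcription service", "moderate", "thousands", last_review=date(2012, 9, 1)),
    Vendor("Landscaping contractor", "none", "few", last_review=date(2011, 6, 1)),
]

if __name__ == "__main__":
    v = SAMPLE_VENDORS[0]
    mitigate(v, "backups not encrypted", "encrypt backup media by end of Q1")
    mitigate(v, "shared administrator account", "compensating control: logged jump host", accept=True)
    for name, row in monitoring_report(SAMPLE_VENDORS, AS_OF).items():
        print(name, row)
```

The multiplication of two ordinal scales is the simplest reading of the slide's "likelihood + impact"; a real program would replace the scale keys with the questionnaire answers it actually collects and keep the thresholds under change control, since they decide which vendors get an on-site audit.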
Social Media
30
Marketing and patient engagement strategies continue to drive adoption
Privacy incidents highlight need for continued policy development and education
‒ “Nurse posts pictures of patient list to Facebook”
‒ “Hospital worker fired over Facebook comments about patient”
Policies should emphasize that regulations apply to all media types, including social media
Malware campaigns via social media are quick, efficient, and far-reaching
New web filtering and DLP technologies support more granular protections
Hospitals are monitoring social media for both marketing and privacy considerations
Regulatory and Compliance Environment
(Diagram of overlapping standards and regulations:)
COBIT
NIST
ISO 27001/2
FTC Red Flags
PCI
HIPAA Security
HITECH Act
Sarbanes-Oxley
States
GLBA
Source: HITRUST LLC, Frisco, TX
31
Principles—Standards & Regulations Coverage
(Diagram: each standard or regulation placed by scope of coverage on “What” and “How” axes: COBIT, NIST, ISO 27001/2, FTC Red Flags, PCI, HIPAA Security, HITECH Act, Sarbanes-Oxley, States, GLBA.)
Source: HITRUST LLC, Frisco, TX
32
Principles—Standards & Regulations Overlap (i)
(Diagram of overlapping coverage:)
ISO 27001/2
FTC Red Flags
PCI
COBIT
NIST
HIPAA Security
HITECH Act
States
Source: HITRUST LLC, Frisco, TX
33
Identity Management
Challenges healthcare organizations are facing:
‒ Using shared accounts
‒ Tracking multiple user IDs
‒ Provisioning and De-provisioning user accounts
‒ Implementing strong authentication
‒ Logging and Monitoring access
Solutions:
‒ Identity and Access Management Solutions
• Allow for the automatic provisioning and de-provisioning of user accounts, as well as enhanced reporting and reduction of administrative overhead in managing user accounts.
‒ Single Sign-on (SSO)
• Gathering credentials from a user once and authenticating to multiple disparate systems without prompting the user for additional authentication information.
34
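The challenges listed above (shared accounts, one person with several user IDs, accounts left behind after termination, gaps in monitoring) are exactly what a reconciliation between the HR roster and the account exports of each system surfaces. The following is an added example, not Meditology's method or any IAM product's feature; the roster, the two system exports and the field names are constructed for the illustration.

```python
"""Account reconciliation against HR: finds accounts to de-provision, staff
without accounts, shared logins with no accountable owner, dormant accounts,
and people carrying several user IDs across systems. Added illustration;
the data and field names are constructed assumptions."""
from collections import defaultdict

# Constructed HR roster: the authoritative list of who should hold access.
HR_ROSTER = [
    {"emp_id": "E100", "name": "A. Rivera", "status": "active"},
    {"emp_id": "E200", "name": "J. Smith", "status": "terminated"},
    {"emp_id": "E300", "name": "M. Chen", "status": "active"},
]

# Constructed account export from two clinical systems. emp_id None marks an
# account that is not tied to a person, i.e. a shared or generic login.
ACCOUNTS = [
    {"system": "EHR", "user_id": "arivera", "emp_id": "E100", "last_login": "2012-11-28"},
    {"system": "PACS", "user_id": "rivera_a", "emp_id": "E100", "last_login": "2012-11-20"},
    {"system": "EHR", "user_id": "jsmith", "emp_id": "E200", "last_login": "2012-10-02"},
    {"system": "EHR", "user_id": "nursestation3", "emp_id": None, "last_login": "2012-11-30"},
]


def reconcile(roster: list, accounts: list, dormant_before: str = "2012-10-15") -> dict:
    """Compare the account export against HR and return the work list for the
    access team. Dates are ISO strings, so plain string comparison orders them."""
    active = {r["emp_id"] for r in roster if r["status"] == "active"}
    ids_by_emp = defaultdict(set)
    report = {"deprovision": [], "provision": [], "shared": [], "dormant": [], "multiple_ids": {}}
    for a in accounts:
        label = f'{a["system"]}:{a["user_id"]}'
        if a["last_login"] < dormant_before:          # monitoring: account not used recently
            report["dormant"].append(label)
        if a["emp_id"] is None:                        # shared account: nobody is accountable
            report["shared"].append(label)
            continue
        ids_by_emp[a["emp_id"]].add(a["user_id"])
        if a["emp_id"] not in active:                  # terminated, or unknown to HR entirely
            report["deprovision"].append(label)
    report["provision"] = sorted(active - set(ids_by_emp))   # active staff with no account at all
    for emp, ids in ids_by_emp.items():
        if len(ids) > 1:                               # one person, several user IDs to track
            report["multiple_ids"][emp] = sorted(ids)
    return report


if __name__ == "__main__":
    for key, value in reconcile(HR_ROSTER, ACCOUNTS).items():
        print(f"{key:13s} {value}")
```

Run on a schedule, the "deprovision" list is the de-provisioning gap an IAM connector would close automatically, and the "multiple_ids" map is the mapping table a single sign-on deployment needs before it can link one authenticated person to each of their system accounts.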
Data Loss Prevention
Designed to detect and alert security, privacy, and compliance teams of the unauthorized use and transmission of sensitive information (PHI, SSNs, etc.)
Shifts focus from reactive detection and breach notification to breach prevention
Goal is to curb user behavior via real-time alerts and enhance overall privacy and security culture
Provides protection for sensitive data at rest, in use, and in transit including:
‒ Emails
‒ File transfers
‒ Internet and web
‒ Servers, file shares, databases and other storage
‒ USB flash drives and external media
35
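What "detect and alert" means in practice is content inspection plus a per-channel decision: look inside the email, file or transfer for identifiers such as SSNs or record numbers, and block when the data is leaving the organization or alert when it is moving internally. The block below is an added example of that logic, not any DLP product's rule set; the MRN format, the internal mail domain and the four sample events are constructed assumptions.

```python
"""DLP-style content inspection and real-time decision. Added illustration;
the MRN pattern, domain list and sample events are constructed, and the
policy (block external, alert internal) is one reasonable choice, not a rule."""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Assumed local medical record number format: the literal "MRN" then 6 to 8 digits.
MRN_RE = re.compile(r"\bMRN[:#\s]*(\d{6,8})\b", re.IGNORECASE)
# Recipients at these domains count as internal (constructed for the example).
INTERNAL_DOMAINS = {"hospital.example"}


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs, so that placeholders such as
    000-12-3456 or 987-65-4321 do not raise alerts."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def redact(value: str) -> str:
    """Keep only the last four characters so the alert itself never carries PHI."""
    return "*" * (len(value) - 4) + value[-4:]


def scan(text: str) -> list:
    """Content inspection: returns (type, redacted value) for each hit."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("SSN", redact(m.group(0))))
    for m in MRN_RE.finditer(text):
        findings.append(("MRN", redact(m.group(1))))
    return findings


def is_external(event: dict) -> bool:
    """Data leaves the organisation on removable media or to an outside mail domain."""
    if event["channel"] == "usb":
        return True
    if event["channel"] == "email":
        return event["recipient"].rsplit("@", 1)[-1] not in INTERNAL_DOMAINS
    return False


def decide(event: dict) -> dict:
    """Real-time decision: block sensitive data leaving the organisation, alert on
    internal movement so the privacy team can coach the user, otherwise allow."""
    findings = scan(event["content"])
    if not findings:
        return {"action": "allow", "findings": []}
    return {"action": "block" if is_external(event) else "alert", "findings": findings}


# Constructed sample events, one per channel the slide lists.
SAMPLE_EVENTS = [
    {"channel": "email", "recipient": "someone@mail.example",
     "content": "Patient SSN 123-45-6789, see attached."},
    {"channel": "file_share", "recipient": None,
     "content": "MRN: 00482913 discharge summary copied to shared drive"},
    {"channel": "email", "recipient": "billing@hospital.example",
     "content": "Please call 987-65-4321 about invoice 2291."},
    {"channel": "usb", "recipient": None, "content": "export for MRN 1234567"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["channel"], decide(ev))
```

The plausibility check on SSNs is what keeps the alert volume tolerable; without it every phone extension or order number shaped like nnn-nn-nnnn becomes an incident, and the privacy team stops reading the queue.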
Mobile Device Security
Policy #                                          | Policy 1 | Policy 2                  | Policy 3
Device Owner                                      | BYOD     | BYOD                      | Organization Owned or BYOD
Technologies                                      | No MDM   | MDM (LW) - Limited Policy | MDM (LW) - Full Control; MDM - Container
Level of Control                                  | Low      | Moderate                  | Full
Smart phone capabilities (e.g., camera) - All     | X        | X                         |
Smart phone capabilities (e.g., camera) - Limited |          |                           | X
Email/Calendar (Web browser access)               | X        | X                         |
Email/Calendar sync (Exchange/Corporate Server)   |          | Partial (no attachments)  | X
Apps - Unlimited                                  | X        | X                         |
Apps - Pre-approved (White list/Black list)       |          |                           | X
Medical Record (virtualized session)              |          | X                         |
Medical Record (app)                              |          |                           | X
Network Connection                                |          |                           | X
36
Cloud Computing Security
Due Diligence
‒ Perform vendor screening / risk assessment / audit to assess the cloud provider's security controls
‒ Assess the cloud provider's reputation in the marketplace
‒ Obtain references for clients in similar or highly regulated industries
‒ Understand cloud provider's alignment with regulatory requirements (e.g., HIPAA)
37
Cloud Computing Security
Contractual Process
‒ Ensure the contract addresses incident response
‒ Require that the cloud provider carries cyber insurance
‒ Include notification requirements with a maximum timeframe
‒ Ensure that the cloud provider will support investigations
‒ Specify the access logging requirements
‒ Include Service Level Agreements for security as well as availability and integrity requirements
‒ Ensure that the contract addresses how your organization will exit the business relationship
• Return of data
• Disposal of hospital data
38
Cloud Computing Security
Technical Controls
‒ Strong cloud encryption should be considered when PHI is stored in the cloud.
‒ Best practice for effective and secure cloud key management is split-key encryption (the hospital owns half of the management key and the provider owns the other half).
‒ Maintain access control through the use of single sign-on and federated identity.
‒ A cloud identity management solution that is capable of integrating with a centralized directory, supports strong authentication and is compatible with federation standards should be implemented.
‒ Centralized automated user account management that lets your organization manage accounts in a central directory, synchronizing to cloud applications where necessary.
‒ Filtering internet gateway: traffic classification to a particular cloud vendor should be managed and monitored on the firewall side.
39
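The split-key point above is easiest to see in code: the data encryption key is split into two shares, the hospital keeps one and the provider the other, and only the two combined reproduce the key, so a provider holding the ciphertext and its own share alone cannot read PHI. The block below is an added illustration using only Python's standard library, not Meditology's or any cloud provider's implementation; the SHA-256 counter keystream stands in for a real block cipher mode such as AES-CTR (an assumption made to stay dependency-free), and the HMAC tag is what makes decryption with a wrong or partial key fail cleanly.

```python
"""Split-key custody for a data encryption key (DEK). Added illustration:
the 2-of-2 XOR split is the real technique; the SHA-256-based keystream is a
stand-in for AES-CTR so the example runs with the standard library only."""
import hashlib
import hmac
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(dek: bytes):
    """2-of-2 split: a random share and its XOR complement. Each share alone is
    uniformly random and carries no information about the DEK."""
    hospital_share = secrets.token_bytes(len(dek))
    provider_share = xor_bytes(dek, hospital_share)
    return hospital_share, provider_share


def combine(share_a: bytes, share_b: bytes) -> bytes:
    return xor_bytes(share_a, share_b)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (assumed stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || HMAC tag over nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = xor_bytes(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("authentication failed: wrong or incomplete key")
    return xor_bytes(ct, _keystream(key, nonce, len(ct)))


def custody_demo(record: bytes) -> dict:
    """Encrypt a record, split the DEK between hospital and provider, then show
    that the recombined key works and that either share alone is rejected."""
    dek = secrets.token_bytes(32)
    hospital_share, provider_share = split_key(dek)
    blob = encrypt(dek, record)
    del dek                                          # neither party stores the whole key
    result = {"roundtrip": decrypt(combine(hospital_share, provider_share), blob) == record}
    for party, share in (("hospital", hospital_share), ("provider", provider_share)):
        try:
            decrypt(share, blob)
            result[party + "_alone"] = "decrypted"   # must never happen
        except ValueError:
            result[party + "_alone"] = "rejected"
    return result


if __name__ == "__main__":
    print(custody_demo(b"MRN 00482913: discharge summary (constructed sample)"))
```

The property worth checking in any vendor's split-key design is the one the demo asserts: the recombined key must never persist on the provider side after a decryption, otherwise the split protects data at rest but not data in use.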
Patient Portals
Strong privacy and security settings for protecting patient
information online should be developed to allow a patient
(or customer) the capability to:
‒ Be provided with an audit trail of who has viewed and
accessed their online record
‒ Have options to restrict access to data by members under
a single health plan policy
‒ See the last date and user login information
‒ Provide options for strong authentication
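The portal settings listed here, together with the Stage 2 portal items earlier in the deck (monitoring patient log-in activity, 2-step login verification), come down to keeping an audit log that the patient can read: every login attempt and every view of their record is recorded, the patient can see who looked and when they last logged in, and unusual login activity is flagged. The following is an added example of such a log, not Meditology's or any portal vendor's code; the event format, the failed-login threshold and the sample activity are constructed assumptions.

```python
"""Patient-facing audit trail for a portal: login attempts, record views,
patient-chosen restrictions for other plan members, last-login display and
login anomaly flags. Added illustration with constructed data and thresholds."""
from datetime import datetime, timedelta


class PortalAudit:
    """In-memory audit log (a real portal would write to append-only storage)."""

    def __init__(self, failed_login_threshold: int = 5, window_minutes: int = 15):
        self.events = []
        self.threshold = failed_login_threshold      # assumed burst threshold
        self.window = timedelta(minutes=window_minutes)
        self.restrictions = {}   # (patient_id, actor) -> sections that actor may view

    def record_login(self, patient_id, when, actor, success, second_factor, ip):
        self.events.append({"type": "login", "patient_id": patient_id, "when": when,
                            "actor": actor, "success": success,
                            "second_factor": second_factor, "ip": ip})

    def restrict(self, patient_id, actor, allowed_sections):
        """Patient-chosen limit on what another member of the same plan may see."""
        self.restrictions[(patient_id, actor)] = set(allowed_sections)

    def record_view(self, patient_id, when, actor, role, section) -> bool:
        """Enforce the restriction and log the attempt either way; returns permitted."""
        allowed = self.restrictions.get((patient_id, actor))
        permitted = allowed is None or section in allowed
        self.events.append({"type": "view", "patient_id": patient_id, "when": when,
                            "actor": actor, "role": role, "section": section,
                            "permitted": permitted})
        return permitted

    def _of(self, patient_id, kind):
        return [e for e in self.events if e["type"] == kind and e["patient_id"] == patient_id]

    def access_trail(self, patient_id) -> list:
        """What the patient sees: who looked at which section, and whether it was allowed."""
        return [(e["when"].isoformat(timespec="minutes"), e["actor"], e["role"], e["section"],
                 "viewed" if e["permitted"] else "denied")
                for e in sorted(self._of(patient_id, "view"), key=lambda e: e["when"])]

    def last_login(self, patient_id):
        ok = [e for e in self._of(patient_id, "login") if e["success"]]
        if not ok:
            return None
        e = max(ok, key=lambda e: e["when"])
        return {"when": e["when"].isoformat(timespec="minutes"), "actor": e["actor"],
                "ip": e["ip"], "second_factor": e["second_factor"]}

    def login_alerts(self, patient_id) -> list:
        """Flags a burst of failed logins inside the window, and any successful
        login that did not complete the second step."""
        logins = self._of(patient_id, "login")
        alerts = []
        fails = sorted(e["when"] for e in logins if not e["success"])
        for i in range(len(fails) - self.threshold + 1):
            if fails[i + self.threshold - 1] - fails[i] <= self.window:
                alerts.append(("failed_login_burst", fails[i].isoformat(timespec="minutes")))
                break
        for e in logins:
            if e["success"] and not e["second_factor"]:
                alerts.append(("login_without_second_factor", e["when"].isoformat(timespec="minutes")))
        return alerts


def build_sample_audit() -> PortalAudit:
    """Constructed activity for one patient record, P1; addresses are documentation ranges."""
    a = PortalAudit()
    t0 = datetime(2012, 11, 30, 8, 0)
    for k in range(5):   # five failures in four minutes from one address
        a.record_login("P1", t0 + timedelta(minutes=k), "P1", False, False, "203.0.113.9")
    a.record_login("P1", t0 + timedelta(hours=2), "P1", True, True, "198.51.100.4")
    a.record_view("P1", t0 + timedelta(hours=2, minutes=1), "P1", "patient", "lab_results")
    a.record_view("P1", t0 + timedelta(hours=3), "dr_lee", "clinician", "medications")
    a.restrict("P1", "P2", {"immunizations"})       # spouse on the same plan policy
    a.record_view("P1", t0 + timedelta(hours=4), "P2", "plan_member", "lab_results")
    a.record_view("P1", t0 + timedelta(hours=4, minutes=1), "P2", "plan_member", "immunizations")
    return a


if __name__ == "__main__":
    audit = build_sample_audit()
    print(audit.last_login("P1"))
    for row in audit.access_trail("P1"):
        print(row)
    print(audit.login_alerts("P1"))
```

Denied views stay in the trail on purpose: a patient who restricted a family member's access wants to know the restriction was exercised, not just that it exists.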
40
Questions
Cliff Baker
Managing Partner, Meditology Services
41