HIPAA Compliance? What You Need To … - NetWatcher
Basic information about HIPAA is located here. For this eBook we are most concerned with the Privacy Rule and the Security Rule.
The Privacy Rule protects all “individually identifiable health information” stored or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” (PHI). This includes common demographic information such as name, street address, telephone number, date of birth, social security number, etc. PHI also includes past, present or future information about the individual’s physical or mental health condition, payment status and provision of health care (more). The Security Rule sets the standards for ensuring that only those who should have access to PHI actually have access.
The Department of Health and Human Services (HHS) has done a great job of documenting how to comply with the Security Rule. You can find that documentation here.
Healthcare organizations are under intense scrutiny by the US Federal government to ensure patient data is protected
The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing these standards and may conduct complaint investigations and compliance reviews. The penalties can be steep at $100 to $50,000 or more per violation with a $1,500,000 calendar year cap.
State and regional governments may also impose separate fines in addition to the federal ones.
To date, more than 41 million individuals have had their protected health information compromised in reportable HIPAA privacy and security breaches, according to data from the HHS Office for Civil Rights.
It is your responsibility to protect your customer’s Personally Identifiable Information (PII) data!
DECEMBER 10, 2014 – Malware Infection Results in $150,000 HIPAA Fine
Anchorage Community Mental Health Services (ACMHS) was fined $150,000 for not preventing malware from infecting its computers. The malicious programming breached the protected electronic health information of 2,743 individuals in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). According to an OCR news release, ACMHS adopted HHS security rule policies in 2005 but never followed them. The introduction of the malware into the ACMHS system was "the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software," according to an HHS/OCR bulletin (.pdf). In addition to the $150,000 settlement amount, the resolution agreement (.pdf) between ACMHS and OCR includes a corrective action plan and requires ACMHS to report on the state of its compliance to OCR for a 2-year period.
When it goes wrong!
NOVEMBER 12, 2014 – Hackers swipe data of 60K in vendor HIPAA breach
A state insurance plan subcontractor is at the center of a serious security incident after hackers gained three months of unfettered access to its computer system, compromising thousands of members' health records. What's more, despite discovering the HIPAA breach in April, it took officials some four months to notify those affected. The Dallas-based Onsite Health Diagnostics – a medical testing and screening company, which contracts with the state of Tennessee's wellness plan – notified 60,582 people that their protected health information was accessed and stored by an "unknown source." The breach affected members of Tennessee's State Insurance Plan, Local Government Insurance Plan and Local Education Insurance Plan.
#1 Create a committee with players from IT, compliance, management and security
This team will be responsible for the ongoing cyber-security of the organization.
Most importantly, ensure this team is led by a senior executive in the organization.
This team may actually be the Audit committee for the organization. Here is a good read on the subject of Audit committees and cyber-security from Deloitte.
#2 Use a framework similar to the NIST Cyber-security Framework or ISO 27001/27002
“The Framework focuses on using business drivers to guide cyber-security activities and considering cyber-security risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cyber-security activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through use of the Profiles, the Framework will help the organization align its cyber-security activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cyber-security risk.” – NIST Framework
#3 Conduct a yearly security risk assessment to identify risks and develop a mitigation plan
“Risk assessments are used to identify, estimate, and prioritize risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems. The purpose of risk assessments is to inform decision makers and support risk responses by identifying: (i) relevant threats to organizations or threats directed through organizations against other organizations; (ii) vulnerabilities both internal and external to organizations; (iii) impact (i.e., harm) to organizations that may occur given the potential for threats exploiting vulnerabilities; and (iv) likelihood that harm will occur. The end result is a determination of risk (i.e., typically a function of the degree of harm and likelihood of harm occurring). Risk assessments can be conducted at all three tiers in the risk management hierarchy—including Tier 1 (organization level), Tier 2 (mission/business process level), and Tier 3 (information system level). At Tiers 1 and 2, organizations use risk assessments to evaluate, for example, systemic information security-related risks associated with organizational governance and management activities, mission/business processes, enterprise architecture, or the funding of information security programs. At Tier 3, organizations use risk assessments to more effectively support the implementation of the Risk Management Framework (i.e., security categorization; security control selection, implementation, and assessment; information system and common control authorization; and security control monitoring).” – NIST Special Publication 800-39
You can use NIST SP 800-30 as a great guidepost.
#4 Schedule a 3rd party security company to test your organization’s security
Actual attempts by experts to breach your organization’s network, including:
- Penetration testing
- Vulnerability assessments
- Web application assessments
- Social engineering testing
#5 Ensure the organization has cyber liability insurance
Keep in mind that not all “cyber” insurance policies are created equal, so you will need to get educated on all the items the policy will need to cover.
See this good article from Modern Healthcare.
See this information from a DHS sponsored Cyber Insurance Roundtable for Healthcare.
#6 Conduct mandatory security training
Keep everyone advised of new security threats and underscore the need for vigilance, including being watchful for suspicious emails, texts, hyperlinks, etc., as well as social engineering ploys.
Here is an example.
#7 Have, follow and audit all the necessary plans and policies that impact the organization’s data security
Examples include:
- Business continuity plan (more info)
- Disaster recovery plan (more info)
- Remote access policy (more info)
- Employee termination policy
- Password policy (more info)
- Encryption policy (more info)
- Data access policy
- Bring your own device (BYOD) policy
To speed policy development, you can start with open-source templates from SANS found here.
#8 Create an Acceptable Use Policy
In an ideal world, employees would use the computers and Internet access provided by their employer solely for business use. However, throughout the work day, organizations are often exposed by their users’ misuse of the system.
The dilemma faced by every organization is what to do about it and how to start. The creation and dissemination of an Acceptable Use Policy (AUP) can help an organization avoid unwanted consequences and enable it to deal with transgressions in a fair and systematic way that will survive legal challenges without reducing employee morale and productivity.
Ensure ALL employees sign the AUP before using your organization’s IT resources.
#9 Create an Incident Response Plan
Ensure someone is formally designated for managing your organization’s incident response. NIST has published a Computer Security Incident Response Guide that can help you develop appropriate policies and procedures.
Practice by running through “exercises” with your incident response team at least once a year, to ensure that your processes are working as expected.
#10 Use a real-time continuous monitoring solution
Today’s healthcare organizations require continuous monitoring.
NetWatcher’s Security-as-a-Service platform enables organizations to have a cost-effective 24 x 7 security service monitoring their networks for vulnerabilities and exploits.
NetWatcher enables a healthcare organization to immediately deploy these services and take advantage of a fully-staffed Security Operations Center (SOC). This means superior protection with no capital outlay, resource commitments or additional headcount.
Available for as low as $299/month with a 1 year contract.
Contact NetWatcher at [email protected] or NetWatcher.com