HIPAA Security: A Decade of Breaches
Marion K. Jenkins, PhD, FHIMSS
Chief Strategy Officer, 3t Systems
DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.
Conflict of Interest
Marion K. Jenkins, PhD, FHIMSS
Has no real or apparent conflicts of interest to report.
© HIMSS 2015
Learning Objectives
1. Discuss the HIPAA Security Rule and how it relates to IT best practices and security policies.
2. Identify the major root causes of the 900+ HIPAA breaches reported by HHS, and identify how the mandated remediation efforts are insufficient and ineffective, and how they fail to correct the underlying issues.
3. Explain how the principles of IT best practices and effective IT security policy development and compliance are both necessary and sufficient to satisfy HIPAA Security Rule compliance, and eliminate the true underlying causes of HIPAA breaches.
4. Classify the primary HIPAA breach root causes in terms of internal versus external, user-caused versus outsider-caused, etc.
Learning Objectives: Pre-Quiz
1. Since HHS has been tracking HIPAA breaches since 2009, in the last year the number of reported breaches has
   A. Stayed about the same
   B. Decreased significantly (e.g., by more than 25%)
   C. Increased significantly (e.g., by more than 25%)
2. The true cause of most HIPAA breaches can best be traced to:
   A. New technologies that have been developed since the original HIPAA Security Rule became effective in 2005, and weren't covered back then.
   B. Hackers and other nefarious external threats.
   C. Internal employee behaviors, such as snooping.
   D. Bad IT design, coupled with bad employee compliance behaviors, where employees doing "legitimate" work end up defeating or working around security procedures.
3. True/False: The best way to ensure HIPAA compliance is to make usernames and passwords longer/more complex, and make users change them more frequently.
The HIMSS Value STEPS of Health IT and this presentation:
• Satisfaction
  – Patient Satisfaction: Patient trust and satisfaction is definitely negatively impacted by the increased number of HIPAA breaches.
• Treatment
• Electronic Information/Data
  – Data Sharing and Reporting: Lack of HIPAA Security compliance can limit data sharing among different healthcare entities across boundaries of care.
• Prevention and Patient Education
• Savings
http://www.himss.org/ValueSuite
Video Clip: If US Airlines worked like the US Healthcare System
https://www.youtube.com/watch?v=5J67xJKpB6c
Outline
• HIPAA Overview – key definitions, brief history
• Examples of HIPAA breaches to date
• The biggest HIPAA threats
• Real life HIPAA breach example
• Cloud – is it HIPAA compliant?
• Questions/discussion
HIPAA (one “P”, two “A”s)
• HIPAA stands for:
  – Health
  – Insurance* (not Information)
  – Portability** (not Privacy)
  – and
  – Accountability
  – Act
HIPAA Breaches – Some macro numbers
• HHS-reported HIPAA breaches since 2009
  – 1,185 breaches of more than 500 records each (up from 600 and then 993 in earlier counts)
  – Total is over 133 million patient records affected (up from 22 and then 31 million in earlier counts)
  – Largest was 4.9 million records (SAIC – Service Provider); now 80 MILLION records (Anthem; payor/healthplan)
  – Smallest reported breach (and not on this list) is 441 records (Hospice of Northern Idaho)
  – Largest pending judgments are $3-4 BILLION in class action lawsuits (Sutter Health, California) and $3-4 BILLION against SAIC (Service Provider)
All data here and following graphs from:
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
HIPAA Breaches – Type of Breach
• Theft: 55%
• Unauthorized access: 19%
• Loss: 12%
• All other: 14%
Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
HIPAA Breaches – Source of Breach
• Laptop: 25%
• Paper: 23%
• Portable: 12%
• Computer: 11%
• Server: 10%
• All other: 19%
Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
HIPAA Breaches – Words (All Fields)
• Theft: 32%
• Laptop: 17%
• Computer: 12%
• Portable: 8%
• Loss: 8%
• EHR: 0.10%
• All other: 23%
Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
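The three charts above are aggregations of the HHS OCR breach portal export. The following is an added example (not code from the presentation or from 3t Systems) of how such a breakdown is computed: it parses portal-style CSV rows, splits multi-valued fields such as "Theft, Loss" so each category is counted once per report, and folds the long tail into an "All other" bucket. The column names are assumed to match the portal's CSV export, and every row is constructed sample data, not a real breach report. It also totals individuals affected per category, which shows the pattern the talk describes: a handful of hacking reports can dwarf many small theft reports in records exposed.

```python
"""Aggregate HHS OCR breach-portal style records by breach type and location.

Added example; the CSV column names are assumed to match the portal export,
and every row below is constructed sample data, not a real breach report.
"""
import csv
import io
from collections import Counter, defaultdict

SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Clinic A,CO,Healthcare Provider,1200,01/15/2014,Theft,Laptop
Example Practice B,CO,Healthcare Provider,800,02/03/2014,Theft,Laptop
Example Hospital C,CA,Healthcare Provider,5600,03/10/2014,"Theft, Loss","Laptop, Paper/Films"
Example Health Plan D,NY,Health Plan,20000,04/22/2014,Unauthorized Access/Disclosure,Network Server
Example Hospice E,ID,Healthcare Provider,441,05/05/2014,Loss,Other Portable Electronic Device
Example Surgery Center F,AZ,Healthcare Provider,3000,06/18/2014,Theft,Desktop Computer
Example Insurer G,IN,Health Plan,80000,07/30/2014,Hacking/IT Incident,Network Server
Example Clinic H,TX,Healthcare Provider,600,08/12/2014,Unauthorized Access/Disclosure,Paper/Films
Example Pharmacy I,IL,Healthcare Provider,900,09/01/2014,Theft,Paper/Films
Example Lab J,GA,Healthcare Provider,750,10/14/2014,Improper Disposal,Paper/Films
"""


def parse_breach_csv(text):
    """Read portal-style CSV text into dicts; 'Individuals Affected' becomes an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Individuals Affected"] = int(row["Individuals Affected"])
    return rows


def split_values(cell):
    """'Theft, Loss' -> ['Theft', 'Loss']; empty cells yield an empty list."""
    return [v.strip() for v in cell.split(",") if v.strip()]


def share_by_field(rows, field):
    """Percentage of breach reports that list each value of `field`.

    A report listing two types counts once under each, so the shares of one
    field can add up to more than 100%; the denominator is always the number
    of reports, not the number of mentions.
    """
    hits = Counter()
    for row in rows:
        for value in set(split_values(row[field])):  # set(): no double count per row
            hits[value] += 1
    n = len(rows)
    return {value: round(100.0 * count / n, 1) for value, count in hits.items()}


def individuals_by_field(rows, field):
    """Sum of individuals affected across reports listing each value of `field`."""
    totals = defaultdict(int)
    for row in rows:
        for value in set(split_values(row[field])):
            totals[value] += row["Individuals Affected"]
    return dict(totals)


def top_with_other(shares, top_n):
    """Keep the top_n categories (ties broken by name) and fold the rest into 'All other'."""
    ranked = sorted(shares.items(), key=lambda kv: (-kv[1], kv[0]))
    head = ranked[:top_n]
    other = round(sum(pct for _, pct in ranked[top_n:]), 1)
    return head + ([("All other", other)] if other else [])


if __name__ == "__main__":
    records = parse_breach_csv(SAMPLE_CSV)
    for field in ("Type of Breach", "Location of Breached Information"):
        print(field)
        for value, pct in top_with_other(share_by_field(records, field), 3):
            print(f"  {value}: {pct}%")
    print("Individuals affected by type:", individuals_by_field(records, "Type of Breach"))
```

On the constructed rows, theft leads the report count (5 of 10 reports) while the single hacking report accounts for 80,000 of the 113,291 individuals affected, which is the "unless you are Anthem" distinction the talk draws between how often a cause appears and how much data it exposes.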
Some Recent HIPAA Headlines
• Walgreens (1 record; ~$1.44 million judgment)
• Community Health Systems (2nd largest; hacking)
• LA Gay/Lesbian Clinic (hacking)
• Stanford Children’s Hospital (5X offender)
• Oregon Health Science Unit (4X offender)
• UCLA; Cedars-Sinai (celebrity snooping)
• Hospice of Northern Idaho (441 records; $50K)
• Arizona Surgery Center ($100K fine)
• LabMD in Georgia is DOA (CEO is writing a book)
• Anthem Healthcare (80 million records; hacking)
• Premera (11 million records; hacking)
Time to dispel a big myth
• “My HIPAA Security situation is taken care of because I use a certified EHR”
• Number of breaches that have been directly caused by or involved a certified EHR: ZERO!
HIPAA “Chapter and Verse*”
• HIPAA is contained in the Federal Register, CFR Parts 160, 162 & 164:
  – Section 164.308 – Administrative
  – Section 164.310 – Physical
  – Section 164.312 – Technical
  – Section 164.314 – Business Associate Arrangements
  – Section 164.316 – Policies and Procedures Documentation
*More than 500 pages!
HIPAA on a 3x5 Card: What does the HIPAA Security Rule* Say?
• Covered Entities must protect and secure all electronic protected health information (ePHI) against accidental or intentional causes of unauthorized access, theft, loss or destruction, from either internal or external sources.
* HIPAA Security governs electronic records. HIPAA Privacy governs paper records.
HIPAA Security – Graphical Representation
(Diagram: ePHI at the center; causes are Accidental or Intentional; threats are Internal or External; outcomes are Destruction, Loss, Theft and Improper Access.)
Definition of ePHI
• “ePHI” is patient health information which is computer based (i.e., created, received, stored, maintained, processed and/or transmitted in, on or through any form of electronic means).
• “Electronic media” includes computers, laptops, memory sticks, USB drives, smartphones, PDAs, servers, data storage systems, backup tapes, disk drives, network systems, email, websites, digital printers/copiers/scanners, etc.
Things HIPAA doesn’t say…
• Length/complexity/change cycle of passwords
• Timeout or logoff time interval
• Type of encryption (e.g., technically WEP for WiFi is actually HIPAA compliant)
• Version of OS such as Win 7, Svr 08 or higher (HIPAA doesn’t name vendor names/products)
• Actually doesn’t mention laptops (or tablets, SmartPhones, PDAs, etc.), just “workstations”
Is this the biggest HIPAA threat?
No, this is the biggest HC threat:
By far, the largest number of threats are caused by, or enabled by, internal users – office and clinical staff*
*Unless you are a very large organization like Anthem…
HIPAA – A Brief History
• HIPAA signed by President Clinton in 1996
  – Primary purpose was to make HC insurance portable
  – Governed paper records
  – Massive increase in administrative burden to HC
  – Massive efforts on compliance and training
• HIPAA Security became effective in April 2005
  – Most people were unaware or chose to ignore it
  – They assumed “IT had it taken care of”
  – Thought it was something they had already done
ARRA/HITECH Act 2009
• Part of “Meaningful Use” stimulus – up to $54K/$63K for physicians, millions of $$ for hospitals to adopt EHRs (Medicare/Medicaid)
• Max fines increased from $25,000 to $1.5 million
• Fines apply regardless of:
  – Whether docs/facilities are seeking MU funds
  – Whether docs/facilities qualify for MU funds (e.g., Ambulatory Surgery Centers, self-pay, etc.)
  – Whether the facility has or uses an EHR
P == Portability
• Old days:
  – “Cradle-to-grave” patient/doctor relationship
  – Records belonged to the practice/physician
  – Patients generally could not even see them
• New world order:
  – Fragmented HC delivery (specialists, clinics, etc.)
  – Practices are caretakers of a larger patient record
  – Patient “activism” – records “belong” to them
  – Portability made safekeeping rules necessary
Close to home… …in Colorado: HIPAA is Very Real
(Images of the notice letter are not reproduced here.)
• You don’t want to get one of these nasty grams…
• More bad news… only 15 days to respond; threatened penalties
• Even more bad news… Freedom of Information Act may make this public
• Prior to 2/2009: up to $100 per violation; $25,000/year cap
• After 2/2009: $100 to $50K per violation; $1.5 MILLION/year cap
Yikes!
HIPAA compliance is not optional
• HIPAA compliance is required for practices and hospitals to achieve Meaningful Use
• Annual risk assessments are required
• HHS is doing unannounced audits
• HIPAA compliance is required with/without EHR and with/without Meaningful Use
Is “Cloud” HIPAA compliant?
• Some are; many are not
• Most public cloud services are inherently unsafe and are not HIPAA compliant (but unfortunately they are used all the time):
  – Examples: Gmail; Hotmail; FaceBook; AOL; Twitter; Flickr; iCloud; basically anything that’s “free”
• Poorly designed/poorly run IT services are bad; moving them to the cloud doesn’t fix them
• If a cloud provider refuses to sign a BAA or provide SLAs, that’s a showstopper
Cloud HIPAA Headlines
• “Mobility and Cloud [Are] Keys to Fulfilling Promise of EMRs” (HealthcareIT News)
• “Cloud solutions allow healthcare organizations to deliver critical patient data…” (IDG White Paper)
• “Use the Cloud to Reduce HIPAA Risk” (HealthcareIT News)
• “Google, Microsoft agree: Cloud is now safe enough to use” (C|Net; Annual RSA Security Conference)
Key takeaway points
• HIPAA breaches are increasing dramatically
• No HIPAA breaches have occurred inside an EHR
• A certified EHR doesn’t guarantee compliance
• HIPAA compliance is not optional
• HIPAA breaches are not limited to big facilities
• Most breaches are user-caused/user-enabled
• Proper cloud services are one way to secure ePHI
Learning Objectives: Pre-Quiz (Answers)
1. Since HHS has been tracking HIPAA breaches since 2009, in the last year the number of reported breaches has
   A. Stayed about the same
   B. Decreased significantly (e.g., by more than 25%)
   C. Increased significantly (e.g., by more than 25%)
2. The true cause of most HIPAA breaches can best be traced to:
   A. New technologies that have been developed since the original HIPAA Security Rule became effective in 2005, and weren't covered back then.
   B. Hackers and other nefarious external threats.
   C. Internal employee behaviors, such as snooping.
   D. Bad IT design, coupled with bad employee compliance behaviors, where employees doing "legitimate" work end up defeating or working around security procedures.
3. True/False: The best way to ensure HIPAA compliance is to make usernames and passwords longer/more complex, and make users change them more frequently.
Review of HIMSS Value STEPS:
• Satisfaction
  – Patient Satisfaction: Patient trust and satisfaction is definitely negatively impacted by the increased number of HIPAA breaches.
• Treatment
• Electronic Information/Data
  – Data Sharing and Reporting: Lack of HIPAA Security compliance can limit data sharing among different healthcare entities across boundaries of care.
• Prevention and Patient Education
• Savings
http://www.himss.org/ValueSuite
Questions/More Information
Marion K. Jenkins, PhD, FHIMSS
Chief Strategy Officer, 3t Systems
303.918.8853