HIPAA Security Risk Assessments
DESCRIPTION
A presentation that briefly covers HIPAA and concentrates on the Risk Assessment portion, which is a requirement both for overall compliance and for Meaningful Use.
TRANSCRIPT
![Page 1: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/1.jpg)
HIPAA Security Risk Assessment
Dr. Jose I. Delgado
![Page 2: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/2.jpg)
Introduction
• HIPAA Background
  – Privacy
  – Security
• Risk Assessment
• Risk Management
  – Omnibus Rule
• Meaningful Use
![Page 3: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/3.jpg)
Must Know
• Every Covered Entity (CE) must identify a HIPAA Security Officer
• Every CE must be in compliance with the final HIPAA Omnibus Rule
• Every CE must have a Risk Assessment completed with all components covered
• A covered entity can be fined $100 to $50,000 per violation, up to $1,500,000 per calendar year for violations of the same provision, when patient records are breached
![Page 4: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/4.jpg)
HIPAA Audits
• Audits will be conducted by the Office for Civil Rights (OCR) rather than by a contractor
• The number of audits is to increase
• Monies collected are to be used to fund further audits
• Audits are to include Covered Entities and Business Associates
• 2014: first time a government entity was fined
![Page 5: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/5.jpg)
Meaningful Use
• Ties HIPAA Security to attestation
• Possible fraud charges based on attestation answers
• Part of Meaningful Use and Records Review audits
![Page 6: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/6.jpg)
HIPAA
![Page 7: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/7.jpg)
Title II – Administrative Simplification
![Page 8: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/8.jpg)
Security Categories
• Administrative safeguards
• Physical safeguards
• Technical safeguards
![Page 9: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/9.jpg)
Basic Concepts
• Scalability: flexibility for covered entities to adopt implementation measures appropriate to their situation.
• “Required” and “Addressable” implementation specifications. An addressable specification must be implemented if doing so is reasonable and appropriate; if not, the entity must document why and implement an equivalent alternative measure where that is reasonable and appropriate.
Under no conditions should any covered entity consider addressable specifications as optional requirements.
![Page 10: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/10.jpg)
Risk Analysis: 45 CFR §164.308(a)(1)(ii)(A)
"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity."
• Perform a Risk Assessment
• Formalize and document the Risk Assessment process
• Update the Risk Assessment process
• Address all potential areas of risk
![Page 11: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/11.jpg)
Risk Analysis
• Gap/risk assessment
  – Audit of security based on the HIPAA Security components
  – Document findings on all areas
  – Use the initial analysis as a baseline
  – Base security management on the findings
![Page 12: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/12.jpg)
Resources
• HHS Security Risk Assessment Tool
  – http://www.healthit.gov/providers-professionals/security-risk-assessment
• Taino Consultants Compliance Tool
  – Forms
  – Policies
  – Security Reminders
  – Monthly instructions
![Page 13: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/13.jpg)
Security Risk Assessment

| Review of Current Procedure | HIPAA Citation | Guidelines for Policy | Meets Requirement (Yes / No / Not Reqd.) | Person Responsible |
|---|---|---|---|---|
| Task 1: Identify Relevant Information System. Has all hardware and software for which the organization is responsible been identified? Is the current information system configuration documented, including connections to other systems? Have the types of information and the uses of that information been identified, and has the sensitivity of each type of information been evaluated? | §164.308(a)(1) | Identify all information systems that house individually identifiable health information. Include all hardware and software that are used to collect, store, process, or transmit protected health information. Analyze business functions and verify ownership and control of information system elements as necessary. | | |
![Page 14: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/14.jpg)
Security Risk Report
Sample Risk Analysis
![Page 15: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/15.jpg)
Risk Management: 45 CFR §164.308(a)(1)(ii)(B)
“[I]mplement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) [the General Requirements of the Security Rule].”
• Develop and implement a risk management plan.
• Implement security measures.
• Evaluate and maintain security measures.
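The risk analysis and risk management steps described on the preceding slides, carried through on a small risk register. This is an added example, not code from the presentation or from the HHS tool: it assumes the three-level likelihood/impact scale used in NIST SP 800-30 style analyses, the asset and threat rows are constructed sample data, and the "acceptable = low" threshold that decides what goes into the risk management plan is an assumption a covered entity would set for itself.

```python
from dataclasses import dataclass

# Three-level qualitative scale (assumed for this example).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    asset: str                # system that stores, processes or transmits ePHI
    threat: str               # threat/vulnerability pair found during the gap assessment
    likelihood: str           # inherent likelihood: low / medium / high
    impact: str               # impact on confidentiality, integrity or availability
    residual_likelihood: str  # assessor's judgment after the controls already in place
    residual_impact: str
    standard: str             # Security Rule standard the finding maps to


def score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on a 1..9 scale."""
    return LEVELS[likelihood] * LEVELS[impact]


def rating(value: int) -> str:
    """Map a 1..9 score back onto the three-level scale (thresholds assumed)."""
    if value >= 6:
        return "high"
    if value >= 3:
        return "medium"
    return "low"


def inherent(risk: Risk) -> int:
    return score(risk.likelihood, risk.impact)


def residual(risk: Risk) -> int:
    return score(risk.residual_likelihood, risk.residual_impact)


# Constructed sample register; these are not findings from any real assessment.
SAMPLE_REGISTER = [
    Risk("EHR database server", "unpatched OS exploited from the LAN",
         "high", "high", "medium", "high", "164.308(a)(5)(ii)(B)"),
    Risk("Clinician laptops", "lost or stolen device holding unencrypted ePHI",
         "medium", "high", "low", "low", "164.312(a)(2)(iv)"),
    Risk("Billing file share", "terminated employee keeps access",
         "medium", "medium", "medium", "medium", "164.308(a)(3)(ii)(C)"),
    Risk("Patient portal", "session hijack on the network path",
         "low", "medium", "low", "low", "164.312(e)(1)"),
]


def rank(register):
    """Risk analysis output: findings ordered by residual score, highest first."""
    return sorted(register, key=residual, reverse=True)


def risk_management_plan(register, acceptable="low"):
    """Risk management input: findings whose residual rating still exceeds the
    level the covered entity has decided it can accept (here: low)."""
    return [r for r in rank(register)
            if LEVELS[rating(residual(r))] > LEVELS[acceptable]]


def report(register) -> str:
    """One line per finding, suitable for the evidence book."""
    return "\n".join(
        f"{r.asset:22} inherent={rating(inherent(r)):6} "
        f"residual={rating(residual(r)):6} {r.standard}  {r.threat}"
        for r in rank(register))


if __name__ == "__main__":
    print(report(SAMPLE_REGISTER))
    print("\nCarry into the risk management plan:")
    for r in risk_management_plan(SAMPLE_REGISTER):
        print(f" - {r.asset}: {r.threat}")
```

The point of keeping inherent and residual scores side by side is that the register then documents both the finding and the reason a control was (or was not) judged sufficient, which is the evidence an auditor asks for when checking that risk management was "based on findings".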
![Page 16: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/16.jpg)
Policies
• Live documents
• Review as needed
• Document reviews and updates
• Having policies alone will not suffice
![Page 17: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/17.jpg)
Forms/Documentation
• Not required
• Useful to document actions
• Prevents adding too much information
“Anything you say can be used against you”
![Page 18: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/18.jpg)
Training
• Initial training
• Security reminders
• Annual training
![Page 19: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/19.jpg)
Monthly Actions
• Easier to keep track
• Easier to document
• Easier to manage
![Page 20: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/20.jpg)
Administrative Safeguards
• Security management process (CFR §164.308(a)(1)): prevent, detect, contain, and correct security violations
• Assigned security responsibility (CFR §164.308(a)(2))
• Workforce security (CFR §164.308(a)(3)): employees and their access to EPHI
• Information access management (CFR §164.308(a)(4)): ePHI access
• Security awareness and training (CFR §164.308(a)(5))
• Security incident procedures (CFR §164.308(a)(6))
• Contingency plan (CFR §164.308(a)(7))
• Evaluation (CFR §164.308(a)(8)): periodic evaluations
• Business associate contracts and other arrangements (CFR §164.308(b)(1))
![Page 21: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/21.jpg)
Administrative Safeguards (R = required, A = addressable)
• Security Management Process 164.308(a)(1): Risk Analysis (R), Risk Management (R), Sanction Policy (R), Information System Activity Review (R)
• Assigned Security Responsibility 164.308(a)(2): [None]
• Workforce Security 164.308(a)(3): Authorization and/or Supervision (A), Workforce Clearance Procedure (A), Termination Procedures (A)
• Information Access Management 164.308(a)(4): Isolating Health Care Clearinghouse Function (R), Access Authorization (A), Access Establishment and Modification (A)
• Security Awareness and Training 164.308(a)(5): Security Reminders (A), Protection from Malicious Software (A), Log-in Monitoring (A), Password Management (A)
![Page 22: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/22.jpg)
Administrative Safeguards (continued)
• Security Incident Procedures 164.308(a)(6): Response and Reporting (R)
• Contingency Plan 164.308(a)(7): Data Backup Plan (R), Disaster Recovery Plan (R), Emergency Mode Operation Plan (R), Testing and Revision Procedure (A), Applications and Data Criticality Analysis (A)
• Evaluation 164.308(a)(8): [None]
• Business Associate Contracts and Other Arrangements 164.308(b)(1): Written Contract or Other Arrangement (R)
![Page 23: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/23.jpg)
Sanction Policy: 45 CFR §164.308(a)(1)(ii)(C)
• Every covered entity must "have and apply appropriate sanctions against members of its workforce who fail to comply".
• Any system of penalties should be reasonable in relation to the violations to which it applies, particularly with regard to deterrence.
![Page 24: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/24.jpg)
System Activity Review: 45 CFR §164.308(a)(1)(ii)(D)
“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”
• What are the audit and activity review functions of the current information systems?
• Are the information system functions adequately used and monitored to promote continual awareness of information system activity?
• What logs or reports are generated by the information systems?
• Is there a policy that establishes what reviews will be conducted?
• Is there a procedure that describes the specifics of the reviews?
![Page 25: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/25.jpg)
Assigned Security Responsibility
The HIPAA Security Officer is responsible for:
• Understanding the HIPAA Security Rule and how it applies.
• Developing appropriate policies and procedures.
• Overseeing the security of EPHI.
• Monitoring each Covered Component for compliance.
• Identifying and evaluating threats.
• Responding to actual or suspected breaches.
![Page 26: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/26.jpg)
Authorization and/or Supervision: §164.308(a)(3)(ii)(A)
“Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.”
• Are there detailed job descriptions that state each role's level of access to EPHI?
• Is there a policy that identifies who has the authority to determine who can access EPHI?
![Page 27: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/27.jpg)
Security Reminders: CFR 164.308(a)(5)(ii)(A)
Security reminders are short pieces of information given to the employees of covered entities throughout the year.
Recommendations: a bulletin board in the break room or main office is a start. Post on it:
• An “org chart” showing who is in charge of HIPAA
• Emergency contact phone numbers
• A HIPAA breach checklist
• Rotating HIPAA security reminders
Use e-mail to send security reminders.
![Page 28: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/28.jpg)
Protection from Malicious Software: CFR 164.308(a)(5)(ii)(B)
“Procedures for guarding against, detecting, and reporting malicious software.”
• Policies covering antivirus protection
• Software used against malicious software
• Updates and logs
• Employee training
![Page 29: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/29.jpg)
Log-in Monitoring: CFR 164.308(a)(5)(ii)(C)
“Procedures for monitoring log-in attempts and reporting discrepancies.”
• Identify multiple unsuccessful attempts to log in.
• Record the attempts in a log or audit trail.
• Reset the password (or lock the account) after a specified number of unsuccessful log-in attempts.
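The log-in monitoring bullets above and the System Activity Review questions on the earlier slide describe the same review, so one added example serves both. It is not code from the presentation: it runs the checks over a constructed sample audit log from a hypothetical EHR application whose line format (ISO timestamp, event, user=, src=) is assumed, flags accounts that exceed an assumed failure threshold inside a time window, flags a successful log-in on an account that should have been locked or reset, and flags successful log-ins outside assumed business hours or from outside an assumed internal address range. The output is the list of discrepancies a reviewer would record.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log from a hypothetical EHR application (not real data).
# Assumed line format: ISO timestamp, event, user=..., src=...
SAMPLE_LOG = """\
2014-03-03T08:01:10 LOGIN_FAIL user=jdoe src=10.0.5.21
2014-03-03T08:01:25 LOGIN_FAIL user=jdoe src=10.0.5.21
2014-03-03T08:01:40 LOGIN_FAIL user=jdoe src=10.0.5.21
2014-03-03T08:01:52 LOGIN_FAIL user=jdoe src=10.0.5.21
2014-03-03T08:02:03 LOGIN_FAIL user=jdoe src=10.0.5.21
2014-03-03T08:02:30 LOGIN_OK user=jdoe src=10.0.5.21
2014-03-03T08:15:00 LOGIN_FAIL user=msmith src=10.0.5.40
2014-03-03T09:30:00 LOGIN_FAIL user=msmith src=10.0.5.40
2014-03-03T22:45:12 LOGIN_OK user=frontdesk src=203.0.113.7
"""

LINE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+) src=(\S+)$")


def parse(text):
    """Yield (timestamp, event, user, source) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def review(text, threshold=5, window=timedelta(minutes=10),
           business_hours=(7, 19), internal_prefix="10."):
    """Run the log-in monitoring and activity review checks over a log.

    Returns the discrepancies that belong in the review record:
      lockout               - `threshold` failures by one user inside `window`
      success_after_lockout - a log-in succeeded for an account that should have
                              been locked or had its password reset
      unusual_access        - successful log-in outside business hours or from
                              outside the assumed internal address range
    Thresholds, hours and the internal range are assumptions for the example.
    """
    failures = defaultdict(deque)  # user -> timestamps of failures inside the window
    locked = set()                 # accounts the policy says must be locked/reset
    findings = []
    for ts, event, user, src in parse(text):
        if event == "LOGIN_FAIL":
            recent = failures[user]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # slide the window forward
                recent.popleft()
            if len(recent) >= threshold and user not in locked:
                locked.add(user)
                findings.append({"kind": "lockout", "user": user, "time": ts, "src": src,
                                 "detail": f"{len(recent)} failed log-ins within {window}"})
            continue
        # LOGIN_OK
        if user in locked:
            findings.append({"kind": "success_after_lockout", "user": user, "time": ts,
                             "src": src, "detail": "verify the reset/unlock was authorized"})
        after_hours = not (business_hours[0] <= ts.hour < business_hours[1])
        external = not src.startswith(internal_prefix)
        if after_hours or external:
            findings.append({"kind": "unusual_access", "user": user, "time": ts, "src": src,
                             "detail": ("after hours " if after_hours else "") +
                                       ("external source" if external else "")})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['time']} {f['kind']:22} {f['user']:10} {f['src']:14} {f['detail']}")
```

Note that the two msmith failures are 75 minutes apart and so never accumulate inside the window; a review procedure that only counts failures per day would flag them, which is exactly the kind of threshold the written procedure should state so that reviewers apply it consistently.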
![Page 30: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/30.jpg)
Contingency Plans: 164.308(a)(7)
• Data Backup Plan
• Disaster Recovery Plan
• Emergency Mode Operation Plan
• Testing and Revision Procedure
• Applications and Data Criticality Analysis: procedures for assessing the criticality of applications and systems.
![Page 31: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/31.jpg)
Physical Safeguards
• Facility access controls: limit physical access to systems.
• Workstation use: specify the proper workstation functions.
• Workstation security: limit access to only authorized users.
• Device and media controls: receipt and removal of hardware and electronic media.
![Page 32: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/32.jpg)
Physical Safeguards (R = required, A = addressable)
• Facility Access Controls 164.310(a)(1): Contingency Operations (A), Facility Security Plan (A), Access Control and Validation Procedures (A), Maintenance Records (A)
• Workstation Use 164.310(b): [None]
• Workstation Security 164.310(c): [None]
• Device and Media Controls 164.310(d)(1): Disposal (R), Media Re-use (R), Accountability (A), Data Backup and Storage (A)
![Page 33: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/33.jpg)
Technical Safeguards
• Access control: Implementing policies and procedures for electronic information systems that contain EPHI to only allow access to persons or software programs that have appropriate access rights.
• Audit controls: Implementing hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use EPHI.
• Integrity: Implementing policies and procedures to protect EPHI from improper modification or destruction.
• Person or entity authentication: Implementing procedures to verify that persons or entities seeking access to EPHI are who or what they claim to be.
• Transmission security: Implementing security measures to prevent unauthorized access to EPHI that is being transmitted over an electronic communications network.
![Page 34: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/34.jpg)
Technical Safeguards (R = required, A = addressable)
• Access Control 164.312(a)(1): Unique User Identification (R), Emergency Access Procedure (R), Automatic Logoff (A), Encryption and Decryption (A)
• Audit Controls 164.312(b): [None]
• Integrity 164.312(c)(1): Mechanism to Authenticate Electronic Protected Health Information (A)
• Person or Entity Authentication 164.312(d): [None]
• Transmission Security 164.312(e)(1): Integrity Controls (A), Encryption (A)
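The Integrity standard's "mechanism to authenticate ePHI" is the one technical safeguard above that a short piece of code can make concrete. This is an added example, not code from the presentation: it seals each record with an HMAC-SHA256 over a canonical serialization and later re-verifies it, so that an improper modification (the tampered dose below) is detected, and it contrasts that with a plain SHA-256 checksum, which anyone who can edit the record can simply recompute. The key, record contents and storage layout are all constructed for the example; in practice the key is held where the application that writes records cannot read it.

```python
import hashlib
import hmac
import json

# Sample key for the example only. In a deployment it lives in a key store that the
# ePHI application cannot read, so whoever can edit a record cannot also re-seal it.
SAMPLE_KEY = b"constructed-sample-key-do-not-use"


def canonical(record: dict) -> bytes:
    """Deterministic serialization so an unchanged record always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum(record: dict) -> str:
    """Unkeyed SHA-256: detects accidental corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()


def seal(record: dict, key: bytes) -> str:
    """Keyed HMAC-SHA256 over the canonical record: the integrity tag to store alongside it."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(seal(record, key), tag)


def audit_store(rows, key) -> list:
    """Return ids of records whose stored tag no longer matches their content."""
    return [row["id"] for row in rows if not verify(row["record"], row["tag"], key)]


# Constructed sample records; not real patient data.
ORIGINAL = {"mrn": "000123", "visit": "2014-03-03", "allergy": "penicillin", "dose_mg": 250}
TAMPERED = dict(ORIGINAL, dose_mg=2500)


def demo() -> list:
    """Seal one record, then audit a store holding a good copy, an edited copy that
    kept the old tag, and an edited copy re-sealed with the wrong key."""
    tag = seal(ORIGINAL, SAMPLE_KEY)
    store = [
        {"id": 1, "record": ORIGINAL, "tag": tag},
        {"id": 2, "record": TAMPERED, "tag": tag},
        {"id": 3, "record": TAMPERED, "tag": seal(TAMPERED, b"wrong-key")},
    ]
    return audit_store(store, SAMPLE_KEY)


def checksum_defeated() -> bool:
    """Why an unkeyed hash is not an authentication mechanism: an attacker who can
    modify the record can overwrite the stored checksum with one that matches."""
    stored = checksum(ORIGINAL)
    attacker_stored = checksum(TAMPERED)   # attacker recomputes and overwrites
    return attacker_stored == checksum(TAMPERED) and stored != attacker_stored


if __name__ == "__main__":
    print("records failing the integrity check:", demo())
    print("plain checksum defeated by recomputation:", checksum_defeated())
```

The same seal-and-verify pair is what the Transmission Security "Integrity Controls" specification asks for on the wire, with the tag computed by the sender and checked by the receiver; TLS provides it for network traffic, while stored records need something like the above.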
![Page 35: HIPAA security risk assessments](https://reader038.vdocuments.mx/reader038/viewer/2022103016/554b4433b4c905b5378b4e6c/html5/thumbnails/35.jpg)
Key Items to Remember
• Policies and Procedures are not enough
• Documentation is key
  – Evidence book
• Follow the steps
  – Risk Assessment
  – Risk Management
  – Training
ACT NOW!!