Make Sure Your Data Doesn't Get Washed Away…. A Discussion of Remote Access Kerry Moskol Quarles & Brady LLP

Post on 19-Jan-2016

24 views

Category:

Documents


0 download

DESCRIPTION

Make Sure Your Data Doesn't Get Washed Away…. A Discussion of Remote Access. Kerry Moskol Quarles & Brady LLP. What you should take away:. CMS is starting to focus on compliance with the Security Rule - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Make Sure Your Data Doesn't Get Washed Away…. A Discussion of Remote Access

Make Sure Your Data Doesn't Get Washed Away….

A Discussion of Remote Access

Kerry Moskol, Quarles & Brady LLP

Page 2

What you should take away:

CMS is starting to focus on compliance with the Security Rule

If your Security Rule policies and procedures do not address remote access and portable devices, it is time to update your policies!

Page 3

Why the sudden focus on security and remote access?

• Reluctant compliance with the Security Rule

• Increased (and encouraged) use of EMRs

• Concerns over security breaches - many of which involve remote devices

Page 4

So… what do we need to look out for?

• Security Rule Audits/Onsite Compliance Reviews

• Security Breach Notification Laws

• National Identity Theft Laws (Red Flag Regulations)

• CMS Guidance Regarding Remote Access

Page 5

OIG's first "audit" of a provider's compliance with the Security Rule:

• March 5, 2007: Piedmont Hospital in Atlanta, Georgia

• Reviewed the hospital's administrative, physical and technical safeguards

Page 6

Interesting aspects of the audit:

• Patient complaint did not trigger the audit

• Audit was performed by OIG, not CMS – some suspect the purpose was to check whether CMS is doing its job regarding Security Rule oversight and enforcement

• Presented list of 42 items - 24 were security related

Page 7

CMS - Onsite Investigations and Compliance Reviews

• CMS Office of E-Health Standards and Services is conducting onsite investigations and compliance reviews related to potential Security Rule violations

• Contracted with PwC to assist with the reviews

Page 8

CMS - Onsite Investigations and Compliance Review (cont'd)

• Who is targeted?
  – Onsite investigations – may arise from a filed complaint
  – Onsite compliance reviews – may arise from self-report, media reports, etc.

• What are they looking for?
  – Assessment of security measures
  – Special attention to remote access

Page 9

CMS - Onsite Investigations and Compliance Review (cont'd)

• Guidance from CMS – Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews
  – Identifies documents that may be requested and personnel to be interviewed
  – Not a complete list – but use as guidance
  – http://www.cms.hhs.gov/Enforcement/Downloads/InformationRequestforComplianceReviews.pdf

Page 10

And so it goes… the first HIPAA Resolution Agreement

• Seattle-based provider lost unencrypted laptop computers, disks and tapes

• $100,000 settlement with government

• Three years of monitoring by HHS

• Corrective Action Plan – focused on physical and technical safeguards for off-site transportation and storage of EPHI and remote media

Page 11

The New Frontier: Security Breach Notification Laws

• Security Breach Notification laws require entities to notify individuals if there is an unauthorized acquisition or disclosure of their "personal information"

• "Personal Information"
  – Social security number, address, date of birth, financial account numbers, medical information, other identifiers
  – Exception for encrypted information

Page 12

Security Breach Notification Laws (cont'd)

• Applies to all types of entities

• Not limited to the health care context

• Does not have to relate to medical information – focus is the identifiers

Page 13

Security Breach Notification Laws (cont'd)

• Some states, like Wisconsin, exclude "covered entities" from notification requirements

• So why do we care????

Page 14

Security Breach Notification Laws (cont'd)

• Can still apply to hospital employee information

• Hospital policies may require notification as part of HIPAA mitigation requirements

• Out of state patients – not all state laws exclude covered entities (state of residency matters here)

• Proposed federal legislation may revise Security Rule requirements to require patient notification of security breach (might take a while)

Page 15

And on a related note… Identity Theft Red Flag Regulations

• Regulations likely apply to hospitals – not much guidance out there yet
  – Effective November 1, 2008

• Entities must create policies and procedures to:
  – Identify activities (red flags) that signal possible ID theft and incorporate red flags into the ID theft program
  – Detect red flags
  – Respond appropriately to prevent/mitigate ID theft
  – Ensure the program is updated

Page 16

Which leads us to….

The importance of security for remote access and portable devices!

Page 17

CMS Guidance For Remote Access and Portable Devices:

• CMS issued guidance on security requirements for remote access in December 2006

• A proposed rule regarding remote access standards was anticipated to come out in July 2007; however, it is currently on hold (maybe permanently)

Page 18

Purpose of guidance:

• Reduce security incidents related to remote access and use of portable devices/media

• Reinforce the ways covered entities protect EPHI when accessed or used offsite or remotely

Page 19

Guidance applies to:

• Laptops and home-based personal computers
• PDAs and smart phones
• Hotel, library or other public workstations and Wireless Access Points (WAPs)
• USB flash drives and memory cards
• Floppy disks, CDs, and DVDs
• Backup media
• Email
• Remote access devices (including security hardware)

Page 20

Remote access to EPHI is appropriate only after the entity's risk analysis concludes:

• There is a business need for remote access; and

• The entity's workforce training, policies, and procedures are effective and compliant with the Security Rule

(Remember to document this determination!)

Page 21

Examples of appropriate use of remote access:

• Home health nurse accesses patient data via a laptop during home visit

• Physician refills patient's Rx via e-prescribing application on PDA

• Health plan employee transports enrollee data on a media storage device to an offsite facility

Page 22

Emphasis should be placed on:

• Risk analysis and risk management strategies – make sure your risk analysis includes remote media!

• Policies and procedures for safeguarding remote access to EPHI

• Security awareness and training

Page 23

Factors to consider when deciding which security measures to implement:

• Entity's size, complexity, and capabilities

• Entity's technical infrastructure, hardware, and software security

• Cost of security measures

• Potential risks to EPHI

Page 24

Risks associated with remote access fall into three areas:

• Access

• Storage

• Transmission

Page 25

Access:

• Remote access is granted only to authorized users based on their role within the organization and need for access to EPHI

• Safeguards required for office workstations must also apply to offsite workstations

Page 26

Storage:

• Security policies and procedures must address media and devices that store EPHI and may be removed from the facility

• Examples: laptops, hard drives, backup media, USB flash drives, and other storage media

Page 27

Transmission:

• Entity must ensure the integrity and security of EPHI sent over networks

• Entity must address remote access to applications hosted by the entity, such as e-prescribing systems, web mail, etc.

Page 28

CMS guidance identifies a series of risks and possible risk management strategies:

• Guidance sets forth the minimum compliance expectations

• Entities urged to comply with the identified strategies

Page 29

Access – Risks and Possible Management Strategies:

• Risk: Stolen password results in potential unauthorized disclosure

• Strategy:
  – Implement a two-factor authentication process to grant remote access to systems containing EPHI
    • First step is username/password
    • Second step requires the person to answer a security question
  – Implement a technical process for authentication and creating unique user names (e.g., use Remote Authentication Dial-In User Service or a similar tool)

Page 30

Access – Risks and Possible Management Strategies:

• Risk: Employee accesses EPHI remotely when not authorized to do so while working offsite

• Strategy:
  – Establish role-based access for remote users (different remote users may require different levels of access)
  – Develop clearance procedures and verify training before granting remote access
  – Ensure sanction policies address unauthorized remote access

Page 31

Access – Risks and Possible Management Strategies:

• Risk: Offsite workstation left unattended

• Strategy: Establish procedures for session termination (time-out) on inactive portable or remote devices

Page 32

Storage – Risks and Possible Management Strategies:

• Risk: Laptop or other portable device is stolen

• Strategy:
  – Identify hardware/media that must be tracked and develop inventory control systems
  – Maintain records of media/device movement
  – Require a lock-down mechanism for unattended laptops
  – Back up all EPHI entered into the remote system
  – Password protect files and devices that store EPHI
  – Use encryption technology
  – Ensure technology updates are deployed to portable devices
  – Use biometrics to access portable devices
  – Use tracking devices in portable devices

Page 33

Storage – Risks and Possible Management Strategies:

• Risk: Data left on a public computer at a hotel business center

• Strategy:
  – Prohibit downloading of EPHI on remote systems or devices without justification
  – Minimize use of browser-cached data in web-based applications
  – Train workforce on policies that require users to delete files saved to an external device

Page 34

Storage – Risks and Possible Management Strategies:

• Risk: Theft of EPHI left on devices after inappropriate disposal

• Strategy:
  – Establish EPHI deletion policies and media disposal procedures for remote media
  – At a minimum, this should include complete deletion (via specialized tools) of all disks and backup media prior to disposal

Page 35

Transmission – Risks and Possible Management Strategies:

• Risk: Data intercepted and modified during transmission

• Strategy:
  – Prohibit transmission of EPHI via open networks (i.e., the internet)
  – Prohibit use of offsite devices or wireless access points for non-secure access to email
  – Use secure connections for email via SSL and message-level standards such as S/MIME, SET, PEM, PGP, etc.
  – Use encryption for transmission of EPHI – SSL should be the minimum requirement

Page 36

Transmission – Risks and Possible Management Strategies:

• Risk: Emailing or faxing EPHI to the wrong recipient

• Strategy:
  – Confirm the fax number before sending
  – Confirm that the right document is attached and make sure you have the right email address!
  – Verify receipt when possible
  – Comply with your organization's policies/procedures
  – Encrypt or password protect documents!

Page 37

Transmission – Risks and Possible Management Strategies:

• Risk: System contamination by a virus introduced by an external device used to transmit EPHI

• Strategy: Install anti-virus software on portable devices that can be used to transmit EPHI

Page 38

How do you make your policies on remote access effective?

• Training

• Defined security incident procedures

• Appropriate sanction policies

Page 39

Training:

• Covered entities' workforce awareness and training program must specifically address risks and security provisions associated with remote access to EPHI

• Must be able to demonstrate remote access is part of training curriculum

Page 40

Training on remote access policies and procedures should address:

• Instructions for accessing, storing, and transmitting EPHI remotely and/or using portable devices

• Password management procedures for remote/portable devices

• Prohibitions on leaving devices/media in unattended cars or public areas (big problem!)

• Prohibitions on transmitting EPHI over open networks or downloading EPHI to public/remote computers

• Appropriate remote workstation use

Page 41

Security Incident Procedures:

• Security incident procedures must specify the actions workforce members must take to manage harmful effects of loss or theft of EPHI via portable media

Page 42

Security incident procedures should include:

• Provision for the preservation of evidence

• Managing harmful effects of improper disclosure

• Notice to affected parties

• Provision for ongoing risk management activities related to remote access

Page 43

Sanction Policies:

• Sanction policies must address the consequences of failing to comply with the entity's policies and procedures related to remote access

• CMS recommends that covered entities require workforce members to sign a statement of adherence to such policies and procedures

Page 44

Why is compliance important?

• Government is cracking down on Security Rule compliance

• Increased security incidents with remote access and portable devices

• Good practice

Page 45

What to do:

• Review your Security Rule policies and procedures to make sure they address remote access and portable devices

• Make sure your workforce is trained on remote access procedures

• If your policies, procedures, and training materials do not address remote access, it is time to UPDATE!

Page 46

Useful Resources:

• CMS Remote Security Guidance: http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf

• NIST Guidance (for a variety of remote access topics): http://csrc.nist.gov/publications/

• CMS Security Rule Educational Materials: http://www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp