TRANSCRIPT
4/15/2016
1
Preparing for HIPAA Risk Analysis
Presented by
Steve Spearman
• VP of HIPAA Compliance Services, Healthicity
• 20 years in Health Information Technology
• HIPAA Expert and Speaker
Disclaimer: Nothing in this presentation should be construed as legal advice nor relied upon as legal expertise.
What is HIPAA?
HIPAA is…
• Law that governs a person’s ability to qualify immediately for
health coverage when they change employment (dependent on
employer’s program)
• Rules for Data Interchange
• Regulations protecting the security and privacy of Protected
Health Information (PHI)
To whom does it apply?
Covered Entities*
• Health Care Providers
• Health Care Clearinghouse
• Health Plan
Business Associates**
*Covered Transactions: Tx’s related to Claims, Verification, Referrals, Status, Enrollment, Payment, Premiums, coordination of benefits
**Contractor or vendor, not involved in patient care, that requires access to PHI in order to fulfill the duties of the contract
Covered Entity Decision Tree
What are the covered transactions?
Electronic Transactions Related To
• Claims
• Verification of Coverage
• Referrals
• Status of Claims
• Enrollment Information
• Payment including EOB and Remittance Advice
• Premium Payment
• Coordination of Benefits
Any one makes a provider a covered entity!
Obligations of Business Associates
1. Comply with the HIPAA Security Rule
2. Report any breach of unsecured PHI to the Covered Entity
3. Enter into BAAs with subcontractors imposing the same obligations that apply to the Business Associate
4. Comply with the HIPAA Privacy Rule to the extent the Business Associate is carrying out a Covered Entity’s Privacy Rule obligations (e.g. accounting of disclosures, requests for amendment, etc.)
Privacy vs Security
Privacy Rules
• Establishes the rights of patients to control
the use of personal information in all its
forms – verbal, written, electronic
Security Rules
• Administrative, Physical and Technical
safeguards for PHI in digital form (ePHI)
The Three Essential Elements of a HIPAA Compliance Program
Security Risk Analysis
Policies and Procedures
Training
CIA: Confidentiality, Integrity, Availability
Confidentiality:
The property that data or information is not made available or disclosed to an unauthorized
person
Integrity:
The property that data or information has not been altered or destroyed in an unauthorized
manner
Availability:
The property that data or information is accessible and useable upon demand by an
authorized person
Structure of the Security Rule
Standard | Section | Implementation Specifications ((R) = Required)
Security Management Process | 164.308(a)(1) | Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
Standards – the broad security
requirements
• The standards are “required”
Implementation Specifications
• The more detailed instructions contained within each Standard
• Some are required (R)
• Some are addressable (A) – flexibility and latitude in meeting
- Based on what’s “reasonable and appropriate”
Security Standards Matrix (Appendix A of the Security Rule)
Reasonable and Appropriate?
March of Dimes High Heel-a-Thon New York City…OUCH!!!
What is Reasonable & Appropriate?
• The size and complexity and capabilities of the covered entity
• The covered entity's technical infrastructure, hardware, and software security capabilities
• Sensitivity of the data
• The costs of security measures
• The probability and criticality of potential risks to ePHI
Defining Reasonable & Appropriate
• Implement the specification
• Implement one or more alternative security measures
• Do not implement either an addressable
implementation specification or an alternative
• Document your decision!
Options for Addressable
Specifications
Policy Map or Security Management Plan
The Types of Safeguards
Administrative
Organizational Rules and Procedures
• 9 Standards
• 23 Implementation Specifications
Physical
Physical Protections and Rules
• 4 Standards
• 10 Implementation Specifications
Technical
Technology Protections and Rules
• 5 Standards
• 9 Implementation Specifications
“Actions, policies and procedures to manage the selection, development,
implementation, and maintenance of security measures…
and manage the conduct of the covered entity’s workforce.”
Administrative Safeguards are defined
as...
Administrative Safeguards
Security Management Process
• Risk Analysis (R)
• Risk Management (R)
• Sanction Policy (R)
• Information System Activity Review (R)
Assigned Security Responsibility
• (no spec) (R)
Two BIG Compliance Gray Areas
1. Addressable safeguards – based on the “Reasonable and Appropriate” standard
2. Risk Analysis findings and results
• Encryption
• Class of device – laptop, workstation, etc.
• Laptops – portable, battery
• Mobility and physical security
• Data storage
• Performance
• Alternatives
Example: Addressable Safeguard
• Windows XP EOL
• Support discontinued April 8, 2014
• Devices increasingly vulnerable
• Regulatory compliance impact?
Example: Non-regulatory high risk from risk analysis
Risk analysis “form[s] the foundation upon which an entity’s necessary security activities are built.” (68 Fed. Reg. 8346)
Risk Analysis is the first and possibly
the single most important component of
your HIPAA Security Compliance
Program
Step One: Risk Analysis
“Conduct an accurate and thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity and availability of electronic protected
health information”
Risk Analysis Report
Why Security Risk Analysis?
• Improves awareness
• Justification for “Reasonable and Appropriate” for Addressable Implementation Specifications
• Identify assets, vulnerabilities and controls
• Improved basis for decision making
• Justify expenditures for security
• Helps determine personnel access levels
Otherwise you are only guessing…and
hoping!
How to Conduct a Security Risk Analysis?
• NIST
• SP 800-30 – Guidance on Risk Assessment
• SP 800-66 – Resource Guide for Implementing HIPAA
• Audit Protocol – June 2012
• ONC Guide to Privacy and Security of HIT
• Myths and Facts (p.11)
ONC Guide to Privacy and Security: Security Risk Analysis Myths and Facts
Myth | Fact
Optional for small providers | No. All eligible providers (EPs)
Installing a certified EHR is enough | No. The risk analysis must look at all systems with ePHI
My EHR vendor is handling this | No. EPs are solely responsible for the risk analysis
A checklist will suffice | No. While useful, checklists are inadequate
Only needs to look at the EHR | No. All IT assets processing, storing, or accessing ePHI
I must outsource the risk analysis | No. You can conduct this yourself
Consider the Four States of Data
• Data in Motion
• Data at Rest
• Data in Use
• Data Disposed
RA Mini Project Plan
Scoping
Identify team
Inventory and Asset List
Information Flows
Network diagram and system boundary -risk categorization
Interfaces inventory
Gather Data
Interview Key Personnel
Document Review
Policy review and mapping
Security incidents review
Training materials review
Assess Risks/Document Threats/Current Controls
Vulnerability scan and penetration testing
Wireless security assessment
Firewall/Gateway settings
Physical security assessment
Contingency plan and backup analysis
Leadership analysis
Authentication and access controls
Encryption determination
Transmission security
Mobile device security
Risk Rating/Likelihood/Impact
Risk identification and ranking
Report-mitigation & controls
Potential Team Members
Security Officer
Privacy Officer
Compliance Officer
Project Management
Application Specialists
Network Engineer/Security Engineer
Facility Managers
Data Center Manager
Legal
3rd Party Contractor (e.g. IT provider)
Human Resources
Biomed/Clinical Engineering
HIM Director/Manager
*Please note that one person may and usually does fill multiple roles.
Inventory of IT Assets / System Characterization
Compile a list of all IT assets within the scope of the assessment
• Process, store, or transmit ePHI
• Inventory software
• Medical devices?
Categorize according to risk
• Amount of PHI
• Type of ePHI
• Stored locally
• Physical security of device
• Location
• Mobile / fixed
• Encryption analysis
System characterization
• Description of network
• Virtual vs physical
• On-premise vs hosted or cloud
• Interfaces
Gather Data
Interview key personnel
• Appropriate for job function, e.g. HR for workforce clearance
• Top down
• Users, to gauge understanding
Create a policy map
• What policies meet what regulations
• Include documentation artifacts
Review training program
• Format, method and content of training
• Is participation logged?
• Is mastery demonstrated?
Incidents
• Review reports
• Indication of failing controls?
• Root cause analysis
Security Management – Life Cycle
Assess Risks
Technical assessments are key
• Vulnerability scanning
• Penetration testing
• Network perimeter
• Endpoint security
• Wireless security
• Authentication and access controls
• Encryption assessment
• Mobile devices
• Transmission, including email/text
• Contingency/backup
Leadership
• Executive support for security
• Compliance officials’ resources and authority
• Communication
Physical security
• Walkthrough checklist
• Assets – servers/workstations
Determine the Level of Risk
Rank overall risk based on the threat/vulnerability pairings
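As an added worked example (not part of the presentation, and not a Healthicity or NIST tool): the script below turns inventory attributes from the asset list (amount of ePHI stored locally, mobile or fixed, encrypted, vendor-supported OS) into threat/vulnerability pairings, scores each pairing as likelihood × impact on a three-point ordinal scale, and ranks the results the way an SRA report’s ranked key findings would. The inventory rows, the three-point scale, the cut-offs for the ranking bands and the small rule set that generates pairings are all constructed for illustration; NIST SP 800-30 describes richer scales and a real assessment would enumerate threats far beyond these three.

```python
"""Likelihood x impact risk rating over threat/vulnerability pairings.

Added example for the risk-ranking step of a HIPAA security risk analysis.
Scale, band cut-offs, pairing rules and the inventory rows are constructed.
"""
from dataclasses import dataclass

# Constructed three-point ordinal scale: low=1, medium=2, high=3.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    phi_records: int      # ePHI records stored locally; 0 if the asset only accesses or transits ePHI
    mobile: bool          # laptop/phone (portable) vs fixed workstation or server
    encrypted: bool       # full-disk encryption in place: an existing control
    supported_os: bool    # vendor still issues security patches (Windows XP after April 2014 is False)


@dataclass(frozen=True)
class Pairing:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return LEVEL[self.likelihood] * LEVEL[self.impact]

    @property
    def rank(self) -> str:
        # Constructed bands over the 1..9 product: 6-9 high, 3-5 medium, 1-2 low.
        return "high" if self.score >= 6 else "medium" if self.score >= 3 else "low"


def impact_of(asset: Asset) -> str:
    """Impact follows how much ePHI is exposed if the asset is compromised.
    500 affected individuals is the Breach Notification Rule threshold for
    media notice and immediate HHS notice; the other cut-off is constructed."""
    if asset.phi_records == 0:
        return "low"
    return "medium" if asset.phi_records < 500 else "high"


def pairings_for(asset: Asset) -> list:
    """Derive threat/vulnerability pairings from inventory attributes.

    Encryption is an existing control that keeps lost data out of the
    'unsecured PHI' category, so it lowers impact; a patched OS lowers the
    likelihood that malware exploits the device."""
    impact = impact_of(asset)
    out = []
    if asset.mobile:
        out.append(Pairing(asset.name, "Loss or theft of device",
                           "Portable device with ePHI stored locally",
                           "high", "low" if asset.encrypted else impact))
    if asset.supported_os:
        out.append(Pairing(asset.name, "Malware exploiting an unpatched flaw",
                           "Window between patch release and deployment", "low", impact))
    else:
        out.append(Pairing(asset.name, "Malware exploiting an unpatched flaw",
                           "Operating system past end of support (no patches)", "high", impact))
    if asset.phi_records > 0 and not asset.mobile and not asset.encrypted:
        out.append(Pairing(asset.name, "Unauthorized physical access",
                           "Fixed device with unencrypted local ePHI", "low", impact))
    return out


def rate(assets) -> list:
    """Score every pairing and return them highest risk first (ties by asset name)."""
    found = [p for a in assets for p in pairings_for(a)]
    return sorted(found, key=lambda p: (-p.score, p.asset))


# Constructed inventory excerpt; not real data.
INVENTORY = [
    Asset("Clinic laptop (Windows XP)", phi_records=1200, mobile=True, encrypted=False, supported_os=False),
    Asset("Nurse laptop", phi_records=300, mobile=True, encrypted=True, supported_os=True),
    Asset("EHR database server", phi_records=50000, mobile=False, encrypted=False, supported_os=True),
    Asset("Front-desk workstation", phi_records=0, mobile=False, encrypted=False, supported_os=True),
]

if __name__ == "__main__":
    for p in rate(INVENTORY):
        print(f"{p.rank:<6} {p.score}  {p.asset}: {p.threat} / {p.vulnerability}")
```

Run as-is, the two highest-ranked findings are both on the unencrypted, unsupported laptop, which is the combination the two earlier slides (the encryption addressable safeguard and the Windows XP end-of-life finding) describe; the encrypted nurse laptop drops to medium on loss and low on malware because its existing controls are credited in the score. The scoring table and the rules are the part a real SRA has to document and defend, so keep them in the report’s methodology section.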
Risk Assessment Report and Management Plan
Elements of a good SRA report
• Methodology
• Scope of project
• Team members
• System characterization
• Ranked key findings – threats/vulnerabilities
• Ranked recommended “fixes” or controls
• Include compliance risks and technical risks
Security Management Plan
• This is a “living” document
• Include the findings and fixes
• Punch-list of needed activities
• Focus on high-priority issues
• Not everything needs to be done, but document dates and intentions
• Bring risks down to a reasonable level
• Update as new issues arise from incidents, routine vulnerability scans, etc.
Common Errors & Deficiencies
• Checklists only
• No inventory
• Compliance focused only
• No listing or ranking of risks
• No recommended controls or mitigation actions
• Not dated within the reporting period for Meaningful Use (MU)
• No technical analysis
Key Auditor Considerations
• Reference ONC and HHS guidance and
• Adequately covers risk associated with the use of certified EHR technology
• Conducted by either the audited entity or a consultant (not EHR vendor affirmations)
• Is it just compliance/checklist or an actual assessment of risks?
• Needs to be dated, but can reference a previous risk assessment that shows continued improvement
Self-Assessment Tools
Available tools:
Not recommended
• HHS Toolkit
• NIST Toolkit
Use with caution
• National Learning Consortium
• HIMSS
Problems
• Not intended for enterprises
• Hard to use
• Aren’t very good at identifying risks
• Require expert knowledge to use well
• Compliance rather than risk focused
• NIST not required for non-federal entities
• VERY weak technically
When Should You Outsource the Risk Analysis?
The Rules Certainly Allow You to Do It!
Questions to Consider
• Do we have the expertise to do this?
• Do we have the resources to do this?
• If we do this, what will be my confidence level in it if we are audited?
• Do we have the expertise and skill for the technical assessment?
• Your IT vendor MAY have some technical expertise, but do they know HIPAA?
• Understanding the trade-offs and alternatives is tricky
Expert advice: many Covered Entities should outsource this, at least initially.
Risk Assessment “Review”
Iterative (changes since last risk assessment)
• Document changes
• Update inventory
• Review incidents and do root cause analysis
• Work-flow analysis
• New vulnerability scans, including external
• Review of prior technical assessment (wireless security, authentication and access controls, audit controls and processes, etc.)
• Progress implementing controls
• Update risk matrix
• Recommend and advise on additional security controls
• Update the security management plan
A review is appropriate only if there have been no significant changes in the system or operating environment. A full risk analysis should be conducted every 2 to 3 years.
Risk Management Process
“Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level”
Consider:
• Findings from risk analysis
• What security measures are already in place to protect ePHI (i.e., safeguards)?
• Is executive leadership and/or management involved in risk management and mitigation decisions?
• Are security processes being communicated throughout the organization?
• Does the covered entity need to engage other resources to assist in risk management?
Security Management Plan
Questions?
www.healthcity.com/compliance