2. WHY IT’S SO IMPORTANT
Federal Requirement
Alabama is one of only 4 states without additional State-mandated
breach notification legislation
• Changing Patient Environment
• Changing Technology Environment
• Practice Exposure due to a Breach
Reputational
Financial
Operational
3. FEDERAL REQUIREMENT
The Office for Civil Rights (OCR) is responsible for issuing annual
guidance on the provisions in the HIPAA Security Rule and for
assuring compliance with the Rule.
(45 C.F.R. 164.302 – 318.)
The Security Management Process standard in the Security Rule
requires organizations to:
“[i]mplement policies and procedures to prevent, detect,
contain, and correct security violations.” (45 C.F.R. 164.308(a)(1).)
4. FEDERAL REQUIREMENT
All e-PHI created, received, maintained or transmitted by an
organization is subject to the Security Rule.
The Rule contains several implementation specifications that are
labeled “addressable” rather than “required.” (68 FR 8334, 8336 (Feb. 20, 2003).)
• An addressable implementation specification is not optional; rather,
if an organization determines that the implementation specification is
not reasonable & appropriate, the organization must document why
it is not reasonable & appropriate and adopt an equivalent measure
if it is reasonable & appropriate to do so.
(See 68 FR 8334, 8336 (Feb. 20, 2003); 45 C.F.R. 164.306(d)(3).)
• Meaningful Use Core Set requirement
5. CHANGING PATIENT ENVIRONMENT
The engagement of patients and their families in their own health care
is a prominent goal of the CMS Incentive Program (Meaningful Use)
Greater acceptance by patients of electronically sharing medical
information among multiple providers & care settings to improve
care coordination & adherence to care plans
Increased awareness by patients of their right to timely access to
their health information
7. PACE OF CHANGE ACCELERATING
1. The Internet eclipsed all technologies in pace of adoption
Consider:
Radio – in existence 38 yrs before 50M people tuned in
TV - took 13 yrs to reach 50M viewers
PCs – needed 16 yrs to hit 50M users
Internet – in 4 yrs - 50M users logged on
(current estimate is 2B users worldwide, as high as 78.6%
of population of N. America)
2. 2nd wave of innovation was in 2007 – introduction of the iPhone
42M smartphones were sold in the 4th Qtr of 2012
1M iPhone apps on the market (18,000 health & wellness apps)
8. PRACTICE EXPOSURES
Since 2009, as published by CMS:
477 breaches reported affecting > 500 people’s records
55,000 breaches reported involving < 500 people’s records,
representing 20,970,222 people’s records
6 health care organizations reported security breaches of more than 1M records
(TriCare’s breach alone involved 4.9M records)
Summary of Other Key Research Findings:
• Vast majority of healthcare organizations have had at least one data
breach in the past two years
• The economic impact can exceed $1 Million (man hours to resolve incidents,
fines, legal, credit monitoring fees, etc.)
• Insider negligence (employee carelessness) continues to be at the root
of most data breaches
• Patient identity theft growing – medical & financial information
9. WHERE ARE THE RISKS?
Stolen laptop (1.9M records)
Hard drive went missing (1.22M records)
External drive stolen (1.02M records)
Data backup tapes lost (1.05M records)
Network server hacked (31,700 records)
Types of breaches (chart): theft 54%, unauthorized access 20%,
lost records/devices 11%, hacking 6%, improper disposal 5%, other 4%
10. FROM THE RULE
Conduct or review a security risk analysis and implement security
updates as necessary and correct identified security deficiencies as
part of its risk management process
Since practices vary in terms of technical sophistication and security
capabilities, the Rule is designed to be flexible & scalable.
11. FLEXIBLE AND SCALABLE
That’s me!
Flexible
I’ll do it whenever
Scalable
I’ll just assess my EMR (which is already certified, right??)
12. CONSEQUENCES
Willful Neglect Potential Breach
• Must Identify
Internal and external areas of the practice that store, use or transmit
PHI, not just your EMR or EHR
• Must protect
Confidentiality, Integrity & Availability of ePHI
OVERLY FLEXIBLE OVERLY SIMPLIFIED
13. CLINICAL RISK MANAGEMENT
THE PERFECT ANALOGY
• Focused on identifying adverse events (clinical risks), prevention &
control
• Uses root cause analysis – systemic causal factors
• Develop corrective action plans
• Devise risk reduction strategies
• Training
14. THE ELEMENTS OF A PRIVACY AND
SECURITY RISK MANAGEMENT
PROCESS
Risk Assessment & Analysis
(against controls defined in HIPAA)
Evaluating risk to the confidentiality, availability or integrity of PHI
(determine vulnerability for gaps in compliance)
Develop a Remediation Plan
(close the gaps)
Create Evidence
(training, policy and procedure documentation, track risk
mitigation activities, etc.)
Monitor Effectiveness of Controls and Periodic Review
(Ongoing Risk Management process)
15. RISK ANALYSIS
Numerous methods of performing risk analysis are available
• None ‘guarantee’ compliance
Ultimately, risk is a function of:
• the likelihood of a given threat triggering or exploiting a
particular vulnerability
(gap in compliance requirements)
• the anticipated impact on the organization
(usually high, medium or low)
Risk is not a single factor or event, but rather a combination of factors
or events (threats and vulnerabilities) that, if they occur, may have an
adverse impact on the organization.
16. FUNDAMENTAL STEPS IN RISK ANALYSIS
Identify the scope of the analysis
(any resources used to create, receive, maintain or transmit PHI)
Gather data
(inventories)
Assess current security measures against required controls and
standards
(ad hoc, in-place, or non-existent)
Determine the level of risk (likelihood of threat occurrence and
potential impact)
Identify security gaps to be remediated to minimize risks and
document the analysis
(remediation plan)
17. 1ST STEP TOWARD COMPLIANCE
RISK ANALYSIS
The first step in an organization’s Security Rule compliance efforts:
develop an ongoing risk management process that provides the
organization with detailed understanding of the risks to the
confidentiality, integrity, & availability of e-PHI.
18. DEVELOPING A REMEDIATION WORK PLAN TO
MANAGE RISK
1. Utilize the highest rated (priority) risks identified in the risk analysis
to develop an Initial Remediation Work Plan or blueprint of projects
that define ongoing risk mitigation efforts
2. Institute a disciplined Project Management Process in order to
assure progress is tracked and achieved on remediation efforts and
to demonstrate an ongoing risk management process
Documentation, Documentation, Documentation!!!!
19. EXECUTING A WORK PLAN
Assign a Project Manager to be in charge of each risk remediation
project
Customize/develop & document policies and procedures
Establish Review & Monitoring Procedures
Develop & help execute implementation plans
(contingency plan, disaster recovery plan, workforce training plan, etc.)
Coach & train personnel on new or revised policies, procedures and
plans
20. EXECUTING A WORK PLAN
Revisit what was done & do it all again!
Continue Review & Monitoring Procedures
21. REMEDIATION REQUIRED
Conduct or review a security risk analysis
AND Implement security updates as
necessary
AND Correct identified security deficiencies
as part of its risk management process
22. RISK MANAGEMENT
A JOURNEY NOT A PROJECT
Not a static event:
• Ongoing evaluation & monitoring
• Outputs of a risk assessment & analysis are the inputs to the
ongoing risk management program
GOAL : Reasonable & appropriate risk mitigation actions that
assure the confidentiality and security of PHI
23. CULTURE OF SECURITY AWARENESS
Leadership
Knowledge & Understanding of HIPAA Privacy &
Security and HITECH Act Requirements
Implement changes based on credible threats &
obvious vulnerabilities
Training:
onboarding, annual and supplemental
Vigilance:
ongoing reassessment, upgrading, updating
25. THE RISK OF DOING NOTHING
Recent CMS announcement
Approx. 1 out of 20 practices (5%) that attested to Meaningful
Use will be audited for compliance
Both pre-payment and post-payment audits
OCR Perspective
Audit eligible = All covered entities & their business associates
Harm to patients, potential fines, civil suits in the event of
breach, costs to mitigate an incident, loss of patients, reputation!
26. CONTACT:
KeySys Health, LLC
Susan Pretnar, President
4268 Cahaba Heights Court
Suite 190
Vestavia, AL 35243
www.keysyshealth.com
spretnar@keysyshealth.com
Editor’s Notes
In order to comply with the Security Rule, all covered entities (and their business associates) should use the same basic approach. At a minimum, you are required to: assess the strength of current security efforts related to the controls or ‘safeguards’ spelled out in the Rule (which means: are your policies and procedures documented, are they fully implemented and are they routinely monitored for compliance), and then analyze the security controls, weighing vulnerabilities, threats and the likelihood of a risk being exploited to determine a risk rating for each security gap. Finally, each covered entity or BA should use assessment information to develop an implementation plan to close existing security gaps as well as implement an ongoing risk management process to assure continuing attention to security controls that may be affected by changes in staff, the physical environment or the IT infrastructure. (Please keep in mind this is not just a project for the practice but an ongoing business function.) Program components involve the people in your organization to keep the data safe, either directly or indirectly, through processes and technologies. What is attained in the end is a systematic ‘culture’ that recognizes that privacy and security risks are real and everyone takes them seriously.
Patients who are well informed of their medical condition are more likely to comply with their provider’s recommended regimen. They are also better able to communicate important health information to their providers, which can assist providers with their diagnosis and care plans. Informed and educated patients and their families can take an active role in healthcare decision making; for example, when faced with multiple treatment options (e.g., choice of breast or prostate cancer treatments), educational materials and tools can help them share in treatment decisions. They are also more likely to effectively manage their own care, as healthy behaviors and chronic care are ongoing, everyday activities. Patients’ participation in chronic care self-management programs can have a substantial impact on their health.
Since 2010 the threats to healthcare organizations have become increasingly more difficult to control. Technologies that promise greater productivity and convenience such as mobile devices, file-sharing applications and cloud-based services are difficult to secure. Eighty-one percent of organizations permit employees and medical staff to use their own mobile devices such as smartphones or tablets to connect to their networks or enterprise systems such as email. On average, 51 percent of employees are bringing their own devices to the healthcare facility.
Healthcare organizations seem to face an uphill battle in their efforts to stop and reduce the loss or theft of protected health information (PHI) or patient information. As is revealed in the Third Annual Benchmark Study on Patient Privacy and Data Security, many healthcare organizations struggle with a lack of technologies, resources and trained personnel to deal with privacy and data security risks. Since first conducting this study in 2010 the percentage of healthcare organizations reporting a data breach has increased and not declined. Further, there are more reports of multiple breaches and only 40 percent of organizations in this study have confidence that they are able to prevent or quickly detect all patient data loss or theft. Since 2010 the threats to healthcare organizations have become increasingly more difficult to control. Employee mistakes and negligence also continue to be a significant cause of data breach incidents. The price tag for dealing with these breaches can be staggering. While the cost can range from $10,000 to more than $1 million, we calculate that the average cost for the organizations represented in this benchmark study is $2.4 million over a two-year period. This year 80 healthcare organizations participated in this benchmark research and 324 interviews were conducted. Respondents interviewed work in all areas of the organization: security, administrative, privacy, compliance, finance and clinical.
Visual picture would be nice here
Scope of the Analysis
The scope of risk analysis that the Security Rule encompasses includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits. (45 C.F.R. § 164.306(a).) This includes e-PHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media. Electronic media includes a single workstation as well as complex networks connected between multiple locations. Thus, an organization’s risk analysis should take into account all of its e-PHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted or the source or location of its e-PHI.

Data Collection
An organization must identify where the e-PHI is stored, received, maintained or transmitted. An organization could gather relevant data by: reviewing past and/or existing projects; performing interviews; reviewing documentation; or using other data gathering techniques. The data on e-PHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)

Identify and Document Potential Threats and Vulnerabilities
Organizations must identify and document reasonably anticipated threats to e-PHI. (See 45 C.F.R. §§ 164.306(a)(2) and 164.316(b)(1)(ii).) Organizations may identify different threats that are unique to the circumstances of their environment. Organizations must also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)

Assess Current Security Measures
Organizations should assess and document the security measures an entity uses to safeguard e-PHI, whether security measures required by the Security Rule are already in place, and if current security measures are configured and used properly. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
The security measures implemented to reduce risk will vary among organizations. For example, small organizations tend to have more control within their environment. Small organizations tend to have fewer variables (i.e. fewer workforce members and information systems) to consider when making decisions regarding how to safeguard e-PHI. As a result, the appropriate security measures that reduce the likelihood of risk to the confidentiality, availability and integrity of e-PHI in a small organization may differ from those that are appropriate in large organizations.
(Posted July 14, 2010)

Determine the Likelihood of Threat Occurrence
The Security Rule requires organizations to take into account the probability of potential risks to e-PHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) The results of this assessment, combined with the initial list of threats, will influence the determination of which threats the Rule requires protection against because they are “reasonably anticipated.”
The output of this part should be documentation of all threat and vulnerability combinations with associated likelihood estimates that may impact the confidentiality, availability and integrity of e-PHI of an organization. (See 45 C.F.R. §§ 164.306(b)(2)(iv), 164.308(a)(1)(ii)(A), and 164.316(b)(1)(ii).)

Determine the Potential Impact of Threat Occurrence
The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of e-PHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) An organization must assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability. An entity may use either a qualitative or quantitative method or a combination of the two methods to measure the impact on the organization.
The output of this process should be documentation of all potential impacts associated with the occurrence of threats triggering or exploiting vulnerabilities that affect the confidentiality, availability and integrity of e-PHI within an organization. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1)(ii).)

Determine the Level of Risk
Organizations should assign risk levels for all threat and vulnerability combinations identified during the risk analysis. The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. The risk level determination might be performed by assigning a risk level based on the average of the assigned likelihood and impact levels.
The output should be documentation of the assigned risk levels and a list of corrective actions to be performed to mitigate each risk level. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

Finalize Documentation
The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).) The risk analysis documentation is a direct input to the risk management process.

Periodic Review and Updates to the Risk Assessment
The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).) The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. The frequency of performance will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment.
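The slides (risk as a function of likelihood and impact, rated high/medium/low; the highest-rated risks seeding the remediation work plan) and the guidance above (a risk level derived, as one option, from the average of the assigned likelihood and impact levels; documented output for every threat/vulnerability combination) describe a procedure that is easy to lose in prose. The Python below is an added example and is not part of the presentation or of the HHS guidance: a small risk register that scores a constructed inventory of threat/vulnerability pairs and turns the result into a prioritized remediation list. The asset names, findings and ratings are constructed sample data; the 2.0/2.5 level thresholds and the rule that an in-place control with low residual risk is monitored rather than remediated are this example's own assumptions, not anything the Rule specifies.

```python
"""Risk register for a practice's e-PHI: score threat/vulnerability pairs,
derive a risk level from the average of likelihood and impact, and rank
the findings that need remediation. Constructed example; the thresholds
and the sample inventory are assumptions, not HHS or KeySys material."""
from dataclasses import dataclass
from typing import Dict, List

# Qualitative ratings used on the slides ("usually high, medium or low")
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    asset: str           # resource that creates/receives/maintains/transmits e-PHI
    threat: str          # reasonably anticipated threat
    vulnerability: str   # gap against a required or addressable control
    likelihood: str      # "low" | "medium" | "high"
    impact: str          # "low" | "medium" | "high"
    control_status: str  # "in-place" | "ad hoc" | "non-existent" (slide 16 wording)


def risk_score(likelihood: str, impact: str) -> float:
    """Average of the numeric likelihood and impact levels (1..3)."""
    return (LEVELS[likelihood] + LEVELS[impact]) / 2


def risk_level(score: float) -> str:
    """Map an averaged score back to a level. Thresholds are this example's
    choice: 2.5 (e.g. medium likelihood with high impact) is treated as high."""
    if score >= 2.5:
        return "high"
    if score >= 2.0:
        return "medium"
    return "low"


def assess(findings: List[Finding]) -> List[Dict]:
    """The documented output: every pair with its ratings, score and level."""
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        rows.append({
            "asset": f.asset, "threat": f.threat, "vulnerability": f.vulnerability,
            "likelihood": f.likelihood, "impact": f.impact,
            "control_status": f.control_status,
            "score": score, "risk_level": risk_level(score),
        })
    return rows


def remediation_plan(rows: List[Dict]) -> List[Dict]:
    """Findings that need corrective action, highest rated first.
    Assumption: a control already in place with low risk is monitored, not remediated."""
    open_items = [r for r in rows
                  if r["control_status"] != "in-place" or r["risk_level"] != "low"]
    return sorted(open_items, key=lambda r: (-r["score"], r["asset"].lower()))


# Constructed sample inventory (not real data): the asset types on the
# "Where are the risks?" slide plus a few workforce and process gaps.
SAMPLE_FINDINGS = [
    Finding("clinician laptops", "theft of device", "no full-disk encryption",
            "high", "high", "non-existent"),
    Finding("backup tapes", "loss in transit", "unencrypted backups, no chain of custody",
            "medium", "high", "ad hoc"),
    Finding("EHR server", "external hacking", "missing patches, no intrusion monitoring",
            "medium", "high", "ad hoc"),
    Finding("workforce", "insider negligence", "no annual privacy/security training",
            "high", "medium", "non-existent"),
    Finding("retired workstations", "improper disposal", "no media sanitization procedure",
            "low", "high", "non-existent"),
    Finding("practice management system", "unauthorized access",
            "shared logins, no unique user IDs", "medium", "medium", "ad hoc"),
    Finding("fax server", "misdirected transmission",
            "verification step documented and audited", "low", "low", "in-place"),
]


def build_register(findings: List[Finding] = SAMPLE_FINDINGS):
    """Run the analysis and return (documented rows, prioritized plan)."""
    rows = assess(findings)
    return rows, remediation_plan(rows)


if __name__ == "__main__":
    rows, plan = build_register()
    print(f"{'asset':28} {'likelihood':10} {'impact':8} {'score':5} level")
    for r in plan:
        print(f"{r['asset']:28} {r['likelihood']:10} {r['impact']:8} "
              f"{r['score']:<5} {r['risk_level']}")
```

Every row in `assess()` is kept, including the fax server finding that the plan filters out, because the guidance asks for documentation of all combinations, not only the ones chosen for remediation; the plan is a view over that record, and re-running `build_register()` after a staffing, facility or IT change is the "ongoing" part of the process.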