Verizon's solution for addressing the HITECH Act's Privacy and Security requirements. All US organizations (healthcare providers, payers and partners / business associates) that store or process Protected Health Information (PHI) must comply with this federal law.
HITECH Act
Overview
= Health Information Technology for Economic and Clinical Health
• Title 13 of ARRA
• $20B
• Objectives
– Develop standards by 2010 for electronic exchange of healthcare information
– Incentives to encourage doctors and hospitals to digitize
– Save government $10B
– Strengthen privacy and security to protect PHI
• Expanded scope of HIPAA in HITECH
1. Mandates public notification of data breaches
2. Stricter compliance and accounting for ePHI requests
3. Responsibility for managing PHI at Business Associates
Stiff enforcement, penalties: $50k to $1.5MM per violation
Background
“Meaningful Use”
• Criteria that need to be met by healthcare providers to qualify for HITECH grants and incentives
• CMS provides $18B in reimbursement incentives for “meaningful users”
• Five Policy Priorities to establish Meaningful Use:
1. Improved Quality, Safety, and Efficiency
2. Engage Patients and Families
3. Improve Care Coordination
4. Improve Public Health
5. Ensure Privacy & Security of PHI
• Care Goals
• Set of Objectives & Measures for Each Two Year Window (2011, 2013, and 2015)
Background
What is a Business Associate?
• Person or entity that performs certain functions or activities that involve the use or disclosure of PHI
• Works on behalf of, or provides services to, a Covered Entity (CE)
• Member of the CE’s workforce is not a BA
• May include:
– Accountants
– Consultants
– Pharmacy
– Payers (health insurance provider)
– Labs (e.g., LabCorp)
– Software Vendors (EHR, PHR, etc.)
– HIOs, RHIOs, HIEs
• How many BAs?
– United Healthcare Group: 3600+ BAs
– Humana: 2400+ BAs
– Medco: ~900 BAs
Why Verizon?
Leading Provider of Security Solutions
Industry Recognition
Verizon is the leading global MSSP (Gartner, Forrester)
Verizon security consultants actively participate in 20+ security industry specific organizations
Verizon Security Consulting practice recognized as a Strong Performer (Forrester)
ICSA Labs is the industry standard for certifying security products
Credentials
BSI Associate Consultant for ISO 27001 and BS 25999
PCI ASV, QSA and PA-QSA
CREST approved penetration tester
HITRUST Qualified CSF Assessor and member of the Leadership Roundtable
Global Reach
500+ dedicated security consultants based in 23 countries that speak 24 languages
Serve 77% of Forbes Global 2000
7 sources of risk intelligence
Experience
Investigated breaches involving 900+ million records
Verizon SMP is the oldest security certification program in the industry
Provide national identity solutions in over 25 countries
Provide services to 78% of Fortune 100
Delivered 1800+ security consulting engagements in 2009
Finally…
• The Federal Government is serious
– Apr ‘03 – Feb ‘09: 42k HIPAA complaints, 0 penalties
– May ‘09: Kaiser fined $250k for privacy breach
– Security of PHI is required for Meaningful Use
• Lack of security is costly
– Aug ‘08: LensCrafters settles class action suit for $20m
– Jan ‘09: VA to pay $20m for privacy breach
– Individuals (not just organizations) are on the hook
• Why VzB?
– VzB already has the services to address HITECH Privacy and Security
– VzB has 2800+ healthcare customers
– VzB has a dedicated Healthcare Solutions team
– Transfer knowledge based on 1800+ security consulting engagements in 2009 alone
HITECH Act
Enforcement and Penalties
• Criminal penalties can now be applied to individuals (not just companies)
• New system of civil monetary penalties that incorporates the concept of “willful neglect”
• Establishment of a methodology to distribute to harmed individuals a portion of civil penalties collected
• State attorneys general can bring civil action on behalf of residents whose privacy has been violated
• Requires HHS secretary to periodically audit CEs, BAs
• OCR responsible for enforcing HIPAA Security and Privacy Rules
No max penalty
Willful neglect
Must authorize and define the use of PHI in contracts w/ partners
10% reduction in Medicare reimbursements if organization is not HIPAA compliant
Subtitle D of HITECH is Privacy
Disincentives in latter years of HITECH for non-Meaningful Users
www.hipaasurvivalguide.com
[WSJ, 02/02/09]
[ITRC]
Notices must be sent within 60 days
Overrides FTC Red Flags
administrative, physical and technical
BAs are now within the jurisdiction of HHS
Goes into effect on 02/18/2010
Reduces the risk on CEs (by shifting some of it to BAs)
Other = HITECH / HIPAA Compliant Smart Centers, Secure Messaging, etc.
For the latest version, please contact Omar Khawaja
Verizon Business manages 260,000-plus security, network and hosting devices across more than 4,200 customer networks in 142 countries and territories.
Privacy Rights has tracked only 263 million breached records from Jan ‘05 to July ’09
(http://www.privacyrights.org/ar/ChronDataBreaches.htm#Total)
Threat & Vulnerability Intel
Track and analyze new software vulnerabilities and related attacks
Underground Intel
Watch discussions, code sharing, planning, etc. Historically BBS, then Usenet; now more IRC and cons.
ICSA Labs Intel
Security product testing and security consortia operations. 400+ products
Forensics Intel
Data and Intel from forensics investigations (200+ cases per year).
MSS Intel
Data from IDS, FW, IPS, applications, etc.; management and monitoring SOC operations
Net Intel
Data from backbone. Sensors on more than 1 million VzB addresses. NetFlow, honeynets, honeypots…
Studies & Surveys
VzB studies and surveys (10+/yr), plus others' published data, used to drive risk models, equations and methodology
OCR = Office of Civil Rights
HHS = Health and Human Services
State attorneys general can bring civil action in federal court on behalf of residents whose privacy has been violated
(Independent of ARRA) HHS assigned to the OCR responsibility for enforcing HIPAA Security Rule (in addition to Privacy Rule)