Slides from our 1/20/2011 webinar - HIPAA & HITECH Requirements, Compliance, Meaningful Use, and IT security assessments...we know it’s confusing!
Let’s focus on what you need to know!
Redspin & Phyllis Patrick and Associates Webinar - HIPAA, HITECH, Meaningful Use, IT Security
1. HIPAA & HITECH Requirements, Compliance, and Meaningful Use
We know it’s confusing.
Let’s focus on what you need to know!
Information Security Assessments
“We Take Your Security Personally”
Phyllis Patrick, MBA, FACHE, CHC
Phyllis A. Patrick and Associates LLC
Phyllis@phyllispatrick.com

Dan Berger, Executive Vice President
Redspin, Inc.
dberger@redspin.com
2. Agenda
- New Era in Health IT – What it means to you
- Risk Assessment Strategies and Components
- Effective Security Process
- Meaningful Use and how to get incentive $
- Practical Example –Case Study
3. New Era in Health IT
– New Regulations and Initiatives
– Incentive Funding (Medicare & Medicaid)
– New Consumer and Patient Issues
4. New Programs
EHRs • Electronic Health Records
HIEs • Health Information Exchanges
RECs • Regional Extension Centers
EHRs • Achieving meaningful use of certified EHRs
5. Privacy and Security
Policies and Programs
• Privacy as a Patient Satisfaction Issue
• Synergy with Quality and Safety Programs
• Right of Private Action/State AG Activities
6. The ONC Mandate
Americans will benefit from electronic health records as
“part of a modernized, interconnected, and vastly
improved system of care delivery.”
7. ONC Mandate and Initiatives
• Temporary Certification Program
• Standards and Certification Criteria Final Rule
• Medicare and Medicaid EHR Incentive
Programs
• Meaningful Use of EHRs Final Rule
• Certified Health IT Product List
8. New Federal Regulations
– Meaningful Use of Electronic Health Records
(Final Rule) – Medicare and Medicaid Incentive
Programs
– Certification Process/Criteria
– Certification Standards
– HITECH Amendments to HIPAA
– Breach Notification Requirements
10. Security Laws
– Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule
– Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records
– Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)
– Family Educational Rights and Privacy Act (FERPA)
– Payment Card Industry Data Security Standard (PCI DSS)
– State Breach Notification, Social Security Numbers, Data Protection, and other laws
– Children’s Online Privacy Protection Act
– Federal Information Security Management Act (FISMA)
– H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation
– Encryption Laws (e.g., State laws)
– Sarbanes-Oxley Act (Public Companies)
– Gramm-Leach-Bliley Act (Financial Services)
– And more………
11. Some rules haven’t changed – Have you fully implemented the HIPAA Security Rule?
12. The HIPAA Security Rule
– Compliance Date: April, 2005
– 42 Standards and Implementation Specifications
– Information Security Management Program
– Applies to Electronic Protected Health Information (ePHI) that
a Covered Entity Creates, Receives, Maintains, or Transmits
13. Security Rule Standards
Evaluation Standard [§164.308(a)(8)]
“Perform a periodic technical and non-technical evaluation, based initially upon the
standards implemented under this rule and subsequently, in response to environmental or
operational changes affecting the security of electronic protected health information,
that establishes the extent to which an entity’s security policies and procedures meet
the requirements of this subpart.”
Related Standards
– Security Management Process §164.308(a)(1)(i)
– Risk Analysis §164.308(a)(1)(ii)(A)
– Risk Management §164.308(a)(1)(ii)(B)
– Information System Activity Review §164.308(a)(1)(ii)(D)
15. New Enforcement Efforts and
Priorities
HHS made changes to the HIPAA regulations to conform
the enforcement component of the regulations to the
statutory revisions made pursuant to the HITECH Act.
• Civil Monetary Penalties
• Violations categorized
• Tiered ranges of civil money penalty amounts
16. Penalties – Per Calendar Year (HITECH tiers)
Tier 1 – Person did not know (and by exercising reasonable diligence would not have known):
  $100 - $50K per violation, not to exceed $25K - $1.5MM per calendar year
Tier 2 – Violation due to reasonable cause and not to willful neglect:
  $1,000 - $50K per violation, not to exceed $100K - $1.5MM per calendar year
Tier 3 – Due to willful neglect and violation was corrected:
  $10K - $50K per violation, not to exceed $250K - $1.5MM per calendar year
Tier 4 – Due to willful neglect and violation was not corrected:
  At least $50K per violation, not to exceed $1.5MM per calendar year
17. GOVERNANCE
Leadership
Organizational Structures
Processes that support the security and privacy
programs while supporting and sustaining the
organization’s mission and strategic goals
Relationships with Business Associates and 3rd parties
18. Effective Security Program
Governance
– Involves appropriate organizational personnel
– Defines a governance framework or methodology
– Enables uniform risk measurement across the
organization
– Produces quantifiable, meaningful deliverables
– Reflects business practices, organizational risk
appetites, and changing levels of risk
Reference: IT Compliance Institute
19. Business Associates
Covered Entity (CE)
A health plan, health care clearinghouse, or health care provider who transmits any
health information in electronic form in connection with a transaction covered under
HIPAA (the Administrative Simplification standards; HITECH extended these obligations
to Business Associates)
Business Associate (BA)
A party who performs a function on behalf of a Covered Entity and has access to PHI in
the performance of that function
20. Business Associate Compliance
Liability:
- BAs are contractually liable to CEs for breach of the BA agreement
- BAs are civilly and criminally liable to the Federal government for violations
Notification:
- BA must notify CE of any breach
- CE has the obligation to notify patients and HHS
- If 500+ persons are affected, notify media serving their area
Recommendations:
- Identify BAs with highest risk
- Communicate expectations to BAs
- Automate contract and BA agreement files
- Develop auditing and monitoring process
- Educate executives and key players on BAs
Examples of Business Associates (BAs) of a Covered Entity (CE):
- IT vendors
- coding vendors
- outsourced call center
- subcontractors
- insurance companies
- pharmacies
- hospitals
- physicians
- e-prescribing ecosystem
- CPOE
- radiology labs
- HIEs
- RHIOs
- ACOs
- lawyers
- CPAs
- housekeeping services
- etc. !!!
22. Components of the Assessment
• Governance of the Privacy and Security Programs
• Privacy Rule and Security Rule Standards
• Policies and Procedures
• Risk Assessment and Management
• Program Infrastructure
  – Designation of Privacy and Security Officers
  – Reporting Relationships
  – Staffing and Resources
• Education and Training Programs
• Security Breach Notification Policy and Procedures
• Readiness to meet HITECH/HIPAA requirements and Meaningful Use criteria
• Impacts of Business Partner/Business Associate Relationships
• Auditing and Monitoring Processes
23. Strategies for a Risk Assessment
• Formal and ongoing evaluation and
review process
• Periodic Risk Analysis, in particular
following significant changes
• Senior leader support
• Adequate and available resources
• Steering committee
24. Strategies for a Risk Assessment
• Governance/Reporting/Metrics
• Organization-wide Risk Analysis
• Communication of Risk Profile
• Documentation and Action Plans
• Independent Consultants?
25. Show Me the Money
How to Access Federal Dollars
26. Eligible Entities
– Eligible professionals (EPs)
– Eligible hospitals
– Critical access hospitals
– Certain Medicare Advantage Organizations whose affiliated
EPs and hospitals are meaningful users of certified EHR
technology
27. What is “Meaningful Use?”
• Use of a certified EHR in a meaningful manner (e.g.,
e-prescribing)
• Use of certified EHR technology for electronic
exchange of health information to improve quality of
health care
• Use of certified EHR technology to submit clinical
quality and other measures
28. Meaningful Use – Criteria and Standards
– Is the practice or hospital making adequate use of EHRs?
– Has a risk analysis been conducted?
– Is there a platform for staged implementation?
To achieve meaningful use, providers must:
– Provide and monitor privacy and security
protection of confidential PHI through operating
policies, procedures, and technologies
– Comply with all applicable federal and state laws
and regulations
– Provide transparency of data sharing to patients
29. Meaningful Use Incentive Programs
Medicare EHR
– Participation as early as FY 2011
– EPs may receive up to $44,000 over 5 years, plus an additional incentive if practicing in a HPSA
– Must begin by 2012 to get the maximum
– Incentives for hospitals may begin in 2011 with a $2 million base payment
– Medicare EPs, hospitals and CAHs who do not show meaningful use have a payment decrease beginning in 2015
Medicaid EHR
– Voluntarily offered by individual states
– May begin as early as FY 2011
– EPs may receive up to $63,750 over 6 years
– Incentives for hospitals may begin in 2011
– No payment adjustment for providers who do not show meaningful use
30. CMS Meaningful Use Goals
Improve quality, safety, and efficiency of
health care and reduce health disparities
Engage patients and families
Improve care coordination
Improve population and public health, and
Ensure adequate privacy and security
protections for personal health
information
33. HIPAA/HITECH Compliance
What are the objectives of a HIPAA Risk Analysis and Security Assessments?
Compliance: a HIPAA Risk Analysis verifies compliance with the standards defined in the
Security Rule of the Administrative Simplification provisions in Title II of HIPAA.
Security: utilizes a risk-based approach to minimize the risk of a compromise of
Electronic Protected Health Information (ePHI) triggering the breach notification
requirements.
34. Some Types of Assessments
- Wireless Pen
- Web App
- External Pen
- Internal Pen
- Social Engineering
Other possible assessments:
- PCI, if credit cards
- Sarbanes-Oxley
- Gramm-Leach-Bliley
[Diagram: Controls – Data Security Analysis, Network Security Analysis, Physical Security Analysis, Systems]
35. Components of Risk
The assets (what you are trying to protect is PHI)
• You need to know where it is, how it is used, and how it is transported over the network.
The threats (what are you afraid of happening?)
• Sophisticated cybercriminals stealing account credentials, credit card records, or medical history to file false claims.
• Hackers using application attacks to gain access to database records.
• Insiders gathering inappropriate data through misconfigured access control.
The vulnerabilities (how could the threat occur?)
• Targeted social engineering attacks; malware exploiting Adobe .pdf and MS Office .doc vulnerabilities
• Application vulnerabilities (e.g., SQL injection, command injection)
• Misconfigured database access controls
Current mitigation (what is currently reducing the risk?)
• Staff
• Technology
• Processes
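The application vulnerability named above, SQL injection against a patient lookup, is the most concrete item on this slide, so here is an added worked example (not part of the webinar slides, and not Redspin's or Axolotl's code). It builds an in-memory SQLite database with constructed, fictitious patient and user rows, shows a lookup that concatenates user input into the query, and shows the parameterized version of the same lookup. The two payload strings are assumed attacker inputs, not anything quoted from the page.

```python
import sqlite3

# Constructed sample data for the demo only; no real ePHI or credentials.
PATIENTS = [
    (1, "Garcia", "MRN-1001", "Type 2 diabetes"),
    (2, "Nguyen", "MRN-1002", "Hypertension"),
    (3, "Okafor", "MRN-1003", "Asthma"),
]
USERS = [
    ("dr.smith", "sha256$c0ffee0000"),
    ("billing01", "sha256$decafbad11"),
]

# Assumed attacker inputs typed into a "search by last name" field.
PAYLOAD_ALL = "' OR '1'='1"                       # returns every patient row
PAYLOAD_UNION = "x' UNION SELECT username, password_hash, '' FROM users --"


def make_db():
    """Create an in-memory database with a patients table (ePHI) and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, last_name TEXT, mrn TEXT, diagnosis TEXT)"
    )
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?)", PATIENTS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, last_name):
    """Builds the query by string formatting: the input becomes part of the SQL."""
    sql = f"SELECT last_name, mrn, diagnosis FROM patients WHERE last_name = '{last_name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, last_name):
    """Same query with a bound parameter: the input is only ever compared as data."""
    sql = "SELECT last_name, mrn, diagnosis FROM patients WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def demonstrate():
    """Run both lookups against a normal name and both payloads; return the row counts."""
    conn = make_db()
    return {
        "normal_vulnerable": len(lookup_vulnerable(conn, "Garcia")),
        "normal_safe": len(lookup_safe(conn, "Garcia")),
        "or_vulnerable": len(lookup_vulnerable(conn, PAYLOAD_ALL)),      # all patients
        "or_safe": len(lookup_safe(conn, PAYLOAD_ALL)),                  # no match
        "union_vulnerable": len(lookup_vulnerable(conn, PAYLOAD_UNION)),  # users table leaks
        "union_safe": len(lookup_safe(conn, PAYLOAD_UNION)),             # no match
    }


if __name__ == "__main__":
    for name, count in demonstrate().items():
        print(f"{name}: {count} row(s)")
    conn = make_db()
    print("leaked via UNION:", lookup_vulnerable(conn, PAYLOAD_UNION))
```

The UNION payload is the one to show management: a single unparameterized query on the patient search page hands out every account hash in the users table, which is the "hackers using application attacks to gain access to database records" threat from the slide. Parameterization removes the injection; pairing it with a least-privilege database account for the web application (one that cannot read the users table at all) is the mitigation that also covers the "misconfigured database access controls" item.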
38. Axolotl Overview
• Since 1995, Axolotl has been providing advanced Clinical Networking solutions
• Health Information Exchange has become a necessary foundation to support the
“meaningful use” of health information technology
• Cloud environment – supports electronic sharing of data among hospitals, physicians,
clinical laboratories, pharmacies, health plans (insurers), and public health departments
• Security and regulatory compliance are imperative for Axolotl’s customers
Founded: 1995
Location: San Jose, California
Industry: Healthcare Technology Provider
Solutions For: Hospitals & Health Systems, RHIOs, State Health Agencies, Physicians
Employees: 200
39. Solution for Axolotl
Areas Covered
• Comprehensive information
security assessment of
governance and operational
processes covering both
production and internal systems
• Thorough assessment of
policies, practices, and
procedures from both an internal
and external point of view
• Axolotl has been able to use
information security and
compliance as a distinct
advantage in a fiercely
competitive segment of the
healthcare market.
42. Common Themes and Issues
• Lack of Documentation
• Lack of Awareness of Programs
• Insufficient Training and Education
• Lack of adequate Disaster and Business Continuity Planning
• Privacy and Security less priority than Safety or Quality Programs
• Mobile Device Policy and Procedures
• Managers unaware of their role and responsibilities in privacy and security
• Management of Business Associate Relationships
• Lack of or outdated Encryption Policy and Procedures
• Who to Contact in case of perceived or actual Security Breach or Privacy Incident
43. EHR for the Future
• Whatever happens to the health care agenda, EHRs will
continue to evolve and regionalization will occur
• Some geographical areas will develop mature EHRs faster than
others
• Patients/consumer engagement is gaining traction
• Vendor market will consolidate and be more accountable
45. Strategies for a Risk Assessment
(Slide sidebar, repeated on slides 45-49: Evaluation/Review Process • Risk Analysis •
Steering Committee • Governance • Metrics/Scoreboard • Risk/Threats • Integrated
Assessment • Risk Profile • Consultant Criteria • Sr. Mgmt. Support • Penalties • Document!)
• Establish a formal, ongoing Evaluation and Review Process using an independent
consultant/third party. Conduct the review using project management tools and methods.
• Perform Risk Analysis, following established policies and procedures, at a minimum
every three years or whenever there is a significant change in the environment (e.g.,
new system, new regs, new service, new threats, changes in senior management)
46. Strategies for Risk Assessment
• Establish an ongoing Steering Committee:
  o Dedicate a multi-disciplinary team responsible for guiding the Evaluation and
    Risk Assessment Processes; utilize an existing team/committee if appropriate
• Establish governance structure/process for Security and Privacy reports to the BOD,
Audit & Compliance Committee, Strategic Planning Committee, etc.
• Security and Privacy Metrics/Scoreboard
47. Strategies for Risk Assessment
• Determine level of risk and threat to the organization, e.g.,
  • Security Breach
  • Identity Theft/Medical Identity Theft
  • Privacy Complaints/OCR Complaints/Patient Suits
  • Organization’s “Risk Appetite”
  • Organizational reputation
  • Financial consequences
• Integrate risk assessment for security and privacy into the organization-wide risk
assessment for all types of risk
• Develop and communicate Risk Profile
48. Strategies for a risk assessment
• Retain an independent consultant that meets specific criteria:
  – Determine qualifications of individuals performing the review
  – Ask questions to ascertain if consultants possess “hands on” experience
  – Do reports summarize data or provide a noted gaps analysis?
  – Does the consultant provide a “to do list” based upon the audit results, mapping a
    path for the organization to follow, or is it buried in the summary?
  – Do you understand the results and have support from the organization to resolve
    issues identified?
49. Strategies for a Risk Assessment
• Elicit support from senior management to provide adequate resources to address areas
of identified risks
• Note: Organizations that ignore findings are subject to increased penalties!
• Documentation and retention of action plans and follow-up is key to surviving and
resolving audits and investigations.
50. Successful information risk management program
1. Organizing for performance
2. Assessing risk
3. Decision analysis
4. Policy implementation
5. Measuring program effectiveness
6. Repeat steps 2-5, adjust the organization defined in step 1 to evolving business requirements
51. Risk Management Process: Detail
Step 1. Assess Risk
Identify and prioritize risks to the business.
a. Plan data gathering.
b. Gather risk data.
c. Prioritize risks.
Step 2. Decision Analysis
Evaluate requirements, understand possible solutions, select controls, estimate costs,
and choose the most effective mitigation strategy.
a. Define functional requirements to mitigate risks.
b. Outline possible control solutions.
c. Estimate risk reduction.
d. Estimate solution cost.
e. Choose mitigation strategy.
Step 3. Policy Implementation
Policy implementation. Acquisition and deployment of controls to carry out the policy.
a. Ensure policy specifications are enforceable.
b. Integrate process automation, people, and technology in the mitigation solution.
c. Defense in depth – coordinate application, system, data, and network controls.
d. Communicate policies and control responsibilities throughout the organization.
Step 4. Measure Effectiveness
Develop and disseminate reports. Provide management a dashboard of program effectiveness.
a. Management dashboard that summarizes the organization’s risk profile.
b. Report on changes under consideration and underway.
c. Communicate effectiveness of the control solutions in mitigating risk.
d. Report on the existing environment in terms of threats, vulnerabilities and risk profile.