© 2010-12 clearwater compliance llc | all rights reserved copyright notice 1 copyright notice. all...

© 2010-12 Clearwater Compliance LLC | All Rights Reserved

Copyright Notice

1

Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]

mailto:[email protected]


Legal Disclaimer

2

Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

© 2010-12 Clearwater Compliance LLC | All Rights Reserved3

Welcome to today’s Live Event… we will begin shortly…

Please feel free to use “Chat” or “Q&A” to tell us any ‘burning’ questions you may have in advance…


Webinar Slide Deck

http://clearwatercompliance.com/wp-content/uploads/2014/01/2014-01-17_How-To-Meet-HIPAA-HITECH-Encryption-Requirements_V3.pdf

4

Check “Chat” or “Question” area on GoToWebinar Control panel to copy/paste link and download materials







How to Meet HIPAA-HITECH Encryption Requirements & Beyond

WEBINAR

January 17, 2014

Stephen Treglia, JDLegal Counsel, Recovery SectionAbsolute Software Corporation(877) [email protected]

Bob Chaput, CISSP, CIPP-US, CHP, CHSSCEO & FounderClearwater Compliance LLC615-656-4299 or [email protected]

http://www.linkedin.com/pub/stephen-treglia/19/300/224


http://www.linkedin.com/in/BobChaput



About HIPAA-HITECH Compliance

1.We are not attorneys!

2.The Omnibus has arrived!

3.Lots of different interpretations!

So there!

6


• Legal Counsel, Absolute’s Investigations & Recovery Section 2010 – present

• Prosecutor in New York 1980-2010

• Investigated/prosecuted Organized Crime 1985-1995

• Used computers, seized computers

• Started investigating/prosecuting computer crime 1996

• Created one of first Technology Crime Units 1997, headed it to 2010

• Started investigating/prosecuting Absolute cases in 2006

Stephen Treglia, JD


Bob ChaputMA, CISSP, CIPP/US, CHP, CHSS

8

• President – Clearwater Compliance LLC• 30+ years in Business, Operations and Technology• 20+ years in Healthcare• Executive | Educator |Entrepreneur• Global Executive: GE, JNJ, HWAY• Responsible for largest healthcare datasets in world• Numerous Technical Certifications (MCSE, MCSA, etc)• Expertise and Focus: Healthcare, Financial Services, Retail, Legal

• Member: IAPP, ISC2, HIMSS, ISSA, HCCA, HCAA, CAHP, ACAP, ACHE, AHIMA, NTC, ACP, SIM, Chambers, Boards


http://hipaasecurityassessment.com/




Session Objectives1.Define and understand basic HIPAA-HITECH relevant terms and concepts

2.Review the specific requirements of HIPAA and HITECH for encryption

3.Provide practical, actionable next steps to take to meet HIPAA-HITECH encryption requirements

4.Address Why Encryption is Not Enough!

9

© 2010-12 Clearwater Compliance LLC | All Rights Reserved 10

1. Secure Your PHI Avoid the “Wall

of Shame” …Get Started Now

Answer Page!

2. Technology solutions are an important part, but only part of a balanced Security Program

4. Encryption is likely not enough; consider additional safeguards

3. Large or Small: Consider Getting Help (Tools, Experts, etc)


Oops! Missed That Safe Harbor Thingy!

11

AvMed, Inc. FL 1,220,000 12/10/2009 Theft LaptopCincinnati Children's Hospital Medical Center OH 60,998 3/27/2010 Theft LaptopPraxair Healthcare Services, Inc. CT 54,165 2/18/2010 Theft LaptopThomas Jefferson University Hospitals, Inc. PA 21,000 6/14/2010 Theft LaptopAultman Hospital OH 13,867 6/7/2010 Theft LaptopDepartment of Health Care Policy & Financing CO 105,470 5/17/2010 Theft Desktop ComputerMontefiore Medical Center NY 23,753 6/9/2010 Theft Desktop ComputerSt. Joseph Heritage Healthcare CA 22,012 3/6/2010 Theft Desktop ComputerUniversity of Oklahoma-Tulsa, Neurology ClinicOK 19,264 7/25/2010 Hacking/IT Incident Desktop ComputerMontefiore Medical Center NY 16,820 5/22/2010 Theft Desktop ComputerGeisinger Wyoming Valley Medical Center PA 2,928 11/6/2010 Unauthorized Access/DisclosureE-mailThe Children's Medical Center of Dayton OH 1,001 4/22/2010 Unauthorized Access/DisclosureE-mailSinai Hospital of Baltimore, Inc. MD 937 5/3/2010 Unauthorized Access/DisclosureE-mailReliant Rehabilitation Hospital North Houston TX 763 2/9/2010 Unauthorized Access/DisclosureE-mailBlue Cross Blue Shield of Tennessee TN 1,023,209 10/2/2009 Theft Hard DrivesProvidence Hospital MI 83,945 2/4/2010 Loss Hard DrivesPuerto Rico Department of Health PR 400,000 9/21/2010 Unauthorized Access/Disclosure, Hacking/IT IncidentNetwork ServerTriple-S Salud, Inc. PR 398,000 9/9/2010 Theft Network ServerSeacoast Radiology, PA NH 231,400 11/12/2010 Hacking/IT Incident Network ServerAnkle & foot Center of Tampa Bay, Inc. FL 156,000 11/10/2010 Hacking/IT Incident Network ServerSilicon Valley Eyecare Optometry and Contact LensesCA 40,000 4/2/2010 Theft Network Server

3,895,532


Session Objectives

12

1.Define and understand basic HIPAA-HITECH relevant terms and concepts





Key Terms & Concepts1. Protected Health Information (PHI)

2. electronic PHI (ePHI)

3. Secured PHI

4. Unsecured PHI

5. Data Breach

6. Encryption

7. Destruction

8. Safe Harbor

9. Security Essentials

10. Required versus Addressable


Protected Health Information• Protected Health

Information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual.

14

• PHI is interpreted rather broadly and includes any part of a patient’s medical record or payment history

• …and, that is linked to personal (18) identifiers


Data Breach• A breach is, generally, an

impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.


Don’t Panic!Event

16

Incident

Breach

?

?


Unsecured PHI• Unsecured PHI is PHI that has

not been rendered unusable, unreadable, or indecipherable

• CEs and BAs must only provide the required notification if the breach involved unsecured protected health information.

17


Encryption Encryption means the use

of an algorithmic

process to transform

data into a form in

which there is a low

probability of assigning

meaning without use of

a confidential process

or key.1

145 C.F.R. § 164.304 Definitions


Safe Harbor“This guidance is intended to describe the technologies and methodologies that can be used to render PHI unusable, unreadable, or indecipherable to unauthorized individuals.

While covered entities and business associates are not required to follow the guidance, the specified technologies and methodologies, if used, create the functional equivalent of a safe harbor, and thus, result in covered entities and business associates not being required to provide the notification otherwise required by section 13402 in the event of a breach.”1

19

1 DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR Parts 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information


Session Objectives

20






Security Rule & Encryption

Privacy Rule Reasonable Safeguards for all PHI

Physical Safeguards for EPHI

Technical Safeguards for EPHI

Administrative Safeguards for EPHI

• Security Management Process• Security Officer• Workforce Security• Information Access Mgmt• Security Training• Security Incident Process• Contingency Plan• Evaluation• Business Associate Contracts

• Access Control• Audit Control• Integrity• Person or Entity Authentication• Transmission Security

• Facility Access Control• Workstation Use• Workstation Security• Device & Media Control

21

HIPAA ACTUALLY SAYS LITTLE ABOUT ENCRYPTION!

22 Security Standards


45 C.F.R. §164.312(a)(1)Standard: Access Control.

(i) Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec.164.308(a)(4).

…

(2) Implementation specifications: (iv) Encryption and Decryption. (Addressable). Implement a

mechanism to encrypt and decrypt electronic protected health information.

22

Access Control (think Data at Rest)


45 C.F.R. §164.312(e)(1)Standard: Transmission Security.

(i) Transmission Security -Section 164.312(e)(1) - Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

(2) Implementation specifications: (ii) Encryption (Addressable). Implement a mechanism to

encrypt electronic protected health information whenever deemed appropriate.

23

Transmission Security (think Data in Motion)


The Security RuleRequired vs. Addressable1

(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity’s electronic protected health information; and

(ii) As applicable to the entity—(A) Implement the implementation specification if reasonable and appropriate; or(B) If implementing the implementation specification is not reasonable and appropriate—

(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and

(2) Implement an equivalent alternative measure if reasonable and appropriate.

24

ADDRESSABLE

≠OPTIONAL

145 CFR 164.306(d)(3)


MU Stage 2 Requirements Objective: Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities

Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process.


The HITECH Act

THREE absolute “game changers”:

1) More Enforcement2) Bigger fines3) Wider Net Cast

26


HIPAA Rules Fall short… HITECH Addressed

• No definition of Secured or Unsecured PHI in HIPAA!

• The HITECH Act Secretary of Health and Human Services must issue guidance

27

• Securing PHI as defined in the new guidance is important because secured PHI is not subject to the breach notification requirements of the HITECH Act.


Encryption Definition45 CFR 164.304 Definitions

• Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

28


HHS / OCR Guidance1

• Two methodologies to secure PHI by making it unusable, unreadable or indecipherable to unauthorized persons: • Encryption• Destruction

• May be used to secure data in four commonly

recognized data states: 1. data in motion2. data at rest3. data in use4. data disposed

29

1 DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR Parts 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information

http://abouthipaa.com/wp-content/uploads/Guidance-Specifying-the-Technologies-and-Methodologies-That-Render-Protected-Health-Information-Unusable-Unreadable-or-Indecipherable-to-Unauthorized-Individualshitechrfi1.pdf





Encryption GuidanceBased on HHS/OCR Guidance1…

• Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.

30

• Valid encryption processes for data in motion are those which comply, as appropriate, with:• NIST SP800-52

, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations;

• NIST SP800-77, Guide to IPsec VPNs; • NIST SP800-113, Guide to SSL VPNs, • or others Federal Information Processing Standards (FIPS) 140-2 validated.1http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html



http://abouthipaa.com/wp-content/uploads/SP800-111-Guide-to-Storage-Encryption-Technologies-for-End-User-Devices.pdf



http://abouthipaa.com/wp-content/uploads/SP800-52-Guidelines-for-the-Selection-and-Use-of-Transport-Layer-Security-TLS-Implementations.pdf



http://abouthipaa.com/wp-content/uploads/SP800-77-Guide-to-IPsec-VPNs.pdf

http://abouthipaa.com/wp-content/uploads/SP800-77-Guide-to-IPsec-VPNs.pdf

http://abouthipaa.com/wp-content/uploads/SP800-113-Guide-to-SSL-VPNs.pdf

http://abouthipaa.com/wp-content/uploads/SP800-113-Guide-to-SSL-VPNs.pdf

http://abouthipaa.com/wp-content/uploads/FIPS-140-2-FIPS-PUB-140-2-SECURITY-REQUIREMENTS-FOR-CRYPTOGRAPHIC.pdf








Destruction Guidance• Must shred or destroy paper,

film or other media

• Electronic media cleared, purged or destroyed consistent with NIST SP 800-88, Guidelines for Media Sanitization

31

http://abouthipaa.com/wp-content/uploads/NIST-SP800-88-Guidelines-for-Media-Sanitization_with-errata.pdf




2012 OCR Audit Protocol

32

Audit Procedures1. Inquire of management as to whether an encryption mechanism

is in place to protect ePHI. 2. Obtain and review formal or informal policies and procedures

and evaluate the content relative to the specified criteria to determine that encryption standards exist to protect ePHI. Based on the complexity of the entity, elements to consider include but are not limited to:

a. Type(s) of encryption used.b. How encryption keys are protected.c. Access to modify or create keys is restricted to appropriate

personnel.d. How keys are managed.

3. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so. Evaluate this documentation if applicable.


Policy defines an organization’s values & expected behaviors; establishes “good faith” intent

People must include talented privacy &

security & technical staff, engaged and supportive

management and trained/aware colleagues

following PnPs.

Procedures or processes – documented - provide the actions required to deliver on organization’s values.

Safeguards includes the various families of administrative, physical or

technical security controls (including “guards, guns, and gates”,

encryption, firewalls, anti-malware, intrusion detection, incident

management tools, etc.)

BalancedCompliance

Program

Balanced Compliance Program

Clearwater Compliance Compass™33


Session Objectives

34






Next Actions to Meet Requirements1. Get Educated on Encryption2. Determine Regulations that

Apply to You3. Include ALL “ePHI homes”4. Decide If Encryption is Enough5. Establish Selection Criteria6. Identify Alternatives for

Secure PHI

35

7. Test Top Alternatives Don’t Create Bricks!

8. Ensure Fit Into an Overall HIPAA Compliance Plan

9. Put BAs and Subcontractors on Notice10.Seek Help, If Needed


Session Objectives

36






Is Encryption Enough?

37


Graphical representation of state laws

• NM, SD, Kentucky, Alabama lack statutes

• Darker colors – tougher laws

• Virginia considered toughest because of highest penalties

• California started this with law passed in 2002, effective 2003

• Generally applies to government agencies and businesses

• Some States also cover healthcare


What even constitutes a breach requiring notification?

• Again, varies State by State• Typically, the release of a name

and some other identifier• Address, SSN, account number• Some States have a harm

requirement; some don’t• Some require a minimum #

breached before notification required

• Some make encryption a safe harbor; some don’t


But does encryption always = “Safe Harbor”?• Those who claim encryption is a safe harbor to

HIPAA regulation should read 74 Federal Register 79 – issued 4/27/09

• Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

• At page 19009 – “(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by ‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’ and such confidential process or key that might enable decryption has not been breached.”


New York General Business Law § 899-aaPrior statute:• "Personal identifying information"

means personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that is included in the same record as the encrypted personal information or data element:

Current statute:• "Private information" shall

mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:


Several States do allow encryption to be a safe harbor

Arizona 44-7501A• 44-7501. Notification of breach of security system;

enforcement; civil penalty; preemption; exceptions; definitionsA. When a person that conducts business in this state and that owns or licenses unencrypted computerized data that includes personal information becomes aware of an incident of unauthorized acquisition and access to unencrypted or unredacted computerized data that includes an individual's personal information, the person shall conduct a reasonable investigation to promptly determine if there has been a breach of the security system. If the investigation results in a determination that there has been a breach in the security system, the person shall notify the individuals affected.


What does all this volatility mean to you?

• Causes the most problems for multi-state entities

• How do compliance officers respond?

• They comply with “highest-denominator”

• Means they comply with the toughest State statues to play it safe

• If in compliance with the toughest• They’re in compliance with the rest• Why is staying compliant

important?


Consider More Robust Technology

44


Many Services/Many Solutions/Even Unique Ones

• Computrace/Lojack for Laptops/Patented Persistence – Unique to the industry

• Many devices/one solution – Also unique

• Recovery staff of 43 ex-law enforcement officers/over 1000 years experience – Also unique

• Encrypted devices/Encryption Reports

• Device Freeze/Data Delete

• Geo-fencing/Data Loss Prevention

• Forensic/Investigative Services

• Can tell what data is and isn’t seen/Report generated


Compliance is important way beyond HIPAA penalties & fines

• Think as an ambulance-chasing attorney for a moment

• Each listing of a breached healthcare system is > 500 identities

• Generally, breached identity is valued at a minimum of $1000

• Class action lawsuit just waiting to happen


Shooting fish in a barrel

Shooting sitting ducks (from a blind that’s not all that blind)

Apropos analogies?


A $4.9 BILLION Lawsuit

• U.S. Dept. of Defense defendant for theft of computer tape from car driven by employee of the subcontractor of one of its Business Associates

• Records of 4.9 million members of military on the tape

• $1000 per victim = $4.9 billion

• Business Associate also a defendant, but not the subcontractor (sue the entities with the biggest pockets)


Another $4 BILLION Lawsuit ???

49

Failing to use Encryption


Share Price

50

July 2011 - Accretive employee’s laptop

computer, containing 20 million pieces of

information on 23,000 patients, was stolen from

the passenger compartment of the

employee’s car

7/31/2012 $2.5M MN SAG Settlement

1/19/2012 MN SAG Suit

12/31/2013FTC Settle.

6/13/2013Class Suit

9/27/2013$14M Class Settlement

http://finance.yahoo.com/echarts?s=AH+Interactive#symbol=ah;range=5y;compare=;indicator=volume;charttype=area;crosshair=on;ohlcvalues=0;logscale=off;source=undefined;

4/2/2013CEO

Replaced

8/26/2013CFO

Replaced

http://finance.yahoo.com/echarts?s=AH+Interactive%23symbol=ah;range=5y;compare=;indicator=volume;charttype=area;crosshair=on;ohlcvalues=0;logscale=off;source=undefined





© 2010-12 Clearwater Compliance LLC | All Rights Reserved 51

1. Secure Your PHI Avoid the “Wall

of Shame” …Get Started Now

Summary

2. Technology solutions are an important part, but only part of a balanced Security Program

3. Large or Small: Consider Getting Help (Tools, Experts, etc)


ResourcesRisk Analysis Buyer’s Guide:

http://abouthipaa.com/about-hipaa/hipaa-risk-analysis-resources/hipaa-risk-analysis-buyers-guide-checklist

/

Encryption & Risk Analysis Information:

http://abouthipaa.com/about-hipaa/hipaa-hitech-resources/

http://abouthipaa.com/about-hipaa/hipaa-risk-analysis-resources/hipaa-risk-analysis-buyers-guide-checklist/










Register For Upcoming Live HIPAA-HITECH Webinars at:

http://clearwatercompliance.com/live-educational-webinars/

53

Resources

View pre-recorded Webinars like this one at:

http://clearwatercompliance.com/on-demand-webinars/






Clearwater HIPAA Compliance BootCamp™ Events

Take Your HIPAA Privacy and Security Program to a Better

Place, Faster

Other 2014 Plans – Virtual, Web-Based Events (3, 3-hr sessions): • May 14-21-28• August 13-20-27• November 5-12-19

Other 2014 Plans - Live, In-Person Events (9-hours): • March 17 – Detroit• April 24 - San Francisco• July 24 – Boston• October 16 - Los Angeles

March 17| Live HIPAA BootCamp™ | Detroit

February 12, 19, 26 | HIPAA Virtual BootCamp™

http://clearwatercompliance.com/shop/clearwater-hipaa-compliance-bootcamp/

https://attendee.gototraining.com/r/3160994028653644033

https://attendee.gototraining.com/r/3160994028653644033

http://www.clearwatercompliance.com/bootcamp


HIPAA Compliance BootCamp™Welcome, Introductions and Overview1. How to Set Up Your Privacy and Security Risk Management & Governance Program 2. How to Assess Your Increased Liability Risk Under the Omnibus Final Rule3. How to Develop & Implement Comprehensive HIPAA Privacy and Security and

Breach Notification Policies & Procedures (PnPs)Networking Break4. How to Prepare for and Manage an OCR Investigation5. How to Train all Members of Your WorkforceNetworking Luncheon & Refresh6. Panel Discussion – How to Implement a Strong, Proactive Business Associate

Management Program7. How to Complete All HIPAA Security Rule Assessment RequirementsNetworking Break8. Presentation and Panel Discussion: How to Create a “Culture of Compliance”9. How to Assess and Monitor Your Compliance with the HIPAA Privacy Rule and

HITECH Breach Notification RuleBuffer Time, Q&A, Final RemarksAttendee Reception (optional)

55

HOW TO…


Gregory J. Ehardt, JD, LL.M.HIPAA/Assistant Compliance Officer - HCA Adjunct Professor Office of General CounselIdaho State University

Bob Chaput, CISSP, CIPP/US CHP, CHSSCEOClearwater Compliance

Expert Instructors

Elizabeth Warren, Esq.PartnerBass, Berry & Sims, PLC

Mary Chaput, MBA, CIPP/US, CHPCFO & Chief Compliance OfficerClearwater Compliance

Meredith Phillips, MHSA, CHC, CHPC Chief Information Privacy & Security Officer Henry Ford Health System

David Finn, CISA, CISM, CRISCHealth IT Officer Symantec Corporation


57

Contact

Stephen Treglia, JDLegal Counsel, Recovery SectionAbsolute Software Corporation(877) [email protected]

Bob Chaput, CISSP, CIPP-US, CHP, CHSSCEO & FounderClearwater Compliance LLC615-656-4299 or [email protected]

http://www.linkedin.com/pub/stephen-treglia/19/300/224





© 2010-12 clearwater compliance llc | all rights reserved copyright notice 1 copyright notice. all...

Documents