HIPAA Security: Does Anybody Really, Really Care?
Post on 27-Jan-2016
HIPAA Security: Does Anybody Really, Really Care?
Todd Fitzgerald, CISSP, CISA, CISM
Medicare Systems Security Officer
National Government Services
HIPAA COW Fall Conference, Stevens Point, WI
September 21, 2007, 9AM-10:15AM
HIPAA Security: Does Anybody Really, Really Care? HIPAA COW Fall Conference 9/21/07 Copyright © 2007 Todd Fitzgerald All rights reserved. Slide 2
Company Background
• Largest Processor of Medicare Claims contracted by the Centers for Medicare & Medicaid Services (CMS)
  – Serve over 22.5 Million people with Medicare in 26 states and 5 US Territories
  – Processed over 208 million Medicare claims totaling $87.9 Billion in 2006
• ISO 9001:2000 certified company
• Part of the WellPoint (NYSE: WLP) - nation’s largest health insurer (43,000+ associates), Fortune 50 Company (#35)
My Bio
• Currently Medicare Systems Security Officer for National Government Services
  – Formerly known as United Government Services (UGS) prior to WellPoint/Anthem merger; AdminaStar Federal, Empire Medicare Services & UGS combined to form NGS
• Odd Information Technology Jobs in Wisconsin, Oklahoma, Texas, Pennsylvania & Delaware
• Speak and write on security issues I find interesting (and EVERYONE ELSE should also)
• 2 Kids, both have Health Insurance because they are in college
• I think I live in Downtown Milwaukee
• Started HIPAA COW Security Taskforce; HIPAA COW Board Member
(Slide groupings: Employment, The Past 6 Years…; The Prior X Years…; The Other Stuff)
Ok, Back To Why We Are Here.. The Question:
HIPAA SECURITY:
Does Anybody REALLY, REALLY CARE?
And The Answer IS….
(This slide is intended to be blank. Or was it ? Was it here originally ? Did one of you take it ?)
Security Is THE Enabler of Healthcare Transactions
HIPAA
E-Health Initiatives
RHIOs
Healthcare Quality
Patient Safety
Information Access
Information Exchange
Privacy Rights
Electronic Medical Record/Personal Health Record
Medicare Cares About Security
• 450 Security Controls
• Medicare Reform consolidating 15+ data centers into 3
• Rigorous security self-assessments
• Continuous audits
• Staff dedicated to security
Medicare Contracting Reform Consolidating Regions
Remember HCOW Security Rule Presentation? January… 200X
(Diagram labels: Administrative Procedures; Physical Safeguards; Technical Security Services; Technical Security Mechanisms; Protected Health Information)
5 Years of HIPAA Security Accomplishments
• Increased Organizational awareness and education of security issues
• Assignment of security responsibility
• Communication of the concept of “risk”
• More thoughtful attention to need-to-know principles of security
• Mapping between HIPAA controls and other frameworks
Healthcare Security Breaches Making The Headlines..
• Inadequate Security Attention
• Staff Improperly Trained
• Misplacement of Data
• Access beyond that required for job
2006 Top 10 Healthcare Security Breaches
1. Theft of computer disks and tapes containing 365,000 Providence Home Services Patients
2. Veteran Affairs’ stolen laptop from home containing 26.5 Million names and claims data
3. Sisters of St. Francis, Indiana temporarily lost 3 CDs containing 260,000 patients when computer returned to store.
2006 Top 10 Healthcare Security Breaches (continued)
4. Stolen laptop Vassar Brothers Medical Center – 257,800 former patients
5. 2 Employees stole 25,000 patient records from Kaiser Permanente to apply for credit cards
6. Georgia-based PSA Healthcare reported 51,000 records on stolen laptop left in car
7. Nurse from Beaumont Hospital – 28,000 records from laptop in car
2006 Top 10 Healthcare Security Breaches (continued)
8. Aetna – 59,000 members from laptop in car
9. Hospital Chain HCA Inc, 10 computers stolen containing 15-18K Medicare beneficiaries
10. Front-desk operator sold patient information on 1,100 people to a cousin for submitting fraudulent Medicare Claims.
Source: Report on Patient Privacy, December 2006
Healthcare Is Not Alone…
• Bank of America: 1.3 million consumers exposed – Lost back-up tape
• DSW retail: 1.2 million consumers exposed – Hacking
• Card Services: 40 million consumers exposed – Hacking
• TJX Stores: 45 million consumers exposed – Internal theft
• UCLA: 800,000 consumers exposed – Human error
• Fidelity: 196,000 consumers exposed – Stolen laptop
A Who’s Who of Fortune 500 Companies.. And The List Is Growing
St. Joseph's Hospital
California Department of Health
California Department of Mental Health
CMS Rationale for Publishing Guidance for Remote Use and Access to EPHI
• Increased risk to protected health information associated with increased remote access to EPHI
  – Increase in workforce mobility
  – Increase in offsite availability of EPHI
  – Increase in use of portable media storage devices
• Recent remote access security related incidents
  – Reported loss or theft of laptops containing EPHI
  – High profile incident involving Medicare Beneficiary data being “left” on a hotel computer by an employee of contracted health plan
  – Reported access to health information by unauthorized users
Source: Presentation, Office of eHealth Standards and Services, CMS
CMS Responds December 28, 2006 With Portable Device/Remote Access Security Guidance
• Risk analysis determines business necessity
• Policies, procedures, workforce training, permitted access must be consistent with Privacy/Security Rule
• Access, storage, and transmission processes must be in place
CMS Guidance Highlights The Risks Of Portable Device/Remote Access of EPHI
Access
• Logon/Password lost or stolen
• Employee unauthorized offsite access
• Unattended workstations
• Contamination of remote access system
Storage
• Laptop/portable device lost or stolen
• Loss of data
• Inappropriate device disposal
• Data left on public external device
• Contamination
Transmission
• Data intercepted or modified
• Contamination
CMS Suggests Potential Mitigation Strategies To Address The Risk Areas
Access
• Two-factor authentication
• Technical user name processes
• Clearance procedures, role-based access, sanctions, training
• Session termination
• Personal firewalls/anti-virus
Storage
• Track hardware
• Lock mechanisms
• Password protect files
• Encryption
• Ensure security updates
• Backup and archival policies
• Prohibit download w/o justification
• Training, anti-virus
Transmission
• Prohibit open network transmission
• Prohibit offsite devices for email
• Prohibit wireless access points
• Secure email
• SSL, HTTPS strong encryption for EPHI
• Anti-virus
Medicare Does Not Like Headlines Either, Hence The Following Internet Policy:
“Transmission of and/or receipt of health care transactions (claims, remittances, etc.) or other CMS sensitive data over the Internet is prohibited at Medicare business partners (or their agents).
Practically, this prohibition means that CMS requires the use of private networks or dial-up connections with any entity that transmits or receives health care transactions and/or CMS sensitive data to or from the Medicare contractor.
CMS is closely following the healthcare industry’s movement toward the adoption of industry-wide security technologies that ensure the confidentiality, integrity, and availability of data moved over the Internet and will reconsider the policy at the appropriate time.
- CMS Business Partners Systems Security Manual
Percentage of Those Reporting Compliancy With Security Rule High
(Chart slide)
Source: AHIMA State of HIPAA Privacy and Security Compliance, April 2006
More AHIMA Findings Indicate Security Compliance Is Improving
• 100% have security officer, 65% full-time
• Security task forces decreasing (86% in 2004 to 59% in 2006)
• 54.3% updated systems/applications to comply with security rule
  – Firewalls (40.4%)
  – VPNs (25.9%)
  – Anti-virus/spam (38.2%)
  – Data backup technologies (30.2%)
  – 31% involved in RHIO’s
• Newsletters (64.6%), staff meetings (68.8%) and reminders (56.3%) predominant method of training
• “It appears security regulations were easier to implement than the privacy rule.”
Source: AHIMA State of HIPAA Privacy and Security Compliance, April 2006
Phoenix Health Survey Indicates Attention Still Needed
• Providers are of particular concern
  – 56% implemented security standards (80% of payers)
  – 49% of hospitals with 400 or more beds compliant
  – 70% of hospitals with <100 beds and large physician groups compliant
• Breaches remain concern
  – 39% of providers and 33% of payers experienced breach in last 6 months
• Claims of full compliance; gaps remain
• Agree that HIPAA implementation created greater attention to patient privacy and security
• Budget constraints, other higher priority projects, complex infrastructures slowing progress
Source: Phoenix Health Systems/HIMSS Summer 2006 survey
And WEDI Notes There Are Still HIPAA Gaps
• PHI Data Posted on Bulletin Boards for Training
• Lack of policies and procedures
• Portable devices being used without training
• Lack of remote device/storage media inventories
• Visitor access to PHI areas
• Out of date disaster recovery planning
• Lack of formal audit process
• Lack of regular, periodic security assessments, risk analysis with security rule
Source: WEDI Testimony 5/1/2007 to NCVHS Subcommittee
Are We Improving Security? At What Level Do We Have Minimum Security?
Policy
Procedure
Integrated
Implemented
Tested
Today’s Key Challenge In Many Organizations
Or.. Are We Improving Security Compliance?
POLICY: CLOSE AND LOCK WINDOWS AT THE END OF THE DAY
PROCEDURE: CHECK LATCH, LOG WINDOW CHECKED
IMPLEMENTATION: MAINTAIN EVIDENCE IN LOG BOOK FOR AUDITORS
CMS Office of External Affairs Enforcement Statistics
• Complaint driven
• 28,000 Privacy complaints filed with OCR since HIPAA Privacy Rule Issued
• 244 Security complaints
• FAQs Issued, outreach activities
• NIST 800-66 Document revision expected March 2008
• Complaint compliance by attestation vs. inspection/review
Most of The CMS HIPAA Security Complaints Issued Are Due To Human Error
• Poor judgment, not malicious intent
• Company needs to stress users are the keepers of very confidential data
• Good job of documenting policies & procedures, but not training
• Access by foolishness
• Company has no way to protect
• Protections may be complex, company still has responsibility
• Wireless devices, USB drives are next large concern area
Security Litigation: What Is The Herd Doing? Do We Know?
Reviewed Final HIPAA Security Rule → Established security officer role → Identified gaps → Created mitigation plan → Implemented security controls
No right of private action under HIPAA ……. BUT
2006 North Carolina Appeals Court Allows New Use Of HIPAA In Lawsuit
• Psychiatric records disclosed
• Patient sues clinic owner for providing password to an office manager
• Claim used HIPAA as the standard of care
• Suing under negligence, new avenue for plaintiffs?
RIPPED From The Headlines
Source: Amednews.com 3/12/2007
Piedmont Hospital Audited In March 2007 For Security By DHHS OIG
• “HIPAA Audit Riles Health IT” …Reported June 15, 2007
  – Was it a HIPAA Audit?
  – Will there be more of them?
  – Is security enforcement being done by the OIG in the private sector?
  – What is the standard of care?
  – What implications are there for health care entities?
Policies & Procedures Requested For 24 e-PHI Security-Related Issues
• Establish/Terminate User Access
• Emergency IT System Access
• Inactive Sessions
• Recording/examining activity
• Risk Assessments
• Employee violations/sanctions
• Electronic transmission
• Incident prevention, detection, containing
• Regular access review
• Security violation logging
• Monitoring systems and network
• Physical access to systems
• Types of security access controls
• Remote access
• Internet usage
• Wireless security
• Firewalls, routers, switches
• Physical security repair
• Encryption/decryption
• Transmission
• Password and server configurations
• Antivirus software
• Network remote access
• Patch management
…And Please Provide A List of…
• Information systems, network diagrams
• Terminated employees
• New hires
• Encryption mechanisms
• Authentication methods
• Outsourced/contractor access
• Transmission methods
• Org chart for IT, Security
• Systems Security Plans
• All users with access, including rights
• System Administrators, backup operators
• Antivirus servers
• Internet access control software
• Desktop antivirus software
• Users with remote access
• Database security requirements/settings
• Domain controllers, servers
• Authentication approaches
Source: “HIPAA Audit: The 42 Questions HHS might ask”, Computerworld June 19, 2007
Security Audits Necessary To Ensure Controls Are Functioning
(Information security management cycle figure: Assess Risk & Determine Needs; Implement Policies & Controls; Promote Awareness; Monitor & Evaluate; Central Management; Audit at each step)
Source: “Learning from Leading Organizations” GAO/AIMD-98-68 Information Security Management
DHHS Office of Inspector General Audits Have An Integrity Mandate
• Authority established in 1978 under Inspector General Act of 1978 (Public Law 95-542) to:
  – Conduct & supervise audits related to DHHS programs/operations
  – Recommend policies to:
    • Promote efficiency/effectiveness
    • Prevent/detect fraud and abuse
  – Provide a means to:
    • Inform Head of DHHS and Congress of problems and corrective actions
    • Protect integrity of DHHS programs
OIG Conducts/Oversees Multiple Audit Types and Standards
• Government Audits – Driven by security standards
  – OMB A-123
  – Chief Financial Officer’s Audit (FISCAM/NIST)
  – Medicare Modernization Act of 2003 (Section 912) Audit
  – Federal Information Security Management Act of 2002
  – SAS 70
  – HIPAA-based Reviews of non-government entities?
What Is An OIG-Led Audit Like?
1. May be co-sourced, or completely outsourced to external auditor
2. Audit Entrance conference scheduled 2 weeks in advance
3. Agreed Upon Procedures (AUP) issued
4. Prepared By Client (PBC) list requested by auditor
5. Multiple meetings/interviews scheduled
6. Samples selected
7. Policies/Procedures requested/evidence requested
8. Exit Conference/Draft Report
9. Corrective Actions prepared
10. Follow-up meetings
11. Closure at next audit cycle of findings, new sample pulled
(Audit flow figure: Request List → Sample Selection → Agreed Upon Procedure Testing → Findings → Corrective Action)
FINAL THOUGHTS: Security Is Ongoing, and It Is Hard To Make Sure NOTHING HAPPENS
(Figure labels: SUCCESS / FAILURE)
Our Security Future…
• Increased guidance driven by security events
• HIT will drive enforcement/audits
• Government audits continue to get more detailed
• Company must protect (itself) against human error through:
  – Policies
  – Procedures
  – Training
• “Standard of care” bar is increasing
Final Thoughts: Does Anybody Really Care?
• YOU BET!
  – Headlines: Trust Inhibitor
  – Office of Inspector General
  – Financial Statements
  – Federal Information Security Management Act (Medicare Reform Mandated Compliance)
  – Private Litigation, Impacted Consumers
  – Health Information Technology Success
TODD FITZGERALD
Todd Fitzgerald, CISSP, CISA, CISM
Medicare Systems Security Officer
6775 W. Washington St, Milwaukee, WI 53214
Todd.fitzgerald@ugswlp.com
Todd_fitzgerald@yahoo.com
Thank You !!