HIPAA InfoSec Presentation by Greg Patterson
TRANSCRIPT
INTRODUCTIONS
Greg Patterson, CISSP
Information Security Officer
Over 25 years in Information Systems
Certified Information Systems Security Professional
Member of the FBI Infraguard
Member of ISSA
TODAY'S FOCUS
What changed in the HIPAA / HITECH Omnibus rule
Important Dates
Breach Notifications
Safe Harbor for Breach Notification
Where Breaches Occur
Rule Enforcement - Fines imposed by the HHS
What you can do – Steps to reduce risk
Example – Information Security and Compliance Program
IMPORTANT DATES
HITECH Omnibus Final Rulemaking
Published in Federal Register – January 25, 2013
Effective Date – March 26, 2013
Compliance Date – September 23, 2013
Transition Period to Conform BA Contracts – Up to September 22, 2014, for Qualifying Contracts
Source: http://www.hhs.gov/ohrp/sachrp/mtgings/2013%20March%20Mtg/hipaa/hitechomnibus_finalrule.pdf
CHANGES IN THE OMNIBUS RULE
Definition of Breach – Old Rule
Impermissible use or disclosure of (unsecured) PHI which compromises the security or privacy of the information
Compromises means poses a significant risk of financial, reputational, or other harm to the individual
To determine whether notification is required, the preamble stated that the CE/BA must perform a risk assessment based on at least:
What type or amount of PHI was used or disclosed
Who received/accessed the information
Potential that PHI was actually accessed or acquired
What steps were taken to mitigate
Exceptions for inadvertent, harmless mistakes
Narrow exception for limited data sets without dates of birth & zip codes
Source: http://www.hhs.gov/ohrp/sachrp/mtgings/2013%20March%20Mtg/hipaa/hitechomnibus_finalrule.pdf
CHANGES IN THE OMNIBUS RULE
Definition of Breach – New Rule
Harm standard removed
New standard – impermissible use/disclosure of (unsecured) PHI presumed to require notification, unless CE/BA can demonstrate low probability that PHI has been compromised based on a risk assessment of at least:
Nature & extent of PHI involved
Who received/accessed the information
Potential that PHI was actually acquired or viewed
Extent to which risk to the data has been mitigated
Exceptions for inadvertent, harmless mistakes remain
Exception for limited data sets without dates of birth & zip codes removed
Source: http://www.hhs.gov/ohrp/sachrp/mtgings/2013%20March%20Mtg/hipaa/hitechomnibus_finalrule.pdf
SAFE HARBOR FOR BREACH NOTIFICATION
HHS does not require notification if PHI was secure
Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:
1. Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached.
i. Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
ii. Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.
SAFE HARBORS FOR BREACH NOTIFICATION
HHS does not require notification if PHI was secure
2. The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
i. Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.
ii. Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html
BREACHES IN 2012 BY ENTITY TYPE
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachreport2011-2012.pdf
BREACHES IN 2012 BY GENERAL CAUSE
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachreport2011-2012.pdf
BREACHES IN 2012 BY LOCATION OF PHI
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachreport2011-2012.pdf
RULE ENFORCEMENT
Fines Imposed by the HHS
$4,800,000, 5/7/14, Hospital / University
Physicians' server was accessible via the Internet
$1,725,220, 4/22/14, Physical Therapy Center
Laptops stolen from vehicle
$150,000, 12/26/13, Dermatology Practice
Unencrypted thumb drive
$100,000, 4/17/12, Cardiac Surgery Practice
Posting clinical and surgical appointments on an Internet calendar
Source: http://www.hhs.gov/news/
WHAT YOU CAN DO TO REDUCE RISK
Perform a Risk Assessment
The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.
Source: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html (Risk Analysis and Management)
WHAT YOU CAN DO TO REDUCE RISK
Security Risk Assessment Tool provided by HHS
The Office of the National Coordinator for Health Information Technology (ONC) recognizes that conducting a risk assessment can be a challenging task. That’s why ONC, in collaboration with the HHS Office for Civil Rights (OCR) and the HHS Office of the General Counsel (OGC), developed a downloadable SRA Tool to help guide you through the process. This tool is not required by the HIPAA Security Rule, but is meant to assist providers and professionals as they perform a risk assessment.
Source: http://www.healthit.gov/providers-professionals/security-risk-assessment-tool
SECURITY 101 – SECURITY RISK ANALYSIS
WHAT YOU CAN DO TO REDUCE RISK
Security Risk Assessment Tool Demonstration
Windows or iPad version at the HHS web site
http://www.healthit.gov/providers-professionals/security-risk-assessment-tool
Also available as Microsoft Word documents
SOFTWARE DEMO
WHAT YOU CAN DO TO REDUCE RISK
Protect mobile devices
Use a password or other user authentication
Install and enable encryption.
Install and activate wiping and/or remote disabling.
Disable and do not install file-sharing applications.
Install and enable a firewall.
Install and enable security software.
Keep security software up to date.
Research mobile applications (apps) before downloading.
Maintain physical control of your mobile device.
Use adequate security to send or receive health information over public Wi-Fi networks.
Delete all stored health information before discarding or reusing the mobile device.
Source: http://www.healthit.gov/providers-professionals/security-risk-assessment
HELPFUL RESOURCES
Guide to Privacy and Security of Health Information http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
10 Step Plan
http://www.healthit.gov/providers-professionals/ehr-privacy-security/10-step-plan
Top 10 Myths of Security Risk Analysis
http://www.healthit.gov/providers-professionals/top-10-myths-security-risk-analysis
EXAMPLE Information Security and Compliance Program
Anti-Virus Protection
Application Code Review
Business Associate Agreement Reviews (BAA)
Data Loss Prevention (DLP)
Disaster Recovery
Email / Spam Filtering
External Penetration Testing
Full Disk Encryption
Intrusion Prevention System (IPS/IDS)
Mobile Device Management (MDM)
PCI Attestation of Compliance
EXAMPLE Information Security and Compliance Program
Physical Security
Policies and Procedures
Risk Assessments (HIPAA / PCI)
Security Awareness Training
Security Incident Response Team (SIRT)
Security Information Event Management (SIEM)
Two Factor Authentication
SSAE16 Certification
Vendor Management Program
Vulnerability Management
Web Filtering