HIPAA Security: Does Anybody Really, Really Care?

HIPAA Security: Does Anybody Really, Really Care?
Todd Fitzgerald, CISSP, CISA, CISM, Medicare Systems Security Officer, National Government Services. HIPAA COW Fall Conference, Stevens Point, WI, September 21, 2007, 9AM-10:15AM


Page 1: HIPAA Security: Does Anybody Really, Really Care ?

HIPAA Security: Does Anybody Really, Really Care?

Todd Fitzgerald, CISSP, CISA, CISM
Medicare Systems Security Officer

National Government Services

HIPAA COW Fall Conference, Stevens Point, WI

September 21, 2007, 9AM-10:15AM

Page 2: HIPAA Security: Does Anybody Really, Really Care ?

HIPAA Security: Does Anybody Really, Really Care? HIPAA COW Fall Conference 9/21/07 Copyright © 2007 Todd Fitzgerald All rights reserved. Slide 2

Company Background

• Largest Processor of Medicare Claims contracted by the Centers for Medicare & Medicaid Services (CMS)
– Serve over 22.5 Million people with Medicare in 26 states and 5 US Territories
– Processed over 208 million Medicare claims totaling $87.9 Billion in 2006

• ISO 9001:2000 certified company

• Part of WellPoint (NYSE: WLP) - nation’s largest health insurer (43,000+ associates), Fortune 50 Company (#35)

Page 3: HIPAA Security: Does Anybody Really, Really Care ?


My Bio

Employment The Past 6 Years….
• Currently Medicare Systems Security Officer for National Government Services
– Formerly known as United Government Services (UGS) prior to WellPoint/Anthem merger; AdminaStar Federal, Empire Medicare Services & UGS combined to form NGS

The Prior X Years…
• Odd Information Technology Jobs in Wisconsin, Oklahoma, Texas, Pennsylvania & Delaware

The Other Stuff
• Speak and write on security issues I find interesting (and EVERYONE ELSE should also)
• 2 Kids, both have Health Insurance because they are in college
• I think I live in Downtown Milwaukee
• Started HIPAA COW Security Taskforce; HIPAA COW Board Member

Page 4: HIPAA Security: Does Anybody Really, Really Care ?


Ok, Back To Why We Are Here.. The Question:

HIPAA SECURITY:

Does Anybody REALLY, REALLY CARE?

Page 5: HIPAA Security: Does Anybody Really, Really Care ?


And The Answer IS….

(This slide is intended to be blank. Or was it ? Was it here originally ? Did one of you take it ?)

Page 6: HIPAA Security: Does Anybody Really, Really Care ?


Security Is THE Enabler of Healthcare Transactions

HIPAA

E-Health Initiatives

RHIOs

Healthcare Quality

Patient Safety

Information Access

Information Exchange

Privacy Rights

Electronic Medical Record/Personal Health Record

Page 7: HIPAA Security: Does Anybody Really, Really Care ?


Medicare Cares About Security

• 450 Security Controls

• Medicare Reform consolidating 15+ data centers into 3

• Rigorous security self-assessments

• Continuous audits

• Staff dedicated to security

Page 8: HIPAA Security: Does Anybody Really, Really Care ?


Medicare Contracting Reform Consolidating Regions

Page 9: HIPAA Security: Does Anybody Really, Really Care ?


Remember HCOW Security Rule Presentation ? January… 200X

Administrative Procedures

Physical Safeguards

Technical Security Services

Technical Security Mechanisms

Protected Health Information

Page 10: HIPAA Security: Does Anybody Really, Really Care ?


5 years of HIPAA Security Accomplishments

• Increased Organizational awareness and education of security issues

• Assignment of security responsibility

• Communication of the concept of “risk”

• More thoughtful attention to need-to-know principles of security

• Mapping between HIPAA controls and other frameworks

Page 11: HIPAA Security: Does Anybody Really, Really Care ?


Healthcare Security Breaches Making The Headlines..

• Inadequate Security Attention

• Staff Improperly Trained

• Misplacement of Data

• Access beyond that required for job

Page 12: HIPAA Security: Does Anybody Really, Really Care ?


2006 Top 10 Healthcare Security Breaches

1. Theft of computer disks and tapes containing records of 365,000 Providence Home Services patients

2. Veterans Affairs laptop stolen from an employee’s home containing 26.5 Million names and claims data

3. Sisters of St. Francis, Indiana temporarily lost 3 CDs containing records of 260,000 patients when a computer was returned to the store.

Page 13: HIPAA Security: Does Anybody Really, Really Care ?


2006 Top 10 Healthcare Security Breaches

4. Stolen laptop Vassar Brothers Medical Center – 257,800 former patients

5. 2 Employees stole 25,000 patient records from Kaiser Permanente to apply for credit cards

6. Georgia-based PSA Healthcare reported 51,000 records on stolen laptop left in car

7. Nurse from Beaumont Hospital – 28,000 records from laptop in car

Page 14: HIPAA Security: Does Anybody Really, Really Care ?


2006 Top 10 Healthcare Security Breaches

8. Aetna – 59,000 members from laptop in car

9. Hospital Chain HCA Inc, 10 computers stolen containing 15-18K Medicare beneficiaries

10. Front-desk operator sold patient information on 1,100 people to a cousin for submitting fraudulent Medicare Claims.

Source: Report on Patient Privacy, December 2006

Page 15: HIPAA Security: Does Anybody Really, Really Care ?


Healthcare Is Not Alone…

Bank of America – 1.3 million consumers exposed – Lost back-up tape

DSW retail – 1.2 million consumers exposed – Hacking

Card Services – 40 million consumers exposed – Hacking

TJX Stores – 45 million consumers exposed – Internal theft

UCLA – 800,000 consumers exposed – Human error

Fidelity – 196,000 consumers exposed – Stolen laptop

Page 16: HIPAA Security: Does Anybody Really, Really Care ?


A Who’s Who of Fortune 500 Companies.. And The List Is Growing

St. Joseph's Hospital

California Department of Health

California Department of Mental Health

Page 17: HIPAA Security: Does Anybody Really, Really Care ?


CMS Rationale for Publishing Guidance for Remote Use and Access to EPHI

Increased risk to protected health information associated with increased remote access to EPHI:
– Increase in workforce mobility
– Increase in offsite availability of EPHI
– Increase in use of portable media storage devices

Recent remote access security related incidents:
– Reported loss or theft of laptops containing EPHI
– High profile incident involving Medicare Beneficiary data being “left” on a hotel computer by an employee of contracted health plan
– Reported access to health information by unauthorized users

Source: Presentation, Office of eHealth Standards and Services, CMS

Page 18: HIPAA Security: Does Anybody Really, Really Care ?


CMS Responds December 28, 2006 With Portable Device/Remote Access Security Guidance

• Risk analysis determines business necessity

• Policies, procedures, workforce training, permitted access must be consistent with Privacy/Security Rule

• Access, storage, and transmission processes must be in place

Page 19: HIPAA Security: Does Anybody Really, Really Care ?


CMS Guidance Highlights The Risks Of Portable Device/Remote Access of EPHI

Access
• Logon/Password lost or stolen
• Employee unauthorized offsite access
• Unattended workstations
• Contamination of remote access system

Storage
• Laptop/portable device lost or stolen
• Loss of data
• Inappropriate device disposal
• Data left on public external device
• Contamination

Transmission
• Data intercepted or modified
• Contamination

Page 20: HIPAA Security: Does Anybody Really, Really Care ?


CMS Suggests Potential Mitigation Strategies To Address The Risk Areas

Access
• Two-factor authentication
• Technical user name processes
• Clearance procedures, role-based access, sanctions, training
• Session termination
• Personal firewalls/anti-virus

Storage
• Track hardware
• Lock mechanisms
• Password protect files
• Encryption
• Ensure security updates
• Backup and archival policies
• Prohibit download w/o justification
• Training, anti-virus

Transmission
• Prohibit open network transmission
• Prohibit offsite devices for email
• Prohibit wireless access points
• Secure email
• SSL, HTTPS strong encryption for EPHI
• Anti-virus

Page 21: HIPAA Security: Does Anybody Really, Really Care ?


Medicare Does Not Like Headlines Either, Hence The Following Internet Policy:

“Transmission of and/or receipt of health care transactions (claims, remittances, etc.) or other CMS sensitive data over the Internet is prohibited at Medicare business partners (or their agents).

Practically, this prohibition means that CMS requires the use of private networks or dial-up connections with any entity that transmits or receives health care transactions and/or CMS sensitive data to or from the Medicare contractor.

CMS is closely following the healthcare industry’s movement toward the adoption of industry-wide security technologies that ensure the confidentiality, integrity, and availability of data moved over the Internet and will reconsider the policy at the appropriate time.

- CMS Business Partners Systems Security Manual

Page 22: HIPAA Security: Does Anybody Really, Really Care ?


Percentage of Those Reporting Compliancy With Security Rule High

Source: AHIMA State of HIPAA Privacy and Security Compliance, April, 2006

Page 23: HIPAA Security: Does Anybody Really, Really Care ?


More AHIMA Findings Indicate Security Compliance Is Improving

• 100% have security officer, 65% full-time
• Security task forces decreasing (86% in 2004 to 59% in 2006)
• 54.3% updated systems/applications to comply with security rule
– Firewalls (40.4%)
– VPNs (25.9%)
– Anti-virus/spam (38.2%)
– Data backup technologies (30.2%)
– 31% involved in RHIO’s
• Newsletters (64.6%), staff meetings (68.8%) and reminders (56.3%) predominant method of training
• “It appears security regulations were easier to implement than the privacy rule.”

Source: AHIMA State of HIPAA Privacy and Security Compliance, April, 2006

Page 24: HIPAA Security: Does Anybody Really, Really Care ?


Phoenix Health Survey Indicates Attention Still Needed

• Providers are of particular concern
– 56% implemented security standards (80% of payers)
– 49% of hospitals with 400 or more beds compliant
– 70% of hospitals with <100 beds and large physician groups compliant
• Breaches remain concern
– 39% of providers and 33% of payers experienced breach in last 6 months
• Claims of full compliance; gaps remain
• Agree that HIPAA implementation created greater attention to patient privacy and security
• Budget constraints, other higher priority projects, complex infrastructures slowing progress

Source: Phoenix Health Systems/HIMSS Summer 2006 survey

Page 25: HIPAA Security: Does Anybody Really, Really Care ?


And WEDI Notes There Are Still HIPAA Gaps

• PHI Data Posted on Bulletin Boards for Training
• Lack of policies and procedures
• Portable devices being used without training
• Lack of remote device/storage media inventories
• Visitor access to PHI areas
• Out of date disaster recovery planning
• Lack of formal audit process
• Lack of regular, periodic security assessments, risk analysis with security rule

Source: WEDI Testimony 5/1/2007 to NCVHS Subcommittee


Page 26: HIPAA Security: Does Anybody Really, Really Care ?


Are We Improving Security ? At What Level Do We Have Minimum Security ?

Policy

Procedure

Integrated

Implemented

Tested

Today’s Key Challenge In Many Organizations

Page 27: HIPAA Security: Does Anybody Really, Really Care ?


Or.. Are We Improving Security Compliance ?

POLICY: CLOSE AND LOCK WINDOWS AT THE END OF THE DAY

PROCEDURE: CHECK LATCH; LOG WINDOW CHECKED

IMPLEMENTATION: MAINTAIN EVIDENCE IN LOG BOOK FOR AUDITORS

Page 28: HIPAA Security: Does Anybody Really, Really Care ?


CMS Office of External Affairs Enforcement Statistics

• Complaint driven
• 28,000 Privacy complaints filed with OCR since HIPAA Privacy Rule Issued
• 244 Security complaints
• FAQs Issued, outreach activities
• NIST 800-66 Document revision expected March 2008

• Complaint compliance by attestation vs. inspection/review

Page 29: HIPAA Security: Does Anybody Really, Really Care ?


Most of The CMS HIPAA Security Complaints Issued Are Due To Human Error

• Poor judgment, not malicious intent
• Company needs to stress users are the keepers of very confidential data
• Good job of documenting policies & procedures, but not training
• Access by foolishness
• Company has no way to protect
• Protections may be complex, company still has responsibility
• Wireless devices, USB drives are next large concern area

Page 30: HIPAA Security: Does Anybody Really, Really Care ?


Security Litigation: What Is The Herd Doing ? Do We Know ?

Reviewed Final HIPAA Security Rule

Established security officer role

Identified gaps

Created mitigation plan

Implemented security controls

No right of private action under HIPAA

……. BUT

Page 31: HIPAA Security: Does Anybody Really, Really Care ?


2006 North Carolina Appeals Court Allows New Use Of HIPAA In Lawsuit

• Psychiatric records disclosed

• Patient sues clinic owner for providing password to an office manager

• Claim used HIPAA as the standard of care

• Suing under negligence, new avenue for plaintiffs?

RIPPED From The Headlines

Source: Amednews.com 3/12/2007

Page 32: HIPAA Security: Does Anybody Really, Really Care ?


Piedmont Hospital Audited In March 2007 For Security By DHHS OIG

• “HIPAA Audit Riles Health IT” …Reported June 15, 2007
– Was it a HIPAA Audit ?
– Will there be more of them ?
– Is security enforcement being done by the OIG in the private sector ?
– What is the standard of care ?
– What implications are there for health care entities ?

Page 33: HIPAA Security: Does Anybody Really, Really Care ?


Policies & Procedures Requested For 24 e-PHI Security-Related Issues

• Establish/Terminate User Access
• Emergency IT System Access
• Inactive Sessions
• Recording/examining activity
• Risk Assessments
• Employee violations/sanctions
• Electronic transmission
• Incident prevention, detection, containing
• Regular access review
• Security violation logging
• Monitoring systems and network
• Physical access to systems
• Types of security access controls
• Remote access
• Internet usage
• Wireless security
• Firewalls, routers, switches
• Physical security repair
• Encryption/decryption
• Transmission
• Password and server configurations
• Antivirus software
• Network remote access
• Patch management

Page 34: HIPAA Security: Does Anybody Really, Really Care ?


…And Please Provide A List of…

• Information systems, network diagrams
• Terminated employees
• New hires
• Encryption mechanisms
• Authentication methods
• Outsourced/contractor access
• Transmission methods
• Org chart for IT, Security
• Systems Security Plans
• All users with access, including rights
• System Administrators, backup operators
• Antivirus servers
• Internet access control software
• Desktop antivirus software
• Users with remote access
• Database security requirements/settings
• Domain controllers, servers
• Authentication approaches

Source: “HIPAA Audit: The 42 Questions HHS might ask”, Computerworld June 19, 2007

Page 35: HIPAA Security: Does Anybody Really, Really Care ?


Security Audits Necessary To Ensure Controls Are Functioning

(Diagram: information security management cycle with the stages Assess Risk & Determine Needs, Implement Policies & Controls, Promote Awareness, and Monitor & Evaluate around Central Management, with Audit marked at each stage)

Source: “Learning from Leading Organizations” GAO/AIMD-98-68 Information Security Management

Page 36: HIPAA Security: Does Anybody Really, Really Care ?


DHHS Office of Inspector General Audits Have An Integrity Mandate

• Authority established in 1978 under the Inspector General Act of 1978 (Public Law 95-542) to:
– Conduct & supervise audits related to DHHS programs/operations
– Recommend policies to:
• Promote efficiency/effectiveness
• Prevent/detect fraud and abuse
– Provide a means to:
• Inform Head of DHHS and Congress of problems and corrective actions
• Protect integrity of DHHS programs

Page 37: HIPAA Security: Does Anybody Really, Really Care ?


OIG Conducts/Oversees Multiple Audit Types and Standards

• Government Audits – Driven by security standards
– OMB A-123
– Chief Financial Officer’s Audit (FISCAM/NIST)
– Medicare Modernization Act of 2003 (Section 912) Audit
– Federal Information Security Management Act of 2002
– SAS 70
– HIPAA-based Reviews of non-government entities ?

Page 38: HIPAA Security: Does Anybody Really, Really Care ?


What Is An OIG-Led Audit Like ?

1. May be co-sourced, or completely outsourced to external auditor
2. Audit Entrance conference scheduled 2 weeks in advance
3. Agreed Upon Procedures (AUP) issued
4. Prepared By Client (PBC) list requested by auditor
5. Multiple meetings/interviews scheduled
6. Samples selected
7. Policies/Procedures requested/evidence requested
8. Exit Conference/Draft Report
9. Corrective Actions prepared
10. Follow-up meetings
11. Closure at next audit cycle of findings, new sample pulled

(Diagram: audit flow – Request List, Sample Selection, Agreed Upon Procedure Testing, Findings, Corrective Action)

Page 39: HIPAA Security: Does Anybody Really, Really Care ?


FINAL THOUGHTS: Security Is Ongoing, and It Is Hard To Make Sure NOTHING HAPPENS

(Diagram labels: SUCCESS, FAILURE)

Page 40: HIPAA Security: Does Anybody Really, Really Care ?


Our Security Future…

• Increased guidance driven by security events
• HIT will drive enforcement/audits
• Government audits continue to get more detailed
• Company must protect (itself) against human error through:
– Policies
– Procedures
– Training

• “Standard of care” bar is increasing

Page 41: HIPAA Security: Does Anybody Really, Really Care ?


Final Thoughts: Does Anybody Really Care ?

• YOU BET !
– Headlines: Trust Inhibitor
– Office of Inspector General
– Financial Statements
– Federal Information Security Management Act (Medicare Reform Mandated Compliance)
– Private Litigation, Impacted Consumers
– Health Information Technology Success


Page 42: HIPAA Security: Does Anybody Really, Really Care ?


TODD FITZGERALD

Todd Fitzgerald, CISSP, CISA, CISM
Medicare Systems Security Officer

6775 W. Washington St, Milwaukee, WI 53214

[email protected]

Thank You !!