
Monitoring Access to ePHI: Building a Business Case, June 9th, 2011. View the Replay


TRANSCRIPT

Page 1: Monitoring Access to ePHI: Building a Business Case

Monitoring Access to ePHI: Building a Business Case

June 9th, 2011

View the Replay

Page 2:

• Houston’s oldest Accountable Care Organization

• More than 350 physicians practicing in over 50 specialties

• 21 Clinical locations

Page 3:

Why Now? What is the urgency?

Who is accessing your patients' information?

Ask yourself the following:

Do you know?

Should you know?

Do you have the ability to determine?

Page 4:

Very Recent Headlines

AL Hospital Data Theft Affects Thousands

A Birmingham woman was arrested by U.S. Postal Inspection Service authorities and charged Thursday with felony theft of five years' worth of medical information for thousands of patients treated at Trinity Medical Center, formerly Montclair Baptist Medical Center, in Birmingham, AL.

Allina hospitals fire 32 over privacy violation

Two Allina hospitals in Anoka County have fired 32 employees for improperly accessing the medical records of patients who were hospitalized in March in the wake of a massive drug overdose at a party in Blaine.

* Clarification: During the presentation, the speaker referred to a data breach at Trinity Medical Center in Birmingham, AL. It was stated that the breach occurred continuously over a five-year period and the impression was that the culprit was an employee of the hospital. This was incorrect. The breach was a one-time theft of five years of paper records from a storage location. Additionally, the culprit was not an employee of the hospital.

Page 5:

U.S. Regulatory Framework

• HIPAA Security Rule (2003 / 2005):

• § 164.308(a)(1)(ii)(D) Information system activity review. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

• § 164.312(b) Audit controls (Technical safeguards). Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

• ARRA HITECH Privacy (2009):

• Definition of privacy breach

• Willful neglect

• Patient disclosure

• Governmental notification required

• Media Notification (500 or more)

• Increased fines and precedent

• Ability of state attorney general offices to bring lawsuits against care providers

• Increased systemic audits

• Meaningful Use Criteria (2010): Stage 1 certification requires an EHR to produce an audit log (HITECH, 45 CFR 170.302(r)). Conduct a security risk analysis per HIPAA 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies…

• Proposed Accounting of Disclosure Rule (2011): Under the May 27th, 2011 proposed accounting of disclosure rule, care providers will be responsible for providing access reports for disclosures of information even for treatment, payment and healthcare operations. Providers, plans and their business associates will be required to maintain for 3 years the information required to produce the reports. The rule is available for public comment in the Federal Register through July 2011.

Page 6:

Audit reports hit HHS on digital security

“Our audits of 7 hospitals throughout the Nation identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact. These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge.”

Page 7:

Proposed Accounting of Disclosure Rule: Audit logging becoming unavoidable

• “Access Report” requirement focused on who and includes electronic access to designated record sets – medical, billing, enrollment, payment, claims adjudication, other

• Audit logging core requirement to fulfill “Access Reporting” in Proposed Accounting of Disclosure Rule

• If compliant with HIPAA security rule already, not a big challenge

• Retention period reduced from 6 years to 3 years

• Response time reduced from 60 days to 30 days

• For more information see Adam Greene’s HIMSS presentation -http://www.dwt.com/portalresource/lookup/wosid/contentpilot-core-6-81506/media.name=/Greene_HIMSS.pdf

Page 8:

HHS proposes privacy rule on medical records

"We need to protect people's rights so that they know how their health information has been used or disclosed," said Georgina Verdugo, director of the HHS Office for Civil Rights, which is proposing the changes, in a statement.

Page 9:

A patient’s perspective

A nurse recently related to me the following situation: she knew a patient was withholding information that could impact her outcome. She pressed the young woman for the information. Finally the patient told her “I don’t want to tell you that, because it will go in my medical record and my mom works for you-all. I know she reads my record after every appointment.”

Page 10:

Difference Between Paper and Electronic Records

In the days of paper records it was much harder to gain access to hundreds or thousands of patients' information without notice. In the age of the electronic medical record the information is at your fingertips. A few clicks and you have the personal information of every Mr. Smith or Ms. Jones in your system.

Page 11:

Lost Revenue

Lastly, what about potential lost revenue due to bad or dishonest business practices? What, you ask? How will monitoring detect that? How many of your billing office staff are "posting payments" or making adjustments to their own or family members' accounts? Do you know?

Page 12:

Where is the disconnect? We know:

• Regulations require we monitor access

• It’s the right thing to do

• Patients expect us to protect their information

• Not doing so can jeopardize patient safety because patients withhold important information out of fear of who will access the information

• The cost of a breach that becomes public is high -especially to the reputation of the organization

Page 13:

Houston – News Stories

From the news:

• Nov 2009 – Harris County Hospital District fired 16 employees for patient privacy violations

• Aug 2008 – Harris County Hospital District lost an unencrypted USB drive containing complete records of 1200 HIV positive patients. Judge Ed Emmett described the situation as “The Worst Thing Imaginable”

Page 14:

Common Myths to Implementing a Monitoring Program

• It will cost too much

• We don’t have the time or resources (manpower)

• Our people are all trained on the laws and know not to access information without a need

• We trust our people

• What we don’t know can’t hurt us

• If we monitor and find inappropriate access we will have to do something

Page 15:

Breaking down the Myths: Myth #1

It will cost too much to monitor access

• The average cost of a data breach for an organization went up for the fifth year in a row, to $7.2 million, Ponemon Institute found in its sixth annual data breach report.

• Total cost is not the only thing that went up, as the average cost per compromised record increased to $214, according to the 2010 data breach report released by Symantec and Ponemon Institute on March 8.

Page 16:

Myth #2

We don’t have the time or resources

• Based on the previous slide, can we afford not to throw resources at this issue?

• Oftentimes the issue seems to really boil down to who should be responsible for the monitoring: IT or Privacy? I say both play a role. We will look at this more later.

Page 17:

Myths #3 and #4

Our people are all trained on the laws and know not to access information without a need. We trust our people.

• I need only to refer back to the recent headlines slide.

• Understand that with access to Electronic Health Records, staff develop a sense of entitlement: "Since I have access I am entitled to look at what I want", that is, unless they know you are monitoring.

Page 18:

Myth #5

What we don’t know can’t hurt us

See the Mass General Hospital Settlement with HHS where they agreed to pay 1 million dollars and enter into a 3 year Corrective Action Plan because an employee took patient information home to work on it and left it on a commuter train. Do you think they knew?

Page 19:

Myth #6

If we monitor and find inappropriate access we will have to do something

This seems to be a common theme among organizations when it comes to monitoring. What if we find something what do we do? I believe this is often driven because the right people are not included in the decision to monitor, what to monitor and how to process findings. We will explore this more momentarily.

Page 20:

Myth #7

False Positives - It is true that a monitoring program that has not been well thought out could overburden staff due to the number of false positives. This impact can be reduced or eliminated by taking some reasonable steps:

• Understand the workflow

• Understand what types of activity you are looking for

• Create a good data set

Page 21:

Technology risks to the business case “Weakest link breaks the chain”

Comprehensive and centralized EHR audit log management across all sources of volume

Proven-in-production, turn-key support for broad range of EHRs and healthcare applications

Ability to add new audit sources rapidly and affordably

Context-aware analytics that combines audit logs, user data and patient data

Support for authoritative user data for filtering false-positives (Lawson, PeopleSoft, identity)

Extreme scalability with seamless path to high availability

Zero FTE impact for network & systems operations

Proven speed-to-value supported by technology and well documented deployment methodology

Health-check monitoring of hardware, systems and supporting data processes

Clear path to real-time support

Page 22:

Tools & Resources

Available after today’s webinar:

High availability configurations

FairWarning® and Meaningful Use

Patient Privacy Framework Guides

ROI Calculator on privacy monitoring

Breach Damages Estimator Based on breach monitoring deployments as well as

interviews with health systems, legal counsel and 3rd-parties involved with high-profile breaches and audits

White paper on privacy breach findings

All available by [email protected]

Page 23:

Selling C – Level Executives

• You are going to need champions. I recommend you educate and enlist the help of the Chief Legal Counsel, Chief Compliance Officer, Chief Privacy Officer, Chief Security Officer at minimum. They own a piece of this pie.

• Train your leadership. Use factual information. Give examples they can relate to. Drive home the cost and benefits of what you are trying to achieve. The next couple of slides are from presentations I did for leadership.

Page 24:

What Would A Breach Cost Kelsey-Seybold?

Assumption: 10,000 records breached

TEXAS LAW

• $500/record = $5M

• $50,000 fine for law violation (data not encrypted)

• Customer notification – minimum $1 each = $10,000

• Credit monitoring (@30% acceptance @ $30/each) = $100,000 (rounded; 3,000 × $30 = $90,000)

TOTAL MINIMUM TEXAS EXPOSURE: $5,160,000

FEDERAL LAW

• HIPAA up to $1.5M

• FTC – No Limit (e.g. CVS case was $2.2M)

FEDERAL EXPOSURE: $1.5M to $XX M

Page 25:

Selling C-Level continued

• Be passionate and persistent – you may have to do multiple presentations to leadership to get the buy in.

• Speak in terms they can relate to. If physicians control the leadership or the money, use examples like "What are the Chief Complaints" when discussing privacy complaints and "What are the possible diagnoses" when talking about the possible causes.

• Take advantage of situations that happen to help illustrate how monitoring may have helped detect the situation

Page 26:

Sold – Now What

Now the real work begins. Before you start monitoring you need to:

• Develop a plan

• Design a workflow

• Communicate to the staff

• Get H.R. support for sanctions

• Review and revise policies

Page 27:

Developing the Plan

Our Chief Information Security Officer was instrumental in helping to establish the “Information Security Advisory Council”. This group composed of the Chief Information Security Officer, Chief Legal Counsel, Privacy Officer, VP of Operations and VP of H.R. helped design and endorse the entire plan around communication, monitoring and acting on the results.

Page 28:

Developing the Plan - continued

• Start small – decide what you view as your highest risk and monitor that. For example: Supervisor Snooping, Family Member Snooping and VIP Snooping.

• Design a monitoring workflow that shows who is responsible for the monitoring and how results are acted upon. (see next slide for an example)
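The three "start small" analytics named above (supervisor, family-member and VIP snooping), combined with the false-positive controls the deck asks for on the "Myth #7" and "Technology risks" slides (authoritative user data from an HR feed, and patient and encounter data as context), as an added example that is not FairWarning's product code or the speaker's: a small Python analytic run over a constructed audit-log extract. The HR rows, patient rows, encounters, rule names and the 30-day treatment-relationship window are all assumptions made for the illustration.

```python
"""Added example: EHR access-log analytics for the three "start small" scenarios
(supervisor, family-member and VIP snooping) with the false-positive filters the
deck recommends. Not FairWarning code; every row below is constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AccessEvent:
    day: date
    user: str       # EHR login
    patient: str    # medical record number
    action: str     # "view", "adjust", ...


# Authoritative user data (hypothetical HR feed; Lawson/PeopleSoft in practice).
# patient_id links an employee to their own chart when they are also a patient.
HR_USERS = {
    "nurse1":   {"surname": "Garcia", "dept": "Oncology", "manager": "mgr_onc",  "address": "9 Pine Rd",   "patient_id": "P-1001"},
    "mgr_onc":  {"surname": "Lee",    "dept": "Oncology", "manager": None,       "address": "3 Oak Ave",   "patient_id": None},
    "bill01":   {"surname": "Nguyen", "dept": "Billing",  "manager": "bill_mgr", "address": "44 Cedar Ln", "patient_id": None},
    "bill_mgr": {"surname": "Patel",  "dept": "Billing",  "manager": None,       "address": "7 Birch Ct",  "patient_id": None},
}

# Patient demographics from the EHR (constructed).
PATIENTS = {
    "P-1001": {"surname": "Garcia", "address": "9 Pine Rd",    "vip": False},  # nurse1's own chart
    "P-2002": {"surname": "Nguyen", "address": "44 Cedar Ln",  "vip": False},  # shares bill01's name and address
    "P-3003": {"surname": "Okafor", "address": "18 Maple Dr",  "vip": True},
    "P-4004": {"surname": "Kim",    "address": "5 Spruce Way", "vip": False},
}

# Encounters (patient, treating department, date): the treatment-relationship context.
ENCOUNTERS = [
    ("P-4004", "Oncology", date(2011, 6, 1)),
    ("P-3003", "Oncology", date(2011, 6, 3)),
]

WINDOW_DAYS = 30  # assumed: access within 30 days of a departmental encounter is workflow


def has_treatment_relationship(user, patient, day, window_days=WINDOW_DAYS):
    """True if the user's department had an encounter with the patient near the access date."""
    dept = HR_USERS[user]["dept"]
    return any(p == patient and d == dept and abs((day - enc_day).days) <= window_days
               for p, d, enc_day in ENCOUNTERS)


def employee_for_patient(patient):
    """Reverse lookup: which employee (if any) is this chart about?"""
    return next((u for u, row in HR_USERS.items() if row["patient_id"] == patient), None)


def classify(ev):
    """Names of the analytics the event trips; an empty list means nothing to review."""
    u, p = HR_USERS.get(ev.user), PATIENTS.get(ev.patient)
    if u is None or p is None:
        # A gap in the identity feed is a data-set problem, not a user finding.
        return ["unknown-user-or-patient"]
    hits = []
    # Conflict-of-interest rules fire regardless of workflow: job access to one's own,
    # a relative's or a subordinate's record is still a review item (deck, pages 11 and 28).
    if u["patient_id"] == ev.patient:
        hits.append("self-access")
    elif u["surname"] == p["surname"] or u["address"] == p["address"]:
        hits.append("family-member-snooping")
    subject = employee_for_patient(ev.patient)
    if subject is not None and HR_USERS[subject]["manager"] == ev.user:
        hits.append("supervisor-snooping")
    # The VIP rule is where the false positives live, so a treatment relationship suppresses it.
    if p["vip"] and not has_treatment_relationship(ev.user, ev.patient, ev.day):
        hits.append("vip-snooping")
    return hits


def review_queue(events):
    """(event, hits) pairs handed to the privacy office / information security workflow."""
    queue = []
    for ev in events:
        hits = classify(ev)
        if hits:
            queue.append((ev, hits))
    return queue


# Constructed audit-log extract.
SAMPLE_EVENTS = [
    AccessEvent(date(2011, 6, 5), "nurse1",  "P-4004", "view"),    # treating nurse: explained
    AccessEvent(date(2011, 6, 5), "nurse1",  "P-3003", "view"),    # VIP, but on the care team
    AccessEvent(date(2011, 6, 6), "bill01",  "P-3003", "view"),    # VIP, no relationship
    AccessEvent(date(2011, 6, 6), "bill01",  "P-2002", "adjust"),  # relative's account
    AccessEvent(date(2011, 6, 7), "mgr_onc", "P-1001", "view"),    # manager reads nurse1's chart
    AccessEvent(date(2011, 6, 7), "nurse1",  "P-1001", "view"),    # own record
    AccessEvent(date(2011, 6, 8), "bill01",  "P-4004", "view"),    # outside the three prioritized analytics
]

if __name__ == "__main__":
    for ev, hits in review_queue(SAMPLE_EVENTS):
        print(f"{ev.day} {ev.user:8} {ev.action:6} {ev.patient}  ->  {', '.join(hits)}")
```

Two design choices follow the deck's argument. The conflict-of-interest rules are deliberately not filtered by a treatment or billing relationship: the billing clerk in the sample has a legitimate job reason to touch any account, and that is exactly why the adjustment to a relative's account must still reach a reviewer. The VIP rule, by contrast, is where a poorly scoped program drowns staff, so a documented encounter in the user's department explains the access and it never enters the queue. The last sample event (a billing user viewing an unrelated patient) produces nothing on purpose: a broad "no relationship" analytic belongs to a later phase, once the first three have a working investigation and sanction workflow behind them.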

Page 29:

FairWarning Monitoring - Roles and Responsibilities

Swimlane diagram with four lanes (Business Unit Management, Privacy Office, Human Resources, Information Security); steps by lane:

Information Security

• Conduct routine and automated monitoring

• Identify unexplained activity

• Contact Business Unit (B.U.) management with unexplained activity to see if there is a legitimate reason

• If the activity is explained: Info Sec documents and closes

Business Unit Management

• B.U. Management determines if activity is explained

• Activity explained: notify Information Security

• Activity not explained: notify Privacy Office and copy Info Sec

Privacy Office

• Opens an investigation and contacts Business Unit Management

• Determines if violation occurred

• If violation occurred: coordinates with Business Unit Management and H.R. for appropriate sanction activity

• If no violation occurred: document and close

Human Resources

• H.R. coordinates with Business Unit Management, documents

• Takes appropriate action

Page 30:

FairWarning Investigations – Roles and Responsibilities

Swimlane diagram with four lanes (Privacy Office, Human Resources, Information Security, Business Unit Management); responsibilities by lane:

Business Unit Management

• Report alleged inappropriate access of PHI to Privacy Office

• Cooperate with Privacy Office on investigations

Privacy Office

• Conduct investigations in response to patient complaints

• Conduct investigations in response to reports of alleged inappropriate access of PHI by Business Unit management or H.R.

• Make determination of whether a violation occurred based on investigation

• If no violation occurred, document and close investigation

• If a violation occurred, coordinate sanction activity with H.R.

Human Resources

• Coordinate with the Business Unit Management and Privacy Office on Hotline reports of alleged inappropriate access of PHI

• Carry out employee sanctions required as result of investigation and document sanction activity

Information Security

• Provide support as requested (machine files, email logs, etc.)

Page 31:

Developing the Plan - continued

• Prepare the Executives for what they are going to find. My experience is that no one is prepared for how many violations they are going to see.

• Communicate, Communicate, Communicate –“Communication is the Heartbeat of Success”

• Let the staff know you are starting a monitoring program and the level of detail you can see. Give them “Fair Warning”

Page 32:

Raising Visibility of Patient Privacy Protections Across the Organization

There are a host of ways to accomplish this. Here are a few I have used:

• Leadership Briefings

• Staff Briefings

• Unannounced Privacy and Security walkthroughs

• All staff communications from leadership

• Articles and stories on the company intranet

• Required training courses (I recommend you design your own to meet the specifics of your organization)

• Annual required acknowledgement of policy and of the fact that the staff is aware you are conducting monitoring activities targeting certain behavior.

Page 33:

Planning for success

• Buy-in from Executive Stakeholders

• All stakeholders involved in kickoff and periodic updates

• Communicate “why we are deploying privacy breach detection”

• Empowered project management with access to expert data source resources

• Phased approach to deployment of audit sources and analytics

• Prioritize analytics to achieve “first success”

• On-going training of multiple personnel important to lasting success

• Investigation, remediation, sanctions, and training are essential

Page 34:

“Gotchas”

• “Trying out” a range of analytics rather than prioritizing

• Lack of remediation, sanctions, organizational buy-in and work-flows – a Privacy Breach Detection deployment will not fix a broken process, it will only reveal a broken process

• Plan data retention strategy up-front, it can be a “phased approach”, but it needs to be planned and a priority

• Technology that fails to keep pace with growing demands – look for KLAS rankings, www.klasresearch.com

Page 35:

Questions?