4/15/2016

1

Preparing for HIPAA Risk Analysis

Presented by

Steve Spearman• VP of HIPAA Compliance Services, Healthicity

• 20 years in Health Information Technology

• HIPAA Expert and Speaker

Disclaimer: Nothing in this presentation should be construed as legal advice nor replied upon as legal expertise.

4/15/2016

2

What is HIPAA?

HIPAA is…

• Law that governs a person’s ability to qualify immediately for

health coverage when they change employment (dependent on

employer’s program)

• Rules for Data Interchange

• Regulations protecting the security and privacy of Protected

Health Information (PHI)

4/15/2016

3

To whom does it apply?

Covered Entities*

• Health Care Providers

• Health Care Clearinghouse

• Health Plan

Business Associates**

*Covered Transactions: Tx’s related to Claims, Verification, Referrals, Status, Enrollment, Payment, Premiums, coordination of benefits

**Contractor or vendor, not involved in patient care, that requires access to PHI in order to fulfull the duties of the contract

Covered Entity Decision Tree

4/15/2016

4

What are the covered transactions?

Electronic Transactions Related To

• Claims

• Verification of Coverage

• Referrals

• Status of Claims

• Enrollment Information

• Payment including EOB and Remittance Advice

• Premium Payment

• Coordination of Benefits

Any one makes a provider a covered entity!

Obligations of Business Associates

1. Comply with the HIPAA Security Rule

2. Report to Covered Entity and breach of unsecured PHI

3. Enter into BAAs with subcontractors imposing the same obligations that apply to the Business Associate

4. Comply with the HIPAA Privacy Rule to the extent Business Associates is carrying out a Covered Entity’s Privacy Rule obligations (e.g. accounting of disclosures, request for amendments, etc.)

4/15/2016

5

Privacy vs Security

Privacy Rules

• Establishes the rights of patients to control

the use of personal information in all its

forms – verbal, written, electronic

Security Rules

• Administrative, Physical and Technical

safeguards for PHI in digital form (ePHI)

The Three Essential Elements of a HIPAA Compliance Program

Security Risk Analysis

Policies and Procedures

Training

4/15/2016

6

CIA:Confidentiality Integrity Availability

12

Confidentiality:

The property that data or information is not made available or disclosed to an unauthorized

person

Integrity:

The property that data or information has not been altered or destroyed in an unauthorized

manner

Availability:

The property that data or information is accessible and useable upon demand by an

authorized person

4/15/2016

7

Structure of the Security Rule

13

Standards Sections Implementation Specifications (R)=Required

Security 1644.308(a)(1) Risk Analysis (R)

Management Risk Management (R)

Process Sanction Policy (R)

Information System Activity (R)

Standards – the broad security

requirements

• The standards are “required”

Implementation Specifications

• The more detailed instructions contained within each Standard

• Some are required (R)

• Some are addressable (A) – flexibility and latitude in meeting

- Based on what’s “reasonable and appropriate”

Security Standards Matrix (Appendix A of the Security Rule)

Reasonable and Appropriate?

March of Dimes High Heel-a-Thon New York City…OUCH!!!

What is Reasonable & Appropriate?

4/15/2016

8

• The size and complexity and capabilities of the covered entity

• The covered entity's technical infrastructure, hardware, and software security capabilities

• Sensitivity of the data

• The costs of security measures

• The probability and criticality of potential risks to ePHI

Defining Reasonable & Appropriate

• Implement the specification

• Implement one or more alternative security measures

• Do not implement either an addressable

implementation specification or an alternative

• Document your decision!

Options for Addressable

Specifications

Policy Map or Security Management Plan

4/15/2016

9

The Types of Safegaurds

Administrative

Organizational Rules and Procedures

• 9 Standards

• 23 Implementation Specifications

Physical Therapy

Physical Protections and Rules

• 4 Standards

• 10 Implementation Specifications

Technical

Technology Protections and Rules

• 5 Standards

• 9 Implementations

“Actions, policies and procedures to manage the selection, development,

implementation, and maintenance of security measures…

and manage the conduct of the covered entity’s workforce.”

Administrative Safeguards are defined

as...

4/15/2016

10

Administrative Safeguards

Security Management Process

• Risk Analysis (R)

• Risk Management (R)

• Sanction Policy (R)

• Information System Activity Review (R)

Assigned Security

Responsibility

• (no spec) (R)

1. Addressable safeguards – Based

on the “Reasonable and

Appropriate” standard

2. Risk Analysis findings and results

Two BIG Compliance Gray Areas

4/15/2016

11

• Encryption• Class of device – laptop, workstation, etc.

• Laptops – portable, battery

• Mobility and physical security

• Data storage

• Performance

• Alternatives

Example: Addressable Safeguard

• Windows XP EOL• Support discontinued April 8th 2014

• Devices increasingly vulnerable

• Regulatory compliance impact?

Example: Non-regulatory high risk from risk analysis

4/15/2016

12

Risk Analysis “form the foundation upon

which an entity’s necessary security

activities are built.” (68 Fed. Reg.

8346.)

Risk Analysis is the first and possibly

the single most important component of

your HIPAA Security Compliance

Program

Step One: Risk Analysis

“Conduct an accurate and thorough assessment of the potential risks and

vulnerabilities to the confidentiality, integrity and availability of electronic protected

health information”

Risk Analysis Report

4/15/2016

13

Why Security Risk Analysis?

• Improves Awareness• Justification for “Reasonable and Appropriate”

for Addressable Implementation Specifications• Identify assets, vulnerabilities and controls• Improved basis for decision making• Justify Expenditures for Security• Helps determine personnel access levels

Otherwise you are only guessing…and

hoping!

How to Conduct a Security Risk Analysis?#1

• NIST

• SP 800-30 – Guidance on Risk Assessment

• SP 800-66 – Resource Guide for Implementing HIPAA

• Audit Protocol – June 2012

• ONC Guide to Privacy and Security of HIT

• Myths and Facts (p.11)

4/15/2016

14

ONC Guide to Privacy and Security:Security Risk Analysis Myths and

Facts

Myths Facts

Optional for small providers No. All eligible providers (EP)

Installing a certified EHR is enough No. The risk analysis must look at all systems with ePHI

My EHR vendor is handling this No. EP’s are solely responsible for the risk aynalyis

A checklist will suffice No. While useful, they are inadaquate

Only needs to look at EHR No. All IT assets processing, storing, accessing ePHI

I must outsource the risk analysis. No. You can conduct this yourself.

Consider the Four States of Data

• Data in Motion• Data at Rest • Data in Use• Data Disposed

4/15/2016

15

RA Mini Project Plan

Scoping

Identify team

Inventory and Asset List

Information Flows

Network diagram and system boundary -risk categorization

Interfaces inventory

Gather Data

Interview Key Personnel

Document Review

Policy review and mapping

Security incidents review

Training materials review

Assess Risks/Document Threats/Current Controls

Vulnerability scan and penetration testing

Wireless security assessment

Firewall/Gateway settings

Physical security assessment

Contingency plan and backup analysis

Leadership analysis

Authentication and access controls

Encryption determination

Transmission security

Mobile device security

Risk Rating/Likelihood/Impact

Risk identification and ranking

Report-mitigation & controls

PotentialTeam Members

Security Officer

Privacy Officer

Compliance Officer

Project Management

Application Specialists

Network Engineer/Security Engineer

Facility Managers

Data Center Manager

Legal

3rd Party Contractor (e.g. IT provider

Human Resources

Biomed/Clinical Engineering

HIM Director/Manager

*Please note that one person may and usually does fill multiple roles.

4/15/2016

16

Inventory of IT Assets/System Characterizaion

Compile list of all IT assets within the scope of the assessmentProcess, store, transmit ePHI,

Inventory software

Medical Devices?

Categorize According to RiskAmount of PHI

Type of ePHI

Stored Locally

Physical Security of Device

Location

Mobile/Fixed

Encryption Analysis

System CharacterizationDescription of Network

Virtual vs Physical

On-premise vs Hosted or Cloud

Interfaces

Gather Data

Interview Key PersonnelAppropriate for Job Function e.g.

HR for Workforce Clearance

Top down

Users to guage understanding

Create a policy mapWhat policies meet what regs

Include documentation artifacts

Review Training Program

Format, method and content of training

Is participation logged

Is mastery demonstrated

IncidencesReview reports

Indication of failing controls?

Root Cause Analysis

Security Management – Life Cycle

4/15/2016

17

Assess Risks

Technical Assessments keyVulnerability Scanning

Penetration Testing

Network Perimeter

Endpoint security

Wireless Security

Authentication and Access Controls

Encryption Assessment

Mobile Devices

Transmission including email/text

Contingency/Backup

LeadershipExecutive support for security

Compliance officials resources and authority

Communication

Physical SecurityWalkthrough checklist

Assets – servers/workstation

19. Rank overall risk based on the “vulnerability pairings”

Determine the Level of Risk

4/15/2016

18

Risk Assessment Report and Management Plan

Elements of a good SRA reportMethodologyScope of projectTeam membersSystem CharacterizationRanked Key Findings-

Threats/VulnerabilitiesRanked recommended “fixes” or

controlsInclude Compliance Risks and

Technical Risks

Security Management PlanThis is a “living” documentInclude the Findings and FixesPunch-list of needed activitiesFocus on high priority issuesNot all needs to be done but

document dates and intentionsBring risks down to reasonable

levelBut update as new issues arise

from incidents, routine vulnerability scans, etc.

• Checklists only

• No inventory

• Compliance focused only

• No listing or ranking of risks

• No recommended controls or mitigation actions

• Not dated within reporting period for MU

• No Technical Analysis

Common Errors & Deficiencies

4/15/2016

19

• Reference ONC and HHS guidance and

• Adequately covers risk associated with the use of

certified EHR technology

• Conducted by either audited entity or a consultant (not

EHR vendor affirmations)

• Is it just compliance/checklist or an actual assessment of

risks

• Needs to be dated but can reference a previous risk

assessment that shows continued improvement

Key Auditor Considerations

Problems

• Not intended for enterprises

• Hard to use

• Aren’t very good at identifying risks

• Requires expert knowledge to use

well

• Compliance rather than risk focused

• NIST not required by non-federal

entities

• VERY weak technically

Available Tools:

Not Recommended

• HHS Toolkit

• NIST Toolkit

Use with caution

• National Learning Consortium

• HIMSS

Self-Assessment tools

4/15/2016

20

The Rules Certainly Allow You to Do It!

Questions to Consider?

• Do we have the expertise to do this?

• Do we have the resources to do this?

• If we do this, what will be my confidence level in it if we are audited?

• Do we have the expertise and skill for the technical assessment ?

• Your IT vendor MAY know have some technical expertise, but do they know HIPAA?

• Understanding the trade-offs and alternatives is tricky

When Should You Outsource the Risk Analysis?

Expert Advice:

Many Covered Entities should

outsource this, at least

Initially

Iterative (changes since last risk assessment)Document changes Update inventoryReview incidences and do root

cause analysisWork-flow analysisNew vulnerability scans inc.

externalReview of prior technical

assessment (wireless security, authentication and access controls, audit controls, and processes, etc)

Progress implementing controls

Update risk matrix Recommend and advise on additional security controls

Update the security management plan

Risk Assessment “Review”

Only if no significant changes in system or operating environment Full risk analysis should be conducted every 2 to 3 years

4/15/2016

21

Risk Management Process

“Implement security measures sufficient to reduce risks and

vulnerabilities to a reasonable and appropriate level”

Consider:• Findings from risk analysis• What security measures are already in place to protect EPHI (i.e.,

safeguards)? • Is executive leadership and/or management involved in risk

management and mitigation decisions? • Are security processes being communicated throughout the

organization? • Does the covered entity need to engage other resources to assist

in risk management?

Security Management Plan

Questions?

www.healthcity.com/compliance

support@healthicity.com