Is Your Security Back Door Open? HIPAA’s Implications for Biomedical Devices & Systems

Stephen L. Grimes, Chair, HIPAA Task Force, American College of Clinical Engineering
HIMSS 2002, San Diego, CA. Tuesday, February 11, 2003, 9:45 am – 11:00 am
AAMI (Association for the Advancement of Medical Instrumentation)


Page 2: Health Insurance Portability & Accountability Act (HIPAA)

HIPAA’s subtitles:
- Subtitle A: Fraud and Abuse Control Program
- Subtitle B: Revisions to Current Sanctions for Fraud and Abuse
- Subtitle C: Data Collection
- Subtitle D: Civil Monetary Penalties
- Subtitle E: Revisions to Criminal Law
- Subtitle F: Administrative Simplification
- Subtitle G: Duplication & Coordination of Medicare-Related Plans

Subtitle F (Administrative Simplification) comprises:
- Identifiers, Transactions & Code Sets: October 2002 / 2003
- Privacy Rules: April 2003
- Security Rules: October 2004 ?

Page 3: Period between Publication and Enforcement of HIPAA Final Rules

- Transactions & Code Sets
  - Final rule ~ Aug 2000
  - Compliance ~ October 2002 (can apply for extension to Oct 2003)
- Privacy
  - Final Rule ~ December 2000
  - Compliance ~ April 2003
- Security
  - Proposed Rule ~ Aug 1998 (Final Rule imminent)
  - Anticipated Compliance ~ December 2004?

Page 4: Significant Developments ~ Transaction Rule

- Administrative Simplification Compliance Act (ASCA), aka HR 3323, signed by POTUS on 12/27/01
  - 1 year extension on Transaction Rule (from 10/02 to 10/03) for covered entities who apply before Oct 15, 2002
- Proposed modification to Standards for Transactions (NPRM 5/31/02)
  - Adopted revised National Council for Prescription Drug Programs (NCPDP) standard
  - Adopted revised standard for pharmacy remittance advice & prior authorization
  - Retracts NDC code as the standard for drugs in all transactions (except retail pharmacies)

Page 5: Significant Developments ~ Privacy Rule

- Privacy Rule amendments published in the Federal Register on August 14, 2002 … highlights include:
  - Modify consent requirement for “routine” uses of IIHI (written consent may now be optional)
  - Address the use of IIHI for marketing without patient consent
  - Facilitate parent access to a minor’s health information unless prevented by state law
  - Provide an additional year to convert to compliant agreements with HIPAA Business Associates

Page 6: Significant Developments ~ Security Rule

- Release of the Final Rule is still “imminent”; the anticipated release dates so far:
  - Q4 2001
  - Q1 2002
  - Q2 2002
  - August 2002
  - October 2002
  - Q1 2003 ?

Page 7: Three blind men and a HIPAA

View of HIPAA often depends on who you ask!

- LAWYER sees Privacy issues
  - informed consents & notices
  - Business Associate Agreements
  - government fines/penalties
  - legal liability
- INFORMATION TECHNOLOGIST sees Security issues
  - user authentication
  - firewalls
  - virus protection
  - backups
  - disaster plans
- MEDICAL RECORDS sees Standardized Transactions & Codes
  - universal data sets & forms
  - electronic data interchange (EDI)
  - portable, electronic medical records
- FINANCE sees expenditures & potential savings
  - reduced operating costs & bad debt
  - return on investment (ROI)
- CLINICAL ENGINEER sees
  - managing risks associated with medical devices & systems
  - ensuring the integrity & availability of health data on standalone or networked devices & systems

Page 8: Health Insurance Portability & Accountability Act (HIPAA): Origins of Administrative Simplification

Page 9: How HIPAA’s Administrative Simplification Provisions Came About

[Chart: US Healthcare Industry Expenditures, in billions of dollars (y-axis $0 to $2,500 billion), for 1990, 1997, 2000* and 2007*. * Estimates.]

Page 10: Administrative Cost as a Percent of Healthcare Dollar

[Chart: administrative cost as a percent of the healthcare dollar (y-axis 0% to 25%) for the US, Canada and Europe.]

Page 11: High Administrative Costs

Major reasons for high administrative costs in the US:
- 70% of data manually keyed into healthcare computers is data output from another computer
- The industry’s extensive use of photocopying, faxing, manual filing, mailing and telephone

Page 12: Administrative Simplification

- Objective: Reduce cost & improve efficiency through implementation of electronic data interchange (EDI)
- Theory: If costs are reduced, funds should be available to apply toward improvement of healthcare quality & availability

Page 13: How do we get from EDI (standardized transactions & codes) to Privacy & Security?

Identifiers, Transactions & Code Sets -> Privacy Rules -> Security Rules

- Because they are in electronic form, Identifiers, Transactions & Code Sets require additional Privacy precautions (as spelled out by HIPAA’s Privacy Rule)
- Effective Privacy & Transactions require Security precautions (as spelled out by HIPAA’s proposed Security Rule)

Page 14: HHS Projected Savings from Administrative Simplification *

- Net savings of $12.3 billion over 10 years
  - Total savings of EDI standards (from transactions rule) of $29.9 billion over 10 years
  - Partially offset by estimated cost of privacy implementation of $17.6 billion
  - Note:
    - Federal estimates are only for those expenses required by the regulations
    - Most efficient implementation requires process reengineering and potentially additional expenses

* Braithwaite, Nov 2001 @ JHITA

Page 15: Who’s Affected By HIPAA’s Security Rule

Page 16: Applicability & Scope of Security Standard: Who does the Security Rule Apply To?

“The standards adopted or designated under this subpart apply, in whole or in part, to the following: (b) … a health care provider that takes one of the following actions: (1) Processes any electronic transmission between any combination of health care entities … (2) Electronically maintains any health information used in an electronic transmission that has been sent or received between any combination of health care entities …” *

* §142.302 Applicability & scope, Federal Register, Aug 12, 1998

Page 17: Who does the Security Rule Apply To?

- Providers (1.2 million nationally)
  - Hospitals
  - Imaging centers
  - Outpatient surgery centers
  - Laboratories
  - Pharmacies
  - Medical, dental & therapy groups & individual practices
- Health Plans (i.e., payers, insurance, HMO)
- Clearinghouses

Page 18: Overview of Security Rule

Page 19: HIPAA Security Standard “Summarized”

- Each entity must guard the “confidentiality, integrity & availability” of individual health data. * Remember the “CIA”: Confidentiality, Integrity, Availability.
- To accomplish this, each provider is required to meet three conditions:

* §142.308 Security Standard, Federal Register, Aug 12, 1998

Page 20: HIPAA Security Standard “Summarized”

1) Must “assess potential risks and vulnerabilities to the individual health data in its possession” … and

* §142.308 Security Standard, Federal Register, Aug 12, 1998

Page 21: HIPAA Security Standard “Summarized”

2) Must … “develop, implement, and maintain appropriate security measures” … which “must include, at a minimum, the following requirements & implementation features”:
- Administrative Procedures
- Physical Safeguards
- Technical Security Services … and Mechanisms

* §142.308 Security Standard, Federal Register, Aug 12, 1998

Page 22: HIPAA Security Standard “Summarized”

3) Must ensure these measures are “documented and kept current”

* §142.308 Security Standard, Federal Register, Aug 12, 1998

Page 23: Security Rule Definition of Health Information

Health information means any information, whether oral or recorded in any form or medium, that
(1) Is created or received by a health care provider … and
(2) Relates to the past, present, or future … health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of care to an individual *

* §142.103 Definitions, Federal Register, Aug 12, 1998

Page 24: Rules for the Security Standard

An entity must apply the security standard … to all health information pertaining to an individual that is electronically maintained or electronically transmitted. *

* §142.306 Rules for security standards, Federal Register, Aug 12, 1998

Page 25: Health Information covered by Security Rule

Covered health information includes all electronically maintained or transmitted:
- Diagnostic or treatment (therapeutic) data related to an individual
- Billing & payment data related to an individual

Page 26: Different types of information covered by HIPAA’s Security Rule and Privacy Rule

- Privacy Rule covers individually identifiable health information (IIHI) or protected health information (PHI), i.e., information that could be used to identify a patient
- Security Rule covers health information related to an individual, but that information does not necessarily have to identify a specific patient

Page 27: Different types of information covered by HIPAA’s Security Rule and Privacy Rule

- All IIHI or PHI is Individual Health Information, but
- Not all Individual Health Information is IIHI or PHI

[Diagram: the scope of the HIPAA Security Rule (Individual Health Information) contains the scope of the HIPAA Privacy Rule (Individually Identifiable Health Information (IIHI) or Protected Health Information (PHI)).]

Page 28: Difference in Coverage between HIPAA Privacy & Security

[Diagram: a biomedical component/device containing health information related to an individual (diagnostic data, therapeutic data) falls under the Security Rule, whose concern is Integrity and Availability. Once linking identifiers tie that data to an individual patient, the biomedical or computer device/system contains individually identifiable health information (IIHI) and also falls under the Privacy Rule, whose concern is Confidentiality.]

Page 29: HIPAA Security: Where Affected Data Resides

Page 30: Where does affected data reside?

[Diagram: two overlapping domains, Biomedical Technology and Information Technology; affected data resides in both.]

Page 31: Devices/Systems Electronically Maintaining / Transmitting Individual Health Data

Three categories: Biomedical Technology, Information Technology, and Hybrid Systems. Examples spanning all three:
- Clinical lab analyzers
- Computers, peripherals, workstations, servers, terminals
- Web sites
- Application Service Providers
- Electronic Medical Records
- Physiologic monitoring
- Radiographic units
- Billing & claims processing
- Endoscopy
- Diagnostic ultrasound
- PACS
- Remote access
- Cardiology analyzers (e.g., EKG)
- Pulmonary function analyzers
- Infusion pumps
- Ventilators
- Stress test systems
- Defibrillators
- Audiometers
- Cardiac assist devices
- Anesthesia systems
- Networks
- CT scanners
- MRI

Page 32: Examples of Biomedical Devices/Systems with Individual Health Info

- Anesthesia unit
  - Gas delivered: volume, rate, concentration
  - Expired gas monitoring

Page 33: Examples of Biomedical Devices/Systems with Individual Health Info

- Physiologic Monitor
  - ECG / heart rate
  - Blood pressure
  - Temperature
  - Respiration
  - O2 saturation

Page 34: Examples of Biomedical Devices/Systems with Individual Health Info

- Clinical Analyzer
  - Blood (hemoglobin, glucose, gas, pH, electrolytes, etc.)
  - Urine (albumin, creatinine, bilirubin, etc.)

Page 35: Examples of Biomedical Devices/Systems with Individual Health Info

- Infusion Pump
  - Medication delivered: volume, rate, duration

Page 36: Examples of Biomedical Devices/Systems with Individual Health Info

- Ventilator
  - Respiration: volume & rate (bpm)
  - O2 concentration

Page 37: Examples of Biomedical Devices/Systems with Individual Health Info

- Radiographic unit, Diagnostic Ultrasound, CT Scanner
  - Medical image
  - Patient ID

Page 38: Examples of Biomedical Devices/Systems with Individual Health Info

Even the hospital bed … with a network connection!
- Bed location
- Patient position
- Patient scale
- Communications (nurse call, telephone)

Page 39: Medical Devices & Systems: Typical Data Interconnects

[Diagram: bedside monitor, remote monitor, PBX, clinical analyzer, ventilator, infusion pump, defibrillator, diagnostic ultrasound, CT scan, remote viewing workstation and personal digital assistant, all interconnected through a Local Area Network (LAN), Wide Area Network (WAN) and/or the Internet.]

Page 40: Remote Access to Medical Devices

Devices on the Internet transmit:
- Location (& patient info)
- Current status & settings
- Diagnostics
- Error codes

Devices on the Internet receive:
- Calibration
- Software/firmware upgrades
- Diagnostics

Page 41: Identify Devices & Systems Containing Health Information

[Diagram: a device and the media and channels through which its health information is stored or leaves it]
- VCR tapes
- PC card or memory stick
- CD-ROM, DVD or optical disk
- Hard disk drives
- Photographs, X-rays, paper (i.e., printouts), displays
- Removable diskette
- Non-volatile memory
- Digital data tapes
- Telephone, network or direct connect cable
- Wireless

Page 42: HIPAA Security: Assessing Risks

Page 43: Assess Risks associated with Health Info on Devices & Systems

Requirements a health care entity must address in order to safeguard electronic data’s:
- Confidentiality: degree to which individual health data requires protection from unauthorized disclosure
- Integrity: degree to which individual health data must be protected from unauthorized, unanticipated, or unintentional modification
- Availability: degree to which individual health information must be available on a timely basis to meet operational requirements or to avoid compromising health care

Federal Register, p. 43250, August 12, 1998

Page 44: Assess Risks associated with Health Info on Devices & Systems

[Diagram: each medical device/system with health information/data relating to an individual is rated High, Medium or Low on three independent axes: Confidentiality, Integrity and Availability.]

Page 45: Assessing Risks ~ Ranking Security Risk Level

Impact on Organization: likely corrective measures required; potential legal penalties; potential financial impact; potential degree to which interests would be adversely impacted by compromise of confidentiality, availability or integrity of information.
Impact on Patient: potential degree to which privacy would be adversely impacted by compromise of confidentiality of information; potential degree to which health care would be adversely impacted by compromise of availability or integrity of information.

RISK LEVEL: Low
- Corrective measures: administrative
- Legal penalties: none
- Financial impact: minor
- Organization’s interests: minor damage
- Patient privacy: could not be associated with a specific patient
- Patient health care: minor impact

RISK LEVEL: Medium
- Corrective measures: legal
- Legal penalties: moderate fines
- Financial impact: moderate
- Organization’s interests: serious damage
- Patient privacy: could identify patient
- Patient health care: minor impact to patient’s health due to misdiagnosis, delayed diagnosis or improper, inadequate or delayed treatment

RISK LEVEL: High
- Corrective measures: legal
- Legal penalties: imprisonment and/or large fines
- Financial impact: major
- Organization’s interests: extremely grave damage
- Patient privacy: could identify patient and their diagnosis and/or treatment
- Patient health care: serious impact to patient’s health (including loss of life) due to misdiagnosis, delayed diagnosis or improper, inadequate or delayed treatment


© S. L. Grimes ~ 46

Assessing Risks

When assigning remediation priorities, note:

Total Risk = Magnitude of Individual Risk x Frequency of Occurrence
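To make the rule concrete, here is an added Python example (not the presenter's tool) that ranks a constructed device inventory by Total Risk for each security area; the 1/2/3 magnitudes, the device categories and the yearly frequency estimates are assumptions.

```python
"""Remediation ranking for medical device/system categories that hold
individual health information.  Each category carries a Low/Medium/High
potential risk level for confidentiality, integrity and availability, and
the rule Total Risk = Magnitude of Individual Risk x Frequency of Occurrence
decides the order in which identified risks are treated.  Added example,
not the presenter's tool: the 1/2/3 magnitudes, the device categories and
the yearly frequency estimates are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

AREAS = ("confidentiality", "integrity", "availability")

# Assumed ordinal magnitude for the three risk levels of the ranking table.
MAGNITUDE: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class DeviceCategory:
    name: str
    levels: Dict[str, str]      # potential risk level per security area
    frequency_per_year: float   # estimated compromises per year (constructed)


def validate(device: DeviceCategory) -> None:
    """Reject a category that lacks an area or uses an unknown level."""
    for area in AREAS:
        level = device.levels.get(area)
        if level not in MAGNITUDE:
            raise ValueError(f"{device.name}: invalid {area} level {level!r}")
    if device.frequency_per_year < 0:
        raise ValueError(f"{device.name}: frequency must be non-negative")


def total_risk(device: DeviceCategory) -> Dict[str, float]:
    """Total Risk for each individual (C/I/A) risk = magnitude x frequency."""
    validate(device)
    return {area: MAGNITUDE[device.levels[area]] * device.frequency_per_year
            for area in AREAS}


def remediation_priority(
        devices: List[DeviceCategory]) -> List[Tuple[str, str, float]]:
    """(device, area, total risk) triples, highest total risk first.

    Ties break on device name, then area name, so the order is stable."""
    rows = [(d.name, area, risk)
            for d in devices for area, risk in total_risk(d).items()]
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows


# Constructed inventory: a rare but grave integrity risk on the infusion pump
# versus frequent, medium-magnitude exposures of a monitor on a shared LAN.
SAMPLE_INVENTORY = [
    DeviceCategory("Infusion pump",
                   {"confidentiality": "Low", "integrity": "High",
                    "availability": "High"}, 0.5),
    DeviceCategory("Bedside monitor (shared network)",
                   {"confidentiality": "Medium", "integrity": "Medium",
                    "availability": "High"}, 4.0),
    DeviceCategory("Lab analyser",
                   {"confidentiality": "High", "integrity": "High",
                    "availability": "Medium"}, 1.0),
    DeviceCategory("Bone densitometer",
                   {"confidentiality": "Medium", "integrity": "Low",
                    "availability": "Low"}, 2.0),
]

if __name__ == "__main__":
    for name, area, risk in remediation_priority(SAMPLE_INVENTORY):
        print(f"{risk:5.1f}  {name:32s} {area}")
```

With these constructed inputs the frequently exposed monitor outranks the infusion pump's High-magnitude but rare integrity risk, which is exactly why the frequency factor belongs in the priority calculation.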


© S. L. Grimes ~ 47

Assessing Risks & Preparedness

Complete Questionnaire for each Device that maintains/transmits individual health information


© S. L. Grimes ~ 48

Assessing Risks & Preparedness ~ Examples of Questions

1) Is the display only physically observable by authorized staff/users?

2) Is the device/system, its storage media and any output kept in a secure area accessible only by key, combination lock, access card or similar?

3) Does data access require a user name & password (or other appropriate authentication method)?

4) Is the storage media and any output destroyed by acceptable means when no longer needed? For example:
  o Shred paper, film, photo
  o Erase/overwrite disks, PC cards, memory sticks
  o Deposit in locked “Destruction Bin” for disposal by a bonded service


© S. L. Grimes ~ 49

Assessing Risks & Preparedness ~ Examples of Questions

5) Is data transmitted via a secure cable connection (i.e., no access possible via an unsecured hub or other unsecured intermediate connection)?

6) Is data encrypted prior to transmission via wireless or public network?

7) Does the system permit remote access?
  o Does the system security restrict remote access to specific devices or locations?
  o Does the system log and provide an audit trail of remote access activity?

8) Is the device/system physically secure?
  o Is the system kept in a secure area, inaccessible except to authorized users?
  o Are components secure within the system (i.e., can any component containing data be removed)?


© S. L. Grimes ~ 50

Assessing Risks & Preparedness ~ Examples of Questions

9) Does data access require appropriate ID & password (or other appropriate authentication)?

10) Is critical data backed up & stored in a secure location?

11) Is the system PC based?
  o Does the system run virus protection?
  o Does it prevent boot-up from an unauthorized boot disk?

12) Have device/system users been trained in security and are they practicing appropriate security procedures?

13) Is the device/system tested/calibrated to ensure the data is accurate & verifiable?


February 11, 2003

HIPAA Security: Mitigating Risks


© S. L. Grimes ~ 52

Mitigate Risks

1. Assign roles & responsibilities ~ involve all affected departments

2. Treat Security Risks (HIPAA Security Matrix)
  a) Administrative procedures
  b) Physical safeguards
  c) Technical security services
  d) Technical security mechanisms

3. Educate Staff

4. Require cooperation of Business Associates (“chain of trust” agreements)

5. Establish on-going audit & review process


© S. L. Grimes ~ 53

Step 1: Assign roles & responsibilities ~ Cross-departmental Participation/Cooperation

[Diagram] An Effective Information Security Program requires cross-departmental participation/cooperation (policies, procedures, education) among: Security Officer, Privacy Officer, Quality Assurance, Risk Management, Education/In-service, Compliance Officer, Administration, Clinical Engineering, Information Technology, Facilities Engineering, Human Resources, Medical, Nursing & Clinical, Accounting/Finance/Billing, Medical Records, Materials Management


© S. L. Grimes ~ 54

Step 2: Treat Security Risks ~ Four Categories of Requirements in HIPAA’s Security Matrix (Security NPRM)

1) Administrative Procedures

Documented, formal practices to manage the
  • Selection & execution of security measures to protect data and
  • Conduct of personnel in relation to the protection of data


© S. L. Grimes ~ 55

Step 2: Treat Security Risks ~ Four Categories of Requirements in HIPAA’s Security Matrix (Security NPRM)

2) Physical Safeguards

Protection of physical computer systems (any hardware storing or transmitting health data) and related buildings & equipment from
  • Natural & environmental hazards (e.g., fire, flood)
  • Intrusion (i.e., use of locks, keys and administrative measures to control access)


© S. L. Grimes ~ 56

Step 2: Treat Security Risks ~ Four Categories of Requirements in HIPAA’s Security Matrix (Security NPRM)

3) Technical Security Services

Processes that are put in place to
  • Protect information access
  • Control & monitor information access


© S. L. Grimes ~ 57

Step 2: Treat Security Risks ~ Four Categories of Requirements in HIPAA’s Security Matrix (Security NPRM)

4) Technical Security Mechanisms

Processes put in place to prevent unauthorized access to data that is transmitted over a communications network


© S. L. Grimes ~ 58

Step 3: Educate Staff

Conduct orientation of new staff and on-going education of existing staff on the organization’s:
• Privacy policies & procedures
• Security
  – Policies & Procedures
  – Technical security services & mechanisms


© S. L. Grimes ~ 59

Step 4: Require Cooperation of Business Associates

• Identify Business Associates (businesses that could conceivably access health data) ~ e.g.,
  – Medical device/system manufacturers
  – Independent service organizations (ISO)
  – Consultants, educators

• Establish formal “Chain of Trust” agreements where the BA agrees to:
  – Limit uses and disclosures of health data
  – Destroy or return any health data when no longer needed
  – Maintain safeguards to protect health data
  – Report to the organization any inappropriate use or disclosure



© S. L. Grimes ~ 60

Step 5: Establish on-going audit & review process

• Audit to ensure requirements associated with security elements & their implementation features are effectively met

• Analyze information security Incident Reports to determine the need for corrective action

[Diagram: Policies, Implementation, Testing, Integration, Procedures, arranged toward Increasing Security Program Effectiveness. GOAL: HIPAA Compliance & an Effective Info Security Program]


© S. L. Grimes ~ 61

Step 6: Document, Document, Document


© S. L. Grimes ~ 62

Review HIPAA Security Risk Assessment Process

Security Officer & Committee: Establish
  1. Working knowledge of HIPAA
  2. Roles & Responsibilities
  3. Security Policies & Procedures
  4. Review process

Assess Risk:
  1. Inventory Applications, Devices & Systems
  2. Identify Applications, Devices & Systems that may contain data
  3. Identify what, if any, precautions have been taken

Treat Risks:
  1. Apply Security measures (including procedural, physical & technical) where risks have been identified
  2. Conduct Staff Education & Training

Audit: Evaluate effectiveness of Security measures thru:
  1. Periodic Audits
  2. Incident reporting

Document, and Report to Security Committee


© S. L. Grimes ~ 63

American College of Clinical Engineering (ACCE)

• Clinical Engineering … discipline of engineering that works with other members of the healthcare team in the clinical environment
  – Planning & acquisition of the “right” medical technology … ensuring proper integration with other devices/systems
  – Effective application of medical devices & systems
  – Maintenance of medical devices & systems
  – On-going evaluation of medical devices & systems to ensure they are upgraded, retired or replaced when appropriate

• ACCE is the professional society of Clinical Engineering (founded in 1990)


February 11, 2003

ACCE HIPAA Task Force



© S. L. Grimes ~ 65

ACCE’s HIPAA Task Force

Purpose:
• Educating the CE community regarding the implications of HIPAA
• Representing CE interests with those elements of the healthcare community dealing with HIPAA
• Identifying & developing resources and tools CE could use to effectively address HIPAA’s implications for biomedical technology


© S. L. Grimes ~ 66

HIPAA Task Force Project

1. Identify a generic list of major biomedical equipment categories … i.e., a subset of all biomedical equipment categories that represents the substantial majority of biomedical devices & systems typically managed by CE


© S. L. Grimes ~ 67

HIPAA Task Force Project

2. Establish criteria & ranking system to serve as a guide in assigning “potential” security risk levels for
  – Confidentiality
  – Integrity
  – Availability
to each biomedical equipment category

[Chart: Medical Device/System with Health Information/Data relating to an Individual, ranked High / Medium / Low for Confidentiality, Integrity and Availability]


© S. L. Grimes ~ 68

HIPAA Task Force Project

3. Create document

List of major biomedical equipment categories with each category ranked in each of the security areas (i.e., potential risk associated with a compromise of confidentiality, integrity & availability) using the newly established criteria & ranking system. The completed document would be available to serve as a CE’s tool for:
  a) Assessing the scope of the HIPAA Security compliance need
  b) Pointing to those categories that most likely will require further, detailed risk assessment


© S. L. Grimes ~ 69

HIPAA Task Force Project

4. Establish a detailed risk assessment tool (form & questionnaire) that can be used to identify the actual security risks (pertaining to confidentiality, integrity & availability) associated with specific biomedical devices & systems in use. This tool will enable CEs to identify actual risks and suggest potential remediation courses


February 11, 2003

Questions?

Stephen Grimes ~ [email protected]

Association for the Advancement of Medical Instrumentation (AAMI) www.aami.org

American College of Clinical Engineering (ACCE) www.accenet.org