Security and eHealth


DESCRIPTION

Security and eHealth. Edward Meyers, Antonio Wilkinson, Dalavone Phothisen. April 3, 2009. PowerPoint PPT presentation covering: Introduction (OIG/OAS); HIPAA Security Rule; OIG HIPAA Audits (Summary); IT Security (Vulnerabilities, Threats/Exploits); HIT Emerging Issues (Funding, Studies).

TRANSCRIPT

Page 1: Security and eHealth

Security and eHealth

Edward Meyers, Antonio Wilkinson, Dalavone Phothisen

April 3, 2009

Page 2: Security and eHealth

OVERVIEW

- Introduction: OIG/OAS
- HIPAA Security Rule
- OIG HIPAA Audits: Summary
- IT Security: Vulnerabilities, Threats/Exploits

Page 3: Security and eHealth

OVERVIEW

- HIT Emerging Issues: Funding, Studies
- Data Exchange vs. Data Warehouse
- Demo: Wireless Hack

Page 4: Security and eHealth

INTRODUCTION: OFFICE OF THE INSPECTOR GENERAL

MISSION: the mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452 (as amended), is to protect the integrity of Department of Health and Human Services (HHS) programs, as well as the health and welfare of the beneficiaries of those programs. The OIG has a responsibility to report both to the Secretary and to the Congress program and management problems and recommendations to correct them. The OIG's duties are carried out through a nationwide network of audits, investigations, inspections and other mission-related functions performed by OIG components.

Page 5: Security and eHealth

INTRODUCTION: OIG ORGANIZATION CHART

Inspector General
  Principal Deputy Inspector General
    Chief Counsel to the Inspector General
    Deputy Inspector General for Management & Policy
    Deputy Inspector General for Evaluation and Inspections
    Deputy Inspector General for Audit Services
    Deputy Inspector General for Investigations

Page 6: Security and eHealth

INTRODUCTION: OFFICE OF AUDIT SERVICES (OAS)

Mission

We, the independent auditors for the Department of Health and Human Services (HHS), identify and report ways to improve, through a shared commitment with management, the economy, efficiency and effectiveness of operations and services to beneficiaries of HHS programs.

Page 7: Security and eHealth

INTRODUCTION: OAS ORGANIZATION CHART

Deputy Inspector General for Audit Services
  Assistant Inspector General for Centers for Medicare & Medicaid Audits
  Assistant Inspector General for Audit Management & Policy
  Assistant Inspector General for Grants, Internal Activities, and IT Audits
  Assistant Inspector General for Financial Management and Regional Operations
  Regional Inspectors General for Audit Services: Region I, Region II, Region III, Region IV, Region V, Region VI, Region VII, Region IX

Page 8: Security and eHealth

HIPAA: SECURITY RULE

Issued on: February 20, 2003
Effective Date: April 21, 2003
Compliance Date: April 21, 2005 (for most); April 21, 2006 (small plans)

Security Safeguards: Administrative Safeguards, Physical Safeguards, Technical Safeguards

Page 9: Security and eHealth

BACKGROUND

Title II of HIPAA
- Sets civil and criminal penalties
- Creates several programs to control fraud and abuse within the healthcare system
- Creates standards for use and dissemination of health care information (Administrative Simplification rules)
- Most significant: these apply to "covered entities"

Page 10: Security and eHealth

CRITERIA

HHS has promulgated final rules for privacy and security of health information and for the enforcement of these rules. (45 CFR Parts 160 and 164)

Page 11: Security and eHealth

HIPAA: SECURITY RULE

Standard Specifications
- Required Implementation Specifications (R): must be adopted and administered
- Addressable Implementation Specifications (A): flexible, but an assessment must be performed to determine reasonableness
- "Covered entities" must document assessments and all decisions

Page 12: Security and eHealth

HIPAA: SECURITY RULE

Security should not be confused with Privacy or Confidentiality

- Privacy: refers to the rights of an individual to control his/her personal information without risk of divulging or misuse by others against his or her wishes
- Confidentiality: only becomes an issue when the individual's personal information has been received by another entity. Confidentiality is then a means of protecting this information
- Security: refers to the spectrum of physical, technical and administrative safeguards used for this protection

Page 13: Security and eHealth

HIPAA: SECURITY RULE

Purpose of Safeguards: To ensure integrity and confidentiality of health information and to protect against security breaches and unauthorized use or disclosure of health information (45 CFR Part 164 Subpart C)

Applicability: To covered entities who engage in standard HIPAA transactions, which include electronic transactions for plan enrollment, submission of claims or health encounter records, coordination of benefits, and payments; focuses on ePHI

Page 14: Security and eHealth

HIPAA: TECHNICAL SAFEGUARDS

1. Access Control
- A documented procedure for granting emergency access to data
- Provision for unique user IDs
- The optional use of encryption and decryption
- Provision for an automatic logoff after idling for a period of time

Page 15: Security and eHealth

HIPAA: TECHNICAL SAFEGUARDS

2. Audit Controls
- HIPAA requires that every technical system employ logging of information accesses
- The specific mechanisms for parsing logins are not specified
- Logs themselves should be protected

Page 16: Security and eHealth

HIPAA: TECHNICAL SAFEGUARDS

3. Integrity
- Steps must be taken to ensure that the protected data has not been modified in any unauthorized manner
- Use of checksums, double keying, message authentication codes and digital signatures are ways of accomplishing this
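As an added illustration of the Integrity and Audit Controls safeguards above (example code written for this page, not part of the original presentation): a message authentication code (HMAC-SHA256) tags each ePHI access record, and chaining each tag over the previous one makes the audit log itself tamper-evident, so an edited or deleted entry is detected on verification. The key, the record fields and the access events are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key (hypothetical). In production the key comes from a key
# management system and is never stored next to the logs it protects.
AUDIT_KEY = b"demo-audit-key-not-for-production"
GENESIS = "0" * 64  # placeholder "previous tag" for the first log entry


def _canonical(record: dict) -> bytes:
    """Deterministic serialization so the MAC always covers the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_record(record: dict, key: bytes = AUDIT_KEY) -> str:
    """HMAC-SHA256 integrity tag: recomputable only by holders of the key."""
    return hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = AUDIT_KEY) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag_record(record, key), tag)


def append_log(chain: list, event: dict, key: bytes = AUDIT_KEY) -> list:
    """Append an access event; its tag also covers the previous entry's tag,
    so editing or deleting an earlier entry breaks the chain from that point."""
    body = {"event": event, "prev": chain[-1]["tag"] if chain else GENESIS}
    chain.append({**body, "tag": tag_record(body, key)})
    return chain


def verify_log(chain: list, key: bytes = AUDIT_KEY) -> int:
    """Return the index of the first bad entry, or -1 if the chain is intact.
    Caveat: silent truncation of the newest entries is not caught here; that
    needs the latest tag anchored elsewhere (e.g. a periodic signed checkpoint)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {"event": entry["event"], "prev": entry["prev"]}
        if entry["prev"] != prev or not verify_record(body, entry["tag"], key):
            return i
        prev = entry["tag"]
    return -1


def demo() -> dict:
    """Constructed ePHI access events; returns where each tampering is detected."""
    log = []
    append_log(log, {"user": "nurse01", "action": "view", "patient": "P-0001"})
    append_log(log, {"user": "admin07", "action": "export", "patient": "P-0001"})
    append_log(log, {"user": "nurse01", "action": "view", "patient": "P-0002"})
    edited = json.loads(json.dumps(log))        # deep copy of the log
    edited[1]["event"]["user"] = "nurse01"      # attempt to hide who exported the record
    deleted = log[:1] + log[2:]                 # attempt to remove the export event entirely
    return {"intact": verify_log(log), "edited_at": verify_log(edited),
            "deleted_at": verify_log(deleted)}


if __name__ == "__main__":
    print(demo())
```

Running the block reports the intact log as -1 and both the edited and the deleted variants as failing at entry 1, which is the audit-control outcome the slides call for: the log records the access and the log itself resists unauthorized change.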

Page 17: Security and eHealth

HIPAA: TECHNICAL SAFEGUARDS

4. Person or Entity Authentication
- Organizations must take steps to validate the authenticity of an entity attempting to access data
- Many solutions exist for this (biometrics, passwords, PIN numbers, tokens and telephone callback procedures)

Page 18: Security and eHealth

HIPAA: TECHNICAL SAFEGUARDS

5. Transmission Security
- All covered entities must maintain at a minimum:
  - Authenticity of the entity at the other end of the wire
  - Alarms to sense abnormal conditions
  - Auditing to allow the reconstruction of events
  - Event reporting to identify problems
- May use encryption of transmitted data to accomplish these tasks

Page 19: Security and eHealth

CIVIL MONEY PENALTIES (Outdated)

Penalties
- Failure to Comply: $100 per failure; $25,000 maximum per calendar year
- Deliberate Violations: Potential Penalties of $50,000 - $250,000 and 1-10 years imprisonment

Page 20: Security and eHealth

CURRENT OAS WORK

Primary Focus is the Security Rule

Exception Categories to Date: Access Controls, Audit Controls, Integrity, Person or Entity Authentication, Transmission Security

Page 21: Security and eHealth

OIG SUMMARY OF FINDINGS: TECHNICAL SAFEGUARDS

Technical Safeguards Vulnerabilities

Access Control vulnerabilities
- Wireless: no encryption or WEP
- Adequate security settings not applied
- User access levels not reviewed
- Inactive accounts not disabled or locked
- User accounts inactive for excessive periods

Audit Control vulnerability
- Server settings for audit logging disabled

Page 22: Security and eHealth

OIG SUMMARY OF FINDINGS: TECHNICAL SAFEGUARDS

Integrity Control vulnerabilities
- OS unsupported by manufacturer
- Inconsistently applied security patches
- Computers lacked current antivirus updates
- Personal computers and servers lacked current service packs

Transmission Security vulnerability
- Unencrypted sensitive information on compact discs

Page 23: Security and eHealth

OIG SUMMARY OF FINDINGS: PHYSICAL SAFEGUARDS

Physical Safeguard vulnerabilities
- Uncontrolled access to EPHI
- Deactivated alarm on emergency door

Equipment Control vulnerabilities
- No computer equipment inventory
- No password protection for computers on portable carts
- No written plan for media disposal

Page 24: Security and eHealth

OIG SUMMARY OF FINDINGS: ADMINISTRATIVE SAFEGUARDS

Administrative Safeguard vulnerabilities
- Contingency plan incomplete
- Backup tapes at risk: taken offsite only once a week
- No backup tape catalogs

Page 25: Security and eHealth

IT SECURITY THREATS/EXPLOITS

- Medical identity theft
- Access to medical information for sale/profit
- Theft of equipment
- Environmental and natural disasters
- Internet malware

Page 26: Security and eHealth

AMERICAN RECOVERY & REINVESTMENT ACT (ARRA)

P.L. 111-05, signed February 17, 2009

Title XIII of Division A comprises the provisions known as HITECH

Page 27: Security and eHealth

ARRA CONT.

HITECH enacts five components
- The national coordinator of HIT policy
- Est. federal advisory committees (policy & std)
- An expanded role for testing and research: to test and certify HIT, including EHR
- Federal subsidies for promoting and implementing HIT (primarily for states): $17.2 billion of incentive payments for EHR
- Revisions to current privacy and security rules

Page 28: Security and eHealth

RECOVERY INCENTIVE PAYMENTS

Section 4101: Incentives for Eligible Professionals

Purpose: To provide incentives to eligible professionals for meaningful use of certified electronic health records (EHRs). For eligible Medicare professionals; also certain MA organizations.

Page 29: Security and eHealth

RECOVERY INCENTIVE PAYMENTS

Section 4102: Incentives for Hospitals

Purpose: To provide incentives to eligible hospitals for the meaningful use of certified EHRs.

Page 30: Security and eHealth

RECOVERY INCENTIVE PAYMENTS

Section 4201: Medicaid Provider HIT adoption & operation payments

Purpose: To provide incentives to eligible Medicaid providers to purchase, implement, and operate certified electronic health record technology.

The Medicaid definition of eligible professionals is not statutorily defined and includes physicians, dentists, certified nurse-midwives, nurse practitioners, and physician assistants who are practicing in physician-assistant-led FQHCs and RHCs (provided other requirements are met).

Page 31: Security and eHealth

RECOVERY INCENTIVE PAYMENTS

Amounts
- Under both Medicaid components, providers can receive up to $64,000 (est.).
- Formulas for the other components

Page 32: Security and eHealth

HIT EMERGING ISSUES: FUNDING FOR THE UNFUNDED

Section 4104: Studies and Report on HIT
- Incentive payments to MA organizations
- EHR incentive payments for providers

Providers receiving minimal or no incentive payments (SNF, HHA/Hospice, Labs and non-physicians) will be covered by a study conducted by the Secretary on later inclusion.

Page 33: Security and eHealth

STUDY ON OPEN SOURCE HEALTH INFORMATION TECHNOLOGY SYSTEMS

Availability of open source HIT systems: VA, IHS, AHRQ, HRSA

Page 34: Security and eHealth

ARRA: HIPAA PENALTY

Under the new law, the Secretary may impose fines ranging from $100 up to $50,000 for each violation of HIPAA depending on whether a violation was inadvertent, reasonable, or due to willful neglect. The maximum penalty faced by an offender ranges from $25,000 to $1.5 million during a calendar year, again depending upon an offender's culpability.

Page 35: Security and eHealth

Privacy and Security

Security Breach Notification
- Establishes a federal security breach notification requirement for health information that is not encrypted or otherwise made indecipherable.

Page 36: Security and eHealth

Privacy and Security

Business Associates
- Are now subject to the same privacy and security rules as providers and health insurers

Page 37: Security and eHealth

Where do we go from here?
- Data exchange vs. data warehouse
- Wireless Hack

THE END