February 11, 2003
Is Your Security Back Door Open? HIPAA's Implications for Biomedical Devices & Systems
Tuesday, February 11, 2003, 9:45 am – 11:00 am
Stephen L. Grimes, Chair, HIPAA Task Force, American College of Clinical Engineering
HIMSS 2002, San Diego, CA
AAMI, Association for the Advancement of Medical Instrumentation
© S. L. Grimes ~ 2
Health Insurance Portability & Accountability Act (HIPAA)
Subtitle A: Fraud and Abuse Control Program
Subtitle B: Revisions to Current Sanctions for Fraud and Abuse
Subtitle C: Data Collection
Subtitle D: Civil Monetary Penalties
Subtitle E: Revisions to Criminal Law
Subtitle F: Administrative Simplification
Subtitle G: Duplication & Coordination of Medicare-Related Plans
Compliance dates under Administrative Simplification (from the slide's timeline):
- Identifiers, Transactions & Code Sets: October 2002 / 2003
- Privacy Rules: April 2003
- Security Rules: October 2004 ?
Period between Publication and Enforcement of HIPAA Final Rules
- Transactions & Code Sets: final rule ~ Aug 2000; compliance ~ October 2002 (can apply for extension to Oct 2003)
- Privacy: final rule ~ December 2000; compliance ~ April 2003
- Security: proposed rule ~ Aug 1998 (final rule imminent); anticipated compliance ~ December 2004?
Significant Developments ~ Transaction Rule
- Administrative Simplification Compliance Act (ASCA), aka HR 3323, signed by POTUS on 12/27/01
  - 1 year extension on Transaction Rule (from 10/02 to 10/03) for covered entities who apply before Oct 15
- Proposed modification to Standards for Transactions (NPRM 5/31/02)
  - Adopted revised National Council for Prescription Drug Programs (NCPDP) standard
  - Adopted revised standard for pharmacy remittance advice & prior authorization
  - Retracts NDC code as the standard for drugs in all transactions (except retail pharmacies)
Significant Developments ~ Privacy Rule
- Privacy Rule amendments published in the Federal Register on August 14, 2002 … highlights include:
  - Modify consent requirement for "routine" uses of IIHI (written consent may now be optional)
  - Address the use of IIHI for marketing without patient consent
  - Facilitate parent access to minor's unless prevented by state law
  - Provides additional year to convert to compliant agreements with HIPAA Business Associates
Significant Developments ~ Security Rule
- Release of Final Rule is still "imminent": Q4 2001, Q1 2002, Q2 2002, August 2002, October 2002, Q1 2003 ?
Three blind men and a HIPAA: the view of HIPAA often depends on who you ask!
- LAWYER sees Privacy issues: informed consents & notices; Business Associate Agreements; government fines/penalties; legal liability
- INFORMATION TECHNOLOGIST sees Security issues: user authentication; firewalls; virus protection; backups; disaster plans
- MEDICAL RECORDS sees Standardized Transactions & Codes: universal data sets & forms; electronic data interchange (EDI); portable, electronic medical records
- FINANCE sees expenditures & potential savings: reduced operating costs & bad debt; return on investment (ROI)
- CLINICAL ENGINEER sees: managing risks associated with medical devices & systems; ensuring the integrity & availability of health data on standalone or networked devices & systems
Health Insurance Portability & Accountability Act (HIPAA): Origins of Administrative Simplification
How HIPAA's Administrative Simplification Provisions Came About
(Chart: US Healthcare Industry Expenditures, in billions of dollars, for 1990, 1997, 2000* and 2007*; vertical axis $0 to $2,500 billion. * Estimates)
Administrative Cost as a Percent of Healthcare Dollar
(Chart comparing US, Canada and Europe; vertical axis 0% to 25%)
High Administrative Costs
Major reasons for high administrative costs in the US:
- 70% of data manually keyed into healthcare computers is data output from another computer
- Industry's extensive use of photocopy, faxing, manual filing, mailing, telephone
Administrative Simplification
- Objective: reduce cost & improve efficiency through implementation of electronic data interchange (EDI)
- Theory: if costs are reduced, funds should be available to apply toward improvement of healthcare quality & availability
How do we get from EDI (standardized transactions & codes) to Privacy & Security?
(Diagram: Identifiers, Transactions & Code Sets -> Privacy Rules -> Security Rules)
- Because they are in electronic form, Identifiers, Transactions & Code Sets require additional Privacy precautions (as spelled out by HIPAA's Privacy Rule)
- Effective Privacy & Transactions require Security precautions (as spelled out by HIPAA's proposed Security Rule)
HHS Projected Savings from Administrative Simplification
- Net savings of $12.3 billion over 10 years.
  - Total savings of EDI standards (from transactions rule) of $29.9 billion over 10 years.
  - Partially offset by estimated cost of privacy implementation of $17.6 billion
  - Note:
    - Federal estimates are only for those expenses required by the regulations.
    - Most efficient implementation requires process reengineering and potentially additional expenses
* Braithwaite, Nov 2001 @ JHITA
Who's Affected By HIPAA's Security Rule
Applicability & Scope of Security Standard: Who does the Security Rule Apply To?
The standards adopted or designated under this subpart apply, in whole or in part, to the following: (b) … a health care provider that takes one of the following actions:
(1) Processes any electronic transmission between any combination of health care entities …
(2) Electronically maintains any health information used in an electronic transmission that has been sent or received between any combination of health care entities …
* §142.302 Applicability & scope, Federal Register Aug 12, 1998
Who does the Security Rule Apply To?
- Providers (1.2 million nationally)
  - Hospitals
  - Imaging centers
  - Outpatient surgery centers
  - Laboratories
  - Pharmacies
  - Medical, dental & therapy groups & individual practices
- Health Plans (i.e., payers, insurance, HMO)
- Clearinghouses
Overview of Security Rule
HIPAA Security Standard "Summarized"
- Each entity must guard the "confidentiality, integrity & availability" of individual health data. Remember the "CIA" (shown on the slide as a Confidentiality / Integrity / Availability triangle).
- To accomplish this, each provider is required to meet three conditions:
* §142.308 Security Standard, Federal Register Aug 12, 1998
1) Must "assess potential risks and vulnerabilities to the individual health data in its possession" … and
2) Must … "develop, implement, and maintain appropriate security measures" … which "must include, at a minimum, the following requirements & implementation features":
  - Administrative Procedures
  - Physical Safeguards
  - Technical Security Services and Mechanisms
3) Must ensure these measures are "documented and kept current"
* §142.308 Security Standard, Federal Register Aug 12, 1998
Security Rule Definition of Health Information
Health information means any information, whether oral or recorded in any form or medium, that
(1) Is created or received by a health care provider … and
(2) Relates to the past, present, or future … health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of care to an individual *
* §142.103 Definitions, Federal Register Aug 12, 1998
Rules for the Security Standard
An entity must apply the security standard … to all health information pertaining to an individual that is electronically maintained or electronically transmitted. *
* §142.306 Rules for security standards, Federal Register Aug 12, 1998
Health Information covered by Security Rule
Covered health information includes all electronically maintained or transmitted:
- Diagnostic or treatment (therapeutic) data related to an individual
- Billing & payment data related to an individual
Different types of information covered by HIPAA's Security Rule and Privacy Rule
- Privacy Rule covers individually identifiable health information (IIHI) or protected health information (PHI) (i.e., information that could be used to identify a patient)
- Security Rule covers health information related to an individual but does not necessarily have to identify a specific patient
- All IIHI or PHI is Individual Health Information, but
- Not all Individual Health Information is IIHI or PHI
(Diagram: the Privacy Rule's IIHI/PHI sits inside the Security Rule's broader set of Individual Health Information)
Difference in Coverage between HIPAA Privacy & Security
(Diagram)
- Security Rule: biomedical component/device containing health information related to an individual (diagnostic data, therapeutic data); properties at stake: Integrity, Availability
- Privacy Rule: biomedical or computer device/system containing individually identifiable health information (IIHI), i.e. the same health information plus linking identifiers to the individual patient; property at stake: Confidentiality
HIPAA Security: Where Affected Data Resides
Where does affected data reside?
(Diagram: Biomedical Technology and Information Technology, overlapping)
Devices/Systems Electronically Maintaining / Transmitting Individual Health Data
(Diagram grouping the following into Biomedical Technology, Information Technology and Hybrid Systems)
Clinical lab analyzers; computers; peripherals; workstations; servers; terminals; web sites; application service providers; electronic medical records; physiologic monitoring; radiographic units; billing & claims processing; endoscopy; diagnostic ultrasound; PACS; remote access; cardiology analyzers (e.g., EKG); pulmonary function analyzers; infusion pumps; ventilators; stress test systems; defibrillators; audiometers; cardiac assist devices; anesthesia systems; networks; CT scanners; MRI
Examples of Biomedical Devices/Systems with Individual Health Info
- Anesthesia unit: gas delivered (volume, rate, concentration); expired gas monitoring
- Physiologic monitor: ECG / heart rate; blood pressure; temperature; respiration; O2 saturation
- Clinical analyzer: blood (hemoglobin, glucose, gas, pH, electrolytes, etc.); urine (albumin, creatinine, bilirubin, etc.)
- Infusion pump: medication delivered (volume, rate, duration)
- Ventilator: respiration (volume & rate, bpm); O2 concentration
- Radiographic unit, diagnostic ultrasound, CT scanner: medical image; patient ID
- Even the hospital bed … with a network connection! Bed location; patient position; patient scale; communications (nurse call, telephone)
Medical Devices & Systems: Typical Data Interconnects
(Diagram: each of the following connects to a Local Area Network (LAN), Wide Area Network (WAN), and/or the Internet)
Bedside monitor; remote monitor; PBX; clinical analyzer; ventilator; infusion pump; defibrillator; diagnostic ultrasound; CT scan; remote viewing workstation; personal digital assistant
Remote Access to Medical Devices
Devices on the Internet transmit:
- Location (& patient info)
- Current status & settings
- Diagnostics
- Error codes
Devices on the Internet receive:
- Calibration
- Software/firmware upgrades
- Diagnostics
Identify Devices & Systems Containing Health Information
(Diagram of the media and channels on which health information can reside or travel: VCR tapes; PC card or memory stick; CD-ROM, DVD or optical disk; hard disk drives; photographs; X-rays; paper (i.e., printouts); displays; removable diskette; non-volatile memory; digital data tapes; telephone, network or direct-connect cable; wireless)
HIPAA Security: Assessing Risks
Assess Risks associated with Health Info on Devices & Systems
Requirements a health care entity must address in order to safeguard electronic data's:
- Confidentiality: degree to which individual health data requires protection from unauthorized disclosure
- Integrity: degree to which individual health data must be protected from unauthorized, unanticipated, or unintentional modification
- Availability: degree to which individual health information must be available on a timely basis to meet operational requirements or to avoid compromising health care
Federal Register, p. 43250, August 12, 1998
(CIA triangle: Confidentiality, Integrity, Availability)
Assess Risks associated with Health Info on Devices & Systems
(Chart: each medical device/system with health information/data relating to an individual is rated High, Medium or Low separately for Confidentiality, Integrity and Availability)
Assessing Risks ~ Ranking Security Risk Level
The table rates each risk level by its impact on the organization (administrative: likely corrective measures required; legal: potential legal penalties; financial: potential financial impact; overall: potential degree to which interests would be adversely impacted by compromise of confidentiality, availability or integrity of information) and by its impact on the patient (privacy: potential degree to which privacy would be adversely impacted by compromise of confidentiality of information; health care: potential degree to which health care would be adversely impacted by compromise of availability or integrity of information).

RISK LEVEL: Low
- Impact on organization: no legal penalties; minor financial impact; minor damage to interests
- Impact on patient: could not be associated with a specific patient; minor impact on health care

RISK LEVEL: Medium
- Impact on organization: moderate fines; moderate financial impact; serious damage to interests
- Impact on patient: could identify patient; minor impact to patient's health due to misdiagnosis, delayed diagnosis or improper, inadequate or delayed treatment

RISK LEVEL: High
- Impact on organization: imprisonment and/or large fines; major financial impact; extremely grave damage to organization's interests
- Impact on patient: could identify patient and their diagnosis and/or treatment; serious impact to patient's health (including loss of life) due to misdiagnosis, delayed diagnosis or improper, inadequate or delayed treatment
Assessing Risks
When assigning remediation priorities, note: Total Risk = Magnitude of Individual Risk x Frequency of Occurrence
Assessing Risks & Preparedness
Complete a questionnaire for each device that maintains/transmits individual health information
Assessing Risks & Preparedness: Examples of Questions
1) Is the display only physically observable by authorized staff/users?
2) Is the device/system, its storage media and any output kept in a secure area accessible only by key, combination lock, access card or similar?
3) Does data access require a user name & password (or other appropriate authentication method)?
4) Is the storage media and any output destroyed by acceptable means when no longer needed? For example:
  - Shred paper, film, photos
  - Erase/overwrite disks, PC cards, memory sticks
  - Deposit in a locked "Destruction Bin" for disposal by a bonded service
5) Is data transmitted via secure cable connection (i.e., no access possible via unsecured hub or other unsecured intermediate connection)?
6) Is data encrypted prior to transmission via wireless or public network?
7) Does the system permit remote access?
  - Does the system security restrict remote access to specific devices or locations?
  - Does the system log and provide an audit trail of remote access activity?
8) Is the device/system physically secure?
  - Is the system kept in a secure area, inaccessible except to authorized users?
  - Are components secure within the system (i.e., can any component containing data be removed)?
9) Does data access require appropriate ID & password (or other appropriate authentication)?
10) Is critical data backed up & stored in a secure location?
11) Is the system PC based?
  - Does the system run virus protection?
  - Does it prevent boot-up from an unauthorized boot disk?
12) Have device/system users been trained in security and are they practicing appropriate security procedures?
13) Is the device/system tested/calibrated to ensure the data is accurate & verifiable?
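The risk-ranking table, the prioritization rule (Total Risk = Magnitude of Individual Risk x Frequency of Occurrence) and the questionnaire above, applied together to a small device inventory. This is an added example, not code from the presentation or from ACCE: the device names, impact levels, incident frequencies, questionnaire answers, the 1/3/9 weights given to the three risk levels, and the assignment of each question to a CIA property are all assumptions made for illustration.

```python
"""Risk ranking for devices that hold individual health information.

Added example, not from the presentation: it encodes the slide's
Low/Medium/High risk table and the rule
    Total Risk = Magnitude of Individual Risk x Frequency of Occurrence
and applies both to a constructed device inventory with answers to the
questionnaire.  Device names, impact levels, incident frequencies,
questionnaire answers, the 1/3/9 level weights and the mapping of each
question to a CIA property are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Weights for the slide's three risk levels.  The 1/3/9 spacing is an
# assumption chosen so that one High outranks several Lows.
LEVEL_WEIGHT = {"Low": 1, "Medium": 3, "High": 9}

# Questionnaire items from the slides, each tagged with the property it
# chiefly protects (this example's reading, not the slides' wording).
CONTROLS = {
    "display_visible_only_to_authorized_staff": "Confidentiality",
    "storage_media_and_output_in_locked_area": "Confidentiality",
    "data_access_requires_authentication": "Confidentiality",
    "media_and_output_destroyed_when_retired": "Confidentiality",
    "encrypted_before_wireless_or_public_network": "Confidentiality",
    "remote_access_restricted_and_audit_logged": "Integrity",
    "antivirus_and_boot_lock_if_pc_based": "Integrity",
    "tested_and_calibrated_for_accurate_data": "Integrity",
    "critical_data_backed_up_to_secure_location": "Availability",
}


@dataclass
class Device:
    name: str
    org_impact: str            # Low / Medium / High, from the slide's table
    patient_impact: str        # Low / Medium / High, from the slide's table
    incidents_per_year: float  # estimated frequency of occurrence (an assumed input)
    answers: dict[str, bool] = field(default_factory=dict)


def risk_level(org_impact: str, patient_impact: str) -> str:
    """Overall level is the worse of the organization and patient columns."""
    for level in (org_impact, patient_impact):
        if level not in LEVEL_WEIGHT:
            raise ValueError(f"unknown risk level {level!r}")
    return max(org_impact, patient_impact, key=LEVEL_WEIGHT.__getitem__)


def total_risk(dev: Device) -> float:
    """Magnitude (weight of the risk level) times frequency of occurrence."""
    magnitude = LEVEL_WEIGHT[risk_level(dev.org_impact, dev.patient_impact)]
    return magnitude * dev.incidents_per_year


def unmet_controls(dev: Device) -> dict[str, list[str]]:
    """Questionnaire items answered 'no' (or left unanswered), grouped by property."""
    gaps: dict[str, list[str]] = {}
    for control, prop in CONTROLS.items():
        if not dev.answers.get(control, False):
            gaps.setdefault(prop, []).append(control)
    return gaps


def remediation_order(devices: list[Device]) -> list[Device]:
    """Highest total risk first; ties broken by the worse impact level."""
    def key(d: Device) -> tuple[float, int]:
        lvl = risk_level(d.org_impact, d.patient_impact)
        return (total_risk(d), LEVEL_WEIGHT[lvl])
    return sorted(devices, key=key, reverse=True)


def report(devices: list[Device]) -> list[tuple[str, str, float, dict[str, list[str]]]]:
    """One row per device in remediation order: name, level, total risk, gaps."""
    return [(d.name, risk_level(d.org_impact, d.patient_impact), total_risk(d),
             unmet_controls(d)) for d in remediation_order(devices)]


# Constructed inventory: every value below is made up for the example.
_ALL_YES = {c: True for c in CONTROLS}
INVENTORY = [
    Device("ICU physiologic monitor (wireless telemetry)", "Medium", "High", 2.0,
           {**_ALL_YES, "data_access_requires_authentication": False,
            "encrypted_before_wireless_or_public_network": False}),
    Device("PACS archive server", "High", "Medium", 0.2,
           {**_ALL_YES, "remote_access_restricted_and_audit_logged": False}),
    Device("PC-based pulmonary function analyzer", "Medium", "Low", 0.5,
           {**_ALL_YES, "antivirus_and_boot_lock_if_pc_based": False}),
    Device("Networked hospital bed", "Low", "Low", 6.0,
           {**_ALL_YES, "display_visible_only_to_authorized_staff": False}),
]

if __name__ == "__main__":
    for name, level, score, gaps in report(INVENTORY):
        print(f"{score:5.1f}  {level:6}  {name}")
        for prop, items in gaps.items():
            print(f"              {prop}: {', '.join(items)}")
```

Run as a script it prints the inventory in remediation order. The point the slide makes with "magnitude x frequency" shows up directly: the networked bed (Low impact, but a frequent exposure) ranks above the PACS server (High impact, but rare), so a pure impact ranking would have ordered the work differently. Grouping the unmet questionnaire items by the property they protect lets each remediation item be traced back to the confidentiality, integrity or availability requirement it addresses.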
HIPAA Security: Mitigating Risks
Mitigate Risks
1. Assign roles & responsibilities ~ involve all affected departments
2. Treat Security Risks (HIPAA Security Matrix)
  a) Administrative procedures
  b) Physical safeguards
  c) Technical security services
  d) Technical security mechanisms
3. Educate staff
4. Require cooperation of Business Associates ("chain of trust" agreements)
5. Establish on-going audit & review process
Step 1: Assign roles & responsibilities ~ Cross-departmental Participation/Cooperation
An effective information security program requires cross-departmental participation/cooperation (policies, procedures, education). Roles and departments shown on the slide: Security Officer; Privacy Officer; Quality Assurance; Risk Management; Education/In-service; Compliance Officer; Administration; Clinical Engineering; Information Technology; Facilities Engineering; Human Resources; Medical, Nursing & Clinical; Accounting/Finance/Billing; Medical Records; Materials Management.
Step 2: Treat Security Risks ~ Four Categories of Requirements in HIPAA's Security Matrix (Security NPRM)
1) Administrative Procedures: documented, formal practices to manage the
  - selection & execution of security measures to protect data, and
  - conduct of personnel in relation to the protection of data
2) Physical Safeguards: protection of physical computer systems (any hardware storing or transmitting health data) and related buildings & equipment from
  - natural & environmental hazards (e.g., fire, flood)
  - intrusion (i.e., use of locks, keys and administrative measures to control access)
3) Technical Security Services: processes that are put in place to
  - protect information access
  - control & monitor information access
4) Technical Security Mechanisms: processes put in place to prevent unauthorized access to data that is transmitted over a communications network
Step 3: Educate Staff
Conduct orientation of new staff and on-going education of existing staff on the organization's:
- Privacy policies & procedures
- Security
  - policies & procedures
  - technical security services & mechanisms
Step 4: Require Cooperation of Business Associates
- Identify Business Associates (businesses that could conceivably access health data) ~ e.g.,
  - medical device/system manufacturers
  - independent service organizations (ISO)
  - consultants, educators
- Establish formal "Chain of Trust" agreements where the BA agrees to:
  - limit uses and disclosures of health data
  - destroy or return any health data when no longer needed
  - maintain safeguards to protect health data
  - report to the organization any inappropriate use or disclosure
Step 5: Establish on-going audit & review process
- Audit to ensure requirements associated with security elements & their implementation features are effectively met
- Analyze information security Incident Reports to determine need for corrective action
(Diagram: policies, procedures, implementation, integration and testing, with increasing security program effectiveness. GOAL: HIPAA compliance & an effective info security program)
© S. L. Grimes ~ 61
Step 6: Document, Document, Document
Review: HIPAA Security Risk Assessment Process (flowchart, rendered here as a list)

Security Officer & Committee establish:
1. Working knowledge of HIPAA
2. Roles & responsibilities
3. Security policies & procedures
4. Review process

Assess Risk:
1. Inventory applications, devices & systems
2. Identify applications, devices & systems that may contain data
3. Identify what, if any, precautions have been taken

Treat Risks:
1. Apply security measures (including procedural, physical & technical) where risks have been identified
2. Conduct staff education & training

Audit: evaluate effectiveness of security measures through:
1. Periodic audits
2. Incident reporting

Report to Security Committee
American College of Clinical Engineering (ACCE)
- Clinical Engineering … the discipline of engineering that works with other members of the healthcare team in the clinical environment:
  - Planning & acquisition of the "right" medical technology, ensuring proper integration with other devices/systems
  - Effective application of medical devices & systems
  - Maintenance of medical devices & systems
  - On-going evaluation of medical devices & systems to ensure they are upgraded, retired or replaced when appropriate
- ACCE is the professional society of Clinical Engineering (founded in 1990)

ACCE HIPAA Task Force
ACCE's HIPAA Task Force
Purpose:
- Educating the CE community regarding the implications of HIPAA
- Representing CE interests with those elements of the healthcare community dealing with HIPAA
- Identifying & developing resources and tools CE could use to effectively address HIPAA's implications for biomedical technology
HIPAA Task Force Project
1. Identify a generic list of major biomedical equipment categories, i.e., a subset of all biomedical equipment categories that represents the substantial majority of biomedical devices & systems typically managed by CE
HIPAA Task Force Project
2. Establish criteria & a ranking system to serve as a guide in assigning "potential" security risk levels for
   - Confidentiality
   - Integrity
   - Availability
   to each biomedical equipment category

[Chart: potential risk level (High / Medium / Low) for Confidentiality, Integrity and Availability of a Medical Device/System with Health Information/Data relating to an Individual]
HIPAA Task Force Project
3. Create document
   List of major biomedical equipment categories with each category ranked in each of the security areas (i.e., potential risk associated with a compromise of confidentiality, integrity & availability) using the newly established criteria & ranking system. The completed document would be available to serve as a CE's tool for:
   a) Assessing the scope of the HIPAA Security compliance need
   b) Pointing to those categories that most likely will require further, detailed risk assessment
HIPAA Task Force Project
4. Establish a detailed risk assessment tool (form & questionnaire) that can be used to identify the actual security risks (pertaining to confidentiality, integrity & availability) associated with specific biomedical devices & systems in use. This tool will enable CEs to identify actual risks and suggest potential remediation courses.
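The four project steps above describe a ranking pipeline: inventory the equipment categories, rank each for confidentiality, integrity and availability, produce the document, and use it to pick out categories that need a detailed assessment. The following is an added example of how such a pipeline can be coded; it is not the ACCE task force's tool or its criteria. The category attributes (`stores_phi`, `networked`, `clinical_dependency`, `precautions`), the ranking rules, and the sample inventory are all assumptions constructed for illustration.

```python
"""Illustrative C/I/A potential-risk ranking of biomedical equipment categories.

Added example, not the ACCE task force's actual criteria or tool. The
attributes, ranking rules and sample categories below are assumptions
constructed for illustration only.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List


class Risk(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Category:
    name: str
    stores_phi: bool            # holds identifiable health data at rest (assumed attribute)
    networked: bool             # reachable over the hospital network (assumed attribute)
    clinical_dependency: str    # "life_support", "diagnostic" or "none" (assumed attribute)
    precautions: List[str] = field(default_factory=list)  # step "what precautions have been taken"


def rank_confidentiality(c: Category) -> Risk:
    # Assumed rule: PHI at rest that is also network-reachable is the worst case.
    if c.stores_phi and c.networked:
        return Risk.HIGH
    if c.stores_phi:
        return Risk.MEDIUM
    return Risk.LOW


def rank_integrity(c: Category) -> Risk:
    # Assumed rule: data that drives treatment must not be silently altered.
    if c.clinical_dependency == "life_support":
        return Risk.HIGH
    if c.clinical_dependency == "diagnostic":
        return Risk.HIGH if c.networked else Risk.MEDIUM
    return Risk.MEDIUM if c.stores_phi else Risk.LOW


def rank_availability(c: Category) -> Risk:
    # Assumed rule: losing a life-support device is always HIGH, diagnostics MEDIUM.
    if c.clinical_dependency == "life_support":
        return Risk.HIGH
    if c.clinical_dependency == "diagnostic":
        return Risk.MEDIUM
    return Risk.LOW


def rank_category(c: Category) -> Dict[str, Risk]:
    """Potential (inherent) risk per area; existing precautions are recorded,
    not subtracted, because they belong to the detailed assessment (step 4)."""
    return {
        "confidentiality": rank_confidentiality(c),
        "integrity": rank_integrity(c),
        "availability": rank_availability(c),
    }


def needs_detailed_assessment(c: Category) -> bool:
    """Step 3b: a category is flagged when any area is ranked HIGH."""
    return any(level == Risk.HIGH for level in rank_category(c).values())


def phi_scope(inventory: List[Category]) -> List[str]:
    """Step 3a: names of the categories that may contain health data."""
    return [c.name for c in inventory if c.stores_phi]


def build_document(inventory: List[Category]) -> List[Dict[str, object]]:
    """Step 3: one row per category with its C/I/A rankings and the flag."""
    return [
        {
            "category": c.name,
            **{area: level.name for area, level in rank_category(c).items()},
            "precautions": list(c.precautions),
            "detailed_assessment": needs_detailed_assessment(c),
        }
        for c in inventory
    ]


# Constructed sample inventory (hypothetical categories and attributes).
SAMPLE_INVENTORY = [
    Category("Physiologic monitoring system", True, True, "diagnostic", ["password on central station"]),
    Category("Infusion pump", False, False, "life_support"),
    Category("Electrosurgical unit", False, False, "none"),
    Category("Holter recorder", True, False, "diagnostic", ["locked storage"]),
]


if __name__ == "__main__":
    for row in build_document(SAMPLE_INVENTORY):
        print(row)
```

Running the block prints one row per category; the monitoring system (networked PHI) and the infusion pump (life support) come out flagged for detailed assessment, while the Holter recorder, which stores PHI but is not networked, is listed in the PHI scope without being flagged. Replace the assumed rules in the three `rank_*` functions with the criteria your own committee adopts; the document and flagging logic do not depend on them.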
Questions?
Stephen Grimes ~ slgrimes@nycap.rr.com
Association for the Advancement of Medical Instrumentation (AAMI) www.aami.org
American College of Clinical Engineering (ACCE) www.accenet.org