TRANSCRIPT
Headline News: Anatomy of a VIP Records Breach
Executive Series Webinar
September 24, 2014
Watch the Replay
Kim Roberts, MS, RHIA, CHP
• Privacy Specialist
• Sparrow Health System
Kurt Long
• Founder
• FairWarning, Inc.
Mike Nessen
• Customer Community Manager
• FairWarning, Inc.
Today’s Panel
Agenda
• Sparrow Health System Introduction
• VIP Records Breach Scenario
• Corrective Action Plan
• Lessons Learned
• Escalating Threats to Data
  – Patient
  – Employee
  – Physician
• Industry News: OCR Audit Update
• Next Steps
• Q&A
Anatomy of a VIP Records Breach
Kim Roberts, MS, RHIA, CHP
Background Information
» Location and Background
» Visit from a VIP Government Official
» State of Michigan Inquiry
» OCR Letter of Inquiry
Sequence of Events
• VIP admitted using alias
• VIP stay released to media by VIP staff
• VIP discharged (four-day stay)
• CPO & CISO meeting re: access audit plan
• Full audit of VIP's records in all systems
• Department Directors review of access of identified staff
• Human Resources notified of inappropriate access
• Human Resources investigation
• Sanctions imposed
• Hospital issued news release re: disciplinary actions taken for privacy policy violations
OCR and State Inquiries & Responses
• OCR Inquiry received (3 weeks)
• Response sent
• OCR response: formally closed (7 months)
• State Inquiry received (1 week)
• Response to the State of
• Second formal response and meeting
• Closed with follow-up actions (6 months)
OCR Questions
» Did caregivers impermissibly access medical records as alleged?
» If the impermissible access occurred, when did it occur?
» How did Sparrow discover the alleged occurrences?
» What did Sparrow do as a result of its findings?
Response to the Event
» Position Statement
» Actions Taken to Monitor and Investigate
» Corrective Action Plans Outcome Objectives
» Corrective Action Plan Monitoring
Position Statement
» Chronological Statement of Events
» List of Events surrounding the Breach
  » Dates of Admission
  » Alias Name Identification
» Actions Taken to Monitor the Investigation
  » Routine Manual Review of Access Logs
Manual Review of Access Logs
» Prior to Implementing FairWarning®
Concurrent Access Audit Plan
» Manual Review of Audit Files – twice daily
» Concurrent monitoring of email communications based on name and title
Retrospective Access Audit Post Discharge
» Review of 281 caregivers
» 50 to 60 hours reviewing the MR (medical record) against the Access Logs
VIP Review Workflow
» Email notifications were sent to the Directors, asking them to assess each access as:
  » Access to an account or record necessary to do their job
  » More than the minimum necessary
  » Inappropriate review for the role
Dear Colleague:
There was a recent visit of a high profile individual in the ________ and the individual had a subsequent _________. A high level review was conducted by correlating caregiver access results to the medical record. A more detailed assessment is needed to determine appropriate access for individuals under your purview. If you determine that access is inappropriate, please contact LCR to assist in the disciplinary investigation.
Audit results concerning caregiver(s) working in your area are attached for your review and are highlighted. Please complete a User Access Form for each caregiver and return the form electronically to me at:
Please complete your review within 1 week of the date of this e-mail.
Please consider the following questions as you review:
1) Did the individual access only those accounts or records necessary to do his/her job?
2) Did the individual access only the information contained in the account or record needed to do his/her job (Minimum Necessary)?
3) Was the access appropriate? If so, indicate the reason for access.
Please contact me if I can answer questions or offer assistance.
Corrective Actions Outcome Objectives: Sanctions Applied
» 31 Caregivers were referred to the Department Directors
» 21 Caregivers were Sanctioned
  » 17 Caregivers were Terminated
  » 5 were Suspended and given a Level 3 Discipline
Corrective Actions Outcome Objectives
» Action Plan – Alias Name
» Policy Review for VIPs
» Overview of all Privacy Training
» Remedial Training via E-mail
  » 10 privacy reminders
Corrective Actions Outcome Objectives: Communications
» Response to the Media
» Response to Caregivers regarding Sanctions
» Sent Privacy Email Reminders as Training to Caregivers
» News Release pertaining to Disciplinary Action
» Used focus of public attention on policies as an opportunity
Corrective Actions Outcome Objectives: Communications
» Email to the Board of Directors
  » Informing them of the Detroit Free Press inquiry and the anticipated news article
» Conducted a Privacy Summit
  » Learning and Planning Objectives
Corrective Actions Outcome Objectives: Compliance Actions and Follow Up
Centralized Electronic Access Monitoring and Reporting
» Description: System Selection, Purchase Decision and Implementation Timeline
» Description: Proactive alerts on our designated VIPs
  » Examples: VIP record access, or user access to the record of a patient who has requested Total Privacy – average of 800 alerts per month
» Audit Plan to review 8 patients per month
Corrective Action Plan Monitoring
» The results of the corrective action plan will be monitored in the following ways:
» Using the FairWarning® System to conduct routine, random reviews of employee access to patient records under the following circumstances:
» Patient is a high profile individual (VIP) known to many
» Caregiver access of the record of a patient with a surname similar to that of the caregiver
» Access of his/her own record
» Patient has requested Total Privacy upon registration for services
» Random review of patient discharges by application
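The review circumstances listed above can be expressed as rules run over an access log. This is an added illustration, not FairWarning's product logic or Sparrow's audit code; the event fields, the VIP and Total Privacy lists, the employee-to-own-record mapping and the sample rows are all constructed for the example.

```python
import random
from difflib import SequenceMatcher
from typing import NamedTuple

class AccessEvent(NamedTuple):
    user_id: str
    user_surname: str
    patient_id: str
    patient_surname: str
    application: str

# Constructed reference data (assumed; not real patients or staff).
VIP_IDS = {"p1"}                 # designated high-profile patients
TOTAL_PRIVACY_IDS = {"p4"}       # patients who requested Total Privacy at registration
OWN_RECORD = {"u102": "p3"}      # employees who are also patients: user id -> own patient id

# Constructed sample access log.
ACCESS_LOG = [
    AccessEvent("u100", "Nguyen", "p1", "Doe", "Horizon"),    # VIP record
    AccessEvent("u101", "Smith", "p2", "Smyth", "Star"),      # surname similar to caregiver's
    AccessEvent("u102", "Lopez", "p3", "Lopez", "Horizon"),   # own record (same surname as well)
    AccessEvent("u103", "Patel", "p4", "Chen", "Impax"),      # Total Privacy patient
    AccessEvent("u104", "Kim", "p5", "Garcia", "Star"),       # nothing to flag
]

def similar_surname(a: str, b: str, threshold: float = 0.8) -> bool:
    """Case-insensitive similarity; catches spelling variants such as Smith/Smyth."""
    return SequenceMatcher(None, a.casefold(), b.casefold()).ratio() >= threshold

def review_reasons(ev: AccessEvent) -> list[str]:
    """Return every monitoring rule the event trips (empty list if none)."""
    reasons = []
    if ev.patient_id in VIP_IDS:
        reasons.append("VIP")
    if ev.patient_id in TOTAL_PRIVACY_IDS:
        reasons.append("TOTAL_PRIVACY")
    if OWN_RECORD.get(ev.user_id) == ev.patient_id:
        reasons.append("OWN_RECORD")
    if similar_surname(ev.user_surname, ev.patient_surname):
        reasons.append("SIMILAR_SURNAME")
    return reasons

def events_for_review(log: list[AccessEvent]) -> list[tuple[AccessEvent, list[str]]]:
    """Events a privacy specialist should route to the Department Director."""
    return [(ev, reasons) for ev in log if (reasons := review_reasons(ev))]

def sample_discharges(discharges, per_application: int = 1, seed: int = 2014) -> dict:
    """Random review of discharges per application; fixed seed keeps the sample reproducible."""
    rng = random.Random(seed)
    by_app: dict[str, list[str]] = {}
    for patient_id, app in discharges:
        by_app.setdefault(app, []).append(patient_id)
    return {app: sorted(rng.sample(ids, min(per_application, len(ids)))) for app, ids in by_app.items()}
```

A rule hit is a reason for review, not a finding; the Director's three questions from the review letter still decide whether the access was appropriate.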
Corrective Action Plan Monitoring continued
» Evidence of Privacy related training:
» Orientation training rosters
» Completion of annual Privacy Test
» HIPAA Privacy Complaint Investigation Process
» Reporting Structure
Lessons Learned
» Sent Privacy Email Reminders as Training
» Proficiency training to include acknowledgement of the requirement to report any alleged violations
» Audit Plan equaled 1% of Total Privacy Patients (including VIPs)
» Final Audit Plan: 22% of Total Users (8,000)
[Chart: July 2009 Audit Totals by System. Y axis: Number of Audits (0 to 700). X axis, System Audited: Tsystem, Impax, OB Tracevue, Dolbey, Horizon, IRHIS, Syngo, Star. Series: Self-exams, Random Audits.]
Escalating Threats to Patient, Employee & Physician Data
[Timeline chart, Pre-2010 through 2014: Lost laptops, media, paper records; Patient Complaints; Snooping; Medical & Financial ID Theft; IRS Tax Fraud; Sale of Patient Data to Crime Rings; Sale of Physician Data to Crime Rings; Sale of Employee Data to Crime Rings]
• 45% of all identity theft relates back to the Healthcare Industry
• Source: ID Theft Center July 15, 2014 http://www.idtheftcenter.org/id-theft/data-breaches.html
• 60 Minutes Report: Biggest IRS Scam Around: Identity
• Source: http://www.cbsnews.com/news/irs-scam-identity-tax-refund-fraud-60-minutes/
Scaling a Criminal Enterprise
• Organized Crime: Taking advantage of healthcare vulnerabilities
• IRS Tax Fraud
• Financial Identity Theft
Healthcare Fraud and Organized Crime
• HHS OIG Fraud Fugitive List, Estimated $100 B of Fraud / Year
– 25% use Identity Theft of Patients, Physicians in Fraud Operations
– OIG Fugitive Profiles at hhs.oig.gov, http://goo.gl/FYgWk1
– Stolen Identity with insurance info $20; credit card info $1-2 (Dell SecureWorks), http://tinyurl.com/khq2yex
• IRS Tax Fraud – Identity Theft #1 of “Dirty Dozen”
– Dirty Dozen Tax Scams, irs.gov, http://goo.gl/lyHf7m
– Healthcare Specific Alerts, irs.gov, http://goo.gl/PQiIVV
In The News - Today
What it means to you:
• Anticipate more comprehensive on-site audits
• Take advantage of the delay by closing gaps
• Customers tell us that FairWarning® streamlines your preparation
http://www.careersinfosecurity.com/hipaa-audits-revised-game-plan-a-7296
HIPAA Audits: A Revised Game Plan More On-site Audits Planned, But All Audits on Hold for Now
In The News - Today
What it means to you:
• Meaningful Use funds are at risk
• Zero-tolerance policy for failing to document your security risk assessment
• This is a clear opportunity to improve your own information security risk posture, but the window is closing
Meaningful Use Auditors Retract $900K
Hospital fails to perform mandatory HIPAA Risk Assessment
http://ehrintelligence.com/2014/09/19/meaningful-use-audit-leaves-arkansas-hospital-owing-900000/
OCR HIPAA Audit Findings: Security Area
[Chart: Total Audit Findings and Observations by Area of Focus and Entity Type. Areas shown: Contingency Planning & Backups, Access Management, Audit Controls & Monitoring.]
Lessons Learned from OCR Privacy and Security Audits Program Overview & Initial Analysis, Presentation to IAPP Global Privacy Summit March 7, 2013, http://abouthipaa.com/wp-content/uploads/Lessons-Learned-from-OCR-Privacy-and-Security-Audits-Sanches_Rinker_03-07-2013.pdf
Escalating Expertise Required
Pre-2009 (HITECH)
• Global Investigations
2013/2014 (Post-HIPAA Omnibus)
• Security Incident Management
• Advanced Analytics, Filtering
• Proactive Alerts
• Global Investigations
Expertise Gap
– Removal of Harm Standard
– New Reporting & Notification Requirements
• Partial FTE
• Security, Forensics & Compliance Expertise
• OCR Audit Experience
• Clinical Data & Workflow Expertise
• Investigations & Security Skills
Collaboration for Patients’ Sake
FairWarning® and our customers envision a healthcare industry in which patients
confidently share their sensitive medical details to receive the best care possible
without regard to privacy concerns.
Next Steps
• ONC Security Risk Assessment Tool
• For more information, please email [email protected]
• Managed Privacy Services Advanced Demonstration, October 28, 2014 – Register Now
• Are You Ready for Round Two (of HIPAA Compliance Audits)?
http://www.natlawreview.com/article/are-you-ready-round-two-hipaa-compliance-audits
• A pdf copy of this presentation and the embedded links will be distributed after the event
Questions?
Please submit via the Webex Q&A or Chat windows to the right side of your screen
Questions and Answers