Managing the HIPAA & The Audit Trail Wayne Pierce, C|CISO

Post on 14-Dec-2015


Page 1: Managing the HIPAA & The Audit Trail Wayne Pierce, C|CISO

Managing the HIPAA & The Audit Trail

Wayne Pierce, C|CISO

Page 2

Overview

• Background

• Compliance vs. Security

• Recent HIPAA Changes

• HIPAA Audit Requirements
– Common Problems

• Industry Trends
– Expected Regulation
– New Technology

Page 3

Background

• Working in information security professionally for 19 years.

• Currently manage information security for a 700M+ health network.

• Active member of HIPAA-COW
– Risk and Security workgroups

Page 4

Compliance is not Security.

• Compliance is about meeting a checklist. While it can help address security issues, you are not secure just by being compliant.

• HIPAA Security requires a risk assessment to help bridge this gap.

Page 5

Regulation or Policy

What we must do.

Technical Capabilities

What we can do.

Operational Request

What we want to do.

Page 6

GAP Analysis vs. Risk Assessment

• The HIPAA Security Rule requires both a GAP analysis and a risk assessment.
– The GAP analysis is focused on policies and procedures being in place.
– The risk assessment is broader in focus and allows HIPAA to be applied to organizations of all sizes.

Page 7

Recent HIPAA Changes - Timelines

• Almost all provisions went into effect March 26, 2013. Compliance enforcement will begin September 23, 2013.

• Existing Business Associate Agreements (prior to January 25, 2012) do not need to be updated until September 22, 2014.

Page 8

Recent HIPAA Changes – Breach Notification

• The “harm threshold” has been removed and replaced with 4 objective factors.
– This will result in more incidents being considered a breach and needing to be reported.

• A risk analysis must be performed for each incident.
– OCR will issue guidance to aid us in performing risk assessments for frequently occurring scenarios.

Page 9

Recent HIPAA Changes – Business Associates

• Business Associates and their sub-contractors are now directly liable under HIPAA.
– Business Associates and their sub-contractors must have a HIPAA Privacy and Security program.

• Covered Entities are still accountable for the actions of their Business Associate and can be fined if they have a breach.

Page 10

Recent HIPAA Changes - Enforcement and Penalties

• The penalty amount has not changed from the interim rule.
– $100 to $50,000 per violation, up to an annual maximum of $1.5 million per provision violated.

• OCR is now required to conduct a compliance review if willful negligence is indicated following a preliminary review.
– This could result in more government oversight and additional fines.

Page 11

Recent HIPAA Changes - Privacy Requirements

• There are several changes concerning the use of PHI for areas such as fundraising, marketing and student immunization records.

• Individuals have new rights to restrict disclosure of information that they pay for out of pocket.
– If requested, this information must be restricted from going to an insurance company. The patient is responsible for notifying anyone “downstream” about the restriction.

Page 12

Recent HIPAA Changes - Security Requirements

• No new Security Rule requirements have been established; however, all interim requirements are now final.

• Larger fines are being levied for incidents which OCR feels are common sense.
– Failure to encrypt a laptop has cost one entity $1.5 million and extra government auditing for the next 20 years at the entity’s expense.

Page 13

HIPAA Audit Requirements

• The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.

• The protocol covers Security Rule requirements for administrative, physical, and technical safeguards

• The protocol covers requirements for the Breach Notification Rule.

• Privacy and Breach – 88

• Security – 77

Source: http://ocrnotifications.hhs.gov/hipaa.html

Page 14

HIPAA Audit Requirements - Top Items

• Data Classification

• Risk Assessments

• System Activity Review Process

• Security Training

• Security Incident Response

• Business Continuity and Disaster Recovery

The key is being able to prove that your choices were deliberate.

Page 15

HIPAA Audit Requirements – Common Problems

• FDA Certified devices
– May not always have auditing capabilities.

• Microsoft Excel and Access
– Hard to audit and may not be known.

• Network File Storage
– Hard to audit and is usually not deleted.

• Text Messaging
– Can’t be audited, sent unencrypted and stored on the cell provider’s system.

Page 16

HIPAA Audit Requirements - Tools

• You must have a good operational security management program.

• Primary tool to find and manage PHI is Data Loss Prevention (DLP)
– Shows information stored or transmitted over the network or on a computer.
– Actions can be blocked or changed.

• No saving to thumb drives unless the drive is encrypted.

• Routing outbound emails that have PHI through the encryption system.

• HIPAA-COW has a free risk toolkit that maps to the OCR Audit Protocol.
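The slide above names two DLP actions (block saves of PHI to unencrypted thumb drives; route outbound e-mail containing PHI through the encryption system) and the talk's recurring theme is being able to prove to an auditor that each choice was deliberate. The following Python is an added illustration of that policy loop and is not code from the talk or from any DLP product. The PHI indicator patterns (SSN, MRN, DOB), the internal domain `hospital.example`, the user name and the sample note are all constructed for the example; a real DLP engine would rely on maintained dictionaries, document fingerprints and the data classification the audit protocol expects.

```python
"""Toy DLP policy check for the two actions the slide names: blocking
saves of PHI to unencrypted thumb drives and routing outbound mail that
contains PHI through the encryption gateway. Every decision is recorded
so the choice can later be shown to an auditor. Added example, not from
the talk; all patterns, names and sample text are constructed."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed indicator patterns (assumption: a real DLP engine would use
# maintained dictionaries, document fingerprints and data classification).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
}

# Hypothetical internal domain; mail staying inside it is not "outbound".
INTERNAL_DOMAIN = "hospital.example"


def find_phi(text: str) -> dict:
    """Return {indicator: match_count} for every PHI pattern that fires."""
    hits = {}
    for name, pattern in PHI_PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


@dataclass
class Decision:
    action: str              # "allow", "block" or "encrypt"
    reason: str
    indicators: dict = field(default_factory=dict)


def evaluate_usb_save(content: str, drive_encrypted: bool) -> Decision:
    """Slide rule: no saving to thumb drives unless the drive is encrypted."""
    hits = find_phi(content)
    if hits and not drive_encrypted:
        return Decision("block", "PHI written to unencrypted removable media", hits)
    if hits:
        return Decision("allow", "PHI present but removable media is encrypted", hits)
    return Decision("allow", "no PHI indicators found", hits)


def evaluate_outbound_email(body: str, recipient_domain: str) -> Decision:
    """Slide rule: outbound e-mail containing PHI goes via the encryption system."""
    hits = find_phi(body)
    external = recipient_domain.lower() != INTERNAL_DOMAIN
    if hits and external:
        return Decision("encrypt", "PHI leaving the organization; route via encryption gateway", hits)
    if hits:
        return Decision("allow", "PHI present but recipient is internal", hits)
    return Decision("allow", "no PHI indicators found", hits)


def record_decision(log: list, channel: str, user: str, decision: Decision) -> dict:
    """Append an audit entry: who, which channel, what was decided and why."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "channel": channel,
        "user": user,
        "action": decision.action,
        "reason": decision.reason,
        "indicators": dict(decision.indicators),
    }
    log.append(entry)
    return entry


def run_demo() -> list:
    """Apply both rules to constructed sample content and return the audit log."""
    log = []
    note = "Patient MRN: 00123456, DOB 01/02/1970, SSN 123-45-6789, follow-up Tuesday."
    record_decision(log, "usb", "jdoe", evaluate_usb_save(note, drive_encrypted=False))
    record_decision(log, "usb", "jdoe", evaluate_usb_save(note, drive_encrypted=True))
    record_decision(log, "email", "jdoe",
                    evaluate_outbound_email(note, "insurer.example"))
    record_decision(log, "email", "jdoe",
                    evaluate_outbound_email("Lunch moved to 1pm.", "insurer.example"))
    return log


if __name__ == "__main__":
    for entry in run_demo():
        print(entry["channel"], entry["user"], entry["action"], "-", entry["reason"])
```

The point of the `record_decision` step is the audit trail: an "allow" is logged with its reason just as a "block" is, so that when an auditor asks why PHI reached an encrypted drive or an internal mailbox, the answer is a recorded policy decision rather than a reconstruction after the fact.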

Page 17

Industry Trends – Expected Regulation

• With the new HIPAA rules we did not get an update to the Accounting for Disclosures requirement.
– Currently Payment, Treatment and Operations are exempt. This exemption may be removed in the future.

Page 18

New Technology - mHealth

• An increasing number of devices are being incorporated into smartphones as applications.
– Pros: Individuals can take more control over their health, reducing costs and most likely saving lives.
– Cons: Information is siloed within applications, may not be treated securely and applications may not perform the desired function.

At some point doctors will prescribe applications, not just medications.

Page 19

New Technology – Google Glass

• Wearable computer system that can overlay information through a head mounted display.
– Pros: Google Glass could allow diagnostic imaging to be overlaid onto a patient while surgeries are being performed so that a separate system does not need to be referenced.
– Cons: Currently all traffic routes through Google’s servers. The system is not

Given the interest and money at stake the cons will be addressed quickly.

Page 20

New Technology – Brain Machine Interface

• A way to read brain waves and directly translate them into computer actions.
– Pros: Allows paralyzed people to interact with their world.
– Cons: Who is accountable for the software and security of an implanted computer? When a computer’s actions are based upon your thoughts, who has a right to the logs?

This may seem far off, but on Feb 28th Brown University announced a “wireless, broadband, rechargeable, fully implantable brain sensor that has performed well in animal models for more than a year.”

Source: http://news.brown.edu/pressreleases/2013/02/wireless