Managing Risk Exposure in Meaningful Use Stage 2


Upload: compliancy-group

Posted on 28-Nov-2014


Category: Education



DESCRIPTION

The Compliancy Group offers a FREE HIPAA education series. Please view our profile to see all of our webinars or visit us at www.compliancy-group.com

TRANSCRIPT

Page 1: Managing Risk Exposure in Meaningful Use Stage 2

855.85HIPAA  www.compliancygroup.com

Industry leading Education

• Please ask questions
• #CGwebinar
• Today's slides are available at http://compliancy-group.com/slides023/
• Past webinars and recordings: http://compliancy-group.com/webinar/

Page 2: Ensuring Patient Privacy: The Need to Monitor for Inappropriate Access to ePHI

This document may not be reproduced, transmitted, or distributed without the prior permission of All Medical Solutions

Page 3: Introduction

© Copyright 2013 All Medical Solutions

About the Speaker: Stephen Salinas serves as Senior Business Development Consultant and Channel Manager at All Medical Solutions (AMS). While at AMS, Stephen has worked alongside California's two most successful Regional Extension Centers (HITEC-LA and COREC), overseeing the successful adoption of EHR technology and Meaningful Use by over 1,200 California physicians.

About All Medical Solutions: All Medical Solutions (AMS) is a healthcare organization consultancy and solutions development division of Fusion Systems Co., Ltd., a global Information Technology Solutions consulting business. Based in California, AMS has over 20 years of experience in developing proprietary technology products for Fortune 500 companies and over 10 years in bringing tailored and insightful solutions to national and regional healthcare providers. As a Service Partner of two RECs, AMS has witnessed first hand the many issues healthcare organizations face with regards to HIPAA and Meaningful Use. AMS launched SPHER™ in 2013, an online state-of-the-art Electronic Health Record (EHR) monitoring solution which fulfills federal HIPAA audit requirements. For more information, go to amsspher.com.

Page 4: Today's Topic

Ensuring Patient Privacy: The Need to Monitor for Inappropriate Access to ePHI

A look into the current state of healthcare and security, your obligations under HIPAA to monitor user activity of your EHR to ensure patient privacy rights are protected, and an outline of what should be done to protect your organization from the threat of a privacy breach.

Page 5: Agenda

The Need to Become Compliant with HIPAA
• The current state of healthcare and security
• Results of the OCR Pilot HIPAA Audits of 2012
• User Activity Monitoring: the #1 security deficiency
• The official OCR HIPAA Audits enforced in 2013

A Deeper Dive into User Activity Monitoring (Privacy Monitoring)
• The importance of User Activity Monitoring
• User Activity Monitoring references in HIPAA and Meaningful Use
• Identifying the hurdles organizations face when aiming for compliance
• How to correctly implement, document, and maintain a Privacy Monitoring program

Re-evaluating Your Current Security Posture
• The need to prioritize Privacy Monitoring and Workforce Education
• Case Studies

Page 6: What is a Privacy Breach?

According to HIPAA, "an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised."

– 4 factors:
  • Nature and extent of the PHI involved
  • The unauthorized person who used the PHI or to whom disclosure was made
  • Whether PHI was actually acquired or viewed
  • Extent to which the risk to the PHI has been mitigated

Page 7: The Current State of Healthcare and Security

The cost of a Privacy Breach
• Healthcare industry loses $7 Billion a year due to privacy breaches
• Average cost of a privacy breach = $2.4 million
• 94% of healthcare organizations have had at least one data breach in the last two years
• Compared to all other industries in the US, healthcare had the highest per capita breach cost
• 54% of organizations have little or no confidence they can quickly detect privacy breaches (Ponemon Institute)

Page 8: The Need to be Compliant with HIPAA

"The HIPAA/HITECH rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of [the Office of Civil Rights] to vigorously enforce the HIPAA privacy and security protections." (Leon Rodriguez, Head of OCR)

Page 9: The Driver for HIPAA/HITECH Audits

• Section 13411 of the HITECH Act
  – Mandatory audits will occur separate from the standard audits now in place.
• US Government Accountability Office GAO-12-481
  – GAO evaluates the HITECH EHR/Meaningful Use Incentive Program managed by CMS
  – Proposes the need for "Meaningful Use Audits" to ensure hospitals and providers participating in the program have not falsely attested to achieving Meaningful Use
  – 10% of Hospitals and 20% of Providers that attested for Meaningful Use will be audited
• HIPAA Omnibus Final Rule redefines and increases Civil Monetary Penalties
  – Civil Money Penalties (CMPs) for covered entities have been increased to a $1.5 million cap per violation for violations due to willful neglect ("did not know")
  – Willful Neglect – Not Corrected: defined as a breach resulting from an intentional failure or reckless indifference of HIPAA obligations, where the breach was not corrected immediately after discovery. Violations are counted as the number of patient records affected.
• HHS Contracts KPMG – 2012 Audit Pilot Program
  – 115 Covered Entities (CEs) audited during Q4 2012
  – CEs were selected at random, not based on prior HIPAA infractions
  – #1 Discrepancy: NO User Activity Monitoring

Page 10: KPMG Pilot Audits: Privacy/Security/Breach Non-Compliance (chart)

Page 11: KPMG Findings – Top 9 Security Issues

Auditors reported that the CEs "did not know" it was required

*Reused with permission from Adam H. Greene, JD, MPH, from the PPN Final Omnibus Presentation

Page 12: HIPAA/HITECH Audits Occurring in 2013

• Covered Entities can expect two (2) separate audits where they will be required to demonstrate HIPAA Compliance
  – Q1 2013: CMS Meaningful Use (MU) Audits
  – Q4 2013: HHS OCR Privacy/Security/Breach Audit Program

Page 13: CMS Meaningful Use Audits

• Q1 2013: CMS Meaningful Use (MU) Audits
  – 10% of Hospitals and 20% of Providers will be audited and must be able to demonstrate that they met the required MU criteria
    • If an audited entity has failed to correctly attest to even a single metric, that participant will be required to return all of the funds and face the possibility of fraud charges
    • Specifically MU Core Measure 14 for Hospitals, MU Core Measure 15 for Providers (HIPAA Security Rule Compliance)
  – Measure: Conduct or review a security risk analysis in accordance with § 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of the risk management process.
  – You will be required to submit a copy of your Security Risk Assessment as well as an outline of your risk management process showing the security safeguards (policies and procedures) both implemented to date and in progress.
    • If the entity is unable to demonstrate compliance with the HIPAA Security Rule, the entity may be subject to the more stringent HHS OCR Audit

Page 14: HHS OCR Audit Program

• Q4 2013: HHS OCR Privacy/Security/Breach Audit Program
• Increased number of Audit Protocol Procedures compared to the OCR KPMG Pilot Audit Program
  – Privacy Audit Procedures: 68 → 81
  – Security Audit Procedures: 77 → 78
    • 9 of the Audit Procedures directly relate to User Activity Monitoring
  – Breach Notification Audit Procedures: 10

Learn more about the HIPAA Audit Program Protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

Page 15: The OCR Audit Process

• Advance 30-90 day notification by mail
• 15-day deadline to respond to a large documentation request
• 3-5 day on-site data collection by up to 5 auditors
  – Interviews of key personnel and assorted staff members, site walkthroughs, operational reviews, and requests for further information
• Draft report issued, 10-day window to respond
• Final report issued, imposing CMPs and corrective action

Process flow: Notification letter and request for documentation sent to Covered Entity → Receiving and reviewing documentation and planning the audit field work → On-site field work → Draft audit report → Covered Entities review and comment on draft audit report → Final audit report

Page 16: A Deeper Dive into User Activity Monitoring

HIPAA requires user activity monitoring

You must review your EHR audit logs for inappropriate access

Protect your Patients' Privacy by adhering to the law

Page 17: What is Inappropriate Access and Disclosure?

• HHS outlines what is defined as inappropriate access and disclosure under the HIPAA Privacy Rule:

"HIPAA is based on sound current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information."

Page 18: Outline the Problem

• Internal workforce and 3rd parties have access to your patients' ePHI
• You grant access to PHI under the assumption that privacy policies will be followed in the strictest sense
• New information systems are put in place (EHR)
• Implementing new policies, procedures, and security safeguards is an afterthought
• Staff are not effectively educated on the new policies and procedures
• Management is not strictly and routinely enforcing them
• Current and newly adopted policies and procedures may not be strong enough and will need to be revised
• It is the covered entity's responsibility to monitor all access to ePHI, including access granted to Business Associates
• Your Risk/Vulnerability of facing an internal privacy breach is high

Page 19: HIPAA Security Related Regulations

HIPAA Security Rules
• Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. § 164.308(a)(1)(ii)(D)
• Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. § 164.312(B)
• Implement procedures for monitoring log-in attempts and reporting discrepancies. § 164.308(a)(5)(ii)(C)
• Retain required documentation of policies, procedures, actions, activities or assessments required by the HIPAA Security Rule for six years from the date of its creation or the date when it last was in effect, whichever is later. § 164.316(B)(1)(ii)

Meaningful Use Requirements
• ONC certification for EHR technology requires an EHR to produce an audit log. § 170.302(r)
• Conduct a Security Risk Assessment per HIPAA § 164.308(a)(1), implementing security updates as necessary and correcting deficiencies… Meaningful Use Core Measure 14 for Hospitals, 15 for Providers

Page 20: Insurance Exclusions

• "For arising out of or resulting from any act, error, omission, incident, failure of Computer Security."
• "Based upon, arising from, or in consequence of any claim or proceeding brought by or on behalf of any federal, state, or local government agency or authority; or licensing or regulatory organization."

Due to the increasing number of ePHI related breaches since the adoption of EHR, insurance companies are utilizing their exclusion clauses. Many policies do not cover breaches due to reckless indifference of HIPAA obligations (willful neglect).

If found negligent, the Insurance Carrier is not obligated to pay these:
• Civil Money Penalties (CMPs) mandated by the OCR and Class Action Lawsuits
• Costs associated with fulfilling breach notification requirements and loss of income due to site failure
• Credit card monitoring services for affected patients, etc.

Source: Beazley, Chubb, Doctors Company, Lloyds of London

Page 21: Common Misconceptions

• "This is a responsibility that is supposed to be handled by my EHR vendor (or other health information system)"
  – As required by Federal ONC-Certification for EHRs, the vendor's obligation to the client is to ensure that their system is audit capable, i.e. that it can generate a "human readable" audit log
• "This is a responsibility that can be handled by my IT department"
  – Reviewing audit logs requires practical knowledge of healthcare workflow as well as the organization's policies and procedures; this is the responsibility of the privacy/security department

Page 22: Why is user activity monitoring important?

"While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious. Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today, up 22 percent since the first survey." (Larry Ponemon, Chairman of Ponemon Institute)

Page 23: What does the audit log tell you?

5 Core Audit Log Attributes
• Date: provides a precise date for organizations to see who has accessed patient information
• Time: provides a precise time for organizations to see who has accessed patient information
• User: provides a clear definition of all user access within organizations, to know who has data privileges
• Patient: maintains a record of all authorized and unauthorized access to specific patient information
• Action: must be recorded when health information is viewed, created, modified, exported, or deleted

Page 24: Full Review vs Partial Review

The Facts:
• Auditing takes so many resources and so much time that it is near impossible to do manually.

The Math:
• Time for auditing 1 line: ~15 seconds
  – Event correlation: is this specific activity permitted?
  – Users of the EHR: staff, HIE, vendors, etc.
• Calculations for level of effort*:
  – Average daily audit log: ~3560 lines per provider (3 to 4 staff)
• 100% review by use of trained staff and an automated incident detection tool is the NIST standard**

  Range   Day          Week         Month         Year
  100%    14.83 hours  74.16 hours  296.60 hours  3,559 hours
  80%     11.86        59.32        237.28        2,846
  20%     2.97         14.86        59.32         713

* Calculations using 20 business days in a month
** NIST SP 800-92: use trained staff and a tool to review 100% of logs

Page 25: The method of auditing audit logs

Basic auditing methods: these methods will only allow you to detect large security incidents. Examples:

1. Abnormal times of access: accessing records during non-standard hours for that particular user
2. Abnormal number of patient records accessed per user: seeing a spike of 100 patients vs. the average 20 that particular user sees per day
3. Abnormal exports or deletions of information

Page 26: The method of auditing audit logs (continued)

Advanced auditing methods (known as Behavioral Analytics): these methods will allow you to detect smaller security incidents. Examples:

1. Role based behavior: authorized uses of PHI by role (Physicians, Nurses, Medical Assistants, Administrators, etc.)
2. Individual behavior: tracking of individual users' patterns of behavior
   i. A medical assistant working in the front office accesses the system in a different way (check-in/check-out procedures) than a medical assistant working in the back office (documenting vital signs)
   ii. Individuals may only be allowed to work in a single department, whereas other individuals float from department to department, having multiple roles and responsibilities within the organization
3. Patient Workflow: tracking of the documented order of events as a patient navigates through the office
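The three basic methods (abnormal time, abnormal patient volume, exports/deletions) and the role-based check from the behavioral-analytics list, run over a constructed EHR audit log that carries the five core attributes (date, time, user, patient, action). This is an added example, not SPHER or AMS code; the working-hours windows, per-user patient baselines, role directory and the 3x spike threshold are assumptions standing in for an organization's own policy.

```python
from collections import defaultdict
from datetime import datetime, time

# Assumed policy tables (not from the slides): each user's working window,
# each user's normal number of distinct patients per day, the user's role,
# and the actions each role may perform. A real deployment would load these
# from the organization's HR directory and EHR role configuration.
WORK_HOURS = {"jdoe": (time(7), time(19)), "mrivera": (time(8), time(17)),
              "tkim": (time(8), time(17))}
BASELINE_PATIENTS = {"jdoe": 20, "mrivera": 25, "tkim": 30}
ROLES = {"jdoe": "nurse", "mrivera": "medical_assistant", "tkim": "physician"}
ROLE_ACTIONS = {
    "physician": {"view", "create", "modify", "export", "delete"},
    "nurse": {"view", "create", "modify"},
    "medical_assistant": {"view", "create"},
}
SPIKE_FACTOR = 3                  # assumed: flag a day above 3x the user's baseline
SENSITIVE = {"export", "delete"}  # method 3: every export or deletion is reviewed

# Constructed sample log, one event per line, carrying the five core
# attributes. jdoe's 65 distinct patients on 2013-06-19 mimics the
# "100 patients vs. the usual 20" spike the slide describes.
SAMPLE_LOG = (
    "2013-06-18 08:05:12,jdoe,P1001,view\n"
    "2013-06-18 08:07:40,jdoe,P1002,modify\n"
    "2013-06-18 02:13:05,mrivera,P1003,export\n"  # off hours, export, outside role
    "2013-06-18 14:22:51,tkim,P1004,delete\n"     # within role, but a deletion
    + "".join(f"2013-06-19 10:{i:02d}:00,jdoe,P2{i:03d},view\n" for i in range(60))
    + "".join(f"2013-06-19 11:{i:02d}:00,jdoe,P3{i:03d},view\n" for i in range(5))
)


def parse_line(line):
    """Split one log line into date/time, user, patient and action."""
    stamp, user, patient, action = line.strip().split(",")
    return {"when": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "user": user, "patient": patient, "action": action}


def review_log(log_text):
    """Return (rule, user, detail) findings for the security officer to investigate."""
    findings = []
    patients_per_day = defaultdict(set)  # (user, date) -> distinct patients seen
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, when, action = ev["user"], ev["when"], ev["action"]
        patients_per_day[(user, when.date())].add(ev["patient"])
        start, end = WORK_HOURS[user]
        if not start <= when.time() <= end:          # method 1: abnormal time
            findings.append(("off_hours", user, when.isoformat()))
        if action in SENSITIVE:                      # method 3: export/delete
            findings.append(("sensitive_action", user, f"{action} {ev['patient']}"))
        if action not in ROLE_ACTIONS[ROLES[user]]:  # role-based behavior
            findings.append(("role_violation", user, f"{ROLES[user]} did {action}"))
    for (user, day), patients in patients_per_day.items():  # method 2: volume
        baseline = BASELINE_PATIENTS[user]
        if len(patients) > SPIKE_FACTOR * baseline:
            findings.append(("volume_spike", user,
                             f"{day}: {len(patients)} patients vs baseline {baseline}"))
    return findings


def count_by_rule(findings):
    """Summarize findings as {rule: count}, e.g. for the incident tracking report."""
    counts = defaultdict(int)
    for rule, _user, _detail in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, user, detail in review_log(SAMPLE_LOG):
        print(f"{rule:16} {user:8} {detail}")
```

Every finding is a lead for the documented investigation the later slides ask for, not a breach determination; the medical assistant's 02:13 export trips three rules at once, while the physician's daytime deletion is flagged only because deletions are always reviewed.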

Page 27: How do I demonstrate compliance?

• A sound policy and procedure for auditing user activity (reviewing of audit logs) outlining a clear methodology
  – Frequency and timeliness of review, as well as the extent to which logs are reviewed
  – A documented history of reviewed audit logs as well as security incident tracking reports (outlining all suspicious security incidents you've flagged for further investigation)
• A sound policy and procedure for an incident response plan outlining how you respond to suspicious security incidents
  – Timeliness to notify/interview key personnel as well as the individual responsible
  – Who to contact and steps to take in the event that the flagged incident is in fact a Privacy Breach
  – A documented history of your investigation of flagged incidents, the results of your investigation, and the response taken (enforcing sanction policies or staff re-education as needed)
• Education: workforce members and 3rd parties that have access to your systems must be made aware that their activity is continuously monitored
  – Must be made aware that they must comply with any further investigation needed by the Security Officer(s)
  – Are subject to Sanction Policies in the event that they have caused a privacy breach

Page 28: From an auditor's perspective

• You want to demonstrate your ability to find potential security incidents regardless of whether they were a privacy breach or not
  – It demonstrates your ability to enforce HIPAA
  – Non-breaches give you valuable information about where security vulnerabilities may exist
• After the investigation leads you to believe that the incident does not constitute a privacy breach, ask yourself: had the individual had malicious intent, could they have caused a breach?
• Routine investigations with staff members also serve as a means to re-educate and reinforce your security posture
• Your ability to immediately identify a breach AND immediately respond to it (within 30 days) works in your favor should you be faced with an OCR investigation
• The use of an automated security system that reviews ALL access to ePHI is your best defense
  – The audit log review remains impartial and allows for automatic documentation

Page 29: Case Study

Cedars-Sinai Medical Center, Los Angeles (June 18th-24th)

"Medical Record Breaches Following Kardashian Birth Reveal an Ongoing Issue"

• An automated security system was in place and immediately flagged this activity for review
• The internal investigation and breach notification process occurred immediately after the event took place.
• 5 staff members and 1 volunteer from the adjacent Cedars-affiliated physician offices were immediately fired
• Physicians had shared with their employees their EHR usernames and passwords to access the hospital system, in violation of hospital policy. Cedars is in the process of addressing the conduct of the physicians partly at fault and has indefinitely terminated their access.
• How will they fare during the OCR investigation?

Page 30: Affirmative Defense and Good Faith Effort

• The OCR may not impose CMPs on a CE or BA for a violation if the CE or BA establishes that the violation is:
  – Not due to willful neglect; and
  – Corrected during the 30-day period beginning on the first date the CE or BA knew, or by exercising reasonable diligence would have known, that the violation occurred.
• However, in order to make a claim to affirmative defense, you must be able to quickly detect breaches in the first place.

Page 31: Re-evaluating Your Current Security Posture

• Top factors that lower overall costs as it relates to minimizing/mitigating breaches:
  1. Strong security posture (risk management and education/training)
  2. Incident response plan (incident detection/investigation and breach notification)
  3. Appointment of a CISO or equivalent position (centralizing the management of data protection)
  4. Consultants engaged to help remediate the breach

Page 32: Automated EHR-Centric Breach Detection

• Impartial vs. Manual Log Review
• HIPAA Compliance Audit Log Requirement
• Proactive Incident & Breach Detection
• Self Reporting & Document Storage
• Improved HIPAA Reporting Accuracy
• Complements EHR Security Framework
• Time Savings (more patient focused)
• Six (6) Year Activity Reporting §164.316(b)(2)(i)

Page 33

To learn more about SPHER™ please visit: www.AMSSPHER.com

[email protected]

Stephen Salinas, Channel Manager, All Medical Solutions
Tel: (310) 602-5140  Fax: (310) 531-7397

Page 34

Free Demo and 15 Day Evaluation: www.compliancy-group.com

HIPAA Hotline 855.85HIPAA (855.854.4722)

• HIPAA Compliance
• HITECH Attestation
• Omnibus Rule Ready
• Meaningful Use Core Measure 15