Overview of HIPAA Security and Breach Notification Rules
Presented by: David Holtzman, VP, Compliance Strategies
CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 [email protected] cynergistek.com @CynergisTek

Post on 04-Aug-2020


Page 1: Overview of HIPAA Security and Breach Notification Rules
Presented by: David Holtzman, VP, Compliance Strategies

Page 2: Agenda

• HIPAA & its Security Rule
• Key Methods to Securing e-PHI
• How to Identify Phishing
• Questions

Page 3: HIPAA & its Security Rule

Page 4: What is HIPAA?

• Health Insurance Portability & Accountability Act of 1996
• Framework for protecting patient confidentiality, security standards for electronic systems, and standards for electronic transmission of health information
• Notification to individuals, government and media if there is a breach of protected health information (added in 2009)

Page 5: Privacy Rule is Foundation & Floor

• Privacy Rule
• Breach Notification
• Security Rule

Page 6: Who is Covered?

• Covered Entities and Business Associates are required to comply with the Privacy, Security and Breach Notification Rules
• Covered Entities (CE) are defined as:
– Health care providers who transmit health information electronically in connection with a transaction for which there is a HIPAA standard
– Health plans
– Healthcare clearinghouses

Page 7: Business Associates

• Agents, contractors, and others hired to do the work of, or to work for, the CE, where such work requires the use or disclosure of protected health information (PHI)
• BAs are required to have Privacy Rule policies & procedures regarding uses & disclosures and minimum necessary
• BAs assess unauthorized uses & disclosures to determine if a breach has occurred and notify the CE of any breach
• The Privacy and Security Rules require CEs and BAs to receive “satisfactory assurance”
– Assurance usually takes the form of a contract
– The BA may only use or disclose PHI as permitted by the agreement
– The BA must safeguard PHI from unauthorized disclosure

Page 8: Guiding Principles of HIPAA Security

• Confidentiality: only the right people see it
• Integrity: the e-PHI is what it is supposed to be, with no unauthorized alteration or destruction
• Availability: the right people can see the e-PHI when needed

Page 9: Scope of HIPAA Security Rule

Applies to e-PHI that a Covered Entity or Business Associate has:
• Created
• Maintained
• Stored
• Transmitted

Page 10: Goals of HIPAA Security Standards

• Protect e-PHI against reasonably anticipated threats or hazards to the security or integrity of information
• Protect against reasonably anticipated uses and disclosures not permitted by the Privacy Rule
• Establish policies, procedures and training to ensure compliance by workforce

Page 11: HHS Approach to HIPAA Security

• Standards to assure the confidentiality, integrity, and availability of PHI
• Through reasonable and appropriate safeguards
• Addressing vulnerabilities identified through risk analysis & risk management
• Technology neutral
• Safeguards appropriate to the size and complexity of the organization

Page 12: Security Rule Safeguards

Administrative Safeguards:
• Risk analysis
• Risk management
• Security official
• Workforce security
• Access management
• Security awareness & training
• Incident procedures and contingency plans
• Periodic risk evaluation
• BA agreements

Physical Safeguards:
• Facility access
• Workstation use
• Workstation security
• Device and media controls

Technical Safeguards:
• Access control
• Audit controls
• Integrity
• Person or entity authentication
• Transmission security

Page 13: Information Security Risk Assessment

• An assessment of threats and vulnerabilities to information systems that handle e-PHI.
• This provides the starting point for determining what is ‘appropriate’ and ‘reasonable’.
• Organizations determine their own technology and administrative choices to mitigate their risks.
• The risk analysis process should be ongoing and repeated as needed when the organization experiences changes in technology or operating environment.

Page 14: What is Risk Assessment?

The process of:
• Analyzing threats and vulnerabilities in a specified environment
• Determining the impact or magnitude
• Identifying areas needing safeguards or controls

Page 15: Performing a Risk Analysis

Gather Information:
• Prepare inventory lists of information assets: data, hardware and software.
• Determine potential threats to information assets.
• Identify organizational and information system vulnerabilities.
• Document existing security controls and processes.

Analyze Information:
• Evaluate and measure risks associated with information assets.
• Rank information assets based on asset criticality and business value.
• Develop and analyze multiple potential threat scenarios.

Develop Remedial Plans:
• Prioritize potential threats based on importance and criticality.
• Develop remedial plans to combat potential threat scenarios.
• Repeat risk analysis to evaluate success of remediation and when there are changes in technology or operating environment.
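A worked illustration of the three steps above (gather, analyze, develop remedial plans) as a small risk-scoring script. It is an added example, not material from the presentation; the assets, the 1 to 5 scales, the control-effectiveness values and the remediation threshold of 20 are constructed assumptions.

```python
"""Risk analysis as described on slides 13-15: inventory assets, pair them with threat
scenarios, score inherent and residual risk, then rank for remediation.
Added illustration: the assets, scales and control-effectiveness values are constructed."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    kind: str            # inventory category from the slide: data, hardware or software
    criticality: int     # 1 (low) .. 5 (high): asset criticality / business value
    holds_ephi: bool


@dataclass
class ThreatScenario:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int      # 1..5: chance the threat exploits the vulnerability
    impact: int          # 1..5: magnitude of harm to confidentiality, integrity or availability
    controls: dict = field(default_factory=dict)   # documented control -> effectiveness 0.0..1.0

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact * self.asset.criticality

    def residual_risk(self) -> float:
        # Each existing control is assumed to independently remove its share of the risk.
        remaining = 1.0
        for effectiveness in self.controls.values():
            remaining *= 1.0 - effectiveness
        return round(self.inherent_risk() * remaining, 2)


def rank_scenarios(scenarios):
    """Prioritize: highest residual risk first; e-PHI-bearing assets win ties."""
    return sorted(scenarios, key=lambda s: (s.residual_risk(), s.asset.holds_ephi), reverse=True)


def needs_remediation(scenario, threshold: float = 20.0) -> bool:
    """Assumed risk-acceptance threshold; anything at or above it gets a remedial plan."""
    return scenario.residual_risk() >= threshold


# Constructed sample inventory and threat scenarios
EHR_DB = Asset("EHR database", "data", 5, True)
LAPTOP = Asset("clinician laptop", "hardware", 3, True)
WIFI = Asset("guest Wi-Fi controller", "hardware", 2, False)

SCENARIOS = [
    ThreatScenario(EHR_DB, "ransomware", "unpatched application server", 4, 5,
                   {"offline backups": 0.5, "endpoint anti-malware": 0.3}),
    ThreatScenario(LAPTOP, "theft or loss", "e-PHI stored on local disk", 3, 4,
                   {"full-disk encryption": 0.9}),
    ThreatScenario(WIFI, "rogue access", "default admin credentials", 3, 2),
]

if __name__ == "__main__":
    for s in rank_scenarios(SCENARIOS):
        action = "REMEDIATE" if needs_remediation(s) else "accept / monitor"
        print(f"{s.residual_risk():6.2f}  {s.asset.name:24} {s.threat:14} {action}")
```

Note how the encrypted laptop drops below the unencrypted Wi-Fi controller once existing controls are credited, which is why the slide asks you to document controls before ranking.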

Page 16: Security Rule: Key Technical Safeguards

• Implement reasonable and appropriate safeguards to ensure the CIA of data on systems that create, transmit or store PHI
– Encryption at rest
– Encryption during transmission
– Automatic logoff
– Strong authentication
• Ensure that applications and systems are patched and updated
• Properly configure wireless network access

Page 17: Password Management

Page 18: Password is the 1st Line of Defense

• Keep it Secret
• Keep it Secure
• Change it Often

Page 19: Create a Strong Password Policy

• Organizations should adopt a password policy with minimum requirements
– Create a password with a minimum of 8 characters
– Password should contain at least three of the following four components:
• Uppercase letters (A B C D)
• Lowercase letters (a b c d)
• Number (1 2 3 4)
• A special character (%, ^, *, !, ?)
• Require regular, forced password changes – at least every 90 days.
• Limit the ability to reuse the last 5 generations of a password.
• Educate users to change their password immediately if compromised
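The policy on this slide expressed as checks, as an added example rather than the presentation's own material; the sample password history, the PBKDF2 parameters and the dates are constructed, and "special character" is taken to mean any non-alphanumeric character.

```python
"""Checks implementing the password policy on this slide (added example, not from the
presentation): at least 8 characters, 3 of 4 character classes, no reuse of the last 5
passwords, forced change at 90 days. The sample history and dates are constructed."""
import hashlib
import os
from datetime import date

MIN_LENGTH = 8
CLASSES_REQUIRED = 3
HISTORY_DEPTH = 5
MAX_AGE_DAYS = 90

def char_classes(password: str) -> int:
    """Count the classes present: upper, lower, digit, special (the slide lists %,^,*,!,?
    as examples; any non-alphanumeric character is counted as special here)."""
    return sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the reuse history never stores plaintext (assumed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_to_history(password: str, history: list) -> list:
    """history holds (salt, digest) pairs, newest first; only HISTORY_DEPTH are kept."""
    salt = os.urandom(16)
    return ([(salt, hash_password(password, salt))] + history)[:HISTORY_DEPTH]

def is_reused(password: str, history: list) -> bool:
    return any(hash_password(password, salt) == digest for salt, digest in history)

def validate_new_password(password: str, history: list) -> list:
    """Return the policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(password) < CLASSES_REQUIRED:
        problems.append(f"fewer than {CLASSES_REQUIRED} of 4 character classes")
    if is_reused(password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems

def must_rotate(last_changed_iso: str, today_iso: str) -> bool:
    """Forced change once the password is MAX_AGE_DAYS old (dates as YYYY-MM-DD)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days >= MAX_AGE_DAYS

# Constructed sample: five previous passwords, oldest first
HISTORY: list = []
for old in ["Winter2019!", "Spring2020!", "Summer2020!", "Autumn2020!", "Winter2020!"]:
    HISTORY = add_to_history(old, HISTORY)

if __name__ == "__main__":
    for candidate in ["Spring2021!", "Summer2020!", "short1!", "password1"]:
        print(candidate, validate_new_password(candidate, HISTORY) or "OK")
    print("rotate:", must_rotate("2020-01-15", "2020-04-15"))
```

NIST SP 800-63B (2017) advises against forced periodic rotation in favour of screening new passwords against known-compromised lists; the checks above implement the deck's policy as stated.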

Page 20: Keys to Password Security

• Do choose a strong password
• Don’t write it down anywhere near the device; place it in a secure location
• Don’t leave your workstation, laptop or smartphone without logging off or locking the device
• Don’t share passwords with anyone else
• Don’t embed passwords in shortcuts or scripts
• Don’t use a password for multiple accounts

Page 21: Monitoring Log-Ins and Audit System Activity

Page 22: Monitoring System Activity & Log-Ins

• The Security Rule requires that organizations collect and review system activity on any network or device
• Proactive access monitoring and audit, using technology that analyzes whether access to PHI is authorized and appropriate
• Take action to investigate unusual network activity or instances of unauthorized use/disclosure
• Apply sanctions against workforce members where there is a violation
• Implement safeguards for network vulnerabilities
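One way to review collected system activity for the situations this slide says to investigate, as an added example that is not part of the presentation; the audit-log format, user names, record identifiers and the three thresholds are constructed.

```python
"""Review audit-log activity for the kinds of events the Security Rule expects an
organization to investigate. Added example: the log format, users, MRNs and the
thresholds are constructed for illustration, not drawn from the presentation."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
                     r"(?: patient=(?P<patient>\S+))? result=(?P<result>\S+)")

FAILED_LOGIN_LIMIT = 3            # failures per user inside FAILED_LOGIN_WINDOW
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 20)     # 07:00-19:59 counts as normal
RECORD_VOLUME_LIMIT = 3           # distinct patients per user per day before asking why

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            yield d

def review(lines):
    """Return a list of (rule, user, detail) findings for a human to follow up."""
    findings = []
    failures = defaultdict(list)    # user -> timestamps of failed logins
    patients = defaultdict(set)     # (user, date) -> distinct MRNs viewed
    for ev in parse(lines):
        user, ts = ev["user"], ev["ts"]
        if ev["action"] == "LOGIN" and ev["result"] == "FAIL":
            failures[user].append(ts)
            recent = [t for t in failures[user] if ts - t <= FAILED_LOGIN_WINDOW]
            if len(recent) == FAILED_LOGIN_LIMIT:
                findings.append(("failed-login-burst", user, f"{len(recent)} failures by {ts}"))
        if ev["patient"] and ev["result"] == "OK":
            if ts.hour not in BUSINESS_HOURS:
                findings.append(("after-hours-phi-access", user, f"{ev['patient']} at {ts}"))
            seen = patients[(user, ts.date())]
            seen.add(ev["patient"])
            if len(seen) == RECORD_VOLUME_LIMIT + 1:
                findings.append(("high-volume-phi-access", user, f"{len(seen)} patients on {ts.date()}"))
    return findings

# Constructed sample audit log
SAMPLE_LOG = """\
2020-07-14T08:01:10 user=jdoe action=LOGIN result=OK
2020-07-14T08:02:30 user=jdoe action=VIEW patient=MRN-0001 result=OK
2020-07-14T08:05:00 user=asmith action=LOGIN result=FAIL
2020-07-14T08:05:20 user=asmith action=LOGIN result=FAIL
2020-07-14T08:06:05 user=asmith action=LOGIN result=FAIL
2020-07-14T09:10:00 user=bjones action=VIEW patient=MRN-0002 result=OK
2020-07-14T09:11:00 user=bjones action=VIEW patient=MRN-0003 result=OK
2020-07-14T09:12:00 user=bjones action=VIEW patient=MRN-0004 result=OK
2020-07-14T09:13:00 user=bjones action=VIEW patient=MRN-0005 result=OK
2020-07-14T23:40:00 user=jdoe action=VIEW patient=MRN-0009 result=OK
""".splitlines()

if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LOG):
        print(f"{rule:24} {user:8} {detail}")
```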

Page 23: Periodic Security Reminders

Page 24: Periodic Security Awareness Reminders

• Awareness programs provide education and keep information security fresh in the workforce’s minds
• Use employee newsletters
• Link to FTC, HHS & DHS YouTube channels
• Provide alerts in case of an incident or specific threat

Page 25: Protecting Against Malicious Programs

Page 26: What Are Malicious Programs?

Virus – A small program designed with the objective of infecting as many software applications or devices as possible and spreading rapidly.

Phishing – A technique using fake emails and web pages designed to trick users into handing over valid usernames and passwords.

Ransomware – A malicious program (malware) that can encrypt either the complete hard drive or specific files on the computer. To regain access to your files, a window asks you to pay a ransom to the attacker. Payment is typically made in a digital currency such as bitcoin.

Page 27: Protecting Against Malware

• Employ virus detection and anti-spyware protection on all your devices
– Microsoft, Apple and Google provide it for free
– Set it to scan your device automatically
• Regularly patch and update your OS, browsers and other software applications
• Be cautious when opening or downloading hyperlinks from an internet web page or an email message

Page 28: How to Identify a Phish

Page 29: Targeted Exposure

• Attackers can leverage a single account to gain access to the user’s entire contact list
• Phishermen often target through social media, company websites, and the results of previous attacks
• Accounts at high risk are often the most public
• Attackers develop personalized spear phish with information available via social media
• Users with a high volume of email typically don’t spend as much time vetting the legitimacy of each email

Page 30: How to Avoid Being the Phisherman’s Catch

• Review senders’ addresses
• Review the sending domain
• Investigate context clues
• Enticing offers are often too good to be true
• Hover over the link or perform a cut and paste review
• Increase suspicion if the content tries to invoke urgency

Page 31: Example 1

Clues:
• Sender’s address
• Sense of urgency
• Domain isn’t owned by the organization

Page 32: Example 2

Clues:
• Sender’s address
• Website link doesn’t match intended destination
• Version of mail server does not exist

Page 33: Example 3

Clues:
• Sender’s address
• Website links don’t match intended destination

Page 34: Example 4

Clues:
• Sender’s address
• Website links do not match intended destination
• Enticing offer
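The clues from slides 30 through 34 applied mechanically to a message, as an added example that is not part of the presentation; the organization's domain, the phrase lists and the sample message are constructed.

```python
"""Check a message for the clues on slides 30-34: sender address and domain, link text versus
real destination, urgency and enticing offers. Added example; the organization's domain, the
phrase lists and the sample message are constructed, not taken from the presentation."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAINS = {"example-health.org"}   # assumed: domains the organization actually owns
PHRASES = {"urgency": ("immediately", "within 24 hours", "will be suspended", "act now"),
           "an enticing offer": ("you have won", "gift card", "claim your prize", "free ")}

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from the HTML body so the two can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registrable(host: str) -> str:
    """Last two labels: compares portal.example-health.org with example-health.org."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def phishing_clues(raw_message: str) -> list:
    msg = message_from_string(raw_message, policy=policy.default)
    clues = []
    _, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2]
    if registrable(sender_domain) not in ORG_DOMAINS:
        clues.append(f"sender domain {sender_domain} is not owned by the organization")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(text)
    for shown, href in collector.links:
        target = registrable(urlparse(href).hostname or "")
        shown_host = re.search(r"[\w-]+(?:\.[\w-]+)+", shown.lower())
        if shown_host and registrable(shown_host.group()) != target:
            clues.append(f"link text says {shown_host.group()} but points to {target}")
        elif target not in ORG_DOMAINS:
            clues.append(f"link points outside the organization: {target}")
    lowered = re.sub(r"<[^>]+>", " ", text).lower()   # strip tags before phrase matching
    for kind, phrases in PHRASES.items():
        if any(p in lowered for p in phrases):
            clues.append(f"message content tries to invoke {kind}")
    return clues

# Constructed sample message (single-part HTML) showing three of the clues at once
SAMPLE = """\
From: IT Helpdesk <helpdesk@example-health-support.com>
Content-Type: text/html

<p>Your mailbox password expires within 24 hours. Sign in immediately at
<a href="http://portal.example-health.org.login-verify.net/reset">portal.example-health.org</a>
to keep your account active.</p>
"""
```

Calling `phishing_clues(SAMPLE)` reports the foreign sender domain, the link whose text names the organization's portal while pointing at a different registrable domain, and the urgency wording.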

Page 35: HIPAA Homework

• Get to know your organization’s HIPAA Privacy and Security policies
• Watch the 5 videos on how to secure e-PHI and mobile devices at http://www.healthit.gov/providers-professionals/worried-about-using-mobile-device-work-heres-what-do-video
• See something? Say something.

Page 36: Questions?

David Holtzman
[email protected]
512.405.8550 x.7020