Security and Privacy Requirements Beyond HIPAA
Tom Walsh, CISSP
Tom Walsh Consulting, LLC
Overland Park, KS
Objectives
• Understand some of the potential impacts on information security and privacy as a result of the new ARRA or “stimulus bill” on covered entities and their business associates
• Gain awareness and an understanding of the requirements for:
  – FTC’s Identity Theft Red Flags Rule
  – PCI Data Security Standards
  – Data breach disclosure laws
Copyright © 2009, Tom Walsh Consulting, LLC
Objectives (cont.)
• Identify some potential sources of identity theft and data breaches
• Determine who in your organization needs to be included and the key departments for your organization’s (renewed) compliance efforts
• Locate resources for additional information
American Recovery and Reinvestment Act
a.k.a. “Stimulus Bill”
• Other names or references
  – ARRA
  – Public Law 111-5
  – H.R. 1
  – Stimulus Bill
• Date of enactment: February 17, 2009
  – Key date for the timing of future deadlines
• Appropriations Provisions – 16 Titles
  – Title XIII – Health Information Technology
    • Subtitle D – Privacy
Implications and future changes have yet to be fully comprehended.
Brief History (Why Privacy is in the Stimulus Bill)
• 1996 – HIPAA is passed; Congress has three years to enact medical privacy protection standards; fails to do so; too busy trying to impeach Bill Clinton; by default DHHS creates Privacy standards
• 1998 (Aug) – Proposed HIPAA Security Rule is released for comment
• 1999 (Nov) – Proposed HIPAA Privacy Rule is released for comment
• 2002 – Final HIPAA Privacy Rule is released
• 2003 (Feb) – Final HIPAA Security Rule is released
• 2003 (Apr 14) – Deadline for compliance with HIPAA Privacy Rule
• 2005 (Apr 20) – Deadline for compliance with HIPAA Security Rule
No changes to the rules since the final release.
What was the computing environment like back then versus now?
Promotion of Health Information Technology
• Office of the National Coordinator (ONC) for Health Information Technology (HIT) (Section 3001)
  – Chief Privacy Officer
    • Appointed by the Secretary of HHS
    • To advise on privacy, security, and data stewardship
  – HIT Policy Committee (Section 3002)
    • Appointed positions
    • Make recommendations for nation-wide health information technology infrastructure
  – HIT Standards Committee (Section 3003)
    • Appointed positions
    • Make recommendations for electronic exchange and use of health information
Privacy – Subtitle D
Section 13400 – Definitions of 18 terms. Many have the same definition as found in HIPAA, but unique to ARRA are:
• Breach
• Unsecured Protected Health Information
• Electronic Health Record (EHR)
• Personal Health Record (PHR)
• Vendor of Personal Health Record
New Definitions
• Breach – In general terms means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information
• Unsecured Protected Health Information – protected health information (PHI) that is not secured through the use of a technology or methodology specified by the Secretary
Breach
• Covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of a breach
• Notifications
  – Who? What? How? (based upon number of individuals)
  – When? Must be made without unreasonable delay and no later than 60 days from discovery
• Discovery – key concept: “…should reasonably have been known…”
Breach – Non-Covered Entities
• Includes vendors of PHR
• Includes 3rd parties that provide services to a vendor of PHR
• Requirements for reporting breaches are the same as for covered entities, except that the notification is made to the Federal Trade Commission (FTC) rather than the Secretary of HHS
• The FTC will also notify the Secretary of HHS
Business Associates
Application of Security Provisions (Section 13401)
• HIPAA security applies to Business Associates
  – §164.308 Administrative Safeguards
  – §164.310 Physical Safeguards
  – §164.312 Technical Safeguards
  – §164.316 Policies and Procedures and Documentation Requirements
Business Associates
• Business Associate Agreement (BAA) will need to be updated to incorporate the new HIPAA Security Rule requirements into the agreement
• Must respond to Privacy noncompliance issues the same as a Covered Entity
• Business Associate will now also be subject to the civil and criminal penalties for violating any of the security provisions
Disclosures
• Secretary will issue guidance on “minimum necessary”
• Accounting of Disclosures – HIPAA revision
  – Old: “…except for TPO” (Treatment, Payment, and healthcare Operations)
  – New: If the Covered Entity uses or maintains an electronic health record (EHR), then the exception for Accounting of Disclosures for TPO no longer applies (Note: Disclosure vs. Use)
  – Two deadlines: January 2014 or January 2011, based upon when the EHR was implemented
Enforcement
• Clarification of Application of Wrongful Disclosures Criminal Penalties (Section 13409)
  – Individuals can be prosecuted under HIPAA and ARRA
• Improved Enforcement (Section 13410)
  – “Willful neglect” by employees – employees can now be held liable
  – State Attorneys General may bring civil action
• Audits (Section 13411)
  – Periodic audits to ensure that covered entities and business associates comply with HIPAA and ARRA
Identity Theft Red Flags Rule
• Implements sections of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act)
• Applies to financial institutions and creditors that hold any consumer account
• Applies if a healthcare provider:
  – Permits payment of services to be deferred
  – Allows payment in multiple installments
• Must comply by May 1, 2009
Things to Consider
• Types of patient billing accounts
• Methods used to allow installment payments (may be considered “covered accounts”)
• How a covered account is accessed
  – Example: Web portal for patient bill paying
• Previous incidents of identity theft
• Privacy safeguards and security controls currently in place to protect an individual’s identity and personal information (i.e., HIPAA)
PCI Security Standards Council, LLC
• Responsible for the security standards
• Formed in September 2006 by the five major credit card companies:
  – Visa International
  – MasterCard Worldwide
  – American Express
  – Discover Financial Services
  – JCB (Europe)
www.pcisecuritystandards.org
PCI Data Security Standard
• 12 requirements that must be followed
  – State law in Minnesota; other states next?
• If the merchant lacks adequate controls:
  – May be fined (payments withheld)
  – May be held liable for credit card losses
  – Could lose merchant status – the ability to accept credit cards
• Merchants fall into one of four merchant levels based on transaction volume over a 12-month period
  – Regardless of level, all merchants must comply
PCI Terminologies
• Merchant – Any business that accepts credit cards for payment
• POS – Point of Sale terminal – used for swiping credit cards; usually connected to the bank via a modem
• PAN – Primary Account Number
• CVV – Card Verification Value – the last three digits printed on the signature panel on the back of credit cards, used for transaction authorization when the payment is not made in person
Conducting a PCI Self-Assessment
• Determine the volume of transactions
• Inventory where credit card transactions occur
• Conduct a self-assessment
• Remediate identified issues
• Create a Credit Card Handling policy
• Create, deliver, and document user training on Credit Card Handling
Key Departments – Workflows
• Patient financial services (billing)
• Admitting, registration, or cashier
• Gift shop
• Cafeteria
• Outpatient services
  – Pharmacy
  – Durable medical equipment (DME) and other medical supplies
  – Urgent care centers
State Data Breach Disclosure Laws
• California – leading the way…
• 44 states now have some type of law
• Wisconsin
  – Act 138 requires notification in the event that personal information is lost or illegally accessed
  – Office of Privacy Protection: www.privacy.wi.gov
• Other Wisconsin resources: http://www.legis.wisconsin.gov/lrb/pubs/ttp/ttp-04-2008.html
Identity Theft in the Workplace
Some possible sources:
• Carelessness – loss of mobile computing devices
• Stealing (and in some cases, selling) employee records from their employer
• Conning information out of employees
• Unsecured data – paper or electronic
• Rummaging through trash
• Improper disposal or resale of computing devices and/or media
• Hacking into computers
Preventing Identity Theft
People, Processes, and Technology
• Background and clearance checks on key employees
  – System administrators
  – Patient Financial Services or Patient Accounting
• Proper handling and disposal of media
• Encrypt data at rest and while in transmission
• Auditing and monitoring
Renewed Compliance Efforts
• Corporate Compliance Officer
• Privacy and Information Security Officer
• Risk Management / Legal Counsel
• Patient Access (Registration / Admitting)
• Patient Financial Services (Accounting)
• Others? ______
Governance, Risk, and Compliance (GRC)
[Diagram: HIPAA, ARRA, Red Flags Rule, PCI DSS, SOX, FISMA, and JCAHO feeding into one framework] = Governance framework for an information security program, for consistency in satisfying multiple regulations and requirements
Resources
• An electronic copy of ARRA (PDF format): http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h1enr.txt.pdf
• PCI Security Standards Council, LLC: www.pcisecuritystandards.org
• PCI Frequently Asked Questions: www.pcisecuritystandards.org/about/faqs.htm
• FTC’s Identity Theft Site: www.ftc.gov/bcp/edu/microsites/idtheft/
• Identity Theft Resource Center: www.idtheftcenter.org
Summary
During this session we discussed:
• Privacy and security highlights of the new ARRA or “stimulus bill”
• An awareness of:
  – FTC’s Identity Theft Red Flags Rule
  – PCI Data Security Standards
  – Data breach disclosure laws
• Ideas for preventing identity theft
• Renewed involvement for compliance
• Resources for more information
Questions?
Tom Walsh, [email protected]
913-696-1573
Good News!
Because of the current global economic crisis, hackers, creators of malicious code, spammers, and disgruntled former employees have all pledged to be compassionate to businesses and individuals by cutting back on their harmful and disruptive activities by at least 30%.
More Good News!
Additionally, Congress has urged that all American employees who still have a job to temporarily suspend any of their unauthorized activities that could disrupt or significantly impact businesses until after the current economic crisis has passed.
Even More Good News!
It was announced yesterday that the United Nations overwhelmingly passed a measure, which can only be described as an extraordinary act of reconciliation, that with Barack Obama now as president of the United States, all nations vow to no longer harbor any hostilities toward the United States government and its people.
Sad Reality
• While everything else in our economy is declining, threats to information security are on the rise
• Desperate times result in desperate measures
  – People are willing to do whatever it takes to ensure their own personal wellbeing
  – Employees on the verge of being laid off or former employees that recently lost their job represent a significant threat to security