Remediation Steps Post Preliminary Security Risk Assessment for FQHCs

Transcription

1 in partnership with April 24, 2014 MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series Webinar 5 Remediation Steps Post Preliminary Security Risk Assessment for FQHCs

2 About MPCA Michigan Primary Care Association (MPCA) Has been the voice for Health Centers and other community-based providers in Michigan since It is a leader in building a healthy society in which all residents have convenient and affordable access to quality health care. MPCA s mission is to promote, support, and develop comprehensive, accessible, and affordable quality community-based primary care services to everyone in Michigan

3 About OSIS Ohio Shared Information Services, Inc. (OSIS) We are a 501(c)3 non-profit organization that partners with Federally Qualified Health Centers (FQHCs) to provide compliance/security related, IT, EPM and EHR services to improve the quality of care delivered to the underserved population. Our security division has professionals on staff dedicated to providing information security services to transform healthcare x1223

4 Presented by: Jay Trinckes, CISO, OSIS Certified Information Systems Security Professional (CISSP) Certified Information Security Manager (CISM) Certified in Risk and Information Systems Control (CRISC) National Security Agency (NSA) INFOSEC Assessment Methodology (IAM) and INFOSEC Evaluation Methodology (IEM) Author: Presentations: RAC Monitor, NWRPCA-CHAMPS, NACHC-FOM-IT, HRSA Regional Upcoming: PMI National Conference, Chicago, IL May 2014 Experience: risk assessments, vuln/pen tests, information security management, former law enforcement officer.

5 Overview of MPCA Webinar Series Series of five Webinars to assist members with HIPAA Compliance and Meaningful Use 1. HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 1) 2. HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 2) 3. Meaningful Use Requirements for FQHCs 4. Preliminary Assessment Tool for FQHCs 5. Remediation Steps Post PSRA

6 Webinar 5: Topics Overview of Preliminary Assessment Exceptions Specific Issues Identified Specific Recommendations Next Steps Questions/Answers

7 Review

8 Goal Review Report NOT Goals Provide baseline Direction for Information Security Management Process Privacy Risk Management Information System Activity Review Security Awareness Training Contingency Planning Facility Access Business Associate Contracts Security Policies/Procedures Provide High Level Overview Recommendations A replacement for full risk assessment

9 Process Submit Documents Review Documents Interview Contact Report/Recommend

10 Overview

11 Participating Members 1. Alcona Health Center 2. Baldwin Family Health Care 3. Cassopolis Family Clinic Network 4. Center for Family Health 5. Cherry Street Health Services 6. East Jordan Family Health Center 7. Hackley Community Care 8. Ingham Community Health Center 9. InterCare Community Health Network 10. Sterling Area Health Center 11. Thunder Bay Community Health Service

12 Privacy Area Reviewed Uses/Disclosures Required Uses/Disclosures Permitted Uses/Disclosures Limitations on Use/Disclosures Individual Rights Notice of Privacy Practices Content of the Notice Administrative Requirements Privacy Personnel

13 Security Area Reviewed Administrative Safeguards Risk Analysis Risk Management Information System Activity Review Assigned Security Responsibility Security Incident Procedures Workforce Security Contingency Plan Security Awareness Training Evaluation

14 Security Area Reviewed Physical Safeguards Facility Access Control Workstation Use Disposal

15 Security Area Reviewed Technical Safeguards Unique User Identification Encryption and Decryption Integrity Controls

16 Organization/Documentation Area Business Associate Agreements Policies Procedures Documentation

17 Risk Ratings

18 Results BY THE NUMBERS: 11 Participating Member Centers 311 Total Providers 85 Total Sites 2,606 Total Staff members Average Rating Not Secured Median Security Very Secure 2 Centers 3 Centers 6 Centers

19 Primary Recommendation Resources? Get Help Can t Be Ignored Cost of Doing Business

20 Detailed Exceptions Privacy

21 Notice of Privacy Practices Required Header Plain Language Treatment, Payment, and Healthcare Operations More Stringent State Laws Written Authorization Appointment reminders, treatment alternatives, or health related benefits Rights to: Access, Amend, Accounting of Disclosures, Paper Copy of NPP Required by Law to Maintain Privacy Abide by NPP Amend NPP Filing a Complaint Effective Dates

22 Website NPP Exceptions Posting NPP on Website Quarter of participating members did not post the NPP on their website (45 CFR c(3)(i)) EPHI Right of Individuals to receive electronic copy Recommend to add to statement about right to access PHI (in both paper and electronic form) Fund Raising If provided, right to opt out Recommend to add statement/procedure on how to opt-out of receiving information on fund raising if center provides for such activities Prohibit Sale of PHI Breach Right of Individual to receive notification of breach Recommend adding statement that individual has a right to receive notification in case of a breach of their unsecured protected health information

23 Privacy Policies/Procedures Documentation Privacy Policies/Procedures NOT Provided for Review Reviewed all policies/procedures provided Utilized what was reviewed in other areas such as the NPP Utilized interview to capture additional information as appropriate

24 Required by Law Notice of Privacy Practice May use or disclose PHI as required by law Notify Patient of Use Recommend ensuring policies/procedures indicate notifying the patient of use/disclosure if notice is required by law

25 Permitted Uses and Disclosures Incidental TPO Caregivers Facility Directories Required by Law Public Health Activities Victims of Abuse, Neglect, or Domestic Abuse Health Oversight Activities Judicial and Administrative Activities Law Enforcement Coroners, Medical Examiners, and Funeral Directories Cadaveric Organ, Eye, and Tissue Donation Research Averting a Serious Threat to Health or Safety Specialized Government Functions Workers Compensation

26 Pursuant to Authorization

27 Minimum Necessary Roles Limit

28 Pursuant to TPO Disclose to Caregivers Treatment, Payment, Healthcare Operations Use/Disclosure without authorization Opportunity to agree/object Public interest and benefit activities Data use agreements safeguards for limited data set Caregiver Disclosure Include in Notice of Privacy Practice Implied consent when family accompanies patient into exam room

29 Shared EHR - HIE Same Database Health Information Exchange

30 Privacy Personnel Assigned Privacy Official Role detailed in job description Approved by Executive Management or BoD Complaints handled through Privacy Official Standard Form Indicated on Notice of Privacy Practices

31 Detailed Exceptions Security - Administrative

32 Risk Analysis/Risk Management Evaluation Not Performed/Outdated Risk Assessment Independent Review Control Decisions Risk Management Implementation Technical Evaluation Non-Technical

33 Security Incident Possible Incidences Inappropriate use of passwords Corrupted backups Virus attacks Physical break-ins Failure to terminate accounts Providing media to unauthorized individual Formal Policy Incident Response Team Specific Responsibilities Specific Actions/Timeframes Escalation Procedures Notifications Reporting

34 Information System Review Reviewed only as needed Audit Logs, Access Reports, Security Incident Tracking System Log Server (SysLog)

35 Contingency Plan Procedures to restore loss data Address specific issues Include Business Impact Analysis Identify Critical Functions/Systems Identify Critical Personnel Establish Command Centers Include Time Metrics Recovery Time/Point Objectives

36 Security Official Workforce Awareness Training Security Official Assigned Approved Clearance Checks Workforce Security Account Management Awareness Training New Hires Annual/Updates

37 Detailed Exceptions Security - Physical

38 Positives Facility Access Utilize badge access/metal keys Install fire alarms/extinguishers/sprinklers Dedicated secure room for servers Dedicated secure paper records areas Proper inventory control Some Exceptions Surveillance Equipment Alarms with motion detection/glass break Visitor logs/visitor badges

39 Workstation Use Limited Access USB External Drives

40 Disposal Document Destruction Internal through use of cross cut shredders Utilize third party shred company Hard Drives Wiped Destroyed

41 Detailed Exceptions Security - Technical

42 IDS/IPS IDS/IPS 24/7/365 Integrity External Internal Monitored

43 Encryption/Decryption Addressable Perform Analysis Encrypt FIPS Compliant

44 Unique User Identifier Web Filtering Unique User ID Anonymizer or Proxy Avoidance Pornography Chat Web mail Hacking Social Sites On-line Storage Sites

45 Detailed Exceptions Business Associate Agreement

46 Business Associate Agreement Permitted Required Appropriate Safeguards Termination Subcontractors Reporting Availability Amendment Accounting of Disclosures Obligations Available to Secretary Return or Destruction

47 BAA Exceptions Notification Costs Reimburse Indemnification Right to Audit Central Accountability Vendor Due Diligence

48 Review Next Steps Preliminary Security Risk Assessment Conduct a Full Assessment - Technical Decide Determine appropriate controls Get Executive Management approval Implement Implement Controls Assign ownership over solutions - processes Measure Test/Evaluate Update

49 Service Offerings HIPAA/ HITECH Risk Assessment VAPT Policy/ Procedures Training Ancillary Administrative Internal Privacy/ Security Privacy/ Security Security Incident Vendor Due Diligence Physical Development BCP/DR External Development Technical Performance Consulting

50 Questions (direct)