DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY

Size: px

Start display at page:

Download "DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY"

Hector Washington
5 years ago
Views:

1 DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY Practice Areas: Healthcare Labor and Employment JASON YUNGTUM jyungtum@clinewilliams.com (402) Practice Areas: Healthcare Labor and Employment JILL JENSEN jjensen@clinewilliams.com (402)

2 2

3 3

4 OBJECTIVES: Identify current developments Analyze your HIPAA compliance program for risks Apply existing and updated tools to limit exposure in a breach or audit 4

CURRENT DEVELOPMENTS Enforcement ramping up Notable

Updated risk assessment ENFORCEMENT Did not know/could

5 CURRENT DEVELOPMENTS Enforcement ramping up Notable examples Big, Small, In between Small breaches, no breaches no problem? ENFORCEMENT OCR Phase 2 Audits Ransomware guidance Updated risk assessment ENFORCEMENT Did not know/could not know $100 to $50,000 each violation $1.5M cap for identical violations in same calendar year 5

6 ENFORCEMENT Reasonable cause/not willful neglect $1000 to $50,000 each $1.5M cap for identical violations in calendar year ENFORCEMENT WILLFUL NEGLECT, CORRECTED WITHIN 30 DAY PERIOD $10,000 to $50,000 per violation $1.5M cap for identical violations per calendar year ENFORCEMENT WILLFUL NEGLECT, NOT CORRECTED $50,000 each violation $1.5M cap for identical violations in calendar year 6

ENFORCEMENT Willful Neglect conscious, intentional

comply ENFORCEMENT FACTORS Nature, extent of violation

ENFORCEMENT FACTORS Nature and extent of harm from

7 ENFORCEMENT Willful Neglect conscious, intentional failure or reckless indifference to the obligation to comply ENFORCEMENT FACTORS Nature, extent of violation Number of individuals affected When it occurred ENFORCEMENT FACTORS Nature and extent of harm from violation Physical Financial Reputational Ability to obtain health care 7

ENFORCEMENT FACTORS History of prior compliance, any violations Same or similar to before Whether and to what extent prior issues have been corrected or attempts made to correct FROM

8 ENFORCEMENT FACTORS History of prior compliance, any violations Same or similar to before Whether and to what extent prior issues have been corrected or attempts made to correct FROM THE FILES OF THE OCR August 4, 2016 Advocate Health Care Network Multiple potential violations ephi $5.55M settlement + CAP Large health system Many affected Long term noncompliance 8

THE BACK STORY OCR began investigation in 2013 3 breach reports from sub, Advocate Medical Group Combined breaches=4.

expiration dates, DOBs THE MORAL TO THE STORY.

9 THE BACK STORY OCR began investigation in breach reports from sub, Advocate Medical Group Combined breaches=4.1m individuals PHI included demographic, clinical, health insurance, patient names, addresses, credit card numbers with expiration dates, DOBs THE MORAL TO THE STORY.... Accurate, thorough risk assessments Implement policies/procedures and facility access controls Signed BA Agreements Don t be stupid. Don t keep an unencrypted laptop in an unlocked vehicle 9

10 CAN YOU SAY WILLFUL NEGLECT? A NEW CLAIM TO FAME? $2.75 Million to resolve + CAP Aware of risks, vulnerabilities since 2005 No significant risk management until after the breach Organizational deficiencies Insufficient institutional oversight DO YOU SEE A PATTERN HERE? Password protected laptop stolen ephi vulnerable to unauthorized access via wireless network Access to 67,000 files after entering generic username and password 328 files with ephi 10,000 patients dating to

HERE S MY SHOCKED FACE Failed to implement policies/procedures Failed to implement physical safeguard for all workstations Didn t assign unique usernames or numbers to ID or track user identity

11 HERE S MY SHOCKED FACE Failed to implement policies/procedures Failed to implement physical safeguard for all workstations Didn t assign unique usernames or numbers to ID or track user identity Failed to notify each individual about the breach WHAT ABOUT BUSINESS ASSOCIATES? Catholic Health Care Services of the Arch. of Philadelphia OCR notified of breach April 2014 Theft of a unencrypted, non password protected iphone WHAT ABOUT BUSINESS ASSOCIATES? Compromised PHI of 412 NF residents Management/IT services for 6 SNFs SSNs, Dx, Tx, procedures, family member names, guardian names, medication information $650,000 + CAP 11

12 WHAT ABOUT BUSINESS ASSOCIATES? TAKE AWAYS: Business Associates need enterprise wide risk Assessments and Risk Management Plans too ENCRYPT ALL MOBILE DEVICES HAVE/IMPLEMENT POLICIES ABOUT MOBILE DEVICES AND PHI POLICIES/PROCEDURES FOR SECURITY INCIDENTS $650,000 NOT CHUMP CHANGE WHY THE LIGHT RESOLUTION AMOUNT? BA provided unique, much needed services in region To elderly, DD, young adults aging out of foster care, individuals living with HIV/AIDS TWO YEARS OF OCR MONITORING RA AGREEMENT + CAP PHYSICIAN PRACTICES Physician practice and ASC in NC $750,000 resolution amount PHI of 17,300 patients provided to potential business partner without a signed BA Agreement 12

Breach report in April 2013 X ray films/related PHI sent to BA For transfer of images to electronic media Harvesting silver from the films Get the BA Agreement signed first and then disclose THE

13 Breach report in April 2013 X ray films/related PHI sent to BA For transfer of images to electronic media Harvesting silver from the films Get the BA Agreement signed first and then disclose THE WAGES OF NO BA AGREEMENT IS $750,000 + Resolution Agreement + CAP Revise policies and procedures Establish a BA determination process THE WAGES OF NO BA AGREEMENT Designate a person in charge of BA Agreements Establish a process for BA Agreement retention at least 6 years after termination Minimum necessary applies 13

14 WHAT S NEXT? CLOSER LOOK AT SMALL BREACHES Those affecting less than 500 persons WHAT S NEXT FOR THE OCR AND US OCR ROS WILL LOOK INTO ROOT CAUSES Seek corrective action for systemic noncompliance WHAT? NO BREACHES? Sorry. The Coast is not clear. 14

NO FLYING UNDER THE RADAR How does your entity compare

THE OCR AUDITS Began in earnest this summer Notices

15 NO FLYING UNDER THE RADAR How does your entity compare to similar covered entities or BAs? NO BREACH. NO PROBLEM? How is your documentation? Do you have risk assessments completed? THE OCR AUDITS Began in earnest this summer Notices sent to 167 auditees on July 11, 2016 Redesigned audit process reflecting experience and new law 15

16 PHASE 2 AUDIT PROCESS FOR BOTH COVERED ENTITIES AND BUSINESS ASSOCIATES MOSTLY DESK AUDITS UP TO 250 AUDITS TOTAL WITH 50 OF THOSE TO BE ONSITE WHAT IS OCR LOOKING FOR? Compliance mechanisms and best practices ID risks/vulnerabilities not identified through breach notices or enforcement OCR S MISSION GET OUT IN FRONT OF PROBLEMS BEFORE A BREACH OCCURS A COMPLIANCE IMPROVEMENT ACTIVITY ID what technical assistance may be needed State of compliance on aspects of HIPAA Further tool development to aid in compliance efforts and breach prevention 16

17 OCR AUDIT FOCUS DESK AUDITS ONGOING THROUGH END OF 2016 DESK AUDIT SCOPE LOOKING AT 7 CONTROLS Security Privacy Breach notification compliance ONSITE AUDITS BEGIN IN EARLY 2017 Comprehensive set of HIPAA compliance controls Desk auditees are subject to onsite audit as well OCR AUDIT FOCUS BA DESK AUDITS BEGIN IN LATE SEPTEMBER 2016 MOSTLY FROM A POOL OF BAS IDENTIFIED BY COVERED ENTITIES 10 DAY RESPONSE TIME FOR REQUESTED RECORDS OCR AUDIT FOCUS DESK AUDIT REQUESTS List of BAs to be returned by within 10 days Documents policies/procedures, etc. submitted through secure portal No credit for late submissions Only what s relevant is to be submitted If auditee doesn t have it, must explain deficiency POOL OF BAS IDENTIFIED BY COVERED ENTITIES 10 DAY RESPONSE TIME FOR REQUESTED RECORDS 17

final audit report DESK AUDIT PROCESS AUDIT REPORTS WILL DESCRIBE HOW THE AUDIT WAS CONDUCTED, PRESENT ANY

18 Desk Audit Controls Privacy Breach Notification Security DESK AUDIT PROCESS AFTER REVIEW OF SUBMITTED DOCUMENTS, OCR will develop and share draft findings Entity may respond Responses will be included in the final audit report DESK AUDIT PROCESS AUDIT REPORTS WILL DESCRIBE HOW THE AUDIT WAS CONDUCTED, PRESENT ANY FINDINGS, AND CONTAIN ENTITY RESPONSES TO THE DRAFT FINDINGS Based only on what is submitted No late submissions allowed 18

review COMPREHENSIVE ONSITE AUDITS OF BOTH CES AND BAS WILL BEGIN IN EARLY 2017 4000 DAILY

19 AFTER THE DESK AUDIT AFTER AUDIT, OCR COULD OPEN A SEPARATE COMPLIANCE REVIEW Depending on what the audit finds Significant threats to privacy and security will likely get a compliance review COMPREHENSIVE ONSITE AUDITS OF BOTH CES AND BAS WILL BEGIN IN EARLY DAILY ATTACKS SINCE EARLY % increase over 2015 Exploits human and technological weakness RANSOMWARE 19

RANSOMWARE Denies access through encryption by malware Only the

THINGS THAT CAN HAPPEN Ransomware or Malware may also exfiltrate

HAVE A SECURITY MANAGEMENT PROCESS Conduct a risk analysis, ID

20 RANSOMWARE Denies access through encryption by malware Only the bad guy has the key You can have key for a price OTHER BAD THINGS THAT CAN HAPPEN Ransomware or Malware may also exfiltrate data (i.e., steal it and transfer it) WHAT CAN YOU DO? HAVE A SECURITY MANAGEMENT PROCESS Conduct a risk analysis, ID threats, vulnerabilities Implement process to protect against malicious software 20

21 SECURITY MANAGEMENT PROCESS TRAIN YOUR PEOPLE TO DETECT MALWARE IMPLEMENT ACCESS CONTROLS TO LIMIT WHO CAN USE EPHI WEAKEST LINKS WHAT ELSE? IMPLEMENT POLICIES/PROCEDURES FOR FREQUENT BACK UPS For recovery if/when you are attacked TEST RECOVERY ABILITY OFTEN MAINTAIN BACK UP OFFLINE/AWAY FROM YOUR NETWORK 21

applications and data Test readiness SECURITY INCIDENTS SECURITY INCIDENT PROCEDURES ALSO REQUIRED

22 WHAT ELSE? UPDATE WHEN PATCHES AVAILABLE HAVE A DISASTER RECOVERY PLAN Emergency Operations ID criticality of applications and data Test readiness SECURITY INCIDENTS SECURITY INCIDENT PROCEDURES ALSO REQUIRED BY SECURITY RULE Procedures to respond Detection Containment Eradication Mitigation Remediation Post incident activities obligations/lessons learned ARE YOUR PEOPLE LIKE THIS? Or this? 22

TRAINING THE DETECTIVES Where s your documentation of completed training?

Alert to the dangers of unknown links Phishing expeditions Computer weirdness slow running

QUICKLY DETECT AND REPORT ACTIVATE YOUR SECURITY INCIDENT RESPONSE PLAN Contact the

23 TRAINING THE DETECTIVES Where s your documentation of completed training? WHEN WAS THE LAST TIME YOUR TEAM WAS TRAINED? Alert to the dangers of unknown links Phishing expeditions Computer weirdness slow running overburdened CPU Disappearing files Getting locked out of files TRAINING THE DETECTIVES QUICKLY DETECT AND REPORT ACTIVATE YOUR SECURITY INCIDENT RESPONSE PLAN Contact the professionals: FBI, local law enforcement, U.S. Secret Service field office RANSOMWARE = HIPAA SECURITY INCIDENT ACTIVATE YOUR RESPONSE PLAN You need to have one What is yours? 23

It depends IF EPHI IS ENCRYPTED BY RANSOMWARE, OCR SAYS, YES. IS IT A BREACH?

24 YOUR MONEY OR YOUR LIFE ID THE SCOPE OF INCIDENT WHAT S AFFECTED? Origin Is it over or still going on? How did it happen? Prioritize your response RANSOMWARE AFTERMATH IS A SECURITY INCIDENT A HIPAA BREACH? It depends IF EPHI IS ENCRYPTED BY RANSOMWARE, OCR SAYS, YES. IS IT A BREACH? BREACH PRESUMED UNLESS LOW PROBABILITY OF COMPROMISE Do the breach risk assessment Get professional help Type and variant of malware How it operates Communications, transfers of data by malware to outside servers Did it propagate? 24

Apple ios, ipad Save as feature Paper too https://www.

25 BREACH RISK ASSESSMENT TOOL DO YOU HAVE ONE? GLOBAL RISK ASSESSMENT TOOL Recently updated Windows 10, Apple ios, ipad Save as feature Paper too risk assessment tool RISK ASSESSMENT TOOL 25

26 RISK ASSESSMENT TOOL RISK ASSESSMENT TOOL YOUR QUESTIONS 26

27 THANK YOU! 27

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Update on HIPAA Administration and Enforcement Marissa Gordon-Nguyen, JD, MPH October 7, 2016 Updates Policy Development Breaches Enforcement Audit 2 POLICY DEVELOPMENT RECENTLY PUBLISHED: RIGHT OF ACCESS,