HIPAA & IT THE HIPAA SECURITY RULE AND THE ROLE OF THE IT PROFESSIONAL DOES YOUR IT PROVIDER UNDERSTAND THEIR ROLE AND ARE THEY COMPLIANT?

Transcription

1 HIPAA & IT THE HIPAA SECURITY RULE AND THE ROLE OF THE IT PROFESSIONAL DOES YOUR IT PROVIDER UNDERSTAND THEIR ROLE AND ARE THEY COMPLIANT?

2 Are You a Covered Entity Or a Business Associate to a Covered Entity? OCR has Direct Jurisdiction over your company, that means your organization must be HIPAA Compliant. You can even go to prison for mishandling patient records.

3 Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients health information. OCR Former Director Jocelyn Samuels

4 Covered Entities Must Have a Risk Management Plan Manage Risks by Appling Appropriate Safeguards Commercial Grade Firewall Commercial Grade Anti-Virus Patch Critical Vulnerabilities Harden the Network on Routine Basis Audit Access to Patient Records Apply Least Privileges Train Staff on HIPAA Requirements Apply Compensating Controls

5 Covered Entities Must Encrypt or Document Compensating Controls Encryption Screen Shots Showing Data is Encrypted Document Method of Encryption Describe Reasoning for Encryption Method Used Show Key Management Process

6 Covered Entities Must Plan for Contingencies Administrative Safeguards. (7) Standard: (i) Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. (ii) Implementation specifications: (A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. (B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data. (C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. (D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans. (E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.

7 Covered Entities Must Have a Documented Security Incident Plan 45 CFR Administrative Safeguards. Security Incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. Incident Response Objectives Preserve Data Investigate the behavior of the malware/incident Determine if PHI was exfiltrated or compromised

8 Covered Entities Must Have A Business Associate Agreement with Your Company It is Recommended that they vet your Organization for HIPAA compliance. It is a HIPAA violation, Impermissible Disclosure for a Covered Entity to have a Business Associate without a Business Associate Agreement.

9 Covered Entities Must Use Unique identifiers for Windows (OS) and EHR.

10 Documentation is Key If it s not documented, It s not done. We ask for a lot of documentation because the law requires it. Iliana Peters: Health Information Privacy Specialist Office for Civil Rights U.S. Department of Health & Human Services

11 Documentation is Key HIPAA Documentation Retention Requirement is 6 Years.

12 The Bigger the Practice, the bigger the fine. OCR will treat a single practice that is part of a larger organization as a big practice. All practices in an organization are responsible for the other practices in the group.

13 Business Associates Must Report Security Incidents to the Covered Entity. HIPAA defines security incidents as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. Attempts (either failed or successful) to gain unauthorized access to electronic PHI (ephi) or a system that contains ephi. Unwanted disruption or denial of service to systems that contain ephi. Unauthorized use of a system for the processing or storage of ephi data. Changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent. Improper Disposal Loss/Theft

14 Business Associates Must Report Security Incidents to the Covered Entity. The reporting requirement for Security Incidents shall not include inconsequential incidents that occur on a frequent basis such as port scans or pings, unsuccessful logon attempts, broadcast attacks on Business Associate s firewall, malware, denials of service or any combination thereof that are detected and neutralized by Business Associate s anti-virus and other defensive software and not allowed past Business Associate s firewall, unless such incident results in unauthorized access, use, destruction, modification or disclosure of PHI.

15 Breaches of PHI Hacking and IT Incidents Account for 17% (2017 Update) of Major Breaches Major Breach 500 Records or More Major Attack Vector Weak Passwords Reduce/Control/Accept Known Vulnerabilities

16 RANSOMWARE Ransomware is a HIPAA Breach. Access of PHI meets the definition of a Breach. Covered Entities need to have a documented Security Incident Plan in Place. Costs are staggering.

17 RANSOMWARE Every incident of Ransomware must be documented with a Breach Risk Assessment to determine if a Reportable Breach has occurred. Items to document include: Variant of the Ransomware Number of Patient Records Affected Network Activity Does the organization have a Syslog Server? Did the Malware Communicate with the Attacker Number of Days In the System A Network Activity Review Review for Other Malware such as Backdoors Data Integrity Checks Reasonable Security Measures in Place Boot Drive Locked or Files Locked

18 RANSOMWARE & Other Breaches of PHI The following information is helpful to obtain from employees who are reporting a known or suspected breach involving PHI. Person reporting the incident Person who discovered the incident Date and time the incident was discovered Nature of the incident Name of system and possible interconnectivity with other systems Description of the information lost or compromised Storage medium from which information was lost or compromised Controls in place to prevent unauthorized use of the lost or compromised information Number of individuals potentially affected Whether law enforcement was contacted.

19 RANSOMWARE & Other Breaches of PHI PHI should not be sanitized until a determination has been made about whether the PHI must be preserved as evidence. Particular attention should be paid to using proper forensics techniques to ensure preservation of evidence.

20 MINIMUM SECURITY REQUIREMENTS The minimum security requirements cover seventeen security-related areas with regard to protecting the confidentiality, integrity, and availability of the information processed, stored, and transmitted by those systems. The security-related areas include: (i) access control; (ii) awareness and training; (iii) audit and accountability; (iv) certification, accreditation, and security assessments; (v) configuration management; (vi) contingency planning; (vii) identification and authentication; (viii) incident response; (ix) maintenance; (x) media protection; (xi) physical and environmental protection; (xii) planning; (xiii) personnel security; (xiv) risk assessment; (xv) systems and services acquisition; (xvi) system and communications protection; and (xvii) system and information integrity. These areas represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting PHI.

21 Security Controls to Review Inventory of Authorized and Unauthorized Devices Inventory of Authorized and Unauthorized Software Malware Defenses Wireless Access Control Data Recovery Capability Secure Configurations for Network Devices such as Firewalls, Router, and Switches

22 Security Controls to Review Limitation and Control of Network Ports, Protocols and Services Controlled Use of Administrative Privileges Maintenance, Monitoring and Analysis of Audit Logs Controlled Access Based on Minimum Necessary Account Monitoring and Control Incident Response and Management Vulnerability Scans and Penetration Testing

23 Cloud Computing When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ephi (such as to process and/or store ephi), on its behalf, the CSP is a business associate under HIPAA. Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ephi on its behalf, the CSP subcontractor itself is a business associate. This is true even if the CSP processes or stores only encrypted ephi and lacks an encryption key for the data. Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules. As a result, the covered entity (or business associate) and the CSP must enter into a HIPAA compliant Business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.

24 Cloud Computing Service Level Agreement (SLA) is commonly used to address more specific business expectations between the CSP and its customer, which also may be relevant to HIPAA compliance. For example, SLAs can include provisions that address such HIPAA concerns as: System availability and reliability; Backup and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation); Manner in which data will be returned to the customer after service use termination; Security responsibility; and Use, retention and disclosure limitations.

25 Cloud Computing Service Level Agreement should include: Availability Backup Security Controls Accounting of Disclosures Return/Destroy

26 Cloud Computing Privacy Rule Considerations A business associate may only use and disclose PHI as permitted by its BAA and the Privacy Rule, or as otherwise required by law. While a CSP that provides only no view services to a covered entity or business associate customer may not control who views the ephi, the CSP still must ensure that it itself only uses and discloses the encrypted information as permitted by its BAA and the Privacy Rule, or as otherwise required by law. This includes, for example, ensuring the CSP does not impermissibly use the ephi by blocking or terminating access by the customer to the ephi.

27 Cloud Computing Further, a BAA must include provisions that require the business associate to, among other things, make available PHI as necessary for the covered entity to meet its obligations to provide individuals with their rights to access, amend, and receive an accounting of certain disclosures of PHI in compliance with 45 CFR (e)(2)(ii)(E)(G). The BAA between a noview CSP and a covered entity or business associate customer should describe in what manner the noview CSP will meet these obligations for example, a CSP may agree in the BAA that it will make the ephi available to the customer for the purpose of incorporating amendments to ephi requested by the individual, but only the customer will make those amendments.

28 Cloud Computing Further, a CSP that meets the definition of a business associate that is a CSP that creates, receives, maintains, or transmits PHI on behalf of a covered entity or another business associate must comply with all applicable provisions of the HIPAA Rules, regardless of whether it has executed a BAA with the entity using its services. See 78 Fed. Reg. 5565, 5598 (January 25, 2013). OCR recognizes that there may, however, be circumstances where a CSP may not have actual or constructive knowledge that a covered entity or another business associate is using its services to create, receive, maintain, or transmit ephi. The HIPAA Rules provide an affirmative defense in cases where a CSP takes action to correct any noncompliance within 30 days (or such additional period as OCR may determine appropriate based on the nature and extent of the noncompliance) of the time that it knew or should have known of the violation (e.g., at the point the CSP knows or should have known that a covered entity or business associate customer is maintaining ephi in its cloud). 45 CFR This affirmative defense does not, however, apply in cases where the CSP was not aware of the violation due to its own willful neglect.

29 Mobile Device Management 1. Enable encryption to protect health information stored or sent by mobile devices. 2. Use a password or other user authentication. 3. Install and activate wiping and/or remote disabling to erase the data on your mobile device if it is lost or stolen. 4. Disable and do not install or use filesharing applications. 5. Install and enable a firewall to block unauthorized access. 6. Install and enable security software to protect against malicious applications, viruses, spyware, and malware-based attacks. 7. Keep your security software up to date. 8. Research mobile applications (apps) before downloading. 9. Maintain physical control of your mobile device. 10. Use adequate security to send or receive health information over public Wi-Fi networks. 11. Delete all stored health information on your mobile device before discarding it.

30 Patching You Must Manage Known Software Vulnerabilities Deciding what to prioritize is a critical business decision. Most vulnerabilities being exploited today are at least a year old and some have been around for several years. Having a Patch Program In Place is a HIPAA Requirement of the Security Rule.

31 System Activity Review - Auditing REQUIRED by The HIPAA Security Rule INFORMATION SYSTEM ACTIVITY REVIEW Section (a)(1)(ii)(D) "Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports." Section (1)(b), Audit controls (required), which states organizations must "implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."

32 System Activity Review - Auditing Application audit trails Normally monitor and log user activities in the application. This includes the application data files opened and closed, and the creating, reading, editing, and deleting of application records associated with ephi. System-level audit trails Usually capture successful or unsuccessful log-on attempts, logon ID/username, date and time of each log-on/off attempt, devices used to log-on, and the application the user successfully or unsuccessfully accessed. User audit trails Normally monitor and log user activity in a ephi system or application by recording events initiated by the user, such as all commands directly initiated by the user, log-on attempts with identification and authentication, and access to ephi files and resources. Is Windows Audit Logging Turned On???

33 System Activity Review - Auditing Performance of periodic reviews of audit logs is useful for: 1. Detecting unauthorized access to patient information 2. Establishing a culture of responsibility and accountability 3. Reducing the risk associated with inappropriate accesses (Note: Behavior may be altered when individuals know they are being monitored) 4. Providing forensic evidence during investigations of suspected and known security incidents and breaches to patient privacy, especially if sanctions against a workforce member, business associate, or other contracted agent will be applied 5. Tracking disclosures of PHI 6. Responding to patient privacy concerns regarding unauthorized access by family members, friends, or others 7. Evaluating the overall effectiveness of the organization s policy and user education regarding appropriate access and use of patient information (Note: This includes comparing actual workforce activity to expected activity and discovering where additional training or education may be necessary to reduce errors) 8. Detecting new threats and intrusion attempts 9. Identifying potential problems 10. Addressing compliance with regulatory and accreditation requirements

34 System Activity Review - Auditing The breach is considered discovered by a covered entity or business associate as of the first day on which a breach is or should have reasonably been known to have occurred It is a difficult concept basically prompting covered entities and business associates to have robust programs in place to identify when breaches happen and to respond immediately to these breaches BECAUSE THEY CAN T PUT THEIR HEAD IN THE SAND AND SAY WE DIDN T KNOW. Iliana Peters: Health Information Privacy Specialist Office for Civil Rights U.S. Department of Health & Human Services

35 Minimum Necessary The minimum necessary standard, a key protection of the HIPAA Privacy Rule, is derived from confidentiality codes and practices in common use today. It is based on sound current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. Use Test/Dummy Data Instead of Actual Patient Data When Possible.

36 February 1, 2017 Lack of timely action risks security and costs money The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) civil money penalty against Children s Medical Center of Dallas (Children s) based on its impermissible disclosure of unsecured electronic protected health information (ephi) and non-compliance over many years with multiple standards of the HIPAA Security Rule. OCR issued a Notice of Proposed Determination in accordance with 45 CFR , which included instruction for how Children s could file a request for a hearing. Children s did not request a hearing. Accordingly, OCR issued a Notice of Final Determination and Children have paid the full civil money penalty of $3.2 million. Children s is a pediatric hospital in Dallas, Texas, and is part of Children s Health, the seventh largest pediatric health care provider in the nation. On January 18, 2010, Children s filed a breach report with OCR indicating the loss of an unencrypted, non-password protected BlackBerry device at the Dallas/Fort Worth International Airport on November 19, The device contained the ephi of approximately 3,800 individuals. On July 5, 2013, Children's filed a separate HIPAA Breach Notification Report with OCR, reporting the theft of an unencrypted laptop from its premises sometime between April 4 and April 9, Children's reported the device contained the ephi of 2,462 individuals. Although Children's implemented some physical safeguards to the laptop storage area (e.g., badge access and a security camera at one of the entrances), it also provided access to the area to workforce not authorized to access ephi. OCR s investigation revealed Children s noncompliance with HIPAA Rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9, Despite Children's knowledge about the risk of maintaining unencrypted ephi on its devices as far back as 2007, Children's issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until The Notice of Proposed Determination and Notice of Final Determination may be found on the OCR website at

37 $750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies OCR received notification from Cancer Care regarding a breach of unsecured electronic protected health information (ephi) after a laptop bag was stolen from an employee s car. The bag contained the employee s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients.

38 Train Staff on Internet Usage Restrictions and the danger of s with Attachments and Hyperlinks. HIPAA settlement $750,000 The U.S. Department of Health and Human Services Office for Civil Rights (OCR) initiated its investigation of the UWM following receipt of a breach report on November 27, 2013, which indicated that the electronic protected health information (ephi) of approximately 90,000 individuals was accessed after an employee downloaded an attachment that contained malicious malware. The malware compromised the organization s IT system, affecting the data of two different groups of patients: 1) approximately 76,000 patients involving a combination of patient names, medical record numbers, dates of service, and/or charges or bill balances; and 2) approximately 15,000 patients involving names, medical record numbers, other demographics such as address and phone number, dates of birth, charges or bill balances, social security numbers, insurance identification or Medicare numbers.

39 HIPAA Settlement Highlights Importance of Safeguards When Using Internet Applications St. Elizabeth s Medical Center (SEMC) will pay $218,400 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. OCR received a complaint alleging noncompliance with the HIPAA Rules by SEMC workforce members. Specifically, the complaint alleged that workforce members used an internet-based document sharing application to store documents containing electronic protected health information (ephi) of at least 498 individuals without having analyzed the risks associated with such a practice. Additionally, OCR s investigation determined that SEMC failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.

40 Separately, on August 25, 2014, SEMC submitted notification to HHS OCR regarding a breach of unsecured ephi stored on a former SEMC workforce member s personal laptop and USB flash drive, affecting 595 individuals.

41 HHS settles with health plan in photocopier breach case Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $1,215,780. Affinity estimated that up to 344,579 individuals may have been affected by this breach. OCR s investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ephi) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.

42 NYP agrees to pay HHS the amount of three million three hundred thousand dollars ($3,300,000.00) ( Resolution Amount ). NYP agrees to pay the Resolution Amount on the Effective Date of this Agreement as defined in paragraph 14 by automated clearing house transaction pursuant to written instructions to be provided by HHS. NYP failed to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ephi. NYP failed to implement processes for assessing and monitoring all IT equipment, applications, and data systems that were linked to NYP patient data bases prior to the breach incident, and failed to implement security measures sufficient to reduce the risks and vulnerabilities to its ephi to a reasonable and appropriate level. NYP failed to implement appropriate policies and procedures for authorizing access to its NYP patient data bases, and it failed to comply with its own policies on information access management.

43 HIPAA Settlement Reinforces Lessons for Users of Medical Devices Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Lahey will pay $850,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. Lahey notified OCR that a laptop was stolen from an unlocked treatment room during the overnight hours on August 11, The laptop was on a stand that accompanied a portable CT scanner; the laptop operated the scanner and produced images for viewing through Lahey s Radiology Information System and Picture Archiving and Communication System. The laptop hard drive contained the protected health information (PHI) of 599 individuals. Evidence obtained through OCR s subsequent investigation indicated widespread noncompliance with the HIPAA rules, including:

44 Failure to conduct a thorough risk analysis of all of its ephi; Failure to physically safeguard a workstation that accessed ephi; Failure to implement and maintain policies and procedures regarding the safeguarding of ephi maintained on workstations utilized in connection with diagnostic/laboratory equipment; Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident; Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident; and

45 BULLETIN: HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software ACMHS will pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program. The security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.

46 Triple-S Management Corporation Settles HHS Charges by Agreeing to $3.5 Million HIPAA Settlement OCR s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including: Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries PHI; Impermissible disclosure of its beneficiaries PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ephi; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ephi to a reasonable and appropriate level.

47 Overlooking risks leads to breach, $400,000 settlement MCPN filed a breach report with OCR indicating that a hacker accessed employees' accounts and obtained 3,200 individuals' ephi through a phishing incident. OCR s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-february Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ephi environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis. When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.

48 April 24, 2017 $2.5 million settlement shows that not understanding HIPAA requirements creates risk HHS Office for Civil Rights (OCR) that a workforce member s laptop was stolen from a parked vehicle outside of the employee s home. The laptop contained the ephi of 1,391 individuals. OCR s investigation into the impermissible disclosure revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the Pennsylvania based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ephi, including those for mobile devices.

49 April 20, 2017 No Business Associate Agreement? $31K Mistake HHS Office for Civil Rights (OCR) initiated a compliance review of the Center for Children s Digestive Health (CCDH) following an initiation of an investigation of a business associate, FileFax, Inc., which stored records containing protected health information (PHI) for CCDH. While CCDH began disclosing PHI to Filefax in 2003, neither party could produce a signed Business Associate Agreement (BAA) prior to Oct. 12, 2015.

50 February 16, 2017 $5.5 million HIPAA settlement shines light on the importance of audit controls HHS Office for Civil Rights (OCR) that the protected health information (PHI) of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. This information consisted of the affected individuals names, dates of birth, and social security numbers. The login credentials of a former employee of an affiliated physician s office had been used to access the ephi maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users right of access, as required by the HIPAA Rules. Further, MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.

51 Forms to Review Audit Management Report by IT Professional Breach Risk Assessment Computer Incident Reporting Form Security Incident Plan Security Incident Report HIPAA Network Hardening Report Ransomware Defense Sheet

52 Thank You For Your Time and Attention Levco Technologies is dedicated to simplifying the HIPAA regulations and offering compliance services, security risk assessments and detailed documentation as required by the HIPAA Audit Protocol. For more information, please contact us at: (407) * (312) * (813)