Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Size: px

Start display at page:

Download "Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance"

Rosanna Kelley
6 years ago
Views:

1 Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin Moriarty, Esq. FTC Division of Privacy & Identity Protection David Holtzman, JD, CIPP/G CynergisTek, Inc. Session Sections 1 HIP Models of Risk Assessment 2 Lessons Learned from Recent HIPAA Breaches 3 Start With Security Lessons Learned from FTC Enforcement CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 2 HIP Models of Risk Assessment CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 3 1

2 Information Security Risk Analysis HIPAA Security Rule CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX HIPAA Security Risk Assessment An assessment of threats and vulnerabilities to information systems that handle e PHI. This provides the starting point for determining what is appropriate and reasonable. Organizations determine their own technology and administrative choices to mitigate their risks. The risk analysis process should be ongoing and repeated as needed when the organization experiences changes in technology or operating environment. CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 5 What is Risk Analysis? The process of: Analyzing threats and vulnerabilities in a specified environment, Determining the impact or magnitude, and Identifying areas needing safeguards or controls CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 6 2

3 Performing a Risk Analysis Gather Information Prepare inventory lists of information assets data, hardware and software. Determine potential threats to information assets. Identify organizational and information system vulnerabilities. Document existing security controls and processes. Develop plans for targeted security controls. Analyze Information Evaluate and measure risks associated with information assets. Rank information assets based on asset criticality and business value. Develop and analyze multiple potential threat scenarios. Develop Remedial Plans Prioritize potential threats based on importance and criticality. Develop remedial plans to combat potential threat scenarios. Repeat risk analysis to evaluate success of remediation and when there are changes in technology or operating environment. CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 7 Example of Security Risk Analysis Administrative Safeguards Security Management Process Risk Analysis Has a policy, procedure or plan been documented & implemented that requires annual risk analysis? Is a risk analysis conducted annually or whenever significant modifications made to a system, facility or network? If yes, then when was the last date? Risk Management Has a risk management policy, procedure or plan been documented and implemented to ensure security measures are in place to reduce risk to an acceptable level? Findings Comments CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 8 Approaches to Privacy Assessment CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 9 3

4 HIPAA Privacy Standards Set Bright Line Privacy Rule s Prime Directive Use and disclose PHI when permitted or required by the rule Provide individuals right to access, amend and authorize disclosure of their PHI Covered Entity must adopt and implement policies that support each standard &processes to support each implementation specification CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 10 Example of HIPAA Privacy Assessment Uses & Disclosures: Organizational Requirements Business Associate Contracts Has a policy and procedure been documented & implemented to identify contractor/vendor relationships where PHI created/maintained? Policy and procedure for reviewing, analyzing and responding to reports where a BA is alleged to have not complied with terms of BA Agreement? Business Associate Agreements Has a procedure been documented and implemented to review the contract with business associates to ensure that each of the required elements are addressed? Findings Comments CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 11 Risk Based Approach to Assess Privacy NIST IR 8062 (Draft) IR 8062 Engineering privacy into design of information systems and information assurance of data in any form Risk based approach to identify threats, impacts and the context in which data is used Developed for needs of federal information systems Baseline FIPPS & NIST SP Appendix J Concepts applicable to sensitive data in any form CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 12 4

Risk Based Approach to Privacy (NIST) Privacy Risk = Likelihood of a Problematic Data Action * Impact Likelihood is determined by contextually based analysis that a data action is likely to create a

5 Risk Based Approach to Privacy (NIST) Privacy Risk = Likelihood of a Problematic Data Action * Impact Likelihood is determined by contextually based analysis that a data action is likely to create a problem for representative set of individuals Impact is determined by an analysis of the adverse affects on an organization of creating the potential for privacy problems Note: Contextual analysis is the comparison of Data Actions, the personal information on which they act, and contextual considerations CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 13 Risk Based Privacy Assessment Condition: CSRs given access to EHR treatment notes Likelihood Significant use >minimum necessary Impact Vulnerable to misuse, inadvertant disclosure, migration of data within CE Risk High risk of compromise CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 14 Risk Based Privacy Assessment Condition: Quality review staff takes paper PHI home Likelihood Moderate to high threat of disclosure due to loss or theft Impact Stigmitization if information revealed through unauthorized disclosure Risk High risk of compromise in absence of appropriate physical safeguards CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 15 5

Breach Assessment CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 info@cynergistek.com cynergistek.

6 Breach Assessment CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX Breach Notification An impermissible acquisition, access, use or disclosure of protected health information Presumed to be reportable Unless the entity can demonstrate that there is a low probability that protected health information has been compromised Safe harbor for encrypted PHI Exceptions for certain inadvertent and incidental uses & disclosures CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 17 Breach Notification Risk Assessment required to demonstrate low probability of compromise 1 2 The nature and extent of PHI involved The unauthorized person who used the PHI or to whom the disclosure was made 3 4 Whether the PHI was actually acquired or viewed The extent of mitigation present Additional factors can be considered CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 18 6

7 Breach Assessment as Yardstick of Risk Goal is to document the findings from the risk assessment using analysis set out in BNR Presented as a systematic and analytical approach to assessing probability of compromise: Gain understanding of type of data lost Identify resources to reduce or correct threats to PHI Measure the risk of compromise Balance the probability of compromise vs. tolerance of risk CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 19 Data Classification What was the nature and extant of the PHI involved in the unauthorized access or disclosure? Was the information of a less sensitive nature like a list of patient names without additional identifying data like, DOB, addresses, or diagnosis? OR Was the information of a highly sensitive nature like patient name and diagnosis or description of treatment encounter, financial information, DOB or SSN#? CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 20 Where Did The Data Go & Who Viewed It? Can it be determined who was the unauthorized person who used the PHI or to whom the disclosure was made? Can each individual who accessed, acquired, used or disclosed the PHI be identified? Do the individuals who accessed the information have obligations to protect the information because they are HIPAA covered entities, business associates, or have some other legal obligation that prevents redisclosure of personally identifiable information? CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 21 7

8 Was the Data Compromised? Was the PHI actually acquired or viewed? Was the media or device containing the unsecured PHI returned prior to being accessed? Does forensic analysis prove that the recovered media or device containing the PHI unsecured PHI was not opened, altered, transferred or compromised? If paper or hard copy PHI was lost, stolen or misdirected, was it in a sealed box or envelope that was returned unopened? CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 22 Mitigation of Risk of Compromise Extent to which the risk to the PHI has been mitigated Was there an opportunity to immediately identify and control further impermissible use or disclosure? Was there assurance obtained from the recipient that information would not be disclosed (NDA)? Did the unauthorized recipient provide assurance that PHI would be securely destroyed? Has the CE or BA obtained a certificate of destruction? CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 23 Resources & Tools CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX info@cynergistek.com 24 8

9 Resources & Tools HIPAA Security Rule Risk Assessment HHS Risk Assessment Tool for Small Providers professionals/securityrisk assessment NIST HIPAA Security Risk Assessment Tool Sample HIPAA Privacy and Security Policies HIPAA Collaborative of Wisconsin (HIPAA COW) California Office of Health Information Integrity State Health Information Privacy Manual shipm manual.htm CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX Questions? Questions? David Holtzman (240)720 CynergisTek, Inc Jollyville Road, Suite 2201, Austin TX Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights 9

10 BREACH NOTIFICATION RULE Breach: Impermissible acquisition, access, use, or disclosure of PHI (paper or electronic). Breach Presumed UNLESS: The CE or BA can demonstrate (through a documented risk assessment) that there is a low probability that the PHI has been compromised based on: Nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification); The unauthorized person who used the PHI or to whom the disclosure was made; Whether the PHI was actually acquired or viewed; and The extent to which the risk to the PHI has been mitigated. HIPAA Covered Entity must notify of all breaches of unsecured PHI. Focus on risk to the data, instead of risk of harm to the individual. HCCA Breaches by Type of Breach as of 7/29/2015 Improper Disposal 4% Unknown 1% Other 8% Hacking/IT 9% Theft 48% Unauthorized Access/Disclosure 20% Loss 9% HCCA Breaches by Location as of 7/29/2015 EMR 4% Other 11% 8% Paper Records 22% Network Server 13% Desktop Computer 12% Laptop 20% Portable Electronic Device 10% HCCA 30 10

BREACH HIGHLIGHTS September 2009 through July 29, 2015 Approximately 1,276 reports involving a breach of PHI affecting 500 or more individuals Theft and Loss are 57% of large breaches Laptops and

11 BREACH HIGHLIGHTS September 2009 through July 29, 2015 Approximately 1,276 reports involving a breach of PHI affecting 500 or more individuals Theft and Loss are 57% of large breaches Laptops and other portable storage devices account for 30% of large breaches Paper records are 22% of large breaches Approximately 177,000+ reports of breaches of PHI affecting fewer than 500 individuals HCCA 31 CLOSED INVESTIGATED CASES HCCA 32 RECENT ENFORCEMENT ACTIONS St. Elizabeth s Medical Center (electronic) Cornell Prescription Pharmacy (paper) Anchorage (electronic) Parkview (paper) NYP/Columbia (electronic) Concentra (electronic) QCA (electronic) Skagit County (electronic and paper) HCCA 33 11

RECENT ENFORCEMENT ACTIONS Lessons Learned: HIPAA covered entities and their business associates are required to undertake a careful risk analysis to understand the threats and vulnerabilities to

Take caution when implementing changes to information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers health

12 RECENT ENFORCEMENT ACTIONS Lessons Learned: HIPAA covered entities and their business associates are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals data, and have appropriate safeguards in place to protect this information. Take caution when implementing changes to information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers health data using the Internet. Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients rights are fully protected as well as the confidentiality of their health data. HCCA 34 LESSONS LEARNED Appropriate Safeguards Prevent Breaches Evaluate the risk to e-phi when at rest on removable media, mobile devices and computer hard drives Take reasonable and appropriate measures to safeguard e-phi Store all e-phi to a network Encrypt data stored on portable/movable devices & media Employ a remote device wipe to remove data when lost or stolen Implement appropriate data backup Train workforce members on how to effectively safeguard data and timely report security incidents HCCA 35 RISK ANALYSIS /providersprofessionals/securityrisk-assessment HCCA 36 12

13 MOBILE DEVICES gov/mobiledevices HCCA 37 PUBLIC OUTREACH INITIATIVES OCR Security Rule Resource Center: HCCA 38 QUESTIONS? HCCA 39 13

14 14

15 Don t collect personal information you don t need. Hold on to information only as long as you have a legitimate business need. Don t use personal information when it s not necessary. Restrict access to sensitive data. Limit administrative access. 15

16 Insist on complex and unique passwords. Store passwords securely. Guard against brute force attacks. Protect against authentication bypass. 16

17 Keep sensitive information secure throughout its lifecycle. Use industry tested and accepted methods. Ensure proper configuration. Segment your network. Monitor activity on your network. 17

18 Ensure endpoint security. Put sensible access limits in place. 18

19 Train your engineers in secure coding. Follow platform guidelines for security. Verify that privacy and security features work. Test for common vulnerabilities. Put it in writing. Verify compliance. 19

20 Update and patch third party software. Heed credible security warnings and move quickly to fix them. 20

21 Securely store sensitive files. Protect devices that process personal information. Keep safety standards in place when data is en route. Dispose of sensitive data securely. ftc.gov/datasecurity business.ftc.gov 21

22 business.ftc.gov business.ftc.gov business.ftc.gov 22

23 business.ftc.gov business.ftc.gov business.ftc.gov 23

24 business.ftc.gov bulkorder.ftc.gov 24

25 25

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits Iliana L. Peters, J.D., LL.M. Senior Advisor for HIPAA Compliance and Enforcement OCR RULEMAKING UPDATE What s s Done?