Overview of Presentation

Transcription

1 A HIPAA Security Incident and Investigation. It Can Happen to You. Sandra a L. Sessoms, RN, CPHQ, CHC Interim Vice President, System Compliance West Penn Allegheny Health System Robert R. Michalski, CHC Chief Compliance Officer Baylor Health Care System 1

2 Disclaimer This presentation and the opinions expressed are not necessarily those of the West Penn Allegheny Health System nor the Baylor Health Care System and it is not intended to provide all the information that is needed to audit or comply with various information privacy or security requirements. 2

3 Overview of Presentation 1. The Breach 2. Response to Breach 3. Corrective Actions 4. Notification of Audit 5. Audit Process 6. Response/Corrective Actions 7. Lessons Learned 8. Questions and Discussion 3

4 Course Objectives This presentation will provide the participant with: An overview of an actual federal investigation from the viewpoint of a healthcare provider. The role of the internal audit and compliance department in auditing i to validate ai aeallegations. The role of the internal audit and compliance department in developing a response to findings and an action plan for correction. Strategies to effectively communicate findings and corrective actions to external agents or auditors. 4

5 West Penn Allegheny Health System 5 Key Statistics Located in Pittsburgh, Pennsylvania Tertiary Hospitals: Allegheny General Hospital The Western Pennsylvania Hospital Community Hospital Campuses: AGH Suburban Campus Alle Kiski Medical Center Canonsburg General Hospital WPH Forbes Regional Campus Houses nearly 2,000 beds Employs over 13,000 people Admits nearly 79,000 patients per year Logs over 200,000 emergency visits

6 The Breach: November 2007 Home Care Employee s business laptop computer was stolen from home during robbery Computer was in process of synchronizing that could occur with the edatabase open or closed 6

7 Self Investigation Implemented Security Incident Response Policy with ihidentified d Team Members Tested computer settings to determine if computer timed out or logged off automatically ti Computer was on and database to patient information was open 7

8 Self Investigation Evaluated database size and elements Findings: 42,630 patients with PHI, social security numbers, etc. Examined disclosure requirements PA Breach of Personal Information Notification Act 8

9 PA Law for Disclosure Requirements Report Breaches to any resident whose unencrypted and unredacted dpersonal information was or is reasonably believed to have been accessed and acquired by an unauthorized person the disclosure notice shall be made without unreasonable delay. 9

10 PA Law for Disclosure Requirements When an entity provides notification under this act to more than 1,000 persons at one time, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in section 603 of the Fair Credit Reporting Act 22 (Public Law , 15 U.S.C. 1681a), of the timing, distribution and number of notices. 10

11 Federal Trade Commission The FTC website provides a model letter re: notification of people whose names and Social Security numbers (may) have been stolen. Recommendations: fraud alerts be placed on credit reports review credit reports periodically to keep track of whether their information is being misused. 11

12 Response to Breach: December Notification of Patients by Letter Offer of Credit Monitoring i Services The patients were offered credit fraud alerts and monitoring at no cost for 1 year by any of the 3 major credit bureaus including Equifax, Experian or TransUnion. Establishment of Call Center Interviews with Media Daily conference calls to discuss and mitigate issues

13 Response to Breach: January 2008 Second Distribution of Returned Notification Letters 11,500 returned 2, had forwarding address 2,276 located in national change of address database Notification of Guarantors 5,000 guarantors identified 13

14 Discussion i with Software Vendor Encryption technology Removal of social security number field 14

15 Discussion i with PA Department of Health 15 Considered infrastructure failure Condition of Medicare Mdi Participation i (d)(1) The patient has the right to the confidentiality of his or her clinical records. Interpretive Guidelines The right to confidentiality means safeguarding the content of information, including patient paper records, video, audio, and/or computer stored information from unauthorized disclosure without specific informed consent. Required reporting and corrective action plan

16 Root Cause Analysis Issues identified: Lack of automatic sign off Lack of modern encryption methodology Lack of limits it on the number of patients t maintained in database Storing of social security numbers of patients and guarantors 16

17 Corrective Ati Actions Implemented 17 Auto Log Off mandated and installed Medicare and Social Security numbers removed Storage of patient data limited i to current and recent patients Staff re educated don changes

18 Fast Forward: April Audit Notification: April 30, 2008 Letter Sent by CMS; Auditor: PricewaterhouseCoopers Phone Call Received: May 14, 2008 Conference Call Held: May 19, 2008 Scope of Audit Expectations Initial List of Documents Entrance Conference: May 27, 2008 Areas of review Primary criteria for evaluation Reporting poe process Clarification of documents requested

19 Documents Requested for Review: Administrative Safeguards 19 Policies and Procedures on: protection of PHI and EPHI monitoring of access, violations, and follow up activities granting access, role based profiles and remote access profiles transfer of access; promotions recertification of access annually virus identification software passwords

20 Documents Requested for Review: Administrative Safeguards Risk Assessments Job Description for Privacy/HIPAA Official Training Materials Internal Audit review of HIPAA compliance 20

21 Documents Requested for Review: Administrative Safeguards Lists Incident Response Team Members Employees (name, dept/cost center and job title, hire date) IS organization chart, including HIPAA Security Officer 21

22 Documents Requested for Review: Physical and Technical Safeguards Policies and Procedures (Physical Safeguards) 22 Maintenance of hardware Workstation security Policies i and Procedures (Technical Safeguards) Use of generic, group or system IDs Disabling vendor supplied defaults Dial up remote access Encryption/decryption Transmission security

23 Documents Requested for Review: Physical and Technical Safeguards Configuration standards for platforms which store, transmit or process EPHI Evidence of implementation of password policies on platforms which store, transmit or process EPHI List of all users with dial up/remote access Listing of all user IDs with access to all datasets/files within scope application and General Support Systems 23

24 Documents Requested for Review: Remote Access Policies and Procedures Back up of data into remote devices Downloading of EPHI on remote devices Protecting ti lost or stolen credentials Granting remote access Entity wide configuration management Entity wide patch management 24

25 Documents Requested for Review: Remote Access Rules of behavior/personal security for laptop users Firewall protection on laptops Connection settings for secure website Lists of providers with remote access and laptops 25

26 Onsite Audit: May 27 June 9, 2008 Opening Meeting Discussion of Breach and Response Interviews Informal Updates Formal Updates 26

27 Standards Used by Auditors HIPAA Security Rules National linstitute for Standards d and Technology (NIST) CMS HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information 27

28 Testing of Policies Granting of Access Password Management Log On Procedure Auto Log off 28

29 Audit Findings 29 Corporate wide policies not updated at specific hospital site Not abiding by internal policy for use of locking cables Access authorization forms not completed for users who were part of a conversion Lack of system wide patch management policy

30 Audit Findings Password policy did not require complex passwords Laptops did not have auto log off although h the software application was updated for this after the incident. Lack of detailed guidance on acceptable storage mediums for EPHI 30

31 Corrective Action Plan Draft report submitted from PWC to WPAHS for review Confirmed agreement on findings Report submitted to CMS by PWC Corrective Action Plan required to be submitted within ihi 4 weeks 31

32 Corrective Action Plan Established policy for: Access authorization Patch management Annual user recertification Purchased locking cables Added formal approval page for risk assessment Added review dates to all policies/procedures to track changes; addressed timely updating of policies promulgated by HIPAA Security Officer Education and Auditing 32

33 Corrective Action Plan Hired a full time dedicated HIPAA Security Officer! 33

34 CMS Response Received letter dated April 2009 Requested evidence of completion of corrective action plans Response submitted June

35 Lessons Learned Limit storage of data on mobile devices Monitor vendors for maintaining compliance with HIPAA security standards Do not permit deviation from policy; require notification of HIPAA Security Officer Audit compliance with policies Audit corrective action plans 35

36 Lessons Learned Working with Auditors: Timely response Organization Dialogue Honesty 36

37 Lessons Learned: Cost of a Security Breach Labor estimate to staff call center: $40,000 (4,074 calls, s, voic s) il Credit Monitoring Services: $57,385 (842 people selected dti Triple Alert/Credit Check) Mailings: $28,000 News Story: priceless 37

38 Best Suggested Practices Perform Risk Assessment to address ephi in terms of database size and duration that it will be stored on mobile devices Require approval for remote access with signed attestation by user regarding responsibilities Educate user on responsibilities of use of mobile devices with return demonstration 38

39 Best Suggested Practices Require encryption technology for portable or remote devices that store ephi Password protect files and portable devices that store ephi Deploy security updates to portable devices Test for password sign on and auto log off Actively Audit Live Situations 39

40 Audit Tools Audit checklist for security of portable devices with or without remote access Sample policy on Locking Cables Sample policy on Patch Management 40

41 References 41 (Computer Security Resource Center Special Publication (SP) and SP ) (The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information) html (Office of Civil Rights HIPAA Laws) p// / / / ecurityguidanceforremoteusefinal pdf (Security Guidance for Remote Use and Access of ephi)

42 Thanks for joining us today! Sandra L. Sessoms West Penn Allegheny Health System Robert R. Michalski edu Baylor Health Care System 42