Securing IT Infrastructure
Improve information exchange and comply with HIPAA, HITECH, and ACA mandates
Ruby Raley, Director Healthcare Solutions, Axway
Agenda
Topics:
- Using risk assessments to improve security and efficiency in clinical record exchange
- Meeting Meaningful Use Stage 2 (MUS2) requirements
- Governance and visibility of information and health records exchange to minimize risk
- Considerations to drive efficient information exchange to improve care and reduce costs
HIPAA Omnibus Final Rule
- HIPAA Privacy, Security and Enforcement Rules mandated by the HITECH Act
- Business Associates directly liable for compliance with HIPAA Privacy and Security Rule requirements
- Enforcement of noncompliance with HIPAA rules due to willful neglect
Disclosure:
- Strengthen limitations on use & disclosure of PHI for marketing and fundraising
- Prohibit sale of PHI without individual authorization
- Expand individual rights to receive electronic copies of their health information
- Restrict disclosures to a health plan if the individual paid out of pocket in full
- Require modifications to, and redistribution of, the CE's notice of privacy practices
- Facilitate research & disclosure of child immunization proof to schools
- Enable access to decedent information by family members
HIPAA Omnibus Rule Effective
- Effective March 26, 2013
- Covered Entities (CE) and Business Associates (BA) of all sizes will have 180 days beyond the effective date to comply (September 2013)
- Including the Breach Notification Rule
- HIPAA Privacy Rule changes under GINA (Genetic Information)
Risk Assessment: HIPAA Regulations
All electronic protected health information (EPHI) created, received, maintained or transmitted by a covered entity is subject to the Security Rule. Covered entities are required to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of EPHI. The Security Rule requires covered entities to evaluate risks & vulnerabilities in their environments and to implement policies & procedures to address those risks and vulnerabilities.
Risk Assessment: HIPAA
The Security Management Process standard has four required implementation specifications. Two of the implementation specifications are Risk Analysis and Risk Management. The required implementation specification at 164.308(a)(1)(ii)(A), for Risk Analysis, requires a covered entity to "[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity." The required implementation specification at 164.308(a)(1)(ii)(B), for Risk Management, requires a covered entity to "[i]mplement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a) [(the General Requirements of the Security Rule)]." These processes will form the foundation upon which an entity's necessary security activities are built. (68 Fed. Reg. 8346.)
Risk Assessment: HITECH Meaningful Use Stage 2
"Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process" for EPs at 495.6(j)(16)(ii) and eligible hospitals and CAHs at 495.6(l)(15)(ii).
"We proposed this measure because the implementation of CEHRT has privacy and security implications under 45 CFR 164.308(a)(1). A review must be conducted for each EHR reporting period and any security updates and deficiencies that are identified should be included in the provider's risk management process and implemented or corrected as dictated by that process."
Source: Federal Register, 2012-21050_PI, pages 132-134
Risk Assessment: HITECH Meaningful Use Stage 2
"Recent HHS analysis of reported breaches indicates that almost 40 percent of large breaches (breaches affecting 500 or more individuals) involve lost or stolen devices. Had these devices been encrypted, their data would have been secured. It is for these reasons that we specifically call out this requirement under 45 CFR 164.308(a)(1)."
Source: Federal Register, 2012-21050_PI, pages 132-134
Getting Started
The NIST Risk Assessment Methodology Flowchart in NIST SP 800-30 contains 9 steps. Each risk assessment activity produces an output:
1. System Characterization -> Boundary, functions, criticality
2. Threat Identification -> Threat statement
3. Vulnerability Identification -> List of potential vulnerabilities
4. Control Analysis -> List of current and planned controls
5. Likelihood Determination -> Likelihood rating
6. Impact Analysis -> Impact rating
7. Risk Determination -> Risks and risk levels
8. Control Recommendations -> Recommended controls
9. Results Documentation -> Assessment report
Risk Assessment: Key Components
- What? Include all forms of electronic media, all devices, networks.
- Where? Identify where PHI is stored, received, maintained or transmitted. Include physical security of systems and human access to the data.
- How? Assess effectiveness of current policy and procedures.
- Who? Identify threats, holes and weaknesses: human, system & environmental.
- When? Determine the probability of a loss.
- How much? Identify risk level and scope of potential loss.
Results:
- Document findings, both pros and cons
- Assign risk level
- Identify corrective actions
Plan for the Unexpected
As part of the Risk Assessment and regular policy and procedures, you need to:
- Identify risk in your infrastructure
- Have a plan to reduce the risk
- If you decide not to, document why
What is risk?
- Vulnerability
- Threat
- Probability
Identify Vulnerabilities
Vulnerability: "[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy."
- Non-technical vulnerabilities: gaps or flaws in operational processes and work flows
- Technical vulnerabilities: holes, flaws or weaknesses in the application software, technical infrastructure or system provisioning
Identify Threats
Threat: "[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability."
- Natural threats: floods, earthquakes, tornadoes, and landslides
- Environmental threats: unforeseen disruption due to power failures, excess water, fire
- Human threats: theft, errors, accidents
Quantify Risk
Risk is "[t]he net mission impact considering (1) the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular [vulnerability] and (2) the resulting impact if this should occur.... [R]isks arise from legal liability or mission loss due to
1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
2. Unintentional errors and omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and operation of the IT system."
Do Something About Risk
If you know you have a risk, you must:
- Mitigate it, OR
- Document why NO action is required
Reasonable Expectation: what a similar IT shop would do
Willful Neglect: penalties, fines and damages
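As an added illustration that is not part of the presentation, the following Python carries the NIST SP 800-30 flowchart from the Getting Started slide through its risk determination and documentation steps on a constructed ePHI inventory, and enforces the rule on this slide: every identified risk must carry either a recommended control or a documented reason for taking no action. The likelihood and impact scales and the High/Medium/Low risk thresholds are those of the original 2002 edition of SP 800-30; the assets, ratings and decisions are made up for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Rating scales from the original NIST SP 800-30 (2002), Tables 3-6 and 3-7.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

@dataclass
class RiskItem:
    asset: str          # step 1: system or media holding ePHI
    threat: str         # step 2: threat statement
    vulnerability: str  # step 3: weakness the threat could exercise
    likelihood: str     # step 5: rating after weighing current controls (step 4)
    impact: str         # step 6: effect on ePHI confidentiality/integrity/availability
    recommended_control: Optional[str] = None   # step 8: planned risk reduction
    acceptance_rationale: Optional[str] = None  # or why no action is required

def risk_level(likelihood, impact):
    """Step 7: likelihood x impact mapped onto the SP 800-30 risk scale."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    return score, "High" if score > 50 else "Medium" if score > 10 else "Low"

def build_register(items):
    """Step 9: assessment record, highest risk first. A known risk must carry
    either a recommended control or a documented reason for taking no action."""
    register = []
    for it in items:
        if not (it.recommended_control or it.acceptance_rationale):
            raise ValueError(f"undecided risk: {it.asset} / {it.threat}")
        score, level = risk_level(it.likelihood, it.impact)
        decision = it.recommended_control or "accept: " + it.acceptance_rationale
        register.append({"asset": it.asset, "threat": it.threat, "score": score,
                         "level": level, "decision": decision})
    return sorted(register, key=lambda r: r["score"], reverse=True)

# Constructed sample inventory; assets and ratings are illustrative only.
SAMPLE = [
    RiskItem("Clinician laptop with cached ePHI", "Device lost or stolen",
             "No full-disk encryption", "High", "High",
             recommended_control="Deploy full-disk encryption with key escrow"),
    RiskItem("Claims feed to clearinghouse", "Interception in transit",
             "Batch files sent over plain FTP", "Medium", "High",
             recommended_control="Move the feed to an encrypted managed channel"),
    RiskItem("EHR database server", "Power failure", "Single feed, no UPS",
             "Medium", "Medium", recommended_control="Install UPS, test failover"),
    RiskItem("Encrypted backup tapes", "Tape misplaced in transit",
             "Manual chain-of-custody log", "Low", "High",
             acceptance_rationale="media is encrypted, so loss exposes no ePHI"),
]
```

Calling build_register(SAMPLE) yields the laptop at High (100), the FTP feed and the server at Medium (50 and 25), and the encrypted tapes at Low (10) with the acceptance rationale recorded in place of a control.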
Doing Something
OCR says Risk Analysis is a critical factor in assessing whether an implementation specification or an equivalent measure is reasonable and appropriate:
- Design appropriate personnel screening processes. (45 C.F.R. 164.308(a)(3)(ii)(B).)
- Identify what data to back up and how. (45 C.F.R. 164.308(a)(7)(ii)(A).)
- Decide whether and how to use encryption. (45 C.F.R. 164.312(a)(2)(iv) and (e)(2)(ii).)
- Address what data must be authenticated in particular situations to protect data integrity. (45 C.F.R. 164.312(c)(2).)
- Determine the appropriate manner of protecting health information transmissions. (45 C.F.R. 164.312(e)(1).)
Risk Assessments: Related Links
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
http://www.ofr.gov/(x(1)s(uzclbwrx5fwqm2w2mipkysrh))/OFRUpload/OFRData/2012-21050_PI.pdf
Considerations for Governance & Visibility
- The New World of Compliance: provisioning to standards, service management, encrypted channels
- Walk the Talk: policy compliance
- Managing Access: the 3 A's
- Rise of Human: consistent user experience, multiple connections
- Delivery Assurance: restart/retry, non-repudiation
- Rise of Real-Time: right channel, right time
- View, Download, Transmit: patient access, mobile access
- Inside your world / outside your world
Governance and Visibility
The value of standardization: access and connections
Access:
- Multi-location physician must record encounters live
- Managing patient identity is essential
- Trust lifecycle
Connectivity:
- Standardized approaches increase speed of connecting and improve IT productivity
- Walk the Talk is essential to meet audit requirements
- Integrate consent with collaboration
Monitoring:
- Quickly assess impact of a potential breach
- Calculated Service Level Agreements
- Minimize impact on downstream, scheduled processes
4 Questions for Governance & Visibility
- How long does it take to produce a system inventory? Which systems contain sensitive data? Which have critical access or DR characteristics?
- How many access points exist in your network? Batch? Real-time? Web Service? FTP? Portals? Are role and access rights the same regardless? Do you know where your ePHI and PII data are?
- How long does it take to troubleshoot message delivery issues? Is patient consent considered before exchange of data?
- In 25 words or less, do you have a single consistent strategy to protect data at rest and in motion? Does critical data always use a consistent safe route? Are policy and reality aligned?
2013 Enterprise Risk Checklist
B2B Channels (clearinghouses, gateways):
- BA Agreement in place?
- Length of message storage
- Training for offshore staff
Ad Hoc File Transfer (exec, business, provider):
- Connectivity training
- Revenue Cycle Management feeds
- Email attachments
Endpoints:
- Data Loss Prevention program
- Mobile, cloud, portal
- Policy and training for BYOD
- Patient consent forms
Centralized Identity Management:
- Same roles and access regardless of channel
- Single front door
API Policy Filter for cloud and mobile app integration:
- Firewalls, intrusion detection
- White lists / black lists
Bottom Line
- Securing patient records is critical and requires a plan
- Risk Assessments are required and incented
- Consolidation of access points and connection processes into gateways offers measurable efficiency
- Achieving Meaningful Use Stage 2, telepresence and BYOD will scatter patient records across your enterprise and your community
Control the Edge with Axway
- mHealth
- Cloud
- Identity Management (IAM)
- Coordinated Care Community
Manage & secure connections to improve service & productivity
Questions?
Ruby Raley, Director Healthcare Solutions
rraley@axway.com, 404-933-2282
www.axway.com