Performing HIPAA Security Reviews

Similar documents
HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Policy and Procedure: SDM Guidance for HIPAA Business Associates

HIPAA Security and Privacy Policies & Procedures

HIPAA Privacy, Security and Breach Notification

HIPAA Federal Security Rule H I P A A

HIPAA-HITECH: Privacy & Security Updates for 2015

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

The Relationship Between HIPAA Compliance and Business Associates

The HIPAA Omnibus Rule

Putting It All Together:

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

HIPAA Security & Privacy

Security and Privacy Breach Notification

HIPAA & Privacy Compliance Update

Protect Your Institution with Effective Cybersecurity Governance. Baker Tilly Virchow Krause, LLP

Healthcare Privacy and Security:

Breach Notification Remember State Law

Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

University of Wisconsin-Madison Policy and Procedure

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance


EXHIBIT A. - HIPAA Security Assessment Template -

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits

Incident Response: Are You Ready?

(c) Apgar & Associates, LLC

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

HIPAA Tips and Advice for Your. Medical Practice

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA and HIPAA Compliance with PHI/PII in Research

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

All Aboard the HIPAA Omnibus An Auditor s Perspective

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

HIPAA Compliance Checklist

Checklist: Credit Union Information Security and Privacy Policies

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

Support for the HIPAA Security Rule

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Federal Breach Notification Decision Tree and Tools

The ABCs of HIPAA Security

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

QUALITY HIPAA December 23, 2013

HIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood

HIPAA FOR BROKERS. revised 10/17

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

A Panel Discussion. Nancy Davis

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

HIPAA Security Rule Policy Map

The Common Controls Framework BY ADOBE

Altius IT Policy Collection Compliance and Standards Matrix

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

HIPAA Security Checklist

HIPAA Security Checklist

Regulation P & GLBA Training

What s New with HIPAA? Policy and Enforcement Update

The simplified guide to. HIPAA compliance

Summary Analysis: The Final HIPAA Security Rule

HIPAA Privacy, Security and Breach Notification 2017

Data Backup and Contingency Planning Procedure

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

Overview of Key E.U. and U.S. Privacy and Cybersecurity Laws. Brett Lockwood Smith, Gambrell & Russell, LLP May 15, 2018

Privacy Breach Policy

HIPAA Security Manual

Altius IT Policy Collection Compliance and Standards Matrix

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

HIPAA Security Rule: Annual Checkup. Matt Sorensen

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Cyber Risk Emerging Trends and Regulatory Update

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

Audits Accounting of disclosures

Hospital Council of Western Pennsylvania. June 21, 2012

Cybersecurity in Higher Ed

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

HIPAA COMPLIANCE FOR VOYANCE

Summary Comparison of Current Data Security and Breach Notification Bills

HIPAA Cloud Computing Guidance

Transcription:

Performing HIPAA Security Reviews H PAA Mike Cullen, Baker Tilly Session objectives > Define HIPAA and provide security overview > Understand that HIPAA applies beyond healthcare entities and discuss key areas of HIPAA compliance that institutions should review > Highlight the latest developments with HIPAA rulemaking and the OCR s planned audits of covered entities (CE) and business associates (BA) > Review an approach to addressing this area and help your institution to cover its compliance risks in a practical manner 1

Define HIPAA and provide security overview Objective #1 Regulatory response over time 1934 SEC Act 1996 HIPAA 1999 GLBA 2006 PCI DSS v1 2009 HITECH 2014 Kentucky 47 th State Data Breach Law 1974 Privacy Act & FERPA 1998 Safe Harbor European Union 2001 Cybersecurity Enhancement Act 2003 California Data Breach Law 2010 Massachusetts Privacy Law 2015 PCI DSS v3 2

Brief history of HIPAA HIPAA (1996) Title I Title II Title III Title IV Title V American Recovery and Reinvestment Act (2009) HITECH Preventing Healthcare Fraud and Abuse Medical Liability Reform Admin. Simplification Electronic Data Interchange Transactions Identifiers Code Sets Security (2003) Privacy (2000) Genetic Information Nondiscrimination Act (2008) Improved Privacy and Security Provisions Enforcement Breach Notification Final Rule Proposed Accounting of Disclosures Patient Protection and Affordable Care Act HIPAA Final Omnibus Rules Published January 25th, 2013 (Effective March 26th, 2013, compliance required by September 23rd, 2013) Ponemon Institute Medical Identity Theft Study (2015) 3

Ponemon Institute Medical Identity Theft Study (2015) Ponemon Institute Medical Identity Theft Study (2015) 4

HIPAA related reported breaches (Jan 2012 Mar 2015) Impacts of data breaches Deceptive or unfair trade charges Regulator scrutiny Damage to brand! Regulatory sanctions Negative publicity Damaged employee relationships Legal liability Refusal to share personal information Damaged customer relationships Fines 5

HIPAA Rules > Privacy Rule* > Security Rule > Breach Notification Rule > Enforcement Rule* 6

Security Rule > 164.308 Administrative Safeguards > 164.310 Physical Safeguards > 164.312 Technical Safeguards Administrative Safeguards > Security management > Security responsibility > Workforce security > Information access management > Security awareness and training > Security incident procedures > Contingency plans > Evaluation > BA contracts 7

Physical Safeguards > Facility access controls > Workstation use > Workstation security > Device and media controls Technical Safeguards > Access control > Audit controls > Integrity > Person or entity authentication > Transmission security 8

Breach Notification Rule > 164.404 Notification to individuals > 164.406 Notification to the media > 164.408 Notification to the Secretary > 164.410 Notification by a business associate Breach Notification Rule Details > Defines breach (45 CFR 164.402) as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule which compromises the security or privacy of the PHI > An unauthorized acquisition, access, use, or disclosure of PHI (with enumerated exceptions) is presumed to be a breach unless the covered or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment. 9

Breach Notification Rule Details > This risk assessment must address at least the following factors: > The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re identification; > The unauthorized person(s) who used the PHI or to whom the disclosure was made; > Whether the PHI was actually acquired or viewed; and > The extent to which the risk to the PHI has been mitigated. Breach Notification Rule Exceptions > Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if made in good faith and within the scope of authority, and if it does not result in further impermissible use or disclosure > Any inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information is not further impermissibly used or disclosed 10

Breach Notification Rule Exceptions > A disclosure of PHI where a covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not reasonably have been able to retain the information. 11

12

Understand that HIPAA applies beyond healthcare entities and discuss key areas of HIPAA compliance that institutions should review Objective #2 Who must comply? > Covered Entities (CE) Health plans, health care clearinghouses and health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards > Business Associate (BA) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate 13

Who must comply? > Hybrid Entity A single legal entity that is a covered entity; whose business activities include both covered and non covered functions; and that designates health care components in accordance with HIPAA requirements > Hybrid Entities must: > Designate the health care component > Health care component complies with all requirements > Create separations from the non covered functions > Ensure only limited allowed disclosures between health care component and noncovered functions, including workforce members with duties on both sides Hybrid entities in Higher Education Advantages > Limit scope of HIPAA compliance > Target training and procedures to only health care component > Include services as the health care component to share PHI without BAAs Disadvantages > Effort to identify and define health care component > Create additional separations from the non covered functions > Limited disclosures outside of health care component still must be tracked > Customer/partner road blocks when dealing with non covered functions > Challenges with common physical space and computer systems 14

Hybrid entities and research (from NIH) > Research components of a hybrid entity that function as health care providers and conduct certain standard electronic transactions must be included in the health care components and be subject to the Privacy Rule > Research components that function as health care providers, but do not conduct these electronic transactions may, but are not required to, be included in the health care components. > The hybrid entity is not permitted to include in its health care component, a research component that does not function as a health care provider or does not conduct business associate like functions. As such authorizations are generally required for use or disclosure of PHI for research purposes. CEs Covered entities should: > Understand BA compliance, up- and downstream > Build collaboration and understanding with the BAs beyond the agreement > Complete a HIPAA Security Risk Assessment BAs Business associates should : > Understand CE expectations, as documented in the Business Associate Agreement (BAA) > Ensure HIPAA compliance for downstream Bas > Complete a HIPAA Security Risk Assessment 15

Highlight the latest developments with HIPAA rulemaking and the OCR s planned audits of covered entities (CE) and business associates (BA) Objective #3 Latest Developments > BA increased compliance requirements > Omnibus rule > Enforcement > OCR audits 16

BA increased compliance requirements > All provisions of the Security Rule are now applicable > BAs can be directly liable for HIPAA noncompliance > BAs are required to have appropriate agreements in place with subcontractors who access ephi > Breach risk analysis is more comprehensive than the previous harm threshold > Requirement to provide a copy of ephi to a covered entity or individual upon request > Requirement to maintain an accounting of disclosures Omnibus Ruling 2013: What s changed? > Broader definition of business associate > New limits on how information can be used for marketing and fundraising purposes > Tiered civil penalty structure > Breach is redefined > When PHI is disclosed or used impermissibly, it will be considered a breach unless the CE or BA can show that there was a low probability that the PHI was compromised > How to prove this? Conduct a breach risk assessment > Four factor risk assessment replaces harm threshold for identifying a breach 17

Omnibus Ruling 2013: What s changed? > Subcontractors to CEs are defined as BAs, as such they require Business Associate Agreements (BAA) > Defined PHI as individually identifiable health information that is: > Transmitted or maintained in electronic media > Transmitted or maintained in any other form or medium > PHI excludes individually identifiable health information in the following: > FERPA educational records > FERPA records made or maintained by a physician, psychiatrist, psychologist, or other recognized professional > Employment records held by a CE > A person deceased for more than 50 years PHI Elements > Names > Geographic subdivisions smaller than a state> Certificate/license numbers > All elements of dates (except year) > Vehicle identifiers > Telephone numbers > Device identifiers > Fax numbers > Web URLs > Email addresses > IP Address numbers > SSN > Biometric identifiers > Medical record numbers > Full face photographs > Health plan beneficiary numbers > Any other unique identifying number, > Account numbers characteristic, code > Individually identifying genetic information 18

Increased civil money penalties Violation Category Each Violation Max Violation of Identical Provision in Calendar Year (a) Did not know $100 $50,000 $1,500,000 (b) Reasonable cause $1,000 $50,000 $1,500,000 (c)(i) Willful neglect corrected $10,000 $50,000 $1,500,000 (c)(ii) Willful neglect not corrected $50,000 $1,500,000 Enforcement: Idaho State University Findings > ephi of approx. 17,500 patients was unsecured for at least 10 months after firewall was disabled > ISU risk assessments of clinics were incomplete and inadequately identified potential risk and vulnerabilities Results > $400,000 penalty > Corrective Action Plan 19

Enforcement: Columbia and NY Presbyterian Findings > Columbia failed to conduct an accurate, and thorough risk analysis that incorporates all IT equipment, applications and data systems utilizing ephi, including the server accessing NYP ephi. > Columbia failed to implement processes for assessing and monitoring IT equipment, applications and data systems that were linked to NYP patient databases prior to the breach incident and failed to implement security measures sufficient to reduce the risks of inappropriate disclosure to an acceptable level. Results > $1,500,000 penalty for Columbia > 3 year Corrective Action Plan Enforcement: Oregon Health & Science University Findings > Two data breaches in 2013 that involved more than 7,000 patients; occurred within three months of each other > Surgeon's laptop was stolen from a Hawaii vacation rental, which had information on 4,022 patients; not encrypted > Newly minted physicians in residency programs for both plastic surgery and urology, and kidney transplants; used an internet based cloud service to maintain a spreadsheet of 3,044 patients Results > $2,700,000 penalty > 3 year Corrective Action Plan 20

Enforcement: University of Mississippi Medical Center Findings > Stolen laptop; investigation revealed an unsecured network drive accessible by generic username and password to wireless network users; drive contained the ephi of an estimated 10,000 individuals > Resolution agreement said failure to implement safeguards against known risks and vulnerabilities in the systems storing ephi > Corrective action plan is requirement to draft an enterprise wide risk analysis and risk management plan for ephi Results > $2,750,000 penalty > 3 year Corrective Action Plan Enforcement: Catholic Health Care Services of the Archdiocese of Philadelphia Findings > Theft of an iphone compromised the health information of more than 400 nursing home residents > Resolution agreement marked the first time that OCR entered into a settlement with a business associate directly > OCR highlighted that CHSH had not completed a risk analysis or risk management plan; no policy mobile devices containing PHI; no security incident response plan Results > $650,000 penalty > Corrective Action Plan 21

OCR Audits Phase I > Only 13 of the 115 organizations audited had no findings > 58 of 59 healthcare providers had at least one finding or observation in the area of security > Most common cause of findings was the CE was unaware of the requirement OCR Audits Phase II What to Know > Timing is now; 2016! > Exact number of entities to be audited not determined yet > Security risk assessments and breach notification will be key areas of focus > Vet the audit protocol (on HHS OCR s website) > Inventory all current business associates > Document! Most audits will probably be executed via desk audits or review of documentation alone > If you are selected, don t ignore the federal government 22

Review an approach to addressing this area and help your institution to cover its compliance risks in a practical manner Objective #4 Three Recommended HIPAA Security Project Types > HIPAA Security Risk Analysis (Assessment) > HIPAA Incident/Breach Response Review > Other HIPAA assurance activities 23

HIPAA Security Risk Analysis (Assessment) First project Purpose of HIPAA security risk analysis > Trace the flow of PHI inside and outside the organization > Focus on four critical areas: processes, people, technology and governance > Help organizations understand the level of risk, determine how to manage risk and help them manage their main areas of risk > Meet requirements of HIPAA security and breach notification rules 24

Key phases to complete a HIPAA security risk analysis 1 2 3 4 PLAN PROJECT DETERMINE RISKS ANALYZE GAPS PRESENT RESULTS > Define in scope systems > Review policies and procedures > Review past and present projects > Build understanding of the PHI environment > Conduct interviews with key stakeholders > Identify risks and vulnerabilities of PHI the organization creates, receives, maintains or transmits > Evaluate risks and vulnerabilities in administrative, technical and physical safeguards > Assess security measures > Determine the risks impact and likelihood > Document findings related to threats and vulnerabilities > Document corrective action plans > Review results with key stakeholders Plan Project How do you demonstrate compliance to the OCR? > Document and retain the risk assessment, as well as policies, plans, procedures > Consider using the OCR tools and templates Key questions to ask: > What are the boundaries of your HIPAA/ePHI environment (critical step)? > Have you identified the ephi within your organization? > What are the external sources of ephi? > What are the human, natural and environmental threats to information systems that contain ephi? 1 25

Determine Risk > Identify all assets, processes, and systems that process PHI and ephi > Focus on the confidentiality, integrity, and availability of ephi created, received, maintained or transmitted > Determine the associated risk related to potential vulnerabilities, threats, and critical impacts > Determine controls in place to address the threats/vulnerabilities and likelihood of risk occurring 2 Analyze Gaps > Administrative safeguards security management process, security awareness & training, incident management, and contingency planning > Physical safeguards facility access controls, workstation security, laptop and mobile device controls, and media disposal > Technical safeguards network, application, operating system, and databases 3 26

Analyze Gaps > Additional areas of focus: > Access controls, audit controls, integrity controls, authentication techniques and encryption for data in transit and data at rest > State of Safe Harbor controls to determine if client meets the criteria to be exempt from breach notification requirements > Organizational requirements business associate contracts with outsourced service providers > Policies, procedures, and documentation requirements 3 Example Risk Analysis Matrix Asset Asset Description Threats Vulnerabilities Likelihood (Inherent Risk) Desktops Desktops are used for accessing the company s environment. Sensitive data generally should generally not be stored locally on the machines, however, it is possible and does occur. All equipment is owned by the Company. Adversarial internal or external: Someone could steal a desktop which has sensitive data and gain access. Non-adversarial internal or external: A desktop could be repurposed and someone could access stored sensitive data. A desktop could be lost. Desktops could be stolen or their hard drives removed. Desktops could not be adequately erased when no longer needed. Desktops may have spy-ware, viruses, or malware installed which allows for unauthorized access or data loss. 5 Very High Impact (Inherent Risk) 5 Very High Impact Description Unauthorized access to or disclosure of sensitive data. Combined Risk 5 Very High Control Activities or Gaps IT control environment (organization, training, policies, etc) 4.1.a - A security incident monitoring tool is in place that notifies management of unusual or suspicious activity. GAP: 8.10.b - Encryption is installed on all desktops. 3 Current Risk 3 Medium Future Risk 1 Very Low 27

Example Risk Analysis Matrix Items > Asset (or Asset class) a high level description of the IT asset. 3 > Examples might include windows servers, smartphones/tablets, ABC applications, Oracle databases, etc. > As part of the methodology, teams should identify and group wherever possible IT assets that share similar risk elements. > Asset Description a more detailed description of the asset that includes descriptions of the types of data the asset holds and the functions it performs. > Threats The threats to how the information on the asset could be compromised. Example Risk Analysis Matrix Items > Vulnerabilities The inherent vulnerabilities with the asset that need to be mitigated. > Likelihood (Inherent Risk) based on the asset description (which will include inherent information about the sensitivity of the data), the threats, and the vulnerabilities > Impact (Inherent Risk) based on the asset description, this is the impact if a cyber event occurred. > Impact Description a description of the impact. Typically this would be Permanent loss or corruption of key data, Temporary loss or corruption of key data, and/or Unauthorized access to view key data. 3 28

Example Risk Analysis Matrix Items > Combined Risk the combined inherent risk based on one of the risk scoring models. > Control Activities or Gaps the control activities that are either in place or that should be in place (identified as gaps). It may be helpful to create a master table of control activities and gaps to cross reference. > Align to Security Rule administrative, physical, and technical safeguards > Current Risk current risk based on how well the control activities in place mitigate the threats and vulnerabilities. > Future Risk risk if all identified gaps/controls are put in place. 3 Administrative Safeguards Standard Implementation Specifications [(R)=Required, (A)=Addressable] 3 Security Management Process Assigned Security Responsibility Workforce Security Information Access Management Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R) Assigned Security Responsibility (R) Authorization and/or Supervision (A) Workforce Clearance Procedure Termination Procedures (A) Isolating Health care Clearinghouse Function (R) Access Authorization (A) Access Establishment and Modification (A) 29

Administrative Safeguards Standard Implementation Specifications [(R)=Required, (A)=Addressable] 3 Security Awareness and Training Security Incident Procedures Contingency Plan Evaluation Business Associate Contracts and Other Arrangement Security Reminders (A) Protection from Malicious Software (A) Log in Monitoring (A) Password Management (A) Response and Reporting (R) Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operation Plan (R) Testing and Revision Procedure (A) Applications and Data Criticality Analysis (A) Evaluation (R) Written Contract or Other Arrangement (R) Physical Safeguards Standard Implementation Specifications [(R)=Required, (A)=Addressable] 3 Facility Access Controls Workstation Use Workstation Security Device and Media Controls Contingency Operations (A) Facility Security Plan (A) Access Control and Validation Procedures (A) Maintenance Records (A) Workstation Use (R) Workstation Security (R) Disposal (R) Media Re use (R) Accountability (A) Data Backup and Storage (A) 30

Technical Safeguards Standard Implementation Specifications [(R)=Required, (A)=Addressable] 3 Access Control Audit Controls Integrity Person or Entity Authentication Transmission Security Unique User Identification (R) Emergency Access Procedure (R) Automatic Logoff (A) Encryption and Decryption (A) Audit Controls (R) Mechanism to Authenticate Electronic Protected Health Information (A) Person or Entity Authentication (R) Integrity Controls (A) Encryption (A) Present Results > Document risk analysis findings related to threats and vulnerabilities > Review results with key stakeholders > Develop and document a risk management plan to address each gap, with residual risk being identified 4 31

Lessons Learned/Common Mistakes > Incomplete ephi inventory and inadequate scoping of the assessment > Lack of strong, executive sponsorship to complete the assessment > Poor understanding of the HIPAA Security Implementation Specifications > Inability to effectively prioritize remediation activities > Assessor lacks adequate knowledge and independence HIPAA Incident/Breach Response Review Second project 32

Incident/breach Response Plan What is an incident/breach response plan? > Capability to effectively manage unexpected disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits ISACA Why does your institution need an incident/breach response plan? > It is not a matter of if you will have an incident/breach, it is a matter of when > Decentralized organizations with numerous stakeholders increase the likelihood of ad hoc responses > Inappropriate or inadequate response can lead to reputational and financial damage What Is a HIPAA Breach Requiring Notification? > Minimum Necessary Violations May Require Breach Notification > Nature and Extent of PHI Involved > Unauthorized Person Who Used PHI > Whether PHI Was Actually Acquired or Viewed > Extent to Which Risk to PHI is Mitigated > Exceptions 33

What about State Breach Laws? > Many states include PHI as data elements covered by law > Potential conflicts between HIPAA and state law > HIPAA preempts state law > 47 states, DC, Guam, Puerto Rico, and the US Virgin Islands have data breach laws > Exception Alabama, New Mexico, South Dakota Incident/Breach Response Key Components > Policy establishes goals and vision for the breach response process, defined scope (to whom it applies and under what circumstances), roles and responsibilities, standards, metrics, feedback, remediation and requirements for awareness training > Plan covers all phases of the response activities > Procedures derives from the Plan and codifies specific tasks, actions and activities that are part of the breach response effort. 34

Why should an incident/breach response be audited? > Ensures that the plan contains accurate, current information > Allows the response process to be assessed and fine tuned > Identifies potential issues in advance; before the breach occurs > Should a breach subsequently occur, it allows the process to operate more efficiently What should the incident/breach response plan contain? > Individuals/team that will lead the breach response process and make the final determination that an actual breach has occurred > Emergency contacts > Information on relevant regulatory and law enforcement agencies that must be contacted > Steps required to assess scope of breach and preparation of response (including containment, eradication and recovery) > Post mortem assessment, remediation, ongoing training 35

What should the incident/breach response plan contain? > There should be a well known mechanism for all employees to report a suspected breach of sensitive information > There should be recurring training for all staff, that includes: > What constitutes a breach > HIPAA has 19 types of PHI > What does NOT constitute a breach > Accidental disclosure > Plan should be tested/rehearsed (table top testing) not less than once per year Incident/Breach Response OCR Questions > What approach did you use to conduct the HIPAA Security Risk assessment? > Has an ephi data inventory been created and data flows tracked? > What are your vendor risk management practices? > What are the human, natural, and environmental threats to information systems that contain ephi? > How is ephi on remote devices protected? Is encryption utilized? > Describe your breach/incident management procedures? How are these coordinated with any third party vendors? 36

Other HIPAA assurance activities Third project Additional Attestation and Certification Projects 37

Questions? Contact Info > Mike Cullen, CISA, CISSP, CIPP/US > Senior Manager, Baker Tilly > mike.cullen@bakertilly.com > 703 923 8339 38

Required disclosure and Circular 230 Prominent Disclosure > The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. > Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan or arrangement to any other party. > Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. 39

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback