Performing HIPAA Security Reviews H PAA Mike Cullen, Baker Tilly Session objectives > Define HIPAA and provide security overview > Understand that HIPAA applies beyond healthcare entities and discuss key areas of HIPAA compliance that institutions should review > Highlight the latest developments with HIPAA rulemaking and the OCR s planned audits of covered entities (CE) and business associates (BA) > Review an approach to addressing this area and help your institution to cover its compliance risks in a practical manner 1
Define HIPAA and provide security overview Objective #1 Regulatory response over time 1934 SEC Act 1996 HIPAA 1999 GLBA 2006 PCI DSS v1 2009 HITECH 2014 Kentucky 47 th State Data Breach Law 1974 Privacy Act & FERPA 1998 Safe Harbor European Union 2001 Cybersecurity Enhancement Act 2003 California Data Breach Law 2010 Massachusetts Privacy Law 2015 PCI DSS v3 2
Brief history of HIPAA HIPAA (1996) Title I Title II Title III Title IV Title V American Recovery and Reinvestment Act (2009) HITECH Preventing Healthcare Fraud and Abuse Medical Liability Reform Admin. Simplification Electronic Data Interchange Transactions Identifiers Code Sets Security (2003) Privacy (2000) Genetic Information Nondiscrimination Act (2008) Improved Privacy and Security Provisions Enforcement Breach Notification Final Rule Proposed Accounting of Disclosures Patient Protection and Affordable Care Act HIPAA Final Omnibus Rules Published January 25th, 2013 (Effective March 26th, 2013, compliance required by September 23rd, 2013) Ponemon Institute Medical Identity Theft Study (2015) 3
Ponemon Institute Medical Identity Theft Study (2015) Ponemon Institute Medical Identity Theft Study (2015) 4
HIPAA related reported breaches (Jan 2012 Mar 2015) Impacts of data breaches Deceptive or unfair trade charges Regulator scrutiny Damage to brand! Regulatory sanctions Negative publicity Damaged employee relationships Legal liability Refusal to share personal information Damaged customer relationships Fines 5
HIPAA Rules > Privacy Rule* > Security Rule > Breach Notification Rule > Enforcement Rule* 6
Security Rule > 164.308 Administrative Safeguards > 164.310 Physical Safeguards > 164.312 Technical Safeguards Administrative Safeguards > Security management > Security responsibility > Workforce security > Information access management > Security awareness and training > Security incident procedures > Contingency plans > Evaluation > BA contracts 7
Physical Safeguards > Facility access controls > Workstation use > Workstation security > Device and media controls Technical Safeguards > Access control > Audit controls > Integrity > Person or entity authentication > Transmission security 8
Breach Notification Rule > 164.404 Notification to individuals > 164.406 Notification to the media > 164.408 Notification to the Secretary > 164.410 Notification by a business associate Breach Notification Rule Details > Defines breach (45 CFR 164.402) as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule which compromises the security or privacy of the PHI > An unauthorized acquisition, access, use, or disclosure of PHI (with enumerated exceptions) is presumed to be a breach unless the covered or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment. 9
Breach Notification Rule Details > This risk assessment must address at least the following factors: > The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re identification; > The unauthorized person(s) who used the PHI or to whom the disclosure was made; > Whether the PHI was actually acquired or viewed; and > The extent to which the risk to the PHI has been mitigated. Breach Notification Rule Exceptions > Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if made in good faith and within the scope of authority, and if it does not result in further impermissible use or disclosure > Any inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information is not further impermissibly used or disclosed 10
Breach Notification Rule Exceptions > A disclosure of PHI where a covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not reasonably have been able to retain the information. 11
12
Understand that HIPAA applies beyond healthcare entities and discuss key areas of HIPAA compliance that institutions should review Objective #2 Who must comply? > Covered Entities (CE) Health plans, health care clearinghouses and health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards > Business Associate (BA) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate 13
Who must comply? > Hybrid Entity A single legal entity that is a covered entity; whose business activities include both covered and non covered functions; and that designates health care components in accordance with HIPAA requirements > Hybrid Entities must: > Designate the health care component > Health care component complies with all requirements > Create separations from the non covered functions > Ensure only limited allowed disclosures between health care component and noncovered functions, including workforce members with duties on both sides Hybrid entities in Higher Education Advantages > Limit scope of HIPAA compliance > Target training and procedures to only health care component > Include services as the health care component to share PHI without BAAs Disadvantages > Effort to identify and define health care component > Create additional separations from the non covered functions > Limited disclosures outside of health care component still must be tracked > Customer/partner road blocks when dealing with non covered functions > Challenges with common physical space and computer systems 14
Hybrid entities and research (from NIH) > Research components of a hybrid entity that function as health care providers and conduct certain standard electronic transactions must be included in the health care components and be subject to the Privacy Rule > Research components that function as health care providers, but do not conduct these electronic transactions may, but are not required to, be included in the health care components. > The hybrid entity is not permitted to include in its health care component, a research component that does not function as a health care provider or does not conduct business associate like functions. As such authorizations are generally required for use or disclosure of PHI for research purposes. CEs Covered entities should: > Understand BA compliance, up- and downstream > Build collaboration and understanding with the BAs beyond the agreement > Complete a HIPAA Security Risk Assessment BAs Business associates should : > Understand CE expectations, as documented in the Business Associate Agreement (BAA) > Ensure HIPAA compliance for downstream Bas > Complete a HIPAA Security Risk Assessment 15
Highlight the latest developments with HIPAA rulemaking and the OCR s planned audits of covered entities (CE) and business associates (BA) Objective #3 Latest Developments > BA increased compliance requirements > Omnibus rule > Enforcement > OCR audits 16
BA increased compliance requirements > All provisions of the Security Rule are now applicable > BAs can be directly liable for HIPAA noncompliance > BAs are required to have appropriate agreements in place with subcontractors who access ephi > Breach risk analysis is more comprehensive than the previous harm threshold > Requirement to provide a copy of ephi to a covered entity or individual upon request > Requirement to maintain an accounting of disclosures Omnibus Ruling 2013: What s changed? > Broader definition of business associate > New limits on how information can be used for marketing and fundraising purposes > Tiered civil penalty structure > Breach is redefined > When PHI is disclosed or used impermissibly, it will be considered a breach unless the CE or BA can show that there was a low probability that the PHI was compromised > How to prove this? Conduct a breach risk assessment > Four factor risk assessment replaces harm threshold for identifying a breach 17
Omnibus Ruling 2013: What s changed? > Subcontractors to CEs are defined as BAs, as such they require Business Associate Agreements (BAA) > Defined PHI as individually identifiable health information that is: > Transmitted or maintained in electronic media > Transmitted or maintained in any other form or medium > PHI excludes individually identifiable health information in the following: > FERPA educational records > FERPA records made or maintained by a physician, psychiatrist, psychologist, or other recognized professional > Employment records held by a CE > A person deceased for more than 50 years PHI Elements > Names > Geographic subdivisions smaller than a state> Certificate/license numbers > All elements of dates (except year) > Vehicle identifiers > Telephone numbers > Device identifiers > Fax numbers > Web URLs > Email addresses > IP Address numbers > SSN > Biometric identifiers > Medical record numbers > Full face photographs > Health plan beneficiary numbers > Any other unique identifying number, > Account numbers characteristic, code > Individually identifying genetic information 18
Increased civil money penalties Violation Category Each Violation Max Violation of Identical Provision in Calendar Year (a) Did not know $100 $50,000 $1,500,000 (b) Reasonable cause $1,000 $50,000 $1,500,000 (c)(i) Willful neglect corrected $10,000 $50,000 $1,500,000 (c)(ii) Willful neglect not corrected $50,000 $1,500,000 Enforcement: Idaho State University Findings > ephi of approx. 17,500 patients was unsecured for at least 10 months after firewall was disabled > ISU risk assessments of clinics were incomplete and inadequately identified potential risk and vulnerabilities Results > $400,000 penalty > Corrective Action Plan 19
Enforcement: Columbia and NY Presbyterian Findings > Columbia failed to conduct an accurate, and thorough risk analysis that incorporates all IT equipment, applications and data systems utilizing ephi, including the server accessing NYP ephi. > Columbia failed to implement processes for assessing and monitoring IT equipment, applications and data systems that were linked to NYP patient databases prior to the breach incident and failed to implement security measures sufficient to reduce the risks of inappropriate disclosure to an acceptable level. Results > $1,500,000 penalty for Columbia > 3 year Corrective Action Plan Enforcement: Oregon Health & Science University Findings > Two data breaches in 2013 that involved more than 7,000 patients; occurred within three months of each other > Surgeon's laptop was stolen from a Hawaii vacation rental, which had information on 4,022 patients; not encrypted > Newly minted physicians in residency programs for both plastic surgery and urology, and kidney transplants; used an internet based cloud service to maintain a spreadsheet of 3,044 patients Results > $2,700,000 penalty > 3 year Corrective Action Plan 20
Enforcement: University of Mississippi Medical Center Findings > Stolen laptop; investigation revealed an unsecured network drive accessible by generic username and password to wireless network users; drive contained the ephi of an estimated 10,000 individuals > Resolution agreement said failure to implement safeguards against known risks and vulnerabilities in the systems storing ephi > Corrective action plan is requirement to draft an enterprise wide risk analysis and risk management plan for ephi Results > $2,750,000 penalty > 3 year Corrective Action Plan Enforcement: Catholic Health Care Services of the Archdiocese of Philadelphia Findings > Theft of an iphone compromised the health information of more than 400 nursing home residents > Resolution agreement marked the first time that OCR entered into a settlement with a business associate directly > OCR highlighted that CHSH had not completed a risk analysis or risk management plan; no policy mobile devices containing PHI; no security incident response plan Results > $650,000 penalty > Corrective Action Plan 21
OCR Audits Phase I > Only 13 of the 115 organizations audited had no findings > 58 of 59 healthcare providers had at least one finding or observation in the area of security > Most common cause of findings was the CE was unaware of the requirement OCR Audits Phase II What to Know > Timing is now; 2016! > Exact number of entities to be audited not determined yet > Security risk assessments and breach notification will be key areas of focus > Vet the audit protocol (on HHS OCR s website) > Inventory all current business associates > Document! Most audits will probably be executed via desk audits or review of documentation alone > If you are selected, don t ignore the federal government 22
Review an approach to addressing this area and help your institution to cover its compliance risks in a practical manner Objective #4 Three Recommended HIPAA Security Project Types > HIPAA Security Risk Analysis (Assessment) > HIPAA Incident/Breach Response Review > Other HIPAA assurance activities 23
HIPAA Security Risk Analysis (Assessment) First project Purpose of HIPAA security risk analysis > Trace the flow of PHI inside and outside the organization > Focus on four critical areas: processes, people, technology and governance > Help organizations understand the level of risk, determine how to manage risk and help them manage their main areas of risk > Meet requirements of HIPAA security and breach notification rules 24
Key phases to complete a HIPAA security risk analysis 1 2 3 4 PLAN PROJECT DETERMINE RISKS ANALYZE GAPS PRESENT RESULTS > Define in scope systems > Review policies and procedures > Review past and present projects > Build understanding of the PHI environment > Conduct interviews with key stakeholders > Identify risks and vulnerabilities of PHI the organization creates, receives, maintains or transmits > Evaluate risks and vulnerabilities in administrative, technical and physical safeguards > Assess security measures > Determine the risks impact and likelihood > Document findings related to threats and vulnerabilities > Document corrective action plans > Review results with key stakeholders Plan Project How do you demonstrate compliance to the OCR? > Document and retain the risk assessment, as well as policies, plans, procedures > Consider using the OCR tools and templates Key questions to ask: > What are the boundaries of your HIPAA/ePHI environment (critical step)? > Have you identified the ephi within your organization? > What are the external sources of ephi? > What are the human, natural and environmental threats to information systems that contain ephi? 1 25
Determine Risk > Identify all assets, processes, and systems that process PHI and ephi > Focus on the confidentiality, integrity, and availability of ephi created, received, maintained or transmitted > Determine the associated risk related to potential vulnerabilities, threats, and critical impacts > Determine controls in place to address the threats/vulnerabilities and likelihood of risk occurring 2 Analyze Gaps > Administrative safeguards security management process, security awareness & training, incident management, and contingency planning > Physical safeguards facility access controls, workstation security, laptop and mobile device controls, and media disposal > Technical safeguards network, application, operating system, and databases 3 26
Analyze Gaps > Additional areas of focus: > Access controls, audit controls, integrity controls, authentication techniques and encryption for data in transit and data at rest > State of Safe Harbor controls to determine if client meets the criteria to be exempt from breach notification requirements > Organizational requirements business associate contracts with outsourced service providers > Policies, procedures, and documentation requirements 3 Example Risk Analysis Matrix Asset Asset Description Threats Vulnerabilities Likelihood (Inherent Risk) Desktops Desktops are used for accessing the company s environment. Sensitive data generally should generally not be stored locally on the machines, however, it is possible and does occur. All equipment is owned by the Company. Adversarial internal or external: Someone could steal a desktop which has sensitive data and gain access. Non-adversarial internal or external: A desktop could be repurposed and someone could access stored sensitive data. A desktop could be lost. Desktops could be stolen or their hard drives removed. Desktops could not be adequately erased when no longer needed. Desktops may have spy-ware, viruses, or malware installed which allows for unauthorized access or data loss. 5 Very High Impact (Inherent Risk) 5 Very High Impact Description Unauthorized access to or disclosure of sensitive data. Combined Risk 5 Very High Control Activities or Gaps IT control environment (organization, training, policies, etc) 4.1.a - A security incident monitoring tool is in place that notifies management of unusual or suspicious activity. GAP: 8.10.b - Encryption is installed on all desktops. 3 Current Risk 3 Medium Future Risk 1 Very Low 27
Example Risk Analysis Matrix Items > Asset (or Asset class) a high level description of the IT asset. 3 > Examples might include windows servers, smartphones/tablets, ABC applications, Oracle databases, etc. > As part of the methodology, teams should identify and group wherever possible IT assets that share similar risk elements. > Asset Description a more detailed description of the asset that includes descriptions of the types of data the asset holds and the functions it performs. > Threats The threats to how the information on the asset could be compromised. Example Risk Analysis Matrix Items > Vulnerabilities The inherent vulnerabilities with the asset that need to be mitigated. > Likelihood (Inherent Risk) based on the asset description (which will include inherent information about the sensitivity of the data), the threats, and the vulnerabilities > Impact (Inherent Risk) based on the asset description, this is the impact if a cyber event occurred. > Impact Description a description of the impact. Typically this would be Permanent loss or corruption of key data, Temporary loss or corruption of key data, and/or Unauthorized access to view key data. 3 28
Example Risk Analysis Matrix Items > Combined Risk the combined inherent risk based on one of the risk scoring models. > Control Activities or Gaps the control activities that are either in place or that should be in place (identified as gaps). It may be helpful to create a master table of control activities and gaps to cross reference. > Align to Security Rule administrative, physical, and technical safeguards > Current Risk current risk based on how well the control activities in place mitigate the threats and vulnerabilities. > Future Risk risk if all identified gaps/controls are put in place. 3 Administrative Safeguards Standard Implementation Specifications [(R)=Required, (A)=Addressable] 3 Security Management Process Assigned Security Responsibility Workforce Security Information Access Management Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R) Assigned Security Responsibility (R) Authorization and/or Supervision (A) Workforce Clearance Procedure Termination Procedures (A) Isolating Health care Clearinghouse Function (R) Access Authorization (A) Access Establishment and Modification (A) 29
Administrative Safeguards Standard Implementation Specifications [(R)=Required, (A)=Addressable] 3 Security Awareness and Training Security Incident Procedures Contingency Plan Evaluation Business Associate Contracts and Other Arrangement Security Reminders (A) Protection from Malicious Software (A) Log in Monitoring (A) Password Management (A) Response and Reporting (R) Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operation Plan (R) Testing and Revision Procedure (A) Applications and Data Criticality Analysis (A) Evaluation (R) Written Contract or Other Arrangement (R) Physical Safeguards Standard Implementation Specifications [(R)=Required, (A)=Addressable] 3 Facility Access Controls Workstation Use Workstation Security Device and Media Controls Contingency Operations (A) Facility Security Plan (A) Access Control and Validation Procedures (A) Maintenance Records (A) Workstation Use (R) Workstation Security (R) Disposal (R) Media Re use (R) Accountability (A) Data Backup and Storage (A) 30
Technical Safeguards Standard Implementation Specifications [(R)=Required, (A)=Addressable] 3 Access Control Audit Controls Integrity Person or Entity Authentication Transmission Security Unique User Identification (R) Emergency Access Procedure (R) Automatic Logoff (A) Encryption and Decryption (A) Audit Controls (R) Mechanism to Authenticate Electronic Protected Health Information (A) Person or Entity Authentication (R) Integrity Controls (A) Encryption (A) Present Results > Document risk analysis findings related to threats and vulnerabilities > Review results with key stakeholders > Develop and document a risk management plan to address each gap, with residual risk being identified 4 31
Lessons Learned/Common Mistakes > Incomplete ephi inventory and inadequate scoping of the assessment > Lack of strong, executive sponsorship to complete the assessment > Poor understanding of the HIPAA Security Implementation Specifications > Inability to effectively prioritize remediation activities > Assessor lacks adequate knowledge and independence HIPAA Incident/Breach Response Review Second project 32
Incident/breach Response Plan What is an incident/breach response plan? > Capability to effectively manage unexpected disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits ISACA Why does your institution need an incident/breach response plan? > It is not a matter of if you will have an incident/breach, it is a matter of when > Decentralized organizations with numerous stakeholders increase the likelihood of ad hoc responses > Inappropriate or inadequate response can lead to reputational and financial damage What Is a HIPAA Breach Requiring Notification? > Minimum Necessary Violations May Require Breach Notification > Nature and Extent of PHI Involved > Unauthorized Person Who Used PHI > Whether PHI Was Actually Acquired or Viewed > Extent to Which Risk to PHI is Mitigated > Exceptions 33
What about State Breach Laws? > Many states include PHI as data elements covered by law > Potential conflicts between HIPAA and state law > HIPAA preempts state law > 47 states, DC, Guam, Puerto Rico, and the US Virgin Islands have data breach laws > Exception Alabama, New Mexico, South Dakota Incident/Breach Response Key Components > Policy establishes goals and vision for the breach response process, defined scope (to whom it applies and under what circumstances), roles and responsibilities, standards, metrics, feedback, remediation and requirements for awareness training > Plan covers all phases of the response activities > Procedures derives from the Plan and codifies specific tasks, actions and activities that are part of the breach response effort. 34
Why should an incident/breach response be audited? > Ensures that the plan contains accurate, current information > Allows the response process to be assessed and fine tuned > Identifies potential issues in advance; before the breach occurs > Should a breach subsequently occur, it allows the process to operate more efficiently What should the incident/breach response plan contain? > Individuals/team that will lead the breach response process and make the final determination that an actual breach has occurred > Emergency contacts > Information on relevant regulatory and law enforcement agencies that must be contacted > Steps required to assess scope of breach and preparation of response (including containment, eradication and recovery) > Post mortem assessment, remediation, ongoing training 35
What should the incident/breach response plan contain? > There should be a well known mechanism for all employees to report a suspected breach of sensitive information > There should be recurring training for all staff, that includes: > What constitutes a breach > HIPAA has 19 types of PHI > What does NOT constitute a breach > Accidental disclosure > Plan should be tested/rehearsed (table top testing) not less than once per year Incident/Breach Response OCR Questions > What approach did you use to conduct the HIPAA Security Risk assessment? > Has an ephi data inventory been created and data flows tracked? > What are your vendor risk management practices? > What are the human, natural, and environmental threats to information systems that contain ephi? > How is ephi on remote devices protected? Is encryption utilized? > Describe your breach/incident management procedures? How are these coordinated with any third party vendors? 36
Other HIPAA assurance activities Third project Additional Attestation and Certification Projects 37
Questions? Contact Info > Mike Cullen, CISA, CISSP, CIPP/US > Senior Manager, Baker Tilly > mike.cullen@bakertilly.com > 703 923 8339 38
Required disclosure and Circular 230 Prominent Disclosure > The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. > Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan or arrangement to any other party. > Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. 39