Incorporating Privacy into the CSF: Approach and Benefits

Introduction
Angela Holzworth, RHIA, CISA, GSEC, Sr. IT Infrastructure Analyst
Kimberly Gray, Esq., CIPP/US, Chief Privacy Officer, Global, IMS Health
Outline
Privacy and Security
  How Security and Privacy Relate
  Current State of Privacy and Security
  Drivers for Integration / Current Trends
HITRUST Privacy Working Group
  State Laws
  NIST SP 800-53, Appendix J
  HIPAA Privacy Rule
Next Steps
  Privacy Domain Implementation
How Security and Privacy Relate (i)
Fair Information Practice Principles (FIPPs)
Over the past 30 years, government agencies in the United States, Canada, and Europe have studied the manner in which entities collect and use personal information (their "information practices") and the safeguards required to assure that those practices are fair and provide adequate privacy protection.
Privacy principles have been established worldwide:
  Department of Health, Education and Welfare (HEW) Fair Information Practice Principles
  Organization for Economic Cooperation and Development (OECD) Guidelines
  Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
  Office of the National Coordinator for Health Information Technology (ONC) Privacy Framework
How Security and Privacy Relate (ii)
The ten most common principles:
  1. Openness / Transparency
  2. Notice / Choice
  3. Collection Limitation / Data Minimization
  4. Specified Purposes
  5. Data Integrity
  6. Security Safeguards
  7. Individual Rights
  8. Preventing Harm
  9. Privacy by Design
  10. Accountability
How Security and Privacy Relate (iii)
HIPAA Privacy Rule Safeguards (45 CFR 164.530(c))
A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule, and to limit incidental uses and disclosures made pursuant to an otherwise permitted or required use or disclosure.
How Security and Privacy Relate (iv)
HIPAA Security Rule Safeguards (45 CFR 164.304)
Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures...
Physical safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment...
Technical safeguards means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.
Current State & Trends
Current State of Privacy and Security
Security functions are typically:
  Embedded within the IT department
  Director- or manager-level
  IT-centric
  Focused on controls based on security frameworks
  Not always responsible to a Board-level committee
Privacy functions are typically:
  Stand-alone or embedded within the compliance function
  VP- or director-level
  Legal- and compliance-centric
  Focused on regulatory compliance
  Responsible to the Board-level audit committee
Drivers for Integration
Individual privacy is dependent upon security
Separate functions are not always efficient:
  Overlapping education, training and awareness programs
  Overlapping incident response applications and functions
  Overlapping security controls and privacy safeguards
New requirements due to HITECH: increased collaboration is necessary to fulfill Breach Notification requirements
Drivers for Integration - Current Trends
Overlapping Programs: increased cooperation between traditionally siloed security and privacy functions
Breach Notification: legislators beginning to supplement privacy / data breach legislation with complementary security legislation
Federal Government: integrating privacy requirements into the security control standard, NIST SP 800-53
Privacy Working Group
HITRUST Privacy Working Group (2012)
Growing reliance on electronic health records (EHRs) and interoperable health information exchanges (HIEs):
  Improve patient care, reduce errors, control costs
  Increased risk to patient information
HITRUST will incorporate privacy requirements into the CSF:
  Ensure better alignment between security and privacy programs
  Ensure an integrated approach for protecting health information
HITRUST Privacy Working Group:
  Identify and document new CSF controls and/or enhancements
  Uniform and practical approach to implementing privacy controls
  Provide additional recommendations, e.g., assessment guidance
HITRUST Privacy Working Group (2014)
State Law Challenges
Variations exist regarding, but are not limited to: breaches (including the definition of a breach), authorizations, consents, access/amendment, restriction requests, who must comply, and to whom the requirements apply.
States identified social security numbers and sensitive data, such as mental health, HIV/AIDS, and drug and alcohol abuse/treatment records, as having increased privacy concerns and requirements.
Results: the HITRUST CSF will include references to, and adhere to, applicable state law as required.
HITRUST Privacy Working Group (2014)
NIST SP 800-53, Appendix J
  Provides a structured set of privacy controls for the federal government
  Establishes a linkage and relationship between privacy and security controls
  Demonstrates the applicability of the NIST Risk Management Framework
  Promotes closer cooperation between privacy and security officials within the federal government
Results: while NIST presents a uniform approach, it is not practical for universal healthcare industry implementation. The Privacy Working Group will revisit NIST SP 800-53, Appendix J, possibly adding its controls as level 2 or level 3 CSF control requirements.
HITRUST Privacy Working Group (2014)
HIPAA Privacy Rule
  Universally accepted and applicable standards in the healthcare industry
  Includes the Final Omnibus Rule
  Achieves a uniform and practical approach
  Utilizes the OCR Audit Protocol as the basis for control language
Results: HIPAA Privacy Rule requirements will be used as level 1 controls in the HITRUST CSF. HITRUST CSF level 1 compliance may now satisfy HIPAA compliance with both the Privacy Rule and the Security Rule.
Next Steps
Privacy Domain Implementation
Privacy Domain
  Review existing controls that relate to privacy
  Implement/revise controls related to:
    HIPAA Privacy Rule requirements
    NIST SP 800-53 controls
    HIE requirements
Achieves a well-rounded Common Security Framework consistent with industry trends.
Questions?
Kim Gray, Esq., kgray@us.imshealth.com, 610-244-3149
Angela Holzworth, angela.holzworth@highmark.com, 412-544-7815