The Fundamentals of HIPAA Privacy & Security Risk Management
  • In order to comply with the Security Rule, all covered entities (and their business associates) should use the same basic approach. At a minimum, you are required to: assess the strength of current security efforts related to the controls or ‘safeguards’ spelled out in the Rule (which means: are your policies and procedures documented, are they fully implemented, and are they routinely monitored for compliance), and then analyze the security controls, weighing vulnerabilities, threats and the likelihood of a risk being exploited to determine a risk rating for each security gap. Finally, each covered entity or BA should use assessment information to develop an implementation plan to close existing security gaps as well as implement an ongoing risk management process to assure continuing attention to security controls that may be affected by changes in staff, the physical environment or the IT infrastructure. (Please keep in mind this is not just a project for the practice but an ongoing business function.) Program components involve the people in your organization to keep the data safe, either directly or indirectly, through processes and technologies. What is attained in the end is a systematic ‘culture’ that recognizes that privacy and security risks are real and everyone takes them seriously.
  • Patients who are well informed of their medical condition are more likely to comply with their provider’s recommended regimen.  They are also better able to communicate important health information to their providers, which can assist providers with their diagnosis and care plans.  Informed and educated patients and their families can take an active role in healthcare decision making; for example, when faced with multiple treatment options (e.g., choice of breast or prostate cancer treatments), educational materials and tools can help them share in treatment decisions.  They are also more likely to effectively manage their own care, as healthy behaviors and chronic care are ongoing, everyday activities.  Patients’ participation in chronic care self-management programs can have a substantial impact on their health 
  • Since 2010 the threats to healthcare organizations have become increasingly more difficult to control. Technologies that promise greater productivity and convenience such as mobile devices, file-sharing applications and cloud-based services are difficult to secure. Eighty-one percent of organizations permit employees and medical staff to use their own mobile devices such as smartphones or tablets to connect to their networks or enterprise systems such as email. On average, 51 percent of employees are bringing their own devices to the healthcare facility.
  • Healthcare organizations seem to face an uphill battle in their efforts to stop and reduce the loss or theft of protected health information (PHI) or patient information. As is revealed in the Third Annual Benchmark Study on Patient Privacy and Data Security, many healthcare organizations struggle with a lack of technologies, resources and trained personnel to deal with privacy and data security risks. Since first conducting this study in 2010, the percentage of healthcare organizations reporting a data breach has increased, not declined. Further, there are more reports of multiple breaches, and only 40 percent of organizations in this study have confidence that they are able to prevent or quickly detect all patient data loss or theft. Since 2010 the threats to healthcare organizations have become increasingly more difficult to control. Employee mistakes and negligence also continue to be a significant cause of data breach incidents. The price tag for dealing with these breaches can be staggering. While the cost can range from $10,000 to more than $1 million, we calculate that the average cost for the organizations represented in this benchmark study is $2.4 million over a two-year period. This year 80 healthcare organizations participated in this benchmark research and 324 interviews were conducted. Respondents interviewed work in all areas of the organization: security, administrative, privacy, compliance, finance and clinical.
  • Visual picture would be nice here
  • Scope of the Analysis
    The scope of risk analysis that the Security Rule encompasses includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits. (45 C.F.R. § 164.306(a).) This includes e-PHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media. Electronic media includes a single workstation as well as complex networks connected between multiple locations. Thus, an organization’s risk analysis should take into account all of its e-PHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted or the source or location of its e-PHI.

    Data Collection
    An organization must identify where the e-PHI is stored, received, maintained or transmitted. An organization could gather relevant data by: reviewing past and/or existing projects; performing interviews; reviewing documentation; or using other data gathering techniques. The data on e-PHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)

    Identify and Document Potential Threats and Vulnerabilities
    Organizations must identify and document reasonably anticipated threats to e-PHI. (See 45 C.F.R. §§ 164.306(a)(2) and 164.316(b)(1)(ii).) Organizations may identify different threats that are unique to the circumstances of their environment. Organizations must also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)

    Assess Current Security Measures
    Organizations should assess and document the security measures an entity uses to safeguard e-PHI, whether security measures required by the Security Rule are already in place, and if current security measures are configured and used properly. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).) The security measures implemented to reduce risk will vary among organizations. For example, small organizations tend to have more control within their environment. Small organizations tend to have fewer variables (i.e. fewer workforce members and information systems) to consider when making decisions regarding how to safeguard e-PHI. As a result, the appropriate security measures that reduce the likelihood of risk to the confidentiality, availability and integrity of e-PHI in a small organization may differ from those that are appropriate in large organizations.

    Determine the Likelihood of Threat Occurrence
    The Security Rule requires organizations to take into account the probability of potential risks to e-PHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) The results of this assessment, combined with the initial list of threats, will influence the determination of which threats the Rule requires protection against because they are “reasonably anticipated.” The output of this part should be documentation of all threat and vulnerability combinations with associated likelihood estimates that may impact the confidentiality, availability and integrity of e-PHI of an organization. (See 45 C.F.R. §§ 164.306(b)(2)(iv), 164.308(a)(1)(ii)(A), and 164.316(b)(1)(ii).)

    Determine the Potential Impact of Threat Occurrence
    The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of e-PHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) An organization must assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability. An entity may use either a qualitative or quantitative method or a combination of the two methods to measure the impact on the organization. The output of this process should be documentation of all potential impacts associated with the occurrence of threats triggering or exploiting vulnerabilities that affect the confidentiality, availability and integrity of e-PHI within an organization. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1)(ii).)

    Determine the Level of Risk
    Organizations should assign risk levels for all threat and vulnerability combinations identified during the risk analysis. The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. The risk level determination might be performed by assigning a risk level based on the average of the assigned likelihood and impact levels. The output should be documentation of the assigned risk levels and a list of corrective actions to be performed to mitigate each risk level. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

    Finalize Documentation
    The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).) The risk analysis documentation is a direct input to the risk management process.

    Periodic Review and Updates to the Risk Assessment
    The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).) The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. The frequency of performance will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment.

    (Guidance text posted July 14, 2010.)
  • Transcript

    • 1. THE FUNDAMENTALS OF HIPAA PRIVACY & SECURITY RISK MANAGEMENT The journey toward compliance
    • 2. WHY IT’S SO IMPORTANT Federal Requirement (Alabama is one of only 4 states without additional State-mandated breach notification legislation) • Changing Patient Environment • Changing Technology Environment • Practice Exposure due to a Breach: Reputational, Financial, Operational
    • 3. FEDERAL REQUIREMENT The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule and for assuring compliance with the Rule (45 C.F.R. 164.302 – 318). The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. 164.308(a)(1).)
    • 4. FEDERAL REQUIREMENT All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Rule contains several implementation specifications that are labeled “addressable” rather than “required.” (68 FR 8334, 8336 (Feb. 20, 2003).) • An addressable implementation specification is not optional; rather, if an organization determines that the implementation specification is not reasonable & appropriate, the organization must document why it is not reasonable & appropriate and adopt an equivalent measure if it is reasonable & appropriate to do so. (See 68 FR 8334, 8336 (Feb. 20, 2003); 45 C.F.R. 164.306(d)(3).) • Meaningful Use Core Set requirement
    • 5. CHANGING PATIENT ENVIRONMENT The engagement of patients and their families in their own health care is a prominent goal of the CMS Incentive Program (Meaningful Use) • Greater acceptance by patients of electronically sharing medical information among multiple providers & care settings to improve care coordination & adherence to care plans • Increased awareness by patients of their right to timely access to their health information
    • 6. CHANGING TECHNOLOGY ENVIRONMENT 81% of organizations permit employees & medical staff to use their own mobile devices, such as smartphones or tablets, to connect to their networks or enterprise systems such as email.
    • 7. PACE OF CHANGE ACCELERATING 1. The Internet eclipsed all technologies in pace of adoption. Consider: • Radio – in existence 38 yrs before 50M people tuned in • TV – took 13 yrs to reach 50M viewers • PCs – needed 16 yrs to hit 50M users • Internet – in 4 yrs, 50M users logged on (current estimate is 2B users worldwide, as high as 78.6% of the population of N. America) 2. The 2nd wave of innovation was in 2007 – introduction of the iPhone • 42M smartphones were sold in the 4th Qtr of 2012 • 1M iPhone apps on the market (18,000 health & wellness apps)
    • 8. PRACTICE EXPOSURES Since 2009, as published by CMS: 477 breaches reported affecting > 500 people’s records; 55,000 breaches reported involving < 500 people’s records, representing 20,970,222 people’s records; 6 health care organizations reported security breaches of > 1M records (TriCare’s breach alone involved 4.9M records) Summary of Other Key Research Findings: • Vast majority of healthcare organizations have had at least one data breach in the past two years • The economic impact can exceed $1 Million (man hours to resolve incidents, fines, legal, credit monitoring fees, etc.) • Insider negligence continues to be at the root of most data breaches – employee carelessness • Patient identity theft growing – medical & financial information
    • 9. WHERE ARE THE RISKS? Stolen laptop (1.9M records) • Hard drive went missing (1.22M records) • External drive stolen (1.02M records) • Data backup tapes lost (1.05M records) • Network server hacked (31,700 records) Types of breaches: theft 54%, unauthorized access 20%, lost records/devices 11%, hacking 6%, improper disposal 5%, other 4%
    • 10. FROM THE RULE Conduct or review a security risk analysis and implement security updates as necessary and correct identified security deficiencies as part of its risk management process Since Practices vary in terms of technical sophistication and security capabilities – the Rule is designed to be flexible & scalable
    • 11. FLEXIBLE AND SCALABLE That’s me! Flexible: I’ll do it whenever. Scalable: I’ll just assess my EMR (which is already certified, right??)
    • 12. CONSEQUENCES • Willful Neglect • Potential Breach • Must Identify: internal and external areas of the practice that store, use or transmit PHI, not just your EMR or EHR • Must Protect: Confidentiality, Integrity & Availability of ePHI OVERLY FLEXIBLE OVERLY SIMPLIFIED
    • 13. CLINICAL RISK MANAGEMENT THE PERFECT ANALOGY • Focused on identifying adverse events (clinical risks), prevention & control • Uses root cause analysis – systemic causal factors • Develop corrective action plans • Devise risk reduction strategies • Training
    • 14. THE ELEMENTS OF A PRIVACY AND SECURITY RISK MANAGEMENT PROCESS Risk Assessment & Analysis (against controls defined in HIPAA) Evaluating risk to the confidentiality, availability or integrity of PHI (determine vulnerability for gaps in compliance) Develop a Remediation Plan (close the gaps) Create Evidence (training, policy and procedure documentation, track risk mitigation activities, etc.) Monitor Effectiveness of Controls and Periodic Review (Ongoing Risk Management process)
    • 15. RISK ANALYSIS Numerous methods of performing risk analysis are available • None ‘guarantee’ compliance Ultimately, risk is a function of: • the likelihood of a given threat triggering or exploiting a particular vulnerability (gap in compliance requirements) • the anticipated impact on the organization (usually high, medium or low) Risk is not a single factor or event, but rather a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.
    • 16. FUNDAMENTAL STEPS IN RISK ANALYSIS • Identify the scope of the analysis (any resources used to create, receive, maintain or transmit PHI) • Gather data (inventories) • Assess current security measures against required controls and standards (ad hoc, in-place, or non-existent) • Determine the level of risk (likelihood of threat occurrence and potential impact) • Identify security gaps to be remediated to minimize risks and document the analysis (remediation plan)
    • 17. 1ST STEP TOWARD COMPLIANCE: RISK ANALYSIS The first step in an organization’s Security Rule compliance efforts: develop an ongoing risk management process that provides the organization with a detailed understanding of the risks to the confidentiality, integrity, & availability of e-PHI.
    • 18. DEVELOPING A REMEDIATION WORK PLAN TO MANAGE RISK 1 Utilize the highest rated (priority) risks identified in the risk analysis to develop an Initial Remediation Work Plan or blueprint of projects that define ongoing risk mitigation efforts 2 Institute a disciplined Project Management Process in order to assure progress is tracked and achieved on remediation efforts and to demonstrate an ongoing risk management process Documentation, Documentation, Documentation!!!!
    • 19. EXECUTING A WORK PLAN  Assign a Project Manager to be in charge of each risk remediation project  Customize/develop & document policies and procedures  Establish Review & Monitoring Procedures  Develop & help execute implementation plans (contingency plan, disaster recovery plan, workforce training plan, etc.)  Coach & train personnel on new or revised policies, procedures and plans
    • 20. EXECUTING A WORK PLAN  Revisit what was done & do it all again!  Continue Review & Monitoring Procedures
    • 21. REMEDIATION REQUIRED Conduct or review a security risk analysis AND Implement security updates as necessary AND Correct identified security deficiencies as part of its risk management process
    • 22. RISK MANAGEMENT A JOURNEY NOT A PROJECT Not a static event: • Ongoing evaluation & monitoring • Outputs of a risk assessment & analysis are the inputs to the ongoing risk management program GOAL : Reasonable & appropriate risk mitigation actions that assure the confidentiality and security of PHI
    • 23. CULTURE OF SECURITY AWARENESS • Leadership • Knowledge & Understanding of HIPAA Privacy & Security and HITECH Act Requirements • Implement changes based on credible threats & obvious vulnerabilities • Training: onboarding, annual and supplemental • Vigilance: ongoing reassessment, upgrading, updating
    • 24. VALUE OF SECURITY AWARENESS a) What is in it for me? b) What is in it for my people? c) What is in it for my practice?
    • 25. THE RISK OF DOING NOTHING Recent CMS announcement  Approx. 1 out of 20 practices (5%) that attested to Meaningful Use will be audited for compliance  Both pre-payment and post-payment audits OCR Perspective  Audit eligible = All covered entities & their business associates Harm to patients, potential fines, civil suits in the event of breach, costs to mitigate an incident, loss of patients, reputation!
    • 26. CONTACT: KeySys Health, LLC Susan Pretnar, President 4268 Cahaba Heights Court Suite 190 Vestavia, AL 35243 www.keysyshealth.com spretnar@keysyshealth.com
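The speaker notes under “Determine the Level of Risk” and slides 15–18 describe the core mechanic: rate each threat/vulnerability pair for likelihood and impact (high, medium or low), derive a risk level from the average of the two, and use the highest-rated risks to seed the remediation work plan. The following Python is an added worked example of that mechanic; it is not code from the presentation or from KeySys Health. The risk register, the 1–3 ordinal scale, and the thresholds that map an averaged score back to high/medium/low are constructed assumptions for illustration (the Rule prescribes no scale or format), and the "in-place / ad hoc / non-existent" safeguard status follows slide 16.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Qualitative scale shared by likelihood and impact (assumed 1-3 ordinal scale).
LEVELS: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class RiskItem:
    """One threat/vulnerability combination from the risk analysis."""
    asset: str             # where e-PHI is created, received, maintained or transmitted
    threat: str            # reasonably anticipated threat
    vulnerability: str     # weakness the threat could trigger or exploit
    safeguard_status: str  # "in-place", "ad hoc" or "non-existent" (slide 16)
    likelihood: str        # "low" / "medium" / "high"
    impact: str            # "low" / "medium" / "high"


def risk_score(item: RiskItem) -> float:
    """Average of the assigned likelihood and impact levels, as the HHS guidance suggests."""
    return (LEVELS[item.likelihood] + LEVELS[item.impact]) / 2


def risk_level(score: float) -> str:
    """Map an averaged score back onto the qualitative scale (thresholds are an assumption)."""
    if score >= 2.5:
        return "high"
    if score >= 1.5:
        return "medium"
    return "low"


def build_remediation_plan(items: List[RiskItem]) -> List[Tuple[str, float, str, RiskItem]]:
    """Order the register by risk so the highest-rated gaps seed the work plan (slide 18).

    Items whose safeguard is already in place are kept for ongoing monitoring
    (slide 22: outputs of the analysis feed the ongoing risk management program).
    """
    rows = []
    for item in items:
        score = risk_score(item)
        action = "monitor" if item.safeguard_status == "in-place" else "remediate"
        rows.append((risk_level(score), score, action, item))
    # Highest score first; at equal score, remediation work before monitoring.
    rows.sort(key=lambda row: (-row[1], row[2] != "remediate"))
    return rows


def summarize(items: List[RiskItem]) -> Dict[str, int]:
    """Count of register entries per risk level, for the documentation step."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for item in items:
        counts[risk_level(risk_score(item))] += 1
    return counts


# Constructed sample register (illustrative only, not real findings).
REGISTER: List[RiskItem] = [
    RiskItem("Clinician laptop", "theft or loss of device", "no full-disk encryption",
             "non-existent", "high", "high"),
    RiskItem("EHR application server", "unauthorized access", "shared user accounts, no access review",
             "ad hoc", "medium", "high"),
    RiskItem("Backup tapes", "loss in transit", "tapes not encrypted",
             "non-existent", "low", "high"),
    RiskItem("Front-desk workstation", "malware infection", "security patches applied irregularly",
             "ad hoc", "medium", "medium"),
    RiskItem("Outbound email", "misdirected disclosure", "staff error when addressing messages",
             "in-place", "low", "medium"),
    RiskItem("Retired hard drives", "improper disposal", "no documented media sanitization step",
             "non-existent", "low", "low"),
]


if __name__ == "__main__":
    for level, score, action, item in build_remediation_plan(REGISTER):
        print(f"{level:6} {score:.1f} {action:9} {item.asset}: {item.threat} via {item.vulnerability}")
    print(summarize(REGISTER))
```

The sorted output is the "list of corrective actions to be performed to mitigate each risk level" the guidance asks for; each run of the script, after a staffing, facility or IT change, is one iteration of the periodic review the notes describe.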
