Comment from Bill: The message on the image seems very condescending to doctors. Am I reading that wrong?
The HIPAA Security Rule: Yes, It’s Your Problem
An overview for office administrators, receptionists, doctors, and IT professionals
About Us
• SecurityMetrics
– Regulatory security compliance assessments and consulting
– Digital forensics & penetration testing
– Regulatory compliance programs (validation, tracking, training, support)
– Helped over 1 million small to large entities manage security compliance

Scenario
• Office managers/receptionists access Facebook, personal email, etc.
• Accessed on the same computer that holds patient records
• All it takes is a single click on a malicious link and a key logger is installed
• The key logger listens in for any sensitive data

The Looming Problem
“I’m already doing HIPAA.”
“I don’t have the time or budget for this.”
“My affiliates take care of HIPAA.”

The Unfortunate Reality
• A small covered entity’s (SCE) merchant processor, EHR vendor, and IT specialists:
– Don’t fulfill HIPAA requirements for a business
– Won’t pay for a compromise
– Don’t suffer brand damage if a business is compromised
• Risk and liability rest entirely upon the SCE

Why Would Anyone Steal From Me?
• “My business isn’t large or important enough for a criminal to steal from!”
• Actually… hackers go after smaller entities because they spend fewer resources on beefing up security
• Criminals steal from entities they know won’t catch them

HIPAA Fines
* Source: U.S. Dept. of Health and Human Services
Privacy vs. Security
• Healthcare entities haven’t separated Security and Privacy regulation, and leave many Security Rule requirements unfulfilled
• Privacy Rule compliance doesn’t extend to the Security Rule
• To be truly HIPAA compliant, you must comply with BOTH aspects.

The HIPAA Privacy Rule
• Federally protects health information and patient rights from unauthorized disclosure
• Written policy procedures must include safeguards for administration of PHI, electronic health information (ePHI), physical security, etc.
• Implemented in the healthcare industry in 1996
• Healthcare entities are well-trained and understand the Privacy Rule

The HIPAA Security Rule
• Requires covered entities, business associates, and subcontractors to protect ePHI
• Implemented 2003-2005
• HITECH Act 2009: increased the legal liability of non-compliance
• Completely separate from the Privacy Rule

Security Rule Implementation Examples
• As per HIPAA regulations:
– Passwords must be changed every 90 days
– Substantially different from the last password
– Contain 6 characters (min.)
– Can’t use dictionary words, slang, or proper names
– Each user must use a different username and password
• As per HIPAA regulations:
– CE must protect electronic networks with WPA2
– WEP must never be used
• Are you implementing these policies?
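One way to turn the password rules listed above into a repeatable check, as an added example that is not part of the slides and not SecurityMetrics’ material: a small Python policy checker meant to run at password-change time, when both the current and the new secret are in memory (stored credentials stay hashed). The rules are the ones the slide states; the forbidden-word list, the 0.6 similarity threshold standing in for “substantially different”, and the sample roster are constructed assumptions. The cross-account check at the end covers the “each user must use a different username and password” rule by flagging shared logins and reused passwords. The WPA2/WEP rule is a network setting and is outside this checker.

```python
"""Password-policy checker for the Security Rule examples on the slide.

Added example, not SecurityMetrics' code. The rules are the ones the slide
lists: rotate every 90 days, substantially different from the last password,
at least 6 characters, no dictionary words / slang / proper names, and a
distinct username and password per user. The wordlist, the similarity
threshold and the roster below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

MAX_PASSWORD_AGE = timedelta(days=90)   # "changed every 90 days"
MIN_LENGTH = 6                          # "contain 6 characters (min.)"
# Assumption: a SequenceMatcher ratio above this means the new password
# is not "substantially different" from the old one.
MAX_SIMILARITY = 0.6
# Constructed stand-in for a real dictionary / slang / proper-name list.
FORBIDDEN_WORDS = {"password", "welcome", "clinic", "doctor",
                   "summer", "smith", "lol"}


@dataclass
class Account:
    """Snapshot of one login as seen at password-change time.

    Passwords are only in memory here because a change request carries
    both the current and the new secret; stored credentials stay hashed.
    """
    username: str
    password: str
    previous_password: Optional[str]
    last_changed: date


def contains_forbidden_word(password: str) -> bool:
    """Reject passwords built around a dictionary word, slang or a name."""
    lowered = password.lower()
    return any(word in lowered for word in FORBIDDEN_WORDS)


def substantially_different(new: str, old: Optional[str]) -> bool:
    """True when the new password shares little with the previous one."""
    if old is None:
        return True
    ratio = SequenceMatcher(None, new.lower(), old.lower()).ratio()
    return ratio <= MAX_SIMILARITY


def check_account(acct: Account, today: date) -> List[str]:
    """Per-account findings; an empty list means the account passes."""
    findings = []
    if today - acct.last_changed > MAX_PASSWORD_AGE:
        findings.append("password older than 90 days")
    if len(acct.password) < MIN_LENGTH:
        findings.append("shorter than 6 characters")
    if contains_forbidden_word(acct.password):
        findings.append("contains dictionary word, slang or proper name")
    if not substantially_different(acct.password, acct.previous_password):
        findings.append("too similar to previous password")
    return findings


def check_roster(accounts: List[Account], today: date) -> List[Tuple[str, List[str]]]:
    """Per-account checks plus the cross-account rule that every user has
    their own username and password (no shared 'frontdesk' login)."""
    usernames = Counter(a.username for a in accounts)
    passwords = Counter(a.password for a in accounts)
    report = []
    for acct in accounts:
        findings = check_account(acct, today)
        if usernames[acct.username] > 1:
            findings.append("username shared by multiple users")
        if passwords[acct.password] > 1:
            findings.append("password shared with another account")
        report.append((acct.username, findings))
    return report


# Constructed roster for a small practice; `today` is fixed so the
# 90-day check is reproducible.
TODAY = date(2014, 3, 1)
SAMPLE_ROSTER = [
    Account("jsmith", "Tq7!vm9Lz", "Summer2013", date(2014, 1, 15)),
    Account("frontdesk", "clinic1", "clinic2", date(2013, 10, 1)),
    Account("frontdesk", "R3ceptn!x", None, date(2014, 2, 1)),
    Account("billing", "Tq7!vm9Lz", None, date(2014, 2, 10)),
]

if __name__ == "__main__":
    for user, findings in check_roster(SAMPLE_ROSTER, TODAY):
        status = "OK" if not findings else "; ".join(findings)
        print(f"{user:10s} {status}")
```

In the sample roster the shared “frontdesk” login and the password reused by “billing” are exactly the kind of finding a policy document alone never surfaces; the checker is what turns the written rule into an implemented one.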
Policy vs. Implementation
• Common to conflate HIPAA policies and implementation
• Healthcare religiously generates Privacy Rule policies, but few implement the principles
• A policy doesn’t cover a business from compromise, but through implementation you stand a fair chance against data thieves

Best Practices: Find Help
• Acknowledge that you (or your IT specialist) don’t have the training/time to pursue true HIPAA compliance
• Find a provider to guide you
– Caution: many HIPAA vendors don’t care about policy implementation because it increases their costs. Ensure your provider leads you through policy implementation.

Best Practices: Who’s In Charge?
• Identify who holds the assigned HIPAA Security Rule responsibility
• If you don’t have someone, assign a HIPAA Security ambassador

Best Practices: What’s Your Budget?
• Determine implementation budget:
– Weigh ROI against a custom loss estimate
– This will tell you how much a breach would cost your organization.
• Use the NIST risk calculation worksheet:
– http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

Best Practices: Record
• Review current policy and procedure documentation
• Take record of which policies you currently implement
• Which policies pertain to Privacy and which pertain to Security?

Best Practices: Don’t Assume
• Don’t assume new technology is secure
– “But the package says it’s a safe product!”
– “But everyone says it’s invincible to viruses!”
– “But the salesman at the HIPAA trade show says it follows HIPAA standards!”
• You can’t believe what you read in marketing materials, or what people tell you about the security of a product or technology.
• Counsel with your HIPAA advisor to learn how to safely implement new technology

Best Practices: Where Are The Gaps?
• Discover current security gaps
– Get a HIPAA audit
– Easiest, most thorough way to discover gaps
• Take action
– Come up with a plan to remediate gaps

The True Cost
• How expensive is implementation when compared to the cost of compromise?
• Are you willing to sacrifice patient trust?

Sound Familiar?
• “If you want a healthy body, you have two choices”
– Diet, exercise, healthy foods now (inexpensive)
– Hospital, surgery, personal trainer later (expensive)
• Identical to HIPAA
• “If you want to be secure, you have two choices”
– Take necessary security precautions now (inexpensive)
– Pay for forensic investigations, auditing, and fines later (expensive)