You and HIPAA - Get the Facts
The HIPAA Security Rule - An overview and preview for 2014, from Summit Security Group. Summit Security Group is a business partner to Resource One, managed IT services provider for over 15 years to small and mid-sized businesses in the Portland Metro and Southwest Washington area.


  1. The HIPAA Security Rule: An Overview and Preview for 2014
     Daniel M. Briley, CISSP, Managing Director, Summit Security Group
  2. Agenda
     • Introduction
     • HIT Security Compliance Landscape – From 2005 to 2014
     • Enforcement Actions
     • Breach Stats
     • 2014 Action Plan
     • Focus on Risk
     • Questions / Discussion
  3. Introduction: Summit Security Group
     • Local information security advisory firm – HQ: Beaverton, Oregon
     • Deep expertise in IT security, governance, risk management & compliance
     • We can help if you…
       – Would like a risk or vulnerability assessment to discover gaps
       – Are concerned about a data breach
       – Would like help with security operations, ePHI log monitoring, secure email, etc.
     • We participate in training events similar to this one to support a DIY approach, but please give us a call if you would like some help
  4. The Changing Landscape
     • 2005: HIPAA Security Rule
       – Administrative, physical, technical safeguards
       – Minimal enforcement
       – Insignificant monetary fines
     • 2009: ARRA
       – Included the Health Information Technology for Economic and Clinical Health (HITECH) Act
  5. The Changing Landscape
     • HITECH Act
       – Applies HIPAA to BAs
       – Mandatory data breach reporting requirements
       – Civil and criminal penalties for noncompliance
       – Enforcement responsibilities
       – New privacy requirements
       – Meaningful Use
         • Adopt certified EHR technology
         • Use it to achieve specific objectives
  6. The Changing Landscape
     • 2009: CMS delegates authority to OCR
  7. The Changing Landscape
     • 2011: OIG: CMS’ oversight and enforcement actions not sufficient to ensure CEs effectively implemented the HIPAA Security Rule
       – Hospitals audited: 7
       – Vulnerabilities identified: 151
         • High impact: 124
  8. The Changing Landscape
     • 2012: OCR taps KPMG to audit CEs
     • Audits are ongoing
       – CEs only in the 2012 pilot program
       – BAs in the future*
     * http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/auditpilotprogram.html
  9. The Changing Landscape
     • 2013: HITECH Act changes codified in the HIPAA Omnibus Final Rule
       – BAs now subject to HIPAA
       – Increased & tiered civil money penalties ($100 – $1.5M)
       – Clarifies the definition of a data breach
  10. Enforcement Actions
  11. Enforcement Actions
  12. Enforcement Actions
  13. Enforcement Actions
      “Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections.”
      – OCR Director Georgina Verdugo
  14. Breach Stats
  15. Breach Stats
      • The healthcare industry loses $7 billion a year due to HIPAA data breaches
      • The average economic impact of a data breach has increased by $400,000 to a total of $2.4 million since 2010
      • 94% of healthcare organizations have had at least one data breach in the last two years
      • The average number of lost or stolen records per breach is 2,769
      Source: Third Annual Benchmark Study on Patient Privacy & Data Security by the Ponemon Institute
  16. Breach Stats
      • Only 40% of organizations have confidence that they are able to prevent or quickly detect all patient data loss or theft
      • Top 3 causes of data breaches: lost or stolen computing device (46%), employee mistakes or unintentional actions (42%), third-party snafus (42%)
      • 18% of healthcare organizations say medical identity theft was a result of a data breach
      Source: Third Annual Benchmark Study on Patient Privacy & Data Security by the Ponemon Institute
  17. Breach Stats
      • Annual security risk assessments are done by less than half (48%) of organizations
      • 48% of data breaches in 2012 involved medical files
      • The primary activity conducted by healthcare organizations to comply with annual or periodic HIPAA privacy and security requirements is awareness training of all staff (56%), followed by vetting and monitoring of third parties, including business associates (49%)
      Source: Third Annual Benchmark Study on Patient Privacy & Data Security by the Ponemon Institute
  18. Breach Stats from HHS
      • HHS Breach Database
      • ≥ 500 individuals impacted
  19. Common Thread
      • An increase in OCR complaints, investigations, corrective actions and enforcement functions all indicate:
        – Managing compliance with the HIPAA Security Rule is challenging:
          • Threats are emerging and dynamic
          • Vulnerabilities and risks are going undiscovered and/or unresolved
          • Staff is tapped
        – Ignoring the requirements is not a strategy for success
  20. Common Thread
      • WSJ: Security compliance is not easy
  21. 2014 Action Plan
      • Align operations with requirements set forth in the Omnibus Rule:
        – Confirm Privacy & Security Official
        – Update BAAs & NPP
        – Perform / update risk assessment
        – Update P&P documents
        – Develop breach response
  22. 2014 Action Plan
      • Align operations, continued…
        – Understand where all PHI is stored
        – Understand who can access PHI
        – Implement technology that enhances the security of ePHI
        – Execute BAAs as needed
        – Train staff on updates
        – Retain evidence of actions
  23. Focus on Risk
      • Proper risk management → delivers value
      From: Improving Healthcare Risk Assessments to Maximize Security Budgets (white paper)
  24. Focus on Risk
      • Risk-based approach to security management
        – Assess risk (§ 164.308(a)(1)(ii)(A))
          • Technical / administrative / physical
          • Determine impact
        – Manage risk (§ 164.308(a)(1)(ii)(B))
          • Recommend improvements
          • Remediate gaps / mitigate risk
          • Document improvements
        – Re-assess
      The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)
  25. Approach
      • Proper risk assessment and management drives prioritization of key services:
        – Policy and procedure development
        – Education, awareness and training
        – Incident response
        – Vulnerability remediation
        – Safeguards enhancement
      • Key activities support and demonstrate compliance with the HIPAA Security Rule
  26. Discussion
      Proper planning & preparation prevents pandemonium
  27. Thank you! http://summitinfosec.com/