As healthcare data breaches continue to rise in both number and the negative attention they generate, understanding the importance of training your business associate workforce, and implementing cyber security best practices throughout your organization, is a requisite for every healthcare provider. Phyllis A. Patrick, founder and president of Phyllis A. Patrick & Associates, and NJVC Cyber Security Principal Robert J. Michalsky explain how to implement an effective business associate training program to help ensure compliance with the HIPAA Omnibus Rule, and why improving your cyber security posture is just as important as regulatory compliance.
Training Your Business Associate Workforce: Understanding Obligations and Risk Exposure
1. Training Your BA Workforce:
Understanding Obligations and Risk Exposure
June 26, 2014
Phyllis A. Patrick, MBA, FACHE,CISM, CHC
Robert J. Michalsky, CISSP, CSSLP
2. Session Topics
• Training and Awareness Requirements: HIPAA
Security and Privacy Rules
• Key Components of Effective Security and
Privacy Awareness Programs
• Breach Cases: Developing Strategies to Use
Training and Awareness Programs to Minimize
Risk Exposure
Understanding HIPAA Omnibus Obligations of Business
Associates
3. Training and Awareness Requirements
4. Legislative History and
BA Obligations
Timeline: 1996, 2003, 2005, 2009, 2010, 2013
BAs required to comply with interim final breach notification
rule (9/23/09); BAs liable for certain privacy and security
requirements under HITECH (2/18/10).
5. The Omnibus (Final) Rule
• Most significant change in the four Rules (privacy,
security, breach, enforcement) is the impact on
Business Associates.
• BAs have had contractual obligations to comply with
HIPAA Privacy Rule (2003) and Security Rule (2005).
• HITECH BAs subject to statutory penalties for failure
to comply with the HIPAA Privacy, Security, and Breach
Notification Rules (45 CFR Parts 160 and 164, subpart E; 45 CFR
parts 160 and 164, subpart C; 45 CFR parts 160 and 164, subpart D).
• HITECH implementing regs proposed including
subcontractors in definition of BA.
• BAs now subject to legal obligations and enforcement
risk.
6. Who are sub-contractors?
• “Sub-contractor” includes those acting on behalf of a
sub-contractor.
• HIPAA requirements apply all the way down the sub-
contracting chain as far as the PHI flows.
• Covered Entities must ensure that they obtain
satisfactory assurances (in the form of a BAA) from their
Business Associates, and Business Associates must do
the same with regard to Sub-contractors, and so on, no
matter how far down the chain the PHI flows.
• Both the contractor and all of sub-contractors are
Business Associates under the Final Rule to the extent
they create, receive, maintain, or transmit PHI.
7. Sub-contractor Issues
• Sub-contractors must understand their responsibilities
regarding HIPAA compliance: who communicates this
information to the sub-contractor, and how? What is
included in the contract and/or the BAA to codify this?
• Business Associates must enter into agreements with
their sub-contractors that include the same terms that
have always been required for Business Associate
Agreements.
8. Sub-contractor Issues (Cont’d)
• Challenge: HHS does not address the difficulty that
companies handling information might face if they never
know that they are a Subcontractor handling PHI.
• Service providers handling identifiable information should consider
seeking representations and warranties from their
customers that such customers are not Business
Associates under HIPAA.
• Subcontractors must take care to include appropriate
privacy and security language in their agreements where
they are sharing PHI with vendors and suppliers.
9. HIPAA Security Rule
• Covered entities (and business associates) must
“Implement a security awareness and training program
for all members of its workforce (including
management).”
CFR 164.308(a)(5)(i)
• Implementation Specifications include:
Security Reminders – “Periodic security updates”
Protection from Malicious Software – “Procedures for guarding
against, detecting, and reporting malicious software”
Log-in Monitoring – “Procedures for monitoring log-in attempts
and reporting discrepancies”
Password Management – “Procedures for creating, changing,
and safeguarding passwords.”
CFR 164.308(a)(5)(ii)(A), (B), (C), and (D)
10. Training & Awareness Requirements
• Security training required for all new and existing
members of the covered entity’s (and business
associate’s and sub-contractor’s) workforce
• Periodic retraining should be given whenever
environmental or operational changes affect security
of ePHI.
• Changes may include:
new or updated policies and procedures; new or upgraded
software or hardware;
new security technology; or
changes in the Security Rule.
11. Security Awareness Training Documentation
• Covered entities (and BAs and sub-contractors) must
document the security reminders they implement.
Documentation: include type of reminder, message, date
of implementation.
• Examples:
Notices (electronic or printed)
Agenda Items and Discussion Topics (Monthly Meetings)
Postings/focused reminders
Formal re-training on policies and procedures
• Consider if practices are reasonable and appropriate.
• Determine if other forms of security reminders are needed.
12. Security Awareness Training Must Be Ongoing
• Workforce must be trained regarding its role in protecting
against malicious software and system protection
capabilities.
• Training must be ongoing for all organizations.
• Workforce must be aware of log-in attempts that are not
appropriate.
• Workforce must be trained in how to safeguard
password information, including guidelines for creating
passwords and changing them during periodic change
cycles.
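The Security Rule's "log-in monitoring" specification (slide 9) and the awareness point on slide 12 both ask for procedures that watch log-in attempts and report discrepancies. The script below is an added illustration of what such a procedure can look like in practice; it is not code from the presentation, from NJVC or from Phyllis A. Patrick & Associates. The log format, user names, IP addresses, thresholds and business-hours window are all constructed assumptions.

```python
"""Log-in attempt monitoring over constructed auth-log lines.

Added illustration (not from the presentation): a minimal implementation of
the HIPAA Security Rule's "log-in monitoring" specification, i.e. procedures
for monitoring log-in attempts and reporting discrepancies. Everything here
(log format, users, addresses, thresholds) is an assumption for the demo.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "timestamp user result source" format.
SAMPLE_LOG = """\
2014-06-26T08:02:11 jsmith SUCCESS 10.1.4.22
2014-06-26T08:05:40 rjones FAIL 10.1.4.31
2014-06-26T08:05:52 rjones FAIL 10.1.4.31
2014-06-26T08:06:03 rjones FAIL 10.1.4.31
2014-06-26T08:06:15 rjones FAIL 10.1.4.31
2014-06-26T08:06:27 rjones FAIL 10.1.4.31
2014-06-26T08:07:01 rjones SUCCESS 10.1.4.31
2014-06-26T12:15:09 jsmith SUCCESS 10.1.4.22
2014-06-27T02:41:33 jsmith SUCCESS 203.0.113.7
2014-06-27T09:00:00 mlee FAIL 10.1.4.40
2014-06-27T09:30:00 mlee FAIL 10.1.4.40
"""

FAIL_THRESHOLD = 5                    # assumed policy: 5 or more failures ...
FAIL_WINDOW = timedelta(minutes=10)   # ... within 10 minutes is a discrepancy
BUSINESS_HOURS = (7, 19)              # assumed: 07:00-19:00 local is normal


def parse_log(text):
    """Parse lines into (timestamp, user, result, source) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2], parts[3]))
    return events


def find_discrepancies(events):
    """Return discrepancy records, in time order, for the security officer to review."""
    findings = []
    failures = defaultdict(list)  # user -> timestamps of recent failed attempts
    for ts, user, result, src in sorted(events):
        if result == "FAIL":
            # Keep only failures inside the sliding window, then add this one.
            window = [t for t in failures[user] if ts - t <= FAIL_WINDOW]
            window.append(ts)
            failures[user] = window
            if len(window) == FAIL_THRESHOLD:   # report once, when the threshold is hit
                findings.append({"type": "repeated_failures", "user": user,
                                 "source": src, "at": ts.isoformat()})
        elif result == "SUCCESS":
            start, end = BUSINESS_HOURS
            if not start <= ts.hour < end:
                findings.append({"type": "off_hours_success", "user": user,
                                 "source": src, "at": ts.isoformat()})
            # A success right after a burst of failures deserves a closer look.
            recent = [t for t in failures[user] if ts - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                findings.append({"type": "success_after_failures", "user": user,
                                 "source": src, "at": ts.isoformat()})
            failures[user] = []   # a successful log-in resets the failure window
    return findings


def summarize(findings):
    """Count findings by type, the figure a periodic security reminder would cite."""
    return dict(Counter(f["type"] for f in findings))


if __name__ == "__main__":
    report = find_discrepancies(parse_log(SAMPLE_LOG))
    for item in report:
        print(f"{item['at']}  {item['type']:<24} user={item['user']} source={item['source']}")
    print("summary:", summarize(report))
```

The thresholds are deliberately configuration values: the Security Rule does not dictate numbers, so an organization documents the ones it chooses, which is the same documentation the Security Reminders specification expects.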
13. HIPAA Privacy Rule
• Workforce Training and Management
Workforce members include employees, volunteers, trainees, and
may also include other persons whose conduct is under the direct
control of the entity (whether or not they are paid by the entity).
45 CFR 160.103
• A covered entity must train all workforce members on its
privacy policies and procedures, as necessary and
appropriate for them to carry out their functions.
45 CFR 164.530(b)
• A covered entity must have and apply appropriate
sanctions against workforce members who violate its
privacy policies and procedures or the Privacy Rule.
45 CFR 164.530(e)
14. Privacy Rule Training Requirements
• Requires training so that workforce members understand
the privacy procedures.
• Training may be scaled to the type of organization and
size of workforce.
• Privacy training must be provided to all workforce
members, as necessary and appropriate to their
functions.
• Rule does not specify how often training should be
conducted or specific content.
• Suggest that training include Minimum Necessary
standard and requirements (45 CFR 164.502(b), 164.514(d))
• Training must be documented.
15. Interrelationships: Privacy and Security
Rules
• Security requirements include a set of tools for ensuring
compliance with the Privacy Rule as well as the Security
Rule.
• The Security Rule provides detailed requirements, which
protect only ePHI.
• The Privacy Rule safeguards provision, 45 CFR §
164.530(c), is more general and protects the privacy of all
PHI, not just ePHI.
• Both Rules require covered entities (and BAs) to:
Implement policies
Ensure accountability for compliance
Limit access to PHI
Conduct workforce training
Safeguard PHI
16. Effective Privacy and Security
Awareness Training Programs
17. Key Components of Effective Training
Programs
• Engage the workforce.
• Make training interesting.
• Use scenario-based training modules and lessons
learned.
• Apply headline and prominent cases to the
organization’s work environment. Include cases where
BAs have been involved in data breaches.
• Establish a mix of media and teaching approaches.
• Training should emphasize security and privacy
requirements of all laws that apply to the organization.
HIPAA is just one.
18. Key Components (Cont’d)
• Make training personal – how do these concepts fit with
employees’ life outside work? Make it relevant to
protecting employees’ confidential information.
• Include everyone from senior leaders to front-line staff.
• Train in small doses and train often.
• Select key themes and develop a mix of awareness
materials to emphasize and reinforce key concepts, and
help employees to know what to do in cases of possible
data breaches or other situations which can harm
confidential material.
• Cover contemporary threats.
19. Key Components (Cont’d)
• Test knowledge, not just after the training module, but later…
• Include good behaviors that protect the individual’s privacy
and that of the organization.
• Provide links to resources for those who want to go further.
• Train on policies. Make sure policies are easily accessed
and employees know where they are.
• Be sure to include contractors and sub-contractors in training
programs.
• Document training for all workforce members.
Remember: Employees may be the weak link in your security.
20. Consulting Consortium
Consulting consortium providing strategic planning, information security,
and privacy services to the healthcare industry and business associates.
Practical approach to information security and privacy program
development and enhancement based on consultants’ experiences as
senior executives in healthcare organizations.
Expertise in information security and privacy program development,
technical security, legal services, hospital management, healthcare
operations, compliance, information technology, disaster recovery and
business continuity, cyber security, health information management,
hospital and commercial clinical laboratory operations, physician practice
development, government sector, medicine, pharmaceutical compliance,
health information exchange.
Working relationships with industry leaders and government agencies,
including CMS and OCR. Successful work history with regulators.
SECURITY | PRIVACY | CULTURE
21. Using Data Breaches to Raise Awareness
• Security Incident: An event that compromises the Confidentiality, Integrity, or Availability (CIA) of PHI.
• Breach: An incident that results in the disclosure or potential exposure of data.
• Data disclosure: A breach for which it was confirmed that data was actually disclosed (not just exposed) to an unauthorized party.
• HIPAA Breach: “The acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI.”
22. Current state of Data Breaches
• Wide range of threat actions (footprint)
– Over 20 distinct attack methods found in data set of confirmed
security incidents
• Attack methods change every year
– E.g., brute force was the #1 method in 2009, #12 in 2013
• Financial motivations still highest factor
• Network devices are only a conduit in breaches
– Servers, user devices are prime targets
• ‘Time to compromise’ is far less than ‘time to discovery’
Source: 2014 Verizon Data Breach
Investigations Report (DBIR)
23. Why focus on training users?
• Healthcare has the highest data breach cost per capita of any
industry ($359 vs. an average of $145)
• Strong security posture has the single greatest influence on
reducing the cost of a data breach
• Reputation and loss of customer loyalty does the most damage to
the bottom line
Source: Ponemon Institute Reports
And yet…
• Only 68% of organizations have a formal privacy training program
– 32% designate such training as mandatory
– 38% provide specialized training
– 44% assess the program for effectiveness
24. Role of Business Associates
• Over 20% of ALL HHS breach incidents on the ‘Wall of Shame’
involve BA
– Approximately 200 of the more than 1000 posted incidents (June, 2014)
Source: Health & Human Services (HHS)
Most notably…
• The all-time largest event
– TRICARE Sept 2011 breach of 4.9 million records
– Due to a BA
• 90% of all healthcare organizations report one or more data breaches
• 38% of all healthcare organizations report five or more data breaches
Source: Ponemon Institute
25. Macro perspectives
• 94% of confirmed data breaches fall into only nine
patterns of compromise
– POS Intrusions
– Web app-attacks
– Insider Misuse
– Physical Theft/loss
– Miscellaneous errors
– Crimeware
– Card skimmers
– DoS Attacks
– Cyber espionage
– Everything else
Healthcare industry: 46% of ALL incidents, more than twice the rate of ANY other industry.
Next highest pattern: Insider Misuse (15%)
26. Physical Theft and Loss
• Incidents due to ‘loss’ are an astounding 15 times the
volume due to ‘theft’
– Two mitigation options:
1. Reduce quantity of events
2. Reduce impact of each event
• For #1 - Awareness and training can be a key first step
• For #2 – Encryption is essential – a ‘no brainer’
Legal and regulatory reporting requirements suggest a high degree of compliance.
Primary root cause: carelessness.
• Keep data close, PHI closer
• Devices in work areas are not ‘safe’ – even servers
• Include law enforcement crime reduction tips in awareness training
• Move PHI to secure storage locations
27. The Solution?
Awareness
• Loss, theft of data
• Insider misuse
– Where is PHI?
– How can PHI be accessed and used?
– Why is that data on a mobile device?
– How is that mobile device protected?
– Is PHI protected on every storage device and server?
– How are user privilege abuses discovered?
Encryption
• Across all phases
– Data at rest
– Data in use
– Data in transit
• Need proof for auditors
Relative fixes:
• Loss of data – EASY
• Insider misuse – HARD
28. Corporate Overview
Leading Technology Services Integrator
• Founded 2001
• Origins in the Intelligence Community, Military and Federal markets
• Focus on IT automation for enterprise level engagements
Dedicated Workforce of over 1400
• Majority hold security clearances
• 625 hold one or more professional Cyber Security certifications
• Over 80 full time cyber security engineers
Developer of Advanced Cyber Analytics Capabilities
• Network scanning, device and malware detection algorithms
• Data log and sensor feed integration
• Cyber Dashboard visualization
With over $500 million in annual revenue, NJVC has a proven record of providing
performance, commitment and value to our clients.
29. Tools and Resources
• CMS, HIPAA Security Series, Volume 2, Paper 2, Security Standards:
Administrative Safeguards, May 2005. Revised March 2007
– http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf
• NJVC White paper “Raising Cyber Security Awareness for Healthcare
Professionals”
– http://www.njvc.com/resource-center/white-papers-and-case-studies
• SANS Securing The Human – Awareness Training Modules
– http://www.securingthehuman.org/enduser/demo-training-lab
• Examples of SANS Modules:
– You Are A Target
– Social Engineering
– Email & Instant Messaging
– Browsing
– Social Networking
– Mobile Device Security
– Passwords
– Encryption
– ETC…
30. Tools and Resources (Cont’d)
• Symantec Security Awareness Tech Center. Examples: Security awareness
while traveling, Social Media Awareness, ETC.
– http://techcenter.symantec.com/ecampus/enterprise?siteName=sena&partNo=SA1000
• Ponemon Institute, Digital Defense SecurED: Experimental Analysis of
Training Effectiveness, July 16, 2013.
• Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis
– http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
• Ponemon Institute, Fourth Annual Benchmark Study on Patient Privacy & Data
Security
– http://www2.idexpertscorp.com/ponemon-report-on-patient-privacy-data-security-incidents/
• Verizon Data Breach Investigations Report (2014)
– http://www.verizonenterprise.com/DBIR/2014/?gclid=CL2nwPqfhr4CFYt9Ogod7QUAaw
• Redspin Breach Report 2013 (Protected Health Information – PHI – Feb 2014)
– http://www.redspin.com/resources/whitepapers-datasheets/Request-2013-Breach-Report-Protected-Health-Information-PHI-Redspin.php
31. Contact Information
Robert Michalsky
Principal, Cyber Security
NJVC
Robert.michalsky@njvc.com
703-429-9593
Twitter: RobertMichalsky
Phyllis Patrick
Phyllis A. Patrick & Associates LLC
Phyllis@phyllispatrick.com
914-696-3622