eFax Corporate is the world's leading online faxing service which lets your business fax online by email securely and cost-effectively.
Healthcare covered entities and their Business Associates now need to prepare for two threats: the growing threat of cyber-attacks, and the ramp-up of the HIPAA Compliance Phase 2 Audits by the Office for Civil Rights of the Department of Health & Human Services (OCR-HHS).
Healthcare Business Associates in particular should be aware that the extension of the audit program to BAs got underway in the fall of 2016.
The fact is, healthcare is a prize target of cyber-criminals. No one is immune from this threat. And the government is taking the threat to the privacy and security of patient information very seriously. Any provider who does not make all reasonable efforts to protect confidential patient information could find themselves the subject of an audit investigation.
Those that have assumed that traditional methods such as fax were a safe way to communicate protected health information (PHI) may be in for a surprise, because the OCR receives numerous complaints about breaches of privacy involving traditional fax processes. And sending patient information over unsecured email is a clear violation of HIPAA privacy and security regulations.
The latest updates on the HHS-OCR HIPAA Compliance Audit Program
Practical strategies, tips and techniques for implementing the HIPAA Security Rule
Whether or not cloud services are really compliant, plus the latest guidance from HHS
The difference between TLS and SSL Encryption and why you should care
The surprising things the OCR regulators had to say about Fax
How to ensure HIPAA-compliant faxing with eFax Corporate
Contact eFax Corporate Today to Learn More: https://enterprise.efax.com/ or call (888) 532-9265
Slide 1: Webinar & Live Q&A
Healthcare CyberSecurity Update: Ensuring HIPAA Compliance with Cloud Services
Slide 2: Your Speakers
Brad Spannbauer, Senior Director, Product Development; HIPAA Privacy Officer, eFax Corporate®
David Hold, Senior Product Marketing Manager, eFax Corporate®
Slide 3: Agenda
1. Present State of Healthcare Cybersecurity: The latest stats on data breaches and HIPAA Violations
2. HHS-OCR Audit Program & Enforcement Actions
3. Cloud Service Providers and HIPAA Compliance
4. Cyber hacking, Data Breaches and Ransomware
5. HIPAA standard on encryption and integrity: strategies, tips and techniques
6. Common compliance and security pitfalls: 8 places your ePHI might be hiding
7. How Cloud Faxing is more secure AND compliant
Slide 4: Disclaimer
The information provided in this presentation does not constitute, and is no substitute for, legal or other professional advice. We strongly encourage you to consult your own legal or other professional advisors for individualized guidance regarding the application of the law to your particular situations, and in connection with any compliance-related concerns.
Slide 5: Healthcare Is Under Attack!
Healthcare is in the Cross-hairs of the Cyber-criminals
• PHI commands 10-20 times the value of credit card data
• Credit cards can be easily cancelled, numbers changed
• Personal health records are more or less permanent
Slide 6: Healthcare CyberSecurity & Compliance Stats
Dept. of Health & Human Services, Office for Civil Rights:
• 144,662 Complaints -- 97% resolved
• 24,617 cases (17%) corrective action
• 1,688 large breaches >500 records
• 41 cases settled – $48.7 million
• 589 Criminal Referrals to DoJ
Identity Theft Resource Center, 2016 Data Breach Summary, Healthcare Industry:
• 376 Data Breaches (34.4% of Total)
• 16 million PHI records affected (43.6% of Total)
Enforcement is ramping up! Record Number of Settlements and Corrective Action Plans
Slide 7: OCR Audit Program Update
“We can open a compliance review for any reason whatsoever.”
Deven McGraw, Deputy Director, Health Information Privacy, HHS Office for Civil Rights
• Phase 2 of the HIPAA Audit Program began in 2nd half 2016
• Business Associates are now included in audits
• New Guidance -- Cloud Service Providers are BAs
• If Audited, must document applicable policies, procedures, and evidence of implementation
Slide 8: No company is too big or too small to escape…
• $5.55M Advocate Health Care
• $2.75M University of Miss. Medical Center
• $25K Complete P.T. Physical Therapy
Slide 9: Lessons Learned
• $2.1M St. Joseph’s Health System
• $2.7M Oregon State University Health Services
• $650K Catholic Health Care of Philadelphia
Slide 10: Cloud Service Provider Compliance
Q. When is a CSP a BA?
A. When it “creates, receives, maintains or transmits ePHI, for, or on behalf of, a CE or BA”
1. Cloud Service Providers (CSPs) that do any of the above are Business Associates (BAs) and need to comply with applicable HIPAA regulations.
2. When a CSP stores and/or processes ePHI for a CE or BA, that CSP is a BA and needs to sign a Business Associate Agreement.
3. CSPs are not ‘conduits’ if they store ePHI on more than a temporary basis.
Slide 11: Sources of Data Breaches
Large data breaches affecting more than 500 individuals, 2009 – 2016:
• Theft: 45%
• Unauthorized Access/Disclosure: 25%
• Hacking: 13%
• Loss: 8%
• Other: 6%
• Improper disposal: 3%
Slide 12: Cyber Hacking Risks - Ransomware
Ransomware emerged as a major threat in 2016
Questions –
• Is a ransomware attack the same as a data breach?
• Does it trigger the reporting requirement?
• What is the probability ePHI was compromised?
Slide 13: Cyber Hacking Risks
• 1 in 3 patients were affected in 2016
• 49% of organizations were victims of data breaches in 2016
• $221 average cost of a breached data record in 2016
Slide 14: Economic Consequences of Data Breach
A Data Breach can have substantial consequences to revenues, customers, reputation
• 42% lost 20% or more opportunities
• 38% lost 20% or more customers
• 39% lost 20% or more revenues
• 49% had to manage public scrutiny following a breach
Slide 17: Compliance Alone is Not Enough
Compliance is necessary but not sufficient to protect ePHI
Regulations will always be many steps behind the latest threat
Slide 18: The HIPAA Standard
Security Standards: Encryption and Integrity of ePHI Transmissions
45 CFR 164.306:
• Ensure ePHI confidentiality
• Protect from reasonably anticipated threats
• Use any security measures that comply
TIP: Treat Addressable Standards as Required
Slide 19: HIPAA’s Demand for Encryption and Integrity
2 Secure-Transmission Requirements: Encryption and Integrity
ePHI Encryption: The covered entity must “Implement a mechanism to encrypt and decrypt electronic protected health information.” [1]
ePHI Integrity: The covered entity must “Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.” [2]
1. Encryption and decryption -- 45 CFR § 164.312(a)(2)(iv)
2. Integrity controls -- 45 CFR § 164.312(e)(2)(i)
Slide 20: So, is Encryption Required under HIPAA?
Required? No, but…
“Although encryption is an addressable issue, encryption remains the Gold Standard for protection of ePHI.”
Jocelyn Samuels, Director, Office for Civil Rights, Department of Health & Human Services
Slide 21: What’s Considered a “Secure” ePHI Transmission?
Federal agencies generally follow the encryption standards set forth by The National Institute of Standards & Technology
Slide 24: The HIPAA Security Rule: Administrative Safeguards
45 CFR 164.308(a)(1)(i):
• Security Management Process: Implement policies and procedures to Prevent, Detect, Contain and Correct Security Violations (Required)
45 CFR 164.308(a)(1)(ii)(A):
• Conduct accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the organization (Required)
• See Also: 164.312(e)(2)(ii)(B)
Slide 25: How Do Businesses Access and Disclose ePHI?
• Fax Transmissions (fax machine or fax servers)
• Desktop Virtualization
• Roaming desktop/SSO
• Secure fax by email (with TLS encryption)
• BYOD (text, email, file sharing apps)
• Paper
• Voice
• Health Information Exchange
• EHRs (e.g., Cerner, Athena Health)
• Email (via corporate network or personal email client)
Slides 26-27: 8 Places Your ePHI Might be Hiding
1. USB drives and other portable media devices
2. Your staff’s text messages
3. Your staff’s email accounts
4. The hard drives of copiers, scanners and fax machines
5. Your voice files and recordings
6. Your old EMR system
7. Your medical equipment’s hard drives
8. Your ePHI data held by third-party providers
Slide 29: OCR Enforcement – Fax Compliance Example
Physician Revises Faxing Procedures to Safeguard PHI
Problem: A doctor's office mistakenly faxed medical records disclosing a patient's HIV status to the patient's employer instead of to the patient's new health care provider.
Remedy: The employee responsible received a written disciplinary warning, and both the employee and the physician apologized to the patient.
The office informed all its employees of the incident and counseled staff on proper faxing procedures.
OCR also required the practice to revise the office's fax cover page to underscore a confidential communication for the intended recipient.
Slide 30: eFax Corporate®: The HIPAA–compliant Cloud Faxing Solution
• Brings faxing into alignment with HIPAA
• Employs the most secure encryption
• Provides clear audit trails
• Allows easy retrieval of archived faxes
• Protects fax data in-flight and at rest
• Eliminates security vulnerabilities in traditional fax machines and servers
• Virtually no IT administration, maintenance and troubleshooting
• Will Sign BAA
Slide 31: eFax Corporate®
• The world’s #1 online fax company – and the industry’s most experienced hosted fax service
• The most widely deployed online fax service for the Fortune 500
• Trusted by more major healthcare, legal, financial and other highly-regulated firms than any other online fax provider to transmit sensitive documents
Service diagram: Inbound / Outbound Faxes; PSTN Telco Service; Hosted Fax Service; Encrypted Fax Storage via eFax Secure (optional); Email, Secure Browser, Mobile App & eFax Messenger User Interfaces; Encrypted in Transit with TLS
Slide 32: Helpful Resources
• Ponemon Institute: Data Security Report
• Identity Theft Resource Center 2016 Breach Report
• Cisco 2017 Annual Cybersecurity Report
• HIPAA Privacy Rule
• The HIPAA Security Rule Toolkit
• NIST Special Pub 800-52 (Transport Layer Security)
• NIST Special Pub 800-111 (Storage Encryption)
• HHS Guidance on HIPAA & Cloud Computing