The HIPAA Security Rule - An overview and preview for 2014, from Summit Security Group. Summit Security Group is a business partner to Resource One, managed IT services provider for over 15 years to small and mid-sized businesses in the Portland Metro and Southwest Washington area.
Falcon Invoice Discounting: Unlock Your Business Potential
You and HIPAA - Get the Facts
1. The HIPAA Security Rule
An Overview and Preview for 2014
Daniel M. Briley, CISSP
Managing Director
Summit Security Group
2. Agenda
• Introduction
• HIT Security Compliance Landscape
– From 2005 - 2014
•
•
•
•
•
Enforcement Actions
Breach Stats
2014 Action Plan
Focus on Risk
Questions / Discussion
3. Introduction: Summit Security Group
• Local Information Security Advisory Firm
– HQ: Beaverton, Oregon
• Deep expertise in IT Security, Governance, Risk
Management & Compliance
• We can help if you…
– Would like a risk or vulnerability assessment to
discover gaps
– Are concerned about a data breach
– Would like help with security operations, ePHI log
monitoring, secure email, etc.
• We participate in training events similar to this one
to support DIY a approach but please give us a call
if you would like some help
4. The Changing Landscape
• 2005: HIPAA Security Rule
– Administrative, Physical,
Technical Safeguards
– Minimal enforcement
– Insignificant monetary fines
• 2009: ARRA
– Included the Health Information
Technology for Economic and
Clinical Health (HITECH) Act
5. The Changing Landscape
• HITECH Act
– Applies HIPAA to BAs
– Mandatory data breach reporting
requirements
– Civil and criminal penalties for
noncompliance
– Enforcement responsibilities
– New privacy requirements
– Meaningful Use
• Adopt Certified EHR Technology
• Use it to achieve specific objectives
7. The Changing Landscape
• 2011: OIG: CMS’
oversight and
enforcement actions
not sufficient to
ensure CEs effectively
implemented HIPAA
Security Rule
• Hospitals audited: 7
• Vulnerabilities
identified: 151
– High impact: 124
8. The Changing Landscape
• 2012: OCR Taps KPMG to Audit CEs
• Audits are ongoing
– CEs only in 2012 pilot program
– BAs in the future*
* http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/auditpilotprogram.html
9. The Changing Landscape
• 2013: HITECH Act
changes codified in the
HIPAA Omnibus Final
Rule
– BAs now subject to HIPAA
– Increased & tiered civil
money penalties ($100 $1.5M)
– Clarifies the definition of
a data breach
13. Enforcement Actions
“Covered entities need to realize that HIPAA privacy protections are real and OCR
vigorously enforces those protections”. -- OCR Director Georgina Verdugo
15. Breach Stats
• The healthcare industry loses $7 billion a year
due to HIPAA data breaches
• The average economic impact of a data
breach has increased by $400,000 to a total
of $2.4 million since 2010
• 94% of healthcare organizations have had at
least one data breach in the last two years
• The average number of lost or stolen records
per breach is 2,769
Source: Third Annual Benchmark Study on Patient Privacy & Data Security by the Ponemon Institute
16. Breach Stats
• Only 40% of organizations have
confidence that they are able to prevent or
quickly detect all patient data loss or theft
• Top 3 causes of data breaches: Lost or
stolen computing device (46%), Employee
mistakes or unintentional actions (42%),
Third party snafus (42%)
• 18% of healthcare organizations say medical
identity theft was a result of a data breach
Source: Third Annual Benchmark Study on Patient Privacy & Data Security by the Ponemon Institute
17. Breach Stats
• Annual security risk assessments are done
by less than half (48%) of organizations
• 48% of data breaches in 2012 involved medical
files
• The primary activity conducted by healthcare
organizations to comply with annual or
periodic HIPAA privacy and security is
awareness training of all staff (56%), followed
by vetting and monitoring of third parties,
including business associates (49%)
Source: Third Annual Benchmark Study on Patient Privacy & Data Security by the Ponemon Institute
19. Common Thread
• An increase in OCR complaints, investigations,
corrective actions, enforcement functions all
indicate:
– Managing compliance with the HIPAA Security Rule is
challenging:
• Threats are emerging and dynamic
• Vulnerabilities and risks are going undiscovered and/or
unresolved
• Staff is tapped
– Ignoring the requirements is not a strategy for success
21. 2014 Action Plan
• Align operations with requirements
set forth in the Omnibus Rule:
– Confirm Privacy & Security Official
– Update BAAs & NPP
– Perform / Update Risk Assessment
– Update P&P documents
– Develop Breach Response
22. 2014 Action Plan
• Align operations, continued…
– Understand where all PHI is stored
– Understand who can access PHI
– Implement Technology that enhances
the security of ePHI
– Execute BAAs as needed
– Train staff on updates
– Retain evidence of actions
23. Focus on Risk
• Proper Risk Management Delivers Value
From: Improving Healthcare Risk Assessments to Maximize Security Budgets White Paper
24. Focus on Risk
• Risk-based Approach to Security Management
– Assess risk (§ 164.308(a)(1)(ii)(A))
• Technical / Administrative / Physical
• Determine Impact
– Manage Risk (§ 164.308(a)(1)(ii)(B))
• Recommend improvements
• Remediate gaps / mitigate risk
• Document improvements
– Re-assess
The risk analysis process should be ongoing. In order for an entity to update and document its
security measures “as needed,” which the Rule requires, it should conduct continuous risk
analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).
25. Approach
• Proper risk assessment and management drives
prioritization of key services:
–
–
–
–
–
Policy and Procedure Development
Education, Awareness and Training
Incident Response
Vulnerability Remediation
Safeguards Enhancement
• Key activities support and demonstrate compliance
with the HIPAA Security Rule
