
Ohio Hospital Association Centennial Annual Meeting

Privacy & Security


Risk Management Strategies
for Healthcare Data

Chris Allman, JD
Director of Risk Management, Compliance & Insurance
Garden City Hospital
callman@primehealthcare.com

Jeff Bell, CISSP, GSLC, CPHIMS, ACHE
Director of IT Security & Risk Services
CareTech Solutions
jeff.bell@caretech.com
@JeffBell_CTS

1
Conflict of Interest Disclosure

Chris Allman does not have any real or perceived conflicts of interest related to
this presentation.

Jeff Bell is an employee of CareTech Solutions, an information technology (IT) and Web products and services provider for U.S. hospitals and health systems.
www.caretech.com

2
Learning Objectives

• Identify current healthcare privacy threats
• Understand risk management strategies and how effective policies and procedures can mitigate healthcare privacy threats and risks
• Identify current healthcare cybersecurity threats and risks
• Understand risk management strategies to effectively mitigate healthcare cybersecurity threats and risks

3
HIPAA Requires A Risk-Based Approach
to Security

Protect against any reasonably anticipated threats or hazards (45 CFR 164.306(a))

Conduct a risk analysis: “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of [ePHI] held by the covered entity” (45 CFR 164.308(a)(1)(ii)(A))

Risk management: “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level” (45 CFR 164.308(a)(1)(ii)(B))

4
Risk Assessment Process

• Identify assets / ePHI / other sensitive data

• Identify threats

• Identify vulnerabilities

• Likelihood * impact = risk

5
Elements of a Risk Assessment

• Evaluate all three aspects of security:
  1. Confidentiality
  2. Integrity
  3. Availability
• ALL ePHI
• Evaluate HIPAA security compliance
  – Assess compliance with the rules
  – Evaluate policies, procedures, training, practices for the risk management process
• Evaluate each department & each application
• Perform a technical assessment
  – Interviews with IT Subject Matter Experts
  – Vulnerability scan of all equipment
  – Wireless assessment
  – Web application assessment
• Document findings & recommendations
• Present to leadership
6
Risk Management Process

• Risk Management: Is the risk level acceptable?
  – Risk acceptance
  – Risk mitigation
  – Risk transference
  – Risk avoidance
• Which risks will you mitigate?
• How will you mitigate?
• Who will mitigate?
• When will you mitigate?
• Budget / resources?
• Ongoing impact to operations?
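A worked version of the two preceding slides (risk assessment: likelihood * impact = risk; risk management: is the residual risk acceptable, and what gets mitigated first), added here as an example and not taken from the original deck. It is a small Python risk register that scores inherent risk, applies the planned controls to get residual risk, compares that against a risk appetite, and ranks the entries so the mitigation questions (who, how, when, budget) are asked in order. The 1 to 5 scales, the control effects and the register entries are constructed for illustration; substitute the scales your own methodology defines.

```python
"""Risk register: score, rank, and decide treatment (added example).

Scales, control effects and entries are constructed; substitute your own
assessment methodology's scales.
"""
from dataclasses import dataclass, field

# Five-step qualitative scales (assumption: your methodology may differ).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A planned or existing safeguard and how many scale steps it removes."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str           # where the ePHI / sensitive data lives
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Likelihood x impact before any controls."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> int:
        """Likelihood x impact after the listed controls (never below 1 x 1)."""
        lik, imp = LIKELIHOOD[self.likelihood], IMPACT[self.impact]
        for c in self.controls:
            lik = max(1, lik - c.likelihood_reduction)
            imp = max(1, imp - c.impact_reduction)
        return lik * imp


def decide(risk: Risk, appetite: int) -> str:
    """Risk acceptance when residual risk is within appetite, otherwise the
    risk goes on the mitigation plan. Transference and avoidance are the
    leadership options for risks that cannot be mitigated within budget;
    that call is left to the reviewer here."""
    return "accept" if risk.residual() <= appetite else "mitigate"


def assess(register: list, appetite: int) -> list:
    """Score every entry and return rows ordered highest residual risk first,
    i.e. the order in which to answer who mitigates, how, when, at what cost."""
    rows = [
        {
            "asset": r.asset,
            "threat": r.threat,
            "inherent": r.inherent(),
            "residual": r.residual(),
            "decision": decide(r, appetite),
        }
        for r in register
    ]
    return sorted(rows, key=lambda row: (-row["residual"], -row["inherent"]))


def sample_register() -> list:
    """Constructed entries modelled on the breach patterns later in the deck."""
    return [
        # Encrypting the drive removes most of the impact of a stolen laptop
        # (encrypted PHI falls under the breach-notification safe harbor).
        Risk("clinician laptops", "theft", "no full-disk encryption", "likely", "severe",
             controls=[Control("full-disk encryption", impact_reduction=4)]),
        Risk("transcription web portal", "unauthorized access",
             "report pages require no login", "likely", "major"),
        Risk("EHR web server", "remote exploitation", "unpatched web server",
             "possible", "major",
             controls=[Control("monthly patching + vulnerability scan", likelihood_reduction=1)]),
        Risk("backup USB drives", "loss", "unencrypted copies of images",
             "possible", "major",
             controls=[Control("encrypted media only", impact_reduction=3)]),
    ]


if __name__ == "__main__":
    for row in assess(sample_register(), appetite=6):
        print(f"{row['residual']:>2} (inherent {row['inherent']:>2})  {row['decision']:<8} "
              f"{row['asset']}: {row['threat']}")
```

Running it with an appetite of 6 puts the unauthenticated transcription portal at the top of the mitigation list (residual 16, no control planned) and shows why encryption is the cheapest large reduction in this register: the stolen-laptop risk falls from 20 to 4 and can be accepted once full-disk encryption is actually deployed, not merely planned.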
7
Why a Risk Assessment is Essential

• Meaningful Use Stage 1 and 2 require a risk assessment of your certified EHR and correction of deficiencies
• HIPAA requires a risk assessment of all ePHI and development of a plan to implement sufficient security measures to reduce risks and comply with HIPAA
• Audit and enforcement activities
• Breaches are costly, must be reported, and impact reputation

• Threats to cybersecurity are high

8
Why a Risk Assessment is Essential

Just doing a risk assessment is…

NOT ENOUGH

9
Effective Policies & Procedures

• Effective policies and procedures are key to a robust cybersecurity program and reduction of risk
• Policies are not “effective” when they are drafted (or purchased) and then put on a shelf to collect dust
• Policies should be living, breathing entities that are subject to change as technology and the risks of technology change
• Policies should reflect your actual practices
• The HIPAA Security Rule is a great start, but it is not the end of the road!
10
How Can Effective Policies & Procedures
Reduce Risk?

Effective policies & procedures can help you in 5 areas:

1. Compliance
2. Identification of user & system weaknesses before an adverse event occurs
3. Mitigation or reduction in risk of potential loss after an event
4. Provide a framework to gather data
5. Reduce the number & type of adverse events

11
1. Compliance

• What’s the first thing an auditor asks for when they are
there for a survey?

• Why?
– The auditor wants to know if your policy is up to date with
current rules and regulations
– Does it reflect your actual practice?
– Is your workforce educated about the policy?
• Having effective policies & procedures can reduce the
risk that your organization is out of compliance and the
fines, program exclusion, etc. that stem from failure to
comply

12
2. Identification of User & System
Weaknesses Before Adverse Event
• After the risk assessment is complete, you should know what your user and system weaknesses are
• Once you know your weaknesses, you can set priorities about how to address them
• Priorities should be set by the perceived severity of the weakness and the “risk appetite” of the organization
• Priorities should also consider the potential for an adverse event (e.g., breach, hack, etc.) to occur
• Your policies should reflect your priorities, and therefore may need to be amended more often than is required by accreditation, etc.
13
3. Mitigation or Reduction in Risk of
Potential Loss After an Event

• Your policies should also realistically reflect how you will react should an event occur
• Being able to follow written guidelines in a crisis can reduce the chance of a misstep that may exacerbate the issue
• Your policy should reflect your game plan:
  – Who is the “go-to” and the chain of command
  – What steps should be taken
  – When steps should be taken
  – Who needs to know (includes formal/required reporting)
  – Media strategy

14
4. Framework to Gather Data

• Effective policies should also set out what data is important to your organization
• They may include specific data points to be tracked and/or audited to ensure security
• What data should roll up to committees and leadership for review

15
5. Adverse Events Reduction

• If effective policies are followed and updated to reflect current regulation and actual practice in your organization, the likelihood of adverse events can be reduced
• When adverse events do occur, effective policies should incorporate the lessons learned from those events and be updated with current knowledge in order to avoid repeats

16
FBI Private Industry Notification

Content for presentation only. Contact speaker for a copy.

17
Ponemon Fifth Annual Benchmark Study on Patient Privacy & Data Security
• 90% had a data breach in the past 2 years; 40% had more than 5
• Avg. economic impact due to data breaches is 2.1 million dollars per HC org and 1 million dollars per BA org over 2 yrs.
• Criminal attacks are now the #1 cause of data breaches
• Reported root cause of breaches: 45% criminal attacks, 12% malicious insider
• 56% of HC orgs. and 59% of BAs don’t believe their incident response process has adequate funding and resources

18
Source: https://www2.idexpertscorp.com/fifth-annual-ponemon-study-on-privacy-security-incidents-of-healthcare-data
Conclusions from the Ponemon Study
• Cyber criminals recognize two critical facts of the healthcare industry:
  1. Healthcare organizations manage a treasure trove of financially lucrative personal information
  2. Healthcare organizations do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect patient data.
• The pace of investments is not fast enough to keep up with the threats to achieve a stronger security posture.
• Need to address two serious but different root causes of security incidents and data breaches: employee negligence and hackers.
  1. Intensive employee training and awareness programs
  2. Investments in technologies and security expertise.
  3. Innovative solutions are required to achieve both goals.

19
Source: https://www2.idexpertscorp.com/fifth-annual-ponemon-study-on-privacy-security-incidents-of-healthcare-data
NIST Cybersecurity Framework
Identify: Asset Management,
Business Environment,
Governance, Risk Assessment,
Risk Management Strategy
Protect: Access Control,
Awareness and Training, Data
Security, Information Protection
Processes and Procedures
Detect: Anomalies and Events,
Security Continuous Monitoring,
Detection Processes
Respond: Response Planning,
Communications, Analysis,
Mitigation, Improvements
Recover: Recovery Planning,
Improvements, Communications

20
Source: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
Cybersecurity Framework (NIST)
FRAMEWORK CORE

Framework Core: a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.

21
Source: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
Cybersecurity Framework (NIST)
Framework Implementation Tiers (“Tiers”): Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework. These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed.

Tier 1 (Partial): Risk management is ad hoc, with limited awareness of risks and no collaboration with others.
Tier 2 (Risk Informed): Risk-management processes and program are in place but are not integrated enterprise-wide; collaboration is understood but the organization lacks formal capabilities.
Tier 3 (Repeatable): Formal policies for risk-management processes and programs are in place enterprise-wide, with partial external collaboration.
Tier 4 (Adaptive): Risk-management processes and programs are based on lessons learned and embedded in culture, with proactive collaboration.

22
Source: Why you should adopt the NIST Cybersecurity Framework, PWC, May 2014
Cybersecurity Framework (NIST)
Framework Profile (“Profile”) represents the [security] outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories…

Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile (the “to be” state).

The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation.

Profiles can be used to conduct self-assessments and communicate within an organization or between organizations.

23
Source: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
Cybersecurity Framework (NIST)
Benefits of using the CSF

• Improve Cybersecurity: The CSF core is up to date in terms of cyber threats / risks / effective controls, with an emphasis on Detect, Respond, Recover, not just Protect. It is much more up to date and comprehensive than the HIPAA rule.
• Reduce Legal Exposure: This process can demonstrate due care in case of a breach and federal / state investigation or even a lawsuit. The Framework was developed under a presidential executive order (Executive Order 13636) and represents best practices.
• Improve collaboration and communication of security posture with executives and others.

24
Source: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
Five Actions to Quickly Reduce Risk of
Cyber Crime

Jeff’s Quick Wins

1. Secure configuration

2. Vulnerability management

3. Strong authentication
4. Security monitoring to detect indicators of compromise

5. Incident response capabilities
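Quick win 4 (security monitoring to detect indicators of compromise), worked as an added example that is not part of the original deck. The Python below runs two detections over sshd lines in Linux auth.log format: a successful login from an address on an indicator list (the kind of list an FBI Private Industry Notification or a threat feed supplies), and a successful login preceded by a burst of failed logins from the same address, which is what a password-guessing attack looks like once it works. The log lines and the indicator list are constructed for the example, using documentation address ranges rather than real hosts; the host name, user names and thresholds are assumptions.

```python
"""Security monitoring for indicators of compromise (added example).

Two detections over sshd lines in Linux auth.log format:
  1. a successful login from an address on an indicator list, and
  2. a successful login preceded by a burst of failed logins from the
     same address (password guessing that worked).
The log lines and the indicator list are constructed; the addresses are
documentation ranges, not real hosts.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Jan 12 03:14:01 ehr-app01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jan 12 03:14:03 ehr-app01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Jan 12 03:14:05 ehr-app01 sshd[2215]: Failed password for jsmith from 203.0.113.5 port 51024 ssh2
Jan 12 03:14:08 ehr-app01 sshd[2215]: Failed password for jsmith from 203.0.113.5 port 51025 ssh2
Jan 12 03:14:09 ehr-app01 sshd[2215]: Failed password for jsmith from 203.0.113.5 port 51026 ssh2
Jan 12 03:14:12 ehr-app01 sshd[2240]: Accepted password for jsmith from 203.0.113.5 port 51030 ssh2
Jan 12 08:02:44 ehr-app01 sshd[3102]: Accepted publickey for backup from 10.20.0.7 port 40110 ssh2
Jan 12 09:15:31 ehr-app01 sshd[3388]: Accepted password for rgarcia from 198.51.100.77 port 60211 ssh2
"""

# Indicator list as it might arrive in an FBI notification or threat feed (constructed).
KNOWN_BAD_IPS = {"198.51.100.77"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(text: str, year: int = 2015) -> list:
    """Turn auth.log lines into events; syslog timestamps carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd/syslog lines are not relevant to these rules
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect(events: list, threshold: int = 5, window_seconds: int = 300) -> list:
    """Return findings. Events must be in time order (as they are in the log)."""
    findings = []
    failures = defaultdict(list)  # ip -> timestamps of failed logins
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
            continue
        # Everything below concerns a successful login.
        if e["ip"] in KNOWN_BAD_IPS:
            findings.append({"rule": "ioc-match", "ip": e["ip"], "user": e["user"], "ts": e["ts"]})
        recent = [t for t in failures[e["ip"]] if (e["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            findings.append({"rule": "brute-force-then-success", "ip": e["ip"],
                             "user": e["user"], "ts": e["ts"], "failures": len(recent)})
    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f"{f['ts']:%b %d %H:%M:%S} {f['rule']:<26} {f['user']}@{f['ip']}")
```

Both findings are the starting point for quick win 5: the brute-force rule should open an incident on the jsmith account (disable, reset, review what the session touched), and the indicator match on rgarcia's login is exactly the situation an FBI notification asks recipients to report back on.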

25
Common Information Security Threats
Data from the Office for Civil Rights
Reported breaches over 500 records – as of Feb. 15, 2015

By type of breach (count, percentage as shown on the source chart):
• Theft (598) 53%
• Unauthorized Access/Disclosure (205) 18%
• Other (99) 9%
• Loss (94) 8%
• Hacking/IT Incident (84) 7%
• Improper Disposal (43) 4%
• Unknown (13) 1%
• No Cause Listed in HHS Data (3) 0%

By location of the breached information (count, percentage as shown on the source chart):
• Paper/Films (263) 23%
• Laptop (240) 21%
• Network Server (138) 12%
• Desktop Computer (128) 11%
• Portable Electronic Device (100) 9%
• Email (72) 6%
• EMR (38) 4%

26
Source: www.hhs.gov/ocr
Recently Reported Breaches and
Settlement Agreements
12/2/14, Anchorage Community Mental Health Services
Description: Breach of 2,743 patient records due to malware infection. “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis,” said OCR Director Jocelyn Samuels. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
Cost / Penalty: $150,000 settlement amount & corrective action plan

5/7/14, New York-Presbyterian Hospital / Columbia University Medical Center
Description: Breach of 6,800 patients of NYP caused by server misconfiguration. A physician employed by CUMC, who developed applications for both NYP and CUMC, attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.
Cost / Penalty: $3,300,000 settlement for NYP; $1,500,000 settlement for CUMC
27
Recently Reported Breaches and
Settlement Agreements
11/30/11, Concentra Health Services, Springfield Missouri Physical Therapy Center
Description: Unencrypted laptop stolen from the facility. OCR found that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing ePHI was a critical risk. While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR's investigation further found Concentra had insufficient security management processes in place to safeguard patient information.
Cost / Penalty: On 4/22/14 OCR announced a penalty of $1,725,220, plus costs to deal with the breach. Number of records breached was not disclosed.

3/4/14, Boston Medical Center
Description: MDF Transcription Services operated a website which was accessed by physicians to view patient reports. The website was not password protected. 15K patients affected.
Cost / Penalty: Est. cost of $2.8 million based on $188 / record. Vendor fired after 10 yr. relationship.
28
Recently Reported Breaches and
Settlement Agreements
8/18/14, Community Health Systems
Description: A cyber attack in April and June 2014 resulted in the theft of an estimated 4.5 million patient records. CHS describes the attack this way: [CHS] “believes the attacker was an ‘Advanced Persistent Threat’ group originating from China, which used highly sophisticated malware technology to attack CHSPSC’s systems. The intruder was able to bypass the company’s security measures and successfully copy and transfer some data existing on CHSPSC’s systems.” They believe that no credit card or medical information was taken.
Cost / Penalty: Estimated cost exceeds $100 million

6/2/14, Santa Rosa Memorial Hospital
Description: Unencrypted USB drive containing the PHI of nearly 34,000 patients was stolen from an employee's unlocked locker. The employee had backed up the X-ray records on the unencrypted drive in preparation for their migration to an EMR.
Cost / Penalty: Estimated cost approx. $6.4 million based on $188 / record
29
Final Omnibus HIPAA / HITECH Rule of
2013
HITECH = Health Information Technology for Economic & Clinical Health Act, part of the American Recovery and Reinvestment Act (ARRA) of 2009

Breach Notification
There are breach notification requirements for all covered entities (CEs). CEs must report most security breaches directly to the affected individuals. If an individual cannot be contacted, the CE must post a notice on the hospital web site or notify local media. Large security breaches (500 or more records) must also be reported to HHS and prominent media outlets. HHS posts all large breaches on its web site.
The regulations provide a safe harbor if the data was encrypted or destroyed in accordance with HHS guidance: such data is not “unsecured” PHI, so its loss is not a reportable breach.

Omnibus rule of 2013: an impermissible use or disclosure of PHI is presumed to be a breach requiring notification unless a risk assessment shows a low probability that the PHI has been “compromised”. (Previously, the likelihood of “harm” to the individual was the test.)

30
Breach Notification Risk Assessment

• There are four risk assessment factors that must be considered, as set forth in the definition of breach.
• The four factors are the required minimum that must be considered.
• There may be others the covered entity or business associate should consider as necessary based on particular circumstances related to or characteristics of the covered entity or business associate.

31
Breach Risk Assessment Factors

“ Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [HIPAA Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors: ”
[78 Federal Register 5695]

32
Risk Assessment Factor #1

“ The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification. ”

In the risk assessment, examine the sensitivity of the identifiers involved and the likelihood of re-identification or linkage to other information to determine the probability of impermissible use or disclosure. The “identifiers of the individual or of relatives, employers, or household members of the individual” are listed at 45 CFR 164.514(b)(2)(i):
• Names, geographic subdivisions, all elements of dates, telephone numbers, social security numbers, MRN, account numbers, etc.

33
Risk Assessment Factor #1

Note footnote 12 on page 5642 of the Final Rule:

“ Information that has been de-identified in accordance with 45 CFR 164.514(a)-(c) is not protected health information, and thus, any inadvertent or unauthorized use or disclosure of such information is not considered a breach for purposes of this rule. ”

In other words, de-identified data are without any of the identifiers noted above, listed in paragraphs (A)-(R) of 45 CFR 164.514(b)(2)(i).
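A practical way to apply Factor #1 to a lost or exposed file, added here as an example that is not part of the original deck: scan the record for the Safe Harbor identifier classes that have a recognizable pattern (SSN, MRN, phone, e-mail, IP address, dates, ZIP code) and produce a copy with those identifiers removed, keeping only the year of each date as 45 CFR 164.514(b)(2)(i) permits. The sample record and the MRN format are constructed; the ZIP, phone and SSN formats are ordinary U.S. formats. The example deliberately shows what pattern matching does not catch: the patient's name survives redaction, so a clean scan is evidence of sensitive identifiers, not evidence that the data is de-identified.

```python
"""Identifier check for a breach risk assessment (added example).

Scans a record for the pattern-detectable Safe Harbor identifier classes
from 45 CFR 164.514(b)(2)(i) and produces a redacted copy that keeps only
the year of each date. The MRN format and the sample record are constructed.
"""
import re

PATTERNS = {
    "mrn": re.compile(r"\bMRN[:# ]\s*\d{6,10}\b", re.I),       # assumed local MRN format
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),                # geographic subdivision smaller than a state
}

SAMPLE_RECORD = (  # constructed; not a real patient
    "Patient Maria Lopez, DOB 03/07/1962, MRN 00123456, SSN 123-45-6789, "
    "phone (734) 555-0199, ZIP 48135, seen 2015-01-12, "
    "contact maria.lopez@example.com. Dx: type 2 diabetes."
)


def find_identifiers(text: str) -> dict:
    """Map each identifier class to the matches found (empty list if none)."""
    return {name: rx.findall(text) for name, rx in PATTERNS.items()}


def _year_only(m) -> str:
    """Safe Harbor allows the year of a date to remain; drop month and day."""
    s = m.group(0)
    return s.split("/")[-1] if "/" in s else s[:4]


def redact(text: str) -> str:
    """Replace detected identifiers with class tags; dates are reduced to the year.
    Names, free-text descriptions and photographs are not handled here."""
    for name, rx in PATTERNS.items():
        if name == "date":
            text = rx.sub(_year_only, text)
        else:
            text = rx.sub(f"[{name.upper()}]", text)
    return text


def direct_identifiers_present(found: dict) -> bool:
    """Factor #1 shortcut: an SSN, MRN, phone number or e-mail address makes
    re-identification of the individual near-certain."""
    return any(found[k] for k in ("ssn", "mrn", "phone", "email"))


if __name__ == "__main__":
    hits = find_identifiers(SAMPLE_RECORD)
    for name, matches in hits.items():
        if matches:
            print(f"{name:<6} {matches}")
    print("direct identifiers present:", direct_identifiers_present(hits))
    print(redact(SAMPLE_RECORD))
```

Used on a recovered or exposed file, the hit list feeds Factor #1 directly (which identifiers, how sensitive, how easily re-identified). The redacted copy is not a Safe Harbor de-identification by itself: all 18 identifier classes must be absent, including names and any other unique identifying number, and the entity must have no actual knowledge the remaining data could identify the individual.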

34
Risk Assessment Factor #2

“ The unauthorized person who used the protected health information or to whom the disclosure was made. ”

In the risk assessment, examine “whether the unauthorized person who received the information has obligations to protect the privacy and security of the information,” [78 Federal Register 5643] and the likelihood of re-identification, to determine the probability of impermissible use or disclosure.

35
Risk Assessment Factor #2

“ The final rule expressly includes a factor that would require consideration of the re-identifiability of the information, as well as a factor that requires an assessment of the unauthorized person who used the protected health information or to whom the disclosure was made (i.e., whether this person has the ability to re-identify the affected individuals). ” [78 Federal Register 5644]

36
Risk Assessment Factor #3
“ Whether the protected health information was actually
acquired or viewed. ”
In the risk assessment, consider the distinction between actual
acquisition or view of unsecured protected health information versus
the opportunity for the information to be acquired or viewed, to
determine the probability of impermissible use or disclosure, as the
following example in the Final Rule illustrates:

“ [I]f a laptop computer was stolen and later recovered and a forensic analysis shows that the protected health information on the computer was never accessed, viewed, acquired, transferred, or otherwise compromised, the entity could determine that the information was not actually acquired by an unauthorized individual even though the opportunity existed. ” [78 Federal Register 5643]
37
Risk Assessment Factor #4
“ The extent to which the risk to the protected health
information has been mitigated. ”
In the risk assessment, “consider the extent and efficacy of the
mitigation when determining the probability that the protected health
information has been compromised,” [78 Federal Register 5643] as the
following example in the Final Rule illustrates:

“ Covered entities and business associates should attempt to mitigate the risks to the protected health information following any impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed,”… and “acknowledge that the recipient of the information will have an impact on whether the covered entity [or business associate] can conclude that an impermissible use or disclosure has been appropriately mitigated. ”
38
Final Omnibus HIPAA Rule of 2013
Fines

• “willful neglect”: conscious, intentional failure or reckless indifference
• Consideration for violations corrected within 30 days

39
Source: A Comprehensive Summary of the Final Omnibus HIPAA/HITECH Rules: Key Provisions and What They Mean for You, Elizabeth Johnson JD, http://www.poynerspruill.com/publications/Pages/SummaryofNewHIPAARules.aspx
Final Omnibus HIPAA Rule of 2013

Fines
• HHS will investigate all cases of possible willful neglect
• HHS will impose a penalty on all violations due to willful neglect
• HHS may fine any covered entities (CEs), business associates (BAs), and subcontractors responsible for a violation (it need not select only one party)
• HHS also notes that, in cases of a breach, there often will have been at least 2 violations:
  1. impermissible use or disclosure of PHI
  2. safeguards violation

40
HIPAA Security Compliance

• Resumption of HIPAA Compliance Audits in 2014 by OCR (continues to be delayed by OCR)
• Initial target: 350 CEs and 50 BAs
  – 232 providers, 109 health plans, 9 clearinghouses
  – 2 weeks to respond
• Narrowly focused “desk audits” and some comprehensive onsite audits “as resources allow”
• http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
• Target areas include: risk analysis, risk management, breach notification including content and timeliness of the notification, providing patients with a Notice of Privacy Practices and access to health information
41
OCR Audit Protocol

42
Questions?

Chris Allman, JD
Director of Risk Management, Compliance & Insurance
Garden City Hospital
callman@primehealthcare.com
www.gch.org

Jeff Bell, CISSP, GSLC, CPHIMS, ACHE
Director of IT Security & Risk Services
CareTech Solutions
jeff.bell@caretech.com
@JeffBell_CTS
www.caretech.com

43
