Chris Allman, JD
Director of Risk Management, Compliance & Insurance
Garden City Hospital
callman@primehealthcare.com
Conflict of Interest Disclosure
Chris Allman does not have any real or perceived conflicts of interest related to
this presentation.
Learning Objectives
HIPAA Requires A Risk-Based Approach to Security
Risk Assessment Process
• Identify threats
• Identify vulnerabilities
Elements of a Risk Assessment
• Evaluate HIPAA security compliance
– Assess compliance with the rules
– Evaluate policies, procedures, training, practices for risk management process
• Evaluate each department & each application
• Document findings & recommendations
• Present to leadership
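The elements above describe a workflow: for each department and application, pair the threats identified with the vulnerabilities found, rate them, document the findings and recommendations, and present a ranked summary to leadership. The following risk register is an added example, not from the presentation; the 3x3 likelihood/impact scale, the rating thresholds and the sample findings are constructed for illustration (they are modelled on the breach categories and settlement cases discussed later in the deck, not taken from HIPAA, NIST or the presenter).

```python
"""Risk register for a HIPAA security risk assessment (added example).

Steps modelled: identify threats and vulnerabilities per department and
application, rate each finding, document findings and recommendations,
and rank them for presentation to leadership.
"""
from dataclasses import dataclass

# Constructed ordinal scales (qualitative, NIST SP 800-30 style).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    """One threat/vulnerability pair found in a department or application."""
    department: str
    application: str
    threat: str
    vulnerability: str
    likelihood: str  # key of LIKELIHOOD
    impact: str      # key of IMPACT
    recommendation: str

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"unknown rating on {self.department}/{self.application}")

    @property
    def score(self) -> int:
        """Risk = likelihood x impact, range 1..9 on this scale."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def rating(self) -> str:
        """Constructed thresholds: 6-9 high, 3-4 medium, 1-2 low."""
        if self.score >= 6:
            return "high"
        if self.score >= 3:
            return "medium"
        return "low"


def rank_findings(findings):
    """Highest risk first; ties broken by department and application."""
    return sorted(findings, key=lambda f: (-f.score, f.department, f.application))


def summarize(findings):
    """Counts per rating: the headline numbers for the leadership summary."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.rating] += 1
    return counts


def report(findings) -> str:
    """Plain-text findings and recommendations, ranked."""
    lines = []
    for rank, f in enumerate(rank_findings(findings), start=1):
        lines.append(
            f"{rank}. [{f.rating.upper()} {f.score}] {f.department} / {f.application}: "
            f"{f.threat} via {f.vulnerability}. Recommendation: {f.recommendation}"
        )
    return "\n".join(lines)


# Constructed sample findings (illustrative, not a real assessment).
SAMPLE_FINDINGS = [
    Finding("Radiology", "PACS server", "Malware infection",
            "unpatched OS and unsupported software", "high", "high",
            "patch or retire unsupported systems; segment the network"),
    Finding("Clinical", "Laptops", "Theft of device",
            "no full-disk encryption", "high", "high",
            "encrypt all laptops and portable devices; verify against inventory"),
    Finding("IT", "Developer server", "Unauthorized disclosure",
            "personally-owned server on the network without technical safeguards",
            "medium", "high",
            "prohibit unmanaged servers; require change control and access review"),
    Finding("HIM", "Paper records", "Loss of records",
            "charts stored in an unlocked area", "medium", "medium",
            "lock storage rooms; log chart check-out"),
    Finding("Billing", "Email", "Misdirected email",
            "no outbound filtering for PHI", "low", "medium",
            "enable outbound email encryption and recipient checks"),
]

if __name__ == "__main__":
    print(report(SAMPLE_FINDINGS))
    print(summarize(SAMPLE_FINDINGS))
```

The register deliberately keeps each finding tied to a department and an application, so the documented output answers the auditor's question of where each weakness sits and who owns the recommendation.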
Risk Management Process
Why a Risk Assessment is Essential
NOT ENOUGH
Effective Policies & Procedures
1. Compliance
2. Identification of user & system weaknesses before
an adverse event occurs
1. Compliance
• What’s the first thing an auditor asks for when they are
there for a survey?
• Why?
– The auditor wants to know if your policy is up to date with
current rules and regulations
– Does it reflect your actual practice?
– Is your workforce educated about the policy?
• Having effective policies & procedures can reduce the
risk that your organization is out of compliance and the
fines, program exclusion, etc. that stem from failure to
comply
2. Identification of User & System Weaknesses Before Adverse Event
• After the risk assessment is complete, you should know
what your user and system weaknesses are
4. Framework to Gather Data
5. Adverse Events Reduction
FBI Private Industry Notification
Ponemon Fifth Annual Benchmark Study on Patient Privacy & Data Security
• 90% had a data breach in the past 2
years. 40% had more than 5
• Avg. economic impact due to data
breaches is 2.1 million dollars / HC org
and 1 million dollars / BA org over 2 yrs.
• Criminal attacks are now the #1 cause
of data breaches
• Reported root cause of breaches: 45%
criminal attacks, 12% malicious insider
• 56% of HC orgs. and 59% of BAs don’t
believe their incident response process
has adequate funding and resources
https://www2.idexpertscorp.com/fifth-annual-ponemon-study-on-privacy-security-incidents-of-healthcare-data
Conclusions from the Ponemon Study
• Cyber criminals recognize two critical facts of the
healthcare industry:
1. Healthcare organizations manage a treasure trove of
financially lucrative personal information
2. Healthcare organizations do not have the resources,
processes, and technologies to prevent and detect attacks and
adequately protect patient data.
• The pace of investments is not fast enough to keep up
with the threats to achieve a stronger security posture.
• Need to address two serious but different root causes of
security incidents and data breaches: employee
negligence and hackers.
1. Intensive employee training and awareness programs
2. Investments in technologies and security expertise.
3. Innovative solutions are required to achieve both goals.
https://www2.idexpertscorp.com/fifth-annual-ponemon-study-on-privacy-security-incidents-of-healthcare-data
NIST Cybersecurity Framework
Identify: Asset Management,
Business Environment,
Governance, Risk Assessment,
Risk Management Strategy
Protect: Access Control,
Awareness and Training, Data
Security, Information Protection
Processes and Procedures
Detect: Anomalies and Events,
Security Continuous Monitoring,
Detection Processes
Respond: Response Planning,
Communications, Analysis,
Mitigation, Improvements
Recover: Recovery Planning,
Improvements, Communications
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
Cybersecurity Framework (NIST)
FRAMEWORK CORE
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
Cybersecurity Framework (NIST)
Benefits of using the CSF
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
Five Actions to Quickly Reduce Risk of Cyber Crime
1. Secure configuration
2. Vulnerability management
3. Strong authentication
4. Security monitoring to detect indicators of compromise
Common Information Security Threats
Data from the Office of Civil Rights
Reported breaches over 500 records – as of Feb. 15, 2015
Type of breach (count, share of reported breaches):
• Theft: 598 (53%)
• Unauthorized Access/Disclosure: 205 (18%)
• Other: 99 (9%)
• Loss: 94 (8%)
Location of breached information (count, share of reported breaches):
• Paper/Films: 263 (23%)
• Laptop: 240 (21%)
• Network Server: 138 (12%)
• Desktop Computer: 128 (11%)
• Portable Electronic Device: 100 (9%)
• Email: 72 (6%)
www.hhs.gov/ocr
Recently Reported Breaches and Settlement Agreements

Date: 12/2/14
Organization: Anchorage Community Mental Health Services
Description: Breach of 2,743 patient records due to malware infection. “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis,” said OCR Director, Jocelyn Samuels. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
Cost / Penalty: $150,000 settlement amount & corrective action plan

Date: 5/7/14
Organization: New York-Presbyterian Hospital (NYP) and Columbia University Medical Center (CUMC)
Description: Breach of 6,800 patients of NYP caused by server misconfiguration. A physician employed by CUMC, who developed applications for both NYP and CUMC, attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.
Cost / Penalty: $3,300,000 settlement for NYP; $1,500,000 settlement for CUMC
Recently Reported Breaches and Settlement Agreements (continued)

Date: 11/30/11
Organization: Concentra Health Services - Springfield Missouri Physical Therapy Center
Description: Unencrypted laptop stolen from the facility. OCR found that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing ePHI was a critical risk. While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR's investigation further found Concentra had insufficient security management processes in place to safeguard patient information.
Cost / Penalty: On 4/22/14 OCR announced a penalty of $1,725,220, plus costs to deal with the breach. Number of records breached was not disclosed.
Breach Notification
There are new breach notification requirements for all covered
entities (CEs). CEs must report most security breaches directly to
individuals. If the individual cannot be contacted, they must post to
the hospital web site or notify local media. Large security breaches
(500 or more records) must be reported to HHS and prominent
media outlets. HHS will post all large breaches to their web site.
The regulations provide for a safe harbor if data is encrypted
or destroyed and not likely to be compromised.
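The notification rules above are conditional on a few facts about an incident, so an incident response playbook can encode them and give a consistent answer. The helper below is an added example, not from the presentation; it encodes only the rules as stated on this slide (individual notice, substitute notice via web site or local media when individuals cannot be contacted, HHS and prominent media at 500 or more records, and the safe harbor for encrypted or destroyed data). The probability-of-compromise determination from the breach risk assessment factors and the notification deadlines are outside the helper, which therefore errs toward reporting. The `Incident` record and the sample incidents are constructed; the record counts reuse figures cited elsewhere in the deck.

```python
"""Breach-notification decision helper (added example, not from the deck)."""
from dataclasses import dataclass

LARGE_BREACH_THRESHOLD = 500  # records; the "500 or more" figure from the slide


@dataclass(frozen=True)
class Incident:
    """Constructed incident record; fields are assumptions for this example."""
    description: str
    records_affected: int
    data_secured: bool           # encrypted or destroyed (safe harbor applies)
    individuals_reachable: bool  # current contact information on file


def required_notifications(incident):
    """Return the parties that must be notified, in the order the slide lists them."""
    if incident.records_affected < 0:
        raise ValueError("records_affected must be non-negative")
    if incident.data_secured:
        # Safe harbor: encrypted or destroyed data is not "unsecured" PHI.
        return []
    targets = ["affected individuals"]
    if not incident.individuals_reachable:
        targets.append("substitute notice: hospital web site or local media")
    if incident.records_affected >= LARGE_BREACH_THRESHOLD:
        targets.append("HHS")
        targets.append("prominent media outlets")
    return targets


def is_large_breach(incident):
    """True when HHS and media reporting is triggered (HHS also posts these publicly)."""
    return (not incident.data_secured
            and incident.records_affected >= LARGE_BREACH_THRESHOLD)


def playbook(incidents):
    """Map each incident description to its notification list."""
    return {i.description: required_notifications(i) for i in incidents}


# Constructed incidents; counts reuse figures cited in the settlement slides.
SAMPLE_INCIDENTS = [
    Incident("malware infection on a clinic server", 2743, False, True),
    Incident("server misconfiguration exposing ePHI to search engines", 6800, False, True),
    Incident("stolen laptop, full-disk encrypted", 400, True, True),
    Incident("misdirected mailing, no forwarding address on file", 94, False, False),
]

if __name__ == "__main__":
    for description, targets in playbook(SAMPLE_INCIDENTS).items():
        print(f"{description}: {targets or 'no notice required (safe harbor)'}")
```

Because `data_secured` short-circuits everything else, the helper makes the value of encryption visible: the Concentra case on the previous slides would have produced an empty list had the laptop been encrypted.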
Breach Notification Risk Assessment
Breach Risk Assessment Factors
Risk Assessment Factor #1
Risk Assessment Factor #2
Risk Assessment Factor #3
“Whether the protected health information was actually acquired or viewed.”
In the risk assessment, consider the distinction between actual
acquisition or view of unsecured protected health information versus
the opportunity for the information to be acquired or viewed, to
determine the probability of impermissible use or disclosure, as the
following example in the Final Rule illustrates:
Fines
• HHS will investigate all cases of possible willful neglect
• HHS will impose penalty on all violations due to willful
neglect
HIPAA Security Compliance
• http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
• Target areas include: risk analysis, risk management, breach
notification including content and timeliness of the notification,
providing patients with Notice of Privacy Practice and access
to health information
OCR Audit Protocol
Questions?
www.gch.org
www.caretech.com