Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA Security Risk Overview Lynne Shoemaker, RHIA, CHP, CHC OCHIN Integrity Officer Daniel M. Briley, CISSP, CIPP Summit Security Group.

Similar presentations


Presentation on theme: "HIPAA Security Risk Overview Lynne Shoemaker, RHIA, CHP, CHC OCHIN Integrity Officer Daniel M. Briley, CISSP, CIPP Summit Security Group."— Presentation transcript:

1 HIPAA Security Risk Overview Lynne Shoemaker, RHIA, CHP, CHC OCHIN Integrity Officer Daniel M. Briley, CISSP, CIPP Summit Security Group

2 1881 SW Naito Parkway Portland OR Phone Fax Agenda History – The HIPAA Security Rule – Changes Due To The HITECH Act Recent Enforcement Functions Meaningful Use and OIG Audit Activity Vulnerability Overview Key Technical Findings & Mitigation Steps In Summary HIPAA Security Services Questions / Discussion

3 1881 SW Naito Parkway Portland OR Phone Fax HIPAA Regulation Requirements 45 CFR § (a) define general requirements for covered entities, which include hospitals, and clinics – Covered entities must do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. (4) Ensure compliance with this subpart by its workforce.

4 1881 SW Naito Parkway Portland OR Phone Fax History 2005: HIPAA Security Rule – Administrative, Physical, Technical Safeguards – Minimal enforcement – Insignificant monetary fines 2009: ARRA – Included the Health Information Technology for Economic and Clinical Health (HITECH) Act

5 1881 SW Naito Parkway Portland OR Phone Fax History HITECH Act – Applies HIPAA to BAs – Mandatory data breach reporting requirements – Civil and criminal penalties for noncompliance – Enforcement responsibilities – New privacy requirements – Meaningful Use Adopt Certified EHR Technology Use it to achieve specific objectives

6 1881 SW Naito Parkway Portland OR Phone Fax Recent Enforcement Functions “Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections”. -- OCR Director Georgina Verdugo

7 1881 SW Naito Parkway Portland OR Phone Fax Meaningful Use Risk Assessment Requirement and OIG Audits Providers are required to conduct, or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. OIG currently conducting Meaningful Use attestation desk audits/questionnaires

8 1881 SW Naito Parkway Portland OR Phone Fax OIG Audits Seven hospitals were audited 151 vulnerabilities were uncovered 124 were high impact, and impacted confidentiality, integrity and availability of protected health information (PHI)

9 1881 SW Naito Parkway Portland OR Phone Fax Vulnerability Definitions High—Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury. Medium—Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury. Low—Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest.

10 1881 SW Naito Parkway Portland OR Phone Fax High Impact Vulnerabilities 124 high-impact vulnerabilities from the 7 hospital reports according to their Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule definitions of technical, 1 physical, 2 and administrative 3 safeguards as follows: – 106 technical safeguard vulnerabilities related to the wireless electronic communications network and to other security measures management implemented in their computerized information systems; – Physical safeguard vulnerabilities involving physical access to electronic information systems and the facilities in which they are housed; and – 11 administrative safeguard vulnerabilities related to the hospitals’ policies and procedures for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI).

11 1881 SW Naito Parkway Portland OR Phone Fax Types of Vulnerabilities Wireless Access Vulnerabilities Access Control Vulnerabilities Audit Control Vulnerabilities Integrity Control Vulnerabilities Person or Entity Authentication Vulnerabilities Transmission Security Vulnerabilities

12 1881 SW Naito Parkway Portland OR Phone Fax Types of Vulnerabilities continued… Facility Access Control Vulnerabilities Device and Media Control Vulnerabilities Security Management Process Workforce Security Vulnerabilities Security Incident Procedures Vulnerabilities Contingency (Disaster)Plan Vulnerabilities

13 1881 SW Naito Parkway Portland OR Phone Fax Technical Findings Wireless access vulnerabilities, including ineffective encryption, rogue wireless access points, no firewall separating wireless from internal wired networks, broadcasted service set identifiers (SSID) Laptops were not encrypted Audit logs were not monitored (Please see Epic BTG Reports) Access control vulnerabilities – Inadequate password settings, computers that did not log users off after periods of inactivity, unencrypted laptops containing ePHI Inadequate password length and expiration

14 1881 SW Naito Parkway Portland OR Phone Fax Data Integrity Findings Latest security patches were not installed Outdated anti-virus Unrestricted Internet activity by employees and providers Unchanged user ID and passwords No encryption

15 1881 SW Naito Parkway Portland OR Phone Fax Physical Security and Risk Assessments Unsecured data center access Lack of completed risk assessments Lack of polices regarding conducting annual risk assessments

16 1881 SW Naito Parkway Portland OR Phone Fax Device and Media Controls No computer equipment inventory No written plan for electronic media disposal, including computer hard drives, thumb drives, CDs Unencrypted backup tapes/media

17 1881 SW Naito Parkway Portland OR Phone Fax Inadequate Workforce Security 36 network user accounts with inappropriate access to the hospital’s network. The user accounts belonged to employees on long-term disability. Three of these individuals had accessed ePHI while on long-term disability. Delayed termination of employee network access after the employee no longer worked at the facility

18 1881 SW Naito Parkway Portland OR Phone Fax In Summary An increase in OCR complaints, investigations, corrective actions, enforcement functions all indicate: – Managing compliance with the HIPAA Security Rule is challenging: Threats are emerging and dynamic Documentation is required Vulnerabilities and risks are going undiscovered and/or unresolved Staff is tapped – Ignoring the requirements is not a strategy for success

19 1881 SW Naito Parkway Portland OR Phone Fax HIPAA Security Services HIPAA Security Risk Assessment Checklist (free) Template policies and procedures (free) Performing Administrative HIPAA Security risk assessments (scalable fees based on complexity of the organization) Discounted Technical Risk Assessments for OCHIN Customers through Summit Security Group Interim Information Security Officer for OCHIN Customers through Summit Security Group

20 1881 SW Naito Parkway Portland OR Phone Fax Questions? Lynne Shoemaker, RHIA, CHP,CHC – – Daniel M. Briley, CISSP, CIPP – –


Download ppt "HIPAA Security Risk Overview Lynne Shoemaker, RHIA, CHP, CHC OCHIN Integrity Officer Daniel M. Briley, CISSP, CIPP Summit Security Group."

Similar presentations


Ads by Google