Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations."— Presentation transcript:

1 HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations

2 First Consulting Group Presentation Agenda w Security Introduction w Security Component Requirements and Impacts –Administrative Procedures –Physical Safeguards –Technical Security Services –Technical Security Mechanisms w Summary

3 First Consulting Group Presentation Objectives At the end of this presentation, you should: w Understand the background for the security regulations w Understand the specific HIPAA security components w Understand the business and technology impacts of the HIPAA security components w Begin to understand the gaps between the current environment and the HIPAA security requirements

4 Security Introduction Definition Organizational Threats Principles Key Points of Security Rule Structure Categories

5 First Consulting Group Definition w “The purpose of security is to protect both the system and the information it contains from unauthorized access from without and misuse from within.” –draft Security Rule w Security also protects information from alteration, destruction or loss w Security should reasonably ensure the confidentiality, integrity and availability of health care information

6 First Consulting Group Organizational Threats

7 First Consulting Group Principles w Healthcare security is about risk mitigation –Operational risk –Financial risk –Regulatory risk –Fraud risk w “The standard does not address the extent to which a particular entity should implement the specific features. Instead, we would require that each affected entity assess its own security needs and risks and devise, implement, and maintain appropriate security to address its business requirements.” –draft Security Rule

8 First Consulting Group Key Points of Security Rule: Source w Security requirements were taken from the National Research Council’s report For the Record: Protecting Electronic Health Information w “This report presents findings and recommendations related to health data security, and…concludes that appropriate security practices are highly dependent on individual circumstances… w “It is therefore not possible to prescribe in detail specific practices for all organizations; rather, each organization must analyze its systems, vulnerabilities, risks and resources to determine optimal security measures. Nevertheless, the committee believes that a set of practices can be articulated in a sufficiently general way that they can be adopted by all health care organizations in one form or another.”

9 First Consulting Group Key Points of Security Rule: Standards w Organizations must therefore establish a reasonable “defensible position” for security compliance –Develop specifications for security requirements –Determine what technologies to implement to meet those specifications –Balance usability and cost with risk w We can set the community standard for these practices in the Pacific Northwest

10 First Consulting Group w The standards are not only scalable, but technology neutral as well w Covered entities must establish and maintain reasonable and appropriate…safeguards w Healthcare organizations must ensure the protection of all electronic PHI –Final rule may also cover PHI in paper format to align with final HIPAA Privacy rule w Policies and procedures must be developed to implement both the Privacy and Security Rules Key Points of Security Rule: Standards (cont.)

11 First Consulting Group w Business processes related to security functions within the organization must be formally documented, implemented, and enforced throughout the organization w Proposed standards for Electronic Signatures currently coupled with the Security Standards will be removed and published separately w The final Security Rule will be harmonized with the final Privacy Rule Key Points of Security Rule: More Standards

12 First Consulting Group Structure w The current HIPAA Security standards are organized into five categories: 1. Administrative Procedures 2. Physical Safeguards 3. Technical Security Services (applications) 4. Technical Security Mechanisms (networks) 5. Electronic Signatures * * For the purposes of this discussion only the first four categories will be addressed

13 First Consulting Group w Administrative Procedures: formal policies and procedures to address operating procedures, management controls, personnel requirements, audit mechanisms and disciplinary procedures –Security management/maintenance –Security training –Internal system certification –Procedures upon employee hire, transfer, or termination –System security audits –Chain of trust partner agreements –Contingency plan –Information access control –Security incident procedures Administrative Procedures

14 First Consulting Group Physical Safeguards w Physical Safeguards: formal policies and procedures to protect health information from threats of fire, disaster, and unauthorized access –Security responsibility and accountability –Media control –Physical access to data –Workstation use and location –Security awareness training

15 First Consulting Group Technical Security Services w Technical Security Services: measures to control and monitor information access –Employee access controls, such as passwords –System audits –Intrusion and detection alarms –Automatic logoffs –Telephone callback procedures –Message authentication –Integrity contols –Data authentication

16 First Consulting Group Technical Security Mechanisms w Technical Security Mechanisms: mechanisms to guard against unauthorized access to data that is transmitted over a communication network –Employee access controls –Entity authentication –Message authentication –Integrity contols –Encryption –Alarms –Audit trail –Event reporting

17 Security Requirements and Impacts Administrative Procedures Physical Safeguards Technical Security Services Technical Security Mechanisms

18 Administrative Procedures Rules Impacts

19 First Consulting Group Administrative Procedures – Rules w Certification: technical evaluation certifying that systems and network meet pre-defined criteria –Example: Annual certification audit w Chain-of-Trust Partner Agreement: Contract to secure integrity of data transmission with any third parties –Example: Claims processing w Contingency Plan: Includes application and data criticality analysis, data backup plan, disaster recovery plan, emergency mode operation plan, and testing and revision procedures –Example: Business continuity plans w Formal Record Processing Mechanisms: Policies and procedures for receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information –Example: PC hard drive disposal

20 First Consulting Group Administrative Procedures – Rules (cont.) w Information Access Controls: Policies and procedures for granting different levels of access to health care information –Example: Application profile documentation w Internal Audit: Ongoing in-house review of the records of system activity (log-ins, file accesses and security incidents) –Example: Proactive, defensible review of PHI activity w Personnel Security: Granting of access to health information via an authorization process –Example: Card key access systems to file rooms, background checks maintenance of security personnel w Security Configuration Management: Procedures to ensure that routine changes to system hardware and/or software do not create security weaknesses –Example: Routine pre- and post-implementation procedures

21 First Consulting Group Administrative Procedures – Rules (cont.) w Security Incident Procedures: Documented instructions for reporting and reviewing security breaches –Example: Reporting pathways (anonymous if necessary) w Security Management Process: Processes to ensure the prevention, detection, containment and correction of security breaches. Includes risk analysis, risk management, sanction policy and security policy –Example: Annual risk level reviews w Termination Procedures : Procedures for securing systems upon employee termination –Example: Exit interviews and checklists w Training : User education and awareness training –Example: Incorporated awareness training with existing programs

22 First Consulting Group Administrative Procedures – Impact w Most organizations have inadequate security policies and procedures w This requires additional resources for updates and development efforts w Ensuring all security policies and procedures are enforced throughout the organization requires cooperation from all employee levels w Integration of chain of trust partner agreement language may require new contracts with third parties w Providing security awareness training for all employees requires a detailed training program with ongoing maintenance

23 Physical Safeguards Rules Impacts

24 First Consulting Group Physical Safeguards – Rules w Assigned Security Responsibility : Security responsibility assigned to a specific individual(s) –Example: Security committee w Media Controls : Policies and procedures that govern the receipt and removal of hardware and software into and out of a facility. Includes data backup, storage and disposal –Example: Property accountability documentation w Physical Access Controls: Limiting physical access to systems. Includes the following: disaster recovery, emergency mode operation, equipment control, facility security, physical access verification, maintenance records, need-to-know procedures, visitor sign-in, and testing and revision of all components –Example: Data center restrictions

25 First Consulting Group Physical Safeguards – Rules (cont.) w Workstation Use: Instructions and procedures delineating secure use of computer workstations –Example: Acceptable workstation usage guidelines w Workstation Location: Safeguards for secure location of computer workstations –Example: Monitor position in public areas w Security Awareness Training: Security awareness training for all employees, agents and contractors –Example: Incorporated awareness training with existing programs

26 First Consulting Group Physical Safeguards – Impacts w In order to properly address security issues organizational charts and individual responsibilities may need review w Workstation use must be addressed through employee education and consistent enforcement of policies and procedures w Physical access controls and secure workstation locations may affect current business practices

27 Technical Security Services Rules Impacts

28 First Consulting Group Technical Security Services – Rules w Access Control: Restricted access to health information by need-to-know –Example: Application access based on job description w Audit Controls: Audit control mechanisms to record and examine system activity –Example: Turn on network event logs to allow for appropriate audits w Authorization Control: Mechanisms for obtaining consent for use and disclosure of health information –Example: Application functionality which allows “flagging” w Data Authentication: Ability to corroborate that data have not been altered or destroyed –Example: Use or check sum, double keying or digital signature to assure the data are not altered w Entity Authentication: Ability to corroborate that user is who he claims he is –Example: Biometric ID or unique usernames and passwords

29 First Consulting Group Technical Security Services – Impact w Some systems in use today may not have adequate security controls to comply w Implementation of access controls for systems must be an integrated effort between business and IT w System processing and storage requirements may increase to support enhanced auditing capabilities w Group ID’s and shared passwords will not be permitted

30 Technical Security Mechanisms Rules Impacts

31 First Consulting Group Technical Security Mechanisms – General Rules For all systems: w Integrity Controls: A security mechanism employed to ensure the validity of the information being electronically transmitted or stored –Example: Approved/unapproved network protocols w Message Authentication: Ensuring, typically with a message authentication code, that a message received (usually via a network) matches the message sent –Example: Verification that data packet sent is received w Access Controls or Encryption: Protection of sensitive communications over open or private networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient OR transforming confidential plaintext into ciphertext to protect it –Example: VANs may eliminate the need for certain encryption technologies

32 First Consulting Group Technical Security Mechanisms – Network Rules If using a network for communications: w Alarm: In communication systems, any device that can sense and abnormal condition within the system and provide, either locally or remotely, a signal indicating the presence of the abnormality –Example: Devices that sense abnormal conditions w Audit Trail: The data collected and potentially used to facilitate a security audit –Example: Audit log retention

33 First Consulting Group Technical Security Mechanisms – Network Rules (cont.) If using a network for communications: w Entity Authentication: A communications or network mechanism to irrefutably identify authorized users, programs, and processes and to deny access to unauthorized users, programs and processes –Example: Unique identification w Event Reporting: A network message indicating operational irregularities in physical elements of a network or a response to the occurrence of a significant task, typically the completion of a request for information –Example: Network messages indicating operational abnormalities

34 First Consulting Group Technical Security Mechanisms – Impacts w Implementation of access controls to the network must be an integrated effort between the business and IT w Use of new network security technologies (e.g. encryption) will require significant end user training w Group ID’s and shared passwords will not be permitted w Network alarms, audit trail, and event reporting requirements may require additional resources and technologies to ensure compliance

35 Summary The Bottom Line Questions

36 First Consulting Group Summary w Areas of impact on health care organizations will be: –Development, documentation and training of policies and procedures –Assignment and operation of security responsibility –Identifying and contracting chain of trust agreements with trading partners –Training workforce members on information security and altering the confidentiality culture –Implementing access controls, authorization controls and entity authentication for all systems –Identifying and implementing the “right” technical solutions

37 First Consulting Group The Bottom Line w The Privacy regulations have been the top priority for HHS; the final Security Rule is expected in August 2002 w Compliance is 26 months after the final rule is published w At the present time, there is no indication who will be the enforcement agency, when enforcement will be effective, and how enforcement will be conducted

38 Questions and Discussion ? ? ? ? ? ? ? ?

39 Resources

40 First Consulting Group Resources Association for Electronic Health Care Transactions (AFEHCT): –Impacts of HIPAA (particularly EDI) –Security Self-Evaluation Checklist http://www.afehct.org American Health Information Management Association (AHIMA): –Benchmark information and case studies –Interim Steps for Getting Started http://www.ahima.org/hipaa.html American Society for Testing and Materials (ASTM): –Standards guides for security http://www.astm.org Center for Healthcare Information Management (CHIM): –Up-to-date industry perspective on proposed rules and their status http://www.chim.org Computer-Based Patient Record Institute (CPRI): –CPRI Security Toolkit http://www.cpri-host.org Department of Health and Human Services HIPAA Administrative Simplification: –Latest News on Regulations –Current proposed and final rules http://aspe.hhs.gov/admnsimp/index.htm Electronic Healthcare Network Accreditation Commission (EHNAC): –Certification Program for HIPAA Compliance (under development) http://www.ehnac.org

41 First Consulting Group Resources (cont.) For the Record: Protecting Electronic Health Information (National Academy Press, 1997) 800-624-6242 –Full Report http://www.nap.edu Health Privacy Forum –Comparison of Privacy proposed and final rules –Comparison of state privacy laws http://www.healthprivacy.org HIMSS: Protecting the Security and Confidentiality of Healthcare Information (Volume 12, Number 1, Spring 1998) –Articles http://www.himss.org HIPAA Home Pagehttp://www.hcfa.gov/hipaa/hippahm.htm HIPAA Transaction Implementation Guides from the Washington Publishing Company http://www.wpc-edi.com Joint Healthcare Information Technology Alliance (JHITA) –Summary of Privacy rules –Upcoming HIPAA conferences http://www.jhita.org Links to other HIPAA siteshttp://www.hcfa.gov/medicare/edi/hipaaedi.htm Medicare EDIhttp://www.hcfa.gov/medicare/edi/edi.htm

42 First Consulting Group Resources (cont.) National Uniform Billing Committeehttp://www.nubc.org National Uniform Claims Committeehttp://www.nucc.org Washington Publishing Company –ANSI ASC X12N HIPAA Implementation Guides http://www.wpc-edi.com/hipaa Subscribe to email release of HIPAA documents (such as notice of proposed rule making) http://www.hcfa.gov/medicare/edi/admnlist.htm Workgroup for Electronic Data Interchange (WEDI): –Details of SNIP effort (Strategic National Implementation Pilot) http://www.wedi.org

Download ppt "HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Bringing HIPAA to Hospital Systems HIPAA impact on hospital systems viaMD solution for HIPAA compliance W e b e n a b l i n g Pa t i e n t A d m i t t.

Bringing HIPAA to Hospital Systems HIPAA impact on hospital systems viaMD solution for HIPAA compliance W e b e n a b l i n g Pa t i e n t A d m i t t.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
1 HIT Standards Committee Privacy and Security Workgroup: Recommendations Dixie Baker, SAIC Steven Findlay, Consumers Union August 20, 2009.

1 HIT Standards Committee Privacy and Security Workgroup: Recommendations Dixie Baker, SAIC Steven Findlay, Consumers Union August 20, 2009.
Coping with Electronic Records Setting Standards for Private Sector E-records Retention.

Coping with Electronic Records Setting Standards for Private Sector E-records Retention.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Privacy, Confidentiality, and Security M8120 Fall 2001.

Privacy, Confidentiality, and Security M8120 Fall 2001.
Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.

Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
HIPAA Strategy Methodologies and Tools. 1 Presentation Agenda  Review of HIPAA Objectives  Overview and Update on the Status of HIPAA  Components/Objectives.

HIPAA Strategy Methodologies and Tools. 1 Presentation Agenda  Review of HIPAA Objectives  Overview and Update on the Status of HIPAA  Components/Objectives.
Network security policy: best practices

Network security policy: best practices

Similar presentations

Ads by Google