
Slide 1: HIPAA Security Risk Overview
Lynne Shoemaker, RHIA, CHP, CHC, OCHIN Integrity Officer
Daniel M. Briley, CISSP, CIPP, Summit Security Group

Slide 2: Agenda
(Slide footer: 1881 SW Naito Parkway, Portland OR 97201-5195, Phone 503.943.2542, Fax 503.943.2501, Email: info@ochin.org, www.ochin.org)
History
– The HIPAA Security Rule
– Changes Due To The HITECH Act
Recent Enforcement Functions
Meaningful Use and OIG Audit Activity
Vulnerability Overview
Key Technical Findings & Mitigation Steps
In Summary
HIPAA Security Services
Questions / Discussion

Slide 3: HIPAA Regulation Requirements
45 CFR § 164.306(a) defines the general requirements for covered entities, which include hospitals and clinics. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.

Slide 4: History
2005: HIPAA Security Rule
– Administrative, Physical, Technical Safeguards
– Minimal enforcement
– Insignificant monetary fines
2009: ARRA
– Included the Health Information Technology for Economic and Clinical Health (HITECH) Act

Slide 5: History
HITECH Act
– Applies HIPAA to BAs
– Mandatory data breach reporting requirements
– Civil and criminal penalties for noncompliance
– Enforcement responsibilities
– New privacy requirements
– Meaningful Use: adopt Certified EHR Technology and use it to achieve specific objectives

Slide 6: Recent Enforcement Functions
“Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections.” -- OCR Director Georgina Verdugo

Slide 7: Meaningful Use Risk Assessment Requirement and OIG Audits
Providers are required to conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implement security updates as necessary, and correct identified security deficiencies as part of their risk management process.
OIG is currently conducting Meaningful Use attestation desk audits/questionnaires.

Slide 8: OIG Audits
Seven hospitals were audited.
151 vulnerabilities were uncovered.
124 were high impact and affected the confidentiality, integrity and availability of protected health information (PHI).

Slide 9: Vulnerability Definitions
High—Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.
Medium—Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury.
Low—Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest.

Slide 10: High Impact Vulnerabilities
124 high-impact vulnerabilities from the 7 hospital reports, classified according to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule definitions of technical, physical, and administrative safeguards, as follows:
– 106 technical safeguard vulnerabilities related to the wireless electronic communications network and to other security measures management implemented in their computerized information systems;
– Physical safeguard vulnerabilities involving physical access to electronic information systems and the facilities in which they are housed; and
– 11 administrative safeguard vulnerabilities related to the hospitals’ policies and procedures for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Slide 11: Types of Vulnerabilities
Wireless Access Vulnerabilities
Access Control Vulnerabilities
Audit Control Vulnerabilities
Integrity Control Vulnerabilities
Person or Entity Authentication Vulnerabilities
Transmission Security Vulnerabilities

Slide 12: Types of Vulnerabilities continued…
Facility Access Control Vulnerabilities
Device and Media Control Vulnerabilities
Security Management Process Vulnerabilities
Workforce Security Vulnerabilities
Security Incident Procedures Vulnerabilities
Contingency (Disaster) Plan Vulnerabilities

Slide 13: Technical Findings
Wireless access vulnerabilities, including ineffective encryption, rogue wireless access points, no firewall separating wireless from internal wired networks, and broadcast service set identifiers (SSIDs)
Laptops were not encrypted
Audit logs were not monitored (please see Epic BTG reports)
Access control vulnerabilities
– Inadequate password settings, computers that did not log users off after periods of inactivity, unencrypted laptops containing ePHI
Inadequate password length and expiration

Slide 14: Data Integrity Findings
Latest security patches were not installed
Outdated anti-virus
Unrestricted Internet activity by employees and providers
Unchanged user IDs and passwords
No email encryption

Slide 15: Physical Security and Risk Assessments
Unsecured data center access
Lack of completed risk assessments
Lack of policies regarding conducting annual risk assessments

Slide 16: Device and Media Controls
No computer equipment inventory
No written plan for electronic media disposal, including computer hard drives, thumb drives, CDs
Unencrypted backup tapes/media

Slide 17: Inadequate Workforce Security
36 network user accounts with inappropriate access to the hospital’s network. The user accounts belonged to employees on long-term disability; three of these individuals had accessed ePHI while on long-term disability.
Delayed termination of employee network access after the employee no longer worked at the facility
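The two workforce findings above (accounts left enabled for staff on long-term disability or after termination, and ePHI accessed by such accounts) can be caught by reconciling the HR roster against the directory and the ePHI access log. The following is an added example written for this transcript, not code from OCHIN, Summit Security Group or the OIG audits; the roster, directory export and log entries are constructed sample data, and the "ltd"/"terminated" status labels are an assumed HR schema.

```python
from datetime import date

# Constructed sample data (hypothetical; not figures from the presentation).
# HR status is "active", "ltd" (long-term disability) or "terminated";
# "since" is the leave start date or the last day of employment.
HR_ROSTER = {
    "jdoe":   {"status": "active",     "since": None},
    "asmith": {"status": "ltd",        "since": date(2011, 3, 1)},
    "bwong":  {"status": "terminated", "since": date(2011, 5, 15)},
    "clee":   {"status": "terminated", "since": date(2011, 6, 30)},
}
# Constructed directory export: accounts still enabled on the review date.
ENABLED_ACCOUNTS = {"jdoe", "asmith", "bwong", "clee", "ghost"}
# Constructed ePHI access log: (user, access date, record id).
ACCESS_LOG = [
    ("jdoe",   date(2011, 6, 1),  "MRN-0001"),
    ("asmith", date(2011, 4, 10), "MRN-0002"),
    ("bwong",  date(2011, 5, 20), "MRN-0003"),
    ("clee",   date(2011, 6, 1),  "MRN-0004"),
    ("ghost",  date(2011, 6, 2),  "MRN-0005"),
]
REVIEW_DATE = date(2011, 7, 1)

def inactive_reason(user, on_date, roster):
    """Return why `user` should not have had access on `on_date`, or None."""
    rec = roster.get(user)
    if rec is None:
        return "not in HR roster"           # orphan account, nobody owns it
    if rec["status"] == "ltd" and on_date >= rec["since"]:
        return "on long-term disability since %s" % rec["since"]
    if rec["status"] == "terminated" and on_date > rec["since"]:
        return "terminated %s" % rec["since"]
    return None

def stale_enabled_accounts(enabled, roster, today):
    """Enabled accounts that HR status says should already be disabled."""
    return sorted((u, inactive_reason(u, today, roster))
                  for u in enabled if inactive_reason(u, today, roster))

def accesses_while_inactive(log, roster):
    """ePHI accesses made by users who were on leave, gone, or unknown."""
    return [(u, d.isoformat(), rec, inactive_reason(u, d, roster))
            for u, d, rec in log if inactive_reason(u, d, roster)]

if __name__ == "__main__":
    for row in stale_enabled_accounts(ENABLED_ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        print("disable:", row)
    for row in accesses_while_inactive(ACCESS_LOG, HR_ROSTER):
        print("review:", row)
```

Run against real exports, the first list feeds the termination/leave deprovisioning queue and the second is the set of accesses an auditor would expect to see investigated and documented.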

Slide 18: In Summary
An increase in OCR complaints, investigations, corrective actions, and enforcement functions all indicate:
– Managing compliance with the HIPAA Security Rule is challenging:
  Threats are emerging and dynamic
  Documentation is required
  Vulnerabilities and risks are going undiscovered and/or unresolved
  Staff is tapped
– Ignoring the requirements is not a strategy for success

Slide 19: HIPAA Security Services
HIPAA Security Risk Assessment Checklist (free)
Template policies and procedures (free)
Performing administrative HIPAA Security risk assessments (scalable fees based on complexity of the organization)
Discounted Technical Risk Assessments for OCHIN customers through Summit Security Group
Interim Information Security Officer for OCHIN customers through Summit Security Group

Slide 20: Questions?
Lynne Shoemaker, RHIA, CHP, CHC – shoemakerl@ochin.org – 503-943-2500
Daniel M. Briley, CISSP, CIPP – dan.briley@summitinfosec.com – 503-577-1076
