HITRUST, HIPAA, & HITECH
TURNING COMPLIANCE INTO COMPETITIVE ADVANTAGE
Mark Fulford, Partner
Thomas Lewis, Partner
LBMC Risk Services
www.lbmc.com

Welcome and Presentation Topics
• Why you should care
• HIPAA & HITECH – update on new regulation
• Insight into the HITRUST Common Security Framework
• How independent assurance can result in fewer audits and a competitive advantage for your organization
• How LBMC can help

90%
Of organizations have experienced a computer security incident in the last 12 months.
(Cybercrime statistics from the 12th Annual Computer Crime and Security Survey)

71%
Of organizations have no external insurance coverage for losses from computer security incidents.
(Cybercrime statistics from the 12th Annual Computer Crime and Security Survey)

$1B
Cybercrime profits in a year, which have surpassed those of drug smuggling.
(Cybercrime statistics from the 12th Annual Computer Crime and Security Survey)

$234,244
Annual average loss due to security incidents per respondent.
(Cybercrime statistics from the 2009 CSI Computer Crime and Security Survey)

What is HIPAA?

What is HITECH?
The HITECH Act is legislation that anticipates a massive expansion in the exchange of electronic protected health information (ePHI). As part of the American Recovery and Reinvestment Act of 2009, the HITECH Act widens the scope of privacy and security protections available under HIPAA, increases potential legal liability for non-compliance, and provides more enforcement of HIPAA rules.

What is HITECH?
• Extends HIPAA directly to Business Associates
• Establishes the first national data security breach notification law (500 or more records is nasty)
• Grants State AGs authority to bring civil actions

What is HITECH?
• HITECH authorizes increased civil monetary penalties for HIPAA violations. The Act establishes tiers of penalties based upon whether or not a covered entity (including physicians) knew of a breach of privacy; whether the breach was due to reasonable cause and not willful neglect; or whether the breach was due to willful neglect.
• The tiers of penalties are as follows:
  – $100/violation, not to exceed $25,000/calendar year
  – $1,000/violation, not to exceed $100,000/calendar year
  – $10,000/violation, not to exceed $250,000/calendar year
  – $50,000/violation, not to exceed $1,500,000/calendar year

What is HITRUST?
• The Health Information Trust Alliance (HITRUST) was created to establish a common security framework that allows more effective and secure access, storage and exchange of personal health information. HITRUST brings together a broad array of healthcare organizations and stakeholders, united by the core belief that standardizing a higher level of security will build greater trust in the electronic flow of information through the healthcare system.

Strategic Objectives of HITRUST
Establish a fundamental and holistic change in the way the healthcare industry manages information security risks:
• Rationalize regulations and standards into a single overarching framework tailored for the industry
• Deliver a prescriptive, scalable and certifiable process
• Address inconsistent approaches to certification, risk acceptance and adoption of compensating controls, to eliminate ambiguity in the process
• Enable cost-effective monitoring of compliance with organizational, business partner and governmental requirements
• Provide support and facilitate sharing of ideas, feedback and experiences within the industry

Who is HITRUST?
(Graphic: HITRUST Executive Council)

Why the Need?
Healthcare organizations are facing multiple challenges with regard to information security:
• Costs and complexities of redundant and inconsistent requirements and standards
• Critical systems not incorporating appropriate controls or safeguards
• Confusion around implementation and acceptable baseline controls
• Information security audits subject to different interpretations of control objectives and safeguards
• Increasing scrutiny and similar queries from regulators, auditors, underwriters, customers and business partners
• Growing risk and liability

“The List”
www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

HITRUST CSF
The HITRUST CSF is a framework that normalizes the security requirements of healthcare organizations, including federal (e.g., HITECH Act and HIPAA), state (e.g., MA 201 CMR 17.00), third party (e.g., PCI and COBIT) and government (e.g., NIST, FTC and CMS) requirements. The CSF is built to provide scalable security requirements based on the different risks and exposures of organizations in the industry. The CSF also makes security manageable and practical by prioritizing one-third of the controls in the CSF as a starting point for organizations. These priorities are based on industry input and analysis of breach information in the industry.

Standards and Regulations Overlap
(Graphic: overlapping standards and regulations – COBIT, ISO 27001/2, HITECH Act, PCI, HIPAA Security, Meaningful Use, States, NIST)

CSF Standards and Regs Coverage
(Graphic: the HITRUST CSF covering COBIT, ISO 27001/2, HITECH Act, HIPAA Security, Meaningful Use, PCI, States, NIST)

CSF Compared with Other Standards

Requirement                                                                CSF   COBIT   PCI   ISO      NIST  HIPAA
Comprehensive – general security                                           Yes   Yes     Yes   Yes      Yes   Partial
Comprehensive – regulatory, statutory, and business security requirements  Yes   No      No    No       No    No
Prescriptive                                                               Yes   No      Yes   Partial  Yes   No
Practical and scalable                                                     Yes   Yes     No    No       No    Yes
Audit or assessment guidelines                                             Yes   Yes     Yes   Yes      Yes   No
Certifiable                                                                Yes   Yes     Yes   Yes      No*   No
Support for third-party assurance                                          Yes   Yes     Yes   Yes      No    No
Open and transparent update process                                        Yes   No      Yes   Yes      Yes   Yes
Cost                                                                       Free  Subsc.  Free  Subsc.   Free  Free

*Certifiable only for government agencies and organizations doing business with the government

CSF Sample
• Structured in accordance with the ISO 27001 / 27002 standard
• Multiple levels of implementation requirements
• Risk factors tailored for healthcare organizations
• Cross-references to industry standards and regulations

Introduction to CSF Assurance Program

Overview of CSF Assurance Program
• Utilizes a common set of information security requirements with standardized assessment and reporting processes accepted and adopted by healthcare organizations.
• Through the program, healthcare organizations and their business associates can improve efficiencies and reduce the number and costs of security assessments.
• The oversight and governance provided by HITRUST support a process whereby organizations can trust that their third parties have essential security controls in place.

Strategic Objectives of CSF Assurance Program
Provide assurance that controls to limit the exposure of a breach are in place and operating effectively. Recipients of this assurance include:
• Executive management
• Auditors
• Federal and state regulators
• Customers of business associates
Simplify compliance efforts for organizations:
• Assess once and report to many constituents:
  - Federal (e.g., HIPAA/HITECH or meaningful use information) and state regulators
  - Credit card companies (i.e., PCI requirements)
  - CMS (i.e., Core Security Requirements)
  - Internal or external auditors
• Comprehensively leverage assessments (i.e., leverage internal audit or other certifications such as PCI to streamline audits and testing)
Provide this assurance in a more cost-effective manner, and with more rigor, than existing processes.

Resources

HITRUST Central (HITRUSTcentral.net)
Access to the CSF online. A professional network for:
• Understanding industry issues and events
• Sharing knowledge
• Exchanging ideas and best practices
• Discovering new ways to solve business problems
• Downloading documentation and training materials
Providing support:
• What does this control mean?
• How do I implement these requirements?
• What do I do if I cannot meet a requirement?

Additional Resources
Visit HITRUSTalliance.net for information and materials on:
• Common Security Framework: www.hitrustalliance.net/csf/
• CSF Assurance Program: www.hitrustalliance.net/assurance/

For More Information
For more information on HITRUST and the CSF, visit: www.HITRUSTalliance.net/csf/
To access the CSF and HITRUST Central, visit: www.HITRUSTCentral.net
For a list of HITRUST CSF Assessors, visit: www.hitrustalliance.net/Assessors_List.pdf
For assistance, contact:
Thomas Lewis – tlewis@lbmc.com
Mark Fulford – mfulford@lbmc.com