Encrypt! Encrypt! Encrypt! - Columbia University Medical Center

HIPAA & HITECH Briefing
Information Security & Privacy
Soumitra Sengupta, PhD
Information Security Officer
Karen Pagliaro-Meyer
Privacy Officer
Columbia University Medical Center
Thursday, June 28, 2012
AGENDA
Information Security
• Office for Civil Rights HIPAA Audit Program
• CUMC Risk Management Program
• Security Trends
Privacy
• Office for Civil Rights Update
• Breach Notification
• Omnibus Regulations
• Business Associates
• Training & Education
Latest on HIPAA Information Security
• Increase in healthcare data breaches
• Higher fines from the Office for Civil Rights (OCR)
• Cost of breaches at healthcare organizations is higher
• Breaches are more likely with mobile devices and with business associates
• Unprotected Protected Health Information (PHI) on the cloud has become a breach
• OCR has initiated the HIPAA audit program
• (More regulations are coming!)
HIPAA timeline of events
• HIPAA Privacy, 2003
• HIPAA Security, 2005
• HITECH (ARRA) Breach Notification, 2009
• First fine of $4.3M to Cignet Health, Feb 2011
• OIG letter to OCR and ONC, May 2011
• OCR HIPAA audit planning, July 2011
• Booz Allen Hamilton selects 150 audit candidates, Dec 2011
• KPMG completes first 20 audits, Mar 2012
• KPMG will complete 115 audits, Dec 2012
Initial 20 Findings Analysis
[Chart: Findings by Rule - Breach 9%, Privacy 26%, Security 65%]
[Chart: Covered Entity Type - Clearinghouse, Health Plan, Provider]
[Chart: Findings by Tier - Level 1, Level 2, Level 3, Level 4]
Security: Initial 20 Findings Analysis
[Chart: Findings by Security Rule - Administrative Safeguards, Physical Safeguards, Technical Safeguards]
[Chart: Covered Entity Type - Clearinghouse, Health Plan, Provider]
[Chart: Findings by Tier - Level 1, Level 2, Level 3, Level 4]
OCR published Audit program protocol… June 2012
Columns: Section | Established Performance Criteria | Key Activity | Audit Procedures | Implementation Specification

Section: §164.308
Established Performance Criteria: §164.308(a)(1): Security Management Process. §164.308(a)(1)(ii)(a) - Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health infor...
Key Activity: Conduct Risk Assessment
Audit Procedures: Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Obtain and review relevant doc...
Implementation Specification: Required

Section: §164.308
Established Performance Criteria: §164.308(a)(1)(i): Security Management Process. Although the HIPAA Security Rule does not require purchasing any particular technology, additional hardware, software, or services may be needed to adequately protect information. Consideration...
Key Activity: Acquire IT Systems and Services
Audit Procedures: Inquire of management as to whether formal or informal policy and procedures exist covering the specific features of the HIPAA Security Rule information systems §164.306(a) and (b). Obtain and review formal or informal policy and procedures and eval...
Implementation Specification: Required

Section: §164.308
Established Performance Criteria: §164.308(a)(1)(ii)(D): Security Management Process. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Key Activity: Develop and Deploy the Information System Activity Review Process
Audit Procedures: Inquire of management as to whether formal or informal policy and procedures exist to review information system activities; such as audit logs, access reports, and security incident tracking reports. Obtain and review formal or informal policy and p...
Implementation Specification: Required

…to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
…77 bullet points for information security
…88 bullet points for privacy
CUMC OCR Risk Management Process
• Initiated in Fall 2010
• Center-wide PHI asset discovery processes
• A risk management (security) questionnaire based on HIPAA, HITECH, COBIT and PCI DSS for PHI applications (HITRUST)
• Application owners and custodians fill the questionnaire
• Information security evaluates responses and conducts vulnerability scans (“hacking activity”)
• Critical and High risks are addressed with owners and
custodians with urgency
• Application is certified and is permitted to operate officially
• Rinse and repeat
CUMC OCR Risk Management: New steps
• Risk analysis process identifies common, high risk areas
• Institution must have a Risk compliance committee consisting
of senior management
• … which deliberates, discusses, addresses and mitigates PHI
risks, helps prioritize risks and controls, allocates funds, and
manages the risk management program
• Examples of risks include:
Generic
• PHI leakage
• Improper access of PHI
• Unavailability of PHI
Specific
• Use of personal mobile devices at the workplace
• Inadequacy of business continuity plan for research
CUMC Application Risk Analysis status
Information security trends
• The Bring Your Own Device (“BYOD”) revolution
• …but separate personal storage systems from workplace data, and vice versa
• No Gmail for PHI, period
• No personal tax forms in CUBmail
• Share control of personal devices if they are used to access workplace data
• Mobile Device Management
• Network Access Control
Information security trends
• How to hold 3rd parties (including Business Associates) responsible for security at their end - Cloud
• Contracts need to be specific for HITECH
• If BAs are required to follow HIPAA explicitly, it will help
• Choose 3rd parties who understand HIPAA and will sign the BAA
• Monitoring user behavior with institutional access and data
• Monitoring and Surveillance are related
• Try not to conduct personal business at the workplace
Information security trends
• Application security is a big issue, with SQL injection and Cross-site scripting
• It is important to hire a programmer who knows security
• It is important to hire a system administrator who knows security
• It is crazy to hire a programmer who knows no security
• It is crazy to hire a system administrator who knows no security
• Observation: We are in the midst of a culture change!
Information security trends
Encrypt! Encrypt! Encrypt! Encrypt! Encrypt! Encrypt! Encrypt!
We had better encrypt (with strong passwords)!
Privacy | HIPAA Program | Information Security
Hot Topics and Potential Risk Areas
• Security Breaches
• Security Incident Response
• Physical Security
• Disaster Recovery and Business Continuity Planning
• Increased Enforcement
• Privacy & Security Training
• Cyber Security Incidents
• Disposal of Device Security
• Mobile Healthcare
• Use of Social Media
• Cloud Computing
• Meeting Meaningful Use Requirements
• Business Associates, Vendors, Contractors
HIPAA/HITECH
Fines, Penalties & Enforcement
• 2003 – 2010 - Minimal enforcement reported
• 2011 - OCR reached four (4) settlements and issued one Civil Monetary Penalty (CMP)
• 2012
BCBS Tennessee fined $1.5 mil for stolen unencrypted hard drives (3/13/2012)
HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards; fined $100,000 (4/13/2012)
South Shore Hospital, Mass., fined $750,000 for unencrypted tapes (5/30/2012)
June 25, 2012
Business Associate
Business Associate - a person or entity that performs or assists with certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity. 45 CFR 160.103.
OCR proposed rule to apply HIPAA civil and criminal enforcement and penalties directly to BAs in addition to contractual liability.
Business Associates
• Important for departments to identify when a business associate agreement is needed.
• Proposed new rule may require new agreements with existing business associates.
• Proposed rule includes e-Prescribing Gateways, Personal Health Records (PHR), subcontractors of Business Associates & Health Information Exchange (HIE) organizations.
Examples of Business Associates
• Billing organizations, collection vendors & claims processing companies
• Software Support / Data Administration (electronic applications with access to PHI)
– examples include: CROWN, GE, Siemens & IDX
• Data analysis / processing – e.g. research
• Quality Assurance & Customer Satisfaction services
• Medical record/information storage and destruction companies
• Accreditation organizations
• Consultants – business, financial, medical etc.
Breaches Affecting Over 500 Individuals
[Chart: Number of Breaches Reported and Affected Individuals, each split between Covered Entity and Business Associate; values shown on the slide: 21%, 41%, 59%, 79%]
Basic Elements of a Privacy Program
• Areas of Risk
• Policies: effective, communicated, enforced
• Sanctions: enforced, consistent
• Corrective Action
• Audit: controls, evaluate, monitor
[Diagram: Policies, Training, Sanctions, Audit]
Workforce Training & Education
Faculty, staff & student education includes both HIPAA Privacy & Information Security requirements
1. Welcome Program for new faculty & staff
2. New student education
• medical, nursing, dental & physical therapy
3. On-line training for new faculty, staff and students
4. Refresher / remedial HIPAA training
5. Department, role & program specific training
6. HIPAA training for research staff
7. Periodic Email reminders
8. Annual Officers & Faculty Briefing
Mark McDougle
COLUMBIA UNIVERSITY MEDICAL CENTER CONFIDENTIALITY AGREEMENT
I understand that I may have access to electronic, printed, or spoken confidential information, which may include, but is not limited to, information relating to:
• Patients - including Protected Health Information (PHI), records, conversations, patient financial information, etc.;
• Employees - including salaries, employment records, disciplinary actions, etc.;
• Students - including enrollment, grade and disciplinary information;
• Research - including PHI created, collected, or used for research purposes;
• CUMC - including but not limited to financial and statistical records, strategic plans, internal reports, memos, peer review information, communications, proprietary computer programs,
source code, proprietary technology, etc.;
• Third party information - including computer programs, client and vendor proprietary information, source code, proprietary technology, etc.;
• PHI and Personal Identifying Information (PII) used in other contexts.
Accordingly, as a condition of, and in consideration of my access to confidential information, I promise that:
1. I will use confidential information only as needed by me to perform my legitimate duties as defined by my relationship (faculty, employment, student, visitor, consulting, etc.) with CUMC.
• I will not access confidential information which I have no legitimate need to know.
• I will not in any way divulge, copy, release, alter, revise, or destroy any confidential information except as properly authorized within the scope of my relationship with CUMC.
• I will not misuse or carelessly handle confidential information.
• I understand that it is my responsibility to assure that confidential information in my possession is maintained in a physically secure environment.
2. I will safeguard and will not disclose to any other person my access code (password) or any other authorization code that allows me access to confidential information. I will be responsible
for misuse or wrongful disclosure of confidential information that may arise from sharing access codes with another person and/or for failure appropriately to safeguard my access code or
other authorization to access confidential information.
• I will log off computer systems after use.
• I will not log on to a system or access confidential information to allow another person access to use that system.
• I will report any suspicion or knowledge that my access code, authorization, or any confidential information has been misused or disclosed without CUMC authorization.
• I will not download or transfer computer files containing confidential information to any non-NYP/CUMC authorized computer, data storage device, portable device, telephone, or other
device capable of storing digitized data.
• I will only print documents containing confidential information in a physically secure environment, will not allow other persons’ access to printed confidential information, will store all
printed confidential information in a physically secure environment, and will destroy all printed confidential information when my legitimate need for that information ends in a way that
protects the confidentiality of the information.
3. I will follow CUMC policies and procedures regarding the use of any portable devices that may contain confidential information including the use of encryption or other equivalent method of
protection.
4. I acknowledge my obligation to report to the CUMC Privacy Officer any practice by another person that violates these obligations or puts CUMC, its personnel, or its patients at risk of a
disclosure of confidential information.
5. I will only use my Columbia email account to send and receive messages that may include confidential information and will not use email to send confidential information to other parties outside of Columbia/NYP without protection to prevent unauthorized access.
6. If I am involved in research, any research utilizing individually identifiable protected health information will be performed in accordance with federal, state, local and Institutional Review
Board policies.
7. If I no longer need confidential information, I will dispose of it in a way that assures others cannot use or disclose it, including following the Information Technology policy for disposal of printed confidential information or electronic equipment that may contain confidential information.
8. I understand that my communication using the Columbia University information network is not private and the content of my communication may be monitored to protect the confidentiality
and security of the data.
9. I understand that my obligation under this Agreement will continue after termination of my relationship with CUMC.
10. I understand that I have no right or ownership interest in any confidential information referred to in this Agreement. CUMC may at any time revoke my access code, or access to confidential
information. At all times during my relationship, I will act in the best interests of CUMC.
May 2011
Additional Training Information
New online training program to be purchased by Columbia University
• Rocket Ready
• Implementation expected in 2013
The training program will
• include HIPAA Privacy & IT training modules
• track staff completion
• produce reminders, reports etc.
• provide an effective method to deliver regular education for all workforce members
What is your responsibility?
• Evaluate education of your workforce
• Review / monitor high risk / problem areas
– encryption, portable devices, paper record storage, business associates and access to medical information
• Enforce policies & procedures with staff
• Request assistance / additional guidance when indicated
Additional Resources
• HIPAA web page:
http://www.cumc.columbia.edu/hipaa/index.html
• Information Security web page:
http://www.cumc.columbia.edu/it/
• Office for Civil Rights web page:
http://www.hhs.gov/ocr/
• Research and HIPAA web page:
http://privacyruleandresearch.nih.gov/research_repositories.asp
Soumitra Sengupta, Information Security Officer
sen@columbia.edu
security@mail.cumc.columbia.edu
(212) 305-7035
Karen Pagliaro-Meyer, Privacy Officer
kpagliaro@columbia.edu
HIPAA@columbia.edu
(212) 305-7315