David Assee BBA, MCSE
Florida International University
University Health Services
Security Officer
davida@fiu.edu
June 2, 2011
Purpose of this Training
• To train you on HIPAA Security Regulations and
why security is necessary for billing.
• HIPAA Security regulations were created to
address the need to increase security standards for
electronic protected health information.
Security & HIPAA
• Due to the seamless nature of most IT
networks, HIPAA security rules should
apply to all software, users and
computers that access EPHI.
• By taking a proactive approach to
computer security now, you will be able
to detect and prevent trouble later.
Defining IT Security
• IT security is about protecting information assets by
effectively managing risks.
• How much protection is provided depends on the risk
and magnitude of harm that could result if the data
were lost, misused, disclosed, or modified.
• Assets are computers and data.
• Risks are managed by evaluating vulnerabilities and
threats.
Defining IT Security
Vulnerabilities: Weaknesses in a computer or network that leave it
susceptible to potential exploitation such as unauthorized use or
access. Vulnerabilities include but are not limited to weaknesses in
security procedures, administrative or internal controls, or physical
configuration; or features or bugs that enable an attacker to bypass
security measures.
Threats: Threats generally fall into three broad categories:
• A person (careless oversight, lack of training, malicious or criminal
intent)
• A thing (a faulty piece of equipment)
• An event (a power outage, fire, or flood)
A threat is the means through which a weakness can be exploited to
adversely affect a network or supported systems. A threat is possible only
because the system is vulnerable to that particular threat.
HIPAA Security Rule
• There are three components of security to guard data
integrity, confidentiality, and access:
• Administrative safeguards
• Physical safeguards
• Technical safeguards
• These components work together to establish a unified
security approach based on the principle of “defense
in depth.”
Defense in Depth Layers
• Administrative
• Physical
• Technical:
• Firewalls
• Router Configuration
• Operating System Login
• User Login
• Database Access Settings
Administrative Safeguards
• Administrative safeguards make up 50% of
the Security Rule’s Standard. They require
documented policies and procedures for
managing the day-to-day operations, the
conduct and access of workforce members
to EPHI, and the selection, development,
and use of security controls.
Administrative Safeguards
Security management process - An overall
requirement to implement policies and procedures to
prevent, detect, contain, and correct security
violations.
Have written policies and procedures for security
violations.
Assigned Security Responsibility - A single individual
must be designated as having overall responsibility for
the security of a CE’s EPHI.
Assign a security designee.
Administrative Safeguards
Workforce Security – Policies and procedures ensure
that only properly authorized workforce members
have access to EPHI.
Set up procedures so that new employees receive sign-on
to systems that store EPHI only when authorized.
Administrative Safeguards
• Information access management – Policies and
procedures detail how access to EPHI is established
or modified.
Access to medical management is documented,
including changes in an employee’s role.
Security awareness and training – All workforce
members must undergo security awareness
education and training.
Employees are often the biggest threat to a network.
Let them know what they can and cannot do.
Administrative Safeguards
• Security incident procedures – Policies and
procedures provide means for reporting, responding
to, and managing security incidents.
Set up a method for reporting security incidents to the
appropriate designee.
Administrative Safeguards
OTHER Policies
• Contingency Plan
Backup systems need to be maintained for disaster
recovery. Review your backup plan to ensure it’s
feasible.
• Business Associate contracts and other arrangements
Contracts completed with external vendors to ensure the
privacy and confidentiality of EPHI.
Physical Safeguards
• The physical safeguards are a series of
requirements meant to protect a CE's
electronic information systems and EPHI
from unauthorized physical access. CEs
must limit physical access while permitting
properly authorized access.
Physical Safeguards
Facility access controls - An overall
requirement that limits physical access to
electronic information systems while
ensuring that properly authorized access is
allowed.
Only clinic employees should be allowed to
access areas or equipment that store EPHI
without approval.
Physical Safeguards
Workstation use - Policies and procedures must
provide physical safeguards for all workstations that can
access PHI.
Specify characteristics of the physical environment &
appropriate use of the workstations that can access
EPHI.
Consider:
• Location of computer screens
• Fax machines & display devices
• Use of screen savers
• Use of privacy filters
Physical Safeguards
Device and media controls – Policies and procedures
must specify how hardware and electronic media
containing EPHI are received or removed within or
outside of a CE.
Storage Media Sanitization policy.
Restrictions on removable media: Workstations
should be designed to limit the easy removal of PHI, e.g.,
via storage devices (USB thumb drives) or e-mail.
Must also provide for appropriate destruction (i.e.,
shredding) of any hard copies of PHI.
Some photocopiers can store information.
Technical Safeguards
• The technical safeguards are requirements
for using technology to protect EPHI,
particularly controlling access to it.
Technical Safeguards
Access control – Information systems that contain
EPHI must only allow access to persons or software
programs that have appropriate access rights.
Passwords set at the OS and application levels; a biometric
solution can add greater security.
Audit controls – Information systems that contain or
use EPHI must have mechanisms to record and
examine activity.
IT audits are done on multiple levels (firewall, operating
system, intrusion detection system, application).
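The access control and audit control requirements above are stated as outcomes, not mechanisms. The following Python example, added here and not part of the original presentation, shows one way an application that stores EPHI can implement both: every request is checked against the workforce member's role and against whether that member is actually treating the patient (so "taking a peek" at an unrelated record is refused), and every decision, allowed or denied, is written to a hash-chained audit log whose integrity can be verified later. All user names, roles, patient IDs and the permission table are constructed for illustration.

```python
"""Added example: an EPHI access gate with a tamper-evident audit trail.

All names, roles and patient identifiers below are constructed sample data,
not values from any real system.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Hypothetical role -> permitted actions table. An IT administrator manages the
# system but has no right to view patient records.
ROLE_PERMISSIONS = {
    "physician": {"read", "update"},
    "nurse": {"read", "update"},
    "billing_clerk": {"read_billing"},
    "it_admin": set(),
}

# Actions that expose clinical content and therefore require a treatment relationship.
CLINICAL_ACTIONS = {"read", "update"}

GENESIS_HASH = "0" * 64  # prev_hash of the first audit entry


@dataclass
class AuditEntry:
    ts: str
    user: str
    role: str
    patient_id: str
    action: str
    allowed: bool
    reason: str
    prev_hash: str
    entry_hash: str


def _hash_entry(fields: dict, prev_hash: str) -> str:
    """SHA-256 over the entry's content plus the previous entry's hash (the chain link)."""
    payload = json.dumps(fields, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class EPHIAccessGate:
    def __init__(self, care_relationships: dict):
        # care_relationships: user -> set of patient IDs that user is currently treating
        self.care_relationships = care_relationships
        self.audit_log: list[AuditEntry] = []
        self._last_hash = GENESIS_HASH

    def _decide(self, user: str, role: str, patient_id: str, action: str):
        perms = ROLE_PERMISSIONS.get(role)
        if perms is None:
            return False, "unknown role"
        if action not in perms:
            return False, "action not permitted for role"
        if action in CLINICAL_ACTIONS and patient_id not in self.care_relationships.get(user, set()):
            return False, "no treatment relationship"
        return True, "ok"

    def request(self, user: str, role: str, patient_id: str, action: str) -> bool:
        """Decide the request and record it; denied attempts are logged too."""
        allowed, reason = self._decide(user, role, patient_id, action)
        fields = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient_id": patient_id,
            "action": action, "allowed": allowed, "reason": reason,
        }
        entry_hash = _hash_entry(fields, self._last_hash)
        self.audit_log.append(AuditEntry(**fields, prev_hash=self._last_hash, entry_hash=entry_hash))
        self._last_hash = entry_hash
        return allowed

    def verify_chain(self) -> bool:
        """Recompute every hash; any edited or removed entry breaks the chain."""
        prev = GENESIS_HASH
        for e in self.audit_log:
            fields = asdict(e)
            fields.pop("prev_hash")
            fields.pop("entry_hash")
            if e.prev_hash != prev or e.entry_hash != _hash_entry(fields, prev):
                return False
            prev = e.entry_hash
        return True


def review_denied(log: list) -> list:
    """The audit review step: pull out every refused access for follow-up."""
    return [e for e in log if not e.allowed]


def run_demo() -> EPHIAccessGate:
    # Constructed treatment relationships for the demo.
    gate = EPHIAccessGate({"dr_lee": {"P-100"}, "nurse_kim": {"P-100", "P-200"}})
    gate.request("dr_lee", "physician", "P-100", "read")                 # allowed
    gate.request("dr_lee", "physician", "P-200", "read")                 # denied: not treating P-200
    gate.request("it_admin1", "it_admin", "P-100", "read")               # denied: role has no EPHI rights
    gate.request("nurse_kim", "nurse", "P-200", "update")                # allowed
    gate.request("clerk_ann", "billing_clerk", "P-100", "read_billing")  # allowed
    return gate


if __name__ == "__main__":
    g = run_demo()
    for e in review_denied(g.audit_log):
        print(f"DENIED {e.user} ({e.role}) {e.action} {e.patient_id}: {e.reason}")
    print("audit chain intact:", g.verify_chain())
```

The hash chain is what makes the log useful as an audit control rather than just a log: an administrator who can edit the file can still change an entry, but the verification step will then fail, so silent alteration is detectable. In a production system the chain head would additionally be copied to storage the application cannot write to.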
Audit/Enforcement Examples
• 16 Employees Fired by Texas Hospital District For HIPAA
Violations
(December 3, 2009) 16 employees have been fired by the Harris County
Hospital District for violating patient privacy laws, a hospital
spokeswoman confirmed. They include managers, nurses, clerks and
other employees. {Source: www.compliancehome.com}
• Five Hospital Employees to be Fired over HIPAA Violations
(June 11, 2011) Tri-City Medical Center’s chief executive says the hospital
has sent letters of intent to fire five employees, and has disciplined a
sixth, for allegedly posting information about hospital patients online.
“Employees must come to understand and truly appreciate the huge risks involved
and penalties at stake if they ‘take a peek’ at a patient's medical record for no
legitimate purpose.”
Audit/Enforcement Examples (Cont’d)
• (February 14, 2011) Mass General Hospital to pay U.S.
government $1 million. It also entered into a
Corrective Action Plan that includes a requirement to
submit policies and procedures to HHS for review and
approval. Policies must include and specifically
address the following violations:
• Physical removal and transport of PHI
• No laptop encryption
• No USB drive encryption
Technical Safeguards
Integrity – EPHI must be protected from improper
modification or destruction.
Tools Used: Firewalls, Anti-Virus Software, intrusion
detection systems, Application Audits and locks.
Person or entity authentication - Must be able to
verify that persons or entities seeking access to EPHI
are who or what they claim to be.
Tools Used: Passwords, audit controls.
Technical Safeguards
Transmission security - Unauthorized access to EPHI
being transmitted over an electronic communications
network (e.g., the Internet) must be prevented.
Tools Used: Firewalls, secure communications via
encryption.
Conclusion
• Computer security is not just something you do if you
have extra time.
• Developing a good security program is a good start,
but employees need to understand and follow it.
• Even if you are NOT covered by HIPAA, your medical
data still needs to be secure.
• Your security model is only as good as its weakest link
(IT or human).