Bringing Box into HIPAA Alignment · 4/1/2014
Bob Flynn & Anurag Shankar University Information Technology Services
Indiana University
Bringing Box into HIPAA Alignment
Internet2 MM: 4/7/2014 University Information Technology Services
Outline
1. Introduction
2. Service Partnership
3. Legal Requirements
4. Risk Management Framework
5. Box Evaluation
6. Conclusions
1. Introduction
Nature abhors a vacuum! The lack of HIPAA compliant campus services that support external collaborations is forcing biomedical researchers to share sensitive data using email and cloud services such as Google Docs, Dropbox, etc.
HIPAA in the Cloud?
• The lure of free or cheap cloud storage is irresistible, even for HIPAA regulated entities.
• Cloud providers have been unaware or unwilling to address HIPAA compliance, but ...
• Market pressures are forcing many vendors to reconsider HIPAA. Chief among these are Amazon, Microsoft, and now Box.
• We at IU have also been revisiting our stance of keeping our sensitive data out of the cloud, specifically as regards Box.
Current Regulatory Climate
• With growing security threats, (Governance, Risk, and) Compliance is now the new frontier for IT.
• If you handle biomedical data, you not only face HIPAA, but possibly FISMA also.
• Recent changes to HIPAA have put more teeth into enforcement = more motivation for us.
Recent HIPAA Changes
• A new HIPAA Omnibus Rule was enacted in 2013.
• It adds new requirements for a business associate (BA) who handles your sensitive data. It greatly ramps up civil penalties.
• The government will initiate random HIPAA audits in 2014. (They were triggered only in response to a breach earlier.)
2. Service Partnership
Box@IU & HIPAA
• Implemented at IU in 2012, Box became wildly popular for sharing data with collaborators within and outside IU.
• Researchers in the IU School of Medicine (second largest medical school in the U.S.) soon wanted to use Box to share clinical data. (Biomedical research grants from NIH require data sharing.)
• Since identifiable clinical research data is subject to HIPAA, we asked – Is Box HIPAA compliant?
Box & HIPAA
• In 2013, Box began talking about the possibility of HIPAA alignment after conducting third party security and HIPAA audits.
• In late 2013, they began signing contracts promising to comply with HIPAA.
• Internet2 has negotiated a BAA and revised contract with Box.
IU Basics
• 8 Campuses (2 Core, 6 Regional)
• 115K Students, 20K Faculty/Staff
• 1.3M Credit Hours (Fall 2013)
• $533M in external research funding (2012)
• Strong Central IT and good partnership with distributed IT operations.
Box@IU Basics
• Program rollout April 2012
• Reached 50,000 users by October 2013
• Currently: 64,000 internal users, 7,000 external collaborators, 120,000 collaborations, 50TB in storage
• All this without FERPA or HIPAA data
3. Legal Requirements
HIPAA
• Health Insurance Portability & Accountability Act, passed in 1996, became law in 2001.
• Enforced by the Office for Civil Rights (OCR) in the U.S. Dept. of Health & Human Services (HHS).
• Modified in 2013 by including provisions from the 2006 Health Information Technology for Economic & Clinical Health (HITECH) Act & the 2008 Genetic Information Nondiscrimination Act (GINA).
• Consists of the HIPAA Privacy Rule and the HIPAA Security Rule.
The HIPAA Security Rule
The Security Rule regulates electronic protected health information* (ePHI). It requires (1) administrative, (2) physical, and (3) technical safeguards to
• Ensure the confidentiality, integrity, and availability of all ePHI created, received, maintained or transmitted;
• Identify and protect against reasonably anticipated threats to the security or integrity of the information;
• Protect against reasonably anticipated, impermissible uses or disclosures;
• Ensure compliance by the workforce; and
• Provide a means for managing risk in an ongoing fashion.
* Data with one or more of 18 patient identifiers such as name, DOB, etc.
Covered Entities & Business Associates
• Healthcare providers, health plans, and health clearinghouses are called HIPAA “covered entities”.
• Universities are often hybrid covered entities, with covered components that do healthcare and components that are not covered.
• If you serve a covered component within your organization, chances are that you too are covered.
• If you are not part of a covered entity but handle their data, you are a business associate (BA).
In the Box context, you are a covered entity and Box is a BA.
Security Rule Safeguards
• Administrative – security organization, policies, training, responsibilities, incident response, etc.
• Physical – data center access, equipment/media disposal, inventory control, etc.
• Technical – firewalls, patching, auditing, scanning, monitoring, accounts, etc.
+ organizational/policies/documentation requirements
Required & Addressable
• Each Security Rule safeguard is either “required” or “addressable”.
• Required = what it says.
• Addressable = should address, but ok if you describe why it is not in place or how you will otherwise address the risk.
• A risk assessment (RA) identifies where to concentrate mitigation effort.
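As an added illustration (example code written for this page, not IU's or NIST's tooling), the required/addressable distinction can be applied mechanically to a safeguard inventory during a gap analysis; the `Safeguard` record, its fields, and the inventory entries below are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Safeguard:
    """One Security Rule implementation specification as recorded in an inventory."""
    name: str
    kind: str                 # "required" or "addressable"
    implemented: bool
    justification: str = ""   # why it is not in place (addressable only)
    alternative: str = ""     # how the risk is otherwise addressed (addressable only)


def gap_for(s: Safeguard) -> Optional[str]:
    """Return a gap finding for one safeguard, or None when it is in order.

    A required safeguard must be implemented. An addressable one may be
    absent only if the documentation says why, or describes an alternative.
    """
    if s.implemented:
        return None
    if s.kind == "required":
        return f"{s.name}: required safeguard not implemented"
    if s.kind == "addressable":
        if s.justification.strip() or s.alternative.strip():
            return None   # absent, but documented as the rule allows
        return f"{s.name}: addressable safeguard absent with no documented reason or alternative"
    raise ValueError(f"{s.name}: unknown safeguard kind {s.kind!r}")


def gap_analysis(inventory: List[Safeguard]) -> List[str]:
    """Collect every finding; an empty list means the inventory shows no gaps."""
    return [g for g in (gap_for(s) for s in inventory) if g is not None]


# Constructed inventory: the names follow Security Rule specification headings,
# the statuses are made up for illustration and do not describe any real site.
INVENTORY = [
    Safeguard("Risk analysis", "required", True),
    Safeguard("Sanction policy", "required", False),
    Safeguard("Encryption and decryption", "addressable", False),
    Safeguard("Automatic logoff", "addressable", False,
              alternative="Endpoint policy locks the screen after 10 minutes idle"),
    Safeguard("Audit controls", "required", True),
]

if __name__ == "__main__":
    for finding in gap_analysis(INVENTORY):
        print(finding)
```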
Breach Notification
• HIPAA requires that a breach of ePHI be reported ASAP:
  1. To everyone whose privacy is breached.
  2. For breaches affecting > 500 patients, to the media and the Secretary of the U.S. Dept. of Health & Human Services.
• The BA must notify you if the breach occurs at their end.
Business Associates
• HIPAA requires a business associate agreement (BAA) with any external entity that touches your ePHI.
• The BAA must include language that your BA & their BAs will protect your ePHI.
• Due diligence also means ensuring that the BA is capable of protecting your ePHI in conformance with HIPAA.
Enforcement
• HIPAA violations can result in civil monetary penalties up to $1.5 million/violation against a HIPAA covered entity and/or individual criminal penalties up to 10 yrs in jail.
• For large breaches, the OCR imposes a (potentially very expensive) corrective action plan (CAP).
• Random govt. HIPAA audits are coming this year.
The Corrective Action Plan (CAP) signed by Idaho State University
Breaches reported by universities
But the worst is being in the newspapers!
Is All Identifiable Health Data ePHI?
• NO. Identifiable health data outside a healthcare context (e.g. what you upload to Google Health, Microsoft HealthVault) is not ePHI. Only healthcare providers, facilities, and insurers are bound by HIPAA.
• Data, if properly de-identified, is not subject to HIPAA.
If unsure, contact your HIPAA Compliance office!
Just Good Security?
Q: So, the HIPAA Security Rule means we just need to provide good IT security?
A: NO. The Security Rule is about managing risk, and security is only PART of that management. HIPAA requires ongoing administrative controls, training, governance, policies, formal review, etc.
HIPAA Security Rule Myths
Myth #1 – Security Rule compliance is a boolean.
Truth: There is no threshold where you suddenly become compliant.
Myth #2 – You can be certified HIPAA compliant.
Truth: No company or federal agency is authorized to certify you as being HIPAA “compliant”. (The only way to know for sure is to survive a HIPAA audit!)
So you align with the HIPAA rules as best as you can and usually “self assert” compliance.
HIPAA Security Rule Myths
Myth #3 – Once compliant, you stay compliant.
Truth: No. Compliance is an ongoing process; once started, it never stops so long as you have ePHI.
Myth #4 – You must have an external third party do risk/security assessment.
Truth: No. You can do them internally, so long as you follow accepted practices and document it all.
4. Risk Management Framework
HIPAA requires that you manage risk intelligently
Information Security Risk Management
• Identify, assess, prioritize, and mitigate risk to information security on an ongoing basis.
• Think in terms of managing risk, not plugging security holes.
Risk = {Threat/Vulnerability x Likelihood x Impact}
• A big threat due to an existing vulnerability that is highly unlikely to be exploited/has little impact is low risk. You don’t kill yourself over it.
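An added example (not from the presentation) that applies the formula above to a small risk register and ranks it for a risk management plan; the 1..5 ordinal scales, the high/medium/low thresholds, and the register entries are this example's own assumptions, since NIST 800-30 leaves the scale to the organization.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed 1..5 ordinal scale for each factor (chosen for this example).
VERY_LOW, LOW, MODERATE, HIGH, VERY_HIGH = 1, 2, 3, 4, 5


@dataclass
class Risk:
    name: str
    threat: int       # severity of the threat/vulnerability pair
    likelihood: int   # how likely the vulnerability is to be exploited
    impact: int       # harm to confidentiality/integrity/availability of ePHI

    def score(self) -> int:
        """Risk = Threat/Vulnerability x Likelihood x Impact, per the slide."""
        for v in (self.threat, self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.name}: factor {v} outside the 1..5 scale")
        return self.threat * self.likelihood * self.impact


def rating(score: int) -> str:
    """Bucket a score into the levels the RM plan acts on (assumed thresholds)."""
    if score >= 48:   # e.g. 4 x 4 x 3 and above: mitigate immediately
        return "high"
    if score >= 12:   # e.g. 3 x 2 x 2 and above: plan and schedule mitigation
        return "medium"
    return "low"      # accept or monitor, with the reasoning documented


def prioritize(register: List[Risk]) -> List[Tuple[str, int, str]]:
    """Rank a register highest score first, attaching the rating to each entry."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.name, r.score(), rating(r.score())) for r in ranked]


# Constructed register for a file-sharing service that holds ePHI.
REGISTER = [
    Risk("Shared link to an ePHI folder set to public", HIGH, HIGH, VERY_HIGH),
    Risk("Stale external collaborator keeps access", MODERATE, MODERATE, HIGH),
    # The slide's own illustration: big threat, very unlikely, little impact.
    Risk("Provider data-center physical intrusion", VERY_HIGH, VERY_LOW, VERY_LOW),
    Risk("Unencrypted laptop syncs ePHI offline", HIGH, MODERATE, HIGH),
]

if __name__ == "__main__":
    for name, score, level in prioritize(REGISTER):
        print(f"{score:3d} {level:6s} {name}")
```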
Risk Management Framework
You should have a mature, standards-based* RMF consisting of:
• Good governance = institutional security organization, policies, sanctions, enforcement
• Risk management = assessment, mitigation through appropriate physical, administrative, technical controls, documentation
• Review = regular monitoring, reviews, assessment, and mitigation
• Awareness and training
* = NIST 800-30
Do I need an entire RMF even if I just want to align Box?
• YES! If there is a breach and an OCR audit, they will first look at your general HIPAA safeguards, not just what you do with Box.
• Penalties are often levied due to risk not being managed properly.
• Having an RMF in place is an essential pre-requisite to any HIPAA compliance work.
Implementing the RMF at IU
1. Assign ownership
2. Form partnerships
3. Inventory/document
4. Hire external consultant
5. Perform gap analysis/fill gaps
6. Assess risk
7. Create & execute risk management plan
8. Get official blessing & advertize
Follow NIST Standards
(Much of this is usually already in place at most places but not documented in a compliance-oriented form.)
① Assign Ownership
• Dedicated resources commensurate with the scale. At IU, we spent around 1.5 FTE-year for the initial effort and 1.0 FTE on an ongoing basis.
• Assigned someone to lead the project.
• Empowered the leader to be able to do the job.
② Form Partnerships
• Got to know all IU Compliance folks.
• Formed an oversight committee; put all stakeholders on it – Compliance, Counsel, Information Security Office, Information Policy Office, School of Medicine CIO/Security Office, staff/faculty, and central IT senior management.
③ Inventory/Document
• Spent a lot of time on developing a documentation strategy/format.
• Inventoried all assets, current policies and procedures, physical, administrative, and technical controls in place already.
• Consulted with line managers & key staff.
• Instituted a secure document management system (DMS).
Identify Dependencies
• Inventoried infrastructure pieces on which systems/services depend.
• This means identity management, messaging, the network, data centers, etc. on which the systems/services to be aligned depend.
• Included as many of them as we could.
④ Hire External Consultant*
• Asked IU Compliance folks for references.
• Got referred to a consultant from DC, who also serves on national HIPAA committees, etc.
• Consultant was given information about the organization, documentation, etc.
• Consultant visited IU a couple times to do in-person interviews.
* = optional
⑤ Perform Gap Analysis
• The Gap Analysis (GA) measures gaps between actual security and what the HIPAA Security Rule requires.
• Involved on-site interviews.
• Consultant used the data to identify gaps.
• We received the GA report.
Fill Gaps
• Reviewed gap analysis report.
• Filled as many holes as we could, especially the serious ones.
• Updated documentation.
• Got everything ready for a risk assessment.
⑥ Assess Risk
• Everything done so far went into the risk assessment exercise.
• Submitted updated documentation and other information as requested to the external consultant.
• On-site interviews followed.
• Received a risk assessment report listing identified risks and risk scores.
⑦ Create a Risk Management Plan
• Reviewed risk assessment report.
• Addressed all risks and documented mitigation, reason for not mitigating, or alternatives.
• Submitted the RM plan to the external consultant for review.
• Modified RM plan as per consultant recommendations.
Execute Risk Management Plan
• Execution involved some short term actions that addressed many high/medium risk items immediately.
• Instituted long term processes such as regular reviews, risk monitoring, risk avoidance strategies, etc.
• Documented everything (again) …
⑧ Get Official Blessing & Advertize
• Submitted everything to the oversight committee.
• Received an official letter of approval from Compliance in January 2009.
• Advertized internally and targeted only IUSM researchers to avoid unnecessary attention.
Follow Standards
• We used the NIST 800-53 information security standard since it is often used for complying with HIPAA and is the basis for FISMA.
• It put an “official seal” & added rigor to the process.
• We also looked at other standards such as ISO 27001, COBIT, etc.
NIST 800-53
HIPAA - Ongoing
• Semi-annual, internal reviews, documentation updates. Risk reassessment. External reviews every 5 years.
• Annual, mandatory HIPAA training in the HIPAA regulation, how it applies to us, and our policies and procedures, etc.
• Self-assertion process for new services requires risk analysis, risk mitigation, documentation, security screening, & training/reviews.
Future
• Expand the mature, standards-based NIST approach.
• Provide NIST-based risk and security assessment tools for units to do their own internal assessments.
• Centralize documentation.
• Establish baseline risk profile, evaluate risks, update continuously as risks change.
5. Box Evaluation
While Box said they were HIPAA compliant, due diligence (to us) meant evaluating whether Box meets the same NIST standards we follow ourselves.
Method
• We asked Box for documentation of their information security practices, audit reports, etc.
• We reviewed the documents thoroughly.
• We used the NIST HIPAA Security Rule Toolkit to answer nearly 1000 questions about Box’s security/risk management practices.
• Some of these answers came from the Box documentation, some from Box’s Compliance folks.
NIST HIPAA Security Rule Toolkit Questionnaire
Results
• Box satisfies > 95% of HIPAA Security Rule requirements.
• They have the necessary “Required” and “Addressable” safeguards in place.
• It helps greatly that they encrypt all data in transit and at rest for enterprise customers (i.e. us) and secure the encryption keys.
Current Status
• We are waiting on a HIPAA compliant BAA with Box.
• After a BAA is in place, we will submit the paperwork to the IU HIPAA Compliance Office to approve Box’s suitability for storing ePHI.
• After approval, we expect to make Box available to biomedical researchers as a HIPAA aligned collaboration tool.
6. Conclusions
Conclusions
• Cloud computing is imminent; be prepared.
• Box provides an ideal data sharing environment for biomedical researchers.
• Our own NIST based evaluation found Box to be capable of keeping our ePHI secure.
• We are using our existing RMF to satisfy dependencies and ensure end to end security.
Conclusions
• Follow your own institutional process, but an institutional RMF is an essential pre-requisite.
• Implementing a RMF also provides resources that can be used to align with any current/future regulation.
• It also makes breaches less likely, lowering liability and the chance of damaging institutional reputation.
We are more than happy to help in any way we can
Resources
• The HIPAA Security Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
• NIST 800-66: Guide to Implementing the HIPAA Security Rule: http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
• NIST 800-53: Recommended Security Controls: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
• NIST 800-53A: Guide for Assessing Security Controls: http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf
• FIPS 200: Federal Systems Minimum Security Requirements: http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
• NIST HIPAA Security Rule Toolkit: http://scap.nist.gov/hipaa/
• IU HIPAA Documentation Templates (email us)
• IU HIPAA Risk Assessment Template (email us)
Contact
Bob Flynn [email protected] 812-856-3792
Anurag Shankar [email protected] 812-325-8629