David Assee BBA, MCSE Florida International University University Health Services Security Officer...

David Assee BBA, MCSE
Florida International University
University Health Services Security Officer
[email protected]
June 2, 2011

Purpose of this Training
To train you on HIPAA Security Regulations and why security is necessary for billing.
HIPAA Security regulations were created to address the need to increase security standards for electronic protected health information.

Security & HIPAA
Due to the seamless nature of most IT networks, HIPAA security rules should apply to all software, users and computers that access EPHI.
By taking a proactive approach to computer security now, you will be able to detect and prevent trouble later.

Defining IT Security
IT security is about protecting information assets by effectively managing risks.
How much protection is provided depends on the risk and magnitude of harm that could result if the data were lost, misused, disclosed, or modified.
Assets are computers and data.
Risks are managed by evaluating vulnerabilities and threats.

Defining IT Security
Vulnerabilities: Weaknesses in a computer or network that leave it susceptible to potential exploitation such as unauthorized use or access. Vulnerabilities include but are not limited to weaknesses in security procedures, administrative or internal controls, or physical configuration; or features or bugs that enable an attacker to bypass security measures.
Threats: Threats generally fall into three broad categories:
• A person (careless oversight, lack of training, malicious or criminal intent)
• A thing (a faulty piece of equipment)
• An event (a power outage, fire, or flood)
A threat is the means through which a weakness can be exploited to adversely affect a network or supported systems. A threat is possible only because the system is vulnerable to that particular threat.

HIPAA Security Rule
There are three components of security to guard data integrity, confidentiality, and access:
• Administrative safeguards
• Physical safeguards
• Technical safeguards
These components work together to establish a unified security approach based on the principle of “defense in depth.”

Defense in Depth Layers (outermost to innermost)
• Administrative
• Physical
• Technical
• Firewalls
• Router configuration
• Operating system login
• User login
• Database access settings

Administrative Safeguards
Administrative safeguards make up 50% of the Security Rule’s standards. They require documented policies and procedures for managing the day-to-day operations, the conduct and access of workforce members to EPHI, and the selection, development, and use of security controls.

Administrative Safeguards
Security management process: An overall requirement to implement policies and procedures to prevent, detect, contain, and correct security violations.
Have written policies and procedures for security violations.
Assigned security responsibility: A single individual must be designated as having overall responsibility for the security of a CE’s (covered entity’s) EPHI.
Assign a security designee.

Administrative Safeguards
Workforce security: Policies and procedures ensure that only properly authorized workforce members have access to EPHI.
Set up procedures to ensure new employees have sign-on to systems which store EPHI only if authorized.

Administrative Safeguards
• Information access management: Policies and procedures detail how access to EPHI is established or modified.
Access to medical management is documented, including changes in an employee’s role.
• Security awareness and training: All workforce members must undergo security awareness education and training.
Employees are often the biggest threat to a network. Let them know what they can and cannot do.

Administrative Safeguards
• Security incident procedures: Policies and procedures provide means for reporting, responding to, and managing security incidents.
Set up a method for reporting security incidents to the appropriate designee.

Administrative Safeguards: Other Policies
• Contingency plan: Backup systems need to be maintained for disaster recovery. Review your backup plan to ensure it’s feasible.
• Business associate contracts and other arrangements: Contracts completed with external vendors to ensure the privacy and confidentiality of EPHI.

Physical Safeguards
The physical safeguards are a series of requirements meant to protect a CE’s electronic information systems and EPHI from unauthorized physical access. CEs must limit physical access while permitting properly authorized access.

Physical Safeguards
Facility access controls: An overall requirement that limits physical access to electronic information systems while ensuring that properly authorized access is allowed.
Access without approval to areas or equipment that store EPHI should be limited to clinic employees.

Physical Safeguards
Workstation use: Policies and procedures must provide physical safeguards for all workstations that can access PHI.
Specify characteristics of the physical environment and appropriate use of the workstations that can access EPHI.
Consider:
• Location of computer screens
• Fax machines and display devices
• Use of screen savers
• Use of privacy filters

Physical Safeguards
Device and media controls: Policies and procedures must specify how hardware and electronic media containing EPHI are received or removed within or outside of a CE.
Storage media sanitization policy.
Restrictions on removable media: Workstations should be designed to limit the easy removal of PHI, e.g. via storage devices (USB thumb drives) and via e-mail.
Must also provide for appropriate destruction (i.e., shredding) of any hard copies of PHI.
Some photocopiers can store information.

Technical Safeguards
The technical safeguards are requirements for using technology to protect EPHI, particularly controlling access to it.

Technical Safeguards
Access control: Information systems that contain EPHI must only allow access to persons or software programs that have appropriate access rights.
Passwords, set at the OS and application levels; a biometric solution can add greater security.
Audit controls: Information systems that contain or use EPHI must have mechanisms to record and examine activity.
IT audits are done on multiple levels (firewall, operating system, intrusion detection system, application).
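
The access control and audit control slides above describe two mechanisms that belong together: deciding whether a request for EPHI is allowed, and recording every attempt so the activity can be examined later. The following is an added example, not code from the original slides or from FIU University Health Services: a small Python record store that grants reads only to clinical roles with a treatment relationship to the patient, writes an audit event for every attempt (granted or denied), and a review function that flags users with repeated denied reads and granted reads outside clinic hours. The roles, clinic hours, users, patient ids and timestamps are all constructed for the demo.

```python
"""Added example (not from the original slides): access control plus audit
control for an EPHI record store. Every read is checked against the caller's
role and treatment relationship, every attempt is logged whether granted or
denied, and review_log() examines the log for activity worth a second look.
All policy values, users, patient ids and records are constructed."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy: roles allowed to read clinical records at all.
CLINICAL_ROLES = {"physician", "nurse"}
# Constructed policy: clinic hours; granted reads outside them are flagged on review.
CLINIC_OPEN, CLINIC_CLOSE = 7, 19


@dataclass
class AuditEvent:
    when: datetime
    user: str
    role: str
    patient_id: str
    granted: bool
    reason: str


@dataclass
class EphiStore:
    records: dict                          # patient_id -> record
    assignments: dict                      # user -> set of patient_ids under their care
    log: list = field(default_factory=list)

    def read(self, user, role, patient_id, when):
        """Return the record only if the caller has appropriate rights;
        write an audit event for every attempt, granted or not."""
        if role not in CLINICAL_ROLES:
            return self._record(when, user, role, patient_id, False, "role not permitted")
        if patient_id not in self.assignments.get(user, set()):
            return self._record(when, user, role, patient_id, False, "no treatment relationship")
        self._record(when, user, role, patient_id, True, "ok")
        return self.records[patient_id]

    def _record(self, when, user, role, patient_id, granted, reason):
        self.log.append(AuditEvent(when, user, role, patient_id, granted, reason))
        return None


def review_log(log, denied_threshold=2):
    """Examine recorded activity. Returns users with repeated denied reads
    (a pattern consistent with browsing records outside their care) and
    granted reads that happened outside clinic hours."""
    denied = {}
    after_hours = []
    for ev in log:
        if not ev.granted:
            denied.setdefault(ev.user, []).append(ev)
        elif not CLINIC_OPEN <= ev.when.hour < CLINIC_CLOSE:
            after_hours.append(ev)
    return {
        "repeated_denials": {u: evs for u, evs in denied.items() if len(evs) >= denied_threshold},
        "after_hours": after_hours,
    }


def demo():
    """Run a constructed sequence of reads and return the store and the review findings."""
    t0 = datetime(2011, 6, 2, 9, 0)   # constructed timestamp
    store = EphiStore(
        records={pid: {"patient_id": pid, "note": "constructed"} for pid in ("P001", "P002", "P003")},
        assignments={"dr_lee": {"P001", "P002"}, "rn_kim": {"P002"}},
    )
    store.read("dr_lee", "physician", "P001", t0)                            # granted
    store.read("rn_kim", "nurse", "P002", t0 + timedelta(minutes=3))         # granted
    store.read("rn_kim", "nurse", "P003", t0 + timedelta(minutes=5))         # denied: not assigned
    store.read("rn_kim", "nurse", "P001", t0 + timedelta(minutes=6))         # denied: not assigned
    store.read("clerk_ann", "billing", "P001", t0 + timedelta(minutes=10))   # denied: role
    store.read("dr_lee", "physician", "P002", t0 + timedelta(hours=14))      # granted at 23:00
    return store, review_log(store.log)


if __name__ == "__main__":
    store, findings = demo()
    for ev in store.log:
        print(ev.when.strftime("%H:%M"), ev.user, ev.patient_id,
              "GRANTED" if ev.granted else "DENIED", ev.reason)
    print("repeated denials:", {u: len(v) for u, v in findings["repeated_denials"].items()})
    print("after-hours reads:", [(e.user, e.patient_id) for e in findings["after_hours"]])
```

The point of logging denied attempts as well as granted ones is that the denials are what make the review useful: a nurse who is refused two records outside her assignments in the same minute is exactly the "taking a peek" pattern the enforcement examples that follow describe, and it is invisible if only successful reads are recorded. In a real system the log would be written to storage the application cannot modify, and the review would run on a schedule rather than at the end of a demo.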

Audit/Enforcement Examples
16 Employees Fired by Texas Hospital District for HIPAA Violations (December 3, 2009): 16 employees have been fired by the Harris County Hospital District for violating patient privacy laws, a hospital spokeswoman confirmed. They include managers, nurses, clerks and other employees. {Source: www.compliancehome.com}
Five Hospital Employees to be Fired over HIPAA Violations (June 11, 2011): Tri-City Medical Center’s chief executive says the hospital has sent letters of intent to fire five employees, and has disciplined a sixth, for allegedly posting information about hospital patients online.
“Employees must come to understand and truly appreciate the huge risks involved and penalties at stake if they ‘take a peek’ at a patient's medical record for no legitimate purpose.”

Audit/Enforcement Examples (Cont’d)
(February 14, 2011) Mass General Hospital to pay U.S. government $1 million. It also entered into a Corrective Action Plan that includes a requirement to submit policies and procedures to HHS for review and approval. Policies must include and specifically address the violations:
• Physical removal and transport of PHI
• No laptop encryption
• No USB drive encryption

Technical Safeguards
Integrity: EPHI must be protected from improper modification or destruction.
Tools used: Firewalls, anti-virus software, intrusion detection systems, application audits and locks.
Person or entity authentication: Must be able to verify that persons or entities seeking access to EPHI are who or what they claim to be.
Tools used: Passwords, audit controls.

Technical Safeguards
Transmission security: Unauthorized access to EPHI being transmitted over an electronic communications network (e.g., the Internet) must be prevented.
Tools used: Firewalls, secure communications via encryption.

Conclusion
Computer security is not just something you do if you have extra time. Developing a good security program is a good start, but employees need to understand and follow it.
Even if you are NOT covered by HIPAA, your medical data still needs to be secure.
Your security model is only as good as its weakest link (IT or human).