9/23/2016
DON’T GET STUNG BY A BREACH!
WHAT'S NEW IN HIPAA PRIVACY AND SECURITY
JASON YUNGTUM
Practice Areas: Healthcare; Labor and Employment
[email protected]
(402) 397‐1700
JILL JENSEN
Practice Areas: Healthcare; Labor and Employment
[email protected]
(402) 474‐6900
OBJECTIVES:
• Identify current developments
• Analyze your HIPAA compliance program for risks
• Apply existing and updated tools to limit exposure in a breach or audit
CURRENT DEVELOPMENTS
• Enforcement ramping up
–Notable examples: big, small, in‐between
–Small breaches, no breaches – no problem?
ENFORCEMENT
• OCR Phase 2 Audits
• Ransomware guidance
• Updated risk assessment
ENFORCEMENT
• Did not know/could not know
–$100 to $50,000 each violation
–$1.5M cap for identical violations in same calendar year
ENFORCEMENT
• Reasonable cause/not willful neglect
–$1000 to $50,000 each
–$1.5M cap for identical violations in calendar year
•WILLFUL NEGLECT, CORRECTED WITHIN 30‐DAY PERIOD
–$10,000 to $50,000 per violation
–$1.5M cap for identical violations per calendar year
ENFORCEMENT
•WILLFUL NEGLECT, NOT CORRECTED
–$50,000 each violation
–$1.5M cap for identical violations in calendar year
ENFORCEMENT
•Willful Neglect
–conscious, intentional failure or
–reckless indifference to the obligation to comply
ENFORCEMENT
• Nature, extent of violation
–Number of individuals affected
–When it occurred
ENFORCEMENT FACTORS
• Nature and extent of harm from violation
–Physical
–Financial
–Reputational
–Ability to obtain health care
ENFORCEMENT FACTORS
• History of prior compliance, any violations
–Same or similar to before
–Whether and to what extent prior issues have been corrected or attempts made to correct
ENFORCEMENT FACTORS
FROM THE FILES OF THE OCR
• August 4, 2016
• Advocate Health Care Network
• Multiple potential violations—ePHI
• $5.55M settlement + CAP
• Large health system
• Many affected
• Long‐term noncompliance
THE BACK STORY
• OCR began investigation in 2013
• 3 breach reports from sub, Advocate Medical Group
• Combined breaches = 4.1M individuals
• PHI included demographic, clinical, health insurance, patient names, addresses, credit card numbers with expiration dates, DOBs
THE MORAL TO THE STORY . . . .
• Accurate, thorough risk assessments
• Implement policies/procedures and facility access controls
• Signed BA Agreements
• Don’t be stupid.
–Don’t keep an unencrypted laptop in an unlocked vehicle
CAN YOU SAY “WILLFUL NEGLECT?”
A NEW CLAIM TO FAME?
• $2.75 Million to resolve + CAP
• Aware of risks, vulnerabilities since 2005
• No significant risk management until after the breach
• Organizational deficiencies
• Insufficient institutional oversight
DO YOU SEE A PATTERN HERE?
• Password protected laptop stolen
• ePHI vulnerable to unauthorized access via wireless network
• Access to 67,000 files after entering generic username and password
• 328 files with ePHI
• 10,000 patients dating to 2008
HERE’S MY SHOCKED FACE
• Failed to implement policies/procedures
• Failed to implement physical safeguard for all workstations
• Didn’t assign unique usernames or numbers to ID or track user identity
• Failed to notify each individual about the breach
WHAT ABOUT BUSINESS ASSOCIATES?
• Catholic Health Care Services of the Arch. of Philadelphia ‐‐ OCR notified of breach April 2014
• Theft of an unencrypted, non‐password protected iPhone
WHAT ABOUT BUSINESS ASSOCIATES?
• Compromised PHI of 412 NF residents
–Management/IT services for 6 SNFs
–SSNs, Dx, Tx, procedures, family member names, guardian names, medication information
• $650,000 + CAP
WHAT ABOUT BUSINESS ASSOCIATES?
• TAKE AWAYS:
–Business Associates need enterprise‐wide risk Assessments and Risk Management Plans too
• ENCRYPT ALL MOBILE DEVICES
• HAVE/IMPLEMENT POLICIES ABOUT MOBILE DEVICES AND PHI
• POLICIES/PROCEDURES FOR SECURITY INCIDENTS
$650,000 – NOT CHUMP CHANGE
• WHY THE “LIGHT” RESOLUTION AMOUNT?
–BA provided unique, much needed services in region
–To elderly, DD, young adults aging out of foster care, individuals living with HIV/AIDS
• TWO YEARS OF OCR MONITORING
• RA AGREEMENT + CAP
PHYSICIAN PRACTICES
• Physician practice and ASC in NC
• $750,000 resolution amount
• PHI of 17,300 patients provided to potential business partner without a signed BA Agreement
• Breach report in April 2013
• X‐ray films/related PHI sent to BA
–For transfer of images to electronic media
–Harvesting silver from the films
• Get the BA Agreement signed first and then disclose
THE WAGES OF NO BA AGREEMENT IS
• $750,000 + Resolution Agreement + CAP
• Revise policies and procedures
• Establish a BA determination process
THE WAGES OF NO BA AGREEMENT
• Designate a person in charge of BA Agreements
• Establish a process for BA Agreement retention –at least 6 years after termination
• Minimum necessary applies
WHAT’S NEXT?
• CLOSER LOOK AT SMALL “BREACHES”
–Those affecting less than 500 persons
WHAT’S NEXT FOR THE OCR AND US
• OCR REGIONAL OFFICES (ROs) WILL LOOK INTO ROOT CAUSES
–Seek corrective action for “systemic” noncompliance
WHAT? NO BREACHES?
Sorry. The Coast is not clear.
NO FLYING UNDER THE RADAR
How does your entity compare to similar covered entities or BAs?
NO BREACH. NO PROBLEM?
• How is your documentation?
• Do you have risk assessments completed?
THE OCR AUDITS
• Began in earnest this summer
• Notices sent to 167 auditees on July 11, 2016
• Redesigned audit process reflecting experience and new law
PHASE 2 AUDIT PROCESS
• FOR BOTH COVERED ENTITIES AND BUSINESS ASSOCIATES
• MOSTLY DESK AUDITS
• UP TO 250 AUDITS TOTAL ‐‐ WITH 50 OF THOSE TO BE ONSITE
WHAT IS OCR LOOKING FOR?
• Compliance mechanisms and best practices
• ID risks/vulnerabilities not identified through breach notices or enforcement
OCR’S MISSION
• GET OUT IN FRONT OF PROBLEMS BEFORE A BREACH OCCURS
• A COMPLIANCE IMPROVEMENT ACTIVITY
–ID what technical assistance may be needed
–State of compliance on aspects of HIPAA
–Further tool development to aid in compliance efforts and breach prevention
OCR AUDIT FOCUS
• DESK AUDITS ONGOING THROUGH END OF 2016
• DESK AUDIT SCOPE LOOKING AT 7 CONTROLS
– Security
– Privacy
– Breach notification compliance
• ONSITE AUDITS BEGIN IN EARLY 2017
– Comprehensive set of HIPAA compliance controls
– Desk auditees are subject to onsite audit as well
OCR AUDIT FOCUS
• BA DESK AUDITS BEGIN IN LATE SEPTEMBER 2016
• MOSTLY FROM A POOL OF BAS IDENTIFIED BY COVERED ENTITIES
• 10 DAY RESPONSE TIME FOR REQUESTED RECORDS
OCR AUDIT FOCUS
• DESK AUDIT REQUESTS
– List of BAs to be returned by email within 10 days
– Documents – policies/procedures, etc. submitted through secure portal
• No credit for late submissions
• Only what’s relevant is to be submitted
• If auditee doesn’t have it, must explain deficiency
Desk Audit Controls: Privacy, Breach Notification, Security
DESK AUDIT PROCESS
• AFTER REVIEW OF SUBMITTED DOCUMENTS,
–OCR will develop and share draft findings
–Entity may respond
–Responses will be included in the final audit report
DESK AUDIT PROCESS
• AUDIT REPORTS WILL DESCRIBE HOW THE AUDIT WAS CONDUCTED, PRESENT ANY FINDINGS, AND CONTAIN ENTITY RESPONSES TO THE DRAFT FINDINGS
–Based only on what is submitted
–No late submissions allowed
AFTER THE DESK AUDIT
• AFTER AUDIT, OCR COULD OPEN A SEPARATE COMPLIANCE REVIEW
–Depending on what the audit finds
–Significant threats to privacy and security will likely get a compliance review
• COMPREHENSIVE ONSITE AUDITS OF BOTH CES AND BAS WILL BEGIN IN EARLY 2017
RANSOMWARE
• 4000 DAILY ATTACKS SINCE EARLY 2016
–300% increase over 2015
• Exploits human and technological weakness
RANSOMWARE
• Denies access through encryption by malware
• Only the bad guy has the “key”
• You can have key for a “price”
OTHER BAD THINGS THAT CAN HAPPEN
• Ransomware or Malware may also “exfiltrate” data (i.e., steal it and transfer it)
WHAT CAN YOU DO?
• HAVE A SECURITY MANAGEMENT PROCESS
–Conduct a risk analysis, ID threats, vulnerabilities
–Implement process to protect against malicious software
SECURITY MANAGEMENT PROCESS
• TRAIN YOUR PEOPLE TO DETECT MALWARE
• IMPLEMENT ACCESS CONTROLS TO LIMIT WHO CAN USE EPHI
WEAKEST LINKS
WHAT ELSE?
• IMPLEMENT POLICIES/PROCEDURES FOR FREQUENT BACK‐UPS
–For recovery if/when you are attacked
• TEST RECOVERY ABILITY OFTEN
• MAINTAIN BACK‐UP OFFLINE/AWAY FROM YOUR NETWORK
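The three backup bullets above describe a procedure; the script below is an added example (not part of the presentation) showing what "test recovery ability often" looks like in practice: the backup is written with a SHA-256 manifest, a restore is rehearsed into a throwaway directory, and every restored file is checked against the manifest. The record tree, file names and contents are constructed for the demo; the archive and its manifest are what would be copied to media kept offline.

```python
"""Added example, not from the presentation: take a backup with a SHA-256
manifest, then rehearse a restore into a throwaway directory and check every
restored file against the manifest. The record tree and file contents are
constructed for the demo; the archive and manifest would normally be copied
to media that is kept offline."""
import hashlib
import tarfile
import tempfile
from pathlib import Path, PurePosixPath


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(src: Path, archive: Path) -> dict:
    """Archive every file under src and return {relative path: sha256}.
    Store the manifest with the offline copy, not only on the live network."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(src.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src).as_posix()
                manifest[rel] = sha256_bytes(path.read_bytes())
                tar.add(str(path), arcname=rel)
    return manifest


def safe_member(name: str) -> bool:
    """Reject archive entries that would write outside the restore directory."""
    parts = PurePosixPath(name).parts
    return bool(parts) and not PurePosixPath(name).is_absolute() and ".." not in parts


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory and compare with the manifest.
    Returns a list of problems; an empty list means the rehearsal passed."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        restored = set()
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for member in tar.getmembers():
                    if not member.isfile():
                        continue
                    if not safe_member(member.name):
                        problems.append(f"unsafe entry skipped: {member.name}")
                        continue
                    target = dest / member.name
                    target.parent.mkdir(parents=True, exist_ok=True)
                    target.write_bytes(tar.extractfile(member).read())
                    restored.add(member.name)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return [f"archive unreadable: {exc}"]
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif sha256_bytes((dest / rel).read_bytes()) != digest:
                problems.append(f"hash mismatch: {rel}")
        for rel in sorted(restored - manifest.keys()):
            problems.append(f"file not in manifest: {rel}")
    return problems


def demo() -> tuple:
    """Back up a constructed records tree, rehearse the restore, then simulate
    the archive itself being overwritten (what ransomware does to a backup
    left reachable on the network) and rehearse again."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        src = root / "records"
        (src / "2016").mkdir(parents=True)
        (src / "2016" / "visit-0001.txt").write_text("constructed sample visit note\n")
        (src / "index.csv").write_text("id,file\n1,2016/visit-0001.txt\n")
        archive = root / "records.tar.gz"
        manifest = make_backup(src, archive)
        clean = verify_restore(archive, manifest)
        archive.write_bytes(b"\x00" * 64)
        damaged = verify_restore(archive, manifest)
        return clean, damaged


if __name__ == "__main__":
    print(demo())
```

The second rehearsal in demo() is the case the slide warns about: if the only backup sits on the same network the malware reaches, the restore test fails and you find out before you need it, not after. The manifest also makes a silently altered backup detectable, which a plain "did the archive extract" check would miss.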
WHAT ELSE?
• UPDATE WHEN PATCHES AVAILABLE
• HAVE A DISASTER RECOVERY PLAN
–Emergency Operations
–ID criticality of applications and data
–Test readiness
SECURITY INCIDENTS
• SECURITY INCIDENT PROCEDURES ALSO REQUIRED BY SECURITY RULE
–Procedures to respond
–Detection
–Containment
–Eradication
–Mitigation
–Remediation
–Post‐incident activities – obligations/lessons learned
ARE YOUR PEOPLE
LIKE THIS? Or this?
TRAINING THE DETECTIVES
• WHEN WAS THE LAST TIME YOUR TEAM WAS TRAINED?
– Alert to the dangers of unknown links
– Phishing expeditions
– Computer weirdness – slow running – overburdened CPU
– Disappearing files
– Getting locked‐out of files
Where’s your documentation of completed training?
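The symptoms on this slide (files disappearing, files that can no longer be opened) can be watched for by a machine as well as by trained staff. The script below is an added example, not from the presentation: it compares a directory against a known-good inventory, flags files that vanished or appeared, flags text files whose contents have become high-entropy (a sign they have been encrypted in place), and checks a canary file that nobody is supposed to touch. The directory, file names, the canary name and the ".locked" suffix are all constructed for the demo; real ransomware uses many different extensions and ransom-note names.

```python
"""Added example, not from the presentation: a scan that looks for the
symptoms listed on the slide (files that disappear, files that can no longer
be read as what they should be) plus a canary file that staff never touch.
The directory, file names, the canary name and the ".locked" suffix are all
constructed for the demo; real ransomware uses many different extensions."""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

TEXT_SUFFIXES = {".txt", ".csv"}            # formats that should look like text
CANARY_NAME = "_canary_do_not_touch.txt"    # hypothetical name for the demo
CANARY_TEXT = "canary: if this file changes, raise the alarm\n"
ENTROPY_LIMIT = 7.0                         # bits per byte; prose sits near 4-5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def list_files(root: Path) -> set:
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}


def scan(root: Path, expected: set) -> list:
    """Compare the tree with a known-good inventory and return findings."""
    findings = []
    canary = root / CANARY_NAME
    if not canary.exists():
        findings.append("canary missing")
    elif canary.read_text(errors="replace") != CANARY_TEXT:
        findings.append("canary modified")
    present = list_files(root)
    for rel in sorted(expected - present):
        findings.append(f"disappeared: {rel}")
    for rel in sorted(present):
        path = root / rel
        if rel not in expected:
            findings.append(f"unexpected new file: {rel}")
        elif path.suffix in TEXT_SUFFIXES:
            ent = shannon_entropy(path.read_bytes())
            if ent > ENTROPY_LIMIT:
                findings.append(f"high entropy for a text file: {rel} ({ent:.2f} bits/byte)")
    return findings


def demo() -> tuple:
    """Scan a constructed clean tree, then simulate an infection and rescan."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        (root / "2016").mkdir()
        (root / "2016" / "visit-0001.txt").write_text("constructed sample visit note\n")
        (root / "index.csv").write_text("id,file\n1,2016/visit-0001.txt\n")
        (root / CANARY_NAME).write_text(CANARY_TEXT)
        expected = list_files(root)
        clean = scan(root, expected)
        # Deterministic pseudo-random bytes stand in for ciphertext.
        junk = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
        (root / "2016" / "visit-0001.txt").unlink()
        (root / "2016" / "visit-0001.txt.locked").write_bytes(junk)   # renamed + encrypted
        (root / "index.csv").write_bytes(junk)                        # encrypted in place
        (root / CANARY_NAME).write_bytes(junk[:64])                   # canary touched
        return clean, scan(root, expected)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The entropy check is deliberately limited to formats that should be readable text; applying it to already-compressed formats (images, PDFs, zip files) would produce constant false alarms. The canary and inventory checks have no such limitation and are usually the first thing to fire.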
TRAINING THE DETECTIVES
• QUICKLY DETECT AND REPORT
• ACTIVATE YOUR SECURITY INCIDENT RESPONSE PLAN
–Contact the professionals:
•FBI, local law enforcement, U.S. Secret Service field office
RANSOMWARE = HIPAA SECURITY INCIDENT
• ACTIVATE YOUR RESPONSE PLAN
–You need to have one–What is yours?
YOUR MONEY OR YOUR LIFE
• ID THE SCOPE OF INCIDENT – WHAT’S AFFECTED?
–Origin
–Is it over or still going on?
–How did it happen?
–Prioritize your response
RANSOMWARE AFTERMATH
• IS A SECURITY INCIDENT A HIPAA BREACH?
–It depends
• IF EPHI IS ENCRYPTED BY RANSOMWARE, OCR SAYS, “YES.”
IS IT A BREACH?
• BREACH PRESUMED UNLESS LOW PROBABILITY OF COMPROMISE
–Do the breach risk assessment
–Get professional help
• Type and variant of malware
• How it operates
• Communications, transfers of data by malware to outside servers
• Did it propagate?
BREACH RISK ASSESSMENT TOOL
• DO YOU HAVE ONE?
“GLOBAL” RISK ASSESSMENT TOOL
• Recently updated
• Windows 10, Apple iOS, iPad
• Save‐as feature
• Paper too
• https://www.healthit.gov/providers-professionals/security-risk-assessment-tool
RISK ASSESSMENT TOOL
YOUR QUESTIONS
THANK YOU!