Getting serious…? - Clearwater · 3/20/2012
© 2010-12 Clearwater Compliance LLC | All Rights Reserved

Getting serious…?
Bob Chaput, CISSP, MA, CHP, CHSS, MCSE [email protected]
How to Establish Your HITECH Data Breach Notification Program
March 20, 2012

About HIPAA-HITECH Compliance
1. We are not attorneys!
2. HIPAA and HITECH are dynamic!
3. Lots of different interpretations!
So there!

Bob Chaput, CISSP, MA, CHP, CHSS, MCSE
• President – Clearwater Compliance LLC
• 30+ years in Business, Operations and Technology
• 20+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc.)
• Expertise and Focus: Healthcare, Financial Services, Legal
• Member: HIMSS, ISSA, HCCA, ACHE, AHIMA, NTC, Chambers, Boards
http://www.linkedin.com/in/BobChaput

Session Objectives
1. Learn why you should care
2. Discover the HITECH Breach Notification requirements
3. Provide practical, actionable next steps to create your notification program

Why Should You Care?
1. It’s the law… HIPAA & HITECH!
2. Your stakeholders trust and expect you to do this
3. Your revenues, assets and reputation depend on it!

What’s The Big Deal?
• Street cost for a stolen record: Medical $50 vs SSN $1 [1]
• Payout for identity theft: Medical $20,000 vs Regular $2,000 [1]
• Medical records can be exploited 4x longer: credit cards can be cancelled; medical records can’t [1]
[1] RSA Report on Cybercrime and the Healthcare Industry
Medical Record Abuse consequences: Prescription Fraud, Embarrassment, Financial Fraud, Personal Data Resale, Blackmail / Extortion, Medical Claims Fraud, Job loss / reputational

Legal Activity
Lawsuits and Enforcement are on the upswing…
• BCBS Tennessee to pay $1.5 million in HIPAA settlement
• Sutter Health Hit With $1B Class-Action Lawsuit
• Patient files $20M lawsuit against Stanford Hospital
• TRICARE Health Management Sued for $4.9B
• UCLA Health System Enters into $865K Resolution Agreement & CAP with OCR
• Cignet Health Fined for Violation of HIPAA Privacy Rule: $4.3M
• MGH entering into a resolution agreement; includes a $1 million settlement
• AvMed Health sued over ‘one of the largest medical breaches in history’
• Health Net keeps paying for its data breach in 2009… $625K and counting
• WellPoint’s notification delay following data breach brings action by Attorney General’s office

Three Pillars of HIPAA-HITECH Compliance…
[Figure: three pillars – Privacy, Security, Data Breach Notification – resting on HIPAA and HITECH]
• Breach Notification IFR – 6 pages / 2K words – 4 Standards – 9 Implementation Specs
• Privacy Final Rule – 75 pages / 27K words – 56 Standards – ~60 “dense” Implementation Specs
• Security Final Rule – 18 pages / 4.5K words – 22 Standards – ~50 Implementation Specs

Breach laws across the land…
• 46 states now with disclosure laws
  – Massachusetts (210 CMR 17.00)
  – Nevada (NRS 1603a), others to follow
• Lots of Federal Activity
  – Consumer Privacy Bill of Rights
  – Cybersecurity Legislative Proposal
Who’s not affected?

Session Objectives (recap)
1. Learn why you should care
2. Discover the HITECH Breach Notification requirements
3. Provide practical, actionable next steps to create your prevention program

Key definitions (ISO 27001)
• “Information security event”: “an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant”
• “Information security incident”: “a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security”

Breach definition (45 C.F.R. § 164.402)
• “Acquisition, access, use, or disclosure” of PHI in a manner not permitted by the HIPAA Privacy Rule “which compromises the security or privacy of the protected health information”.
• Compromise means: “poses a significant risk of financial, reputational, or other harm to the individual.”

Keep it in Perspective
[Figure: Event → Incident → Breach, with the threshold between each stage marked “?”]

Your Breach Investigation & Notification Obligations
Obligation | Description | Readiness
45 C.F.R. §164.402 | Breach Definition | ☐
45 C.F.R. §164.404 | Individual Notification | ☐
45 C.F.R. §164.406 | Media Notification | ☐
45 C.F.R. §164.408 | Secretary Notification | ☐
45 C.F.R. §164.410 | Notification by a Business Associate | ☐
45 C.F.R. §164.414 | Administrative Burden of Proof | ☐
45 C.F.R. §164.530 | Administrative Requirements | ☐
45 C.F.R. §160.310(b) | Complaint Investigation & Review (Office for Civil Rights – OCR) | ☐

Where HIPAA Security and Breach Notification Meet
45 C.F.R. §164.308(a)(6)(i) Standard: Security incident procedures. Implement policies and procedures to address security incidents. (ii) Implementation specification: Response and Reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
45 C.F.R. §164.414 Administrative requirements and burden of proof. (a) Administrative requirements. A covered entity is required to comply with the administrative requirements of §164.530(b), (d), (e), (g), (h), (i), and (j) with respect to the requirements of this subpart.* (b) Burden of proof. In the event of a use or disclosure in violation of subpart E, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach, as defined at §164.402.
* Administrative requirements of §164.530: Training • Complaints • Sanctions • Refraining from Intimidation • Waiver of Rights • Policies & Procedures • Documentation

Presumed Guilty: Administrative Burden Of Proof
The CE has the burden of demonstrating (documenting):
• that all notifications were made as required by new Subpart D;
• or, by completing a risk-of-harm assessment and documenting it, that the impermissible acquisition, access, use, or disclosure could not pose a “significant risk of financial, reputational, or other harm to the individual”;
• or, by establishing that the PHI was secured or that one of the exclusions was met.

Session Objectives (recap)
1. Learn why you should care
2. Discover the HITECH Breach Notification requirements
3. Provide practical, actionable next steps to create your prevention program

Action Plan to Meet Requirements
1. Get Educated on Regulations
2. Become HIPAA Privacy and Security Compliant; Conduct Assessments
3. Secure all media with PHI: Encrypt – Encrypt – Encrypt (but not a panacea!)
4. Ensure BAs / Subs Secure PHI
5. Develop or Buy Policies and Procedures (pre and post)
6. Develop a training and awareness program
7. Build or Buy Tool to log, triage and manage incidents
8. Build or Buy Tool to aid in notification when notification must be made
9. Hope for the best; Prepare for the worst
10. Evaluate services to help in the event the worst occurs

Balanced Breach Notification Program
[Figure: Balanced Security Program – Policy, People, Procedures, Technology]
• Policy defines an organization’s values & expected behaviors.
• People must include talented privacy & security & technical staff, supportive management and trained/aware colleagues.
• Procedures or process provide the actions required to deliver on an organization’s values.
• Technology includes the various families of technical security controls including encryption, firewalls, antivirus, intrusion detection, AND incident management tools.

Solutions to Help Establish Your Breach Notification Program
Reactive (Breach):
• Triage
• Risk-of-Harm Assessments
• Forensics
• Notification
• Support
• Medical/Identity Theft Protection
• Damage Control
Proactive:
• Oversight Council
• Risk Management
• Process Mapping
• Inventories & Gap Assessments
• Corrective Action Plans
• Policies & Procedures
• Training

Clearwater solutions:
1. HITECH Breach Notification Assessment™
2. HITECH Breach Notification PnP ToolKit™
3. RADAR™

1. HITECH Breach Notification Assessment™
Take Stock of Where You Stand | Auto Plan Remediation Steps

2. HITECH Breach Notification Policy & Procedures ToolKit™
Demo

What You Receive – HITECH Breach Notification Policy ToolKit™
• HIPAA-HITECH Privacy and Security Glossary
• Data Breach Notification Policy Development QuickStart
• Data Breach Notification Interim Final Rule_E9-20169
• 6 Data Breach Notification Policy and Procedures templates
• 60 minutes of complimentary email, telephone or web-meeting support
• Very Latest Updates on HITECH Act and Breach Notification IFR Changes
Comprehensive digital download tool…
More Information at: http://clearwatercompliance.com/products-and-services/risk-management-solutions/hitech-breach-notification-policy-procedures-247-00/

3. ID Experts RADAR
• Incident Documentation Repository
• Guided Incident Risk Analysis
• Automated Incident Report Generation
• Management Dashboard & Reporting
Best Practices & Efficiency: Compliance with HITECH Breach Notification (164.400 – 164.414); 164.530; HIPAA Security Rule 45 C.F.R. 164.308(a)(6)(ii); Meaningful Use Qualification

Maintain Your HHS/OCR Investigation Data In RADAR
Example Data Request:
• Primary designated contact with OCR
• Detailed explanation of the breach
• Copy of Notice of Privacy Practices (NPP)
• Copy of policies & procedures for safeguarding PHI
• Copy of policies & procedures for accounting of PHI disclosures
• Copy of notification of the breach as required by 45 C.F.R. 164.404
• Copy of media notification as required by 45 C.F.R. 164.406
• Evidence of any action taken to determine root cause of the breach
• Evidence of any steps to ensure it does not recur
• Evidence & tracking of the notification of affected individuals

RADAR Supports Healthcare Organizational Structures
• Clinic
• Hospital
• Integrated Delivery System
Support for Centralized and/or Distributed Incident Management
Access Control: Role Based • Configurable • Secure

Our Solutions Support All Your Breach Obligations
Obligation | Description | Clearwater
45 C.F.R. §164.402 | Breach Definition |
45 C.F.R. §164.404 | Individual Notification |
45 C.F.R. §164.406 | Media Notification |
45 C.F.R. §164.408 | Secretary Notification |
45 C.F.R. §164.414 | Administrative Burden of Proof |
45 C.F.R. §164.530 | Administrative Requirements |
45 C.F.R. §160.310(b) | Complaint Investigation & Review |

Breach Notification Resources
1. HHS Breach Notification Interim Final Rule (http://abouthipaa.com/wp-content/uploads/Breach-Notification-for-Unsecured-PHI-Interim-Final-Rule.pdf)
2. Instructions for Submitting Notice of a Breach to the Secretary (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html)
3. Health Information Technology for Economic and Clinical Health Act (http://abouthipaa.com/wp-content/uploads/The_HITECH_Act.pdf)
4. National Institute of Standards and Technology (NIST) Federal Information Processing Standards, FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems” (http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf)
5. NIST Special Publication 800-53 Revision 3 Final, “Recommended controls for Federal Information Systems and Organizations” (http://abouthipaa.com/wp-content/uploads/10.-NIST-SP800-53-rev3-final_updated-errata_05-01-2010.pdf)
6. NIST Special Publication 800-52, “Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations” (http://abouthipaa.com/wp-content/uploads/NIST-Special-Publications-800-52_Guidelines-for-the-Selection-and-Use-of-Transport-Layer-Security-TLS-Implementations_SP800-52.pdf)
7. NIST Special Publication 800-111, “Guide to Storage Encryption Technologies for End User Devices” (http://abouthipaa.com/wp-content/uploads/NIST-Special-Publication-800-111_Guide-to-Storage-Encryption-Technologies-for-End-User-Devices._SP800-1111.pdf)
8. NIST Special Publication 800-77, “Guide to IPsec VPNs” (http://abouthipaa.com/wp-content/uploads/NIST-Special-Publication-800-77_Guide-to-IPsec-VPNs_SP800-77.pdf)
9. NIST Special Publication 800-88 Revision 1, “Guidelines for Media Sanitization” (http://abouthipaa.com/wp-content/uploads/NIST-Special-Publication-800-88_Guidelines-for-Media-Sanitization_SP800-88_rev1.pdf)
10. NIST Special Publication 800-113, “Guide to SSL VPNs” (http://abouthipaa.com/wp-content/uploads/NIST-Special-Publication-800-113-Guide-to-SSL-VPNs_SP800-113.pdf)
11. NIST Special Publication 800-66 Revision 1, “A Resource Guide for Implementing The HIPAA Security Rule” (http://csrc.nist.gov/publications/PubsSPs.html)
12. NIST Special Publication 800-122 Revision 3 Final, “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)” (http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf)
13. State Security Breach Laws (http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Privacy/FederalStateandOtherProfessionalRegulations/StatePrivacyRegulations/Pages/State%20Security%20Breach%20Laws.aspx)

Summary and Next Steps
1. Take Stock of Where You Are; Complete Assessment
2. Stay Business Risk Management-Focused
3. Follow 10-point Plan to Get Started
4. Large or Small: Get Help (Tools, Experts, etc.)
Risk Management… Simply Makes Good Business Sense…

Get Smart!
“On Demand” HIPAA HITECH RESOURCES, IF NEEDED:
1. http://AboutHIPAA.com/about-hipaa/resources/
2. http://AboutHIPAA.com/webinars/

Clearwater Co-Sponsored Seminal Report
http://webstore.ANSI.org/PHI
03-22-12: How to Calculate the Cost of a Data Breach and What to Do About It

Our Passion
We’re excited about what we do because… we’re helping organizations safeguard the very personal and private healthcare information of millions of fellow Americans… And, keeping those same organizations off the Wall of Shame…!

Upcoming HIPAA HITECH Webinars
Register Now! … at: http://abouthipaa.com/webinars/upcoming-live-webinars/

Contact
Bob Chaput, CISSP
Clearwater Compliance LLC
http://www.ClearwaterCompliance.com [email protected]
Phone: 800-704-3394 or 615-656-4299

What’s The Big Deal - $$$
• A clerk in a medical clinic in a Florida hospital stole the medical IDs of 1,100 patients and sold them. The numbers were subsequently used to bill Medicare for $2.8 million in false claims [1]
• In 2005, the records of 163,000 consumers were compromised after criminals pretending to be legitimate ChoicePoint customers sought details about individuals listed in the company’s database of personal information. ChoicePoint agreed to pay $10 million in civil penalties and $5 million for consumer redress [2]
[1] McKay, Jim. “Identity Theft Steals Millions from Government Health Programs.” GovTech.com. 12 Feb. 2008. Web. 6 Sept. 2011. http://www.govtech.com/security/Identity-Theft-Steals-Millions-from-Government.html
[2] Brodkin, Jon. “ChoicePoint Details Data Breach Lessons.” PCWorld. 11 June 2007. Web. 7 Sept. 2011. http://www.pcworld.com/article/132795/choicepoint_details_data_breach_lessons.html

What’s The Big Deal?
• Based on a recent Ponemon Institute study, the average cost per lost healthcare record was projected to be $282 per record in 2008, or nearly $3MM for a breach of 10,000 records
• A recent study found that over the past six years, data breaches have cost organizations well in excess of $155 billion [1]. These losses do not even include actual losses sustained by the victims of the breach, but account for only the organizations’ costs.
[1] “Beware of Costly Data Breaches” by William B. Baker, Kathleen A. Kirby & Amy E. Worlton, Sept 2011 / Mass Media Headlines. http://www.wileyrein.com/publications.cfm?sp=articles&newsletter=5&id=7505&&elq_mid=16002&elq_cid=1094517#page=1