HITECH Management Briefing


Transcript of HITECH Management Briefing

Page 1: HITECH Management Briefing

HITECH Management Briefing

June 23, 2010

Karen Pagliaro-Meyer, Privacy Officer
[email protected], (212) 305-7315

Soumitra Sengupta, Information Security Officer
[email protected], (212) 305-7035

Page 2

AGENDA
1. HITECH update
2. Privacy & Information Security Training
3. Privacy Issue Log Summary
4. Encryption
5. Risk Assessment
6. Data Leakage Prevention

Page 3

Health Insurance Portability and Accountability Act (HIPAA)

• Insurance Reform (Portability)
• Administrative Simplification (Accountability)
  – Transactions, Code Sets, & Identifiers – Compliance Date: 10/16/2002 and 10/16/03
  – Privacy – Compliance Date: 4/14/2003
  – Security – Compliance Date: 4/20/2005
• Fraud and Abuse (Accountability)

HITECH – Health Information Technology for Economic and Clinical Health – 9/18/2009

Page 4

HITECH Act (ARRA)

REQUIREMENT – COMPLIANCE DATE
1. Breach Notification – September 2009
2. Self-Payment Disclosures – February 2010
3. Business Associates – February 2010
4. Minimum Necessary – August 2010
5. Marketing
6. Fundraising
7. Accounting of Disclosures – January 2011/2014
8. Performance Measures for EHR – enhanced reimbursement rate

Page 5

HITECH Act (ARRA)

New Federal Breach Notification Law – Effective Sept 2009
• Applies to all electronic “unsecured PHI”
• Requires immediate notification to the Federal Government if more than 500 individuals affected
• Annual notification if fewer than 500 individuals affected
• Requires notification to a major media outlet
• Breach will be listed on a public website
• Requires individual notification to patients
• Criminal penalties – apply to individual or employee of a covered entity

Page 6

HITECH Act (ARRA)

Self Payment Disclosures
• If patient pays for service – has the right to limit the disclosure of that information to their health insurance

Business Associates
• Standards apply directly to Business Associates
• Statutory obligation to comply with restrictions on use and disclosure of PHI
• New HITECH provisions must be incorporated into BAA

Minimum Necessary Standards
• New definition of Minimum Necessary, determined by the disclosing party, encourages the use of limited data sets

Page 7

HITECH Act (ARRA)

Accounting of Disclosures
• Right to request copy of record in any format and to know who viewed, accessed, used or disclosed their medical information

Electronic Health Record
• Performance Measures for EHR enhanced reimbursement
• Patient has a right to electronic copy of records
• Electronic copy transmission – delivery options
• 96 hours or 48 hours w/o ancillary – information available to the patient
• Meet Meaningful Use Standards

Page 9

Who is a Business Associate?

• Individuals who do business with CUMC and have access to protected health information.
• Signed Business Associate Agreement (BAA) is needed to assure that they will protect the information and inform CUMC if the data is lost or stolen.

Examples of BAAs include:
– billing companies or claims processing
– voice mail or appointment reminder service management
– transcription services or coding companies
– accreditation consultants
– software used for medical data


Page 11

Summary of Breaches Reported to Office of Civil Rights

Sept. 2009 – June 2010
Breaches of over 500 records: 100
• 72% of breaches are computer related
• 64% of breaches the result of a theft

Type of Facility
• 39% from hospital / medical center
• 29% from a private practice / corporation
• 20% from a health plan / insurance company

Page 12

[Chart: HITECH Breach Notification Reports 9/09 – 6/10, by source – Laptops, Paper, Desktop, Portable Device, Other, Network, Email, Backup tapes. Percentages shown on the chart: 34%, 20%, 14%, 11%, 9%, 6%, 5%, 2%]

Page 13

Privacy & Information Security Training

• HITECH changed the definition and reporting requirements of Protected Health Information
• Technology has increased the potential exposure of data theft / loss (portable data)
• All staff benefit from refresher HIPAA training
• Tracking of workforce members to verify that they complete HIPAA training has improved

Page 14

Privacy & Information Security Training

ANNUAL HIPAA Training (number of staff)

Program                  2008     2009
Welcome Program           787    1,585
Students                  146      409
Dept/Role Specific        506      573
HCCS on-line Training     425      662
TOTAL                   1,864    3,229

[Chart: Annual HIPAA Training, number of staff by program for 2008 and 2009; same figures as the table above]

Page 15

Privacy & Information Security Training

Management Follow-up
• Scheduling refresher HIPAA training for staff
• Verify that all new workforce members (employees, faculty, students, volunteers) receive HIPAA training
• Review policies and procedures related to information security and privacy
• Distribute “HIPAA reminders” to staff

Page 16

Privacy Issue Summary 2010

• Privacy Breach Allegation: 15
• Access to Medical Record: 9
• Theft of Electronic Device: 8
• Registration Issue: 5
• Medical Record Sent to wrong patient: 3
• Paper Data Loss: 1
• Development: 1
• Marketing: 1

Page 17

Cost of Data Breach

• Ponemon annual study on breach costs
• Loss of 10,000 records means $2,000,000
• The cost includes Detection, Notification, Post-response & Lost business
• Qn: Who will pay this cost?

[Chart: Cost per record, FY 2005 through FY 2009; vertical axis 0 to 250]

Page 18

What does OCR’s Privacy Breach reporting tell us?

• 46% of reported breaches are for lost/stolen laptops, PDA, and Back up tapes
• HITECH permits non-notification if the information is “encrypted.”
• So, encrypt already, or stop carrying sensitive data
• Our encryption help page is: https://secure.cumc.columbia.edu/cumcit/secure/security/encryption.html

[Diagram: Encryption versus risk of incurring a breach cost]

Page 19

What’s new from OCR?

• Office for Civil Rights Guidance – May 7, 2010 – HIPAA Security Standards
• Guidance on Risk Analysis – based on NIST recommendation: NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems

Page 20

OCR Risk Analysis Guidance Steps

• Scope of the Analysis
• Collect all Assets
• Identify and document Potential Threats and Vulnerabilities
• Assess current Security Measures (Controls)
• Determine the Likelihood and Impact of Threat Occurrence to determine the Level of Risk
• Finalize Documentation
• Periodic Review and Updates to the Risk Assessment

Page 21

Scope of the Analysis at CUMC

• G.R.O.W.I.N.G…
  – Protected Health Information
  – Personally Identifiable Information (SSN, Driver’s License, Credit cards)
  – Payment Card Industry Data Security Standard
  – FDA Approved Research – 21 CFR Part 11
  – FERPA (Student information)
  – Etc.
• Has to fit in a common framework

Page 22

Threats and Vulnerabilities + Likelihoods + Impact

• Original analysis of HIPAA issues at CUMC
• Used a classification method
  – Threat Source: Internal/External
  – Type: Opportunistic/Accidental/Deliberate/Environmental
  – Likelihood: Very likely/Likely/Unlikely/Very unlikely
  – Costs/Severity: Operational Impact/Monetary Impact/Regulatory Impact/Reputation Impact
• New threats
  – Social networks
  – Wireless devices

Page 23

Threats and Vulnerabilities + Likelihoods + Impact

• Examples:
  – Internal user, accidentally, infects a workstation with a virus through a personal USB drive
  – External user, deliberately, uses a server to distribute music or DVD or to send SPAM
  – Internal user, deliberately, looks up clinical data of a celebrity

Page 24

Security Controls

• Examples of controls that address threats

Page 25

Asset Inventory Program at CUMC

• Work starts July 2010
• Ask departments to identify a Primary Person responsible for all matters of Privacy and Security: communications, incidents, and resolutions
• Ask Primary Person to identify Servers and Workstations with PII, PHI, FDA Research
  – Description, responsibility, IP address, etc.

Page 26

Asset Inventory

• CUMC IT will establish Asset inventory database of PHI, PII, and FDA systems
• IT Security group will conduct vulnerability scans using automated tools, and return results and recommendations to Primary Person
• Departments will address deficiencies with their IT custodians and take corrective actions; with follow up re-scan
• Departments will be provided with a comprehensive list of assets from the inventory

Page 27

Asset Inventory

• Non-compliant systems after a specified time period will be disconnected from the network
• Non-compliant systems after a specified time period will be reported to CUMC HIPAA/InfoSec Committee, department management, and CUMC senior management
• The inventory will be updated by self-reporting and by annual recertification

Page 28

New control: Data Leakage Prevention

• DLP technology is a set of tools that look at
  – Our networks
  – Our incoming and outgoing emails
  – Our workstations and servers
• And
  – Alert on leakage of PHI, PII and other sensitive data (Data in motion)
  – Report on where such data reside (Data at rest)
  – Control how such data are used (Data in use)
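As an added illustration (not the briefing's own material and not CUMC's DLP tooling), a minimal data-at-rest scanner of the kind a DLP tool runs over workstation and server files: it flags the SSN and credit-card values named in the scope slide, drops the obvious false positives (SSA-never-issued area numbers, Luhn failures), and reports only redacted values so the DLP report itself does not become another copy of the PII. The sample file content is constructed.

```python
import re
from typing import List, Tuple

# Constructed sample of "data at rest": a scratch file left on a workstation.
# Values are made up; the card number is a widely used Luhn-valid test number.
SAMPLE_FILE = """\
Patient follow-up list (do not share)
J. Doe  SSN 123-45-6789   card 4111 1111 1111 1111  balance $220
Invoice ref 000-12-3456 is NOT an SSN (area 000 is never issued)
Order number 1234-5678-9012-3456 fails Luhn, so it is not a card
Form code 987-65-4321 has the SSN shape but area 987 is never issued
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact(value: str) -> str:
    """Keep only the last four digits so the report does not leak the value."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def scan(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding type, redacted value) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                findings.append((lineno, "SSN", redact(m.group(0))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 16 and luhn_ok(digits):
                findings.append((lineno, "CARD", redact(digits)))
    return findings

if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE_FILE):
        print(f"line {lineno}: {kind} {value}")
```

A production tool would add PHI markers (MRNs, diagnosis codes) and file-location metadata to each finding; the point here is that pattern plus validity check plus redaction is the minimum that keeps the "report on where such data reside" output from being a leak of its own.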

Page 29

Data Leakage Statistics

Page 30

Data Leakage Prevention

• A pilot study showed
  – Sensitive PHI data are sent to billers, vendors without encryption
  – Sensitive data are accidentally left on workstations
  – Old, forgotten, sensitive data stay forever on servers
  – Users are using social networks and systems such as wikis and GoogleDocs to store sensitive, institutional data without proper authorization

Page 31

Data Leakage Prevention

• A 2010 project to start alerting on what is found on the networks
• Reports to the department Primary Person
• Reports to CUMC senior management
• Development of a process to address the findings comprehensively

Page 32

HITECH Management Briefing

Karen Pagliaro-Meyer, Privacy Officer
[email protected], (212) 305-7315

Soumitra Sengupta, Information Security Officer
[email protected], (212) 305-7035