McMillan ppt


Transcript of McMillan ppt

Page 1: McMillan ppt

12/8/2014

CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 [email protected] cynergistek.com @CynergisTek

Omnibus, Enforcement, Audits and Other Hot Topics

Presented by: Mac McMillan, CEO, CynergisTek

Agenda
1. Key HITECH & Omnibus Rule Challenges
2. Enforcement Heats Up
3. Audits, Audits & More Audits
4. Hot Issues for 2014
5. Final Discussion
Questions

1. Key HITECH & Omnibus Challenges

Page 2: McMillan ppt

Key Areas That Are Challenging
• Business Associates
• Breach Notification
• Right to Access & Restrictions

Business Associates
• Expands definition of business associate (BA) to include:
  – any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity (CE)
  – subcontractors
  – patient safety organizations
  – health information organizations
  – e-prescribing gateways
  – vendors of personal health records
• Omnibus makes BAs directly liable for the Security Rule and for the use and disclosure provisions of the contract and the Privacy Rule
• Omnibus makes CEs and BAs responsible for the actions of their “Agents”
• Omnibus reminds CEs to use Business Associate Agreements (BAA), but makes it clear that BAs are liable regardless
• Deadline for updating BAAs: September 23, 2014

Breach Notification
• An impermissible acquisition, access, use or disclosure of protected health information is presumed to be reportable
• Unless the entity can demonstrate that there is a low probability that PHI has been compromised
• Safe Harbor for encrypted PHI
• Exceptions for certain inadvertent and incidental uses & disclosures

Page 3: McMillan ppt

Breach Notification
A risk assessment is required to demonstrate a low probability of compromise. Factors considered:
• The nature and extent of PHI involved
• The unauthorized person who used the PHI or to whom the disclosure was made
• The extent of mitigation present
• Whether the PHI was actually acquired or viewed
• Additional factors can be considered

Access & Restrictions: A Patient’s Right
Omnibus provides for expanded rights of access and to request restrictions:
• Electronic PHI Copies: Expands the right to an electronic copy of any PHI stored electronically in a designated record set
• Directing Personal Information: Individual has a right to direct the information be sent to another individual
• 30/30 Rule: Provides 30 days fewer to provide offsite information
• Health Plan Disclosure: Provides for restrictions of disclosure to a health plan if individual pays in full and in cash, and is requested
• Unencrypted Email Transmission: Information may be transmitted using unencrypted email so long as the entity warns the recipient of the risks

2. Enforcement Heats Up

Page 4: McMillan ppt

Enforcement
• Business associates (including their subcontractors) are subject to civil money penalties and other enforcement actions for noncompliance with applicable provisions of HIPAA.
• Omnibus Rule retains the definition of willful neglect as “conscious, intentional failure or reckless indifference to the obligation to comply” with HIPAA.
• Requirement that OCR first attempt informal resolution through voluntary compliance was removed.

Breach Notification
Omnibus redefines reasonable cause for determination of penalties:
• Nature and Extent of Violation: Including the number of individuals affected and the duration of the violation
• Nature and Extent of Violation (Harm): Including the results of harm to an individual, either physical, financial, or reputational, as well as any hindrance to the individual’s ability to obtain healthcare
• Financial Condition of Offending Party: Including difficulties that could have affected compliance or if a monetary penalty could jeopardize the future provision of healthcare
• History of Prior Noncompliance: Including similar prior indications of noncompliance and the offending party’s responses to them
• Such other matters as justice may require

Enforcement
FTC settles cases through Consent Orders. Issues in the cases cited:
• Improper disposal of hard copy PHI
• P2P file sharing software on workstation exposing personal information (Appealed to ALJ)
• Unencrypted laptop
• Failure to monitor overseas business associate’s information security
Consent orders carrying 20 Years of Monitoring: CVS, Rite Aid, Accretive Health, LabMD, GMR Transcription

Page 5: McMillan ppt

3. Audits, Audits & More Audits

OCR Phase 2 Audit Program
• Budget for audit activities has been approved
• Greater number of on-site audits, but no specific number given yet
• Permanent audit program slated to begin in FY 2015 (some time after October 1)
• ~200 covered entities to be selected for desk audits
• Equal number or fewer BAs selected for desk audits
• Pre-audit survey to pre-screen 1200 entities
• Implementing technology to facilitate data collection phases of audit process
• Carried out by HHS personnel with contractor support

Desk Audit Expectations
• Data request will specify content and other electronic document submission requirements.
• Only documentation that is submitted on time is reviewed.
• All documentation must be current as of the date of the request.
• Auditors will not be able to contact the entity for clarifications or ask for additional information, so it’s critical that documentation accurately reflects the program.
• Submission of extraneous information increases difficulty for auditor in finding and assessing required items.
• Failure to submit responses leads to compliance review.

Page 6: McMillan ppt

Phase 2 Audit Scope
• FY 2015 Desk Audits of Covered Entities
  – Security – Risk analysis and risk management
  – Breach – Content and timeliness of breach notifications
• FY 2015 Desk Audits of Business Associates
  – Security – Risk analysis and risk management
  – Breach – Breach reporting to covered entities
• FY 2015-16 On-Site Comprehensive Audits
  – Covered entities
  – Business associates

Focused Audits 2016 & Beyond
Security
• Device and media controls
• Transcription security
• Encryption of data at rest
Privacy
• Administrative and physical safeguards
• Workforce training to HIPAA policies & procedures
Other Areas
• High risk areas identified through:
  – 2015 audits
  – Breach reports submitted to OCR

MU Audits
Figliozzi & Co. conducts audits on behalf of CMS. Entities chosen for audit receive letters requesting documentation within two weeks:
• Proof of EHR certification and method chosen to support reporting ED admissions.
• Documentation regarding completion of core set objectives and measures and completion of “menu” voluntary set objectives/measures.

Page 7: McMillan ppt

MU Audits
• All organizations that have attested are subject to pre-payment, desk or onsite audit.
• Figliozzi & Co. on-site audits have been very strenuous and detail oriented.
• Documentation, interviews, data calculations.
• Organizations have received requests to return funds and have two weeks to respond before penalties are added.

CMS SNF/NF Performance Surveys
• CMS conducts surveys of skilled nursing facilities and nursing facilities for compliance.
• Region IV pilot expands scope of Standard Survey to include HIPAA Privacy & Security Rule compliance.
• Facilities are required to complete a Directed Plan of Correction (DPOC) to resolve deficiency(s).
• Failure to comply could lead to suspension of participation in Medicare and Medicaid programs.

OIG Audits
• The Office of the Inspector General audits how CMS & OCR enforce compliance with their regulations:
  – Provider use and protection of USB drives and port security
  – CMS audit of user submissions for Meaningful Use
  – OCR enforcement of HIPAA security rules
• Results are provided to OIG as well as the appropriate offices within OCR/CMS
• If deemed warranted, OCR/CMS can take action on issues identified through further investigation

Page 8: McMillan ppt

4. Hot Issues for 2014 & Beyond

We Are Fighting a Cyber War
“If you know the enemy, and know yourself, then you may not fear the results of a hundred battles. If you know yourself but not the enemy, for every victory gained you will suffer a defeat.”
– Sun Tzu
He went on to say, “If you know neither the enemy nor yourself you will suffer a hundred defeats.”
A hundred of anything in a Chinese proverb is very good or very bad…

The Face of Cybercriminals in Healthcare
• 12 y/o learning computers in middle school
• 14 y/o home-schooled girl tired of social events
• 15 y/o in New Zealand just joined a defacement group
• 16 y/o in Tokyo learning programming in high school
• 19 y/o in college putting course work to work
• 20 y/o fast food employee that is bored
• 22 y/o in Mali working in a carding ring
• 24 y/o black hat trying to hack whoever he can
• 25 y/o soldier in East European country
• 26 y/o contractor deployed overseas
• 28 y/o in Oregon who believes in hacktivism
• 30 y/o white hat who has a black hat background
• 32 y/o researcher who finds vulnerabilities in systems
• 35 y/o employee who sees a target of opportunity
• 37 y/o rogue intelligence officer
• 39 y/o disgruntled admin passed over
• 41 y/o private investigator
• 44 y/o malware author paid per compromised host
• 49 y/o pharmacist in midlife crisis
• 55 y/o nurse with a drug problem

Page 9: McMillan ppt

US-CERT Estimates 47% of All Cybercrime is Directed at Healthcare
• 4M medical records maintained on four workstations
• Physician loses laptop with psychiatric patients’ records
• Neurologic institute accidentally emails 10,000 patient records to 200 patients
• Phishing/hacking nets nearly $3M from six healthcare entities
• University reports laptop with patient information stolen out of a student’s car
• Vendor sells hospital’s X-rays (films) to third party
• Resident loses track of USB with over 500 orthopedic patients’ information
• Portable electronic device with patient data stolen from hospital
• Physician has laptop stolen from vacation home
• 2200 physicians victims of ID theft/tax fraud
• Stolen laptop from nurse’s home with patient data
• Printers returned to leasing company compromise thousands of patient records
• Health System reports third stolen laptop with 13,000 patient records
• 400 hospitals’ billings delayed as clearinghouse hit with ransomware
• And, on and on it goes…

New Threats Emerge
Black Hat 2014
• Snatching passwords w/ Google Glass
• Screen scraping VDI anonymously
• Compromising AD through Kerberos
• Remote attacks against cars
• Memory scraping for credit cards
• Compromising USB controller chips
• Cellular compromise through control code
• Free cloud botnets for malware
• Mobile device compromise through MDM flaws
• Cryptographic flaws and a Rosetta Stone

Increased Reliance
Hyper-connectivity, data sharing, extended supply lines, increased partnering, engagement strategies, etc. create opportunity and risk.
• BYOD
• Physician Alignment
• Business Associates
• Patient Engagement
• HIPAA/HITECH
• Accountable Care Organization
• Meaningful Use
• ICD-10
• Research
• Telemedicine
• FISMA
• Health Information Exchanges

Page 10: McMillan ppt

Trust, But Verify: The Insider Threat Erodes Confidence
• It is estimated that more than half of all security incidents involve staff.
• More than 70% of identity theft and fraud were committed by knowledgeable insiders – physicians, nurses, pharmacy techs, admissions, billing, etc.
• 2013 witnessed a 20% increase in medical identity theft.
• Traditional audit methods & manual auditing are completely inadequate.
• Behavior modeling, pattern analysis and anomaly detection are what is needed.

Resilient Supply Chains: Vendor Management is Critical
• Greater due diligence in vetting vendors
• Security requirements in contracting should be SLA based
• Particular attention to cloud, SaaS, infrastructure support, critical service providers
• Life cycle approach to data protection
• Detailed breach and termination provisions

Medical Devices Threaten People & Information
• In June 2013 the DHS tested 300 devices from 40 vendors, and ALL failed.
• In response, the FDA issued guidance for manufacturers and consumers addressing design, implementation and radio frequency considerations.
The headline read: “Yes, Terrorists Could Have Hacked Dick Cheney’s Heart.”
– The Washington Post, October 21, 2013

Page 11: McMillan ppt

Administrative Discipline: Process – Discipline – Vigilance
• 3.4 million BotNets identified
• 20-40% of recipients in phishing exercises fall for scam
• 26% of malware delivered via HTML; one in less than 300 emails infected
• Malware analyzed was found undetectable by nearly 50% of all anti-virus engines tested
• As of April 2014 Microsoft no longer provides patches for Windows XP, Windows 2003, Windows 2000, NT, etc.
• EOL systems still prevalent in healthcare networks
• Hardening, patching, configuration, change management…all critical
• Objective testing and assessment

Embrace Mobility of Data: Manage The Data, Not The Device
• Medical staff are turning to their mobile devices to communicate because it’s easier, faster, more efficient…but it is not secure
• Sharing lab or test results, locating another physician for a consult, sharing images of wounds and radiology images, updating attending staff on patient condition, getting direction for treatment, locating a specialist and collaborating with them, transmitting trauma information or images to EDs, prescribing or placing orders
• Priority placed on the data first and the device second
• Restrict physical access where possible, encrypt the rest

Lose Assets, Not Data
• 1 in 4 houses is burglarized, a B&E happens every 9 minutes, more than 20,000 laptops left in airports
• First rule of security: no one is immune
• 138%: the % increase in records exposed in 2013
• 83%: the % of large breaches involving theft
• 6 – 10%: the average shrinkage rate for mobile devices
• Typical asset inventories are off by 60%
“That’s a big number because it’s meant to drive home the point that unencrypted laptops and mobile devices pose significant risk to the security of patient information.”
– Sue McAndrew, OCR

Page 12: McMillan ppt

Targeted Attacks Are Rising: Lower Your Risk Profile
• Defenses are not keeping pace
• Three most common attacks: spear phishing, Trojans & malvertising
• APTs, phishing, water cooler attacks, fraud, etc.
• Most organizations can’t detect or address these threats effectively
• An advanced incident response capability is required
• Results in losses of time, dollars, downtime, reputation, breaches, litigation, etc.
• Conduct independent risk assessments regularly
“I feel like I am a targeted class, and I want to know what this institution is doing about it!”
– Anonymous Doctor, FAHC
[Chart: Targeted Attacks. Bars on a 0–100 scale for: Organizations suffering a targeted attack; Sophistication of attack hardest element to…; No increase in budget for defenses. Bar values are not recoverable from the transcript.]

Making The Right Investment
• In a 2014 study HC CISOs gave themselves an average maturity rating of 4.35 on a scale of 1-7
• Many report missing critical technologies to fight today’s threats
• More than half of healthcare entities spend less than 3% of their IT budget on data protection
• Less than half have a full time CISO or information security manager
• Many healthcare security managers are first timers

Regulations
• OCR’s permanent audit program will resume in FY 2015 with new capabilities.
• Improvements and automation in reporting and handling complaints.
• Meaningful Use audits are evolving in scope and impact.
• The FTC’s enforcement has been upheld by the courts.
• Business associates will present new risks for covered entities.
• States continue to create new laws.
• When organizations tell consumers they will protect their personal information, the FTC can and will take enforcement action to ensure they live up to these promises.
“Covered entities and business associates must understand that security is their obligation.”
– Sue McAndrew, OCR

Page 13: McMillan ppt

The Cost of Security
• Discovery, Notification & Response
• Business Disruption
• ID Theft Monitoring
• Investigation/Review
• Law Suit Defense
• State Actions
• Federal CAP/RA
• Civil Penalties
• Criminal Penalties
• Insurance
• Degradation of Brand/Image
• Distraction of Staff
• Physician Alignment/Nurses and Staff Agreement
• Patient Confidence/Loyalty
• HCAHPS Score Impacts
• VBP Payments Impacts

5. Final Discussion

Questions?
Contact [email protected], 512.405.8555