McMillan ppt
Transcript of McMillan ppt
12/8/2014
CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 [email protected] cynergistek.com ' @CynergisTek
Omnibus, Enforcement, Audits and Other Hot Topics
Presented by:
Mac McMillan
CEO, CynergisTek
Agenda
1. Key HITECH & Omnibus Rule Challenges
2. Enforcement Heats Up
3. Audits, Audits & More Audits
4. Hot Issues for 2014
5. Final Discussion
Questions
Key HITECH & Omnibus Challenges
Key Areas That Are Challenging
• Business Associates
• Breach Notification
• Right to Access & Restrictions
Business Associates
• Expands definition of business associate (BA) to include:
– any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity (CE)
– subcontractors
– patient safety organizations
– health information organizations
– e-prescribing gateways
– vendors of personal health records
• Omnibus makes BAs directly liable under the Security Rule and for the use and disclosure provisions of their contract and the Privacy Rule
• Omnibus makes CEs and BAs responsible for the actions of their “Agents”
• Omnibus reminds CEs to use Business Associate Agreements (BAA), but makes it clear that BAs are liable regardless
• Deadline for updating BAAs: September 23, 2014
Breach Notification
An impermissible acquisition, access, use or disclosure of protected health information is presumed to be reportable, unless the entity can demonstrate that there is a low probability that the PHI has been compromised.
• Safe harbor for encrypted PHI
• Exceptions for certain inadvertent and incidental uses & disclosures
Breach Notification
A risk assessment is required to demonstrate a low probability of compromise. Factors:
• The nature and extent of PHI involved
• The unauthorized person who used the PHI or to whom the disclosure was made
• Whether the PHI was actually acquired or viewed
• The extent of mitigation present
• Additional factors can be considered
Access & Restrictions: A Patient’s Right
Omnibus provides for expanded rights of access and to request restrictions:
• Electronic PHI Copies – Expands the right to an electronic copy of any PHI stored electronically in a designated record set
• Directing Personal Information – Individual has a right to direct that the information be sent to another individual
• 30/30 Rule – Provides 30 fewer days to provide offsite information
• Health Plan Disclosure – Provides for restriction of disclosure to a health plan if the individual pays in full and in cash, and requests it
• Unencrypted Email Transmission – Information may be transmitted using unencrypted email so long as the entity warns the recipient of the risks
Enforcement Heats Up
Enforcement
• Business associates (including their subcontractors) are subject to civil money penalties and other enforcement actions for noncompliance with applicable provisions of HIPAA.
• Omnibus Rule retains the definition of willful neglect as “conscious, intentional failure or reckless indifference to the obligation to comply” with HIPAA.
• Requirement that OCR first attempt informal resolution through voluntary compliance was removed.
Breach Notification
Omnibus redefines reasonable cause for determination of penalties:
• Nature and Extent of Violation – Including the number of individuals affected and the duration of the violation
• Nature and Extent of Violation (Harm) – Including the results of harm to an individual, either physical, financial, or reputational, as well as any hindrance to the individual’s ability to obtain healthcare
• Financial Condition of Offending Party – Including difficulties that could have affected compliance or if a monetary penalty could jeopardize the future provision of healthcare
• History of Prior Noncompliance – Including similar prior indications of noncompliance and the offending party’s responses to them
• Such other matters as justice may require
Enforcement
FTC settles cases through Consent Orders. Issues in the settled cases:
• Improper disposal of hard copy PHI
• P2P file sharing software on workstation exposing personal information (appealed to ALJ)
• Unencrypted laptop
• Failure to monitor overseas business associate’s information security
Cases, each with 20 years of monitoring: CVS, Rite Aid, Accretive Health, LabMD, GMR Transcription
Audits, Audits & More Audits
OCR Phase 2 Audit Program
• Budget for audit activities has been approved
• Permanent audit program slated to begin in FY 2015 (some time after October 1)
• Pre-audit survey to pre-screen 1200 entities
• ~200 covered entities to be selected for desk audits
• An equal or smaller number of BAs selected for desk audits
• Greater number of on-site audits, but no specific number given yet
• Implementing technology to facilitate data collection phases of audit process
• Carried out by HHS personnel with contractor support
Desk Audit Expectations
• Data request will specify content and other electronic document submission requirements.
• Only documentation that is submitted on time is reviewed.
• All documentation must be current as of the date of the request.
• Auditors will not be able to contact the entity for clarifications or ask for additional information, so it’s critical that documentation accurately reflects the program.
• Submission of extraneous information increases difficulty for auditor in finding and assessing required items.
• Failure to submit responses leads to compliance review.
Phase 2 Audit Scope
• FY 2015 Desk Audits of Covered Entities
– Security – Risk analysis and risk management
– Breach – Content and timeliness of breach notifications
• FY 2015 Desk Audits of Business Associates
– Security – Risk analysis and risk management
– Breach – Breach reporting to covered entities
• FY 2015-16 On-Site Comprehensive Audits
– Covered entities
– Business associates
Focused Audits 2016 & Beyond
Security
• Device and media controls
• Transcription security
• Encryption of data at rest
Privacy
• Administrative and physical safeguards
• Workforce training to HIPAA policies & procedures
Other Areas
• High risk areas identified through:
– 2015 audits
– Breach reports submitted to OCR
MU Audits
Figliozzi & Co. conducts audits on behalf of CMS. Entities chosen for audit receive letters requesting documentation within two weeks:
• Proof of EHR certification and method chosen to support reporting ED admissions.
• Documentation regarding completion of core set objectives and measures and completion of “menu” voluntary set objectives/measures.
MU Audits
• All organizations that have attested are subject to pre-payment, desk or onsite audit.
• Figliozzi & Co. on-site audits have been very strenuous and detail oriented: documentation, interviews, data calculations.
• Organizations have received requests to return funds and have two weeks to respond before penalties are added.
CMS SNF/NF Performance Surveys
• CMS conducts surveys of skilled nursing facilities and nursing facilities for compliance.
• Region IV pilot expands scope of Standard Survey to include HIPAA Privacy & Security Rule compliance.
• Facilities are required to complete a Directed Plan of Correction (DPOC) to resolve deficiency(s).
• Failure to comply could lead to suspension of participation in Medicare and Medicaid programs.
OIG Audits
• The Office of the Inspector General audits how CMS & OCR enforce compliance with their regulations:
– Provider use and protection of USB drives and port security
– CMS audit of user submissions for Meaningful Use
– OCR enforcement of HIPAA security rules
• Results are provided to OIG as well as the appropriate offices within OCR/CMS
• If deemed warranted, OCR/CMS can take action on issues identified through further investigation
Hot Issues for 2014 & Beyond
We Are Fighting a Cyber War
“If you know the enemy, and know yourself, then you may not fear the results of a hundred battles. If you know yourself but not the enemy, for every victory gained you will suffer a defeat.”
– Sun Tzu
He went on to say, “If you know neither the enemy nor yourself you will suffer a hundred defeats.”
A hundred of anything in a Chinese proverb is very good or very bad…
The Face of Cybercriminals in Healthcare
• 12 y/o learning computers in middle school
• 14 y/o home schooled girl tired of social events
• 15 y/o in New Zealand just joined a defacement group
• 16 y/o in Tokyo learning programming in high school
• 19 y/o in college putting course work to work
• 20 y/o fast food employee that is bored
• 22 y/o in Mali working in a carding ring
• 24 y/o black hat trying to hack whoever he can
• 25 y/o soldier in East European country
• 26 y/o contractor deployed overseas
• 28 y/o in Oregon who believes in hacktivism
• 30 y/o white hat who has a black hat background
• 32 y/o researcher who finds vulnerabilities in systems
• 35 y/o employee who sees a target of opportunity
• 37 y/o rogue intelligence officer
• 39 y/o disgruntled admin passed over
• 41 y/o private investigator
• 44 y/o malware author paid per compromised host
• 49 y/o pharmacist in midlife crisis
• 55 y/o nurse with a drug problem
USCERT Estimates 47% of All Cybercrime is Directed at Healthcare
• 4M medical records maintained on four workstations
• Physician loses laptop with psychiatric patients’ records
• Neurologic institute accidentally emails 10,000 patient records to 200 patients
• Phishing/hacking nets nearly $3M from six healthcare entities
• University reports laptop with patient information stolen out of a student’s car
• Vendor sells hospital’s X-rays (films) to third party
• Resident loses track of USB with over 500 orthopedic patients’ information
• Portable electronic device with patient data stolen from hospital
• Physician has laptop stolen from vacation home
• 2200 physicians victims of ID theft/tax fraud
• Stolen laptop from nurse’s home with patient data
• Printers returned to leasing company compromise thousands of patient records
• Health System reports third stolen laptop with 13,000 patient records
• 400 hospitals’ billings delayed as clearinghouse hit with ransomware
• And, on and on it goes…
New Threats Emerge
Black Hat 2014
• Snatching passwords w/ Google Glass
• Screen scraping VDI anonymously
• Compromising AD through Kerberos
• Remote attacks against cars
• Memory scraping for credit cards
• Compromising USB controller chips
• Cellular compromise through control code
• Free cloud botnets for malware
• Mobile device compromise through MDM flaws
• Cryptographic flaws and a Rosetta Stone
Increased Reliance
Hyper-connectivity, data sharing, extended supply lines, increased partnering, engagement strategies, etc., create opportunity and risk.
• BYOD
• Physician Alignment
• Business Associates
• Patient Engagement
• HIPAA/HITECH
• Accountable Care Organization
• Meaningful Use
• ICD-10
• Research
• Telemedicine
• FISMA
• Health Information Exchanges
Trust, But Verify: The Insider Threat Erodes Confidence
• It is estimated that more than half of all security incidents involve staff.
• More than 70% of identity theft and fraud were committed by knowledgeable insiders – physicians, nurses, pharmacy techs, admissions, billing, etc.
• 2013 witnessed a 20% increase in medical identity theft.
• Traditional audit methods & manual auditing are completely inadequate.
• Behavior modeling, pattern analysis and anomaly detection are what is needed.
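As an added example (not part of the McMillan deck or CynergisTek's tooling), the following Python shows what the slide's "behavior modeling, pattern analysis and anomaly detection" looks like in practice against EHR access-audit logs: each user's normal daily chart volume is modeled from their own history, and a day that spikes well above that baseline is flagged, as is any access to a patient outside the user's home unit by a role that normally stays within its unit. The log lines, user names, units, roles and thresholds are all constructed for the illustration.

```python
"""Anomaly detection over EHR access-audit logs (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records, one CSV line per chart access:
#   date,user,role,home_unit,patient_id,patient_unit
# The users, units and volumes are assumptions made for this example.
SAMPLE_LOG = "\n".join(
    # jdoe (ICU nurse): four ICU charts a day for four days, five on 11-04 ...
    [f"2014-11-0{d},jdoe,nurse,ICU,P10{d}{i},ICU" for d in range(3, 7) for i in range(4)]
    + ["2014-11-04,jdoe,nurse,ICU,P1049,ICU"]
    # ... then 14 charts on 11-07, six of them oncology patients
    + [f"2014-11-07,jdoe,nurse,ICU,P20{i:02d},ICU" for i in range(8)]
    + [f"2014-11-07,jdoe,nurse,ICU,P30{i:02d},ONC" for i in range(6)]
    # bkim (billing): three charts a day across units, normal for the role
    + [f"2014-11-0{d},bkim,billing,BILL,P40{d}{i},{u}"
       for d in range(3, 8) for i, u in enumerate(("ICU", "ONC", "ED"))]
    # mpatel (oncologist): three oncology charts a day
    + [f"2014-11-0{d},mpatel,physician,ONC,P50{d}{i},ONC" for d in range(3, 8) for i in range(3)]
)

# Roles whose work legitimately spans every unit (assumption for the example)
ROAMING_ROLES = {"billing", "coder", "him"}
FIELDS = ("date", "user", "role", "home_unit", "patient_id", "patient_unit")


def parse_log(text):
    """Turn CSV audit lines into dicts keyed by FIELDS, skipping blank lines."""
    return [dict(zip(FIELDS, line.split(","))) for line in text.splitlines() if line.strip()]


def daily_counts(records):
    """{user: {date: number of charts opened that day}}"""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        counts[r["user"]][r["date"]] += 1
    return counts


def volume_anomalies(records, z=2.0, min_jump=3, min_baseline_days=3):
    """Flag (user, date, count, threshold) when a day's volume exceeds the
    user's own baseline. The baseline is leave-one-out (every other day that
    user was active), so a spike does not inflate its own threshold. With only
    a few baseline days the standard deviation is unreliable, so at least
    min_jump extra charts are required before a day is flagged."""
    flagged = []
    for user, days in daily_counts(records).items():
        for day, count in sorted(days.items()):
            baseline = [c for d, c in days.items() if d != day]
            if len(baseline) < min_baseline_days:
                continue
            threshold = mean(baseline) + max(z * pstdev(baseline), min_jump)
            if count > threshold:
                flagged.append((user, day, count, round(threshold, 2)))
    return flagged


def unit_mismatches(records, roaming_roles=ROAMING_ROLES):
    """Accesses to patients outside the user's home unit, ignoring roles
    (billing, coding) whose job is to touch every unit's charts."""
    return [r for r in records
            if r["role"] not in roaming_roles and r["patient_unit"] != r["home_unit"]]


def analyze(text):
    """Run both detectors over raw log text and return their findings."""
    records = parse_log(text)
    return {"volume": volume_anomalies(records), "unit": unit_mismatches(records)}


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for user, day, count, threshold in findings["volume"]:
        print(f"VOLUME  {user} on {day}: {count} charts (baseline threshold {threshold})")
    for r in findings["unit"]:
        print(f"UNIT    {r['user']} ({r['role']}, {r['home_unit']}) opened "
              f"{r['patient_id']} from {r['patient_unit']} on {r['date']}")
```

On the constructed data the billing user's cross-unit access and the oncologist's steady volume produce nothing, while the ICU nurse's 14-chart day is flagged against a baseline of four to five, and the six oncology charts opened that day are flagged individually. The leave-one-out baseline and the minimum-jump floor are the two design choices that keep a short history from either masking or over-reporting a spike; a production system would add the factors the slide alludes to (shift schedule, patient relationship, VIP records) as further signals.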
Resilient Supply Chains: Vendor Management is Critical
• Greater due diligence in vetting vendors
• Security requirements in contracting should be SLA based
• Particular attention to cloud, SaaS, infrastructure support, critical service providers
• Life cycle approach to data protection
• Detailed breach and termination provisions
Medical Devices Threaten People & Information
• In June 2013 the DHS tested 300 devices from 40 vendors, and ALL failed.
• In response, the FDA issued guidance for manufacturers and consumers addressing design, implementation and radio frequency considerations.
The headline read: “Yes, Terrorists Could Have Hacked Dick Cheney’s Heart.”
– The Washington Post, October 21, 2013
Administrative Discipline: Process – Discipline – Vigilance
• 3.4 million BotNets identified
• 20-40% of recipients in phishing exercises fall for the scam
• 26% of malware delivered via HTML; one in fewer than 300 emails infected
• Malware analyzed was found undetectable by nearly 50% of all anti-virus engines tested
• As of April 2014 Microsoft no longer provides patches for Windows XP, Windows 2003 and Windows 2000, NT, etc.
• EOL systems still prevalent in healthcare networks
• Hardening, patching, configuration, change management…all critical
• Objective testing and assessment
Embrace Mobility of Data: Manage The Data, Not The Device
• Medical staff are turning to their mobile devices to communicate because it’s easier, faster, more efficient…but it is not secure
• Sharing lab or test results, locating another physician for a consult, sharing images of wounds and radiology images, updating attending staff on patient condition, getting direction for treatment, locating a specialist and collaborating with them, transmitting trauma information or images to EDs, prescribing or placing orders
• Priority placed on the data first and the device second
• Restrict physical access where possible, encrypt the rest
Lose Assets, Not Data
• 1 in 4 houses is burglarized, a B&E happens every 9 minutes, more than 20,000 laptops left in airports
• First rule of security: no one is immune
• 138%: the % increase in records exposed in 2013
• 83%: the % of large breaches involving theft
• 6 – 10%: the average shrinkage rate for mobile devices
• Typical asset inventories are off by 60%
“That’s a big number because it’s meant to drive home the point that unencrypted laptops and mobile devices pose significant risk to the security of patient information.”
– Sue McAndrew, OCR
Targeted Attacks Are Rising: Lower Your Risk Profile
• Defenses are not keeping pace
• Three most common attacks: spear phishing, Trojans & malvertising
• APTs, phishing, water cooler attacks, fraud, etc.
• Most organizations can’t detect or address these threats effectively
• An advanced incident response capability is required
• Results in losses of time, dollars, downtime, reputation, breaches, litigation, etc.
• Conduct independent risk assessments regularly
“I feel like I am a targeted class, and I want to know what this institution is doing about it!”
– Anonymous Doctor, FAHC
[Chart “Targeted Attacks” (scale 0–100): organizations suffering a targeted attack; sophistication of attack hardest element to…; no increase in budget for defenses]
Making The Right Investment
• In a 2014 study HC CISOs gave themselves an average maturity rating of 4.35 on a scale of 1-7
• Many report missing critical technologies to fight today’s threats
• More than half of healthcare entities spend less than 3% of their IT budget on data protection
• Less than half have a full time CISO or information security manager
• Many healthcare security managers are first timers
Regulations
• OCR’s permanent audit program will resume in FY 2015 with new capabilities.
• Improvements and automation in reporting and handling complaints.
• Meaningful Use audits are evolving in scope and impact.
• The FTC’s enforcement has been upheld by the courts.
• Business associates will present new risks for covered entities.
• States continue to create new laws.
• When organizations tell consumers they will protect their personal information, the FTC can and will take enforcement action to ensure they live up to these promises.
“Covered entities and business associates must understand that security is their obligation.”
– Sue McAndrew, OCR
The Cost of Security
• Discovery, Notification & Response
• Business Disruption
• ID Theft Monitoring
• Investigation/Review
• Lawsuit Defense
• State Actions
• Federal CAP/RA
• Civil Penalties
• Criminal Penalties
• Insurance
• Degradation of Brand/Image
• Distraction of Staff
• Physician Alignment/Nurses and Staff Agreement
• Patient Confidence/Loyalty
• HCAHPS Score Impacts
• VBP Payments Impacts
Final Discussion
Questions?
Contact [email protected]
512.405.8555