
CyberSheath Healthcare Compliance Paper

www.cybersheath.com

Bridging the HIPAA/HITECH Compliance Gap

Security insights that help covered entities and business associates achieve compliance


CyberSheath - Bridging the HIPAA/HITECH Compliance Gap

According to the 2014 Healthcare Breach Report by Bitglass [1], the healthcare industry accounts for 44% of all reported breaches over the past 18 years, with costs per HIPAA violation of up to $50,000 and $1,500,000 for recurring violations. These breaches risk the medical and financial well-being of breach victims and the credibility and future business of healthcare providers.

As a result, federal and state governments are responding to the growing public concern with stronger compliance regulations. The most sweeping of these regulations is the long-awaited Health Insurance Portability and Accountability Act (HIPAA) Final Omnibus Rule [2]. The Omnibus Rule represents landmark legislation that impacts nearly every aspect of healthcare data security and patient privacy. It consists of four rules:

1. Modification of the HIPAA Privacy, Security, and Enforcement Rules to include HITECH requirements
2. Modification of the Breach Notification Rule
3. Modification of the HIPAA Privacy Rule regarding the Genetic Information Discrimination Act of 2008
4. Additional modifications to the HIPAA Rules

These rules increase the privacy and security protections available under HIPAA by strengthening security standards, expanding the scope of accountability, offering financial incentives for achieving compliance, and imposing steep penalties for non-compliance.

The History of HIPAA and HITECH

HIPAA was brought into law in 1996 to help protect against the breach of personal medical information. It introduced a set of standards for medical privacy that went into effect over the next 10 years. The American Recovery and Reinvestment Act (ARRA), put into law in February 2009, raised the bar for cybersecurity with the Health Information Technology for Economic and Clinical Health Act (HITECH), which at the time experts called “the biggest change to the healthcare privacy and security environment since the original HIPAA privacy rule.”

[1] 2014 Healthcare Breach Report by Bitglass, http://pages.bitglass.com/healthcare-breach-report.html
[2] The Final Rule can be found at: www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf


The figure below, created by the team at ID Experts, illustrates HIPAA’s evolution since its start.


HITECH’s Impact on HIPAA

HITECH Introduced…

- Specific thresholds, response timeline, and methods of breach victim notification.
- Expansion of contractual obligations for security and privacy of PHI to subcontractors of business associates.
- A new definition of business associates and extension of the HIPAA privacy and security requirements to include business associates.
- Explicit authority for state Attorneys General to enforce HIPAA Rules and to pursue HIPAA criminal and civil cases against HIPAA covered entities (CEs), employees of CEs, or their business associates.
- Tiered increase in penalties for violations of these rules, some of them mandatory, with potential fines ranging from $25,000 to as much as $1.5 million, effective immediately.
- Provisions for more aggressive enforcement by the federal government.

Broader Accountability

Organizations that are subject to HIPAA are referred to as “covered entities”. HIPAA also extends to the organizations that deliver services to covered entities; these are known as “business associates” and, per the HITECH Act, include:

- Healthcare providers such as doctors, hospitals, etc.
- Healthcare insurance and health plan clearinghouses
- Businesses who self-insure
- Businesses that sponsor a group health plan and assist their employees with medical coverage
- Businesses that deliver services to other healthcare providers

Furthermore, per these regulatory laws, covered entities and business associates are required to ensure the following safeguards to protect patient data (electronic protected health information, or ePHI) in order to achieve compliance:

- Administrative safeguards to protect the integrity, confidentiality and availability of ePHI
- Physical safeguards to protect the integrity, confidentiality and availability of ePHI
- Technical safeguards to protect the integrity, confidentiality and availability of ePHI

Countdown to Compliance

The HITECH Act was signed into law in 2009 and promotes the use of Electronic Health Records (EHR) by physicians and hospitals. The Medicare EHR Incentive Program began in 2011; through it, eligible healthcare providers are offered financial incentives for adopting, implementing, upgrading or demonstrating meaningful use of EHR. The incentive payments will continue through 2016, which is the last year to begin participation in the program. Incentives will be offered until 2015, after which time penalties may be levied for failing to demonstrate meaningful use. Covered entities and business associates that struggled to reach compliance with HIPAA now face an even greater challenge with HITECH.



Compliance Requirement Breakdown

Covered entities and business associates must abide by the following list of requirements:

# Requirement: Description

1. Breach Notification Policy: Defines how the Covered Entity will respond to security and/or privacy incidents, or suspected privacy and/or security incidents, that result in a breach.
2. Security Management Process: Describes processes the organization implements to prevent, detect, contain and correct security violations relative to its ePHI.
3. Risk Analysis: Discusses what the organization should do to identify, define and prioritize risks to the confidentiality, integrity and availability of its ePHI.
4. Risk Management: Defines what the organization should do to reduce the risks to its ePHI to reasonable and appropriate levels.
5. Sanction Policy: Indicates actions that are to be taken against employees who do not comply with organizational security policies and procedures.
6. Information System Activity Review: Describes processes for regular organizational review of activity on its information systems containing ePHI.
7. Assigned Security Responsibility: Describes the requirements for the responsibilities of the Information Security Officer.
8. Workforce Security: Describes what the organization should do to ensure ePHI access occurs only by employees who have been appropriately authorized.


9. Authorization and/or Supervision: Identifies what the organization should do to ensure that all employees who can access its ePHI are appropriately authorized or supervised.
10. Workforce Clearance Procedure: Reviews what the organization should do to ensure that employee access to its ePHI is appropriate.
11. Termination Procedures: Defines what the organization should do to prevent unauthorized access to its ePHI by former employees.
12. Information Access Management: Indicates what the organization should do to ensure that only appropriate and authorized access is made to its ePHI.
13. Access Authorization: Defines how the organization provides authorized access to its ePHI.
14. Access Establishment and Modification: Discusses what the organization should do to establish, document, review and modify access to its ePHI.
15. Security Awareness & Training: Describes elements of the organizational program for regularly providing appropriate security training and awareness to its employees.
16. Security Reminders: Defines what the organization should do to provide ongoing security information and awareness to its employees.
17. Protection from Malicious Software: Indicates what the organization should do to provide regular training and awareness to its employees about its process for guarding against, detecting and reporting malicious software.


18. Log-in Monitoring: Discusses what the organization should do to inform employees about its process for monitoring log-in attempts and reporting discrepancies.
19. Password Management: Describes what the organization should do to maintain an effective process for appropriately creating, changing and safeguarding passwords.
20. Security Incident Procedures: Discusses what the organization should do to maintain a system for addressing security incidents that may impact the confidentiality, integrity or availability of its ePHI.
21. Response and Reporting: Defines what the organization should do to be able to effectively respond to security incidents involving its ePHI.
22. Contingency Plan: Identifies what the organization should do to be able to effectively respond to emergencies or disasters that impact its ePHI.
23. Data Backup Plan: Discusses organizational processes to regularly back up and securely store ePHI.
24. Disaster Recovery Plan: Indicates what the organization should do to create a disaster recovery plan to recover ePHI that was impacted by a disaster.
25. Emergency Mode Operation Plan: Discusses what the organization should do to establish a formal, documented emergency mode operations plan to enable the continuance of crucial business processes that protect the security of its ePHI during and immediately after a crisis situation.


26. Testing and Revision Procedure: Describes what the organization should do to conduct regular testing of its disaster recovery plan to ensure that it is up-to-date and effective.
27. Applications and Data Criticality Analysis: Reviews what the organization should do to have a formal process for defining and identifying the criticality of its information systems.
28. Evaluation: Describes what the organization should do to regularly conduct a technical and non-technical evaluation of its security controls and processes in order to document compliance with its own security policies and the HIPAA Security Rule.
29. Business Associate Contracts and Other Arrangements: Describes how to establish agreements that should exist between the organization and its various business associates that create, receive, maintain or transmit ePHI on its behalf.
30. Facility Access Controls: Describes what the organization should do to appropriately limit physical access to the information systems contained within its facilities, while ensuring that properly authorized employees can physically access such systems.


Getting the Right Resources and Skills

The healthcare industry's migration to Electronic Health Records (EHR) will enable providers to deliver better care more efficiently, but cybersecurity will become a critical success factor in every health organization's future. Everyone stands to gain in this prodigious shift, and no one can afford to lose.

It can often become overwhelming for a healthcare provider to ensure that all systems and processes meet the criteria for HIPAA and the HITECH Act. Even when the minimum criteria are met, it doesn’t necessarily mean that PHI is secure. Covered entities and business associates must partner with established and proven cybersecurity services providers who can ensure their migration, implementation, operations, and maintenance fulfil their promises. Covered entities and business associates should look for the following key skill-sets and resources when evaluating potential partnerships for cybersecurity services:

- Professional services that go beyond technical proficiency
- A “healthcare-friendly” partner with a proven track record
- An ability to work seamlessly with other integrators, as well as plug into existing programs
- An appropriate infrastructure with true physical isolation, from hardened facilities to data vaults
- A Defense-in-Depth approach that includes physical and logical access and policy controls
- Multiple facility fail-over provisions that support the organization’s plan across regions
- Continuous monitoring, including operational and security staffing that’s 24x7x365
- Third Party Attestation for Vendor Compliance in HIPAA, FISMA, PCI DSS, and DIACAP

Achieving HIPAA and HITECH Compliance with CyberSheath

At CyberSheath, we understand the cybersecurity challenges covered entities and business associates face in ensuring ePHI is protected, and we enable our customers to have the confidence that they are able to comply with HIPAA/HITECH obligations. Our industry-leading security services help covered entities and business associates understand their regulatory responsibilities and achieve compliance.


Mapping CyberSheath’s Security Services to the HIPAA and HITECH Security Standards & Rules


HIPAA Security Standards and Rules, mapped to CyberSheath Service Delivery Outcomes:

Business Associate Contracts and Other Arrangements (§ 164.308(b)(1)), (§ 164.314(a)(1))
  Third Party Security and Oversight:
  - Identification of Critical Vendors
  - Vendor Security Due Diligence Program
  - Documentation Review Process

Contingency Plan (§ 164.308(a)(7)); Access Control (§ 164.312(a)(1))
  Business Continuity Management:
  - Cradle to Grave Data Backup Process
  - Business Impact Analysis Process
  - Disaster Recovery Planning and Testing
  - Recovery Time Objectives for Critical Functions

Security Management Process (§ 164.308(a)(1)); Assigned Responsibility (§ 164.308(a)(2)); Security Incident Procedures (§ 164.308(a)(6))
  Security Operations:
  - Contextual Access Controls
  - Cradle to Grave Patch Management
  - Efficient Asset Management
  - Intrusion Detection and Endpoint Protection

Facility Access Controls (§ 164.310(a)(1)); Workstation Use (§ 164.310(b)); Workstation Security (§ 164.310(c))
  Physical Security:
  - Holistic Environment Protections
  - Reliable Facility Access Control Capability
  - Geographical Risks for Critical Assets


Workforce Security (§ 164.308(a)(3)); Security Awareness and Training (§ 164.308(a)(5))
  Human Resource Security:
  - Secure Hire and Term Processes
  - Security Awareness Training
  - Specialized Training for Security Organization
  - Increased Resiliency with Insider Threats

Access Control (§ 164.312(a)(1)); Audit Controls (§ 164.312(b)); Integrity (§ 164.312(c)(1)); Person or Entity Authentication (§ 164.312(d))
  Security Architecture:
  - Infrastructure Design and Review Process
  - System Hardening for At-Risk / Critical Assets
  - Least Privilege Model Enforcement
  - Robust Identity Management Capability
  - Optimized Deployment of Security Tools

Security Management Process (§ 164.308(a)(1)); Assigned Responsibility (§ 164.308(a)(2)); Security Incident Procedures (§ 164.308(a)(6)); Evaluation (§ 164.308(a)(8)); Audit Controls (§ 164.312(b)); Policies and Procedures (§ 164.316(a)); Documentation (§ 164.316(b)(1))
  Comprehensive Cybersecurity Program:
  - Process Alignment
  - Strategic Security Roadmap
  - Defined Security Organization Hierarchy
  - Established Security Policies and Standards
  - Custom-fit Security Programs and Capabilities
  - Clear and Concise Security Metrics and Reporting


Cybersecurity Beyond Compliance

Checking the right boxes on your annual compliance audit does not mean you are immune from data breaches. Security must go beyond compliance, and our comprehensive suite of security services and solutions far exceeds the required mandates. We integrate your compliance and threat mitigation efforts to eliminate redundant security practices and increase security operations efficiency. Our services are delivered by some of the best experts in the industry, who will work closely with you to understand your unique challenges and provide pragmatic security solutions that tangibly address your specific risks.


© Copyright 2015 CyberSheath, for permission to reproduce, please contact CyberSheath at [email protected]

About CyberSheath

Co-founded by a Chief Information Security Officer for a Global Fortune 500 company and a Chief Executive Officer for an Inc. 500 company, CyberSheath applies business discipline to cyber security, enabling our customers to measure risk, meet compliance goals, prioritize investments, and improve overall security posture.

We’ve built a global network of best-in-class partners that we leverage as a force multiplier to deliver pragmatic, end-to-end solutions for our customers. Having been in the trenches as security practitioners and business executives, CyberSheath goes beyond the WHAT (best practices) and delivers the HOW (measurable results).