TRICARE Your Military Health Plan: TRICARE Self-Service Options
Driving Information Governance: Compliance, Security, and...
Transcript of Driving Information Governance: Compliance, Security, and...
© 2015 © 2015
Driving Information Governance: Compliance, Security, and Privacy as a Base for Information Governance
Kathy Downing, MA, RHIA, CHPS, PMP Director Practice Excellence AHIMA Twitter: HIPAAqueen #IGNOW
© 2015 © 2015
• Discuss information governance as used in other industries
• Outline how the IG Principles of Compliance and Information Protection lay a framework for enterprise wide information governance
• Identify links from security and privacy
Objectives for this Webinar
© 2015 © 2015
• MasterCard • Motorola • AutoTrader • McKesson • UBS
Information Governance – Not just HealthCare
© 2015 © 2015
HIPAA Penalty Tiers Show the Importance of Information Governance
• Each Violation - $100-$50,000 • All such violations/yr $1,500,000
Did not know or by reasonable diligence
would not have known
• Each Violation - $1,000-$50,000 • All such violations/yr $1,500,000
Reasonable Cause
• Each Violation - $10,000-$50,000 • All such violations/yr $1,500,000
Willful Neglect – Corrected 30 days
• Each Violation - $50,000 • All such violations/yr $1,500,000
Willful Neglect – Not corrected
4
© 2015 © 2015
• St. Joseph Health System reports that as many as 405,000 records may have been compromised, but actual damage remains speculative.
• Massive breach at health care company Anthem Inc
The Year of the HealthCare Hack
© 2015 © 2015
• HIPAA data breaches climb 138 percent • Information on 4.9 million Tricare Management Activity
beneficiaries was stolen from a Science Applications International Corporation employee’s car in 2011.
• This year, Complete Health Systems, based in Tennessee, reported that a network server was hacked and personal information was stolen, affecting 4.5 million people around the country.
• Illinois-based Advocate Health and Hospitals Corporation reported the theft of company computers, which impacted almost 4.03 million individuals in 2013.
• Health Net in California had a data breach in 2011 that affected 1.9 million people. In that case, IBM alerted Health Net that several unencrypted server hard drives were missing from a California-based data center.
HIPAA Breaches Reach 30M Patients
© 2015 © 2015
• If your organization has a breach and patient information is not the target of the attack there is still reputational damage and local concern.
• Enterprise wide effort to protect information, not just clinical information.
Information Governance – How could it help?
© 2015 © 2015
• Consider the insider threat • Malicious • Accidental • Solution
– Trust and policy are not enough. – Organizations must invest in security, risk,
and information governance training and enforcement.
Insider Threat
© 2015 © 2015
• Discover and classify sensitive data – and uncover compliance risks – automatically
• Know who is accessing data, spot anomalies, and stop data loss with real-time data, application, and file activity monitoring
• Rapidly analyze data usage patterns to uncover and remediate risks
Analyze sensitive data:
© 2015 © 2015
Overall the average cost of a data breach across all industries was $194 per record. The cost of a data breach in healthcare was $240 per record. Before we examine what makes up these costs, let’s look at some of the financial impact of a data breach.
• # of records / Cost • 1 $240 • 10 $2,400 • 100 $24,000 • 1,000 $240,000 • 10,000 $2,400,000
Ponemon Study on Cost of a Breach
© 2015 © 2015
• Turnover of existing customers • Diminished customer acquisition • Detection and escalation costs • Notification costs • Post data breach costs
Cost of a Breach Per Ponemon
© 2015 © 2015
Appropriate levels of protection from breach, corruption and loss must be provided for information that is private, confidential, secret, classified, essential to business continuity, or otherwise requires protection...
Protection
AHIMA.ORG/INFOGOV
Must address all sources, all media and must apply throughout the life of the information.
© 2015 © 2015
• Security Officers often focus efforts on: – Clinical data – Electronic data
• Expansion of the security officer’s role to Information Governance
• Involvement in business continuity and disaster recovery planning
• Involvement in access management
Security Roles and Information Governance
© 2015 © 2015
• Does your organization have technical controls in place to safeguard information?
• Are technical controls defined, implemented and managed centrally?
• Are advanced controls and systems like encryption, master data management being evaluated and implemented?
• Is there a program of continuous monitoring, auditing, and improvement of technical safeguards?
Exercise #1
© 2015 © 2015
OCR Audit Outcomes By Issue
12%
14%
7%
18% 4% 14%
8%
14%
9% Risk Analysis
Access Management
Security Incident Procedures
Contingency Planning and Backups
Workstation Security
Media Movement and Destruction
Encryption
Audit Controls and Monitoring
Integrity Controls
© 2015 © 2015
• Administrative - Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.
• Physical – physical measures, policies, and procedures to protect a
covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.
• Technical issues – The technology and the policy and procedures for its
use that protect electronic protected health information and control access to it.
Security Safeguards
16
© 2015 © 2015
Every organization handles confidential information – If a risk analysis is not conducted, then:
• How will you effectively know what the risks are to your
information?
• How will you adequately determine if controls are implemented and appropriate?
• How will management and stakeholders make informed decisions?
• How will you establish an acceptable level of risk?
Risk Assessment and Information Governance
© 2015 © 2015
Assessment A judgment about
something based on an understanding of
the situation
Analysis The close
examination of something in detail in
order to draw conclusions from it
Assessment vs. Analysis
© 2015 © 2015
1. Nature and extent of PHI involved 2. Unauthorized person who used the PHI
or to whom it was disclosed 3. Whether the PHI was actually acquired
or used 4. Extent to which the risk to the PHI has
been mitigated
4 New Risk Assessment Factors (§164.402)[78FR5639]
19
© 2015 © 2015
Vulnerability or Gap
Asset, Process or Capability Something
Bad Happening Control or
Safeguard
RISK
Threat 1. Exploits or compromises a......
2. which leads to a........
3. that can damage an.....
4. and result in.... 5. But this can be
minimized by a....
6. which protects against a......
Relationships Surrounding Risk
© 2015 © 2015
Using Infection As An Example
Threat • Germ • Bacteria • Microorganism
Vulnerability • Mouth • Nose • Wounds
Impact • Rash • Infection • Disease
Control • Medication • Hand washing • Surgery
© 2015 © 2015
International Organization of Standardization (ISO) provides guidance in the ISO 27005
standard which specifies a structured, systematic process for analyzing risks to
create a risk treatment plan
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Revision 1, Guide for Conducting Risk Assessments
provides guidance for carrying out each of the steps in their risk analysis process
Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) provides a
standard approach for a risk-driven and practice-based information security evaluation
Industry Recognized Risk Analysis Methodologies
© 2015 © 2015
• Information Governance for mobile computing can include building security into the mobile applications.
• Are your nurses texting your physicians? • How are they identifying patients? • Do you offer encrypted texting options?
Information Governance for Mobile Devices
© 2015 © 2015
Smart Phones with personal computer-like functionality
Laptops, netbooks and ultrabooks
Tablet computers
Universal Serial Bus (USB) devices (thumb drives)
Digital cameras
Radio frequency identification (RFID) devices
What Are Mobile Devices?
Source: Mobile Device Security, 2013 AHIMA Convention, Brian Evans , CISSP, CISM, CISA, CGEIT
© 2015 © 2015
Greatest Data Protection Risks
Only 19 percent say their organizations actually know how much regulated data is on mobile devices
Source: The Risk of Regulated Data on Mobile Devices & in the Cloud – Ponemon Institute June 2013
© 2015 © 2015
Theft or physical loss
Stored/synchronized data to a public cloud
Inadvertent or maliciously leaked information
Eavesdropped or intercepted communication
Unauthorized access
Unauthorized or unlicensed software
Malware and malicious code
Jail breaking (Apple) or Rooting (Android)
Mobile Device Threats
© 2015
Use a password or other user authentication Install or enable encryption Install or activate wiping and/or remote disabling
Disable and do not install file-sharing applications Install or enable a firewall Install or enable security software
Keep security software up-to-date Research mobile applications (apps) before downloading Maintain physical control of your mobile device Use VPNs to send or receive health information over public Wi-Fi networks Delete all stored health information before discarding or reusing the mobile device
Ensure Minimum Security Requirements
Source: Office of National Coordinator
© 2015 © 2015
• Requires a cross functional IG team • Clarify how mobile devices are being used
– EHR Access – Financial system access – Email
• Consider legal and compliance issues • Consider Mobile Device Management • Develop your Communications and Training
Plan • Update and Fine-Tune – this one can’t stay on
the shelf!
Information Governance Mobile Device Policy
© 2015 © 2015
• An MDM solution would enforce certain security control settings on a personally-owned device to comply with organizational policy – Concern: Users may consider this unacceptable since it
manages the entire device – “Once you become part of our network, we are going to
apply our network policies to your device” – A wipe or kill command could erase personal data
• MDM can control what apps are allowed on a device – Some organizations have created their own “App store”
Mobile Device Management (MDM)
29
© 2015 © 2015
• HIPAA privacy rule 2003 • Privacy Officer, Privacy Official in Place • Time to expand this role outside of clinical
information. • Enterprise wide standards • Enterprise wide access • Paper and electronic
Privacy Roles and Information Governance
© 2015
OCR Audit Outcomes By Issue
18%
8%
17%
7%
9%
11%
4% 2%
Business Associates
Identify Verification
Minimum Necessary
Authorizations
Deceased Individuals
Personal Representatives
Judical and AdministrativeProcedures
Group Health Plan Requirements
Source: ocr.gov
© 2015 © 2015
• Has your organization fully implemented identity access management?
• Is access managed through a central process according to minimum necessary?
• Do you have “access creep”?
Exercise #2
© 2015 © 2015
• Gather all the facts of the potential breach • Document specifically who, when, where, why
and how the situation occurred • Identify those impacted and what PHI was
potentially compromised • Analyze & evaluate all the facts objectively to
determine whether or not an impermissible access, use, or disclosure of PHI can be substantiated.
Breach Investigation Process
33
© 2015 © 2015
• Once a violation is substantiated outline the mitigation, sanctions, education, and prevention remediation actions that will be taken
• Confirm your notification processes • Document all actions and communications (internal
and/or external)
Breach Investigation Process – More than just clinical
34
© 2015
Breach Response / Incident Management Process
© 2015
Discovery and Report
• Workforce shall report any potential event that adversely affects the confidentiality, integrity, or availability of Institutional Information, regardless of form (electronic or paper).
© 2015
Breach Response / Incident Management Team • Chief Information Officer • Chief Information Security Officer • Chief Medical Information Officer • Corporate Compliance Officer • Director, Health Information & Privacy • Director, Internal Audit • Director, Office of Institutional Assurances • Director, Risk Management • General Counsel • Hospital President • SCRI President • Research Integrity Officer • VP Human Resources • VP Marketing & Communications • Leaders from affected departments
© 2015 © 2015
• Not just Facebook! • Web Publishing
– Blogs, wikispaces – microblogging (twitter)
• Social Networking – LinkedIn • File Sharing / storage
– Google drive – Drop Box – Photo libraries
Information Governance & Social Media
© 2015 © 2015
• Lack of a Social Media Policy – Who can use social media – What they can state / discuss – Training is key
• Employees – accidental or intentional • Legal Risks
– This risk is avoidable with an information governance policy, guidelines, monitoring
Biggest Risks of Social Media
© 2015 © 2015
• Specifies authorized individuals • Clear distinctions between business and personal
use of social media and whether a person can use social media while at work.
• Strictly forbids any profanity, statements that could be defamatory, inflammatory,
• Outlines sanctions • Draws clear rules on use of company logos • Instructs employees shall not have an
expectation of privacy when using social media for company purposes.
• Outlines negative impact on brand.
IG Social Media Guideline Examples
© 2015 © 2015
• In Gartner's report from March of 2013 on the "Six Questions to Drive Records Management in Your Social Initiatives," it is clearly stated that social media content requires records management, just like all other content, but many organizations don't know how to create an effective management process.
• In 2015, more organizations will look to incorporate social media content in their policy definition and explore methods on enforcing the policy across the various systems.
Social Media Will Be Governed According to Policy
© 2015
Information practices and processes must comply with organization policies and all applicable laws, regulations, and standards.
Compliance
© 2015
• Share passwords or user credentials
• Allow the use of mobile devices by unauthorized users
• Store or send unencrypted confidential information
• Ignore security software updates
• Download applications from untrusted sources
• Leave mobile devices unattended
• Use unsecured Wi-Fi networks for sharing confidential information
• Discard devices without wiping all confidential information
• Ignore organizational policies and procedures
Enhance IG Awareness and Training
Source: Office of National Coordinator
Ensure users know what NOT to do:
© 2015 © 2015
• Information is being created at a pace faster than organizations can analyze and extract value from it, which means that the potential value of the information may be far greater than the actual value an organization is able to derive.
• Organizations simply cannot afford to ignore the value of their information assets.
Valuation of Information Assets
© 2015 © 2015
• In the last few years, there has been a tremendous uptick in the creation of information governance steering committees; however, there is still a need for an executive in each organization to drive the information governance initiative across their company.
• This executive must have the authority (and oversight) to manage the program.
New Leaders Will Continue to Emerge / The Evolution of the Privacy, Security, and Compliance Officer
© 2015 © 2015
• Formal IG Training • Awareness Program • Monitoring and Accountability • Regulatory and Legal Response
Workforce Awareness
© 2015 © 2015
• Information assets inventory • Information asset classification • Total cost of ownership • Managed inventory of information • Patient information request response
Compliance Expanded
© 2015 © 2015
• Compliance + • Privacy + • Security= • Chief Information Governance Officer
Wrap Up
© 2015 © 2015
• The Final HITECH Omnibus Rule (January 25, 2013) http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-
01073.pdf
• Combined HIPAA/Omnibus Rule http://www.hhs.gov/ocr/privacy/hipaa/administrative/co
mbined/index.html
• U.S. Department of Health and Human Services Office for Civil Rights: HIPAA Administrative Simplification - 45 CFR Parts 160, 162, and 164
• Information Governance, 2014. Robert F. Smallwood
Resources
49
© 2015 © 2015
IG PulseRate – a quick check into your organization’s IG maturity.
•Free instant assessment of the maturity level of IG in your organization available at www.IGIQ.com •Review and rate the key success measures that impact organizational IG maturity •Evaluate your organization’s strengths and help identify weaknesses that may be impeding your organization’s path to enterprise information governance
© 2015 © 2015
Driving IG for HealthCare: Recommended Reading
• Enterprise Health Information Management and Data Governance, 2015. Merida L Johns, PhD, RHIA.
• The Information Governance Initiative. “The Information Governance Initiative Annual Report”. 2014 and 2015 . New York, NY. www.IGinitiative.com
• The Joint Commission. “Information Management (IM) Chapter”, Comprehensive Accreditation Manual for Hospitals, 2014, Oakbrook Terrace, IL: The Joint Commission, 2014, pp.IM-1—IM-10.
• The Sedona Conference. “Commentary on Information Governance” The Sedona Conference® Working Group Series. A project of The Sedona Conference® Working Group on Electronic Document Retention and Production (WGI)
• AHIMA. “Information Governance Principles for Healthcare™” 2014. Chicago, IL. AHIMA, 2014. Available at: www.ahima.org/infogov
• ARMA International. “Generally Accepted Recordkeeping Principles”. ARMA International, 2013. Available at www.arma.org
• Cohasset Associates and AHIMA. “A Call to Adopt Information Governance Practices.” 2014 Information Governance in Healthcare. Minneapolis, MN.
• Cohasset Associates, 2015. Cohasset Associates and AHIMA. “Professional Readiness and Opportunity” 2015 Information Governance in Healthcare. Minneapolis, MN. Cohasset Associates, 2015.
• Implementing Health Information Governance, 2015. Linda Kloss, MA, RHIA, FAHIMA
© 2015