HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations.
Posted: 18-Dec-2015. Category: Documents
Transcript of HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations.
First Consulting Group
Presentation Agenda
Security Introduction
Security Component Requirements and Impacts
– Administrative Procedures
– Physical Safeguards
– Technical Security Services
– Technical Security Mechanisms
Summary
Presentation Objectives
At the end of this presentation, you should:
Understand the background for the security regulations
Understand the specific HIPAA security components
Understand the business and technology impacts of the HIPAA security components
Begin to understand the gaps between the current environment and the HIPAA security requirements
Security Introduction
Definition
Organizational Threats
Principles
Key Points of Security Rule
Structure
Categories
Definition
“The purpose of security is to protect both the system and the information it contains from unauthorized access from without and misuse from within.” –draft Security Rule
Security also protects information from alteration, destruction or loss
Security should reasonably ensure the confidentiality, integrity and availability of health care information
Organizational Threats
Type of Threat / Description / Examples

Internal threats:
– Accidental: No intent; usually carelessness, low awareness or lack of training
  Examples: Employee leaves application logged on to patient record and walks away; employee leaves patient charts in open area in clear view of patients; employee discards confidential information in regular trash receptacle where others can access
– Abuse of privileges: Authorized access for unauthorized purpose with no malicious intent or personal gain
  Example: Employee accesses colleague’s medical record with concern about his recent hospitalization
– Intentional: Malicious intent or personal gain; authorized access for unauthorized purpose with malicious intent or for personal gain
  Example: Supervisor accesses employee’s medical record to determine mental health status so that she can potentially be fired

External threats:
– Targeted: Unauthorized access by accessible means
  Examples: Terminated employee whose password was never deleted from the system uses access privileges to uncover confidential information about former boss; employee imposter steals PC database containing HIV patients
– Random: Unauthorized access by pure technical means
  Example: Hacker breaks into network and accesses confidential information
Principles
Healthcare security is about risk mitigation
– Operational risk
– Financial risk
– Regulatory risk
– Fraud risk
“The standard does not address the extent to which a particular entity should implement the specific features. Instead, we would require that each affected entity assess its own security needs and risks and devise, implement, and maintain appropriate security to address its business requirements.” –draft Security Rule
Key Points of Security Rule: Source
Security requirements were taken from the National Research Council’s report For the Record: Protecting Electronic Health Information
“This report presents findings and recommendations related to health data security, and…concludes that appropriate security practices are highly dependent on individual circumstances…
“It is therefore not possible to prescribe in detail specific practices for all organizations; rather, each organization must analyze its systems, vulnerabilities, risks and resources to determine optimal security measures. Nevertheless, the committee believes that a set of practices can be articulated in a sufficiently general way that they can be adopted by all health care organizations in one form or another.”
Key Points of Security Rule: Standards
Organizations must therefore establish a reasonable “defensible position” for security compliance
– Develop specifications for security requirements
– Determine what technologies to implement to meet those specifications
– Balance usability and cost with risk
We can set the community standard for these practices in the Pacific Northwest
Key Points of Security Rule: Standards (cont.)
The standards are not only scalable, but technology neutral as well
Covered entities must establish and maintain reasonable and appropriate…safeguards
Healthcare organizations must ensure the protection of all electronic PHI
– Final rule may also cover PHI in paper format to align with final HIPAA Privacy rule
Policies and procedures must be developed to implement both the Privacy and Security Rules
Key Points of Security Rule: More Standards
Business processes related to security functions within the organization must be formally documented, implemented, and enforced throughout the organization
Proposed standards for Electronic Signatures currently coupled with the Security Standards will be removed and published separately
The final Security Rule will be harmonized with the final Privacy Rule
Structure
The current HIPAA Security standards are organized into five categories:
1. Administrative Procedures
2. Physical Safeguards
3. Technical Security Services (applications)
4. Technical Security Mechanisms (networks)
5. Electronic Signatures *
* For the purposes of this discussion only the first four categories will be addressed
Administrative Procedures
Administrative Procedures: formal policies and procedures to address operating procedures, management controls, personnel requirements, audit mechanisms and disciplinary procedures
– Security management/maintenance
– Security training
– Internal system certification
– Procedures upon employee hire, transfer, or termination
– System security audits
– Chain of trust partner agreements
– Contingency plan
– Information access control
– Security incident procedures
Physical Safeguards
Physical Safeguards: formal policies and procedures to protect health information from threats of fire, disaster, and unauthorized access
– Security responsibility and accountability
– Media control
– Physical access to data
– Workstation use and location
– Security awareness training
Technical Security Services
Technical Security Services: measures to control and monitor information access
– Employee access controls, such as passwords
– System audits
– Intrusion and detection alarms
– Automatic logoffs
– Telephone callback procedures
– Message authentication
– Integrity controls
– Data authentication
Technical Security Mechanisms
Technical Security Mechanisms: mechanisms to guard against unauthorized access to data that is transmitted over a communication network
– Employee access controls
– Entity authentication
– Message authentication
– Integrity controls
– Encryption
– Alarms
– Audit trail
– Event reporting
Security Requirements and Impacts
Administrative Procedures
Physical Safeguards
Technical Security Services
Technical Security Mechanisms
Administrative Procedures – Rules
Certification: technical evaluation certifying that systems and network meet pre-defined criteria
– Example: Annual certification audit
Chain-of-Trust Partner Agreement: Contract to secure integrity of data transmission with any third parties
– Example: Claims processing
Contingency Plan: Includes application and data criticality analysis, data backup plan, disaster recovery plan, emergency mode operation plan, and testing and revision procedures
– Example: Business continuity plans
Formal Record Processing Mechanisms: Policies and procedures for receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information
– Example: PC hard drive disposal
Administrative Procedures – Rules (cont.)
Information Access Controls: Policies and procedures for granting different levels of access to health care information
– Example: Application profile documentation
Internal Audit: Ongoing in-house review of the records of system activity (log-ins, file accesses and security incidents)
– Example: Proactive, defensible review of PHI activity
Personnel Security: Granting of access to health information via an authorization process
– Example: Card key access systems to file rooms, background checks, maintenance of security personnel
Security Configuration Management: Procedures to ensure that routine changes to system hardware and/or software do not create security weaknesses
– Example: Routine pre- and post-implementation procedures
Administrative Procedures – Rules (cont.)
Security Incident Procedures: Documented instructions for reporting and reviewing security breaches
– Example: Reporting pathways (anonymous if necessary)
Security Management Process: Processes to ensure the prevention, detection, containment and correction of security breaches. Includes risk analysis, risk management, sanction policy and security policy
– Example: Annual risk level reviews
Termination Procedures: Procedures for securing systems upon employee termination
– Example: Exit interviews and checklists
Training: User education and awareness training
– Example: Incorporated awareness training with existing programs
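The Organizational Threats table (a colleague’s record, a supervisor’s look-up, a terminated employee whose password was never deleted) and the Internal Audit and Termination Procedures items above describe the kind of review an audit log supports. The following Python is an added example, not from the deck or from First Consulting Group: it reads constructed audit-log lines plus a constructed HR feed and flags the two patterns for follow-up; the user ids, MRNs, dates and log format are all made up.

```python
from datetime import date

# Constructed audit log (not from the deck): timestamp, user id, action, patient MRN.
AUDIT_LOG = """\
2002-03-01T09:12:00 nurse_k VIEW 000123
2002-03-01T09:40:00 jsmith VIEW 000777
2002-03-02T22:05:00 bjones VIEW 000555
2002-03-03T10:00:00 nurse_k VIEW 000777
2002-03-03T10:02:00 bjones VIEW 000123
"""

# Constructed HR feed: user id -> termination date. Termination procedures should
# have disabled the account; this check catches the ones that were missed.
TERMINATED = {"bjones": date(2002, 2, 15)}

# Constructed mapping of records that belong to workforce members: MRN -> user id.
EMPLOYEE_PATIENTS = {"000777": "jsmith"}


def parse_entry(line: str) -> dict:
    ts, user, action, mrn = line.split()
    return {"ts": ts, "user": user, "action": action, "mrn": mrn}


def review_audit_log(log_text: str) -> list:
    """Return findings as (rule, user, detail) tuples for the internal audit function."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_entry(raw)
        day = date.fromisoformat(entry["ts"][:10])

        # Rule 1: any activity on an account after its owner's termination date.
        term_date = TERMINATED.get(entry["user"])
        if term_date is not None and day > term_date:
            findings.append(("terminated-account-active", entry["user"], entry["ts"]))

        # Rule 2: a workforce member's record opened by a different workforce member
        # (the deck's colleague and supervisor examples). This is a flag for human
        # review, not a conclusion: a treatment relationship may be legitimate.
        owner = EMPLOYEE_PATIENTS.get(entry["mrn"])
        if owner is not None and owner != entry["user"]:
            findings.append(("workforce-member-record", entry["user"], entry["mrn"]))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review_audit_log(AUDIT_LOG):
        print(rule, user, detail)
```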
Administrative Procedures – Impact
Most organizations have inadequate security policies and procedures
This requires additional resources for updates and development efforts
Ensuring all security policies and procedures are enforced throughout the organization requires cooperation from all employee levels
Integration of chain of trust partner agreement language may require new contracts with third parties
Providing security awareness training for all employees requires a detailed training program with ongoing maintenance
Physical Safeguards – Rules
Assigned Security Responsibility: Security responsibility assigned to a specific individual(s)
– Example: Security committee
Media Controls: Policies and procedures that govern the receipt and removal of hardware and software into and out of a facility. Includes data backup, storage and disposal
– Example: Property accountability documentation
Physical Access Controls: Limiting physical access to systems. Includes the following: disaster recovery, emergency mode operation, equipment control, facility security, physical access verification, maintenance records, need-to-know procedures, visitor sign-in, and testing and revision of all components
– Example: Data center restrictions
Physical Safeguards – Rules (cont.)
Workstation Use: Instructions and procedures delineating secure use of computer workstations
– Example: Acceptable workstation usage guidelines
Workstation Location: Safeguards for secure location of computer workstations
– Example: Monitor position in public areas
Security Awareness Training: Security awareness training for all employees, agents and contractors
– Example: Incorporated awareness training with existing programs
Physical Safeguards – Impacts
In order to properly address security issues, organizational charts and individual responsibilities may need review
Workstation use must be addressed through employee education and consistent enforcement of policies and procedures
Physical access controls and secure workstation locations may affect current business practices
Technical Security Services – Rules
Access Control: Restricted access to health information by need-to-know
– Example: Application access based on job description
Audit Controls: Audit control mechanisms to record and examine system activity
– Example: Turn on network event logs to allow for appropriate audits
Authorization Control: Mechanisms for obtaining consent for use and disclosure of health information
– Example: Application functionality which allows “flagging”
Data Authentication: Ability to corroborate that data have not been altered or destroyed
– Example: Use of checksum, double keying or digital signature to assure the data are not altered
Entity Authentication: Ability to corroborate that a user is who he claims to be
– Example: Biometric ID or unique usernames and passwords
Technical Security Services – Impact
Some systems in use today may not have adequate security controls to comply
Implementation of access controls for systems must be an integrated effort between business and IT
System processing and storage requirements may increase to support enhanced auditing capabilities
Group IDs and shared passwords will not be permitted
Technical Security Mechanisms – General Rules
For all systems:
Integrity Controls: A security mechanism employed to ensure the validity of the information being electronically transmitted or stored
– Example: Approved/unapproved network protocols
Message Authentication: Ensuring, typically with a message authentication code, that a message received (usually via a network) matches the message sent
– Example: Verification that the data packet sent is the one received
Access Controls or Encryption: Protection of sensitive communications over open or private networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient, OR transforming confidential plaintext into ciphertext to protect it
– Example: VANs may eliminate the need for certain encryption technologies
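The Data Authentication item (checksum, double keying or digital signature) and the Message Authentication item (a message authentication code) differ in whether a shared secret is involved, and that difference decides which alterations the receiver can detect. The following Python is an added example, not from the deck or from First Consulting Group: it runs a constructed claim record through an unkeyed CRC-32 checksum and a keyed HMAC-SHA256 tag and shows that only the keyed tag catches a record that was changed and had its checksum recomputed; the record, key and field names are placeholders.

```python
import hashlib
import hmac
import zlib

# Constructed sample claim record and shared secret (placeholders, not real data).
RECORD = b"MRN=000123|PATIENT=J. Doe|DX=I10|AMOUNT=120.00"
SHARED_KEY = b"placeholder-shared-key-for-demo"


def checksum(data: bytes) -> int:
    """Unkeyed integrity check: anyone can recompute it over changed data."""
    return zlib.crc32(data) & 0xFFFFFFFF


def mac(data: bytes, key: bytes) -> str:
    """Keyed message authentication code: a valid tag needs the shared key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def checksum_ok(data: bytes, expected: int) -> bool:
    return checksum(data) == expected


def mac_ok(data: bytes, key: bytes, expected: str) -> bool:
    # Constant-time comparison of the received tag and the recomputed one.
    return hmac.compare_digest(mac(data, key), expected)


def receiver_outcomes() -> dict:
    """Return (checksum passed, MAC passed) for three delivery scenarios."""
    sent_crc = checksum(RECORD)
    sent_mac = mac(RECORD, SHARED_KEY)

    # Accidental corruption in transit: one bit flipped in the first byte.
    corrupted = bytes([RECORD[0] ^ 0x01]) + RECORD[1:]

    # Deliberate alteration: the amount is changed and the unkeyed checksum is
    # recomputed to match. The tag cannot be recomputed without the key, so the
    # receiver still sees the original tag alongside the altered record.
    altered = RECORD.replace(b"120.00", b"1200.00")
    altered_crc = checksum(altered)

    return {
        "intact": (checksum_ok(RECORD, sent_crc), mac_ok(RECORD, SHARED_KEY, sent_mac)),
        "corrupted": (checksum_ok(corrupted, sent_crc), mac_ok(corrupted, SHARED_KEY, sent_mac)),
        "altered": (checksum_ok(altered, altered_crc), mac_ok(altered, SHARED_KEY, sent_mac)),
    }


if __name__ == "__main__":
    for scenario, (crc_passed, mac_passed) in receiver_outcomes().items():
        print(f"{scenario:10s} checksum ok={crc_passed}  MAC ok={mac_passed}")
```

A digital signature gives the same alteration detection without a shared secret, at the cost of key distribution; the deck lists it as an alternative under Data Authentication.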
Technical Security Mechanisms – Network Rules
If using a network for communications:
Alarm: In communication systems, any device that can sense an abnormal condition within the system and provide, either locally or remotely, a signal indicating the presence of the abnormality
– Example: Devices that sense abnormal conditions
Audit Trail: The data collected and potentially used to facilitate a security audit
– Example: Audit log retention
Technical Security Mechanisms – Network Rules (cont.)
If using a network for communications:
Entity Authentication: A communications or network mechanism to irrefutably identify authorized users, programs, and processes and to deny access to unauthorized users, programs and processes
– Example: Unique identification
Event Reporting: A network message indicating operational irregularities in physical elements of a network or a response to the occurrence of a significant task, typically the completion of a request for information
– Example: Network messages indicating operational abnormalities
Technical Security Mechanisms – Impacts
Implementation of access controls to the network must be an integrated effort between the business and IT
Use of new network security technologies (e.g. encryption) will require significant end user training
Group IDs and shared passwords will not be permitted
Network alarms, audit trail, and event reporting requirements may require additional resources and technologies to ensure compliance
Summary
Areas of impact on health care organizations will be:
– Development, documentation and training of policies and procedures
– Assignment and operation of security responsibility
– Identifying and contracting chain of trust agreements with trading partners
– Training workforce members on information security and altering the confidentiality culture
– Implementing access controls, authorization controls and entity authentication for all systems
– Identifying and implementing the “right” technical solutions
The Bottom Line
The Privacy regulations have been the top priority for HHS; the final Security Rule is expected in August 2002
Compliance is 26 months after the final rule is published
At the present time, there is no indication who will be the enforcement agency, when enforcement will be effective, and how enforcement will be conducted
Resources
Association for Electronic Health Care Transactions (AFEHCT):
– Impacts of HIPAA (particularly EDI)
– Security Self-Evaluation Checklist
http://www.afehct.org
American Health Information Management Association (AHIMA):
– Benchmark information and case studies
– Interim Steps for Getting Started
http://www.ahima.org/hipaa.html
American Society for Testing and Materials (ASTM):
– Standards guides for security
http://www.astm.org
Center for Healthcare Information Management (CHIM):
– Up-to-date industry perspective on proposed rules and their status
http://www.chim.org
Computer-Based Patient Record Institute (CPRI):
– CPRI Security Toolkit
http://www.cpri-host.org
Department of Health and Human Services HIPAA Administrative Simplification:
– Latest News on Regulations
– Current proposed and final rules
http://aspe.hhs.gov/admnsimp/index.htm
Electronic Healthcare Network Accreditation Commission (EHNAC):
– Certification Program for HIPAA Compliance (under development)
http://www.ehnac.org
Resources (cont.)
For the Record: Protecting Electronic Health Information (National Academy Press, 1997) 800-624-6242
– Full Report
http://www.nap.edu
Health Privacy Forum:
– Comparison of Privacy proposed and final rules
– Comparison of state privacy laws
http://www.healthprivacy.org
HIMSS: Protecting the Security and Confidentiality of Healthcare Information (Volume 12, Number 1, Spring 1998)
– Articles
http://www.himss.org
HIPAA Home Page http://www.hcfa.gov/hipaa/hippahm.htm
HIPAA Transaction Implementation Guides from the Washington Publishing Company
http://www.wpc-edi.com
Joint Healthcare Information Technology Alliance (JHITA):
– Summary of Privacy rules
– Upcoming HIPAA conferences
http://www.jhita.org
Links to other HIPAA sites http://www.hcfa.gov/medicare/edi/hipaaedi.htm
Medicare EDI http://www.hcfa.gov/medicare/edi/edi.htm
Resources (cont.)
National Uniform Billing Committee http://www.nubc.org
National Uniform Claims Committee http://www.nucc.org
Washington Publishing Company:
– ANSI ASC X12N HIPAA Implementation Guides
http://www.wpc-edi.com/hipaa
Subscribe to email release of HIPAA documents (such as notice of proposed rule making)
http://www.hcfa.gov/medicare/edi/admnlist.htm
Workgroup for Electronic Data Interchange (WEDI):
– Details of SNIP effort (Strategic National Implementation Pilot)
http://www.wedi.org