SIMPLE. STRONG. ENCRYPTION.
Todd Merrill
Protecting PHI with encryption for HIPAA compliance
August / 18 / 2010 GlobalCrypto.com
© 2010. GlobalCrypto.
Todd Merrill, CEO GlobalCrypto
@ToddMerrill
http://www.linkedin.com/in/toddmerrill
HIPAA, seriously?
What does one experience once they’ve grown cold to HIPAA compliance threats?
HIPAAthermia
What do you call someone who complains incessantly about HIPAA?
HIPAAchondriac
The Bailout Bill of 2009 (ARRA)
The Financial Stimulus bill of Feb. 2009
(American Recovery and Reinvestment Act)
Title XIII, Subtitle D (Privacy and Security)
Subtitle A (Promotion of HIT)
http://hipaanews.org/
The Players
Covered Entities
Business Associates
“The Secretary” HHS
Timeline
Feb 17, 2009 ARRA passed, new tiered civil penalties, state enforcement
April 2009 +60d list of encryption technologies published
Aug 2009 +180d breach notification regs published
Dec 31 2009 HHS must adopt certain technical standards
Feb 18, 2010 + 1yr several studies due
Timeline continued
Feb 18, 2010 +1yr
BA accountability rules effective
BA requirements clarified
Right to restrict disclosures to health plans
Limited set of data is minimum to satisfy standard
Right to electronic access/copy
Clarification of imposition of criminal penalties on individuals
Civil penalty money flows to OCR to fund enforcement
Requirement for Secretary to periodically audit CE & BA
Timeline (part 3)
Aug 18, 2010 +18 mo
Prohibition on sale of data
Report due on how to give some HIPAA penalty $ to victims
Regs on imposition of civil penalties for willful neglect
Jan 1, 2011 accounting for new disclosure rules effective
Feb 18, 2011 +2yr
Clarification on ability to pursue civil penalties vs. criminal
Requirement for monetary civil penalties for willful neglect
Timeline (part 4)
Feb 18, 2012 +3yr
Regulations for giving victims a % of HIPAA penalties
2013: Newer systems must comply with disclosure rules
2014: Older systems must comply with disclosure rules
Feb 2014 +5yr: GAO study on ARRA impact
2016: Extended deadline for older systems to comply with disclosure rules
The Changes
Privacy and Security
Enforcement
Non-HIPAA entity provisions
Admin/studies/reports/education
The Information: PHI
Permitted Use
Incidental Use
Public Benefit
Research
Disclosures: patient may request logs of all disclosures
Safeguards
Business Associate Agreements
What are they
What is covered
Who is covered
Section 13401 changes things
Breach of Protected Health Information
Definition of a Breach
“The unauthorized acquisition, access, use or disclosure of protected health information”
Unless the breach occurs within the scope of a professional relationship
Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case - MarketWatch (press release) - Tue, 27 Jul 2010 18:11:39 GMT+00:00
Breach Notification
Was it a breach?
1. Meets the definition
2. Info was not protected by encryption-like technology
Without Encryption:
BA’s report breaches to the Covered Entity
The Covered Entity reports to the compromised individuals
Notification Requirements
Notice must be given within 60 days of discovery
Discovery happens when one employee knows
All breaches are reported to the HHS Secretary via the CE
In an annual log if fewer than 500 records are breached
Immediately if 500 or more records are breached
(The media will be alerted & you will be famous)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html
HIPAA Enforcement changes
Direct Accountability for BAs (Section 13401/13404)
Criminal Penalties (Section 13409)
HIPAA violation leads to jail time
The case, involving a former UCLA employee, is the first to result in incarceration for unauthorized access of patient medical records.
By Pamela Lewis Dolan, amednews staff. Posted June 7, 2010.
Civil Penalties
Section 13410(a) requires the HHS Secretary formally investigate any credible complaint of willful neglect and impose civil monetary penalties if guilty.
Section 13410(c) gives civil monetary penalties to the HHS to be used for enforcement purposes (vs. the general treasury)
GAO must develop a way for victims to receive a portion of penalties collected by Feb 2012.
Penalties
Old law:
$100 / violation
$25,000 annual max
Post ARRA law:
$50,000 / violation possible
$1.5M annual max
Unless the violation is corrected within 30 days, or in cases of willful neglect (criminal penalties)
Penalties (details)
Type of Offense                             Minimum                              Maximum
Person didn't know, but should have         $100/violation, $25k annual max      $50k/violation, $1.5M annual max
Reasonable cause, but not willful neglect   $1,000/violation, $100k annual max   $50k/violation, $1.5M annual max
Willful neglect, but corrected quickly      $10k/violation, $250k annual max     $50k/violation, $1.5M annual max
Willful neglect, not corrected              $50k/violation, $1.5M annual max     $50k/violation, $1.5M annual max
Audits
HHS Secretary must now conduct periodic compliance audits.
State AGs are empowered to enforce too.
Penalty money now flows into an enforcement fund.
Remuneration will be given to those who were compromised.
Security Rule—Administrative (164.308(a))
Security Management Process
Assigned Security Responsibility
Workforce Security
Information Access Management
Security Awareness and Training
http://www.sans.org/security-resources/policies/#hipaa
Security Rule—Incident Procedures (164.308)
Contingency Plan
Evaluation
BA Contracts and other Arrangements
Security Rule—Physical (164.310)
Facility Access Controls
Workstation Use
Workstation Security
Device and Media Controls
Confidential data of thousands of hospital employees compromised by data breach
July 27, 2010 12:17 AM
A Boise, Idaho-based hospital announced last week that a computer server backup tape containing the personal information of thousands of its employees has gone missing.
Security Rule—Technical (section 164.312)
Access control
Audit controls
Integrity
Person or entity authentication
Transmission security
http://privacy.med.miami.edu/glossary/xd_technical_safeguards_matrix.htm
Simple ways PHI gets compromised
Loss of equipment, laptops, servers, flash drives, phone
Improper disposal of paper records
Emailing information between organizations
Lack of HTTPS on a web site with forms
Emailing web forms back to your office
Compromise of Web Server Database
Sharing of login credentials / lack of controls
Open Wi-fi (home/office/coffee shops/hotels)
Encryption is a technical Silver Bullet
Encryption at Rest
Encrypt information while it’s being stored
On a server (web, email, network share)
On a local hard drive
On local removable media
In your email inbox
Encryption in Motion
Encrypt information as it moves across the web
Point to Point (HTTPS, sFTP, Web Portals)
End to End (encrypted Email, document encryption)
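Document-level encryption of a single PHI record, the kind of at-rest and end-to-end protection the two slides above describe, as an added example that is not from the deck or from GlobalCrypto's product. It uses only Go's standard library; the 32-byte key, the record ID used as associated data, the nonce||ciphertext||tag layout and the sample record are assumptions chosen for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds AES-256-GCM; the GCM tag makes any alteration of a stored record detectable.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one PHI record, binding the record ID as AAD so ciphertext moved to another row fails to open.
func sealRecord(key []byte, recordID string, phi []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record, never reused
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, phi, []byte(recordID)), nil
}

// openRecord reverses sealRecord; any error means the PHI must be treated as unreadable.
func openRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed record too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(recordID))
}

func main() {
	key := make([]byte, 32) // constructed demo key; production keys belong in a key management system
	rand.Read(key)
	sealed, _ := sealRecord(key, "patient-42", []byte("MRN 000123; dx: hypertension")) // constructed PHI
	fmt.Printf("%d bytes at rest, unreadable without the key\n", len(sealed))
}
```

Decryption with the wrong record ID, a flipped ciphertext byte, a truncated blob or a wrong-length key all return an error rather than plausible-looking plaintext, which is the property that makes encrypted media a non-event under the breach rule.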
Ideal technical solution
Encrypts at rest
Encrypts in motion, end-to-end
Provides audit logging, robust audit trail
Housed in a secure data center
Provides encrypted, automated archival
Enforces strong, unique access controls
Simple to use