Protecting PHI with encryption for HIPAA compliance


Description: A walk-through of the new HIPAA regulations found in the ARRA bill (HITECH). Encryption of PHI is a must.

Transcript of Protecting PHI with encryption for HIPAA compliance

Page 1: Protecting PHI with encryption for HIPAA compliance

SIMPLE. STRONG. ENCRYPTION.

Todd Merrill

Protecting PHI with encryption for HIPAA compliance

August 18, 2010, GlobalCrypto.com

Page 2

© 2010. GlobalCrypto.

Todd Merrill, CEO GlobalCrypto

@ToddMerrill

http://www.linkedin.com/in/toddmerrill

Page 3

HIPAA, seriously?

What does one experience once they’ve grown cold to HIPAA compliance threats?

HIPAAthermia

What do you call someone who complains incessantly about HIPAA?

HIPAAchondriac

Page 4

The Bailout Bill of 2009 (ARRA)

The Financial Stimulus bill of Feb. 2009

(American Recovery and Reinvestment Act)

Title XIII, Subtitle D (Privacy and Security)

Subtitle A (Promotion of HIT)

http://hipaanews.org/

Page 5

The Players

Covered Entities

Business Associates

“The Secretary” HHS

Page 6

Timeline

Feb 17, 2009: ARRA passed; new tiered civil penalties; state enforcement

April 2009 (+60 days): list of encryption technologies published

Aug 2009 (+180 days): breach notification regs published

Dec 31, 2009: HHS must adopt certain technical standards

Feb 18, 2010 (+1 yr): several studies due

Page 7

Timeline continued

Feb 18, 2010 (+1 yr):

BA accountability rules effective

BA requirements clarified

Right to restrict disclosures to health plans

Limited set of data is minimum to satisfy standard

Right to electronic access/copy

Clarification of imposition of criminal penalties on individuals

Civil penalty money flows to OCR to fund enforcement

Requirement for Secretary to periodically audit CE & BA

Page 8

Timeline (part 3)

Aug 18, 2010 (+18 mo):

Prohibition on sale of data

Report due on how to give some HIPAA penalty $ to victims

Regs on imposition of civil penalties for willful neglect

Jan 1, 2011: accounting for new disclosure rules effective

Feb 18, 2011 (+2 yr):

Clarification on ability to pursue civil penalties vs. criminal

Requirement for monetary civil penalties for willful neglect

Page 9

Timeline (part 4)

Feb 18, 2012 (+3 yr):

Regulations for giving victims a % of HIPAA penalties

2013: Newer systems must comply with disclosure rules

2014: Older systems must comply with disclosure rules

Feb 2014 (+5 yr): GAO study on ARRA impact

2016: Extended deadline for older systems to comply with disclosure rules

Page 10

The Changes

Privacy and Security

Enforcement

Non-HIPAA entity provisions

Admin/studies/reports/education

Page 11

The Information: PHI

Permitted Use

Incidental Use

Public Benefit

Research

Disclosures

Patient may request logs of all disclosures

Safeguards

Page 12

Business Associate Agreements

What are they

What is covered

Who is covered

Section 13401 changes things

Page 13

Breach of Protected Health Information

Definition of a Breach

“The unauthorized acquisition, access, use or disclosure of protected health information”

Unless the breach occurs within the scope of a professional relationship

Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case - MarketWatch (press release) - Tue, 27 Jul 2010 18:11:39 GMT+00:00

Page 14

Breach Notification

Was it a breach?

1. Meets the definition

2. Info was not protected by encryption-like technology

Without Encryption:

BAs report breaches to the Covered Entity

The Covered Entity reports to the compromised individuals

Page 15

Notification Requirements

Notice must be given within 60 days of discovery

Discovery happens when one employee knows

All breaches are reported to the HHS Secretary via the CE:

• In an annual log if fewer than 500 records are breached

• Immediately if 500 records are breached

(The media will be alerted & you will be famous)

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html
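As an added example (not code from the deck or from GlobalCrypto), here is the two-step test on page 14 and the notification rules on page 15 written as a small Go triage helper. The type, field and function names are constructed for this example. It assumes the deck's reading that 500 or more breached records means immediate HHS reporting with media notice, and that the 60-day clock starts on the earliest date any workforce member knew, since the deck says discovery happens when one employee knows.

```go
package main

import (
	"fmt"
	"time"
)

// BreachFacts holds the facts the deck says decide the notification path.
// The field names are constructed for this example.
type BreachFacts struct {
	MeetsDefinition         bool        // unauthorized acquisition, access, use or disclosure of PHI
	WithinProfessionalScope bool        // the deck's carve-out: within the scope of a professional relationship
	Encrypted               bool        // PHI was protected by encryption-like technology
	FoundByBA               bool        // a business associate found it, so it is reported via the CE
	KnownBy                 []time.Time // dates on which individual workforce members learned of it
	RecordsAffected         int
}

// Assessment is the triage result.
type Assessment struct {
	NotificationRequired bool
	Discovered           time.Time
	NotifyIndividualsBy  time.Time
	ReportPath           string // who tells whom
	HHSReport            string // "immediate" or "annual log"
	MediaNotice          bool
	Reason               string
}

const (
	notifyWithinDays = 60  // notice within 60 days of discovery
	hhsImmediateAt   = 500 // annual log if fewer than 500 records, immediate at 500
)

// discoveryDate returns the earliest date anyone in the workforce knew.
// The deck's point is that discovery happens when one employee knows,
// not when the incident finally reaches the privacy officer.
func discoveryDate(known []time.Time) (time.Time, bool) {
	if len(known) == 0 {
		return time.Time{}, false
	}
	earliest := known[0]
	for _, t := range known[1:] {
		if t.Before(earliest) {
			earliest = t
		}
	}
	return earliest, true
}

// Assess applies the deck's two-step test (meets the definition, and the PHI
// was not encrypted) and then derives the deadline and reporting obligations.
func Assess(f BreachFacts) Assessment {
	switch {
	case !f.MeetsDefinition:
		return Assessment{Reason: "does not meet the definition of a breach"}
	case f.WithinProfessionalScope:
		return Assessment{Reason: "occurred within the scope of a professional relationship"}
	case f.Encrypted:
		return Assessment{Reason: "PHI was protected by encryption-like technology"}
	}
	a := Assessment{NotificationRequired: true, Reason: "unencrypted PHI was breached"}
	if d, ok := discoveryDate(f.KnownBy); ok {
		a.Discovered = d
		a.NotifyIndividualsBy = d.AddDate(0, 0, notifyWithinDays)
	}
	a.ReportPath = "CE -> individuals"
	if f.FoundByBA {
		a.ReportPath = "BA -> CE -> individuals"
	}
	if f.RecordsAffected >= hhsImmediateAt {
		a.HHSReport = "immediate"
		a.MediaNotice = true
	} else {
		a.HHSReport = "annual log"
	}
	return a
}

func main() {
	// Constructed incident: a BA lost a backup tape; a technician knew on
	// July 1, the privacy officer only heard about it on July 9.
	f := BreachFacts{
		MeetsDefinition: true,
		FoundByBA:       true,
		KnownBy: []time.Time{
			time.Date(2010, time.July, 9, 0, 0, 0, 0, time.UTC),
			time.Date(2010, time.July, 1, 0, 0, 0, 0, time.UTC),
		},
		RecordsAffected: 1200,
	}
	a := Assess(f)
	fmt.Printf("notify=%v discovered=%s deadline=%s path=%q hhs=%s media=%v\n",
		a.NotificationRequired, a.Discovered.Format("2006-01-02"),
		a.NotifyIndividualsBy.Format("2006-01-02"), a.ReportPath, a.HHSReport, a.MediaNotice)
}
```

The point the helper makes concrete is the interaction between the two pages: the encryption check on page 14 short-circuits everything on page 15, and the 60-day deadline is measured from the first employee's knowledge, so eight days lost between a technician and the privacy officer come straight out of the notification window.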

Page 18

HIPAA Enforcement changes

Direct Accountability for BAs (Section 13401/13404)

Criminal Penalties (Section 13409)

HIPAA violation leads to jail time

The case, involving a former UCLA employee, is the first to result in incarceration for unauthorized access of patient medical records.

By Pamela Lewis Dolan, amednews staff. Posted June 7, 2010.

Page 19

Civil Penalties

Section 13410(a) requires the HHS Secretary formally investigate any credible complaint of willful neglect and impose civil monetary penalties if guilty.

Section 13410(c) gives civil monetary penalties to the HHS to be used for enforcement purposes (vs. the general treasury)

GAO must develop a way for victims to receive a portion of penalties collected by Feb 2012.

Page 20

Penalties

Old law:

$100 / violation

$25,000 annual max

Post ARRA law:

$50,000 / violation possible

$1.5M annual max

Unless violation is corrected within 30 days or

willful neglect criminal penalties

Page 21

Penalties (details)

Type of offense                           | Minimum                             | Maximum
Person didn't know, but should have       | $100/violation, $25k annual max     | $50k/violation, $1.5M annual max
Reasonable cause, but not willful neglect | $1,000/violation, $100k annual max  | $50k/violation, $1.5M annual max
Willful neglect, but corrected quickly    | $10k/violation, $250k annual max    | $50k/violation, $1.5M annual max
Willful neglect, not corrected            | $50k/violation, $1.5M annual max    | $50k/violation, $1.5M annual max

Page 22

Audits

HHS Secretary must now conduct periodic compliance audits.

State AGs are empowered to enforce too.

Penalty money now flows into an enforcement fund.

Remuneration will be given to those who were compromised.

Page 23

Security Rule—Administrative (164.308(a))

Security Management Process

Assigned Security Responsibility

Workforce Security

Information Access Management

Security Awareness and Training

http://www.sans.org/security-resources/policies/#hipaa

Page 24

Security Rule—Incident Procedures (164.308)

Contingency Plan

Evaluation

BA Contracts and other Arrangements

Page 25

Security Rule—Physical (164.310)

Facility Access Controls

Workstation Use

Workstation Security

Device and Media Controls

Confidential data of thousands of hospital employees compromised by data breach

July 27, 2010 12:17 AM

A Boise, Idaho-based hospital announced last week that a computer server backup tape containing the personal information of thousands of its employees has gone missing.

Page 26

Security Rule—Technical (section 164.312)

Access control

Audit controls

Integrity

Person or entity authentication

Transmission security

http://privacy.med.miami.edu/glossary/xd_technical_safeguards_matrix.htm

Page 27

Simple ways PHI gets compromised

Loss of equipment, laptops, servers, flash drives, phone

Improper disposal of paper records

Emailing information between organizations

Lack of HTTPS on a web site with forms

Emailing web forms back to your office

Compromise of Web Server Database

Sharing of login credentials / lack of controls

Open Wi-fi (home/office/coffee shops/hotels)

Page 28

Encryption is a technical Silver Bullet

Page 29

Encryption at Rest

Encrypt information while it’s being stored

On a server (web, email, network share)

On a local hard drive

On local removable media

In your email inbox

Page 30

Encryption in Motion

Encrypt information as it moves across the web

Point-to-point (HTTPS, SFTP, web portals)

End-to-end (encrypted email, document encryption)

Page 31

Ideal technical solution

Encrypts at rest

Encrypts in motion, end-to-end

Provides audit logging, robust audit trail

Housed in a secure data center

Provides encrypted, automated archival

Enforces strong, unique access controls

Simple to use

Page 32

Questions & Follow up

Todd Merrill

[email protected]

678-521-5305