Recovering from a Breach: Strategies for Reporting and Responding to OCR (slide transcript, March 21, 2016)
CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 [email protected] cynergistek.com � @CynergisTek
Recovering from a Breach: Strategies for Reporting and Responding to OCR
Presented by: David Holtzman, Vice President for Compliance
CynergisTek, Inc.
Synergistic: The name “CynergisTek” came from the synergy realized by combining the expertise of the two co-founders: building scalable, mature information security programs and architecting enterprise technical solutions.
Founded in 2004: CynergisTek has been providing services to our clients since 2004, but many of our clients have been with one or both of the founders since well before the company was founded.
Securing the Mission of Care: CynergisTek services are specifically geared to address the needs of the healthcare community, including providers, payers, and the business associates who provide services to those entities.
Consulting Services: CynergisTek provides consulting services and solutions around information security, privacy, IT architecture, and audit, with a specific focus on regulatory compliance in healthcare.
Today’s Presenter: David Holtzman, CynergisTek, Inc.
• Vice President of Compliance Services, CynergisTek, Inc.
• Subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules
• Over 12 years of experience in developing, implementing and evaluating health information privacy and security compliance programs
• Former senior advisor for health information technology and the HIPAA Security Rule, Office for Civil Rights
Agenda
• Considerations of Timing of Notice
• OCR Breach Reporting Portal
• Prepare for the Omnibus Request
• Priorities for Preparation
Considerations of Timing of Breach Notification
HIPAA Notification & the BA Trap
• Without unreasonable delay to individuals affected
• In no case later than 60 days following discovery
• Notification to OCR when individual notice is sent
• Breach “at or by a business associate”
– Covered entity is ultimately responsible for ensuring individuals are notified
– Covered entity may delegate responsibility for providing individual notices to the business associate
State Notification Triggers HIPAA Notice
Approaches to Reporting on OCR Breach Portal
Covered Entity or Business Associate?
Breach Start and Discovery Dates
Type of PHI Involved in Breach
What Safeguards Were in Place?
What Breach Actions Have Been Taken?
Attesting to Accuracy of Information
Prepare for the Investigation
The “Omnibus Request”
• OCR Breach Investigation Document Request Letter
– 15 to 20 separate interrogatories for documentation to meet a specific standard or specification
– Documentation of the incident and the response
– LoProCo (low probability of compromise) breach risk assessment
– Notification letters to patients and media (if needed)
– Last HIPAA Security Rule enterprise-wide risk assessment
– Steps taken to address gaps found in the last risk assessment
– Policies, procedures and safeguards demonstrating that administrative, physical & technical safeguards are in place
Key Issues in OCR’s Enforcement Cases
• Business Associate Agreements
• Risk Analysis
• Failure to Manage Identified Risk, e.g. Encrypt
• Lack of Transmission Security
• Lack of Appropriate Auditing
• No Patching of Software
• Insider Threat
• Improper Disposal
• Insufficient Data Backup and Contingency Planning
OCR Corrective Action Plans
• Most resolution agreements cite the Security Rule
– Enterprise-wide risk analysis is the foundation
– Expectation that encryption is used on all portable and mobile devices & media
– Encryption of network servers when reasonable and appropriate
– Management and controls of devices & media
– Contingency planning
Priorities For Preparation
Get Prepared: Practice Response
• Does each breach response team member know his/her responsibilities?
• Do you have documentation to support that there was no unreasonable delay in notification?
• Have you considered what state breach issues will be triggered?
• Do you have your response to the breach portal practiced and planned?
• Are you prepared for OCR’s Omnibus Request?
Questions?
David Holtzman
512.405.8550 x7020
@HITprivacy