Training Your Business Associate Workforce: Understanding Obligations and Risk Exposure
Transcript of Training Your Business Associate Workforce: Understanding Obligations and Risk Exposure
Training Your BA Workforce: Understanding Obligations and Risk Exposure
June 26, 2014
Phyllis A. Patrick, MBA, FACHE, CISM, CHC
Robert J. Michalsky, CISSP, CSSLP
Session Topics
• Training and Awareness Requirements: HIPAA Security and Privacy Rules
• Key Components of Effective Security and Privacy Awareness Programs
• Breach Cases: Developing Strategies to Use Training and Awareness Programs to Minimize Risk Exposure
Understanding HIPAA Omnibus Obligations of Business Associates
Training and Awareness Requirements
Legislative History and BA Obligations
• 1996 – HIPAA
• 2003 – Privacy Rule
• 2005 – Security Rule
• 2009 – ARRA & HITECH
• 2010 – BA Liability
• 2013 – Omnibus Rule
BAs required to comply with interim final breach notification rule (9/23/09); BAs liable for certain privacy and security requirements under HITECH (2/18/10).
The Omnibus (Final) Rule
• Most significant change in the four Rules (privacy, security, breach, enforcement) is the impact on Business Associates.
• BAs have had contractual obligations to comply with HIPAA Privacy Rule (2003) and Security Rule (2005).
• HITECH BAs subject to statutory penalties for failure to comply with the HIPAA Privacy, Security, and Breach Notification Rules (45 CFR Parts 160 and 164, subpart E; 45 CFR parts 160 and 164, subpart C; 45 CFR parts 160 and 164, subpart D).
• HITECH implementing regs proposed including subcontractors in definition of BA.
• BAs now subject to legal obligations and enforcement risk.
Who are sub-contractors?
• “Sub-contractor” includes those acting on behalf of a sub-contractor.
• HIPAA requirements apply all the way down the sub-contracting chain as far as the PHI flows.
• Covered Entities must ensure that they obtain satisfactory assurances (in the form of a BAA) from their Business Associates, and Business Associates must do the same with regard to Sub-contractors, and so on, no matter how far down the chain the PHI flows.
• Both the contractor and all of its sub-contractors are Business Associates under the Final Rule to the extent they create, receive, maintain, or transmit PHI.
Sub-contractor Issues
• Sub-contractors must understand their responsibilities regarding HIPAA compliance. Who communicates this information to the sub-contractor, and how? What is included in the contract and/or the BAA to codify this?
• Business Associates must enter into agreements with their sub-contractors that include the same terms that have always been required for Business Associate Agreements.
Sub-contractor Issues (Cont’d)
• Challenge: HHS does not address the difficulty that companies handling information might face if they never know that they are a Subcontractor handling PHI.
• Service providers handling identifiable information should consider seeking representations and warranties from their customers that such customers are not Business Associates under HIPAA.
• Subcontractors must take care to include appropriate privacy and security language in their agreements where they are sharing PHI with vendors and suppliers.
HIPAA Security Rule
• Covered entities (and business associates) must “Implement a security awareness and training program for all members of its workforce (including management).” 45 CFR 164.308(a)(5)(i)
• Implementation Specifications include:
– Security Reminders – “Periodic security updates”
– Protection from Malicious Software – “Procedures for guarding against, detecting, and reporting malicious software”
– Log-in Monitoring – “Procedures for monitoring log-in attempts and reporting discrepancies”
– Password Management – “Procedures for creating, changing, and safeguarding passwords.”
45 CFR 164.308(a)(5)(ii)(A), (B), (C), and (D)
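As an added illustration of the Log-in Monitoring specification (“procedures for monitoring log-in attempts and reporting discrepancies”), the following Python script is not part of the original presentation or of either presenter's material. It scans authentication log lines, counts failed attempts per account inside a time window, and produces report lines for whoever reviews log-in discrepancies. The log line format, the sample lines, the failure threshold and the window size are all assumptions constructed for this example.

```python
"""
Minimal log-in monitoring check for the kind of procedure the Security Rule
asks for: scan authentication log lines, count failed attempts per account,
and report discrepancies (a burst of failures, and a success that follows
a burst). Log format, sample lines, threshold and window are constructed
assumptions for this example, not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed (constructed) log format: "<ISO timestamp> <RESULT> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample lines (not from any real system).
SAMPLE_LOG = """\
2014-06-26T08:01:10 SUCCESS user=jsmith src=10.0.0.21
2014-06-26T08:02:00 FAILURE user=rlee src=10.0.0.44
2014-06-26T08:02:05 FAILURE user=rlee src=10.0.0.44
2014-06-26T08:02:09 FAILURE user=rlee src=10.0.0.44
2014-06-26T08:02:14 FAILURE user=rlee src=10.0.0.44
2014-06-26T08:02:20 FAILURE user=rlee src=10.0.0.44
2014-06-26T08:02:31 SUCCESS user=rlee src=10.0.0.44
2014-06-26T09:15:00 FAILURE user=jsmith src=10.0.0.21
2014-06-26T09:40:00 SUCCESS user=jsmith src=10.0.0.21
2014-06-26T23:55:00 SUCCESS user=admin src=203.0.113.7
"""

FAILURE_THRESHOLD = 5          # assumed: failures per account inside WINDOW
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting failures


def parse_log(text):
    """Turn log text into a sorted list of (timestamp, result, user, src) tuples,
    skipping lines that do not match the expected format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: ignored rather than crashing the review
        ts = datetime.fromisoformat(m.group("ts"))
        events.append((ts, m.group("result"), m.group("user"), m.group("src")))
    return sorted(events)


def find_discrepancies(events):
    """Return a list of (user, kind, detail) findings.
    kind is 'burst' when an account accumulates FAILURE_THRESHOLD failures
    within WINDOW, and 'success_after_burst' when a SUCCESS follows a burst
    (the case a reviewer most wants to see first)."""
    findings = []
    recent_failures = defaultdict(list)  # user -> timestamps of recent failures
    burst_reported = set()               # users whose current burst was reported
    for ts, result, user, src in events:
        if result == "FAILURE":
            # keep only failures that still fall inside the sliding window
            window = [t for t in recent_failures[user] if ts - t <= WINDOW]
            window.append(ts)
            recent_failures[user] = window
            if len(window) >= FAILURE_THRESHOLD and user not in burst_reported:
                burst_reported.add(user)
                findings.append(
                    (user, "burst", f"{len(window)} failures from {src} within {WINDOW}")
                )
        else:  # SUCCESS resets the failure count for that account
            if user in burst_reported:
                findings.append(
                    (user, "success_after_burst", f"login from {src} at {ts.isoformat()}")
                )
                burst_reported.discard(user)
            recent_failures[user] = []
    return findings


def report(text):
    """Human-readable lines for the person who reviews log-in discrepancies
    (the 'reporting' half of the specification)."""
    return [
        f"[{kind}] account={user}: {detail}"
        for user, kind, detail in find_discrepancies(parse_log(text))
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run stand-alone, the script reports two findings for the constructed account `rlee` (a burst of five failures, then a successful login right after it) and nothing for the single failed attempt by `jsmith`. Separating parsing, detection and reporting keeps the threshold and window in one place so they can be tuned and the tuning documented, which is what an auditor will ask to see.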
Training & Awareness Requirements
• Security training required for all new and existing members of the covered entity’s (and business associate’s and sub-contractor’s) workforce
• Periodic retraining should be given whenever environmental or operational changes affect security of ePHI.
• Changes may include: new or updated policies and procedures; new or upgraded software or hardware; new security technology; or changes in the Security Rule.
Security Awareness Training Documentation
• Covered entities (and BAs and sub-contractors) must document the security reminders they implement. Documentation: include type of reminder, message, date of implementation.
• Examples:
– Notices (electronic or printed)
– Agenda Items and Discussion Topics (Monthly Meetings)
– Postings/focused reminders
– Formal re-training on policies and procedures
• Consider if practices are reasonable and appropriate.
• Determine if other forms of security reminders are needed.
Security awareness training must be ongoing….
• Workforce must be trained regarding its role in protecting against malicious software and system protection capabilities.
• Training must be ongoing for all organizations.
• Workforce must be aware of log-in attempts that are not appropriate.
• Workforce must be trained in how to safeguard password information, including guidelines for creating passwords and changing them during periodic change cycles.
HIPAA Privacy Rule
• Workforce Training and Management
Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity). 45 CFR 160.103
• A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. 45 CFR 164.530(b)
• A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule. 45 CFR 164.530(e)
Privacy Rule Training Requirements
• Requires training so that workforce members understand the privacy procedures.
• Training may be scaled to the type of organization and size of workforce.
• Privacy training must be provided to all workforce members, as necessary and appropriate to their functions.
• Rule does not specify how often training should be conducted or specific content.
• Suggest that training include Minimum Necessary standard and requirements (45 CFR 164.502(b), 164.514(d))
• Training must be documented.
Interrelationships: Privacy and Security Rules
• Security requirements include a set of tools for ensuring compliance with the Privacy Rule as well as the Security Rule.
• The Security Rule provides detailed requirements, which protect only ePHI.
• The Privacy Rule safeguards provision, 45 CFR § 164.530(c), is more general and protects the privacy of all PHI, not just ePHI.
• Both Rules require covered entities (and BAs) to:
– Implement policies
– Ensure accountability for compliance
– Limit access to PHI
– Conduct workforce training
– Safeguard PHI
Effective Privacy and Security Awareness Training Programs
Key Components of Effective Training Programs
• Engage the workforce.
• Make training interesting.
• Use scenario-based training modules and lessons learned.
• Apply headline and prominent cases to the organization’s work environment. Include cases where BAs have been involved in data breaches.
• Establish a mix of media and teaching approaches.
• Training should emphasize security and privacy requirements of all laws that apply to the organization. HIPAA is just one.
Key Components (Cont’d)
• Make training personal – how do these concepts fit with employees’ life outside work? Make it relevant to protecting employees’ confidential information.
• Include everyone from senior leaders to front-line staff.
• Train in small doses and train often.
• Select key themes and develop a mix of awareness materials to emphasize and reinforce key concepts, and help employees to know what to do in cases of possible data breaches or other situations which can harm confidential material.
• Cover contemporary threats.
Key Components (Cont’d)
• Test knowledge, not just after the training module, but later….
• Include good behaviors that protect the individual’s privacy and that of the organization.
• Provide links to resources for those who want to go further.
• Train on policies. Make sure policies are easily accessed and employees know where they are.
• Be sure to include contractors and sub-contractors in training programs.
• Document training for all workforce members.
Remember: Employees may be the weak link in your security.
Consulting consortium providing strategic planning, information security, and privacy services to the healthcare industry and business associates.
Practical approach to information security and privacy program development and enhancement based on consultants’ experiences as senior executives in healthcare organizations.
Expertise in information security and privacy program development, technical security, legal services, hospital management, healthcare operations, compliance, information technology, disaster recovery and business continuity, cyber security, health information management, hospital and commercial clinical laboratory operations, physician practice development, government sector, medicine, pharmaceutical compliance, health information exchange.
Working relationships with industry leaders and government agencies, including CMS and OCR. Successful work history with regulators.
SECURITY | PRIVACY | CULTURE
USING DATA BREACHES TO RAISE AWARENESS
Security Incident – An event that compromises the Confidentiality, Integrity, or Availability (CIA) of PHI
Breach – An incident that results in the disclosure or potential exposure of data
Data disclosure – A breach for which it was confirmed that data was actually disclosed (not just exposed) to an unauthorized party
HIPAA Breach – “The acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI”
Current state of Data Breaches
• Wide range of threat actions (footprint)
– Over 20 distinct attack methods found in data set of confirmed security incidents
• Attack methods change every year
– E.g. Brute force #1 method in 2009, #12 in 2013
• Financial motivations still highest factor
• Network devices are only a conduit in breaches
– Servers, user devices are prime targets
• ‘Time to compromise’ is far less than ‘time to discovery’
Source: 2014 Verizon Data Breach Investigations Report (DBIR)
Why focus on training users?
• Healthcare has a higher data breach cost per capita than any other industry ($359, avg = $145)
• Strong security posture has the single greatest influence on reducing the cost of a data breach
• Reputation and loss of customer loyalty does the most damage to the bottom line
Source: Ponemon Institute Reports
And yet…
• Only 68% of organizations have a formal privacy training program
– 32% designate such training as mandatory
– 38% provide specialized training
– 44% assess the program for effectiveness
Role of Business Associates
• Over 20% of ALL HHS breach incidents on the ‘Wall of Shame’ involve a BA
– Approximately 200 of the more than 1000 posted incidents (June, 2014)
Source: Health & Human Services (HHS)
Most notably…
• The all-time largest event
– TRICARE Sept 2011 breach of 4.9 m records
– Due to a BA
• 90% of all healthcare organizations report one or more data breaches
• 38% of all healthcare organizations report five or more data breaches
Source: Ponemon Institute
Macro perspectives
• 94% of confirmed data breaches fall into only nine patterns of compromise
– POS Intrusions
– Web app attacks
– Insider Misuse
– Physical Theft/loss
– Miscellaneous errors
– Crimeware
– Card skimmers
– DoS Attacks
– Cyber espionage
– Everything else
Healthcare Industry
• 46% of ALL incidents – this is more than twice the rate of ANY other industry
• Next highest pattern: Insider Misuse (15%)
Physical Theft and Loss
• Incidents due to ‘loss’ are an astounding 15 times the volume due to ‘theft’
– Two mitigation options:
1. Reduce quantity of events
2. Reduce impact of each event
• For #1 – Awareness and training can be a key first step
• For #2 – Encryption is essential – a ‘no brainer’
• Legal and regulatory reporting requirements suggest a high degree of compliance
• Primary root cause: Carelessness
• Keep data close, PHI closer
• Devices in work areas are not ‘safe’ – even servers
• Include law enforcement crime reduction tips in awareness training
• Move PHI to secure storage locations
The Solution?
Awareness
• Loss, theft of data
• Insider misuse
– Where is PHI?
– How can PHI be accessed and used?
– Why is that data on a mobile device?
– How is that mobile device protected?
– Is PHI protected on every storage device and server?
– How are user privilege abuses discovered?
Encryption
• Across all phases
– Data at rest
– Data in use
– Data in transit
• Need proof for auditors
Relative Fixes:
Loss of data – EASY
Insider misuse – HARD
Corporate Overview
Leading Technology Services Integrator
• Founded 2001
• Origins in the Intelligence Community, Military and Federal markets
• Focus on IT automation for enterprise level engagements
Dedicated Workforce of over 1400
• Majority hold security clearances
• 625 hold one or more professional Cyber Security certifications
• Over 80 full time cyber security engineers
Developer of Advanced Cyber Analytics Capabilities
• Network scanning, device and malware detection algorithms
• Data log and sensor feed integration
• Cyber Dashboard visualization
With over $500 million in annual revenue, NJVC has a proven record of providing performance, commitment and value to our clients.
Tools and Resources
• CMS, HIPAA Security Series, Volume 2, Paper 2, Security Standards: Administrative Safeguards, May 2005. Revised March 2007
– http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf
• NJVC White paper “Raising Cyber Security Awareness for Healthcare Professionals”
– http://www.njvc.com/resource-center/white-papers-and-case-studies
• SANS Training Modules – Awareness Training Modules
– http://www.securingthehuman.org/enduser/demo-training-lab
• Examples of SANS Modules:
– You Are A Target
– Social Engineering
– Email & Instant Messaging
– Browsing
– Social Networking
– Mobile Device Security
– Passwords
– Encryption
– ETC…
Tools and Resources (Cont’d)
• Symantec Security Awareness Tech Center. Examples: Security awareness while traveling, Social Media Awareness, ETC.
– http://techcenter.symantec.com/ecampus/enterprise?siteName=sena&partNo=SA1000
• Ponemon Institute, Digital Defense SecurED: Experimental Analysis of Training Effectiveness, July 16, 2013.
• Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis
– http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
• Ponemon Institute, Fourth Annual Benchmark Study on Patient Privacy & Data Security
– http://www2.idexpertscorp.com/ponemon-report-on-patient-privacy-data-security-incidents/
• Verizon Data Breach Investigations Report (2014)
– http://www.verizonenterprise.com/DBIR/2014/?gclid=CL2nwPqfhr4CFYt9Ogod7QUAaw
• Redspin Breach Report 2013 (Protected Health Information – PHI – Feb 2014)
– http://www.redspin.com/resources/whitepapers-datasheets/Request-2013-Breach-Report-Protected-Health-Information-PHI-Redspin.php
Contact Information
Robert Michalsky
Principal, Cyber Security
NJVC
703-429-9593
Twitter: RobertMichalsky
Phyllis Patrick
Phyllis A. Patrick & Associates LLC
914-696-3622