Training Your Business Associate Workforce: Understanding Obligations and Risk Exposure

Training Your BA Workforce: Understanding Obligations and Risk Exposure. June 26, 2014. Phyllis A. Patrick, MBA, FACHE, CISM, CHC; Robert J. Michalsky, CISSP, CSSLP


As healthcare data breaches continue to rise, both in number and in the negative attention they generate, understanding the importance of training your business associate workforce, as well as implementing cyber security best practices throughout your organization, is a requisite for every healthcare provider. Phyllis A. Patrick, founder and president of Phyllis A. Patrick & Associates, and NJVC Cyber Security Principal Robert J. Michalsky explain how to implement an effective business associate training program to help ensure compliance with the HIPAA Omnibus Rule, and why improving your cyber security posture is just as important as regulatory compliance.

Transcript of Training Your Business Associate Workforce: Understanding Obligations and Risk Exposure

Page 1

Training Your BA Workforce: Understanding Obligations and Risk Exposure

June 26, 2014

Phyllis A. Patrick, MBA, FACHE, CISM, CHC
Robert J. Michalsky, CISSP, CSSLP

Page 2

Session Topics

• Training and Awareness Requirements: HIPAA Security and Privacy Rules

• Key Components of Effective Security and Privacy Awareness Programs

• Breach Cases: Developing Strategies to Use Training and Awareness Programs to Minimize Risk Exposure

Understanding HIPAA Omnibus Obligations of Business Associates 2

Page 3

Training and Awareness Requirements

Page 4

Legislative History and BA Obligations

Timeline (slide graphic):

• 1996 – HIPAA
• 2003 – Privacy Rule
• 2005 – Security Rule
• 2009 – ARRA & HITECH
• 2010 – BA Liability
• 2013 – Omnibus Rule

BAs required to comply with the interim final breach notification rule (9/23/09); BAs liable for certain privacy and security requirements under HITECH (2/18/10).

Page 5

The Omnibus (Final) Rule

• The most significant change across the four Rules (privacy, security, breach, enforcement) is the impact on Business Associates.

• BAs have had contractual obligations to comply with the HIPAA Privacy Rule (2003) and Security Rule (2005).

• Under HITECH, BAs are subject to statutory penalties for failure to comply with the HIPAA Privacy, Security, and Breach Notification Rules (45 CFR Parts 160 and 164, subpart E; 45 CFR Parts 160 and 164, subpart C; 45 CFR Parts 160 and 164, subpart D).

• HITECH implementing regulations proposed including subcontractors in the definition of BA.

• BAs are now subject to legal obligations and enforcement risk.

Page 6

Who are sub-contractors?

• “Sub-contractor” includes those acting on behalf of a sub-contractor.

• HIPAA requirements apply all the way down the sub-contracting chain, as far as the PHI flows.

• Covered Entities must ensure that they obtain satisfactory assurances (in the form of a BAA) from their Business Associates, and Business Associates must do the same with regard to Sub-contractors, and so on, no matter how far down the chain the PHI flows.

• Both the contractor and all of its sub-contractors are Business Associates under the Final Rule to the extent they create, receive, maintain, or transmit PHI.

Page 7

Sub-contractor Issues

• Sub-contractors must understand their responsibilities regarding HIPAA compliance. Who communicates this information to the sub-contractor, and how? What is included in the contract and/or the BAA to codify this?

• Business Associates must enter into agreements with their sub-contractors that include the same terms that have always been required for Business Associate Agreements.

Page 8

Sub-contractor Issues (Cont’d)

• Challenge: HHS does not address the difficulty that companies handling information might face if they never know that they are a Subcontractor handling PHI.

• Service providers handling identifiable information should consider seeking representations and warranties from their customers that such customers are not Business Associates under HIPAA.

• Subcontractors must take care to include appropriate privacy and security language in their agreements where they are sharing PHI with vendors and suppliers.

Page 9

HIPAA Security Rule

• Covered entities (and business associates) must “Implement a security awareness and training program for all members of its workforce (including management).” CFR 164.308(a)(5)(i)

• Implementation Specifications include:

– Security Reminders – “Periodic security updates”
– Protection from Malicious Software – “Procedures for guarding against, detecting, and reporting malicious software”
– Log-in Monitoring – “Procedures for monitoring log-in attempts and reporting discrepancies”
– Password Management – “Procedures for creating, changing, and safeguarding passwords.”

CFR 164.308(a)(5)(ii)(A), (B), (C), and (D)

Page 10

Training & Awareness Requirements

• Security training is required for all new and existing members of the covered entity’s (and business associate’s and sub-contractor’s) workforce.

• Periodic retraining should be given whenever environmental or operational changes affect the security of ePHI.

• Changes may include: new or updated policies and procedures; new or upgraded software or hardware; new security technology; or changes in the Security Rule.

Page 11

Security Awareness Training Documentation

• Covered entities (and BAs and sub-contractors) must document the security reminders they implement. Documentation should include the type of reminder, the message, and the date of implementation.

• Examples:

– Notices (electronic or printed)
– Agenda items and discussion topics (monthly meetings)
– Postings/focused reminders
– Formal re-training on policies and procedures

• Consider whether practices are reasonable and appropriate.

• Determine whether other forms of security reminders are needed.

Page 12

Security awareness training must be ongoing….

• The workforce must be trained regarding its role in protecting against malicious software and in the system protection capabilities available.

• Training must be ongoing for all organizations.

• The workforce must be aware of log-in attempts that are not appropriate.

• The workforce must be trained in how to safeguard password information, including guidelines for creating passwords and changing them during periodic change cycles.

Page 13

HIPAA Privacy Rule

• Workforce Training and Management: Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity). 45 CFR 160.103

• A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. 45 CFR 164.530(b)

• A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule. 45 CFR 164.530(e)

Page 14

Privacy Rule Training Requirements

• Requires training so that workforce members understand the privacy procedures.

• Training may be scaled to the type of organization and size of workforce.

• Privacy training must be provided to all workforce members, as necessary and appropriate to their functions.

• The Rule does not specify how often training should be conducted or its specific content.

• Suggest that training include the Minimum Necessary standard and requirements (45 CFR 164.502(b), 164.514(d)).

• Training must be documented.

Page 15

Interrelationships: Privacy and Security Rules

• Security requirements include a set of tools for ensuring compliance with the Privacy Rule as well as the Security Rule.

• The Security Rule provides detailed requirements, which protect only ePHI.

• The Privacy Rule safeguards provision, 45 CFR § 164.530(c), is more general and protects the privacy of all PHI, not just ePHI.

• Both Rules require covered entities (and BAs) to:

– Implement policies
– Ensure accountability for compliance
– Limit access to PHI
– Conduct workforce training
– Safeguard PHI

Page 16

Effective Privacy and Security Awareness Training Programs

Page 17

Key Components of Effective Training Programs

• Engage the workforce.

• Make training interesting.

• Use scenario-based training modules: lessons learned.

• Apply headline and prominent cases to the organization’s work environment. Include cases where BAs have been involved in data breaches.

• Establish a mix of media and teaching approaches.

• Training should emphasize the security and privacy requirements of all laws that apply to the organization. HIPAA is just one.

Page 18

Key Components (Cont’d)

• Make training personal – how do these concepts fit with employees’ lives outside work? Make it relevant to protecting employees’ own confidential information.

• Include everyone from senior leaders to front-line staff.

• Train in small doses and train often.

• Select key themes and develop a mix of awareness materials to emphasize and reinforce key concepts, and help employees know what to do in cases of possible data breaches or other situations which can harm confidential material.

• Cover contemporary threats.

Page 19

Key Components (Cont’d)

• Test knowledge, not just after the training module, but later….

• Include good behaviors that protect the individual’s privacy and that of the organization.

• Provide links to resources for those who want to go further.

• Train on policies. Make sure policies are easily accessed and employees know where they are.

• Be sure to include contractors and sub-contractors in training programs.

• Document training for all workforce members.

Remember: Employees may be the weak link in your security.

Page 20

Consulting consortium providing strategic planning, information security, and privacy services to the healthcare industry and business associates.

Practical approach to information security and privacy program development and enhancement based on consultants’ experiences as senior executives in healthcare organizations.

Expertise in information security and privacy program development, technical security, legal services, hospital management, healthcare operations, compliance, information technology, disaster recovery and business continuity, cyber security, health information management, hospital and commercial clinical laboratory operations, physician practice development, government sector, medicine, pharmaceutical compliance, and health information exchange.

Working relationships with industry leaders and government agencies, including CMS and OCR. Successful work history with regulators.

SECURITY | PRIVACY | CULTURE

Page 21

USING DATA BREACHES TO RAISE AWARENESS

Security Incident: An event that compromises the Confidentiality, Integrity, or Availability (CIA) of PHI

Breach: An incident that results in the disclosure or potential exposure of data

Data disclosure: A breach for which it was confirmed that data was actually disclosed (not just exposed) to an unauthorized party

HIPAA Breach: “The acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI”

Page 22

Current State of Data Breaches

• Wide range of threat actions (footprint)

– Over 20 distinct attack methods found in the data set of confirmed security incidents

• Attack methods change every year

– E.g., brute force was the #1 method in 2009 and #12 in 2013

• Financial motivation is still the highest factor

• Network devices are only a conduit in breaches

– Servers and user devices are the prime targets

• ‘Time to compromise’ is far less than ‘time to discovery’

Source: 2014 Verizon Data Breach Investigations Report (DBIR)

Page 23

Why focus on training users?

• Healthcare has the highest per-capita data breach cost of any industry ($359, versus an average of $145)

• A strong security posture has the single greatest influence on reducing the cost of a data breach

• Reputation damage and loss of customer loyalty do the most damage to the bottom line

Source: Ponemon Institute Reports

And yet…

• Only 68% of organizations have a formal privacy training program

– 32% designate such training as mandatory
– 38% provide specialized training
– 44% assess the program for effectiveness

Page 24

Role of Business Associates

• Over 20% of ALL HHS breach incidents on the ‘Wall of Shame’ involve a BA

– Approximately 200 of the more than 1000 posted incidents (June 2014)

Source: Health & Human Services (HHS)

Most notably…

• The all-time largest event

– TRICARE, Sept 2011: breach of 4.9 million records
– Due to a BA

90% of all healthcare organizations report one or more data breaches

38% of all healthcare organizations report five or more data breaches

Source: Ponemon Institute

Page 25

Macro Perspectives

• 94% of confirmed data breaches fall into only nine patterns of compromise

– POS intrusions
– Web app attacks
– Insider misuse
– Physical theft/loss
– Miscellaneous errors
– Crimeware
– Card skimmers
– DoS attacks
– Cyber espionage
– Everything else

Healthcare industry: 46% of ALL incidents (more than twice the rate of ANY other industry)

Next highest pattern: Insider Misuse (15%)

Page 26

Physical Theft and Loss

• Incidents due to ‘loss’ are an astounding 15 times the volume due to ‘theft’

– Two mitigation options:

1. Reduce the quantity of events
2. Reduce the impact of each event

• For #1 – Awareness and training can be a key first step

• For #2 – Encryption is essential – a ‘no brainer’

Slide callouts:

• Legal and regulatory reporting requirements suggest a high degree of compliance

• Primary root cause: Carelessness

• Keep data close, PHI closer

• Devices in work areas are not ‘safe’ – even servers

• Include law enforcement crime reduction tips in awareness training

• Move PHI to secure storage locations

Page 27

The Solution?

Awareness

• Loss, theft of data

– Where is PHI?
– How can PHI be accessed and used?
– Why is that data on a mobile device?
– How is that mobile device protected?
– Is PHI protected on every storage device and server?

• Insider misuse

– How are user privilege abuses discovered?

Encryption

• Across all phases

– Data at rest
– Data in use
– Data in transit

• Need proof for auditors

Relative Fixes: Loss of data – EASY; Insider misuse – HARD

Page 28

Corporate Overview: Leading Technology Services Integrator

• Founded 2001
• Origins in the Intelligence Community, Military and Federal markets
• Focus on IT automation for enterprise-level engagements

Dedicated Workforce of over 1400

• Majority hold security clearances
• 625 hold one or more professional Cyber Security certifications
• Over 80 full-time cyber security engineers

Developer of Advanced Cyber Analytics Capabilities

• Network scanning, device and malware detection algorithms
• Data log and sensor feed integration
• Cyber Dashboard visualization

With over $500 million in annual revenue, NJVC has a proven record of providing performance, commitment and value to our clients.

Page 29

Tools and Resources

• CMS, HIPAA Security Series, Volume 2, Paper 2, Security Standards: Administrative Safeguards, May 2005. Revised March 2007

– http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf

• NJVC White Paper “Raising Cyber Security Awareness for Healthcare Professionals”

– http://www.njvc.com/resource-center/white-papers-and-case-studies

• SANS Training Modules – Awareness Training Modules

– http://www.securingthehuman.org/enduser/demo-training-lab

• Examples of SANS Modules:

– You Are A Target
– Social Engineering
– Email & Instant Messaging
– Browsing
– Social Networking
– Mobile Device Security
– Passwords
– Encryption
– Etc.

Page 30

Tools and Resources (Cont’d)

• Symantec Security Awareness Tech Center. Examples: Security awareness while traveling, Social Media Awareness, etc.

– http://techcenter.symantec.com/ecampus/enterprise?siteName=sena&partNo=SA1000

• Ponemon Institute, Digital Defense SecurED: Experimental Analysis of Training Effectiveness, July 16, 2013.

• Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis

– http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis

• Ponemon Institute, Fourth Annual Benchmark Study on Patient Privacy & Data Security

– http://www2.idexpertscorp.com/ponemon-report-on-patient-privacy-data-security-incidents/

• Verizon Data Breach Investigations Report (2014)

– http://www.verizonenterprise.com/DBIR/2014/?gclid=CL2nwPqfhr4CFYt9Ogod7QUAaw

• Redspin Breach Report 2013 (Protected Health Information – PHI – Feb 2014)

– http://www.redspin.com/resources/whitepapers-datasheets/Request-2013-Breach-Report-Protected-Health-Information-PHI-Redspin.php

Page 31

Contact Information

Robert Michalsky
Principal, Cyber Security
NJVC
[email protected]
703-429-9593
Twitter: RobertMichalsky

Phyllis Patrick
Phyllis A. Patrick & Associates LLC
[email protected]
914-696-3622