HITRUST, HIPAA, & HITECH

TURNING COMPLIANCE INTO COMPETITIVE ADVANTAGE

Mark Fulford, Partner
Thomas Lewis, Partner

LBMC Risk Services
www.lbmc.com


Welcome and Presentation Topics

• Why you should care
• HIPAA & HITECH - update on new regulation
• Insight into the HITRUST Common Security Framework
• How independent assurance can result in fewer audits and a competitive advantage for your organization
• How LBMC can help


90% of organizations have experienced a computer security incident in the last 12 months.

Cybercrime statistics from 12th Annual Computer Crime and Security Survey


71% of organizations have no external insurance coverage for losses from computer security incidents.

Cybercrime statistics from 12th Annual Computer Crime and Security Survey


$1B in cybercrime profits, which in a year have surpassed those of drug smuggling.

Cybercrime statistics from 12th Annual Computer Crime and Security Survey


$234,244 annual average loss due to security incidents per respondent.

Cybercrime statistics from 2009 CSI Computer Crime and Security Survey


What is HIPAA?


What is HITECH?

The HITECH Act is legislation that anticipates a massive expansion in the exchange of electronic protected health information (ePHI). As part of the American Recovery and Reinvestment Act of 2009, the HITECH Act widens the scope of privacy and security protections available under HIPAA; increases potential legal liability for non-compliance; and provides more enforcement of HIPAA rules.


What is HITECH?

• Extends HIPAA directly to Business Associates

• Establishes first national data security breach notification law (500 or more records is nasty)

• Grants State AGs authority to bring civil actions


What is HITECH?

• HITECH authorizes increased civil monetary penalties for HIPAA violations. The Act establishes tiers of penalties based upon: whether or not a covered entity (including physicians) knew of a breach of privacy; whether the breach was due to reasonable cause and not willful neglect; or whether the breach was due to willful neglect.

• The tiers of penalties are as follows:
  – $100/violation, not to exceed $25,000/calendar year.
  – $1,000/violation, not to exceed $100,000/calendar year.
  – $10,000/violation, not to exceed $250,000/calendar year.
  – $50,000/violation, not to exceed $1,500,000/calendar year.


What is HITRUST?

• The Health Information Trust Alliance (HITRUST) has been created to establish a common security framework that will allow for more effective and secure access, storage and exchange of personal health information. HITRUST is bringing together a broad array of healthcare organizations and stakeholders, who are united by the core belief that standardizing a higher level of security will build greater trust in the electronic flow of information through the healthcare system.


Strategic Objectives of HITRUST

Establish a fundamental and holistic change in the way the healthcare industry manages information security risks:

• Rationalize regulations and standards into a single overarching framework tailored for the industry
• Deliver a prescriptive, scalable and certifiable process
• Address inconsistent approaches to certification, risk acceptance and adoption of compensating controls to eliminate ambiguity in the process
• Enable the ability to cost-effectively monitor compliance with organizational, business partner and governmental requirements
• Provide support and facilitate sharing of ideas, feedback and experiences within the industry


Who is HITRUST?

HITRUST Executive Council


Why the Need?

Healthcare organizations are facing multiple challenges with regard to information security:

• Costs and complexities of redundant and inconsistent requirements and standards
• Critical systems not incorporating appropriate controls or safeguards
• Confusion around implementation and acceptable baseline controls
• Information security audits subject to different interpretations of control objectives and safeguards
• Increasing scrutiny and similar queries from regulators, auditors, underwriters, customers and business partners
• Growing risk and liability


“The List”


www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html


HITRUST CSF

The HITRUST CSF is a framework that normalizes the security requirements of healthcare organizations, including federal (e.g., HITECH Act and HIPAA), state (e.g., MA 201 CMR 17.00), third party (e.g., PCI and COBIT) and government (e.g., NIST, FTC and CMS).

The CSF is built to provide scalable security requirements based on the different risks and exposures of organizations in the industry.

The CSF also makes security manageable and practical by prioritizing one-third of the controls in the CSF as a starting point for organizations. These priorities are based on industry input and analysis of breach information in the industry.


Standards and Regulations Overlap

(Figure: overlapping standards and regulations, shown as ISO 27001/2, PCI, COBIT, NIST, HIPAA Security, HITECH Act, Meaningful Use, and States.)


CSF Standards and Regs Coverage

(Figure: the same standards and regulations, ISO 27001/2, PCI, COBIT, NIST, HIPAA Security, HITECH Act, Meaningful Use, and States, shown as covered by the HITRUST CSF.)


CSF Compared with Other Standards

Requirement | CSF | COBIT | PCI | ISO | NIST | HIPAA
Comprehensive – general security | Yes | Yes | Yes | Yes | Yes | Partial
Comprehensive – regulatory, statutory, and business security requirements | Yes | No | No | No | No | No
Prescriptive | Yes | No | Yes | Partial | Yes | No
Practical and scalable | Yes | Yes | No | No | No | Yes
Audit or assessment guidelines | Yes | Yes | Yes | Yes | Yes | No
Certifiable | Yes | Yes | Yes | Yes | No* | No
Support for third-party assurance | Yes | Yes | Yes | Yes | No | No
Open and transparent update process | Yes | No | Yes | Yes | Yes | Yes
Cost | Free | Subsc. | Free | Subsc. | Free | Free

*Certifiable only for government agencies and organizations doing business with the government


CSF Sample

• Structured in accordance with ISO 27001 / 27002 standard
• Multiple levels of implementation requirements
• Risk factors tailored for healthcare organizations
• Cross-references to industry standards and regulations


Introduction to CSF Assurance Program


Overview of CSF Assurance Program

• Utilizes a common set of information security requirements with standardized assessment and reporting processes accepted and adopted by healthcare organizations.

• Through the program, healthcare organizations and their business associates can improve efficiencies and reduce the number and costs of security assessments.

• The oversight and governance provided by HITRUST support a process whereby organizations can trust that their third parties have essential security controls in place.


Strategic Objectives of CSF Assurance Program

Provide assurance that controls to limit the exposure of a breach are in place and operating effectively. Recipients of this assurance include:

• Executive management
• Auditors
• Federal and state regulators
• Customers of business associates

Simplify compliance efforts for organizations:

• Assess once and report to many constituents:
  – Federal (e.g., HIPAA/HITECH or meaningful use information) and state regulators
  – Credit card companies (i.e., PCI requirements)
  – CMS (i.e., Core Security Requirements)
  – Internal or external auditors
• Comprehensively leverage assessments (i.e., leverage internal audit or other certifications such as PCI to streamline audits and testing)

Provide this assurance in a more cost-effective manner and with more rigor than existing processes.


Resources


HITRUST Central (HITRUSTcentral.net)

Access to the CSF online.

A professional network for:

• Understanding industry issues and events
• Sharing knowledge
• Exchanging ideas and best practices
• Discovering new ways to solve business problems
• Downloading documentation and training materials

Providing support:

• What does this control mean?
• How do I implement these requirements?
• What do I do if I cannot meet a requirement?


Additional Resources

Visit HITRUSTalliance.net for information and materials on:

•Common Security Framework - www.hitrustalliance.net/csf/

•CSF Assurance Program - www.hitrustalliance.net/assurance/


For More Information

For more information on HITRUST and the CSF visit: www.HITRUSTalliance.net/csf/

To access the CSF and HITRUST Central visit: www.HITRUSTCentral.net

For a list of HITRUST CSF Assessors visit: www.hitrustalliance.net/Assessors_List.pdf

For assistance, contact:
Thomas Lewis – [email protected]
Mark Fulford – [email protected]