Introductions
• Gant Redmon, CIPP/US General Counsel & VP of Business Development, Co3 Systems
• Amy Derlink, Chief Privacy Officer, IOD Incorporated
© IOD Incorporated. All rights reserved.
About Co3 – Incident Response Management

PREPARE: Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (fire drills / table tops)

ASSESS: Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries

MANAGE: Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence

MITIGATE: Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
About IOD
• IOD serves as a trusted partner for more than 2,000 hospitals, clinics and integrated delivery networks (IDNs) nationwide.
• Specializes exclusively in healthcare, so it understands the myriad challenges associated with patient records management and patient confidentiality.
• Provides customized solutions that are precisely designed and scaled to help you achieve your business goals.
Reported Breaches 2009 – To Date (Involving >500 individuals)
• 1,136 reported breaches
• 39M patient records affected
• 64% theft or loss, of which 34% was due to unencrypted portable devices
• 29% breach by a BA
• 44% of breaches stem from the five largest incidents
The Purpose of the OCR Audits
• Not for enforcement
• Lead to compliance activity
• Bring to light the security and privacy responsibilities
• Share best practices amongst CEs and BAs
Who is eligible to be audited?
• Every CE is eligible for an audit
• OCR starts with 200 desk audits
• OCR surveyed over 1,200 entities governed by HIPAA
– 800 Covered Entities
– 400 Business Associates
• Of those 1,200, OCR selects 350 CEs and 50 BAs for comprehensive audits
Who is the auditor?
• The auditor summarizes findings and results and highlights consistent issues found
• The auditor sends the final report to the CE and BA; the report covers:
– How the audit was conducted;
– What the findings were; and
– What actions the covered entity is taking in response to those findings.
OCR Audit Notification
• For on-site audits, OCR will call to verify contact info
• Letter is sent by registered mail
– 30-90 days prior to the audit
• Who gets the letter?
– CEO…
– Clerical staff…
OCR Notification Clock Starts
• Date of signature = start of the time clock
• Covered Entity has 10-14 days to provide documentation to the OCR
How Does the Audit Program Work?
Stage, duration, and elapsed time:
• Notification letter sent to Covered Entities: 1 day (Day 1)
• Receiving and reviewing documentation and planning the audit field work: minimum of 10 days (Day 10)
• On-site fieldwork: 3 – 10 days (Day 30/90)
• Draft audit report: 20 – 30 days (dependent on completion of fieldwork)
• Covered Entity reviews and comments on draft audit report: 10 days
• Final audit report: 30 days
What is the audit protocol?
• It is a compliance initiative that:
– Targets certain failures
– Includes policy and procedure review and a site visit
• The audit may uncover vulnerabilities and weaknesses that can be appropriately addressed through corrective action on the part of the entity.
Audit Protocol
• Analyzes processes, controls and policies of selected CEs pursuant to the HITECH Act audit mandate.
• OCR provides the set requirements to be assessed through these performance audits.
• Organized around modules, representing separate elements of privacy, security, and breach notification.
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
Audit Protocol Basis
• Analysis of Findings by Rule
– OCR collected findings and data by looking at each of three modules:
– Privacy: 65%
– Security: 26%
– Breach: 9%
What’s being audited? 169 criteria
• 81 criteria for Privacy Rule requirements
• 78 criteria for Security Rule requirements (administrative, physical, and technical safeguards)
• 10 criteria for the Breach Notification Rule
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
The procedure the auditors will use:
• http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
Desk Audit Process
• All P&P and strategic plans are due within 15 days of receipt of the letter
– Any signed after the date of the letter do not count
• On-site Audit and data collection occurs 3-10 days after the desk audit
– on-site audits last up to 10 business days and involve up to five auditors
On-Site Review
• Interview personnel and random staff
– Site walk-through
– Operational reviews
– After the interviews, auditors request supporting documentation
• Consistency must be evident between what management states, what the policy states and what is being practiced in the organization
Post On-Site Audit Activity
• Audit team will deliver draft report to CE/BA within 20-30 days post on-site review
• Your Audit Response Team should expect additional questions and data collection
• Prepare to respond to the findings from the OCR and their recommendation
Audit Response Team
• Review the Draft Report and respond to all deficiencies noted
• Identify clarifying questions, mitigating information and plans for remediation
• Team should utilize advice from consultants and legal when developing response
Audit Readiness: Team
• Establish an Audit Response Team or Committee for the auditor to meet with
• Audit Response Team identifies all potential auditors and audit regimes:
– State laws
– HIPAA
– SOC
– OCR
– HITECH
– Attorneys General
– Meaningful Use
– etc.
POLL: Do you have an audit task force in place to respond to complaints or inquiries, and are you a member of it?
Who is our Audit Response Team?
• Not IT driven
• HR - Education
• Privacy Officer
• Physicians
• Nursing
• Compliance Officer
• Security Officer
• CEO
Audit Response Readiness: Response
• Develop plan for interaction with audit team
• Identify key personnel who will handle coordination activities
• Identify clear roles and responsibilities
• Conduct mock audits to exercise plan and keep personnel current
Audit Response Team: Tasks
• Conduct a risk analysis to determine exposure and how to best manage risks appropriately
– Confidentiality
– Integrity
– Technical infrastructure, hardware and software security, mobile devices
– Availability of ePHI
– Privacy concerns
• Determine how to sufficiently reduce the risks and vulnerabilities to a reasonable and appropriate level
Current Findings of Audits by OCR
• Impermissible uses and disclosures of protected health information (PHI);
• Lack of safeguards of PHI;
• Lack of patient access to their PHI;
• Uses or disclosures of more than the Minimum Necessary PHI; and
• Lack of administrative safeguards of electronic PHI.
Problems with Meeting the Protocol
• Non-prioritization of HIPAA compliance
• Documentation of P&P
• Evidence of compliance
• Consistency in all areas of the CE and their BAs
• Management unaware of P&P
Audit Readiness: Ensuring Success
Leadership is Key
• Positive attitude
• Good preparation creates successful audit outcomes
• Develop a process that ensures communication and feedback within your organization
Audit Response: Ensuring Success
Response Preparation is Key
• Conduct frequent meetings to collect observations and staff input
• Note deficiencies the team has had in responding to an audit question
• Engage consultants and seek legal advice when creating responses
• Focus on plans for remediation and timelines
Audit Readiness: Ensuring Success
Audit plan
+ Audit response team
= SUCCESS
IOD’s Approach to OCR Compliance
• Environmental Scan: Monitoring of Privacy Compliance and Investigations into Privacy Violations
• Conduct internal audits and risk assessments
• Focus on your BAs
• Manage 3rd party Risks
• Address Privacy Challenges
IOD’s Approach
• OCR Audit Protocol as Internal Tool
– Downloaded and created as an organizational reference tool
– Identify and document how the organization meets compliance to the protocol criteria/standards through activities, plans, policies, procedures, etc.
Refined Business Associate Management
• Identify all Business Associates (BAs) and Business Associate Agreements (BAAs)
• Develop compliant BAAs
• Address assurances that each BA is compliant
– Consider size and scope of the BA arrangement and potential impact of breach/security incidents (e.g., ROI and collections vendors)
– Monitor industry-reported breaches for BA concerns
– Consider annual communications to key BA contacts
Refined Breach Management Process
• Breach Management
• What Is Happening in Industry
• Increasing Investigations
• Increasing EHR Access Issues
• What are Key Risk Areas
• Targeted Training, Education, and Awareness Activities
• High Risk Events – Prepare and Document in Anticipation of External Audit (OCR, State Licensing Bureau, Joint Commission, etc.)
Target High Risk Areas
• Refocus Training, Education and Awareness
• All Staff – reduced “academics” of privacy and security and focused on breach scenarios
– Focused newsletter articles
• High Risk/Problematic Areas
– Unauthorized EHR access, use, or disclosure
– Lost/stolen devices (new reporting checklists)
– Social media (strong policy/education)
Evaluate P&Ps and Refine as Necessary
• Create, Review, Revise Privacy and Security P&P
– Templates need to be customized!
• Share with Business Associates and Partners
• Hold Workforce Members Accountable
• Strong Breach and Sanctions Guidance Required
Lack of Compliance… at what cost?
• $4.3 million: HHS Civil Money Penalty for HIPAA Privacy Rule violations
• $3.3 million: New York Presbyterian Hospital settles HIPAA case
• $1.7 million: Concentra Health Services settles HIPAA case
• $1.7 million: WellPoint Inc. settles HIPAA case
• $1.5 million: Massachusetts provider settles HIPAA case
• $800,000: Parkview Health System settles HIPAA case
Handling the Audit Challenge
• Recognize that security is a good thing
• Recognize that you can’t do it alone
• Recognize that you can’t do it overnight
• Believe that you can make it happen
Upcoming Co3 Events
• FS-ISAC EU Summit, London, UK: November 3-5
• QCon, San Francisco, CA: November 3-5
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a
nightmare scenario as painless as possible,
making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013
“Co3…defines what software packages for
privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and
very well designed.”
PONEMON INSTITUTE
Amy Derlink, RHIA, CHA
Chief Privacy Officer
IOD Incorporated
“One of the most important startups in security…”
– Business Insider
“...an invaluable weapon when responding to security incidents.”
– Government Computer News
“Co3 has done better than a home-run...it has knocked one out of the park.”
– SC Magazine
“Most Innovative Company 2014 Top 10”
– RSA Conference