- Number of slides: 42
HIPAA Security: Does Anybody Really, Really Care?
Todd Fitzgerald, CISSP, CISA, CISM
Medicare Systems Security Officer, National Government Services
HIPAA COW Fall Conference, Stevens Point, WI
September 21, 2007, 9 AM-10:15 AM
Company Background
• Largest processor of Medicare claims contracted by the Centers for Medicare & Medicaid Services (CMS)
  – Serve over 22.5 million people with Medicare in 26 states and 5 US territories
  – Processed over 208 million Medicare claims totaling $87.9 billion in 2006
• ISO 9001:2000 certified company
• Part of WellPoint (NYSE: WLP), the nation’s largest health insurer (43,000+ associates); Fortune 50 company (#35)
HIPAA Security: Does Anybody Really, Really Care? HIPAA COW Fall Conference 9/21/07 Copyright © 2007 Todd Fitzgerald All rights reserved. Slide 2
My Bio
Employment, the past 6 years…
• Currently Medicare Systems Security Officer for National Government Services
  – Formerly known as United Government Services (UGS) prior to the WellPoint/Anthem merger; AdminaStar Federal, Empire Medicare Services & UGS combined to form NGS
The prior X years…
• Odd information technology jobs in Wisconsin, Oklahoma, Texas, Pennsylvania & Delaware
The other stuff
• Speak and write on security issues I find interesting (and EVERYONE ELSE should also)
• 2 kids, both have health insurance because they are in college
• I think I live in downtown Milwaukee
• Started HIPAA COW Security Taskforce; HIPAA COW Board Member
Ok, Back To Why We Are Here…
The Question: HIPAA SECURITY: Does Anybody REALLY, REALLY CARE?
And The Answer IS…
(This slide is intended to be blank. Or was it? Was it here originally? Did one of you take it?)
Security Is THE Enabler of Healthcare Transactions
• HIPAA
• E-Health Initiatives
• RHIOs
• Healthcare Quality
• Patient Safety
• Information Access
• Information Exchange
• Privacy Rights
• Electronic Medical Record/Personal Health Record
Medicare Cares About Security
• 450 security controls
• Medicare Reform consolidating 15+ data centers into 3
• Rigorous security self-assessments
• Continuous audits
• Staff dedicated to security
Medicare Contracting Reform Consolidating Regions
(Map of consolidated regions)
Remember HCOW Security Rule Presentation? January… 200X
(Diagram: Protected Health Information surrounded by Administrative Procedures, Physical Safeguards, Technical Security Services, Technical Security Mechanisms)
5 Years of HIPAA Security Accomplishments
• Increased organizational awareness and education of security issues
• Assignment of security responsibility
• Communication of the concept of “risk”
• More thoughtful attention to need-to-know principles of security
• Mapping between HIPAA controls and other frameworks
Healthcare Security Breaches Making The Headlines…
• Inadequate security attention
• Staff improperly trained
• Misplacement of data
• Access beyond that required for job
2006 Top 10 Healthcare Security Breaches
1. Theft of computer disks and tapes containing 365,000 Providence Home Services patients
2. Veterans Affairs’ stolen laptop from home containing 26.5 million names and claims data
3. Sisters of St. Francis, Indiana temporarily lost 3 CDs containing 260,000 patients when computer returned to store
2006 Top 10 Healthcare Security Breaches (continued)
4. Stolen laptop, Vassar Brothers Medical Center – 257,800 former patients
5. 2 employees stole 25,000 patient records from Kaiser Permanente to apply for credit cards
6. Georgia-based PSA Healthcare reported 51,000 records on stolen laptop left in car
7. Nurse from Beaumont Hospital – 28,000 records from laptop in car
2006 Top 10 Healthcare Security Breaches (continued)
8. Aetna – 59,000 members from laptop in car
9. Hospital chain HCA Inc, 10 computers stolen containing 15-18K Medicare beneficiaries
10. Front-desk operator sold patient information on 1,100 people to a cousin for submitting fraudulent Medicare claims
Source: Report on Patient Privacy, December 2006
Healthcare Is Not Alone…
• Bank of America – 1.3 million consumers exposed
• DSW retail – 1.2 million consumers exposed
• Card Services – 40 million consumers exposed
• TJX Stores – 45 million consumers exposed
• UCLA – 800,000 consumers exposed
• Fidelity – 196,000 consumers exposed
Causes: lost back-up tape, hacking, internal theft, human error, stolen laptop
A Who’s Who of Fortune 500 Companies… And The List Is Growing
• California Department of Health
• California Department of Mental Health
• St. Joseph's Hospital
CMS Rationale for Publishing Guidance for Remote Use and Access to EPHI
• Increased risk to protected health information associated with increased remote access to EPHI
  – Increase in workforce mobility
  – Increase in offsite availability of EPHI
  – Increase in use of portable media storage devices
• Recent remote access security related incidents
  – Reported loss or theft of laptops containing EPHI
  – High profile incident involving Medicare beneficiary data being “left” on a hotel computer by an employee of a contracted health plan
  – Reported access to health information by unauthorized users
Source: Presentation, Office of e-Health Standards and Services, CMS
CMS Responds December 28, 2006 With Portable Device/Remote Access Security Guidance
• Risk analysis determines business necessity
• Policies, procedures, workforce training, permitted access must be consistent with Privacy/Security Rule
• Access, storage, and transmission processes must be in place
CMS Guidance Highlights The Risks Of Portable Device/Remote Access of EPHI
Access
• Logon/password lost or stolen
• Employee unauthorized offsite access
• Unattended workstations
• Contamination of remote access system
Storage
• Laptop/portable device lost or stolen
• Loss of data
• Inappropriate device disposal
• Data left on public external device
• Contamination
Transmission
• Data intercepted or modified
• Contamination
CMS Suggests Potential Mitigation Strategies To Address The Risk Areas
Access
• Two-factor authentication
• Technical user name processes
• Clearance procedures, role-based access, sanctions, training
• Session termination
• Personal firewalls/antivirus
• Training, anti-virus
Storage
• Track hardware
• Password protect files
• Lock mechanisms
• Encryption
• Ensure security updates
• Prohibit offsite devices for email
• Backup and archival policies
• Prohibit download w/o justification
Transmission
• Prohibit open network transmission
• Prohibit wireless access points
• Secure email
• SSL, HTTPS strong encryption for EPHI
• Anti-virus
Medicare Does Not Like Headlines Either, Hence The Following Internet Policy:
“Transmission of and/or receipt of health care transactions (claims, remittances, etc.) or other CMS sensitive data over the Internet is prohibited at Medicare business partners (or their agents). Practically, this prohibition means that CMS requires the use of private networks or dial-up connections with any entity that transmits or receives health care transactions and/or CMS sensitive data to or from the Medicare contractor. CMS is closely following the healthcare industry’s movement toward the adoption of industry-wide security technologies that ensure the confidentiality, integrity, and availability of data moved over the Internet and will reconsider the policy at the appropriate time.”
- CMS Business Partners Systems Security Manual
Percentage of Those Reporting Compliancy With Security Rule High
(Chart)
Source: AHIMA State of HIPAA Privacy and Security Compliance, April 2006
More AHIMA Findings Indicate Security Compliance Is Improving
• 100% have security officer, 65% full-time
• Security task forces decreasing (86% in 2004 to 59% in 2006)
• 54.3% updated systems/applications to comply with security rule
  – Firewalls (40.4%)
  – VPNs (25.9%)
  – Anti-virus/spam (38.2%)
  – Data backup technologies (30.2%)
• 31% involved in RHIOs
• Newsletters (64.6%), staff meetings (68.8%) and reminders (56.3%) predominant method of training
• “It appears security regulations were easier to implement than the privacy rule.”
Source: AHIMA State of HIPAA Privacy and Security Compliance, April 2006
Phoenix Health Survey Indicates Attention Still Needed
• Providers are of particular concern
  – 56% implemented security standards (80% of payers)
  – 49% of hospitals with 400 or more beds compliant
  – 70% of hospitals with <100 beds and large physician groups compliant
• Breaches remain a concern
  – 39% of providers and 33% of payers experienced a breach in the last 6 months
• Claims of full compliance; gaps remain
• Agree that HIPAA implementation created greater attention to patient privacy and security
• Budget constraints, other higher priority projects, complex infrastructures slowing progress
Source: Phoenix Health Systems/HIMSS Summer 2006 survey
And WEDI Notes There Are Still HIPAA Gaps
• PHI data posted on bulletin boards for training
• Lack of policies and procedures
• Portable devices being used without training
• Lack of remote device/storage media inventories
• Visitor access to PHI areas
• Out of date disaster recovery planning
• Lack of formal audit process
• Lack of regular, periodic security assessments, risk analysis with security rule
Source: WEDI Testimony 5/1/2007 to NCVHS Subcommittee
Are We Improving Security? At What Level Do We Have Minimum Security?
(Diagram of maturity levels: Policy → Procedure → Implemented → Tested → Integrated; callout: Today’s Key Challenge In Many Organizations)
Or… Are We Improving Security Compliance?
POLICY: CLOSE AND LOCK WINDOWS AT THE END OF THE DAY
PROCEDURE: CHECK LATCH; LOG WINDOW CHECKED
IMPLEMENTATION: MAINTAIN EVIDENCE IN LOG BOOK FOR AUDITORS
CMS Office of External Affairs Enforcement Statistics
• Complaint driven
• 28,000 privacy complaints filed with OCR since HIPAA Privacy Rule issued
• 244 security complaints
• FAQs issued, outreach activities
• NIST 800-66 document revision expected March 2008
• Complaint compliance by attestation vs. inspection/review
Most of The CMS HIPAA Security Complaints Issued Are Due To Human Error
• Poor judgment, not malicious intent
• Company needs to stress users are the keepers of very confidential data
• Good job of documenting policies & procedures, but not training
• Access by foolishness
• Company has no way to protect
• Protections may be complex; company still has responsibility
• Wireless devices, USB drives are next large concern area
Security Litigation: What Is The Herd Doing? Do We Know?
✓ Reviewed Final HIPAA Security Rule
✓ Established security officer role
✓ Identified gaps
✓ Created mitigation plan
✓ Implemented security controls
✓ No right of private action under HIPAA… BUT
RIPPED From The Headlines: 2006 North Carolina Appeals Court Allows New Use Of HIPAA In Lawsuit
Source: Amednews.com 3/12/2007
• Psychiatric records disclosed
• Patient sues clinic owner for providing password to an office manager
• Claim used HIPAA as the standard of care
• Suing under negligence, new avenue for plaintiffs?
Piedmont Hospital Audited In March 2007 For Security By DHHS OIG
• “HIPAA Audit Riles Health IT” …reported June 15, 2007
  – Was it a HIPAA audit?
  – Will there be more of them?
  – Is security enforcement being done by the OIG in the private sector?
  – What is the standard of care?
  – What implications are there for health care entities?
Policies & Procedures Requested For 24 e-PHI Security-Related Issues
• Establish/terminate user access
• Emergency IT system access
• Inactive sessions
• Recording/examining activity
• Risk assessments
• Employee violations/sanctions
• Electronic transmission
• Incident prevention, detection, containing
• Regular access review
• Security violation logging
• Monitoring systems and network
• Physical access to systems
• Types of security access controls
• Remote access
• Internet usage
• Wireless security
• Firewalls, routers, switches
• Physical security repair
• Encryption/decryption
• Transmission
• Password and server configurations
• Antivirus software
• Network remote access
• Patch management
…And Please Provide A List of…
• Information systems, network diagrams
• Terminated employees
• New hires
• Encryption mechanisms
• Authentication methods
• Outsourced/contractor access
• Transmission methods
• Org chart for IT, Security
• Systems Security Plans
• All users with access, including rights
• System administrators, backup operators
• Antivirus servers
• Internet access control software
• Desktop antivirus software
• Users with remote access
• Database security requirements/settings
• Domain controllers, servers
• Authentication approaches
Source: “HIPAA Audit: The 42 Questions HHS might ask”, Computerworld, June 19, 2007
Security Audits Necessary To Ensure Controls Are Functioning
(Diagram: Central Management cycle, with Audit at each step: Assess Risk & Determine Needs → Implement Policies & Controls → Promote Awareness → Monitor & Evaluate)
Source: “Learning from Leading Organizations”, GAO/AIMD-98-68, Information Security Management
DHHS Office of Inspector General Audits Have An Integrity Mandate
• Authority established in 1978 under the Inspector General Act of 1978 (Public Law 95-542) to:
  – Conduct & supervise audits related to DHHS programs/operations
  – Recommend policies to:
    • Promote efficiency/effectiveness
    • Prevent/detect fraud and abuse
  – Provide a means to:
    • Inform Head of DHHS and Congress of problems and corrective actions
    • Protect integrity of DHHS programs
OIG Conducts/Oversees Multiple Audit Types and Standards
• Government audits
  – Driven by security standards OMB A-123
  – Chief Financial Officer’s Audit (FISCAM/NIST)
  – Medicare Modernization Act of 2003 (Section 912) Audit
  – Federal Information Security Management Act of 2002
  – SAS 70
  – HIPAA-based reviews of nongovernment entities?
What Is An OIG-Led Audit Like?
(Flow: Agreed Upon Procedure → Request List → Sample Selection → Testing → Findings → Corrective Action)
1. May be co-sourced, or completely outsourced to external auditor
2. Audit entrance conference scheduled 2 weeks in advance
3. Agreed Upon Procedures (AUP) issued
4. Prepared By Client (PBC) list requested by auditor
5. Multiple meetings/interviews scheduled
6. Samples selected
7. Policies/procedures requested, evidence requested
8. Exit conference/draft report
9. Corrective actions prepared
10. Follow-up meetings
11. Closure of findings at next audit cycle, new sample pulled
FINAL THOUGHTS: Security Is Ongoing, and It Is Hard To Make Sure NOTHING HAPPENS
(Graphic: SUCCESS / FAILURE)
Our Security Future…
• Increased guidance driven by security events
• HIT will drive enforcement/audits
• Government audits continue to get more detailed
• Company must protect (itself) against human error through:
  – Policies
  – Procedures
  – Training
• “Standard of care” bar is increasing
Final Thoughts: Does Anybody Really Care?
• YOU BET!
  – Headlines: trust inhibitor
  – Office of Inspector General financial statements
  – Federal Information Security Management Act (Medicare Reform mandated compliance)
  – Private litigation, impacted consumers
  – Health Information Technology success
Thank You!!
Todd Fitzgerald, CISSP, CISA, CISM
Medicare Systems Security Officer
6775 W. Washington St, Milwaukee, WI 53214
Todd.fitzgerald@ugswlp.com
Todd_fitzgerald@yahoo.com