Meaningful Use Achieving Core Objective #14 Montana HIMMS 2012 Spring Convention

Transcription

1 Meaningful Use Achieving Core Objective #14 Montana HIMMS 2012 Spring Convention Presented by John Whalen CISSP, CISA, CRISC

2 Contents Objectives Risk exercise Breaches Meaningful Use What is an assessment? Risk Next steps

3 Key objectives To remove mystery To illuminate info-sec aspects of Meaningful Use To help Montana hospitals avoid breaches

4 Exercise loss of PHI 1. Imagine that your hospital has been hacked. Please consider the ramifications. 2. What would this breach cost your hospital? Would it affect your hospital s reputation? Would it affect patient retention?

5 Healthcare breaches Frequency of data breaches increased 32% in 2011.

6 2012 breaches from Identity Theft Resource Center # of Breaches YTD: 160 # of Records Exposed YTD: 11.5 million 2012 Breaches Healthcare - 47 breaches YTD # of Records Exposed YTD: 1.4 million Healthcare Breaches

7 2012 Hospital breaches from Identity Theft Resource Center Oregon State Hospital Emory University Hospital North Shore-Long Island Jewish Health System Memorial Healthcare System Thomas Jefferson University Hospitals University of Arkansas Medical Sciences St. Joseph s Medical Center St. Elizabeth s Medical Center Sequoia Hospital Ohio State University Medical Center Howard University Hospital Robley Rex VA Medical Center Medical College of Georgia Kern Medical Center Hackensack University Medical Center

8 2011 Hospital breaches from Identity Theft Resource Center Swedish Medical Center Boulder Community Hospital Mount Sinai Hospital Texas Presbyterian Hospital Wake Forest Medical Center Loyola University Medical Center Provena Covenant Medical Center Methodist Charlton Medical Center Reid Hospital UMass Memorial Healthcare Fairview Southdale Hospital Jacobi Medical Center Trinity Medical Center Barnes Jewish Hospital Brigham and Women s Hospital Nyack Hospital Gunhill Medical Center North Central Bronx Hospital Tremont Health Center Texas Children s Hospital Saint Francis Broken Arrow Hospital Henry Ford Health System Charleston Area Medical Center VA Medical Centers in Akron, OH, Portland, OR and Lexington, KY Beth Israel Deaconess Medical Center Dekalb Medical Center Troy Regional Medical Center

9 Wall of shame at HHS Breaches Affecting 500 or More Individuals As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. ative/breachnotificationrule/breachtool.html

10 Hospital breaches-types Computer hackers through public website Lost or stolen paper medical records Lost or stolen laptops with ephi Stolen workstations Stolen thumb dives Stolen hard drives Computer hackers through viruses PHI stolen by employee Lost back up tapes Shared workstation breached Improper disposal of paper medical records

11 Increase in data breaches Paper records to digital less stable environment Push to digitize Outsourcing of data processing to cloud providers Increase in mobile devices to conduct business

12 Negative impact of breach What best describes the negative impact of breaches you experienced. Check all that apply. Brand or reputation diminishment 78% Time and productivity loss 81% Loss of patient goodwill 75% Loss of revenues 41% Cost of outside consultants and lawyers 40% Fines and penalties paid to regulators 26% lawsuits 19% Poor employee morale 15% No impact 16%

13 Per-record cost of healthcare breach $240

14 Breach cost breakdown Legal fees Consumer notifications Credit monitoring services Decreased patient retention Decreased patient acquisition -from Ponemon Institute

15 Patient churn 4.2 % Estimated number of customers who will terminate their relationship as a result of the breach incident. $113,400 Estimated average lifetime value of one lost patient. from Ponemon Institute

16 Survey of 400 breach victims 55% trusted the organization less 29% will terminate future relationship

17 Healthcare security 55 % of health care organizations say they have little or no confidence they are able to detect all privacy incidents. 61 % of organizations are not confident they know where their patient data is physically located.

18 IT s perspective My organization s senior management does not view privacy and data security as a top priority. 70% My organization does not have ample resources to ensure privacy and data security requirements are met. 61% My organization does not have adequate policies and procedures to protect health information. 54%

19 $1.5 M HIPAA fine Blue Cross Blue Shield TN This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program. OCR Director Leon Rodriguez

20 Meaningful Use HIPAA Privacy & security of patient info HITECH Breach notification, penalties, legal remedies Meaningful Use Protect patient info, conduct security assessment Security assessment Document current state, discover vulnerabilities Baseline & roadmap Mitigate. Put controls in place.

21 Hitech: Changes to HIPAA As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. Increased penalties based on three levels of culpability: 1) unknowing violation 2) violation due to reasonable cause 3) violation due to willful neglect

22 Hitech: Changes to HIPAA Civil penalties for the people involved ranging from $100 to $50,000 per violation, up to a maximum of $25,000 to $1,500,000 per year for the same violation. State Attorneys General authorized to bring civil actions under HIPAA on behalf of state residents. Business associates subject to HIPAA

23 HITECH and Meaningful Use = added enforcement "HIPAA wasn't being enforced anyway, so organizations felt they could do whatever they wanted and call themselves HIPAA compliant and secure, because nobody was ever going to knock on their doors." Paul Proctor, Gartner Inc.

24 Enforcement by complaint Periodic audits by Center for Medicare/ Medicaid HHS Office of Civil Rights began reporting its Security Rule enforcement results in October 2009: 436 complaints received 198 complaints closed 304 open complaints and compliance reviews

25 OCR enforcement Most investigated compliance issues: 1. Impermissible uses and disclosures of protected health information 2. Lack of safeguards of protected health information 3. Lack of patient access to their protected health information 4. Uses or disclosures of more than the minimum necessary protected health information 5. Lack of administrative safeguards of electronic protected health information

26 Remediation Entities with health information reported the following remedial action steps after the breaches: Revise policies and procedures Improve physician security by installing new security systems or relocation of equipment to safer places Train workers how to handle protected health information Provide free credit monitoring for customers Adopt encryption technology Improve sanctions against violators of policies and procedures Change passwords Perform a new risk assessment Revise business associate contracts to more explicitly require protection of confidential information

27 Enforcement by audit May 2011 HHS Office of Inspector General criticizes CMS oversight on HIPAA and HITECH as insufficient and recommends Office of Civil Rights implement random audits June 2011 OCR contracts with Booze Allen Hamilton to identify candidates June 2011 $9.2 million awarded to KPMG for 150 audits by end of 2012

28 HITECH & Incentive Payments HITECH (Health Information Technology for Economic and Clinical Health Act) Established programs under Medicare and Medicaid to provide incentive payments to EPs, hospitals, and critical access hospitals for the meaningful use of certified EHR technology. Electronic Health Record (EHR) Incentive Program The American Recovery and Reinvestment Act of 2009 (Recovery Act)

29 Medicaid Eligible Hospitals Eligible hospitals will qualify for incentive payments if they adopt, implement, upgrade or demonstrate meaningful use of certified EHR technology during the first participation year or successfully demonstrate meaningful use of certified EHR technology in subsequent participation years.

30 Reimbursement rates Providers failing to demonstrate meaningful use by 2014 will face Medicare penalties in the form of reductions in reimbursement rates starting in For year 2015, adjusted reimbursement rates will be 99%, % and %.

31 Core Objectives For eligible hospitals, there are a total of 24 meaningful use objectives. To qualify for an incentive payment, 19 of these 24 objectives must be met. There are 14 required core objectives. The remaining 5 objectives may be chosen from the list of 10 menu set objectives.

32 Core Set Objective # 14 Conduct or review a security risk analysis per 45 CFR ( (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

33 Administrative safeguards. (a) A covered entity must, in accordance with : (1) (i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

34 Administrative safeguards (cont.) (B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with (a). (C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. (D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

35 For reference Security standards: General rules. (a) General requirements. Covered entities must do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. (4) Ensure compliance with this subpart by its workforce. (b) Flexibility of approach. (1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. (2) In deciding which security measures to use, a covered entity must take into account the following factors: (i) The size, complexity, and capabilities of the covered entity. (ii) The covered entity's technical infrastructure, hardware, and software security capabilities. (iii) The costs of security measures. (iv) The probability and criticality of potential risks to electronic protected health information.

36 What is a security assessment? Baseline Roadmap

37 Think home inspection.

38 Ethical hackers Same tools as the hackers use An audit perspective

39 Assessment phases External vulnerability testing Internal testing Interviews Review of policies Wireless, passwords, physical security Remote offices visited

40 Deliverable Executive summary Tools and methodology Rating criteria Managerial and operational Technical Physical HIPAA-Readiness Technical reports

41 Risk matrix Vulnerability Risk rating Difficulty rating Description Action plan

42 What s your appetite for risk?

43 It s all about risk! Is $50,000 expensive? Is a long password too much to ask? Is a security policy too much trouble?

44 The Risk Executive Function

45 The Risk Executive Function Provides senior leadership input and oversight Integrates security organization-wide Risk-based protection strategies beyond single systems Visibility into mission/business processes and systems

46 Risk-Based Protection Strategies Identifying Understanding Mitigating Explicitly accepting residual risk

47 The CIA Triad Confidentiality prevents unauthorized disclosure of sensitive information Integrity prevents unauthorized modification of sensitive information Availability prevents disruption of service and productivity

48 Risk Analysis Risk analysis is a tool to: Identify the company s assets Calculate their values Identify vulnerabilities Estimate the threats and associated risks Assess the impact on the company if threat agents took advantage of current vulnerabilities

49 Risk assessment Gather stakeholders Analyze risk Hospital assets Potential threats Likelihood of threats acting against assets

50 Next steps Risk assessment: an internal effort to determine what is at risk. Gives context for security costs, disaster recovery and business continuity. Security assessment: use an independent team Discover vulnerabilities Prioritize vulnerabilities according to risk to your hospital / clinic Fix the holes in security Test again Ongoing: Submit your hospital to an infosec audit regime as you do with ongoing financial audits.

51 Hack: Hyundai Capital South Korea s largest consumer-finance company Hack occurred April 2011 According to CEO Biggest mistake: treating the IT department as simply one of many units that helped the company get its main job done Today he treats it as central to everything the company does Now the new IT security group reports directly to CEO From Wall Street Journal 6/21/11

52 CEO, Ted Chung What I learned from the hack: 1. Trust the authorities 2. Stay open and transparent 3. Learn IT and know where the vulnerabilities are 4. Create a philosophy that drives IT decisions 5. Reassess plans for products and services How things look and how they work is now secondary. Security is now first. From Wall Street Journal 6/21/11

53 Calculate your risk Multiply the number of records in the EMR by $240

54 Thank you! Have a great conference! John Whalen Security Practice Leader jwhalen@ceriumnetworks.com