Transcript Nassar Nizami Chief Information Security Officer

Karen Sunderland, CHPS
Senior Auditor, Electronic Information Privacy
1
Yale New Haven Health System
Who We Are
•
•
•
•
Three Member Delivery Network
Multiple Clinical Affiliations
Affiliated with Yale University
Destination Hospital for Patients Throughout the
United States
• Currently Going Through an Affiliation and
Acquisition Period
2
Facts & Figures
•
•
•
•
•
•
Medical staff
Employees
Total Licensed Beds
Inpatient Discharges
Outpatient Visits
Software Applications
5675
18,435
2130
93,923
1,397,632
……
3
Enterprise-Wide Clinical Systems
4
Auditing…
Where the rubber meets the road
Privacy, Security, and Meaningful Use
5
Meaningful Use Stage 1 & 2
Audit Logging - Privacy and Security
Many regulatory responsibilities depend on the availability of audit
logs for systems that access ePHI. Meaningful Use Stage 1 (2011-2012)
& Stage 2 (2013-2014) set a firm foundation for audit controls by
specifying the availability of audit logs:
• Meaningful Use Stage 1 (2011-2012)
– Certified EHRs must produce audit log
– Specification of required data elements
– Human readable form
• Meaningful Use Stage 2 (2013-2014)
–
–
–
–
–
–
–
EHR audit logging must be enabled by default
EHR audit log integrity
Tamper proof
Alterations detected
Network time protocol (NTP) and event ordering
Controlled administration for enabling & disabling
Patient portal access review
6
Protecting Patient Information
Balancing Act
• Proactive
• Can be Risky for
Patient Care
• Reactive
• Required as a
Detective Control
• Most non-Clinical Systems (HR,
Finance etc.)
• Most Clinical Systems
7
Access Audit Program
Up Until 2011
•
•
•
•
Random Audits
Family Members
Co-workers
VIPs
– News
– Known Community
Leaders
• Neighbors
• Manual
• One System at a Time
• No Correlation of
Events
– Between Various
Systems
– With HR Data
• Dependent on Staff
Skills
8
2011
• Decision made
• Key Requirements
– Correlation with HR Data
– Multiple System
• FairWarning®
9
Implementation Plan
•
•
•
•
•
•
Management Buy In
Resource Allocation
User Communication
Audit Policy Review
Sanctions Policy Review
System Feeds
– Different systems have different requirements
– Log Formats are different
•
•
•
•
Data Validation / QA
Complaint Driven Audits
Proactive Audits
Random Audits
10
User Communication
• Management
– Medical Records Committee
– Compliance Committee
•
•
•
•
•
Newsletters
Email Blasts
Special Mandatory Training Module
Annual Mandatory Training
Presentations to Target Groups
– Nursing Council, Leadership Forum, Physician Advisory
Board
11
Proactive vs. Reactive Audits
Complaint
Driven Audits
Proactive
Monitoring
and Alerts
12
Process
• Investigation, coordination with Managers, HR, OPCC,
University HIPAA Privacy/Security and Physician practices
• If inappropriate access is confirmed
– Breach Notification Risk Assessment based on the
NCHICA Tool/Template (need to revise) – low
probability test
– Identify policy violation, HIPAA violation, breach
• If breach is determined: notify patient(s), HHS and media
as necessary
• Report Out
13
Grey Areas
Self
With Release of Information
Prior to or post access
Family
Curbside Consult
14
Eliminating False Positives
15
Deterrent
Login Banner
16
Deterrent
Break the Glass
17
Lessons Learned
Resource Requirements
• Dedicated & Skilled Team
– Collaboration with application DBAs & analysts
• Source system data definitions
• Extract data validation is imperative
– Must be able to eliminate false positives
– FairWarning® is only the 1st step in the process
• Roles & Responsibilities of Related Departments
– Legal, Compliance, HIM, Security, HR, Patient Relations
• YNHHS Managers/Supervisors
• Co-ordination with Yale University (Privacy, Security, Legal)
• Co-ordination with contracting organizations (YNHHS acting as
the BA)
18
Lessons Learned
• No Such Thing as Enough User Communication
• Sanctions Policy
• Q/A (quality assurance) between FairWarning®
extracts and clinical applications audit log data
• Integration of multiple authoritative user sources
(YNHHS & University HR, multiple credentialing sources)
• Scalability
– Log Data Grows QUICKLY
– Processing Power
• Track Metrics from Day 1
19
Wish List
Future of Our Audit Program
• Optimized & Closed Loop Auditing
• Integration with Other Security System
– Security SIEM
• Integration with other incident management systems
– ComplyTrack
– Governance, Risk & Compliance (Modulo)
• Real Time Alerts
–
–
–
–
When bad things happen
When SIEM learns about it
When Someone takes Action
Resources to manage the volume of real-time application
level alerts
20
Wish List
Real Time Alerts
Access Happens
& Is Logged
Monday 8AM
Log Sent to SIEM
SIEM Processes
Someone Takes
Action
Tuesday 6AM
Tuesday 5PM
??
24 – 48 Hours Delay
21
Legislation
•
•
•
1996 HIPAA (Health Information Portability and
Accountability Act)
2002 FISMA (Federal Information Security Management
Act)
44 State CT HIPAA Security Breach Disclosure Laws
—
•
•
CT 05-148 An Act Requiring Consumer Credit Bureaus To Offer Security
Freezes
Red Flag Rule (Identity Theft)
Various State PII (Personal Identifiable Information) or
SSN laws
—
CT 08-167 An Act Concerning the Confidentiality of Social Security
Numbers
22
Legislation
(continued)
• Stimulus Legislation: American Recovery and Reinvestment
Act/Health Information Technology for Economic and Clinical Health
of 2009 (ARRA/HITECH 2009) requires government audits –
meaningful use requirements for stimulus dollars.
• HIPAA HITECH Final Rule: On January 17th, 2013, HHS released its
Omnibus Final Rule which modifies provisions of HIPAA, the HITECH
Act, and GINA. The Omnibus Final Rule became effective on March
26, 2013. Although, the first compliance deadline is not scheduled
until later this year (September 23, 2013).
• Government Enforcement – KPMG auditing (150 random covered
entities)
• FTC Consumer Protection (unfair/deceptive) Attorney General prebreach
23
ARRA / HITECH 2009
• Security / Privacy Breach
— Notification, not required in HIPAA, now required within 60 days
• Penalties and Audits
— Unknown: $100 to $50,000 per violation; max $1.5M by type
— Reasonable Cause: $1,000 to $50,000 per violation; max $1.5M by type
— Willful Neglect (Corrected within 30 days): $10,000 to $50,000 per
violation; max $1.5M by type
— Willful Neglect (Not corrected): $50,000; max $1.5M by type
— Civil and monetary penalties can be levied against individuals, including
possible imprisonment
— State’s Attorney General authorized to file suit on behalf of residents
— Health and Human Services to conduct periodic audits (KPMG)
• Business Associates (BAs)
— Subject to administrative, physical, and technical safeguards under HIPAA
— Subject to civil and criminal penalties
• Accounting Requirements
— Accounting of disclosures of (PHI) in EHR system for 3 years prior to
request
• Access to Electronic Health Record (EHR)
— Patients rights to electronic format of record if covered entity uses or
maintains EHR
• Incentive aid (Meaningful Use) for EHR estimated at $17B+
24
Cost of a security incident
• Financial costs
— Average breach cost in the range of $7.2 million (Ponemon Institute]
— Sample breach response costs
 $287.00 per medical record
 Credit monitoring and protections
— Reimbursing direct costs of identity theft
— Increase in business insurance
— Fines and penalties
• Less quantifiable costs
—
—
—
—
Public reputation and lost business
Lost productivity responding to breach
Increased regulator scrutiny
Compliance plan/consent decree costs may exceed direct legal
penalties
— Jail time
— Loss of employment
25
Impact of HITECH Final Rule
• “Significant risk of financial, reputational or other harm.”
• Harm test is gone, and must not be used after September 23, 2013.
• Presumption of reportable breach unless low probability that PHI has
been compromised after risk assessment.
– Low probability test
•
•
•
•
Nature and extent of the types of PHI, and likelihood of re-identification
Who received the PHI improperly
Whether PHI was actually acquired or viewed
Extent risk is mitigated
• Business Associate security requirements
– BAs and subcontractors must be fully compliant with all new rule
requirements, including full Security Rule compliance, by September 23, 2013.
– Definition of BA clarified
– New BAA template
• Starting March 26, 2013, for any new relationships, or when existing contract runs out,
you must apply the new rule
– Subcontractors to BAs
• Held to same standards as BA
26
Information Security in Healthcare
Availability
Security
Security
Availability
• Information Availability
o Quality of Patient Care
o Most of the Time Trumps
Security and
Confidentiality
27
Protecting Patient Information
Balancing Act II
• Most Industries Err on the Side of
Access Controls
• Proactive
• High
Maintenance
• Risky
• Reactive
• Time
Consuming
• Resource
Intensive
• Required to
Detect
• Healthcare is Opposite
• What if ……
28
Access Audit Program
•
•
•
•
Self Audit
Family Members
Co-workers
VIPs
– News
– Known Community Leaders
• Neighbors
• Random
• Odd Pairs
– Pediatrician looking @ Adult Male Record
• High volume / one-offs
29
Audit Process
Complaint Driven or Proactive Audit
Open a Case in Incident Management System
Eliminate false positives
Email Managers/Supervisors Incident Response Form to Complete
Manager Completes the Form & Email it Back
Information Entered Into Incident Management System
If HR Needs to Get Involved, They Enter Information in HR Database
Notification and reporting if breach is identified
Metrics Tracked in True and Tested Excel
30
Awareness and Training
• Objective: Create an awareness and training
program consisting of the following:
—Awareness and Training Plan Design
—Awareness and Training Material Development
—Program implementation - including options for
delivery methods (web-based, on-site presentations,
class room, video, articles, etc…) and establishing
metrics
—Post-implementation – monitoring effectiveness and
achieving established metrics (AKA Audits, Phishing
tests)
—Modify Training methods and content based on audit
results
31
Training vs. Awareness
• Training is direct and measurable. It strives to produce relevant and
needed security skills and competencies. The following are
examples of possible training methodologies:
— HealthStream modules (this is the primary training strategy for YNHHS)
— Presentations
— Classes/Work shops
• Awareness is subtly changing people over time. Awareness is not
training. The purpose of awareness is simply to focus attention on
security and is intended to allow individuals to recognize IT security
concerns and respond accordingly. Much more difficult to
measure. The following are examples of possible methods to
achieve awareness:
—
—
—
—
—
—
—
Email reminders
Videos
Posters
Contests
Articles
Screen savers
Web Site/Intranet
32
Questions?
33