Security & Privacy Beyond HIPAA


Security and Privacy
Requirements Beyond HIPAA
Tom Walsh, CISSP
Tom Walsh Consulting, LLC
Overland Park, KS
Objectives
• Understand some of the potential impacts on
information security and privacy as a result
of the new ARRA or “stimulus bill” on
covered entities and their business associates
• Gain awareness and an understanding of the
requirements for:
– FTC’s Identity Theft Red Flags Rule
– PCI Data Security Standards
– Data breach disclosure laws
Copyright © 2009, Tom Walsh Consulting, LLC
Objectives (cont.)
• Identify some potential sources of identity
theft and data breaches
• Determine who in your organization needs to
be included and the key departments for
your organization’s (renewed) compliance
efforts
• Locate resources for additional information
American Recovery and Reinvestment Act
a.k.a. “Stimulus Bill”
• Other names or references
– ARRA
– Public Law 111-5
– H.R. 1
– Stimulus Bill
• Date of enactment: February 17, 2009
– Key date for the timing of future deadlines
• Appropriations Provisions – 16 Titles
– Title XIII – Health Information Technology
• Subtitle D - Privacy
Implications and future changes have yet to be fully comprehended
Brief History
(Why is Privacy in the Stimulus Bill?)
• 1996 – HIPAA is passed; Congress has three years to enact medical
privacy protection standards; fails to do so; too busy trying to
impeach Bill Clinton; by default DHHS creates Privacy standards
• 1998 (Aug) – Proposed HIPAA Security Rule is released for comment
• 1999 (Nov) – Proposed HIPAA Privacy Rule is released for comment
• 2002 – Final HIPAA Privacy Rule is released
• 2003 (Feb) – Final HIPAA Security Rule is released
• 2003 (Apr 14) – Deadline for compliance with HIPAA Privacy Rule
• 2005 (Apr 20) – Deadline for compliance with HIPAA Security Rule
No changes to the rules since the final release
What was the computing environment like back then versus now?
Promotion of Health Information Technology
• Office of the National Coordinator (ONC) for
Health Information Technology (HIT) (Section 3001)
– Chief Privacy Officer
• Appointed by the Secretary of HHS
• To advise on privacy, security, and data stewardship
– HIT Policy Committee (Section 3002)
• Appointed positions
• Make recommendations for nation-wide health
information technology infrastructure
– HIT Standards Committee (Section 3003)
• Appointed positions
• Make recommendations for electronic exchange and use
of health information
Privacy – Subtitle D
Section 13400 – Definitions of 18 terms
Many have the same definition as found in HIPAA,
but unique to ARRA are:
• Breach
• Unsecured Protected Health Information
• Electronic Health Record (EHR)
• Personal Health Record (PHR)
• Vendor of Personal Health Record
New Definitions
• Breach – In general terms means the
unauthorized acquisition, access, use, or
disclosure of protected health information
which compromises the security or privacy of
such information
• Unsecured Protected Health Information –
protected health information (PHI) that is not
secured through the use of a technology or
methodology specified by the Secretary
Breach
• Covered entity must notify each individual
whose unsecured PHI has been, or is
reasonably believed to have been accessed,
acquired, or disclosed as a result of a breach
• Notifications
– Who? What? How? (based upon number of individuals)
– When? Must be made without reasonable delay
and no later than 60 days from discovery
• Discovery - Key concept, “…should reasonably
have been known…”
Breach – Non Covered Entities
• Includes vendors of PHR
• Includes 3rd parties that provide services to a
vendor of PHR
• Requirements for reporting breaches same as
covered entities except that the notification
is made to the Federal Trade Commission
(FTC) rather than the Secretary of HHS
• The FTC will also notify the Secretary of HHS
Business Associates
Application of Security Provisions (Section 13401)
• HIPAA security applies to Business Associates
– §164.308 Administrative Safeguards
– §164.310 Physical Safeguards
– §164.312 Technical Safeguards
– §164.316 Policies and Procedures and
Documentation Requirements
Business Associates
• Business Associate Agreement (BAA) will
need to be updated to incorporate the new
HIPAA Security Rule requirements into the
agreement
• Must respond to Privacy noncompliance
issues the same as a Covered Entity
• Business Associate will now also be subject
to the civil and criminal penalties for
violating any of the security provisions
Disclosures
• Secretary will issue guidance on “minimum
necessary”
• Accounting of Disclosures – HIPAA revision
– Old “…except for TPO” (Treatment, Payment, and
healthcare Operations)
– New – If the Covered Entity uses or maintains an
electronic health record (EHR), then the
exception for Accounting of Disclosures for TPO
no longer applies (Note: Disclosure vs. Use)
– Two deadlines: January 2014 or January 2011
based upon when the EHR was implemented
Enforcement
• Clarification of Application of Wrongful
Disclosures Criminal Penalties (Section 13409)
– Individuals can be prosecuted under HIPAA and ARRA
• Improved Enforcement (Section 13410)
– “Willful neglect” by employees – now can be held liable
– State Attorneys General may bring civil action
• Audits (Section 13411)
– Periodic audits to ensure that covered entities and
business associates comply with HIPAA and ARRA
Identity Theft Red Flags Rule
• Implements sections of the Fair and Accurate
Credit Transactions Act of 2003 (FACT Act)
• Applies to financial institutions and creditors
that hold any consumer account
• Applies if a healthcare provider:
– Permits payment of services to be deferred
– Allows payment in multiple installments
• Must comply by May 1, 2009
Things to Consider
• Types of patient billing accounts
• Methods used to allow installment payments
(may be considered “covered accounts”)
• How a covered account is accessed
– Example: Web portal for patient bill paying
• Previous incidents of identity theft
• Privacy safeguards and security controls
currently in place to protect an individual’s
identity and personal information (i.e. HIPAA)
PCI Security Standards Council, LLC
• Responsible for the security standards
• Formed in September 2006 by the five major
credit card companies:
– Visa International
– MasterCard Worldwide
– American Express
– Discover Financial Services
– JCB (Europe)
www.pcisecuritystandards.org
PCI Data Security Standard
• 12 requirements that must be followed
– State law in Minnesota; other states next?
• If the merchant lacks adequate controls:
– May be fined (payments withheld)
– May be held liable for credit card losses
– Could lose merchant status – ability to accept credit cards
• Merchants fall into one of the four merchant levels
based on transaction volume over a 12-month period
– Regardless of level, all merchants must comply
PCI Terminology
• Merchant – Any business that accepts credit
cards for payment
• POS – Point of Sale terminal – used for swiping
credit cards; usually connected to the bank via a
modem
• PAN – Primary Account Number
• CVV – Card Verification Value – the last three
digits printed on the signature panel on the back
side of credit cards for transaction authorization
when the payment is not made in person
Conducting a PCI Self-Assessment
• Determine the volume of transactions
• Inventory where credit card transactions
occur
• Conduct a self-assessment
• Remediate identified issues
• Create a Credit Card Handling policy
• Create, deliver, and document user training
on Credit Card Handling
Key Departments – Workflows
• Patient financial services (billing)
• Admitting, registration, or cashier
• Gift shop
• Cafeteria
• Outpatient services
– Pharmacy
– Durable medical equipment (DME) and other
medical supplies
– Urgent care centers
State Data Breach Disclosure Laws
• California – leading the way…
• 44 States now have some type of law
• Wisconsin
– Act 138 requires notification in the event that
personal information is lost or illegally accessed
– Office of Privacy Protection
www.privacy.wi.gov
• Other Wisconsin resources:
http://www.legis.wisconsin.gov/lrb/pubs/ttp/ttp-04-2008.html
Identity Theft in the Workplace
Some possible sources:
• Carelessness – loss of mobile computing devices
• Stealing (and in some cases, selling) employee records
from their employer
• Conning information out of employees
• Unsecured data – paper or electronic
• Rummaging through trash
• Improper disposal or resale of computing
devices and/or media
• Hacking into computers
Preventing Identity Theft
People, Processes, and Technology
• Background and clearance checks on key
employees
– System administrators
– Patient Financial Services or Patient Accounting
• Proper handling and disposal of media
• Encrypt data at rest and while in transmission
• Auditing and monitoring
Renewed Compliance Efforts
• Corporate Compliance Officer
• Privacy and Information Security Officer
• Risk Management / Legal Counsel
• Patient Access (Registration / Admitting)
• Patient Financial Services (Accounting)
• Others? ______
Governance, Risk, and Compliance (GRC)
• ARRA
• HIPAA
• SOX
• PCI DSS
• FISMA
= Governance framework for an information security program for
consistency in satisfying multiple regulations and requirements
Resources
• An electronic copy of ARRA (PDF format)
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h1enr.txt.pdf
• PCI Security Standards Council, LLC
www.pcisecuritystandards.org
• PCI Frequently Asked Questions
www.pcisecuritystandards.org/about/faqs.htm
• FTC’s Identity Theft Site
www.ftc.gov/bcp/edu/microsites/idtheft/
• Identity Theft Resource Center
www.idtheftcenter.org
Summary
During this session we discussed:
• Privacy and security highlights of the new
ARRA or “stimulus bill”
• An awareness of:
– FTC’s Identity Theft Red Flags Rule
– PCI Data Security Standards
– Data breach disclosure laws
• Ideas for preventing identity theft
• Renewed involvement for compliance
• Resources for more information
Questions?
Tom Walsh, CISSP
913-696-1573
Good News!
Because of the current global economic crisis,
hackers, creators of malicious code,
spammers, and disgruntled former
employees have all pledged to be
compassionate to businesses and individuals
by cutting back on their harmful and
disruptive activities by at least 30%.
More Good News!
Additionally, Congress has urged all
American employees who still have a job to
temporarily suspend any of their
unauthorized activities that could disrupt or
significantly impact businesses until after the
current economic crisis has passed.
Even More Good News!
It was announced yesterday that the United
Nations overwhelmingly passed a measure,
which can only be described as an
extraordinary act of reconciliation, that with
Barack Obama now as president of the
United States, all nations vow to no longer
harbor any hostilities toward the United
States government and its people.
Sad Reality
• While everything else in our economy is
declining, threats to information security are
on the rise
• Desperate times result in desperate
measures
– People are willing to do whatever it takes to ensure
their own personal well-being
– Employees on the verge of being laid off or former
employees that recently lost their job represent a
significant threat to security