Transcript Information Risk Management -- The Key Component for HIPAA
Information Risk Management Key Component for HIPAA Security Compliance
Ann Geyer Tunitas Group 209-754-9130 [email protected]
www.tunitas.com
Federal Law Mandates Security Controls for Health Information
– HIPAA Statutory Requirement -- 1996
  • General requirement to safeguard all PHI
  • Framework for security regulation
– Privacy Rule -- 2003
  • General requirement for admin, physical, and technical safeguards
  • Covers all PHI (paper, electronic, spoken)
  • Emphasis on Patient Rights and Appropriate Use
– Security Rule -- 2005
  • Specific standards and implementation specifications
  • Covers electronic PHI
  • Emphasis on Confidentiality, Integrity, and Availability
Information Subject to Security Rule
– Electronic Protected Health Information (EPHI)
  • Is PHI that is electronically maintained or transmitted by a Covered Entity
  • PHI is any individually identifiable information about a patient that is created, received, processed, or stored by a health plan, clearinghouse, or healthcare provider (or their business associates)
– Not Included
  • Any PHI that is not stored electronically, and
  • Information that was not in electronic form prior to transmission (e.g. oral communications, telephone conversations, paper faxes, film images)
HIPAA Security Purpose
– Ensure Confidentiality, Integrity (Authenticity) and Availability
– Information security is now a patient safety requirement
– Elevate Information Risk Management to the level of other compliance areas
HIPAA Security Rule
General Rule §164.306(a)
Covered Entities must:
1. Ensure the confidentiality, integrity [authenticity], and availability of all electronic protected health information (EPHI) the CE creates, receives, maintains, or transmits
2. Protect against any reasonably anticipated threats or hazards to the security or integrity [authenticity] of EPHI
3. Protect against any reasonably anticipated uses or disclosures of EPHI that are prohibited by the HIPAA Privacy Rule
4. Ensure compliance by the workforce
General Rule Significance
– Congress intends the Rule to set a high standard
  • Ensure means to “Make Inevitable”
– But Rule also permits Flexibility §164.306(b)
  • CE may use any measures that implement the Rule requirements, and
  • CE must take into account certain factors:
    – Size, complexity, and capabilities
    – Technical infrastructure, hardware and software security capabilities
    – Costs of security measures
    – Probability and criticality of potential risks
Acceptable Level of Risk
– CE must use formal risk analysis methodology to determine the acceptable level of risk
– CE can live within the limits of existing IS capabilities, or current limitations that permit undue risks must be changed
– The risk mitigation costs too much, or the CE didn’t allocate sufficient budget to address the risk
– CE can reject security measures that are too complex, or CE must develop the skills and experience to apply best available measures
Security Compliance
– Compliance means a well designed and integrated Information Risk Management program
  • Necessary to demonstrate understanding of risks to the EPHI
    – CE must conduct an “accurate and thorough assessment of the potential risks and vulnerabilities” § 164.308(a)(1)(ii)(A)
  • Non-compliant if
    – Not thorough -- failure to consider all significant threats
    – Not accurate -- failure to adequately estimate the likelihood or impact of a threat
    – Not responsive -- failure to mitigate risk to an acceptable level
Information Risk Management
Program Components
1. Risk Assessment
   – Determine the risk level
2. Risk Mitigation
   – Identify how risk will be reduced to an acceptable level
   (Items 1 and 2 together constitute the Risk Analysis)
3. Information Management Policy and Procedures
   – Combination of privacy and security policy that accomplishes the following:
     • Prevents PHI use or disclosure without authorization
     • Prevents PHI modification or tampering that could result in integrity/authenticity or availability issues
     • Ensures workforce is trained, supervised, monitored, and appropriately sanctioned;
     • Ensures organization is able to monitor PHI activity to determine when and how a compromise has occurred; and
     • Ensures known risks are appropriately addressed
Information Risk Management
Program Components
4. Standards
   – Establish minimum security control sets based on risk classification
   – Develop process for requesting and approving deviation from a required control set
5. Audit and/or Re-assessment
   – Periodically evaluate whether safeguards and minimum control sets are still effective
   – Determine whether a new risk assessment is warranted
   – Audit high risk areas, known problem areas, new technology, new applications
6. Management Review
   – Objective and conflict-free
   – Focused on acceptable risk
   – Clearly considers patient safety and confidentiality factors
Information Risk Management
– What’s Acceptable Risk
  • Rule says acceptable risk is that which satisfies the General Rule §164.306(a)
  • No objective standard; organization must rely on industry best practices and its own determination of risk and consequences
– Key Organizational Requirements
  • Understand how information security failures impact the organization
    – Patient care and safety
    – Revenue lifecycle
    – Management and financial functions
    – Operations and workflow
    – Compliance, risk management, legal
Risk-based Business Decisions
– Would you manage differently if you knew that PHI would be compromised?
  • HIPAA expects PHI to be treated as securely as financial or tax information
  • Healthcare organizations will be evaluated on the basis of how well they manage their fiduciary responsibilities to protect patient information
  • Electronic PHI is becoming the norm
    – Email and data transfer
    – EMR, CPOE, E-prescriptions, PAMF online for patients, Sutter’s virtual ICU
  • Securing EPHI has to become as important as paper based records management
Conducting a Risk Analysis
Risk Assessment
1. Impact Analysis (Business Manager)
   – What is the business impact of a loss of confidentiality, integrity, availability
2. Exposure and Controls (Technical Manager)
   – Where is the system located
   – What are the big picture exposures
   – What security controls are in place
Conducting a Risk Analysis
Risk Mitigation
3. Risk Characterization (Security, Compliance, Risk Management or Other Management)
   • Greatest impact determines the required security level
   • Security level determines the required control set
   • Risk is mitigated by the implementation of a control
   • Missing controls create unaddressed risk
   • Organizational risk decisions
     – Accept the risk (not implement a control)
     – Mitigate the risk (fix a missing control)
     – Reduce the exposure (isolate the system)
     – Reduce the impact (reduce dependency)
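The three-step risk analysis described in the two slides above (impact analysis, exposure and controls, risk characterization) carried through in code, as an added worked example; this is not a tool or method from the presentation or from the Tunitas Group. The Low/Moderate/High impact scale, the control names, the level-to-control-set mapping and the sample system are all constructed for illustration; the slides give no scale or control list.

```python
"""Worked risk characterization (added example, not from the presentation).

Model taken from the slides:
  1. Impact analysis rates the business impact of losing confidentiality,
     integrity and availability (Low/Moderate/High is an assumed scale).
  2. The greatest of the three impacts determines the required security level.
  3. The security level determines the required control set.
  4. A required control that is not in place is unaddressed risk, and every
     such gap needs one of the four organizational decisions: accept,
     mitigate, reduce exposure, reduce impact.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Constructed minimum control sets per security level (assumption: a higher
# level inherits everything required at the levels below it).
BASELINE_CONTROLS = {
    Impact.LOW: {"unique user ids", "access review", "backup"},
    Impact.MODERATE: {"audit logging", "encryption in transit", "patch management"},
    Impact.HIGH: {"encryption at rest", "multi-factor authentication", "offsite backup"},
}

# The four organizational risk decisions named on the slide.
DECISIONS = {"accept", "mitigate", "reduce exposure", "reduce impact"}


@dataclass
class System:
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact
    controls_in_place: set = field(default_factory=set)


def required_level(system: System) -> Impact:
    """Greatest impact determines the required security level."""
    return max(system.confidentiality, system.integrity, system.availability)


def required_controls(level: Impact) -> set:
    """Security level determines the control set: union of all baselines up to it."""
    return set().union(*(BASELINE_CONTROLS[lvl] for lvl in Impact if lvl <= level))


def missing_controls(system: System) -> set:
    """Required controls that are not implemented are unaddressed risk."""
    return required_controls(required_level(system)) - system.controls_in_place


def characterize(system: System, decisions: dict) -> dict:
    """Attach an organizational decision to every gap.

    A gap with no recorded decision (or an unrecognized one) is flagged:
    the slide's 'not responsive' case is risk left open without a conscious
    accept/mitigate/reduce choice.
    """
    gaps = missing_controls(system)
    undecided = {c for c in gaps if decisions.get(c) not in DECISIONS}
    return {
        "system": system.name,
        "level": required_level(system).name,
        "missing": sorted(gaps),
        "undecided": sorted(undecided),
        "responsive": not undecided,
    }


# Constructed sample: an EMR-like system whose integrity and availability
# losses would have high impact, with a partial control set in place.
EMR = System(
    "emr", Impact.MODERATE, Impact.HIGH, Impact.HIGH,
    {"unique user ids", "backup", "audit logging", "encryption in transit",
     "encryption at rest"},
)
# Decisions recorded so far; "access review" has not been decided.
EMR_DECISIONS = {
    "multi-factor authentication": "mitigate",
    "offsite backup": "reduce impact",
    "patch management": "mitigate",
}

if __name__ == "__main__":
    print(characterize(EMR, EMR_DECISIONS))
```

The point of the `responsive` flag is that a gap is not closed merely by listing it: the organization either implements the control, isolates the system, reduces its dependency on it, or explicitly accepts the risk, and the record of that decision is what an auditor asks for.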
Conclusion
Information Risk Management
– Represents the basic set of responsibilities for addressing information security
– Permits each organization to determine specific details for how to best achieve an acceptable security level
– Important to take security seriously; integrate security requirements into all aspects of information use within the organization
– Business functions must learn how to make risk based operational decisions
– Using PHI without due regard for its security is no longer an option