
Helping companies protect their information, people, and facilities.
HIPAA and SB 1386: The New Security Imperatives
Presented by:
Russell L. Rowe
[email protected]
Background
Chief Security Officers, LLC is a full-service IT firm specializing in security compliance and auditing services. We help companies protect their information, people, and facilities.
www.chiefsecurityofficers.com
2
7/17/2015
Seminar Objectives
- Define HIPAA and SB 1386 and their impact on your business.
- Provide specific techniques to aid in planning and implementing security measures to meet HIPAA and SB 1386 requirements.
HIPAA
- Health Insurance Portability and Accountability Act (HIPAA)
- Privacy Rule compliance dates
  - 2/26/03 Healthcare Clearinghouses
  - 4/14/03 Large Covered Entities
  - 4/14/04 Small Covered Entities (small health plans)
- Security Rule compliance dates
  - 4/20/05 Large Covered Entities
  - 4/20/06 Small Covered Entities (small health plans)
HIPAA’s Goals
- Ensure health insurance portability
- Reduce health care fraud and abuse
- Guarantee security and privacy of personal health information
- Enforce standards for health information, i.e., medical records use and release
A Simple Mandate
“It is the responsibility of organizations that are entrusted with health information to protect it against deliberate or inadvertent misuse or disclosure. The final regulation requires covered organizations to establish clear procedures to protect patients' privacy, including designating an official to establish and monitor the entity's privacy practices and training.”
Affected Healthcare Organizations
- Health Plans
  - Individual or group plans that provide for or pay the cost of medical care
  - Employers that self-insure
- Providers (furnish healthcare services or supplies)
  - Hospitals, medical groups, physicians’ LLPs, clinics, emergency care facilities
- Clearinghouses
  - Public or private organizations that process or facilitate processing of health information
- Other Entities
  - Employers that want to utilize medical information for data mining
  - Pharmaceutical companies conducting clinical research
Affected Business Processes
- All individually identifiable information relating to past, present, or future:
  - Health conditions
  - Treatment
  - Payment for treatment
  - Demographic data collected by plans or providers
Administrative Procedure Standards
- Certification
- Chain of Trust Agreements
- Contingency Planning
- Record Processing
- Information Access Control
- Internal Audit
- Security Management
- Personnel Security
- Training
- Termination Procedures
- Security Incident Response
- Security Configuration Management
(These headings follow the 1998 proposed Security Rule. The final rule published in 2003 regrouped the same requirements into administrative, physical and technical safeguards, so map each item to its final-rule counterpart when auditing.)
Physical Safeguards
- Assigned security responsibility
- Media controls
- Physical access controls
- Policy/guideline on workstation use
- Secure workstation location
- Security awareness training
- Business continuity & disaster recovery plans
Technical Security Services Standards
- Access Control
- Authorization Control
- Data Authentication (Integrity)
- Entity Authentication
Technical Security for Network Communications
- Basic networking safeguards
  - Confidentiality
  - Integrity
  - Availability
- Network security issues
  - Integrity (message corruption) and confidentiality (message interception)
  - Protection from unauthorized remote access
Why Comply?
- Statutory Penalties
  - Standards: civil penalties of up to $100 per violation, capped at $25,000 per calendar year for violations of an identical requirement (the limits as originally enacted; later amendments raised them)
  - Wrongful disclosure: criminal penalties of up to $250,000 and 10 years in prison
- Cost Savings
  - Reduction in processing costs
  - Simplification of manual processing
- Improved Customer Service
  - Fewer errors
  - Quicker turnaround
  - Enabler of e-commerce
Healthcare IT Professionals Understand HIPAA’s Importance
- 79% say HIPAA is the top business issue in the healthcare industry
- Two-thirds say upgrading security to meet HIPAA is a top priority
Source: HIMSS leadership survey, 1/01
Structural Impact
- Cultural transformation for handling, using, communicating, and sharing patient information
- Major revamping of business/security policies and procedures
  - Must rethink how to protect security and privacy of patient and consumer information
- Additional information security technology solutions (e.g., PKI, VPNs, Business Continuity)
- Standard formats for most common transactions among healthcare organizations
- Replacement or substantial change to providers’ current systems and processes
Financial Impact
- Establish “Privacy Official”
- Extraordinary budget and staff requirements for the next two years
- More extensive than Y2K efforts: $5B in spending by end of 2003 (IDC)
- Large healthcare providers and/or payers could spend $50-$200 million each to become HIPAA compliant
20 Steps to Compliance
1. Identify gaps between current practices and proposed rules.
2. Identify key individuals to spearhead compliance efforts. Include senior management to ensure top-down support.
3. Educate staff, physicians, and other key constituents.
4. Make a comprehensive inventory of individually identifiable electronic health information your organization maintains. Include information kept on PCs and in research databases.
5. Conduct a risk assessment to evaluate potential risks and vulnerabilities to individually identifiable electronic health information. Include the possibility of outside attacks.
6. Develop a tactical plan to address identified risks, with highest priority on areas of greatest vulnerability.
7. Collect and organize existing information security policies into the four categories outlined in the security standards. Evaluate for currency, consistency, and adequacy.
8. Develop a checklist of policies to be developed. Assign responsibility to appropriate individuals.
9. Educate staff about security policies, and enforce them.
10. Establish a confidential reporting system so that security breaches can be reported without fear of repercussion.
11. Impose sanctions for violations. Prepare for system disruptions or data corruption that may result from security violations.
12. Assess the accuracy of the master patient index (MPI) for duplicates (patients assigned more than one number) and overlays (more than one patient assigned the same number). Out-task if necessary.
13. Evaluate the current billing system for EDI transaction standards and modifications.
14. Compare current health information disclosure procedures with the proposed privacy standards:
   - Are individuals allowed to inspect and copy their health information? Are reasonable fees charged?
   - Does the organization account for all disclosures of protected health information other than for treatment, payment, or healthcare operations?
   - Is there a procedure in place to allow individuals to request amendments or corrections to their health information?
   - Is there a mechanism for individuals to complain about possible violations of privacy?
15. Designate a privacy officer.
16. Review/revise existing vendor contracts to ensure HIPAA compliance. Ensure that business partners also protect the privacy of identifiable health information.
17. Evaluate new information security technologies.
18. Consider biometric identifiers (fingerprints, voiceprints, retinal scans) for secure authentication of users, and single sign-on technology to eliminate multiple passwords and logons.
19. Evaluate audit trails on existing information systems. Audit trails must record every access (including read-only access) to patient information, not just additions or deletions.
20. Look for audit trail technologies that can analyze large amounts of information and flag suspicious patterns.
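Steps 19 and 20 ask for audit trails that capture read-only access and for tooling that flags suspicious patterns in them. The following is an added example written for this page, not code from the seminar or from Chief Security Officers; the log format, user names, patient identifiers, the staff directory and every threshold are assumptions made for illustration. It parses constructed access-log lines and applies three review rules that healthcare security teams commonly run: after-hours access by office roles, a staff member viewing a patient who shares their surname (self or family lookup), and one user viewing an unusual number of distinct patients in a short window.

```python
"""Audit-trail review over constructed HIPAA access-log lines.

Added example, not material from the seminar deck: the log format, the
user names, patient identifiers, staff directory and every threshold are
assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One record per access to patient data. Read-only accesses (VIEW) are
# logged alongside changes, which is what step 19 requires.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+) lastname=(?P<lastname>\S+)$"
)

# Assumed staff directory: login -> surname, used by the self/family lookup rule.
STAFF_SURNAME = {"jsmith": "SMITH", "tlee": "LEE", "rdoe": "DOE"}

OFFICE_ROLES = {"billing", "clerk"}   # assumed: roles with no overnight duties
OFFICE_HOURS = range(6, 22)           # 06:00-21:59 counts as business hours
BULK_WINDOW = timedelta(minutes=15)   # sliding window for the volume rule
BULK_THRESHOLD = 5                    # distinct patients per window before flagging

# Constructed sample log: a nurse on a day shift, a billing clerk who looks up
# a patient sharing her surname, and a clerk paging through records at 3 a.m.
SAMPLE_LOG = """\
2003-07-14T09:02:11 user=jsmith role=nurse action=VIEW patient=P1001 lastname=GARCIA
2003-07-14T09:05:40 user=jsmith role=nurse action=UPDATE patient=P1001 lastname=GARCIA
2003-07-14T09:30:02 user=jsmith role=nurse action=VIEW patient=P1002 lastname=NGUYEN
2003-07-14T13:15:09 user=tlee role=billing action=VIEW patient=P2001 lastname=LEE
2003-07-14T13:16:00 user=tlee role=billing action=VIEW patient=P2002 lastname=OKAFOR
-- log rotated --
2003-07-14T02:47:33 user=rdoe role=clerk action=VIEW patient=P3001 lastname=SMITH
2003-07-14T02:48:10 user=rdoe role=clerk action=VIEW patient=P3002 lastname=BROWN
2003-07-14T02:49:05 user=rdoe role=clerk action=VIEW patient=P3003 lastname=PATEL
2003-07-14T02:50:21 user=rdoe role=clerk action=VIEW patient=P3004 lastname=KIM
2003-07-14T02:51:48 user=rdoe role=clerk action=VIEW patient=P3005 lastname=ROSSI
2003-07-14T02:53:02 user=rdoe role=clerk action=VIEW patient=P3006 lastname=ALVAREZ
"""


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # a production reviewer would count and report these
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_after_hours(events):
    """Office-role users touching patient data outside business hours."""
    return [(e["user"], e["patient"], e["ts"].isoformat())
            for e in events
            if e["role"] in OFFICE_ROLES and e["ts"].hour not in OFFICE_HOURS]


def find_name_matches(events):
    """Accesses where the patient's surname equals the user's own surname."""
    return [(e["user"], e["patient"]) for e in events
            if STAFF_SURNAME.get(e["user"]) == e["lastname"]]


def find_bulk_views(events):
    """Users who view more than BULK_THRESHOLD distinct patients within BULK_WINDOW."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > BULK_WINDOW:
                start += 1
            distinct = {x["patient"] for x in evs[start:end + 1]}
            if len(distinct) > BULK_THRESHOLD:
                findings.append((user, evs[start]["ts"].isoformat(), len(distinct)))
                break  # one finding per user is enough to open a review
    return findings


def review(log_text):
    """Run every rule and report how many read-only accesses were examined."""
    events = parse(log_text)
    return {
        "read_only_events": sum(1 for e in events if e["action"] == "VIEW"),
        "after_hours": find_after_hours(events),
        "name_match": find_name_matches(events),
        "bulk_view": find_bulk_views(events),
    }


if __name__ == "__main__":
    for rule, hits in review(SAMPLE_LOG).items():
        print(rule, hits)
```

On the constructed sample the review flags the clerk's six overnight reads under both the after-hours and bulk-view rules and the billing user's lookup of a patient named LEE under the name-match rule, while the nurse's daytime activity produces nothing. Each rule is a starting point for a human reviewer, not a verdict: the thresholds, the office-role list and the staff directory should come from the organization's own data, and the unmatched line count that this example silently skips should be reported so that gaps in the trail are visible.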
California SB 1386
California SB 1386 requires that Californians be notified promptly when confidential personal information about them has been compromised through a breach of any computer system that stores such information, once the breach is discovered.
Why was it created?
Early in 2002, the State of California data center that runs the payroll application for the State was breached. For many weeks, confidential information about 265,000 state employees was available to the intruders: names, addresses, bank account numbers, Social Security numbers, etc.
The data center did not notify anybody about the breach for many weeks, leaving state employees and lawmakers open to identity theft attacks for longer than necessary.
Who does the Bill impact?
Any business, government or non-profit agency, or individual that stores confidential information about California residents on their computers.
When does it become effective?
The Bill was approved by the Governor on September 25, 2002, and its provisions became effective July 1, 2003.
What’s considered to be “confidential personal information”?
An individual’s name in combination with any of the following: Social Security number, California Driver’s License number or Identification Card number, account number, credit or debit card number (together with any security code, access code or password needed to use the account), etc.
Information that is lawfully made available to the general public from government records is not considered confidential personal information.
What constitutes a breach of a computer system?
Any unauthorized access to a computer and its data constitutes a breach of a computer system. Typically, if a policy exists within a business or agency authorizing access to a computer and its data, any access outside the scope of that policy is unauthorized.
What if a computer was breached, but the confidential personal information was not stolen?
While possible, this would be very difficult to prove. It would depend on the technology used to store the confidential personal information and on the security policies and procedures in force within that infrastructure; in practice it means producing audit trails that show what the intruder did and what the intruder could reach.
What if I don’t monitor the systems and thus do not detect a breach?
Unfortunately, you will not be able to get away with such an argument. In general, businesses have a responsibility to exercise a certain level of care in protecting their information, especially information deemed confidential. By not monitoring your systems, and thus not detecting a breach, you can be accused of negligence for not applying what is considered to be the standard level of care within the industry.
Does SB 1386 apply to me if I do not have an office in California?
As long as you have a single employee or customer that resides in California, and as long as you store any confidential personal information about that employee or customer on a computer, you will need to comply with SB 1386.
It doesn't matter if you do not have an office in California, or do not maintain any computers in California; you're still responsible for upholding the provisions of SB 1386 as long as the above conditions are true.
What if I am just a small business, and not a large corporation?
SB 1386 does not discriminate based on the size of the business. If you are a Sole Proprietorship, a Partnership, an LLC, an LLP, a Corporation, a Non-Profit or any form of Government agency, and you maintain confidential personal information about a California resident on a computer, SB 1386 applies to you.
What if the data is encrypted?
Where the confidential data is encrypted on the computer, and in transmission between the computer and its authorized users, the company may be exempted from disclosure.
Notice the emphasis on the word "may". There are many different kinds of encryption technologies, ranging from trivial to break to "computationally infeasible". Depending on the kind of encryption you use, you may be judged to have exercised a sufficient, or insufficient, standard of care in protecting the data. The statute does not define "encrypted", so expect to show that the algorithm is a recognized strong one and, just as important, that the key was not stored on or exposed by the same breached system: encrypted data whose key the attacker also obtained is, for notification purposes, plaintext.
What if the confidential data is separated from the name and password?
SB 1386 defines personal information as an individual's name in combination with one of the listed data elements; for account, credit or debit card numbers the element also includes any security code, access code or password required to use the account. If your database holds the data elements but not the name that ties them to a Californian (or holds account numbers without the codes or passwords needed to use them), the SB 1386 disclosure rules do not apply to it.
The rationale for this is obvious: an attacker who stumbles upon Social Security numbers or account numbers but does not know who they belong to has a much harder job stealing identities. The separation has to be real, though. A name table on the same compromised server, or a join key the attacker can follow, gives the same result as storing everything together.
What preventive measures are available?
- Implementing rigorous policies and controls
- Re-architecting the critical infrastructure and/or applications
- Elimination of User IDs and Passwords
- Use of encryption beyond the network
Questions
Russell Rowe
President
Chief Security Officers
11445 E. Via Linda
Scottsdale, AZ 85259
480-344-2635
[email protected]
www.chiefsecurityofficers.com