
Best Practices for Healthcare Incident Response: HIPAA Compliance & Breach Management, Study notes of Innovation

Insights from industry experts on best practices for incident response plans in healthcare organizations, focusing on HIPAA compliance and breach management. Topics include the data breach landscape, cybersecurity threats to healthcare, HIPAA security rule safeguards, and practical tips for developing effective incident response plans.

What you will learn

  • How can healthcare organizations address the cybersecurity threat and prevent data breaches?
  • What are the best practices for developing incident response plans in healthcare organizations?
  • What are the consequences of not having an effective incident response plan in place?
  • What are the HIPAA security rule safeguards that address incident response plans?
  • What are the current statistics related to healthcare breaches?

Typology: Study notes

2021/2022

Uploaded on 09/12/2022

shally_866
shally_866 🇺🇸


Incident Response: Best Practices in Breach Management

Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, VP of Privacy, Compliance and HIM Policy, MRO

Melissa Landry, RHIA, Assistant Vice President of Health Information Management, Ochsner Health System

Agenda

  • Current Environment and Statistics related to Healthcare Breaches
  • Breaches under HIPAA and State Law
  • HIPAA Security Rule Safeguards that Address Incident Response Plans
  • Best Practices for Incident Response Plans
  • The First 24 Hours Following a Breach
  • Questions

2 Reputation. People. Innovation. Outcomes.

Data Breach Landscape Statistics

  • Data breaches cost companies an average of $221 per compromised record
    • $145 pertains to indirect costs, which include abnormal turnover or churn of customers
    • $76 represents the direct costs incurred to resolve the data breach, such as investments in technologies or legal fees
  • Heavily regulated industries such as healthcare, life science and financial services tend to have a per capita data breach cost substantially above the overall mean of $
  • The total average organizational cost of a data breach is $7. million

The Cybersecurity Threat to Healthcare

  • 89% of healthcare organizations surveyed by the Ponemon Institute report suffering at least one data breach in the past 2 years
  • Data breaches could be costing the healthcare industry upwards of $6.2 billion per year
  • A breach of medical information costs healthcare organizations an average of $2.2 million per breach
  • Interestingly, the value of medical information on the black market has recently plummeted, one reason hackers are resorting to ransomware

Breaches under HIPAA – 45 CFR §§ 164.400-

  • CEs and BAs must only provide the required notifications if the breach involved “Unsecured PHI”
    • “Unsecured PHI” is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by HHS’ Guidance on Specifying the Technologies and Methodologies that Render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals
  • The Guidance specifies encryption and destruction as the technologies and methodologies for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals

2018 OCR Activities

  • OCR stated that 2018 was a “record year” for enforcing HIPAA.
  • Ten cases were settled by OCR and an Administrative Law Judge granted summary judgment on a case as well. These 2018 enforcement actions resulted in $28.7 million in fines, a 22 percent increase from the earlier record year of $23.5 million in 2016.
  • Included in this settlement figure was an American health insurance company settlement, which resulted in a $16 million fine, the largest fine yet.

Recent Resolution Agreements and Civil Money Penalties involving Breaches

ANTHEM, INC

A record HIPAA settlement following largest health data breach in history - October 15, 2018

Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest health data breach in history and exposed the electronic protected health information of almost 79 million people.

The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.

http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/anthem/index.html

  • This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans.
  • On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.
  • After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks.

Potential financial impact of HIPAA noncompliance on covered entities and business associates

  • Is not limited to fines from OCR. These record figures do not include the costs covered entities and business associates incur when required to respond to an OCR investigation that does not result in direct fines and penalties.
  • Hard costs
  • Soft costs

Potential financial impact of HIPAA noncompliance on covered entities and business associates

  • The increasing demands on technology infrastructure and capabilities as well as the accompanying demands on information technology staff have created a complex environment to manage for entities that must comply with HIPAA. Entities subject to HIPAA should:
    • Recognize the importance of a robust HIPAA compliance plan that is regularly reviewed and updated by all relevant internal parties;
    • Ensure that sufficient resources are allocated to implement adequate security measures to address identified risks and vulnerabilities;
    • Establish processes to regularly conduct system reviews for all systems and applications that maintain ePHI to reduce the chance that human error results in such a significant breach of ePHI; and
    • Ensure that those responsible for contracting and procurement are fully apprised of the nature and scope of services a particular vendor is providing and that they work with information technology staff and business partners to properly address regulatory obligations, like business associate agreements

(Taken from Hall Render Killian Heath & Lyman PC)

State Breach Notification Laws

  • Not only do CEs and BAs have to follow the HIPAA Breach Notification Rule, they also have to comply with state laws regarding health data breaches:
    • The law of the state in which the CE and BA are located AND
    • The state in which the impacted residents reside
  • 50 states have data breach notification laws
  • 14 states have notification requirements for breaches involving PHI
  • The definition of breach under some of these state laws is broader than HIPAA

HIPAA Security Rule Safeguards that Address Incident Response Plans

  • HIPAA Administrative Safeguards
    • Security Management Process - 45 CFR § 164.308(a)(1)
  • Risk Analysis (Required)
    1. The scope of the Risk Analysis is key
    2. Document where ePHI is stored, received, maintained or transmitted
    3. Identify and document potential threats and vulnerabilities
    4. Document how well your current security measures address the potential threats and vulnerabilities
    5. Determine the likelihood of threat occurrence, the threat’s level of risk, and the potential impact of such an occurrence
    6. Identify next steps that need to be taken to mitigate risk
  • Risk Management (Required) – The actual implementation of security measures to sufficiently reduce an organization’s risk of losing or compromising its ePHI and to meet the general security standards


HIPAA Security Rule Safeguards that Address Incident Response Plans

  • HIPAA Administrative Safeguards
    • Security Management Process - 45 CFR § 164.308(a)(1)
  • Sanction Policy (Required)
    • “Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the CE”
    • Require workforce members to sign a Statement of Adherence to your organization’s HIPAA Security Policies & Procedures
    • The Statement of Adherence should state that the workforce member acknowledges that violations of HIPAA Security P&Ps may lead to disciplinary action, for example, up to and including termination
    • The Sanction Policy should include examples of potential violations of HIPAA Security P&Ps
    • The Sanction Policy should adjust the disciplinary action based on the severity of the violation
  • Information System Activity Review (Required)
    • “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports”
    • The information system activity review enables CEs to determine if any e-PHI is used or disclosed in an inappropriate manner
    • Information system activity review procedures may be different for each CE and BA
    • The procedure should be customized to meet your organization’s risk management strategy and take into account the capabilities of all information systems with e-PHI

HIPAA Security Rule Safeguards that Address Incident Response Plans

  • HIPAA Administrative Safeguards
    • Security Management Process - 45 CFR § 164.308(a)(1)
  • Assigned Security Responsibility (Required)
    • “Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the Security Rule] for the entity”

HIPAA Security Rule Safeguards that Address Incident Response Plans

  • HIPAA Administrative Safeguards
    • Security Awareness and Training - 45 CFR § 164.308(a)(5) – “Implement a security awareness and training program for all members of its workforce (including management)”
  • Security Reminders (Addressable)
    • Notices in printed or electronic form, agenda items and specific discussion topics at monthly meetings, focused reminders posted in affected areas, as well as formal retraining on your organization’s HIPAA Security P&Ps
    • It is recommended that your organization review how it currently reminds the workforce of current P&Ps, and then decide whether these practices are reasonable and appropriate, or if other forms of security reminders are needed

NOTE: At the Spring 2017 HIPAA Summit, the OCR stated, “Addressable does not mean optional!!!”

HIPAA Security Rule Safeguards that Address Incident Response Plans

  • HIPAA Administrative Safeguards
    • Security Incident Procedures (Required) – 45 CFR § 164.308(a)(6)
      • Train all workforce members on how to identify potential security incidents and who to report them to
      • When a report of a potential security incident is received …
        • Determine and document what happened
        • Identify and classify the severity of the Security Incident
        • Determine the actual risk to Individually Identifiable Health Information, and the subject(s) thereof
        • Repair, patch, or otherwise correct the condition or error that created the Security Incident
        • Retrieve or limit the dissemination of Individually Identifiable Health Information, if possible
        • Determine if the Security Incident rises to the level of a Breach under the HIPAA and HITECH regulations
        • Mitigate any harmful effects of the Security Incident
        • Fully document the causes of and responses to Security Incidents
        • Expand knowledge of Security Incident prevention through research, analyses of Security Incidents, and improved training and awareness programs for Workforce members


HIPAA Security Rule Safeguards that Address Incident Response Plans

  • HIPAA Administrative Safeguards – Evaluation (Required) – 45 CFR § 164.308(a)(8)
    • “Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of electronic PHI (e-PHI), that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule]”
    • It is crucial to know if the security plans and procedures implemented continue to adequately protect e-PHI
    • Organizations must periodically evaluate their strategy and systems to ensure that the security requirements continue to meet their organizations’ operating environments

HIPAA Security Rule Safeguards that Address Incident Response Plans

  • HIPAA Physical Safeguards – Encryption – 45 CFR § 164.312(e)(2)(ii)
    • Where encryption is a reasonable and appropriate safeguard for organizations, they must “Implement a mechanism to encrypt ePHI whenever deemed appropriate”
    • Encryption is a method of converting an original message of regular text into encoded or unreadable text that is eventually decrypted into plain comprehensible text
    • There are various types of encryption technology available
    • The Security Rule allows CEs the flexibility to determine when, with whom, and what method of encryption to use

NOTE: At the Spring 2017 HIPAA Summit, the OCR stated, “Addressable does not mean optional!!!”

HIPAA Security Rule Safeguards that Address Incident Response Plans

  • HIPAA Physical Safeguards - Device and Media Controls (Addressable) – 45 CFR § 164.310(d)(1)
    • “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI, into and out of a facility, and the movement of these items within the facility”
    • Disposal (Required)
    • Media Re-Use (Required)
    • Accountability (Addressable)

OHS – Best Practices for Incident Prevention

Access Controls – EMR/PHI

  • Break the Glass (BTG)
    • Offers a higher level of protection for a patient’s private information
    • Attempted access will prompt for a reason and password to gain entry
    • Closely monitored to ensure that only authorized individuals are accessing

Triggers for BTG Security

a) Patient Level

  • When the patient is marked with BTG – Celebrity or BTG – all other
  • When a patient is associated with one service area and access is attempted by a user associated with another service area via the user’s default log in settings in the EMP record

b) Encounter Level

  • When a patient currently has, or has ever had, an encounter within a psych department
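The BTG triggers listed above, together with the Information System Activity Review safeguard from the earlier slide, can be expressed as a small access-control check plus a log review. This is an added example, not code from the slides or from Ochsner Health System; the record fields (btg_flag, service_area, psych_encounter, reason) and the sample patients, users and access log are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Patient:
    mrn: str
    service_area: str
    btg_flag: Optional[str] = None   # "Celebrity", "All other" or None (assumed field)
    psych_encounter: bool = False    # current or historical psych-department encounter


@dataclass
class User:
    user_id: str
    service_area: str                # default log-in service area from the EMP record


def btg_triggers(patient: Patient, user: User) -> List[str]:
    """Return every BTG trigger that applies to this access attempt.
    Empty list = ordinary access. Any trigger = the EMR must prompt for a
    reason and password, and the access must be recorded for review."""
    triggers = []
    if patient.btg_flag:                             # patient level: BTG flag on the record
        triggers.append(f"patient-flag:{patient.btg_flag}")
    if patient.service_area != user.service_area:    # patient level: cross-service-area access
        triggers.append("cross-service-area")
    if patient.psych_encounter:                      # encounter level: psych history
        triggers.append("psych-encounter")
    return triggers


def review_btg_accesses(patients: Dict[str, Patient], users: Dict[str, User],
                        access_log: List[dict]) -> List[tuple]:
    """Information system activity review: flag chart accesses that hit a BTG
    trigger but carry no recorded reason. Each finding is a potential
    security incident for the privacy team to investigate."""
    findings = []
    for rec in access_log:
        triggers = btg_triggers(patients[rec["mrn"]], users[rec["user"]])
        if triggers and not rec.get("reason"):
            findings.append((rec["user"], rec["mrn"], triggers))
    return findings


# Constructed sample data (not real patients, users or log entries).
PATIENTS = {
    "MRN001": Patient("MRN001", "North", btg_flag="Celebrity"),
    "MRN002": Patient("MRN002", "South"),
    "MRN003": Patient("MRN003", "North", psych_encounter=True),
}
USERS = {"nurse01": User("nurse01", "North"), "clerk02": User("clerk02", "South")}
ACCESS_LOG = [
    {"user": "nurse01", "mrn": "MRN001", "reason": "treating clinician"},  # BTG, reason given
    {"user": "nurse01", "mrn": "MRN002", "reason": ""},                    # cross-SA, no reason
    {"user": "clerk02", "mrn": "MRN002", "reason": ""},                    # same SA, no trigger
    {"user": "clerk02", "mrn": "MRN003", "reason": ""},                    # cross-SA + psych
]
```

Running `review_btg_accesses(PATIENTS, USERS, ACCESS_LOG)` returns the two accesses that crossed a BTG trigger without a justification, which is the kind of record the activity review procedure exists to surface.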


OHS – Best Practices for Incident Prevention

Access Controls – EMR/PHI

  • Patient Opt Out
    • Private encounter flag
  • Sensitive Notes
    • Default setting vs. end user initiated
    • Access to view controlled by security
  • Social Security Number Masking
    • Limited display of SS# - controlled through security

OHS – Best Practices for Incident Prevention

Access Controls – EMR/PHI

  • Shared EMR – Service Area Build
    • SA matrix defines the access


OHS – Best Practices for Incident Prevention

Access Controls – EMR/PHI

  • Security Provisioning – Role-Based Access
    • OHS Policy: EMR User Access Provisioning
      • Access granted based upon job role and contingent upon proper training/application template assigned
      • Residents and students completing clinical rotations are granted time-limited access based upon start/end dates of rotation
    • OHS Policy: DGProc.023 – Access to PHI Non-OHS Individuals
      • Community and Referral providers, office staff, outside reviewers granted limited “view only” EMR
      • User Access Agreement – “SWAAG”
      • Limited access based upon needs (First Access, Managed access, insurance restricted)
    • OHS Policy: Workforce Access to PHI


Best Practices for Incident Response Plans

2. Create a Patient Data Protection Committee – The Committee should be charged with conducting some patient privacy functions for the healthcare organization:

  • Overseeing the organization’s patient privacy compliance program
  • Conducting the organization’s quarterly risk analyses and assessments
  • Reviewing policies and procedures annually
  • Serving as the organization’s incident response team
  • Doing mock audits using the new Phase II protocols from OCR

Best Practices for Incident Response Plans

3. Provide On-Going Education and Training for Workforce Members - Many breaches are caused by unintentional actions taken by workforce members who are not familiar with the proper policies and procedures for the use and disclosure of health information


Best Practices for Incident Response Plans

4. Provide On-Going Education and Training for Workforce Members

  • Creating a culture of compliance is key
  • Workforce members should undergo formal training at least once a year to ensure compliance with applicable federal and state law
  • Provide regular reminders of P&Ps
    • Emails, posters, and patient privacy awareness events and activities
  • Investigations into “Close Calls”
    • Root Cause Analysis

Best Practices for Incident Response Plans

5. Provide On-Going Education and Training for Workforce Members

  • Helpful Tools
    • Your cyber-liability insurance carrier may have free tools for training and education
    • OCR’s YouTube Channel: https://www.youtube.com/user/USGovHHSOCR