Upload File

audits/hipaa violations responding to an ocr breach ... · responding to an ocr breach...

  • Home
  • Documents
  • AUDITS/HIPAA VIOLATIONS Responding to an OCR breach ... · Responding to an OCR breach investigation ... compromised by a hacker. Further analysis determined that ePHI was exposed
2
:::::::: AUDITS/HIPAA VIOLATIONS Responding to an OCR breach investigation with an OCR-quality risk analysis Health organizations continue to struggle meeting OCR’s expectations for risk analysis as required by the HIPAA Security Rule. OCR findings of an insufficient risk analysis can delay resolution of a breach investigation and can lead to monetary settlements or civil money penalties. By Jon Moore is conducted under attorney/ client privilege in breach investigation cases, the name of the organization must remain confidential. For this case study, we will refer to our client as Unnamed Healthcare Organization (UHCO). Two years ago, UHCO’s IT staff discovered they were unable to communicate with one of their servers. They quickly determined an account on the server was compromised by a hacker. Further analysis determined that ePHI was exposed as a result of the hack. UHCO’s Privacy Officer, “Jane Doe,” reported the breach on the OCR website and UHCO retained an outside contractor to investigate. Two months later, UHCO’s Privacy Officer received for- mal notice from OCR of an investigation of the breach. The notice cited eight potential HIPAA violations and asked UHCO to provide: A description of any investigation and actions taken following the breach Relevant policies and procedures A copy of the breach notification sent to affected individuals Every risk analysis conducted over the last three years Documentation of security measures in place and any post-breach changes OCR also provided notice of the poten- tial penalties for violations and asked that UHCO respond within 14 days. UHCO’s Privacy Officer responded by providing an account of actions taken post breach, copies of policies and procedures, a copy of the notice sent to affected individuals, and the execu- tive summaries of security assessments conducted by a third-party contractor in 2013, 2014, and 2015. The executive sum- maries described findings and deficien- cies discovered during technical testing. I n April, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a newsletter enti- tled “Risk Analyses vs. Gap Analyses – What is the difference?” The newslet- ter explained what distinguishes a risk analysis, as required under the HIPAA Security Rule, from a gap analysis. 1 OCR’s effort to educate the industry was in response to continuing confusion around what constitutes an acceptable risk analysis under HIPAA. The confusion focuses on the differ- ences between technical evaluation, non-technical evaluation, and risk analysis. Technical evaluation includes activities such as penetration testing and vulnerability scanning. Nontechni- cal evaluation includes gap analysis, i.e., a high-level evaluation of compli- ance. A true risk analysis, on the other hand, requires an enterprise-wide look at all devices and systems used to cre- ate, receive, maintain, or transmit ePHI. In addition, the risk analysis must document the threats and vulnerabili- ties to and within those systems, and the likelihood and impact of a threat acting on each identified vulnerability. Lack of sufficient risk analysis is a common violation identified during OCR investigations. In fact, during the past 10 years, 88% of the 42 organizations that have incurred monetary settlements or civil money penalties related to disclo- sure of ePHI were found to have failed to conduct a sufficient risk analysis. 2 As a result, many health organizations are turning to third-party information risk management (IRM) specialists for help in responding to the risk analysis requirement. An OCR breach investigation/risk analysis case study Clearwater Compliance recently assisted a healthcare organization in meeting OCR’s requirement for a risk analysis after a breach investigation was initiated. Because Clearwater Compliance’s work

Upload: others

Post on 27-Jul-2020

4 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: AUDITS/HIPAA VIOLATIONS Responding to an OCR breach ... · Responding to an OCR breach investigation ... compromised by a hacker. Further analysis determined that ePHI was exposed

:::::::::: AUDITS/HIPAA VIOLATIONS

Responding to an OCR breach investigation with an OCR-quality risk analysisHealth organizations continue to struggle meeting OCR’s expectations for risk analysis as required by the HIPAA Security Rule. OCR findings of an insufficient risk analysis can delay resolution of a breach investigation and can lead to monetary settlements or civil money penalties.By Jon Moore

is conducted under attorney/client privilege in breach investigation cases, the name of the organization must remain confidential. For this case study, we will refer to our client as Unnamed Healthcare Organization (UHCO).

Two years ago, UHCO’s IT staff discovered they were unable to communicate with one of their servers. They quickly determined an account on the server was compromised by a hacker. Further analysis determined that ePHI was exposed as a result of the hack. UHCO’s Privacy Officer, “Jane Doe,” reported the breach on the OCR website and UHCO retained an outside contractor to investigate.

Two months later, UHCO’s Privacy Officer received for-mal notice from OCR of an

investigation of the breach. The notice cited eight potential HIPAA violations and asked UHCO to provide:

• A description of any investigation and actions taken following the breach

• Relevant policies and procedures • A copy of the breach notification sent to

affected individuals • Every risk analysis conducted over the

last three years • Documentation of security measures in

place and any post-breach changes OCR also provided notice of the poten-

tial penalties for violations and asked that UHCO respond within 14 days.

UHCO’s Privacy Officer responded by providing an account of actions taken post breach, copies of policies and procedures, a copy of the notice sent to affected individuals, and the execu-tive summaries of security assessments conducted by a third-party contractor in 2013, 2014, and 2015. The executive sum-maries described findings and deficien-cies discovered during technical testing.

In April, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a newsletter enti-

tled “Risk Analyses vs. Gap Analyses – What is the difference?” The newslet-ter explained what distinguishes a risk analysis, as required under the HIPAA Security Rule, from a gap analysis.1 OCR’s effort to educate the industry was in response to continuing confusion around what constitutes an acceptable risk analysis under HIPAA.

The confusion focuses on the differ-ences between technical evaluation, non-technical evaluation, and risk analysis. Technical evaluation includes activities such as penetration testing and vulnerability scanning. Nontechni-cal evaluation includes gap analysis, i.e., a high-level evaluation of compli-ance. A true risk analysis, on the other hand, requires an enterprise-wide look at all devices and systems used to cre-ate, receive, maintain, or transmit ePHI. In addition, the risk analysis must

document the threats and vulnerabili-ties to and within those systems, and the likelihood and impact of a threat acting on each identified vulnerability.

Lack of sufficient risk analysis is a common violation identified during OCR investigations. In fact, during the past 10 years, 88% of the 42 organizations that have incurred monetary settlements or civil money penalties related to disclo-sure of ePHI were found to have failed to conduct a sufficient risk analysis.2 As a result, many health organizations are turning to third-party information risk management (IRM) specialists for help in responding to the risk analysis requirement.

An OCR breach investigation/risk analysis case studyClearwater Compliance recently assisted a healthcare organization in meeting OCR’s requirement for a risk analysis after a breach investigation was initiated. Because Clearwater Compliance’s work

Page 2: AUDITS/HIPAA VIOLATIONS Responding to an OCR breach ... · Responding to an OCR breach investigation ... compromised by a hacker. Further analysis determined that ePHI was exposed

AUDITS/HIPAA VIOLATIONS ::::::::::

Reprinted with permission from Health Management Technology - September/October 2018 - www.healthmgttech.com

Jon Moore Senior Vice President , Professional Services, Clearwater Compliance

Technical testing does not qualify as risk analysisEight months later, OCR sent a follow-up notice to UHCO’s Privacy Officer notifying her that the security assess-ment executive summaries she had pro-vided did not depict an enterprise-wide evaluation of all potential threats and vulnerabilities and therefore did not meet the requirements for risk analysis set forth in the HIPAA Security Rule. OCR again requested that UHCO pro-vide risk analysis performed before and after the breach and documentation that UHCO implemented security measures to sufficiently address risks identified in the requested risk analysis. UHCO was given 20 days to respond.

UHCO’s Privacy Officer responded by providing a 2014 Security Assessment (the full technical testing assessment which formed the basis of the execu-tive summary previously provided). This assessment detailed the results of external and internal penetration testing, web application assessments, wireless network testing, and social engineering.

She also provided OCR with the results of a 2016 HIPAA Risk Assess-ment conducted by a second third-party contractor. This assessment was in fact a compliance gap assessment conducted relative to ISO/IEC 27000 information technology security standards.

Compliance gap assessment does not qualify as risk analysisOne month later OCR responded, stating that the risk assessments UHCO pro-vided did not:

• Include an enterprise-wide risk analysis • Cover all devices and systems that con-

tained ePHI in transit or at rest • Identify all threats and vulnerabilities

to these devices and systems • Include probabilities or impacts for

those threats and vulnerabilitiesOCR again requested that UHCO’s

Privacy Officer provide a risk analysis and documentation that UHCO had implemented security measures to address the risks identified in the risk analysis. UHCO was given another 20 days to respond.

UHCO’s Privacy officer responded by providing additional information including:

• Results of penetration, web applica-tion, and vulnerability testing by a third contractor

• A hardware and software inventory • Lists of threats and vulnerabilities

maintained by the IT staff • A remediation plan resulting from the

penetration and vulnerability testingUHCO’s privacy officer hoped this

new documentation would finally meet

OCR’s requirements. However, once again, she was disappointed. Despite submitting “risk analysis” documenta-tion from three different third-party contractors, UHCO was still not in compliance.

Understanding what an OCR-qual-ity risk analysis involvesWithin a month, OCR let UHCO know they had still not met the risk analysis requirement. OCR gave UHCO addi-tional time to respond. It was at this point that UHCO engaged the services of Clearwater Compliance.

Clearwater Compliance specializes in helping healthcare organizations establish, operationalize, and mature their HIPAA compliance and cyber risk management programs. Some organiza-tions engage Clearwater’s services pro-actively, before a breach occurs. Others, like UHCO, reach out for help after an OCR breach investigation is initiated.

As UHCO reviewed OCR’s correspon-dence and better understood the compre-hensive nature of a bona fide risk analy-sis, they realized they had neither the software tools nor the in-house expertise they needed to meet OCR’s expectations. One of the reasons they chose Clearwa-ter Compliance was because Clearwater Compliance has developed a proprietary software suite that simplifies and sup-ports the risk analysis process.

Per the HIPAA Security Rule, risk analysis documentation must include an inventory of all information assets used to create, maintain, retrieve, or transmit ePHI and the threats, vulnerabilities, likelihood, impacts, and controls associ-ated with each. Many organizations end up spending weeks developing endless iterations of Excel spreadsheets in an attempt to capture the level of detail required for a bona fide risk analysis. Clearwater’s IRM|Analysis Software has been specifically designed to meet the HIPAA Security Rule risk analysis requirements and is pre-populated with device, threat, vulnerability, and controls information.

In this particular case, UHCO already had a comprehensive hardware and software inventory that could be loaded into the software. All that was necessary to complete the risk analysis was the identification of security controls, prob-abilities, and impacts. UHCO quickly completed this work over a few days in a workshop setting facilitated by the Clearwater Compliance team, with minimal impact on UHCO’s day-to-day operations.

Acknowledging the confusion around what is required for proper risk analysis, UHCO’s General Counsel commented,

“When we submitted a risk analysis and risk management plan from Clearwater, OCR approved them and closed our case.”

Key takeaways: OCR’s patience, UHCO’s persistenceUHCO did many things right in this case. They took prompt action to inves-tigate and implement corrective actions once the breach was discovered. They had appropriate policies and procedures in place before the breach. They regu-larly conducted penetration and vulner-ability testing and corrected issues when identified. Perhaps most importantly, they were responsive to OCR’s ongoing requests and tried to get it right. And to their credit, OCR was patient as UHCO made continuing good-faith efforts to meet the risk analysis requirement.

UHCO’s main issue was that they failed to perform risk analysis as required under the HIPAA Security Rule and described in OCR Guidance. Perform-ing enterprise-wide risk analysis is not the same as performing technical testing or gap analysis. It is also not a trivial undertaking, since an OCR-quality risk analysis requires:

• Identification of all systems or devices used to create, retrieve, maintain, and/or transmit ePHI

• Identification and documentation of all potential threats and vulnerabilities to the organization’s systems and devices

• Assessment and documentation of cur-rent security controls associated with the organization’s systems and devices

• Determination of the likelihood of threat occurrences

• Determination of the potential impact of the threat occurrences

• Determination of level of risk • Detailed documentation, ongoing

review and documented updating of the risk analysis

As UHCO experienced, anything less than this is not—in OCR’s opinion—a true risk analysis. HMT

REFERENCES:

1. U.S. Department of Health and Human Services Office for Civil Rights (OCR). “Risk Analyses vs. Gap Analyses – What is the differ-ence?” April 2018.2. Clearwater Compliance. Statistical Analysis. July 2018.


Too many organizations noncompliant OCR releases data from ...€¦ · 20 HIPAA compliance audits ... the HIPAA Security Rule, and breach notification requirements. The 20 initial

Welcome! [web.stanford.edu] · What is HIPAA Security Rule? What is “Consent” in healthcare? Consequences of a HIPAA Violation or Breach ... the Office of Civil Rights (OCR)

Data Security Compliance and Responding To a Data Breach ...media.straffordpub.com/products/data-security-compliance...2018/01/23  · •Health/medical = HIPAA (60 days notice) •covered

Breach Prevention: The Root Cause of the Data Breach Epidemic€¦ · Breach Prevention: The Root Cause of the Data Breach Epidemic According to the 2012 Verizon Data Breach Investigations

2016 HIPAA Year In Review: Audits, Fines, and …...the Breach Notification Rule’s timeliness requirements” said OCR Director Jocelyn Samuels. “Individuals need prompt notice

Factsheet: Responding to online reviews - racgp.org.au a practice... · Factsheet: Responding to online reviews 3 How much can I edit a review before I breach the advertising requirements

2012 OCR HIPAA Privacy and Security Audit Program · to 115 audits of covered entities to assess HIPAA privacy, security and breach notification performance • Audits are conducted

Preparing for and Responding to a Breach...Preparing for and Responding to a Breach Ohio Information Security Conference March 15, 2017, Dayton Ohio

Navigating States & HIPAA Breach Notification Compliance · 2019 state breach notification regulatory trends OCR & State AGs enforcement trends Unified framework for incident response

Emerging Cyber Risk: Can Insurers “Hack” It? · ecommerce insurance. Now there is not only data breach coverage for the expenses of responding to and remediating a data breach,

THE FIRST 48 HOURS: Responding to a Data Breach in 2015 · 2 2 Fact: What happens in the first 48 hours after you learn of a data breach is entirely dependent upon what you have done

Responding to the Public after a Breach of Personal ...€¦ · • Action of one VA employee affects 26.5 million veterans and dependents. Office of Citizen Services and Communications

Responding to Global Cyber Incidents in a Legally ... · Responding to Global Cyber Incidents in a Legally Defensible Manner. SOP-W05. ... RECOVERY & POST BREACH. ... Pre-Breach Compliance/policies

Cyber Liability: 5LVNV 5DPL4FDWLRQV …i.crn.com/custom/Cyber_Liability___Risks__Ramifications...a. Responding to a cyber attack or data breach 6. Protecting Yourself from Cyber attacks

Responding to a HIPAA Investigation-What to do …Responding to a HIPAA Investigation-What to do When OCR Comes Knocking? Marc D. Goldstone, Esq. Hoagland, Longo, Moran, Dunst & Doukas,

Data Breach Response Guide€¦ · RESPONDING TO A DATA BREACH 19 The first 24-hours 20 Next steps 21 Managing communications & protecting reputation 22 Protecting legal privilege

L-OCR & M-OCR 360°

Office of the Secretary Office for Civil Rights (OCR) Federal … · 2011-03-10 · OCR Recent OCR HITECH Activities Guidance on Unsecured PHI (April 2009) Breach Notification Interim

OFFICE OF INSPECTOR GENERAL information and then initiates its breach investigation. OCR has discretion on how to investigate breach cases and the techniques ... Office of Inspector

Responding to a Breach of Contract Lawsuit - · PDF fileResponding to a Breach of Contract Lawsuit . This Guide includes instructions and sample forms. ... Answer-Contract >>Home >>Law

GW-GWTDOCS-#4398954-v1-HIMSS - Significant ......Lack of Timely Breach Notification In January 2017, the OCR announced the first HIPAA settlement based on the untimely reporting of

HIPAA Breach Notification and Enforcement Rules Iliana ...HIPAA Enforcement –February 7, 2019 OCR has concluded an all-time record year in HIPAA enforcement activity. In 2018, OCR

Responding to a Data Breach - SCCE Official Site...Steps company is taking to protect the information from further unauthorized access Further developments since the data of the breach

Davis Wright Tremaine LLP Responding to Your Worst Security Breach Nightmare: When Patient Information Is Stolen Rebecca L. Williams, R.N., J.D. Partner

Identifying and Responding to HIPAA Breaches · 2017-01-15 · Preliminaries • Written materials – .ppt presentations – Article, Responding to HIPAA Violations – Sample Breach

INFORMATION SECURITY AND SECURITY BREACH ......Preventing, Preparing for, and Responding to Breaches of Information Security The Office of Illinois Attorney General Lisa Madigan has

OCR Is Coming! Be Prepared for OCR and Breach …...2014/09/29  · OCR Audits Phase II • Approx. 200 (maybe less) audits of CEs. • Includes on-site audits (many desk audits)

Defense Logistics Agency€¦ · (CERT) reporting” of PII breaches is met. OMB Memorandum 07-16, “Safeguarding Against and Responding to the Breach of Personally Identifiable

The GDPR - Breach Notification and Global Breach Response

Detect and Respond… Steps to preparing and responding to a breach Detect and Respond… Steps to preparing and responding to a breach Jeff Lockwood, CISSP

Compliance Institute - Fried Frank > Home · Williamson, MD, MJ, CHC, Healthcare Consultant 503 Surviving a HIPAA Breach Investigation – Celeste Davis, Regional Manager, HHS‑OCR

RESPONDING TO A DATA BREACH - tlta.com · involved with a data breach and who will coordinate response efforts. 2. REVIEW ... § Maintain a database of file hashes for the files of

Data Breach Response Checklist - Empower IT Solutions€¦ · Data breach response checklist2 A step-by-step guide to responding to a data breach No matter how strong a company’s

OCR Enforcement Update: Under 500 Breach Investigations and Inner Workings of an OCR Settlement

Responding to a Data Breach