Copyright 2012 MMIC • All rights reserved STRENGTH. SERVICE. KNOW-HOW. VISION.
Building a Practical and Meaningful
HIPAA Security Program
By: Greg Williams
Security & Compliance
Consultant
What is Risk?
• Risk is the potential of losing something of value
Slow Pace of Regulation Timeline (1996, ’98, 2000, ’03, ’05, ’08, ’09, ’10, 2013)
[timeline figure; the labels below are what survives of it]
• HIPAA signed into Law
• Milestones: HIPAA Becomes Law – Privacy Rule Finalized – Security Rule Finalized – First Resolution Agreement – First Civil Money Penalties – ARRA/HITECH – Final Omnibus Rule
• Privacy: Notice of Proposed Rule Making – Final Rule Published – Final Modifications Published – Compliance Deadline – Interim Rule Modifications (HITECH) – Final Rule Modifications (HITECH)
• Security: Notice of Proposed Rule Making – Security Standards Published – Compliance Deadline – Interim Rule Modifications (HITECH) – Final Rule Modifications (Omnibus)
• Enforcement: Civil Money Penalties Procedures – Breach Notification
Timeline of Compliance Audits
Date | Action Taken
2008 – 2009 | CMS HIPAA Compliance Reviews
2012 | HIPAA Security audits conducted by KPMG
June 2012 | HIPAA Audit Program Protocol released
November 2012 | Medicare EHR incentive program audits
HIPAA Audit Program Protocol
• Three components:
– Privacy
– Security
– Breach Notification
“OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits.”
1996 Technology
Missing from the Protocol?
• Smart phones
• Mobile devices
• Personally owned devices
• Portable media
• Data Loss Prevention
• Data Leakage
• Change Control
• Configuration Management
• BYOD
• MDM
• Wireless
• Texting
• Secure Messaging
• Web Portals
• Secure Web Sites
• Router, switches, firewalls
• Network Scans
Also missing
• Biomed or Biomedical Devices
• Cloud
• Remote Access
• Telemedicine
• Social Security Numbers
• Credit Card Numbers – PCI/DSS
• Software Licensing
Audit Test Procedures
• The three “P’s” to align:
– Perception
– Policy
– Practice
• Policies – Updated
– Reviewed
– Approved
• Create the “Book of Evidence”
– First impressions – audits are conducted by humans!
– Proof of compliance
– Speed of response
Government Audit
• OCR – Office for Civil Rights
– Our clients may receive a notice from OCR to their CEO stating
the organization is scheduled to be audited.
– List of requests – 15 days to respond
– Three Types of Audits (1200 for 2014)
• Investigation
– Trigger: reported breach or patient complaint
• Random
– Trigger: Not sure how entities get “selected”
• Meaningful Use
– Trigger: Entity received incentive money
– In 2014 the OCR will conduct surveys of CEs and BAs
Most Common Areas of Concern
• Risk Assessment (Analysis)
– Should have been doing this since 2005
• Currency/Relevance of Policies and Procedures
• Security Awareness Training
• Workforce Clearance
• Workstation Security
• Encryption
• Business Associate Contracts & Other Agreements
Case Example: December 27, 2013
Adult & Pediatric Dermatology, P.C., of Concord, Mass.,
(APDerm)
• Dermatology practice settles for HIPAA violations
– $150,000 Agreed Resolution Payment
– OCR opened an investigation of APDerm after the reported theft of an
unencrypted thumb drive from a staff vehicle
– Health information of 2,200 individuals
• First settlement for a violation of the HITECH Act, part of the American
Recovery and Reinvestment Act of 2009 (ARRA)
Follow up Requirements
• In addition to the $150,000 resolution amount, the settlement includes a corrective action plan requiring APDerm to develop a:
– risk analysis and
– risk management plan to address and mitigate any security risks and vulnerabilities,
– as well as to provide an implementation report to OCR.
Copyright 2013 MMIC • All rights reserved STRENGTH. SERVICE. KNOW-HOW. VISION.
How to Create a Practical & Meaningful
Information Security Program
Focus on the 4 “P’s”
Risk Management
• Identify Assets
• Risk Analysis
• Plan Remediation
• Create Controls
• Track your risks
Policy
• Develop Policies & Procedures from Best Practice
– Not a checklist
• Avoid the Danger of Templates
• Review, Approve, Implement & Track
• Mapped to the organization’s controls
• Empowers audit process
Processes
• Develop and Track
• Assign Ownership
• Include Vendor in the Training
• Create checks/balances
Vulnerability Assessment
• Monthly Vulnerability Scan
• Monthly Report with Recommendations
• Update to Risk Management
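The Risk Management and Vulnerability Assessment slides describe one loop: inventory assets, score findings against them, plan remediation, and feed each monthly scan back into the risk register. The following is an added example (not code from the MMIC deck or its author) of that loop in Python. Asset names, scan findings, the 1–5 likelihood/impact scale, the rating thresholds and the SLA days are all constructed assumptions; a real program would take these from the organization's own inventory, scanner export and risk policy.

```python
"""Risk register fed by monthly vulnerability-scan findings (added example).

Assets, findings, scoring buckets and SLAs below are constructed for
illustration; none of them come from the MMIC presentation.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Constructed asset inventory (hypothetical names). Criticality 1-5 is the
# impact to the practice if the asset's ePHI is lost, altered or exposed.
ASSETS = {
    "ehr-db-01":   {"owner": "IT",         "criticality": 5},
    "web-portal":  {"owner": "IT",         "criticality": 4},
    "lobby-kiosk": {"owner": "Facilities", "criticality": 1},
}

# Constructed scanner exports for two consecutive monthly cycles.
SCAN_NOV = [
    {"asset": "ehr-db-01",   "plugin": "missing-db-patch", "cvss": 9.8, "exploit_public": True},
    {"asset": "web-portal",  "plugin": "tls-weak-cipher",  "cvss": 5.3, "exploit_public": False},
    {"asset": "lobby-kiosk", "plugin": "missing-db-patch", "cvss": 9.8, "exploit_public": True},
]
SCAN_DEC = [f for f in SCAN_NOV if f["asset"] != "ehr-db-01"]  # DB patched in between

# Assumed remediation SLAs per rating, in days from first sighting.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Risk:
    asset: str
    finding: str
    likelihood: int        # 1-5, from scan severity and public exploit availability
    impact: int            # 1-5, from asset criticality
    first_seen: date
    last_seen: date
    status: str = "open"   # open -> remediated (no longer observed) -> reopened (came back)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        s = self.score
        return "critical" if s >= 20 else "high" if s >= 12 else "medium" if s >= 6 else "low"


def likelihood(finding: dict) -> int:
    """Bucket CVSS into 1-4 and add one point when a public exploit exists (cap 5)."""
    cvss = finding["cvss"]
    base = 4 if cvss >= 9.0 else 3 if cvss >= 7.0 else 2 if cvss >= 4.0 else 1
    return min(5, base + (1 if finding["exploit_public"] else 0))


Register = Dict[Tuple[str, str], Risk]


def update_register(register: Register, findings: List[dict], scan_date: date) -> Register:
    """Merge one scan cycle into the register: add new risks, refresh last_seen,
    reopen anything that reappears, and mark absent findings as remediated."""
    seen = set()
    for f in findings:
        key = (f["asset"], f["plugin"])
        seen.add(key)
        if key in register:
            r = register[key]
            r.last_seen = scan_date
            if r.status == "remediated":
                r.status = "reopened"   # the fix did not hold; treat as a new incident
        else:
            register[key] = Risk(f["asset"], f["plugin"], likelihood(f),
                                 ASSETS[f["asset"]]["criticality"], scan_date, scan_date)
    for key, r in register.items():
        if key not in seen and r.status in ("open", "reopened"):
            r.status = "remediated"     # absent this cycle; verify before closing formally
    return register


def monthly_report(register: Register, as_of: date) -> List[dict]:
    """Open risks, highest score first, with owner, SLA status and a recommendation."""
    rows = []
    for r in sorted(register.values(), key=lambda r: (-r.score, r.asset)):
        if r.status == "remediated":
            continue
        days_open = (as_of - r.first_seen).days
        rows.append({
            "asset": r.asset, "finding": r.finding, "rating": r.rating, "score": r.score,
            "owner": ASSETS[r.asset]["owner"], "status": r.status,
            "overdue": days_open > SLA_DAYS[r.rating],
            "recommendation": f"remediate within {SLA_DAYS[r.rating]} days of first sighting",
        })
    return rows


def run_cycles():
    """Run the two constructed cycles; returns (register, November report, December report)."""
    reg: Register = {}
    update_register(reg, SCAN_NOV, date(2013, 11, 1))
    nov = monthly_report(reg, date(2013, 11, 1))
    update_register(reg, SCAN_DEC, date(2013, 12, 1))
    dec = monthly_report(reg, date(2013, 12, 1))
    return reg, nov, dec


if __name__ == "__main__":
    _, nov, dec = run_cycles()
    for label, rows in (("November", nov), ("December", dec)):
        print(label)
        for row in rows:
            print("  ", row)
```

The same plugin on two assets lands in different rating bands because impact comes from the asset, not the scanner: the unpatched EHR database scores 25 (critical) while the identical finding on the lobby kiosk scores 5 (low). That is the point of tying scan output to an asset inventory rather than sorting by CVSS alone. Marking an absent finding "remediated" rather than deleting it keeps the history the deck asks for under "Track your risks", and the "reopened" state surfaces fixes that did not hold.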
Vendor Management
• Manage Documents or Agreements
– Dates sent / received
• Create Master List
• Verify Controls
• Hosted Controls are Hosted Liability
Training
• Make it Fun!
• Make it simple
• Do it often
• Create the Curriculum
• Log the Training
• Test for competency
• Create fire-drills
Compliance Mapping
• Create Map of Governance
– HIPAA
– PCI / DSS
– Social Security Number Disclosure Act
– Breach Notification
• Logically Group Controls
Incident Tracking
• Issues = Good Learning
• Create a good form
• Document all issues
• Use as Training Tools
Audit
• Assess controls for effectiveness
• Show evidence
• Create Corrective Actions
• Technical and Non-Technical
• Include Vendors
Services Process
• Assess
• Plan
• Remediate
• Controls
• Communicate
• Train
• Monitor
Security Committee
• Risk
• Policy & Process
• Vulnerability
• Vendor
• Training
• Compliance
• Incident
• Audit
Changing Controls
What does tomorrow bring?
Questions? Greg Williams
Security & Compliance Consultant
952-838-6778 [email protected]