
Page 1: Closing the Loop on Healthcare Data Breach Detection ...lpa.idexpertscorp.com/acton/attachment/6200/f-0069/1/-/-/-/-/file.pdf · Level 1 certification requires an EHR to produce an

Closing the Loop on Healthcare Data Breach Detection & Management Using integrated software tools for detecting, analyzing and responding to privacy breaches

July 24, 2012 ID Experts Webinar www.idexpertscorp.com

Page 2

Mahmood Sher-Jan, CHPC, VP of Product Management, ID Experts ([email protected])

Sonna Fredriksen, Alliance Solutions Manager, FairWarning ([email protected])

Page 3

Agenda

• Automating patient privacy breach monitoring & management
• FairWarning® privacy breach detection & metrics
• Privacy incident management (PIM): ID Experts RADAR™
• Closed-loop process: incident detection & management
• Q&A

Page 4

Automating Patient Privacy Breach Monitoring & Management

• EHR systems adoption spurred by Meaningful-Use incentives
• Increasing patient privacy risks:
  – Healthcare data breaches
  – Regulatory obligations & enforcement
  – Reputational risks
  – Patient concerns and expectations

[Diagram: connector automation]

Page 5

FairWarning®'s mission is to continue to be the world's leading supplier of solutions which monitor and protect patient privacy in Electronic Health Records.

Page 6

© 2012 FairWarning, Inc. – Private and Confidential

Privacy Breach Detection

Consolidating and reconciling healthcare providers’ EHR applications and other data sources for streamlined privacy auditing

Page 7


Full-featured turnkey solution

• Patient and user investigations
• Proactive alerting with filtering
• Ad hoc reporting
• Incident tracking and reporting
• Zero-FTE system operation requirement
• Remediation expertise or training is required
• 175+ production-supported EHRs and healthcare applications
• Affordable support: high-touch, one-cost model
• Proven deployment methodology and documentation
• FairWarning® invented and leads the category (reference: KLAS Research, Gartner)
• Over 170 customers representing over 900 leading hospitals, 100% growth

Privacy monitoring & breach detection

Page 8


PATIENT PRIVACY SURVEY: the bigger picture on privacy

The first and largest of its kind patient surveys in the United States, the United Kingdom, France and Canada, exploring how the privacy-based behaviors of patients impact the treatment they receive and the outcomes they experience. In the United States:

• 28% say a patient postpones treatment due to privacy concerns
• 51% say a patient is willing to travel outside of their community for care due to privacy concerns
• 27% say a patient withholds medical information due to privacy concerns
• 97% surveyed say they believe the care provider has an ethical obligation to protect patient privacy

[Graphic linking to the full US survey results and the media logos for the global news coverage.]

As cited to the US Senate Committee on the Judiciary Subcommittee on Privacy, Technology & Law.

Page 9


Mounting mandates for privacy auditing

HIPAA Security Rule (2003 / 2005):
• §164.308(a)(1)(ii)(D) Information system activity review. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
• §164.312(b) Technical safeguards (audit controls). Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

ARRA HITECH Privacy (2009): definition of privacy breach; willful neglect; patient disclosure; governmental notification required; media notification (500 or more); increased fines and precedent; ability of state attorney general offices to bring lawsuits against care providers; increased systemic audits.

Meaningful Use criteria (2010): Stage 1 certification requires an EHR to produce an audit log (45 CFR 170.302(r)). Conduct a security risk analysis per HIPAA 45 CFR 164.308(a)(1), implement security updates as necessary and correct identified security deficiencies.

Proposed Accounting of Disclosures Rule (2011): under the May 27th, 2011 proposed rule, care providers will be responsible for providing access reports for disclosures of information even for treatment, payment and healthcare operations. Providers, plans and their business associates will be required to maintain for 3 years the information required to produce the reports. The rule is available for public comment in the Federal Register through July 2011.

Page 10


Security Compliance Top Issues: Initial 20 KPMG Audit Findings

[Bar chart: Security Issues by Area, counts on a 0–50 scale; the bars themselves did not survive extraction.]

Source: HHS/OCR 2012 HIPAA Privacy & Security Audit Findings from 20 Initial KPMG Audits; Linda Sanches, OCR Senior Advisor, Health Information Privacy, Lead, HIPAA Compliance Audits.

Page 11


Challenges of emerging regulation

• Extracting privacy-related audit log data
• Differing field formats
• Extreme data volume
• Stovepipes of information
• Manual processes are incomplete, error-prone, time consuming, costly ($$$$) and burdensome

Audit sources: AGFA, Allscripts, Cerner, GE, Epic, MEDITECH, McKesson, Siemens and dozens, perhaps hundreds of others

Page 12


Consolidation with advanced reporting: how we do it.

• EHR audit logs and other authoritative data sources (AGFA, Allscripts, Cerner, GE, Epic, MEDITECH, McKesson, Siemens and dozens, perhaps hundreds of others)
• FairWarning® Data Definition Guide
• FairWarning® Ready for Healthcare Applications: standardized data across all applications; rapid integration of data sources with advanced analytics; lower fully loaded expenses
• FairWarning® Ready certified and production-supported applications: http://www.fairwarningaudit.com/subpages/Applications_and_Systems.asp

Page 13


Example best practices: Privacy Breach Detection

Regulatory investigations and auditing:
• Individual patients
• Individual user
• GP / physician
• Consultants / contractors
• Random patients
• Random users
• Others

Detecting "snooping" patterns:
• VIP scenarios: prominent government officials, celebrities
• Family member snooping
• Employee-as-patient snooping
• Executive snooping
• Neighbor snooping
• Break-the-glass functions
• Self examination
• Sensitive function codes
• Others

Detecting identity theft patterns:
• Sequential patient records
• Patient access thresholds
• Printed records thresholds
• Deceased patient records
• Discharged patient records
• Address changes
• Out-of-dept accounting and billing accesses
• Expired logins
• Simultaneous logins
• Other demographic changes
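The patterns above, worked as an added example that is not FairWarning's code or any vendor's: a Python pass over a constructed set of normalized EHR access-audit events that implements four of the listed checks (self examination, sequential patient records, out-of-department access filtered against a care-team roster, and simultaneous logins). The event schema, the reference tables (employee-patient cross-reference, patient department, care team) and the thresholds are assumptions for illustration; real vendor exports first have to be mapped into a common schema like this one.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalized EHR access-audit events (not real data).
# The field names are an assumed common schema, not any vendor's log format.
SAMPLE_EVENTS = [
    {"ts": "2012-07-24T08:00:00", "user": "rn.jones",  "action": "LOGIN", "mrn": None,     "dept": "ICU",     "host": "ws-01"},
    {"ts": "2012-07-24T08:02:00", "user": "rn.jones",  "action": "VIEW",  "mrn": "100777", "dept": "ICU",     "host": "ws-01"},
    {"ts": "2012-07-24T08:03:00", "user": "rn.jones",  "action": "LOGIN", "mrn": None,     "dept": "ICU",     "host": "ws-09"},
    {"ts": "2012-07-24T09:00:00", "user": "clerk.ray", "action": "VIEW",  "mrn": "200301", "dept": "BILLING", "host": "ws-22"},
    {"ts": "2012-07-24T09:00:30", "user": "clerk.ray", "action": "VIEW",  "mrn": "200302", "dept": "BILLING", "host": "ws-22"},
    {"ts": "2012-07-24T09:01:00", "user": "clerk.ray", "action": "VIEW",  "mrn": "200303", "dept": "BILLING", "host": "ws-22"},
    {"ts": "2012-07-24T09:01:30", "user": "clerk.ray", "action": "VIEW",  "mrn": "200304", "dept": "BILLING", "host": "ws-22"},
    {"ts": "2012-07-24T10:00:00", "user": "dr.patel",  "action": "VIEW",  "mrn": "300110", "dept": "CARDIO",  "host": "ws-40"},
    {"ts": "2012-07-24T10:05:00", "user": "dr.patel",  "action": "VIEW",  "mrn": "300555", "dept": "CARDIO",  "host": "ws-40"},
]

# Non-log reference data (assumed, constructed) used to confirm hits and to
# suppress false positives from user data and non-log patient data.
USER_OWN_MRN = {"rn.jones": "100777"}      # employees who are also patients here
PATIENT_DEPT = {"100777": "ICU", "200301": "ONC", "200302": "ONC", "200303": "ONC",
                "200304": "ONC", "300110": "CARDIO", "300555": "ONC"}
CARE_TEAM = {"300555": {"dr.patel"}}       # consulting cardiologist on an oncology patient
SEQ_RUN_MIN = 4                            # consecutive MRNs that count as a sweep
SEQ_WINDOW = timedelta(minutes=10)
LOGIN_OVERLAP = timedelta(minutes=15)


def _t(event):
    return datetime.fromisoformat(event["ts"])


def _views_by_user(events):
    by_user = defaultdict(list)
    for e in sorted(events, key=_t):
        if e["action"] == "VIEW":
            by_user[e["user"]].append(e)
    return by_user


def detect_self_examination(events):
    """User opened the chart that the employee/patient cross-reference says is their own."""
    return [(e["user"], e["mrn"]) for e in events
            if e["action"] == "VIEW" and USER_OWN_MRN.get(e["user"]) == e["mrn"]]


def detect_sequential_sweep(events):
    """User opened SEQ_RUN_MIN or more numerically consecutive MRNs within SEQ_WINDOW."""
    hits = []
    for user, views in _views_by_user(events).items():
        run = [views[0]]
        for prev, cur in zip(views, views[1:]):
            consecutive = (int(cur["mrn"]) == int(prev["mrn"]) + 1
                           and _t(cur) - _t(run[0]) <= SEQ_WINDOW)
            run = run + [cur] if consecutive else [cur]
            if len(run) == SEQ_RUN_MIN:          # report each run once, when it reaches the threshold
                hits.append((user, run[0]["mrn"], run[-1]["mrn"]))
    return hits


def detect_out_of_dept(events):
    """Access to a patient outside the user's department, unless the user is on that patient's care team."""
    return [(e["user"], e["mrn"]) for e in events
            if e["action"] == "VIEW"
            and PATIENT_DEPT.get(e["mrn"]) not in (None, e["dept"])
            and e["user"] not in CARE_TEAM.get(e["mrn"], set())]


def detect_simultaneous_logins(events):
    """Same user logged in from a second host while a recent session on another host is still open."""
    hits = []
    sessions = defaultdict(dict)               # user -> {host: login time}
    for e in sorted(events, key=_t):
        if e["action"] == "LOGOUT":
            sessions[e["user"]].pop(e["host"], None)
        elif e["action"] == "LOGIN":
            for host, t0 in sessions[e["user"]].items():
                if host != e["host"] and _t(e) - t0 <= LOGIN_OVERLAP:
                    hits.append((e["user"], host, e["host"]))
            sessions[e["user"]][e["host"]] = _t(e)
    return hits


def run_monitor(events=SAMPLE_EVENTS):
    """Run every detector and return the hits keyed by pattern name."""
    return {
        "self_examination": detect_self_examination(events),
        "sequential_sweep": detect_sequential_sweep(events),
        "out_of_dept": detect_out_of_dept(events),
        "simultaneous_logins": detect_simultaneous_logins(events),
    }


if __name__ == "__main__":
    for pattern, hits in run_monitor().items():
        print(f"{pattern}: {hits}")
```

On the sample, the billing clerk's sweep of four consecutive oncology MRNs fires both the sequential and the out-of-department detector, while the cardiologist's view of an oncology patient is suppressed because the care-team roster lists him; that suppression is the "non-log patient data" filtering a later slide calls mandatory, and without it every consult would be an alert.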

Page 14


Privacy breach findings based on FairWarning® customer deployments

• Privacy breach: confirmed and intentional access of patient information through EHRs not in the course of patient care
• Privacy breaches are ubiquitous: geography, care provider specialty, EHR vendor, locality (rural or urban) and size did not matter
• Wide-scale and systemic: every health system had at least 25 to 100+ confirmed privacy breaches per month
• Privacy breaches decreased 35% to 65% with general communications to staff
• Privacy breaches decreased 85% to 99+% with targeted training & sanctions with staff

Privacy breach monitoring, together with targeted communications and staff sanctions, is mandatory to virtually eliminate EHR misuse.

Page 15


Mandatory for Success

• Ability to audit large numbers of application audit sources
• Massive scalability
• Ability to filter false positives based on user data as well as non-log-file patient data
• Advanced analytics
• High availability for care providers that require breach detection to be mission critical
• Workflow that is fortified by reporting, remediation, sanctioning and audits

Page 16


Explaining the Network and System Architecture

Users at customer site:
• Browser-based user access over HTTPS (port 443)
• Role-based access control for privacy, risk and security roles

Audit log feed (Secure FTP, port 15109):
• Audit logs and data source files from clinical and non-clinical applications (AGFA, Allscripts, Cerner, Epic, GE, Eclipsys, McKesson, MEDITECH, Siemens and 175+ others)
• Files follow the FairWarning® Data File Standards
• Files are fed to a staging directory by a secure, automated, scheduled job

Customer managed:
• File backup and storage per customer preference (backup agent, SAN, NAS, etc.)

FairWarning® admin, connecting via a secure point-to-point VPN:
• Always-on health-check monitoring
• Software and hardware support and maintenance
• Optional hot-spare configuration for high availability and scaling

FAIRWARNING® READY: patient privacy incidents detected by FairWarning® are optionally sent to Certified Partner Solutions.

Page 17

Privacy Incident Management (PIM) Lifecycle & Automation

RADAR: Risk of Harm, Obligations, Due Dates, Documentation

[Diagram: Automated Detection & Investigation Data Flow]

Page 18

Incident Investigation & Analysis: HITECH Act Regulatory Checklist

Obligation                 Description                                              Readiness
45 C.F.R. §164.402         Breach definition                                        ☐
45 C.F.R. §164.404         Individual notification                                  ☐
45 C.F.R. §164.406         Media notification                                       ☐
45 C.F.R. §164.408         Secretary notification                                   ☐
45 C.F.R. §164.414         Administrative burden of proof                           ☐
45 C.F.R. §164.530         Administrative requirements                              ☐
45 C.F.R. §160.310(b)      Complaint investigation & review (Office for Civil Rights, OCR)

Page 19

Incident Investigation & Analysis: Incident vs. Breach

• All breaches start as incidents, but not all incidents end up as breaches
• "Incident" = attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI/PII
• "Breach" = acquisition, access, use, or disclosure of PHI/PII that poses a significant risk of financial, reputational, or other harm

Page 20

Incident Investigation & Analysis (cont.): HITECH Act Burden of Proof

• Demonstrate (document) that all notifications were made as required;
• or demonstrate that the PHI disclosure did not constitute a "significant risk of harm to the individual(s)";
• or establish that the PHI was encrypted, that it met the limited data set (LDS) definition, or that at least one of the exceptions was met.
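The incident-versus-breach decision and the burden-of-proof branches on the last three slides, worked as an added example that is not RADAR's code or ID Experts': a Python rule table that turns a constructed incident record into the Breach Notification Rule obligations and due dates (45 C.F.R. §§164.402 through 164.414). The incident fields are assumed; the thresholds and deadlines are those of the 2009 interim final rule the deck describes (individual notice without unreasonable delay and within 60 calendar days of discovery, media notice when more than 500 residents of a state or jurisdiction are involved, Secretary notice contemporaneously for 500 or more individuals and, for fewer, annually within 60 days of the end of the calendar year). One caveat for anyone applying it today: the 2013 HIPAA Omnibus Rule replaced the "significant risk of harm" test with a presumption that an impermissible use or disclosure is a breach unless a four-factor risk assessment shows a low probability that the PHI was compromised.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Incident:
    """Assumed minimal incident record; field names are illustrative, not RADAR's schema."""
    discovered: date                        # date the breach is treated as discovered
    individuals: int                        # individuals whose PHI was involved
    by_state: Dict[str, int]                # residents affected, per state or jurisdiction
    encrypted: bool = False                 # PHI secured per HHS encryption guidance
    limited_data_set: bool = False          # data met the limited data set (LDS) definition
    exception: Optional[str] = None         # one of the §164.402 exceptions, if it applies
    significant_risk_of_harm: bool = True   # result of the documented risk assessment


Obligation = Tuple[str, str, Optional[date]]   # (citation, required action, due date)


def assess(inc: Incident) -> Tuple[bool, str, List[Obligation]]:
    """Return (is_breach, reason, obligations) for one incident.

    The not-a-breach branches are the burden-of-proof arguments on the slide:
    encrypted PHI, an LDS, an enumerated exception, or no significant risk of
    harm. Whichever branch applies, the entity keeps the documentation (§164.414).
    """
    if inc.encrypted:
        return False, "PHI was encrypted (secured PHI), so the Breach Notification Rule does not apply", []
    if inc.limited_data_set:
        return False, "data met the limited data set definition", []
    if inc.exception:
        return False, f"§164.402 exception applies: {inc.exception}", []
    if not inc.significant_risk_of_harm:
        return False, "risk assessment found no significant risk of harm; retain the assessment", []

    sixty_days = inc.discovered + timedelta(days=60)
    obligations: List[Obligation] = [
        ("§164.404", "notify each affected individual without unreasonable delay", sixty_days),
    ]
    for state, residents in inc.by_state.items():
        if residents > 500:
            obligations.append(("§164.406", f"notify prominent media outlets serving {state}", sixty_days))
    if inc.individuals >= 500:
        obligations.append(("§164.408(b)", "notify the HHS Secretary contemporaneously with individual notice", sixty_days))
    else:
        year_end = date(inc.discovered.year, 12, 31)
        obligations.append(("§164.408(c)", "log the breach and report it to the Secretary annually", year_end + timedelta(days=60)))
    obligations.append(("§164.414", "retain documentation showing every notification was made", None))
    return True, "unsecured PHI with a significant risk of harm", obligations


def demo() -> List[Obligation]:
    # Constructed incident, not a real event: an unencrypted laptop with 1,200
    # patients' records is lost; 900 of the patients are Oregon residents.
    inc = Incident(discovered=date(2012, 7, 24), individuals=1200,
                   by_state={"OR": 900, "WA": 300})
    is_breach, reason, obligations = assess(inc)
    print(f"breach={is_breach}: {reason}")
    for cite, action, due in obligations:
        print(f"  {cite:<12} {action} (due {due})")
    return obligations


if __name__ == "__main__":
    demo()
```

The ordering of the checks matters: encryption and the LDS and exception tests are decided on facts about the data, before any risk-of-harm judgement, which is why they are the cheapest burden-of-proof arguments to document and the first ones an investigator should settle.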

Page 21

OCR HIPAA Audit Protocol Top 10 Items on Privacy & Breach

• Breach Notification Rule is in Scope of the OCR HIPAA Audit!

• Can You Demonstrate Your Compliance?

Page 22

Privacy Incident Management (PIM) Solutions: Low-Tech and High-Tech Tools

[Diagram: tools plotted by Solution Scope & Automation against Ease of Use & Affordability, with RADAR™ placed against the drivers Regulatory (HIPAA/HITECH, states) and Ethical (mission, reputation, org. culture).]

Page 23

ID Experts RADAR

• Incident capture, analysis and tracking
• Documentation of incident-specific risk assessment: PHI / PII data sensitivity; incident severity & risk of harm
• Retention of incident description, analysis, outcome & reports

Complying with HITECH and state breach laws

Page 24

RADAR™

Page 25

Incident Specific Assessment PHI & PII Data Sensitivity

Page 26

RADAR™

HITECH Breach Notification Rule Compliance

FairWarning Ready® for Privacy and Compliance Reporting

Our Data Breach Preparedness and Response Solutions are endorsed by the American Hospital Association

Page 27

RADAR™

FairWarning Ready® for Privacy and Compliance Reporting

State Breach Notification Law(s) Compliance


Page 28

THE CONNECTOR: FairWarning® + RADAR™

Page 29

Privacy Incident Monitoring & Management: Summary of Things You Must Do

• Build an Incident Response Plan (IRP) & designate a team
• Train your team members on your plan and procedures for compliance
• Document your process/procedure for incident risk assessment, documentation & reporting

Page 30

Resources

• ID Experts RADAR: http://www2.idexpertscorp.com/RADAR
• Privacy Incident Management Solution Guide: http://www2.idexpertscorp.com/breach-tools/radar/solution-guide/
• ID Experts: http://www2.idexpertscorp.com
• FairWarning® Resources: http://www.fairwarning.com/solutions-and-compliance/resources
• FairWarning® Applications: http://www.fairwarning.com/solutions-and-compliance/applications
• OCR audit website: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html and http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

Page 31

Questions & Answers

Mahmood Sher-Jan, CHPC, VP of Product Management, ID Experts: [email protected], 971-242-4706

Sonna Fredriksen, Alliance Solutions Manager, FairWarning Inc.: [email protected], 727-576-6700