Closing the Loop on Healthcare Data Breach Detection & Management Using integrated software tools for detecting, analyzing and responding to privacy breaches
July 24, 2012 ID Experts Webinar www.idexpertscorp.com
Mahmood Sher-Jan, CHPC, VP of Product Management, ID Experts
Sonna Fredriksen, Alliance Solutions Manager, FairWarning Inc.
Agenda
• Automating patient privacy breach monitoring & management
• FairWarning® privacy breach detection & metrics
• Privacy incident management (PIM)
  – ID Experts RADAR™
• Closed-loop process: incident detection & management
• Q&A
Automating Patient Privacy Breach Monitoring & Management
• EHR Systems Adoption Spurred by Meaningful-Use Incentives
• Increasing Patient Privacy Risks
  – Healthcare Data Breaches
  – Regulatory Obligations & Enforcement
  – Reputational Risks
  – Patient Concerns and Expectations
(Diagram: Connector automation)
FairWarning®’s mission is to continue to be the world’s leading supplier of solutions which monitor and protect patient privacy in Electronic Health Records.
2012 © FairWarning, Inc. – Private and Confidential
Privacy Breach Detection
Consolidating and reconciling healthcare providers’ EHR applications and other data sources for streamlined privacy auditing
Privacy monitoring & breach detection
• Full featured turn-key solution
• Patient and user investigations
• Proactive alerting with filtering
• Ad hoc reporting
• Incident tracking and reporting
• Zero FTE system operation requirement
• Remediation expertise or training is required
• 175+ production supported EHRs and healthcare applications
• Affordable support – high touch 1-cost model
• Proven deployment methodology and documentation
• FairWarning® invented and leads the category (reference: KLAS Research, Gartner)
• Over 170 customers representing over 900 leading hospitals, 100% growth
The bigger picture on privacy
PATIENT PRIVACY SURVEY
The first and largest of its kind patient surveys in the United States, the United Kingdom, France and Canada, exploring how the privacy-based behaviors of patients impact the treatment they receive and the outcomes they experience. In the United States…
• 28% say the patient postpones treatment due to privacy concerns
• 51% say the patient is willing to travel outside of their community for care due to privacy concerns
• 27% say the patient withholds medical information due to privacy concerns
• 97% surveyed say they believe the care provider has an ethical obligation to protect the patient’s privacy
As cited to the US Senate Committee on the Judiciary Subcommittee on Privacy, Technology & Law.
Mounting mandates for privacy auditing
HIPAA Security Rule (2003 / 2005):
• 164.308(a)(1)(ii)(D) Information system activity review. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
• 164.312(b) Technical safeguards. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
ARRA HITECH Privacy (2009):
• Definition of privacy breach
• Willful neglect
• Patient disclosure
• Governmental notification required
• Media notification (500 or more)
• Increased fines and precedent
• Ability of state attorney general offices to bring lawsuits against care providers
• Increased systemic audits
Meaningful Use Criteria (2010):
• Level 1 certification requires an EHR to produce an audit log (HITECH 45 CFR 170.302(r)).
• Conduct a security risk analysis per HIPAA 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies…
Proposed Accounting of Disclosure Rule (2011):
• Under the May 27th, 2011 proposed accounting of disclosure rule, care providers will be responsible for providing access reports for disclosures of information even for treatment, payment and healthcare operations.
• Providers, plans and their business associates will be required to maintain for 3 years the information required to produce the reports.
• The rule is available for public comment in the Federal Register through July 2011.
Security Compliance Top Issues
(Chart: Security Issues by Area – Initial 20 KPMG Audit Findings; count axis 0–50)
Source: HHS/OCR 2012 HIPAA Privacy & Security Audit Findings from 20 Initial KPMG Audits – Linda Sanches, OCR Senior Advisor, Health Information Privacy, Lead HIPAA Compliance Audits
Challenges of emerging regulation
• Extracting privacy related audit log data
• Differing field formats
• Extreme data volume
• Stovepipes of information
• Manual processes are incomplete, error-prone, time consuming, $$$$ and burdensome
Audit log sources: AGFA, Allscripts, Cerner, GE, Epic, MEDITECH, McKesson, Siemens and dozens, perhaps hundreds of others
Consolidation with advanced reporting
How we do it.
• EHR audit logs and other authoritative data sources: AGFA, Allscripts, Cerner, GE, Epic, MEDITECH, McKesson, Siemens and dozens, perhaps hundreds of others
• FairWarning® Data Definition Guide
• FairWarning® Ready for Healthcare Applications: standardized data across all applications; rapid integration of data sources with advanced analytics; lower fully loaded expenses
• FairWarning® Ready Certified and Production Supported Applications: http://www.fairwarningaudit.com/subpages/Applications_and_Systems.asp
Example best practices: Privacy Breach Detection
• Regulatory Investigations and Auditing
  – Individual patients
  – Individual user
  – GP / Physician
  – Consultants / Contractors
  – Random patients
  – Random users
  – Others
• Detecting “Snooping” Patterns
  – VIP scenarios: prominent government officials, celebrities
  – Family member snooping
  – Employee as patient snooping
  – Executive snooping
  – Neighbor snooping
  – Break-the-Glass functions
  – Self examination
  – Sensitive function codes
  – Others
• Detecting Identity Theft Patterns
  – Sequential patient records
  – Patient access thresholds
  – Printed records thresholds
  – Deceased patient records
  – Discharged patient records
  – Address changes
  – Out-of-dept accounting, billing accesses
  – Expired logins
  – Simultaneous logins
  – Other demographic changes
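As an added illustration (not FairWarning or ID Experts code), the script below runs minimal versions of four of the patterns listed above, sequential patient records, patient access thresholds, simultaneous logins and employee-as-patient snooping, over constructed EHR audit records. The record layout (timestamp, user, workstation, MRN), the staff-to-MRN mapping and the thresholds are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (ts, user, workstation, MRN accessed); not real data.
AUDIT = [
    ("2012-07-24T09:00:00", "jdoe", "WS-12", "100200"),
    ("2012-07-24T09:00:40", "jdoe", "WS-12", "100201"),
    ("2012-07-24T09:01:15", "jdoe", "WS-12", "100202"),
    ("2012-07-24T09:01:50", "jdoe", "WS-12", "100203"),
    ("2012-07-24T09:02:30", "jdoe", "WS-12", "100204"),
    ("2012-07-24T09:03:00", "jdoe", "WS-12", "100205"),
    ("2012-07-24T09:03:05", "jdoe", "WS-47", "300900"),  # second workstation, 5 s later
    ("2012-07-24T10:00:00", "asmith", "WS-03", "555123"),  # staff member's own chart
    ("2012-07-24T10:05:00", "asmith", "WS-03", "777000"),
]
# Constructed (hypothetical) mapping of staff user IDs to their own patient MRNs.
EMPLOYEE_MRN = {"asmith": "555123"}

def parse(rec):
    ts, user, ws, mrn = rec
    return datetime.fromisoformat(ts), user, ws, mrn

def detect(records, threshold=5, window=timedelta(minutes=5), seq_run=4):
    """Return sorted (pattern, user) findings; thresholds are illustrative assumptions."""
    by_user = defaultdict(list)
    for rec in records:
        ev = parse(rec)
        by_user[ev[1]].append(ev)
    findings = set()
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _, ws0, _) in enumerate(events):
            later = [e for e in events[i:] if e[0] - t0 <= window]
            # Patient access threshold: more distinct patients than expected in one window.
            if len({e[3] for e in later}) > threshold:
                findings.add(("patient_access_threshold", user))
            # Simultaneous logins: activity from a second workstation inside the window.
            if any(e[2] != ws0 for e in later):
                findings.add(("simultaneous_logins", user))
        # Sequential patient records: a run of consecutive MRNs in access order.
        run = 1
        for a, b in zip(events, events[1:]):
            run = run + 1 if int(b[3]) == int(a[3]) + 1 else 1
            if run >= seq_run:
                findings.add(("sequential_patient_records", user))
        # Employee-as-patient snooping: a staff member opening their own chart.
        if EMPLOYEE_MRN.get(user) in {e[3] for e in events}:
            findings.add(("employee_as_patient", user))
    return sorted(findings)
```

Each finding is a starting point for investigation, not a confirmed breach; in the slide's terms it is an incident that still needs the risk-of-harm analysis described later.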
Privacy breach findings based on FairWarning® customer deployments
• Privacy breach – confirmed and intentional access of patient information through EHRs not in the course of patient care
• Privacy breaches are ubiquitous – geography, care provider specialty, EHR vendor, locality (rural or urban) and size did not matter
• Wide-scale and systemic – every health system had at least 25 to 100+ confirmed privacy breaches per month
• Privacy breaches decreased 35% to 65% with general communications to staff
• Privacy breaches decreased 85% to 99+% with targeted training & sanctions with staff
Privacy breach monitoring, together with targeted communications and staff sanctions, is mandatory to virtually eliminate EHR misuse.
Mandatory for Success
• Ability to audit large numbers of application audit sources
• Massive scalability
• Ability to filter false positives based on user data as well as non-log-file patient data
• Advanced analytics
• High availability for care providers that require breach detection to be mission critical
• Workflow that is fortified by reporting, remediation, sanctioning and audits
Explaining the Network and System Architecture
Users at Customer Site
• Browser based user access (https – port 443)
• Role-based access control
• Privacy, Risk, Security
Data sources: AGFA, Allscripts, Cerner, Epic, GE, Eclipsys, McKesson, MEDITECH, Siemens and 175+ others
• Audit logs and data source files from clinical and non-clinical applications
• FairWarning® Data File Standards
• Files fed to a staging directory in a secure, automated, scheduled job (Secure FTP – port 15109)
Customer Managed
• File back-up and store per customer preference (backup agent, SAN, NAS, etc.)
FairWarning® Admin (VPN)
• FairWarning® connects via secure point-to-point VPN connection
• Always-on Health-Check Monitoring
• Software and hardware support and maintenance
Hot-spare: optional configuration for High Availability and Scaling
FAIRWARNING® READY: patient privacy incidents detected by FairWarning® optionally sent to Certified Partner Solutions
Privacy Incident Management (PIM) Lifecycle & Automation
RADAR: Risk of Harm – Obligations – Due Dates – Documentation
(Diagram: Automated Detection & Investigation Data Flow)
Incident Investigation & Analysis: HITECH Act Regulatory Checklist
Obligation | Description | Readiness
45 C.F.R. §164.402 | Breach Definition | ☐
45 C.F.R. §164.404 | Individual Notification | ☐
45 C.F.R. §164.406 | Media Notification | ☐
45 C.F.R. §164.408 | Secretary Notification | ☐
45 C.F.R. §164.414 | Administrative Burden of Proof | ☐
45 C.F.R. §164.530 | Administrative Requirements | ☐
45 C.F.R. §160.310(b) | Complaint Investigation & Review (Office for Civil Rights – OCR) | ☐
Incident Investigation & Analysis: Incident vs. Breach
• All breaches start as incidents, but not all incidents end up as breaches
• "Incident" = attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI/PII
• "Breach" = acquisition, access, use, or disclosure of PHI/PII that poses a significant risk of financial, reputational, or other harm
Incident Investigation & Analysis (Cont.)
HITECH Act Burden of Proof
• Demonstrate (document) that all notifications were made as required;
• Or demonstrate that the PHI disclosure did not constitute a “significant risk of harm to the individual(s)”;
• Or establish that the PHI was encrypted, met the LDS definition, or that at least one of the exceptions was met.
OCR HIPAA Audit Protocol: Top 10 Items on Privacy & Breach
• Breach Notification Rule is in scope of the OCR HIPAA Audit!
• Can you demonstrate your compliance?
Privacy Incident Management (PIM) Solutions: Low-Tech and High-Tech Tools
(Chart: Solution Scope & Automation vs. Ease of Use & Affordability; drivers: Regulatory – HIPAA/HITECH, States; Ethical – Mission, Reputation, Org. Culture; RADAR™ plotted)
ID Experts RADAR
• Incident Capture, Analysis and Tracking
• Documentation of Incident Specific Risk Assessment – PHI / PII Data Sensitivity; Incident Severity & Risk of Harm
• Retention of Incident:
  – Description
  – Analysis
  – Outcome & Reports
Complying with HITECH and States Breach Laws
RADAR™ (screenshots)
• Incident Specific Assessment: PHI & PII Data Sensitivity
• HITECH Breach Notification Rule Compliance
• State Breach Notification Law(s) Compliance
FairWarning Ready® for Privacy and Compliance Reporting
Our Data Breach Preparedness and Response Solutions are endorsed by the American Hospital Association
THE CONNECTOR: FairWarning® + RADAR™
(Diagram: Connector)
Privacy Incident Monitoring & Management: Summary of Things You Must Do
• Build an Incident Response Plan (IRP) & designate a team
• Train your team members on your plan and procedures for compliance
• Document your process/procedure for incident risk assessment, documentation & reporting
Resources
• ID Experts RADAR: http://www2.idexpertscorp.com/RADAR
• Privacy Incident Management Solution Guide: http://www2.idexpertscorp.com/breach-tools/radar/solution-guide/
• ID Experts: http://www2.idexpertscorp.com
• FairWarning® Resources: http://www.fairwarning.com/solutions-and-compliance/resources
• FairWarning® Applications: http://www.fairwarning.com/solutions-and-compliance/applications
• OCR audit website: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html and http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
Questions & Answers
Mahmood Sher-Jan, CHPC, VP of Product Management, ID Experts – 971-242-4706
Sonna Fredriksen, Alliance Solutions Manager, FairWarning Inc. – 727-576-6700