
Helping companies protect their information, people, and facilities.

HIPAA and SB 1386: The New Security Imperatives

Presented by: Russell L. Rowe
[email protected]


www.chiefsecurityofficers.com

04/19/23

Background

Chief Security Officers, LLC is a full-service IT firm specializing in security compliance and auditing services. We help companies protect their information, people, and facilities.


Seminar Objectives

Define HIPAA and SB 1386 and their impact on your business.

Provide specific techniques to aid in planning and implementing security measures to meet HIPAA and SB 1386 requirements.


HIPAA

Healthcare Insurance Portability and Accountability Act (HIPAA)

Privacy Compliance Dates
2/26/03 Healthcare Clearinghouses
4/14/04 Large Covered Entities
4/14/04 Small Covered Entities

Security Compliance Dates
4/20/05 Large Covered Entities
4/20/06 Small Covered Entities


HIPAA’s Goals

Ensure health insurance portability

Reduce health care fraud and abuse

Guarantee security and privacy of personal health information

Enforce standards for health information, i.e., medical records use and release


A Simple Mandate

“It is the responsibility of organizations that are entrusted with health information to protect it against deliberate or inadvertent misuse or disclosure. The final regulation requires covered organizations to establish clear procedures to protect patients' privacy, including designating an official to establish and monitor the entity's privacy practices and training.”


Affected Healthcare Organizations

Health Plans: Individual or group plans that provide for or pay the cost of medical care; employers that self-insure

Providers (furnish healthcare services or supplies): Hospitals, medical groups, physicians’ LLPs, clinics, emergency care facilities

Clearinghouses: Public or private organizations that process or facilitate processing of health information

Other Entities: Employers that want to utilize medical information for data mining; pharmaceutical companies conducting clinical research


Affected Business Processes

All individually identifiable information relating to past, present, or future:

Health conditions

Treatment

Payment for treatment

Demographic data collected by plans or providers


Administrative Procedure Standards

Certification

Chain of Trust Agreements

Contingency Planning

Record Processing

Information Access Control

Internal Audit

Security Management

Personnel Security

Training

Termination Procedures

Security Incident Response

Security Configuration Management


Physical Safeguards

Assigned security responsibility

Media controls

Physical access controls

Policy/guideline on workstation use

Secure workstation location

Security awareness training

Business continuity & disaster recovery plans


Technical Security Services Standards

Access Control

Authorization Control

Data Authentication (Integrity)

Entity Authentication


Technical Security for Network Communications

Basic networking safeguards: Confidentiality, Integrity, Availability

Network security issues: Integrity (message corruption) and confidentiality (message interception); protection from unauthorized remote access


Why Comply?

Statutory Penalties
Standards: Up to $25,000 per violation per year
Wrongful disclosure: Up to $250,000 and 10 years in prison

Cost Savings
Reduction in processing costs
Simplification of manual processing

Improved Customer Service
Fewer errors
Quicker turnaround

Enabler of e-commerce


Healthcare IT Professionals Understand HIPAA’s Importance

79% say HIPAA is the top business issue in the healthcare industry

Two-thirds say upgrading security to meet HIPAA is a top priority

Source: HIMSS leadership survey, 1/01


Structural Impact

Cultural transformation for handling, using, communicating, and sharing patient information

Major revamping of business/security policies and procedures

Must rethink how to protect security and privacy of patient and consumer information

Additional information security technology solutions (e.g., PKI, VPNs, Business Continuity)

Standard formats for most common transactions among healthcare organizations

Replacement or substantial change to providers’ current systems and processes


Financial Impact

Establish “Privacy Official”

Extraordinary budget and staff requirements for next two years

More extensive than Y2K efforts: $5B in spending by end of 2003 (IDC)

Large healthcare providers and/or payers could spend $50-$200 million each to become HIPAA compliant


20 Steps to Compliance

1. Identify gaps between current practices and proposed rules.

2. Identify key individuals to spearhead compliance efforts. Include senior management to ensure top-down support.

3. Educate staff, physicians, and other key constituents.

4. Make a comprehensive inventory of individually identifiable electronic health information your organization maintains. Include information kept on PCs and in research databases.


5. Conduct a risk assessment to evaluate potential risks and vulnerabilities to individually identifiable electronic health information. Include the possibility of outside attacks.

6. Develop a tactical plan to address identified risks, with highest priority on areas of greatest vulnerability.

7. Collect and organize existing information security policies into the four categories outlined in the security standards. Evaluate for currency, consistency, and adequacy.

8. Develop a checklist of policies to be developed. Assign responsibility to appropriate individuals.


9. Educate staff about security policies - enforce them.

10. Establish a confidential reporting system to report security breaches without fear of repercussion.

11. Impose sanctions for violations. Prepare for system disruptions or data corruption that may result from security violations.

12. Assess accuracy of the master patient index (MPI) for duplication (patients assigned more than one number) and overlays (more than one patient assigned the same number). Out-task if necessary.

13. Evaluate current billing system for EDI transaction standard and modifications.


14. Compare current health information disclosure procedures with proposed privacy standards.

Are individuals allowed to inspect and copy their health information? Are reasonable fees charged?

Does the organization account for all disclosures of protected health information other than for treatment, payment, or healthcare operations?

Is there a procedure in place to allow individuals to request amendments or corrections to their health information?

Is there a mechanism for individuals to complain about possible violations of privacy?

15. Designate a privacy officer.

16. Review/revise existing vendor contracts to ensure HIPAA compliance. Ensure that business partners also protect privacy of identifiable health information.


17. Evaluate new information security technologies.

18. Consider biometric identifiers (fingerprints, voiceprints, retinal scans) for secure authentication of users, and single sign-on technology to eliminate multiple passwords and logons.

19. Evaluate audit trails on existing information systems. Audit trails must record every access (including read-only access) to patient information, not just additions or deletions.

20. Look for audit trail technologies that can analyze large amounts of information and flag suspicious patterns.
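Steps 19 and 20 call for audit trails that record every access, read-only included, and for tooling that flags suspicious patterns in them. The Python below is an added example written for this page, not code from the presenter or from Chief Security Officers: it parses a few constructed audit lines in an assumed `timestamp | user | record | action` layout and applies two plain review rules (one user touching a burst of distinct patient records inside a ten-minute window, and any access outside business hours). The log layout, the thresholds and the sample lines are all assumptions.

```python
"""Audit-trail review for record-level access (constructed example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp | user | patient record | action.
# Every access is logged, including read-only views, as step 19 requires.
SAMPLE_AUDIT = """\
2003-04-07T09:01:12 | jdoe   | MRN-1001 | read
2003-04-07T09:02:40 | jdoe   | MRN-1002 | read
2003-04-07T09:03:05 | jdoe   | MRN-1003 | read
2003-04-07T09:03:50 | jdoe   | MRN-1004 | read
2003-04-07T09:04:22 | jdoe   | MRN-1005 | read
2003-04-07T09:04:59 | jdoe   | MRN-1006 | read
2003-04-07T09:30:00 | asmith | MRN-2001 | update
2003-04-07T23:15:00 | asmith | MRN-2002 | read
2003-04-07T14:10:00 | rlee   | MRN-1001 | read
"""

DISTINCT_RECORD_LIMIT = 5        # more than this many distinct records ...
WINDOW = timedelta(minutes=10)   # ... inside this window is flagged (assumed)
BUSINESS_HOURS = range(7, 20)    # 07:00-19:59 counts as normal hours (assumed)


def parse_audit_line(line):
    """Split one 'timestamp | user | record | action' line into a dict."""
    ts, user, record, action = (field.strip() for field in line.split("|"))
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "record": record, "action": action}


def parse_audit(text):
    return [parse_audit_line(l) for l in text.splitlines() if l.strip()]


def flag_bulk_access(events):
    """Flag a user who touches more than DISTINCT_RECORD_LIMIT distinct
    records within WINDOW. Read-only access counts: browsing record after
    record is exactly the pattern a snooping insider produces."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        window = deque()
        for e in evs:
            window.append(e)
            while e["ts"] - window[0]["ts"] > WINDOW:
                window.popleft()
            distinct = {w["record"] for w in window}
            if len(distinct) > DISTINCT_RECORD_LIMIT:
                findings.append((user, "bulk-access", e["ts"].isoformat()))
                break  # one finding per user is enough for the reviewer
    return findings


def flag_after_hours(events):
    """Flag any access outside business hours, read-only included."""
    return [(e["user"], "after-hours", e["ts"].isoformat())
            for e in events if e["ts"].hour not in BUSINESS_HOURS]


def review(text):
    """Run both rules over an audit extract and return (user, rule, when)."""
    events = parse_audit(text)
    return flag_bulk_access(events) + flag_after_hours(events)


if __name__ == "__main__":
    for finding in review(SAMPLE_AUDIT):
        print(*finding)
```

On the sample, `jdoe` is flagged for six distinct records in under four minutes and `asmith` for a 23:15 read; `rlee` is not flagged. Real deployments tune the window and limit per role (a ward clerk legitimately opens many charts), but the point of step 19 survives any tuning: without read-only events in the trail, the first rule has nothing to work on.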


California SB 1386

California SB 1386 provides Californians with immediate notification when confidential information about them has been compromised due to a breach of any computer system that stores such information and the breach is discovered.


Why was it created?

Early in 2002, the State of California's Data Center that runs the Payroll application for the State of California was breached. For many weeks, confidential information about 265,000 employees of the state was available to the hackers – names, addresses, bank account numbers, social security numbers, etc.

The Data Center did not notify anybody about this breach for many weeks, leaving state employees and lawmakers open to identity theft attacks longer than they needed to be.


Who does the Bill impact?

Any business, government or non-profit agency, or individual that stores confidential information about California residents on their computers.


When does it become effective?

The Bill was approved by the Governor on September 25, 2002, while its provisions became effective July 01, 2003.


What’s considered to be “confidential personal information”?

Social Security numbers, California Driver's License numbers or Identification Card numbers, Account numbers, Credit or Debit card numbers, etc.

Information that is lawfully available to the general public, from government records, is not considered confidential personal information.


What constitutes a breach of a computer system?

Any unauthorized access of a computer and its data constitutes a breach of a computer system.

Typically, if a policy exists within a business or agency, authorizing access to a computer and its data, any access outside the scope of that policy is unauthorized.


What if a computer was breached, but the confidential personal information was not stolen?

While possible, this would be very difficult to prove. It would depend on the technology used to store the confidential personal information and the security policies and procedures in force within that infrastructure.


What if I don’t monitor the systems and thus, do not detect a breach?

Unfortunately, you will not be able to get away with such an argument. In general, businesses have a responsibility to exercise a certain level of care in protecting their information, especially information deemed confidential. By not monitoring your systems, and thus not detecting a breach, you can be accused of negligence - for not applying what is considered to be the standard level of care within the industry.


Does SB 1386 apply to me if I do not have an office in California?

As long as you have a single employee or customer that resides in California, and as long as you store any confidential personal information about that employee or customer on a computer, you will need to comply with SB 1386.

It doesn't matter if you do not have an office in California, or do not maintain any computers in California – you're still responsible to uphold the provisions of SB 1386 as long as the above conditions are true.


What if I am just a small business, and not a large corporation?

SB 1386 does not discriminate based on size of the business. If you are a Sole Proprietorship, a Partnership, an LLC, LLP, a Corporation, a Non-Profit or any form of Government agency – and maintain confidential personal information about a California resident on a computer – SB 1386 applies to you.


What if the data is encrypted?

Where the confidential data is encrypted on the computer, and in the transmissions between the computer and its use by authorized users, the company may be exempted from disclosure. Notice the emphasis on the word "may". The reason is - there are many different kinds of encryption technologies, ranging from being relatively trivial to break, to being "computationally infeasible". Depending on the kind of encryption you use, you may be judged to have exercised sufficient, or insufficient, standard-of-care in protecting the data.


What if the confidential data is separated from the name and password?

In the event that your database maintains confidential data about Californians, but does not store either the password or the name of the Californian in the same database or computer, then SB 1386 disclosure rules will not apply to you.

The rationale for this is obvious - if an attacker stumbled upon social security numbers or account numbers, but did not know who they belonged to, it would make the attacker's job much harder in attempting to steal identities.
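The separation described above, confidential fields kept apart from the name that identifies their owner, can be built as two stores linked only by a random token. The Python below is an added example written for this page, not the presenter's code: the two store classes, the token scheme, the field names and the sample residents are assumptions, and the constructed Social Security and account numbers are deliberately fake.

```python
"""Keeping confidential fields apart from identifying ones (constructed example)."""
import json
import secrets


class IdentityStore:
    """Names plus the opaque token that points at each confidential record.
    Assumed to live on a different computer/database than ConfidentialStore."""

    def __init__(self):
        self._tokens = {}  # name -> token

    def issue_token(self, name):
        # Random, not derived from the name, so nobody holding only the
        # confidential store can recompute it and recover an identity.
        if name not in self._tokens:
            self._tokens[name] = secrets.token_hex(16)
        return self._tokens[name]

    def lookup_token(self, name):
        return self._tokens.get(name)

    def dump(self):
        """What an attacker would see with a copy of this store only."""
        return json.dumps(self._tokens)


class ConfidentialStore:
    """SSNs and account numbers keyed only by token; no names, no passwords."""

    def __init__(self):
        self._rows = {}  # token -> fields

    def put(self, token, ssn, account):
        self._rows[token] = {"ssn": ssn, "account": account}

    def get(self, token):
        return self._rows.get(token)

    def dump(self):
        """What an attacker would see with a copy of this store only."""
        return json.dumps(self._rows)


def enroll(identity, confidential, name, ssn, account):
    """Write one resident across both stores; returns the linking token."""
    token = identity.issue_token(name)
    confidential.put(token, ssn, account)
    return token


def fetch(identity, confidential, name):
    """Authorized path: name -> token (identity store) -> confidential fields."""
    token = identity.lookup_token(name)
    return None if token is None else confidential.get(token)


def exposes_names(store_dump, names):
    """Does a dump of one store, taken alone, identify any resident?"""
    return any(name in store_dump for name in names)


# Constructed residents with obviously fake identifiers.
NAMES = ["Jane Resident", "Juan Vecino"]


def demo():
    identity, confidential = IdentityStore(), ConfidentialStore()
    enroll(identity, confidential, NAMES[0], "000-00-0001", "ACCT-0001")
    enroll(identity, confidential, NAMES[1], "000-00-0002", "ACCT-0002")
    return identity, confidential


if __name__ == "__main__":
    identity, confidential = demo()
    print(fetch(identity, confidential, "Jane Resident"))
    print("names in confidential dump:", exposes_names(confidential.dump(), NAMES))
    print("SSNs in identity dump:", "000-00-0001" in identity.dump())
```

A dump of the confidential store alone yields numbers with no owner, and a dump of the identity store alone yields names with no numbers; only the authorized `fetch` path joins them. The exemption the slide describes depends on the two stores not sharing a computer: co-locating them on one host recreates the single database or computer the rule is concerned with.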


What preventive measures are available?

Implementing rigorous policies and controls

Re-architecting the critical infrastructure and/or applications

Elimination of User IDs and Passwords

Use of encryption beyond the network


Questions

Russell Rowe

President

Chief Security Officers

11445 E. Via Linda

Scottsdale, AZ 85259

480-344-2635

[email protected]