Helping companies protect their information, people, and facilities.
HIPAA and SB 1386: The New Security Imperatives
Presented by: Russell L. Rowe
2
www.chiefsecurityofficers.com
04/19/23
Background
Chief Security Officers, LLC is a full-service IT firm specializing in security compliance and auditing services. We help companies protect their information, people, and facilities.
Seminar Objectives
Define HIPAA and SB 1386 and their impact on your business.
Provide specific techniques to aid in planning and implementing security measures to meet HIPAA and SB 1386 requirements.
HIPAA
Healthcare Insurance Portability and Accountability Act (HIPAA)
Privacy Compliance Dates
2/26/03 Healthcare Clearinghouses
4/14/04 Large Covered Entities
4/14/04 Small Covered Entities
Security Compliance Dates
4/20/05 Large Covered Entities
4/20/06 Small Covered Entities
HIPAA’s Goals
Ensure health insurance portability
Reduce health care fraud and abuse
Guarantee security and privacy of personal health information
Enforce standards for health information, i.e., medical records use and release
A Simple Mandate
“It is the responsibility of organizations that are entrusted with health information to protect it against deliberate or inadvertent misuse or disclosure. The final regulation requires covered organizations to establish clear procedures to protect patients' privacy, including designating an official to establish and monitor the entity's privacy practices and training.”
Affected Healthcare Organizations
Health Plans
Individual or group plans that provide for or pay the cost of medical care
Employers that self-insure
Providers (furnish healthcare services or supplies)
Hospitals, medical groups, physicians’ LLPs, clinics, emergency care facilities
Clearinghouses
Public or private organizations that process or facilitate processing of health information
Other Entities
Employers that want to utilize medical information for data mining
Pharmaceutical companies conducting clinical research
Affected Business Processes
All individually identifiable information relating to past, present, or future:
Health conditions
Treatment
Payment for treatment
Demographic data collected by plans or providers
Administrative Procedure Standards
Certification
Chain of Trust Agreements
Contingency Planning
Record Processing
Information Access Control
Internal Audit
Security Management
Personnel Security
Training
Termination Procedures
Security Incident Response
Security Configuration Management
Physical Safeguards
Assigned security responsibility
Media controls
Physical access controls
Policy/guideline on workstation use
Secure workstation location
Security awareness training
Business continuity & disaster recovery plans
Technical Security Services Standards
Access Control
Authorization Control
Data Authentication (Integrity)
Entity Authentication
Technical Security for Network Communications
Basic networking safeguards: confidentiality, integrity, availability
Network security issues: integrity (message corruption) and confidentiality (message interception)
Protection from unauthorized remote access
Why Comply?
Statutory Penalties
Standards: up to $25,000 per violation per year
Wrongful disclosure: up to $250,000 and 10 years in prison
Cost Savings
Reduction in processing costs
Simplification of manual processing
Improved Customer Service
Fewer errors
Quicker turnaround
Enabler of e-commerce
Healthcare IT Professionals Understand HIPAA’s Importance
79% say HIPAA is the top business issue in the healthcare industry
Two-thirds say upgrading security to meet HIPAA is a top priority
Source: HIMSS leadership survey, 1/01
Structural Impact
Cultural transformation for handling, using, communicating, and sharing patient information
Major revamping of business/security policies and procedures
Must rethink how to protect security and privacy of patient and consumer information
Additional information security technology solutions (e.g., PKI, VPNs, Business Continuity)
Standard formats for most common transactions among healthcare organizations
Replacement or substantial change to providers’ current systems and processes
Financial Impact
Establish “Privacy Official”
Extraordinary budget and staff requirements for the next two years
More extensive than Y2K efforts: $5B in spending by end of 2003 (IDC)
Large healthcare providers and/or payers could spend $50-$200 million each to become HIPAA compliant
20 Steps to Compliance
1. Identify gaps between current practices and proposed rules.
2. Identify key individuals to spearhead compliance efforts. Include senior management to ensure top-down support.
3. Educate staff, physicians, and other key constituents.
4. Make a comprehensive inventory of individually identifiable electronic health information your organization maintains. Include information kept on PCs and in research databases.
5. Conduct a risk assessment to evaluate potential risks and vulnerabilities to individually identifiable electronic health information. Include the possibility of outside attacks.
6. Develop a tactical plan to address identified risks, with highest priority on areas of greatest vulnerability.
7. Collect and organize existing information security policies into the four categories outlined in the security standards. Evaluate for currency, consistency, and adequacy.
8. Develop a checklist of policies to be developed. Assign responsibility to appropriate individuals.
9. Educate staff about security policies and enforce them.
10. Establish a confidential reporting system to report security breaches without fear of repercussion.
11. Impose sanctions for violations. Prepare for system disruptions or data corruption that may result from security violations.
12. Assess the accuracy of the master patient index (MPI) for duplication (patients assigned more than one number) and overlays (more than one patient assigned the same number). Out-task if necessary.
13. Evaluate the current billing system for EDI transaction standards and modifications.
14. Compare current health information disclosure procedures with proposed privacy standards.
Are individuals allowed to inspect and copy their health information? Are reasonable fees charged?
Does the organization account for all disclosures of protected health information other than for treatment, payment, or healthcare operations?
Is there a procedure in place to allow individuals to request amendments or corrections to their health information?
Is there a mechanism for individuals to complain about possible violations of privacy?
15. Designate a privacy officer.
16. Review/revise existing vendor contracts to ensure HIPAA compliance. Ensure that business partners also protect privacy of identifiable health information.
17. Evaluate new information security technologies.
18. Consider biometric identifiers (fingerprints, voiceprints, retinal scans) for secure authentication of users, and single sign-on technology to eliminate multiple passwords and logons.
19. Evaluate audit trails on existing information systems. Audit trails must record every access (including read-only access) to patient information, not just additions or deletions.
20. Look for audit trail technologies that can analyze large amounts of information and flag suspicious patterns.
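Steps 19 and 20 call for audit trails that record every access, read-only included, and for tooling that flags suspicious patterns. The following is an added example, not from the presentation: a small Python review over a constructed audit trail (the log format, user ids and patient ids are made up) that flags one user browsing many distinct patient records in a short window and any access outside business hours.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not from the presentation). Each line is
# ISO timestamp | user id | patient record id | action. Per step 19, READ
# events are logged alongside UPDATE/CREATE/DELETE, not just changes.
SAMPLE_AUDIT_LOG = """\
2003-04-21T09:02:11|nurse_ak|P1001|READ
2003-04-21T09:05:40|nurse_ak|P1001|UPDATE
2003-04-21T09:07:03|nurse_ak|P1002|READ
2003-04-21T13:10:00|clerk_jm|P2001|READ
2003-04-21T13:10:09|clerk_jm|P2002|READ
2003-04-21T13:10:17|clerk_jm|P2003|READ
2003-04-21T13:10:26|clerk_jm|P2004|READ
2003-04-21T13:10:35|clerk_jm|P2005|READ
2003-04-21T13:10:44|clerk_jm|P2006|READ
2003-04-21T23:48:52|dr_lee|P1001|READ
"""

def parse_audit_log(text):
    """Parse the pipe-delimited audit lines into dicts with a datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events

def flag_suspicious(events, max_patients=5, window=timedelta(minutes=10),
                    business_hours=(7, 19)):
    """Findings for two patterns an audit-trail review looks for: one user
    reaching many distinct patient records in a short window (browsing),
    and any access outside business hours. Thresholds are illustrative."""
    findings = []
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
        if not (business_hours[0] <= ev["ts"].hour < business_hours[1]):
            findings.append(("after_hours", ev["user"], ev["patient"]))
    for user, evs in by_user.items():
        # Sliding window: distinct patients this user touched within
        # `window` of each event; one finding per user triggers review.
        for i, start in enumerate(evs):
            patients = {e["patient"] for e in evs[i:]
                        if e["ts"] - start["ts"] <= window}
            if len(patients) > max_patients:
                findings.append(("high_volume", user, len(patients)))
                break
    return findings
```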
California SB 1386
California SB 1386 provides Californians with immediate notification when confidential information about them has been compromised through a breach of any computer system that stores such information and the breach is discovered.
Why was it created?
Early in 2002, the State of California's data center that runs the payroll application for the State of California was breached. For many weeks, confidential information about 265,000 employees of the state was available to the hackers: names, addresses, bank account numbers, Social Security numbers, etc.
The Data Center did not notify anybody about this breach for many weeks, leaving state employees and lawmakers open to identity theft attacks longer than they needed to be.
Who does the Bill impact?
Any business, government or non-profit agency, or individual that stores confidential information about California residents on their computers.
When does it become effective?
The Bill was approved by the Governor on September 25, 2002, and its provisions became effective July 1, 2003.
What’s considered to be “confidential personal information”?
Social Security numbers, California Driver's License numbers or Identification Card numbers, account numbers, credit or debit card numbers, etc.
Information that is lawfully available to the general public from government records is not considered confidential personal information.
What constitutes a breach of a computer system?
Any unauthorized access of a computer and its data constitutes a breach of a computer system.
Typically, if a policy exists within a business or agency, authorizing access to a computer and its data, any access outside the scope of that policy is unauthorized.
What if a computer was breached, but the confidential personal information was not stolen?
While possible, this would be very difficult to prove. It would depend on the technology used to store the confidential personal information and the security policies and procedures in force within that infrastructure.
What if I don’t monitor the systems and thus, do not detect a breach?
Unfortunately, you will not be able to get away with such an argument. In general, businesses have a responsibility to exercise a certain level of care in protecting their information, especially information deemed confidential. By not monitoring your systems, and thus not detecting a breach, you can be accused of negligence for not applying what is considered to be the standard level of care within the industry.
Does SB 1386 apply to me if I do not have an office in California?
As long as you have a single employee or customer that resides in California, and as long as you store any confidential personal information about that employee or customer on a computer, you will need to comply with SB 1386.
It doesn't matter if you do not have an office in California, or do not maintain any computers in California – you're still responsible to uphold the provisions of SB 1386 as long as the above conditions are true.
What if I am just a small business, and not a large corporation?
SB 1386 does not discriminate based on the size of the business. If you are a Sole Proprietorship, a Partnership, an LLC, an LLP, a Corporation, a Non-Profit or any form of Government agency, and maintain confidential personal information about a California resident on a computer, SB 1386 applies to you.
What if the data is encrypted?
Where the confidential data is encrypted on the computer and in the transmissions between the computer and its authorized users, the company may be exempted from disclosure. Notice the emphasis on the word "may". The reason is that there are many different kinds of encryption technologies, ranging from relatively trivial to break to "computationally infeasible". Depending on the kind of encryption you use, you may be judged to have exercised a sufficient, or insufficient, standard of care in protecting the data.
What if the confidential data is separated from the name and password?
In the event that your database maintains confidential data about Californians but does not store either the password or the name of the Californian in the same database or computer, then SB 1386 disclosure rules will not apply to you.
The rationale for this is obvious: if an attacker stumbled upon Social Security numbers or account numbers but did not know who they belonged to, the attacker's job of stealing identities would be much harder.
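As an added example (not part of the presentation), the separation described above implemented in Python: identity attributes and confidential fields live in two stores linked only by an HMAC-derived pseudonym whose key is held by a third component. The names, SSNs, account numbers and identity ids are constructed sample values; encrypting the confidential fields themselves, as in the previous slide, is a separate layer not shown here.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real people; 000-prefixed SSNs are invalid).
SAMPLE_PEOPLE = {
    "emp-0001": {"name": "Ana Ruiz", "city": "Fresno",
                 "ssn": "000-11-2222", "account": "4000123400005678"},
    "emp-0002": {"name": "Ben Ito", "city": "San Jose",
                 "ssn": "000-33-4444", "account": "4000123400009999"},
}

def make_link_key():
    """Key used to derive pseudonyms. In practice it lives in a separate
    component (key vault or HSM), never next to either store."""
    return secrets.token_bytes(32)

def pseudonym(link_key, identity_id):
    """Deterministic token for one identity; without the key it cannot be
    recomputed from the identity id, so the two stores cannot be joined."""
    return hmac.new(link_key, identity_id.encode(), hashlib.sha256).hexdigest()

def build_stores(link_key, people):
    """Split each record into an identity store (name, city) and a
    confidential store (SSN, account) keyed only by the pseudonym."""
    identity_store, data_store = {}, {}
    for identity_id, rec in people.items():
        identity_store[identity_id] = {"name": rec["name"], "city": rec["city"]}
        data_store[pseudonym(link_key, identity_id)] = {
            "ssn": rec["ssn"], "account": rec["account"]}
    return identity_store, data_store

def lookup_confidential(link_key, data_store, identity_id):
    """Authorized path: the key plus an identity id reach the data."""
    return data_store.get(pseudonym(link_key, identity_id))

def relinkable_without_key(identity_store, data_store):
    """What a holder of both stores (but not the key) can join directly:
    any data_store key that also appears in identity_store. Expected: none."""
    return [token for token in data_store if token in identity_store]
```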
What preventive measures are available?
Implementing rigorous policies and controls
Re-architecting the critical infrastructure and/or applications
Elimination of user IDs and passwords
Use of encryption beyond the network
Questions
Russell Rowe
President
Chief Security Officers
11445 E. Via Linda
Scottsdale, AZ 85259
480-344-2635