HIPAAandCybersecurityBestPracticesandLessonsLearned

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 2

Speakers

MollieMcCammon,RHIA,CHPOutreachSpecialist,AFMCHealthIT

WinnieAlobuia,RHIAHIPAASRASpecialist,AFMCHealthIT

TobyEdwards,CCFE,MSCybersecuritySecurityRiskAssessor,AFMCIT

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 3

TopicsofDiscussion

§ CommonHIPAArisksandvulnerabilitiesandhowtoavoidthem

§ Cybersecurity

§ 2016onsiteriskassessmentresultsandlessonslearned

§ SecurityRiskAnalysis(SRA)– HealthIT services

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 4

ExposedRecordsandDataBreachintheU.S.from2005to2016

Imageviastatista.com https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 5

2017“WallofShame”ListContinuestoGrow– AHIMA

§ BreachesreportedtoHHSOCRfromthebeginningoftheyeartoMarch22include:• 66newreportsaffecting500ormoreindividuals• About440,000individualshavebeenaffectedby2017breachesalone• Over170millionindividualshavebeenaffectedsincebreachreportingbeganin2009

§ Typesofbreaches:• Unauthorizedaccess/disclosure:41%• Hacking/ITincident:27%• Theft:23%• Loss:6%• Improperdisposal:3%

‘WallofShame’ListContinuestoGrow.JournalofAHIMAMay,2017

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 6

CommonHIPAARisksandVulnerabilitiesandHowtoAvoidThem

§ Noticeofprivacypracticesdistribution

§ Lackofriskanalysis

§ Inappropriateuseanddisclosure

§ HIPAAtraininganddocumentation

§ Cybersecurity

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 7

NoticeofPrivacyPracticesDistribution

§ Updateyournoticeofprivacypractices

§ Contentofthenoticeofprivacypractices

§ Followrequirementsfordistributionandposting:• Providetonewpatientsandobtaingoodfaithacknowledgementofreceipt• Makecopiesavailabletopatientsinthewaitingroom• Havecopiesavailableuponrequest• Postinaclearandprominentlocationlikeawaitingroomorcommonarea• Postonwebsiteandelectronicallyavailable

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 8

LackofRiskAnalysis

§ PerformriskanalysisonceayearforMU/ACI,and

§ Ongoingthroughouttheyear,anytimeyouhavechangestoyourbuilding,staffing,hardware,softwareetc.thatcouldeffectthesecurityofyourPHI

§ Documentthefindingsandworktocorrectthedeficiencies

§ Implementandupdatepoliciesandproceduresbasedonthosefindings

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 9

ImpermissibleUsesandDisclosures

§ Employeesaccessingpatientfileswithoutaneedtoknow

§ Thentakingthenextstepandsharingtheinformationwiththewrongpeople

§ Givingrecordstothewrongpatient

§ Socialmedia

§ ReleaseofInformation

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 10

LackofHIPAATraining

§ HIPAA-requiredtraining• newemployeeswhentheystartatyourorganizationshouldbetrainedongeneralHIPAAandHIPAArelevanttothejobdutiestheywillbeperforming

• AnytimeHIPAAisupdatedoryourpoliciesandproceduresareupdated• WhenemployeeschangejobdutiestheyshouldreceiveHIPAAtrainingspecifictotheirnewjob

• Periodictrainingtoexistingstaff• Updatestostaffwhenprivacyandsecurityissuesarise

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 11

HIPAATrainingDocumentation

§ Trainingcanbedoneindifferentformats§ Besureanddocumentthetraining:when,where,who,what§ Keepthisdocumentationforsixyears

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 12

Cybersecurity

§ Databasebreaches

§ Lostorstolendevices

§ Hacking

§ Trainstafftowatchforattacks

HHSOCRinActionforFebruary2017– ReportingandMonitoringCyberThreats

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 13

2016OnsiteRiskAssessmentResultsandLessonsLearned

FacilityAssessments

Performedin2016360

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 14

CommonHIPAADeficiencies,RisksandVulnerabilities

§ Lackofencryption§ Sharinglogincredentials,unattendedcomputersnotlocked,unsecuredwrittenpasswords

§ UnsecuredITequipment§ Outdatedoperatingsystems§ UnsecuredpaperPHI,medicalrecords,X-rays§ PaperPHIandX-raystobedestroyed

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 15

2016OnsiteRiskAssessmentResultsandLessonsLearned

82

224

34

166

160

124

204

PHIDISPOSAL

PHISTORAGE

OUTDATEDOPERATINGSYSTEMS

NETWORKEQUIPMENTSTORAGE

WORKSTATIONACCESSCONTROL

ENCRYPTION

NOTICEOFPRIVACYPRACTICES

0 50 100 150 200 250 300 350

2016OnsiteAssessmentResults

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 16

CommonHIPAADeficiencies,RisksandVulnerabilities

§ Lackofencryption

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 17

CommonHIPAADeficiencies,RisksandVulnerabilities

§ Sharinglogincredentials,unattendedcomputersnotlocked,unsecuredwrittenpasswords

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 18

CommonHIPAADeficiencies,RisksandVulnerabilities

§ UnsecuredITequipment

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 19

CommonHIPAADeficiencies,RisksandVulnerabilities

§ Outdatedoperatingsystems

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 20

CommonHIPAADeficiencies,RisksandVulnerabilities

§ UnsecuredpaperPHI,medicalrecords,X-rays

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 21

CommonHIPAADeficiencies,RisksandVulnerabilities

§ PaperPHIandX-raysto-be-destroyed

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 22

UncommonHIPAADeficiencies,RisksandVulnerabilities

§ VOIPservers§ Homeeditionoperatingsystems§ TransportingPHIinemployeevehicles§ UsingMicrosoftWord

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 23

UncommonHIPAADeficiencies,RisksandVulnerabilities

§ VOIPservers

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 24

UncommonHIPAADeficiencies,RisksandVulnerabilities

§ Homeeditionoperatingsystems

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 25

UncommonHIPAADeficiencies,RisksandVulnerabilities

§ TransportingPHI inemployeevehicles

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 26

UncommonHIPAADeficiencies,RisksandVulnerabilities

§ UsingMicrosoftWord

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 27

TriggersforFollow-upAssessmentsin2017

§ PHI§ Lackofencryption§ UnsecuredITequipment§ Outdatedoperatingsystems

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 28

RoleoftheAssessor

§ Thinklikeathief

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 29

RoleoftheAssessor

§ Wearenot HIPAAauditors!§ HIPAAisnotoptional§ Don’tsugarcoatthings

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 30

SecurityRiskAnalysis(SRA)– HealthITServices

§ MeaningfulUse:ProtectPatientHealthInformation:Conductorreviewasecurityriskanalysisper45CFR164.308(a)(1),includingaddressingthesecurity(toincludeencryption)ofelectronicpersonalhealthinformation(ePHI)createdormaintainedinCEHRTinaccordancewith45CFR164.312(a)(2)(iv)and45CFR164.306(d)(3)

§ HealthITworkswithclinicsandhospitalsacrossthestateonannualSRAstomeetthemeaningfulusemeasure

§ WeprovidetemplateHIPAAsecuritypoliciesthatcanbecustomizedforyourpractice,guidancethroughtheSRAprocessandadditionaltoolstohelpwithHIPAA

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 31

ContactInformation

Ifyouareinterestedintheseservicesorhavequestions,pleasecontactHealthIT HIPAASRAspecialistWinnieAlobuia at:§ (501)212-8785§ walobuia@afmc.org

5/23/17 Copyright©2017AFMC,Inc.AllRightsReserved. 32

References

§ Primeau,Debra."HowSmallOrganizationsHandleHIPAACompliance" JournalofAHIMA88,no.4(April2017):18-21.

§ OCR-SECURITY-LIST@LIST.NIH.GOV§ AFMCHealthITsecurityriskassessors§ JournalofAHIMA,May2017– ‘WallofShame’ListContinuestoGrow.