HIPAA and Cybersecurity Best Practices and Lessons Learned
5/23/17 Copyright © 2017 AFMC, Inc. All Rights Reserved.
Speakers
Mollie McCammon, RHIA, CHP, Outreach Specialist, AFMC HealthIT
Winnie Alobuia, RHIA, HIPAA SRA Specialist, AFMC HealthIT
Toby Edwards, CCFE, MS Cybersecurity, Security Risk Assessor, AFMC IT
Topics of Discussion
§ Common HIPAA risks and vulnerabilities and how to avoid them
§ Cybersecurity
§ 2016 onsite risk assessment results and lessons learned
§ Security Risk Analysis (SRA) – HealthIT services
Exposed Records and Data Breaches in the U.S. from 2005 to 2016
[Chart: image via statista.com, https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/]
2017 "Wall of Shame" List Continues to Grow – AHIMA
§ Breaches reported to HHS OCR from the beginning of the year to March 22 include:
• 66 new reports affecting 500 or more individuals
• About 440,000 individuals have been affected by 2017 breaches alone
• Over 170 million individuals have been affected since breach reporting began in 2009
§ Types of breaches:
• Unauthorized access/disclosure: 41%
• Hacking/IT incident: 27%
• Theft: 23%
• Loss: 6%
• Improper disposal: 3%
'Wall of Shame' List Continues to Grow. Journal of AHIMA, May 2017
Common HIPAA Risks and Vulnerabilities and How to Avoid Them
§ Notice of privacy practices distribution
§ Lack of risk analysis
§ Inappropriate use and disclosure
§ HIPAA training and documentation
§ Cybersecurity
Notice of Privacy Practices Distribution
§ Update your notice of privacy practices
§ Content of the notice of privacy practices
§ Follow requirements for distribution and posting:
• Provide to new patients and obtain good-faith acknowledgement of receipt
• Make copies available to patients in the waiting room
• Have copies available upon request
• Post in a clear and prominent location like a waiting room or common area
• Post on website and make electronically available
Lack of Risk Analysis
§ Perform a risk analysis once a year for MU/ACI (Meaningful Use / Advancing Care Information), and
§ Ongoing throughout the year, any time you have changes to your building, staffing, hardware, software, etc. that could affect the security of your PHI
§ Document the findings and work to correct the deficiencies
§ Implement and update policies and procedures based on those findings
Impermissible Uses and Disclosures
§ Employees accessing patient files without a need to know
§ Then taking the next step and sharing the information with the wrong people
§ Giving records to the wrong patient
§ Social media
§ Release of information
Lack of HIPAA Training
§ HIPAA-required training:
• New employees, when they start at your organization, should be trained on general HIPAA and on HIPAA relevant to the job duties they will be performing
• Any time HIPAA is updated or your policies and procedures are updated
• When employees change job duties they should receive HIPAA training specific to their new job
• Periodic training to existing staff
• Updates to staff when privacy and security issues arise
HIPAA Training Documentation
§ Training can be done in different formats
§ Be sure to document the training: when, where, who, what
§ Keep this documentation for six years
Cybersecurity
§ Database breaches
§ Lost or stolen devices
§ Hacking
§ Train staff to watch for attacks
HHS OCR in Action for February 2017 – Reporting and Monitoring Cyber Threats
2016 Onsite Risk Assessment Results and Lessons Learned
Facility assessments performed in 2016: 360
Common HIPAA Deficiencies, Risks and Vulnerabilities
§ Lack of encryption
§ Sharing login credentials, unattended computers not locked, unsecured written passwords
§ Unsecured IT equipment
§ Outdated operating systems
§ Unsecured paper PHI, medical records, X-rays
§ Paper PHI and X-rays to be destroyed
2016 Onsite Risk Assessment Results and Lessons Learned
[Bar chart, "2016 Onsite Assessment Results": number of findings per category (axis 0 to 350). Categories shown: PHI disposal, PHI storage, outdated operating systems, network equipment storage, workstation access control, encryption, notice of privacy practices. Bar values shown on the chart: 82, 224, 34, 166, 160, 124, 204.]
Uncommon HIPAA Deficiencies, Risks and Vulnerabilities
§ VOIP servers
§ Home edition operating systems
§ Transporting PHI in employee vehicles
§ Using Microsoft Word
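As an added example, not part of the AFMC presentation: a PowerShell spot-check an assessor could run on one Windows workstation to test for several of the findings above (outdated or home-edition operating system, unencrypted disks, unattended sessions that never lock, and shared or blank-password local accounts). The build-number floor, the 15-minute lock threshold and the generic-account-name pattern are assumptions to be adjusted to the practice's own policy.

```powershell
# Added example (not from the AFMC presentation): spot-check one Windows workstation
# for the on-site findings listed above. Run in an elevated PowerShell session.
# The threshold values below are illustrative policy assumptions, not HIPAA requirements.
$MinimumBuild   = 7601   # assumption: Windows 7 SP1 build; raise to the oldest build your vendor still patches
$MaxLockSeconds = 900    # assumption: idle sessions must lock within 15 minutes

$findings = New-Object System.Collections.Generic.List[string]

# --- Outdated operating system / home edition ---
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ([int]$os.BuildNumber -lt $MinimumBuild) {
    $findings.Add("OUTDATED OS: $($os.Caption) build $($os.BuildNumber) is below the supported minimum")
}
if ($os.Caption -match 'Home') {
    # Home editions cannot join a domain or receive Group Policy, so centrally enforced
    # lock-out, audit and password settings never reach them.
    $findings.Add("HOME EDITION: $($os.Caption) cannot be domain-joined or managed by Group Policy")
}

# --- Lack of encryption (local volumes) ---
# Get-BitLockerVolume ships with the BitLocker feature; it is absent on Home editions.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add("NO ENCRYPTION: volume $($vol.MountPoint) BitLocker protection is $($vol.ProtectionStatus) ($($vol.VolumeStatus))")
        }
    }
} else {
    $findings.Add("NO ENCRYPTION: BitLocker is not available on this system; PHI on local disks is exposed if the device is lost or stolen")
}

# --- Workstation access control: will an unattended session lock itself? ---
# Two places an auto-lock can be configured: the per-user screen saver keys and the
# machine-wide InactivityTimeoutSecs policy ("Interactive logon: Machine inactivity limit").
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$sys  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$saverSecure  = [string]$desk.ScreenSaverIsSecure -eq '1'
$saverTimeout = if ($desk.ScreenSaveTimeOut) { [int]$desk.ScreenSaveTimeOut } else { 0 }
$inactivity   = if ($sys.InactivityTimeoutSecs) { [int]$sys.InactivityTimeoutSecs } else { 0 }

$locksInTime = (
    ($inactivity -gt 0 -and $inactivity -le $MaxLockSeconds) -or
    ($saverSecure -and $saverTimeout -gt 0 -and $saverTimeout -le $MaxLockSeconds)
)
if (-not $locksInTime) {
    $findings.Add("NO AUTO-LOCK: screen saver secure=$saverSecure timeout=${saverTimeout}s, machine inactivity limit=${inactivity}s")
}

# --- Shared or weak local logins ---
# A shared "front desk" account or a blank password defeats the per-user audit trail.
# The name pattern is an assumption; extend it with the generic account names you see on site.
$genericNames = 'nurse|frontdesk|reception|clinic|shared|temp'
foreach ($u in Get-LocalUser | Where-Object Enabled) {
    if (-not $u.PasswordRequired) {
        $findings.Add("BLANK PASSWORD: local account '$($u.Name)' does not require a password")
    }
    if ($u.Name -match $genericNames) {
        $findings.Add("POSSIBLE SHARED LOGIN: local account '$($u.Name)' is not tied to an individual; verify it is not shared")
    }
}

if ($findings.Count -eq 0) { 'No findings on this workstation' } else { $findings }
```

Each finding line maps to one of the assessment categories on the slides, so the output can be pasted straight into the site's SRA documentation. The script reports but does not remediate; turning on BitLocker, raising the build or setting the lock policy is the practice's decision to document.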
Triggers for Follow-up Assessments in 2017
§ PHI
§ Lack of encryption
§ Unsecured IT equipment
§ Outdated operating systems
Role of the Assessor
§ Think like a thief
§ We are not HIPAA auditors!
§ HIPAA is not optional
§ Don't sugarcoat things
Security Risk Analysis (SRA) – HealthIT Services
§ Meaningful Use: Protect Patient Health Information: Conduct or review a security risk analysis per 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of electronic protected health information (ePHI) created or maintained in CEHRT in accordance with 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3)
§ HealthIT works with clinics and hospitals across the state on annual SRAs to meet the meaningful use measure
§ We provide template HIPAA security policies that can be customized for your practice, guidance through the SRA process and additional tools to help with HIPAA
Contact Information
If you are interested in these services or have questions, please contact HealthIT HIPAA SRA specialist Winnie Alobuia at:
§ (501) 212-8785
§ [email protected]
References
§ Primeau, Debra. "How Small Organizations Handle HIPAA Compliance." Journal of AHIMA 88, no. 4 (April 2017): 18–21.
§ [email protected]
§ AFMC HealthIT security risk assessors
§ Journal of AHIMA, May 2017 – 'Wall of Shame' List Continues to Grow.