Privacy & Information Security Management Briefing

Report
HIPAA
Privacy and Information Security
Management Briefing
Karen Pagliaro-Meyer
Soumitra Sengupta
Privacy Officer
Information Security Officer
[email protected]
[email protected]
(212) 305-7315
(212) 305-7035
Tuesday, June 14, 2011
Agenda
Privacy
Recent Cases reported –Office for Civil Rights
HITECH Update
Potential Areas of Risk
Information Security
Breach Details
Risk Assessments
Common Security Controls
HITECH = HIPAA Act II
and this time we really mean it!
3
4
5
6
7
HITECH Update
• Breach Notification
– As reported by the Office for Civil Rights
– At CUMC
• Business Associate Agreements
– New proposed regulations
• Accounting of Disclosures
– New Regulations Issued Friday May 28, 2011
8
9
10
11
12
HITECH Breach Notification at CUMC
• One case reported involved over 500 records
required immediate disclosure to the Office for
Civil Rights, patient notification and other
corrective actions
• Additional cases (< 500) requiring annual
disclosure in 2010
– Lost/stolen unencrypted laptop (s)
– Unauthorized use or disclosure of medical information
– Patient information available on the internet
13
In Response to Breach Reports
• New CUMC Policy on system registration and
system risk assessment
• New Breach risk assessment tool to determine
if notification is required
• New Confidentiality Agreement for staff
• Increased education and staff communication
regarding risk areas for breach
• Use of new controls to prevent breaches
14
Business Associates
OCR issued a Proposed Rule
- NPRM Published July 14, 2010
HIPAA civil and criminal enforcement and penalties
apply directly to BAs (and to subcontractors) in
addition to contractual liability
– Final Rule expected in 3rd quarter 2011
15
Business Associates
• NPRM modifies BA definition under HIPAA
Privacy & Security Rules and clarifies when a
BA relationship exists
• New duties for Business Associate in NPRM
- BAA must directly comply with all HIPAA
Security Rule administrative, physical, &
technical safeguards & documentation
requirements
16
HITECH & Business Associates
• Additional parties added to definition of “BA”
– E prescribing gateways
– Vendors that offer personal health records to
patients on behalf of a covered entity
– Organizations that provide data transmission
services and that require routine access to PHI
including health information organizations
– Regional and State Health Information Exchanges
17
18
Accounting of Disclosures
• Patient has the right to receive a report of workforce
members that accessed, used or disclosed
information from their “designated record set”
including medical and billing records for up to a 3
year period
• Includes Business Associates access of the
designated record set !
• Must include date, time, name of individual and if
available the reason for access
• Response must be provided within 30 days to the
patient
• 60 day comment period – August 2011
• Effective Compliance Date 1/1/2013 or 1/1/2014
19
20
21
Additional Proposed HITECH Regulations
• Patient Right to Request restrictions on disclosures to
Insurance Companies
– CE Must agree to a restriction on disclosure to a insurance
company if the patient paid out of pocket in full
• HITECH and Fundraising Disclosures
– Clear and conspicuous opportunity to opt out
– Recommend language changes for Notice of Privacy
Practices and statement on fundraising communications
22
Privacy / Medical Record Management
• ERH = Availability of all medical info to all staff
• Medical information sent is not consistent with the
authorization signed by patient.
• Medical information sent to wrong person
• Medical information mailed to wrong address
• Medical information given to wrong person
• Management of medical records of departing faculty
23
Next Steps / Areas of Risk
•
•
•
•
•
•
Business Associates
Staff education
Medical Record Management
Security of Devices with medical information
Social Media Policy Development
Guidance for removing paper documents with
protected health information from CUMC
- taking work home or transporting to other
locations
24
25
26
27
Incidents and breaches
• Departmental files on NOAA
• Departmental computer in Albany
• Use of Google calendar (Two clinical
departments)
• Lost Blackberry of an administrator
28
Departmental files on NOAA
• Pre-HIPAA activity
• A physician, leaving CUMC in 2005, wanted to
copy electronic copies of journal articles
• Relative copied a folder to NOAA public FTP site
• Folder contained clinical reports
• In 2011, a patient, searching on self, found the
files and issued a complaint
• HIPAA breach reported to the OCR
29
Departmental Computer in Albany
• Pre-HIPAA activity
• In 2004-2005, a division moved location, and
purchased new Macintosh desktops
• An old desktop was picked up in Albany curbside in
2011. Computer person looking through the content
contacted CUMC
• Desktop was that of the divisional administrator, and
one particular file had grant investigator information,
including SSN
• Significant faculty of CUMC were listed
• Reported to State attorney general’s office
30
Use of Google Calendar
•
•
•
•
•
Use of Google calendar to schedule patients
Care schedule, as well as, research schedule
Patient name or ID or Initials
Location or Clinic name or Physician name
Google agreement permits Google to read and analyze
content and use it for whatever they deem appropriate
• Google will not sign Business Associate Agreement
• All non-institutional storage (DropBox, Wikis, Blogs,
Calendars, Emails) without encryption and/or BAA have
the same risks
31
Lost Blackberry
• Loss or theft of a blackberry, did not have password
• Billing administrator communicated PHI using email for
billing verification
• Blackberry remained silent for a while, and then it did
come back up, and was wiped
• Lack of password meant Blackberry encryption was
useless as a protection
• Identify patients by going through emails on the server
• Reported as breach to OCR
32
33
CUMC Risk Assessment
Program Objective
• To assess the information security fitness of
CUMC’s systems and advance our collective
compliance posture for HIPAA & HITECH
• AKA Certification Program
• Identified 265 systems that use Protected
Healthcare Information (PHI) and or
Personally Identifiable Information (PII)
• 185 have been evaluated so far
34
Execution
• The Information Security group is executing
the program in departmental groups
• We have certifications in progress with 19
academic and administrative departments,
schools, and centers
• Results are discussed with the Chair or Head
of the department by the COO of CUMC
• Progress and results are reported to the Audit
committee of the Columbia University Board
35
What is Risk Assessment or
Certification?
• HITRUST Alliance, LLC provided us with a
control list to use in the assessments
• We also included questions from the previous
2003 HIPAA questionnaire
• We perform vulnerability management scans:
– Infrastructure
– Web applications
• We review basic architecture, physical
security, etc.
36
Sample Questions
1. Do you host PHI or PII?
2. Is your server in a locked room accessible via a
badge reader?
3. Does one person control every aspect of your
system?
4. Does your system publish any information to the
Internet?
5. Does your system require authentication?
6. Do you have audit logs?
37
The Process
Discovery
NYPH
Interfaces
Clinical Data
Warehouse
System
Inventory
2007 HIPAA
Inventory
Assess
Interview
Sponsors
Interview
System
Custodians
Vulnerability
Scans
Report
Identify
Risks
Develop
Impact
Make
Recommendations
38
Report Outcomes
PASS
• Your system is protected
with adequate system
controls
• Security will return in one
year’s time to perform a
new assessment
REMEDIATION
• Your system has risks to be
corrected
• Implement the
recommendations within 90
days or sunset the system
• Security will return in one
year’s time to perform a
new assessment after
remediation
39
40
Program Summary
• The program is changing IT security operations in the
departments at CUMC
• Many defunct systems have been decommissioned
• Risks are dealt with based on severity
• CUMC IT has developed a security solutions catalog
• Systems are being remediated
• Senior leaders are engaged in the compliance process
• Current inventory will be assessed by Nov. 1st, 2011
• Departments are responsible for annual risk assessment
• The program is being incorporated into standard business
practice at CUMC
41
CUMC Privacy and Security Initiatives
Management Controls
Technical Controls
• System Registration and Certification
Policy
• established May 13, 2011
• Notices sent to all Deans, Chairs
and Department Administrators
• Published in DA Manual
• Training and Awareness Events
• New employee orientation
• Online training for faculty
• New student orientation
• HIPAA training in CUMC schools’
curriculum
• Annual Privacy and Information
Security Management Briefing
• Information bulletins
• Data Loss Prevention - Scan CUMC
websites for the presence of patient
data and SSNs
• Anti Virus - Monitoring PC system
health for n systems with Symantec
Central AV Server.
• Vulnerability Management - Scanning
CUMC IT hosts for missing patches
and configuration errors
• Bluecoat Internet Proxy - Limit
Internet use to safe sites
• Bradford Network Access Control Register and scan student devices
• CUMC IT managed Smart Phones Enforce strong password
• Email forwarding and DLP on Email
42
Control – coming this year
http://www.cumc.columbia.edu/hipaa/
43
Information Security & Privacy
Management Briefing
44

similar documents