HIPAA security risk assessments
Download as PPT, PDF4 likes2,952 views
This document outlines the importance of HIPAA security risk assessments for covered entities, emphasizing compliance with the final HIPAA omnibus rule, which requires risk assessments to avoid significant fines. It details various safeguards, including administrative, physical, and technical measures, and outlines procedures for risk management, incident response, and employee training to protect electronic protected health information (ePHI). Additionally, it highlights the necessity for continuous monitoring and documentation to ensure adherence to HIPAA regulations.
![Risk Management
§ 164.308(a)(1)(ii)(B)
"“[i]mplement security measures sufficient to reduce risks and vulnerabilities to
a reasonable and appropriate level to comply with 164.306(a) [(the General
Requirements of the Security Rule)].”
• Develop and implement a risk management plan.
• Implement security measures.
• Evaluate and maintain security measures.](https://image.slidesharecdn.com/hipaasecurityriskassessments-140422065959-phpapp02/85/HIPAA-security-risk-assessments-15-320.jpg)
![Administrative Safeguards
Security Management Process 164.308(a)(
1)
Risk Analysis (R)
Risk Management
(R)
Sanction Policy (R)
Information System
Activity Review (R)
Assigned Security Responsibility 164.308(a)(
2)
[None]
Workforce Security 164.308(a)(
3)
Authorization and/or Supervision (A)
Workforce Clearance Procedure (A)
Termination Procedures (A)
Information Access Management 164.308(A)
(4)
Isolating Health Care Clearinghouse
Function (R)
Access Authorization (A)
Access Establishment and Modification (A)
Security Awareness and Training 164.308(a)(
5)
Security Reminders (A)
Protection from Malicious Software (A)
Log-in Monitoring (A)
Password Management (A)](https://image.slidesharecdn.com/hipaasecurityriskassessments-140422065959-phpapp02/85/HIPAA-security-risk-assessments-21-320.jpg)
![Administrative Safeguards
Continuation
Security Incident Procedures 164.308(a)(6) Response and Reporting (R)
Contingency Plan 164.308(a)(7) Data Backup Plan (R)
Disaster Recovery Plan (R)
Emergency Mode Operation Plan (R)
Testing and Revision Procedure (A)
Applications and Data Criticality Analysis A)
Evaluation 164.308(a)(8) [None]
Business Associate Contracts and
Other Arrangements
164.308(b)(1) Written Contract or Other Arrangement (R)](https://image.slidesharecdn.com/hipaasecurityriskassessments-140422065959-phpapp02/85/HIPAA-security-risk-assessments-22-320.jpg)
![Physical Safeguards
Facility Access Controls 164.310(a)(1) Contingency Operations (A)
Facility Security Plan (A)
Access Control and Validation Procedures (A)
Maintenance Records (A)
Workstation Use 164.310(b) [None]
Workstation Security 164.310(c) [None]
Device and Media Controls 164.310(D)(1) Disposal (R)
Media Re-use (R)
Accountability (A)
Data Backup and Storage (A)](https://image.slidesharecdn.com/hipaasecurityriskassessments-140422065959-phpapp02/85/HIPAA-security-risk-assessments-32-320.jpg)
![Technical Safeguards
Access Control 164.312(a)
(1)
Unique User Identification
(R)
Emergency Access
Procedure (R)
Automatic Logoff (A)
Encryption and
Decryption (A)
Audit Controls 164.312(b) [None]
Integrity 164.312(c)
(1)
Mechanism to Authenticate Electronic Protected
Health Information (A)
Person or Entity
Authentication
164.312(d) [None]
Transmission Security 164.312(e)
(1)
Integrity Controls (A) Encryption (A)](https://image.slidesharecdn.com/hipaasecurityriskassessments-140422065959-phpapp02/85/HIPAA-security-risk-assessments-34-320.jpg)
HIPAA security risk assessments
- 1. HIPAA Security Risk Assessment Dr. Jose I. Delgado Dr. Jose I. Delgado
- 2. Introduction • HIPAA Background – Privacy – Security • Risk Assessment • Risk Management – Omnibus Rule • Meaningful Use
- 3. Must Know • Every Covered Entity (CE) must identify a HIPAA Security Officer • Every CE entity must be in compliance with the final HIPAA Omnibus Rule • Every CE must have a Risk Assessment Completed with all components covered • A covered entity can be fined $1,000 to $50,000 per patient record up to $1,500,000 if patient records are breached
- 4. HIPAA Audits • Audits will be conducted by Office for Civil Rights instead of contractor • Number of audits to increase • Monies collected to be used to fund further audits • Audits to include Covered Entities and Business Associates • 2014 first time a Government Entity was fined
- 5. Meaningful Use • Ties HIPAA Security to Attestation • Fraud charges possibility based on answers • Part of Meaningful Use and Records Review Audits
- 6. HIPAA
- 7. Title II – Administrative Simplification
- 8. Security Categories Administrative safeguards Physical safeguards Technical safeguards
- 9. Basic Concepts Scalability – flexibility to adopt implementing measures appropriate to their situation. “Required” and “Addressable” Under no conditions should any covered entity considered addressable specifications as optional requirements.
- 10. Risk Analysis CFR 164.308(a)(1) "Conduct accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity." • Perform Risk Assessment • Formalized/Document Risk Assessment Process • Update Risk Assessment Process • Address all potential areas of risk
- 11. Risk Analysis • Gap/risk assessment – Audit of security based on HIPAA Security Components – Document findings on all areas – Use initial analysis as baseline – Base Security Management on findings
- 12. Resources • HHS Security Risk Assessment Tool – http://www.healthit.gov/providers- professionals/security-risk-assessment • Taino Consultants Compliance Tool – Forms – Policies – Security Reminders – Monthly instructions
- 13. Security Risk Assessment HIPAA Meets Requirem ent Not Review of Current Procedure Citation Guidelines for Policy Yes No Reqd . Person Responsible Task 1 Identify Relevant Information System - Has all hardware and software for which the organization is responsible been identified? - Is the current information system configuration documented, including connections to other systems? - Have the types of information and uses of that information been identified and the sensitivity of each type of information been evaluated? §164.30 8 (a)(1) - Identify all information systems that house individually identifiable health information. - Include all hardware and software that are used to collect, store, process, or transmit protected health information. - Analyze business functions and verify ownership and control of information system elements as necessary.
- 14. Security Risk Report Sample Risk Analysis
- 15. Risk Management § 164.308(a)(1)(ii)(B) "“[i]mplement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a) [(the General Requirements of the Security Rule)].” • Develop and implement a risk management plan. • Implement security measures. • Evaluate and maintain security measures.
- 16. Policies • Live Documents • Review as needed • Document reviews and updates • Having policies alone will not suffice
- 17. Forms/Documentation • Not Required • Useful to document actions • Prevents adding too much information “Anything you say can be used against you”
- 18. Training • Initial Training • Security Reminders • Annual Training
- 19. Monthly Actions • Easier to keep track • Easier to document • Easier to manage
- 20. Administrative Safeguards • Security management process (CFR §164.308(a)(1)): Prevent, detect, contain, and correct security violations • Assigned security responsibility (CFR §164.308(a)(2)) • Workforce security (CFR §164.308(a)(3)): Employees and access to EPHI. • Information access management (CFR §164.308(a)(4)): ePHI access. • Security awareness and training (CFR §164.308(a)(5)) • Security incident procedures (CFR §164.308(a)(6)) • Contingency plan (CFR §164.308(a)(7)) • Evaluation (CFR §164.308(a)(8)): Periodic evaluations. • Business associate contracts and other arrangements (CFR §164.308(b)(1))
- 21. Administrative Safeguards Security Management Process 164.308(a)( 1) Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R) Assigned Security Responsibility 164.308(a)( 2) [None] Workforce Security 164.308(a)( 3) Authorization and/or Supervision (A) Workforce Clearance Procedure (A) Termination Procedures (A) Information Access Management 164.308(A) (4) Isolating Health Care Clearinghouse Function (R) Access Authorization (A) Access Establishment and Modification (A) Security Awareness and Training 164.308(a)( 5) Security Reminders (A) Protection from Malicious Software (A) Log-in Monitoring (A) Password Management (A)
- 22. Administrative Safeguards Continuation Security Incident Procedures 164.308(a)(6) Response and Reporting (R) Contingency Plan 164.308(a)(7) Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operation Plan (R) Testing and Revision Procedure (A) Applications and Data Criticality Analysis A) Evaluation 164.308(a)(8) [None] Business Associate Contracts and Other Arrangements 164.308(b)(1) Written Contract or Other Arrangement (R)
- 23. Sanction Policy CFR 164.308(a)(1) • Every covered entity must "have and apply appropriate sanctions against members of its workforce who fail to comply”. • Any system of penalties should be reasonable in relation to the violations to which they apply, particularly with regard to deterrence.
- 24. System Activity Review “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” • What are the audit and activity review functions of the current information systems? • Are the information systems functions adequately used and monitored to promote continual awareness of information system activity? • What logs or reports are generated by the information systems? • Is there a policy that establishes what reviews will be conducted? • Is there a procedure that describes specifics of the reviews?
- 25. Assigned Security Responsibility The HIPAA Security Officer is responsible for: • Understanding the HIPAA Security Rule and how it applies. • Developing appropriate policies and procedures. • Overseeing the security of EPHI. • Monitoring each Covered Component for compliance. • Identifying and evaluating threats. • Responding to actual or suspected breaches.
- 26. AUTHORIZATION AND/OR SUPERVISION §164.308(a)(3)(ii)(A) “Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.” • Detailed job descriptions with level of access to EPHI? • Policy that identifies the authority to determine who can access EPHI
- 27. Security Reminders CFR 164.308(a)(5) Security reminders are just tidbits of information given to employees of covered entities throughout the year. Recommendations: Bulletin board in the break room or main office is a start. “org chart” showing who is in charge of HIPAA Emergency contact phone numbers HIPAA Breach checklist Changing HIPAA security reminders Use e-mail to sent security reminders
- 28. Protection from Malicious Software “Procedures for guarding against, detecting, and reporting malicious software.” • Policies covering antivirus protection • Software used against malicious software • Updates and logs • Employee training
- 29. Log-in Monitoring CFR 164.308(a)(5) Procedures for monitoring log-in attempts and reporting discrepancies. • Identify multiple unsuccessful attempts to log-in. • Record attempts in a log or audit trail. • Resetting of a password after a specified number of unsuccessful log- in attempts.
- 30. Contingency Plans 164.308(a)(7) • Data Backup Plan • Disaster recovery plan • Emergency Mode Operation Plan • Testing and Revision Procedure • Applications and Data Criticality Analysis: procedures for assessing the criticality of applications and systems.
- 31. Physical Safeguards • Facility access controls: limit physical access to systems. • Workstation use: specify the proper workstation functions. • Workstation security: limit access to only authorized users. • Device and media controls: receipt and removal of hardware and electronic media.
- 32. Physical Safeguards Facility Access Controls 164.310(a)(1) Contingency Operations (A) Facility Security Plan (A) Access Control and Validation Procedures (A) Maintenance Records (A) Workstation Use 164.310(b) [None] Workstation Security 164.310(c) [None] Device and Media Controls 164.310(D)(1) Disposal (R) Media Re-use (R) Accountability (A) Data Backup and Storage (A)
- 33. Technical Safeguards • Access control: Implementing policies and procedures for electronic information systems that contain EPHI to only allow access to persons or software programs that have appropriate access rights. • Audit controls: Implementing hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use EPHI. • Integrity: Implementing policies and procedures to protect EPHI from improper modification or destruction. • Person or entity authentication: Implementing procedures to verify that persons or entities seeking access to EPHI are who or what they claim to be. • Transmission security: Implementing security measures to prevent unauthorized access to EPHI that is being transmitted over an electronic communications network.
- 34. Technical Safeguards Access Control 164.312(a) (1) Unique User Identification (R) Emergency Access Procedure (R) Automatic Logoff (A) Encryption and Decryption (A) Audit Controls 164.312(b) [None] Integrity 164.312(c) (1) Mechanism to Authenticate Electronic Protected Health Information (A) Person or Entity Authentication 164.312(d) [None] Transmission Security 164.312(e) (1) Integrity Controls (A) Encryption (A)
- 35. Key Items to Remember • Policies and Procedures not enough • Documentation is key – Evidence book • Follow the steps – Risk Assessment – Risk Management – Training ACT NOW!!
- 36. Dr. Jose I Delgado Tel 904-794-7830 DrDelgado@Tainoconsultants.com www.tainoconsultants.com
Editor's Notes
- #5: Covered entity audits in 2015 will focus on issues including computing device and storage media security controls, transmission security, and HIPAA safeguards such as procedures and staff training. The focus in 2016 will include physical access, encryption, decryption and other issues, according to the article. OCR recently levied its first fine against a local government for HIPAA non-compliance. Skagit County in Washington state was ordered to pay $215,000 for failing to act after a hospital's September 2011 self-reported breach compromised the electronic protected health information of close to 1,600 people served by the public health department.
- #7: The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104-191, 110 Stat. 1936, enacted August 21, 1996) was enacted by the United States Congress and signed by President Bill Clinton in 1996. It was sponsored by Sen. Nancy Kassebaum (R-Kan.). Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers
- #8: To improve the effectiveness and efficiency of the nation’s healthcare system, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 includes a series of “administrative simplification” provisions requiring HHS to adopt national standards for electronic healthcare transactions. By ensuring consistency throughout the industry, the national standards will make it easier for health care organizations to process transactions electronically. The law also requires the adoption of privacy and security standards in order to protect individually identifiable health information. HIPAA requires that “covered entities” e.g. health plans, healthcare clearinghouses, and those healthcare providers conducting electronic financial and administrative transactions (such as eligibility, referral authorizations, and claims) comply with each set of standards. Other businesses may choose to comply with the standards, but the law does not mandate that they do so.
- #9: Administrative safeguards: Administrative functions that should be implemented to meet the security standards. These include assignment or delegation of security responsibility to an individual and security training requirements. Physical safeguards: Mechanisms required to protect electronic systems, equipment and the data they hold, from threats, environmental hazards and unauthorized intrusion. They include restricting access to EPHI and retaining off site computer backups. Technical safeguards: Automated processes used to protect data and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that EPHI, or encrypting and decrypting data as it is being stored and/or transmitted.
- #11: CEs did not perform a risk assessment; CEs did not have a formalized, documented risk assessment process; CEs had outdated risk assessments; and, CEs did not address all potential areas of risk.
- #16: Develop and Implement a Risk Management Plan The first step in the risk management process should be to develop and implement a risk management plan. The purpose of a risk management plan is to provide structure for the covered entity’s evaluation, prioritization, and implementation of risk-reducing security measures. For the risk management plan to be successful, key members of the covered entity’s workforce, including senior management and other key decision makers, must be involved. The outputs of the risk analysis process will provide these key workforce members with the information needed to make risk prioritization and mitigation decisions. The risk prioritization and mitigation decisions will be determined by answering questions such as: Should certain risks be addressed immediately or in the future? Which security measures should be implemented? Many of the answers to these questions will be determined using data gathered during the risk analysis. The entity has already identified, through that process, what vulnerabilities exist, when and how a vulnerability can be exploited by a threat, and what the impact of the risk could be to the organization. This data will allow the covered entity to make informed decisions on how to reduce risks to reasonable and appropriate levels. An important component of the risk management plan is the plan for implementation of the selected security measures. The implementation component of the plan should address: Risks (threat and vulnerability combinations) being addressed; Security measures selected to reduce the risks; Implementation project priorities, such as: required resources; assigned responsibilities; start and completion dates; and maintenance requirements. The implementation component of the risk management plan may vary based on the circumstances of the covered entity. Compliance with the Security Rule requires financial resources, management commitment, and the workforce involvement. Cost is one of the factors a covered entity must consider when determining security measures to implement. However, cost alone is not a valid reason for choosing not to implement security measures that are reasonable and appropriate. The output of this step is a risk management plan that contains prioritized risks to the covered entity, options for mitigation of those risks, and a plan for implementation. The plan will guide the covered entity’s actual implementation of security measures to reduce risks to EPHI to reasonable and appropriate levels. 2. Implement Security Measures Once the risk management plan is developed, the covered entity must begin implementation. This step will focus on the actual implementation of security measures (both technical and non-technical) within the covered entity. The projects or activities to implement security measures should be performed in a manner similar to other projects, i.e., these projects or activities should each have an identified scope, timeline and budget. Covered entities may also want to consider the benefits, if any, of implementing security measures as part of another existing project, such as implementation of a new information system. A covered entity may choose to use internal or external resources to perform these projects. The Security Rule does not require or prohibit either method. It is important to note that, even if it uses outside vendors to implement the security measures selected, the covered entity is responsible for its compliance with the Security Rule. 3. Evaluate and Maintain Security Measures The final step in the risk management process is to continue evaluating and monitoring the risk mitigation measures implemented. Risk analysis and risk management are not one-time activities. Risk analysis and risk management are ongoing, dynamic processes that must be periodically reviewed and updated in response to changes in the environment. The risk analysis will identify new risks or update existing risk levels resulting from environmental or operational changes. The output of the updated risk analysis will be an input to the risk management processes to reduce newly identified or updated risk levels to reasonable and appropriate levels.
- #21: Security management process (CFR §164.308(a)(1)): Implementing policies and procedures to prevent, detect, contain, and correct security violations. Assigned security responsibility (CFR §164.308(a)(2)): A single individual must be designated as having overall responsibility for the security of a Covered Entity's (CE) Electronic Patient Health Information (EPHI). Workforce security (CFR §164.308(a)(3)): Implementing policies and procedures to ensure that employees have only appropriate access to EPHI. Information access management (CFR §164.308(a)(4)): Implementing policies and procedures for authorizing access to EPHI. Security awareness and training (CFR §164.308(a)(5)): Implementing a security awareness and training program for a CE's entire workforce. Security incident procedures (CFR §164.308(a)(6)): Implementing policies and procedures to handle security incidents. Contingency plan (CFR §164.308(a)(7)): Implementing policies and procedures for responding to an emergency or other occurrence that damages systems containing EPHI. Evaluation (CFR §164.308(a)(8)): Performing periodic technical and non-technical evaluations that determine the extent to which a CE's security policies and procedures meet the ongoing requirements of the Security Rule. Business associate contracts and other arrangements (CFR §164.308(b)(1)): A CE may permit a business associate to create, receive, maintain, or transmit EPHI on the CE's behalf only if the CE has satisfactory assurance that the business associate will appropriately safeguard the data.
- #26: The HIPAA Security Officer is responsible for: Understanding the HIPAA Security Rule and how it applies within each Covered Component. Developing appropriate policies and procedures to comply with the HIPAA Security Rule Overseeing the security of EPHI within each Covered Component. Monitoring each Covered Component for compliance with EPHI security policies and procedures. Identifying and evaluating threats to the confidentiality and integrity of EPHI. Responding to actual or suspected breaches in the confidentiality or integrity of EPHI.
- #28: Security reminders are just that, a refresh of the annual HIPAA awareness training