Www.lbmc.com HITRUST, HIPAA, & HITECH TURNING COMPLIANCE INTO COMPETITIVE ADVANTAGE Mark Fulford,...

Post on 15-Dec-2015


www.lbmc.com

HITRUST, HIPAA, & HITECH

TURNING COMPLIANCE INTO COMPETITIVE ADVANTAGE

Mark Fulford, Partner
Thomas Lewis, Partner

LBMC Risk Services


Welcome and Presentation Topics

• Why you should care
• HIPAA & HITECH - update on new regulation
• Insight into the HITRUST Common Security Framework
• How independent assurance can result in fewer audits and a competitive advantage for your organization
• How LBMC can help


90% of organizations have experienced a computer security incident in the last 12 months.

Cybercrime statistics from 12th Annual Computer Crime and Security Survey


71% of organizations have no external insurance coverage to cover losses from computer security incidents.

Cybercrime statistics from 12th Annual Computer Crime and Security Survey


$1B in cybercrime profits, which have surpassed those of drug smuggling in a year.

Cybercrime statistics from 12th Annual Computer Crime and Security Survey


$234,244 annual average loss due to security incidents per respondent.

Cybercrime statistics from 2009 CSI Computer Crime and Security Survey


What is HIPAA?


What is HITECH?

The HITECH Act is legislation that anticipates a massive expansion in the exchange of electronic protected health information (ePHI). As part of the American Recovery and Reinvestment Act of 2009, the HITECH Act widens the scope of privacy and security protections available under HIPAA; increases potential legal liability for non-compliance; and provides more enforcement of HIPAA rules.


What is HITECH?

• Extends HIPAA directly to Business Associates

• Establishes the first national data security breach notification law (500 or more records is nasty)

• Grants State AGs authority to bring civil actions


What is HITECH?

• HITECH authorizes increased civil monetary penalties for HIPAA violations. The Act establishes tiers of penalties based upon: whether or not a covered entity (including physicians) knew of a breach of privacy; whether the breach was due to reasonable cause and not willful neglect; or whether the breach was due to willful neglect.

• The tiers of penalties are as follows:
  – $100/violation, not to exceed $25,000/calendar year.
  – $1,000/violation, not to exceed $100,000/calendar year.
  – $10,000/violation, not to exceed $250,000/calendar year.
  – $50,000/violation, not to exceed $1,500,000/calendar year.


What is HITRUST?

• The Health Information Trust Alliance (HITRUST) has been created to establish a common security framework that will allow for more effective and secure access, storage and exchange of personal health information. HITRUST is bringing together a broad array of healthcare organizations and stakeholders, who are united by the core belief that standardizing a higher level of security will build greater trust in the electronic flow of information through the healthcare system.


Strategic Objectives of HITRUST

Establish a fundamental and holistic change in the way the healthcare industry manages information security risks:
• Rationalize regulations and standards into a single overarching framework tailored for the industry
• Deliver a prescriptive, scalable and certifiable process
• Address inconsistent approaches to certification, risk acceptance and adoption of compensating controls to eliminate ambiguity in the process
• Enable the ability to cost-effectively monitor compliance with organizational, business partner and governmental requirements
• Provide support and facilitate sharing of ideas, feedback and experiences within the industry


Who is HITRUST?

HITRUST Executive Council


Why the Need?

Healthcare organizations are facing multiple challenges with regard to information security:
• Costs and complexities of redundant and inconsistent requirements and standards
• Critical systems not incorporating appropriate controls or safeguards
• Confusion around implementation and acceptable baseline controls
• Information security audits subject to different interpretations of control objectives and safeguards
• Increasing scrutiny and similar queries from regulators, auditors, underwriters, customers and business partners
• Growing risk and liability


“The List”


www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html


HITRUST CSF

The HITRUST CSF is a framework that normalizes the security requirements of healthcare organizations, including federal (e.g., HITECH Act and HIPAA), state (e.g., MA 201 CMR 17.00), third party (e.g., PCI and COBIT) and government (e.g., NIST, FTC and CMS).

The CSF is built to provide scalable security requirements based on the different risks and exposures of organizations in the industry.

The CSF also makes security manageable and practical by prioritizing one-third of the controls in the CSF as a starting point for organizations. These priorities are based on industry input and analysis of breach information in the industry.


Standards and Regulations Overlap

[Diagram: overlapping standards and regulations – ISO 27001/2, PCI, COBIT, NIST, HIPAA Security, HITECH Act, Meaningful Use, States]


CSF Standards and Regs Coverage

[Diagram: the HITRUST CSF covering ISO 27001/2, PCI, COBIT, NIST, HIPAA Security, HITECH Act, Meaningful Use, States]


CSF Compared with Other Standards

Requirement                                                               CSF   COBIT   PCI   ISO      NIST   HIPAA
Comprehensive – general security                                          Yes   Yes     Yes   Yes      Yes    Partial
Comprehensive – regulatory, statutory, and business security requirements Yes   No      No    No       No     No
Prescriptive                                                              Yes   No      Yes   Partial  Yes    No
Practical and scalable                                                    Yes   Yes     No    No       No     Yes
Audit or assessment guidelines                                            Yes   Yes     Yes   Yes      Yes    No
Certifiable                                                               Yes   Yes     Yes   Yes      No*    No
Support for third-party assurance                                         Yes   Yes     Yes   Yes      No     No
Open and transparent update process                                       Yes   No      Yes   Yes      Yes    Yes
Cost                                                                      Free  Subsc.  Free  Subsc.   Free   Free

*Certifiable only for government agencies and organizations doing business with the government


CSF Sample

• Structured in accordance with ISO 27001 / 27002 standard
• Multiple levels of implementation requirements
• Risk factors tailored for healthcare organizations
• Cross-references to industry standards and regulations


Introduction to CSF Assurance Program


Overview of CSF Assurance Program

• Utilizes a common set of information security requirements with standardized assessment and reporting processes accepted and adopted by healthcare organizations.

• Through the program, healthcare organizations and their business associates can improve efficiencies and reduce the number and costs of security assessments.

• The oversight and governance provided by HITRUST support a process whereby organizations can trust that their third parties have essential security controls in place.


Strategic Objectives of CSF Assurance Program

Provide assurance that controls to limit the exposure of a breach are in place and operating effectively. Recipients of this assurance include:
• Executive management
• Auditors
• Federal and state regulators
• Customers of business associates

Simplify compliance efforts for organizations
• Assess once and report to many constituents:
  – Federal (e.g., HIPAA/HITECH or meaningful use information) and state regulators
  – Credit card companies (i.e., PCI requirements)
  – CMS (i.e., Core Security Requirements)
  – Internal or external auditors
• Comprehensively leverage assessments (i.e., leverage internal audit or other certifications such as PCI to streamline audits and testing)

Provide this assurance in a more cost-effective manner and with more rigor than existing processes


Resources


HITRUST Central (HITRUSTcentral.net)

Access to the CSF online.

A professional network for:
• Understanding industry issues and events
• Sharing knowledge
• Exchanging ideas and best practices
• Discovering new ways to solve business problems
• Downloading documentation and training materials

Providing support:
• What does this control mean?
• How do I implement these requirements?
• What do I do if I cannot meet a requirement?


Additional Resources

Visit HITRUSTalliance.net for information and materials on:

• Common Security Framework - www.hitrustalliance.net/csf/
• CSF Assurance Program - www.hitrustalliance.net/assurance/


For More Information

For more information on HITRUST and the CSF visit: www.HITRUSTalliance.net/csf/

To access the CSF and HITRUST Central visit: www.HITRUSTCentral.net

For a list of HITRUST CSF Assessors visit: www.hitrustalliance.net/Assessors_List.pdf

For assistance, contact:
Thomas Lewis – tlewis@lbmc.com
Mark Fulford – mfulford@lbmc.com