Bringing Box into HIPAA Alignment · 4/1/2014  · Myth #2 – You can be certified HIPAA...

Bob Flynn & Anurag Shankar
University Information Technology Services, Indiana University

Page 1: Bringing Box into HIPAA Alignment

Page 2: Outline

Internet2 MM: 4/7/2014 University Information Technology Services

1.  Introduction
2.  Service Partnership
3.  Legal Requirements
4.  Risk Management Framework
5.  Box Evaluation
6.  Conclusions

Page 3: 1. Introduction

Page 4: Introduction

Nature abhors a vacuum! The lack of HIPAA compliant campus services that support external collaborations is forcing biomedical researchers to share sensitive data using email and cloud services such as Google Docs, Dropbox, etc.

Page 5: HIPAA in the Cloud?

•  The lure of free or cheap cloud storage is irresistible, even for HIPAA regulated entities.
•  Cloud providers have been unaware of, or unwilling to address, HIPAA compliance, but ...
•  Market pressures are forcing many vendors to reconsider HIPAA. Chief among these are Amazon, Microsoft, and now Box.
•  We at IU have also been revisiting our stance of keeping our sensitive data out of the cloud, specifically as regards Box.

Page 6: Current Regulatory Climate

•  With growing security threats, (Governance, Risk, and) Compliance is now the new frontier for IT.
•  If you handle biomedical data, you not only face HIPAA, but possibly FISMA as well.
•  Recent changes to HIPAA have put more teeth into enforcement = more motivation for us.

Page 7: Recent HIPAA Changes

•  A new HIPAA Omnibus Rule was enacted in 2013.
•  It adds new requirements for a business associate (BA) who handles your sensitive data. It greatly ramps up civil penalties.
•  The government will initiate random HIPAA audits in 2014. (Earlier, audits were triggered only in response to a breach.)

Page 8: 2. Service Partnership

Page 9: Box@IU & HIPAA

•  Implemented at IU in 2012, Box became wildly popular for sharing data with collaborators within and outside IU.
•  Researchers in the IU School of Medicine (second largest medical school in the U.S.) soon wanted to use Box to share clinical data. (Biomedical research grants from NIH require data sharing.)
•  Since identifiable clinical research data is subject to HIPAA, we asked – Is Box HIPAA compliant?

Page 10: Box & HIPAA

•  In 2013, Box began talking about the possibility of HIPAA alignment after conducting third party security and HIPAA audits.
•  In late 2013, they began signing contracts promising to comply with HIPAA.
•  Internet2 has negotiated a BAA and revised contract with Box.

Page 11: IU Basics

•  8 Campuses (2 Core, 6 Regional)
•  115K Students, 20K Faculty/Staff
•  1.3M Credit Hours (Fall 2013)
•  $533M in external research funding (2012)
•  Strong Central IT and good partnership with distributed IT operations.

Page 12: Box@IU Basics

•  Program rollout April 2012
•  Reached 50,000 users by October 2013
•  Currently: 64,000 internal users, 7,000 external collaborators, 120,000 collaborations, 50TB in storage
•  All this without FERPA or HIPAA data

Page 13: Box@IU Basics

Page 14: 3. Legal Requirements

Page 15: HIPAA

•  Health Insurance Portability & Accountability Act, passed in 1996; the Privacy Rule took effect in 2001.
•  Enforced by the Office for Civil Rights (OCR) in the U.S. Dept. of Health & Human Services (HHS).
•  Modified in 2013 by including provisions from the 2009 Health Information Technology for Economic & Clinical Health (HITECH) Act & the 2008 Genetic Information Nondiscrimination Act (GINA).
•  Consists of the HIPAA Privacy Rule and the HIPAA Security Rule (plus the Breach Notification Rule discussed below).

Page 16: The HIPAA Security Rule

The Security Rule regulates electronic protected health information* (ePHI). It requires (1) administrative, (2) physical, and (3) technical safeguards to

•  Ensure the confidentiality, integrity, and availability of all ePHI created, received, maintained or transmitted;
•  Identify and protect against reasonably anticipated threats to the security or integrity of the information;
•  Protect against reasonably anticipated, impermissible uses or disclosures;
•  Ensure compliance by the workforce; and
•  Provide a means for managing risk in an ongoing fashion.

* Individually identifiable health information in electronic form, i.e. data carrying one or more of the 18 HIPAA identifiers such as name, DOB, etc.

Page 17: The HIPAA Security Rule

Page 18: Covered Entities & Business Associates

•  Healthcare providers, health plans, and healthcare clearinghouses are called HIPAA “covered entities”.
•  Universities are often hybrid covered entities, with covered components that do healthcare and components that are not covered.
•  If you serve a covered component within your organization, chances are that you too are covered.
•  If you are not part of a covered entity but handle their ePHI on their behalf, you are a business associate (BA).

In the Box context, you are the covered entity and Box is a BA.

Page 19: Security Rule Safeguards

•  Administrative – security organization, policies, training, responsibilities, incident response, etc.
•  Physical – data center access, equipment/media disposal, inventory control, etc.
•  Technical – firewalls, patching, auditing, scanning, monitoring, accounts, etc.

+ organizational/policies/documentation requirements

Page 20: Required & Addressable

•  Each Security Rule implementation specification is either “required” or “addressable”.
•  Required = must be implemented as specified.
•  Addressable = must be assessed: implement it if reasonable and appropriate; otherwise document why it is not in place and what alternative measure addresses the risk. Addressable does not mean optional.
•  A risk assessment (RA) identifies where to concentrate mitigation effort.

Page 21: Breach Notification

•  HIPAA requires that a breach of unsecured ePHI be reported without unreasonable delay (and no later than 60 days after discovery):
1.  To each individual whose ePHI was breached.
2.  For breaches affecting > 500 individuals, also to the media and to the Secretary of the U.S. Dept. of Health & Human Services. (Smaller breaches are logged and reported to HHS annually.)
•  The BA must notify you if the breach occurs at their end.

Page 22: Business Associates

•  HIPAA requires a business associate agreement (BAA) with any external entity that touches your ePHI.
•  The BAA must obligate your BA, and any subcontractors of the BA (their BAs), to protect your ePHI; the Omnibus Rule makes subcontractors BAs in their own right.
•  Due diligence also means ensuring that the BA is actually capable of protecting your ePHI in conformance with HIPAA, not just that they signed.

Page 23: Enforcement

•  HIPAA violations can result in civil monetary penalties of up to $1.5 million per year for violations of the same provision against a HIPAA covered entity, and/or individual criminal penalties of up to 10 yrs in jail.
•  For large breaches, the OCR imposes a (potentially very expensive) corrective action plan (CAP).
•  Random govt. HIPAA audits are coming this year.

Page 24:

The Corrective Action Plan (CAP) signed by Idaho State University

Breaches reported by universities

But the worst is being in the newspapers!

Page 25: Is All Identifiable Health Data ePHI?

•  NO. Identifiable health data outside a healthcare context (e.g. what you upload to Google Health, Microsoft HealthVault) is not ePHI. Only covered entities (healthcare providers, facilities, and insurers) and their business associates are bound by HIPAA.
•  Data, if properly de-identified (by the Privacy Rule’s Safe Harbor or Expert Determination method), is not subject to HIPAA.

If unsure, contact your HIPAA Compliance office!
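What “properly de-identified” looks like in practice is worth seeing as code. The following is an added example and not code from the presentation: it applies the Privacy Rule’s Safe Harbor method (45 CFR 164.514(b)(2)) to a constructed patient record, removing the direct identifiers, reducing dates to their year, truncating ZIP codes to three digits (or 000 for sparsely populated areas) and collapsing ages over 89 into 90+. The record schema, field names, sample data and as-of date are assumptions; the ZIP3 exclusion list is the one HHS published from the 2000 Census and should be checked against current guidance.

```python
"""Safe Harbor de-identification of a constructed patient record.

Added example; not code from the IU/Internet2 presentation. Applies the HIPAA
Privacy Rule Safe Harbor method (45 CFR 164.514(b)(2)). The record schema and
the sample data are assumptions made for this example.
"""
import re
from datetime import date

# Fields holding identifiers that Safe Harbor removes outright. The field names
# are an assumed schema; map your own records onto them.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
}

# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}

# Three-digit ZIP areas with 20,000 or fewer residents must become "000".
# This is the list HHS published from the 2000 Census; refresh it against
# current HHS guidance before relying on it.
ZIP3_SMALL_POPULATION = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Pattern-based scrubbing for free text. Full dates keep their year only.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), r"\1"),
]


def truncate_zip(zip_code: str) -> str:
    """Keep the leading three digits unless that ZIP3 area is too small."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    if len(digits) < 3 or digits in ZIP3_SMALL_POPULATION:
        return "000"
    return digits


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def scrub_text(text: str) -> str:
    """Remove identifiers that follow a regular pattern. Names, addresses and
    other free-form identifiers are NOT caught here; free text needs review."""
    for pattern, replacement in TEXT_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a new record satisfying the Safe Harbor rules for the fields
    this example knows about."""
    dob = record.get("dob")
    over_89 = dob is not None and age_on(dob, as_of) > 89
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field == "age":
            continue                      # age is recomputed from dob below
        if field == "zip":
            out["zip3"] = truncate_zip(value)
        elif field == "dob":
            # Over 89, even the birth year reveals age: collapse it to "90+".
            out["birth_year"] = "90+" if over_89 else str(value.year)
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = str(value.year)
        elif field == "notes":
            out["notes"] = scrub_text(value)
        else:
            out[field] = value            # e.g. state, diagnosis, lab values
    if dob is not None:
        out["age"] = "90+" if over_89 else age_on(dob, as_of)
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-00012345",
    "dob": date(1922, 3, 14),
    "state": "NH",
    "zip": "03601",
    "admission_date": date(2013, 11, 2),
    "diagnosis": "Type 2 diabetes",
    "notes": "Called 812-555-0143 on 11/02/2013; SSN 123-45-6789 verified.",
}
AS_OF = date(2014, 4, 1)   # assumed evaluation date


def deidentify_sample() -> dict:
    return deidentify(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    for key, value in deidentify_sample().items():
        print(f"{key}: {value}")
```

The sample patient is 92 on the as-of date, so both the birth year and the age collapse to 90+, and the ZIP 03601 sits in an excluded ZIP3 area and becomes 000. The free-text scrubber only catches identifiers with a regular shape (SSNs, phone numbers, emails, full dates); names and addresses inside notes still need human or NLP review, which is why the Expert Determination route exists.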

Page 26: Just Good Security?

Q: So, the HIPAA Security Rule means we just need to provide good IT security?
A: NO. The Security Rule is about managing risk, and security is only PART of that management. HIPAA requires ongoing administrative controls, training, governance, policies, formal review, etc.

Page 27: HIPAA Security Rule Myths

Myth #1 – Security Rule compliance is a boolean.
Truth: There is no threshold where you suddenly become compliant.

Myth #2 – You can be certified HIPAA compliant.
Truth: No company or federal agency is authorized to certify you as being HIPAA “compliant”. (The only way to know for sure is to survive a HIPAA audit!)

So you align with the HIPAA rules as best as you can and usually “self assert” compliance.

Page 28: HIPAA Security Rule Myths

Myth #3 – Once compliant, you stay compliant.
Truth: No. Compliance is an ongoing process; once started, it never stops so long as you have ePHI.

Myth #4 – You must have an external third party do risk/security assessment.
Truth: No. You can do them internally, so long as you follow accepted practices and document it all.

Page 29: 4. Risk Management Framework

Page 30: HIPAA requires that you manage risk intelligently

Page 31: Information Security Risk Management

•  Identify, assess, prioritize, and mitigate risk to information security on an ongoing basis.
•  Think in terms of managing risk, not plugging security holes.

Risk = {Threat/Vulnerability x Likelihood x Impact}

•  A big threat due to an existing vulnerability that is highly unlikely to be exploited, or that has little impact, is low risk. You don’t kill yourself over it.

Page 32: Risk Management Framework

You should have a mature, standards-based* RMF consisting of:

•  Good governance = institutional security organization, policies, sanctions, enforcement
•  Risk management = assessment, mitigation through appropriate physical, administrative, technical controls, documentation
•  Review = regular monitoring, reviews, assessment, and mitigation
•  Awareness and training

* = NIST 800-30

Page 33: Do I need an entire RMF even if I just want to align Box?

•  YES! If there is a breach and an OCR audit, they will first look at your general HIPAA safeguards, not just what you do with Box.
•  Penalties are often levied because risk was not managed properly, not because of the breach itself.
•  Having an RMF in place is an essential prerequisite to any HIPAA compliance work.

Page 34: Implementing the RMF at IU

1. Assign ownership
2. Form partnerships
3. Inventory/document
4. Hire external consultant
5. Perform gap analysis/fill gaps
6. Assess risk
7. Create & execute risk management plan
8. Get official blessing & advertise

Follow NIST Standards

(Much of this is usually already in place at most places but not documented in a compliance-oriented form.)

Page 35: ① Assign Ownership

•  Dedicated resources commensurate with the scale. At IU, we spent around 1.5 FTE-year for the initial effort and 1.0 FTE on an ongoing basis.
•  Assigned someone to lead the project.
•  Empowered the leader to be able to do the job.

Page 36: ② Form Partnerships

•  Got to know all IU Compliance folks.
•  Formed an oversight committee; put all stakeholders on it – Compliance, Counsel, Information Security Office, Information Policy Office, School of Medicine CIO/Security Office, staff/faculty, and central IT senior management.

Page 37: ③ Inventory/Document

•  Spent a lot of time on developing a documentation strategy/format.
•  Inventoried all assets, current policies and procedures, and the physical, administrative, and technical controls already in place.
•  Consulted with line managers & key staff.
•  Instituted a secure document management system (DMS).

Page 38: Identify Dependencies

•  Inventoried infrastructure pieces on which systems/services depend.
•  This means identity management, messaging, the network, data centers, etc. on which the systems/services to be aligned depend.
•  Included as many of them as we could.

Page 39: ④ Hire External Consultant*

•  Asked IU Compliance folks for references.
•  Got referred to a consultant from DC, who also serves on national HIPAA committees, etc.
•  Consultant was given information about the organization, documentation, etc.
•  Consultant visited IU a couple of times to do in-person interviews.

* = optional

Page 40: ⑤ Perform Gap Analysis

•  The Gap Analysis (GA) measures gaps between actual security and what the HIPAA Security Rule requires.
•  Involved on-site interviews.
•  Consultant used the data to identify gaps.
•  We received the GA report.

Page 41: Fill Gaps

•  Reviewed gap analysis report.
•  Filled as many holes as we could, especially the serious ones.
•  Updated documentation.
•  Got everything ready for a risk assessment.

Page 42: ⑥ Assess Risk

•  Everything done so far went into the risk assessment exercise.
•  Submitted updated documentation and other information as requested to the external consultant.
•  On-site interviews followed.
•  Received a risk assessment report listing identified risks and risk scores.

Page 43: ⑦ Create a Risk Management Plan

•  Reviewed risk assessment report.
•  Addressed all risks and documented mitigation, reason for not mitigating, or alternatives.
•  Submitted the RM plan to the external consultant for review.
•  Modified RM plan as per consultant recommendations.

Page 44: Execute Risk Management Plan

•  Execution involved some short term actions that addressed many high/medium risk items immediately.
•  Instituted long term processes such as regular reviews, risk monitoring, risk avoidance strategies, etc.
•  Documented everything (again) …

Page 45: ⑧ Get Official Blessing & Advertise

•  Submitted everything to the oversight committee.
•  Received an official letter of approval from Compliance in January 2009.
•  Advertised internally and targeted only IUSM researchers to avoid unnecessary attention.

Page 46: Follow Standards

•  We used the NIST 800-53 security control catalog since it is often used for complying with HIPAA and is the control baseline required under FISMA.
•  It put an “official seal” on the process & added rigor.
•  We also looked at other standards such as ISO 27001, COBIT, etc.

Page 47: NIST 800-53

Page 48: HIPAA - Ongoing

•  Semi-annual internal reviews and documentation updates. Risk reassessment. External reviews every 5 years.
•  Annual, mandatory HIPAA training in the HIPAA regulation, how it applies to us, and our policies and procedures, etc.
•  Self-assertion process for new services requires risk analysis, risk mitigation, documentation, security screening, & training/reviews.

Page 49: Future

•  Expand the mature, standards-based NIST approach.
•  Provide NIST-based risk and security assessment tools for units to do their own internal assessments.
•  Centralize documentation.
•  Establish baseline risk profile, evaluate risks, update continuously as risks change.

Page 50: 5. Box Evaluation

Page 51: Box Evaluation

While Box said they were HIPAA compliant, due diligence (to us) meant evaluating whether Box meets the same NIST standards we follow ourselves.

Page 52: Method

•  We asked Box for documentation of their information security practices, audit reports, etc.
•  We reviewed the documents thoroughly.
•  We used the NIST HIPAA Security Rule Toolkit to answer nearly 1000 questions about Box’s security/risk management practices.
•  Some of these answers came from the Box documentation, some from Box’s Compliance folks.

Page 53: NIST HIPAA Security Rule Toolkit Questionnaire

Page 54: Results

•  Box satisfies > 95% of HIPAA Security Rule requirements.
•  They have the necessary “Required” and “Addressable” safeguards in place.
•  It helps greatly that they encrypt all data in transit and at rest for enterprise customers (i.e. us), and that they, not the customer, hold and secure the encryption keys; the strength of that protection therefore rests on their key management as much as on the cipher.
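Three ideas from earlier in the deck meet here: the Required/Addressable rule from the Legal Requirements section, the Risk = Likelihood x Impact scoring from the RMF section, and the questionnaire-driven vendor review just described. The following added example (not the IU team’s tooling and not the NIST HIPAA Security Rule Toolkit) shows how a BA’s answers can be scored so that a missing Required safeguard is a blocking gap, a missing Addressable safeguard passes only with a documented justification or alternative, an unanswered question counts as a gap rather than a pass, and what remains is ranked by risk. The Security Rule citations are real; the safeguard selection, the vendor answers, the likelihood/impact ratings and the scoring scale are constructed for illustration.

```python
"""Score a business associate's answers against Security Rule safeguards.

Added example; not the IU team's tooling and not the NIST HIPAA Security Rule
Toolkit. The citations are real 45 CFR 164.3xx paragraphs; the vendor answers,
ratings and 1..3 scale are constructed for this example.
"""
from dataclasses import dataclass

LEVEL = {"low": 1, "moderate": 2, "high": 3}          # NIST SP 800-30 style
SEVERITY_ORDER = {"blocking": 0, "finding": 1, "documented": 2}


@dataclass(frozen=True)
class Safeguard:
    cfr: str        # 45 CFR 164.3xx citation
    name: str
    required: bool  # True = "Required", False = "Addressable"


@dataclass
class Answer:
    in_place: bool
    justification: str = ""        # why absent, or the alternative measure
    likelihood: str = "moderate"   # of the gap being exploited
    impact: str = "moderate"       # on ePHI confidentiality/integrity/availability


@dataclass
class Finding:
    cfr: str
    name: str
    severity: str   # blocking | finding | documented
    risk: int       # likelihood x impact, 1..9


def evaluate(safeguards, answers):
    """Return (coverage, findings). coverage is the fraction of safeguards in
    place or properly documented as addressed; findings come back with
    blocking gaps first, then by descending risk."""
    findings = []
    satisfied = 0
    for sg in safeguards:
        # An unanswered question is treated as a gap at the highest risk, not
        # as "probably fine": the vendor has to show the control exists.
        ans = answers.get(sg.cfr) or Answer(False, likelihood="high", impact="high")
        if ans.in_place:
            satisfied += 1
            continue
        risk = LEVEL[ans.likelihood] * LEVEL[ans.impact]
        if sg.required:
            severity = "blocking"       # Required and absent: cannot sign off
        elif ans.justification.strip():
            severity = "documented"     # Addressable, absent, but justified
            satisfied += 1
        else:
            severity = "finding"        # Addressable with no justification
        findings.append(Finding(sg.cfr, sg.name, severity, risk))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], -f.risk))
    return satisfied / len(safeguards), findings


def blocking(findings):
    """The gaps that must be closed before ePHI can be placed with the BA."""
    return [f for f in findings if f.severity == "blocking"]


# Eight safeguards (real citations) and constructed vendor answers.
SAFEGUARDS = [
    Safeguard("164.308(a)(1)(ii)(A)", "Risk analysis", True),
    Safeguard("164.308(a)(3)(ii)(B)", "Workforce clearance procedure", False),
    Safeguard("164.308(a)(5)(ii)(B)", "Protection from malicious software", False),
    Safeguard("164.310(d)(2)(i)", "Device and media disposal", True),
    Safeguard("164.312(a)(2)(i)", "Unique user identification", True),
    Safeguard("164.312(a)(2)(iv)", "Encryption and decryption (at rest)", False),
    Safeguard("164.312(b)", "Audit controls", True),
    Safeguard("164.312(e)(2)(ii)", "Encryption (in transit)", False),
]

ANSWERS = {
    "164.308(a)(1)(ii)(A)": Answer(True),
    "164.308(a)(3)(ii)(B)": Answer(
        False, "Background checks run by HR vendor before access is granted",
        "low", "moderate"),
    "164.308(a)(5)(ii)(B)": Answer(False),              # no justification given
    # "164.310(d)(2)(i)" deliberately left unanswered
    "164.312(a)(2)(i)": Answer(True),
    "164.312(a)(2)(iv)": Answer(True),
    "164.312(b)": Answer(False, likelihood="high", impact="high"),
    "164.312(e)(2)(ii)": Answer(True),
}


def evaluate_sample():
    return evaluate(SAFEGUARDS, ANSWERS)


if __name__ == "__main__":
    coverage, findings = evaluate_sample()
    print(f"coverage: {coverage:.0%}, blocking gaps: {len(blocking(findings))}")
    for f in findings:
        print(f"{f.severity:10} risk={f.risk} {f.cfr} {f.name}")
```

With the constructed answers, coverage is 62.5% but that number is the least useful output: the two blocking items (audit controls absent, media disposal unanswered) are what stop a BAA sign-off, the malware-protection gap becomes a finding to take back to the vendor, and the justified workforce-clearance gap is recorded with its residual risk so it can be revisited at the next review rather than forgotten.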

Page 55: Current Status

•  We are waiting on a HIPAA compliant BAA with Box.
•  After a BAA is in place, we will submit the paperwork to the IU HIPAA Compliance Office to approve Box’s suitability for storing ePHI.
•  After approval, we expect to make Box available to biomedical researchers as a HIPAA aligned collaboration tool.

Page 56: 6. Conclusions

Page 57: Conclusions

•  Cloud computing is imminent; be prepared.
•  Box provides an ideal data sharing environment for biomedical researchers.
•  Our own NIST based evaluation found Box to be capable of keeping our ePHI secure.
•  We are using our existing RMF to satisfy dependencies and ensure end to end security.

Page 58: Conclusions

•  Follow your own institutional process, but an institutional RMF is an essential prerequisite.
•  Implementing an RMF also provides resources that can be used to align with any current/future regulation.
•  It also makes breaches less likely, lowering liability and the chance of damaging institutional reputation.

Page 59: We are more than happy to help in any way we can

Page 60: Resources

•  The HIPAA Security Rule
   http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
•  NIST 800-66: Guide to Implementing the HIPAA Security Rule
   http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
•  NIST 800-53: Recommended Security Controls
   http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
•  NIST 800-53A: Guide for Assessing Security Controls
   http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf
•  FIPS 200: Federal Systems Minimum Security Requirements
   http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
•  NIST HIPAA Security Rule Toolkit
   http://scap.nist.gov/hipaa/
•  IU HIPAA Documentation Templates (email us)
•  IU HIPAA Risk Assessment Template (email us)

Page 61: Contact

Bob Flynn [email protected] 812-856-3792
Anurag Shankar [email protected] 812-325-8629