Built to Optimize… HIPAA Security: A Decade of Breaches; A Decade of Ignorance CMGMA Fall Meeting...
Built to Optimize…
HIPAA Security: A Decade of Breaches; A Decade of Ignorance
CMGMA Fall Meeting, September 2014
YouTube Video – If Airlines worked like US Healthcare: https://www.youtube.com/watch?v=5J67xJKpB6c
Outline
• HIPAA Overview – key definitions, brief history
• Examples of HIPAA breaches to date
• The biggest HIPAA threats
• Real life HIPAA breach example
• Cloud – is it HIPAA compliant?
• Questions/discussion
HIPAA (one “P”, two “A”s)
• HIPAA stands for:
  • Health
  • Insurance* 
  • Portability** and
  • Accountability
  • Act
* (not Information)
** (not Privacy)
P == Portability
• Old days:
  • “Cradle-to-grave” patient/doctor relationship
  • Records belonged to the practice/physician
  • Patients generally could not even see them
• New world order:
  • Fragmented HC delivery (specialists, clinics, etc.)
  • Practices are caretakers of a larger patient record
  • Patient “activism” – records “belong” to them
  • Portability made safekeeping rules necessary
HIPAA Breaches - Some macro numbers
• HHS-reported HIPAA breaches since 2009:
  • 600 993 breaches of more than 500 records each
  • Total is over 22 31 million patient records affected
  • Largest is 4.9 million (SAIC – Service Provider)
  • Smallest reported breach (and not on this list) is 441 records (Hospice of Northern Idaho)
  • Largest pending judgments are $3-4 BILLION in class action lawsuits (Sutter Health, California) and $3-4 BILLION against SAIC (Service Provider)
All data here and in the following graphs from: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
HIPAA Breaches – Type of Breach
(Pie chart – share of breaches by type)
• Theft: 55%
• Unauthorized access: 19%
• Loss: 12%
• All other: 14%
HIPAA Breaches – Source of Breach
(Pie chart – share of breaches by source)
• Laptop: 25%
• Paper: 23%
• Portable: 12%
• Computer: 11%
• Server: 10%
• All other: 19%
HIPAA Breaches – Words (All Fields)
(Pie chart – word frequency across all breach-report fields)
• Theft: 32%
• Laptop: 17%
• Computer: 12%
• Portable: 8%
• Loss: 8%
• EHR: 0.10%
• All other: 23%
Some Recent Headlines
• Walgreens (1 record; ~$1.44 million judgment)
• Community Health Systems (2nd largest; hacking)
• LA Gay/Lesbian Clinic (hacking)
• Stanford Children’s Hospital (5X offender)
• Oregon Health Science Unit (4X offender)
• UCLA; Cedars-Sinai (celebrity snooping)
• Hospice of Northern Idaho (441 records; $50K)
• Arizona Surgery Center ($100K fine)
• LabMD in Georgia is DOA (CEO is writing a book)
Time to dispel a big myth
• “My HIPAA Security situation is taken care of because I use a certified EHR”
• Number of breaches that have been directly caused by or involved a certified EHR: ZERO!
HIPAA “Chapter and Verse*”
• HIPAA is contained in the Federal Register, CFR Parts 160, 162 & 164:
  • Section 164.308 – Administrative
  • Section 164.310 – Physical
  • Section 164.312 – Technical
  • Section 164.314 – Business Associate Arrangements
  • Section 164.316 – Policies and Procedures Documentation
* More than 500 pages!
HIPAA on a 3x5 Card:
What does the HIPAA Security Rule* Say?
• Covered Entities must protect and secure all electronic protected health information (ePHI) against accidental or intentional causes of unauthorized access, theft, loss or destruction, from either internal or external sources.
* HIPAA Security governs electronic records. HIPAA Privacy governs paper records
HIPAA Security – Graphical Representation
(Diagram: causes – accidental and intentional; sources – internal threats and external threats; outcomes against ePHI – destruction, loss, theft, improper access.)
Definition of ePHI
• “ePHI” is patient health information which is computer based (i.e., created, received, stored, maintained, processed and/or transmitted in, on or through any form of electronic means).
• “Electronic media” includes computers, laptops, memory sticks, USB drives, smartphones, PDAs, servers, data storage systems, backup tapes, disk drives, network systems, email, websites, digital printers/copiers/scanners, etc.
Things HIPAA doesn’t say…
• Length/complexity/change cycle of passwords
• Timeout or logoff time interval
• Type of encryption (e.g., technically WEP for WiFi is actually HIPAA compliant)
• Version of OS such as Win 7, Svr 08 or higher (HIPAA doesn’t name vendor names/products)
• Actually doesn’t mention laptops (or tablets, SmartPhones, PDAs, etc.), just “workstations”
Is this the biggest HIPAA threat?
No, this is the biggest HC threat:
By far the largest number of threats are caused by, or enabled by, internal users – office and clinical staff.
HIPAA – A Brief History
• HIPAA signed by President Clinton in 1996
  • Primary purpose was to make HC insurance portable
  • Governed paper records
  • Massive increase in administrative burden to HC
  • Massive efforts on compliance and training
• HIPAA Security became effective in April 2005
  • Most people were unaware or chose to ignore it
  • They assumed “IT had it taken care of”
  • Thought it was something they had already done
ARRA/HITECH Act 2009
• Part of “Meaningful Use” stimulus – up to $54K/$63K for physicians, millions of $$ for hospitals to adopt EHRs (Medicare/Medicaid)
• Max fines increased from $50,000 to $1.5 million
• Fines apply regardless of:
  • Whether docs/facilities are seeking MU funds
  • Whether docs/facilities qualify for MU funds (e.g., Ambulatory Surgery Centers, self-pay, etc.)
  • Whether the facility has or uses an EHR
Close to home… here in Colorado
HIPAA is Very Real
You don’t want to get one of these nasty grams…
More bad news… only 15 days to respond; threatened penalties
Even more bad news… the Freedom of Information Act may make this public
Penalties
• Prior to 2/2009: up to $100 per violation; $25,000/year cap
• After 2/2009: $100 to $50K per violation; $1.5 MILLION/year cap
Yikes!
HIPAA compliance is not optional
• HIPAA compliance is required for practices and hospitals to achieve Meaningful Use
• Annual risk assessments are required
• HHS is doing unannounced audits
• HIPAA compliance is required with/without EHR and with/without Meaningful Use
Is “Cloud” HIPAA compliant?
• Many public cloud services are inherently unsafe and are not HIPAA compliant (but unfortunately they are used all the time):
  • Examples: Gmail; Hotmail; FaceBook; AOL; Twitter; Flickr; iCloud; basically anything that’s “free”
• Poorly designed/poorly run IT services are bad; moving them to the cloud doesn’t fix them
• If a cloud provider refuses to sign a BAA or provide SLAs, that’s a showstopper
Cloud HIPAA Headlines
• “Mobility and Cloud [Are] Keys to Fulfilling Promise of EMRs” (HealthcareIT News)
• “Cloud solutions allow healthcare organizations to deliver critical patient data…” (IDG White Paper)
• “Use the Cloud to Reduce HIPAA Risk” (HealthcareIT News)
• “Google, Microsoft agree: Cloud is now safe enough to use” (C|Net; Annual RSA Security Conference)
• “Cloud Computing Offers a Public Safety Edge:”
  • “The cloud is a safe, robust platform for first responders to rely on. ‘I lose control of my information.’ Not true. ‘It’s not secure.’ Again, not true.” (LawOfficer.com)
Questions/Discussion