HITECH Management Briefing
June 23, 2010
Karen Pagliaro-Meyer, Privacy Officer
[email protected], (212) 305-7315
Soumitra Sengupta, Information Security Officer
[email protected], (212) 305-7035
AGENDA
1. HITECH update
2. Privacy & Information Security Training
3. Privacy Issue Log Summary
4. Encryption
5. Risk Assessment
6. Data Leakage Prevention
Health Insurance Portability and Accountability Act (HIPAA)
• Insurance Reform (Portability)
• Administrative Simplification (Accountability)
– Transactions, Code Sets, & Identifiers – Compliance Date: 10/16/2002 and 10/16/03
– Privacy – Compliance Date: 4/14/2003
– Security – Compliance Date: 4/20/2005
• Fraud and Abuse (Accountability)
HITECH – Health Information Technology for Economic and Clinical Health
9/18/2009
HITECH Act (ARRA)
REQUIREMENT – COMPLIANCE DATE
1. Breach Notification – September 2009
2. Self-Payment Disclosures – February 2010
3. Business Associates – February 2010
4. Minimum Necessary – August 2010
5. Marketing
6. Fundraising
7. Accounting of Disclosures – January 2011/2014
8. Performance Measures for EHR – enhanced reimbursement rate
HITECH Act (ARRA)
• New Federal Breach Notification Law – Effective Sept 2009
– Applies to all "unsecured PHI" (PHI not rendered unusable, unreadable or indecipherable, e.g. by encryption), whether electronic or paper
– Requires prompt notification to the Federal Government (HHS) if more than 500 individuals are affected; annual notification if fewer than 500 individuals are affected
– Requires notification to a major media outlet
– Breach will be listed on a public website
– Requires individual notification to patients
• Criminal penalties apply to an individual or employee of a covered entity
Self Payment Disclosures
• If a patient pays for a service out of pocket, the patient has the right to restrict disclosure of that information to their health insurance plan
Business Associates
• Standards apply directly to Business Associates
• Statutory obligation to comply with restrictions on use and disclosure of PHI
• New HITECH provisions must be incorporated into the BAA
Minimum Necessary Standards
• New definition of Minimum Necessary, determined by the disclosing party; encourages the use of limited data sets
HITECH Act (ARRA)
Accounting of Disclosures
• Right to request a copy of the record in any format and to know who viewed, accessed, used or disclosed their medical information
Electronic Health Record
• Performance Measures for EHR – enhanced reimbursement
• Patient has a right to an electronic copy of records
• Electronic copy transmission and delivery options
• 96 hours, or 48 hours without ancillary information, for the information to be made available to the patient
• Meet Meaningful Use Standards
Who is a Business Associate?
• Individuals or organizations that do business with CUMC and have access to protected health information.
• A signed Business Associate Agreement (BAA) is needed to assure that they will protect the information and inform CUMC if the data are lost or stolen.
• Examples of Business Associates include:
– billing companies or claims processing
– voice mail or appointment reminder services
– management, transcription services or coding companies
– accreditation consultants
– software used for medical data
Summary of Breaches Reported to the Office for Civil Rights
Sept. 2009 – June 2010
• Breaches of over 500 records: 100
• 72% of breaches are computer related
• 64% of breaches are the result of a theft
Type of Facility
• 39% from a hospital / medical center
• 29% from a private practice / corporation
• 20% from a health plan / insurance company
[Chart: HITECH Breach Notification Reports 9/09 – 6/10, share of breaches by media type. Legend order: Laptops, Paper, Desktop, Portable Device, Other, Network, Email, Backup tapes; slice values as shown: 34%, 20%, 14%, 11%, 9%, 6%, 5%, 2%.]
Privacy & Information Security Training
• HITECH changed the definition and reporting requirements for Protected Health Information
• Technology has increased the potential exposure of data theft / loss (portable data)
• All staff benefit from refresher HIPAA training
• Tracking of workforce members to verify that they complete HIPAA training has improved
Privacy & Information Security Training
Annual HIPAA Training (number of staff)
Program                 2008    2009
Welcome Program          787   1,585
Students                 146     409
Dept/Role Specific       506     573
HCCS on-line Training    425     662
TOTAL                  1,864   3,229
[Chart: Annual HIPAA Training, number of staff by program, 2008 vs. 2009; same figures as the table.]
Privacy & Information Security Training
Management Follow-up
• Scheduling refresher HIPAA training for staff
• Verify that all new workforce members (employees, faculty, students, volunteers) receive HIPAA training
• Review policies and procedures related to information security and privacy
• Distribute "HIPAA reminders" to staff
Privacy Issue Summary 2010
• Privacy Breach Allegation: 15
• Access to Medical Record: 9
• Theft of Electronic Device: 8
• Registration Issue: 5
• Medical Record Sent to Wrong Patient: 3
• Paper Data Loss: 1
• Development: 1
• Marketing: 1
Cost of Data Breach
• Ponemon annual study on breach costs
• At roughly $200 per record, the loss of 10,000 records means about $2,000,000
• The cost includes Detection, Notification, Post-response & Lost business
• Qn: Who will pay this cost?
[Chart: Cost per record, FY 2005 – FY 2009 (y-axis $0–$250).]
What does OCR's Privacy Breach reporting tell us?
• 46% of reported breaches are for lost/stolen laptops, PDAs, and backup tapes
• HITECH permits non-notification if the information is "encrypted" (unusable, unreadable or indecipherable to unauthorized persons)
• So, encrypt already, or stop carrying sensitive data
• Our encryption help page is:
https://secure.cumc.columbia.edu/cumcit/secure/security/encryption.html
[Diagram: Encryption vs. risk of incurring a breach cost.]
What's new from OCR?
• Office for Civil Rights Guidance – May 7, 2010 – HIPAA Security Standards
• Guidance on Risk Analysis
– Based on the NIST recommendation: NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems
OCR Risk Analysis Guidance Steps
• Scope of the Analysis
• Collect all Assets
• Identify and document Potential Threats and Vulnerabilities
• Assess current Security Measures (Controls)
• Determine the Likelihood and Impact of Threat Occurrence to determine the Level of Risk
• Finalize Documentation
• Periodic Review and Updates to the Risk Assessment
Scope of the Analysis at CUMC
• G.R.O.W.I.N.G…
– Protected Health Information
– Personally Identifiable Information (SSN, Driver's License, Credit cards)
– Payment Card Industry Data Security Standard
– FDA Approved Research – 21 CFR Part 11
– FERPA (Student information)
– Etc.
• Has to fit in a common framework
Threats and Vulnerabilities + Likelihoods + Impact
• Original analysis of HIPAA issues at CUMC
• Used a classification method
– Threat Source: Internal/External
– Type: Opportunistic/Accidental/Deliberate/Environmental
– Likelihood: Very likely/Likely/Unlikely/Very unlikely
– Costs/Severity: Operational Impact/Monetary Impact/Regulatory Impact/Reputation Impact
• New threats
– Social networks
– Wireless devices
Threats and Vulnerabilities + Likelihoods + Impact
• Examples:
– Internal user, accidentally, infects a workstation with a virus through a personal USB drive
– External user, deliberately, uses a server to distribute music or DVDs or to send SPAM
– Internal user, deliberately, looks up clinical data of a celebrity
Security Controls
• Examples of controls that address threats
Asset Inventory Program at CUMC
• Work starts July 2010
• Ask departments to identify a Primary Person responsible for all Privacy and Security communications, incidents, and resolutions
• Ask the Primary Person to identify Servers and Workstations with PII, PHI, FDA Research
– Description, responsibility, IP address, etc.
Asset Inventory
• CUMC IT will establish an asset inventory database of PHI, PII, and FDA systems
• The IT Security group will conduct vulnerability scans using automated tools, and return results and recommendations to the Primary Person
• Departments will address deficiencies with their IT custodians and take corrective actions, with a follow-up re-scan
• Departments will be provided with a comprehensive list of assets from the inventory
• Non-compliant systems after a specified time period will be disconnected from the network
• Non-compliant systems after a specified time period will be reported to the CUMC HIPAA/InfoSec Committee, department management, and CUMC senior management
• The inventory will be updated by self-reporting and by annual recertification
New control: Data Leakage Prevention
• DLP technology is a set of tools that look at
– Our networks
– Our incoming and outgoing emails
– Our workstations and servers
And
– Alert on leakage of PHI, PII and other sensitive data (data in motion)
– Report on where such data reside (data at rest)
– Control how such data are used (data in use)
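The content-inspection step behind the "alert on leakage / report on where data reside" bullets above, as an added example (not CUMC's DLP tooling and not code from this briefing). It is a small scanner that finds SSNs and payment-card numbers in text, Luhn-checks card candidates so that phone numbers and other digit runs are not reported, masks each hit to the last four digits, and classifies each location as data in motion (alert) or data at rest (report). The "mail:" / "file://" location prefixes, the regexes and the sample corpus are all constructed for the example; a real deployment would add institution-specific identifiers such as medical record numbers.

```python
"""Toy DLP content scanner (stdlib only).

Finds SSNs and payment-card numbers in text, masks them, and builds the
per-location report a department Primary Person would receive.
Patterns, location prefixes and sample data are constructed for illustration.
"""
import re
from collections import Counter

# SSN AAA-GG-SSSS, excluding structurally invalid values:
# area 000, 666 or 900-999; group 00; serial 0000.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)"
)

# Payment-card candidate: 13-16 digits, optionally separated by spaces or
# hyphens. A regex alone over-matches (phone numbers, MRNs, claim IDs), so
# every candidate is Luhn-checked before it is reported.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,15}\d(?![\d-])")


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check over the digits of a card candidate."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Mask all but the last four digits; keep separators so the format is visible."""
    n_digits = sum(c.isdigit() for c in value)
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > n_digits - 4 else "*")
        else:
            out.append(c)
    return "".join(out)


def scan_text(text: str) -> list:
    """Return [(kind, masked_value), ...] for every validated hit in text."""
    findings = [("SSN", redact(m.group())) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            findings.append(("CARD", redact(m.group())))
    return findings


def channel_of(location: str) -> str:
    """Assumed location scheme: 'mail:' is data in motion, 'file://' is data at rest."""
    if location.startswith("mail:"):
        return "data in motion"
    if location.startswith("file://"):
        return "data at rest"
    return "unknown"


def build_report(corpus: dict) -> dict:
    """Map each location with findings to channel, counts, masked samples and action."""
    report = {}
    for location, text in corpus.items():
        findings = scan_text(text)
        if not findings:
            continue
        channel = channel_of(location)
        report[location] = {
            "channel": channel,
            "counts": dict(Counter(kind for kind, _ in findings)),
            "samples": [masked for _, masked in findings],
            # Leakage in motion is alerted on; data at rest is reported for cleanup.
            "action": "alert" if channel == "data in motion" else "report",
        }
    return report


# Constructed sample corpus: an outgoing email, two files on a share, and a
# test email whose card number fails the Luhn check.
SAMPLE_CORPUS = {
    "mail:to=claims@example-biller.invalid": (
        "Claim batch for May. Patient SSN 123-45-6789, "
        "card on file 4111 1111 1111 1111, amount $240.00."
    ),
    "file://dept-share/old/intake_2004.txt": (
        "SSN: 123-45-6789\nSSN: 219-09-9999\nPhone 212-305-7315\n"
    ),
    "file://dept-share/readme.txt": "Contact the front desk at 212-305-7315.",
    "mail:to=colleague@cumc.columbia.edu": (
        "Test number 4111 1111 1111 1112 should not match."
    ),
}

if __name__ == "__main__":
    for location, entry in build_report(SAMPLE_CORPUS).items():
        print(f"{entry['action'].upper():6} {entry['channel']:15} {location}")
        print(f"       counts={entry['counts']} samples={entry['samples']}")
```

Run as is, the script alerts on the biller email (one SSN and one Luhn-valid card) and reports the forgotten 2004 intake file (two SSNs), while the phone numbers and the Luhn-invalid test number produce nothing.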
Data Leakage Statistics
Data Leakage Prevention
• A pilot study showed
– Sensitive PHI data are sent to billers and vendors without encryption
– Sensitive data are accidentally left on workstations
– Old, forgotten, sensitive data stay forever on servers
– Users are using social networks and systems such as wikis and GoogleDocs to store sensitive institutional data without proper authorization
Data Leakage Prevention
• A 2010 project to start alerting on what is found on the networks
• Reports to the department Primary Person
• Reports to CUMC senior management
• Development of a process to address the findings comprehensively