HIPAA Security - Jeanne Smythe, UNC-CH - PowerPoint PPT Presentation



SLIDE 1

HIPAA Security

Jeanne Smythe, UNC-CH
Jack McCoy, ECU
Chad Bebout, UNC-CH
Doug Brown, UNC-CH

SLIDE 2

What is this?

• Federal Regulations…
  – August 21, 1996: HIPAA Became Law
  – October 16, 2003: Transaction Codes and Identifiers Deadline
  – April 14, 2003: Privacy Deadline
  – April 21, 2005: Security Deadline

SLIDE 3

You've got to have goals…

• Everyone who sees, hears or handles PHI must keep it confidential and follow these rules, even if the individual does not have direct patient contact.

SLIDE 4

What is PHI?

• Protected Health Information: PHI is any health information that can be used to identify a patient and which relates to the patient, healthcare services provided to the patient, or the payment for these services.

SLIDE 5

What is this?

40+ Pages of very fine print…

"164.306 Security standards: General rules.
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce."

SLIDE 6

What is this?

• Safeguards and Standards
  – Administrative
  – Physical
  – Technical
• Implementation Specifications
  – Required (You have to do this)
  – Addressable (You still have to do this)

SLIDE 7

Hot Topics

• Risk Assessments
• Activity Review and Logs
• Awareness and Training
• PHI in Email
• Wireless, Mobile Devices
• Shadow copies, unmanaged PHI
• Encryption

SLIDE 8

Awareness and Training

"164.308(5)(i) Implement a security awareness and training program for all members of its workforce (including management)… (A) Security reminders… (B) Protection from malicious software… (C) Log-in monitoring… (D) Password management…"

SLIDE 9

Risk Management

"164.308 Administrative safeguards. (1)(a)(ii)(A) Risk analysis (Required). Conduct accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. (1)(a)(ii)(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a)."

SLIDE 10

Risk Management

• Why do we need this?
• Who will accept the risks?
• What is the determination process?
• Who will be involved in the determination process?

SLIDE 11

Physical Security

• 164.310 Physical safeguards.

"Physical safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion."

SLIDE 12

Physical Security

• Facilities
  – Access Control
  – Policies and Documentation
• Systems
  – Servers & Workstations
• Media
  – Removable Magnetic, CD-Rs, Memory Keys, etc.
  – Surplused Systems

SLIDE 13

Physical Security

• Equipment such as PCs, servers, mainframes, fax machines, and copiers must be afforded appropriate physical controls.
• Computer screens, copiers, fax machines, and printers must be situated in such a way that they cannot be accessed or viewed by the public.
• Computers must use password-protected screen savers.

SLIDE 14

Physical Security

• PCs that are used in open areas must be adequately secured to protect against theft or unauthorized access.
• Servers and mainframes must be contained in a secured area that is capable of limiting and monitoring physical access.
• Sealed envelopes marked "CONFIDENTIAL" should be used when mailing PHI.

SLIDE 15

Appropriate Disposal of Data

• Procedures for the appropriate disposal apply to PHI and Confidential Information.
• Hard copy materials such as paper or microfiche must be properly shredded or placed in a secured bin for shredding later.
• Magnetic media such as diskettes, tapes, or hard drives must be degaussed (subjected to a strong magnetic field) or "electronically shredded" using approved software and procedures.
• CD ROM disks must be rendered unreadable by shredding, defacing the recording surface, or breaking.
• No PHI or CI should be placed in the regular trash!

SLIDE 16

Activity Review

• "164.306(a)(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."

SLIDE 17

Activity Review

"Auditing is a human-driven process"

• Application logs?
• System logs
  – Windows "Event Logs"
    • Additional tracking has to be turned on
  – NetWare
    "NetWare events are server-specific settings; that is, they must be enabled on each NCP Server object in the tree…"

SLIDE 18

Activity Review

• Networking Devices
  – Firewalls, Routers, Switches…
    • Syslog?
    • SNMP traps?
• Other Security Devices
  – Anti-Virus Clients
  – Intrusion Detection
  – Intrusion Prevention
  – Content Filters
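Slides 16 through 18 require regular review of audit logs, access reports and device logs, and note that auditing is a human-driven process, but they do not show what a first automated pass over those records looks like. The script below is an added example and is not from the deck or its authors. It assumes a collector that has already normalised events from the sources the slides list (Windows Security event log, an application access log for a hypothetical EHR system, firewall syslog) into one "date time host source key=value ..." line format; the sample records, host names, user names, addresses, the 07:00-19:00 business window, the five-failure threshold and the ePHI host list are all constructed for illustration. Windows event IDs 4625 and 4624 are the real IDs for failed and successful logons on current Windows releases; the example assumes the collector has mapped older IDs onto them. The output is a short list of items for a human reviewer, not a verdict.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export (not from the deck). Each line is normalised to
# "date time host source message", the way a collector might store events from
# the sources listed on the slides: Windows Security event logs ("winevt"),
# an EHR application access log ("access") and firewall syslog ("syslog").
# Hosts, users and addresses are made up.
SAMPLE_LOG = """\
2005-03-12 08:03:40 WS-17 winevt id=4625 user=jdoe src=10.0.5.23
2005-03-12 08:03:52 WS-17 winevt id=4625 user=jdoe src=10.0.5.23
2005-03-12 08:04:05 WS-17 winevt id=4625 user=jdoe src=10.0.5.23
2005-03-12 08:04:20 WS-17 winevt id=4625 user=jdoe src=10.0.5.23
2005-03-12 08:04:31 WS-17 winevt id=4625 user=jdoe src=10.0.5.23
2005-03-12 08:04:44 WS-17 winevt id=4624 user=jdoe src=10.0.5.23
2005-03-12 09:15:02 WS-22 winevt id=4624 user=asmith src=10.0.5.40
2005-03-12 09:16:11 ehr-app access user=asmith record=MRN-000123 action=view
2005-03-12 23:41:02 ehr-app access user=rlee record=MRN-000456 action=view
2005-03-12 23:42:17 ehr-app access user=rlee record=MRN-000457 action=view
2005-03-13 02:14:07 fw1 syslog action=deny src=10.0.5.23 dst=10.0.1.10 dport=1433
"""

# Review policy. These are assumed values; a covered entity sets its own.
FAILED_LOGON_THRESHOLD = 5      # failures per account before a reviewer looks
BUSINESS_HOURS = (7, 19)        # 07:00-19:00 local; ePHI access outside is reviewed
EPHI_HOSTS = {"10.0.1.10"}      # addresses of systems holding ePHI (constructed)

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one normalised log line into a dict, or None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, source, rest = m.groups()
    try:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    event = {"ts": when, "host": host, "source": source}
    event.update(KV_RE.findall(rest))   # key=value pairs become dict entries
    return event


def review(text):
    """Return the list of review items a human auditor should look at."""
    events = [e for e in (parse_line(ln) for ln in text.splitlines()) if e]
    findings = []

    # 1. Repeated failed logons per account (Windows event 4625), the
    #    "log-in monitoring" item from the awareness and training slide.
    #    Record whether the same account then logged on successfully.
    failures = Counter(e["user"] for e in events
                       if e["source"] == "winevt" and e.get("id") == "4625")
    for user, n in failures.items():
        if n >= FAILED_LOGON_THRESHOLD:
            succeeded = any(e.get("id") == "4624" and e.get("user") == user
                            for e in events)
            findings.append(("failed-logons", user, n, succeeded))

    # 2. Access to ePHI records outside business hours, per user.
    after_hours = defaultdict(int)
    for e in events:
        if e["source"] == "access":
            hour = e["ts"].hour
            if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
                after_hours[e["user"]] += 1
    for user, n in after_hours.items():
        findings.append(("after-hours-access", user, n))

    # 3. Firewall denies aimed at systems that hold ePHI.
    for e in events:
        if (e["source"] == "syslog" and e.get("action") == "deny"
                and e.get("dst") in EPHI_HOSTS):
            findings.append(("blocked-to-ephi-host", e["src"], e["dst"], e.get("dport")))

    return findings


if __name__ == "__main__":
    for item in review(SAMPLE_LOG):
        print(item)
```

Run against the constructed sample, the script reports one account with five failed logons followed by a success, one user with two after-hours record views, and one blocked connection toward the ePHI database host. Each item is something the slides' "human-driven process" then has to judge: a mistyped password and a legitimate on-call clinician look the same in the log until a person checks.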

SLIDE 19

Administrative Safeguards

• Security Management Process
  – Risk Analysis (Required)
  – Risk Management (Required)
  – Sanction Policy (Required)
  – I.S. Activity Review (Required)

SLIDE 20

Administrative Safeguards

• Assigned Security Responsibility
• Workforce Security
  – Authorization and/or Supervision (Addressable)
  – Workforce Clearance Procedure (Addressable)
  – Termination Procedures (Addressable)

SLIDE 21

Administrative Safeguards

• Information Access Management
  – Isolating Healthcare Clearinghouse (Required)
  – Access Authorization (Addressable)
  – Access Establishment and Modification (Addressable)

SLIDE 22

Administrative Safeguards

• Security Awareness and Training
  – Security Reminders (Addressable)
  – Protection from Malicious Software (Addressable)
  – Login Monitoring (Addressable)
  – Password Management (Addressable)

SLIDE 23

Administrative Safeguards

• Security Incident Procedures
• Evaluation
• Business Associate Contracts

SLIDE 24

Administrative Safeguards

• Contingency Plan
  – Data Backup Plan (Required)
  – Disaster Recovery Plan (Required)
  – Emergency Mode Operation Plan (Required)
  – Testing and Revision Procedure (Addressable)
  – Applications and Data Criticality (Addressable)

SLIDE 25

Physical Safeguards

• Facility Access Controls
  – Contingency Operations (Addressable)
  – Facility Security Plan (Addressable)
  – Access Control and Validation (Addressable)
  – Maintenance Records (Addressable)

SLIDE 26

Physical Safeguards

• Workstation Use
• Workstation Security
• Device and Media Controls
  – Disposal (Required)
  – Media Re-use (Required)
  – Accountability (Addressable)
  – Data Backup and Storage (Addressable)

SLIDE 27

Technical Safeguards

• Access Control
  – Unique User ID (Required)
  – Emergency Access Procedure (Required)
  – Automatic Logoff (Addressable)
  – Encryption and Decryption (Addressable)
• Audit Controls

SLIDE 28

Technical Safeguards

• Integrity
  – Mechanism to Authenticate ePHI (Addressable)
• Person or Entity Authentication
• Transmission Security
  – Integrity Controls (Addressable)
  – Encryption (Addressable)

SLIDE 29

Thank you

Questions?