
HIPAA SECURITY SPOT AUDITS BEGIN: CHICKEN LITTLES AND ANNUAL TRADITIONS

KENNETH N. RASHBAUM, ESQ.
RASHBAUM ASSOCIATES, LLC
www.rashbaumassociates.com
2/21/2012

BREACHES MUNDANE AND COMPLEX

• Increasing Incidents Of Protected Health Information Loss Through Negligence
  - Lost, Unencrypted Portable Media (laptops, USBs, Portable Hard Drives, Smartphones, etc.)
• Virus Infection Shuts Down Hospital in Georgia
  - “Worm” Introduced Through USB
  - Blocked Access to EMR
  - Potential For Disclosures Of PHI Via Virus (HIPAA Violation)


CYBER-ATTACKS: SECURITY AFFECTS PATIENT SAFETY

• Chicago Hospital Shut Down In 2006 As Attack Crippled Vital Systems
• Hospital Security Guard Obtains Password For HVAC system, Tampers, Raising And Lowering Temperatures To Dangerous Levels
• Potential Exists For Attacks On Vital Systems, Such As ICU, Monitors, Etc.

HIPAA SECURITY COMPLIANCE

• Physical, Technical And Administrative Safeguards Required
• Documentation and Documented Training
• Current HIPAA Security Risk Analysis (as per Guidance from U.S. Dept. of Health and Human Services, “DHHS”)
• NB: Some State Privacy and Security Laws Are Stricter Than HIPAA (i.e., MA, NC, NY, CA)


Challenges to Compliance

• Diverse set of content contributors
• Content changes all day, every day
  - Documents uploaded / edited
  - Chart entries
  - Email communications
  - Social collaboration through blogs, wikis
  - External and internal website content
• 80 percent of enterprise content is unstructured and growing at 36 percent a year.
  - Doculabs

SECURITY ENFORCEMENT INCREASING

• DHHS Office For Civil Rights Spot Audit Program
  - Through 2012
  - Targets Covered Entities AND Business Associates
  - Audits Outsourced to KPMG
  - System Audited, But Also Policies and Procedures
  - Random Interviews Will Be Conducted
  - Breach Response Protocols Will Be A Target Of Audit


SURVIVING THE SPOT AUDIT

• Prepare BEFORE The Audit Notice Arrives
• Retain Outside Entities To Prepare Hospital Or Company For Audit (Review of Protocols, Etc.)
• Conduct Mock Audit (Report Through Counsel For Attorney-Client Privilege Where Applicable)
• Remediate Vulnerabilities And Compliance Gaps

SECURITY TAKES A TEAM

• Information Security Is An Interdisciplinary Initiative
• Culture of Privacy and Compliance Requires A Culture Of Security
• Assemble the Information Security Team
  - IT
  - Health Information Management and Clinicians
  - Legal: In-House And Outside Counsel
  - Outside Security Consultants/Vendors


SECURITY TEAM ASSESSMENTS

• Data Map: Where Is Your PHI?
  - Many Locations Including Portable Media
  - Systems “Off the Grid”
• Tools and Applications
  - Access Controls
  - Encryption
  - De-Identification Where Practicable
• Penetration Analyses
• Are Policies and Procedures Comprehensive and Current?
• Business Associate Compliance

CONCLUSION

• PROACTIVITY SAVES TIME AND MONEY
  - Assemble Security Assessment Team Now
  - Security Analysis Is A Requirement For Accessing HITECH Incentive Funds (“Meaningful Use”)
  - Remediate Vulnerabilities Before Breaches Occur And Before Audit Notice Is Received
  - Reminder Training And Notices Enable A Culture Of Security And, With It, Privacy


QUESTIONS?

• KENNETH N. RASHBAUM, ESQ.
  - Rashbaum Associates, LLC
  - 212-421-2823
  - krashbaum@rashbaumassociates.com
  - www.rashbaumassociates.com
  - Twitter: @RashbaumAssoc