Incident Response: Best Practices in Breach Management

Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, VP of Privacy, Compliance and HIM Policy, MRO
Melissa Landry, RHIA, Assistant Vice President of Health Information Management, Ochsner Health System

Agenda
• Current Environment and Statistics related to Healthcare Breaches
• Breaches under HIPAA and State Law
• HIPAA Security Rule Safeguards that Address Incident Response Plans
• Best Practices for Incident Response Plans
• The First 24 Hours Following a Breach
• Questions

Reputation. People. Innovation. Outcomes.

Data Breach Landscape
• Data breaches cost companies an average of $221 per compromised record
  – $145 pertains to indirect costs, which include abnormal turnover or churn of customers
  – $76 represents the direct costs incurred to resolve the data breach, such as investments in technologies or legal fees
• Heavily regulated industries such as healthcare, life science and financial services tend to have a per capita data breach cost substantially above the overall mean of $221
• The total average organizational cost of a data breach is $7.01 million

Statistics: The Cybersecurity Threat to Healthcare
• 89% of healthcare organizations surveyed by the Ponemon Institute report suffering at least one data breach in the past 2 years
• Data breaches could be costing the healthcare industry upwards of $6.2 billion per year
• A breach of medical information costs healthcare organizations an average of $2.2 million per breach
• Interestingly, the value of medical information on the black market has recently plummeted, one reason hackers are resorting to ransomware

Recent Resolution Agreements and Civil Money Penalties involving Breaches
ANTHEM, INC. - A record HIPAA settlement following the largest health data breach in history - October 15, 2018
Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest health data breach in history and exposed the electronic protected health information of almost 79 million people.
A $16 million settlement, the largest fine yet: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/anthem/index.html

The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016
• This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans.
• On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected, continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.
• After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks.
• OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.
• OCR’s investigation revealed that Anthem:
  – failed to conduct an enterprise-wide risk analysis,
  – had insufficient procedures to regularly review information system activity,
  – failed to identify and respond to suspected or known security incidents, and
  – failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.

Recent Resolution Agreements and Civil Money Penalties involving Breaches

A health system in California (the “System”)
The System operates several hospitals, including a rehabilitation hospital
• The System reported to OCR two breaches of unsecured electronic protected health information (“ePHI”) that affected over 60,000 individuals. One breach occurred in December 2013 and impacted approximately 50,197 individuals, and the other occurred in December of 2015 and impacted about 11,608 individuals.
• The removal of server protections by a System contractor led to the first breach, where protected health information (“PHI”) was available to anyone who could access the System’s server and download files, even if they did not have a username and password.
• PHI was accessible on the internet again due to an employee activating the incorrect website on a SQL server. This led to the second breach.
Resolution Payment: $3 million fine and adoption of an extensive corrective action plan

Potential financial impact of HIPAA noncompliance on covered entities and business associates
• Is not limited to fines from OCR. These record figures do not include the costs covered entities and business associates incur when required to respond to an OCR investigation that does not result in direct fines and penalties.
  – Hard costs
  – Soft costs
• The increasing demands on technology infrastructure and capabilities, as well as the accompanying demands on information technology staff, have created a complex environment to manage for entities that must comply with HIPAA. Entities subject to HIPAA should:
  – Recognize the importance of a robust HIPAA compliance plan that is regularly reviewed and updated by all relevant internal parties;
  – Ensure that sufficient resources are allocated to implement adequate security measures to address identified risks and vulnerabilities;
  – Establish processes to regularly conduct system reviews for all systems and applications that maintain ePHI to reduce the chance that human error results in such a significant breach of ePHI; and
  – Ensure that those responsible for contracting and procurement are fully apprised of the nature and scope of services a particular vendor is providing and that they work with information technology staff and business partners to properly address regulatory obligations, like business associate agreements
    » Taken from Hall Render Killian Heath & Lyman PC

HIPAA Security Rule Safeguards that Address Incident Response Plans
• HIPAA Administrative Safeguards – Security Management Process - 45 CFR § 164.308(a)(1)
  • Sanction Policy (Required)
    – “Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the CE”
    • Require workforce members to sign a Statement of Adherence to your organization’s HIPAA Security Policies & Procedures
    • The Statement of Adherence should state that the workforce member acknowledges that violations of HIPAA Security P&Ps may lead to disciplinary action, for example, up to and including termination
    • The Sanction Policy should include examples of potential violations of HIPAA Security P&Ps
    • The Sanction Policy should adjust the disciplinary action based on the severity of the violation
  • Information System Activity Review (Required)
    – “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports”
    – The information system activity review enables CEs to determine if any e-PHI is used or disclosed in an inappropriate manner
    • Information system activity review procedures may be different for each CE and BA
    • The procedure should be customized to meet your organization’s risk management strategy and take into account the capabilities of all information systems with e-PHI

HIPAA Security Rule Safeguards that Address Incident Response Plans
• HIPAA Administrative Safeguards – Security Management Process - 45 CFR § 164.308(a)(1)
  • Assigned Security Responsibility (Required)
    – “Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the Security Rule] for the entity”
HIPAA Security Rule Safeguards that Address Incident Response Plans
• HIPAA Administrative Safeguards – Security Awareness and Training - 45 CFR § 164.308(a)(5)
  – “Implement a security awareness and training program for all members of its workforce (including management)”
  • Security Reminders (Addressable)
    – Notices in printed or electronic form, agenda items and specific discussion topics at monthly meetings, focused reminders posted in affected areas, as well as formal retraining on your organization’s HIPAA Security P&Ps
    – It is recommended that your organization review how it currently reminds the workforce of current P&Ps, and then decide whether these practices are reasonable and appropriate, or if other forms of security reminders are needed
NOTE: At the Spring 2017 HIPAA Summit, the OCR stated, “Addressable does not mean optional!!!”

HIPAA Security Rule Safeguards that Address Incident Response Plans
• HIPAA Administrative Safeguards – Security Awareness and Training - 45 CFR § 164.308(a)(5)
  • Initial, then Annual Training
    – Documentation
    – Have a System
  • Ongoing Privacy & Security Tips
    – Employee Newsletters
    – Use Technology Applications
      • OCR YouTube videos: https://www.youtube.com/user/USGovHHSOCR
  • Competency Testing
    – AHIOS CRIS Test
    – HITNOTS.com Quizzes
  • Retrain & apply sanctions for all privacy & security incidents
  • Focus on Breach Prevention!
  • Your New Rights Under HIPAA (2:47): https://www.youtube.com/watch?v=3-wV23_E4eQ
  • The Right to Access and Correct Health Information (1:04): https://www.youtube.com/watch?v=JY1l5s8ED5c
  • Your Mobile Device & Health Information Privacy & Security (4:43): http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

HIPAA Security Rule Safeguards that Address Incident Response Plans
• HIPAA Administrative Safeguards – Security Incident Procedures (Required) – 45 CFR § 164.308(a)(6)
  • Requires CEs and BAs to address security incidents within their environment
  • Security Incident: “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system”
    – Procedures must address how to identify security incidents and require that incidents be reported to the appropriate person or persons
    – Whether a specific action would be considered a security incident, the specific process of documenting incidents, what information should be contained in the documentation, and what the appropriate response should be will depend upon an entity’s environment and the information involved
    – An entity should be able to rely upon the information gathered in complying with the other HIPAA Security Rule standards to determine what constitutes a security incident in the context of its business operations

Ochsner Health System: Who We Are
Ochsner Health System pursues partnerships and affiliations to align with our DESTINATION CENTER OF EXCELLENCE STRATEGY
Largest Health System in the Gulf South
• 29 Hospitals (Owned, Managed & Affiliated)
• Over 60 Health Centers
• Over 2,500 Affiliated Physicians, including over 1,100 Employed in more than 90 Specialties and Subspecialties
• 600 Clinical Trials – 7,000 Patients
• 417 Medical Students – Ochsner Clinical School/University of Queensland
• 375 Residents in 27 Programs
• Largest Private Employer in Louisiana

OHS – Best Practices for Incident Prevention
Audit Controls – User Activity Monitoring
• Fair Warning - Managed Privacy Services
  – Proactive monitoring by Fair Warning; alerts provided to OHS
  – OHS Privacy team of three dedicated resources manage the internal investigation and follow-up
  – Monitoring rules for VIP and co-worker hierarchy

OHS – Best Practices for Incident Prevention
Access Controls – EMR/PHI
• Break the Glass (BTG)
  – Offers a higher level of protection for a patient’s private information
  – Attempted access will prompt for a reason and password to gain entry
  – Closely monitored to ensure that only authorized individuals are accessing
Triggers for BTG Security
a) Patient Level
  – When the patient is marked with BTG – Celebrity or BTG – all other
  – When a patient is associated with one service area and access is attempted by a user associated with another service area via the user’s default log in settings in the EMP record
b) Encounter Level
  – When a patient currently has or has ever had an encounter within a psych department

OHS – Best Practices for Incident Prevention
Access Controls – EMR/PHI
• Patient Opt Out
  – Private encounter flag
• Sensitive Notes
  – Default setting vs. end user initiated
  – Access to view controlled by security
• Social Security Number Masking
  – Limited display of SS# - controlled through security
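An added example, not code from the presentation, Ochsner or Fair Warning, of the information system activity review that 45 CFR § 164.308(a)(1) requires: it applies the BTG trigger rules above and the VIP / co-worker hierarchy monitoring rules to a constructed EMR access log, escalating BTG-triggered accesses that recorded no reason and every co-worker hit. The record layout, field names, and the sample users, patients and log entries are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
@dataclass
class Patient:
    mrn: str
    service_area: str
    btg_flag: Optional[str] = None     # "celebrity", "other" or None (no BTG marking)
    psych_encounter: bool = False      # currently has or ever had a psych-department encounter
    employee_id: Optional[str] = None  # set when the patient is also a workforce member
@dataclass
class User:
    user_id: str
    service_area: str                  # default login service area from the EMP record
    manager_id: Optional[str] = None

def btg_trigger(user: User, patient: Patient) -> Optional[str]:
    """Return the trigger that should have forced a Break-the-Glass prompt, or None."""
    if patient.btg_flag is not None:
        return "patient-level: BTG " + patient.btg_flag
    if patient.service_area != user.service_area:
        return "patient-level: cross-service-area access"
    if patient.psych_encounter:
        return "encounter-level: psych encounter history"
    return None

def coworker_rule(user: User, patient: Patient, users: Dict[str, User]) -> Optional[str]:
    """Patient is a workforce member whose chart was opened by self, manager or report."""
    emp = patient.employee_id
    if emp is None or emp not in users:
        return None
    if emp == user.user_id:
        return "self-access to own record"
    if users[emp].manager_id == user.user_id:
        return "manager viewed direct report's record"
    if user.manager_id == emp:
        return "employee viewed manager's record"
    return None

def review_access_log(log, users: Dict[str, User], patients: Dict[str, Patient]) -> List[tuple]:
    """Entries are (user_id, mrn, btg_reason). BTG accesses are listed; no reason or a co-worker hit escalates."""
    findings = []
    for user_id, mrn, reason in log:
        user, patient = users[user_id], patients[mrn]
        trigger = btg_trigger(user, patient)
        if trigger:
            sev = "REVIEW" if reason else "INVESTIGATE"
            findings.append((sev, user_id, mrn, "%s; reason: %s" % (trigger, reason or "none")))
        hit = coworker_rule(user, patient, users)
        if hit:
            findings.append(("INVESTIGATE", user_id, mrn, "co-worker rule: " + hit))
    return findings

# Constructed sample data (fictional users, patients and access records).
USERS = {u.user_id: u for u in [User("nurse_a", "cardiology", manager_id="dr_b"),
                                User("dr_b", "cardiology"), User("clerk_c", "oncology")]}
PATIENTS = {p.mrn: p for p in [Patient("P1", "cardiology"),
                               Patient("P2", "cardiology", btg_flag="celebrity"),
                               Patient("P3", "oncology", psych_encounter=True),
                               Patient("P4", "cardiology", employee_id="nurse_a")]}
ACCESS_LOG = [("nurse_a", "P1", None),                  # routine access within own service area
              ("nurse_a", "P2", None),                  # celebrity record, no BTG reason recorded
              ("clerk_c", "P2", "scheduling request"),  # celebrity record, reason recorded
              ("clerk_c", "P3", None),                  # own service area, psych encounter history
              ("dr_b", "P4", None),                     # manager viewing direct report's chart
              ("nurse_a", "P4", None)]                  # employee viewing own chart
```

Running `review_access_log(ACCESS_LOG, USERS, PATIENTS)` yields five findings: the routine cardiology access is silent, the two celebrity-record accesses differ only in whether a BTG reason was captured, and the two accesses to the employee-patient's chart are escalated under the co-worker rule regardless of BTG status.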
OHS – Best Practices for Incident Prevention
Access Controls – EMR/PHI
• Shared EMR – Service Area Build
  – SA matrix defines the access

OHS – Best Practices for Incident Prevention
Access Controls – EMR/PHI
• Security Provisioning – Role-Based Access
  – OHS Policy: EMR User Access Provisioning
    • Access granted based upon job role and contingent upon proper training/application template assigned
    • Residents and students completing clinical rotations are granted time-limited access based upon start/end dates of rotation
  – OHS Policy: DGProc.023 – Access to PHI Non-OHS Individuals
    • Community and Referral providers, office staff, outside reviewers granted limited “view only” EMR
    • User Access Agreement – “SWAAG”
    • Limited access based upon needs (First Access, Managed access, insurance restricted)
  – OHS Policy: Workforce Access to PHI

Best Practices for Incident Response Plans
4. Provide On-Going Education and Training for Workforce Members
  – Creating a culture of compliance is key
  – Workforce members should undergo formal training at least once a year to ensure compliance with applicable federal and state law
  – Provide regular reminders of P&Ps
    • Emails, posters, and patient privacy awareness events and activities
  – Investigations into “Close Calls”
    • Root Cause Analysis

Best Practices for Incident Response Plans
5. Provide On-Going Education and Training for Workforce Members – Helpful Tools
  • Your cyber-liability insurance carrier may have free tools for training and education
  • OCR’s YouTube Channel: https://www.youtube.com/user/USGovHHSOCR

Best Practices for Incident Response Plans
6. Encrypt!!!
  – Utilize technologies that strengthen your compliance program
    • Encryption
      – Secured PHI Safe Harbor
      – Access monitoring software
      – HHS Guidance on Technical Safeguards: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
DON’T FORGET SNAIL MAIL PROCESSES: take precautions. For example, a recent incident at Rush exposed the names of 908 patients.

Best Practices for Incident Response Plans
7. Test the Effectiveness of your Compliance Program
  • Social Engineering
    – Fake phishing emails
    – Fake phone calls
    – Check desks for exposed passwords
  • Mock Breach Exercise
  • Auditing
    – Internal audits
      • OCR Phase 2 Audit Protocol
    – External audits
    – Penetration testing

Best Practices for Incident Response Plans
8. Assess your BA’s Compliance
  • Due Diligence
  • Business Associate Agreements
  • Periodic Vendor Assessments

The First 24 Hours Following a Breach
1. The Privacy Officer should document the incident in a report and conduct and draft a risk assessment
  • What happened?
  • When did it happen?
  • What data was involved?
  • How many individuals were impacted?
  • Corrective action taken
  • Identify what state laws must be complied with in addition to the HIPAA Breach Notification Rule
2. Assemble your Patient Data Protection Committee / Incident Response Team to review the report and risk assessment
3. If the breach involves a significant number of individuals or you anticipate the breach to be costly, notify your cyber liability insurance carrier immediately
  • If the breach is caused by a BA and they indemnify you, have the BA notify their cyber liability insurance carrier
4. Draft notice to affected patient(s) in accordance with HIPAA and applicable state laws (the law of the state in which the facility is located and the law(s) of the state(s) in which the affected individual(s) reside)
5. Provide notice to applicable government entities under HIPAA and relevant state laws
6. Notify the media, if required under applicable law
7. Document the incident in the patient’s accounting of disclosures

Environmental Scanning is an Essential Element for your program
Becker's Health IT & CIO Report
Top news, 2/21/2019: Seattle-based UW Medicine sent letters to 974,000 patients notifying them of a Dec. 4, 2018, data error that allowed patient information to come up in internet searches. UW Medicine became aware of the incident Dec. 26, 2018, and took immediate action to remove the patient files from the internet. An internal human error made the patient files accessible. Google saved some of the files before UW Medicine discovered the breach, so the hospital worked with the tech giant to remove the saved versions. As of Jan. 10, all patient files were removed from Google's servers.

Post-Incident Actions: UW Medicine
• Reviewing its internal protocols and procedures to prevent further data errors.
• Set up a call center and website to field patient questions.

The 10 Elements of an Effective Compliance Program
1) Risk Assessments
2) Training and Education
3) Developing Workplans
4) Policies and Procedures
5) Incident Monitoring
6) Program Audits
7) Sanction Checking
8) Governance and Oversight
9) Contract Management
10) Executive Reporting
Helpful Tools
• OCR FAQs on Patient Access
  – http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/
• Phase 2 of HIPAA Audits
  – http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html#when
• Administrative Safeguards
  – HHS - Addressing Gaps in Cybersecurity: OCR Releases Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework: http://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk/
  – HHS Guidance on Risk Analysis: http://www.hhs.gov/hipaa/for-professionals/security/guidance/final-guidance-risk-analysis/index.html
  – ONC’s Security Risk Assessment Tools: https://www.healthit.gov/providers-professionals/security-risk-assessment
  – HHS Security Rule Guidance Material: http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
• “Minimum Necessary” Rule
  – HHS Guidance on the Minimum Necessary Requirement: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html
• Technical and Administrative Safeguards
  – HHS Guidance on Technical Safeguards: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
  – HHS Guidance on Physical Safeguards: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf

Questions?

Contact Info
The views and opinions expressed in this presentation are those of the presenters and do not necessarily reflect or represent the views, opinions, or policies of MRO Corporation.

Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB
Vice President of Privacy, Compliance and HIM Policy
MRO
610-994-7500, Ext. 526

Melissa Landry, RHIA
Assistant Vice President of Health Information Management
Ochsner Health System