HIM 322
Vulnerabilities
-Weaknesses that impact the security of systems and networks -In order to be exploited, it must be known to others -Threat Vector = path taken to exploit a vulnerability -Examples: emails, external hardware, mobile devices, and lack of patch management -Attack Vector examples: lack of proper system configuration, unsecure connections allowing entry through unrelated systems (HVAC in Target) -Criminals can get in even through coffee machines and AC units -Identifying potential vulnerabilities is part of risk mitigation planning
Applicability
-applicability of security rule is same as privacy rule -applies to covered entities, business associated, subcontractors of business associates -administrative, physical, and technical safeguards are mandated and subjected to penalties by HiTECH -HiTECH expanded the business associate definition to include PHR vendors, e-subscribing gateways, and HIE (health info exchanges)
Group Health Plans (required) (organizational safeguard)
-requires the plan sponsor (one who sets up the plan; ex: employer) to reasonably and appropriately safeguard the confidentiality, integrity, and availability of ePHI There is 1 implementation specifications: Plan Document (R) Plan documents of group health plan must require sponsor to implement administrative, technical, and physical safeguards to protect ePHI it receives, creates, maintains, or transmits on behalf of the plan. Separation of ePHI is supported by security measures Ensure that any agent to whom it provides information agrees to implement security measures to protect information and report to the health plan any security incident of which it is aware.
Technical Safeguards
1. Access controls 2. Audit Controls 3. Integrity 4. Person or entity authentication 5. Transmission security
Five Security Components of Risk Management
1. Administrative Safeguards 2. Physical Safeguards 3. Technical Safeguards 4. Organizational Standards 5. Policies and Procedures
HIPAA Security Rule, Section (e) , Maintenance
1. Continued review of the reasonableness and appropriateness of security measures 2. Review and modify security measures if necessary 3. Update documentation of such measures
HIPPA security rule: security standards
1. General requirements 2. Flexibility of approach 3. Standards related to: a) Administrative, physical, and technical safeguards b) Organizational requirements c) Policies and procedures d) Documentation requirements 4. Implementation specifications 5. Maintenance of security measures
HIPAA Security Rule—Administrative Safeguards
1. Security management process 2. Assigned security responsibility 3. Workforce security 4. Information access management 5. Security awareness and training 6. Security incident reporting 7. Contingency planning 8. Safeguard evaluation 9. Business associate contracts and other requirements
HIPAA Security Rule Section (b) Flexibility of Approach
A covered entity's choice of security protections will depend on: 1. Complexity of the organization 2. The cost of implementing security safeguards (not supposed to be cost prohibitive meaning it's cheap) 3. Probability and criticality of potential risks to ePHI (uncovered in risk analysis) 4. Security capabilities of their hardware and software -CEs are allowed to implement the standards and their implementation specifications reasonably and appropriately
Access Controls
Access controls are designed to prevent unauthorized individuals from retrieving, using, or altering information
Access Rights: Role-Based Access Control (RBAC)
Access is based on roles individuals have within the organization Users are assigned roles which have been assigned various privileges needed to perform that role Ex: nurses will all have same access within the system Easier to manager than user based access control
Intentional Human Threats
Ex: viruses, hacking, theft, intentional alteration of data, intentional destruction of data Culprits(person doing threat): disgruntled employee, computer hacker, prankster Large scale hacking is now the most common form of intentional computer tampering Large scale hacking can be done through: -Embedded malware -Ransomware (becoming a bigger threat in hospitals) (hold data for ransom, encrypting it to not allow access until hospital pays ransom) (basically, the criminal will not release data unless they get what they want)
Natural or Environmental Threats
Examples: tornados, floods, fire, power surges lightning, water damage Providers must have a plan for protecting and recovering their information to be compliant with HIPAA and Joint Commission standards
Firewall Protection-System Controls
Firewall = A hardware or software device that examines traffic entering and leaving a network Prevents some traffic from entering or leaving based on established rules Usually exists between the CE's internal network (trusted network) and the Internet (untrusted network) Routers: -Link two different networks -Are responsible for routing or sending the network traffic to the correct designation -Not as robust as firewalls Can be programmed to filter certain types of network traffic
Medical Identity Theft
Medical identity theft is stealing of an individual's PHI (personal health information) Medical identity theft is rising Victims include patients, providers, and insurers Costs around $13,500 to resolve the crime Two types: -Use of a person's name and/or other identifiers without the knowledge or consent of the victim, to obtain medical services or good -Use of a person's identity to obtain medical services by falsifying claims for medical services
Password Systems: Password Do's
Most secure method: Phrase + Number Do's: Pick a combination of letters and at least one number Pick a password with at least eight characters Mix upper and lowercase if case sensitive Pick a word that you can easily remember Change password often
Access Rights: Context-Based Access Control (CBAC)
Most stringent Begins with protection afforded by RBAC or UBAC Takes it a step farther by taking into account: The person attempting to access the data The type of data being accessed The context of the transaction Ex: Only allow night time nurses access during night
Security Threats: Types
Natural, environmental, also human. Human threats can be internal, external, intentional, unintentional Criminal attacks are now the leading cause of data breach for healthcare entities. Cyber attacks are now the leading concern, and they can be internal or external.
Example: Mrs. Jones' son, who is a lab technician, was visiting his mother in the hospital and noticed the hospital had an electronic health record system. He recognized the software program, and wanted to see how it worked. He sat down at an open laptop to look at the program. Should he be able to do this?
No. -A covered entity must have various security measures in place including: -Technical controls on who has access into the computer system -Physical security for the workstations -Administrative safeguards such as policies and procedures to protect ePHI
Security Safeguards Evaluation (Required) (admin safeguard)
Periodic performance of technical and nontechnical evaluations in response to changes affecting the security of ePHI
Policies and procedures for the use of email should be created and enforced CEs should develop policies that include use of company email, retention, automatic forwarding, and use of third party email storage systems such as Google Security teams should verify compliance by walk throughs, video monitoring, and internal and external audits of email systems
Types of Controls
Preventive controls try to stop harmful events from occurring Detective controls identify if a harmful events has occurred Corrective controls are used after a harmful event to restore the system
Integrity (Addressable) (tech safeguard)
Requires implementation of policies and procedures to protect ePHI from improper alteration or destruction
Transmission Security (tech safeguards)
Requires implementation of technical measures to guard against unauthorized access to ePHI that is transmitted across a network There are two implementation specifications: -Integrity controls (Addressable) -make sure that electronically transmitted ePHI is not improperly modified without detection -Encryption (A) -when appropriate These are addressable standards that do not require encryption
Documentation: (polices, procedures & documentation safeguard)
Requires maintenance of policies and procedures in written (!!!) form Three implementation specifications: Time limit (Required) - retained for six years from the date of creation or date it was last in effect (whichever is later) Availability (R)-documentation is available to those responsible for implementation (staff must be well trained and available to perform their job function) Updates (R)-must review documentation periodically and update as needed (flexible)
Information Access Management (admin safeguard)
Requires policies and procedures for authorizing access to ePHI Three implementation specifications: Isolating healthcare clearinghouse functions (Required) -Access authorization (Addressable) >Policy and procedure for granting access to ePHI through a workstation, transaction, program, or other process -Access establishment and modification (Addressable) >Policy and procedure to establish, document, review, and modify a user's right to access a workstation, transaction, program, or process
Device and Media Controls (physical safeguard)
Requires policies and procedures that govern the removal and movement of hardware and electronic media that contain ePHI -Four implementation specifications: -Disposal (Required) -The standard requires that the entity provide policies and procedures for the final disposition of hardware and electronic media -Media Reuse (R) -procedures for removal of ePHI from electronic media before it can be reused -Accountability (Addressable) -maintain a record of movements of hardware and electronic media and any person -Data Backup and Storage (A) -must create a retrievable, exact copy of ePHI when needed, before movement of the equipment
Policies and Procedures: (polices procedures and documentation safeguard)
Requires the establishment and implementation of policies and procedures to comply with the standards, implementation specifications, and other requirements Policies and procedures may changed at any time, as long as those changes are documented and implemented (similar to privacy rule)
Automatic Log-Off
Security procedure that causes a computer session to end after a predetermined period of inactivity Set by network administration Different than a screen-saver that requires you enter a password
Workstation Use and Security-System Controls
Should be placed in a secure area Should be positioned so that patients and visitors cannot read screens in public areas Screen devices can be placed over the monitor Policies should delineate the appropriate functions performed on workstations, and rules for sharing workstations
Electronic Mail 2
Staff training on security risks associated with email and compliance with applicable privacy and security policies and procedures is mandatory All email users should be required to have user IDs and passwords for email Staff should be trained on how to manage email and given specific templates for email content and business functions routinely handled through email
HIPAA Security Rule Section (a) General Requirements
The Security Rule requires all covered entities to: 1. Ensure the confidentiality, integrity, and availability (CIA triad) of all ePHI that they create, receive, maintain, or transmit 2. Protect against any reasonably anticipated threats or hazards to the security and integrity of the ePHI 3. Protect against any reasonably anticipated uses or disclosures of the ePHI that are not permitted or required by the Privacy Rule 4. Ensure compliance with the Security Rule by their workforce
Physical Safeguards
The Security Rule requires covered entities to establish policies and procedures that will provide physical safeguards for ePHI The rule defines physical safeguards as "the physical measures, policies, and procedures to protect a covered entity's electronic information system and related buildings and equipment from natural and environmental hazards and unauthorized intrusion" 4 physical safeguards: -Facility Access Controls -Workstation Use -Workstation security -Device and media controls
Internet Transmission of ePHI
The internet is applied to a variety of healthcare functions including prescription refills, scheduling appointments, communicating with physicians, researching medical conditions, and telemedicine activities Security risks commonly faced include: -Unauthorized access -Unauthorized disclosure -Introduction of viruses or other contaminants
Balancing act between computer system security
The need for ready access to patient info by all of those involved in patient's care. A provider can be held liable if records are so guarded, that they are not available to them. A provider can also be liable for privacy and security breaches that are a result from allowing unauthorized people access to the EHR or from not safeguarding the EHR from destruction
Remote Access
Tips for keeping remote working environment secure: -Facilitate remote workforce with support of HR and IT -Create a security policy and educate workforce Issue corporate equipment for work purposes only -Deploy VPNs with two factor authentication -Utilize thin-client applications that do not store any information locally -Install tools that monitor the status of all computers -Check virus updates regularly -Require the use of personal firewalls -Insist on shredders for any information that is printed -Balance security with ease of access to eliminate subversive behaviors
Virus Checking
Types of viruses: -File infectors ->attack program files so that when a program is loaded, the virus is also loaded -System or boot-record infectors ->infect system areas of hard disks -Macro viruses ->infect office applications Worm ->stores and replicates itself; usually transmitted via email Trojan horse -> hides in something that looks harmless
Unintentional Human Threats
Unintentional damage to electronic information systems include: Lack of training Improper system use Human error Password sharing Responding to phishing requests (phishing-impersonates a business to attempt the user to provider personal info. Allow them to have access to the system) Downloading information from an nonsecure site Installation or use of unauthorized software Pg 296
Types of Malware
Viruses: -Spyware: -can track keystrokes and passwords, or monitor websites visited -Information gathered is reported back to the creator. Phishing: -An email that appears from a legitimate business that asks for account number and other personal information -The email is actually from a phisher who uses the information maliciously.
Access Rights: Who?
Who? Access Control List: A list of users with rights to access the information May be organized by individual users or groups of users Groups are defined by role or job function
Security Awareness and Training
Workforce training is required Raising awareness and changing individual behaviors is one of the most effective tools a CE has to ensure compliance with HIPAA Security Rule and prevent breaches Human factor can be the weakest part of your security program Privacy and security training may be combined due to overlap Training programs should be continually evaluated for effectiveness Resources available from HealthIT.gov: http://healthitd8.ahrqstg.org/topic/privacy-security-and-hipaa/health-it-privacy-and-security-resources-providers
Unfortunately, the hospital had not started planning for the HIPAA security rule and had not assessed its system vulnerabilities. Mrs. Jones' son crashed the system causing it to be down for 48 hours and all information entered since the previous back up was lost. Could this have been prevented?
Yes. The security rule requires HIPAA covered entities to analyze their risks and vulnerabilities. One of the areas that must be addressed is contingency planning -how to restore lost data and operate in an emergency or disaster.
HIPPA Security Rule
governs only PHI that is transmitted or maintained in some sort of electronic media. So this only applies to ePHI
HIPPA Privacy Rule
governs privacy and confidential of all PHI regardless of media
ONC (Office of the National Coordinator)/HHS (Health and Human Services) SRA Tool
https://www.healthit.gov/providers-professionals/security-risk-assessment-tool Can be used to systematically identify gaps in processes, policies, or procedures. can help come up with a plan to address the gaps
security
protecting info from loss, unauthorized access or misuse, and keeping info confidential
Entity Authentication
Entity authentication is the "corroboration that an entity is the one claimed" Users must be assigned a unique identifier Commonly known as a "user-id" Due to its public nature, if there is a need to authenticate, commonly with a password Three Authentication methods: Something you know- ex: traditional password Something you have- ex: token (see below on another flashcard) Something you are- ex: by a metric identifier (see below)
Disaster Planning and Recovery
-Implementation of these implementation specifications should become part of the risk analysis -AHIMA has a Disaster Planning and Recovery Toolkit which contains: -Steps to draft a business continuity plan including communications, management, protecting health information, use and disclosure of health information, and recovery -Sample contingency plan, staff competency list, immediate and short term concerns checklist, and sample emergency privilege application and release form Link: http://bok.ahima.org/doc?oid=301964#.Wrapypch1EZ APPLIES TO CIA
Risk Analysis (policies, procedures, and doc safeguard)
-"Risk analysis is a process to identify threats, vulnerabilities, and risks to the organization's protection of health information. -These risks are evaluated based on their probability and impact on the organization and then determined to be low, medium, or high. -Organizations then use the results to create a plan to minimize the risks and reduce the impact to both the organization and its patients." -If a risk is found, organizations accept the risk, mitigate (lessen/decrease) the risk by implementing risk controls, transfer the risk, or research the risk, (a temporary solution that allows further study of the risk and its impact) -OCR may ask to review the risk assessment if the CE is selected for a random security compliance audit
Security Incident Reporting (Required) (admin safeguard)
-A "security incident" is an event in which the security of a system was breached or threatened -Policies and procedures to address security incidents is required -One implementation specification: -Response and reporting (R) -Must identify and respond to suspect or known security incidents and document security incidents and their outcomes -Don't forget breach notification under ARRA (The HIPAA Breach Notification Rule requires covered entities to notify affected individuals)
Five Categories of Red Flags
-Alerts, notifications, or warnings from a consumer reporting agency -Suspicious documents -Suspicious personally identifying information such as suspicious address -Unusual use of, or suspicious activity relating to, a covered account -Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with an account
Audit Trails
-Audit trails show: Who accessed a computer system When it was accessed What operations were performed -Categorization of uses: Individual accountability Reconstructing electronic events Problem monitoring Intrusion detection Retention of logs
Prevention, Detection, and Mitigation of Medical Identity Theft
-Build awareness by providing education to all staff about the issue and impacts -Educate registration staff to watch for actions or documents that could be an indicator -Work with IT staff to educate the workforce on security risks -Perform comprehensive background checks and screenings on all employees -Monitor BA activities for compliance with privacy and security practices -Use fraud prevention measures for anomaly detection and data flagging -Perform proactive audits to determine if a data breach has occurred -Educating consumers is a good idea as well. If a wallet is stolen, they would report missing credit cards. Would they report a missing insurance card the same way? Do they understand the importance of monitoring EOBs?
Cybersecurity-System Controls
-Cybersecurity = the preventative methods used to protect information from being stolen, compromised, or attacked -It requires an understanding of threats -Strategies include: Identity management Risk management Incident management -Value of stolen medical information on the black market is the driving force behind the significant rise in attacks against healthcare organizations -AHIMA's Steps to a Cybersecurity Plan: http://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf -Ransomware-criminal makes data unreadable until one pays ransom -Paying ransom-paying is more susceptible to another attack -Phishing exercises -Dropped flash drive exercise -Malware on a phone charger -Virus through coffee machine
Tokens Identifiers
-Devices (like key cards) that are inserted into doors or computers or a device that uses the USB port on a device -With cloud storage, more web-based security tokens are being used -Identification is based on user's possession of the token Two-factor with User ID and Password May be lost, misplaced, or stolen
Transmission of ePHI
-Electronic communications: -Examples: fax, email, text, wireless mobile devices -Are business records of the organization -Are subject to the same storage, retention, retrieval, privacy, and security provisions as any other patient-identifiable health information
Identity Theft
-Fast-growing crime made possible by our increasingly electronic business environment Because of the demographic information we collect, we have an obligation to protect our patients Health information is now more valuable than stolen credit card data Identity Theft and Assumption Deterrence Act made it a federal crime Max penalty is 15 years in prison and up to $250,000 in fines Pg. 298
HIPPA security rule 2
-HIPAA security standards are unique in that they state fairly general objectives, but provide no detailed instructions concerning how to meet them -technology neutral -Covered entities may use any security methods that enable them "to reasonably and appropriately implement" the security standards -The flexibility and scalability of the standards make it possible for all CEs, regardless of size, to be compliant with the rules -They are allowed to design specific safeguards that will achieve those objectives in their own organizations and operational environments
HIPAA Security Rule, Section (d) Implementation Specifications
-Implementation specifications are detailed instructions for implementing a particular standard -They are designated as required or addressable -Required specifications must be present if the CE is to be in compliance -An addressable specification is more available for use and to provide the CE flexibility with respect to compliance -CEs must evaluate risks and vulnerabilities and implement policies and procedures to address them
Security Rule Enforcement (policies, procedures, and doc safeguard)
-In 2009, HIPAA security rule enforcement was transferred from CMS (content management system) to OCR, and OCR has recently added investigators -Notable changes to enforcement occurred due to HITECH (just as with the Privacy Rule) -OCR not only investigates based on claims received, but may conduct random compliance audits at CEs -The HITECH also increased fines for HIPAA violations -Old policies and procedures will need to be dusted off as organizations prepare for these random compliance audits -The best way to prepare is to conduct an organization-wide risk analysis -Used to be complaint driven only.
Facsimile or Faxing ePHI
-Most states allow faxes to be accepted as part of the legal health record -CMS specifically permits faxed copies of physician orders as long as they are kept as part of the patient's record -HHS specifically states that a valid, signed authorization for disclosure of PHI may be a copy received by fax
Business Associate Contracts and Other Arrangements (Required) (admin safeguard)
-One implementation specification -Written contract or other arrangement (Required) -If someone is using your PHI, you must ensure they will safeguard the information with a written contract. -The same goes for Bas and their Subcontractors
Noncompliance
-Providers may face civil and criminal liability for a release of medical records information that has not been authorized by the patient or that has not been made pursuant to statutory, regulatory, or other legal authority
Assigned Security Responsibility (Required) (admin safeguard)
-Requires identification of the individual responsible for overseeing development of the organization's security policies and procedures -The privacy official and the security official positions may be filled by the same person -No implementation specifications
Workforce security (admin safeguard)
-Requires implementation of policies and procedures to ensure that all members of a CEs workforce have appropriate access to ePHI and prevent those workforce members who do not have access from obtaining access Three implementation specifications: -Authorization and Supervision (A) (A=Addressable) -must have procedures for ensuring that the workforce working with ePHI has adequate authorization and/or supervision -Workforce Clearance Procedure (A) -there must be a procedure to determine what access is appropriate for the workforce -Termination Procedures (A) -there must be a procedure for terminating access to ePHI when a workforce member is no longer employed or responsibilities change The Security Rule does not require employee background checks as a part of a covered entity's workforce clearance procedure but a covered entity must determine that the access of a workforce member is appropriate -All flexible
Workstation Security (Required) (physical safeguard)
-Requires physical safeguards at all workstations -Access must be restricted to authorized users -Locking portable workstations to desks to prevent theft and limiting access to work areas that include computers
Facility Access Controls (addressable) (physical safeguard)
-Requires policies and procedures to limit physical access to electronic information systems and facilities that contain such systems -Four implementation specifications: 1. Contingency Operations (Addressable) -allow facility access to support the restoration of lost data under disaster recovery plan 2. Facility Security Plan (A) -policy and procedure to safeguard facility and equipment from unauthorized access, tampering, and theft 3. Access Control and Validation Procedures (A) -procedures to control and validate access to facilities based on user functions 4. Maintenance Records (A) -document repairs and modifications to physical components of a facility as they related to security -"Facility" is defined as physical premises and the interior and exterior of buildings -The standard focuses upon protecting ePHI from unauthorized access and ensuring that authorized personnel have appropriate access
Workstation Use (Required) (physical safeguard)
-Requires policies and procedures to secure ePHI contained in or used at workstations -Policies should specify: -Proper functions to be performed -Manner in which those functions are to be performed -Physical attributes of the surroundings of a specific workstation -Classification of workstation that can be used to access PHI
Audit Controls (Required) (tech safeguard)
-Requires the implementation of hardware, software, and/or procedures that record and examine activity in the information systems that contain ePHI -Data that lives behind data, audit trails, record of everything in system, etc. -error checking
Remote Access--Traveling
-Tips to protect laptops: -Don't use a bag -Use a physical security device -Never leave laptop visible -Desktop firewall, antivirus, and intrusion software -Encryption -Follow password guidelines
Noncompliance
-Under HIPAA, a patient may file a complaint with DHHS alleging that a covered entity has failed to comply with a provision of HIPAA -The Secretary of DHHS is authorized to impose civil monetary penalties (CMPs) of $100 for each violation, up to $50,000 for all violations of an identical requirement -Reasonable cause and willful neglect may result in larger penalties Criminal penalties can include fines from $50,000 to $250,000, or imprisonment from 1 to 10 years depending on the severity of the offense
Security management process (admin safeguard)
-Requires the implementation of policies and procedures to prevent, detect, contain, and correct security violations -Four implementation specifications 1. Risk Analysis (R) (R=Required) -must conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI 2. Risk Management (R) -must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the security standards 3. Sanction Policy (R) -must apply appropriate sanctions against workforce members who fail to comply with their security policies and procedures 4. Information System Activity Review (R) -Must implement procedures to regularly review records of information system activity, access reports, and security incident tracking reports **all flexible safeguards**
Person or Entity Authentication (Required) (tech safeguard)
-Requires the implementation of procedures to verify that a person or entity seeking access to ePHI is the person or entity they claim to be
Access Control (tech safeguard)
-Requires the implementation of technical policies and procedures to grant access to ePHI only to individuals and software programs that have been granted access rights as outlined in the administrative safeguards -There are four implementation specifications: 1. Unique user identifications (Required) -must be assigned not only for identification, but also for tracking 2. Emergency access procedure (R) -Must be a way to obtain ePHI in an emergency 3. Automatic logoff (Addressable) -after a predetermined time of inactivity 4. Encryption and decryption (A) -as needed.
Ensuring compliance with the security rule
-Security is not a one-time project, but an ongoing process that requires constant analysis as new technologies are used and new systems are implemented CEs (covered entities) and Bas (business associates) must decide which security measures to implement, using a risk analysis to determine circumstances that leave them open to unauthorized access and disclosure of ePHI. -HHS (health and human services) recommends a seven-step process: 1. Lead your culture, select your team, and learn 2. Document our processes, findings, and actions 3. Review existing security of ePHI (perform security risk analysis (possible vulnerabilities)) 4. Develop an action plan 5. Manage and mitigate risks 6. Attest for meaningful use security-related objectives 7. Monitor, audit, and update security on an ongoing basis
Termination of Access
-Should have policy and procedure for terminating access when: -Employee changing roles -Employee terminates employment -Employer terminates employee's employment
Security Officer Designation (policies, procedures, and doc safeguard)
-Single individual oversees the security program -May be 100% of the job description, or only a portion -Must be given authority to effectively manage the security program, apply sanctions, and influence employees -Must periodically evaluate their organization's electronic information system and networks for proper technical controls and processes (education, drills, audit controls, be in the system) -Periodically evaluate physical security as well (locked doors, etc.)
HIPAA Security Rule, Section (d) Implementation Specifications
-The CE is in compliance with an addressable specification if it: 1. Implements the addressable specification as written 2. Implements an equivalent alternative security measure 3. Documents that the risk for which the addressable implementation specification was provided either does not exist in the organization or exists with a not a big change it will occur
Red Flags Rule
-The Red Flags Rule (part of the Fair and Accurate Credit Transaction Act (FACTA) of 2003) requires financial institutions and creditor to develop and implement written identity theft prevention programs which identify warning signs, establish policies and procedures to detect red flags, and detail appropriate responses to prevent and mitigate identity theft -Red Flag = pattern, practice, or specific activity that could indicate identity theft -Red flags should be used as triggers to alert an organization that an identity theft problem may exist -Hospitals may be covered if they are considered "creditors" (see textbook)
Implications of Medical Identity Theft
-The risks to the victim are not only financial, but can also be life threatening due to inaccurate information recorded in the victim's medical record -Victims suffer reputational harm, and it can cause them to miss out on career opportunities -Victims should work with the organization where the identity theft occurred to correct their health information and determine where it has been sent so that appropriate corrections can be made -Providers can help victims by allowing them their rights under HIPAA of access, amendment, and an accounting of disclosures HIPAA does not address medical identity theft
Technical Safeguards
-The technical safeguards are much like the administrative and physical security standards in that they are general and require CEs to implement methods appropriate to their business operations -If the standards were more specific, they would quickly become obsolete given the speed with which technology changes -Scalable-not have same technical safeguards in big hospitals versus small clinics Technology neutral-do not recommend a specific technology bc it will go out to date quickly due to how fast technology is advancing
Privacy Rule vs. Security Rule
-The two rules work in tandem to protect health information -Two primary distinctions: Electronic vs. paper vs. oral -"Safeguard" requirement in Privacy Rule (security rule has much more detail for safeguards)
Biometric Identifiers
Analyze biologic data about the user (voiceprint, fingerprint, handprint, retinal scan, face print, or full-body scan) Need a reader or scanner device combined with software Difficult to replicate or steal Two-factor with another method
Business Associate Contracts and Other Arrangements (Required): (organizational safeguard)
Business Associate Contracts and Other Arrangements (Required): requires a CE (covered entity) ensure that BAs(business associates) meet the security requirements (and BAs to ensure subcontractors meet security requirements) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of the covered entity. There are 3 implementation specifications: BA Contracts (Required): Contracts must provide that BA complies with the security rule and ensure subcontractors do as well. Must report to CE any security incident like a breach Other Arrangements (R): CE is in compliance if it has another arrangement in place that meets requirements BA Contracts with Sub-Contractors (R): same requirements as those between CE and BA
Security Awareness Training (addressable) (admin safeguard)
Can be the single most effective tool a CE has to ensure compliance with the security rule and prevent data breaches. Human factor can be the weakest part of a security program. Requires implementation of ongoing, reasonable, and appropriate security awareness training for a CE's workforce Four implementation specifications: (all addressable) -Security reminders (Addressable) -conduct periodic security updates -Protection from malicious software (A) -guard against, protect from, and report malicious software -Log-in monitoring (A) -Password Management (A) -procedures for creating, changing, and safeguarding passwords
System controls: Electronic Mail 1
Common recipients should sign confidentiality agreements that prohibit: -Forwarding of mail to multiple users -Printing out multiple unauthorized copies -Leaving messages onscreen for unauthorized viewing -Storing messages in an unsecured file -Altering the original message
CIA triad
Confidentiality: A requirement that private or confidential information not be disclosed to unauthorized individuals. Integrity: Data integrity is a requirement that information and programs are changed only in a specified and authorized manner. System integrity is a requirement that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system. (not altered or destroyed) Availability: A requirement intended to ensure that systems work promptly and service is not denied to authorized users. (do providers have it when they need it to provide patient care)
Internal vs. External Threats
Criminal attacks are the number one cause of data breaches in healthcare -Criminal attacks on healthcare organizations are up 125% compared to five years ago Common internal breaches: "Taking a peek" Installation of unauthorized software Use of the organization's computing resources for illegal or illicit communications or activities Use of computing resources for personal profit
Malicious Software (Malware)
Designed to harm a computer Damage varies from nuisance to catastrophic loss of data We must protect our ePHI
Password Systems: password Don't's
Don'ts: Pick a password that someone who knows you can easily guess Pick a word that can be found in the dictionary Pick a word that is currently newsworthy Pick a password from adjacent keys on the keyboard (keys make a square) Pick a password that is similar to your previous password Share your password with others
Electronic Mail 1
Email has become a primary means of communication for business and personal purposes It is increasingly requested in response to litigation It is discoverable under e-discovery rules The use of email in provider-patient communications is becoming more popular Email through a secure patient portal is preferred
Data Encryption-System Controls
Ensures data transferred from one location on a network to another are secure from eavesdropping data interception Cryptography is the study of encryption and decryption techniques Two common forms of encryption: Pretty good privacy (used with email) (PGP) Wired equivalent privacy (used on wireless networks) (WEP) Mobile device encryption is essential Laptops should have full disk encryption with an approved software package Data stored on a cell phone must be saved to an encrypted file system using approved software that employees report wipe technology
Contingency Planning (admin safeguard)
Five Implementation specifications: -Data backup plan (Required) -procedures to create an exact copy of ePHI -Disaster recovery plan (R) -procedures to restore lost data -Emergency mode operation plan (R) -procedures for continuation of critical business processes needed to protect ePHI while operating in emergency mode -Testing and revision procedures (Addressable) -test all contingency plans periodically -Applications and data criticality analysis (A) -assess the criticality of specific applications and data in support of contingency plans Specifically, policies also must address down-time. Policy must give a specific procedure for down time (both how to document during downtime, and how soon that info is translated into EHR when back up. This is important for the Legal Health Record. In order to qualify for exception to the hearsay rule, you must protect the record's integrity. Each covered entity is permitted to design its contingency plan to accommodate its individual structure, size, and operations, as long as it includes appropriate procedures for maintaining critical health information in a crisis
HIPAA Security Rule Section (c) Standards
Five categories: 1. Administrative Safeguards 2. Physical Safeguards 3. Technical Safeguards 4. Organizational Requirements 5. Policies, Procedures, and Documentation
Facsimile or Faxing ePHI
Following are AHIMA's recommendations regarding faxes: Policies and procedures should be based on federal and state law and consultation with legal counsel NPP (notice of privacy practices) should describe the use and disclosure of PHI by fax machine Obtain patient authorization when the transmission is not otherwise permitted by law Take steps to ensure the fax is sent to the appropriate destination Include a confidentiality statement on the cover page of the fax Place fax machines in secure locations Do not fax highly sensitive information
Access Rights: User Based Access Controls (UBAC)
Grants users access based on the identity of the user
Access Rights: How?
How? Specifies how a user can access the resource Examples: Read Write Edit Execute Append Print Owners or those with administrative privileges can modify, delete, or create new components
Firewall Protection-System Controls
IDS -Intrusion detection system -Serve as alarm system for network -Warn of possible inappropriate attempts to access the network IPS -Intrusion protection system -Identify malicious network traffic -Apply rules to block its passage across the network like a firewall -Both require human intervention -Must be monitored by people -Need people to make sense of messages produced
Employee Nondisclosure Agreements
Many CEs require employees to sign nondisclosure agreements Especially important with remote work locations See Appendix 13
Types of Malware
Masqueraders = appear to be what the user need, but when activated it performs a malicious action ( will take away the virus, but is the virus) Incapacitation = programs designed to disable a computer Time bombs = lies in wait until a specific trigger occurs Denial of service = overloads a system until it shuts down