chapter 11: security for health information informatics
Security Awareness and Training Standard—Addressable
All existing workforce members must receive training, plus periodic training on updates. Security reminders—pop-up for log-off; Protection from malicious software—guidance for opening attachments; Log-in monitoring—lockout after 3 unsuccessful log-in attempts; Password protection—creation, changing and safeguarding of passwords
Access Control Standard—Required and Addressable
Allow access only to those persons or software programs with granted access rights: Unique user identification; Emergency access procedure; Automatic logoff; Encryption and decryption
Risk Assessment
Assess potential risks and areas of vulnerability related to the security of the ePHI
Information Security Threat Analysis
Backup Data Facilities: Hot Site; Warm Site; Cold Site
Business Associate Contracts and Other Arrangements—Required
Business associates must: Follow the Security Rule for ePHI; Have business associate agreements with their subcontractors, who must also follow the Security Rule for ePHI (covered entities do not have business associate agreements with these subcontractors); Obtain authorization prior to marketing
Confidentiality, Integrity and Availability
Confidentiality—ePHI is accessible only by authorized people and processes; Integrity—ePHI is not altered or destroyed in an unauthorized manner; Availability—ePHI can be accessed as needed by authorized users
Facility Access Control Standard—Addressable
Contingency operations—procedures to restore lost data; Security plan—safeguard the facility and equipment from unauthorized physical access, tampering and theft; Access control and validation procedures—based on role; Maintenance records—document repairs and modifications related to security
Contingency Plan Standards—Required and Addressable
Data back-up plan—what data needs to be backed up, from which sources; Disaster recovery plan—procedures for the restoration of any loss of data; Emergency mode operation plan—continuation of critical business processes while operating in emergency mode. Addressable: Testing and revision of required contingency plans—depends on organizational size and resources; Criticality analysis of applications and data—balance recovery and management with the criticality of the system; update when new systems are added or changes are made
Enforcement
Department of Health and Human Services Office of Civil Rights (OCR). Must investigate all reported violations, and appropriately initiate investigations for cause in the absence of a reported violation
Device and Media Controls Standard—Addressable and Required
Disposal—must be unreadable and unusable; Media reuse—internal and external; Accountability—movements of hardware and electronic media; Data back-up and storage—create a retrievable, exact copy
Disaster Preparedness
Ensure protection of organizational information assets; Ensure information functions can continue when disasters occur
Medical Identity Theft Risks
Financial loss; Clinical risks if critical conditions, procedures, medications, allergies and other information are incorrectly omitted or included
Civil Penalties
Fines or money damages to sanction violators. Prior to 2/18/2009: limit of $100 per violation; limit of $25,000 for identical violations during a calendar year. Since then: no more than $1,500,000 for identical violations each year in any situation. Inadvertent violation with reasonable diligence—between $100 and $50,000 for each violation. Violation due to reasonable cause and not to willful neglect—between $1,000 and $50,000 for each violation. Violation due to willful neglect, corrected during the 30-day period (CE knew or would have known of the violation)—between $10,000 and $50,000 for each violation. Violation due to willful neglect and not corrected during the 30-day period (CE knew or would have known of the violation)—$50,000 for each violation
types of standards
Flexible, scalable, technology-neutral solutions and alternatives. Implementation specifications: Required—must be implemented as described in the regulation; Addressable—should be implemented unless an organization determines the specification is not reasonable and appropriate, in which case the organization must document its assessment and decision
security risk analysis
Full evaluation of the methods, operational practices, and policies used by the covered entity to secure ePHI; Structural framework to build the HIPAA Security Plan; Required for Meaningful Use
NIST Guidance on Risk Analysis (National Institute of Standards and Technology)
Have you identified the ePHI within your organization? This includes ePHI that you create, receive, maintain or transmit. What are the external sources of ePHI? For example, do vendors or consultants create, receive, maintain, or transmit ePHI? What are the human, natural, and environmental threats to information systems that contain ePHI? (NIST SP 800-66 2008)
Identity Theft Prevention Program
Identify Covered Accounts; Identify Relevant Red Flags; Detect Red Flags; Respond to Red Flags; Oversee the Program; Train Employees; Oversee Service Provider Arrangements; Approve the Identity Theft Prevention Program; Provide Reports and Periodic Updates
Audit Control Standards
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Track and record user activities to monitor intentional and unintentional actions
Technical Safeguards Standards
Increased opportunity also increases organizational risk. Technology, and the policy and procedures for its use, that protect electronic protected health information and control access to it
Red Flag Rules
Issued by the Federal Trade Commission, Department of the Treasury, Federal Reserve System, Federal Deposit Insurance Corporation, and the National Credit Union Administration. Requires creditors and financial institutions to implement an Identity Theft Prevention Program. The Federal Trade Commission enforces the rules that apply to healthcare organizations. Red Flags: Suspicious documents—do they appear to have been altered?; Suspicious information—addresses do not match between ID and insurance; Suspicious behaviors—confused about type of insurance
Criminal Penalties
OCR refers cases it determines to be of a criminal nature to the Department of Justice. OCR and DOJ cooperate to pursue possible violators. The violator must knowingly commit a HIPAA violation. There HAVE been criminal convictions. Most complaints are found to be not relevant
Disaster Planning
Organizations need to help their employees be prepared: Planning; Preparedness; Training; Testing; Response and Recovery
Evaluation Standard—Required
Perform periodic evaluations, in response to environmental or operational changes, to determine whether security policies and procedures meet the requirements of the Security Rule
Physical Safeguard Standards
Physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion
Administrative Safeguard Standards
Policies and procedures that: Manage the selection, development, implementation and maintenance of security measures to protect ePHI; Manage the conduct of the covered entity's or business associate's workforce in relation to the protection of the information
Integrity Standard—Addressable
Protect ePHI from improper alteration or destruction. Integrity is the extent to which healthcare data are complete, accurate, consistent, and timely; ensure data are not improperly altered or destroyed
Business Impact Analysis
Recovery Point Objective—length of time the organization can operate without an application; Recovery Time Objective—maximum amount of time tolerable for data loss and capture. Questions: What are the minimal resources for operations? What are the business recovery objectives and assumptions? What is the order for restoration of services? What would be the operational, financial, and reputational impact of loss of data?
Security Incident Procedures Standard—Addressable
Response and reporting—identify and respond to suspected or known security incidents; mitigate the harmful effects; document security incidents and their outcomes
Security Management Process Standard—Required
Risk analysis; Risk management; Communication of security processes; Leadership involvement with risk mitigation; Sanctions policy—how noncompliance will be addressed; Information systems activity review—procedures for monitoring system use
Mandated Risk Analysis Elements
Scope of the Risk Analysis; Data Collection; Identify and Document Potential Threats and Vulnerabilities; Assess Current Security Measures; Determine the Likelihood of Threat Occurrence; Determine the Potential Impact of Threat Occurrence; Determine the Level of Risk; Finalize Documentation; Periodic Review and Updates to the Risk Assessment
Medical Identity Theft
The assumption of a person's name and/or other parts of his or her identity, without the victim's knowledge or consent, to obtain medical services or goods; or when someone uses the person's identity to obtain money by falsifying claims for medical services and falsifying medical records to support those claims
security officer
The official who is responsible for the development and implementation of the required Security Rule policies and procedures
Threat
The potential for exploitation of a vulnerability, or potential danger to a computer, network, or data. Natural—storms, earthquakes, etc.; Human—intentional (hacking) or unintentional (forgetting to log off); Environmental—power failure
Risk
The probability of incurring injury or loss; compare the probability to the potential impact
Person or Entity Authentication Standard
Verify that a person or entity seeking access to ePHI is the one claimed (are users who they claim to be?). Methods: Passwords; Smart cards; Tokens; Fobs; Biometrics
Transmission Security Standard—Addressable
ePHI being transmitted over an electronic communications network MUST be secured. Integrity controls—electronically transmitted ePHI cannot be improperly modified; Encryption—ePHI must be encrypted whenever appropriate
foundation
ePHI—electronic protected health information
security rule
Covers all electronic protected health information (ePHI) created, received, or transmitted by an organization.
vulnerabilities
The ultimate goal of the risk analysis process is to guide organizations in the decisions made and actions taken to comply with the Security Rule's standards and their addressable or required implementation specifications. A vulnerability is an inherent weakness or absence of a safeguard that can be exploited by a threat, including inappropriate protective methods. Technical—firewalls, virus blockers; Nontechnical—policies and procedures
Security incident
The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system