
Where HIPAA Compliance and Cyber Security Intersect: Are you Protected?


Presentation Transcript


  1. Where HIPAA Compliance and Cyber Security Intersect: Are you Protected?
  Carol Albaugh, Technical Solutions Consultant, VGM Group, Inc.
  Kelly Grahovac, Senior Consultant, The van Halem Group

  2. Please Complete Your Evaluation
  Everyone should have received an evaluation form upon entering the session. Please complete the evaluation form and turn it in to the room monitor as you exit the session. Or, you can complete your evaluation in the mobile app: locate the session in the app and tap on the clipboard icon to begin the survey.
  Please help us keep the Medtrade Spring Education sessions the best in the industry by completing an evaluation for every session you attend! Your feedback is very valuable to us and will be used in planning future Medtrade Spring events!
  Connect with us on Social Media
  • Twitter: @MedtradeConnect
  • Instagram: @MedtradeConnect
  • Facebook: facebook.com/medtrade
  • #MedtradeSpring19

  3. Current State of Cyber Threats

  4. Large Company Breaches in the Media

  5. Current State of Cyber Threats
  BUT…
  • The majority of breaches in the U.S. affect small to medium-sized businesses
    • Lack of IT expertise
    • Lack of resources for sophisticated IT security staff
  • 67% do not use web-based security
  • 61% do not use antivirus on all computers
  • 60% of small businesses will go out of business within a year of having a major breach

  6. Current State of Cyber Threats
  • The costs of a healthcare breach are skyrocketing:
    • $402/patient record
    • Fees for government agency involvement (HIPAA, HITECH)
    • Patient and media notification expenses
  • What’s not covered in the cost…
    • Brand reputation costs: loss of contracts and referrals
    • Loss of business revenue
  • Hackers have become more savvy
    • They operate as a stand-alone hacking entity or under a legitimate business front.
    • Their employees get salaries and full benefit packages!

  7. 265

  8. Why Health Care?

  9. Why Health Care?
  Healthcare is now the #1 target for hackers
  • Healthcare data is rich with information hackers can make money on:
    • Patient names and addresses
    • Social Security Numbers
    • Date of birth
    • Insurance/Medicare ID
    • Cell phone numbers
    • Credit card/checking account numbers
  • EACH of these data points is valuable on the cyber black market; together, they are a gold mine!

  10. Health Care Focus

  11. SMB Health Care Pain Points
  • Don’t know where to start
  • Limited visibility into systems
  • Unprepared for an attack
  • Ever-changing landscape
  • HIPAA compliance

  12. “If you haven’t suffered a cybersecurity breach you’ve either been incredibly well prepared, or very, very lucky… Are you incredibly well prepared?”

  13. Road Map & Best Practices

  14. Cyber Security Road Map
  • Technology:
    • Vulnerability Assessments
    • Penetration Testing (ethical hacking)
  • Compliance/Regulatory:
    • Compliance & Regulatory Risk Assessment
    • HIPAA
    • HITRUST
  • Breach Protection (reactive response):
    • Incident Response Plan
    • Cybersecurity Insurance
  • People:
    • Employee Awareness Training
    • Security & Privacy Strategy

  15. Cyber Security - “Secure the Human”

  16. Best Practices to Protect Your Business
  • Update company software as soon as updates are released; this patches security vulnerabilities
  • Develop a schedule for regularly backing up sensitive files
  • Keep confidential information and important files backed up in a remote location not connected to your network
  • Protect your infrastructure by using proper firewalls, anti-virus, web filtering, email filtering, access levels, etc.
  • Develop a protocol for reporting all suspicious activity/incidents

  17. Best Practices to Protect Your Business
  • Hire third-party experts to expose threats and offer best practices
  • Perform a Risk Assessment
  • Review your BAA: who is liable for what
  • Have IT policies and update them annually to address newer technologies and increasing cyber threats
  • Communicate changes with staff members
  • Train your staff about the types of cyber threats and how to identify suspicious emails/attachments/websites
  • Purchase Cyber Liability Insurance!

  18. Prepare for the Future
  “Cyber is uncharted territory. It’s going to get worse not better and it’s a bigger threat to humanity than nuclear weapons.” - Warren Buffett

  19. Compliance Security
  "You can't have privacy without security, but you can have security without privacy." - Daniel Farris, attorney/partner and co-chair of the technology group at law firm Fox Rothschild LLP

  20. Privacy and Security Rules
  HIPAA broadly divides specifications among its Privacy and Security Rules
  • Privacy Regulations:
    • Govern how healthcare facilities use and share ePHI
  • Security Regulations:
    • Cover measures that curtail unauthorized access to ePHI, including the use of IT capabilities.

  21. Let’s talk about…

  22. Poll
  • Do you have a HIPAA Compliance program in place?
  • Do you incorporate HIPAA Training annually?
  • Do you have a current Security and Risk Assessment on file?
  • Do you have Business Associate Agreements in place for all entities that may come in contact with your PHI?

  23. HIPAA Overview
  Health Insurance Portability and Accountability Act
  • HIPAA’s intent is to reform the healthcare industry by:
    • Reducing costs
    • Simplifying administrative processes and burdens, and
    • Improving the privacy and security of patients’ information

  24. Why have a HIPAA Compliance Program?
  • It’s the law
  • Increased usage of data
  • OCR and OIG Hotlines
  • OCR audits
  • Insurance

  25. OCR Audits
  • Phases 1 and 2 completed; OCR is preparing for Phase 3
  • Intended to be non-punitive, but OCR can open a compliance review
  • OCR will learn from this next phase in structuring a permanent audit program
  • OCR will develop tools and guidance for industry self-evaluation and breach prevention
  • OCR will use findings to:
    • Identify best practices,
    • Uncover risks and vulnerabilities,
    • Detect areas for technical assistance, and
    • Encourage consistent attention to compliance

  26. HIPAA Compliance Program
  • It exists today, it existed last year, it is shared, it is reviewed, and it is maintained regularly
  • Willful Neglect

  27. Willful Neglect
  Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
  • 45 CFR §160.401

  28. OCR Fines
  • 2015 - $6,193,000
  • 2016 - $23,504,800
  • 2017 - $19,393,000
  • 2018 - $25,635,400
  • 2019 - $3,000,000

  29. HIPAA Compliance Program

  30. Building your compliance team
  • Compliance Officer
    • Existing or new employee
    • Develops and oversees the corporate compliance program, including HIPAA
  • Privacy Officer
    • Oversees all activities related to the development, implementation, maintenance, and adherence to the organization’s policies and procedures covering the privacy of and access to patient health information
  • Security Officer
    • Developing and implementing policies and procedures to safeguard PHI
    • Identifying and evaluating threats to the integrity of PHI
    • Developing and implementing action plans for addressing risks to PHI

  31. Building your compliance team
  The compliance team will be the main contact for:
  • Identifying individuals responsible for HIPAA compliance and defining responsibilities
  • Performing an updated SRA
  • Managing all BAAs and other HIPAA-related documentation
  • Establishing and maintaining an ongoing HIPAA awareness training program
  • Breach and incident reporting: know the requirements and act accordingly!

  32. Core Compliance Components
  • Policies and Procedures
  • Security and Risk Assessment
  • Awareness Training
  • Business Associate Agreements

  33. Security and Risk Assessment
  • Helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards
  • Reveals areas where your organization’s PHI could be at risk
  • Should be updated on an annual basis
  • Most commonly missing or incomplete item in a provider’s compliance program

  34. Violation: Insufficient SRA
  CardioNet paid HHS $2.5 million to settle potential noncompliance with the HIPAA Privacy and Security Rules
  • An employee laptop containing the ePHI of 1,391 individuals was stolen from a parked car
  • OCR’s investigation revealed:
    • Insufficient risk analysis and risk management processes in place at the time of the theft
    • Policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented.
    • CardioNet was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

  35. Business Associate Agreement
  • Any company or person outside your organization that has access to PHI or ePHI should sign a BAA
  • Ensure all BAAs are in place with an audit
  • Store BAAs in one place with access available to internal management
  • Include BAA language in your policies and procedures

  36. Violation: Missing BAA
  The Center for Children’s Digestive Health (CCDH) paid HHS $31,000 to settle potential violations of the HIPAA Privacy Rule
  • OCR initiated a compliance review following an investigation of a business associate, FileFax, Inc.
  • While CCDH began disclosing PHI to FileFax in 2003, neither party could produce a signed Business Associate Agreement (BAA) prior to Oct. 12, 2015

  37. Breach Reporting
  The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI
  • 500 or more individuals: must report without unreasonable delay and no later than 60 calendar days from the date of discovery
  • Fewer than 500 individuals: must report within 60 days of the end of the calendar year

  38. HIPAA Breach Highlights (September 2009 – December 31, 2017)
  • Approximately 2,178 reports involving a breach of PHI affecting 500 or more individuals
  • Theft and loss are 46% of large breaches
  • Hacking/IT incidents now account for 19% of incidents
  • Laptops and other portable storage devices account for 25% of large breaches
  • Paper records are 21% of large breaches
  • Individuals affected: approximately 176,589,175
  • Approximately 307,061 reports of breaches of PHI affecting fewer than 500 individuals

  39. HIPAA Awareness Program
  How you communicate HIPAA policies and guidelines to your employees
  • The program should, at a minimum, include the following:
    • HIPAA Policies & Procedures
      • Should also be provided to employees, who sign an acknowledgment that they have read and understand them
    • Regular awareness training (phishing, email, etc.)
    • Well-defined escalation policies and procedures

  40. CMS Compliance Review program
  • Ensures compliance among covered entities with HIPAA Administrative Simplification rules for electronic health care transactions
  • Currently restricted to 9 HIPAA-covered entities
    • Health Plans
    • Clearinghouses
  • CMS has authority to investigate HIPAA transaction complaints and conduct compliance reviews for:
    • Standards
    • Code sets
    • Unique identifiers
    • Operating rules
  • OCR manages complaints related to the HIPAA Privacy and Security Rules

  41. Best Practices: HIPAA Compliance
  • HIPAA compliance is an ongoing effort and must be addressed and updated on a regular basis
  • The time to get started is right now! Any effort is better than doing nothing
  • Safeguard against willful neglect (“egregious cases”)
  • Finalize policies & procedures and make sure all employees are aware of them
  • Have all BAAs, finalized P&Ps, HIPAA policies, SRAs, and training materials in one easily accessible location

  42. Medtrade Specials
  Come see us in Booth #615! Sign up at Medtrade and receive a 50% discount on your implementation fee!

  43. Questions???
  Carol Albaugh, Technical Solutions Consultant, VGM Group, Inc., 319-874-4797, Carol.Albaugh@vgm.com
  Kelly Grahovac, Sr. Consultant, The van Halem Group, 404-343-1815, Kelly@vanHalemGroup.com

  44. Stay Connected
  The van Halem Group / The VGM Group, Inc.
  @vanHalemGroup
  The Details Matter - blog.vanhalemgroup.com
  Kelly Grahovac / Carol Albaugh
