
Risk Analysis and Security Management Issues in Specific Healthcare Industries



  1. Risk Analysis and Security Management Issues in Specific Healthcare Industries
     Cindy Smith, CISSP

  2. HIPAA Security Rule Excerpts
     • Ensure the confidentiality, integrity, and availability of all electronic PHI (the Privacy Rule protects all PHI, no matter the form)
     • Protect against any reasonably anticipated threats or hazards, and protect against any reasonably anticipated use or disclosure that is not required or permitted by the Privacy Rule
     • Use any security measure deemed appropriate by the entity to reasonably implement the Security standards
       – Each entity must make documented security implementation decisions that take into account its:
         • Risk analysis and threats
         • Size, complexity, and capabilities of the organization
         • Cost of implementing security measures
         • Technical infrastructure, hardware, and software security capabilities

  3. Pharmaceutical Companies
     • Typically not a business associate, but may receive customers' PHI (e.g., rebate processing)
       – Current argument that they shouldn't receive PHI for rebates unless providers obtain patient authorization
     • The privacy-breach risk belongs to the customer (the covered entity), but the pharmaceutical company faces possible loss of business/income if rebate processing cannot continue
     • May be able to use a "limited data set" for research purposes
     • Media controls should address return/reuse/disposal
     • Highly regulated outside of HIPAA
       – Must also be consistent with FDA 21 CFR Part 11 and the EU Privacy Directive

  4. Employers/Government Agencies
     • May want to limit HIPAA scope to HR/Benefits and separate information regarding health benefits from other HR information (e.g., performance-related data)
       – Information access controls must maintain the separation if the network isn't segmented
     • Much of the group health plan's functions may be outsourced
       – Must safeguard through a Business Associate contract
     • Union reps may act on behalf of represented employees
       – Patient advocacy by union/employer can be mitigated through authorizations, but the system must support need-to-know
     • May be issues associated with Voice Response Unit (VRU) systems for enrollment
       – VRU systems fall under this rule because they are input/output devices for computers
     • HR and other groups typically have access to systems with PHI, but may not be included in the plan workforce
       – So who needs to be trained under HIPAA?
     • Most employers are not involved with healthcare as their core business and want to eliminate or minimize expenditures that they see as pure compliance
       – Cost can be considered in risk analysis/management decisions

  5. Universities/Academic Medical Centers
     • Student health center records may be paper with no electronic transactions occurring, thus not a covered entity
       – However, there may be transfer of PHI to the sports department physician (e.g., x-rays)
     • May offer other services (hearing, speech, PT, OT) to students, faculty, and the community for teaching purposes
       – Again, not qualifying as a CE, but records may be sent to an outside physician
     • Appropriate access controls must be in place for teaching physicians when teaching vs. practicing
       – Is role-based access enough, or should context (e.g., off-site) be considered?
     • May be pockets of systems run outside of the main IT department
       – Should the entire university be subjected to risk analysis and the resulting policies/implementation decisions to protect a few departments that are CEs or house PHI?
     • Expectation of "freedom of speech" for students and sharing of information among faculty
       – Need-to-know may be politically difficult to enforce

  6. Hospitals
     • Multiple users on nurses' workstations (i.e., no accountability for activity), and productivity issues with shared workstations if automatic logoffs are implemented
       – 30 seconds to log back on is unacceptable at a nurses' station
     • Overrides to security are necessary in emergency situations
       – Logs of override use are an evolving best practice
     • Multiple shifts performed by the same nurse in different departments; also, "floating" nurses may work in multiple departments in multiple locations on the same shift
     • Granularity of access controls is more difficult in smaller hospitals; all clinical access may be the same
     • Most have vendor software and small IT groups, and many functions may be outsourced
       – Must trust vendors (i.e., business associates) who can dial in to fix systems
     • Some hospitals are implementing wireless technologies (e.g., in the emergency room), and there are likely to be pockets of systems run outside of the IT department
       – Technology risks may not be fully understood

  7. Physicians
     • Need for secure e-mail communications with hospitals/insurance companies (may be frequent) and patients (may be "one-offs")
       – Encryption of e-mail is now an "addressable" specification, so a method is needed for informing patients of the risk of sending e-mail that is not encrypted
     • May require different access when practicing on their own vs. through a hospital; may also practice at multiple hospitals, each using a different access methodology
     • Need "good" authentication mechanisms, but not so burdensome that users purposely defeat them
     • Funding issues: large numbers of very small entities
       – May use cost as the basis for not implementing expensive technological solutions, relying instead on physical controls and policies
     • More and more are using PDAs
       – Technology risks may not be fully understood

  8. Drug Chains
     • Locations (e.g., inside a large grocery store) may be diverse
       – Physical controls may differ depending on the site
     • Often only the pharmacist has a user ID, and technicians use the same system access
       – In violation of the unique user ID requirement
     • Very few vendors are in the market, and the drug chain is unable to demand system (security) changes, such as audit controls
       – The drug chain may have to implement compensating controls at the system (i.e., not application) level
     • Many now have online or VRU prescription refill services
       – May violate privacy controls as to who can "see" prescription data, depending on how the system works, so the system must support proper data access
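The access-control points raised on the Hospitals and Drug Chains slides (per-user accountability instead of shared logins, department-scoped need-to-know for floating nurses, and emergency overrides whose use is logged for review) in one added Python example. This is illustration code written for this page, not code from the presentation or from any vendor system; the user names, departments, patient IDs, shared-account names and audit-record layout are all constructed assumptions.

```python
"""Minimal EHR access-policy evaluator (added example, not from the slides):
department-scoped need-to-know, per-user attribution with shared accounts
refused, and a break-glass override that always leaves an audit record."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data: departments each user may access on this shift.
# A "floating" nurse is granted several departments for the shift only; in
# practice these rows would come from the scheduling system.
SHIFT_ASSIGNMENTS: Dict[str, Set[str]] = {
    "rn.garcia": {"ICU"},
    "rn.float1": {"ICU", "ER", "MedSurg"},
    "dr.okafor": {"ER"},
}

# Constructed sample data: patient record -> department currently treating it.
PATIENT_DEPARTMENT: Dict[str, str] = {"P100": "ICU", "P200": "Oncology", "P300": "ER"}

# Hypothetical generic logins a nurses' station or pharmacy counter might
# share. They defeat accountability, so the policy refuses them outright.
SHARED_ACCOUNTS: Set[str] = {"nursestation", "pharmacy-counter"}


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    user: str
    patient: str
    allowed: bool
    reason: str
    break_glass: bool = False
    justification: Optional[str] = None


class EhrAccessPolicy:
    """Evaluates record access and records every decision, grant or denial."""

    def __init__(self) -> None:
        self.audit_log: List[AuditEvent] = []

    def check(self, user: str, patient: str, *, break_glass: bool = False,
              justification: Optional[str] = None) -> AuditEvent:
        allowed, reason, used_override = self._decide(user, patient, break_glass, justification)
        event = AuditEvent(
            ts=datetime.now(timezone.utc).isoformat(),
            user=user, patient=patient, allowed=allowed, reason=reason,
            break_glass=used_override,
            justification=justification if used_override else None,
        )
        self.audit_log.append(event)  # denials are logged too: repeated probing is itself a signal
        return event

    @staticmethod
    def _decide(user: str, patient: str, break_glass: bool,
                justification: Optional[str]) -> Tuple[bool, str, bool]:
        if user in SHARED_ACCOUNTS or user not in SHIFT_ASSIGNMENTS:
            return False, "unidentified or shared account", False
        dept = PATIENT_DEPARTMENT.get(patient)
        if dept is None:
            return False, "unknown patient record", False
        if dept in SHIFT_ASSIGNMENTS[user]:
            return True, "assigned department", False
        # Outside the user's departments: only a break-glass request with a
        # recorded justification opens the record, and it is flagged for review.
        if break_glass and justification and justification.strip():
            return True, "emergency override", True
        return False, "outside assigned departments", False

    def override_events(self) -> List[AuditEvent]:
        """Override uses a privacy officer should review after the shift."""
        return [e for e in self.audit_log if e.break_glass]


if __name__ == "__main__":
    policy = EhrAccessPolicy()
    for ev in (
        policy.check("rn.garcia", "P100"),
        policy.check("rn.garcia", "P200"),
        policy.check("rn.garcia", "P200", break_glass=True,
                     justification="code blue, covering Oncology"),
        policy.check("nursestation", "P100"),
    ):
        print(f"{ev.user:>14} {ev.patient} allowed={ev.allowed!s:<5} {ev.reason}")
    print("overrides to review:", len(policy.override_events()))
```

The override path is deliberately cheap to use (one flag and a free-text reason) so that it does not cost a nurse the 30 seconds the slide complains about, while the audit record it leaves is what makes the override reviewable rather than silent.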

  9. Clearinghouses
     • Some see the industry having no use for them in a few years and are now increasing their service offerings to entice customers to stay; others see the complexity of transaction compliance assuring them an ongoing role
     • Must isolate the clearinghouse functions if part of a larger organization
     • There is an increasing focus on the data and its uses, as opposed to the data transformation and routing functions
       – Thus security becomes especially important as models move to data aggregator rather than postal intermediary

  10. Business Associates
     • Perception that they are/are not a business associate based on what functions they are actually performing
       – E.g., small community banks that receive and handle payments for providers (e.g., lockbox services), or payment/collection agencies, may now have to implement administrative/physical/technical safeguards they never had to before
     • Many are signing business associate contracts agreeing to be compliant with HIPAA whether or not they should, just to be safe
       – May impose requirements they don't have to meet, and incur costs they don't have to take on

  11. Insurance Companies
     • Many have in-house software that may be 20-year-old COBOL code with little documentation
       – Adding audit controls or access controls may be impossible
     • Challenges of dealing with a large number of provider entities sending transactions
       – Standard transactions will help, but transmission methodologies will still be diverse
     • Many are now documenting and aligning their current privacy and security programs with HIPAA
       – Already subject to GLBA and maybe the EU Privacy Directive

  12. Disease Foundations
     • Most disease foundations are not covered entities, nor business associates of CEs
       – However, they may want to adhere to the HIPAA security rules for public relations reasons
     • Fundraising must be kept separate from patient care, if provided
       – Need-to-know must be enforced through proper access controls

  13. Risk Analysis/Security Management Considerations
     • Focus on the business drivers first, then the regulatory drivers (this doesn't mean ignore the regulatory drivers!)
     • A comprehensive risk analysis is the starting point for both required and addressable components (and "addressable" doesn't mean "optional")
     • Demonstrate "good faith" efforts to protect PHI
     • Must protect against reasonably anticipated threats or hazards to the security or integrity of the PHI and unauthorized use or disclosure of the PHI
       – I.e., not required to guarantee the safety of PHI against all threats
     • It is expected that enforcement will consider overall industry progress as well as individual covered entity efforts

     "During the first year of enforcement for each HIPAA rule, the government will be tentative, focusing on the most egregious and deliberate violators rather than on detailed, across-the-board compliance." – Gartner Group

  14. Questions?
     Cindy Smith, CISSP
     Security and Privacy Practice, PricewaterhouseCoopers
     Cynthia.E.Smith@us.pwc.com
     412-355-8054
