Friday, July 31, 2015

Episode 12: Breach Response Plans


Description

A Breach Response plan is a required element of your compliance program since HITECH became effective. Everyone must have a written plan and know what needs to be done.

Glossary

NIST National Institute of Standards and Technology

Links

NIST SP 800-61 Revision 2 - Computer Security Incident Handling Guide

APDerm Resolution Agreement See item 2(2)

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

Establishing an incident response capability should include the following actions:

  • Creating an incident response policy and plan
    • A written plan is required. OCR has already issued a resolution agreement that cited the lack of one (APDerm, $150,000).
  • Developing procedures for performing incident handling and reporting
    • Who is your "go to" team for forensics?
  • Setting guidelines for communicating with outside parties regarding incidents
    • PR will be critical for reputation management.
  • Selecting a team structure and staffing model
    • Someone has to be in charge of the whole thing, with others in charge of the parts.
  • Establishing relationships and lines of communication between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies)
    • Bigger organizations need to know who is responsible for talking with each department.
  • Determining what services the incident response team should provide
    • How far does the team take the process? Will they hand off follow-up, or will they do everything required from beginning to end? Again, large organizations need to settle this.
  • Staffing and training the incident response team
    • Make a written list, and have the team meet regularly to walk through how they would respond to any incident the organization might face.

Check out the latest episode!

Tuesday, July 28, 2015

Episode A1: HIPAA Answers - How do I get rid of my printers properly?


How do I get rid of my printers properly?  Find out in HIPAA Answers Episode A1.

Thanks for the listener questions that are coming in!  It took us a bit to work out the best way to get back to you, so sorry for the delay.

Today we introduce HIPAA Answers episodes.  These short "answer episodes" will be released weekly on Tuesday mornings.

Send us your questions and we will get them answered.  Lots of ways to contact us below!

Website form or Speakpipe voicemail

Twitter

LinkedIn

Facebook

Google+

Send us an email



Friday, July 24, 2015

Episode 11: Ponemon Study 2014 on Healthcare Compliance


Description

A discussion of the findings in the recently released study concerning healthcare breaches in 2014.  

Glossary

A managed service provider (MSP) is a third-party contractor that is under contract (usually a monthly fee) to provide on-going technology support to other organizations.

Links

Fourth Annual Benchmark Study on Patient Privacy and Data Security

Criminal Attacks: The New Leading Cause of Data Breach in Healthcare

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

Represented in this study are 90 CEs and 88 BAs.

This year is the first time BAs were added to the study data.  The previous four years included only CEs.

A security incident is defined as a violation of an organization’s security or privacy policies involving protected information such as social security numbers or confidential medical information.

A data breach is an incident that meets specific legal definitions per applicable breach law(s). Data breaches require notification to the victims and may result in regulatory investigation, corrective actions, and fines.

Points to note:

  • There has been a 125% increase in breaches due to criminal attacks on healthcare data over last 5 years.
  • Only 40% of healthcare organizations and 35% of BAs are concerned about cyber attackers even though it is now the number one reason for breaches and increasing rapidly.
  • Security incidents that aren't breaches are also primarily criminal attacks: criminal attacks account for 78 percent of security incidents at healthcare organizations and 82 percent at BAs.
    • 87% of BAs had multiple security incidents in the past 2 years involving the exposure, theft or misuse of electronic information.
      • 70% say they have had between 11 and 30 electronic information-based security incidents.
    • Most involved the exposure of less than 100 PHI records.
  • Medical identity theft has nearly doubled in five years, from 1.4 million adult victims to over 2.3 million in 2014.
  • Employee negligence remains a top concern when it comes to exposing patient data inappropriately.
  • Many victims of medical identity theft report they spent an average of $13,500 to:
    • Restore their credit,
    • Reimburse their healthcare provider for fraudulent claims and
    • Correct inaccuracies in their health records.
  • According to the findings of this research, the average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million.
  • No healthcare organization, regardless of size, is immune from data breach.
  • The average cost of a data breach to BAs represented in this research is more than $1 million.
  • Even though organizations are slowly increasing their budgets and resources to protect healthcare data, they continue to believe not enough investment is being made to meet the changing threat landscape.

Interesting question details: 

Ponemon Breach Study Question



Friday, July 17, 2015

Episode 10: ONC Sample Seven-Step Approach for Implementing a Security Management Process


ONC recently published an updated guide for Privacy and Security of Electronic Health Information.  In this episode David and Donna discuss what that guide calls the Seven-Step Approach for Implementing a Security Management Process.

Links

Guide to Privacy and Security of Electronic Health Information

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

The 7 Steps

Step 1: Lead Your Culture, Select Your Team, and Learn

Assign your officers, make sure they are trained, show compliance is a top down commitment

Step 2: Document Your Process, Findings, and Actions

If you can't prove it then it didn't happen. Document your decisions, plans and activity

Step 3: Review Existing Security of ePHI (Perform Security Risk Analysis)

Review or perform your Security Risk Analysis and current security assessment

Step 4: Develop an Action Plan

The plan needs to address all the things you identified in your assessments, policies, and procedures

Step 5: Manage and Mitigate Risks

This is where your project management skills come into play: making sure you have addressed all the risks in your Analysis and that new ones aren't showing up

Step 6: Attest for Meaningful Use Security-Related Objective

If you are attesting make sure you have done the previous steps

Step 7: Monitor, Audit, and Update Security on an Ongoing Basis

Remember it isn't a project that has a beginning and ending date 



Friday, July 10, 2015

Episode 9: HIPAA Myths Part 3



We finish up our discussion about some common myths (or points of confusion) surrounding HIPAA compliance requirements. 

Glossary
A myth is a widely held but false belief or idea.

Links 

HealthIT.gov Top 10 Myths of Security Risk Analysis
HealthIT.gov Guide to Privacy and Security of Electronic Health Information Analysis

Notes: myths 1-7 of 10 were covered in the two previous episodes.

  8. HIPAA covers all PHI no matter who possesses the information. False. HIPAA applies to entities that are health plans, healthcare clearinghouses, and most healthcare providers, and to the businesses that create, receive, maintain, or transmit PHI on their behalf. Not every person or organization that possesses PHI falls under the CE or BA categories of HIPAA.

  9. A one-hour video course is all that a compliance officer needs to implement HIPAA in any organization. Mostly false. The law requires that you have an educated person in charge of privacy and security compliance, but it does not define what that education should contain. I can't imagine how anyone could do the job with so little training, and neither can anyone else who actually does it. Training is essential to understanding the requirements well enough to perform them.

  10. HIPAA training requirements are met with an annual training for all employees. Mostly false. It could be argued that all that is required is a quick reminder/refresher course. However, the amount of training provided for privacy and security awareness is directly related to the results you will get from your workforce. If you don't think about it more than once a year, neither will they.



Friday, July 3, 2015

Episode 8: HIPAA Myths Part 2



We continue our discussion about some common myths (or points of confusion) surrounding HIPAA compliance requirements. 

Glossary
A myth is a widely held but false belief or idea.

Links 

HealthIT.gov Top 10 Myths of Security Risk Analysis
HealthIT.gov Guide to Privacy and Security of Electronic Health Information Analysis

Notes: myths 1-3 were covered in the previous episode.

  4. Communicating with patients via email, fax, or telephone violates HIPAA.  Actually, not true. But.... reasonable and appropriate safeguards must be in place.

  5. HIPAA compliance is just like all the other compliance rules for other industries: you learn the requirements and you do what they say. Not at all true. HIPAA rules were designed to allow every size and type of healthcare entity and business associate to use one set of regulations. That means phrases like "reasonable and appropriate" are thrown all over them. Every single organization can determine what is reasonable and appropriate for its environment, as long as it documents how it is addressing the standards. Not even a risk analysis has one method that must be performed across all organizations.

  6. A website is HIPAA compliant if it uses HTTPS.  False.  Securing electronic PHI has two parts. You must secure data in motion (for example, when it is transmitted to a web page via HTTPS). You must also secure data at rest (what happens to the data once it reaches the server on the other end). Letting a web designer throw up a registration form or appointment request form and then adding HTTPS will not, by itself, meet the compliance standards for HIPAA.

  7. If a vendor signs a Business Associate Agreement there is nothing else for me to worry about concerning them. False. If you know a vendor is not compliant and you continue to use their services simply because they signed a BAA, you aren't much better off than if you had never signed one. Your liability is still tied to the fact that you don't have a compliant BA, and working with them while knowing (or doubting) their compliance understanding and commitment makes you complicit in any failures they may have with PHI.  Perform due diligence of some sort to get assurances that they actually have a compliance program in place.

Myths 8-10 are in the next episode.
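To make the HTTPS myth concrete, here is an added example (written for these notes, not code from the podcast, HealthIT.gov, or any vendor) of the two halves of the problem on the server side. The same appointment-request record is persisted two ways: verbatim, which is what "we use HTTPS" usually means in practice, and sealed with AES-256-GCM before it is written. The form fields, the record layout, and the idea that the 32-byte key is fetched from a KMS or secrets manager are all assumptions for the example; Go is used because its standard library includes AES-GCM with no extra dependencies.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// AppointmentRequest models what a patient types into an appointment form.
// The field names are hypothetical, chosen for this example.
type AppointmentRequest struct {
	Name   string
	DOB    string
	Reason string
}

// encode serialises the request as newline-separated fields, the layout the
// server would persist. Fields are assumed not to contain newlines.
func (r AppointmentRequest) encode() []byte {
	return []byte(r.Name + "\n" + r.DOB + "\n" + r.Reason)
}

func decode(b []byte) (AppointmentRequest, error) {
	parts := strings.SplitN(string(b), "\n", 3)
	if len(parts) != 3 {
		return AppointmentRequest{}, errors.New("malformed record")
	}
	return AppointmentRequest{Name: parts[0], DOB: parts[1], Reason: parts[2]}, nil
}

// StoreInsecure is the "HTTPS is enough" pattern: TLS protected the bytes
// between browser and server, but the record is persisted verbatim, so anyone
// who can read the database, a backup, or a log file reads the PHI.
func StoreInsecure(r AppointmentRequest) []byte {
	return r.encode()
}

// StoreEncrypted seals the record with AES-256-GCM before it is persisted.
// The 32-byte key is assumed to come from a KMS/HSM or secrets manager, never
// from the web tier's source code or the same table as the data.
func StoreEncrypted(key []byte, r AppointmentRequest) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || GCM tag. A fresh random nonce per
	// record is mandatory; reusing one under the same key breaks GCM.
	return gcm.Seal(nonce, nonce, r.encode(), nil), nil
}

// LoadEncrypted reverses StoreEncrypted and fails closed if the record was
// modified or a different key is presented.
func LoadEncrypted(key, stored []byte) (AppointmentRequest, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return AppointmentRequest{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return AppointmentRequest{}, err
	}
	if len(stored) < gcm.NonceSize() {
		return AppointmentRequest{}, errors.New("record too short")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return AppointmentRequest{}, err // authentication tag did not verify
	}
	return decode(pt)
}

// ExposesField reports whether a persisted record still contains a field in
// the clear: the check an assessor would run against the data store itself.
func ExposesField(stored []byte, field string) bool {
	return bytes.Contains(stored, []byte(field))
}

func main() {
	// Constructed sample input for the example; not real patient data.
	req := AppointmentRequest{Name: "Jane Example", DOB: "1970-01-01", Reason: "follow-up"}
	key := make([]byte, 32) // stand-in for a key fetched from a KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, err := StoreEncrypted(key, req)
	if err != nil {
		panic(err)
	}
	fmt.Println("verbatim record exposes name:", ExposesField(StoreInsecure(req), req.Name))
	fmt.Println("sealed record exposes name:  ", ExposesField(sealed, req.Name))
}
```

The point of ExposesField is that the assessment question is asked of the stored bytes, not of the browser's padlock: run it against the database, the nightly backup, and the web server's request log, because any one of them holding the verbatim record means the data at rest is unprotected no matter how it arrived. Encryption at rest on its own is still only one safeguard among those a risk analysis would identify (key custody, access control, retention); it addresses the specific gap the myth leaves open.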

