How Safe is Your Patient Data?

Oct 19, 2014

As digitization of the healthcare industry increases, the need to safeguard electronic patient data is also becoming increasingly important. Electronic protected health information (ePHI) is not just in the electronic medical records (EMRs). It also resides in emails, in documents and images on computers, servers, printer hard drives and mobile devices like laptops, cell phones, tablets and USB memory sticks. Healthcare professionals are also using texting and online file sharing services to conveniently share confidential information. The loss of this confidential patient health information is disastrous for patients and healthcare organizations.
Page 1: How Safe is Your Patient Data?

How Safe is Your Patient Data? Steps to Protect Electronic Health Information in Nursing Homes

A collaborative effort brought to you by Harmony University

The Provider Unit of Harmony Healthcare International, Inc. (HHI)

And Kinara Insights

Presented by:

Sameer Sule, MS, MSc Founder & President

Page 2: How Safe is Your Patient Data?

Harmony Healthcare International

About Sameer: Sameer Sule, MS, MSc, Founder and President of Kinara Insights

Specializes in patient data security and HIPAA compliance.
Author of “Protecting Electronic Health Information: A Practical Approach to Patient Data Security in your Healthcare Practice”.
Extensive experience in guiding clients through the planning, selection and technology implementation phases.
Assisted clients through the OCR HIPAA audit process and provided recommendations to address the audit findings.
Published in the Journal of the Massachusetts Dental Society, The Granite State Report (a publication of the ACHCA New Hampshire Chapter), The Disaster Recovery Journal and the Worcester Telegram and Gazette.
Regular blogger: provides insights, tips and advice on secure technology usage in a constantly changing healthcare landscape.
MS from Syracuse University and MSc from the Indian Institute of Technology, Bombay.
Co-inventor on 14 US, EU and AU patents.

Copyright © 2014 All Rights Reserved

Page 3: How Safe is Your Patient Data?

How Safe is Your Patient Data? Steps to Protect Electronic Health Information in Nursing Homes

Disclosure: The planners and presenters of this education activity have no relationship with commercial entities or conflicts of interest to disclose.

Planners: Elisa Bovee, MS, OTR/L; Diane Buckley, BSN, RN, RAC-CT; Sameer Sule, MS, MSc

Presenter: Sameer Sule, MS, MSc

Page 4: How Safe is Your Patient Data?

www.kinarainsights.com

Healthcare Technology Consulting

Help healthcare organizations and their business associates use technology in a secure, HIPAA compliant manner to be more efficient and deliver high quality patient care.

Focus: Data Security | HIPAA Compliance | Mobile Technology | Cloud Computing

KINARA | INSIGHTS

Page 5: How Safe is Your Patient Data?

Services

ePHI Risk Assessment
HIPAA Security Policies & Procedures (Review / Development)
Data Backup & Disaster Recovery Planning
Data Security and HIPAA Compliance Training and Workshops
Secure Cloud Computing and Mobile Solutions

Page 6: How Safe is Your Patient Data?

Objectives

By the end of this presentation, you will be able to:
1. Explain the importance of patient data security and the consequences of medical identity theft to nursing homes
2. Identify potential data breach scenarios in your facility
3. List the steps for protecting ePHI in your organization

Page 7: How Safe is Your Patient Data?

Disclaimer

This seminar is meant to provide information for educational purposes only.
Information presented in this seminar is not legal advice and must not be taken as such.
HIPAA rules and regulations are subject to different interpretations.
Please consult your attorney for legal advice specific to your case.

Page 8: How Safe is Your Patient Data?

Acronyms Used

HIPAA: Health Insurance Portability and Accountability Act
ePHI: Electronic Protected Health Information
CE: Covered Entity
BA: Business Associate
BAA: Business Associate Agreement

Page 9: How Safe is Your Patient Data?

Why is Data Security Important?

MEDICAL IDENTITY THEFT

Page 10: How Safe is Your Patient Data?

Medical Identity Theft

Occurs when criminals use your personal information to obtain medical services or drugs, or for fraudulent billing.
Fastest growing form of identity theft in the US.
Over 300,000 victims per year in the US.

Page 11: How Safe is Your Patient Data?

Health Information at Risk

The medical/healthcare industry is a top target for cybercriminals, accounting for 44% of the breaches (Identity Theft Resource Center 2013 study).

Nursing homes are exposed to hacker attacks: cybersecurity experts find trove of information on file-sharing web site (Wall Street Journal article, Feb 2014).

Cybercriminals know that many healthcare organizations do not have adequate security measures in place to protect confidential data.

Page 12: How Safe is Your Patient Data?

Criminals Love ePHI!

Rich in identity information.
Contains patient name, DOB, SSN, insurance policy information, credit card details, medical history, emergency contact information for family members, etc.
A complete medical record sells for $50 on the black market vs. $20 for credit card information alone.

Page 13: How Safe is Your Patient Data?

Medical Identity Theft Consequences

Financial fraud
Medical insurance fraud
Corruption of the original medical records
Denial of access to your own records

Page 14: How Safe is Your Patient Data?

Medical Identity Theft Consequences

Possible social stigma and embarrassment
Denial of insurance
Loss of reputation
Loss of time trying to get the records corrected in different healthcare systems that are not connected with each other

Page 15: How Safe is Your Patient Data?

Data Breach Costs

$$$$$$$$ in HIPAA fines, legal costs, remediation costs, loss of reputation and revenue

Page 16: How Safe is Your Patient Data?

Recent HIPAA Penalties: $4.8 million, New York Presbyterian Hospital (NYP) and Columbia University Medical Center (CU)

Cause: A physician employed by CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI.

Disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications and laboratory results, on internet search engines.
Lack of technical safeguards to check whether the server was secure; no risk analysis to identify all systems with ePHI; failure to implement appropriate policies for database access authorization; and failure to comply with its own information access management policies.

Page 17: How Safe is Your Patient Data?

Recent HIPAA Penalties

$1.7 million, Concentra Health Services

Cause: An unencrypted laptop was stolen from one of its facilities.
The company had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktops, medical equipment, tablets and other devices containing ePHI was a critical risk.
Efforts at encryption were incomplete and inconsistent over time, leaving patient ePHI vulnerable throughout the organization.
Insufficient security management processes.

Page 18: How Safe is Your Patient Data?

Recent HIPAA Penalties: $1.2 million, Health Plan, Inc.

Cause: Photocopier hard drives. Disclosure of the ePHI of 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives.

Failure to incorporate the ePHI stored on copier hard drives in its risk analysis.
Failure to implement policies and procedures when returning the hard drives to its leasing agents.

Page 19: How Safe is Your Patient Data?

Recent HIPAA Penalties: $150,000, Dermatology practice in MA

Cause: An unencrypted thumb drive containing the ePHI of 2,200 individuals was stolen from the vehicle of one of its staff members. The drive was not recovered.
Failure to conduct an accurate and thorough risk analysis as part of its security management process.
First settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the HITECH Act.

Page 20: How Safe is Your Patient Data?

Breach Report to Congress

In 2012, theft and hacking/IT incidents affected the largest numbers of individuals.

Theft continues to be one of the top causes that affects the most individuals.

Page 21: How Safe is Your Patient Data?

HIPAA Settlements: In 7 cases resulting from a breach report, HHS has entered into resolution agreements or corrective action plans totaling more than $8 million in settlements.

Page 22: How Safe is Your Patient Data?

Loss of ePHI is disastrous for your patients and your healthcare organization!

Page 23: How Safe is Your Patient Data?

Data Security & HIPAA Compliance

Page 24: How Safe is Your Patient Data?

HIPAA Security Rule

Protect the Confidentiality, Integrity and Availability of ePHI

Page 25: How Safe is Your Patient Data?

Security Rule Safeguards

Nursing homes and their business associates must implement Administrative, Physical and Technical safeguards to protect ePHI.

Each safeguard has standards. Each standard has implementation specifications that are Required or Addressable. Addressable DOES NOT mean optional: an addressable specification must be implemented where it is reasonable and appropriate, and otherwise the reason must be documented and an equivalent alternative measure put in place.

Page 26: How Safe is Your Patient Data?

Administrative Safeguards (R = Required, A = Addressable)

Standard: Implementation Specifications

Security Management Process: Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
Assigned Security Responsibility: (R)
Workforce Security: Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)
Information Access Management: Isolating Health Care Clearinghouse Functions (R); Access Authorization (A); Access Establishment and Modification (A)
Security Awareness and Training: Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
Security Incident Procedures: Response and Reporting (R)
Contingency Plan: Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedures (A); Applications and Data Criticality Analysis (A)
Evaluation: (R)
Business Associate Contracts and Other Arrangements: Written Contract or Other Arrangement (R)

Page 27: How Safe is Your Patient Data?

Physical Safeguards (R = Required, A = Addressable)

Standard: Implementation Specifications

Facility Access Controls: Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)
Workstation Use: (R)
Workstation Security: (R)
Device and Media Controls: Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)

Page 28: How Safe is Your Patient Data?

Technical Safeguards (R = Required, A = Addressable)

Standard: Implementation Specifications

Access Control: Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
Audit Controls: (R)
Integrity: Mechanism to Authenticate ePHI (A)
Person or Entity Authentication: (R)
Transmission Security: Integrity Controls (A); Encryption (A)

Page 29: How Safe is Your Patient Data?

Causes of Data Breach in SNFs

Loss or theft of laptops or mobile devices containing ePHI
Lack of appropriate authentication/audit software and controls to secure access to ePHI
Insecure medical devices and printers connected to the network
Software updates or system maintenance
Stolen passwords, or weak passwords that are easy to guess or crack
Use of insecure file sharing software/services
Use of insecure email or text messaging services
Viruses or malware in the computer system
Unintentional employee action or error
Intentional employee action
Negligence of third party service contractors

Page 30: How Safe is Your Patient Data?

Key Steps to Data Security

1. Risk Analysis
2. Access and Audit Controls
3. Encryption (Safe Harbor)
4. Mobile Device Management
5. Contingency Planning
6. Policies & Procedures
7. Training
8. Business Associate Agreements
9. Documentation

Page 31: How Safe is Your Patient Data?

1. Conduct a Risk Analysis

An accurate and thorough assessment of the potential threats and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Page 32: How Safe is Your Patient Data?

What is Risk Analysis?

1. Knowing where ePHI resides in your computer systems and how it flows through your systems.
2. Identifying potential risks to the data.
3. Taking reasonable and appropriate measures to mitigate the risks.
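Step 1, knowing where ePHI resides, usually turns up copies in shared folders, exports and mailboxes that nobody listed. The Python script below is an added example, not part of the original presentation, that walks a directory tree and reports files containing SSN-shaped values or a hypothetical "MRN-" record-number format (an assumption standing in for whatever identifier your EMR uses). The files it scans are constructed inline in a temporary directory.

```python
"""Added example: find likely ePHI lying outside the EMR.

Walks a directory tree, reads text-like files and reports the ones that
contain SSN-shaped values or a hypothetical 'MRN-nnnnnn' record number
(an assumption standing in for whatever identifier your EMR uses).
"""
import os
import re
import tempfile
from collections import Counter

# US SSN, AAA-GG-SSSS, with the structural rules the SSA applies: area not
# 000, 666 or 900-999; group not 00; serial not 0000.  Requiring the dashes
# keeps phone numbers, PO boxes and claim numbers from matching.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Hypothetical resident record-number format; replace with your EMR's own.
MRN_RE = re.compile(r"\bMRN-\d{6}\b")

PATTERNS = {"ssn": SSN_RE, "mrn": MRN_RE}
# Only files we can read as text; PDFs, images and office documents need a
# text extractor in front of scan_text().
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".eml", ".md"}


def scan_text(text):
    """Return a Counter {pattern name: match count} for the given text."""
    hits = Counter()
    for name, rx in PATTERNS.items():
        n = len(rx.findall(text))
        if n:
            hits[name] = n
    return hits


def scan_tree(root):
    """Return {relative path: Counter} for every text file with at least one hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in TEXT_SUFFIXES:
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: report separately in a real scan
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def build_sample_tree():
    """Constructed sample data for the demo; returns the temporary root."""
    root = tempfile.mkdtemp(prefix="ephi-scan-")
    samples = {
        # a billing export that should never have left the EMR
        "Shared/Billing/claims-export.csv":
            "name,ssn,mrn\nJ. Doe,123-45-6789,MRN-004412\nA. Roe,234-56-7890,MRN-004413\n",
        # a mailbox export mentioning a resident by record number
        "Shared/Billing/inbox.eml":
            "Subject: re: resident MRN-004412 labs\n\nSee attached results.\n",
        # lookalike numbers that the SSN rules reject (area 000, serial 0000)
        "Shared/phone-list.txt":
            "Front desk 555-0100\nPO Box 000-12-0000\n",
        # binary file type: skipped, not scanned
        "Shared/logo.png": "not really an image",
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, hits in sorted(scan_tree(root).items()):
        print(f"{path}: " + ", ".join(f"{k}={v}" for k, v in sorted(hits.items())))
```

Add patterns for your own identifiers (insurance member numbers, claim numbers, DOB formats), put a text extractor in front of scan_text() for PDFs and office documents, and run the scan against backup media and the hard drives of printers and copiers as well as file shares; the copier case above is exactly the kind of location such a scan is meant to surface.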

Page 33: How Safe is Your Patient Data?

O ePHI, ePHI, wherefore art thou ePHI?

Page 34: How Safe is Your Patient Data?

ePHI in Motion: Electronic Communications

Are you using web based email like Hotmail or Gmail to send ePHI?
How about text messaging?
Is the wireless internet in the facility secure?
Is staff accessing ePHI from remote locations using free/insecure Wi-Fi?

Page 35: How Safe is Your Patient Data?

2. Access and Audit Controls

Who has access to ePHI?
What are the policies/processes in place to grant individuals access to ePHI?
What technology are you using to monitor access?
How are alerts set up for monitoring unauthorized access?
Do you have audit logs to monitor access to ePHI?

Page 36: How Safe is Your Patient Data?

2. Access and Audit Controls

The Minimum Necessary Principle

Restrict ePHI access only to those people that need it to perform their jobs,
AND restrict each person's access to the minimum ePHI necessary to do their job.
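Audit logs only help if someone reviews them against the access rules. As an added example (not from the original presentation), the Python script below applies the minimum-necessary principle to an EMR audit log: it checks each access against an assumed role-to-record-section policy, flags nursing staff reading the records of residents on other units, and alerts when one user touches an unusual number of residents within an hour. The log format and the policy are constructed for the demo; real EMR audit logs differ in layout but carry the same fields.

```python
"""Added example: review an EMR audit log for minimum-necessary violations.

The log format and the role policy are constructed for the demo.  Real
EMR audit logs differ in layout, but all of them record who touched which
resident's record, what part of it, and when: enough for these checks.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Assumed minimum-necessary policy: record sections each role may touch and
# whether the user must be assigned to the resident's unit.
POLICY = {
    "nurse":   {"sections": {"clinical", "meds", "demographics"}, "own_unit_only": True},
    "cna":     {"sections": {"clinical", "demographics"},         "own_unit_only": True},
    "billing": {"sections": {"demographics", "insurance"},        "own_unit_only": False},
    "dietary": {"sections": {"diet"},                             "own_unit_only": False},
}
BULK_WINDOW = timedelta(hours=1)
BULK_THRESHOLD = 8   # distinct residents per user within the window that raises an alert

# Constructed sample log: six hand-written events plus one user paging through
# nine residents' charts late at night.
SAMPLE_LOG = (
    "ts,user,role,user_unit,action,section,resident,resident_unit\n"
    "2014-10-01T08:05:00,nurse01,nurse,A,view,clinical,R1001,A\n"
    "2014-10-01T08:06:00,nurse01,nurse,A,update,meds,R1001,A\n"
    "2014-10-01T08:20:00,bill02,billing,office,view,insurance,R1002,B\n"
    "2014-10-01T08:21:00,bill02,billing,office,view,clinical,R1002,B\n"
    "2014-10-01T09:00:00,cna03,cna,B,view,clinical,R1001,A\n"
    "2014-10-01T09:10:00,diet04,dietary,kitchen,view,diet,R1003,A\n"
    + "".join(
        f"2014-10-01T23:{minute:02d}:00,nurse05,nurse,A,view,clinical,R20{n:02d},A\n"
        for n, minute in enumerate(range(0, 45, 5), start=1)
    )
)


def parse_log(text):
    """Parse the CSV log into dicts with a datetime 'ts' field."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def check_policy(rows):
    """Per-event checks: section permitted for the role, and the same-unit rule."""
    alerts = []
    for r in rows:
        pol = POLICY.get(r["role"])
        if pol is None:
            alerts.append(("unknown_role", r["user"], r["resident"], r["role"]))
            continue
        if r["section"] not in pol["sections"]:
            alerts.append(("section_not_permitted", r["user"], r["resident"], r["section"]))
        if pol["own_unit_only"] and r["user_unit"] != r["resident_unit"]:
            alerts.append(("cross_unit", r["user"], r["resident"],
                           f"user on unit {r['user_unit']}, resident on unit {r['resident_unit']}"))
    return alerts


def check_bulk(rows):
    """Flag a user who touches BULK_THRESHOLD or more distinct residents within BULK_WINDOW."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            window = [e for e in events[i:] if e["ts"] - start["ts"] <= BULK_WINDOW]
            residents = {e["resident"] for e in window}
            if len(residents) >= BULK_THRESHOLD:
                alerts.append(("bulk_access", user, None,
                               f"{len(residents)} residents between {start['ts']} and {window[-1]['ts']}"))
                break   # one alert per user is enough for the reviewer
    return alerts


def review(text):
    """Return all alerts for a log; each is (kind, user, resident, detail)."""
    rows = parse_log(text)
    return check_policy(rows) + check_bulk(rows)


if __name__ == "__main__":
    for kind, user, resident, detail in review(SAMPLE_LOG):
        print(f"{kind:22} user={user:8} resident={resident or '-':6} {detail}")
```

The policy table is the minimum-necessary principle written down; the bulk check catches the snooping and bulk-export cases that a per-event rule cannot, and the same logic applies whether the alerts feed a SIEM or a monthly spreadsheet review.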

Page 37: How Safe is Your Patient Data?

3. Encryption

Renders your data unreadable to unauthorized users.
Needs a key (typically unlocked with a password) to access the data.
Provides a safe harbor in case of a data breach: ePHI encrypted in line with the HHS guidance is not "unsecured PHI", so its loss does not trigger breach notification, provided the decryption key was not lost or compromised along with it.

Page 38: How Safe is Your Patient Data?

3. Encryption

Addressable DOES NOT mean optional.
Is all your stored (at rest) ePHI encrypted?
Is ePHI encrypted during transmission (in motion) over the network?
If ePHI is not encrypted, what alternative safeguards do you have in place of encryption that ensure the security of the ePHI?
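To make the at-rest question concrete, here is an added Python example (not from the original presentation) that uses only the standard library: a password-derived key, an HMAC-SHA256 counter-mode keystream and an encrypt-then-MAC tag, so a wrong password or a modified file is rejected instead of yielding garbage. It is built this way only so it runs anywhere; for the safe harbor you would deploy a vetted implementation (whole-disk encryption, or AES-GCM from a maintained library) and, above all, keep the password or key off the device that holds the data. The container name EPHI1 and the sample record are assumptions for the example.

```python
"""Added example: password-based file encryption at rest, standard library only.

PBKDF2-HMAC-SHA256 stretches the password into an encryption key and a MAC
key; an HMAC-SHA256 keystream in counter mode encrypts; an HMAC tag over the
header and ciphertext (encrypt-then-MAC) rejects a wrong password or a
modified file.  Sound, but non-standard: in production use whole-disk
encryption or AES-GCM from a maintained library, as the HHS guidance expects.
"""
import hashlib
import hmac
import os

MAGIC = b"EPHI1"          # container format tag (assumed, for this example)
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERS = 200_000
HDR_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def derive_keys(password, salt):
    """Return (enc_key, mac_key), 32 bytes each, from the password and salt."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERS, dklen=64)
    return km[:32], km[32:]


def keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext, password):
    """Return MAGIC || salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)   # fresh per file
    enc_key, mac_key = derive_keys(password, salt)
    header = MAGIC + salt + nonce
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, header + ct, "sha256").digest()
    return header + ct + tag


def decrypt(blob, password):
    """Return the plaintext, or raise ValueError on a wrong password or tampering."""
    if len(blob) < HDR_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not an EPHI1 container")
    header, ct, tag = blob[:HDR_LEN], blob[HDR_LEN:-TAG_LEN], blob[-TAG_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, header + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):   # constant-time check, before any decryption
        raise ValueError("authentication failed: wrong password or data modified")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def encrypt_file(src_path, dst_path, password):
    with open(src_path, "rb") as fh:
        blob = encrypt(fh.read(), password)
    with open(dst_path, "wb") as fh:
        fh.write(blob)


def decrypt_file(src_path, password):
    with open(src_path, "rb") as fh:
        return decrypt(fh.read(), password)


if __name__ == "__main__":
    import tempfile
    # Constructed sample record.  NOTE: the safe harbor only holds if the
    # password/key is not stored alongside the encrypted file.
    record = b"Resident R1001, DOB 1931-04-02, dx: CHF, meds: furosemide 40mg\n"
    d = tempfile.mkdtemp()
    plain, enc = os.path.join(d, "R1001.txt"), os.path.join(d, "R1001.txt.ephi")
    with open(plain, "wb") as fh:
        fh.write(record)
    encrypt_file(plain, enc, "correct horse battery staple")
    print("decrypted ok:", decrypt_file(enc, "correct horse battery staple") == record)
    try:
        decrypt_file(enc, "wrong password")
    except ValueError as e:
        print("wrong password rejected:", e)
```

Two details carry over to whatever product you actually deploy: the integrity tag is checked before anything is decrypted, which is what the Security Rule's integrity standard asks for in practice, and a fresh random salt and nonce per file mean that two copies of the same record never produce the same ciphertext.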

Page 39: How Safe is Your Patient Data?

4. Manage Mobile Devices: Laptops, Smartphones, Tablets, USB drives

Usage & Disposal Policy
Encryption
Device Tracking
Remote Lock & Wipe

Wireless Internet Access
Secure Wi-Fi network for providers and staff (WPA2 with a strong passphrase; never open or WEP)
Separate guest Wi-Fi network for residents and family

Page 40: How Safe is Your Patient Data?

5. Contingency Planning

Planning and preparing for unforeseen disruptive scenarios, including natural disasters and disruptions due to power failures, server repair, etc.

Ensuring continuity of business operations and patient care.

Page 41: How Safe is Your Patient Data?

Eye Opener

70 percent of small firms that experience a major data loss go out of business within a year.
(SCORE: Counselors to America’s Small Businesses)

Page 42: How Safe is Your Patient Data?

Is Contingency Planning Required?

YES! If you are a Covered Entity or a Business Associate, under HIPAA Security Standard § 164.308(a)(7).

AND

YES! If you would like to still be in business after a disaster.

Page 43: How Safe is Your Patient Data?

Implementation Specifications

Data backup plan (Required)
Disaster recovery plan (Required)
Emergency mode operation plan (Required)
Testing and revision procedures (Addressable)
Applications and data criticality analysis (Addressable)

Page 44: How Safe is Your Patient Data?

Contingency Plan Benefits

Prevents or reduces operational downtime
Reduces business loss
Enables continuity of patient care
Enhances your reputation among patients and business partners

Page 45: How Safe is Your Patient Data?

Contingency Planning Cycle (figure)

Page 46: How Safe is Your Patient Data?

Contingency Plan

PLAN IT. IMPLEMENT IT. TEST IT REGULARLY.

DON’T LEAVE YOUR BUSINESS TO CHANCE!
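"Test it regularly" means restoring, not just backing up. The Python script below is an added example (not from the original presentation): the backup job writes a SHA-256 manifest of the backup set, and the restore test verifies a restored copy against that manifest, listing missing and corrupted files and checking the backup's age against an assumed 24-hour recovery point objective. The files it backs up, the manifest name and the RPO are all constructed for the demo.

```python
"""Added example: verify a backup by restoring it, not by trusting it.

The backup job writes a SHA-256 manifest of the backup set; the restore test
rebuilds the hashes from the restored copy and reports missing, corrupted and
unexpected files, and whether the backup is recent enough for an assumed
24-hour recovery point objective.  All files are constructed in temp dirs.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

RPO = timedelta(hours=24)   # assumed: at most one day of data may be lost


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Return {relative path: sha256} for every file under root."""
    hashes = {}
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            hashes[os.path.relpath(p, root).replace(os.sep, "/")] = sha256_file(p)
    return hashes


def build_manifest(root, taken_at=None):
    """Written by the backup job next to (not inside) the backup set."""
    taken_at = taken_at or datetime.now(timezone.utc)
    return {"taken_at": taken_at.isoformat(), "files": hash_tree(root)}


def verify_restore(manifest, restored_root, now=None):
    """Compare a restored tree with the manifest and check the backup's age."""
    now = now or datetime.now(timezone.utc)
    expected, actual = manifest["files"], hash_tree(restored_root)
    age = now - datetime.fromisoformat(manifest["taken_at"])
    return {
        "missing": sorted(set(expected) - set(actual)),
        "extra": sorted(set(actual) - set(expected)),
        "corrupt": sorted(f for f in expected if f in actual and actual[f] != expected[f]),
        "age_hours": round(age.total_seconds() / 3600, 1),
        "rpo_ok": age <= RPO,
    }


def demo():
    """Constructed scenario: a clean restore, then a damaged and stale one."""
    src = tempfile.mkdtemp(prefix="ephi-src-")
    os.makedirs(os.path.join(src, "mds"))
    files = {"mds/R1001.json": '{"resident": "R1001", "bims": 13}\n',
             "census.csv": "R1001,A\nR1002,B\n"}
    for rel, body in files.items():
        with open(os.path.join(src, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(body)
    manifest = build_manifest(src)
    manifest_path = os.path.join(tempfile.mkdtemp(prefix="ephi-manifest-"), "manifest.json")
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)          # what the backup job would store

    good = tempfile.mkdtemp(prefix="ephi-restore-")
    shutil.copytree(src, good, dirs_exist_ok=True)
    with open(manifest_path, encoding="utf-8") as fh:
        clean = verify_restore(json.load(fh), good)

    bad = tempfile.mkdtemp(prefix="ephi-restore-")
    shutil.copytree(src, bad, dirs_exist_ok=True)
    with open(os.path.join(bad, "census.csv"), "a", encoding="utf-8") as fh:
        fh.write("R9999,Z\n")                          # silent corruption
    os.remove(os.path.join(bad, "mds", "R1001.json"))  # file never made it back
    three_days_later = datetime.now(timezone.utc) + timedelta(days=3)
    stale = verify_restore(manifest, bad, now=three_days_later)
    return clean, stale


if __name__ == "__main__":
    for label, result in zip(("clean restore", "damaged + stale restore"), demo()):
        print(label, json.dumps(result))
```

Run the verification from the restore target, not from the backup server, and keep the manifest somewhere the backup job cannot overwrite; a backup that has silently been failing for weeks looks fine until the day you need it, which is the scenario the 70 percent figure above describes.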

Page 47: How Safe is Your Patient Data?

6. Policies and Procedures

Must have well documented policies and procedures that comprehensively cover the administrative, physical and technical safeguards in place to protect ePHI.

Policies should cover risk management, access control to ePHI, contingency planning, employee termination, etc.

Make sure policies and procedures are relevant and up-to-date.

Page 48: How Safe is Your Patient Data?

7. Training

Implement a policy mandating periodic training for all personnel that handle ePHI. This must include permanent staff as well as temporary and contract workers.
Conduct the training periodically and document it.
Have a sanction policy in place that clearly spells out the severe consequences for anyone not following the security policies despite receiving compliance training.

Humans can be the weakest link in the security chain!

Page 49: How Safe is Your Patient Data?

8. Business Associate Agreement

Execute a Business Associate Agreement (BAA) with all third party vendors that come in contact with your ePHI as part of the services they provide to you or on your behalf.

(These include consultants, transcription companies, billing companies, accountants, law firms, marketing companies, cloud based data backup services, etc.)

Page 50: How Safe is Your Patient Data?

Final Omnibus Rule and BAs

How many Business Associates (BAs) do you have?

Expanded BA definition
Need to have a BAA with all your BAs
BAs are directly liable for a data breach

Page 51: How Safe is Your Patient Data?

9. Documentation

Is all your HIPAA related documentation organized and easily accessible?
You will need to produce it in case of a data breach or HIPAA compliance audit.

Page 52: How Safe is Your Patient Data?

The Big Picture (figure)

Page 53: How Safe is Your Patient Data?

Security Rule Compliance

Don’t assume that if the technology is compliant, the organization is also compliant. Compliance is achieved by a combination of:
❖ Technology
❖ Policies and procedures
❖ Regular staff training
❖ Strict enforcement and sanctions
❖ Periodic review and updates
❖ Proper documentation

Page 54: How Safe is Your Patient Data?

Data Security and Compliance

Requires planning
Must be detailed
Takes coordination across different departments
Requires an investment of time
Is on-going

Page 55: How Safe is Your Patient Data?

Data Security: A Practical Approach

Immediate Action Steps
1. Conduct a comprehensive risk analysis.
2. Encrypt all ePHI.
3. Review existing security technology, policies and procedures.
4. Review your data backup & disaster recovery procedures.
5. Schedule regular staff training.

Take a step-wise approach and build a strong data security foundation.

Page 56: How Safe is Your Patient Data?

Your Options

Do it all by yourself and/or get outside help when needed. Example: You can use ready-made policy templates, but you need to customize them to your organization.

GOAL: Implement reasonable and appropriate security measures for your organization.

Page 57: How Safe is Your Patient Data?

THANK YOU

Sameer Sule, President, Kinara Insights

Author: “Protecting Electronic Health Information: A Practical Approach to Patient Data Security in Your Healthcare Practice”
Amazon: http://www.amazon.com/author/sameersule
Email: [email protected]
Blog: www.kinarainsights.com/blog
LinkedIn: http://www.linkedin.com/pub/sameer-sule/7/b1b/511
Twitter: @sameersule

Page 58: How Safe is Your Patient Data?

Harmony Healthcare International

Register online http://info.harmony-healthcare.com/harmony2014

or by phone (978) 887-8919 ext. 13
