2/21/2012

HIPAA SECURITY SPOT AUDITS BEGIN: CHICKEN LITTLES AND ANNUAL TRADITIONS
KENNETH N. RASHBAUM, ESQ.
RASHBAUM ASSOCIATES, LLC
www.rashbaumassociates.com

BREACHES MUNDANE AND COMPLEX
Increasing Incidents Of Protected Health Information Loss Through Negligence
Lost, Unencrypted Portable Media (laptops, USB’s, Portable Hard Drives, Smartphones, etc.)
Virus Infection Shuts Down Hospital in Georgia
“Worm” Introduced Through USB Blocked Access to EMR
Potential For Disclosures Of PHI Via Virus (HIPAA Violation)

CYBER-ATTACKS: SECURITY AFFECTS PATIENT SAFETY
Chicago Hospital Shut Down In 2006 As Attack Crippled Vital Systems
Hospital Security Guard Obtains Password For HVAC system, Tampers, Raising And Lowering Temperatures To Dangerous Levels
Potential Exists For Attacks On Vital Systems, Such As ICU, Monitors, Etc.

HIPAA SECURITY COMPLIANCE
Physical, Technical And Administrative Safeguards Required
Documentation and Documented Training
Current HIPAA Security Risk Analysis (as per Guidance from U.S. Dept. of Health and Human Services, “DHHS”)
NB: Some State Privacy and Security Laws Are Stricter Than HIPAA (i.e., MA, NC, NY, CA)

Challenges to Compliance
Diverse set of content contributors
Content changes all day, every day
Documents uploaded / edited
Chart entries
Email communications
Social collaboration through blogs, wikis
External and internal website content
80 percent of enterprise content is unstructured and growing at 36 percent a year. - Doculabs

SECURITY ENFORCEMENT INCREASING
DHHS Office For Civil Rights Spot Audit Program Through 2012
Targets Covered Entities AND Business Associates
Audits Outsourced to KPMG
System Audited, But Also Policies and Procedures
Random Interviews Will Be Conducted
Breach Response Protocols Will Be A Target Of Audit

SURVIVING THE SPOT AUDIT
Prepare BEFORE The Audit Notice Arrives
Retain Outside Entities To Prepare Hospital Or Company For Audit (Review of Protocols, Etc.)
Conduct Mock Audit (Report Through Counsel For Attorney-Client Privilege Where Applicable)
Remediate Vulnerabilities And Compliance Gaps

SECURITY TAKES A TEAM
Information Security Is An Interdisciplinary Initiative
Culture of Privacy and Compliance Requires A Culture of Security
Assemble the Information Security Team
IT
Health Information Management and Clinicians
Legal: In-House And Outside Counsel
Outside Security Consultants/Vendors

SECURITY TEAM ASSESSMENTS
Data Map: Where Is Your PHI?
Many Locations Including Portable Media
Systems “Off the Grid”
Tools and Applications
Access Controls
Encryption
De-Identification Where Practicable
Penetration Analyses
Are Policies and Procedures Comprehensive and Current?
Business Associate Compliance

CONCLUSION PROACTIVITY SAVES TIME AND MONEY
Assemble Security Assessment Team Now
Security Analysis Is A Requirement For Accessing HITECH Incentive Funds (“Meaningful Use”)
Remediate Vulnerabilities Before Breaches Occur And Before Audit Notice Is Received
Reminder Training And Notices Enable A Culture Of Security And, With It, Privacy

QUESTIONS?
KENNETH N. RASHBAUM, ESQ.
Rashbaum Associates, LLC
212-421-2823
krashbaum@rashbaumassociates.com
www.rashbaumassociates.com
Twitter: @RashbaumAssoc