Information Risk Management: Key Component for HIPAA Security Compliance

CHIA, June 2004. Ann Geyer, Tunitas Group, 209-754-9130. Transcript of a 16-slide PowerPoint presentation (provided by AnnG7).

1
Information Risk Management: Key Component for HIPAA Security Compliance
  • Ann Geyer, Tunitas Group, 209-754-9130, ageyer@tunitas.com, www.tunitas.com

2
Federal Law Mandates Security Controls for Health Information
  • HIPAA Statutory Requirement -- 1996
    • General requirement to safeguard all PHI
    • Framework for security regulation
  • Privacy Rule -- 2003
    • General requirement for administrative, physical, and technical safeguards
    • Covers all PHI (paper, electronic, spoken)
    • Emphasis on patient rights and appropriate use
  • Security Rule -- 2005
    • Specific standards and implementation specifications
    • Covers electronic PHI
    • Emphasis on confidentiality, integrity, and availability

3
Information Subject to Security Rule
  • Electronic Protected Health Information (EPHI)
    • Is PHI that is electronically maintained or transmitted by a Covered Entity
    • PHI is any individually identifiable information about a patient that is created, received, processed, or stored by a health plan, clearinghouse, or healthcare provider (or their business associates)
  • Not included
    • Any PHI that is not stored electronically, and
    • Information that was not in electronic form prior to transmission (e.g. oral communications, telephone conversations, paper faxes, film images)

4
HIPAA Security Purpose
  • Ensure Confidentiality, Integrity (Authenticity)
    and Availability
  • Information security is now a patient safety
    requirement
  • Elevate Information Risk Management to the level
    of other compliance areas

5
HIPAA Security Rule
  • General Rule 164.306(a)
  • Covered Entities must
    1. Ensure the confidentiality, integrity/authenticity, and availability of all electronic protected health information (EPHI) the CE creates, receives, maintains, or transmits
    2. Protect against any reasonably anticipated threats or hazards to the security or integrity/authenticity of EPHI
    3. Protect against any reasonably anticipated uses or disclosures of EPHI that are prohibited by the HIPAA Privacy Rule
    4. Ensure compliance by the workforce

6
General Rule Significance
  • Congress intends the Rule to set a high standard
    • "Ensure" means "to make inevitable"
  • But the Rule also permits flexibility, 164.306(b)
    • CE may use any measures that implement the Rule requirements, and
    • CE must take into account certain factors
      • Size, complexity, and capabilities
      • Technical infrastructure, hardware and software security capabilities
      • Costs of security measures
      • Probability and criticality of potential risks

7
Acceptable Level of Risk
  • CE must use a formal risk analysis methodology to determine the acceptable level of risk
  • CE can live within the limits of existing IS capabilities, or current limitations that permit undue risks must be changed
  • The risk mitigation costs too much, or the CE didn't allocate sufficient budget to address the risk
  • CE can reject security measures that are too complex, or CE must develop the skills and experience to apply the best available measures

8
Security Compliance
  • Compliance means a well designed and integrated Information Risk Management program
    • Necessary to demonstrate understanding of risks to the EPHI
    • CE must conduct an accurate and thorough assessment of the potential risks and vulnerabilities, 164.308(a)(1)(ii)(A)
  • Non-compliant if
    • Not thorough -- failure to consider all significant threats
    • Not accurate -- failure to adequately estimate the likelihood or impact of a threat
    • Not responsive -- failure to mitigate risk to an acceptable level

9
Information Risk Management
  • Program Components
    1. Risk Assessment
      • Determine the risk level
    2. Risk Mitigation
      • Identify how risk will be reduced to an acceptable level
    3. Information Management Policy and Procedures
      • Combination of privacy and security policy that accomplishes the following
        • Prevents PHI use or disclosure without authorization
        • Prevents PHI modification or tampering that could result in integrity/authenticity or availability issues
        • Ensures workforce is trained, supervised, monitored, and appropriately sanctioned
        • Ensures organization is able to monitor PHI activity to determine when and how a compromise has occurred, and
        • Ensures known risks are appropriately addressed

10
Information Risk Management
  • Program Components
    4. Standards
      • Establish minimum security control sets based on risk classification
      • Develop a process for requesting and approving deviation from a required control set
    5. Audit and/or Re-assessment
      • Periodically evaluate whether safeguards and minimum control sets are still effective
      • Determine whether a new risk assessment is warranted
      • Audit high risk areas, known problem areas, new technology, new applications
    6. Management Review
      • Objective and conflict-free
      • Focused on acceptable risk
      • Clearly considers patient safety and confidentiality factors

11
Information Risk Management
  • What's Acceptable Risk?
    • Rule says acceptable risk is that which satisfies the General Rule 164.306(a)
    • No objective standard -- organization must rely on industry best practices and its own determination of risk and consequences
  • Key Organizational Requirements
    • Understand how information security failures impact the organization
      • Patient care and safety
      • Revenue lifecycle
      • Management and financial functions
      • Operations and workflow
      • Compliance, risk management, legal

12
Risk-based Business Decisions
  • Would you manage differently if you knew that PHI would be compromised?
    • HIPAA expects PHI to be treated as securely as financial or tax information
    • Healthcare organizations will be evaluated on the basis of how well they manage their fiduciary responsibilities to protect patient information
  • Electronic PHI is becoming the norm
    • Email and data transfer
    • EMR, CPOE, E-prescriptions, PAMF online for patients, Sutter's virtual ICU
    • Securing EPHI has to become as important as paper-based records management

13
Conducting a Risk Analysis
  • Risk Assessment
    • Impact Analysis (Business Manager)
      • What is the business impact of a loss of confidentiality, integrity, availability?
    • Exposure and Controls (Technical Manager)
      • Where is the system located?
      • What are the big picture exposures?
      • What security controls are in place?

14
Conducting a Risk Analysis
  • Risk Mitigation
    • Risk Characterization (Security, Compliance, Risk Management or Other Management)
      • Greatest impact determines the required security level
      • Security level determines the required control set
      • Risk is mitigated by the implementation of a control
      • Missing controls create unaddressed risk
    • Organizational risk decisions
      • Accept the risk (not implement a control)
      • Mitigate the risk (fix a missing control)
      • Reduce the exposure (isolate the system)
      • Reduce the impact (reduce dependency)
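
The risk characterization on slides 13 and 14 can be written down as a small model: the greatest of the confidentiality, integrity and availability impacts sets the security level, the level selects a minimum control set, and whatever is required but not in place is unaddressed risk. The code below is an added example written for this transcript, not material from the presentation or from Tunitas Group. The three-point impact scale, the control names in each control set, and the "EMR" sample system are constructed assumptions; a real program would take them from its own standards (slide 10, component 4).

```python
"""Risk characterization model (added example; control sets and sample data are assumed)."""
from dataclasses import dataclass, replace
from enum import IntEnum


class Impact(IntEnum):
    """Business impact of losing a security property (assumed three-point scale)."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Assumed minimum control sets per security level; each level includes the
# level below it. The control names are illustrative, not from the deck.
_LOW_CONTROLS = frozenset({"unique user ids", "automatic logoff", "workforce training"})
_MODERATE_CONTROLS = _LOW_CONTROLS | {"audit logging", "encryption in transit"}
_HIGH_CONTROLS = _MODERATE_CONTROLS | {
    "encryption at rest", "tested backup and restore", "periodic access review",
}
CONTROL_SETS = {
    Impact.LOW: _LOW_CONTROLS,
    Impact.MODERATE: _MODERATE_CONTROLS,
    Impact.HIGH: _HIGH_CONTROLS,
}

# The four organizational risk decisions from slide 14.
RISK_DECISIONS = ("accept", "mitigate", "reduce exposure", "reduce impact")


@dataclass(frozen=True)
class SystemAssessment:
    name: str
    confidentiality: Impact          # from the business manager's impact analysis
    integrity: Impact
    availability: Impact
    controls_in_place: frozenset     # from the technical manager's exposure/controls review


def security_level(a: SystemAssessment) -> Impact:
    """Greatest impact across C, I and A determines the required security level."""
    return max(a.confidentiality, a.integrity, a.availability)


def required_controls(a: SystemAssessment) -> frozenset:
    """Security level determines the required control set."""
    return CONTROL_SETS[security_level(a)]


def missing_controls(a: SystemAssessment) -> frozenset:
    """Required but not in place: these are the unaddressed risks."""
    return frozenset(required_controls(a) - a.controls_in_place)


def characterize(a: SystemAssessment) -> dict:
    """Risk characterization record; decision options apply only when a gap exists."""
    missing = missing_controls(a)
    return {
        "system": a.name,
        "security_level": security_level(a).name,
        "required_controls": sorted(required_controls(a)),
        "missing_controls": sorted(missing),
        "unaddressed_risk": bool(missing),
        "decision_options": list(RISK_DECISIONS) if missing else [],
    }


def mitigate(a: SystemAssessment, *controls: str) -> SystemAssessment:
    """'Mitigate the risk': record newly implemented controls and re-characterize."""
    return replace(a, controls_in_place=a.controls_in_place | frozenset(controls))


def reduce_impact(a: SystemAssessment, **new_impacts: Impact) -> SystemAssessment:
    """'Reduce the impact': lower one or more impact ratings (reduced dependency),
    which can lower the security level and therefore the required control set."""
    return replace(a, **new_impacts)


# Constructed sample system: an EMR with high C and I impact and a partial control set.
EMR = SystemAssessment(
    name="EMR",
    confidentiality=Impact.HIGH,
    integrity=Impact.HIGH,
    availability=Impact.MODERATE,
    controls_in_place=frozenset({
        "unique user ids", "automatic logoff", "workforce training", "audit logging",
    }),
)

if __name__ == "__main__":
    for label, system in [
        ("as assessed", EMR),
        ("after mitigation", mitigate(EMR, *missing_controls(EMR))),
        ("after reducing C/I dependency", reduce_impact(
            EMR, confidentiality=Impact.MODERATE, integrity=Impact.MODERATE)),
    ]:
        print(label, characterize(system))
```

Running the block shows the same system characterized three ways: as assessed (HIGH level, four missing controls, all four decision options open), after mitigation (no gap), and after reducing the confidentiality and integrity dependency to MODERATE (the level drops, the required set shrinks, and only one control is missing). The re-characterization after each decision is the point: a decision is not complete until the record is recomputed against the control set the new level requires.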

15
Conclusion
  • Information Risk Management
    • Represents the basic set of responsibilities for addressing information security
    • Permits each organization to determine the specific details of how to best achieve an acceptable security level
  • Important to take security seriously -- integrate security requirements into all aspects of information use within the organization
    • Business functions must learn how to make risk-based operational decisions
    • Using PHI without due regard for its security is no longer an option