Title: Information Risk Management Key Component for HIPAA Security Compliance
Information Risk Management: Key Component for HIPAA Security Compliance
- Ann Geyer, Tunitas Group, 209-754-9130, ageyer_at_tunitas.com, www.tunitas.com
Federal Law Mandates Security Controls for Health Information
- HIPAA Statutory Requirement -- 1996
  - General requirement to safeguard all PHI
  - Framework for security regulation
- Privacy Rule -- 2003
  - General requirement for administrative, physical, and technical safeguards
  - Covers all PHI (paper, electronic, spoken)
  - Emphasis on patient rights and appropriate use
- Security Rule -- 2005
  - Specific standards and implementation specifications
  - Covers electronic PHI only
  - Emphasis on confidentiality, integrity, and availability
Information Subject to the Security Rule
- Electronic Protected Health Information (EPHI)
  - Is PHI that is electronically maintained or transmitted by a Covered Entity
  - PHI is any individually identifiable health information about a patient that is created, received, processed, or stored by a health plan, clearinghouse, or healthcare provider (or their business associates)
- Not included
  - Any PHI that is not stored electronically, and
  - Information that was not in electronic form prior to transmission (e.g., oral communications, telephone conversations, paper faxes, film images)
HIPAA Security Purpose
- Ensure confidentiality, integrity (authenticity), and availability
- Information security is now a patient safety requirement
- Elevate Information Risk Management to the level of other compliance areas
HIPAA Security Rule
- General Rule, 164.306(a)
- Covered Entities (CEs) must
  1. Ensure the confidentiality, integrity (authenticity), and availability of all electronic protected health information (EPHI) the CE creates, receives, maintains, or transmits
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity (authenticity) of EPHI
  3. Protect against any reasonably anticipated uses or disclosures of EPHI that are not permitted by the HIPAA Privacy Rule
  4. Ensure compliance with the Rule by the workforce
General Rule Significance
- Congress intends the Rule to set a high standard
  - "Ensure" means to make inevitable
- But the Rule also permits flexibility, 164.306(b)
  - CE may use any measures that reasonably and appropriately implement the Rule requirements, and
  - CE must take into account certain factors
    - Size, complexity, and capabilities
    - Technical infrastructure, hardware, and software security capabilities
    - Costs of security measures
    - Probability and criticality of potential risks to EPHI
Acceptable Level of Risk
- CE must use a formal risk analysis methodology to determine the acceptable level of risk
- Flexibility is not a license to leave undue risk in place; each convenient reading has a compliance counterpart:
  - Either the CE can live within the limits of existing IS capabilities, or current limitations that permit undue risks must be changed
  - Either the risk mitigation costs too much, or the CE did not allocate sufficient budget to address the risk
  - Either the CE can reject security measures that are too complex, or the CE must develop the skills and experience to apply the best available measures
Security Compliance
- Compliance means a well designed and integrated Information Risk Management program
  - Necessary to demonstrate understanding of the risks to EPHI
  - CE must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to EPHI, 164.308(a)(1)(ii)(A)
- Non-compliant if
  - Not thorough -- failure to consider all significant threats
  - Not accurate -- failure to adequately estimate the likelihood or impact of a threat
  - Not responsive -- failure to mitigate risk to an acceptable level
Information Risk Management
- Program Components
  1. Risk Assessment
    - Determine the risk level
  2. Risk Mitigation
    - Identify how risk will be reduced to an acceptable level
  3. Information Management Policy and Procedures
    - Combination of privacy and security policy that accomplishes the following
      - Prevents PHI use or disclosure without authorization
      - Prevents PHI modification or tampering that could result in integrity/authenticity or availability issues
      - Ensures the workforce is trained, supervised, monitored, and appropriately sanctioned
      - Ensures the organization is able to monitor PHI activity to determine when and how a compromise has occurred, and
      - Ensures known risks are appropriately addressed
Information Risk Management
- Program Components (continued)
  4. Standards
    - Establish minimum security control sets based on risk classification
    - Develop a process for requesting and approving deviation from a required control set
  5. Audit and/or Re-assessment
    - Periodically evaluate whether safeguards and minimum control sets are still effective
    - Determine whether a new risk assessment is warranted
    - Audit high-risk areas, known problem areas, new technology, new applications
  6. Management Review
    - Objective and conflict-free
    - Focused on acceptable risk
    - Clearly considers patient safety and confidentiality factors
Information Risk Management
- What's Acceptable Risk?
  - The Rule says acceptable risk is that which satisfies the General Rule, 164.306(a)
  - No objective standard; the organization must rely on industry best practices and its own determination of risk and consequences
- Key Organizational Requirements
  - Understand how information security failures impact the organization
    - Patient care and safety
    - Revenue lifecycle
    - Management and financial functions
    - Operations and workflow
    - Compliance, risk management, legal
Risk-based Business Decisions
- Would you manage differently if you knew that PHI would be compromised?
- HIPAA expects PHI to be treated as securely as financial or tax information
- Healthcare organizations will be evaluated on the basis of how well they manage their fiduciary responsibilities to protect patient information
- Electronic PHI is becoming the norm
  - Email and data transfer
  - EMR, CPOE, e-prescriptions, PAMF Online for patients, Sutter's virtual ICU
- Securing EPHI has to become as important as paper-based records management
Conducting a Risk Analysis
- Risk Assessment
  - Impact Analysis (Business Manager)
    - What is the business impact of a loss of confidentiality, integrity, or availability?
  - Exposure and Controls (Technical Manager)
    - Where is the system located?
    - What are the big-picture exposures?
    - What security controls are in place?
Conducting a Risk Analysis
- Risk Mitigation
  - Risk Characterization (Security, Compliance, Risk Management, or other management)
    - The greatest impact determines the required security level
    - The security level determines the required control set
    - Risk is mitigated by the implementation of a control
    - Missing controls create unaddressed risk
  - Organizational risk decisions
    - Accept the risk (do not implement a control)
    - Mitigate the risk (implement a missing control)
    - Reduce the exposure (isolate the system)
    - Reduce the impact (reduce dependency on the system)
Conclusion
- Information Risk Management
  - Represents the basic set of responsibilities for addressing information security
  - Permits each organization to determine the specific details of how best to achieve an acceptable security level
- It is important to take security seriously: integrate security requirements into all aspects of information use within the organization
- Business functions must learn how to make risk-based operational decisions
- Using PHI without due regard for its security is no longer an option