Industry Benchmarks - PowerPoint PPT Presentation

1
Security Implementation Case Studies
May 7, 2004 HIPAA COW Spring Conf.
2
Agenda
  • Risk Analysis- Key Points Process Review
  • Case Study from the Small Provider Perspective
  • Case Study of a large Health System
  • Comparisons
  • Questions

3
General Requirements
  • Ensure:
  • Confidentiality: Only the right people see it.
  • Integrity: The information is what it is supposed
    to be; it hasn't been changed.
  • Availability: The right people can see it when
    needed.

4
Security is Flexible and Scalable
  • Each organization's security program should be
    based on that organization's risk.
  • Security solutions should be based on
    circumstances such as size, complexity, cost
    and capabilities.
  • Security controls should be proportionate to
    risks.

5
Regulation Themes
  • Scalable and Flexible: Designed to protect
    electronic data at rest and in transit.
  • Covered entities can take into account:
  • Size
  • Complexity
  • Capabilities
  • Technical Infrastructure
  • Cost of procedures to comply
  • Potential security risks

6
Regulation Themes
  • Technology Neutral
  • What needs to be done, not how
  • Need to keep moving forward
  • Comprehensive
  • Not just technical aspects, but behavioral as well

7
What are the Standards?
  • Three Security Categories
  • Administrative
  • 12 Required, 11 Addressable
  • Physical
  • 4 Required, 6 Addressable
  • Technical
  • 4 Required, 5 Addressable

8
Addressable
  • If an implementation specification is
    addressable, a covered entity can
  • Implement, if reasonable and appropriate
  • Implement an equivalent measure, if reasonable
    and appropriate
  • Implement a combination of both
  • Not implement it, based on sound, documented
    reasoning from a risk analysis

9
Process of Implementation
  • Awareness
  • Learning the requirements
  • Risk Analysis / Gap Analysis
  • Identifying how current practices differ from the
    requirements
  • Remediation
  • Deciding and documenting the changes necessary in
    order to comply with the requirements

10
Steps to Implementation
  • Training
  • Teaching people what they need to do differently,
    to make the organization compliant with the
    requirements
  • Maintenance
  • Periodic evaluation of people's understanding of
    new procedures, retraining and correction, and
    periodic review of the requirements to identify
    any changes

11
Risk Analysis
  • Why: Why do I have to do this?
  • When: When does it have to be done? How long
    will it take?
  • What: What exactly do I have to do?
  • How: How can it be accomplished? What tools do
    I need?

12
Why?
  • Is this required by the regulations?
  • YES
  • See 68 FR 8346 (Vol. 68, No. 34, February 20,
    2003): "In this final rule, risk analysis is
    adopted as a required implementation
    specification."
  • Inaccurate information can lead to a
    misdiagnosis or improper treatment.

13
When?
  • When does it have to be done?
  • If your compliance implementation date is April
    21, 2005
  • Consider time to train and implement Security
    requirements
  • Consider time to investigate and choose any
    technical solutions
  • Consider time and resources to determine which
    solutions and areas of the organization are
    responsible
  • Consider that, on average, the gap analysis/risk
    analysis may take weeks, depending upon your
    organization's size.
  • Consider conducting it between now and mid-Summer
    2004

(Timeline graphic: TODAY to 4/21/05)
14
Scalable and Flexible?
  • What do the Regs say?
  • The Risk Analysis must look at risks to the
    covered entity's electronic protected health
    information. A thorough and accurate risk
    analysis would consider all relevant losses that
    would be expected if the security measures were
    not in place. Relevant losses would include
    losses caused by unauthorized uses and
    disclosures and loss of data integrity that would
    be expected to occur absent the security measure.

15
What Exactly Needs to Be Done?
  • Consider the difference between a Risk Analysis
    and Risk Assessment
  • Regulation Definition of Risk Analysis: Conduct
    an accurate and thorough assessment of the
    potential risks and vulnerability to the
    confidentiality, integrity, and availability of
    electronic protected health information held by
    the covered entity.
  • The terms are used interchangeably, but:
  • Risk Analysis: Assess the environment and how it
    protects health information, using the regulations
    as a starting point. (This is more of a HIPAA
    term.)
  • Risk Assessment: Allows for a much broader and
    more detailed review of the vulnerabilities and
    access points of the technical system. (This is
    more of a standard industry term.)

16
What has to be secured?
  • One needs to define what is being protected.
  • Protected Health Information is an ASSET
  • An asset is what the organization values and
    wishes to protect in order to stay in business!
  • Examples can include
  • Mission- Services
  • Data- PHI/ Financial
  • Hardware/software
  • Bricks and Mortar
  • Personnel
  • Assets can be defined in terms of quantity and
    quality, and exact values can be documented.

17
Consider Loss of Assets
  • Losses can be categorized in different ways:
  • Direct losses (9/11)
  • Delays or denials of service (due to a computer
    virus)
  • Loss of reputation due to inappropriate
    disclosure of PHI
  • Data altered or destroyed (loss of
    integrity)
  • Losses can be direct or hard costs (the cost to
    replace a computer) and indirect (the cost of
    personnel working overtime to fix a computer
    virus problem and to make up for the downtime
    interruption of business operations). Indirect
    losses can also be intangible, e.g. the cost of
    embarrassment or loss of reputation.
  • Losses can also be defined in terms of cost and
    criticality.

18
Consider Threats
  • Threat: The potential for a threat-source to
    exercise (accidentally trigger or intentionally
    exploit) a specific vulnerability.
  • Threat-Source: Either (1) intent and method
    targeted at the intentional exploitation of a
    vulnerability, or (2) a situation and method that
    may accidentally trigger a vulnerability.

19
A Threat May Be
  • An activity
  • A process
  • An event, or even something related to a substance
  • Consider natural threats:
  • Earthquakes, floods, thunderstorms, hurricanes
  • Consider accidental threats:
  • Contamination
  • Consider human accidental and/or malicious threats:
  • Bomb, terrorist, theft, vandalism
  • Consider the frequency of threats as well as the
    level of criticality

20
The Risk Analysis Process
  • Allows an organization to consider its assets,
    its business and their relation to PHI, compared
    with the probability of the threat of loss.
  • The process must be conducted in such a manner
    that it is scalable for the organization.
  • It must be well documented. It should be the
    catalyst for all other HIPAA security remediation
    activities (including completion of the policies
    and procedures).

21
Consider Level of Review
  • Cross-Walk Development:
  • Between the NIST 800-53 Series and the HIPAA
    Security Requirements
  • Includes other industry-recommended guidelines

22
Also Consider
  • Use of Regulations Chart
  • Policy and Procedure Checklist
  • NCHICA
  • Secorix and others
  • Put together a process that works for YOUR
    organization

23
HIPAA Security
  • Risk Analysis
  • Case Study for the Small Provider
  • Presented by
  • Lesley Berkeyheiser
  • Principal, The Clayton Group LLC

24
Standards and Policies
  • Follow the Clayton Group HIPAA Security Template
    Checklist/ Use the Chart

25
Now A Look
From the Small Provider Perspective
26
Purpose of Case Study
  • To Determine the level of detail a smaller
    provider needs to review in order to
    comprehensively assess its environment, potential
    threats and risks related to protecting PHI.
  • Assess the number and types of resources needed
    to accomplish the risk analysis and confirm
    estimated timeframes for completion.

27
Small v. Large Practice
  • Security Regulations do allow for scalability
  • Cost of compliance can be a factor
  • Probability of risk can be a factor
  • Required v Addressable
  • Regulations are technology neutral

28
Practice Description
  • Specialty Practice
  • 50 FTEs
  • 8 Physicians
  • 6 Nurse Practitioners
  • 36 Support Staff
  • 4 Locations
  • Hospital Affiliation

29
Security Environment
  • Once the right team was established, the
    environment needed to be assessed.
  • Begins with access points: a review of the ways
    ePHI is utilized in the Practice.
  • Enhanced communication between business and
    systems representatives.
  • Validated capabilities of the systems as compared
    to the current ways the systems are being used.

30
Assets and Threats
  • Discussion of Assets
  • ePHI, paper patient charts, workforce, buildings,
    hardware, software, etc.
  • Focus on ePHI access points
  • Discussion of Threats
  • Natural, human and environmental
  • (cold, frost, snow / vandalism / chemical
    contamination)
  • Rated NA, Low, Medium and High

31
Review of Safeguards
  • Mix the ingredients together
  • Security Environment Findings
  • Assets, threats and determined risk level
  • Requirements and current safeguards
  • In Order to Document Risk Analysis
  • Prioritize Work Plan
  • Begin Remediation
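The slides above describe the risk analysis as a procedure (list assets, list the threats to each, rate frequency and criticality on the NA/Low/Medium/High scale, credit the safeguards already in place, then prioritize the work plan) but do not show how the pieces combine into a risk level. The following is an added worked example of that procedure, not code from the presentation nor from any of the tools it names (Secorix, NCHICA, the Clayton Group templates). The frequency-times-criticality score, the safeguard "effectiveness" fraction and the expected-loss formula are this example's own assumptions, and the register of assets, threats, ratings and dollar figures is constructed for illustration, not data from the case study.

```python
"""Added worked example of the slides' risk-analysis process.

Assumptions (not from the presentation): inherent risk is the product of the
frequency and criticality ratings; each existing safeguard removes an
estimated fraction of the remaining risk; expected annual loss is
events-per-year x (direct + indirect cost) x the fraction of risk left.
All register entries below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List

# Ordinal scale from the "Assets and Threats" slide of the small-practice case study.
RATING = {"NA": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass
class Safeguard:
    """A control already in place and the share of the risk the analyst judges
    it removes (0.0 = none, 1.0 = all). The figure is an estimate and must be
    written down with its justification, like every other input."""
    name: str
    effectiveness: float


@dataclass
class Risk:
    """One asset/threat pair in the risk register."""
    asset: str              # what is protected: ePHI, charts, hardware, building, staff
    threat: str             # natural, human or environmental threat to that asset
    frequency: str          # NA/Low/Medium/High: how often the threat is expected
    criticality: str        # NA/Low/Medium/High: impact on the practice if it occurs
    annual_events: float    # expected occurrences per year (quantitative view)
    direct_cost: float      # hard cost per event, e.g. replacing a computer
    indirect_cost: float    # overtime, downtime, embarrassment, lost reputation
    safeguards: List[Safeguard] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Qualitative risk before controls: frequency x criticality, 0..9."""
        return RATING[self.frequency] * RATING[self.criticality]

    def remaining_fraction(self) -> float:
        """Share of the inherent risk left after crediting current safeguards."""
        remaining = 1.0
        for s in self.safeguards:
            remaining *= 1.0 - s.effectiveness
        return remaining

    def residual_score(self) -> float:
        """Inherent score scaled by what the safeguards leave behind."""
        return self.inherent_score() * self.remaining_fraction()

    def level(self) -> str:
        """Map the residual score back onto the NA/Low/Medium/High scale."""
        r = self.residual_score()
        if r == 0:
            return "NA"
        if r <= 2:
            return "Low"
        if r <= 4:
            return "Medium"
        return "High"

    def annual_loss(self) -> float:
        """Expected yearly loss: events/year x (direct + indirect) x remaining."""
        per_event = self.direct_cost + self.indirect_cost
        return self.annual_events * per_event * self.remaining_fraction()


def work_plan(risks: List[Risk]) -> List[Risk]:
    """Prioritize remediation: highest residual rating first, then highest
    expected loss. NA items sink to the bottom but stay in the record, since
    the reasoning behind every rating has to be documented."""
    return sorted(risks, key=lambda r: (-r.residual_score(), -r.annual_loss()))


def build_register() -> List[Risk]:
    """Constructed register for a small multi-site practice (sample data)."""
    return [
        Risk("ePHI on practice server", "computer virus", "High", "High",
             annual_events=2.0, direct_cost=2_000, indirect_cost=8_000,
             safeguards=[Safeguard("antivirus, updated weekly", 0.5)]),
        Risk("ePHI", "inappropriate disclosure by workforce", "Medium", "High",
             annual_events=0.3, direct_cost=0, indirect_cost=50_000,
             safeguards=[Safeguard("role-based access", 0.4)]),
        Risk("paper charts at satellite office", "flood", "Low", "Medium",
             annual_events=0.1, direct_cost=5_000, indirect_cost=20_000),
        Risk("clinic building", "vandalism", "Medium", "Low",
             annual_events=1.0, direct_cost=500, indirect_cost=500,
             safeguards=[Safeguard("alarm system", 0.3)]),
        Risk("workforce laptops with ePHI", "theft", "Medium", "High",
             annual_events=0.5, direct_cost=1_500, indirect_cost=30_000,
             safeguards=[Safeguard("full-disk encryption", 0.9)]),
        Risk("server room", "earthquake", "NA", "High",
             annual_events=0.0, direct_cost=50_000, indirect_cost=100_000),
    ]


if __name__ == "__main__":
    for r in work_plan(build_register()):
        controls = ", ".join(s.name for s in r.safeguards) or "none"
        print(f"{r.level():6} {r.residual_score():4.1f} ${r.annual_loss():>8,.0f}  "
              f"{r.asset} / {r.threat} (safeguards: {controls})")
```

Running it prints the register in work-plan order: the virus threat to the server stays High even with antivirus in place, the workforce-disclosure risk lands at Medium, and laptop theft drops to Low only because the register credits full-disk encryption with removing most of the loss. That last line is the point of writing the safeguard estimate down: if the encryption is not actually deployed on every laptop, the Low rating is unsupported and the auditor will ask for the evidence behind it.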

32
Case Study Findings
  • Just because a Practice is smaller doesn't mean
    the process is faster!
  • Titles and language change, but the process and
    accountability are the same as in a large
    organization.
  • Communication between IT and the Practice Manager
    is the key.
  • Threats are tricky. Risk Assessment allows for
    prioritization of work.

33
Large Hospital Case Study
  • Sisters of Mercy
  • Parent Organization
  • St. John's Health System
  • 18 Hospitals
  • 150 Clinics
  • Many affiliated practices
  • No common HIS (hospital information system)
  • Multiple Vendors
  • Regional / Metropolitan facilities
  • Missions

34
St. John's Health System
  • Hospitals
  • Clinics / Providers' Offices
  • Home Health / Home Care
  • TPA (third-party administrator)
  • DME (durable medical equipment)
  • Home Infusion
  • Pharmacy

35
Large Hospital System - Approach
  • Security program already underway since 2000
  • Core team at flagship hospital providing guidance
    across the enterprise
  • Formal, rigorous methodology
  • PCI Security JumpStart(SM)
  • Formal project management
  • Detailed reporting
  • Outside experts
  • Enterprise-wide strategy
  • Some things done centrally, others locally

36
Large Hospital System - Strategy
  • True strategic approach to security
  • It's the right thing to do
  • HIPAA
  • NIST
  • ISO
  • JCAHO
  • Leverage existing security program already
    underway
  • Centralized development of P&Ps (policies and
    procedures)
  • Pushed out to facilities, practices, et al.
  • Centralized project management under an
    enterprise-wide Security committee

37
Central v. Local
  • Central:
  • Education: Train-the-trainer
  • P&P Development
  • Tool selection and procurement
  • System selection and procurement
  • Global disaster recovery and business continuity
    policy
  • General asset/threat categories
  • Local:
  • Facility walkthroughs
  • Intrusion detection efforts
  • Site-specific disaster recovery and business
    continuity planning
  • Site-specific asset/threat identification and
    prioritization

38
Tools, Tools, Tools
  • PCI JumpStart Tools
  • Report
  • Executive Presentation
  • Checklists & Spreadsheets
  • PCI Documentation Master Electronic Catalog
  • Gap Analysis / Education: NCHICA EarlyView
    Security
  • Risk Assessment: Secorix
  • Policies & Procedures: The Clayton Group
    Security Templates
  • Consultants available on-call after core work
    completed

39
Large Hospital - Findings
  • Lots of reusable work from the existing security
    program
  • Lots of policies and procedures in practice, but
    not documented
  • Huge effort to identify all assets and threats
    across the entire enterprise, all locations
  • Biggest gap is the lack of a disaster recovery
    and business continuity plan
  • Getting compliant will require a formal,
    sustained effort that is geared up immediately
  • If they had not started 3 years ago, there is no
    way they could finish by the compliance deadline.

40
Compare and Contrast
  • Level of Resource Commitment
  • Amount of Time from Soup to Nuts
  • Costs
  • Kinds of Tools/Resources that work for both
  • Tools/Resources that only work in accordance with
    size and complexity
  • Implementation Process
  • Documentation Process
  • Other Findings

41
Thank you for your participation! We appreciate
the opportunity to present to you.
  • Lesley Berkeyheiser
  • The Clayton Group
  • 1-800-505-6505
  • www.theclaytongroup.org
  • Miriam Paramore
  • PCI
  • 1-888-809-3092
  • www.paramoreconsulting.com