
HIPAA Security Risk Assessment
Dr. Jose I. Delgado


Introduction

• HIPAA Background
– Privacy
– Security
• Risk Assessment
• Risk Management
– Omnibus Rule
• Meaningful Use
Must Know
• Every Covered Entity (CE) must identify a HIPAA Security Officer
• Every CE must be in compliance with the final HIPAA Omnibus Rule
• Every CE must have a Risk Assessment completed, with all components covered
• A covered entity can be fined $1,000 to $50,000 per patient record, up to $1,500,000, if patient records are breached
HIPAA Audits
• Audits will be conducted by Office for Civil Rights
instead of contractor
• Number of audits to increase
• Monies collected to be used to fund further audits
• Audits to include Covered Entities and Business
Associates
• 2014 first time a Government Entity was fined
Meaningful Use
• Ties HIPAA Security to Attestation
• Fraud charges possibility based on answers
• Part of Meaningful Use and Records Review Audits
HIPAA
Title II – Administrative Simplification
Security Categories
• Administrative safeguards
• Physical safeguards
• Technical safeguards
Basic Concepts
• Scalability: flexibility to adopt implementing measures appropriate to the covered entity's situation.
• "Required" and "Addressable": under no circumstances should a covered entity consider addressable specifications to be optional requirements.
Risk Analysis
CFR 164.308(a)(1)
"Conduct accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity."

• Perform a risk assessment
• Formalize and document the risk assessment process
• Update the risk assessment process
• Address all potential areas of risk
Risk Analysis
• Gap/risk assessment
– Audit of security based on HIPAA Security
Components
– Document findings on all areas
– Use initial analysis as baseline
– Base Security Management on findings
Resources
• HHS Security Risk Assessment Tool
– http://www.healthit.gov/providers-professionals/security-risk-assessment
• Taino Consultants Compliance Tool
– Forms
– Policies
– Security Reminders
– Monthly instructions
Security Risk Assessment
Sample worksheet row. Columns: HIPAA Requirement; Review of Current Procedure; Citation; Guidelines for Policy; Meets Requirement (Yes / No / Not Reqd); Person Responsible.

Task 1: Identify Relevant Information System
Citation: §164.308(a)(1)
Review of Current Procedure:
– Has all hardware and software for which the organization is responsible been identified?
– Is the current information system configuration documented, including connections to other systems?
– Have the types of information and uses of that information been identified, and has the sensitivity of each type of information been evaluated?
Guidelines for Policy:
– Identify all information systems that house individually identifiable health information.
– Include all hardware and software that are used to collect, store, process, or transmit protected health information.
– Analyze business functions and verify ownership and control of information system elements as necessary.
Meets Requirement: Yes / No / Not Reqd
Person Responsible: (to be filled in)
Security Risk Report
Sample Risk Analysis
Risk Management
§ 164.308(a)(1)(ii)(B)
"[i]mplement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) [(the General Requirements of the Security Rule)]."

• Develop and implement a risk management plan.
• Implement security measures.
• Evaluate and maintain security measures.
Policies
• Live Documents
• Review as needed
• Document reviews and updates
• Having policies alone will not suffice
Forms/Documentation
• Not Required
• Useful to document actions
• Prevents adding too much information

“Anything you say can be used against you”


Training
• Initial Training
• Security Reminders
• Annual Training
Monthly Actions
• Easier to keep track
• Easier to document
• Easier to manage
Administrative Safeguards
• Security management process (CFR §164.308(a)(1)): Prevent, detect,
contain, and correct security violations
• Assigned security responsibility (CFR §164.308(a)(2))
• Workforce security (CFR §164.308(a)(3)): Employees and access to EPHI.
• Information access management (CFR §164.308(a)(4)): ePHI access.
• Security awareness and training (CFR §164.308(a)(5))
• Security incident procedures (CFR §164.308(a)(6))
• Contingency plan (CFR §164.308(a)(7))
• Evaluation (CFR §164.308(a)(8)): Periodic evaluations.
• Business associate contracts and other arrangements (CFR §164.308(b)(1))
Administrative Safeguards
Standards, citations and implementation specifications. (R) = Required, (A) = Addressable.

Security Management Process, 164.308(a)(1): Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
Assigned Security Responsibility, 164.308(a)(2): [None]
Workforce Security, 164.308(a)(3): Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)
Information Access Management, 164.308(a)(4): Isolating Health Care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)
Security Awareness and Training, 164.308(a)(5): Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
Security Incident Procedures, 164.308(a)(6): Response and Reporting (R)
Contingency Plan, 164.308(a)(7): Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)
Evaluation, 164.308(a)(8): [None]
Business Associate Contracts and Other Arrangements, 164.308(b)(1): Written Contract or Other Arrangement (R)
Sanction Policy
CFR 164.308(a)(1)

• Every covered entity must "have and apply appropriate sanctions against members of its workforce who fail to comply."
• Any system of penalties should be reasonable in relation to the violations to which they apply, particularly with regard to deterrence.
System Activity Review
“Implement procedures to regularly review records of information system
activity, such as audit logs, access reports, and security incident tracking
reports.”

• What are the audit and activity review functions of the current
information systems?
• Are the information systems functions adequately used and monitored
to promote continual awareness of information system activity?
• What logs or reports are generated by the information systems?
• Is there a policy that establishes what reviews will be conducted?
• Is there a procedure that describes specifics of the reviews?
Assigned Security Responsibility
The HIPAA Security Officer is responsible for:
• Understanding the HIPAA Security Rule and how it
applies.
• Developing appropriate policies and procedures.
• Overseeing the security of EPHI.
• Monitoring each Covered Component for compliance.
• Identifying and evaluating threats.
• Responding to actual or suspected breaches.
AUTHORIZATION AND/OR SUPERVISION
§164.308(a)(3)(ii)(A)

"Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed."

• Detailed job descriptions with level of access to EPHI?
• Policy that identifies the authority to determine who can access EPHI?
Security Reminders
CFR 164.308(a)(5)

Security reminders are just tidbits of information given to employees of covered entities throughout the year.
Recommendations:
• A bulletin board in the break room or main office is a start.
• "Org chart" showing who is in charge of HIPAA
• Emergency contact phone numbers
• HIPAA Breach checklist
• Changing HIPAA security reminders
• Use e-mail to send security reminders
Protection from Malicious Software
“Procedures for guarding against, detecting, and reporting
malicious software.”
• Policies covering antivirus protection
• Software used against malicious software
• Updates and logs
• Employee training
Log-in Monitoring
CFR 164.308(a)(5)

Procedures for monitoring log-in attempts and reporting discrepancies.
• Identify multiple unsuccessful attempts to log-in.
• Record attempts in a log or audit trail.
• Resetting of a password after a specified number of unsuccessful log-in attempts.
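As an added example (not part of the deck and not Taino Consultants' tooling), the three bullets above written as review logic in Python over a small constructed authentication log: every attempt is kept as the audit trail, and a user whose failures inside a window reach the threshold is reported with the password-reset action. The log line layout, the 5-attempt threshold and the 15-minute window are assumptions that a covered entity's own policy would set.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the deck): one attempt per line.
SAMPLE_LOG = """\
2024-03-04T09:12:01 user=jdoe result=FAIL src=10.0.0.5
2024-03-04T09:12:09 user=jdoe result=FAIL src=10.0.0.5
2024-03-04T09:12:15 user=mlee result=OK src=10.0.0.7
2024-03-04T09:12:20 user=jdoe result=FAIL src=10.0.0.5
2024-03-04T09:12:31 user=jdoe result=FAIL src=10.0.0.5
2024-03-04T09:12:40 user=jdoe result=FAIL src=10.0.0.5
2024-03-04T09:45:00 user=mlee result=FAIL src=10.0.0.7
2024-03-04T09:45:05 user=mlee result=OK src=10.0.0.7
"""

def parse_line(line):
    """Parse one 'timestamp key=value ...' line; this layout is an assumption."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def review_logins(log_text, threshold=5, window=timedelta(minutes=15)):
    """Record every attempt and flag users whose failures inside `window` reach
    `threshold` (the slide's three steps). Returns (audit_trail, discrepancies)."""
    audit_trail = []
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    discrepancies = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        audit_trail.append(rec)   # step 2: keep every attempt in the audit trail
        failures = recent[rec["user"]]
        if rec["result"] == "OK":
            failures.clear()      # a successful log-in ends the failure streak
            continue
        failures.append(rec["ts"])
        while failures and rec["ts"] - failures[0] > window:
            failures.popleft()    # forget failures older than the window
        # step 1: multiple failures detected; step 3: the policy's reset action
        if len(failures) >= threshold and rec["user"] not in discrepancies:
            discrepancies[rec["user"]] = {
                "count": len(failures), "first": failures[0],
                "last": rec["ts"], "src": rec["src"],
                "action": "reset password and report to security officer",
            }
    return audit_trail, discrepancies
```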
Contingency Plans
164.308(a)(7)
• Data Backup Plan
• Disaster recovery plan
• Emergency Mode Operation Plan
• Testing and Revision Procedure
• Applications and Data Criticality Analysis: procedures for assessing the criticality of applications and systems.
Physical Safeguards
• Facility access controls: limit physical access to systems.
• Workstation use: specify the proper workstation functions.
• Workstation security: limit access to only authorized users.
• Device and media controls: receipt and removal of hardware and electronic media.
Physical Safeguards
Standards, citations and implementation specifications. (R) = Required, (A) = Addressable.

Facility Access Controls, 164.310(a)(1): Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)
Workstation Use, 164.310(b): [None]
Workstation Security, 164.310(c): [None]
Device and Media Controls, 164.310(d)(1): Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)
Technical Safeguards
• Access control: Implementing policies and procedures for electronic
information systems that contain EPHI to only allow access to persons or
software programs that have appropriate access rights.
• Audit controls: Implementing hardware, software, and/or procedural
mechanisms to record and examine activity in information systems that
contain or use EPHI.
• Integrity: Implementing policies and procedures to protect EPHI from
improper modification or destruction.
• Person or entity authentication: Implementing procedures to verify that
persons or entities seeking access to EPHI are who or what they claim to
be.
• Transmission security: Implementing security measures to prevent
unauthorized access to EPHI that is being transmitted over an electronic
communications network.
Technical Safeguards
Standards, citations and implementation specifications. (R) = Required, (A) = Addressable.

Access Control, 164.312(a)(1): Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
Audit Controls, 164.312(b): [None]
Integrity, 164.312(c)(1): Mechanism to Authenticate Electronic Protected Health Information (A)
Person or Entity Authentication, 164.312(d): [None]
Transmission Security, 164.312(e)(1): Integrity Controls (A); Encryption (A)
Key Items to Remember
• Policies and Procedures not enough
• Documentation is key
– Evidence book
• Follow the steps
– Risk Assessment
– Risk Management
– Training
ACT NOW!!
Dr. Jose I Delgado
Tel 904-794-7830
DrDelgado@Tainoconsultants.com
www.tainoconsultants.com
