HITRUST, HIPAA, & HITECH: Turning Compliance into Competitive Advantage
Mark Fulford, Partner; Thomas Lewis, Partner; LBMC Risk Services (www.lbmc.com)

Welcome and Presentation Topics
- Why you should care
- HIPAA & HITECH: update on new regulation
- Insight into the HITRUST Common Security Framework
- How independent assurance can result in fewer audits and a competitive advantage for your organization
- How LBMC can help

90% of organizations have experienced a computer security incident in the last 12 months. (Cybercrime statistics from the 12th Annual Computer Crime and Security Survey)

71% of organizations have no external insurance coverage for losses from computer security incidents. (Cybercrime statistics from the 12th Annual Computer Crime and Security Survey)

$1B: cybercrime profits, which in a year have surpassed those of drug smuggling. (Cybercrime statistics from the 12th Annual Computer Crime and Security Survey)

$234,244: annual average loss due to security incidents per respondent. (Cybercrime statistics from the 2009 CSI Computer Crime and Security Survey)

What is HIPAA?

What is HITECH? The HITECH Act is legislation that anticipates a massive expansion in the exchange of electronic protected health information (ePHI). As part of the American Recovery and Reinvestment Act of 2009, the HITECH Act widens the scope of privacy and security protections available under HIPAA, increases potential legal liability for non-compliance, and provides more enforcement of HIPAA rules.

What is HITECH?
- Extends HIPAA directly to Business Associates
- Establishes the first national data security breach notification law (500 or more records is nasty)
- Grants State AGs authority to bring civil actions

What is HITECH? HITECH authorizes increased civil monetary penalties for HIPAA violations. The Act establishes tiers of penalties based upon whether or not a covered entity (including physicians) knew of a breach of privacy, whether the breach was due to reasonable cause and not willful neglect, or whether the breach was due to willful neglect. The tiers of penalties are as follows:
- $100/violation, not to exceed $25,000/calendar year
- $1,000/violation, not to exceed $100,000/calendar year
- $10,000/violation, not to exceed $250,000/calendar year
- $50,000/violation, not to exceed $1,500,000/calendar year

What is HITRUST? The Health Information Trust Alliance (HITRUST) was created to establish a common security framework that allows for more effective and secure access, storage and exchange of personal health information. HITRUST brings together a broad array of healthcare organizations and stakeholders, united by the core belief that standardizing a higher level of security will build greater trust in the electronic flow of information through the healthcare system.

Strategic Objectives of HITRUST: establish a fundamental and holistic change in the way the healthcare industry manages information security risks:
- Rationalize regulations and standards into a single overarching framework tailored for the industry
- Deliver a prescriptive, scalable and certifiable process
- Address inconsistent approaches to certification, risk acceptance and adoption of compensating controls, to eliminate ambiguity in the process
- Enable the ability to cost-effectively monitor compliance with organizational, business partner and governmental requirements
- Provide support and facilitate sharing of ideas, feedback and experiences within the industry

Who is HITRUST? HITRUST Executive Council

Why the Need? Healthcare organizations are facing multiple challenges with regard to information security:
- Costs and complexities of redundant and inconsistent requirements and standards
- Critical systems not incorporating appropriate controls or safeguards
- Confusion around implementation and acceptable baseline controls
- Information security audits subject to different interpretations of control objectives and safeguards
- Increasing scrutiny and similar queries from regulators, auditors, underwriters, customers and business partners
- Growing risk and liability

“The List”

HITRUST CSF The HITRUST CSF is a framework that normalizes the security requirements of healthcare organizations, including federal (e.g., HITECH Act and HIPAA), state (e.g., MA 201 CMR 17.00), third party (e.g., PCI and COBIT) and government (e.g., NIST, FTC and CMS). The CSF is built to provide scalable security requirements based on the different risks and exposures of organizations in the industry. The CSF also makes security manageable and practical by prioritizing one-third of the controls in the CSF as a starting point for organizations. These priorities are based on industry input and analysis of breach information in the industry.

Standards and Regulations Overlap [diagram: overlapping standards and regulations: ISO 27001/2, PCI, COBIT, NIST, HIPAA Security, HITECH Act, Meaningful Use, States]

CSF Standards and Regs Coverage [diagram: the HITRUST CSF covering ISO 27001/2, PCI, COBIT, NIST, HIPAA Security, HITECH Act, Meaningful Use, States]

CSF Compared with Other Standards

Requirement                                                                   | CSF  | COBIT  | PCI  | ISO     | NIST | HIPAA
Comprehensive: general security                                               | Yes  | Partial
Comprehensive: regulatory, statutory, and business security requirements      | Yes  | No
Prescriptive                                                                  | Yes  | No     | Yes  | Partial | Yes  | No
Practical and scalable                                                        | Yes  | No     | Yes
Audit or assessment guidelines                                                | Yes  | No
Certifiable                                                                   | Yes  | No*    | No
Support for third-party assurance                                             | Yes  | No
Open and transparent update process                                           | Yes  | No     | Yes
Cost                                                                          | Free | Subsc. | Free | Subsc.  | Free |

*Certifiable only for government agencies and organizations doing business with the government

CSF Sample
- Structured in accordance with the ISO / standard
- Multiple levels of implementation requirements
- Risk factors tailored for healthcare organizations
- Cross-references to industry standards and regulations

Introduction to CSF Assurance Program

Overview of CSF Assurance Program: utilizes a common set of information security requirements with standardized assessment and reporting processes accepted and adopted by healthcare organizations. Through the program, healthcare organizations and their business associates can improve efficiencies and reduce the number and cost of security assessments. The oversight and governance provided by HITRUST support a process whereby organizations can trust that their third parties have essential security controls in place.

Strategic Objectives of CSF Assurance Program
- Provide assurance that controls to limit the exposure of a breach are in place and operating effectively. Recipients of this assurance include:
  - Executive management
  - Auditors
  - Federal and state regulators
  - Customers of business associates
- Simplify compliance efforts for organizations
- Assess once and report to many constituents:
  - Federal (e.g., HIPAA/HITECH or meaningful use information) and state regulators
  - Credit card companies (i.e., PCI requirements)
  - CMS (i.e., Core Security Requirements)
  - Internal or external auditors
- Comprehensively leverage assessments (i.e., leverage internal audit or other certifications such as PCI to streamline audits and testing)
- Provide this assurance in a more cost-effective manner and with additional rigor compared to existing processes

Resources

HITRUST Central (HITRUSTcentral.net): access to the CSF online. A professional network for:
- Understanding industry issues and events
- Sharing knowledge
- Exchanging ideas and best practices
- Discovering new ways to solve business problems
- Downloading documentation and training materials
- Providing support: What does this control mean? How do I implement these requirements? What do I do if I cannot meet a requirement?

Additional Resources: visit HITRUSTalliance.net for information and materials on:
- Common Security Framework
- CSF Assurance Program

For More Information
- For more information on HITRUST and the CSF visit:
- To access the CSF and HITRUST Central visit:
- For a list of HITRUST CSF Assessors visit:
- For assistance, contact: Thomas Lewis – Mark Fulford –