HIPAA and SB 1386: The New Security Imperatives
Presented by: Russell L. Rowe
Helping companies protect their information, people, and facilities.

Slide 2 (9/18/2015): Background
Chief Security Officers, LLC is a full-service IT firm specializing in security compliance and auditing services. We help companies protect their information, people, and facilities.

Slide 3: Seminar Objectives
- Define HIPAA and SB 1386 and their impact on your business.
- Provide specific techniques to aid in planning and implementing security measures to meet HIPAA and SB 1386 requirements.

Slide 4: HIPAA
- Health Insurance Portability and Accountability Act (HIPAA)
- Privacy compliance dates
  - 2/26/03 Healthcare clearinghouses
  - 4/14/04 Large covered entities
  - 4/14/04 Small covered entities
- Security compliance dates
  - 4/20/05 Large covered entities
  - 4/20/06 Small covered entities

Slide 5: HIPAA's Goals
- Ensure health insurance portability
- Reduce health care fraud and abuse
- Guarantee security and privacy of personal health information
- Enforce standards for health information, i.e., medical records use and release

Slide 6: A Simple Mandate
"It is the responsibility of organizations that are entrusted with health information to protect it against deliberate or inadvertent misuse or disclosure. The final regulation requires covered organizations to establish clear procedures to protect patients' privacy, including designating an official to establish and monitor the entity's privacy practices and training."

Slide 7: Affected Healthcare Organizations
- Health plans
  - Individual or group plans that provide for or pay the cost of medical care
  - Employers that self-insure
- Providers (furnish healthcare services or supplies)
  - Hospitals, medical groups, physicians' LLPs, clinics, emergency care facilities
- Clearinghouses
  - Public or private organizations that process or facilitate processing of health information
- Other entities
  - Employers that want to utilize medical information for data mining
  - Pharmaceutical companies conducting clinical research

Slide 8: Affected Business Processes
All individually identifiable information relating to past, present, or future:
- Health conditions
- Treatment
- Payment for treatment
- Demographic data collected by plans or providers

Slide 9: Administrative Procedure Standards
- Certification
- Chain of trust agreements
- Contingency planning
- Record processing
- Information access control
- Internal audit
- Security management
- Personnel security
- Training
- Termination procedures
- Security incident response
- Security configuration management

Slide 10: Physical Safeguards
- Assigned security responsibility
- Media controls
- Physical access controls
- Policy/guideline on workstation use
- Secure workstation location
- Security awareness training
- Business continuity and disaster recovery plans

Slide 11: Technical Security Services Standards
- Access control
- Authorization control
- Data authentication (integrity)
- Entity authentication
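The four technical security services on this slide are easier to grasp when seen together in one small access layer. The following Python example is added here and is not code from the original slides or from Chief Security Officers, LLC: it authenticates the entity (salted PBKDF2 password hashes compared in constant time), applies role-based access and authorization control, checks data authentication with an HMAC integrity tag on each stored record, and writes an audit entry for every access attempt, read-only included. The users, roles, records, passwords and the key are constructed for illustration.

```python
"""Added example, not code from the original slides: a minimal PHI access
layer that exercises the four Technical Security Services named on the
slide. Users, roles, records and the HMAC key are constructed here for
illustration; a real deployment would keep credentials and keys in a
secrets store and write the audit trail to append-only storage."""
import hashlib
import hmac
import os
import time

# Entity authentication: who is making the request? Passwords are stored as
# salted PBKDF2 hashes and compared in constant time.
def make_credential(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def authenticate(users: dict, user_id: str, password: str) -> bool:
    entry = users.get(user_id)
    if entry is None:
        return False
    salt, stored = entry["credential"]
    return hmac.compare_digest(stored, make_credential(password, salt)[1])

# Access and authorization control: the user's role decides which operations
# on patient records are permitted (constructed role table).
ROLE_PERMISSIONS = {"physician": {"read", "write"}, "billing": {"read"}}

def authorize(users: dict, user_id: str, operation: str) -> bool:
    return operation in ROLE_PERMISSIONS.get(users[user_id]["role"], set())

# Data authentication (integrity): each stored record carries an HMAC tag so
# that a silent modification of the record is detected on the next read.
def _canonical(record: dict) -> bytes:
    return "|".join(f"{k}={record[k]}" for k in sorted(record)).encode()

def seal(record: dict, key: bytes) -> dict:
    tag = hmac.new(key, _canonical(record), "sha256").hexdigest()
    return {"record": dict(record), "tag": tag}

def verify(sealed: dict, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(sealed["record"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])

def read_record(users, store, audit, key, user_id, password, patient_id):
    """Return (status, record). Every attempt, allowed or not, is appended to
    the audit trail; a read-only access is logged just like a write would be."""
    def log(status):
        audit.append({"ts": time.time(), "user": user_id, "patient": patient_id,
                      "op": "read", "status": status})
    if not authenticate(users, user_id, password):
        log("auth_failed")
        return "auth_failed", None
    if not authorize(users, user_id, "read"):
        log("denied")
        return "denied", None
    sealed = store.get(patient_id)
    if sealed is None:
        log("not_found")
        return "not_found", None
    if not verify(sealed, key):
        log("integrity_failed")
        return "integrity_failed", None
    log("ok")
    return "ok", sealed["record"]

def demo():
    """Constructed scenario: a physician, a billing clerk, a visitor, one record."""
    key = os.urandom(32)
    users = {"dr_lee": {"role": "physician", "credential": make_credential("correct horse")},
             "clerk7": {"role": "billing", "credential": make_credential("staple battery")},
             "guest": {"role": "visitor", "credential": make_credential("guest")}}
    store = {"P1001": seal({"patient": "P1001", "dx": "J45.20"}, key)}
    audit = []
    results = [read_record(users, store, audit, key, "dr_lee", "correct horse", "P1001")[0],
               read_record(users, store, audit, key, "dr_lee", "wrong", "P1001")[0],
               read_record(users, store, audit, key, "guest", "guest", "P1001")[0]]
    store["P1001"]["record"]["dx"] = "Z00.00"   # a modification made outside the access layer
    results.append(read_record(users, store, audit, key, "clerk7", "staple battery", "P1001")[0])
    return results, len(audit)

if __name__ == "__main__":
    print(demo())
```

The point to notice is that the audit trail grows by one entry per attempt regardless of outcome, and that the integrity check turns a silent change to stored data into a visible failure rather than a quietly wrong chart.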

Slide 12: Technical Security for Network Communications
- Basic networking safeguards
  - Confidentiality
  - Integrity
  - Availability
- Network security issues
  - Integrity (message corruption) and confidentiality (message interception)
  - Protection from unauthorized remote access

Slide 13: Why Comply?
- Statutory penalties
  - Standards: up to $25,000 per violation per year
  - Wrongful disclosure: up to $250,000 and 10 years in prison
- Cost savings
  - Reduction in processing costs
  - Simplification of manual processing
- Improved customer service
  - Fewer errors
  - Quicker turnaround
- Enabler of e-commerce

Slide 14: Healthcare IT Professionals Understand HIPAA's Importance
- 79% say HIPAA is the top business issue in the healthcare industry
- Two-thirds say upgrading security to meet HIPAA is a top priority
Source: HIMSS leadership survey, 1/01

Slide 15: Structural Impact
- Cultural transformation for handling, using, communicating, and sharing patient information
- Major revamping of business/security policies and procedures
- Must rethink how to protect security and privacy of patient and consumer information
- Additional information security technology solutions (e.g., PKI, VPNs, business continuity)
- Standard formats for most common transactions among healthcare organizations
- Replacement or substantial change to providers' current systems and processes

Slide 16: Financial Impact
- Establish "Privacy Official"
- Extraordinary budget and staff requirements for the next two years
- More extensive than Y2K efforts: $5B in spending by end of 2003 (IDC)
- Large healthcare providers and/or payers could spend $50-$200 million each to become HIPAA compliant

Slide 17: Steps to Compliance
1. Identify gaps between current practices and proposed rules.
2. Identify key individuals to spearhead compliance efforts. Include senior management to ensure top-down support.
3. Educate staff, physicians, and other key constituents.
4. Make a comprehensive inventory of individually identifiable electronic health information your organization maintains. Include information kept on PCs and in research databases.

Slide 18: Steps to Compliance
5. Conduct a risk assessment to evaluate potential risks and vulnerabilities to individually identifiable electronic health information. Include the possibility of outside attacks.
6. Develop a tactical plan to address identified risks, with highest priority on areas of greatest vulnerability.
7. Collect and organize existing information security policies into the four categories outlined in the security standards. Evaluate for currency, consistency, and adequacy.
8. Develop a checklist of policies to be developed. Assign responsibility to appropriate individuals.

Slide 19: Steps to Compliance
9. Educate staff about security policies, and enforce them.
10. Establish a confidential reporting system to report security breaches without fear of repercussion.
11. Impose sanctions for violations. Prepare for system disruptions or data corruption that may result from security violations.
12. Assess accuracy of the master patient index (MPI) for duplication (patients assigned more than one number) and overlays (more than one patient assigned the same number). Out-task if necessary.
13. Evaluate the current billing system for EDI transaction standards and modifications.

Slide 20: Steps to Compliance
14. Compare current health information disclosure procedures with proposed privacy standards.
  - Are individuals allowed to inspect and copy their health information? Are reasonable fees charged?
  - Does the organization account for all disclosures of protected health information other than for treatment, payment, or healthcare operations?
  - Is there a procedure in place to allow individuals to request amendments or corrections to their health information?
  - Is there a mechanism for individuals to complain about possible violations of privacy?
15. Designate a privacy officer.
16. Review/revise existing vendor contracts to ensure HIPAA compliance. Ensure that business partners also protect the privacy of identifiable health information.

Slide 21: Steps to Compliance
17. Evaluate new information security technologies.
18. Consider biometric identifiers (fingerprints, voiceprints, retinal scans) for secure authentication of users, and single sign-on technology to eliminate multiple passwords and logons.
19. Evaluate audit trails on existing information systems. Audit trails must record every access (including read-only access) to patient information, not just additions or deletions.
20. Look for audit trail technologies that can analyze large amounts of information and flag suspicious patterns.
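Steps 19 and 20 ask for audit trails that capture read-only access and for tooling that flags suspicious patterns in them. The Python example below is added here and is not code from the original slides or from the presenter's firm. It parses a constructed application audit trail in which reads are recorded exactly like writes, and applies two rules that are assumptions about what "suspicious" means for a given site rather than any standard: a user touching more than a set number of distinct patient charts inside a short window, and an access to a patient whose care team does not include the user. The log format, user names, patient ids and care-team mapping are all constructed.

```python
"""Added example, not from the original slides: a small audit-trail analyzer
of the kind steps 19 and 20 call for. The log format, users, patient ids and
care-team mapping are constructed; the two rules are assumptions about what
"suspicious patterns" mean here, not a standard."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of an application audit trail. Read-only access is
# recorded exactly like a write, as step 19 requires.
AUDIT_LOG = """\
2015-09-18T09:00:05 user=dr_lee action=read patient=P1001
2015-09-18T09:00:40 user=dr_lee action=write patient=P1001
2015-09-18T09:01:10 user=clerk7 action=read patient=P1001
2015-09-18T09:01:12 user=clerk7 action=read patient=P1002
2015-09-18T09:01:15 user=clerk7 action=read patient=P1003
2015-09-18T09:01:18 user=clerk7 action=read patient=P1004
2015-09-18T09:01:21 user=clerk7 action=read patient=P1005
2015-09-18T09:01:25 user=clerk7 action=read patient=P1006
2015-09-18T10:30:00 user=dr_lee action=read patient=P2002
"""

# Constructed treatment relationships: the users on each patient's care team.
CARE_TEAM = {
    "P1001": {"dr_lee", "clerk7"}, "P1002": {"clerk7"}, "P1003": {"clerk7"},
    "P1004": {"clerk7"}, "P1005": {"clerk7"}, "P1006": {"clerk7"},
    "P2002": {"dr_kim"},
}

def parse_line(line: str) -> dict:
    """Turn 'timestamp key=value ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def analyze(log_text: str, care_team: dict, window_s: int = 60, max_distinct: int = 5) -> list:
    """Return findings as tuples, in the order they are detected.
    Rule 1 ("volume") fires once per user when they touch more than
    max_distinct different patients inside window_s seconds.
    Rule 2 ("no_relationship") fires for every access to a patient whose
    care team does not include the accessing user."""
    findings = []
    recent = defaultdict(deque)      # user -> deque of (ts, patient), oldest first
    volume_flagged = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, patient, ts = ev["user"], ev["patient"], ev["ts"]
        if user not in care_team.get(patient, set()):
            findings.append(("no_relationship", user, patient))
        q = recent[user]
        q.append((ts, patient))
        while (ts - q[0][0]).total_seconds() > window_s:   # drop events outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > max_distinct and user not in volume_flagged:
            volume_flagged.add(user)
            findings.append(("volume", user, len(distinct)))
    return findings

if __name__ == "__main__":
    for finding in analyze(AUDIT_LOG, CARE_TEAM):
        print(finding)
```

Neither rule would fire on a trail that only recorded additions and deletions: both of the flagged events in the sample are plain reads, which is exactly why step 19 insists that read-only access be logged.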

Slide 22: California SB 1386
California SB 1386 provides Californians with immediate notification when confidential information about them has been compromised through a breach of any computer system that stores such information, once that breach is discovered.

Slide 23: Why was it created?
Early in 2002, the State of California's data center that runs the payroll application for the State of California was breached. For many weeks, confidential information about 265,000 employees of the state was available to the hackers: names, addresses, bank account numbers, social security numbers, etc. The data center did not notify anybody about this breach for many weeks, leaving state employees and lawmakers open to identity theft attacks longer than they needed to be.

Slide 24: Who does the Bill impact?
Any business, government or non-profit agency, or individual that stores confidential information about California residents on their computers.

Slide 25: When does it become effective?
The Bill was approved by the Governor on September 25, 2002, while its provisions became effective July 01, 2003.

Slide 26: What's considered to be "confidential personal information"?
- Social Security numbers, California Driver's License numbers or Identification Card numbers, account numbers, credit or debit card numbers, etc.
- Information that is lawfully available to the general public, from government records, is not considered confidential personal information.
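Knowing which systems hold the data elements this slide lists is the first thing SB 1386 compliance requires, and it is the same inventory step 4 of the HIPAA compliance steps asks for. The Python example below is added here and is not code from the original slides or from the presenter's firm: a small detector that scans text for Social Security numbers, California driver's license numbers and payment card numbers, and reports only the last four characters of each hit so that the scan report does not itself become a new copy of the confidential data. The sample text is constructed. The SSN plausibility rules (area not 000, 666 or 900-999; group not 00; serial not 0000) and the assumed California driver's license format (one letter followed by seven digits) are assumptions made for this example, not statements from the slide.

```python
"""Added example, not from the original slides: a detector for the kinds of
"confidential personal information" the slide lists, for use when taking an
inventory of what a system stores. Sample text is constructed. SSN
plausibility rules and the assumed CA driver's license format (one letter
plus seven digits) are assumptions made here."""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CA_DL_RE = re.compile(r"\b[A-Z]\d{7}\b")              # assumed CA DL format
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")     # 13-19 digits, optional separators

# Constructed sample of the kind of free text a record inventory might scan.
SAMPLE = """\
Patient note: SSN 123-45-6789, alt contact SSN 000-12-3456 (not a valid SSN)
Driver license: D1234567 on file
Card on file: 4111 1111 1111 1111 ; old card 1234-5678-9012-3456 (fails Luhn)
Order number 987654321 is not personal information
"""

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Assumed plausibility rules: reject area 000, 666 and 900-999,
    group 00 and serial 0000."""
    return (area not in ("000", "666") and area < "900"
            and group != "00" and serial != "0000")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> dict:
    """Return counts per category plus findings that keep only the last four
    characters of each hit."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("ssn", "***-**-" + m.group(3)))
    for m in CA_DL_RE.finditer(text):
        findings.append(("ca_dl", "****" + m.group(0)[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):                 # a digit run that fails Luhn is not reported as a card
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    counts = {"ssn": 0, "ca_dl": 0, "card": 0}
    for kind, _ in findings:
        counts[kind] += 1
    return {"counts": counts, "findings": findings}

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Pattern matching alone over-reports (order numbers, dates and test data all look like digit runs), which is why the card and SSN hits are passed through a validity check before they count; for a real inventory the same checks would run over database columns, file shares and backups rather than one string.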

Slide 27: What constitutes a breach of a computer system?
Any unauthorized access to a computer and its data constitutes a breach of a computer system. Typically, if a policy exists within a business or agency authorizing access to a computer and its data, any access outside the scope of that policy is unauthorized.

Slide 28: What if a computer was breached, but the confidential personal information was not stolen?
While possible, this would be very difficult to prove. It would depend on the technology used to store the confidential personal information and the security policies and procedures in force within that infrastructure.

Slide 29: What if I don't monitor the systems and thus do not detect a breach?
Unfortunately, you will not be able to get away with such an argument. In general, businesses have a responsibility to exercise a certain level of care in protecting their information, especially information deemed confidential. By not monitoring your systems, and thus not detecting a breach, you can be accused of negligence for not applying what is considered to be the standard level of care within the industry.

Slide 30: Does SB 1386 apply to me if I do not have an office in California?
As long as you have a single employee or customer who resides in California, and as long as you store any confidential personal information about that employee or customer on a computer, you will need to comply with SB 1386. It doesn't matter if you do not have an office in California, or do not maintain any computers in California; you're still responsible for upholding the provisions of SB 1386 as long as the above conditions are true.

Slide 31: What if I am just a small business, and not a large corporation?
SB 1386 does not discriminate based on the size of the business. If you are a sole proprietorship, a partnership, an LLC, an LLP, a corporation, a non-profit or any form of government agency, and maintain confidential personal information about a California resident on a computer, SB 1386 applies to you.

Slide 32: What if the data is encrypted?
Where the confidential data is encrypted on the computer, and in the transmissions between the computer and its use by authorized users, the company may be exempted from disclosure. Notice the emphasis on the word "may". The reason is that there are many different kinds of encryption technologies, ranging from relatively trivial to break to "computationally infeasible". Depending on the kind of encryption you use, you may be judged to have exercised a sufficient, or insufficient, standard of care in protecting the data.

Slide 33: What if the confidential data is separated from the name and password?
If your database maintains confidential data about Californians but does not store either the password or the name of the Californian in the same database or computer, then the SB 1386 disclosure rules will not apply to you. The rationale for this is obvious: if an attacker stumbled upon social security numbers or account numbers but did not know who they belonged to, the attacker's job of stealing identities would be much harder.
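The separation this slide describes is a design decision, and it is easy to let it erode as new code writes to the confidential store. The Python example below is added here and is not code from the original slides or from the presenter's firm. It splits each record into an identity row (name, credential) and a confidential row (SSN, account number) held in two separate stores joined only by a random token, recombines them when both stores are available, and includes a check that reports any row in the confidential store that has picked up an identifying field. The field names, records and stores are constructed; in a real system the two stores would live on different systems with different access controls, and the password field would hold only a hash.

```python
"""Added example, not from the original slides: keeping confidential data
apart from the identity that makes it usable, as the slide describes.
Records, field names and stores are constructed; the linking token is a
random value with no relation to the person."""
import secrets

IDENTIFYING_FIELDS = {"name", "password"}          # the fields the slide names
CONFIDENTIAL_FIELDS = {"ssn", "account_number"}    # constructed examples of confidential data

def split_record(record: dict, identity_store: dict, confidential_store: dict) -> str:
    """Store identity and confidential fields in two separate stores joined
    only by a random token, and return that token."""
    token = secrets.token_hex(16)
    identity_store[token] = {k: v for k, v in record.items() if k in IDENTIFYING_FIELDS}
    confidential_store[token] = {k: v for k, v in record.items() if k in CONFIDENTIAL_FIELDS}
    return token

def check_separation(confidential_store: dict) -> list:
    """Return the tokens of rows where an identifying field has leaked into
    the confidential store, which would defeat the separation."""
    return [t for t, row in confidential_store.items() if IDENTIFYING_FIELDS & row.keys()]

def recombine(token: str, identity_store: dict, confidential_store: dict) -> dict:
    """Only a holder of access to both stores can rebuild the full record."""
    return {**identity_store[token], **confidential_store[token]}

def demo():
    """Constructed scenario: one correctly split record, then a misbehaving
    writer that stores a name next to an SSN."""
    identity, confidential = {}, {}
    rec = {"name": "Alex Example", "password": "pbkdf2-hash-placeholder",
           "ssn": "123-45-6789", "account_number": "0099887766"}
    token = split_record(rec, identity, confidential)
    clean = check_separation(confidential)
    confidential["bad-row"] = {"name": "Leaked Name", "ssn": "987-65-4321"}
    return (clean, check_separation(confidential),
            recombine(token, identity, confidential) == rec,
            set(confidential[token]) == CONFIDENTIAL_FIELDS)

if __name__ == "__main__":
    print(demo())
```

Run as a periodic control, `check_separation` is the kind of evidence that would support the exemption the slide describes: it shows not just that the design separated the data, but that the separation still holds.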

Slide 34: What preventive measures are available?
- Implementing rigorous policies and controls
- Re-architecting the critical infrastructure and/or applications
- Elimination of user IDs and passwords
- Use of encryption beyond the network

Slide 35: Questions
Russell Rowe, President, Chief Security Officers
E. Via Linda, Scottsdale, AZ