Published by Juliet Mayden, modified over 9 years ago

Information Risk Management: Key Component for HIPAA Security Compliance
Ann Geyer, Tunitas Group
209-754-9130, ageyer@tunitas.com, www.tunitas.com
Federal Law Mandates Security Controls for Health Information
- HIPAA Statutory Requirement (1996)
  - General requirement to safeguard all PHI
  - Framework for security regulation
  - Privacy Rule (2003)
    - General requirement for administrative, physical, and technical safeguards
    - Covers all PHI (paper, electronic, spoken)
    - Emphasis on patient rights and appropriate use
  - Security Rule (2005)
    - Specific standards and implementation specifications
    - Covers electronic PHI only
    - Emphasis on confidentiality, integrity, and availability
Information Subject to the Security Rule
- Electronic Protected Health Information (EPHI)
  - PHI that is electronically maintained or transmitted by a Covered Entity
  - PHI is any individually identifiable information about a patient that is created, received, processed, or stored by a health plan, clearinghouse, or healthcare provider (or their business associates)
- Not included
  - Any PHI that is not stored electronically, and
  - Information that was not in electronic form prior to transmission (e.g., oral communications, telephone conversations, paper faxes, film images)
HIPAA Security Purpose
- Ensure confidentiality, integrity (authenticity), and availability
- Information security is now a patient safety requirement
- Elevate information risk management to the level of other compliance areas
HIPAA Security Rule
- General Rule, §164.306(a). Covered Entities must:
  1. Ensure the confidentiality, integrity [authenticity], and availability of all electronic protected health information (EPHI) the CE creates, receives, maintains, or transmits
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity [authenticity] of EPHI
  3. Protect against any reasonably anticipated uses or disclosures of EPHI that are prohibited by the HIPAA Privacy Rule
  4. Ensure compliance by the workforce
General Rule Significance
- The Rule is intended to set a high standard
  - "Ensure" means "make inevitable"
- But the Rule also permits flexibility, §164.306(b)
  - The CE may use any measures that implement the Rule's requirements, and
  - The CE must take into account certain factors:
    - Size, complexity, and capabilities
    - Technical infrastructure, hardware, and software security capabilities
    - Costs of security measures
    - Probability and criticality of potential risks
Acceptable Level of Risk
- The CE must use a formal risk analysis methodology to determine the acceptable level of risk. The flexibility factors cut both ways:
  - Either the CE can live within the limits of its existing IS capabilities, or current limitations that permit undue risk must be changed
  - Either the risk mitigation genuinely costs too much, or the CE simply did not allocate sufficient budget to address the risk
  - Either the CE can reject security measures that are too complex, or the CE must develop the skills and experience to apply the best available measures
Security Compliance
- Compliance means a well-designed and integrated Information Risk Management program
  - Necessary to demonstrate understanding of the risks to EPHI: the CE must conduct an "accurate and thorough assessment of the potential risks and vulnerabilities" (§164.308(a)(1)(ii)(A))
  - Non-compliant if:
    - Not thorough: failure to consider all significant threats
    - Not accurate: failure to adequately estimate the likelihood or impact of a threat
    - Not responsive: failure to mitigate risk to an acceptable level
Information Risk Management
- Program components
  1. Risk Assessment: determine the risk level
  2. Risk Mitigation: identify how risk will be reduced to an acceptable level
     (components 1 and 2 together constitute the Risk Analysis)
  3. Information Management Policy and Procedures: a combination of privacy and security policy that:
     - Prevents PHI use or disclosure without authorization
     - Prevents PHI modification or tampering that could result in integrity/authenticity or availability issues
     - Ensures the workforce is trained, supervised, monitored, and appropriately sanctioned
     - Ensures the organization is able to monitor PHI activity to determine when and how a compromise has occurred
     - Ensures known risks are appropriately addressed
Information Risk Management (continued)
- Program components
  4. Standards
     - Establish minimum security control sets based on risk classification
     - Develop a process for requesting and approving deviation from a required control set
  5. Audit and/or Re-assessment
     - Periodically evaluate whether safeguards and minimum control sets are still effective
     - Determine whether a new risk assessment is warranted
     - Audit high-risk areas, known problem areas, new technology, new applications
  6. Management Review
     - Objective and conflict-free
     - Focused on acceptable risk
     - Clearly considers patient safety and confidentiality factors
Information Risk Management
- What is acceptable risk?
  - The Rule says acceptable risk is that which satisfies the General Rule, §164.306(a)
  - No objective standard; the organization must rely on industry best practices and its own determination of risk and consequences
- Key organizational requirements
  - Understand how information security failures impact the organization:
    - Patient care and safety
    - Revenue lifecycle
    - Management and financial functions
    - Operations and workflow
    - Compliance, risk management, legal
Risk-based Business Decisions
- Would you manage differently if you knew that PHI would be compromised?
  - HIPAA expects PHI to be treated as securely as financial or tax information
  - Healthcare organizations will be evaluated on how well they manage their fiduciary responsibility to protect patient information
  - Electronic PHI is becoming the norm:
    - Email and data transfer
    - EMR, CPOE, e-prescriptions, PAMF online for patients, Sutter's virtual ICU
  - Securing EPHI has to become as important as paper-based records management
Conducting a Risk Analysis
- Risk Assessment
  1. Impact Analysis (business manager)
     - What is the business impact of a loss of confidentiality, integrity, or availability?
  2. Exposure and Controls (technical manager)
     - Where is the system located?
     - What are the big-picture exposures?
     - What security controls are in place?
Conducting a Risk Analysis (continued)
- Risk Mitigation
  3. Risk Characterization (security, compliance, risk management, or other management)
     - The greatest impact determines the required security level
     - The security level determines the required control set
     - Risk is mitigated by the implementation of a control
     - Missing controls create unaddressed risk
     - Organizational risk decisions:
       - Accept the risk (do not implement the control)
       - Mitigate the risk (implement the missing control)
       - Reduce the exposure (isolate the system)
       - Reduce the impact (reduce dependency on the system)
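The three-step risk analysis above (impact analysis, exposure and controls, risk characterization) can be written down as a small model so that each of the four organizational decisions is re-evaluated rather than argued about. The following is an added example, not code from the presentation or from Tunitas Group. The impact scale, the exposure classes, the control names, the control-set baselines per level and the sample systems are all hypothetical; the Security Rule does not prescribe a particular control list, and the sets here are only illustrative of "security level determines the required control set".

```python
"""Risk characterization as the deck lays it out: the greatest CIA impact sets
the security level, the level (plus exposure) selects a minimum control set,
and required controls that are neither implemented nor formally accepted are
unaddressed risk. The four risk decisions (accept, mitigate, reduce exposure,
reduce impact) return a new system record so the effect can be re-checked.
All control names, baselines and sample systems are hypothetical."""

from dataclasses import dataclass, replace
from enum import IntEnum


class Impact(IntEnum):
    """Business impact of losing a security property (hypothetical 3-point scale)."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


class Exposure(IntEnum):
    """Where the system sits (hypothetical): isolated, internal network, internet-facing."""
    ISOLATED = 0
    INTERNAL = 1
    INTERNET = 2


# Hypothetical controls introduced at each level; a level requires its own
# controls plus those of every level below it.
_LEVEL_CONTROLS = {
    Impact.LOW: {"unique-user-id", "password-policy", "data-backup"},
    Impact.MODERATE: {"audit-logging", "automatic-logoff", "encrypt-in-transit"},
    Impact.HIGH: {"encrypt-at-rest", "mfa", "disaster-recovery-plan"},
}

# Hypothetical controls added because of exposure, on top of the level baseline.
_EXPOSURE_CONTROLS = {
    Exposure.ISOLATED: set(),
    Exposure.INTERNAL: {"network-segmentation"},
    Exposure.INTERNET: {"network-segmentation", "perimeter-firewall", "vulnerability-scanning"},
}

_CIA = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class System:
    name: str
    confidentiality: Impact          # step 1: impact analysis, per property
    integrity: Impact
    availability: Impact
    exposure: Exposure               # step 2: where the system is located
    controls: frozenset              # step 2: controls actually in place
    accepted: frozenset = frozenset()  # missing controls management chose to accept

    def security_level(self) -> Impact:
        # Step 3: the greatest impact determines the required security level.
        return max(self.confidentiality, self.integrity, self.availability)

    def required_controls(self) -> frozenset:
        # The security level determines the required control set.
        required = set()
        for level in Impact:
            if level <= self.security_level():
                required |= _LEVEL_CONTROLS[level]
        required |= _EXPOSURE_CONTROLS[self.exposure]
        return frozenset(required)

    def missing_controls(self) -> frozenset:
        return self.required_controls() - self.controls

    def unaddressed_risk(self) -> frozenset:
        # Missing controls create unaddressed risk unless someone has decided about them.
        return self.missing_controls() - self.accepted


def accept_risk(system: System, control: str) -> System:
    """Accept the risk: the control stays missing but is no longer unaddressed."""
    if control not in system.missing_controls():
        raise ValueError(f"{control} is not a missing control on {system.name}")
    return replace(system, accepted=system.accepted | {control})


def mitigate(system: System, control: str) -> System:
    """Mitigate the risk: implement the missing control."""
    return replace(system, controls=system.controls | {control},
                   accepted=system.accepted - {control})


def reduce_exposure(system: System, exposure: Exposure) -> System:
    """Reduce the exposure: move the system to a less exposed location."""
    if exposure > system.exposure:
        raise ValueError("reduce_exposure cannot increase exposure")
    return replace(system, exposure=exposure)


def reduce_impact(system: System, **ratings: Impact) -> System:
    """Reduce the impact: lower one or more CIA ratings (e.g. by reducing dependency)."""
    for prop, rating in ratings.items():
        if prop not in _CIA or rating > getattr(system, prop):
            raise ValueError(f"reduce_impact can only lower {', '.join(_CIA)}")
    return replace(system, **ratings)


def characterize(system: System) -> dict:
    """The row a risk register would carry for this system."""
    return {
        "system": system.name,
        "security_level": system.security_level().name,
        "required": sorted(system.required_controls()),
        "missing": sorted(system.missing_controls()),
        "accepted": sorted(system.accepted),
        "unaddressed": sorted(system.unaddressed_risk()),
    }


# Constructed sample: an internet-facing patient portal with HIGH confidentiality
# and availability impact, where only the low-level controls are in place.
PORTAL = System(
    name="patient-portal",
    confidentiality=Impact.HIGH,
    integrity=Impact.MODERATE,
    availability=Impact.HIGH,
    exposure=Exposure.INTERNET,
    controls=frozenset({"unique-user-id", "password-policy", "data-backup"}),
)

if __name__ == "__main__":
    s = PORTAL
    print(characterize(s))
    s = mitigate(s, "mfa")
    s = accept_risk(s, "vulnerability-scanning")
    s = reduce_exposure(s, Exposure.INTERNAL)
    print(characterize(s))
```

Two things the model makes visible that the slide only states: lowering the availability rating of the portal does not lower its security level, because confidentiality is still HIGH and the greatest impact governs; and an accepted control is a documented decision, not a mitigation, so it still shows up as missing in the register.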
Conclusion
- Information Risk Management
  - Represents the basic set of responsibilities for addressing information security
  - Permits each organization to determine the specific details of how best to achieve an acceptable security level
  - It is important to take security seriously and to integrate security requirements into all aspects of information use within the organization
  - Business functions must learn how to make risk-based operational decisions
  - Using PHI without due regard for its security is no longer an option