HIPAA Compliance “Tune-Up” for 2016 Are You Prepared?
2
Speaker
Michael Flavin, Senior Product Marketing Manager, eFax Corporate®, Part of j2 Cloud Services
3
Agenda
1 Why HIPAA Enforcement Will Get Stronger in 2016
2 What Exactly is the OCR Phase 2 Audit?
3 Why Covered Entities Should Prioritize a Security Risk Analysis
4 6 Tips to Prevent Cyber Hacking
5 How to Create Cyber-Security Culture Across Your Organization
6 How a Cloud Fax Model Can Enhance HIPAA Compliance
4
The information provided in this presentation does not constitute, and is no substitute for, legal or other professional advice. We strongly encourage you to consult your own legal or other professional advisors for individualized guidance regarding the application of the law to your particular situations, and in connection with any compliance-related concerns.
5
Why HIPAA Enforcement will Ramp Up in 2016
HHS’s Office of the Inspector General (OIG) issues report recommending stronger oversight of CEs and BAs.
The Office for Civil Rights (OCR) responds with Phase 2, launching in early 2016.
6
HIPAA Resolutions & Corrective Actions Up Every Year
[Chart: annual HIPAA resolutions, 2003* through 2014, y-axis 0 to 18,000. Series: Investigated: No Violation; Resolved; Corrective Action or Tech Asst.; Total Resolutions]
7
Findings: The Results of HIPAA’s “Phase 1 Audits”
• 2/3 of entities had no complete or accurate risk assessment program.
• 44% of Privacy Rule deficiencies involved disclosures of ePHI.
• 58 out of 59 healthcare providers had at least 1 negative finding relating to the Security Rule!
8
Findings: The OIG Report that Led to the Phase 2 Audit
“In about half of the closed privacy cases… covered entities were noncompliant with at least one privacy standard.”
Recommendation: “OCR should…
• Implement permanent audit program
• Keep documentation of corrective action
• Improve method of tracking cases
• Expand outreach and education to CEs
• Check CE HIPAA investigation history”
9
Quick Audience Poll
1. How concerned are you about phase 2 OCR Compliance Audits in 2016?
a. Not concerned at all b. Slightly concerned c. Moderately concerned d. Very concerned
2. What best describes the biggest pain point with faxing in your organization today?
a. No integration into our EHR system b. HIPAA Security and Compliance concerns c. Ongoing costs of on-site fax Infrastructure d. Inefficiency of workflow processes
11
What Exactly is a “Phase 2 HIPAA Audit?”
Phase 2: Hundreds of Covered Entities Will Be Audited
• 550 to 800 entities contacted
• Estimated 350 selected for audit
• OCR’s own staff conducting the audits
• Combination of “desk” and onsite audits
• Measuring security, breach, privacy
13
Why Prioritize a Security Risk Analysis?
Health firms are at risk:
• Virus vulnerabilities are up
• Data breaches and ePHI theft are up
• Between 2010 and 2013, 29 million records compromised
• From the HHS Wall of Shame: 113,180,244 breaches in 2015 alone!
14
Why Prioritize a Security Risk Analysis? Healthcare was 2015’s #1 Data Breach Victim
[Chart: records affected in the five largest 2015 breaches shown: 78.8 million; 11 million; 10 million; 4.5 million; 3.9 million. Breach names are not recoverable from the slide text.]
Source: published as required by the HITECH Act on DHHS: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
15
Vulnerability to Cyber Hacking & ePHI Breach
FBI warnings to industry: “The FBI has observed malicious actors targeting healthcare related systems…for the purpose of obtaining Protected Healthcare Information (PHI)”
• HHS Office for Civil Rights: 1,199 incidents, 41.5 million individuals
• Huge change in scope: 1,800% increase from 2008-2013
• Data breaches year to date: 113+ million individuals
• Top 5 health data breaches in 2014: 7.4 million individuals
16
The largest data breaches in 2015 were all the result of cyber hacking, by way of spearphishing, malware and network intrusion.
17
What’s a “Secure” ePHI Transmission?
• TLS encryption: NIST encryption standards for handshake…
• AES 256-bit encryption: NIST encryption cipher standard for data protection…
HIPAA Privacy Rule: 45 CFR § 164.304 “…requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
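The slide's three requirements (TLS transport, AES-256 bulk cipher, NIST-style ECDHE/SHA-2 handshake) enforced on the client side, as an added example that is not from the deck or from eFax: a Python ssl context that refuses pre-1.2 TLS and non-AES-256 suites, plus a per-connection check of the tuple SSLSocket.cipher() returns. The cipher string and the policy thresholds are assumptions made for this illustration.

```python
import ssl

# Added example: the cipher string and thresholds below are assumptions,
# not any vendor's published configuration.
TLS12_CIPHER_STRING = "ECDHE+AES256:!aNULL:!eNULL:!MD5"


def make_ephi_context() -> ssl.SSLContext:
    """Client context that refuses anything weaker than the policy above."""
    ctx = ssl.create_default_context()            # CA verification + hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # drop SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers(TLS12_CIPHER_STRING)          # TLS 1.2 suites; TLS 1.3 suites are
    return ctx                                    # fixed by OpenSSL, checked per socket


def cipher_meets_policy(name: str, protocol: str, bits: int) -> bool:
    """Validate the (name, protocol, bits) tuple that SSLSocket.cipher() returns
    after the handshake. Call it before any ePHI is written to the socket."""
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        return False
    if bits != 256 or "AES256" not in name.replace("_", ""):
        return False                              # e.g. AES128-*, CHACHA20-POLY1305
    # TLS 1.3 suites always use ephemeral key exchange; TLS 1.2 must say ECDHE.
    return protocol == "TLSv1.3" or name.startswith("ECDHE-")


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """Static check of a context: minimum version and every enabled TLS 1.2 suite.
    TLS 1.3 suites cannot be filtered with set_ciphers(), so they are only
    checked per connection through cipher_meets_policy()."""
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        return False
    tls12 = [c for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]
    return bool(tls12) and all(
        cipher_meets_policy(c["name"], c["protocol"], c["strength_bits"]) for c in tls12
    )


if __name__ == "__main__":
    ctx = make_ephi_context()
    print("context meets policy:", context_meets_policy(ctx))
    # Constructed samples of what a fax gateway should accept or reject:
    for sample in [("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256),
                   ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),
                   ("AES128-SHA", "TLSv1.2", 128)]:
        print(sample[0], "->", cipher_meets_policy(*sample))
```

After `ctx.wrap_socket(...)` on a real connection, pass `sock.cipher()` to `cipher_meets_policy` and close the socket if it returns False.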
18
Why Prioritize a Security Risk Analysis?
98% of healthcare providers audited were found to have failed to comply with HIPAA’s Security Rule in at least one instance
19
The Cost of Data Breaches
• $154: average cost per record across all industries globally
• $363: average cost per breach for healthcare firms globally
• $163: average cost per record for retail firms globally
Again, Healthcare Tops the List of Industries
20
What are the Business-Impacting Threats?
Marketplace Reputation and Customer Loyalty
Liability • Legal costs • Credit assistance for customers • Training, call center triage • Fraudulent charges • Stock price, earnings, etc. • IT Resources
22
6 Tips to Prevent Cyber Hacking: Build Your Network’s Defensive Walls
1. Proactive Software Assurance • Source code and binary code testing tools • Application security scanners • Certifications
2. Blocking Attacks: Network Level • IDS and IPS • FW • MSS
3. Blocking Attacks: Host Level • Endpoint security • NAC
4. Eliminating Security Vulnerabilities • Vulnerability management • Patch management • Penetration testing
5. Safely Supporting Authorized Users • Encryption technology • VPN • DLP
6. Tools to Manage Security and Maximize Effectiveness • Log management • SIEM • Training
24
How to Create a Cyber-Security Culture
• Find ways to explain the right processes in non-technical terms, because technical language loses a lot of people.
• Identify the digital assets you most need to secure, and make sure you’re monitoring and protecting them.
• Look also for non-cyber data risks (hardcopy files left unattended, etc.) and include them in your training.
• Start at the top of your company: make everyone aware of the risks and how to avoid them.
25
Most Common Pitfalls
• Risk Assessment: lack of accurate data inventory/controls • Audit logs (critical for compliance and root cause)
• Humans: “Accidents Happen” • Social engineering • Security awareness training
• Missing policies and procedures: incident response team and plan & audit trail
27
Faxing in Healthcare Today – Trends: The Move toward a Cloud Fax Model
The “Cloud Fax” Model
• Your staff can fax anywhere
• Deploys in minutes
• Easy to use
• Requires no training
• Highly secure
• Compliant*
• Provides clear audit trails
• Cost-effective
• Virtually no IT administration, maintenance and troubleshooting
*eFax Secure™, part of the eFax Corporate® suite of solutions, is a HIPAA-compliant solution for Healthcare
28
eFax Corporate®
• The world’s #1 online fax company – and the industry’s most experienced hosted fax service
• The most widely deployed online fax service for the Fortune 500
• Trusted by more major healthcare, legal, financial and other highly-regulated firms than any other online fax provider to transmit sensitive documents
[Diagram: Inbound/Outbound Faxes over PSTN Telco Service; Hosted Fax Service with Encrypted Fax Storage via eFax Secure (optional); Encrypted in Transit (optional); user interfaces: Email, Secure Browser, Mobile App & eFax Messenger]
30
Helpful Resources
• HIPAA Privacy Rule
• The HIPAA Security Rule Toolkit
• OCR’s HIPAA Enforcement Data Page
• OCR’s Findings from Phase 1 Audits
• OIG 2015 Report Recommending Strengthened HIPAA Oversight
• BitSight Data-Security Industry Report
• HealthITNews: Top 10 Breaches of 2015
• HIPAAJournal: Top 2015 Breaches (Healthcare Industry #1 Victim)
• eFax Corporate Blog: Six Best Practices to Deter Cyber Hackers
• HealthCareITNews Article on Cyber Security Culture
• SANS Institute: Layered Defense Approach to Preventing Cyber Hacking
• The American Bar Association’s Interpretation of the HIPAA Security Rule and Protecting ePHI
• HHS Report: Security 101 for the CE
• HIPAA Audit Webpage
• Ponemon: 2015 Costs of Breaches
• 2015 HIMSS Conference
• eFax Corporate Data Sheet on HIPAA-Compliant Faxing