Healthcare compliances training and discussion blog

Archive for the ‘HIPAA compliance’ Category

Safeguard your confidential data by implementing HIPAA Privacy Rule’s De-Identification Standard


HIPAA, the Health Insurance Portability and Accountability Act, was passed in 1996 and reshaped health care administration. In earlier articles we looked at its Security Rule and the three categories of safeguards it defines: administrative, physical and technical.

There we covered the administrative safeguards and their required and addressable implementation specifications. This article examines the key points of the physical and technical safeguards of the Security Rule, with the aim of stating the main concepts as plainly as possible.

Physical Safeguards

The physical safeguards of the Security Rule cover the policies and procedures that control physical access to the facilities, systems and devices that hold electronic protected health information (PHI).

Particular care is needed when hardware or software that handles PHI is brought onto or removed from the network, and above all when equipment is retired: storage media must be wiped or destroyed before disposal so that the PHI it holds is not exposed afterwards.

  • Health data stored on equipment must be controlled and monitored.
  • Access to hardware and software must be limited to properly trained and authenticated individuals.
  • Workstations should be placed away from high-traffic areas so that monitor screens are not in public view.
  • Whoever engages contractors and agents must ensure that they are trained and aware of their duties and responsibilities.

Technical Safeguards

Technical safeguards cover the measures required when health information is stored and transmitted electronically, including over open networks, so that it does not fall into the wrong hands.

  • The responsible entity must have procedures that ensure information integrity, such as digital signatures, checksums and message authentication codes.
  • Implement authentication so that an entity seeking access to electronic records is confirmed to be who it claims to be; approaches include token or card systems, passwords, call-back procedures and biometric checks.
  • Draft and maintain documentation of every policy and practice implemented under the Security Rule, so that it can be produced whenever compliance auditors ask for it.
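
The integrity item above lists checksums alongside message authentication, and the difference matters. The following added example (not code from the original post) sends a PHI record across an untrusted network once protected by a bare SHA-256 checksum and once by an HMAC, then lets an attacker rewrite the billed amount in transit. The shared key, the record and the attacker are constructed for illustration; in production the key would come from a key-management service, never from source code.

```python
"""Integrity and origin authentication for PHI in transit.

Added example, not code from the original post.  A plain checksum (CRC32,
SHA-256) lets a receiver detect accidental corruption, but anyone who can
alter the message in transit can recompute the checksum too.  A keyed MAC
(HMAC-SHA256) cannot be recomputed without the shared key, so it gives both
integrity and proof that the sender held the key.  The key, the record and
the "attacker" below are constructed for illustration.
"""
import hashlib
import hmac
import json

SHARED_KEY = b"demo-only-key-0123456789abcdef"        # constructed, not a real key
RECORD = {"patient_id": "P-000123", "dx": "E11.9", "amount": 128.50}


def serialize(record: dict) -> bytes:
    """Canonical JSON so sender and receiver authenticate identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(payload: bytes) -> str:
    """Unkeyed hash: detects corruption, not tampering."""
    return hashlib.sha256(payload).hexdigest()


def mac(payload: bytes, key: bytes) -> str:
    """Keyed MAC: only a holder of `key` can produce a valid tag."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def protect(record: dict, key: bytes) -> tuple:
    """Sender side: serialize and tag the record."""
    payload = serialize(record)
    return payload, mac(payload, key)


def accept(payload: bytes, tag: str, key: bytes) -> dict:
    """Receiver side: verify the tag in constant time before parsing.
    compare_digest avoids leaking how many tag bytes matched via timing."""
    if not hmac.compare_digest(mac(payload, key), tag):
        raise ValueError("integrity check failed; message rejected")
    return json.loads(payload)


def tamper(record: dict) -> dict:
    """Attacker on the wire rewrites the billed amount."""
    forged = dict(record)
    forged["amount"] = 9128.50
    return forged


def checksum_scheme_accepts_forgery(record: dict) -> bool:
    """Receiver that only checks an unkeyed hash.  The attacker recomputes the
    hash over the forged bytes, so the check passes: returns True."""
    forged = serialize(tamper(record))
    transmitted_hash = checksum(forged)       # attacker needs no secret
    return checksum(forged) == transmitted_hash


def hmac_scheme_accepts_forgery(record: dict, key: bytes) -> bool:
    """Receiver that checks an HMAC.  The attacker can alter the bytes but not
    mint a tag, so the best it can do is replay the original: returns False."""
    _, original_tag = protect(record, key)
    forged = serialize(tamper(record))
    return hmac.compare_digest(mac(forged, key), original_tag)


if __name__ == "__main__":
    payload, tag = protect(RECORD, SHARED_KEY)
    print("valid record accepted:", accept(payload, tag, SHARED_KEY))
    print("checksum scheme fooled:", checksum_scheme_accepts_forgery(RECORD))
    print("HMAC scheme fooled:", hmac_scheme_accepts_forgery(RECORD, SHARED_KEY))
```

An HMAC gives integrity and origin authentication but no confidentiality: the record still crosses the network in the clear, so on an open network it also needs encryption in transit (normally TLS), which is what the Security Rule's encryption specification is about.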

Implementation Specifications

Healthcare compliance cannot be ignored, because it is what safeguards protected health information.

A system is needed that takes proper care of health information, and for that each health care provider and plan, whether a doctor, a hospital or a health plan, must be given a unique identifier. At present most use either a tax ID number or an employer identification number.

The Security and Privacy Rules lay down provisions to ensure that personal health records are kept secure and confidential and are not misused; a person who fails to follow them can be fined up to $250,000 and face prison time for severe enough violations. HIPAA was also designed to simplify the massive process of health care administration.

About emPower

emPower is a leading provider of comprehensive Healthcare Compliance Solutions through a Learning Management System (LMS). Its mission is to provide innovative security solutions that enable compliance with applicable laws and regulations and maximize business performance. emPower provides a range of courses to manage the compliance required by regulatory bodies and rules such as OSHA, HIPAA, the Joint Commission and the Red Flag Rule. emPower also offers custom demos and tutorials for your website, business process management and software implementation.

Its Learning Management System (LMS) lets students access all courses 24/7/365 through the portal. The emPower e-learning training program is an interactive mode of learning that lets students progress at their own pace.

For additional information, please visit http://www.empowerbpo.com.

$1.5M Fine Marks A New Era In HITECH Enforcement


Data breach at BlueCross BlueShield of Tennessee and subsequent penalty stands an example of the financial fallout from poor healthcare IT security practices

By Ericka Chickowski, Dark Reading
Contributing Writer

Enforcement actions from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reached a new level of reality last week when the department announced a $1.5 million settlement with BlueCross BlueShield of Tennessee over a 2010 data breach, making the organization the first to pay out penalties since the Health Information Technology for Economic and Clinical Health Act (HITECH) went live in 2009. The question now is whether such tangible examples of financial fallout will convince healthcare IT to invest in better security measures.

“It’s certainly a warning shot for the healthcare industry,” says John Nicholson, counsel for the global sourcing practice at Washington, D.C.-based law firm Pillsbury Winthrop Shaw Pittman LLP. “But is that a sufficient amount to act as a deterrent? It’s hard to tell at this point. It’s at the upper end of what organizations can be penalized and when you break it down it equals about a buck a record lost. For companies that are dealing in millions of records, that penalty can add up. But that’s just at very large companies. And data breaches are becoming sufficiently routine that everyone sort of looks at it and goes, ‘Eh, it’s another one.’”

But Nav Ranajee, director of healthcare vertical for CoreLink Data Centers, believes that starting to hit the big organizations in the pocketbook and making a spectacle out of the process should have the desired effect. Many of these organizations have been deprioritizing security because there just hasn’t been enough financial incentive to push it up the stack on the IT to-do list, he says. HHS making pecuniary damage a real risk of failing to comply with Health Insurance Portability and Accountability Act (HIPAA) security requirements changes that financial equation for these organizations, he says.

“What I’m seeing now when we talk to our clients, say a hospital or a business associate like a software company that services a hospital, is that when it comes to HIPAA, the first priority of a CIO has historically been to allocate funds to get that new EMR in house or that new clinical system, because that’s going to pay off in revenue,” he says. “But when it comes to making sure HIPAA requirements are up to date, that’s usually the last line item on the budget because it’s really a sunk cost. Now they’re going to have to look at the risk involved and wonder ‘Do I risk having a million dollar lawsuit if I don’t put the right security protocols in place?’”

The settlement BlueCross BlueShield of Tennessee paid to HHS was a penalty for failing to prevent a breach that saw the theft of 57 unencrypted hard drives containing recordings of customer service phone calls. The drives were left behind in a data closet after the company stopped using a leased facility.

“This settlement sends an important message that OCR expects health plans and healthcare providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said Leon Rodriguez, director of HHS OCR. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”

According to Nicholson, the breach is a good lesson to healthcare organizations on how compliance really could have helped the security of the organization and maybe even prevented a breach. “One of the things that HIPAA and HITECH require is that you go through an assessment of your policies and procedures whenever your operations significantly change. I don’t know for sure, but it seems like BlueCross BlueShield of Tennessee may not have done that evaluation. If they had done it, they might have said, ‘We’ve got these hard drives containing this unencrypted PHI and it’s in a locked closet but that’s not sufficient in this leased space,’” he says. “That’s probably a lesson to healthcare organizations. You really need to do those evaluations anytime a significant aspect of your operation changes that has implications on PHI.”

For his part, Ranajee says the BlueCross BlueShield of Tennessee incident stands as yet another testament of the importance of encryption for healthcare data protection.

“Really, it’s all about making sure that if you have data servers in your office or workplace, they need to be locked down–they need to have locks on them–and they need to be encrypted,” he says. “Those are two of the main things that are not commonplace but they should be.”


How to understand the new HIPAA requirements to make sure you’re in compliance


The American Recovery and Reinvestment Act of 2009 (ARRA), also known as the stimulus bill, contains the HITECH Act that amends the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996.

“When HIPAA was first enacted, the health care industry was paper driven,” says Jeff Porter, a director with Kegler, Brown, Hill & Ritter. “HITECH is addressing some long-standing issues with HIPAA, as well as some newer issues that have arisen as a result of the advent of electronic health records and the online transfer of health information.”

Among the significant changes are the expansion of enforcement to states’ attorneys general and expansion of privacy and security provisions related to “business associates” and new breach notification provisions. In addition, penalties can now be imposed on individuals as well as entities.

Smart Business asked Porter for more information about the changes to HIPAA.

Who is covered by HIPAA?

You or a legal representative can determine whether you are a covered entity. The website for the U.S. Department of Health & Human Services (HHS.gov) and the Office for Civil Rights (OCR) provide good guidance in this regard. Covered entities typically include hospitals, nursing homes, medical offices that provide treatment and bill for those services, health insurance plans, and health care clearinghouses (e.g., companies that convert health records and other information into the coding necessary for billing and research). If you are a business associate of a covered entity (e.g., a medical billing firm or a home health care agency), and you are obtaining information for a purpose the covered entity might use it for, you fall under the HIPAA provisions which apply to business associates.

What changes have been made regarding penalties for noncompliance?

The penalties have changed in a couple of significant ways. First, in regard to enforcement, previously penalties could only be imposed on covered entities – now penalties can be imposed on individuals as well. If someone within an organization willingly neglects and doesn’t comply with the rules and makes wrongful disclosures, he or she will be subject to fines, as well as possible imprisonment. Second, in the past, enforcement and violations were addressed solely at the federal level by the Office for Civil Rights. Now, attorneys general are empowered to deal with enforcement and violations as well.

What is the impact on state privacy laws?

Although many believe that HIPAA is the sole controlling authority related to patient privacy, it does not, however, preempt state privacy laws and regulations. If provisions in the state privacy laws are more restrictive, then those provisions apply in addition to HIPAA. For example, Ohio has some of the stricter state privacy laws in regard to disclosure of protected health information. These laws have to be evaluated and reviewed to determine what additional actions might be needed in terms of notification and disclosures. The question for the future is whether states with these stricter privacy measures will impact exchange of health information with other states. In coming years, if we are going to have more free-flowing medical information, these issues will need to be addressed.

What is considered protected health information?

Protected health information is identifiable information related to treatment of a patient and that is maintained by a covered entity. In certain circumstances covered entities can release this information without authorization, for purposes of treatment, billing and health care operations. Covered entities can’t release information beyond those purposes without authorization of the patient. In addition, specific types of information are viewed as more sensitive (e.g., mental health and substance abuse information, information about certain diseases, such as HIV) in many states and more restrictions on disclosure exist at the state level.

What is a permissible disclosure?

Information can be disclosed if a patient authorizes it. Information must be disclosed by a protected entity if the HHS requests that information as part of an investigation. Permitted disclosures also include treatment information (to help treat a patient); information used to seek payment; or information used in the health care operations category if that information will improve the quality of care overall or part of the business overall.

Do patients have any new rights?

Patients will have a greater ability to try to find out who has accessed their protected health information. Past experience is that most patients never request such information. However, there will now be a greater ability for patients to request an accounting of disclosures. This means that covered entities and business associates could be asked to account for a good deal of information if they get a request. New regulations are being considered in this area, so it is an area to watch.

How can covered entities best keep up with the changes and protect themselves?

1) Keep an eye on releases from HHS about changes. 2) Consult with your legal representative. 3) Make sure your designated privacy officer is properly trained and that he or she is training your employees. 4) Keep open lines of communication with business associates and make sure any contracts you have with them include appropriate provisions that will require they comply with HIPAA and all other state laws which may come into play.

This article was originally posted at http://www.sbnonline.com/2012/03/how-to-understand-the-new-hipaa-requirements-to-make-sure-you%E2%80%99re-in-compliance/?full=1

 

MGMA Calls for New Contingency Plan for HIPAA 5010 Transaction Standards


The Department of Health and Human Services should “immediately” issue an expanded contingency plan on the transition to the new Health Insurance Portability and Accountability Act (HIPAA) Version 5010 electronic transaction standards, since many practices and state Medicaid agencies are not ready for the transition, the Medical Group Management Association (MGMA) recommended Dec. 19.

According to the latest research from MGMA, many state Medicaid plans are unable to accept Version 5010 claims and “a significant number of practices” have not yet completed the software upgrades and health plan testing needed for the transition.

The new contingency measures should permit health plans to continue accepting HIPAA Version 4010 transactions and resolve Version 5010 claims that lack all the required data. Additionally, this contingency plan should last for a minimum of six months, MGMA said.

Currently, the compliance date for implementation of these standards is Jan. 1, 2012.

“We have been tracking the Version 5010 coordination between physician practices and their key trading partners throughout 2011 and it is clear that a significant number of these stakeholders are not ready to meet the January 1 compliance date,” Susan Turney, president and chief executive officer of MGMA, said in a statement. “Our main concern is that the failure to implement Version 5010 by the compliance date will impact payment to practices for the services they provide.”

“We oppose requiring the submission of a transition plan and timeline as a needless bureaucratic exercise that adds to the workload of the providers who have to produce them and the government employees who have to review them,” she said.

Implementation of Version 5010 is a prerequisite for using the updated International Classification of Diseases, 10th Revision (ICD-10) Clinical Modification diagnosis and ICD-10-PCS inpatient procedure code set in electronic health care transactions effective Oct. 1, 2013.

On Nov. 14, the Centers for Medicare & Medicaid Services announced that it would not initiate enforcement of the new HIPAA transaction standards until March 31, 2012 (see previous article).

Additional MGMA Findings

According to findings from a survey conducted by MGMA and the American College of Medical Practice Executives (ACMPE), 32 percent of study respondents reported that their organizations’ practice management system software has been upgraded to the HIPAA Version 5010 standards and that internal testing was complete.

Nearly 25 percent of those respondents indicated that either their software has not yet been upgraded or that testing is not even scheduled, the release said.

Additionally, less than 18 percent of respondents to the survey said they have completed testing with their Medicaid plans, and 79 percent of study respondents indicated that testing with all major commercial health plans remains incomplete.

Overall, the study found that less than 14 percent of respondents rate their 5010 implementation status as fully complete.

HIPAA Activity on the Rise


HIPAA Audit Program

The HIPAA audit program mandated by the HITECH Act is underway. HHS recently awarded KPMG $9.2 million to commence the program. To date, HHS review of covered entities has been complaint driven. Audit protocols will be developed for covered entities and business associates. The audits will begin late this year or early 2012, and consist of as many as 150 on-site audits of entities varying in type, size, and location. These audits can result in enforcement action if violations are discovered.

To get prepared for a HIPAA audit, providers should perform an updated risk assessment and review their policies and procedures. HHS issued an audit checklist that identifies personnel who may be interviewed and documents that may be requested during an audit.

Accounting of Disclosures and Access Report

The long-anticipated rules regarding accounting of disclosures were proposed this May. There are two major changes covered entities and business associates will need to address: 1) accounting for treatment, payment, and health care operations disclosures, and 2) providing an access report.

Accounting for Disclosures

While the proposed rules broaden the accounting requirement to treatment, payment, and health care operations, HHS proposes to limit the accounting to information maintained in a designated record set for three years prior to the date of the request. There are also proposed exemptions, including disclosures for which breach notice was provided; abuse or neglect reports; patient safety work product; and disclosures for research, health oversight activities, decedents, and others required by law. Keep in mind these exemptions may still be subject to the Access Report. Other proposed changes include decreasing the response time to 30 days and specifically including business associates.

Access Report

This rule proposes that an individual may request a report describing who has accessed their PHI maintained in an electronic designated record set, including the date and time of access, the person or entity accessing the information, a description of the information, and what was done with the information.
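
An access report of the kind just described has to be assembled from an EHR audit trail, and the data elements map directly onto log fields. The following added example (not from the original article) parses a constructed audit log, selects one patient's accesses within a look-back window and prints them in the order the proposal lists. The log format, the identifiers and the sample lines are constructed; the three-year window is taken from the accounting-of-disclosures paragraph above and made a parameter, since the final period may differ.

```python
"""Producing an individual's access report from an EHR audit trail.

Added example, not from the original article.  Per access to electronic PHI
in the designated record set the proposal wants: date and time, who accessed
it (person or entity), what information, and what was done with it.  The log
format, identifiers and sample lines are constructed; a real audit trail will
differ.  The look-back window is a parameter (three years by default).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed audit log, one access per line:
# timestamp,actor,organisation,action,patient_id,record_section
AUDIT_LOG = """\
2012-01-03T09:14:22Z,dr.lee,Mid-Town Clinic,VIEW,P-000123,medications
2012-01-03T09:15:02Z,dr.lee,Mid-Town Clinic,UPDATE,P-000123,progress_notes
2012-01-04T13:40:10Z,billing.svc,BillCo (business associate),EXPORT,P-000123,encounter_summary
2012-01-04T13:41:55Z,billing.svc,BillCo (business associate),EXPORT,P-000777,encounter_summary
2008-06-11T08:00:00Z,nurse.kim,Mid-Town Clinic,VIEW,P-000123,vitals
"""

# Constructed date on which the individual made the request.
REQUEST_DATE = datetime(2012, 3, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Access:
    when: datetime
    actor: str
    org: str
    action: str
    patient: str
    section: str


def parse_log(text: str) -> list:
    """Parse the constructed CSV-style trail into Access records (UTC)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, org, action, patient, section = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entries.append(Access(when, actor, org, action, patient, section))
    return entries


def access_report(entries: list, patient: str, requested_on: datetime,
                  years: int = 3) -> list:
    """All accesses to one patient's electronic PHI within `years` before the
    request date, newest first.  Accesses by business associates stay in,
    since the proposal names them explicitly."""
    cutoff = requested_on - timedelta(days=365 * years)
    rows = [e for e in entries
            if e.patient == patient and cutoff <= e.when <= requested_on]
    rows.sort(key=lambda e: e.when, reverse=True)
    return rows


def format_report(rows: list) -> list:
    """One human-readable line per access: when, who, what, what was done."""
    return [f"{e.when:%Y-%m-%d %H:%M} UTC | {e.actor} ({e.org}) | {e.section} | {e.action}"
            for e in rows]


if __name__ == "__main__":
    for line in format_report(access_report(parse_log(AUDIT_LOG), "P-000123", REQUEST_DATE)):
        print(line)
```

The 2008 entry is dropped by the window and the P-000777 entry by the patient filter; the business-associate export stays in the report. Producing this on request presupposes that the audit trail records the actor and the record section for every read, not just for writes, which is the part most systems are weakest on.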

Covered Entities must revise their Notice of Privacy Practices to notify individuals of their right to an accounting and an access report.

Monetary Penalties

For the first time this year, there were three major monetary penalties issued for HIPAA violations. These include a $4.3 million penalty involving failure to provide access, a $1 million penalty involving loss of PHI, and most recently an $865,500 penalty involving unauthorized employee access to electronic PHI. Another reason to update your HIPAA program!

Joy Kosiewicz is an attorney in the Health Care Group at Brouse McDowell in Akron.

HIPAA vs The Cloud


HIPAA Compliance: The objective behind

Every individual's health record is sensitive, and protecting it is what the HIPAA Security Rule is for: it covers the electronic health information that a healthcare unit or hospital creates, receives, uses or maintains. Under the rule the healthcare unit is responsible for taking every reasonable measure to keep that information confidential, available and free from unauthorized alteration or electronic interference. Healthcare units often find the rule's expectations hard to meet, because following its directives takes a more technical approach than they are used to.

Healthcare unit’s responsibility in ensuring HIPAA security compliance

Under the Security Rule each of the three categories of safeguards, administrative, physical and technical, is met through implementation specifications, which spell out how each safeguard is to be achieved. A required specification must be implemented as written. For an addressable specification the healthcare unit or hospital must either implement it, implement an equivalent alternative measure that achieves the same objective, or decide that neither is reasonable and appropriate in its environment. Whichever choice it makes must be documented, together with the assessment on which the decision was based. The visible outcome of all this is a real challenge for IT professionals working in the health sector.

Shouldering HIPAA compliance responsibility with cloud computing vendor

Unsurprisingly, cloud computing looked like it would ease the situation, but it calls for caution, since an outside party, the cloud provider acting as a business associate, is now involved alongside the healthcare unit. Because of that partnership the ultimate responsibility for HIPAA compliance still rests with the healthcare unit while the implementation is carried out at the vendor's end, so there is real room for sensitive information to leak at the remote location where the cloud service runs. The healthcare unit still has to meet all the safeguards and implementation specifications discussed above to satisfy the Security Rule, and in practice it must extend its oversight and control to the cloud business associate's location, covering integrity, encryption, data transfer and data management, matters it may previously have left to the business associate because of contractual limits or budget constraints.

Documentation of roles

The healthcare unit thus has an opportunity to assign a fair share of responsibility to its cloud computing business associate and keep the vendor under scrutiny, treating HIPAA compliance as the vendor's accountability as much as its own. Its documented procedures can record how far the vendor is involved, and the vendor should in turn be asked to document its own procedures and practices for meeting the technical requirements and HIPAA compliance as a whole.

Cloud computing can be the technical answer that lets healthcare IT professionals satisfy the Security Rule, and healthcare organisations can ensure strict adherence to HIPAA by sharing responsibility equally with their cloud computing business associates.

For additional information, please visit http://www.empowerbpo.com/HIPAA_Compliance_Training.html.

Clinic says North Dakota Blues violate HIPAA law


Mid Dakota Clinic of Bismarck has opted out of a major initiative by Blue Cross Blue Shield of North Dakota that involves sharing patient records with an outside consultant and cites patient privacy concerns as the reason.

The program, MediQHome, is a “medical home” partnership between the health insurer and teams of medical providers aimed at better managing patients, especially those with chronic diseases, such as diabetes or asthma, to improve outcomes and reduce costs.

The initiative, which involves more than seven of every 10 primary care clinicians representing 75 percent of the North Dakota Blues’ members, requires providers to share patient information with an outside health quality consultant, MDdatacor, a firm located in suburban Atlanta.

Jeff Neuberger, the chief executive officer of Mid Dakota Clinic, said Friday that all patients should be contacted in advance to get their permission before their medical information is sent to a third party for review.

The clinic’s legal counsel, he said, concluded that failure to get individual patients’ express approval would violate a federal law protecting patient privacy, the Health Insurance Portability and Accountability Act, often called HIPAA.

“HIPAA doesn’t allow us to send information on everybody” without the patient’s permission, Neuberger said. “It’s very clear on that. We’ve said (to Blue Cross Blue Shield) you have no right to do that.”

The contract given to providers specifies they get “all appropriate” releases from patients, Neuberger said. But the contract language contradicts what Blue Cross Blue Shield executives have said about patient permission not being necessary, Neuberger said.

Representatives of Blue Cross Blue Shield of North Dakota said the information-sharing under the MediQHome program complies fully with HIPAA and protects patient privacy.

“We have remained 100 percent consistent with all providers that there is no requirement to receive permission from patients in order to participate in MediQHome,” Denise Kolpack, a Blue Cross Blue Shield vice president said in a statement to The Forum, highlighting “no requirement” in bold to emphasize the point.

She went on to say, however, that the contract includes language to allow a provider to participate in the health quality program “even if that provider has their own, stricter requirements around patient permissions and authorizations.”

Most of the major medical providers in North Dakota participate in the MediQHome program, which began in 2009, including Sanford Health and Essentia Health in Fargo.

The top lawyer for Sanford Health said the initiative both helps to improve patient care and complies fully with federal privacy laws.

“The partnership with BCBSND is one example of efforts we are undertaking as a health care system to improve quality and reduce the cost of health care overall for all consumers in our service area,” said Paul Richard, Sanford’s chief legal officer.

“All releases of patient information to MDdatacor by Sanford Health are in compliance with HIPAA,” he added, including a section of the law he said supported his position.

Kevin Pitzer, chief administrative officer of Essentia Health in Fargo, said the health system’s standard release of information form, for both hospital and clinic patients, includes authorization to release information of the kind it sends to MDdatacor.

“We do get permission from patients to release that information,” he said, adding that Essentia consulted both with in-house and outside legal counsel before embarking on the MediQHome program two years ago.

Participating medical providers send data on all their patients to MDdatacor “to identify clinical opportunities for improved health care delivery to all their patients with chronic diseases,” said Dr. David Hanekom, chief medical officer for Blue Cross Blue Shield of North Dakota.

Dr. Robert Roswick, medical director of Mid Dakota Clinic and a family practice physician, said it is improper – and illegal – to send medical information from all patients to the health quality consultant without prior patient approval.

He offered himself as an example of what he views as a breach of patient confidentiality.

A private pilot, Roswick must get annual physical checkups to keep his license current. He gets his exam at Trinity Health in Minot, which participates in MediQHome.

Aware of that, and the program’s protocol calling for providers to share information for all Blue Cross Blue Shield of North Dakota patients, he asked Trinity if his medical records were sent to the outside health quality consultant, MDdatacor.

The answer Roswick received from Trinity, after writing several letters, was yes. Roswick, who said he had not given his approval to do so, said the release was inappropriate and illegal – especially considering he is not covered by Blue Cross Blue Shield and does not have a chronic medical condition.

“It’s a blatant HIPAA violation,” Roswick said, adding that he has filed a complaint with the federal government and is still waiting for a response.

A spokesman for Trinity Health declined to comment on Roswick’s complaint.

“Patient privacy is important to us, and we strive to comply with all regulations involving patient privacy,” said Randy Schwan, a Trinity vice president.

Mid Dakota Clinic’s Neuberger and Roswick said medical providers in North Dakota have strong financial incentives to participate in MediQHome and therefore to send information of their patients covered by Blue Cross Blue Shield of North Dakota to MDdatacor, which could not be reached for comment Friday, for analysis.

In response, Hanekom said BCBSND is revamping its reimbursements to providers in a broad ongoing effort to reward better quality of care.

This article was originally posted at http://www.inforum.com/event/article/id/334231/group/Business/

Day-Long HIPAA Boot Camp Targets HIM Professionals


The 2011 annual convention of the American Health Information Management Association, Oct. 1-6 in Salt Lake City, features a series of in-depth post conference educational sessions on the 6th, including an eight-hour HIPAA Privacy and Security Boot Camp.

The camp is designed for health information management directors, other professionals with little or no privacy experience who are taking on a new role as a privacy officer or would like to, and existing privacy officers who want a better understanding of regulations and issues.

“I’m not going to assume they know too much,” says Kelly McLendon, the presenter and founder of HIXperts, a Titusville, Fla.-based consultancy. “I’m not going to leave anyone behind, but at the same time will go beyond the basics.”

McLendon will cover the tools of HIPAA privacy compliance, such as policy templates, spreadsheets and other forms for specific functions, such as cataloging records systems with protected health information. He’ll cover expected requirements in a final omnibus HIPAA rule expected this year covering the privacy, security, breach notification and enforcement rules, and also cover privacy regulations from the HHS Substance Abuse and Mental Health Services Administration.

“This is a very deep view of HIPAA for HIM and privacy professionals, but we will start from the basics and make sure everyone understands from the ground up,” McLendon says. More information on educational session 7004, “HIPAA Privacy and Security Boot Camp,” which starts at 9:00 a.m., is available at ahima.org.

This article was originally posted at http://www.healthdatamanagement.com/news/hipaa-ahima-privacy-security-breach-43164-1.html

The Criticality of Risk Assessments: FISMA, HIPAA, and other regs


By Richard E. Mackey, Jr.
Dark Reading

One of the most important components in any security program is the risk assessment process. Regulations like FISMA, HIPAA, Red Flag Rules, and state privacy regulations require organizations to methodically assess risk and select security controls based on that assessment. The problem is that many organizations do not understand what it means to assess risk through a formal method. Worse yet, many IT people have a hard time understanding the practicality of formal assessments.

What is a formal risk assessment?

Formal risk assessments are processes that consider the value of the assets that are at risk, the business and technical threats to the assets, and the effectiveness of the business and technical controls that are designed to protect the asset. In the end, a risk assessment gives the organization an objective measure of the risk to an asset. The process forces the organization to acknowledge and accept the risk, eliminate the risk by terminating a business practice (e.g., stop offering access to the asset via the web), transfer the risk by outsourcing or insurance, or, more often than not, select additional more effective business or technical controls to reduce the risk.

The benefits of formal risk assessments

Conducting formal assessments within a risk management program provides a number of benefits.

Formal assessments:

1. Require business and technical representatives to reason about risk in an objective, repeatable way
2. Require consistent terminology and metrics to discuss and measure risk
3. Justify funding for needed controls
4. Identify controls that can be eliminated
5. Provide documentation of threats that were considered and risks that were identified
6. Require business and IT to acknowledge the responsibility for ownership of risk
7. Require organizations to track risks and reassess them over time and as conditions change
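To make the process above concrete, here is an added example (not from the Dark Reading article or its author) of a minimal risk register that takes the three inputs the article names, asset value, threat likelihood and control effectiveness, produces a repeatable score, records that score per assessment cycle so it can be tracked over time, and maps the result to the four treatments listed: accept, eliminate, transfer, or reduce with additional controls. It also flags controls whose removal would still leave the risk within appetite (benefit 4). The 1-5 ordinal scale, the multiplicative formula, the 0.8 cut-off and the sample assets and controls are this example's own assumptions, not part of any standard or of the article.

```python
"""Minimal formal risk register (added example; scales, formula and
thresholds are illustrative assumptions, not a published standard)."""
from dataclasses import dataclass, field

# Ordinal 1-5 scale so different assessors produce comparable numbers.
SCALE = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of the threat this control stops, 0.0-1.0


@dataclass
class Risk:
    asset: str
    asset_value: str                       # key into SCALE
    threat: str
    likelihood: str                        # key into SCALE
    controls: list = field(default_factory=list)
    history: list = field(default_factory=list)  # (label, score) per cycle


def residual_exposure(controls):
    """Fraction of the threat that survives layered controls."""
    remaining = 1.0
    for c in controls:
        if not 0.0 <= c.effectiveness <= 1.0:
            raise ValueError(f"{c.name}: effectiveness must be within 0..1")
        remaining *= 1.0 - c.effectiveness
    return remaining


def inherent_score(risk):
    """Risk before any control: asset value x likelihood, range 1..25."""
    return SCALE[risk.asset_value] * SCALE[risk.likelihood]


def residual_score(risk):
    """Risk after the controls currently in place."""
    return round(inherent_score(risk) * residual_exposure(risk.controls), 2)


def treatment(risk, appetite):
    """Choose among the four treatments for a residual score above appetite.

    For 'reduce', also report how effective one additional control must be
    to bring the score within appetite; that number is what a funding
    request for the control has to justify.
    """
    residual = residual_score(risk)
    if residual <= appetite:
        return {"decision": "accept", "score": residual}
    needed = 1.0 - appetite / residual
    if needed > 0.8:  # assumed cut-off: no single realistic control closes the gap
        return {"decision": "eliminate or transfer", "score": residual}
    return {"decision": "reduce", "score": residual,
            "extra_control_effectiveness": round(needed, 2)}


def redundant_controls(risk, appetite):
    """Controls whose individual removal keeps the risk within appetite.

    Each control is judged on its own; removing several at once may not be
    safe, so treat the list as candidates for review, not for deletion.
    """
    names = []
    for c in risk.controls:
        others = [o for o in risk.controls if o is not c]
        if inherent_score(risk) * residual_exposure(others) <= appetite:
            names.append(c.name)
    return names


def reassess(risk, label, appetite):
    """Score the risk now and append the result to its history."""
    result = treatment(risk, appetite)
    risk.history.append((label, result["score"]))
    return result


def run_demo():
    """Walk one constructed risk through two assessment cycles."""
    appetite = 6.0
    portal = Risk("patient portal", "high",
                  "exploitation of an unpatched web server", "very high",
                  [Control("monthly patching", 0.5)])
    first = reassess(portal, "Q1 baseline", appetite)      # score 10.0 -> reduce
    if first["decision"] == "reduce":
        # A control at least as effective as the reported 0.4 is required.
        portal.controls.append(Control("web application firewall", 0.5))
    reassess(portal, "Q2 after WAF", appetite)             # score 5.0 -> accept
    return portal.history


if __name__ == "__main__":
    for label, score in run_demo():
        print(f"{label}: {score}")
```

The score on its own is not the point; what makes the assessment formal is that the same inputs always give the same number, the decision is recorded next to the score, and the history shows whether the added control actually moved the risk where the business case said it would.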

Why are risk assessments so important in compliance?

There is a good reason for so many regulations to include a requirement for risk assessment. It is only sensible that a regulatory body cannot dictate the controls that are necessary in every environment. What might be appropriate for a large company with a significant web presence could be overkill for a small organization with a few customers. If the threats are different and the environment is different, it stands to reason that the controls may be different.

It is interesting to note that even the most prescriptive standards (e.g., PCI DSS) require risk assessments to determine the need for and effectiveness of controls. On the less prescriptive side of the regulatory spectrum, HIPAA and FISMA have very few required controls but expect the entire program to be risk based. This approach makes sense when one standard needs to apply to everyone.

Choosing a risk management framework

If your organization needs to comply with FISMA, your risk management approach should be based on NIST Special Publication 800-39. This document provides an overall description of the risk management lifecycle. Risk assessment, which is one part of the risk management program, is described in NIST Special Publication 800-30 (which is being revised). SP 800-30 provides a stepwise method for assessing risk that can be customized for a given organization.

Another good source of risk management documentation is provided by the OCTAVE project developed at Carnegie Mellon University. Both NIST and OCTAVE provide excellent sources for building a risk management program that help organizations meet their security and regulatory requirements.

This article was originally posted at http://www.darkreading.com/blog/231600781/the-criticality-of-risk-assessments-fisma-hipaa-and-other-regs.html

Tips on PCI DSS Compliance


Too many healthcare organizations have overlooked their obligation to comply with the Payment Card Industry Data Security Standard, says security expert Tom Walsh. Compliance with PCI DSS, designed to help prevent credit card fraud and theft, can help healthcare organizations comply with the HIPAA security rule as well, Walsh stresses. That’s because PCI DSS offers far more security specifics than HIPAA, including, for example, specific password requirements, he notes.

“If an organization can meet all of the requirements of PCI, it’s going to be in great shape when it comes to HIPAA security compliance,” Walsh contends. “The problem is that most organizations just can’t afford right now to invest in their infrastructure as well as all of the controls required to meet all the standards required in PCI. If they could, it would be a great help with HIPAA.”

Large payment card transaction volume merchants, including many hospitals, must have independent audits and frequent vulnerability tests, Walsh explains. Those with smaller payment card transaction levels are required to conduct a self-assessment and complete a “self-assessment questionnaire.” All merchants are required to complete an “attestation of compliance.”

In an interview (transcript below) with Howard Anderson, executive editor of HealthcareInfoSecurity.com, Walsh offers an overview of PCI DSS and suggests key compliance steps, including:

  • Creating a diagram that shows how credit transactions are handled;
  • Identifying all applications and systems involved and creating an inventory of all card reading devices;
  • Conducting an initial self-assessment and creating a plan to remediate any problems identified;
  • Creating a credit card handling policy and training staff annually on how to carry it out.

On May 18, Walsh will conduct an in-depth webinar on PCI DSS compliance in partnership with Information Security Media Group.

Walsh, CISSP, is president of Tom Walsh Consulting, an Overland Park, Kan.-based firm that advises healthcare organizations on information security in healthcare. He has conducted numerous presentations on PCI and has helped dozens of healthcare organizations conduct PCI self-assessments. Walsh also serves as information security officer at San Antonio Community Hospital on an outsourced basis.

HOWARD ANDERSON: For starters, please briefly describe the Payment Card Industry Data Security Standard and who must comply.

TOM WALSH: … To counter the threat of fraud, and unintentional security breaches, the major credit card companies worked collaboratively to create a common industry standard. … In September of 2006, the five major credit card companies formed the organization called the PCI Security Standards Council, and what the council tried to do was come up with a set of standard data security criteria that they wanted all the organizations that handle or process credit cards to follow.

The standard itself covers both technical and operational system components associated with the card holder data environment. It includes things like the access to credit card data, transferring the information, storage of the information, retention and disposal. They’ve been updating the standard over the years, and the current version of the PCI Data Security Standard is Version 2.0.

…Mainly the goals are to build and maintain a secure network, protect the card holder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test the networks, and then maintain an information security policy. These are all good things and generally considered common practices.

One thing I want to point out is that many people get confused, and they wonder whether this applies to the entire network and to the entire organization. But it really pertains only to those systems or applications that are used for the storage, processing or transmission of cardholder data. That is why a lot of organizations try to segregate out credit card data transactions from their other operations.

Security Controls

ANDERSON: Many healthcare organizations have been focused heavily on complying with HIPAA’s privacy and security rules, while sometimes overlooking other industry standards, such as PCI. So tell us about security controls that PCI requires.

WALSH: Many organizations are worried about complying with HIPAA, and they’ve forgotten that PCI applies globally to any organization that stores or processes or transmits card holder data. So most healthcare organizations accept credit cards for payment for co-pays or for paying for their services outright. As part of this, they have to go in and look at these security requirements and they have to do what’s called a self-assessment, and that is a questionnaire form they have to fill out and it has certain criteria. The criteria are based on the environment in which your credit card processing takes place.

While the council is really responsible for managing the data security standards, each of the credit card brands maintains its own separate compliance and enforcement program, which makes it a little bit of a challenge. Each card brand has their own determination for validation of compliance, and most of it is based on reporting, and the reporting is usually a requirement for the acquiring financial institutions or banks, or the merchant service processors that work with the organization when they process credit cards.

Generally they’ll ask for … some kind of a letter to provide evidence or proof that the healthcare organization that is processing the credit cards is, indeed, in compliance with the PCI data security standard.

Now sometimes a breach may occur, and that is when these organizations will get involved, and then they’ll want to see proof that you’ve been compliant over the years. …

One of the things I’ve seen, which is a trend, is that the banks or merchant service processors are now sending letters to [certain] organizations and they are asking them to prove that they’re compliant by going online to a website and completing their self-assessment questionnaire. …

The other part about this that can be difficult is that when you go on the website to complete the self-assessment questionnaire, many times what is included in that registration process is a vulnerability scan that will be conducted by the organization that the bank or merchant service processor has contracted to go out and conduct the scan. …

The other thing is, who gets these letters? Generally it’s not going to end up with IT or information security; it usually will end up with whoever in the organization has the relationship with the bank or the credit card company. So the bad news is, somebody could be getting this letter and not know what to do with it, and either hold on to it or ignore it. And meanwhile, the folks who really know what they should be doing about it aren’t getting the word.

So as far as a compliance audit … you should be doing it on an annual basis. … In most cases, my clients, when they go through this, they’ll hold on to the result of it and won’t turn it over unless they are asked to produce it.

PCI Compliance

ANDERSON: So what are a few of the steps that an organization can take to assess whether they are PCI compliant now?

WALSH: Well some of the things that they need to look at is to figure out who in their organization is handling or processing credit cards. So you’ve got to look at the various departments. Now in a hospital, it will typically be the departments such as admitting, registration or patient access … where the patient first checks in and pays for a co-pay. It could be the cashier at the hospital. Patient financial services, which does the patient billing, handles credit cards [as do the] gift shops, cafeteria, any of the outpatient services, such as the pharmacy … or clinics or urgent care centers or if the organization sells or rents medical equipment and supplies. So those would be areas where credit cards are being handled. So the first step is really getting a handle on the environment itself.

The next step would be to determine who really owns the PCI project. … They need a high-level executive to take ownership of it. You need to determine what merchant level and type you are, based on the number of transactions you process and the environment that you process it in: are you using just point-of-sale terminals or are you using some secure website for processing transactions. Then create a transaction work flow map or a diagram that shows how credit card transactions take place in the organization, and where all the data may reside so you have an idea then of what you need to assess. Then identify the applications and systems associated with the processing, storage and transmission of the credit card data. You might want to do an inventory of any of your point-of-sale terminals or cash register systems, or card readers that attach to a workstation.

Then you would conduct your initial self assessment, filling out the self assessment questionnaire. Sometimes [those doing this for the] first time … may want to call upon a vendor for some help with that. Once they have done the assessment, they will probably find some shortcomings, and that would be something you would put in a report of findings to your executive management to make a determination of the next steps through some type of an action plan, and what is it going to cost to remediate these. What kinds of resources do we need?

Some simple things … that need to be done include creating a credit card handling policy and then conducting awareness training for all your employees. Now the requirement is to train everyone who is handling credit cards when they are newly hired and then annually. And part of that annual training is that the employee has to acknowledge that they received a copy of the credit card handling policy and understand what their responsibilities are. So those are some of the key steps that need to be taken right away.

HIPAA, PCI Overlap

ANDERSON: And is there any overlap between what HIPAA requires and what PCI requires?

WALSH: Well there is some overlap. The HIPAA security rule is kind of vague. It was written that way so it could be scalable. So it doesn’t give you a lot of detail, whereas the PCI Data Security Standard is very specific and detailed in its requirements. So for example … within the HIPAA security rule there is really no specification for passwords other than under the standard of security awareness training that we have to conduct password management training and we have to teach people how to manage their passwords. But when you look under the technical safeguard section, it talks about authentication but it doesn’t specify passwords, which is probably the most commonly used method today in healthcare of authenticating a user. When you look at PCI, they have eight specific requirements on passwords. So they specify things like minimum password length and complexity, history and password expirations; it’s very detailed.

So, if an organization can meet all of the requirements of PCI, you’re going to be in great shape when it comes to HIPAA security compliance. The problem is that most organizations just can’t afford right now to invest in their infrastructure as well as all the controls that are required to meet all the standards in PCI. If they could, it would be a great help with HIPAA.

ANDERSON: Finally, you’ll be offering a webinar on PCI compliance strategies May 18, so tell us what information you are planning to provide in that event.

WALSH: In that webinar, I’m going to go into more detail about the PCI Data Security Standard. I’ll also be talking about some of the common mistakes that I’ve seen in healthcare organizations as far as addressing the standard. We’ll provide a more detailed action plan. …

This article was originally posted at http://www.healthcareinfosecurity.com/articles.php?art_id=3581&pg=3
