CMS OIG HIPAA Security Rule Enforcement So NCHICA

CMS & OIG HIPAA Security Rule Enforcement
Lessons in Audit Readiness
March 3, 2009

Today’s Speaker




Michael "Mac" McMillan
Chief Executive Officer
CynergisTek, Inc.
Chair, HIMSS Information System Security Working Group




                             CynergisTek
Discussion Guide

• The Audit Landscape
• Getting Your Organization Prepared
• Understanding Audit Expectations
• Establishing a Readiness Mindset
• Recent Experiences
• References/Questions



2008 Audit Landscape

• The OIG reported they would audit up to 10 organizations, one per region across the country
• CMS/OESS would audit 10-20 organizations
• Both OIG and CMS audits were not announced; both said they would publish results; OIG did
• CMS audits were to focus on large institutions and be compliance driven, involve a “complaint”
• OIG audits focused on Medicare related facilities and were not size driven
• Audits will continue in 2009 and beyond and will most likely increase in frequency, with joint cooperation


HIMSS 2008 Outreach

• Virtual Conferences and Webinars Focused on Preparedness
• Tony Trenkle, Director, Office of eHealth Standards & Services, CMS
• Mac McMillan, Chair, HIMSS Information System Security Working Group
• Nationwide webinars
• State level presentations
• Conferences

CMS View on Readiness

• CMS’ bottom line is that all healthcare organizations should be audit ready all the time
• By making security considerations a natural part of their everyday business processes, CMS believes organizations can achieve compliance
• Compliance should be a natural by-product of everyday activities, requiring little to no effort to prepare for audit
• Audits are evidence based, making readiness most important


Readiness: Rule One

• The first rule in being audit ready is integrating security into every aspect of data and enterprise management, following a system life cycle management approach
• Crash preparation rarely works with a knowledgeable auditor and does nothing to support day-to-day requirements


What Requirements Apply?

• Define the security environment based on the business and regulatory drivers that apply to your organization:
  – HIPAA
  – JCAHO
  – PCI/DSS
  – Sarbanes Oxley
  – Identity Theft Red Flags
  – State Laws


Define The Program

• Define your program based on those regulatory requirements that apply and your business
• Adopt a framework or model for your security program that enables you to address data security requirements in a reasonable manner
• Build a matrix of security requirements and associated factors such as method of control, periodicity, method of testing or audit
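The requirements matrix described on this slide can be kept as data and checked mechanically. The following is an added example, not from the presentation or from CynergisTek: each row records a requirement, its method of control, its periodicity, its method of testing and the evidence on file, and a check flags the rows an evidence-based auditor would question (no evidence, never tested, or testing overdue for its period). The HIPAA and PCI/DSS citations, the period lengths and the sample rows are constructed for illustration and are not a complete mapping of either standard.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Review periods in days for the "periodicity" column (assumed values, not from the deck).
PERIODS = {"monthly": 30, "quarterly": 91, "semiannual": 182, "annual": 365}


@dataclass
class Control:
    """One row of the requirements matrix."""
    requirement: str            # regulatory driver and citation
    description: str
    method_of_control: str      # administrative, technical or physical
    periodicity: str            # key into PERIODS
    method_of_testing: str      # how the control is tested or audited
    evidence: List[str] = field(default_factory=list)  # records on file
    last_tested: Optional[date] = None


def check_readiness(matrix: List[Control], today: date) -> Dict[str, List[str]]:
    """Return {requirement: [issue, ...]} for every control an auditor would question.

    A control passes only when evidence exists, it has been tested at least
    once, and the most recent test falls inside its periodicity window.
    """
    findings: Dict[str, List[str]] = {}
    for control in matrix:
        issues = []
        if not control.evidence:
            issues.append("no evidence on file")
        if control.last_tested is None:
            issues.append("never tested")
        else:
            due = control.last_tested + timedelta(days=PERIODS[control.periodicity])
            if today > due:
                issues.append(f"test overdue since {due.isoformat()}")
        if issues:
            findings[control.requirement] = issues
    return findings


def sample_matrix() -> List[Control]:
    """Constructed sample rows; citations are illustrative examples only."""
    return [
        Control("HIPAA 164.308(a)(1)(ii)(A)", "Risk analysis", "administrative",
                "annual", "review of signed risk analysis report",
                evidence=["risk-analysis-2008.pdf"], last_tested=date(2008, 2, 1)),
        Control("HIPAA 164.312(b)", "Audit controls / log review", "technical",
                "monthly", "sampled review of system logs",
                evidence=["log-review-2009-02.xlsx"], last_tested=date(2009, 2, 20)),
        Control("HIPAA 164.308(a)(4)", "Information access management", "administrative",
                "quarterly", "compare account list against role approvals"),
        Control("PCI/DSS 11.3", "Penetration testing", "technical",
                "annual", "external test report",
                evidence=["pentest-2008.pdf"], last_tested=date(2008, 6, 15)),
    ]


def readiness_report(today: date = date(2009, 3, 3)) -> List[str]:
    """Render the findings as one line per questionable control, sorted by requirement."""
    findings = check_readiness(sample_matrix(), today)
    return [f"{req}: {'; '.join(issues)}" for req, issues in sorted(findings.items())]


if __name__ == "__main__":
    for line in readiness_report():
        print(line)
```

Run as-is, the report (dated to the presentation, March 3, 2009) flags the annual risk analysis as overdue and the access-management row as having neither evidence nor a test on record, while the monthly log review and the annual penetration test pass. Keeping the matrix in this shape makes the "show me the evidence" question answerable per requirement rather than from memory.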

Document

• Plans, Policies, Processes, Procedures & Controls:
  Any auditor will always start by requesting copies of all relevant and required documentation
• Plans, Policies & Procedures…
  It all begins here. Most auditors presume the presence of policies and procedures. Without them, every assertion made is suspect at best. They demonstrate Management’s support for the program.
• Processes & Controls:
  Policies rarely enable anything. The auditor will want to see “how” your policies, and therefore your program, will be enforced.
• Testing, monitoring, audit, investigative activity, and records:
  These documents provide the “evidence” that “demonstrates” compliance and provide an appreciation for both performance as well as management of the program

Risk Analysis

• Conduct risk analysis that includes any and all threats to ePHI and the systems used to store, process or transmit this information that could reasonably be expected
• An auditor will want to see how the measures employed reflect the risks identified

Readiness: Rule Two

• The second rule to being audit ready is to understand the requirements and expectations of the audit in question
  There is a reason we watch the other team’s game films on Mondays

Failure is NOT the Goal

• Most audits and the individuals who conduct them, regardless of how it may feel, are not interested in you failing
• CMS & OIG have initiated outreach focused on reassuring healthcare organizations that their primary goal is compliance
• However, sanctions are still possible

Audit Orientation

• CMS has been primarily focused on education and compliance. They have been reluctant to press enforcement
• OIG remains focused on measuring the effectiveness of both CMS and OCR enforcement of the rules and in conducting investigations. Primary concern – Medicare/Medicaid

HIPAA Overview

• Applies to electronic personal health information
• Implementation is based on an organization’s size, complexity, technical capabilities and infrastructure and the risk assessment
• The rule is technology neutral – the what, not the how
• Standards are required, specifications are addressable

Supplemental Guidance

• CMS Guidance for Remote Use and Access to ePHI
• CMS Sample Documents – Interview and Document Request List for HIPAA Security Investigation and Compliance Reviews
• These documents describe in greater detail what a CMS auditor will be looking for

Supplemental Guidance

• OIG references various government related security standards and guidelines:
  – Medicare Core Security Requirements
  – Homeland Security
  – Privacy Act
  – NIST/FIPS/OMB Standards
• However, they still focus on the Medicare Core Security Requirements

Prepare Your Staff

• Interviews provide valuable insight for an auditor. The maturity and effectiveness of a program is often measured by how well the workforce is able to articulate the program’s elements and their understanding of them.

Once Again

• Document, document, document… This cannot be repeated or stressed enough
• Documents provide the proof that due diligence has been applied and/or that controls are in place and effective

Have Ready to Present

• Policies
• Procedures
• Network Topologies
• Configuration Files
• Reports of Incident
• Audit reports
• BAA/Contracts
• Assessments/Testing results
• Plans & Procedures
• Inventories
• Physical Security plans/diagrams
• Training materials and records

Readiness: Rule Three

• Practice. Prepare for an audit by conducting your own testing, monitoring and audits regularly
• Results have shown that organizations that experience audit regularly outperform those that don’t

Practice

• Practice activities should include both scheduled and unscheduled events
• Periodic testing, activity monitoring, auditing, tabletops, exercises, etc. as well as self assessment and/or external assessment
• These activities can serve as platforms to accomplish multiple purposes

Prepare The Staff

• Management/Executives
• Information Security Officer
• Key Staff
• Alternates
• Others
  – Vendors
  – Volunteers
  – Consultants

Prepare Your Documents

• Know what is relevant or required
• Know its location
• Make sure it is current
• Conduct your own review
• Provide for appropriate access
• Provide support for collection

Ready Information Systems

• Have inventories available
• Up-to-date topologies and diagrams
• Configuration guidelines
• Related operational documents:
  – Configuration files, change control records, access control lists
• Provide for appropriate access

Organization

• Being organized and facilitative can make a difference, build confidence and help set a positive tone for an audit or investigation
• Confidence – Execution – Compliance

What To Expect

• Initial written notification
• Request for documentation in advance of visit
• Initial testing and data gathering (can precede notification)
• Onsite interviews, site tours, and additional requests for information
• Report of findings, gap analysis
• Opportunity to respond/question finding, provide additional information
• Final report of findings
• Plan for remediation
• Follow up if appropriate
• Average of 500+ hours support to audit

Lessons Learned

• Technical testing conducted prior to notification of audit
• Auditors with limited knowledge of healthcare IT/frequent reviews
• Requests for information not “viewed” as relevant to HIPAA; e.g., Pentest results
• Theme of audit: “show me the evidence”
• If policy specified activity, expectation was organization was doing it
• Stressed laptop security and encryption
• Reviewed email encryption and remote access security
• Reviewed configuration management and wanted proof of timely application of patches
• Reviewed physical and environmental security considerations and all IT controlled areas
• Reviewed disposal of media/equipment procedures, processes for rendering obsolete prior to disposal
• Access management practices did not match access management policies
• Many applications/systems do not employ RBAC rules
• Individuals and/or organizations with alternative rules/elevated privileges
• Logging on systems/applications not configured to collect and/or be monitored
• Inadequate transmission security controls

Wrap Up

Questions

Contact Information:
Mac.mcmillan@cynergistek.com
O: (512) 402-8551
C: (703) 244-3944

References

• Health Insurance Portability & Accountability Act
  http://www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp
• CMS HIPAA Security Guidance for Remote Use and Access to EPHI:
  http://www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp
  http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal.pdf
• CMS Sample Interview and Document Request for HIPAA Security Investigation and Compliance Reviews:
  https://www.cms.hhs.gov/Enforcement/025_GeneralEnforcementInformation.asp#TopOfPage
• Homeland Security Act 2002
  http://www.dhs.gov/xlibrary/assets/hr_5005_enr.pdf
• Privacy Act of 1974
  http://www.usdoj.gov/oip/privstat.htm
• Medicare Core Security Requirements
  http://www.cms.hhs.gov/InformationSecurity/13_Policies.asp
• National Institute of Standards and Technology Special Publications SP 800-37 & SP 800-26
• NIST Federal Information Processing Standards, Publication 199
• OMB Guidance, M-01-05; M-05-24; M-06-6, 15, 18, 19; M-07-06, 11, 16, 18, 19, 24

								