Category Archives: Regulatory Compliance

What Happens if OCR Shows up – Asking about your HIPAA Compliance?

With only 2 weeks (15 days) left to meet the HIPAA Omnibus Rule, let’s say you have
done everything you could 
possibly do, to be in full compliance with every part of HIPAA:

1.  Finish a current HIPAA Risk Analysis – CHECK
2.  Rewrite Business Associate agreements – CHECK
2.  Rewrite Policies & Procedures – CHECK
3.  Get PHI off the office copiers – CHECK
4.  Gather Documentation in one place – CHECK
5.  Start HIPAA Security Awareness Program – CHECK
6.  Update HR Sanctions Policies – CHECK
7.  Finalize Contingency Plans – CHECK
8.  Add more encryption – CHECK
9.  Implement Plan for Smartphones & Mobile  Devices – CHECK
10. Have staff sign new affirmation Agreements – CHECK

And in spite of your careful preparation, you walk into work on Monday, and the regulators from
OCR are sitting in the Lobby, and they’ve been there since 7:00 AM!

No matter what else you have done, or started, and have not done, your insurance policy is to be
able to pull out your most current (in months, not years) HIPAA Risk Analysis and then pull out all
your supporting documentation including:

1. All information, including network diagrams, on where the PHI is on your network, and the automated
network controls you have implemented.

2.  A record of every application, every database, etc. that hold PHI, are used to create, manage, or
share PHI, in both electronic and paper form.

2.  Rosters going back 3 years of everyone in the organization who’s taken HIPAA training.

3.  A copy of the Policies and Procedures, and Security Plans, printed out and labeled in 3-ring
Binders.

4.  List of all HIPAA controls that are currently in place and verification documents.

5.  Copies of all Business partners agreements and contracts

6.  A notarized statement signed by the Board Director, CEO or Administrator re-stating
the organization’s Commitment to HIPAA Security & Privacy & Omnibus Rules..

7.  Copies of recent employee surveys validating their stated compliance with all HIPAA
Security,  Privacy, and Omnibus rules.

All of these elements should be printed in their most current versions and put in D-Ring
binders, which you will pull out of a cabinet designed for high security.  Nothing thrills a regulator
or auditor more than getting everything you ask for in a neatly labeled, giant 3-ring binder.

It says “PREPARED”  in a way that having files on the network never will.

And, BTW, you HAVE completed all these steps – right?

 

 

 

 

The Top 5 Reasons Why You May Not Be HIPAA Compliant!

After updating the HIPAA Law (HIPAA Omnibus Rule) in 2013, and a new Enforcement Deadline
coming up on September 23, 2013, some organizations still aren’t HIPAA compliant!   With over
22,000,000 disclosures of Protected Health Information already, what are the five most common
reasons why your organization isn’t compliant!

1. No HIPAA Risk Analysis – maybe you were too busy, or maybe you weren’t sure what a risk
analysis really is.   A HIPAA Risk Analysis,  (according to the Office for Civil Rights for the Department
of Health and Human services) is: Conduct an accurate and thorough assessment of the potential
risks and vulnerabilities to the confidentiality, integrity, and availability of electronic 
protected
health information held by the organization.

2.  The HIPAA Risk Analysis is out of datemaybe you did it five years ago, which was BEFORE
the new HIPAA Omnibus Rule 
was mandated.  Maybe you wanted to update it, but you got busy
with all the other pressing IT issues.  Maybe you didn’t have the right resources to run a risk analysis.

3.  HIPAA Risk Analysis was too focused on technical elements.  Many information security
managers think that “IT people always know best”, and as far as HIPAA goes, that’s not correct.
HIPAA rules need to be followed by the medical staff, by the medical records people, by the human
resources department, and by everyone who handles or accesses PHI (protected health information).
And the Risk Analysis has to reflect input from all these different roles.

4.  No correlation between the HIPAA Risk Analysis Recommendations and the changes
that were made
after the HIPAA Risk Analysis was completed.  The HIPAA Security controls should
have been implemented in conjunction with the Risk Analysis, not added completely independently.
The Risk Analysis should be a road map, not a boring report that ended up locked in a file cabinet somewhere.

5.  Inadequate training and security awareness program.   In a recent HIPAA Risk Analysis,
the individuals surveyed said they had a few hours of HIPAA training when they joined the company,
but nothing since.  Next question, how long had they been with the organization, and they said,
six years, twelve years, fifteen years, and yet they had never had UPDATED HIPAA Training
or even access to a security awareness program.

Don’t find out you’re not HIPAA Compliant, when a federal regulator is sitting out in the lobby.
BE PRO-ACTIVE and start your HIPAA Risk Analysis today.  To get started, send your questions to caroline@riskandsecurityllc.com, or review the OCR Guidelines for HIPAA Risk Analysis at:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

Data-Driven Security – Using Metrics to Focus & Target Security Programs

Security programs can be dramatically improved by using a metrics-based assessment to focus them on the areas of greatest threat, and to use metrics as a management tool to keep the security program targeted on the areas that need the most attention.

Using a data-driven approach – that is, using real numbers to measure
and quantify security, always results in tangible improvements.

Management of a security program is no different than management of any other department, whether it’s human resources, cash flow, employee productiveness, profitability, or any other set of metrics that organizations use to measure how well something is being done, and how it could be improved.

Security officers may complain that management is not listening to their complaints, including not making enough money available to implement new technology, or to fix a loophole that has the potential to create havoc in the organization.

Most security conferences feature sessions with titles like “How to Sell Security to Management” and try to address this disconnect between senior management and their security programs. Peter Drucker, the world famous management consultant, said “If you can’t measure it, you can’t manage it.”

Fortunately, recent improvements in security technology and in development of wider reporting of threats and vulnerabilities, allow management metrics to be applied to the management of the security program to target the program to be maximally effective, to focus the available dollars in the areas which would provide the most protection for the least amount of money, and to prioritize the controls that need to be implemented,  based on their return on investment.

Risk assessments are the foundation of a data-driven security program. Through the process of risk assessment, managers can measure the effectiveness of the organization’s total security program, including analyzing the value of the organizational assets, the threat level (based on the mission of the organization), the existing vulnerabilities, and the effectiveness of existing controls.

Basing the risk assessment on the concept of data-driven security means that real numbers are used in the following areas:

1.  Determining the value of the assets of the organization, including the facilities, the personnel, the security systems and the current controls.

2.  Analyzing the Threat Level, based on either internal incident reports, or industry data, including the Uniform Crime reports. 

3. Identifying vulnerabilities in the organization, including surveying individuals at every level of the organization, from the local facility manager to the CEO to find out how they are implementing security in their workplace.

4. Identifying potential categories of loss, which help focus the security program on the problem areas.

5. Analyzing current Controls that are currently in place, or that could be added to protect an organization.

By gathering data in these 5 categories, it becomes possible to run scenarios that pair the threat and vulnerability, match it to organizational assets, analyze the loss potential, and evaluate the cost effectiveness of a variety of different controls and prioritize security controls by “bang for the buck”.

Using data-based security builds a bridge between executive management and the security professionals in the organization who now have an avenue for open communication and consideration of the role of security throughout the organization.

 

 

 

Crime and Punishment II – Sentencing of Rod Blagojevich

Today marks a historic day in the State of Illinois.  While the previous governor is still in prison on corruption charges, out-going, loud-mouth Rod Blagojevich is in court to receive his sentence on federal corruption charges.

This is a great moment for the judge and the judicial system to hand out a sentance that will help PERMANENTLY end the endemic corruption in the Illinois executive branch.

Americans always point out corruption issues in other countries — but this is the MidWest — the Heartland of America.  In fact, I know people who ONLY hire people from the midwest because they think they are more honest and more hardworking.

So I hope that this verdict will uphold justice because I firmly believe that a country is only as good as it’s justice system.  It defines everything else that happens (read my previous post on the SEC failures to enforce).

Every judicial decision, even a non-decision, sends out a strong message to the next potential corrupt politican that the State of Illinois, and the US as a whole, cannot allow corruption in our elected officials!

 

Is $7000 Enough of a Fine for a Young Girl’s Murder?

OSHA workplace safety officials have fined the organization that runs a Revere group home, where a Peabody mental health worker was stabbed in January, for not having adequate safety measures in place despite high probability of an incident occurring.

The Revere mental health clinic where Peabody caseworker Stephanie Moulton was stabbed in January as fined $7000.00 by OSHA for not having adequate safeguards against violence in place for employees at the clinic. OSHA cited the facility for “a serious violation of [OSHA’s] ‘general duty clause’ for failing to provide a workplace free from recognized hazards likely to cause serious injury or death.” 

Moulton, 24, died from her stab wound inflicted by a patient, 27-year-old Deshawn Chappell, after he fled the group home, taking her with him and then dumping her body behind a church in Lynn. Chappell, who had a history of violent behavior, attacked Moulton during a counseling session.

The fine is a piddling amount, but the damage done by the fine is much worse. Because the organization was directly fines by OSHA, that gives the victim’s family solid grounds for a lawsuit for negligence, and they can quote OSHA, that they “failed to provide a workplace free from recognized hazards likely to cause injury or death”.

It will be interesting to see if a lawsuit develops, and if the organization puts stricter controls in place to protect staff members.

OSHA and the Joint Commission have reported for several years that violence against healthcare workers has steadily increased, and the Joint Commission even issued a Sentinel Event about the increase in violence.

Using Risk Assessments as a Business Process

Risk assessments are increasing in utility and popularity – being used for everything from compliance to safety assessments, and used by financial institutions, healthcare organizations, manufacturers, government of the world and think tanks. 

Many regulators require formal risk assessments on everything from gauging political risk in an unstable country, to protecting consumer financial information, to assessing workplace violence potential.  

Here’s a definition of a risk assessment:   A process to determine what controls are necessary to protect sensitive or critical assets both adequately and cost-effectively. Cost effectiveness and Return On Investment (ROI) are required elements of a risk assessment.  

A risk assessment is not a democratic process where the most popular answer wins.  It is not consensus driven.  Instead, it is a business process that manages a security function.   Security is very process centered.  Because security often consists of many different elements which are critically important, such as managing network access,   it makes sense to manage it as a process.

According to the statistics, risk assessments are way up in popularity in 2011.  Maybe
it’s economics – maybe it’s result of the previous economic downturn, but the requirements for risk assessments have never been broader, and there have never been more of them than there are now.  Here’s a partial list:  

The Joint Commission
HIPAA, HITECH, NIST 800-66
FFIEC, BSA-AML,
ISO 27001 and 27000 series; NIST 800-53
Red Flags Identity Theft
NCUA Part 748
FEMA 426, FEMA 428

The exercise of doing a risk assessment affords a level of protection which is related to how many other people actually contribute to the risk assessment results.   Using an online compliance survey as a participatory measure takes the onus of absolute responsibility away from the manager/analyst and distributes it throughout the organization where it belongs.

Obviously people are a critical component of information security.  In a risk assessment, people are also important to include because they are able to report what’s going on in their workplace every day.  How can one analyst know enough to do the entire risk assessment by themselves?  They would have to be everywhere at once – in the morning, late at night, on the weekends, and also be able to channel the work of everyone from the newest tech support person to the director of the data center.   And the inclusion of a variety of individuals adds weight and power to the risk assessment.

The true value of the risk assessment is in the cost benefit analysis, which details what controls need to be implemented, how much they cost and how much they would protect the organization by either prevent threats from occurring or by mitigating the impact of the incident if it occurs. 

While the analysts may be accountable for the reporting or analysis of potential risk, the responsibility for any action that needs to be taken is up at the C level, or with the Board of Directors.  In fact, in the FFIEC IT (Federal Financial Institutions Examination Council Information Technology ) Handbook, they spell out, “The Board is responsible for holding senior management accountable”.  Often we have found that the actual President of a bank or credit union doesn’t always KNOW that he is going to be held responsible – this information is down another level in the organization.

I recommend getting management to sign off on the basic assumptions,  in writing,  in the course of completing the risk assessment – and of course, on the final reports. Areas where senior management can review and approve include: 

  • Calculation of asset values, including the value of the organization in total
  • The potential costs of implementing different controls, singly or in combination.
  • Validating which controls are currently in place and how well they are working.
  • The conclusions from the draft report, and the final report.

The analyst is just the messenger, doing the work of assembling the risk elements and calculating their potential results.  But senior management makes the final decisions on each element.   There’s nothing like a signature on a piece of paper to foster a climate of accountability. 

Risk Assessments have the potential to save corporations and governments millions of dollars by making decision-making based on real analytics, instead of just guesses – plus they are an essential element of compliance.  These are good reasons to evaluate whether it’s time for you to do a Risk Assessment!

Using a Project Plan for your HIPAA Risk Analysis

When HIPAA first became a law, at the end of 1997, most healthcare organizations were so sure that it would be repealed or rescinded when Bush came into office, that they never quite got around to doing that first risk analysis.

Later, the risk analysis requirement got harder and tougher, when the Office of Civil Rights (OCR) added their guidance document in May 2010, and suggested that in addition to HIPAA Security and HIPAA Privacy, and the HITECH ACT, that organizations should also use NIST Special Publication 800-66 as a reference guide for the risk analysis and the protection of electronic Protected Health Information (ePHI).

The risk analysis has gotten more complicated, by the tightening of requirements, and by the need to include business associates, third party vendors, and an all-hazards threat approach.

Using a detailed project plan as you start the risk analysis is a good way to not only deal with the technical requirements, but also to inform management and stakeholders in the organization what a risk analysis includes, and to outline their potential participation.

There are different roles including IT users who will answer questions related to HIPAA control standards, management who will provide financial data and approve different values, and department managers, who will supervise their own staff and make sure they answer the surveys and cooperate with the analyst in a timely manner.

After the roles have been assigned, the data gathered, the reports approved, the project plan can be used to create the mitigation activites, a corrective action plan, and used to manage and track the new controls that are implemented.

If you’d like to see a HIPAA Project Plan, just email me at chamilton@riskwatch.com

 

 

 

 

 

 

 

 

The Risk Assessment – Live – and Cross-Cultural

I just got back from a great trip to the Middle East.  I spoke at a State Department conference (ISAC) Conference in Doha, Qatar and then did a full risk assessment of a large hospital in Abu Dhabi.   Besides that I loved the food, and loved the people, and came home with lots of beautiful earrings and bangles and perfume.

The great insight I got on this trip was that security problems are exactly the same everywhere… they are not based on sex, race, nationality, gender, religion, hair color, height,  politics, or anything else.   Maybe this is why the TV show “The Office” is a worldwide hit.   Organizations work the same way all over the world.  As a person who got her degree in cultural anthropology of all things — I am amazed less at the differences than I am in the similarities between organizations.

This is my 17th country that I have visited to do a security risk assessment and they all come down to these basic steps: 

1.  Identify what you want to assess.   Many times you need to cut down the proposed assessment, it doesn’t need to include things that are 10 miles away.

 2.  Write up a Project Plan to show other people what you’re doing to do – and give management a time line to work with.  (It keeps me focused – a value add).

3.  Find the dollar VALUE for whatever you are assessing, for example — How much is the facility worth?   What’s the value of one patient record – two dollars or two thousand dollars?

4.  Come up with a realistic threat profile that includes the local crime rate, some historical data for crime, cyber crime, natural disasters, fire, etc.

 5.   Ask other people in the organization how they handle security.   I like using our automated surveys because it captures more immediate data from individuals.  You can use a translator if you don’t speak the language and I guarantee you’ll be amazed at the results.  The more people you interview – the more amazing the results will be.

6.   Examine all the existing controls and see how they are being used in other areas of the organization,  are they 100% implemented?   80%?   50?  Even less?

7.  Analyze the results with good math.  This is commonly done by software, but you can also use a regression analysis model with a database program like Access –   don’t guess.    Let the numbers do the talking.

8.   Write up a simple report, illustrated with lots of color graphs and photos, so someone  can just page through the report and understand what the assessment revealed.

The best risk assessment report in the world is a waste unless it comes up with actionable results — the list of what the organization needs to do NEXT.  Some people call them After Action Reports, maybe they are called Corrective Action Reports, maybe they are called a Task List.  The name doesn’t matter, but the results matter.

The report should cover the basics of what you did, what areas you reviewed, who you talked to (or got answers from with a survey), and what you recommend should be done, based exactly on the risk assessment.  In banking and financial companies, the regulators already get the last risk assessment and ask the organization to show “where in the risk assessment did it say you should add a stronger firewall?  add a better camera system to the Emergency Department?  do background checks when you hire new people?

These are just examples,  any improved control could be used – but you will need to show the regulator exactly WHERE in the risk assessment it said you should do this or that.     In the follow up Blog – I’ll talk about how to present your findings to your management.

All about the HIPAA Risk Analysis — from the Department of Health & Human Services Office of Civil Rights (OCR).

An amazing development in HIPAA compliance took place on May 7th.  What a great surprise for a Risk Analysis/Risk Assessment Person!  The Department of Health and Human Services, Office of Civil Rights finally came out with their draft guideline for the HIPAA Risk Analysis on May 7th!

While hospitals and health plans, business associates, technical service providers and physicians have struggled to understand the original HIPAA risk analysis requirement, the Health & Human Services Department finally published the draft guidance to help healthcare providers understand what is expected of them in doing a risk analysis of their protected patient health information (ePHI).

This is a critical part of the HIPAA Security Rule, but there was never any ‘official’ guidance of exactly what was expected and how they should accomplish the risk analysis. 

Why the Office of Civil Rights?  Because the new HITECH Act (February 2010) directed that OCR oversee health information privacy including the enforcement of the HIPAA requirement.   And the guidance is long overdue.  I have had dozens of conversations with individuals at hospital and, discussing what a risk analysis is, what are the basic elements, and I am THRILLED to report that the OCR agrees with my methodology.

 The draft guideline on risk analysis also takes the same track that the financial institutions have given as guidance to banks and credit unions.  That is risk analysis is a foundational document that should be used (and referenced) as the organization evaluates and implements appropriate controls.

OCR refers to the risk analysis, not as a one-time drill, but instead, as an ongoing process to help organizations evaluate their risk focusing on the confidentiality, integrity and availability of protected health information.  The Risk Analysis Report, creates the blueprint that an organization will follow as they improve their compliance – for example, deciding what data should be authenticated in particular situations, deciding, when, if or how to use data.

A risk analysis is also the basis for an understanding by organizations of the technologies they will need to secure protected health information, OCR said in the draft guidance May 7. 

To quote directly:  “We begin the series with the risk analysis requirement in § 164.308(a)(1)(ii)(A).  Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.

Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.”

Among the basic elements of a risk analysis, OCR said, organizations must identify data collections, document threats to information that could create a potential for inappropriate disclosure and assess current security measures the organization uses to protect patient information. This was great to read because it follows the elements I have built our solutions around.

Those elements, which were reinforced by the draft guideline include the following five elements of risk analysis (and risk assessment).

1.     Identify and characterize the assets that need protection,  including the databases, the applications, etc.

2.    Analyzing the relevant threat data – focusing on what could adversely affect the assets (ePHI) in this case.

3.    Modeling the potential losses that could result from the threat actually materializing.

4.    Finding the existing vulnerabilities in the current security situation that would increase the odds of the loss actually occurring.

5.   Developing appropriate controls to reduce potential loss, reduce existing vulnerabilities and make sure the controls are cost effective.

 The OCR also referenced the NIST 800-66 to show sample questions that need to be part of the risk analysis.  Luckily – we totally agree with them and have included the NIST 800-66 Guidance in every HIPAA Risk Analysis software solution.

 Here’s another short excerpt from the OCR:

 “Risk Analysis Requirements under the Security Rule

 The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).)  

Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard.  Section 164.308(a)(1)(ii)(A) states:

RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

OCR went on to cite NIST 800-66:  “The following questions adapted from NIST Special Publication (SP) 800-66  are examples  organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:    Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.    What are the external sources of e-PHI?

The publication of this first draft guideline gives healthcare organizations and other affected organizations a hint about which direction the OCR enforcement is going to go.  As I mentioned previously, the regulators are likely to follow the example of financial audits and ask for the current copy of the organization’s risk analysis and use that as the blueprint to measure how well the organization used the risk analysis to prescribe and dictate all other actions which were taken to protection the organization’s protected health information.

In the words of the OCR –

In Summary, Risk analysis is the first step in an organization’s Security Rule compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI.

For a complete copy of the 8 page OCR guideline, please send an email to chamilton@riskwatch.com.

.

DO WE NEED HEALTH INSURANCE?

HEALTHIER WITHOUT HEALTH INSURANCE

Last week I showed you my medical records – now I’m going to give you my take on the Healthcare Bill & Accountability! 

I never had health insurance — shocking, isn’t it!!  I grew up and raised two wonderful sons without any health insurance.  Part of it was my natural disinclination for paperwork, part of with my years of being self-employed but the main reason was I never understood why I should pay someone – that is – bet against myself — on my health.

Because I wasn’t saddled with medical paperwork, I could negotiate with the doctors for treatments I needed and usually got the price down 40% BECAUSE they didn’t want to use insurance anyway – it meant they got paid in six months instead of right now. 

My family believed in Adelle Davis – for those younger readers – she wrote “Let’s Eat Right to Keep Fit” and “Let’s Cook It Right”, “Let’s Get Well”, and “Let’s Have Healthy Children”. These books came out in the 50s and my mom was an immediately convert.  In fact, if you find these tattered old paperbacks in a used book store – you’ll see they were ahead of their time, in worrying about aluminum pans contributing to Alzheimer’s, endorsing fresh fruit and veggies for Vitamin C., and taking on the food industry which mightily contributes to disease in this country. 

I was never sick.  One bout of Scarlet fever that left my sister, Linda, deaf in one ear, but other than having two children – I was never sick.  The one year I did have health insurance was a total loss – paid about $3000 for N*O*T*H*I*N*G.  

Mind you, I’m in favor of national healthcare, delivered simply and effectively.  I am NOT in favor of fifteen xrays for a sprained ankle, seventeen mammograms that find nothing and basically – what I call the over-zealous use of medical technology.

Hey – news flash – healthcare is a BUSINESS!! Healthcare providers want to MAKE MONEY. The more procedures they perform – the more money they make.  It’s a very simple system.

So if it’s true that you have to incentivize people to stay healthy – maybe that’s the way to teach personal accountability for your own health!   I am amazed at how many of my friends, who are smart, and well-educated – turn their healthcare over to any doctor and do not question anything the doc says.  They don’t ask about the procedures or the tests, and they always assume that the doc knows best.

Nothing wrong with doctors – I love them.  But it’s YOUR BODY – learn how to take care of it!  Watching all the news about obese children, increase in diabetes, and declining health of the baby boomers (me included – I’m a baby boomer, but still healthy), it’s clear to me that what is missing is the connection between how someone lives every day – and how healthy they are.   So how do you encourage a healthy lifestyle?  That’s the $64,000 question.

My ingredients are simple:

Being outdoors
Taking extra vitamins and herbs
Getting moderate exercise
Eating less animal products
Low fat dairy
Don’t eat refined foods
Having pets
Doing work you love
Stress relieving activities – yoga and meditation work for me.

And… the big secret – being happy every day. 

So I am all for encouraging accountability and changing the insurance picture in this country.    This could mean – sliding scale of insurance costs based on how healthy you are.. like a Good Driver Discount for Staying Healthy! 

Having employer-sponsored plans also weighed and have unhealthy workers penalized.(I know that’s tough love – but they will thank you years later).

And adjusting pricing of health services so that preventive things  — like getting your blood pressure checked, become less expensive than expensive procedures like MRIs and CAT scans. 

Getting back to my original point – if you are totally RESPONSIBLE for your own healthcare – you make the extra effort to stay healthy. It’s a personal choice we all make every day.