Category Archives: Compliance

The Top 5 Reasons Why You May Not Be HIPAA Compliant!

After the HIPAA Law was updated in 2013 (the HIPAA Omnibus Rule), and with a new enforcement deadline coming up on September 23, 2013, some organizations still aren’t HIPAA compliant! With over 22,000,000 disclosures of Protected Health Information already, what are the five most common reasons why your organization isn’t compliant?

1. No HIPAA Risk Analysis – maybe you were too busy, or maybe you weren’t sure what a risk analysis really is. A HIPAA Risk Analysis (according to the Office for Civil Rights of the Department of Health and Human Services) is: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization.

2. The HIPAA Risk Analysis is out of date – maybe you did it five years ago, which was BEFORE the new HIPAA Omnibus Rule was mandated. Maybe you wanted to update it, but you got busy with all the other pressing IT issues. Maybe you didn’t have the right resources to run a risk analysis.

3.  HIPAA Risk Analysis was too focused on technical elements.  Many information security
managers think that “IT people always know best”, and as far as HIPAA goes, that’s not correct.
HIPAA rules need to be followed by the medical staff, by the medical records people, by the human
resources department, and by everyone who handles or accesses PHI (protected health information).
And the Risk Analysis has to reflect input from all these different roles.

4. No correlation between the HIPAA Risk Analysis recommendations and the changes that were made after the HIPAA Risk Analysis was completed. The HIPAA Security controls should have been implemented in conjunction with the Risk Analysis, not added completely independently. The Risk Analysis should be a road map, not a boring report that ended up locked in a file cabinet somewhere.

5. Inadequate training and security awareness program. In a recent HIPAA Risk Analysis, the individuals surveyed said they had a few hours of HIPAA training when they joined the company, but nothing since. The next question was how long they had been with the organization; the answers were six years, twelve years, fifteen years, and yet they had never had UPDATED HIPAA training or even access to a security awareness program.

Don’t find out you’re not HIPAA Compliant, when a federal regulator is sitting out in the lobby.
BE PRO-ACTIVE and start your HIPAA Risk Analysis today.  To get started, send your questions to caroline@riskandsecurityllc.com, or review the OCR Guidelines for HIPAA Risk Analysis at:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

Why the HIPAA Risk Analysis should be finished by December 31, 2012

The federal regulators from the U.S. Department of Health and Human Services are from the Office for Civil Rights. They think that breaches in patient information protection are a violation of the patient’s civil rights! Regulators commonly assess fees for non-compliance, and some are as high as $4 million.

Because the OCR just came out with new Audit Guidelines this summer (email me and I’ll send you a copy), we all can see that the visits to healthcare organizations are still speeding up, and even more rules are coming this fall as they reconcile the HIPAA Security Rule with the HIPAA Privacy Rule with the Breach Notification Rule.  I call this:  MEGA HIPAA!

Because the current HIPAA rules have been in place for over ten years, and because the new Rules may be much more complex, it makes sense to finish your 2012 HIPAA Risk Analysis for either Security or Privacy, or both, before December 31, 2012.

My experience with federal regulators and auditors leads me to believe that a HIPAA Security Risk Analysis that is finished before the end of this calendar year will go a long way in reassuring regulators that there is, at least, a formal process in place to assess the risks to patient medical information.

A new software program is based on my original free Data Collection Guide, and can be used to complete these important security rules at a fraction of the cost of older, out-of-date risk analysis programs. Or do it on a spreadsheet.

Remember, you can also use it in your Meaningful Use Risk Assessment.  A two-for-one.

My advice:  Take the easy way out.  Finish the Risk Analysis!


How long does it take for OSHA to develop standards – like for Workplace Violence?

Why OSHA standards take so long to develop

The Government Accountability office reports to Congress on items of interest to Congress and their constituents.  One area that was recently examined was how long it takes OSHA to update standards, or develop new standards.  Here’s a look at the results:

By: David LaHoda, April 30th, 2012

A report by the U.S. Government Accountability Office (GAO) on why OSHA standards take, on average, more than seven years to complete found that “increased procedural requirements, shifting priorities, and a rigorous standard of judicial review” contributed to the lengthy time frame.

In responding to the GAO report, Randy Rabinowitz, OMB Watch’s director of regulatory policy, said: “In the years since its creation, OSHA’s charge to protect workers from harm has been undermined by Kafkaesque demands for additional reviews of existing rules mandated by new statutes and executive orders,” according to The Hill. The counter argument presented by the U.S. Chamber of Commerce, meanwhile, was OSHA’s internal inability to remain focused on priorities and regulatory follow-through.

“While some of the changes, such as improving coordination with other agencies to leverage expertise, are within OSHA’s authority, others call for significant procedural changes that would require amending existing laws,” according to the GAO report.

The GAO report recommended that OSHA and NIOSH improve collaboration on researching occupational hazards. In that way OSHA could better “leverage NIOSH expertise in determining the needs for new standards and developing them.”

To access the entire 55-page report, go to: http://www.gao.gov/products/GAO-12-330

Use A Data-Driven Security Program to Transform Organization Security

Data-Driven Security: How to Target, Focus and Prioritize the Security Program

by Caroline Ramsey-Hamilton

Management has to have Metrics

Management of a security program is no different than management of cash flow, employee productivity, profitability, or any other set of metrics that organizations use to measure how well something is being done, and how it could be improved. Historically, however, security has been run by a few unique professionals, perhaps with a military or law enforcement background, and the security program has existed in a vacuum, with few ways to measure its effectiveness and value to the organization, except to list what hasn’t happened!

Security officers may complain that management is not listening to their complaints, including not making enough money available to implement new technology, or to fix a loophole that has the potential to create havoc in the organization. Many security conferences feature sessions with titles like “How to Sell Security to Management” and try to address this disconnect between senior management and their security programs.

Peter Drucker, the world famous management consultant, said “If you can’t measure it, you can’t manage it.”

Recent improvements in security technology, camera technology, and its integration with computer networks and information security have allowed a massive amount of data to be collected. Everything from digital images, to incident reporting and tracking, and even internet-based reporting of technical vulnerabilities, allows management metrics to be applied to the security program: to target the program to be maximally effective, to focus the available dollars in the areas which would provide the most protection for the least amount of money, and to prioritize the controls that need to be improved or implemented, based on their return on investment.

Security has never been more important to the organization. Many court cases recently have been decided on the basis of whether the organization was using ‘due care’ and utilizing every ‘reasonable’ security precaution. Existence of adequate security has become very important in premises liability cases and will likely become equally important in future litigation.

Risk assessments are the foundation of a data-driven security program. Through the process of risk assessment, managers can measure the effectiveness of the organization’s total security program, including analyzing the value of the organizational assets, the threat level (based on the mission of the organization), the existing vulnerabilities, and the effectiveness of existing controls. Basing the risk assessment on the concept of data-driven security means that real numbers are used in the following areas:

1. Determining the value of the assets of the organization, including the facilities, the personnel, products, production facilities, raw materials, transportation, vehicles, information technology equipment, data and information. In addition to quantifying present-day replacement value, the sensitivity of various information assets and their criticality to the main mission of the organization must be determined.

2. Analyzing the threat level affecting the organization, including analysis of incident report logs, which would indicate how many potential intrusions have been attempted, as well as an analysis of physical intrusion indicators, such as missing badges, any security incidents, and any indications of industrial espionage which have been reported, either at the facility under review or at any of the organization’s other facilities. Industry data on intrusions in similar companies or analogous agencies is also very helpful in determining threat level.

Many companies now use reports which quantify threat data, including statistics on criminal activity by exact location or by zip code (such as the Uniform Crime Index), as well as many sources of weather data, such as NOAA (the U.S. National Oceanographic and Atmospheric Administration), various international associations and government agencies.

3. Identifying vulnerabilities in the organization, including surveying individuals at every level of the organization, from the receptionist to the CEO. To ascertain the weaknesses in the way the employees comply with security, there are new electronic survey tools (like Risk Watch®) which measure security compliance against published control standards such as FEMA 426 (How to Protect Buildings Against Terrorist Attacks). New regulations, like Joint Commission, Behavioral Health and Workplace Violence (OSHA 3148), require such compliance-based baseline assessment surveys.

4. Identifying potential categories of loss, which would include components like direct losses (damage/destruction), injury or death to either staff or patients/customers/vendors; theft of property or product,  theft of data/information,  and loss of an organization’s reputation. These loss categories are used to quantify the effect of threats on the organization because you can estimate the loss impact on various functions of the organization.

5. Safeguards (controls) include all the possible controls that could protect an organization, either by reducing the likelihood of a threat occurring or by reducing the amount of damage that the organization sustains from a threat that materializes. Controls are quantified by:

a. Life cycle of the control – how long it remains effective.

b. Cost to implement the control to 100% in the organization.

c. Indication of the percentage to which the control is already implemented in the organization.

By accumulating data in these 5 categories, it becomes possible to run scenarios that pair the threat and vulnerability, match it to organizational assets, analyze the loss potential, and evaluate the cost effectiveness of a variety of different controls.
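As an added illustration of how the five categories combine into a scenario, the Python below is my own example, not the author’s method or Risk Watch code; it assumes a standard annualized loss expectancy (ALE) model and uses constructed sample figures:

```python
# Added example (mine, not the article's or Risk Watch's): a small quantitative
# risk scenario built from the five data categories described above.
# Assumption: a standard annualized-loss-expectancy (ALE) model, where
# ALE = asset value * loss fraction * annual threat rate * success likelihood,
# and each control is credited in proportion to how much of it is implemented.
# All figures below are constructed sample values.
from dataclasses import dataclass, replace


@dataclass
class Asset:                      # category 1: asset value
    name: str
    replacement_value: float      # present-day replacement value, in dollars


@dataclass
class Threat:                     # category 2: threat level (e.g. from incident logs)
    name: str
    annual_rate: float            # expected attempts per year


@dataclass
class Vulnerability:              # categories 3 and 4: weakness and the loss it exposes
    likelihood: float             # probability an attempt succeeds (0..1)
    loss_fraction: float          # share of asset value lost on success (0..1)


@dataclass
class Control:                    # category 5: life cycle, cost, percent implemented
    name: str
    life_cycle_years: float
    full_cost: float              # cost to implement to 100%
    pct_implemented: float        # 0..1
    likelihood_reduction: float = 0.0   # effect at 100% implementation
    impact_reduction: float = 0.0


def scenario_ale(asset, threat, vuln, controls):
    """Annualized loss expectancy with partial credit for each control."""
    likelihood_mult = impact_mult = 1.0
    for c in controls:
        likelihood_mult *= 1.0 - c.likelihood_reduction * c.pct_implemented
        impact_mult *= 1.0 - c.impact_reduction * c.pct_implemented
    return (asset.replacement_value * vuln.loss_fraction * impact_mult
            * threat.annual_rate * vuln.likelihood * likelihood_mult)


def control_roi(asset, threat, vuln, controls, candidate):
    """Risk reduction per annualized dollar of finishing one control to 100%,
    holding the other controls at their current level."""
    current = scenario_ale(asset, threat, vuln, controls)
    finished = [replace(c, pct_implemented=1.0) if c is candidate else c
                for c in controls]
    reduction = current - scenario_ale(asset, threat, vuln, finished)
    remaining_cost = candidate.full_cost * (1.0 - candidate.pct_implemented)
    annual_cost = remaining_cost / candidate.life_cycle_years   # spread over life cycle
    roi = reduction / annual_cost if annual_cost else float("inf")
    return reduction, annual_cost, roi


def rank_controls(asset, threat, vuln, controls):
    """Rows of (name, ALE reduction, annual cost, ROI), best ROI first."""
    rows = [(c.name,) + control_roi(asset, threat, vuln, controls, c)
            for c in controls if c.pct_implemented < 1.0]
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample scenario (hypothetical figures)
EHR = Asset("EHR database", 2_000_000)
THEFT = Threat("unauthorized access / data theft", 0.5)
WEAK_ACCESS = Vulnerability(likelihood=0.4, loss_fraction=0.3)
CONTROLS = [
    Control("security awareness training", 1, 20_000, 0.25, likelihood_reduction=0.3),
    Control("badge access system", 5, 100_000, 0.5, likelihood_reduction=0.2),
    Control("encryption at rest", 3, 60_000, 0.0, impact_reduction=0.8),
]

if __name__ == "__main__":
    print(f"current ALE: ${scenario_ale(EHR, THEFT, WEAK_ACCESS, CONTROLS):,.0f}")
    for name, reduction, cost, roi in rank_controls(EHR, THEFT, WEAK_ACCESS, CONTROLS):
        print(f"{name:30s} cuts ALE by ${reduction:>9,.0f} for ${cost:>7,.0f}/yr  ROI {roi:.2f}")
```

With these figures the half-finished badge system scores below both the cheap training refresh and the unstarted encryption control, which is the kind of prioritization the article argues management should be able to see.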

Advantages of a Data-Driven Security Program

The primary advantage of a data driven security program is that it provides support for the security function within the organization by being able to illustrate directly how security not only protects the organizational assets, but also, how the security profile changes over time.

In addition, it becomes possible to benchmark the various plants and facilities against each other, and against both domestic and international standards, including military standards for the Defense Industrial Base. For example, if a multinational company with facilities and networks around the world can analyze its security based on the principle of a data-driven security program, then it can instantly identify the areas or facilities that have problems and address them much more quickly and effectively than it could if it were depending on a fuzzy, qualitative assessment method. When an organization makes the decision to adopt a more disciplined approach to analyzing security risk, it must also use all the other typical management functions, such as planning, development of a budget, and incorporation of the plan into the organization’s overall planning.

After the initial baseline risk assessment, and using the input from the analysis, the organization can begin to develop implementation strategies to address the vulnerabilities identified in the assessment. As each vulnerability is addressed, cost-effective mitigation strategies can be put in place.

At the same time, the security plans and policies can be measured so that policy changes can be made, if necessary, or training and awareness programs can focus on the areas that need reinforcement within the organization.

The security director, using the already established budget and implementation timelines for each safeguard, can then manage the improvements, using either internal staff or outsourcing the additional controls (or their implementation).

These improvements can be tracked themselves, to establish how effective they are in their individual tasks, and also can be periodically re-assessed to see how the organization’s total security profile has improved.

The first benefits from a data-driven security program emerge during this implementation phase, because not only can you measure how much more effective the new security configurations are, but there is an additional value-added component of re-acquainting the employees with the security program and increasing awareness across the organization.

To ensure continued value in the program, collection mechanisms such as incident response, threat reporting and vulnerability reviews must be automated. There are new security software programs that evaluate and analyze these types of data and can dramatically increase the effectiveness of a data-driven security program.

This type of data-driven security program creates a security program that becomes a baseline for management to quickly assess the security profile of the entire organization.  It makes it easier to provide a safe, and secure workplace for both management and employees, and may decrease the possibility of a workplace violence incident, theft or domestic or international terrorist attack.

This data-based concept of risk management creates a bridge between executive management and the security professionals in the organization who now have an avenue for open communication, discussion and consideration of the role of security throughout the organization.


About the Author

Caroline Ramsey-Hamilton is the founder of Risk Watch International, and a leading security risk assessment expert.  She was a Charter member of the National Institute of Standards and Technology’s Risk Management Model Builders Workshop from 1988 to 1995.  From 1996-1998, she served on the working group to create a Defensive Information Warfare Risk Management Model,  (DIWRM2) under the auspices of the Office of the Secretary of Defense.  She was also a member of the National Security Agency’s Risk Rating Workshop and the IBM Data Governance Working Group to create a Data Governance model for the nation’s largest banks.

She has developed specialized risk assessment programs for HIPAA, Information Security, FFIEC, GLBA, Sarbanes Oxley, and corporate security programs, including working with The Clearinghouse, large investment banks, the Federal Reserve and a variety of other Federal agencies on Risk Assessment guidelines. In addition, she is a member of the ASIS Physical Security Council and SARMA (the Security Risk Management Association) based in Washington, D.C. Ms. Ramsey-Hamilton is certified in Homeland Security and Anti-Terrorism and recently received a lifetime achievement award from the Anti-Terrorism Accreditation Board and the Maritime Security Council.

Hamilton works around the world on critical risk issues including a new set of risk assessment guidelines for the Nuclear Regulatory Commission, a risk model for airport security and a risk model for medication error with Philadelphia Children’s Hospital.

She has completed Risk Assessments for over twenty-five U.S. government agencies, including the Department of Defense, the Technical Support Working Group, and the Nuclear Regulatory Commission, and many healthcare organizations, including Cleveland Clinic, HCA, Sheikh Khalifa Medical City, the University of Miami Medical Center and many more. She has written several books and articles in over twenty-five different publications.

www.caroline-hamilton.com

caroline.r.hamilton@gmail.com


Outlook on Risk & Security Compliance in 2012 – What to Expect.

This New Year’s Eve, I thought at times my neighbors were using a rocket launcher and several assault rifles to shoot up the New Year.  Lucky for me,  I spent the awake time to contemplate the outlook for risk, threat and security issues for 2012 and here’s what I see for 2012.

1.  Government-Mandated Compliance Is Here to Stay for the Healthcare Industry.

I remember when the IT departments at many hospitals thought George W. was going to revoke the HIPAA Security Rule. It never happened, and this year, for the first time, there is a regulatory body in place that is intent on REAL ENFORCEMENT.

The Dept. of Health & Human Services, Office for Civil Rights, has expanded the HIPAA Security and Privacy Rules to include “Business Associates”, including lawyers working in healthcare, and the infamous “3rd Party Providers” who do everything from warehousing data to taking over the IT function of a hospital, and this trend will continue as pressure builds from consumers whose medical and financial data continue to be compromised.

2. Workplace Violence Prevention will become an OSHA mandate, if not in 2012, at least by 2015. Based on the slug-like pace of OSHA, which only recently provided directives for high-risk industries, and the pressure from the more than 30 states that have passed their own regulations, the pressure to stop the number of incidents and to lower their intensity will increase, and management will be forced to address it as a major corporate issue.

3. Pressure on the financial industry to protect consumer information will increase. Like many other areas, pressure is increasing to prevent the enormous data breaches we saw in 2011, like Tricare, the recent Stratfor hack by Anonymous, Wikileaks and HealthNet breaches. Consumers are the squeaky wheel and they want the convenience of plastic and internet use, and they will not tolerate breaches, and they are all registered voters!

The FFIEC has already tightened up on both risk assessment standards and authentication guidelines for all financial institutions.


There will be an increase in requirements for risk assessment as an accountability feature to force managers to maintain better security in all areas of their organizations.

Accountability means that individual managers will be held responsible for the decisions they make regarding other people’s:

1.  Financial Data

2.  Medical Records

3.  Safety from both Violence & Bullying in their workplaces.

Budgets can be cut, and staff can be reduced but consumers are demanding protection of their information, and themselves, and the regulators will make sure they get it in 2012!

HAS 60 MINUTES EXPOSED THE SEC SECRET – No Penalties for Big Banks?

On Sunday evening, December 5th,  60 MINUTES aired what I think is a ground-breaking bit of investigative reporting on how the SEC allowed big banks and mortgage companies to violate Sarbanes Oxley (SOX) requirements with total impunity.

Since the American public is still suffering from the mortgage meltdown – they are looking for answers and looking for punishment.  Crime and punishment usually go together in the Justice Department and law enforcement communities.

“You do the Crime – You do the Time”.

So one person is arrested for a victimless crime, like shoplifting a candy bar, but a big company, like Countrywide or Bank of America, can crash a worldwide economy, lie on federal forms, commit perjury and sow intense financial destruction on millions of people, and they are allowed to keep the fortunes they made through this risky behavior, and, even better, there’s no jail time, no fines commensurate with the crime, and no penalty for openly flouting federal laws!!

WOW – what kind of message does this send?

For me, concerned day after day with helping organizations comply with federal mandates and laws, like SOX, and HIPAA, and OSHA, this makes a parody of compliance enforcement.

Companies spend millions of dollars to comply with these regulations, which are passed to protect the American public from exactly what just happened.  To find that the regulators are the ones who ignored the falsified attestations, forgave the lack of compliance and let these 21st century robber barons keep their ill-gotten gains makes me, and about 200 million other people, sick!


OSHA Starts New Enforcement Initiative for Workplace Violence Issues

On September 8, OSHA issued a new directive about enforcement activity on workplace violence issues. This directive (CPL 02-01-052) took effect on Sept. 8, 2011 and is called Enforcement Procedures for Investigating or Inspecting Workplace Violence Incidents. It details new procedures for the OSHA inspectors, but it is also a valuable document to show employers what they can expect.

The directive follows the shocking news that in 2010, 18% of workplace fatalities were caused by assaults and violent acts, while only 14% were caused by falls, according to the Bureau of Labor Statistics.

Workplace violence incidents are even higher in the hospital and healthcare industries.

The new inspection directive shows how OSHA inspectors are going to look at employers to see whether they have performed a workplace violence analysis.  These assessments follow the security risk assessment model and should take into account the threat level at the organization, the history of incidents and examination of trends, and whether ‘accepted’ controls have been implemented at the place of employment.

Some of the ‘accepted controls’ they will be examining include:

  • Having a recent workplace violence analysis
  • Having a formal workplace violence training program in place
  • Showing the employer had incident reports to identify possible threat levels
  • Methods the employer used to inform employees of the risk of workplace violence
  • Evidence the employer has a workplace violence prevention plan in place
  • Evidence the employer has a current security plan
  • There are also a set of recommended physical controls that include proper lighting, cameras, curved mirrors, etc.

For more information, or a copy of the document, email info@riskwatch.com.