December 12, 2016 | Author: Redspin, Inc. | Category: N/A
Best Practices in Healthcare Information Security and Compliance
Successful healthcare information security starts with strong organizational leadership Internal risk management is the key for ensuring information confidentiality, business process availability, and data integrity The ability to adapt to continuously-evolving security threats can lead to enduring competitive advantage 6450 Via Real, Suite3 Carpinteria, CA 93013 800-721-9177 805-684-6858
WHITE PAPER
TABLE OF CONTENTS 1 Executive Summary 2 Best Practice: Robust Organizational Leadership 3 Best Practice: Build Organizational Competency 4 Best Practice: Risk Classification and Proactive Preparation 5 Best Practice: Collaborate 6 Best Practice: Stay up to Speed 7 About Redspin
Page 1 | www.redspin.com
2010 | White Paper
Executive Summary
It is common for healthcare organizations to be simultaneously compliant with the laws and vulnerable to EPHI security lapses.
The healthcare industry today is undergoing revolutionary changes in the management of healthcare information. Increasingly this information is in electronic form, also known as electronic protected healthcare information (EPHI). Healthcare providers, health insurers, and health information service companies are moving faster than ever to implement IT systems to electronically capture, manipulate, share, and warehouse EPHI. Ensuring the security of EPHI is both a regulatory and a business competitiveness issue. Certainly not all efforts to safeguard EPHI are equally successful. This paper examines in detail best practices we recommend for healthcare organizations to effectively and efficiently manage EPHI security and to remain compliant with the Health Insurance Portability and Accountability Act (HIPAA) laws. This report is sectioned into five key Best Practices. The first and perhaps most important regards the need for strong organizational leadership. Leading healthcare organizations know that excellent EPHI management can be a competitive advantage. The best managers emphasize the process of data security over the often illusionary benefits of installing cutting-edge technologies. Ensuring executivelevel awareness of EPHI security performance through specific job roles and reporting mechanisms is important. The best healthcare organizations actively link EPHI security spending decisions to both (1) the creation of business value; and (2) the reduction of risks. The second section involves the construction of information security competency. Security competency includes a deep knowledge of the regulatory landscape, but regulatory compliance alone is not sufficient for ensuring EPHI security. It is common for healthcare organizations to be simultaneously compliant with the laws and vulnerable to EPHI security lapses. Therefore healthcare organizations may be advised to focus first on a comprehensive EPHI security program, with
Page 2 | www.redspin.com
the rationale that such a program will usually overlap with all areas of compliance. The buildup of knowledge regarding EPHI security management is itself a valuable asset that should be protected and institutionalized. The third section covers the steps to successful risk management of potential EPHI security issues, and the development of impact-adjusted mitigation plans for security threats. Efficient and effective EPHI management requires excellent organizational preparation. Risks to EPHI security should be carefully evaluated and prioritized based on their likelihood and their business impact, with resources and technology applied accordingly. Developing business continuity plans can help a healthcare organization respond to security threats more efficiently, and minimize the impact of security incidents to the organization. The fourth section deals with the concept of security collaboration. The best healthcare organizations often collaborate with their vendors, business associates, industry contacts, and even competitors in implementing EPHI security programs. Collaboration sometimes involves oversight via contractual obligations. Other times collaboration involves coordinating security efforts across affiliated organizations that exchange EPHI. The fifth and final section explores the importance of continuous process improvement Threats to EPHI are continually developing— therefore, safeguarding EPHI requires constant vigilance. The IT security environment is also becoming more complex: new IT security tools, technologies, and applications are just a few of the items that add complexity—and therefore risk—to a company’s EPHI security program. Leading healthcare organizations take specific actions to manage this evolving threat landscape.
2010 | White Paper
Best Practice: Robust Organizational Leadership One of the strongest indicators of a successful healthcare information security program is an organizational attitude that highly values security across the entire enterprise. The healthcare organizations that are the most successful at safeguarding EPHI tend to be those that implement a complete Information Security Program (ISP). A comprehensive ISP covers not only IT security, but also items such as facilities management, business continuity, disaster preparedness, employee safety, and human resource privacy. The most effective ISPs receive (1) executive-level attention and support, from budgeting to reporting; and (2) independent assessments of program effectiveness. A recommended approach is to empower a Chief Information Security Officer to verify adoption of EPHI security procedures and to regularly update senior executives on the compliance of both internal policies and regulatory requirements. EPHI Security as a Competitive Advantage
The healthcare organizations that are the most successful at safeguarding EPHI tend to be those that implement a complete Information Security Program (ISP).
Savvy healthcare industry leaders understand that securing EPHI is more than a cost center: effective EPHI management contributes to business value and provides competitive advantage. Increasingly the heart of any enterprise is found in the proper collection, storage, manipulation, availability, integrity, and protection of electronic data. Effective EPHI management can lead to many business benefits for healthcare organizations including: • • • • • •
Faster, more collaborative care and service. More accurate data transfer and sharing (fewer mistakes and their related consequences). Lower administration costs. Lower vendor and business associate transaction costs. Faster revenue collection and reimbursement. Highest possible Medicare reimbursement (HITECH Act Compliance).
Effective EPHI management also helps healthcare organizations avoid the damaging consequences of successful attacks and other security breaches such as: • Large monetary penalties from regulators. • Revenue loss from downtime of mission-critical IT systems including web applications, business associate networks, and internal networks. • Breach notifications to customers, patients, and media outlets (reputation damage). • Legal action by affected customers, business associates, and vendors. • Theft and/or misuse of the data itself. Emphasize Process Management Over Capital Expenditures It is common for healthcare organizations to simultaneously over-invest in IT equipment and cutting edge technologies and to under-invest in fundamental security policy management and process control. The most technologically secure organizations are not necessarily those that have the best array of security gear, but rather are those that carefully document comprehensive security policies and procedures, and then ensure that these policies and procedures are followed, measured, and updated. It is certainly possible for a healthcare organization with solid security policies and procedures, yet only middle-of-the-road security tools, equipment, and gear, to be well protected against an EPHI security incident. On the other hand a similar organization that has the most sophisticated security equipment but is lacking in comprehensive security policies and process documentation is much more susceptible to an EPHI security incident. There are many reasons why healthcare organizations might over-invest in technology and underinvest in process management. Some of the most common include: Many healthcare organizations, through basic organizational structure and reporting hierarchy, lack executive-level knowledge of (1) information technology solutions; and (2) the importance of EPHI security issues and regulations. This lack of knowledge at the executive level manifests itself in at least two unfortunate ways:
•
Page 3 | www.redspin.com
The tendency of organizations to under-invest in critical IT systems—both capital and operational—because they lack the understanding and awareness of the issues.
2010 | White Paper
•
The tendency of lower-ranking IT managers to push the IT budget in a favored direction, which may not include the best solutions for linking IT spending to business value and risk reduction. Lower-ranking IT managers may be unduly influenced by misplaced knowledge or vendor/product-driven knowledge that does not necessarily speak to the healthcare organization’s key business goals and security risks.
Many managers mistakenly believe—or are sold on the idea—that more equipment under the data center roof makes an organization more secure. In fact the opposite is often true. The addition of more sophisticated technology solutions typically introduces complexity into the organization. Complexity adds unnecessary risk and can actually make a healthcare organization’s data LESS secure.
The best healthcare organizations actively link EPHI security spending decisions to both 1) the creation of business value; and 2) the reduction of risks.
Buying equipment and implementing cutting-edge technology is more fun and exciting for managers and staff than anything else. In stark contrast is the relatively mundane and disciplined process of documenting an EPHI security program, training staff to implement the program, monitoring the program’s success, and consistently working to maintain EPHI security. Enhance Executive-Level Awareness of EPHI Security Performance Building executive-level awareness of EPHI security processes and regulations and awareness of the organization’s performance in safeguarding EPHI is important. Redspin recommends that healthcare organizations have a Chief Information Security Officer (CISO) who reports to the executive management team and who is operationally independent from all other IT groups. This independence will help prevent conflicts of interest which may occur if the person responsible for installing and configuring IT systems is the same person responsible for managing the security risk introduced by those same IT systems. Ideally the CISO is responsible for the security of EPHI by: • Ensuring compliance with internally-developed security policies through ongoing oversight and regular review of controls. This review should include an evaluation of the effectiveness of EPHI security tools, applications, and operational procedures. • Reporting the results of internal and third-party EPHI security assessments, linking security issues to potential business impact, and making business-justified budgetary recommendations to executive-level management. • Ensuring organizational compliance with HIPAA law and all other applicable regulations. Budget Appropriately for EPHI Security The best healthcare organizations actively link EPHI security spending decisions to both 1) the creation of business value; and 2) the reduction of risks. Furthermore, effective IT governance requires that business value contribution and risk management be reviewed on a regular basis, with course correction where necessary. Safeguarding EPHI is a dynamic endeavor—significant investment and constant vigilance are required. New security threats frequently materialize. Regulations are expanded and modified over time. Periodic, independent assessments of EPHI security and corrective action plans are warranted. Staying current with this dynamic environment requires an ongoing investment in an organization’s skilled resources and financial capital. Budgeting for these inevitable changes can help healthcare organizations remain disciplined in following EPHI security plans and avoid resource constraints when proactively managing the changing threat landscape.
Best Practice: Build Organizational Competency A successful information security program requires not only organizational awareness of the issues but also the organizational competency to build a program that mitigates risks and takes advantage of opportunities to generate business value and gain competitive advantage. Competency starts with a comprehensive security program that goes far beyond the scope of regulatory compliance. That is because regulatory compliance alone does not necessarily safeguard EPHI. It is possible for a healthcare organization to be simultaneously compliant and insecure regarding EPHI. The knowledge of how to properly safeguard and manage EPHI is itself a valuable asset that should be protected and institutionalized.
Page 4 | www.redspin.com
2010 | White Paper
Go Beyond Compliance for Greater IT Security Being in compliance with EPHI security laws is a mission-critical step, but we caution that being compliant with HIPAA and other health information security laws will not necessarily make a healthcare organization’s information technology secure. It is possible—even common—for an organization to be both compliant and insecure when it comes to protecting information. Consider the example of a health insurance company that has encrypted its EPHI and managed its encryption keys adequately, but has failed to properly configure the firewall that protects its internal network. While the EPHI data may be indecipherable to a hacker, the improper configuration of the firewall could still compromise the organization’s security. An attack on the internal network could disable information systems and/or require that the network be taken off-line for repair. In either case, the EPHI and all other data may be temporarily unavailable, in violation of HIPAA law and causing immense disruption to the business.
Knowledge of EPHI security regulations, policies, controls, and measurements is a valuable organizational asset.
Make Compliance a Non-issue The protection of EPHI is highly regulated at the federal level of government, and many states impose their own data security regulations as well. The U.S. Federal Government mandates enforcement of laws related to healthcare IT security, most notably the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Security Rule specifically focuses on safeguarding EPHI, requiring that covered healthcare organizations ensure the confidentiality, integrity, and availability of EPHI at all times. Knowing the letter of the laws for safeguarding EPHI, ensuring organizational compliance with these laws, and being aware of the significant consequences of non-compliance are important endeavors for all healthcare organizations. For more details about the HIPAA Security Rule and the consequences of non-compliance, see the Redspin publication Trends in Healthcare IT: Understanding HITECH, the HIPAA Security Rule, and How to Safeguard your Electronic Protected Health Information (EPHI). Build Institutional Knowledge Knowledge of EPHI security regulations, policies, controls, and measurements is a valuable organizational asset. This asset should be protected like all others. Imagine the disruption to a healthcare organization if this knowledge one day walked out the door and the organization had to start from square one. This worst-case scenario could happen if an organization relies too heavily on the knowledge and expertise of individuals to implement EPHI security programs. Well-run organizations seek to institutionalize this knowledge by: Meticulously developing, documenting, and disseminating EPHI security goals. Creating implementation plans and training guides that anyone in the organization can learn and follow. Organize and empower a technical team whose purpose is to safeguard EPHI and to manage regular security assessments. If an organization succeeds in building institutional knowledge of EPHI security programs, the loss of one or two key employees familiar with these programs need not be debilitating. Page 5 | www.redspin.com
2010 | White Paper
Best Practice: Risk Classification and Proactive Preparation The processes of risk identification, threat prioritization and proactive preparation follow organizational awareness and organizational competency in safeguarding EPHI. Ongoing EPHI risk management requires excellent organizational preparation. First, an organization must invest in EPHI classification—the task of identifying the location, specific content, and business value of all protected health data. Next, risks to EPHI security should be evaluated based on threat probability and business impact. Not all potential threats should be treated with equal vigor. Finally, developing plans for business continuity in the event of a major service interruption will help healthcare organizations respond effectively to the less catastrophic security incidents that are more likely to occur. Classify and Manage EPHI It is vital that all healthcare organizations know precisely where EPHI is processed, stored, accessed, and transmitted. It is common for healthcare organizations to share EPHI with business associates and other healthcare providers. The responsibility for protecting EPHI, by law, rests with all organizations that have access to the protected data. A breach of EPHI security anywhere in the chain may result in consequences for all organizations with access to the data. Therefore all EPHI data, both internally and externally within each healthcare organization, should be classified based on business impact. Detailed EPHI data flows should be developed and updated as needed. Frequently a thorough EPHI mapping can help an organization identify inefficiencies or weaknesses which can be corrected to strengthen EPHI security. Assess and Prioritize Security Threats and Vulnerabilities Strong healthcare organizations realize that not all EPHI security threats are equal. Well-run organizations make the effort to identify all EPHI security threats and vulnerabilities, and then manage the issues based on business impact and probability. It may not be practical or costefficient to address all security issues at once. By managing threats and vulnerabilities according to urgency, a healthcare organization can prioritize its action plans. Redspin works with healthcare organizations to evaluate security controls, to identify EPHI security vulnerabilities, and to develop action plans for addressing these issues. Redspin categorizes the impact of security issues based on the potential impairment of an IT system, facility, or procedure if a given vulnerability were exercised. See the following table.
Redspin Healthcare Security Impact Definitions
Impact Level
Description And Necessary Actions
Critical
Corrective measures are required immediately. The existing system should be separated from the network and considered for forensic analysis if a malicious service has been identified.
High
There is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Medium
Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low
Management must determine whether corrective actions are required, or decide to accept the risk.
Informational
The issue does not indicate a material violation but is something for management to consider for enhancing the overall security posture. Table 1. — Redspin Healthcare Security Impact Definitions
Page 6 | www.redspin.com
2010 | White Paper
Develop Business Continuity Plans Healthcare organizations should consider developing a mission-critical Business Continuity Plan (BCP) as part of their overall information security program. A proper BCP starts with a Business Impact Analysis of all IT systems and applications. Once the criticality of individual systems and applications is determined, the business impact of the potential loss or disability of these systems can be measured. At that point the importance of safeguarding these systems and applications becomes apparent. Safeguarding systems and applications may take many forms, such as: • Separation of critical system components from non-critical components (i.e., segmentation). • Stronger security tools and stricter access controls for mission-critical components. • Implementation of redundant systems and/or robust data backup procedures.
With so much riding on the successful protection of EPHI, it is not surprising that leading healthcare organizations often work as a team to evaluate the breadth and depth of each other’s EPHI security processes and programs.
In order to recover from a catastrophic interruption of information systems, healthcare organizations are advised to develop a BCP that documents specific actions for bringing systems and applications back on line, starting with the highest priority items and data sources.
Best Practice: Collaborate The best healthcare organizations recognize the benefits of collaborating with their vendors, business associates, industry organizations, and sometimes even their competitors when it comes to EPHI management and security. Collaboration sometimes takes the form of oversight via contractual obligations. Other times collaboration involves coordinating EPHI security strategies and programs across affiliated organizations. Implement Coordinated EPHI Security Programs The HIPAA Security Rule specifies that EPHI security is the responsibility of all organizations that have access to the protected healthcare information. A breach of EPHI security has consequences for all affiliated organizations, regardless of where the breach occurs. With so much riding on the successful protection of EPHI, it is not surprising that leading healthcare organizations often work as a team to evaluate the breadth and depth of each other’s EPHI security processes and programs. Such coordination also facilitates stronger and more frequent communication between business associates across a whole host of business matters. Institute Business Associate Oversight Measures Although EPHI security coordination is encouraged, non-binding coordination is not a substitute for close oversight of business associates when significant organizational reputation is at stake. It is common for leading healthcare organizations to structure business contracts with vendors and other business associates to protect against and/or recover the costs of EPHI breaches. Examples of contractual obligations related to EPHI security include: Requirement of annual assessments by an independent security assessment firm. Development and maintenance of an EPHI security program that satisfies HIPAA law and any other applicable regulations, including breach notification requirements. Commitment to correct in a timely manner any identified security issues of a certain severity. Financial obligation to compensate for any penalties, fees, and mitigation costs in the event of an EPHI security breach judged to be the responsibility of the business associate. Benchmark EPHI Security Programs It is not advisable for a healthcare organization to operate an EPHI security program in a vacuum. A better approach is to share and solicit ideas for improving security processes, procedures and tools. The security threat landscape is evolving and there is greater safety in sharing strategic program information with associates and colleagues. Strong organizations often measure the scope of their own programs against those of other leading organizations. Whether sharing and soliciting ideas comes in the form of a tradeshow presentation, an industry conference, a business associate meeting, or in contract discussions, the more collaboration there is, the stronger all entities will become.
Page 7 | www.redspin.com
2010 | White Paper
Best Practice: Stay up to Speed Threats to EPHI are continually developing whether these threats are targeted at a particular organization, or materialize silently in the form of undetected mismanagement. In addition, the IT security environment is becoming more complex: new IT security tools, software updates, wireless infrastructure, web application development, workstation upgrades, off-site data storage/recall, and vendor/business associate network development are just a few of the items that add complexity— and therefore risk—to a company’s goal for EPHI confidentiality, integrity, and availability. Leading healthcare organizations must take specific actions to manage this evolving threat landscape. Conduct Independent Security Assessments
HIPAA law requires qualified healthcare organizations to conduct routine evaluations of the effectiveness of EPHI security programs, policies, and procedures.
HIPAA law requires qualified healthcare organizations to conduct routine evaluations of the effectiveness of EPHI security programs, policies, and procedures. An independent security assessment that evaluates EPHI security against potential security risks--in a format accordant with HIPAA Security Standards--is recommended. Independent security assessments may also include the evaluation of business associates with whom health data is exchanged. A high quality EPHI security assessment will do the following: • Pinpoint specific vulnerabilities to EPHI security by evaluating internal security policies, management process controls, and optimal infrastructure configuration. A thorough EPHI security assessment will evaluate all standards of the HIPAA Security Rule. • Identify the impact to the organization if a vulnerability is exploited. • Provide specific recommendations on how to effectively mitigate EPHI security issues. • Follow a repeatable pathway so that EPHI security risks can be efficiently reassessed after changes are implemented. Take Aggressive Corrective Action When significant EPHI security issues are identified, taking aggressive corrective action is the best practice. In the event of an EPHI security breach, a healthcare organization should immediately respond to the cause of the incident, review current policies and procedures to determine what additional measures should be taken to avoid similar incidents, quickly institute any necessary revisions to policies and procedures, send out revised polices, and retrain employees and business associates as applicable. All corrective measures undertaken including training materials should be documented and actively revised if necessary. Any time security policies and procedures are updated, these changes should be institutionalized. By aggressively managing the security threat landscape, leading healthcare organizations remain better positioned to safeguard EPHI.
Page 8 | www.redspin.com
2010 | White Paper
About Redspin Redspin delivers the highest quality, independent Information Security Assessments through technical expertise, business acumen, and objectivity. Redspin customers include leading companies in industries of healthcare, financial services, hotels, casinos and resorts, as well as retailers and technology providers. Some of the largest communications providers and commercial banks rely on Redspin to provide effective technical solutions tailored to their business context, allowing them to reduce risk, maintain compliance, and increase the value of their business unit and IT portfolios.
WEB WWW.REDSPIN.COM
PHONE 800-721-9177
EMAIL
[email protected]
Redspin, Inc. 6450 Via Real, Ste. 3, Carpinteria, CA 93013
