HIPAA Compliance “Tune-Up” for 2016 Are You Prepared?

Upload: compliancy-group

Post on 13-Feb-2017



Page 2: HIPAA compliance tuneup 2016


Speakers

Michael Flavin, Senior Product Marketing Manager, eFax Corporate®, Part of j2 Cloud Services

Page 3: HIPAA compliance tuneup 2016


Agenda

1 Why HIPAA Enforcement Will Get Stronger in 2016

2 What Exactly is the OCR Phase 2 Audit?

3 Why Covered Entities Should Prioritize a Security Risk Analysis

4 6 Tips to Prevent Cyber Hacking

5 How to Create Cyber-Security Culture Across Your Organization

6 How a Cloud Fax Model Can Enhance HIPAA Compliance

Page 4: HIPAA compliance tuneup 2016


The information provided in this presentation does not constitute, and is no substitute for, legal or other professional advice. We strongly encourage you to consult your own legal or other professional advisors for individualized guidance regarding the application of the law to your particular situations, and in connection with any compliance-related concerns.

Page 5: HIPAA compliance tuneup 2016


Why HIPAA Enforcement will Ramp Up in 2016

HHS’s Office of the Inspector General (OIG) issues report recommending stronger oversight of CEs and BAs.

The Office for Civil Rights (OCR) responds with Phase 2, launching in early 2016.

Page 6: HIPAA compliance tuneup 2016


HIPAA Resolutions & Corrective Actions Up Every Year

[Chart: HIPAA resolutions per year, 2003* through 2014; y-axis 0 to 18,000 cases. Series: Investigated: No Violation; Resolved; Corrective Action or Tech Asst.; Total Resolutions]

Page 7: HIPAA compliance tuneup 2016


Findings: The Results of HIPAA’s “Phase 1 Audits”

2/3 of entities had no complete or accurate risk assessment program.

44% of Privacy Rule deficiencies involved disclosures of ePHI.

58 out of 59 healthcare providers had at least 1 negative finding relating to the Security Rule!

Page 8: HIPAA compliance tuneup 2016


Findings: The OIG Report that Led to the Phase 2 Audit

“In about half of the closed privacy cases… covered entities were noncompliant with at least one privacy standard.”

Recommendation: “OCR should…

•  Implement permanent audit program

•  Keep documentation of corrective action

•  Improve method of tracking cases

•  Check CE HIPAA investigation history

•  Expand outreach and education to CEs”

Page 9: HIPAA compliance tuneup 2016


Quick Audience Poll

1. How concerned are you about Phase 2 OCR Compliance Audits in 2016?

a. Not concerned at all
b. Slightly concerned
c. Moderately concerned
d. Very concerned

2. What best describes the biggest pain point with faxing in your organization today?

a. No integration into our EHR system
b. HIPAA Security and Compliance concerns
c. Ongoing costs of on-site fax infrastructure
d. Inefficiency of workflow processes


Page 11: HIPAA compliance tuneup 2016


What Exactly is a “Phase 2 HIPAA Audit?”

Phase 2: Hundreds of Covered Entities Will Be Audited

•  550 to 800 entities contacted

•  Estimated 350 selected for audit

•  OCR’s own staff conducting the audits

•  Combination of “desk” and onsite audits

•  Measuring security, breach, privacy


Page 13: HIPAA compliance tuneup 2016


Why Prioritize a Security Risk Analysis?

Health firms are at risk:

•  Virus vulnerabilities are up

•  Data breaches and ePHI theft are up

•  Between 2010 and 2013, 29 million records compromised

•  From the HHS Wall of Shame: 113,180,244 breaches in 2015 alone!

Page 14: HIPAA compliance tuneup 2016


Why Prioritize a Security Risk Analysis? Healthcare was 2015’s #1 Data Breach Victim

Source: published, as required by the HITECH Act, on the DHHS breach portal: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

[Chart: the five largest 2015 healthcare breaches by records affected: 78.8 million, 11 million, 10 million, 4.5 million and 3.9 million records]

Page 15: HIPAA compliance tuneup 2016


Vulnerability to Cyber Hacking & ePHI Breach

FBI warnings to industry: “The FBI has observed malicious actors targeting healthcare related systems…for the purpose of obtaining Protected Healthcare Information (PHI)”

[Infographic:

•  HHS Office for Civil Rights: 1,199 incidents, 41.5 million individuals

•  Huge change in scope: 1,800% increase from 2008-2013

•  Data breaches year to date: 113+ million individuals

•  Top 5 health data breaches in 2014: 7.4 million individuals]

Page 16: HIPAA compliance tuneup 2016


The largest data breaches in 2015 were all the result of cyber hacking breaches, resulting from...

•  Spearphishing

•  Malware

•  Network intrusion

Page 17: HIPAA compliance tuneup 2016


What’s a “Secure” ePHI Transmission?

•  TLS encryption: NIST encryption standards for handshake…

•  AES 256-bit encryption: NIST encryption cipher standard for data protection…

HIPAA Privacy Rule: 45 CFR § 164.304

“…requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”

Page 18: HIPAA compliance tuneup 2016


Why Prioritize a Security Risk Analysis?

98% of healthcare providers audited were found to have failed to comply with HIPAA’s Security Rule in at least one instance

Page 19: HIPAA compliance tuneup 2016


The Cost of Data Breaches

•  $154: average cost per record across all industries globally

•  $363: average cost per breach for healthcare firms globally

•  $163: average cost per record for retail firms globally

Again, healthcare tops the list of industries

Page 20: HIPAA compliance tuneup 2016


What are the Business-Impacting Threats?

Marketplace Reputation and Customer Loyalty

Liability

•  Legal costs

•  Credit assistance for customers

•  Training, call center triage

•  Fraudulent charges

•  Stock price, earnings, etc.

•  IT resources


Page 22: HIPAA compliance tuneup 2016


6 Tips to Prevent Cyber Hacking: Build Your Network’s Defensive Walls

1 Proactive Software Assurance

•  Source code and binary code testing tools

•  Application security scanners

•  Certifications

2 Blocking Attacks: Network Level

•  IDS and IPS

•  FW

•  MSS

3 Blocking Attacks: Host Level

•  Endpoint security

•  NAC

4 Eliminating Security Vulnerabilities

•  Vulnerability management

•  Patch management

•  Penetration testing

5 Safely Supporting Authorized Users

•  Encryption technology

•  VPN

•  DLP

6 Tools to Manage Security and Maximize Effectiveness

•  Log management

•  SIEM

•  Training


Page 24: HIPAA compliance tuneup 2016


How to Create a Cyber-Security Culture

Find non-technical ways to explain the right processes; technical explanations lose a lot of people.

Identify the digital assets you most need to secure, and make sure you’re monitoring and protecting them.

Look also for non-cyber data risks (hardcopy files left unattended, etc.) and include them in your training.

Start at the top of your company: make everyone aware of the risks and how to avoid them.

Page 25: HIPAA compliance tuneup 2016


Most Common Pitfalls

Risk Assessment

•  Lack of Accurate Data Inventory/Controls

•  Audit Logs (critical for compliance and root cause)

Humans

•  “Accidents Happen”

•  Social Engineering

•  Security Awareness Training

Missing Policies and Procedures

•  Incident Response Team and Plan

•  Audit Trail


Page 27: HIPAA compliance tuneup 2016


Faxing in Healthcare Today – Trends: The Move toward a Cloud Fax Model

The “Cloud Fax” Model

•  Your staff can fax anywhere

•  Deploys in minutes

•  Easy to use

•  Requires no training

•  Highly secure

•  Compliant*

•  Provides clear audit trails

•  Cost-effective

Virtually no IT administration, maintenance and troubleshooting

*eFax Secure™, part of the eFax Corporate® suite of solutions, is a HIPAA-compliant solution for healthcare

Page 28: HIPAA compliance tuneup 2016


eFax Corporate®

The world’s #1 online fax company, and the industry’s most experienced hosted fax service

The most widely deployed online fax service for the Fortune 500

Trusted by more major healthcare, legal, financial and other highly-regulated firms than any other online fax provider to transmit sensitive documents

[Diagram: inbound/outbound faxes flow between the PSTN telco service and the hosted fax service, with encrypted fax storage via eFax Secure (optional), encryption in transit (optional), and email, secure browser, mobile app and eFax Messenger user interfaces]

Page 29: HIPAA compliance tuneup 2016

Q&A enterprise.efax.com [email protected]

U.S. Sales (888) 532-9265

UK Sales +44 (0) 8707113811

Page 30: HIPAA compliance tuneup 2016


Helpful Resources

•  HIPAA Privacy Rule

•  The HIPAA Security Rule Toolkit

•  OCR’s HIPAA Enforcement Data Page

•  OCR’s Findings from Phase 1 Audits

•  OIG 2015 Report Recommending Strengthened HIPAA Oversight

•  BitSight Data-Security Industry Report

•  HealthITNews: Top 10 Breaches of 2015

•  HIPAAJournal: Top 2015 Breaches (Healthcare Industry #1 Victim)

•  eFax Corporate Blog: Six Best Practices to Deter Cyber Hackers

•  HealthCareITNews Article on Cyber Security Culture

•  SANS Institute: Layered Defense Approach to Preventing Cyber Hacking

•  The American Bar Association’s Interpretation of the HIPAA Security Rule and Protecting ePHI

•  HHS Report: Security 101 for the CE

•  HIPAA Audit Webpage

•  Ponemon: 2015 Costs of Breaches

•  2015 HIMSS Conference

•  eFax Corporate Data Sheet on HIPAA-Compliant Faxing