Howard Schmidt, Obama administration's cyber security czar, prepared a fantastic presentation about the four guiding principles of his cyber security plan:
Deterrence is a primary factor in preventing cyber security threats. Applying strong protectionlike two factor authentication, one time passwords, smart cards, and implementing standard data protection systems were mentioned.
Resilience is the ability to recover from an attack. Designing systems that are able to recover from an attack is paramount to national security, and especially protected health information (PHI). It was noted (in a different part) of the NIST Conference that doctors relying on Health information systems (HIT) need to ensure that a disaster recovery and backup plan is in place and is tested regularly. A doctor’s office or a hospital would be nearly impossible to operate if access to PHI is not available after moving entirely to electronic medical records.
Privacy is important to the White House. It’s clear that legislation and the regulations that follow have privacy in mind. An good example is the Breach Notification law written into section 13402 in the HITECH ACt, part of the American Recovery and Reinvestment Act of 2009 (ARRA). The HITECH Act specifically provides safe harbors in case of a breach of encrypted PHI. The government is clearly incentivizing the use of data encryption to protect privacy.
Partnerships with private industry were mentioned as well, although not in too much detail. Perhaps the White House wants to make sure that whatever steps they put in place have transparency to the public and the private industry.
The government is naming names! Today the Office of Civil Rights, part of the Department of Health and Human Services, did what they they said all along that they will do – post the names of covered entities AND business associates who are involved in data breaches. The somewhat lengthly list provides an insight into the organizations involved in breaches of unsecured protected health information (PHI).
Protected Health Information (PHI) is a term used widely in HIPAA. PHI is information that can identify and individual, such as name, address, social security number, and clinical information about the individual. Part of the American Recovery and Reinvestment Act (ARRA) called the HITECH Act, section 13402, specifically requires a covered entity or business associate to notify HHS and the mass media of breaches of uprotected PHI involving more than 500 records. PHI that is encrypted is considered protected and, therefore, provides a safe harbor against breach notification.
Among those involved in the data breaches are hospitals, clinics, dentists, insurance companies, private medical practices (though it’s unclear as to why their names are being withheld), universities, state governments, and several Blue Cross Blue shield organizations.
More importantly, business associates – which are essentially service providers to covered entities – are not only listed but are named. Most of them are IT services providers to covered entities.
Data at rest appears to be the most common form of breach, most likely a result of lost laptops, backup tapes, and a seemingly missing server.
Data encryption provides a safe harbor against breach notification and should be implemented in places where PHI is stored.
Beginning on February 18, HHS will have the legal authority to enforce the breach notification laws set forth last year as part of section 13402 of the HITECH Act, within the American Recovery & Reinvestment Act (ARRA). The penalties can now be up to $1.5 million and require media notification in cases where 500 or more records are breached. Business associates, as well as covered entities, must now comply with the HITECH Act breach notification rule (which essentially makes modifications to the HIPAA Security Rule).
Perform an extensive security review and indentify where electronic protected health information (PHI or ePHI) resides on your IT systems.
Create a plan on protecting PHI.
Data encryption provides a safe harbor from breach notification. Determine where PHI can be encrypted.
Identify public facing extranet portals and web applications that can allow access to PHI.
Identify databases that hold PHI.
Execute the plan
Implement data encryption where practical.
For databases, implement a database security product to monitor database requests and protect from intrusion.
For web apps, implement a web application security product to protect from cross-site scripting and various attacks to access databases to PHI.
Protect endpoints such as laptops, tablets, etc with data at rest encryption by implementing whole disk encryption,
Experior Data helps customers plan and execute data security assessments and technology implementation for healthcare. Our proprietary Technical Security Audit includes a personalized review of your IT systems and well as a vulnerability scan of all your network components.
In a strongly-worded letter sent and signed by six congressmen to HHS SecretaryKathleen Sebelius the message was clear: remove the harm assessment that lawmakers rejected when writing the privacy regulations into ARRA. The harm standard essentially says that in case of a breach the covered entity must make an assessment of whether or not the breach can cause reputational, financial, and other types of harm. This leaves open the possibility that a covered entity could decide to act in its own interest and make the decision not to follow the directives written into the breach notification ruling.
..
There are, of course, two sides of the sword. On one hand it’s difficult to enforce a policy with subjective elements present, such as the harm assessment. It is unlikely that a covered entity would risk the substantial fines, now as high as $1.5 million, and the possibility of criminal prosecution to avoid notification in case a serious breach occurs. However, the harm assessment leaves that possibility open.
..
A drawback to removing the harm assessment is that it is possible that, ironically, that too many breach notifications are sent to people, thereby creating a “boy that cries wolf” effect. In a perfect world breaches would never happen, so there would not need to be a reason to notify people. However, we all know that not to be the reality. Breaches do occur, intentional or not. And people need to be notified as soon as possible. Should covered entities be given the privilege of deciding the severity of the harm and potentially choosing not to notify people? We shall see the next steps Congress and HHS will take.
The new breach notification guidelines go into effect on September 23rd, 2009. Even though breach notification goes into effect on 9/23/09, the Interim Rule states that civil penalties will not be imposed until February 18th, 2010. The government is aware of the ambiguity and clearly states that it has discretion on imposing sanctions for failure to provide notification in case of a breach notification for breaches occurring before 2/18/10.
..
During the 180 period between 8/2009 and 2/2010 covered entities have the perfect opportunity to review the data stored on their IT systems. The Interim Rule is concerned specifically with Data in Motion, Data in Use, Data at Rest, and Data Disposed. Experior can help determine the best plan of action to implement encryption in your IT systems to protect your organization from breach notification requirements.
An important part the interim final rule is the decision that encryption is the only acceptable technology to make protected health information (essentially, patient records) “unusable, unreadable, or indecipherable to unauthorized individuals”. The preamble to the rule explains that even though other methods (such as access control) can continue to be used, if a breach occurs and the protected health information is disclosed to unauthorized individuals a breach notification is required.
Breach notifications are essentially categorized as “under 500″ and “over 500″ records. If a breach occurred to under 500 records then covered entities must maintain a log of the breach and notify the patients. If a breach over 500 records has occurred then not only patients need to be notified but also major media outlet and HHS. In addition, a hotline must be established so that people can call and obtain more information about the breach (notification procedures are specified in the HITECH Act, Section 13402). HHS can issue fines and attorneys general of each state are empowered to pursue these types of breaches on a criminal level.
The government is clearly serious about patient record privacy to encourage covered entities to move paper records to electronic records as part of its overall healthcare reform efforts.
Copyright 2009 - Experior Data Security and Encryption - No parts of the content herein may be copied or reproduced without permission www.experiordata.comwww.arra13402.com
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=3a0266f6-3270-43a7-9d5d-72d3000b6dd6)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=f109c045-b7ee-4c5f-b033-6660b8cf7572)
