OIG’s Review of CMS HIPAA Security Rule Oversight – What a Scathing Report Means For You
The OIG (the Office of Inspector General – the audit arm of the Department of Health & Human Services)
recently released its report on the CMS’s (Centers for Medicare & Medicaid Services) oversight and
enforcement of hospitals’ HIPAA Security Rule implementation. In the scathing report* the OIG clearly
characterizes the CMS’s current regulatory compliance efforts as lax. While the report is full of interesting
statistics about the extent to which the hospitals it audited as part of the analysis were lacking in security, I
thought it made sense to discuss the inevitable outcome for hospitals and, frankly, any organization covered by
the HIPAA Security Rule.

What the Report Says About the Future

1. Expect post-breach due-diligence

In rock climbing, we had a saying: it’s not the fall that kills you, it’s the landing. Well, that certainly rings true
with a data breach. If you’ve read the news lately, you’re likely aware of the scrutiny into organizations that
have experienced a breach. Not only does the true financial cost and liability impact become clear in the weeks
and months following a breach, but the entire risk management strategy of the organization comes under a
microscope. For those organizations that fall within the HIPAA Security Rule compliance requirements, this is
echoed loud and clear in the report, which states that the CMS:

“performs compliance reviews of covered entities in response to breaches of unsecured protected
health information affecting 500 or more individuals”.

So, while many healthcare CIOs have never been through a compliance audit and may only expect one in the event
of an ePHI data breach, after this report they can be assured of an audit. And when the microscope comes
out, here are the kinds of questions the CMS will be asking:

• Sure, you have security controls, but are they actually working?
• Does executive management have a clear understanding of their risk profile?
• Does your healthcare organization have a structured and systematic approach to risk management?
• Are you aware of, and do you follow up on, deficiencies in your security program?

So if your security is lax, the (in)effectiveness of your program will become clear in the post-breach analysis.




                       WEB                            PHONE                          EMAIL

               WWW.REDSPIN.COM                    800-721-9177                INFO@REDSPIN.COM
2. Expect Pro-Active Audits

While it may not be surprising to CIOs to expect some regulatory due diligence into their information security
programs after a breach, it may be more of a surprise that periodic or even annual regulatory security audits
by the CMS are inevitable. Not only are state Attorneys General being trained by the federal government on
HIPAA enforcement, but the OIG is clearly indicating that pro-active CMS auditing is what it would like to see.
Healthcare is unique in that, while it has clear regulatory guidance on security (the HIPAA Security Rule), it
has not been subject to consistent oversight in the form of audits. In other industries (financial services, for
example) CIOs have for years come to expect annual onsite visits from the regulators, in which their security
programs and controls are reviewed. Here are some of the OIG statements showing that the current state of affairs
(lax auditing and minimal oversight) is not appropriate moving forward:

INSUFFICIENT OVERSIGHT AND ENFORCEMENT ACTIONS

CMS’s oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals,
effectively implemented the Security Rule.

Here is another telling indicator from the report:

Although OCR stated that it maintains a process for initiating covered entity compliance reviews in the absence
of complaints, it provided no evidence that it had actually done so. The only reviews OCR mentioned were
related to our hospital audits. In the absence of evidence of a more expansive review process, we encourage
OCR to continue the compliance review process begun by CMS in 2009.

So it’s clear that healthcare organizations should expect pro-active audits not only from the State
Attorneys General, but at the federal level as well, from the CMS.

3. Expect the CMS to take a broad view of security

At Redspin, we’ve always been fans of taking a practical view of security and compliance. It looks like the
regulatory environment is poised to take a similar view.

RECOMMENDATIONS

We recommend that OCR continue the compliance review process that CMS began in 2009 and implement
procedures for conducting compliance reviews to ensure that Security Rule controls are in place and operating
as intended to protect ePHI at covered entities.

From a practicality standpoint this is a good thing. However, those entities that deploy controls just
because they have to, rather than putting real thought into the deployment to ensure the controls are
working as intended, will find that the existence of a control by itself does not free them from regulatory liability.

Redspin Recommendations:

• Don’t just treat a HIPAA Security Risk Analysis like a compliance check-the-box item on your agenda.
  Consider the fact that a meaningful HIPAA Security Risk Analysis is the foundation for effective risk
  management, and leverage the effort to build a robust and systematic information security program
  that will maximize HIPAA Security Rule compliance while minimizing the risk of an ePHI data breach.
• Understand that by focusing on the intent of the HIPAA Security Rule you can achieve both security
  and compliance. However, the inverse is not true: focusing on compliance does not necessarily buy
  you security in the risk management sense of the word – in fact, in the OIG’s opinion, it won’t even buy
  you compliance.
• Always remember it’s not the existence of a control that matters, rather it’s the effectiveness.

Conclusion

While additional oversight may seem daunting, the good news is that hospitals and other healthcare
organizations can get lasting practical and compliance value from doing an annual HIPAA Security Risk
Analysis.

• It can be used to meet the meaningful use core objective of safeguarding ePHI.
• It’s the foundation of a robust information security program.
• It can be used to provide executive management visibility into their risk profile and overall IT
  environment.
• It can lower your overall risk profile by identifying and prioritizing critical risk.
• In the event of a CMS audit, it will provide evidence that your organization has a robust security
  foundation and systematic information security program.



* Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and
Accountability Act of 1996 Oversight (A-04-08-05069)
