An Oracle White Paper, October 2011: HITECH's Challenge to the Health Care Industry
Contents

- Introduction
- HITECH Changes the Game
- The Move to Electronic Health Records (EHR)
- Increased Penalties
- More Aggressive Oversight
- Breach Notification
- HITECH's Challenge
- The Health Care Risk Environment
- Develop a Holistic Security Program
- The Security and Compliance Burden
- The Data Protection Challenge
- The Access Control Challenge
- Frameworks for Compliance
- Standards-based Controls
- Role of Business Associates
- HITRUST's Common Security Framework
- Comprehensive Data Security
- Defense-in-Depth
- How Oracle Protects Patient Information
- Data Encryption and Masking
- Database Enforced Access Controls
- Monitoring, Alerting and Reporting
- How Oracle Controls Access to Patient Information
- Implement Centralized Access Control
- Use Role-based Access Control
- Automate User Provisioning
- Deploy Secure Federation
- Reduce Risk and Fraud
- Conclusion
- Legal Disclaimer

Introduction

The Health Information Technology for Economic and Clinical Health Act (HITECH) forces health care providers and their business associates to bring a sense of urgency to the security of protected health information (PHI). The act brings both pressures and incentives into play in its mandate to convert PHI to electronic health records (EHR), and puts teeth into the enforcement of the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA). Although the HIPAA Security and Privacy Rules have been in effect since 2003, auditing has been, at best, spotty, enforcement and imposition of penalties rare, and the rules did not apply directly to business associates. Under these conditions, it is not surprising that health care has lagged behind most other industries in its security programs.
More than one fifth of the respondents in the 2009 survey conducted by the Healthcare Information and Management Systems Society (HIMSS) reported that security accounted for less than 1% of their budget, with almost no change from the previous year. Forrester Research's annual security survey showed that health care trails the financial services, retail and government sectors in the percentage of overall IT budget spent on security. Information security has not been a high-priority issue for hospitals, which naturally evaluate commitment of energy, spending and allocation of resources in terms of their impact on the quality of patient care. Before HITECH, there were no incentives and little concern about enforcement.

Conversion to EHR will result in explosive growth in digital information sharing among health information exchanges, hospitals, medical practices and business associates. Under HITECH, all recipients of PHI contained in EHR are now subject to the same requirements for protecting PHI. The risk of inadvertent or malicious disclosure of health information increases dramatically, and there is evidence that attackers are taking note and targeting health care institutions in growing numbers. In this environment, health care providers should assess their security programs and ensure that they have the policies, processes and supporting automated tools in place to protect patient information.

HITECH Changes the Game

The Move to Electronic Health Records (EHR)

The HITECH Act is part of the $787 billion American Recovery and Reinvestment Act (ARRA), more commonly known as the Stimulus Bill, enacted in February … The core purpose of HITECH is to convert the nation's health care records to digital formats, improving health care through the rapid transmission of medical information and ultimately saving money on operations by making the nation's health care systems more efficient. HITECH takes a carrot-and-stick approach to promote the mandated conversion to EHR.
The act provides $19.2 billion to promote the conversion, most of it going to Medicare and Medicaid reimbursement as incentives to make what the act refers to as "meaningful use" of EHR, starting in … The stick comes in the form of reduced reimbursement, starting in 2015, for entities that do not use EHR. But the really hard end of the stick is how HITECH, recognizing the increased risk of electronic PHI, ups the ante for health care providers and their business associates who fail to meet the requirements of the HIPAA Security and Privacy Rules.

Increased Penalties

Previously, penalties could be assessed at $100 per violation, capped at $25,000 per year for multiple violations of an identical requirement or prohibition. HITECH sets the range at $100 up to $50,000 per violation, capped at $1.5 million per year for multiple violations of an identical requirement or prohibition. Moreover, individuals, such as hospital employees, in addition to covered entities, can be held criminally liable, with fines of up to $250,000 and up to 10 years in prison for HIPAA violations. In addition, if the Department of Justice declines to prosecute, the Department of Health and Human Services Office for Civil Rights (OCR) can still bring civil suit. A percentage of the civil penalties collected is distributed to individuals affected by the violations.

More Aggressive Oversight

Beyond any promises of greater oversight and more aggressive enforcement, both federal and state governments now have incentives to investigate possible violations and file suit when the evidence is sufficient. Under HITECH, money collected in civil penalties is funneled back into OCR's enforcement budget. The act also permits state attorneys general to bring civil actions against HIPAA violations, making wider oversight and enforcement far more likely.
In January, for example, Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, alleging the company violated HIPAA when it lost a portable disk drive containing health and financial information of about 446,000 enrollees. The action claimed that Health Net did not properly secure the information and failed to notify consumers of the security breach.

Breach Notification

HITECH mandates data breach notification, putting pressure on providers to avoid the costs and negative public exposure associated with data breaches involving PHI. The requirement is similar to the 40-plus state data breach notification laws, which cover exposure of consumer information. These laws typically exempt encrypted information, on the assumption that it cannot be read by anyone who obtains possession of it. HITECH states that breach notification applies to "unsecured" PHI, defining unsecured as information that has not been rendered unreadable, unusable or indecipherable to unauthorized individuals. In practical terms, HHS guidance means encrypting the data or destroying it.

The act requires the health care provider to notify the affected individuals of the breach, as well as the Department of Health and Human Services (HHS) if 500 or more patients are affected. HHS posts these breaches on its Web site. Violators must also notify prominent media if the breach affects more than 500 people in a particular location. Business associates, now subject to HIPAA Security Rule requirements, must notify their covered entity partner if they are responsible for, or the victim of, a PHI breach.

It is important to note that HITECH does not require encryption (it makes encryption an "addressable" control rather than a "required" one). However, as with the state laws, encryption generally obviates the need for breach notification. As HHS points out in its guidance, using encryption does not change the Security Rule requirements to protect PHI.
Encryption is only one step in support of a holistic security program that includes data protection, identity and access management policies, enabled and supported by the right tools. Today's health care information environment, involving many disparate organizations, many people performing different roles, and communication in multiple ways, does not lend itself to a simplistic security solution.

HITECH's Challenge

The Health Care Risk Environment

The modern health care information environment is complex, with information flowing across numerous interrelated and interdependent institutions, service providers and individuals: physicians inside the hospital and at their practices, outsourced diagnostic services, pharmacies, labs, billing services, business associates, visiting nurses and other home/mobile health care providers, rehab centers, clinics, etc. Electronic patient information is communicated not only via LAN and WAN but through all forms of wireless devices, from laptops to smart phones to specialized handheld medical information devices.

The challenges are daunting. Covered entities and business partners must consider several factors, including:

- Identifying the information that is considered PHI under statute and carries the risk of harm to the patient and of non-compliance to the organization.
- Balancing the need to protect information from exposure while still providing the highest level of patient care.
- Extending information access and policy enforcement beyond the organization to the myriad of partners, service providers and suppliers that support the health care provider.
- Identifying the applications that have access to PHI and validating whether that access is appropriate, as well as the individuals, groups and organizations authorized to use those applications, with appropriate limitations.
Develop a Holistic Security Program

In this environment, health care providers must think and act in terms of a comprehensive information security program that incorporates protection around the data to prevent its use by unauthorized individuals. This includes creating and implementing granular, role-based access control, authorization and authentication policies that help ensure that health information is properly secured and health care providers are compliant. Health care organizations must:

- Identify, classify and assess risk around data.
- Implement appropriate protection, such as strong encryption and data masking, to prevent unauthorized exposure and, at worst, malicious use.
- Assign the appropriate privileged user roles, with careful attention to maintaining separation of duties.
- Monitor data access, with particular attention to the activities of privileged users, such as database administrators.
- Establish individual and group roles, evaluating and adapting them as needs change.
- Create policies and workflow processes with clear responsibilities and accountability for provisioning and de-provisioning users, approving job changes, and authorizing application, information and systems access.
- Implement logging, audit and reporting capabilities around application and data access, administrative functions, user and asset access activity, and provisioning and de-provisioning.

The Security and Compliance Burden

Managing and maintaining this type of program in a dynamic environment is a heavy burden for health care organizations dedicated to devoting maximum resources and focus to the quality of patient care. Personnel come and go; patients are discharged; business partner relationships change; new applications and systems come online, and new services become available.

Oracle database security and identity management products provide a complete single-vendor defense-in-depth security strategy that can help customers address a broad set of requirements.
Consider the difficulties of translating this into a manageable, efficient security and compliance program.

The Data Protection Challenge

Retrofitting existing applications with strong data protection can be a time-consuming, costly, and seemingly impossible exercise. After all, most applications running today, along with their supporting infrastructure, were built for high availability, scalability and usability. In most cases, the data security that does exist resides solely in the application layer and consists of a username and password along with a mapping of users to various roles and responsibilities within the application, thus limiting access to application screens and functions. Outside the context of the application, data remains unprotected and vulnerable to application bypass attacks, in which the data store is reached directly rather than through the application's screens and checks.

Information security in terms of encryption, masking, access control and monitoring remains a relatively specialized area that only recently has seen technology progress to the point that it can be widely adopted by those with little to no security background and applied to existing applications without costly and time-consuming changes. Take, for example, data encryption and the associated key management requirements. Encryption algorithms have been widely available for well over a decade. The ability, however, to apply encryption technology to practical business problems, as required by HITECH, has been limited. This was due to the changes, both technical and administrative, required to deploy encryption. Encryption needs to be transparent to existing applications, non-disruptive to the existing high availability strategy, and easy to administer in a large, distributed environment. Similarly, deploying additional access controls on data outside the application layer without breaking the application was viewed as next to impossible.
In fact, access to application data by administrative personnel operating outside the application has to this point been considered the norm. Thus far, separation of duty enforcement, along with deployment of preventive controls on access to application data by administrators operating outside the application, has been considered too operationally disruptive. In addition, the increasingly important task of monitoring audit logs for unauthorized or inappropriate activity has languished due to the time-consuming, resource-intensive nature of the task. This is despite numerous examples where such monitoring would have greatly reduced or even prevented unauthorized disclosure of sensitive information.

Oracle's comprehensive database security portfolio, including Oracle Advanced Security, Oracle Data Masking, Oracle Database Vault and Oracle Audit Vault, protects information by providing transparent data encryption, masking, privileged user and multi-factor access control, row-level data classification, and continuous monitoring of database activity.

The Access Control Challenge

Maintaining an effective access control program is even more challenging, as the health care provider typically must administer authorization and appropriate authentication on a per-application basis. It is impossible to administer and enforce unified policy across applications and systems; management is fragmented and laborious, policy is inconsistently applied and users are frustrated. Policy-based provisioning and de-provisioning of user access and authorization is:

- Fragmented by reliance on each application.
- Hampered by a lack of an automated workflow to assure that authorization is appropriate and approved by the responsible managers, who can be held accountable for their action.
- Reliant on group-based authorization, which can be too coarse for fine-grained controls, making provisioning an inexact science that typically leads to too much privilege, which is a security risk, rather than too little, which impedes work and ultimately would impact patient care.

Monitoring user access activity for malicious behavior and policy violations, producing auditable reports and responding to auditor requests will be manual, error prone and difficult to coordinate. Administrators have to collect and query access logs, for example, from diverse applications, if they are available at all.

Further, health care providers have to extend special sets of access control rules to numerous third parties who need to access or share PHI. Assigning and administering access controls outside the core organization is exceedingly difficult. Great care has to be taken to assure that the disclosure of PHI is the minimum needed to perform the contracted services, yet easy and manageable enough to allow critical medical information to move without delay.

Oracle Access Manager, Oracle Identity Manager, Oracle Identity Analytics, Oracle Identity Federation and other products in the suite of Oracle identity management solutions provide application- and system-level security, enabling health care organizations to create and sustain a centrally managed, automated and auditable access control program.

Frameworks for Compliance

Standards-based Controls

In addition to the specific Privacy and Security controls required by HIPAA/HITECH, it is highly recommended that health care organizations look to one or more of the accepted control standards, such as ISO 27002, NIST and COBIT, as the foundation of their HIPAA/HITECH security and compliance programs. As organizations move to electronic health records, they must implement required controls around the maintenance and flow of health information.
This will enable organizations to capture HITECH incentive reimbursement, avoid penalties, protect themselves against the heightened oversight from HHS and state attorneys general, and guard against the damage of a major PHI breach and the negative impact of the required notification. A standards-based approach:

- Provides a well-defined set of controls that can serve as a template to be modified to the organization's special requirements as a member of the health care industry.
- Provides a yardstick for the organization to measure progress and evaluate its security program.
- Demonstrates to auditors that the organization is following a well-conceived initiative that follows universally accepted control recommendations.
- Forms a common basis for establishing security controls and trust across entities, to assure that PHI is being transmitted and maintained securely as it is shared across organizations.

Role of Business Associates

The last point emphasizes the need to maintain strong controls as information is shared outside the provider organization. The HIPAA Security Rule has always required health care providers to have contracts that direct business associates to safeguard PHI. However, now that HITECH puts the same security requirements on business associates as on covered entities, those contracts will need to be modified to reflect these new obligations. HITECH expanded the definition of a business associate to include organizations that transmit and routinely access PHI, such as health information exchange organizations, regional health information organizations and vendors. Previously, business associates were liable only under the terms of their contracts, but under HITECH they are subject to direct government oversight and to civil and criminal penalties for HIPAA violations.
HITRUST's Common Security Framework

The Health Information Trust Alliance (HITRUST) has addressed these issues with a health care industry-centric approach to standardize security controls and streamline compliance programs. The Common Security Framework (CSF) incorporates hundreds of IT controls from other frameworks that are relevant to the health care industry, such as NIST, ISO, COBIT, HIPAA/HITECH, PCI DSS and SOX. The CSF contains 13 security categories encompassing 42 control objectives and 135 control specifications. It is too early to tell whether HITRUST will become a widely embraced standard for HIPAA/HITECH and other regulations that impact the health care industry, but it is well worth considering as the basis for a security/compliance program and as a common ground for meeting contractual obligations.

HIPAA Security Rule requirement | Oracle products and functionality that help address HIPAA Security Rule requirements
Administrative safeguards, (a)(1)(ii)(A), (a)(1)(ii)(D), (a)(3)(i): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. Implement procedures to regularly review records o