Overcoming the Reality of HIPAA Budgets

Watch to learn how to convince senior management to increase HIPAA budget.


Overcoming the Reality of HIPAA Budgets

In this webinar, Russ Stay, VP of Business Operations at SecurityMetrics, covers:

  • The real challenges of HIPAA compliance implementation
  • How to convince senior management to increase HIPAA budget
  • Tips to create a top-down security approach

This webinar was hosted on October 7th, 2015.

Transcription of Overcoming the Reality of HIPAA Budgets

Okay. Welcome to the webinar this morning. We appreciate everyone's attendance. We're gonna be talking about overcoming the reality of HIPAA budgets.

So we're gonna go ahead and get started. If you have any questions or problems hearing or seeing the webinar, please chat in, and we'll go ahead and address those and see if we can help you out.

Our presenter today is Russ Stay, VP of business operations here at SecurityMetrics.

Russ has really been the head of our HIPAA and health care security initiatives and is very familiar with the industry. He should bring some really great insights. He has been at many conferences, trade shows, and events to really better understand the space and should be able to give a lot of knowledge that he's learned.

A little bit about SecurityMetrics. We've been helping organizations comply with mandates, avoid security breaches, and prevent data theft since 2000.

We actually got our start when our CEO and founder's company was hacked. And as he looked into solutions of how to avoid them in the future and how to do a forensic investigation and get to the bottom of it, he realized, you know, there just weren't a lot of options that were reasonably priced and solid solutions. And so he decided to start a data security company and compliance company, and that's how we got our start and have been thriving since.

So just as a reminder, we get this question a lot. We will be sending a recording of the webinar as well as the slide deck in the next few days, so watch for that. So if you do, you know, wanna review anything or have any questions or have colleagues that you'd like to share some of the information with, we will be sending that out to anyone who registered for the webinar in the next few days.

So with that, we're gonna turn the time over to Russ to get started into the presentation.

I'm so much more used to doing this in front of a real live crowd, so I'm expecting some kind of clapping or something at this point, and it obviously won't happen.

Thanks so much. We have an audience of mixed large covered entities and small covered entities. So the presentation material will, in fact, address both those audiences. Just to give you some kind of a feel of where we're going with the discussion today, I wanna start off by taking you through what's going on in the space and data to help explain why you should do more. When I say you, I'm really talking about your organizations.

The data we'll cover will be data breach data along with related cost data.

And then we'll talk briefly about what makes it tough, or what, if you will, are the challenges associated with implementing proper HIPAA practices and becoming compliant.

And then that obviously leads to questions that we'll answer regarding budgets and costs that you might expect. Obviously, that differs based upon the size of the organization, but we'll give you some ranges there. And then lastly, we'll walk you briefly through the implications of actually implementing these measures into your practices and what you might expect there in terms of steps along the way.

So with that having been said, let me just move on into it.

Our first slide, really, is, you know, it seems like every time you see a presentation, there's an obligatory logo cloud of all the companies with which a presenter is working. This logo cloud I put up is, in fact, not a logo cloud of companies with whom we've done work, but, in fact, represents what's going on in the retail space and beyond.

So you're all familiar, of course, with the recent Target breach. The Target breach actually impacted 40 million cards, or 70 million records. It was one of the largest breaches in the history of the US.

And, you know, in a general sense, it was extremely costly to the company.

The profits for 2014, Q over Q, or quarter over quarter, for the last quarter of the year dropped 46 percent. And estimates indicate that that breach will cost, and has cost, Target well over a billion dollars already. A little less publicized breach, which actually happened shortly after Target, was the Home Depot breach, which is actually bigger at 56 million cards.

And the estimates are that that cost about $200 per card for Home Depot. And, if you will, that takes the cost over $11 billion. Now mind you, these are large, large organizations, but it gives you a feel for not only the impact financially, but how serious the breach activity, or, if you will, the hacker activity, is throughout the world. Other breaches would include JPMorgan at 76 million households and 7 million small businesses.

You're probably not familiar with the TJ Maxx breach or the P. F. Chang's breach or the Neiman Marcus breach. But the point being here is that in the retail space, breaches are almost becoming commonplace.

And for the payment card industry, this is becoming a very, very serious focus on how they can, in fact, reduce this. And one of the things, of course, they're doing now is releasing the new EMV or chip card technology to try to stem some of that vulnerability.

But it does go beyond the retail space. We've seen large breaches recently in the US government. The Office of Personnel Management was extremely embarrassed when nearly 20 million security clearance applications were published on the web. The postal department recently had a breach that affected about 3 million people, both customers and workers. So what we're seeing happen in the space is an ever-increasing frequency and rate of hacker activity.

In specific, for your audience, though, what's happening in the medical space? Well, before we dive into that, let me talk a little bit about how this happens. Now there's a number of ways that it can happen.

Typically, there is some type of an insertion of rogue software into the environment. But before it's inserted, they have to actually get through your perimeter security. And what happens is the hackers, whether they be large-scale organized crime or of the garage variety, they have tools that are called scan tools, which effectively scan the perimeter of any organization.

And what they do is they actually turn this on, and it goes out and pings the IP addresses of each one. He's looking for vulnerabilities, looking for weaknesses. When it finally finds one, then it's able to take advantage of that. In this particular graphic, the hackers may, in fact, be able to go for and attack the large organization directly, or oftentimes, what they'll do is they will gain access to the large organization through a smaller, related organization, whether it's a business associate or a covered entity that's attached. I might go back to the Target breach. That breach was actually through an HVAC (heating and air conditioning) subcontractor.

They went in through the subcontractor into the main system of Target. So it's a real common approach to get in, and we just gotta have our protections, our defenses, our securities, our perimeters as tightly secured as possible. And we'll talk about that more, but this is the anatomy, if you will, of how they get in.

It's not only hackers, if you will, but also, when it comes to HIPAA, we need to be looking at all potential breaches. Sometimes it's just simply non-malicious loss.

An amazingly high percentage of the breaches that happen in the medical space are lost computers or flash drives.

Sometimes they're stolen.

We have a number of problems that have been identified throughout the industry as related to ex-employees.

Sometimes it's not an ex-employee at all. Sometimes it's someone who's actually an employee, and they found that this is a lucrative way to supplement their income. And, of course, if you look at the wall of shame as published by the HHS Office of Civil Rights, it's just a whole lot of unauthorized access and disclosures.

In particular, and you're all familiar with nearly every one of these, but let's just review it again.

Community Health System, CHS, about a year and a half ago now, lost nearly 5 million records, and that was a cost of nearly a billion dollars to them. Anthem has clearly had a tremendous amount of press. They lost 80 million records, at a total estimated cost of about $16 billion to Anthem.

These are huge numbers. These are scary.

Here, we're located in Utah. One of the larger providers here in Utah recently was breached. It wasn't a huge breach. They lost 32,000 records. But nevertheless, for that organization, it's gonna be costing them nearly $11 million. Montana Department of Health Services was breached.

You probably heard that New York Presbyterian Hospital was breached about a year ago. WellPoint, Texas Health, Saint Elizabeth's Medical Center. We could go on and on and on with the organizations who have experienced hacker-related breach activities.

And so each one of these has tremendous costs associated. We'll get into more of why these costs are as high as they are in a bit. But just wanted to kinda walk you through that and arm you, or alert you, or alarm you as to the pervasiveness and the magnitude of this type of activity.

More sobering probably still, this is a graph of recent breach activity, the number of compromised individuals.

In 2012, it was a little under 3 million. 2013, about 7 million. 2014, 12.5 million. And through June of 2015, we've already seen more than 93 million individuals compromised in the health care space. So the activity of the hackers is moving away from the merchant environment or retailer environment to the health care space, and there's a number of reasons for that.

And we'll talk about those. But one of the big misconceptions is, hey, they're only going after the big guys. The list I just showed you, of course, are large, large organizations, but that's really a fallacy. In fact, if you get into the wall of shame data as published by OCR, what you're gonna find is 73 percent of the breaches involve hacks or breaches of less than 8,000 records. And these are typically from smaller covered entities. In this list here, you see that you've got a couple of dentists, a chiropractor.

They're just much smaller organizations being attacked as well. Typically, this is more of a garage variety hacker activity, but the cost to the organization is the same, irrespective.

And so we don't allow anyone to think, hey, it's only the big guys. If you're a smaller covered entity, you're every bit as vulnerable and every bit as valuable a target as the larger ones are. In fact, you're probably an easier target. Your defenses are probably smaller and less sophisticated than that of a larger organization.

Let's talk briefly about the cost and the values.

So first of all, you know, one of the big concerns a lot of people worry about is fines and audits from OCR.

And we'll talk about that. I don't think that's the biggest concern that you ought to have, but it's a reasonable one.

If for no other reason than that it's easily accessible.

The data that comes out of that is published and is, in fact, required by law to be published if your breach is over 500 records. And so what, in fact, does trigger an OCR audit? Well, one of the triggers is random. They typically target about 2,000 entities per year for random audits.

I don't think they've successfully hit 2,000 yet.

It's just typically more like 1,500 to 1,800 random audits. But they try to spread those random audits evenly between the large covered entities and the smaller covered entities. And I say evenly, evenly based upon the number of patients that might be being treated through those organizations. And so small covered entities are, in fact, every bit as much a target of random audits as are the larger entities.

If, in fact, you're ever breached, if it's over 500 records, you have to notify the public. Any breach needs to be disclosed to HHS OCR.

And when you are breached, you will be audited.

Another common trigger for an audit is a disgruntled employee who files a complaint.

Now they know what your weaknesses are. They know what you're doing wrong and right. And if they're mad about the fact they've been separated from employment, they'll oftentimes go ahead and file a complaint, as will your patients if they're unhappy or see practices that disturb them. Anyone can file a complaint. And in fact, since 2003, there have been over 100,000 complaints filed. Most of those, in fact, probably about 80 percent of those, have happened in the last four years.

There are penalties associated with violations of HIPAA. You may all be familiar with this. There are four classifications for the penalties. If you're, in fact, found to be deficient or noncompliant with the regulations, but you've made reasonable efforts, then you could, in fact, expect to see fines that range between $100 and as much as $50,000 for the noncompliance.

It's capped at $1.5 million per year, but that is per violation.

So it can add up pretty quickly. There's reasonable cause, which means that you did stuff. You should have known about it. You're working on it. But, nevertheless, the noncompliance existed, and now the fines move from a minimum of $100 to a minimum of $1,000, up to $50,000, again capped at $1.5 million. Willful negligence, effectively, is where there's a big problem. It's known.

After you've been audited, you quickly fix the problem.

Then for willful negligence, these things that you should have been able to identify, should have corrected, but didn't until after you were audited, you'll be looking at fines between $10,000 and $50,000. And then there's willful negligence not corrected. That's where they come in to do the audit, or you've been breached and they find it. They notify you of the reason, and you don't do anything about it, and then you're guaranteed $50,000 per violation per year.

So, these are fines. They're real, and they hurt.

Some examples of fines, you'll notice these are a collection of sort of medium-sized covered entities and a few smaller ones. But, you know, we could go on with the list. You can go out and, in fact, if you look in the notes on this, it'll tell you where the website is to kind of explore and peruse through the fines that have been issued and the violations that have been identified, along with all the breaches. And it's a massive database, quite a useful site in terms of the way you can look at the data.

It's not only OCR you've gotta worry about, though. State attorneys general have been empowered through the OCR as an act of Congress; part of the omnibus ruling of 2013 allows state attorneys general to enforce HIPAA. And they are allowed to keep the monies that are associated with fines.

You also have the FTC, which is now involved. And additionally, the courts are very, very involved, and we'll get to that in a minute. But because we have a standard, if you will, HIPAA, that now becomes the benchmark around which all civil penalties are based. And so if a patient or any other individual gets compromised as a result of a noncompliance on your part, that certainly is a valid lawsuit and will likely end up in the courts.

So let's continue to look at the size of the problem here.

If you go into, again, the wall of shame database, there are over 213 million patient records that have, in fact, been compromised to date. That's two thirds of the population of the United States. Now remember, of course, this database is only US. And so that is, you know, effectively a room of ten people.

Seven of them have experienced some kind of a breach, and their records have, in fact, been compromised.

There have only been $25 million in fines so far, as published by the OCR.

And I'm gonna come back to that in just a second here. But if you will, one of the questions that should be going through a lot of your minds is why the shift to medical? Why do we see that large hockey stick in the graph that showed the number of breached records? Well, the reason is pretty simple.

It's economics. Credit card data, which was the previous major target of hackers, is worth about $2 per card on the black market. Medical data, on the other hand, is fetching, actually, $58 per record, but about $60 per record. And, you know, there's a variety of reasons why that has the value.

Of course, it has all the value that a credit card would have because you can use it for credit fraud.

But it carries so much more. It has the ability to be used for, you know, pharmaceutical fraud, for insurance fraud. They can sell it to uninsured parties to then get insured or, if you will, get medical coverage under some other identity.

It's also been used a lot, if you will, just by large-scale organized crime in insurance fraud. Just going and collecting, you know, hundreds of thousands of dollars in fraudulent claims. And by the time it's determined that it's fraud, usually the perpetrators are long gone.

In terms of a covered entity, what does it cost you to fix it? And I'm gonna come back to exactly what these numbers, or these dollars, derive from. But in terms of the number of records, so if you had a breach of, let's say, 1,000 records, you can look at $358 per record just to clean the mess up. Now when I say clean the mess up, that's sort of the immediate activities that have to happen with respect to each one of those records.

But if any of those records, or a collection of those records, actually make it into the public space and actually get used for fraud, if you will, compromising patients, and the records are utilized for identity fraud in any way, shape, or form, be it credit or medical or otherwise, to clean that up on average costs approximately $13,500 per patient. So if you think about it, just 75 compromised records or patients would cost over a million dollars.

You know, and it's easy to understand where this comes from because if I as an individual had my records compromised, it typically takes about three years to clean the mess up. And every time I go into a medical facility for coverage, every time I try to get a loan, every time, this keeps popping up again and again, and it takes a fair amount of work and money to clean the problem up. And typically, it costs between $60,000 and $100,000 to clean the personal records of any individual up. And, in civil courts, that's treble damages. So you're gonna get three times whatever the actual costs are. So if it's between $60 and $100 million, it can get very expensive, very quickly.

What are the costs? So when you get breached, you have to do a forensics investigation. That is, you have to bring in experts. They're certified and licensed to do forensics activities.

They come in and they figure out how the breach happened. You're required to do that. Then you have to, as quickly as possible, remediate those problems. You have to notify all the compromised or affected individuals.

You have to replace all the cards and cover the costs associated with that. Any identity monitoring, repair, and restoration is a fee that's gonna fall back to the compromised entity.

There's regulatory fines. We talked about the fines.

There's another cost that is very, very real is disruption to your normal business operations. This is a huge distraction from that which you want to be focused on. Anthem is spending a tremendous amount of resources on cleaning up, you know, the aftermath of their breach. And there's lost business.

When this becomes known, clients, patients, they move their business to some place they feel might be more secure. It's been estimated in most of the studies that somewhere between 30 and 45 percent of your patients will in fact leave you as a result of a breach. And then lastly, there's the civil lawsuits that can be associated. It all adds up very, very quickly.

Well, what do you do? Okay. We've now talked about the financial aspects. Fine. What do we do to clean this up?

It's not really about finding time. And I will admit that it takes time. It takes time to get it right. It takes time to make sure these things don't happen.

It's not fun. I've oftentimes used the analogy that it's quite similar to a prostate exam. It's not something you want to do. It's something you ought to do.

So what you wanna do, given a commitment to become compliant and improve your security and reduce the probability of a breach, what you really wanna do is focus on maximizing the time that you invest in it.

It's a little bit difficult. If you look at any organization, whether it be a small covered entity, the executive there is, in fact, the doctor, typically.

If it's a larger entity, you have executives.

Their primary focus is doing all they can to increase revenue while reducing costs and dilution to their resources.

But if you were to ask them how important it is not to become the next Anthem, they'll say, yeah, that's important too. But it wouldn't be on the top of any executive's mind. It's not on the top of any doctor's mind.

Again, though, if you raise it to their attention, they say, yeah, yeah, we gotta do that.

One of the things that's been very interesting, we've done some analysis. We actually are about to publish a report wherein we surveyed approximately 400 different health care providers.

And we found, as we interviewed both the executives and their compliance, risk, and IT staffs, that the executives believe that they're 10 to 20 percent more secure or more compliant than, in fact, their supporting organizations do. So you go and you ask an executive. He said, oh, yeah, we're about 80 percent compliant. And if you talk to the IT staff or the compliance officers, they will typically tell you that it's something more like 60 if their executives thought it was 80, or if the executives think they're 50, then it's typically more like 20. So we find there's a huge disconnect. Most executives are much more optimistic and rosy in their assessment of where your organization stands with respect to compliance and security.

And so you need to spend time educating them on where you really are.

It's complicated.

If, you know, you start to dig into HIPAA, it's fundamentally fairly difficult to understand. The regulation is just shy of 100 pages.

It is loaded with terms and vagaries that make it very, very difficult to understand. And then when you get into the specifics, there's discussions about encryption standards, vulnerability scans, risk analysis, penetration tests, firewall management, risk management plans, implementation and tracking training, policies and procedures, intrusion prevention, log monitoring, and on and on goes a list of things that need to be comprehended in a meaningful approach to compliance.

To make things even worse, the whole space is covered with acronyms, and this is fundamentally a function of the medical space in general. But, you know, BA, HHS, OCR, HITECH, CSSOs, or CISOs as they're oftentimes called, CEs, PHI, EMRs, MU. You know, we walk through this plethora of acronyms.

And there's just so many that we have to deal with there that oftentimes that can become an alphabet soup of its own that makes things even more confusing for the implementers.

Normally, it says often here, but I'd say normally, to do a proper job of attacking HIPAA requires that you have outside resources that are focused and expert on this domain. It's time consuming and stressful.

One of the big problems for most organizations is just determining who is in fact accountable. Is it administration? Is it the compliance or risk officer? Is it the IT staff?

An awful lot of organizations wanna throw it at the IT staff. Everybody wants to protect the data, but when you look to the IT staff to do it, we must remember that they're also responsible for your record systems and your networking, your disaster recovery, supporting your users' help desk. And the list goes on and on of what IT is expected to do. And they typically tend to wanna put their resources on those things which have the highest visibility and the quickest payback.

And so oftentimes, security and HIPAA compliance take a fairly major backseat role to the other activities they're responsible for. In addition, even if you do make them responsible for the implementation of security practices and HIPAA compliance, and, of course, a lot of HIPAA compliance goes beyond just data security and includes privacy and other practices. But nevertheless, it's highly recommended by anyone in this space that you have an independent organization or person within your group who is responsible for verification, to make sure that things are in fact done properly, that the proper level of prioritization has been provided to data security and compliance.

Budgeting is not nearly the problem it could be if you just educate your executives on the potential risk and cost associated with not being compliant and being breached.

Most organizations ask us the question of what, in fact, does it cost to become compliant and to tighten up your security so that you're not an obvious target.

Before I walk into the cost, let me just point out that breaches or hackers, hackers take the same type of mentality that a house burglar would use. House burglars seldom break windows or bust in doors. They work down the street looking for the open garage, the unlocked front door, unlocked back door, or the window that's left open. They look for the easy targets, the easy places to get in. Same thing happens in this space. Your hackers are looking for the easy targets. And so when they do those scans, they're looking for the organizations that have easily leveraged vulnerabilities.

What does it take to kinda clean that up, to tighten it up so that you're both compliant and have dramatically reduced risk? I say dramatically reduced risk because you can never eliminate the possibility of a breach.

A determined hacker can get into almost any environment, but they typically go to that which is easy.

So for a small covered entity, this would be a small practice of maybe one to three physicians, staffs of under 25 people. Typically, for risk analysis and risk management plan, you're looking around $2,000. The activity that comes off that that requires attention will usually run between $1,000 and $8,000, depending upon how much work you've already put into it. You need to deploy training and policies throughout your organization. And usually, for a small covered entity, to go from point zero to compliant and significantly more secure, you're looking at something between $4,000 and $12,000.

For larger entities, they would require an on-site audit.

Now I'm talking about small hospitals up through large HMOs.

You wanna have someone come on-site. Typically, that's upwards of $40,000, not always. Small organizations, we've done several that have been in the $20,000 range. But, you know, typically they're north of $40,000.

And you kinda walk through the different things that you do. Typically, a large organization will want to have a penetration test done, which effectively is a white hat organization acting as though they're black hat.

Acting as though they're actually trying to truly hack into your environment, and they identify problems. And there are special tests. It's significantly more intrusive than a simple vulnerability scan.

And then you've got your training and your policy development. And the remediation for large organizations is highly variable. On average, we find that for most medium- to large-sized entities, it's about $70,000 in the range, typically moving from $40,000 to $120,000 and up. Some very large organizations, you know, clearly, if you were to go in and do Anthem or Kaiser or Intermountain or one of those large organizations, you'd be looking at significantly more money than that.

Security needs to be done. And, if you will, HIPAA compliance needs to be done in a top-down approach. And we'll talk about both of these things.

If you don't have support from the top, you're wasting your time. You're gonna run into conflicts of interest constantly, over and over again, and competing priorities. So you have to have buy-in and, you know, full support from upper management.

HIPAA does have three primary areas. There's the security rule, the privacy rule, and the breach notification rules. Again, these are all handed down and outlined in the HIPAA rule as defined by Congress and finalized in 2013.

We recommend that you start with a prioritized approach.

There's a lot of very simple things that can be done that both improve your compliance and dramatically reduce the risks, or, if you will, improve your security. And those typically are focused, number one, on making sure your firewalls are properly configured. Then looking at remote access. And in fact, in most cases, we'd say remove or eliminate remote access in all except for some very, very limited cases. You wanna make sure you have antivirus installed on all of your systems. And, of course, we all are familiar with that for our laptops, but that needs to be pervasive throughout your environment, and it needs to automatically update on a regular basis.

Wireless access points tend to be a huge problem for most organizations, so we recommend that you make sure that all of your access points are password protected and have an encryption policy or encryption settings of WPA2 or greater, if you will.

We also recommend that you segment your guest access from the production access.

We oftentimes find that the two are intermingled, and that provides guests taking advantage of your wireless sort of unfettered access to areas and data they shouldn't have.

Fairly simple fix, but oftentimes ignored. All accounts and passwords: each one of your employees needs to have his own account, and then you need to have password policies that are sufficiently strong to make sure that hackers can't get in. It's amazing the algorithms they use that quickly check very, very common passwords based upon names or geography, etcetera. And they're found to be successful about twenty percent of the time. And then lastly, there's a very, very simple thing, which is making sure that all of your terminals and workstations have an automatic session time out or log out turned on. So that in fact, within five to fifteen minutes, those workstations are inaccessible.

We take again a piecewise approach. We recommend that you start again with those, we call it the breach correction checklist, but the very easy things that truly improve, again, going back, improve your security by about ninety percent. You do these things. You've made sure your garage door is closed.

You've locked your doors and you've closed all your windows. And so you've made it so most hackers move on just by doing those things there. So that's what we call the breach correction checklist. But then you immediately have to kinda move into an environment that says, okay.
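The checklist items above (configured firewalls, remote access removed, auto-updating antivirus, WPA2-or-better wireless, guest traffic segmented from production, one account per user with a strong password policy, and a session timeout of fifteen minutes or less) lend themselves to a scripted self-check. The following is an added example, not code from the webinar or from SecurityMetrics: it audits a constructed device inventory against those items and reports every failure. The inventory format, the field names and the twelve-character password threshold are assumptions chosen for the example; the sample data is made up.

```python
# Added example: audit a constructed inventory against the webinar's
# "breach correction checklist". Inventory schema and thresholds are
# assumptions for this example, not a SecurityMetrics or HHS artifact.
from dataclasses import dataclass
from typing import List, Optional

MAX_IDLE_MINUTES = 15                 # transcript: lock within five to fifteen minutes
MIN_PASSWORD_LENGTH = 12              # assumed policy threshold
ACCEPTABLE_WIFI = {"WPA2", "WPA3"}    # transcript: "WPA2 plus, or greater"


@dataclass
class Workstation:
    name: str
    firewall_enabled: bool
    remote_access_enabled: bool
    antivirus_installed: bool
    antivirus_autoupdate: bool
    idle_timeout_minutes: Optional[int]   # None means no automatic lock/logout
    shared_account: bool                  # True if several staff share one login


@dataclass
class AccessPoint:
    ssid: str
    encryption: str    # "Open", "WEP", "WPA", "WPA2" or "WPA3"
    vlan: int
    guest: bool


@dataclass
class Inventory:
    workstations: List[Workstation]
    access_points: List[AccessPoint]
    min_password_length: int
    password_complexity: bool


def audit(inv: Inventory) -> List[str]:
    """Return one finding per failed checklist item (empty list means clean)."""
    findings = []
    for ws in inv.workstations:
        if not ws.firewall_enabled:
            findings.append(f"{ws.name}: host firewall disabled")
        if ws.remote_access_enabled:
            findings.append(f"{ws.name}: remote access enabled (remove unless strictly needed)")
        if not ws.antivirus_installed:
            findings.append(f"{ws.name}: no antivirus installed")
        elif not ws.antivirus_autoupdate:
            findings.append(f"{ws.name}: antivirus does not update automatically")
        if ws.idle_timeout_minutes is None or ws.idle_timeout_minutes > MAX_IDLE_MINUTES:
            findings.append(f"{ws.name}: session timeout missing or above {MAX_IDLE_MINUTES} min")
        if ws.shared_account:
            findings.append(f"{ws.name}: shared login (each employee needs an own account)")

    # Guest SSIDs must not land on a VLAN that production SSIDs also use.
    production_vlans = {ap.vlan for ap in inv.access_points if not ap.guest}
    for ap in inv.access_points:
        if ap.encryption not in ACCEPTABLE_WIFI:
            findings.append(f"AP {ap.ssid}: encryption {ap.encryption} is below WPA2")
        if ap.guest and ap.vlan in production_vlans:
            findings.append(f"AP {ap.ssid}: guest SSID shares VLAN {ap.vlan} with production")

    if inv.min_password_length < MIN_PASSWORD_LENGTH or not inv.password_complexity:
        findings.append("password policy below assumed minimum (length or complexity)")
    return findings


def readiness(inv: Inventory) -> float:
    """Fraction of checklist checks passed: 5 per workstation, 2 per AP, 1 policy."""
    total = 5 * len(inv.workstations) + 2 * len(inv.access_points) + 1
    return 1.0 - len(audit(inv)) / total


# Constructed sample inventory for a small clinic (not real data).
SAMPLE = Inventory(
    workstations=[
        Workstation("FRONTDESK-01", True, False, True, True, 10, False),
        Workstation("EXAMROOM-02", True, True, True, False, None, True),
        Workstation("BILLING-03", False, False, False, False, 30, False),
    ],
    access_points=[
        AccessPoint("clinic-staff", "WPA2", 10, guest=False),
        AccessPoint("clinic-guest", "WPA2", 10, guest=True),
        AccessPoint("legacy-printer", "WEP", 10, guest=False),
    ],
    min_password_length=8,
    password_complexity=True,
)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FAIL:", finding)
    print(f"checklist readiness: {readiness(SAMPLE):.0%}")
```

Feeding the script a real inventory export is left to the reader; the point is that every item on the checklist can be turned into a yes/no check that is re-run after each change, which is also the kind of evidence an auditor asks for.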

So where is all my data?

You can't protect it if you don't know where it is. And so we recommend that that be, if you will, one of the very first activities: identifying the data and the flow of that data. Then move into your risk analysis, the risk management plan, and its associated implementation, which includes perimeter vulnerability scans. These are just normal scans which are actually very similar to those which a hacker uses to identify vulnerabilities that might exist in your perimeter.

You need to put in place policies and procedures that are customized and specific to your organization.

There are a myriad of templates available out there. It usually makes sense to have trained professionals help with the customization of those templates, but nonetheless, it's not a daunting process.

It does need to be specific to your organization. Part of the audit process is to find out if you're actually following your own policies and procedures, and if in fact your employees know the common ones. So they'll ask your employees, what is your password policy here?

And then verify that it's actually being followed. You need to implement training. You need to have a list of all your business associates, and that includes contact information along with status and a file of all the updated business associate agreements, which basically puts your business associates on notice that they have to comply with HIPAA in all their dealings with the data that you share with them. And then you have to have a breach notification policy. It's a progressive approach. You don't do any one of these all at once. You kinda work on them simultaneously and move the front forward.

The blue square here, these are all things that are in fact required by HHS as part of the HIPAA requirements. And the last note here is documentation is everything. In fact, one of the common terms or statements made by HHS over and over again is, if it isn't documented, it didn't happen.

Understand your reality.

Even if you feel like you're in pretty good shape, there's a good chance you're behind. Identify all the risks and then make sure that your top executives, or in the smaller CE cases, your doctors, really understand where they are.

When we talk about HIPAA, they talk in terms of risk. So the three terms they use are vulnerabilities, threats, and risk. Vulnerabilities are the weaknesses in your environment, your computers, your copiers, your fax machines, etcetera.

Threats are really the things or people that could exploit the vulnerabilities, and identify who and what those might be. And then risk is the probability that it might happen. And by combining these three things in the risk analysis, you're able to determine which things should be the highest priority, which things should attract your attention first and be resolved first, and which things can be left to wait for later.
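To make the vulnerability / threat / risk vocabulary concrete, here is an added example, not from the webinar, of a small risk register that records each weakness with the threat that could exploit it and a likelihood rating, then orders the items into "resolve first", "schedule" and "defer" tiers. The impact rating and the numeric scale are assumptions added for the example, since the transcript only names the three terms; the register entries are constructed.

```python
# Added example: a minimal HIPAA-style risk register. Ratings, scale and
# tier cut-offs are assumptions for illustration; entries are constructed.
from dataclasses import dataclass
from typing import List, Tuple

RATING = {"low": 1, "medium": 2, "high": 3}   # assumed 3-point scale


@dataclass
class RiskItem:
    asset: str          # where the weakness lives
    vulnerability: str  # the weakness itself
    threat: str         # who or what could exploit it
    likelihood: str     # probability it happens (the transcript's "risk")
    impact: str         # assumed extra factor: what is lost if it happens


def score(item: RiskItem) -> int:
    """Risk score = likelihood x impact on the assumed 1..3 scale (1..9)."""
    return RATING[item.likelihood] * RATING[item.impact]


def tier(item: RiskItem) -> str:
    """Map a score to a remediation tier (cut-offs are assumptions)."""
    s = score(item)
    if s >= 6:
        return "resolve first"
    if s >= 3:
        return "schedule"
    return "defer"


def prioritize(register: List[RiskItem]) -> List[Tuple[str, int, RiskItem]]:
    """Return (tier, score, item) sorted highest score first, stable on ties."""
    ranked = sorted(register, key=score, reverse=True)
    return [(tier(item), score(item), item) for item in ranked]


# Constructed register for a small practice (not real findings).
REGISTER = [
    RiskItem("fax server", "unpatched operating system", "external attacker", "high", "high"),
    RiskItem("clinician laptop", "disk not encrypted", "theft or loss", "medium", "high"),
    RiskItem("copier", "hard drive retains scanned records", "disposal vendor", "low", "high"),
    RiskItem("wireless", "guest SSID on production VLAN", "visitor on guest Wi-Fi", "medium", "medium"),
    RiskItem("lobby printer", "status page shows firmware version", "curious bystander", "low", "low"),
]

if __name__ == "__main__":
    for t, s, item in prioritize(REGISTER):
        print(f"[{t:13}] {s}  {item.asset}: {item.vulnerability} <- {item.threat}")
```

The ordering is what the risk management plan is built from: the top tier becomes the first remediation cycle and is documented as such, which matters because the documentation of the decision is itself something HHS expects to see.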

I talked about the PHI map or, if you will, the data flow. We have to identify where all your data is, which devices actually have access to data, and it's amazing. It's pervasive in the medical space. The data exists everywhere. And so actually identifying which components have access to data and what data is actually there is invaluable.

This requires interviewing departments and talking about the data they use and are able to collect and that which they share, etcetera, and then creating a comprehensive map of both the data and the flow.

You also need to, as mentioned before, have vulnerability scans. These are things that are required by the HIPAA regulation. You need to do both internal and external vulnerability scans. External are much less intrusive, but they tell a lot. And regularly run external vulnerability scans do a tremendous amount in a fairly easy fashion.

Internal vulnerability scans are a lot more work.

They're more intrusive, but once you've gotten clearly past the external scans, we recommend moving into internal scans, which can identify other potential problems. Then penetration tests, which is basically looking at the flaws in your environment.

It's a black hat approach to your environment, and we'll come back to this in a second. But also, we use automated, or many companies, including ourselves, use many automated tools to actually exercise and stress your third party applications and the networking environment you set up. And then Nmap scanning is basically that which verifies the data map that we talked about before and actually looks and says, okay, how is my network configured? How does the data flow? And they're automated tools that actually track how data moves inside of your organization.

Going back on this, penetration test: one of the parts of a penetration test is, if you will, a synthesized bad guy walk through, where we would recommend you have someone actually play the part of a hacker. And there's lots of games they play in terms of asking for access, being a service provider. You know, it can be whether it's a maintenance person or it's one of your IT providers. There are things that should be, in fact, protected and are very easily overlooked. We also look for things like making sure that, in fact, your terminals have, in fact, timed out, and that the passwords are reasonable. And now we can go with this, but this makes a lot of sense to employ in addition to what would be called a normal mock audit, which is what HHS would do should they show up to audit your environment.

You wanna make sure you use trained professionals.

You know, the truth is that there are IT people, as I talked about earlier in the presentation, and they're buried. They're burdened.

They've got a lot of things they need to be working on to keep your organization up and running. And one of the areas they're typically not expert in is that of HIPAA. And in fact, they're oftentimes not very expert in security.

They're very good at working with security professionals to implement the right procedures and protections, but they're really more about setting up the environment so that you can get production work done than they are about worrying about security. So using the wrong people is a little bit like, you know, asking a neurosurgeon to perform a coronary bypass. Probably could do it, but it doesn't make sense.

You know, you wanna take professionals and use them in their space of expertise.

Training, you know, you've got a large staff.

Well, you may have a small staff. It doesn't matter. You really need to make sure that anyone who has access to, receives, transmits, or maintains patient health information should, in fact, go through regular trainings. Again, required on an annual basis by the HIPAA mandate. So make sure that's in place.

We would recommend and encourage you to protect your patient data like you protect their health. I mean, you're in that space.

A compromised patient is a damaged patient.

The conclusions: hacks and breaches are commonplace. The problem is getting worse.

There's no entity that's being spared, whether you're large or small.

I didn't really point this out as we went through it, but I think it's important to realize that compliance does not equal security and security does not equal compliance. There's a large amount of overlap, but they are, in fact, separate disciplines that need to be focused on independently.

If you don't get breached, if in fact you make sure you're secure, then the concerns you have for the normal operation of your business should diminish dramatically.

Patient data does matter. And, again, we'd encourage you to protect it as though it was your own. And with that, we'd like to turn it over to questions, and I'll turn it back to Colin.

Okay. Thank you all for your participation.

We're gonna let some of these questions come in. So just give us one second as we kinda get organized to address them.

Okay. One really good question, Russ, is they mentioned you talked a lot about cost estimates and things like that. But what kind of estimate on time to get compliant, to take care of risk analysis, etcetera?

Good question.

You know, the interesting thing about HIPAA, unlike many, many standards that exist out there, is that the concept of HIPAA is that it is not a destination, but in fact, it's a journey. And so you, in fact, protect yourself from the fines and a certain amount of liability by just being in the process of becoming compliant. So, you know, the first thing is get started.

But then, you know, the specific question was how long does it actually take? Well, obviously, that's a bit of a variable depending upon where you are when we get started.

But most organizations that get very committed to it can get from some point of quasi compliance to full compliance within four to six months. That's being very, very aggressive though. We find that most organizations tend to take something more like two years to move through the process. And, of course, we recommend you start with the highest priority activities first, and then work towards the less important, less strategic activities towards the end. But we found an awful lot of, especially large, organizations taking as much as two years. In terms of time to individuals, for an awful lot of our smaller CE clients, smaller covered entity, CE, again, one of those acronyms.

If we're talking about a doctor's office with, say, one or two physicians and something around twenty employees, usually the office manager and the IT provider are the primary recipients of the workload.

And if in fact you were to try to move from wherever you are to a state of fairly high compliance over the course of a year, we find that it typically takes, and it's front end loaded, I might add, but if you were to spread it evenly throughout the year, it's about an hour a week for the office manager and a little more than that for your IT people.

So, you know, over the course of a year, it's fifty hours to an office manager and something a little greater than that in terms of IT support services.

So it's not free. It takes effort. It takes focus. It takes time.

Great. So another good question kinda going back to some business associates and the relationship between them.

They asked, do you need to have a business associate agreement from all companies that upload patient data for appointment reminders on file in case of a HIPAA audit, or, you know, do you need something downloaded off their site?

What do you really need in terms of a business associate agreement, and when do you need that?

Yeah. There are, I'm trying to remember the exact number, but it's roughly twenty fields or types of data that are designated as protected data. And it includes name, includes address, includes social security number, it includes a number of things. But if you're sharing any of that data with any third party, they need to have signed a BA or a business associate agreement that effectively notifies them.

It's not a copy. It notifies them that they are subject to the same rules and regulations that you're required with respect to protecting that data. And they would then accept the liability associated with any loss of that data. So it really protects you to a tremendous degree to get those agreements in place.

And any serious business associate will understand that they need to do that. In fact, we find that one of the more aggressive parts of the market space is the business associate space. They're actually looking to use it as a differentiator when they compete with other business associates. They wanna be able to say, we've been audited and we've been certified to be compliant.

So, yeah, we're willing and ready to sign your business associate agreement. For small entities, of course, that may not be the case, but you really need to get that in place. It's a fairly simple document, usually less than two pages, and it can in fact be downloaded or acquired from, you know, organizations that specialize in HIPAA. So it's not hard.

It's not onerous, but it does protect your organization from the liabilities. And should you be audited, you actually have a copy of that agreement in place so you can prove to HHS that you've done that part of the due diligence.

And in the case of a business associate, let's say, breach or compromise, if there was a BAA in place, does that totally take the covered entity off the hook?

The primary liability then goes to the business associate.

You know? In courts, they will oftentimes cast about for whoever has the deepest pockets. So I wouldn't wanna say you're totally off liability, because you're not.

Perfect.

Well, it looks like that wraps up the questions that have come in. Once again, if you have any more questions, please contact us at HIPAA at SecurityMetrics dot com, and we'll promptly respond and see if we can't get you on the road to compliance and a little more secure. We're gonna get you out a couple minutes early so you can get back to your work and prioritizing HIPAA compliance, hopefully. So we appreciate everyone's attendance and, Russ, the presentation, and we'll be sending out the recording and slides within the next few days. Thank you.