Choose one of the types of security threats to health information you have reviewed in your work in this module and find a real-world example where that type of threat resulted in a security breach. In a three-page paper, using APA format, summarize the type of threat, the breach that occurred, and what you would recommend as part of a Security Plan to have prevented, detected, and mitigated that breach.
Types of Security Threats
The Health Insurance Portability and Accountability Act (HIPAA), signed into law April 21, 1996, requires the use of standards for electronic transactions containing healthcare data and information as a way to improve the efficiency and effectiveness of the healthcare system. Title II of the law was designed to protect not only the privacy of healthcare data and information but also the security of the data and information. Security refers to protecting information from loss, unauthorized access, or misuse, and also keeping it confidential. This chapter introduces the HIPAA Security Rule, which closely aligns with the Privacy Rule. Although the rules complement each other, the Privacy Rule governs the privacy of protected health information (PHI) regardless of the medium in which the information resides, whereas the Security Rule governs PHI that is transmitted by or maintained in some form of electronic media (that is, electronic protected health information, or ePHI). ePHI is all “individually identifiable health information held or transmitted by a covered entity (CE) or business associate (BA), in any form or media, whether electronic, paper, or oral” (HHS 2014). The Privacy Rule calls this information “PHI”. The chapter begins with a discussion of the purposes of the rule, its source of law, scope, and to whom the law applies. The chapter suggests a process for complying with the rule and outlines the five key components of the rule. Where appropriate, the chapter also discusses changes to the Security Rule as a result of the Health Information Technology for Economic and Clinical Health (HITECH) provisions of the American Recovery and Reinvestment Act of 2009 (ARRA). The HITECH Act was passed to promote the adoption and meaningful use of health information technology. Subtitle D addresses privacy and security and strengthens the civil and criminal enforcement of the HIPAA rules.
It concludes with a discussion of the role of a security officer, how the rule is enforced, and the penalties for noncompliance with the rule.
The security standards in HIPAA were developed for two primary purposes: to implement appropriate security safeguards and protect electronic healthcare information that may be at risk, and to protect an individual’s health information while permitting appropriate access and use of that information. The standards ultimately promote the use of electronic health information in the industry, which is an important goal of HIPAA (HHS 2007a). The HIPAA Security Rule requires covered entities (CEs) to ensure the integrity and confidentiality of information, to protect against any reasonably anticipated threats or risks to the security and integrity of information, and to protect against unauthorized uses or disclosures of information. As a reminder, CEs are the individuals and organizations that must comply with HIPAA, as discussed later in the section, Applicability. The Security Rule defines integrity as data or information that has not been altered or destroyed in an unauthorized manner, and it defines confidentiality as data or information that is not made available or disclosed to unauthorized persons or processes (45 CFR 164.304). Ultimately, the Security Rule seeks to ensure that CEs implement basic safeguards to protect ePHI from unauthorized access, alteration, deletion, and transmission, while also ensuring that data or information is accessible and usable on demand by authorized individuals.
As discussed in chapter 10, HIPAA (of which security is only one piece) was enacted by Congress in 1996 and became federal statutory law. The Department of Health and Human Services (HHS) published the final Security Rule in the Federal Register, Health Insurance Reform, Security Standards, Final Rule (45 CFR Parts 160, 162, 164(a), and 164(c)) on February 20, 2003 (HHS 2003). The rule established security standards to protect ePHI. CEs were expected to be in compliance with the rule by April 20, 2005, and small health plans by April 20, 2006. Changes to the HIPAA Privacy and Security Rules were passed in February 2009 as part of the HITECH Act of the ARRA Act of 2009 (ARRA 2009). The HITECH Act was designed to promote widespread adoption of electronic health records (EHRs) and electronic health information exchanges (HIEs) to improve patient care and reduce healthcare costs. To achieve these goals, HITECH identified requirements to strengthen the privacy and security protections under HIPAA to ensure patients and healthcare providers that their electronic health information is kept private and secure. In July 2010 and May 2011, HHS published proposed rules to implement some of the HITECH provisions and modify other HIPAA requirements (HHS 2010a). The 2010 proposed rule went into effect with publication of the January 2013 final rule titled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.” The 2011 proposed rule is still pending (AHIMA 2013a).
Until 2009, the Centers for Medicare and Medicaid Services (CMS) were responsible for oversight and enforcement of the Security Rule, whereas the Office for Civil Rights (OCR) within HHS oversaw and enforced the Privacy Rule. In the latter half of 2009, authority for oversight and enforcement of the HIPAA Privacy and Security Rules was consolidated under the OCR (HHS 2009a). CMS continues to have authority for enforcement of administrative simplification regulations other than privacy and security (preventing healthcare fraud and abuse, and medical liability reform).
HIPAA consists of five titles. The Security Rule is one of five administrative simplification provisions in the law (privacy, security, transaction code sets, unique national provider identifiers, and enforcement). The scope of the Security Rule is to protect individually identifiable health information that is transmitted by or maintained in any form of electronic media. The Security Rule defines electronic media to mean electronic storage media including memory devices in computer hard drives and any removable or transportable digital memory medium, such as magnetic-type storage or disk, optical disk, or digital memory card; or transmission media used to exchange information already in electronic storage media, such as the intranet, extranet, leased lines, dial-up lines, private networks, and physical, removable, transportable electronic storage media (45 CFR 160.103).
Congress published the first set of security standards for public comment in 1998. At that time, many of the public comments concluded that the rules were too prescriptive and not flexible enough. As a result, the final rule includes standards defined in general terms, focusing on what should be done rather than how it should be done. Efforts were made to make the rule technology neutral (meaning that specific technologies are not prescribed in the rules, which allows the use of the latest appropriate technology) and flexible, so that CEs could choose the security measures that best meet their technological capabilities and operational needs while complying with the standards. The flexibility and scalability (the concept that the threshold of compliance varies with the size of the CE) of the standards make it possible for any CE, regardless of size, to comply with the Rule.
The Security Rule comprises five general rules and a number of standards that encompass 1. general requirements; 2. flexibility of approach; 3. standards related to administrative, physical, and technical safeguards; organizational requirements; policies, procedures, and documentation requirements; 4. implementation specifications; and 5. maintenance of security measures (see figure 12.1), all of which will be discussed later in the chapter.
Until HIPAA was enacted, there were no generally accepted security standards for protecting health information. There were, however, a number of state and federal initiatives that addressed privacy, as discussed in chapter 10. With increased reliance on the use of information technology to electronically capture, store, retrieve, transmit, and exchange health information, Congress recognized the need for national security standards, resulting in the HIPAA Security Rule. The Privacy and Security Rules work in tandem to protect health information. The Privacy Rule set standards for how PHI should be controlled by establishing uses and disclosures that are authorized or required and what rights patients have in regard to their health information.
The Security Rule was written to protect ePHI and to guide how electronic health information can be accessed appropriately. There are two primary distinctions between the HIPAA Security Rule and the HIPAA Privacy Rule:
Source: Adapted from Scholl et al. 2008.
compliance was required in 2005 at the earliest, actions taken by CEs to implement the Privacy Rule may have addressed some security requirements. However, the Security Rule provides far more comprehensive and detailed security requirements (HHS 2007a, 4).
For example, to address the growing concern for the use of devices and tools that enable access to or use of ePHI outside the CE’s physical purview, HHS issued a HIPAA Security Guidance report on remote access (HHS 2006a). The report lists risks of off-site use or access and possible risk management strategies for identified risks. It also contains potential security strategies for conducting business activities through 1. portable media/devices (such as USB flash drives) that store ePHI; and 2. off-site access or transport of ePHI via laptops, mobile devices, home computers, and other personal equipment. The report also encourages rigor in policy and procedure development for off-site use or access to ePHI (HHS 2006a).
The Security Rule applies to individuals or organizations identified as CEs and, with the recent enactment of the HITECH provisions, business associates (BAs) and the subcontractors of BAs. The Security Rule applies to the following covered entities (CEs):
HITECH holds BAs to the same standards as CEs in regard to protection of health information. BAs are identified as such by the types of functions they carry out, not by contract only.
These changes are a result of HITECH, which requires BAs to comply with the Security Rule provisions mandating administrative, physical, and technical safeguards, in addition to adhering to the terms of their BA agreements. They must also adhere to Privacy Rule requirements, which were discussed in chapter 10. The definition of a BA has been revised to include subcontractors of BAs, who must also follow the Security Rule or be held liable for violations. BAs must execute BA agreements with their subcontractors as well (HHS 2010a). In addition, the definition of a BA has been expanded to include entities that manage the exchange of PHI through networks, including patient locator services, e-prescribing gateways, other entities that provide data transmission services of PHI to a CE and require routine access to such information, and vendors that contract with CEs to offer personal health records to patients as part of the CEs’ EHRs (HHS 2010a). Thus, the Security Rule now applies to a broader range of individuals and organizations (CEs, BAs, and BA subcontractors) in an effort to further protect the privacy and confidentiality of ePHI.
Security is not a one-time project but an ongoing process that requires constant analysis as the business practices of the CE and BA change, technologies advance, and new systems are implemented.
HHS has a seven-step guide to implementing a security management process:
CEs and BAs must decide which security measures to implement, using a risk analysis to determine circumstances that leave them open to unauthorized access and disclosure of ePHI. An ongoing security analysis will assess what security measures are already in place and what measures are still necessary. Compliance with the Privacy and Security Rules should be included in the organization’s compliance assurance and information governance plans and program. More information about corporate compliance programs is included in chapter 17.
| Security Component | Examples of Vulnerabilities | Examples of Security Mitigation Strategies |
| --- | --- | --- |
| Policies and Procedures | | |
Source: ONC 2015.
A CE or BA should also conduct a financial analysis to determine the cost of compliance, because implementing the Security Rule may be a challenge for a CE and especially for a BA who is new to the rule. Figure 12.2 provides five security components for risk management. In addition, in 2003 the Centers for Medicare and Medicaid Services (CMS) published a series of educational documents called the HIPAA Information Series to assist with the implementation of HIPAA requirements (CMS 2003). Addi