Information Assurance: The Healthcare Perspective - PowerPoint PPT Presentation
1
Information Assurance: The Healthcare Perspective
Lisa Gallagher, Senior Vice President, IT
Accreditations, URAC
2
Agenda
  • Background
  • About URAC
  • URAC HIPAA Accreditations
  • NIST/URAC/WEDI Health Security Workgroup
  • IA issues in Healthcare

3
About URAC
  • Founded in 1990
  • Private, non-profit 501(c)(3)
  • Originally focused on utilization review
    accreditation
  • Now accredits a full range of managed care
    offerings and has new IT accreditations
  • Broad representation on Board of Directors:
    industry, provider, and public representatives
  • Committee driven

4
URAC Mission
  • To promote continuous improvement in the quality
    and efficiency of healthcare delivery by
    achieving a common understanding of excellence
    among purchasers, providers, and patients through
    the establishment of standards, programs of
    education and communication, and a process of
    accreditation.

5
6
URAC Accreditation Programs
  • Utilization Management
  • Case Management
  • Health Plan and Health Network (HMO and PPO)
  • Credentialing and CVO
  • Health Call Center
  • Workers Compensation UM and Network
  • External Review Organization
  • Health Web Site
  • Core and Core Plus Certification
  • Claims Management
  • Disease Management
  • HIPAA Privacy and Security

7
Value of URAC Accreditation
  • Improves operations internally
  • Creates regulatory compliance efficiencies
  • Differentiates organizations from the competition
  • Satisfies many RFP/RFI requirements
  • Qualifies companies for professional liability
    premium discounts
  • Provides support for risk management strategies
  • Aggregates and cross-fertilizes best practices

8
Standards Development Process
  • Broad-based committee process
  • Public input
  • Forums
  • Comment period
  • Beta-testing
  • Final revisions
  • Board Approval
  • 2-year update cycle with interim changes as
    needed (e.g., regulatory changes)

9
Accreditation Process
  • Applicant self-evaluation
  • Submission of application
  • Desktop review
  • Additional information requested
  • Site visit
  • Scoring
  • Accreditation Committee
  • Executive Committee

10
URAC HIPAA Privacy and Security Accreditation Programs
  • Purpose: To assist organizations to verify that
    they have put in place the necessary
    infrastructure and implemented the necessary
    processes to comply with the HIPAA Privacy and
    Security Rules
  • Not a guarantee of compliance
  • Indicator of good faith efforts to implement and
    maintain an effective compliance program

11
Accreditation Standards
  • Track the HIPAA Privacy and Security Rules
  • Standards apply to Covered Entities (and
    various sub-types) and Business Associates
  • Standards language expresses regulatory
    requirements in direct, verifiable language

12
Standards Categories - Privacy
  • Implementation of Compliance Plan
  • Policies and Procedures
  • Workforce Training and Oversight
  • Notice of Privacy Practices
  • Rights of Individuals
  • Authorizations
  • Use and Disclosures
  • Complaints
  • Business Associate Relationships
  • Special Requirements for Organizational
    Sub-types

13
Standards Categories - Security
  • Implementation of Security Compliance Plan
  • Management of Policies and Procedures and
    Documentation
  • Administrative Safeguards
  • Physical Security Safeguards
  • Technical Safeguards
  • Special Requirements for Hybrid Entities
  • Special Requirements for Affiliated Covered
    Entities
  • Special Requirements for Group Health Plans
  • Special Requirements for Business Associates

14
HIPAA Accreditations - Value
  • Government will only get involved after a problem
    occurs.
  • Civil litigation may pose a risk.
  • Organizations must have strong internal
    compliance programs and implement proactively.
  • Due diligence with Business Partners is an issue.
  • Good faith compliance efforts help with risk
    management and may mitigate penalties.
  • External audits/accreditation can augment
    internal compliance programs.

15
NIST/URAC/WEDI Health Care Security Workgroup
  • Co-facilitated by URAC and NIST
      • Lisa Gallagher, URAC, IT Accreditations
      • Ron Ross, NIST
      • Mark McLaughlin, WEDI
  • Agreement with WEDI for co-sponsorship
  • Participation open; register as an interested
    party at http://www.urac.org/securityworkgroup/

16
Why did we form the Security WG?
  • "Currently, no standard measures exist in the
    health care industry that address all aspects of
    the security of electronic health information
    while it is being stored or during the exchange
    of that information between entities."
    (Preamble to the HIPAA Security Rule, February 2003)

17
Mission
  • Bring together key stakeholders from the public
    and private sectors to facilitate communication
    and consensus on best practices for information
    security in healthcare.
  • Promote the implementation of a uniform approach
    to security practices and assessments by
    developing white papers and crosswalks, and
    provide educational programs, as appropriate.

18
Goals
  • Identify security standards that cover security
    policies, procedures, controls and auditing
    practices
  • Review NIST Special Publications for possible use
    in the healthcare sector
  • Review other security standards, such as:
      • the HIPAA Security Rule
      • ISO 17799
      • CMS' CAST requirements
      • Systems Security Engineering Capability Maturity
        Model (SSE-CMM)
      • CMS Internet Security Requirements
      • other existing requirements or standards
  • Discuss current industry practice for security in
    health care organizations and drive consensus on
    best practice

19
Work to Date
  • Review of:
      • NIST 800-30 and 800-26
      • ISO 17799
      • CMS CAST Requirements/Tool
      • VA Security Methods and Tools
      • ISO 15408 Common Criteria
      • SSE-CMM
      • OCTAVE from SEI
  • Facilitated healthcare industry comments on NIST
    800-37 during the public comment period
  • Wrote guidance document on security provisions in
    the HIPAA Privacy Rule
  • Will review NIST 800-53 and provide formal
    input

20
New NIST Guidelines
  • NIST Special Publication 800-37, Guidelines for
    the Security Certification and Accreditation of
    Federal Information Technology Systems
  • NIST Special Publication 800-53 (TBR), Minimum
    Security Controls for Federal Information
    Technology Systems
  • NIST Special Publication 800-53A (TBR),
    Techniques and Procedures for the Verification
    of Security Controls in Federal Information
    Technology Systems

21
WG Future Work Products
  • Review of 800-53
  • Security Standards requirements crosswalk
  • Guidance White Papers
  • Educational Programs
  • Continue dialog and consensus-building on best
    practices for information security in health care

22
HC Security Conference
  • November 17, 2003 in Washington, DC
  • In conjunction with WEDI SNIP Conference
  • Key Agenda Items:
      • Security Requirements Crosswalk
      • Medical Device Security
      • Review of NIST 800-53 with NIST Authors
      • Industry Leadership Roundtable

23
HIPAA Security - Preliminary Implementation Issues
  • Current Approach
      • Just passed Privacy and Transactions Standards
        deadlines
      • More difficult concepts
      • Dependence upon outside consultants
      • Want to be told what to do and to know what
        peers are doing
  • Risk Management
      • Organizations continue to implement expensive
        technology solutions without adequately
        defining/understanding protection needs or
        having the capability of measuring success
      • Risk decisions being made by technology owners
        (IT) and not PHI owners (business)
      • Processes are not repeatable long-term
        (scope/changing environment, budget, skills)
  • Formalization
      • Few processes are documented
      • Reactive
  • Security Knowledge
      • Some general security training provided
      • Few IT security professionals

24
IA Issues for Healthcare
  • Covered by a patchwork of privacy/security
    requirements
      • HIPAA
      • GLBA
      • ISO 17799
      • CMS, VA, etc.
      • Potential future regulation (e.g., Putnam bill)
  • Risk Analysis/Risk Management
      • How to?
      • Business risk issue
      • HC not a homogeneous industry
      • Cost is a factor
  • Specific Implementations/Architectures
      • CA - cost and process prohibitive
      • Vendors
      • Industry initiatives (NIST/URAC/WEDI)