HIPAA SHINES ITS LIGHT ON THE IMPORTANCE OF AUDIT CONTROLS THROUGH ITS $5.5 MILLION SETTLEMENT

Memorial Healthcare Systems (MHS) has paid the U.S. Department of Health and Human Services (HHS) $5.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, and has also agreed to implement a robust corrective action plan. MHS is a nonprofit organization that operates six hospitals, an urgent care center, a nursing home and a range of ancillary health care facilities across the South Florida area. MHS is also affiliated with physician offices through an Organized Health Care Arrangement (OHCA).

MHS reported to the HHS Office for Civil Rights (OCR) that the protected health information (PHI) of 115,143 individuals had been impermissibly accessed by a number of its employees and impermissibly disclosed to staff of affiliated physician offices. The information included the affected individuals’ names, dates of birth and social security numbers. The login credentials of a former employee of an affiliated physician’s office were used to access the ePHI maintained by MHS on a daily basis, without detection, from April 2011 to April 2012, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, MHS failed to implement procedures for reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules. Further, MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information, whether used by its own workforce or by users at affiliated physician practices, despite having identified this risk in numerous HIPAA risk analyses it conducted from 2007 to 2012.

“Access to ePHI should always be available only to authorized people, including affiliated health care professional office staff,” declared Robinsue Frohboese, Acting Director, HHS Office for Civil Rights. “Further, organizations need to implement audit controls and review audit logs consistently. As this case shows, a lack of access controls and regular review of audit logs allows hackers or malevolent insiders to cover their electronic trails, which makes it challenging for covered entities and business associates not just to recover from breaches, but to protect against them before they occur.”
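The two control failures OCR names here, access rights that are never reviewed or terminated and audit logs that are never read, are exactly what a periodic log review is meant to catch. The script below is an added example (not code from the original post or from MHS) of such a review: it parses a constructed, pipe-delimited ePHI application access log, compares each access against a constructed HR roster, and flags accesses by accounts that are unknown, terminated, or whose access rights have not been re-reviewed within a review window. The log format, the roster fields and the 90-day window are all assumptions for the example.

```python
"""Periodic review of an ePHI application access log against the HR roster.

Added example, not code from the original post or from MHS. It assumes a
constructed pipe-delimited access log and a constructed HR roster; both
formats are hypothetical stand-ins for what a real application and HR
system produce.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Accesses by accounts not re-reviewed within this many days are flagged (assumed window).
REVIEW_WINDOW_DAYS = 90

# Constructed HR roster: user -> (affiliation, termination date or None, last access review)
ROSTER = {
    "jdoe":   ("mhs-staff",           None,              date(2011, 3, 1)),
    "asmith": ("affiliated-practice", date(2011, 3, 31), date(2010, 12, 1)),
    "bwong":  ("affiliated-practice", None,              date(2010, 10, 15)),
}

# Constructed sample log lines: timestamp|user|action|record
SAMPLE_LOG = """\
2011-04-02T08:15:00|jdoe|VIEW|MRN-1001
2011-04-02T09:03:11|asmith|VIEW|MRN-2043
2011-04-15T17:48:02|asmith|EXPORT|MRN-2045
2011-05-01T10:00:00|bwong|VIEW|MRN-3312
2011-05-03T11:22:09|ghost|VIEW|MRN-3390
"""


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    action: str
    record: str


def parse_log(text):
    """Parse the constructed log format into AccessEvent objects; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, action, record))
    return events


def review_access(events, roster):
    """Return (reason, event) pairs for every access the reviewer should question.

    unknown-account    : the user does not exist in the roster at all
    terminated-account : the access happened after the user's termination date
    stale-review       : the user's rights were last reviewed more than
                         REVIEW_WINDOW_DAYS before the access
    """
    findings = []
    for ev in events:
        entry = roster.get(ev.user)
        if entry is None:
            findings.append(("unknown-account", ev))
            continue
        _affiliation, terminated, last_review = entry
        day = ev.when.date()
        if terminated is not None and day > terminated:
            findings.append(("terminated-account", ev))
        elif (day - last_review).days > REVIEW_WINDOW_DAYS:
            findings.append(("stale-review", ev))
    return findings


def summarize(findings):
    """Count findings per (user, reason), the shape a periodic review report lists."""
    counts = {}
    for reason, ev in findings:
        key = (ev.user, reason)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for reason, ev in review_access(parse_log(SAMPLE_LOG), ROSTER):
        print(f"{reason:<18} {ev.when.isoformat()} {ev.user:<8} {ev.action:<6} {ev.record}")
```

Run against the sample data, the review flags both accesses by the affiliated-practice account used after its termination date, the access by the account whose rights were never re-reviewed, and the access by an account the roster does not know. In practice the roster would come from the HR or identity system and the review would run on a schedule, so that a credential that should have been disabled is noticed in days rather than, as in this case, a year.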

Children’s Medical Center of Dallas to pay HIPAA fine of $3,217,000 for non-compliance with multiple Security Rule standards

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a civil money penalty against Children’s Medical Center of Dallas (Children’s) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), based on its impermissible disclosure of unsecured electronic protected health information (ePHI) and its non-compliance over many years with multiple standards of the HIPAA Security Rule. OCR issued a Notice of Proposed Determination in accordance with 45 CFR 160.420, which included instructions for how Children’s could file a request for a hearing. Accordingly, OCR then issued a Notice of Final Determination, and Children’s paid the full civil money penalty of $3.2 million. Children’s is a pediatric hospital in Dallas, Texas, part of Children’s Health and the seventh-largest pediatric health care provider in the nation.

Children’s filed a breach report with OCR on January 18, 2010, indicating the loss of an unencrypted, non-password-protected BlackBerry device at the Dallas/Fort Worth International Airport on November 19, 2009. The device contained the ePHI of approximately 3,800 individuals. Children’s filed a separate HIPAA Breach Notification Report with OCR reporting the theft of an unencrypted laptop from its premises between April 4 and April 9, 2013. Children’s reported that this device contained the ePHI of 2,462 individuals; although it had implemented some physical safeguards for the laptop storage area (e.g., badge access and a security camera at one of the entrances), it also gave workforce members not authorized to access ePHI access to that area.

OCR’s investigation revealed Children’s noncompliance with the HIPAA Rules, specifically its failure to implement risk management plans, contrary to prior external recommendations to do so, and its failure to deploy encryption or an equivalent alternative measure on all of its laptops, workstations, mobile devices and removable storage media until April 9, 2013. Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013, even though it had known about the risk of maintaining unencrypted ePHI on its devices as far back as 2007. OCR Acting Director Robinsue Frohboese spoke of “ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them,” and added that although “OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”

Reference: OCR Notice of Final Determination – Children’s

The HIPAA Privacy Rule and Same Sex Relationships

There is a great deal of social change underway in terms of how we collect, use and share information about organizations and people.  Privacy seems to be threatened from all sides by many forms of compromise:  from cybercriminals seeking to exploit personal information for gain, to we ourselves sharing our own stories through Social Media across the World-Wide Web.  Certainly, today there is more information “out there” than ever before, and this is cause for concern.

One of the areas where control is being enforced is over patient information:  how it is to be shared, who can have access, what uses can be made of it, what is legal and illegal, who has what rights, and so on.  HIPAA, HITECH and Omnibus are the main sources of this control, and much progress has been made to keep correct authorized sharing to that vital minimum that protects and benefits patients.  Nevertheless, it remains a very high value target for exploitation, and billions of dollars annually are lost to false claims, identity theft, and now “ransomware” – the latest malware threat to electronically-stored health information.

As serious as these threats are, we must never forget the importance of our normal processes for authorized ways of handling information.  In the OCR Audits of 2016, the focus was predominantly on the existence of the documentation that governs our daily programs:  policy, procedure, forms, etc.  Without these to guide our decisions and workflows, the mishandling of PHI becomes more prevalent, which of course leads to complaints, investigations and ultimately fines.

Part of our dilemma is that we often find ourselves struggling to balance “what is compliant” with what may, from time to time, seem to conflict with “what is best” for the patient.  So, to ensure that we are following these regulations on balance with appropriate attention to patient care and safety, I thought it would be timely to revisit certain aspects of the Privacy Rule, and refresh our awareness of its aspects.

This time out I am going to address the “Designated Personal Representative” portion of the Privacy Rule with respect to who these persons are and how we must deal with them, and specifically a point about same-sex couples.   I have included the OCR website text below to ensure we refer to the official source.

Please bear in mind that this article is intended to raise awareness of the contents of the Privacy Rule – nothing presented here should be taken as legal advice.

The Basic Issue

Our legal system recognizes marriage as both a personal and a legal state:  meaning, one of a commitment of one person to another (historically, man and woman), and one that accords certain rights and responsibilities to each person in that union.  This can be a very expansive discussion, but in the context of this piece, I will confine my remarks to the area of healthcare and its related actions and information.

One particular area of concern is what happens to all this when the couple are a same-sex union.  Some states now recognize this, if properly conducted through legal/clerical channels, as a legitimate state of marriage.  Many states still do not.  For a current listing, Wikipedia provides this information here: https://en.wikipedia.org/wiki/List_of_U.S._state_laws_on_same-sex_unions.  What is also important to note here is that some states grant full spousal rights where others place certain limits on these (you should ensure you are familiar with the conditions in your own state when you draft policy governing how your organization will handle this situation should it arise).

The basic point here is that laws vary, sometimes widely across all jurisdictions where HIPAA applies.  With societal conditions in the state of flux they currently are, I have run into an increasing number of clients wanting guidance on this, and I thought it best to research it thoroughly before offering any.

Since there is great variance in the statutes, it often leaves Privacy Officers adrift at sea when they try to sort this out.  Their corporate attorneys are often in no better position to direct the institution’s response because the law is simply not black-and-white, but rather leaves all concerned in the position of having to decide for themselves what approach they will take.  Knowing that compliance must be achieved, but that patient rights must also be respected, finding the balance can prove to be tricky at times.

A few other things seem pretty clear, however:  a) changes in the law seem to follow very slowly when changes in a society occur, and often open doors even while erecting other barriers to the given issue; and b) sometimes when the laws do address such issues and grant the conditions being sought, they often create a maelstrom of paperwork for those attempting to achieve the now permitted result.  In either case, the choice we face appears as either a minefield or whitewater rapids.  And navigating either one requires caution, a sharp eye, and a clear idea of the best path to follow while trying to avert disaster.

Reading the OCR guidance below, it becomes immediately clear that anyone acting as the personal representative is given certain rights under HIPAA, but that certain conditions and limitations must be observed when doing so.  The guidance also actually gives you an acceptable way of correctly and compliantly dealing with this.  Please be sure to run this by your Chief Counsel before formalizing it – you need their approval to ensure that both the Law and your Organization will be satisfied with it.

  • First, do the above and make sure you know the stance of your State Law on this.
  • Second, make sure you ask the right questions of your patient and their partner so that you have a clear and accurate understanding of their situation and their wishes.
  • Third, ensure that you know what the necessary things are that will create the workflow you will need: HIPAA Consent, HIPAA Authorization, and any forms you create to be included in the flow to document all the steps.
  • Fourth, discuss with your attorneys whether or not a properly worded Power of Attorney executed by the patient will enable you to meet their desires in this regard. If it can do so, this may solve the problem and enable you to achieve the delicate balance you are attempting.

Like many issues of personal rights, this one can be difficult to work through and achieve the right solutions under certain conditions.  No law can be expected to deal with every possible situation that might arise, and recognizing this, HIPAA provides a certain degree of latitude to Privacy Officers and their organizations to determine their approach for specific cases and issues.  For the sake of your patients in same-sex relationships, taking these steps can make things more convenient by satisfying the legal requirement and removing the disgruntlement this particular case can create.

One thing:  the above suggestion is in no way intended to circumvent the law.  It is intended only to use existing, legal vehicles and processes to establish a cleaner, easier solution to handle situations where traditional assumptions about spousal or survivor’s rights normally arise.  If the law does not prohibit this course outright, it may just be that even with requiring additional paperwork and possible expense, you can simplify dealing with “Personal Representatives” under HIPAA to your and your patient’s compliant advantage.


Background

The HIPAA Privacy Rule establishes a foundation of Federally-protected rights which permit individuals to control certain uses and disclosures of their protected health information. Along with these rights, the Privacy Rule provides individuals with the ability to access and amend this information, and the right to an accounting of certain disclosures. The Department recognizes that there may be times when individuals are legally or otherwise incapable of exercising their rights, or simply choose to designate another to act on their behalf with respect to these rights. Under the Rule, a person authorized (under State or other applicable law, e.g., tribal or military law) to act on behalf of the individual in making health care related decisions is the individual’s “personal representative.” Section 164.502(g) provides when, and to what extent, the personal representative must be treated as the individual for purposes of the Rule. In addition to these formal designations of a personal representative, the Rule at 45 CFR 164.510(b) addresses situations in which family members or other persons who are involved in the individual’s health care or payment for care may receive protected health information about the individual even if they are not expressly authorized to act on the individual’s behalf.

How the Rule Works

General Provisions. Subject to certain exceptions, the Privacy Rule at 45 CFR 164.502(g) requires covered entities to treat an individual’s personal representative as the individual with respect to uses and disclosures of the individual’s protected health information, as well as the individual’s rights under the Rule.

The personal representative stands in the shoes of the individual and has the ability to act for the individual and exercise the individual’s rights. For instance, covered entities must provide the individual’s personal representative with an accounting of disclosures in accordance with 45 CFR 164.528, as well as provide the personal representative access to the individual’s protected health information in accordance with 45 CFR 164.524 to the extent such information is relevant to such representation. In addition to exercising the individual’s rights under the Rule, a personal representative may also authorize disclosures of the individual’s protected health information.

In general, the scope of the personal representative’s authority to act for the individual under the Privacy Rule derives from his or her authority under applicable law to make health care decisions for the individual. Where the person has broad authority to act on the behalf of a living individual in making decisions related to health care, such as is usually the case with a parent with respect to a minor child or a legal guardian of a mentally incompetent adult, the covered entity must treat the personal representative as the individual for all purposes under the Rule, unless an exception applies. (See below with respect to abuse, neglect or endangerment situations, and the application of State law in the context of parents and minors). Where the authority to act for the individual is limited or specific to particular health care decisions, the personal representative is to be treated as the individual only with respect to protected health information that is relevant to the representation.

For example, a person with an individual’s limited health care power of attorney regarding only a specific treatment, such as use of artificial life support, is that individual’s personal representative only with respect to protected health information that relates to that health care decision. The covered entity should not treat that person as the individual for other purposes, such as to sign an authorization for the disclosure of protected health information for marketing purposes. Finally, where the person has authority to act on the behalf of a deceased individual or his estate, which does not have to include the authority to make decisions related to health care, the covered entity must treat the personal representative as the individual with respect to protected health information relevant to such personal representation (e.g., an executor of an estate has the right to access all of the protected health information of the decedent relevant to these responsibilities).[1] State or other law should be consulted to determine the authority of the personal representative to receive or access the individual’s protected health information.

Who Must Be Recognized as the Individual’s Personal Representative. The following chart displays who must be recognized as the personal representative for a category of individuals:

If the Individual Is: An Adult or an Emancipated Minor
The Personal Representative Is: A person with legal authority to make health care decisions on behalf of the individual
  Examples: Health care power of attorney; court-appointed legal guardian; general power of attorney or durable power of attorney that includes the power to make health care decisions
  Exceptions: See abuse, neglect, and endangerment situations discussion below.

If the Individual Is: An Unemancipated Minor
The Personal Representative Is: A parent, guardian, or other person acting in loco parentis with legal authority to make health care decisions on behalf of the minor child
  Exceptions: See parents and unemancipated minors, and abuse, neglect and endangerment situations discussion below.

If the Individual Is: Deceased
The Personal Representative Is: A person with legal authority to act on behalf of the decedent or the estate (not restricted to persons with authority to make health care decisions)
  Examples: Executor or administrator of the estate; next of kin or other family member (if relevant law provides authority)


Parents and Unemancipated Minors. In most cases under the Rule, a parent, guardian, or other person acting in loco parentis (collectively, “parent”) is the personal representative of the minor child and can exercise the minor’s rights with respect to protected health information, because the parent usually has the authority to make health care decisions about his or her minor child.

However, the Privacy Rule specifies three circumstances in which the parent is not the “personal representative” with respect to certain health information about his or her minor child. These exceptions generally track the ability of certain minors to obtain specified health care without parental consent under State or other laws, or standards of professional practice. In these situations, the parent does not control the minor’s health care decisions, and thus under the Rule, does not control the protected health information related to that care. The three exceptional circumstances when a parent is not the minor’s personal representative are:

  • When State or other law does not require the consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the health care service;

Example:  A State law provides an adolescent the right to obtain mental health treatment without the consent of his or her parent, and the adolescent consents to such treatment without the parent’s consent.

  • When someone other than the parent is authorized by law to consent to the provision of a particular health service to a minor and provides such consent;

Example:  A court may grant authority to make health care decisions for the minor to an adult other than the parent, to the minor, or the court may make the decision(s) itself.

  • When a parent agrees to a confidential relationship between the minor and a health care provider.

Example:  A physician asks the parent of a 16-year-old if the physician can talk with the child confidentially about a medical condition and the parent agrees.

Regardless, however, of whether a parent is the personal representative of a minor child, the Privacy Rule defers to State or other applicable laws that expressly address the ability of the parent to obtain health information about the minor child.  In doing so, the Privacy Rule permits a covered entity to disclose to a parent, or provide the parent with access to, a minor child’s protected health information when and to the extent it is permitted or required by State or other laws (including relevant case law). Likewise, the Privacy Rule prohibits a covered entity from disclosing a minor child’s protected health information to a parent, or providing a parent with access to such information, when and to the extent it is prohibited under State or other laws (including relevant case law).

In cases in which State or other applicable law is silent concerning parental access to the minor’s protected health information, and a parent is not the personal representative of a minor child based on one of the exceptional circumstances described above, a covered entity has discretion to provide or deny a parent with access under 45 CFR 164.524 to the minor’s health information, if doing so is consistent with State or other applicable law, and provided the decision is made by a licensed health care professional in the exercise of professional judgment.

Abuse, Neglect, and Endangerment Situations. When a physician or other covered entity reasonably believes that an individual, including an unemancipated minor, has been or may be subjected to domestic violence, abuse, or neglect by the personal representative, or that treating a person as an individual’s personal representative could endanger the individual, the covered entity may choose not to treat that person as the individual’s personal representative, if in the exercise of professional judgment, doing so would not be in the best interests of the individual. For example, if a physician reasonably believes that providing the personal representative of an incompetent elderly individual with access to the individual’s health information would endanger that individual, the Privacy Rule permits the physician to decline to provide such access.

____________________________________

[1] Note that the Privacy Rule does not apply to the health information of an individual who has been deceased for more than 50 years; thus, a personal representative need not authorize disclosures of the decedent’s health information nor does a personal representative have rights under the Privacy Rule with respect to such information.

University of Mississippi Medical Center fined $2.75 million for alleged violations of HIPAA

The University of Mississippi Medical Center (UMMC) has agreed to settle with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) for $2.75 million over multiple alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). During its investigation, OCR found that UMMC had been aware of the risks and their potential consequences since April 2005, but had taken no security or risk management steps until the breach occurred. This was entirely due to shortcomings in UMMC’s work and management. UMMC will therefore pay $2,750,000 and will implement a corrective action plan to ensure that no such incident recurs, and it must further comply with the HIPAA Privacy, Security, and Breach Notification Rules.

OCR was informed of the breach on March 21, 2013, after one of UMMC’s privacy officers discovered that a password-protected laptop was missing from UMMC’s Medical Intensive Care Unit (MICU). UMMC’s own investigation concluded that it may have been taken by a visitor to the MICU. OCR also found that ePHI stored on a UMMC network drive was easily accessible to unauthorized persons over UMMC’s wireless network: the directory, which contained more than 67,000 files, could be opened with a generic username and password. The directory held 328 files containing the ePHI of 10,000 or more patients, dating from 2008.

Moreover, OCR identified a number of failures on UMMC’s part, including the following:

  • It did not implement proper policies and procedures to prevent, detect, contain and correct security violations;
  • It did not implement policies or assign security personnel at its workplaces to check for unauthorized access to ePHI;
  • It failed to assign a unique user name and password to identify and track each user of the system;
  • It failed even to inform individuals that disregarding the policy and accessing the system without authorization would be treated as a breach of policy.

UMMC is Mississippi’s only academic health science center, providing education, research and patient care. It has four specialized hospitals on its Jackson campus and clinics throughout Jackson and the rest of the State, and it is one of the most reputable health care institutions. The breach occurred on the main UMMC campus in Jackson.

To learn more about health care laws, privacy rights and civil rights, or to file a complaint, visit http://www.hhs.gov/ocr.

Feinstein’s security and procedural failures result in $3.9 million HIPAA settlement

The Feinstein Institute for Medical Research has agreed to pay $3.9 million to the United States Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. Like most OCR settlements, Feinstein’s penalty also includes a substantial corrective action plan to bring its future practices into compliance.

OCR released a statement regarding the incident, emphasizing its steadfast commitment to enforcing the HIPAA Privacy and Security Rules: “This case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to build and maintain trust in health research.”

According to OCR, Feinstein is a biomedical research institute organized as a New York not-for-profit corporation and sponsored by Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, a large health system headquartered in Manhasset, New York, comprising twenty-one hospitals and over 450 patient facilities and physician practices.

OCR’s investigation began when Feinstein filed a breach report on September 2, 2012, reporting that a laptop holding the electronic protected health information of approximately 13,000 patients and research participants had been stolen from a Feinstein employee’s car.

The electronic protected health information on the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study. Keeping this large amount of protected health information in such a vulnerable cache is nothing more than simple foolishness.

OCR’s investigation found that Feinstein’s security safeguards were limited in scope and in size. Moreover, Feinstein did not have proper policies and procedures, with follow-through, for ensuring that only authorized persons could access electronic protected health information; specifically, its workforce was unable to put protections in place to halt unauthorized access to its files. Feinstein also lacked policies and procedures, such as a system for checking in and out equipment containing electronic protected health information, that would have prevented the breach of information via a laptop.

For equipment holding electronic protected health information that was acquired outside Feinstein’s standard acquisition process, Feinstein did not enact sound and proper safeguards for that information, as required by the HIPAA Privacy and Security Rules.

“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels.  “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

In sum, Feinstein committed a gross error in maintaining the electronic protected health information of several thousand patients. Yet this scenario could easily have been avoided with simple HIPAA Security training. The issue here was not a personnel issue but a procedural and policy issue.

Resources for Mobile Health Apps Developers

Are you developing a Mobile Health App? Please look to this Mobile Health Apps Interactive Tool for the scoop on what laws you’ll need to abide by!

The United States Federal Trade Commission (FTC) has decided to take the lead in the mobile health app sphere. This new web-based tool is designed to help creators of mobile health apps understand which federal laws will apply to them. The FTC built the interactive tool in partnership with the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), the HHS Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA).

The interactive tool presents app creators with a series of “high-level” questions about the nature of their app, its function, the data it collects, and the services it provides to users. Depending on the answers to these questions, the developer then receives a list of the laws that should be complied with. These laws include the FTC Act, the FTC’s Health Breach Notification Rule, the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Food, Drug and Cosmetic Act (FD&C Act).

OCR wants developers to ask questions to ensure HIPAA Security and Privacy compliance

OCR has recently released a statement about the tremendous influx of health information technology, which also outlines the consequences of this growth.

“We are experiencing an explosion of technology using data about the health of individuals in innovative ways to improve health outcomes. Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is safe and secure and will be used and disclosed only as approved or expected.”

It is in the spirit of this message that the tool was created, to ensure compliance with federal and state laws, including the HIPAA Privacy, Security and Breach Notification Rules. However, a large number of health information technology developers are not aware of how HIPAA law applies to their app.

OCR has also created a site where users who want to submit questions, offer comments on other submissions or vote on how relevant a topic is sign in using their email address. The site also carries various safeguards for users, including complete anonymity when questions are asked. OCR will use the information received through this site to inform its priorities and direction.

OCR has also made it very clear that posting or commenting on a question will not subject anyone to law enforcement action unless a threat has been made. While OCR will be monitoring the site for “appropriateness,” it cannot ensure the accuracy of answers posted to questions. OCR stated, “While we cannot respond individually to questions, we will try to post links to existing relevant resources when we can. We appreciate input from stakeholders and will consider comments as we develop our priorities for additional guidance and technical assistance.”

Posted on

Raleigh Orthopedic loses thousands in HIPAA paperwork error

Raleigh, N.C.—The Department of Health and Human Services’ Office for Civil Rights (OCR) has recently announced that the Raleigh Orthopedic Clinic of North Carolina has agreed to pay $750,000 in settlement fees. The clinic faced charges that it had potentially violated HIPAA privacy rules. The “potential violation” wording in OCR’s release is meant to obfuscate the role the Raleigh clinic had in its infraction of HIPAA privacy rules; the company unequivocally broke the law. The violation occurred when the Raleigh clinic handed over the protected health information of approximately 17,300 patients to a potential business associate without first executing a business associate agreement, a requirement imposed on all covered entities when disclosing such information to outside parties.

The lack of a business associate agreement left this sensitive health information without protection and easily available to abuse, misuse or illegal disclosure. OCR began its investigation of Raleigh Orthopedic when it received a breach report on April 30, 2013. OCR discovered that Raleigh Orthopedic had given away x-ray films and other protected health information belonging to approximately 17,300 patients. This information was given to a business associate that had promised to transfer the x-ray images to electronic media in exchange for harvesting the silver from the x-ray films. However, Raleigh Orthopedic failed to complete a business associate agreement before turning over the protected health information.

Jocelyn Samuels, Director of the OCR emphasized the importance of completing business associate agreements. She stated, “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” further adding, “it is critical for entities to know to whom they are handing protected health information and to obtain assurances that the information will be protected.”

Raleigh Orthopedic will also, in addition to its $750,000 penalty, be required to revise its policies and procedures to, as OCR dictates, “establish a process for assessing whether entities are business associates; designate a responsible individual to ensure business associate agreements are in place prior to disclosing protected health information to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of protected health information to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.”

The staggering oversight of what may be described as superficial paperwork has dealt a body blow to a practice that will face not only monetary reparations but an injured reputation as well. These effects can only be explained as the result of a lack of understanding of HIPAA law by the staff of Raleigh Orthopedic. Simple HIPAA training could have preserved the integrity of their patients’ protected health information. This was nothing more than human error, done without malice or forethought. Supremus Group offers the only sound, safe, and simple education to healthcare staff for HIPAA certification training.

Posted on

How HIPAA Certification Training of Certified HIPAA Privacy Security Expert (CHPSE) could’ve saved New York Presbyterian $2.2M

Washington, D.C. – The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it reached a $2.2M court settlement with the New York Presbyterian Hospital for its calamitous infraction of HIPAA privacy rules. This settlement was announced April 21, 2016.

The hospital made an amateur and egregious error when it disclosed the protected health information of two of its patients. The hospital provided this information to film crews and their staff during the filming of an ABC television series called “NY Med.” The hospital provided the protected information without consulting with and obtaining authorization from the patients. In point of fact, OCR has claimed that the hospital allowed the film crew to visually document a patient dying and another patient in significant distress. This was done even after medical staff pleaded that the crew stop. OCR’s subsequent investigation found that the film crew was also given nearly unfettered access to the hospital and its patients, potentially exposing the protected health information of every other patient.

Such catastrophic infractions of HIPAA privacy and security law are notable in that they could easily have been prevented with Certified HIPAA Privacy Security Expert (CHPSE) education and training of the compliance staff. It is important to note that, given the potency of federal penalties, HIPAAtraining.net stands as the only resolute prevention of human error, which is the most rational interpretation of the events at New York Presbyterian.

OCR has also made a point of emphasizing its role in doling out well-investigated and proper justice to those who break HIPAA law. Jocelyn Samuels, Director of the OCR, stated, “This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization.” She continued, “We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”

Director Samuels, in more ways than one, reaffirmed the necessity of proper execution of HIPAA privacy rules, as well as top-to-bottom training of all healthcare employees. To digress momentarily, training also provides supplemental protection in the various audits currently being conducted by OCR.

OCR released this statement the day the settlement was announced: “By allowing individuals receiving urgent medical care to be filmed without their authorization by members of the media, NYP’s actions blatantly violate the HIPAA Rules, which were specifically designed to prohibit the disclosure of individual’s protected health information, including images, in circumstances such as these.”

OCR is confident in its ability to investigate, identify and, in more serious cases, punish covered entities and their business associates. At the same time, it is important that those who must comply with HIPAA law are equally confident in their ability to prevent the million-dollar mistakes that New York Presbyterian fell into. To be forthright, HIPAAtraining.net could have saved New York Presbyterian $2.2M, OCR probationary status, and the public relations nightmare the hospital has been forced to endure. It’s simple: ensuring that healthcare employees know healthcare law is a logical imperative.

Posted on

HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework

Download the ePUB file of the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework for iPad and other mobile devices.

Download the Mobi (Kindle) file of the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework for Kindle devices.

HHS.gov released the HIPAA Security Rule Crosswalk to the NIST Cybersecurity Framework, which maps each administrative, physical and technical safeguard standard and implementation specification in the HIPAA Security Rule to a relevant NIST Cybersecurity Framework Subcategory.

Due to the granularity of the NIST Cybersecurity Framework’s Subcategories, some HIPAA Security Rule requirements may map to more than one Subcategory.

Activities to be performed for a particular Subcategory of the NIST Cybersecurity Framework may be more specific and detailed than those performed for the mapped HIPAA Security Rule requirement. However, the HIPAA Security Rule is designed to be flexible, scalable and technology-neutral, which enables it to accommodate integration with frameworks such as the NIST Cybersecurity Framework. A HIPAA covered entity or business associate should be able to assess and implement new and evolving technologies and best practices that it determines would be reasonable and appropriate to ensure the confidentiality, integrity and availability of the ePHI it creates, receives, maintains, or transmits.
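As an added example (not HHS’s tool and not from the page’s author), the Python below parses crosswalk rows in the layout used on this page and answers the reverse question a gap analysis needs: which Subcategories cover a given HIPAA citation. It treats a row that cites a parent provision (for example all of § 164.312) as a “broader” match and a row citing a sub-provision as “narrower”, and lists Subcategories with no HIPAA analog. The four sample rows are transcribed from the crosswalk table on this page.

```python
import re
from collections import OrderedDict

# Constructed sample: four subcategory rows transcribed from the crosswalk table
# on this page, in the page's own layout (subcategory line, then bullet lines).
CROSSWALK_SAMPLE = """\
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
• NIST SP 800-53 Rev. 4 AU Family
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b)
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
• NIST SP 800-53 Rev. 4 AC-4, SC-7
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(4)(ii)(B), 164.310(a)(1), 164.310(b), 164.312(a)(1), 164.312(b), 164.312(c), 164.312(e)
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
• HIPAA Security Rule 45 C.F.R. §§ 164.306, 164.308, 164.310, 164.312, 164.314, 164.316
ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources
• NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5
• No direct analog to HIPAA Security Rule
"""

SUBCAT_RE = re.compile(r"^([A-Z]{2}\.[A-Z]{2}-\d+):\s*(.+)$")
# A citation is a section number followed by any number of parenthesised levels;
# the extraction on the page sometimes leaves stray spaces inside the parentheses.
CITE_RE = re.compile(r"164\.\d{3}(?:\(\s*[A-Za-z0-9]+\s*\))*")

# Preference order when one row cites a requirement at several levels.
RANK = {"exact": 0, "broader": 1, "narrower": 2}


def parse_crosswalk(text):
    """Return {subcategory_id: (title, [HIPAA citations])} from the page layout."""
    rows = OrderedDict()
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SUBCAT_RE.match(line)
        if m:
            current = m.group(1)
            rows[current] = (m.group(2), [])
            continue
        if current and line.startswith("•") and "HIPAA Security Rule" in line:
            # "No direct analog" lines yield no citations, which is the signal we want.
            cites = [re.sub(r"\s+", "", c) for c in CITE_RE.findall(line)]
            rows[current][1].extend(cites)
    return rows


def cite_parts(citation):
    """'164.312(a)(2)(ii)' -> ['164.312', 'a', '2', 'ii']"""
    section = citation.split("(", 1)[0]
    return [section] + re.findall(r"\(([^)]+)\)", citation)


def relation(row_cite, query):
    """How a citation in a row relates to the queried requirement, or None."""
    r, q = cite_parts(row_cite), cite_parts(query)
    if r == q:
        return "exact"
    if r == q[:len(r)]:
        return "broader"   # row cites a parent provision that contains the query
    if q == r[:len(q)]:
        return "narrower"  # row cites a sub-provision of the query
    return None


def subcategories_for(query, rows):
    """Reverse lookup: which CSF Subcategories cover a HIPAA requirement."""
    hits = {}
    for sub_id, (_title, cites) in rows.items():
        for c in cites:
            rel = relation(c, query)
            if rel and (sub_id not in hits or RANK[rel] < RANK[hits[sub_id]]):
                hits[sub_id] = rel
    return sorted(hits.items())


def unmapped_subcategories(rows):
    """Subcategories with no HIPAA Security Rule analog in the crosswalk."""
    return [s for s, (_t, cites) in rows.items() if not cites]


if __name__ == "__main__":
    rows = parse_crosswalk(CROSSWALK_SAMPLE)
    # Audit controls (164.312(b)) are the requirement at issue in the MHS settlement.
    for sub_id, rel in subcategories_for("164.312(b)", rows):
        print(f"{sub_id:8} {rel:9} {rows[sub_id][0]}")
    print("no HIPAA analog:", unmapped_subcategories(rows))
```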

PDF for HIPAA security rule crosswalk to NIST cybersecurity framework

If you want the MS Word file of the Crosswalk, contact Bob@hipaatraining.net. Please send email only from your office email address; any request not coming from an office email address will not receive the file.

Function
Category
Subcategory
Relevant Control Mappings
ID.AM-1: Physical devices and systems within the organization are inventoried • CCS CSC 1
• COBIT 5 BAI09.01, BAI09.02
• ISA 62443-2-1:2009 4.2.3.4
• ISA 62443-3-3:2013 SR 7.8
• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
• NIST SP 800-53 Rev. 4 CM-8
• HIPAA Security Rule 45 C.F.R. §§164.308(a)(1)(ii)(A), 164.310(a)(2)(ii), 164.310(d)
Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy. ID.AM-2: Software platforms and applications within the organization are inventoried • CCS CSC 2
• COBIT 5 BAI09.01, BAI09.02, BAI09.05
• ISA 62443-2-1:2009 4.2.3.4
• ISA 62443-3-3:2013 SR 7.8
• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
• NIST SP 800-53 Rev. 4 CM-8
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(ii)(A), 164.308(a)(7)(ii)(E )
ID.AM-3: Organizational communication and data flows are mapped • CCS CSC 1
• COBIT 5 DSS05.02
• ISA 62443-2-1:2009 4.2.3.4
• ISO/IEC 27001:2013 A.13.2.1
• NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(ii)(A), 164.308(a)(3)(ii)(A),

164.308(a)(8), 164.310(d)
ID.AM-4: External information systems are catalogued • COBIT 5 APO02.02
• ISO/IEC 27001:2013 A.11.2.6
• NIST SP 800-53 Rev. 4 AC-20, SA-9
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(4)(ii)(A), 164.308(b),
164.314(a)(1), 164.314(a)(2)(i)(B),
164.314(a)(2)(ii), 164.316(b)(2)
ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value • COBIT 5 APO03.03, APO03.04, BAI09.02
• ISA 62443-2-1:2009 4.2.3.6
• ISO/IEC 27001:2013 A.8.2.1
• NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14
• HIPAA Security Rule 45 C.F.R. § 164.308(a)(7)(ii)(E )
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third- party stakeholders (e.g., suppliers, customers, partners) are established • COBIT 5 APO01.02, DSS06.03
• ISA 62443-2-1:2009 4.3.2.3.3
• ISO/IEC 27001:2013 A.6.1.1
• NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(b)(1), 164.314
ID.BE-1: The organization’s role in the supply chain is identified and communicated • COBIT 5 APO08.04, APO08.05, APO10.03,
APO10.04, APO10.05
• ISO/IEC 27001:2013 A.15.1.3, A.15.2.1,
A.15.2.2
• NIST SP 800-53 Rev. 4 CP-2, SA-12
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(ii)(A), 164.308(a)(4)(ii),
164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E),
164.308(a)(8), 164.310(a)(2)(i), 164.314, 164.316
Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated • COBIT 5 APO02.06, APO03.01
• NIST SP 800-53 Rev. 4 PM-8
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(ii)(A), 164.308(a)(4)(ii),
164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E),
164.308(a)(8), 164.310(a)(2)(i), 164.314, 164.316
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated • COBIT 5 APO02.01, APO02.06, APO03.01
• ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6
• NIST SP 800-53 Rev. 4 PM-11, SA-14
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C),
164.308(a)(7)(ii)(D), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.316
ID.BE-4: Dependencies and critical functions for delivery of critical services are established • ISO/IEC 27001:2013 A.11.2.2, A.11.2.3,
A.12.1.3
• NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(7)(i), 164.308.(a)(7)(ii)(E),
164.310(a)(2)(i), 164.312(a)(2)(ii), 164.314(a)(1), 164.314(b)(2)(i)
ID.BE-5: Resilience requirements to support delivery of critical services are established • COBIT 5 DSS04.02
• ISO/IEC 27001:2013 A.11.1.4, A.17.1.1,
A.17.1.2, A.17.2.1
• NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(ii)(B), 164.308(a)(6)(ii),
164.308(a)(7), 164.308(a)(8), 164.310(a)(2)(i),
164.312(a)(2)(ii), 164.314(b)(2)(i)
Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. ID.GV-1: Organizational information security policy is established • COBIT 5 APO13.12
• ISA 62443-2-1:2009 4.3.2.3.3
• ISO/IEC 27001:2013 A.6.1.1, A.7.2.1
• NIST SP 800-53 Rev. 4 PM-1, PS-7
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(i), 164.316
ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners • COBIT 5 APO13.12
• ISA 62443-2-1:2009 4.3.2.3.3
• ISO/IEC 27001:2013 A.6.1.1, A.7.2.1
• NIST SP 800-53 Rev. 4 PM-1, PS-7
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(i), 164.308(a)(2), 164.308(a)(3),
164.308(a)(4), 164.308(b), 164.314
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed • COBIT 5 MEA03.01, MEA03.04
• ISA 62443-2-1:2009 4.4.3.7
• ISO/IEC 27001:2013 A.18.1
• NIST SP 800-53 Rev. 4 -1 controls from all families (except PM-1)
• HIPAA Security Rule 45 C.F.R. §§ 164.306, 164.308, 164.310, 164.312, 164.314, 164.316
ID.GV-4: Governance and risk management processes address cybersecurity risks • COBIT 5 DSS04.02
• ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8,
4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3
• NIST SP 800-53 Rev. 4 PM-9, PM-11
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1), 164.308(b)
Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. ID.RA-1: Asset vulnerabilities are identified and documented • CCS CSC 4
• COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
• ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12
• ISO/IEC 27001:2013 A.12.6.1, A.18.2.3
• NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(ii)(A), 164.308(a)(7)(ii)(E),
164.308(a)(8), 164.310(a)(1), 164.312(a)(1),
164.316(b)(2)(iii)
ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources • ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
• ISO/IEC 27001:2013 A.6.1.4
• NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5
• No direct analog to HIPAA Security Rule
ID.RA-3: Threats, both internal and external, are identified and documented • COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
• ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
• NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(D),
164.308(a)(3), 164.308(a)(4),
164.308(a)(5)(ii)(A), 164.310(a)(1),
164.310(a)(2)(iii), 164.312(a)(1), 164.312(c),
164.312(e), 164.314, 164.316
ID.RA-4: Potential business impacts and likelihoods are identified • COBIT 5 DSS04.02
• ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
• NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-9, PM-11, SA-14
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(i), 164.308(a)(1)(ii)(A),
164.308(a)(1)(ii)(B), 164.308(a)(6),
164.308(a)(7)(ii)(E), 164.308(a)(8), 164.316(a)
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk • COBIT 5 APO12.02
• ISO/IEC 27001:2013 A.12.6.1
• NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B),
164.308(a)(1)(ii)(D), 164.308(a)(7)(ii)(D),
164.308(a)(7)(ii)(E), 164.316(a)
ID.RA-6: Risk responses are identified and prioritized • COBIT 5 APO12.05, APO13.02
• NIST SP 800-53 Rev. 4 PM-4, PM-9
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(ii)(B), 164.314(a)(2)(i)(C),
164.314(b)(2)(iv)
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders • COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02
• ISA 62443-2-1:2009 4.3.4.2
• NIST SP 800-53 Rev. 4 PM-9
• HIPAA Security Rule 45 C.F.R. §
164.308(a)(1)(ii)(B)
Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. ID.RM-2: Organizational risk tolerance is determined and clearly expressed • COBIT 5 APO12.06
• ISA 62443-2-1:2009 4.3.2.6.5
• NIST SP 800-53 Rev. 4 PM-9
• HIPAA Security Rule 45 C.F.R. §
164.308(a)(1)(ii)(B)
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis • NIST SP 800-53 Rev. 4 PM-8, PM-9, PM-11, SA-14
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(ii)(B), 164.308(a)(6)(ii),
164.308(a)(7)(i),
164.308(a)(7)(ii)(C),164.308(a)(7)(ii)(E),
164.310(a)(2)(i)
Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. PR.AC-1: Identities and credentials are managed for authorized devices and users • CCS CSC 16
• COBIT 5 DSS05.04, DSS06.03
• ISA 62443-2-1:2009 4.3.3.5.1
• ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
• ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
• NIST SP 800-53 Rev. 4 AC-2, IA Family
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C),
164.308(a)(4)(i), 164.308(a)(4)(ii)(B),
164.308(a)(4)(ii)(C ), 164.312(a)(2)(i),
164.312(a)(2)(ii), 164.312(a)(2)(iii),
164.312(d)
PR.AC-2: Physical access to assets is managed and protected • COBIT 5 DSS01.04, DSS05.05
• ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8
• ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6, A.11.2.3
• NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(ii)(B), 164.308(a)(7)(i),
164.308(a)(7)(ii)(A), 164.310(a)(1),
164.310(a)(2)(i), 164.310(a)(2)(ii),
164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
PR.AC-3: Remote access is managed • COBIT 5 APO13.01, DSS01.04, DSS05.03
• ISA 62443-2-1:2009 4.3.3.6.6
• ISA 62443-3-3:2013 SR 1.13, SR 2.6
• ISO/IEC 27001:2013 A.6.2.2, A.13.1.1,
A.13.2.1
• NIST SP 800-53 Rev. 4 AC-17, AC-19, AC-20
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(4)(i), 164.308(b)(1),
164.308(b)(3), 164.310(b), 164.312(e)(1),
164.312(e)(2)(ii)
PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties • CCS CSC 12, 15
• ISA 62443-2-1:2009 4.3.3.7.3
• ISA 62443-3-3:2013 SR 2.1
• ISO/IEC 27001:2013 A.6.1.2, A.9.1.2,
A.9.2.3, A.9.4.1, A.9.4.4
• NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(3), 164.308(a)(4),
164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii)
PR.AC-5: Network integrity is protected, incorporating
network segregation where appropriate
• ISA 62443-2-1:2009 4.3.3.4
• ISA 62443-3-3:2013 SR 3.1, SR 3.8
• ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1
• NIST SP 800-53 Rev. 4 AC-4, SC-7
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(4)(ii)(B), 164.310(a)(1),
164.310(b), 164.312(a)(1), 164.312(b), 164.312(c), 164.312(e)
PR.AT-1: All users are informed and trained • CCS CSC 9
• COBIT 5 APO07.03, BAI05.07
• ISA 62443-2-1:2009 4.3.2.4.2
• ISO/IEC 27001:2013 A.7.2.2
• NIST SP 800-53 Rev. 4 AT-2, PM-13
• HIPAA Security Rule 45 C.F.R. § 164.308(a)(5)
Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security- related duties and responsibilities consistent with related policies, procedures, and agreements. PR.AT-2: Privileged users understand roles & responsibilities • CCS CSC 9
• COBIT 5 APO07.02, DSS06.03
• ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3
• ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
• NIST SP 800-53 Rev. 4 AT-3, PM-13
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(2), 164.308(a)(3)(i),
164.308(a)(5)(i), 164.308(a)(5)(ii)(A),
164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C),
164.308(a)(5)(ii)(D)
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities • CCS CSC 9
• COBIT 5 APO07.03, APO10.04, APO10.05
• ISA 62443-2-1:2009 4.3.2.4.2
• ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
• NIST SP 800-53 Rev. 4 PS-7, SA-9
• HIPAA Security Rule 45 C.F.R. §§
164.308(b), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)
PR.AT-4: Senior executives understand roles & responsibilities • CCS CSC 9
• COBIT 5 APO07.03
• ISA 62443-2-1:2009 4.3.2.4.2
• ISO/IEC 27001:2013 A.6.1.1, A.7.2.2,
• NIST SP 800-53 Rev. 4 AT-3, PM-13
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(2), 164.308(a)(3)(i),
164.308(a)(5)(i), 164.308(a)(5)(ii)(A),
164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C),
164.308(a)(5)(ii)(D)
PR.AT-5: Physical and information security personnel understand roles & responsibilities • CCS CSC 9
• COBIT 5 APO07.03
• ISA 62443-2-1:2009 4.3.2.4.2
• ISO/IEC 27001:2013 A.6.1.1, A.7.2.2,
• NIST SP 800-53 Rev. 4 AT-3, PM-13
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(2), 164.308(a)(3)(i),
164.308(a)(5)(i), 164.308(a)(5)(ii)(A),
164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C),
164.308(a)(5)(ii)(D), 164.530(b)(1)
Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. PR.DS-1: Data-at-rest is protected • CCS CSC 17
• COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS06.06
• ISA 62443-3-3:2013 SR 3.4, SR 4.1
• ISO/IEC 27001:2013 A.8.2.3
• NIST SP 800-53 Rev. 4 SC-28
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(ii)(D), 164.308(b)(1),
164.310(d), 164.312(a)(1), 164.312(a)(2)(iii),
164.312(a)(2)(iv), 164.312(b), 164.312(c)
164.314(b)(2)(i), 164.312(d)
PR.DS-2: Data-in- transit is protected • CCS CSC 17
• COBIT 5 APO01.06, DSS06.06
• ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2
• ISO/IEC 27001:2013 A.8.2.3, A.13.1.1,
A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
• NIST SP 800-53 Rev. 4 SC-8
• HIPAA Security Rule 45 C.F.R. §§
164.308(b)(1), 164.308(b)(2), 164.312(e)(1),
164.312(e)(2)(i), 164.312(e)(2)(ii),
164.314(b)(2)(i)
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition • COBIT 5 BAI09.03
• ISA 62443-2-1:2009 4. 4.3.3.3.9, 4.3.4.4.1
• ISA 62443-3-3:2013 SR 4.2
• ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.7
• NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(ii)(A), 164.310(a)(2)(ii),
164.310(a)(2)(iii), 164.310(a)(2)(iv),
164.310(d)(1), 164.310(d)(2)
PR.DS-4: Adequate capacity to ensure availability is maintained • COBIT 5 APO13.01
• ISA 62443-3-3:2013 SR 7.1, SR 7.2
• ISO/IEC 27001:2013 A.12.3.1
• NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B),
164.308(a)(7), 164.310(a)(2)(i), 164.310(d)(2)(iv), 164.312(a)(2)(ii)
PR.DS-5: Protections against data leaks are implemented • CCS CSC 17
• COBIT 5 APO01.06
• ISA 62443-3-3:2013 SR 5.2
• ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3
• NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(ii)(D), 164.308(a)(3),
164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity • ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8
• ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3
• NIST SP 800-53 Rev. 4 SI-7
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)
PR.DS-7: The development and testing environment(s) are separate from the production environment • COBIT 5 BAI07.04
• ISO/IEC 27001:2013 A.12.1.4
• NIST SP 800-53 Rev. 4 CM-2
• HIPAA Security Rule 45 C.F.R. §
164.308(a)(4)

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes,
and procedures are maintained and used to manage protection of information systems and assets.

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained • CCS CSC 3, 10
• COBIT 5 BAI10.01, BAI10.02, BAI10.03,
BAI10.05
• ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
• ISA 62443-3-3:2013 SR 7.6
• ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
• NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4,
CM-5, CM-6, CM-7, CM-9, SA-10
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(8), 164.308(a)(7)(i),
164.308(a)(7)(ii)
PR.IP-2: A System Development Life Cycle to manage systems is implemented • COBIT 5 APO13.01
• ISA 62443-2-1:2009 4.3.4.3.3
• ISO/IEC 27001:2013 A.6.1.5, A.14.1.1,
A.14.2.1, A.14.2.5
• NIST SP 800-53 Rev. 4 SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, PL-8
• HIPAA Security Rule 45 C.F.R. § 164.308(a)(1)(i)
PR.IP-3:
Configuration change control processes are in place
• COBIT 5 BAI06.01, BAI01.06
• ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
• ISA 62443-3-3:2013 SR 7.6
• ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
• NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10
• HIPAA Security Rule 45 C.F.R. §
164.308(a)(8)
PR.IP-4: Backups of information are conducted, maintained, and tested periodically • COBIT 5 APO13.01
• ISA 62443-2-1:2009 4.3.4.3.9
• ISA 62443-3-3:2013 SR 7.3, SR 7.4
• ISO/IEC 27001:2013 A.12.3.1, A.17.1.2A.17.1.3, A.18.1.3
• NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B),
164.308(a)(7)(ii)(D), 164.310(a)(2)(i), 164.310(d)(2)(iv)
PR.IP-5: Policy and regulations regarding the physical
operating environment for organizational assets are met
• COBIT 5 DSS01.04, DSS05.05
• ISA 62443-2-1:2009 4.3.3.3.1 4.3.3.3.2,
4.3.3.3.3, 4.3.3.3.5, 4.3.3.3.6
• ISO/IEC 27001:2013 A.11.1.4, A.11.2.1,
A.11.2.2, A.11.2.3
• NIST SP 800-53 Rev. 4 PE-10, PE-12, PE-13, PE-14, PE-15, PE-18
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(7)(i), 164.308(a)(7)(ii)(C), 164.310,
164.316(b)(2)(iii)
PR.IP-6: Data is destroyed according to policy • COBIT 5 BAI09.03
• ISA 62443-2-1:2009 4.3.4.4.4
• ISA 62443-3-3:2013 SR 4.2
• ISO/IEC 27001:2013 A.8.2.3, A.8.3.1,
A.8.3.2, A.11.2.7
• NIST SP 800-53 Rev. 4 MP-6
• HIPAA Security Rule 45 C.F.R. §§
164.310(d)(2)(i), 164.310(d)(2)(ii)
PR.IP-7: Protection processes are continuously improved • COBIT 5 APO11.06, DSS04.05
• ISA 62443-2-1:2009 4.4.3.1, 4.4.3.2, 4.4.3.3,
4.4.3.4, 4.4.3.5, 4.4.3.6, 4.4.3.7, 4.4.3.8
• NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6
• HIPAA Security Rule 45 C.F.R. §§
164.306(e), 164.308(a)(7)(ii)(D), 164.308(a)(8), 164.316(b)(2)(iii)
PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties • ISO/IEC 27001:2013 A.16.1.6
• NIST SP 800-53 Rev. 4 AC-21, CA-7, SI-4
• HIPAA Security Rule 45 C.F.R. §
164.308(a)(6)(ii)
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed • COBIT 5 DSS04.03
• ISA 62443-2-1:2009 4.3.2.5.3, 4.3.4.5.1
• ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2
• NIST SP 800-53 Rev. 4 CP-2, IR-8
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(6), 164.308(a)(7), 164.310(a)(2)(i), 164.312(a)(2)(ii)
PR.IP-10: Response and recovery plans are tested • ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11
• ISA 62443-3-3:2013 SR 3.3
• ISO/IEC 27001:2013 A.17.1.3
• NIST SP 800-53 Rev.4 CP-4, IR-3, PM-14
• HIPAA Security Rule 45 C.F.R. §
164.308(a)(7)(ii)(D)
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) • COBIT 5 APO07.01, APO07.02, APO07.03, APO07.04, APO07.05
• ISA 62443-2-1:2009 4.3.3.2.1, 4.3.3.2.2,
4.3.3.2.3
• ISO/IEC 27001:2013 A.7.1.1, A.7.3.1, A.8.1.4
• NIST SP 800-53 Rev. 4 PS Family
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(ii)(C), 164.308(a)(3)
PR.IP-12: A vulnerability management plan is developed and implemented • ISO/IEC 27001:2013 A.12.6.1, A.18.2.2
• NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B)
Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures. PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools • COBIT 5 BAI09.03
• ISA 62443-2-1:2009 4.3.3.3.7
• ISO/IEC 27001:2013 A.11.1.2, A.11.2.4, A.11.2.5
• NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-5
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(3)(ii)(A), 164.310(a)(2)(iv)
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that
prevents unauthorized access
• COBIT 5 DSS05.04
• ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.4.4.6.8
• ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1
• NIST SP 800-53 Rev. 4 MA-4
• HIPAA Security Rule 45 C.F.R. §§
164.308(a)(3)(ii)(A), 164.310(d)(1),
164.310(d)(2)(ii), 164.310(d)(2)(iii),
164.312(a), 164.312(a)(2)(ii),
164.312(a)(2)(iv), 164.312(b), 164.312(d), 164.312(e), 164.308(a)(1)(ii)(D)
Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
• CCS CSC 14
• COBIT 5 APO11.04
• ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
• ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12
• ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
• NIST SP 800-53 Rev. 4 AU Family
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b)

PR.PT-2: Removable media is protected and its use restricted according to policy
• COBIT 5 DSS05.02, APO13.01
• ISA 62443-3-3:2013 SR 2.3
• ISO/IEC 27001:2013 A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9
• NIST SP 800-53 Rev. 4 MP-2, MP-4, MP-5, MP-7
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b)

PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
• COBIT 5 DSS05.02
• ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
• ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
• ISO/IEC 27001:2013 A.9.1.2
• NIST SP 800-53 Rev. 4 AC-3, CM-7
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(3), 164.308(a)(4), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)

PR.PT-4: Communications and control networks are protected
• CCS CSC 7
• COBIT 5 DSS05.02, APO13.01
• ISA 62443-3-3:2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
• ISO/IEC 27001:2013 A.13.1.1, A.13.2.1
• NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.312(a)(1), 164.312(b), 164.312(e)
Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
• COBIT 5 DSS03.01
• ISA 62443-2-1:2009 4.4.3.3
• NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.312(b)

DE.AE-2: Detected events are analyzed to understand attack targets and methods
• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
• ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2
• ISO/IEC 27001:2013 A.16.1.1, A.16.1.4
• NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4
• HIPAA Security Rule 45 C.F.R. § 164.308(6)(i)

DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors
• ISA 62443-3-3:2013 SR 6.1
• NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii)

DE.AE-4: Impact of events is determined
• COBIT 5 APO12.06
• NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI-4
• HIPAA Security Rule 45 C.F.R. § 164.308(a)(6)(ii)

DE.AE-5: Incident alert thresholds are established
• COBIT 5 APO12.06
• ISA 62443-2-1:2009 4.2.3.10
• NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8
• HIPAA Security Rule 45 C.F.R. § 164.308(a)(6)(i)
Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.

DE.CM-1: The network is monitored to detect potential cybersecurity events
• CCS CSC 14, 16
• COBIT 5 DSS05.07
• ISA 62443-3-3:2013 SR 6.2
• NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(8), 164.312(b), 164.312(e)(2)(i)

DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
• ISA 62443-2-1:2009 4.3.3.3.8
• NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, PE-20
• HIPAA Security Rule 45 C.F.R. §§ 164.310(a)(2)(ii), 164.310(a)(2)(iii)

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
• ISA 62443-3-3:2013 SR 6.2
• ISO/IEC 27001:2013 A.12.4.1
• NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13, CA-7, CM-10, CM-11
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)

DE.CM-4: Malicious code is detected
• CCS CSC 5
• COBIT 5 DSS05.01
• ISA 62443-2-1:2009 4.3.4.3.8
• ISA 62443-3-3:2013 SR 3.2
• ISO/IEC 27001:2013 A.12.2.1
• NIST SP 800-53 Rev. 4 SI-3
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B)

DE.CM-5: Unauthorized mobile code is detected
• ISA 62443-3-3:2013 SR 2.4
• ISO/IEC 27001:2013 A.12.5.1
• NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B)

DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
• COBIT 5 APO07.06
• ISO/IEC 27001:2013 A.14.2.7, A.15.2.1
• NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4
• HIPAA Security Rule 45 C.F.R. § 164.308(a)(1)(ii)(D)

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
• NIST SP 800-53 Rev. 4 AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 164.312(b), 164.314(b)(2)(i)

DE.CM-8: Vulnerability scans are performed
• COBIT 5 BAI03.10
• ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7
• ISO/IEC 27001:2013 A.12.6.1
• NIST SP 800-53 Rev. 4 RA-5
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(i), 164.308(a)(8)
Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
• CCS CSC 5
• COBIT 5 DSS05.01
• ISA 62443-2-1:2009 4.4.3.1
• ISO/IEC 27001:2013 A.6.1.1
• NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(2), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4), 164.310(a)(2)(iii), 164.312(a)(1), 164.312(a)(2)(ii)

DE.DP-2: Detection activities comply with all applicable requirements
• ISA 62443-2-1:2009 4.4.3.2
• ISO/IEC 27001:2013 A.18.1.4
• NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14, SI-4
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(i), 164.308(a)(8)

DE.DP-3: Detection processes are tested
• COBIT 5 APO13.02
• ISA 62443-2-1:2009 4.4.3.2
• ISA 62443-3-3:2013 SR 3.3
• ISO/IEC 27001:2013 A.14.2.8
• NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, PM-14, SI-3, SI-4
• HIPAA Security Rule 45 C.F.R. § 164.306(e)

DE.DP-4: Event detection information is communicated to appropriate parties
• COBIT 5 APO12.06
• ISA 62443-2-1:2009 4.3.4.5.9
• ISA 62443-3-3:2013 SR 6.1
• ISO/IEC 27001:2013 A.16.1.2
• NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-7, RA-5, SI-4
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(6)(ii), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii)

DE.DP-5: Detection processes are continuously improved
• COBIT 5 APO11.06, DSS04.05
• ISA 62443-2-1:2009 4.4.3.4
• ISO/IEC 27001:2013 A.16.1.6
• NIST SP 800-53 Rev. 4 CA-2, CA-7, PL-2, RA-5, SI-4, PM-14
• HIPAA Security Rule 45 C.F.R. §§ 164.306(e), 164.308(a)(8)
Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

RS.RP-1: Response plan is executed during or after an event
• COBIT 5 BAI01.10
• CCS CSC 18
• ISA 62443-2-1:2009 4.3.4.5.1
• ISO/IEC 27001:2013 A.16.1.5
• NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(6)(ii), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.310(a)(2)(i), 164.312(a)(2)(ii)
Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

RS.CO-1: Personnel know their roles and order of operations when a response is needed
• ISA 62443-2-1:2009 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4
• ISO/IEC 27001:2013 A.6.1.1, A.16.1.1
• NIST SP 800-53 Rev. 4 CP-2, CP-3, IR-3, IR-8
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(2), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.310(a)(2)(i), 164.308(a)(6)(i), 164.312(a)(2)(ii)

RS.CO-2: Events are reported consistent with established criteria
• ISA 62443-2-1:2009 4.3.4.5.5
• ISO/IEC 27001:2013 A.6.1.3, A.16.1.2
• NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii)

RS.CO-3: Information is shared consistent with response plans
• ISA 62443-2-1:2009 4.3.4.5.2
• ISO/IEC 27001:2013 A.16.1.2
• NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-4, IR-8, PE-6, RA-5, SI-4
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.314(a)(2)(i)(C)

RS.CO-4: Coordination with stakeholders occurs consistent with response plans
• ISA 62443-2-1:2009 4.3.4.5.5
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(6), 164.308(a)(7), 164.310(a)(2)(i), 164.312(a)(2)(ii)

RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
• NIST SP 800-53 Rev. 4 PM-15, SI-5
• HIPAA Security Rule 45 C.F.R. § 164.308(a)(6)
Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.

RS.AN-1: Notifications from detection systems are investigated
• COBIT 5 DSS02.07
• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
• ISA 62443-3-3:2013 SR 6.1
• ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5
• NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, PE-6, SI-4
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(i), 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.312(b)

RS.AN-2: The impact of the incident is understood
• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
• ISO/IEC 27001:2013 A.16.1.6
• NIST SP 800-53 Rev. 4 CP-2, IR-4
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(6)(ii), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E)

RS.AN-3: Forensics are performed
• ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1
• ISO/IEC 27001:2013 A.16.1.7
• NIST SP 800-53 Rev. 4 AU-7, IR-4
• HIPAA Security Rule 45 C.F.R. § 164.308(a)(6)

RS.AN-4: Incidents are categorized consistent with response plans
• ISA 62443-2-1:2009 4.3.4.5.6
• ISO/IEC 27001:2013 A.16.1.4
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8
• HIPAA Security Rule 45 C.F.R. § 164.308(a)(6)(ii)
Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.

RS.MI-1: Incidents are contained
• ISA 62443-2-1:2009 4.3.4.5.6
• ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR 5.4
• ISO/IEC 27001:2013 A.16.1.5
• NIST SP 800-53 Rev. 4 IR-4
• HIPAA Security Rule 45 C.F.R. § 164.308(a)(6)(ii)

RS.MI-2: Incidents are mitigated
• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10
• ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
• NIST SP 800-53 Rev. 4 IR-4
• HIPAA Security Rule 45 C.F.R. § 164.308(a)(6)(ii)

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
• ISO/IEC 27001:2013 A.12.6.1
• NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(6)(ii)
Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

RS.IM-1: Response plans incorporate lessons learned
• COBIT 5 BAI01.13
• ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4
• ISO/IEC 27001:2013 A.16.1.6
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(7)(ii)(D), 164.308(a)(8), 164.316(b)(2)(iii)

RS.IM-2: Response strategies are updated
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(7)(ii)(D), 164.308(a)(8)
RECOVER (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

RC.RP-1: Recovery
• CCS CSC 8
• COBIT 5 DSS02.05, DSS03.04
• ISO/IEC 27001:2013 A.16.1.5
• NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(7), 164.310(a)(2)(i)

Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.

RC.IM-1: Recovery plans incorporate lessons learned
• COBIT 5 BAI05.07
• ISA 62443-2-1:2009 4.4.3.4
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(7)(ii)(D), 164.308(a)(8), 164.316(b)(2)(iii)

RC.IM-2: Recovery strategies are updated
• COBIT 5 BAI07.08
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(7)(ii)(D), 164.308(a)(8)

Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

RC.CO-1: Public relations are managed
• COBIT 5 EDM03.02
• HIPAA Security Rule 45 C.F.R. § 164.308(a)(6)(i)

RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams
• NIST SP 800-53 Rev. 4 CP-2, IR-4
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(6)(ii), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.310(a)(2)(i), 164.314(a)(2)(i)(C)
Posted on

Physical Therapy provider to pay $25,000 for adding patient testimonials with images without proper authorization.

Complete P.T., Pool & Land Physical Therapy, Inc. has agreed to settle violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Complete P.T. is a physical therapy practice located in the Los Angeles area. The settlement agreement is an admission of civil liability by Complete P.T., requiring payment of $25,000, adoption and implementation of a corrective action plan, and annual reporting of compliance efforts for a one year period.

On August 8, 2012, OCR received a complaint alleging that Complete P.T. had impermissibly disclosed numerous individuals’ protected health information (PHI), when it posted patient testimonials, including full names and full face photographic images, to its website without obtaining valid, HIPAA-compliant authorizations. OCR’s investigation revealed that Complete P.T.:

  • Failed to reasonably safeguard PHI;
  • Impermissibly disclosed PHI without an authorization; and
  • Failed to implement policies and procedures with respect to PHI that were designed to comply with HIPAA’s requirements with regard to authorization.

“The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing,” said OCR Director Jocelyn Samuels. “All covered entities, including physical therapy providers, must ensure that they have adequate policies and procedures to obtain an individual’s authorization for such purposes, including for posting on a website and/or social media pages, and a valid authorization form.”