Transcript Slide 1

Health IT Privacy and Security:
Lock IT, Don’t Leave IT
Nicholas P. Heesters, Jr., M.Eng., J.D., C.H.P.
Privacy and Security Specialist
302.478.3600, ext. 136
[email protected]
http://www.dehitec.org
Disclaimer
 The information included in this presentation
is for informational purposes only and is not a
substitute for legal advice.
 Please consult your attorney if you have any
particular questions regarding specific legal
issues.
Agenda
 Why Is Security Important
 What Is HIPAA
 HIPAA Security Rule
 PHI and Breaches
 Components of Network Security
 How You Can Help Keep the Network Secure
Why Should We Care About
Network Security?
 Potential for downtime and impact on patient care
 Expense to the practice
 Damage to reputation for security breaches
(newspaper headlines, HHS Wall of Shame)
 Fines and/or prison for security breaches
 HIPAA requires the implementation of security
measures to protect PHI on paper and electronically
HIPAA - What is it?
Health Insurance Portability and Accountability Act
 Privacy Rule (compliance: April 2003)
 Security Rule (compliance: April 2005)
 Enforcement Rule (effective: March 2006)
 HITECH Act of 2009
Who is covered under HIPAA?
 Health Plans
 Health Care Providers
– Every health care provider, regardless of size, who electronically
transmits health information in connection with certain
transactions is a covered entity.
– These transactions include claims, benefit eligibility inquiries,
referral authorization requests, or other transactions for which
HHS has established standards under the HIPAA Transactions
Rule.
 Health Care Clearinghouses
 Business Associates
HIPAA Privacy Rule
 Established national standards protecting the privacy
and security of personal health information
 Protects the confidentiality of Protected Health
Information (PHI)
 Empowered individuals with rights concerning
disclosure of health information
 Minimum Necessary Rule: “… take reasonable steps
to limit the use or disclosure of, and requests for,
[PHI] to the minimum necessary to accomplish the
intended purpose.”
HHS OCR HIPAA Video
HIPAA Security Rule
 Applies to Protected Health Information in
electronic form (ePHI)
 Security Rule Safeguard Standards
– Administrative (10 Required; 11 Addressable)
– Physical (2 Required; 6 Addressable)
– Technical (2 Required; 5 Addressable)
HHS OCR HIPAA Video
Required v. Addressable
 Required:
– Must be implemented
 Addressable:
– NOT optional
– If not reasonable and appropriate, can
implement equivalent alternative, or
– If security standard is already met, or if
identified risk is negligible, an addressable
specification may be left not implemented
Administrative Safeguards
 Security Management Process
– Risk Analysis, Risk Management,
Sanctions
 Workforce Security
– Termination, Clearance, Authorization
 Security Incident Response Procedures
 Contingency Plan
– Disaster Recovery, Emergency Operations
 Training
Physical Safeguards
 Facility Access Control
– Security Plan, Access Control, Maintenance
 Workstation Use
 Workstation Security
 Device and Media Controls
– Backup and Storage
– Media Reuse and Disposal
Technical Safeguards
 Access Control
– Implement policies and procedures to permit only
authorized personnel access to ePHI
– Unique User Identification (Required)
• Assign a unique user name and/or number
for identifying and tracking user identity
• Ensure system activity can be traced to a specific user
• Certified EHR criteria (§ 170.302(o))
– Only permit authorized users to access ePHI
– Emergency Access Procedure (Required)
• Procedures to obtain ePHI during an emergency
– Pre-stage break glass user ids
• Certified EHR criteria (§ 170.302(p))
– Permit users authorized in emergency situations to access ePHI
Technical Safeguards Cont.
 Access Control Cont.
– Automatic Logoff (Addressable)
• What period of system inactivity is considered reasonable
before initiating automatic logoff
• Certified EHR criteria (§ 170.302(q))
– Encryption and Decryption (Addressable)
• Implement a mechanism to encrypt and decrypt ePHI
• Full disk encryption, file or folder encryption
• Breach Notification safe harbor
• Certified EHR criteria (§ 170.302(u))
– Symmetric 128-bit fixed block cipher using a 128-, 192-, or 256-bit encryption key
Technical Safeguards Cont.
 Audit Controls
– Implement hardware, software and/or procedures to record and
examine activity in systems that contain or use ePHI
– Correlate to Information System Activity Review procedures
– Certified EHR criteria (§ 170.302(r))
• Record date, time, patient ID and user ID whenever ePHI is created,
modified, deleted or printed
• User can generate an audit log for a specific time period
 Person or Entity Authentication
– Verify identity of person or entity seeking access to ePHI
– Password, token/smartcard, biometric
• 8 – 10 characters, include upper and lower case characters along with a
number and symbol, change every 90 days
– Certified EHR criteria (§ 170.302(t))
Technical Safeguards Cont.
 Integrity
– Implement policies and procedures to protect
ePHI from improper alteration or destruction
– Mechanism to Authenticate ePHI
(Addressable)
• Mechanism to verify that ePHI has not been
altered or destroyed in an unauthorized manner
– ECC RAM, checksums, logs
• Certified EHR criteria (§ 170.302(s))
– Detect the alteration of audit logs
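The audit-control and integrity slides above call for logging date, time, patient ID and user ID on every ePHI action and for a way to detect alteration of the audit log itself. The following Go program is an added example (not from the presentation, and not any EHR product's code) that chains each audit entry to the previous one with SHA-256, so that editing, deleting or reordering an entry is caught by a verification pass. The entry fields, the sample user and patient IDs, and the function names are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// AuditEntry holds the fields the certified EHR criteria call for
// (date/time, user ID, patient ID, action) plus the chain links.
// Field names are an assumption for this example, not an EHR schema.
type AuditEntry struct {
	Timestamp string // RFC 3339 text, e.g. "2012-09-07T14:05:00Z"
	UserID    string
	PatientID string
	Action    string // "created", "modified", "deleted" or "printed"
	PrevHash  string // hash of the previous entry; empty for the first entry
	Hash      string // SHA-256 over this entry's fields and PrevHash
}

// entryDigest hashes the entry's content together with the previous hash.
// The unit separator (0x1F) keeps adjacent fields from running together.
func entryDigest(e AuditEntry) string {
	fields := []string{e.Timestamp, e.UserID, e.PatientID, e.Action, e.PrevHash}
	sum := sha256.Sum256([]byte(strings.Join(fields, "\x1f")))
	return hex.EncodeToString(sum[:])
}

// AppendEntry links a new entry to the current tail of the chain.
func AppendEntry(chain []AuditEntry, ts, user, patient, action string) []AuditEntry {
	prev := ""
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	e := AuditEntry{Timestamp: ts, UserID: user, PatientID: patient, Action: action, PrevHash: prev}
	e.Hash = entryDigest(e)
	return append(chain, e)
}

// VerifyChain walks the log from the first entry. It returns -1 and nil when
// every hash and link checks out, otherwise the index of the first bad entry.
func VerifyChain(chain []AuditEntry) (int, error) {
	prev := ""
	for i, e := range chain {
		if e.PrevHash != prev {
			return i, errors.New("link to previous entry broken (entry removed or reordered)")
		}
		if entryDigest(e) != e.Hash {
			return i, errors.New("entry content altered")
		}
		prev = e.Hash
	}
	return -1, nil
}

func main() {
	// Constructed sample activity; not real patient or user data.
	var trail []AuditEntry
	trail = AppendEntry(trail, "2012-09-07T14:05:00Z", "jsmith", "MRN-000123", "created")
	trail = AppendEntry(trail, "2012-09-07T14:09:30Z", "jsmith", "MRN-000123", "modified")
	trail = AppendEntry(trail, "2012-09-07T15:20:12Z", "rjones", "MRN-000456", "printed")

	idx, err := VerifyChain(trail)
	fmt.Println("intact log:", idx, err)

	// Someone edits the patient ID on entry 1 after the fact.
	trail[1].PatientID = "MRN-000999"
	idx, err = VerifyChain(trail)
	fmt.Println("tampered log:", idx, err)
}
```

A chained log still has to be anchored at its head: keep the hash of the newest entry somewhere the logging host cannot rewrite (a separate system, or a periodic signed checkpoint), because whoever can rewrite the whole file can also recompute every hash in it.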
Technical Safeguards Cont.
 Transmission Security
– Implement security measure to guard against unauthorized
access to ePHI transmitted electronically
– Integrity Controls (Addressable)
• Ensure detection of the improper modification of PHI when
electronically transmitted
• Certified EHR criteria (§ 170.302(s))
– Use a secure hashing algorithm (SHA-1 or higher) to verify that ePHI
has not been altered during transmission
– Encryption (Addressable)
• Certified EHR criteria (§ 170.302(v))
– When exchanging ePHI an encrypted and
integrity protected link must be used
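The encryption slide above describes AES (a symmetric 128-bit block cipher with a 128-, 192- or 256-bit key) and the transmission-security slide asks for an encrypted, integrity-protected link with a secure hash to detect modification. This Go program is an added example, not code from the presentation or any vendor, showing both with the standard library: AES-GCM seals a record so that any altered byte is rejected on decryption, and a SHA-256 digest gives a stand-alone integrity fingerprint (SHA-256 rather than the SHA-1 minimum the slide names, since SHA-1 is no longer considered collision resistant). The sample record, header and key handling are constructed for illustration; in practice the key comes from a key manager, not from the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a random AES key. Only the three key sizes the slide names
// (128, 192 or 256 bits) are accepted.
func NewKey(bits int) ([]byte, error) {
	if bits != 128 && bits != 192 && bits != 256 {
		return nil, errors.New("AES key must be 128, 192 or 256 bits")
	}
	key := make([]byte, bits/8)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a record with AES-GCM. The result is nonce || ciphertext || tag.
// header is authenticated but sent in the clear (e.g. routing metadata), so a
// receiver can detect if it was changed even though it is not encrypted.
func Seal(key, record, header []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing a nonce under one key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, header), nil
}

// Open reverses Seal. It returns an error if the key is wrong or if any byte of
// the nonce, ciphertext, tag or header was altered, which is the integrity
// control the transmission-security slide asks for.
func Open(key, sealed, header []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, header)
}

// Digest is a SHA-256 fingerprint of a record. Sent beside the record (or over
// a separate channel), it lets the receiver confirm the bytes were not altered.
func Digest(record []byte) string {
	sum := sha256.Sum256(record)
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed sample ePHI; not a real patient.
	record := []byte("MRN-000123|Jane Sample|1970-01-01|Dx: hypertension")
	header := []byte("from=clinic-a;to=lab-b")

	key, err := NewKey(256)
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, record, header)
	if err != nil {
		panic(err)
	}
	plain, err := Open(key, sealed, header)
	fmt.Println("decrypted:", string(plain), err)

	// Flip one bit of the ciphertext in transit: Open must refuse it.
	sealed[len(sealed)-1] ^= 0x01
	_, err = Open(key, sealed, header)
	fmt.Println("tamper detected:", err != nil)
	fmt.Println("record digest:", Digest(record))
}
```

GCM's authentication tag covers the header as well as the ciphertext, so sender and recipient metadata cannot be swapped without detection. A plain digest, by contrast, only helps if it travels over a path the attacker cannot also modify, which is why the sealed form is preferred for the link itself.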
Technical Safeguards Audit
 HIPAA Audit document requests:
– Authentication Policies and Procedures
– Encryption Policies and Procedures
– Audit Policies and Procedures
– System list of all users with access to ePHI
– System list of new users within the past year
PHI and Breach
Protected Health Information (PHI)
 Protected Health Information (PHI) under
HIPAA is any information identifying an
individual and that relates to at least one of
the following:
– The individual’s past, present or future physical or mental
health
– The provision of health care to the individual
– The past, present or future payment for health care
– Information identifies an individual if it includes either the
individual’s name or any other information that could
enable someone to determine the individual’s identity
Personally Identifiable Information (PII)
Names
Geographical information
Dates related to an individual
Phone numbers
Fax numbers
Email addresses
Social Security numbers (SSN)
Medical record numbers
Health plan numbers
Account numbers
Certificate/license numbers
Vehicle identifiers
Device identifiers
Web Addresses
IP Addresses
Biometric identifiers
Photographs
Any unique identifying number, characteristic, or code
Breach Headlines
 Breaches of Unsecured PHI affecting 500 or more individuals
– Posted on the OCR Web site - “Wall of Shame”
 Out of 380 breaches, 264 (over 15 million affected individuals) could
have been prevented with encryption
More Breach Headlines
 In April 2012, Phoenix Cardiac Surgery agreed to a
settlement of $100,000 for posting PHI on the
Internet and related deficiencies.
 On Feb. 4, 2011, OCR assessed a civil monetary
penalty against Cignet Health of Prince George's
County, MD of $4.3MM.
 On April 27, 2010, Dr. Huping Zhou of UCLA
Healthcare was sentenced to four months in
federal prison for HIPAA violations.
What is a Breach?
According to the Health Information Technology for
Economic and Clinical Health (HITECH) Act:

A breach is the impermissible use or disclosure of PHI
such that said use or disclosure poses a significant risk
of financial, reputational, or other harm to the affected
individual.

Breach notification is only required where unsecured
PHI is involved.
• Unsecured PHI is PHI which has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance.
Breach Penalties
 Civil:
– $100 to $50,000 per breach ($1.5MM
calendar year cap; was $25,000 pre-HITECH)
 Criminal:
– $50,000 - $250,000 fine and/or 1 – 10 years
in federal prison
 State attorneys general permitted to civilly
sue on behalf of affected residents
Breach Safe Harbor: Encryption
Electronic PHI (ePHI): any device or medium used
to store, transmit or receive PHI electronically.
 Desktops, tablets, or laptops
 External devices or media, including
iPads, tapes, or disks
 Removable storage devices
(USB drives, tapes, keys, CDs, DVDs, etc.)
 PDAs, Smart Phones
 Electronic transmission including e-mail,
File Transfer Protocol (FTP), wireless, etc.
Components of
Network Security
The Front Door of Your Network
 Hardware Firewall
– Protects your network
– Provides access rules
– Allows only trusted partners access to your network
 Remote Access
– Allows only trusted users (authentication)
– Must be encrypted (VPN or SSL/TLS)
– Security wins over ease of use
 Wireless Devices
– Must be encrypted
– Allow only trusted devices
The Back Door of Your Network
 E-mail-borne threats
– Viruses – software that reproduces
– Malware – malicious software
– Keyloggers – software that steals
your passwords
 Out-of-date antivirus system
 Outdated operating systems
 Missing patches for operating
systems
The Danger Within
 Lost laptops, tablets, PDAs, and smart phones with ePHI
 Sharing passwords or using the same password for everything
 Transmission of ePHI without encryption
 Responding to bogus requests: phone, e-mail, Web (phishing)
 ePHI leaving the building on electronic media without encryption (tapes, CDs, USB drives, etc.)
 Installing risky software (Audiogalaxy, Limewire, uTorrent, etc.)
Phishing
 You have received an urgent system
message from the Citibank Department.
To read your message, please go to your
account immediately.
Citibank Service Center
Attn: E-mail/Internet Services
100 Citibank Drive
Building 3, 1st Floor
San Antonio, TX 78245
Other Security Risks:
Disposal of Equipment
 Many technologies today use hard drives that can
contain ePHI!
 Care must be taken in disposal so that ePHI is
erased. Always ensure that IT has cleaned or
destroyed hard drives prior to disposal.
How Can You Keep the
Network Secure?
User Access Control and
Password Guidance
 Unique User ID
– Never share your user ID!
– All system access with your ID is YOUR
responsibility
 Password Guidelines
– Do not reuse the last 12 passwords
– Change your password at least every 90 days
– Passwords must be at least 8 characters
– Passwords must be a combination of upper and lower case letters, numbers and special characters
– User account locks after 3 failed attempts
Automatic Logoff
 Your EHR session should terminate after 15 minutes of inactivity.
– Always save your work before leaving your workstation!
 Your Windows screensaver should lock your workstation after 15 minutes of inactivity.
– Pressing Windows+L, or Ctrl+Alt+Delete and then Enter, on your keyboard will manually lock your workstation.
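As an added example (not part of the presentation and not any EHR vendor's code), the Go program below enforces the password guidelines above and the 15-minute inactivity rule from the automatic-logoff slide: at least 8 characters with upper case, lower case, a number and a special character; no reuse of the last 12 passwords; a change every 90 days; lockout after 3 failed attempts; and a session that is no longer active after 15 minutes without activity. The Account type, its field names and the sample passwords are assumptions made for the example, and the password hash is plain SHA-256 only for brevity; a real system stores a slow, salted hash.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"time"
	"unicode"
	"unicode/utf8"
)

// Policy values as stated on the slides.
const (
	MinLength    = 8
	HistoryDepth = 12
	MaxFailed    = 3
	MaxAge       = 90 * 24 * time.Hour
	IdleTimeout  = 15 * time.Minute
)

// CheckComplexity applies the length and character-class rules.
func CheckComplexity(pw string) error {
	if utf8.RuneCountInString(pw) < MinLength {
		return errors.New("password must be at least 8 characters")
	}
	var upper, lower, digit, special bool
	for _, r := range pw {
		upper = upper || unicode.IsUpper(r)
		lower = lower || unicode.IsLower(r)
		digit = digit || unicode.IsDigit(r)
		special = special || unicode.IsPunct(r) || unicode.IsSymbol(r)
	}
	if !(upper && lower && digit && special) {
		return errors.New("password needs upper and lower case letters, a number and a special character")
	}
	return nil
}

// Account is a constructed stand-in for a user record (field names are assumptions, not an EHR schema).
type Account struct {
	history      [][32]byte // hashes of past passwords, newest last; the last one is current
	passwordSet  time.Time
	failed       int
	Locked       bool
	lastActivity time.Time
}

// hashPassword is plain SHA-256 only to keep the example short; production code uses bcrypt, scrypt or Argon2 with a salt.
func hashPassword(pw string) [32]byte { return sha256.Sum256([]byte(pw)) }

// SetPassword enforces complexity and the 12-password history before accepting pw.
func (a *Account) SetPassword(pw string, now time.Time) error {
	if err := CheckComplexity(pw); err != nil {
		return err
	}
	h := hashPassword(pw)
	for _, old := range a.history {
		if subtle.ConstantTimeCompare(old[:], h[:]) == 1 {
			return errors.New("password matches one of the last 12 used")
		}
	}
	a.history = append(a.history, h)
	if len(a.history) > HistoryDepth {
		a.history = a.history[len(a.history)-HistoryDepth:]
	}
	a.passwordSet = now
	return nil
}

// Login counts failures toward lockout, refuses passwords older than 90 days and starts a session.
func (a *Account) Login(pw string, now time.Time) error {
	if a.Locked {
		return errors.New("account locked after too many failed attempts")
	}
	if len(a.history) == 0 {
		return errors.New("no password set")
	}
	current, h := a.history[len(a.history)-1], hashPassword(pw)
	if subtle.ConstantTimeCompare(current[:], h[:]) != 1 {
		a.failed++
		if a.failed >= MaxFailed {
			a.Locked = true
		}
		return errors.New("password incorrect")
	}
	a.failed = 0
	if now.Sub(a.passwordSet) > MaxAge {
		return errors.New("password older than 90 days; change required")
	}
	a.lastActivity = now
	return nil
}

// SessionActive is the automatic-logoff check: false once 15 minutes pass without activity.
func (a *Account) SessionActive(now time.Time) bool {
	return !a.lastActivity.IsZero() && now.Sub(a.lastActivity) < IdleTimeout
}
```

The failure counter resets only on a successful login, and the 90-day check runs after the password is verified, so an expired password never reveals whether a guess was right. Login records the start of activity; a fuller version would refresh lastActivity on every user action and poll SessionActive before serving each request.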
Remote Access
 Remote Access
– Must use a VPN tunnel or
SSL/TLS connection.
– Requires user authentication.
– Always physically secure your
laptop, PDA, or other mobile
device when traveling!
Certified EHR Security Requirements
 Access Controls
 Emergency Access
 Automatic Log-off
 Audit Log
 Integrity
 Authentication
 General Encryption
 Encryption when exchanging electronic
health information
Tasks for “The IT Guy” (or Gal)
 Role-Based Access: Manage who gets access to what
 Firewall Review: Make sure that communication with the outside world is secure
 Wireless Security: Manage who gets WiFi access
 Antivirus: Manage software to keep viruses and malware at bay
 Server/Workstation Updates: Make sure all software gets appropriate updates to mitigate problems
Tasks for “The IT Guy” (or Gal)
 Backup: Keep a backup of all data, just in case!
 Backup Encryption: Make backup data unreadable to snoopers.
 Recovery: Have a plan in case disaster strikes!
Summary
 Protecting data is
everyone’s responsibility
 Understand HIPAA
 Hold each other
accountable
Quality Insights of Delaware IHPC LAN
Join theHITCommunity.org

theHITCommunity.org is a unique Health IT (HIT) user hub
which provides access to useful tools, resources, educational
materials and practical information surrounding HIT. This Web
site also allows you to start a forum of sharing about the EHR
system that you are using in your practice, allowing you to not only
share best practices with your peers, but also providing you the
opportunity to problem solve with fellow EHR users.
To create your account:
 Go to https://www.thehitcommunity.org
 Click 'JOIN'
 Create an account
 Complete the requested info
 Use the referral code 'QIDIHPC'
After account created:
 Select 'Communities'
 Select 'Dedicated Communities'
 Quality Insights of Delaware (you can set this as your home page)
Q & A Session
QUESTIONS?
For more information about Network Security for
end users in health care, please contact QIDE REC.
Ph: 1.866.475.9669
Web: www.dehitrec.org
This project is made possible through a grant from the Office of the National Coordinator with Department of Health and
Human Services support. Grant No. 90RC0044/01. Publication No. DEREC-LF-090712. App 9/12.