Transcript Slide 1
Health IT Privacy and Security: Lock IT, Don’t Leave IT Nicholas P. Heesters, Jr., M.Eng., J.D., C.H.P. Privacy and Security Specialist 302.478.3600, ext. 136 [email protected] http://www.dehitec.org Disclaimer The information included in this presentation is for informational purposes only and is not a substitute for legal advice. Please consult your attorney if you have any particular questions regarding specific legal issues. Agenda Why Is Security Important What Is HIPAA HIPAA Security Rule PHI and Breaches Components of Network Security How You Can Help Keep the Network Secure 3 Why Should We Care About Network Security? Potential for downtime and impact on patient care Expense to the practice Damage to reputation for security breaches (newspaper headlines, HHS Wall of Shame) Fines and/or prison for security breaches HIPAA requires the implementation of security measures to protect PHI on paper and electronically 4 HIPAA - What is it? Health Insurance Portability and Accountability Act Privacy Rule (compliance: April 2003) Security Rule (compliance: April 2005) Enforcement Rule (effective: March 2006) HITECH Act of 2009 Who is covered under HIPAA? Health Plans Health Care Providers – Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions is a covered entity. – These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule. Health Care Clearinghouses Business Associates HIPAA Privacy Rule Established national standards protecting the privacy and security of personal health information Protects the confidentiality of Protected Health Information (PHI) Empowered individuals with rights concerning disclosure of health information Minimum Necessary Rule: “… take reasonable steps to limit the use or disclosure of, and requests for, [PHI] to the minimum necessary to accomplish the intended purpose.” HHS OCR HIPAA Video HIPAA Security Rule Applies to Protected Health Information in electronic form (ePHI) Security Rule Safeguard Standards – Administrative (10 Required; 11 Addressable) – Physical (2 Required; 6 Addressable) – Technical (2 Required; 5 Addressable) HHS OCR HIPAA Video Required v. Addressable Required: – Must be implemented Addressable: – NOT optional – If not reasonable and appropriate, can implement equivalent alternative, or – If security standard is already met, or if identified risk is negligible, an addressable specification may be left not implemented Administrative Safeguards Security Management Process – Risk Analysis, Risk Management, Sanctions Workforce Security – Termination, Clearance, Authorization Security Incident Response Procedures Contingency Plan – Disaster Recovery, Emergency Operations Training Physical Safeguards Facility Access Control – Security Plan, Access Control, Maintenance Workstation Use Workstation Security Device and Media Controls – Backup and Storage – Media Reuse and Disposal Technical Safeguards Access Control – Implement policies and procedures to permit only authorized personnel access to ePHI – Unique User Identification (Required) • Assign a unique user name and/or number for identifying and tracking user identity • Ensure system activity can be traced to a specific user • Certified EHR criteria (§ 170.302(o)) – Only permit authorized users to access ePHI – Emergency Access Procedure (Required) • Procedures to obtain ePHI during an emergency – Pre-stage break glass user ids • Certified EHR criteria (§ 170.302(p)) – Permit users authorized in emergency situations to access ePHI Technical Safeguards Cont. Access Control Cont. – Automatic Logoff (Addressable) • What period of system inactivity is considered reasonable before initiating automatic logoff • Certified EHR criteria (§ 170.302(q)) – Encryption and Decryption (Addressable) • • • • Implement a mechanism to encrypt and decrypt ePHI Full disk encryption, file or folder encryption Breach Notification safe harbor Certified EHR criteria (§ 170.302(u)) – Symmetric 128-bit fixed block cipher using a 128-, 192-, or 256-bit encryption key Technical Safeguards Cont. Audit Controls – Implement hardware, software and/or procedures to record and examine activity in systems that contain or use ePHI – Correlate to Information System Activity Review procedures – Certified EHR criteria (§ 170.302(r)) • Record date, time, patient ID and user ID whenever ePHI is created, modified, deleted or printed • User can generate an audit log for a specific time period Person or Entity Authentication – Verify identify of person or entity seeking access to ePHI – Password, token/smartcard, biometric • 8 – 10 characters, include upper and lower case characters along with a number and symbol, change every 90 days – Certified EHR criteria (§ 170.302(t)) Technical Safeguards Cont. Integrity – Implement policies and procedures to protect ePHI from improper alteration or destruction – Mechanism to Authenticate ePHI (Addressable) • Mechanism to verify that ePHI has not been altered or destroyed in an unauthorized manner – ECC RAM, checksums, logs • Certified EHR criteria (§ 170.302(s)) – Detect the alteration of audit logs Technical Safeguards Cont. Transmission Security – Implement security measure to guard against unauthorized access to ePHI transmitted electronically – Integrity Controls (Addressable) • Ensure detection of the improper modification of PHI when electronically transmitted • Certified EHR criteria (§ 170.302(s)) – Use a secure hashing algorithm (SHA-1 or higher) to verify that ePHI has not been altered during transmission – Encryption (Addressable) • Certified EHR criteria (§ 170.302(v)) – When exchanging ePHI an encrypted and integrity protected link must be used Technical Safeguards Audit HIPAA Audit document requests: – Authentication Policies and Procedures – Encryption Policies and Procedures – Audit Policies and Procedures – System list of all users with access to ePHI – System list of new users within the past year PHI and Breach Protected Health Information (PHI) Protected Health Information (PHI) under HIPAA is any information identifying an individual and that relates to at least one of the following: – The individual’s past, present or future physical or mental health – The provision of health care to the individual – The past, present or future payment for health care – Information identifies an individual if it includes either the individual’s name or any other information that could enable someone to determine the individual’s identity 19 Personally Identifiable Information (PII) Names Geographical information Dates related to an individual Phone numbers Fax numbers Email addresses Social Security numbers (SSN) Medical record numbers Health plan numbers Account numbers Certificate/license numbers Vehicle identifiers Device identifiers Web Addresses IP Addresses Biometric identifiers Photographs Any unique identifying number, characteristic, or code Breach Headlines Breaches of Unsecured PHI affecting 500 or more individuals – Posted on the OCR Web site - “Wall of Shame” Out of 380 breaches, 264 (over 15 million affected individuals) could have been prevented with encryption 21 More Breach Headlines In April 2012, Phoenix Cardiac Surgery agreed to a settlement of $100,000 for posting PHI on the Internet and related deficiencies. On Feb. 4, 2011, OCR assessed a civil monetary penalty against Cignet Health of Prince Georges County, MD of $4.3MM. On April 27, 2010, Dr. Huping Zhou of UCLA Healthcare was sentenced to four months in federal prison for HIPAA violations. What is a Breach? According to the Health Information Technology for Economic and Clinical Health (HITECH) Act: A breach is the impermissible use or disclosure of PHI such that said use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. Breach notification is only required where unsecured PHI is involved. • Unsecured PHI is PHI which has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance. 23 Breach Penalties Civil: – $100 to $50,000 per breach ($1.5MM calendar year cap; was $25,000 pre-HITECH) Criminal: – $50,000 - $250,000 fine and/or 1 – 10 years in federal prison State attorneys general permitted to civilly sue on behalf of affected residents Breach Safe Harbor: Encryption Electronic PHI (ePHI): any device or medium used to store, transmit or receive PHI electronically. Desktops, tablets, or laptops External devices or media, including iPads, tapes, or disks Removable storage devices (USB drives, tapes, keys, CDs, DVDs, etc.) PDAs, Smart Phones Electronic transmission including e-mail, File Transfer Protocol (FTP), wireless, etc. 25 Components of Network Security 26 The Front Door of Your Network Hardware Firewall – – – Protects your network Provides access rules Allows only trusted partners access to your network Remote Access – Allows only trusted users (authentication) – Must be encrypted (VPN or SSL/TLS) – Security wins over ease of use Wireless Devices – Must be encrypted – Allow only trusted devices 27 The Back Door of Your Network E-mail born threats – Viruses – software that reproduces – Malware – malicious software – Keyloggers – software that steals your passwords Out-of-date antivirus system Outdated operating systems Missing patches for operating systems 28 The Danger Within Lost laptops, tablets, PDAs, and smart phones with ePHI Sharing passwords or using the same password for everything Transmission of ePHI without encryption Responding to bogus requests: phone, e-mail, Web (phishing) ePHI leaving the building on electronic media without encryption (tapes, CDs, USB drives, etc.) Installing risky software (Audiogalaxy, Limewire, uTorrent, etc.) 29 Phishing You have received an urgent system message from the Citibank Department. To read your message, please go to your account immediately. Citibank Service Center Attn: E-mail/Internet Services 100 Citibank Drive Building 3, 1st Floor San Antonio, TX 78245 Other Security Risks: Disposal of Equipment Many technologies today use hard drives that can contain ePHI! Care must be taken in disposal so that ePHI is erased. Always ensure that IT has cleaned or destroyed hard drives prior to disposal. 31 How Can You Keep the Network Secure? 32 User Access Control and Password Guidance Unique User ID – Never share your user ID! – All system access with your ID is YOUR responsibility Password Guidelines – – – – Do not reuse the last 12 passwords Change your password at least every 90 days Passwords must be at least 8 characters Passwords must be a combination of upper and lower case letters, number and special characters – User account locks after 3 failed attempts 33 Automatic Logoff Automatic Logoff Your EHR session should terminate after 15 minutes of inactivity. – Always save your work before leaving your workstation! Your Windows screensaver should lock your workstation after 15 minutes of inactivity. – Pushing Windows+L or Ctrl+Alt+Delete and Enter on your keyboard will manually lock your workstation. 34 Remote Access Remote Access – Must use a VPN tunnel or SSL/TLS connection. – Requires user authentication. – Always physically secure your laptop, PDA, or other mobile device when traveling! 35 Certified EHR Security Requirements Access Controls Emergency Access Automatic Log-off Audit Log Integrity Authentication General Encryption Encryption when exchanging electronic health information 36 Tasks for “The IT Guy” (or Gal) Role-Based Access: Manage who gets access to what Firewall Review: Make sure that communication with the outside world is secure Wireless Security: Manage who gets WiFi access Antivirus: Manage software to keep viruses and malware at bay Server/Workstation Updates: Make sure all software gets appropriate updates to mitigate problems 37 Tasks for “The IT Guy” (or Gal) Backup: Keep a backup of all data, just in case! Backup Encryption: Make backup data unreadable to snoopers. Recovery: Have a plan in case disaster strikes! 38 Summary Protecting data is everyone’s responsibility Understand HIPAA Hold each other accountable 39 Quality Insights of Delaware IHPC LAN Join theHITCommunity.org theHITCommunity.org is a unique Health IT (HIT) user hub which provides access to useful tools, resources, educational materials and practical information surrounding HIT. This Web site also allows you to start a forum of sharing about the EHR system that you are using in your practice, allowing you to not only share best practices with your peers, but also providing you the opportunity to problem solve with fellow EHR users. To create your account: Go to https://www.thehitcommunity.org Click 'JOIN' Create an account Complete the requested info Use the referral code 'QIDIHPC' After account created: Select 'Communities’ Select 'Dedicated Communities' Quality Insights of Delaware (you can set this as your home page) Q & A Session QUESTIONS? For more information about Network Security for end users in health care, please contact QIDE REC. Ph: 1.866.475.9669 Web: www.dehitrec.org This project is made possible through a grant from the Office of the National Coordinator with Department of Health and Human Services support. Grant No. 90RC0044/01. Publication No. DEREC-LF-090712. App 9/12.