Health IT Privacy and Security:

23 Feb 2014

Lock IT, Don’t Leave IT

Nicholas P. Heesters, Jr., M.Eng., J.D., C.H.P.

Privacy and Security Specialist

302.478.3600, ext. 136

nheesters@wvmi.org

http://www.dehitec.org

Disclaimer

The information included in this presentation is for informational purposes only and is not a substitute for legal advice.

Please consult your attorney if you have any particular questions regarding specific legal issues.

Agenda

Why Is Security Important

What Is HIPAA

HIPAA Security Rule

PHI and Breaches

Components of Network Security

How You Can Help Keep the Network Secure

Why Should We Care About Network Security?

Potential for downtime and impact on patient care

Expense to the practice

Damage to reputation for security breaches (newspaper headlines, HHS Wall of Shame)

Fines and/or prison for security breaches

HIPAA requires the implementation of security measures to protect PHI on paper and electronically

HIPAA - What is it?

Health Insurance Portability and Accountability Act

Privacy Rule (compliance: April 2003)

Security Rule (compliance: April 2005)

Enforcement Rule (effective: March 2006)

HITECH Act of 2009

Who is covered under HIPAA?

Health Plans

Health Care Providers

Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions is a covered entity.

These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule.

Health Care Clearinghouses

Business Associates

HIPAA Privacy Rule

Established national standards protecting the privacy and security of personal health information

Protects the confidentiality of Protected Health Information (PHI)

Empowered individuals with rights concerning disclosure of health information

Minimum Necessary Rule: “… take reasonable steps to limit the use or disclosure of, and requests for, [PHI] to the minimum necessary to accomplish the intended purpose.”

HHS OCR HIPAA Video

HIPAA Security Rule

Applies to Protected Health Information in electronic form (ePHI)

Security Rule Safeguard Standards

Administrative (10 Required; 11 Addressable)

Physical (2 Required; 6 Addressable)

Technical (2 Required; 5 Addressable)

HHS OCR HIPAA Video

Required v. Addressable

Required:

Must be implemented

Addressable:

NOT optional

If not reasonable and appropriate, can implement equivalent alternative, or

If security standard is already met, or if identified risk is negligible, an addressable specification may be left not implemented

Administrative Safeguards

Security Management Process

Risk Analysis, Risk Management, Sanctions

Workforce Security

Termination, Clearance, Authorization

Security Incident Response Procedures

Contingency Plan

Disaster Recovery, Emergency Operations

Training

Physical Safeguards

Facility Access Control

Security Plan, Access Control, Maintenance

Workstation Use

Workstation Security

Device and Media Controls

Backup and Storage

Media Reuse and Disposal

Technical Safeguards

Access Control

Implement policies and procedures to permit only authorized personnel access to ePHI

Unique User Identification (Required)

Assign a unique user name and/or number for identifying and tracking user identity

Ensure system activity can be traced to a specific user

Certified EHR criteria (§170.302(o))

Only permit authorized users to access ePHI

Emergency Access Procedure (Required)

Procedures to obtain ePHI during an emergency

Pre-stage break glass user ids

Certified EHR criteria (§170.302(p))

Permit users authorized in emergency situations to access ePHI

Technical Safeguards Cont.

Access Control Cont.

Automatic Logoff (Addressable)

What period of system inactivity is considered reasonable before initiating automatic logoff

Certified EHR criteria (§170.302(q))

Encryption and Decryption (Addressable)

Implement a mechanism to encrypt and decrypt ePHI

Full disk encryption, file or folder encryption

Breach Notification safe harbor

Certified EHR criteria (§170.302(u))

Symmetric 128-bit fixed block cipher using a 128-, 192-, or 256-bit encryption key


Technical Safeguards Cont.

Audit Controls

Implement hardware, software and/or procedures to record and examine activity in systems that contain or use ePHI

Correlate to Information System Activity Review procedures

Certified EHR criteria (§170.302(r))

Record date, time, patient ID and user ID whenever ePHI is created, modified, deleted or printed

User can generate an audit log for a specific time period

Person or Entity Authentication

Verify identity of person or entity seeking access to ePHI

Password, token/smartcard, biometric

8-10 characters, include upper and lower case characters along with a number and symbol, change every 90 days

Certified EHR criteria (§170.302(t))


Technical Safeguards Cont.

Integrity

Implement policies and procedures to protect ePHI from improper alteration or destruction

Mechanism to Authenticate ePHI (Addressable)

Mechanism to verify that ePHI has not been altered or destroyed in an unauthorized manner

ECC RAM, checksums, logs

Certified EHR criteria (§170.302(s))

Detect the alteration of audit logs
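
The Audit Controls and Integrity points above (record date, time, patient ID and user ID for every ePHI event; report on a time period; detect alteration of the audit log) in working form, as an added example that is not part of the presentation: a hash-chained log in which each entry's SHA-256 digest also covers the previous digest, so any altered entry is found on verification. The function names, the ISO 8601 UTC timestamp convention and the sample user and patient IDs are constructed for this illustration.

```python
# Added example, not from the presentation: a tamper-evident audit log
# covering the Audit Controls and Integrity points above. Every entry
# records time, patient ID, user ID and the action taken on ePHI, and is
# chained to the previous entry with a SHA-256 digest, so altering any
# stored entry is detectable. User and patient IDs are constructed values.
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64                      # hash "before" the first entry
ACTIONS = {"created", "modified", "deleted", "printed"}


def _digest(prev_hash: str, body: dict) -> str:
    # Canonical JSON so an entry always hashes the same way.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_event(log: list, when: str, user_id: str,
                 patient_id: str, action: str) -> dict:
    """Record one ePHI event. `when` is an ISO 8601 UTC timestamp."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    prev = log[-1]["hash"] if log else GENESIS
    body = {"time": when, "user_id": user_id,
            "patient_id": patient_id, "action": action}
    entry = dict(body, hash=_digest(prev, body))
    log.append(entry)
    return entry


def verify_chain(log: list) -> Optional[int]:
    """Index of the first altered entry, or None if the log is intact.
    Note: removal of the newest entries is only caught if the latest
    hash is also kept somewhere the log writer cannot modify."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("hash") != _digest(prev, body):
            return i
        prev = entry["hash"]
    return None


def report(log: list, start: str, end: str) -> list:
    """Entries for a specific time period (inclusive; same UTC format)."""
    return [e for e in log if start <= e["time"] <= end]
```

The same digest-and-compare idea is what the transmission integrity control relies on: hash the ePHI before sending, hash it again on receipt, and reject the message if the two differ.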

Technical Safeguards Cont.

Transmission Security

Implement security measures to guard against unauthorized access to ePHI transmitted electronically

Integrity Controls (Addressable)

Ensure detection of the improper modification of PHI when electronically transmitted

Certified EHR criteria (§170.302(s))

Use a secure hashing algorithm (SHA-1 or higher) to verify that ePHI has not been altered during transmission

Encryption (Addressable)

Certified EHR criteria (§170.302(v))

When exchanging ePHI an encrypted and integrity protected link must be used


Technical Safeguards Audit

HIPAA Audit document requests:

Authentication Policies and Procedures

Encryption Policies and Procedures

Audit Policies and Procedures

System list of all users with access to ePHI

System list of new users within the past year


PHI and Breach

Protected Health Information (PHI)

Protected Health Information (PHI) under HIPAA is any information identifying an individual and that relates to at least one of the following:

The individual’s past, present or future physical or mental health

The provision of health care to the individual

The past, present or future payment for health care

Information identifies an individual if it includes either the individual’s name or any other information that could enable someone to determine the individual’s identity

Personally Identifiable Information (PII)

Names

Geographical information

Dates related to an individual

Phone numbers

Fax numbers

Email addresses

Social Security numbers (SSN)

Medical record numbers

Health plan numbers

Account numbers

Certificate/license numbers

Vehicle identifiers

Device identifiers

Web Addresses

IP Addresses

Biometric identifiers

Photographs

Any unique identifying number, characteristic, or code


Breach Headlines

Breaches of Unsecured PHI affecting 500 or more individuals

Posted on the OCR Web site - “Wall of Shame”

Out of 380 breaches, 264 (over 15 million affected individuals) could have been prevented with encryption

More Breach Headlines

In April 2012, Phoenix Cardiac Surgery agreed to a settlement of $100,000 for posting PHI on the Internet and related deficiencies.

On Feb. 4, 2011, OCR assessed a civil monetary penalty against Cignet Health of Prince Georges County, MD of $4.3MM.

On April 27, 2010, Dr. Huping Zhou of UCLA Healthcare was sentenced to four months in federal prison for HIPAA violations.

What is a Breach?

According to the Health Information Technology for Economic and Clinical Health (HITECH) Act:

A breach is the impermissible use or disclosure of PHI such that said use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

Breach notification is only required where unsecured PHI is involved.

Unsecured PHI is PHI which has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance.

Breach Penalties

Civil:

$100 to $50,000 per breach ($1.5MM calendar year cap; was $25,000 pre-HITECH)

Criminal:

$50,000 - $250,000 fine and/or 1-10 years in federal prison

State attorneys general permitted to civilly sue on behalf of affected residents

Breach Safe Harbor: Encryption

Electronic PHI (ePHI): any device or medium used to store, transmit or receive PHI electronically.

Desktops, tablets, or laptops

External devices or media, including iPads, tapes, or disks

Removable storage devices (USB drives, tapes, keys, CDs, DVDs, etc.)

PDAs, Smart Phones

Electronic transmission including e-mail, File Transfer Protocol (FTP), wireless, etc.

Components of Network Security

The Front Door of Your Network

Hardware Firewall

Protects your network

Provides access rules

Allows only trusted partners access to your network

Remote Access

Allows only trusted users (authentication)

Must be encrypted (VPN or SSL/TLS)

Security wins over ease of use

Wireless Devices

Must be encrypted

Allow only trusted devices

The Back Door of Your Network

E-mail borne threats

Viruses - software that reproduces

Malware - malicious software

Keyloggers - software that steals your passwords

Out-of-date antivirus system

Outdated operating systems

Missing patches for operating systems

The Danger Within

Lost laptops, tablets, PDAs, and smart phones with ePHI

Sharing passwords or using the same password for everything

Transmission of ePHI without encryption

Responding to bogus requests: phone, e-mail, Web (phishing)

ePHI leaving the building on electronic media without encryption (tapes, CDs, USB drives, etc.)

Installing risky software (Audiogalaxy, Limewire, uTorrent, etc.)

Phishing

You have received an urgent system message from the Citibank Department.

To read your message, please go to your account immediately.

Citibank Service Center
Attn: E-mail/Internet Services
100 Citibank Drive
Building 3, 1st Floor
San Antonio, TX 78245


Other Security Risks: Disposal of Equipment

Many technologies today use hard drives that can contain ePHI!

Care must be taken in disposal so that ePHI is erased. Always ensure that IT has cleaned or destroyed hard drives prior to disposal.

How Can You Keep the Network Secure?

User Access Control and Password Guidance

Unique User ID

Never share your user ID!

All system access with your ID is YOUR responsibility

Password Guidelines

Do not reuse the last 12 passwords

Change your password at least every 90 days

Passwords must be at least 8 characters

Passwords must be a combination of upper and lower case letters, number and special characters

User account locks after 3 failed attempts
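
An added example, not from the presentation, of enforcing the password guidelines above in code: the complexity rules, the last-12 history, the 90-day change interval and lockout after 3 failed attempts. The Account class, the day-number convention for dates, the PBKDF2 storage of the history and the sample credentials are constructed for this illustration; a real system would persist the state and log the events.

```python
# Added example, not from the presentation: enforces this slide's rules
# (8+ chars with upper/lower case, a number and a symbol; no reuse of the
# last 12 passwords; change every 90 days) plus lockout after 3 failures.
import hashlib
import hmac
import os
import string

MIN_LENGTH, HISTORY, MAX_AGE_DAYS, MAX_FAILURES = 8, 12, 90, 3

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def complexity_errors(password: str) -> list:
    """Rules the candidate password breaks (empty list means it passes)."""
    checks = [
        (len(password) >= MIN_LENGTH, f"at least {MIN_LENGTH} characters"),
        (any(c.isupper() for c in password), "an upper case letter"),
        (any(c.islower() for c in password), "a lower case letter"),
        (any(c.isdigit() for c in password), "a number"),
        (any(c in string.punctuation for c in password), "a special character"),
    ]
    return [msg for ok, msg in checks if not ok]

class Account:
    def __init__(self, user_id: str, password: str, today: int):
        self.user_id, self.history, self.failures, self.locked = user_id, [], 0, False
        self.set_password(password, today)

    def set_password(self, password: str, today: int) -> None:
        errors = complexity_errors(password)
        if errors:
            raise ValueError("password needs " + ", ".join(errors))
        if any(hmac.compare_digest(_hash(password, s), h) for s, h in self.history):
            raise ValueError(f"password was one of the last {HISTORY} used")
        salt = os.urandom(16)                  # fresh salt per stored password
        self.history = (self.history + [(salt, _hash(password, salt))])[-HISTORY:]
        self.changed_on = today                # day number, e.g. days since epoch

    def login(self, password: str, today: int) -> bool:
        """True only for an unlocked account with a correct, unexpired password."""
        if self.locked:
            return False
        salt, current = self.history[-1]
        if not hmac.compare_digest(_hash(password, salt), current):
            self.failures += 1
            self.locked = self.failures >= MAX_FAILURES
            return False
        self.failures = 0                      # a good login clears the count
        return today - self.changed_on < MAX_AGE_DAYS
```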


Automatic Logoff

Your EHR session should terminate after 15 minutes of inactivity.

Always save your work before leaving your workstation!

Your Windows screensaver should lock your workstation after 15 minutes of inactivity.

Pressing Windows+L or Ctrl+Alt+Delete and Enter on your keyboard will manually lock your workstation.

Remote Access

Must use a VPN tunnel or SSL/TLS connection.

Requires user authentication.

Always physically secure your laptop, PDA, or other mobile device when traveling!


Certified EHR Security Requirements

Access Controls

Emergency Access

Automatic Log-off

Audit Log

Integrity

Authentication

General Encryption

Encryption when exchanging electronic health information

Tasks for “The IT Guy” (or Gal)

Role-Based Access: Manage who gets access to what

Firewall Review: Make sure that communication with the outside world is secure

Wireless Security: Manage who gets WiFi access

Antivirus: Manage software to keep viruses and malware at bay

Server/Workstation Updates: Make sure all software gets appropriate updates to mitigate problems

Backup: Keep a backup of all data, just in case!

Backup Encryption: Make backup data unreadable to snoopers.

Recovery: Have a plan in case disaster strikes!


Summary

Protecting data is everyone’s responsibility

Understand HIPAA

Hold each other accountable

Quality Insights of Delaware IHPC LAN

Join theHITCommunity.org

theHITCommunity.org is a unique Health IT (HIT) user hub which provides access to useful tools, resources, educational materials and practical information surrounding HIT. This Web site also allows you to start a forum of sharing about the EHR system that you are using in your practice, allowing you to not only share best practices with your peers, but also providing you the opportunity to problem solve with fellow EHR users.

To create your account:

Go to https://www.thehitcommunity.org

Click 'JOIN'

Create an account

Complete the requested info

Use the referral code 'QIDIHPC'

After account created:

Select 'Communities'

Select 'Dedicated Communities'

Quality Insights of Delaware (you can set this as your home page)

Q & A Session

QUESTIONS?

For more information about Network Security for end users in health care, please contact QIDE REC.

Ph: 1.866.475.9669 Web: www.dehitrec.org

This project is made possible through a grant from the Office of the National Coordinator with Department of Health and Human Services support. Grant No. 90RC0044/01. Publication No. DEREC-LF-090712. App 9/12.