Information Security Risk Management in Biomedical Equipment
Transcript of Information Security Risk Management in Biomedical Equipment
www.acesummitandexpo.com
Facilities and Clinical Engineering Track: Addressing Risk Management in Biomedical Equipment
January 14, 2013
Bart Hubbs - Chief Information Security Officer, FMOL Health System
Bud DeGraff - GM, Diagnostic & Clinical Services, GE Healthcare
Overview
• Biomedical devices have evolved from largely stand-alone devices to more digitally integrated data collection and delivery units.
• Device evolution has helped improve and streamline patient monitoring and subsequent care by collecting and delivering actionable patient data to the right caregivers.
• The streamlined collection and delivery of patient data has also increased risk in other areas.
• Making a good “partnership”: identifying impact and likelihood together, with a focus on the controls and mitigation tools/approaches each party owns.
What is Risk?
• Risk can be viewed as the intersection of impact and likelihood of negative occurrence.
(Risk = Impact x Likelihood)
• Impact can be experienced via loss of confidentiality, integrity, and/or availability of data.
• Likelihood of loss generally falls as controls are strengthened and rises as weaknesses are introduced or left unaddressed.
What is Risk Management?
• Risk management can be viewed simply as bringing risk to a level that falls within organizational risk tolerance.
• Management activities include adjusting likelihood and/or impact.
• Risk management also includes compliance with federal, state, and industry requirements (examples: HIPAA, PCI-DSS, SOX, GLBA, FERPA, etc.).
HIPAA and “Protected Health Information”
• U.S. Federal Regulations
• PHI is generally defined as individually identifiable health information created or received by a
– Health care provider, health plan, employer, health care clearinghouse, or business associate; and
• That relates to an individual's past, present or future physical or mental health or condition, the provision of health care to an individual, or payment for the provision of health care to an individual.
Why is the term “PHI” important?
• When data is classified as PHI, is in digital form, and is in the custody of or shared by an entity defined previously, the HIPAA Security Rule applies.
• Electronic PHI is often referred to as ePHI.
• Risk management activities are then structured based on the HIPAA Security Rule.
• Risk management/mitigation actions are generally focused on reducing likelihood.
• However, risk management/mitigation actions can also be focused on impact reduction via data de-identification.
De-Identified Health Information
• Does not identify, nor provide a reasonable basis to identify, an individual.
• Not considered PHI − there are no restrictions on the use or disclosure of de-identified health information.
• Two ways to de-identify information:
− Remove certain specified identifiers; or
− Obtain a formal determination by a qualified statistician.
ePHI Confidentiality Loss and Impact
• HITECH enhanced the importance of ePHI protection through its breach notification requirements.
• HITECH was enacted as part of the American Recovery and Reinvestment Act.
• Millions can be spent responding to a breach.
• Reputation-related costs can be significant.
• Mitigation is increasingly important with EHR adoption in hospitals and the growing number of “systems of systems” carrying ePHI.
Business Associates and HITECH
• HITECH also establishes that “business associates” are directly required to comply with the HIPAA Security Rule.
• Previously, “business associate” compliance with the HIPAA Security Rule was established only via contract with the covered entity.
What are “Covered Entities” and “Business Associates”?
• Covered Entities (“CE”) -- health plans, health care clearinghouses and most health care providers.
• Business Associates -- third parties who perform, or assist a Covered Entity in performing, a function or activity.
Understanding Risk – Information Sources
• MDS2 -- Manufacturer Disclosure Statement for Medical Device Security. Link: www.himss.org/content/files/MDS2FormInstructions.pdf
• Vendor SMEs – subject matter experts from the vendor can provide an enhanced understanding of the information stored or transmitted by the device.
• Vendor manuals – many are online and provide detailed information about data, controls and configurations.
Reducing Risk – Management Levers
Impact levers:
• ePHI element reduction (limited data-set)
• Data de-identification
Likelihood levers:
• Administrative controls
− Policies
− Security awareness
− Incident response procedures
• Physical controls
− Building and zone controls
− Inventory management
− Workstation/storage controls
− Device disposal
• Technical controls
− Access controls
− Encryption
− User management
Employee Awareness Training
• Consider having a named person actively manage PHI in the hospital, whether in Biomed, IT, or Risk Management.
• Define clearly what PHI is in new-hire and ongoing training.
• Explain how to de-identify data and which types of data must not be shown.
• Service Procedures Manual wording: “In the normal course of performing services for our Customers, Employees may come into contact with protected health information (PHI). PHI is specific information about an individual patient …. This information is often encountered on display monitors, in storage media such as hard drives. You must take every means possible to secure this information.”
IT Specifics & Mitigation Tools
• Today’s hospital is an internet of devices … a system of systems.
• Networks are at risk if not protected. Wireless applications and allowing Wi-Fi for patients/visitors are potential risk areas.
• Real-time tracking technology/solutions allow all equipment to be found faster, give better compliance tracking, and speed incident response.
• Vendor technologies such as phone-home functionality that allow service requests or proactive service should be designed to anonymize data where possible, in order to prevent unnecessary exposure of PHI.
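The de-identification lever from the earlier slide and the phone-home anonymization point above both come down to the same operation: strip or generalize the identifiers in a device record before it leaves the covered entity. The following Python is an added example, not code from the slides, FMOL Health System, or GE Healthcare. It applies the HIPAA Privacy Rule “safe harbor” method (45 CFR 164.514(b)(2)) to a constructed patient-monitor service export: direct identifiers are dropped, dates are reduced to the year, ages of 90 and over are bucketed (with the birth year removed), and ZIP codes are truncated to three digits. The record layout, field names, the sample record, and the small-population ZIP prefix set are all assumptions made for the example.

```python
"""Safe-harbor style de-identification of a constructed device export.

Added example; not from the slides or either vendor. The field names,
SAMPLE_EXPORT, and SMALL_ZIP3 are constructed for illustration.
"""
import re
from datetime import date

# Fields safe harbor requires removed outright (direct identifiers).
DIRECT_IDENTIFIERS = {
    "patient_name", "mrn", "ssn", "phone", "email", "street_address",
    "account_number", "device_serial", "ip_address",
}
DATE_FIELDS = {"date_of_birth", "admission_date", "reading_time"}
ZIP_FIELDS = {"zip"}
FREE_TEXT_FIELDS = {"service_note"}

# 3-digit ZIP prefixes whose area holds <= 20,000 people must become "000".
# CONSTRUCTED placeholder set; the real set comes from census data.
SMALL_ZIP3 = {"036", "059", "102"}

ISO_DATE = re.compile(r"(\d{4})-\d{2}-\d{2}")
# Identifier patterns that commonly leak into free-text service notes.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\bMRN\s*#?\s*\d+\b", re.IGNORECASE), "[MRN]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]

# Date of the talk, used as the "as of" date for age calculation.
AS_OF = date(2013, 1, 14)


def year_only(value):
    """Keep only the year of an ISO date or datetime string; None if unparseable."""
    m = ISO_DATE.match(value)
    return m.group(1) if m else None


def age_bucket(dob, as_of):
    """Return the age as a string; ages over 89 collapse into a single '90+' bucket."""
    born = date.fromisoformat(dob)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age >= 90 else str(age)


def zip3(zip_code):
    """Truncate to the first three digits, zeroing small-population areas."""
    prefix = zip_code[:3]
    return "000" if prefix in SMALL_ZIP3 else prefix


def scrub_text(text):
    """Pattern-based redaction of free text. Names are NOT caught by this."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return ISO_DATE.sub(lambda m: m.group(1), text)


def deidentify(record, as_of=AS_OF, keep_free_text=False):
    """Return a safe-harbor de-identified copy of a flat device record.

    Free-text fields are dropped by default because regex scrubbing cannot
    reliably remove names; pass keep_free_text=True only after review.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            year = year_only(value)
            if year is not None:
                out[key] = year
        elif key in ZIP_FIELDS:
            out[key] = zip3(value)
        elif key in FREE_TEXT_FIELDS:
            if keep_free_text:
                out[key] = scrub_text(value)
        else:
            out[key] = value  # clinical measurements pass through unchanged
    if "date_of_birth" in record:
        out["age"] = age_bucket(record["date_of_birth"], as_of)
        if out["age"] == "90+":
            out.pop("date_of_birth", None)  # birth year would reveal age > 89
    return out


# CONSTRUCTED sample phone-home record from a patient monitor.
SAMPLE_EXPORT = {
    "patient_name": "Jane Q. Example",
    "mrn": "00412345",
    "date_of_birth": "1920-02-14",
    "admission_date": "2012-11-03",
    "zip": "70808",
    "device_serial": "MON-7781",
    "ip_address": "10.20.4.12",
    "reading_time": "2012-11-04T08:15:00",
    "heart_rate": 72,
    "spo2": 97,
    "service_note": "Patient Jane Q. Example, MRN 00412345, call 225-555-0142 "
                    "re alarm on 2012-11-04; device at 10.20.4.12",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_EXPORT))
    print(deidentify(SAMPLE_EXPORT, keep_free_text=True)["service_note"])
```

Note the two failure modes the example handles: a patient aged 90 or over keeps only the bucket, not the birth year, and the free-text service note is dropped unless explicitly kept, because the patient's name survives pattern-based scrubbing. A vendor's phone-home channel that forwards such notes should treat them as PHI until a reviewer or a qualified statistician's determination says otherwise.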
PHI Threats/Areas of Concern
Proactive Incident Response
• IT and Risk Management should both have data breach plans.
• When you work with vendors, make sure Business Associate agreements are in place to protect the privacy of PHI. This includes legal indemnifications.
• Service Procedures Manual: “In the event that an information system has been compromised in such a way that unauthorized individuals, either at a customer’s site or at business associate’s location, could access PHI you must report the event immediately. Reports of events shall be made via the Concern and Incident Reporting Portal at Security and Crisis Management Center.”
Common Issue Areas
• Not having a “robust, living” risk management plan covering both the facility and the vendor.
• Not having clearly drawn partnership lines between hospital system and vendor responsibilities: which areas carry risk, and how each is controlled/mitigated.
• Device security configurations that are undocumented and inconsistent. Not all vendors are created equal in the security space.
• Lack of facility and vendor engagement in developing controls for biomed equipment.
The Future of PHI
• Today the industry relies on human controls, with each site required under HIPAA to manage them.
• Software is being developed to automatically wipe equipment clean of PHI.
• In the future, control of PHI will be a built-in pillar of IT operations and of default device configurations.
• Covered Entities and Business Associates will demand risk mitigation because of enhanced fines and the ongoing cost of breach notification.
Addressing Risk Management in Biomedical Equipment
Questions
Bart Hubbs - Chief Information Security Officer, FMOL Health System
Bud DeGraff - GM, Diagnostic & Clinical Services, GE Healthcare