IT Security and Compliance in the Age of the EHR · HCCA Clinical Practice Compliance Conference

HCCA Clinical Practice Compliance Conference

October 23‐25, 2016


IT SECURITY AND COMPLIANCE IN THE AGE OF THE EHR
Phillip F. Bressoud, MD, FACP
Associate Professor of Medicine
University of Louisville
October 25, 2016

Objectives

• Understand security regulations and the risks of electronic records

• Understand the security threats facing electronic records

• Understand emerging security threats

• Understand the challenges facing EHRs


Outline

• Origin of Medical Records

• Security Requirements

• Security Risk Assessment

• Regulatory Pressures

• Internal vs External Threats

• Emerging Threats

• Challenges

• Summary

KEEP CALM AND PREPARE


ORIGIN OF THE MEDICAL RECORD

In The Beginning

Richard Napier; Simon Forman


In The Beginning

Regulatory Snowball


Regulatory Pressures

– Health Insurance Portability & Accountability Act (HIPAA)

– HITECH

– NIH Data Sharing Policy

– NIH Genome-Wide Association Study Data Sharing Policy

– MACRA

– MIPS

– State-specific laws and regulations

Health Insurance Portability and Accountability Act - HIPAA

• The HIPAA Privacy Rule provides federal protections for individually identifiable health information.

• HIPAA applies to “PHI” (Protected Health Information): information that identifies whom the health-related information belongs to - names, email addresses, phone numbers, medical record numbers, photos, driver’s license numbers, etc.

• If you hold something that can identify a person together with health information of any kind (from an appointment, to a list of prescriptions, to test results, to a list of doctors), you have PHI that must be protected under HIPAA.

• ePHI is simply PHI that is created, stored or transmitted electronically (e.g. via email, text message, web site, database, online document storage). Fax is a boundary case: a paper-to-paper fax is not ePHI under the Security Rule, but a fax image held on a fax server or e-fax service is.


HIPAA Applies to Everyone Touching PHI

• Applies to:

• Health plans

• Health care clearinghouses

• Health care providers

• HITECH extends HIPAA requirements directly to Business Associates of Covered Entities.

• Even law firms must comply with HIPAA where they handle PHI.

Security Risk Assessment

• Required by the HIPAA Security Rule (the risk analysis standard) and attested to under HITECH / Meaningful Use

• Physical component

• Administrative component

• Technical component


Security Risk Assessment

• Physical component
  • Locks
  • Peep holes
  • Cameras
  • Hardware locked down
  • USB/ports physically blocked

• Administrative policies
  • Password policies
  • Encryption policies
  • User management
  • Access appropriate for user


• Technical component
  • Anti-virus and anti-malware
  • Intrusion detection software
  • DDoS attack detection
  • Disaster recovery
  • Access control
  • Data backup

HIPAA Enforcement by HHS and OCR

• Health and Human Services
  • Since April 2003, 137,770 HIPAA complaints
  • Conducted 885 compliance reviews

• OCR
  • Investigated 24,331 cases
  • Settled 37 cases for $39.9 million
  • 11,055 cases: no violation occurred
  • An additional 14,535 cases resolved with technical assistance


Largest HIPAA Fines: “Wall of Shame” (fines in $ millions)

Organization    | Year | Records    | Root Cause                                                                        | Fine
Advocate Health | 2013 | 4 million  | Two stolen laptops; business associate network breach                             | $5.55
NYPH/Columbia   | 2010 | Unknown    | Technical failure left patient information reachable through search engines       | $4.8
Cignet Health   | 2010 | 41         | Denied 41 patients access to their charts; included a $3.0 million civil penalty   | $4.3
Triple-S        | 2013 | 13,336     | Displayed Medicare claim numbers on a brochure; lack of security measures         | $3.5
UMMC            | 2013 | 10,000     | Missing password-protected laptop; failure to notify patients; no risk management | $2.75
Oregon HSU      | 2013 | 7,000      | Unencrypted laptop; ePHI stored in Google Drive                                   | $2.7
CVS             | 2009 | not stated | Disposed of pill bottles in a dumpster                                            | $2.25
NYPH            | 2011 | 2+         | Filmed TV show “NY Med” without patient consent                                   | $2.2
Concentra       | 2012 | 148        | Unencrypted laptop                                                                | $1.7
Wellpoint       | 2010 | 612,000    | Lack of policies and technical safeguards                                         | $1.7

Source: Health IT and CIO Review, August 10, 2016

The Threats (pie chart): 80% internal, 20% external


INTERNAL THREATS

Employees: the Greatest Risk

“81% had a root cause in employee negligence.”

- Michael Bruemmer, VP of Consumer Protection at Experian


Common Ways Employees Compromise Data

• Disgruntled employees
• Weak user ID policies
• Poor password practices
• Weak access policies
• Unsafe downloads
• Phishing and social engineering
• Unprotected data and email
• Theft

Insider Malice
• Most incidents happen within 30 days before or after the employee’s last day.
• Prevention
  • Limit access as soon as the employee is leaving the facility, not after
  • Block access to USB drives and CD burners
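As an added example that is not part of the slides: the two controls above (cut access at departure, watch the 30-day window) can be checked mechanically by joining the HR separation list against the identity system and the EHR chart-access audit log. The Python below uses constructed sample data; the user names, dates, the 3x-baseline spike threshold and the report date are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import median

# Constructed sample data (not from the slides). HR separation list: user -> last day
# of employment. User names and dates are hypothetical.
HR_SEPARATIONS = {
    "jdoe": date(2016, 9, 30),
    "asmith": date(2016, 11, 14),
}

# Accounts still enabled in the identity system (constructed).
ACTIVE_ACCOUNTS = {"jdoe", "asmith", "bwayne"}

# Date the report is run (assumed).
REPORT_DATE = date(2016, 10, 25)

# Constructed EHR audit summary: date, user, number of patient charts opened that day.
AUDIT_LOG = """\
2016-08-01,jdoe,12
2016-08-15,jdoe,15
2016-09-01,jdoe,14
2016-09-20,jdoe,95
2016-09-25,jdoe,120
2016-10-03,jdoe,40
2016-08-02,asmith,20
2016-09-02,asmith,18
2016-10-01,asmith,22
2016-10-12,asmith,19
2016-08-05,bwayne,30
"""

WINDOW_DAYS = 30      # the 30-day window around the last day cited on the slide
SPIKE_FACTOR = 3.0    # assumed threshold: flag days above 3x the user's baseline median


def parse_log(text):
    """Parse 'YYYY-MM-DD,user,count' lines into (date, user, count) tuples."""
    events = []
    for line in text.strip().splitlines():
        day, user, count = line.split(",")
        events.append((datetime.strptime(day, "%Y-%m-%d").date(), user, int(count)))
    return events


def stale_accounts(active, separations, as_of):
    """Accounts whose owner's last day has passed but which are still enabled."""
    return sorted(u for u in active if u in separations and separations[u] < as_of)


def find_insider_risk(events, separations, window_days=WINDOW_DAYS, spike_factor=SPIKE_FACTOR):
    """Flag chart access after the last day, and access spikes in the window before it.

    Returns a list of (user, day, count, reason)."""
    by_user = defaultdict(list)
    for day, user, count in events:
        by_user[user].append((day, count))

    findings = []
    for user, last_day in separations.items():
        window_start = last_day - timedelta(days=window_days)
        rows = sorted(by_user.get(user, []))
        # Baseline = median daily volume before the risk window opened.
        baseline = [c for d, c in rows if d < window_start]
        base = median(baseline) if baseline else None
        for day, count in rows:
            if day > last_day:
                findings.append((user, day, count, "chart access after last day of employment"))
            elif day >= window_start and base is not None and count > spike_factor * base:
                findings.append((user, day, count,
                                 f"{count} charts/day exceeds {spike_factor:g}x baseline median {base:g}"))
    return findings


if __name__ == "__main__":
    print("enabled accounts past last day:", stale_accounts(ACTIVE_ACCOUNTS, HR_SEPARATIONS, REPORT_DATE))
    for finding in find_insider_risk(parse_log(AUDIT_LOG), HR_SEPARATIONS):
        print(finding)
```

On the constructed data the stale-account check catches jdoe, whose account is still enabled almost a month after the last day, and the volume check flags two days of chart access in the 30-day window at seven to nine times the earlier baseline, plus a login after separation. In production the same join would run daily against the identity provider and the EHR audit trail rather than a flat file.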


Weak Access Policies
• Employee has more access than necessary
• Prevention
  • Develop strict access policies
  • Revoke access as soon as the employee no longer needs it
  • Make folders inaccessible by default

Unsafe Downloads
• Employee downloads infected email attachments, screen savers, web files
• Prevention
  • Active virus scanning and data backup
  • Web site blocking
  • Employee training


Unprotected Data and Emails
• Lack of data and/or email encryption
• Prevention
  • Require encryption for email and data
  • Education
  • Encrypt laptops, USB drives, etc.


Most Common Ways Employees Compromise Data Security

Poor password policies: the most common passwords by year

Rank | 2016      | 2015       | 2014
#1   | 123456    | 123456     | 123456
#2   | password  | password   | password
#3   | 12345678  | 12345      | 12345678
#4   | qwerty    | 12345678   | qwerty
#5   | 12345     | qwerty     | abc123
#6   | 123456789 | 1234567890 | 123456789
#7   | football  | 1234       | 1111111
#8   | 1234      | baseball   | 1234567
#9   | 1234567   | dragon     | iloveyou
#10  | baseball  | football   | adobe123

Password Strength

Password characteristics      | Length | Strength | Time to break
All lower case                | 6      | Weak     | < 10 min
Upper and lower case          | 6      | Better   | 10 hrs
Upper, lower case and symbols | 6      | Best     | 18 days
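The table does not state what guess rate or character-class sizes its times assume. The added Python example below (not from the slides) works the arithmetic backward to recover the implied rate, then recomputes exhaustion times for the same password classes at longer lengths and at an assumed 10^10 guesses per second, an order-of-magnitude figure for an offline attack on a fast unsalted hash with a single GPU. The class sizes (26, 52, 62, 94) and that rate are assumptions.

```python
# Character-class sizes assumed for the calculation (the slide's table does not state them).
CLASS_SIZES = {
    "lowercase": 26,
    "upper+lower": 52,
    "upper+lower+digits": 62,
    "upper+lower+digits+symbols": 94,  # all printable ASCII except space
}

# Assumed offline attack rate against a fast unsalted hash on one GPU; order of magnitude only.
GPU_RATE = 1e10


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly this length over this alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every password; the average case is half of this."""
    return keyspace(alphabet_size, length) / guesses_per_second


def implied_guess_rate(alphabet_size, length, seconds):
    """Guess rate that a published 'time to break' figure implies for a given keyspace."""
    return keyspace(alphabet_size, length) / seconds


def human(seconds):
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def crack_table(rate=GPU_RATE, lengths=(6, 8, 12, 16)):
    """Worst-case exhaustion time per (class, length) at the given guess rate."""
    rows = []
    for name, size in CLASS_SIZES.items():
        for length in lengths:
            rows.append((name, length, human(seconds_to_exhaust(size, length, rate))))
    return rows


if __name__ == "__main__":
    # The slide's "all lower case, 6 characters, < 10 minutes" row implies roughly this rate.
    print(f"slide implies about {implied_guess_rate(26, 6, 600):,.0f} guesses/second")
    for name, length, duration in crack_table():
        print(f"{name:28s} {length:2d} chars: {duration}")
```

The slide's figures correspond to roughly half a million guesses per second, a plausible online or throttled rate. At an offline GPU rate every 6-character class falls in about a minute, so the 6-character column offers little protection against a stolen hash database; a 16-character lowercase passphrase, by contrast, outlasts an 8-character all-class password by a factor of millions, which is why length carries more weight than symbol requirements.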


Poor password policies

• Easily hacked passwords

• Prevention
  • Preferably 9 characters or more
  • Require a combination of letters, numbers and symbols
  • New password cannot match a previously used password
  • Frequent password changes (note: NIST SP 800-63B, issued in 2017, advises against forced periodic changes unless there is evidence of compromise, and instead favors longer passwords screened against lists of known-breached passwords)

EXTERNAL THREATS


Types of External Threats

• Viruses
• Malware
• Phishing
• Social engineering
• Ransomware
• DDoS attacks

Internet Attack Map


Who’s knocking at your door? (attack map labels: Brazil, Italy, China)

Phishing and Social Engineering

• Phishing
  • Phone calls claiming to be from IT, updating software, etc.
  • “Spear phishing”: focused phishing targeting specific users, e.g. Chase credit card holders or people engaged in a specific activity

• Prevention
  • Employee training
  • Password requests should be routed through IT
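Training is the prevention step on the slide; a mail gateway or SOC analyst can also score the sender before the message reaches the user. The Python below is an added example, not part of the presentation: it classifies a From header against a hypothetical list of trusted domains (chase.com standing in for the Chase lure, example-hospital.org for the practice) using homoglyph folding, edit distance, brand words appearing in an untrusted domain, and display-name mismatch. The sample headers are constructed.

```python
import re

# Hypothetical list of domains the organization trusts as senders. chase.com stands in
# for the "Chase credit card" lure on the slide; example-hospital.org for the practice.
TRUSTED_DOMAINS = {"chase.com", "example-hospital.org"}

# Digit-for-letter substitutions commonly used in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample From headers (not real mail).
SAMPLE_HEADERS = [
    "Jane Roe <jane.roe@chase.com>",
    "Chase Alerts <alerts@chase-secure-login.com>",
    "alerts@chase.com.verify-account.net",
    "IT Helpdesk <support@examp1e-hospital.org>",
    "help@cha5e.com",
    "Chase Customer Service <noreply@mail-relay.net>",
    "bob@community-clinic.com",
]


def normalize(domain):
    """Fold common homoglyph tricks so 'examp1e' compares equal to 'example'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def registrable(domain):
    """Naive registrable domain: the last two labels. Production code should consult the
    public suffix list so that multi-label suffixes such as co.uk are handled."""
    return ".".join(domain.split(".")[-2:])


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Classify a From header value. Returns (verdict, reason)."""
    m = re.search(r"<([^>]+)>", from_header)
    address = (m.group(1) if m else from_header).strip()
    display = from_header[:m.start()].strip(' "') if m else ""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted", f"{domain} is an approved sender domain"
    norm_reg = normalize(registrable(domain))
    tokens = set(re.split(r"[.-]", normalize(domain)))
    for t in sorted(trusted):
        labels = set(re.split(r"[.-]", t.split(".")[0]))  # brand words, e.g. {"chase"}
        if levenshtein(norm_reg, t) <= 2:
            return "lookalike", f"{domain} is within 2 edits of {t} after homoglyph folding"
        if labels <= tokens:
            return "brand-in-untrusted-domain", f"{domain} contains {sorted(labels)} but is not {t}"
        if display and all(label in display.lower() for label in labels):
            return "display-name-impersonation", f"display name '{display}' invokes {t} but domain is {domain}"
    return "unknown", f"{domain} is not trusted and matches no impersonation pattern"


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict, reason = classify_sender(header)
        print(f"{verdict:28s} {reason}")
```

The heuristics are deliberately loose, so they produce leads rather than verdicts: an unrelated legitimate domain within two edits of a trusted one will be flagged, and the rn/vv folding can misfire on ordinary words. In a gateway these scores would feed a quarantine or banner decision alongside SPF/DKIM/DMARC results rather than block on their own.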


Social Engineering

Social Engineering in 2 minutes or less


Distributed Denial of Service (DDoS)


Hacktivists

Contractors/Vendors

• Orthopedic group fined after hiring a contractor to dispose of x-ray films

• Contracted claims processor hired a subcontractor to work claims on the physician’s practice management system without a BAA

• Copy machine vendor replaces the networked fax/copier/printer, but the practice has no BAA and/or does not wipe the hard drive before sending the old machine back to the company


DEVELOPING THREATS


Developing Threats

Ransomware

Exploiting Data Packets


Texting Orders

The Joint Commission approved texting of orders (May 2016) subject to:
• Secure sign-on process
• Encrypted messaging
• Delivery and read receipts
• Date and time stamp
• Customized message retention time frames
• Specified contact list for individuals authorized to receive and record orders
(The Joint Commission reversed this position in December 2016 and again prohibited texting orders.)

National Security Agency

• In August 2016 a group calling itself the Shadow Brokers posted online several exploitation tools attributed to the NSA, including:
  • EPICBANANA
  • BUZZDIRECTION
  • EGREGIOUSBLUNDER


WHY TARGET ELECTRONIC MEDICAL RECORDS

Reasons to Attack Healthcare
• Lots and lots of data, including personal and financial

• Rapid expansion of electronic documentation has created new systems to attack

• Large, complicated networks with many access points and weak security

• Unique, complex sets of personal data that can be used to create new identities

• Hospitals and healthcare systems are willing to pay to get their systems back on line


Why Hackers Want Medical Records

• Initially, stolen data goes “dark” before resurfacing in different variations.

• “Fullz” is the complete record: demographics, financial data, etc.

• The “fullz” then goes onto the dark web, where the buyer looks for a document (“DOX”) vendor to create counterfeit passports, driver’s licenses and social security cards.

• Worth about $1,500 to $2,000

• It may be years before the records are used.

• They are often used for illegal immigration, pedophilia, and launching further social engineering attacks.

Feeling the Pressure?


Meanwhile We’re Practicing Medicine

• EHRs have added 2 hours to a clinician’s day

• What goes in isn’t always what comes out

• Legal vs. clinical medical record

• Internet-dependent resources

• Downtime procedures

Summary

• Most data security issues originate inside your organization
• Training, training, training
• Ensure policies are developed, implemented and enforced
• Web site filtering, anti-virus/malware, intrusion detection
• Drills


Summary

Manage external threats
• Web site filtering, anti-virus/malware, intrusion detection
• Disaster recovery exercises
• Staff training in social engineering
• Stay up on emerging trends
• Downtime processes
• Backup procedures

KEEP CALM AND PREPARE