Privacy & Security - HIMSS365 · Risk Management Plan Risk analysis or assessment Strategy for...
Privacy & Security LT5, March 5, 2018
Donna Doneski, NASL
Larry Wolf, MatrixCare
Conflict of Interest
• Larry Wolf has no real or apparent conflicts of interest to report.
• Donna Doneski has no real or apparent conflicts of interest to report.
Agenda
• Privacy, Confidentiality & Security
• LTPAC Regulatory Environment
• HIPAA, Information Sharing & Risk Analysis
• Role-based Security & Breaches
• Disaster Recovery & Business Continuity
• Best Practices
• Q&A
Learning Objectives
• Describe key approaches taken by LTPAC provider organizations
in the privacy and security of their IT systems
• Describe the organizational policies and procedures,
that include roles and responsibilities, to ensure
confidentiality, integrity, and availability of data
• Summarize at least one lesson that LTPAC healthcare
providers can learn from OCR-posted privacy breaches
• Describe how HIPAA supports information sharing
• Identify key CAHIMS privacy and security competencies
Privacy & Security in LTPAC
• Intense focus on privacy and security, particularly as it relates to
electronic patient records containing protected health information
• Many documented data breaches with a loss of public confidence
• Additional constraints for LTPAC
– More regulation than other healthcare providers
– Technology is often outsourced
– Limited IT-specific resources and workforce
Privacy, Confidentiality & Security
• Privacy – Refers to the right of an individual to be left alone and to keep
his or her personal information secret.
• Confidentiality – Relates to sharing information with a focus on sharing
information on a “need to know” basis. The patient may share personal
information with the physician, but the physician must keep that information
confidential.
• Security – Refers to the mechanisms to assure the safety of data and the
systems in which the data reside.
Cyber Attacks – Part of Popular Culture
LTPAC Regulatory Environment
• HIPAA & OCR
– Chief Privacy Officer requirements
• Survey & Certification, including Federal & State Survey Agencies
• Requirements of Participation
– Disaster Recovery… from a hurricane or from a cyber attack
– Resident Rights
– Quality & Staffing Reporting
Outsourced Technology
• How to frame the relationship between health IT vendor and provider
– ONC Contract Resource
– BAA
• What the healthcare provider must cover
– Policies & procedures
– Workforce training
– Response to incidents, issues
– Self & External Audits
The Stats Are Not In Your Favor
• 74% of physicians surveyed were most concerned that future attacks could interrupt their
clinical practices
• More than 4 in 5 (83%) physicians have experienced some form of cyberattack –
phishing being the most common type cited.
• 24% uptick in cyber attacks reported to HHS OCR in 2017
– 140 attacks in 2017 compared to 113 in 2016
• 89% increase in ransomware attacks from 2016 to 2017
– 25.7% of all reported major ransomware events affected 500+ individuals
• What’s the average number of days before a breach is detected?
– More than 200 days
What Will It Cost?
CMS, OCR, OIG:
Don’t do anything stupid
ONC Security Risk Assessment: https://www.healthit.gov/providers-professionals/security-risk-assessment-tool
HIPAA & Risk Analysis
• HIPAA – The Health Insurance Portability & Accountability Act of 1996 and
subsequent revisions
• Title II of HIPAA contains five rules pertaining to administrative simplification
and privacy and security.
– Privacy Rule
– Security Rule
– Transaction Code Set Rule
– Unique Identifier Rule
– Enforcement Rule
HIPAA & Information Sharing
• Don’t be a data blocker!
– 21st Century Cures Act penalty – up to $1 million per violation
• Agreements for sharing (BAAs)
• Permitted Uses
Protected Health Information (PHI)
• All individually identifiable health information created, transmitted, received or maintained by a healthcare institution
– Identification of an individual
– Health condition
– Treatment
– Provision/payment for healthcare
Examples of Identifying Information
• Name
• Address
• City
• County
• Names of relatives
• Names of employers
• Photographic images
• DOB
• Telephone number
• Fax number
• Email address
• Social Security #
• Medical record #
• Certificate/license
Patient matching is the first step to ensuring privacy. Data quality leads to care quality.
https://www.cms.gov/medicare/new-medicare-card/nmc-home.html
Safeguards in HIPAA’s Security Rule
Administrative
Physical
Technical
Examples of Administrative Safeguards
• Clearly defined roles and responsibilities for who can see what information
– “Minimum Necessary Rule”
• Documented policies including password policies
• Security awareness training
• Security risk assessment
• Privacy/Security Officer
Physical Safeguards
• Examples
– Locking down computer
– Placement of computer relative to viewing by others
– Computer does not allow use of jump drives
– Physically securing the data center where servers are located
– Other strategies for theft prevention
Technical Safeguards
• Firewalls
• Encryption – Transmission Security
• Audit trails
• Antivirus programs
• Use of passwords or other authentication methods
Deidentified Information
• For research & analysis
• TEFCA
Audit Control
• A log of each user and what is viewed and accessed in any given
amount of time
• Evaluated for inappropriate access to function or information
• Can run automated reports looking for variance from expected patterns
Data Integrity
• Requirements for maintaining data integrity
– Disaster Recovery
– Ensuring Data Validity
• Editing against list of values
• Required Fields
• Required Values
• Compliance with data standards
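The "Ensuring Data Validity" bullets above (editing against a list of values, required fields, required values) describe field-level integrity checks. The Python block below is an added example, not code from the HIMSS session or from NASL or MatrixCare: the schema, the code sets for `sex` and `payer`, the 8-digit MRN convention and the sample admission records are all constructed for illustration, and a real system would edit against its published code sets instead.

```python
# Added example (not from the HIMSS session): field-level integrity checks on a
# constructed admission record: required fields, list-of-values edits, value rules.
from datetime import date

# Constructed schema. Real LTPAC systems edit against published code sets; these
# small sets are placeholders for illustration only.
REQUIRED_FIELDS = ("mrn", "last_name", "dob", "admit_date", "sex", "payer")
LIST_OF_VALUES = {
    "sex": {"M", "F", "U"},
    "payer": {"MEDICARE", "MEDICAID", "PRIVATE", "SELF"},
}


def _parse_date(text):
    """Return a date for an ISO YYYY-MM-DD string, or None if absent/unparseable."""
    try:
        return date.fromisoformat(text) if text else None
    except (TypeError, ValueError):
        return None


def validate_record(record):
    """Return a list of integrity problems; an empty list means the record passes."""
    problems = []
    # Required fields: missing or blank values are rejected before anything else
    for field in REQUIRED_FIELDS:
        value = record.get(field)
        if value is None or (isinstance(value, str) and not value.strip()):
            problems.append(f"missing required field: {field}")
    # Coded fields are edited against the list of values; free text is not accepted
    for field, allowed in LIST_OF_VALUES.items():
        value = record.get(field)
        if value is not None and value not in allowed:
            problems.append(f"{field}={value!r} not in list of values {sorted(allowed)}")
    # Required values: dates must be valid and an admission cannot precede birth
    dob = _parse_date(record.get("dob"))
    admit = _parse_date(record.get("admit_date"))
    if record.get("dob") and dob is None:
        problems.append("dob is not a valid YYYY-MM-DD date")
    if record.get("admit_date") and admit is None:
        problems.append("admit_date is not a valid YYYY-MM-DD date")
    if dob and admit and admit < dob:
        problems.append("admit_date precedes dob")
    # Medical record number: fixed-width digits (constructed local convention)
    mrn = record.get("mrn") or ""
    if mrn and not (mrn.isdigit() and len(mrn) == 8):
        problems.append("mrn must be exactly 8 digits")
    return problems


def validate_batch(records):
    """Map each failing record's mrn (or its row index if blank) to its problem list."""
    failures = {}
    for i, rec in enumerate(records):
        probs = validate_record(rec)
        if probs:
            failures[rec.get("mrn") or f"row{i}"] = probs
    return failures


# Constructed sample records: one clean, one with several integrity defects.
SAMPLE_RECORDS = [
    {"mrn": "00012345", "last_name": "Doe", "dob": "1940-02-11",
     "admit_date": "2018-03-01", "sex": "F", "payer": "MEDICARE"},
    {"mrn": "1234", "last_name": "", "dob": "1940-02-11",
     "admit_date": "1939-01-01", "sex": "Female", "payer": "MEDICARE"},
]

if __name__ == "__main__":
    for mrn, probs in validate_batch(SAMPLE_RECORDS).items():
        print(mrn, probs)
```

The checks collect every problem rather than stopping at the first one, so a rejected record comes back with a complete list the data-entry workflow can act on; the second sample record fails on a blank required field, a free-text value in a coded field, an admission date before the date of birth, and a malformed MRN.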
Role-Based Security
• The job a user has dictates what that user has the right to access
and to disclose
• ONLY access information that is absolutely needed and that the
user has the right to see
• Minimum necessary
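The Audit Control slide and the Role-Based Security slide above describe two sides of one control: the role decides what a user may see (minimum necessary), and the audit log is reviewed for access that falls outside that, including automated reports for variance from expected patterns. The Python block below is an added example, not code from the HIMSS session or from NASL or MatrixCare; the role map, unit assignments, resident census, audit-log line format and the log lines themselves are all constructed for illustration.

```python
# Added example (not from the HIMSS session): minimum-necessary access rules
# applied to constructed EHR audit-log lines, plus two automated variance checks.
import re
from collections import Counter
from datetime import datetime

# Constructed role map: record sections each role may view (minimum necessary).
ROLE_PERMISSIONS = {
    "nurse":   {"clinical", "medications", "demographics"},
    "billing": {"demographics", "insurance"},
    "dietary": {"diet_orders"},
}
# Constructed workforce data: role and nursing unit per user ("*" = facility-wide).
USER_ROLE = {"nurse01": "nurse", "bill01": "billing", "diet01": "dietary"}
USER_UNIT = {"nurse01": "unit-A", "bill01": "*", "diet01": "*"}
# Constructed census: which unit each resident is on.
PATIENT_UNIT = {"P1001": "unit-A", "P1002": "unit-B"}

# Constructed audit-log lines in an assumed key=value format.
AUDIT_LOG = """\
2018-03-05T08:15:00 user=nurse01 action=VIEW patient=P1001 section=clinical
2018-03-05T08:20:00 user=nurse01 action=VIEW patient=P1002 section=clinical
2018-03-05T09:02:00 user=bill01 action=VIEW patient=P1001 section=insurance
2018-03-05T09:05:00 user=bill01 action=VIEW patient=P1001 section=medications
2018-03-05T23:40:00 user=diet01 action=VIEW patient=P1002 section=diet_orders
2018-03-05T23:41:00 user=diet01 action=VIEW patient=P1001 section=diet_orders
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) patient=(\S+) section=(\S+)$")


def parse_log(text):
    """Parse audit-log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, action, patient, section = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient, "section": section})
    return events


def is_permitted(user, patient, section):
    """Role must allow the section, and the user must be assigned to the resident's unit."""
    role = USER_ROLE.get(user)
    if role is None or section not in ROLE_PERMISSIONS.get(role, set()):
        return False
    unit = USER_UNIT.get(user, "")
    return unit == "*" or unit == PATIENT_UNIT.get(patient)


def find_inappropriate_access(events):
    """Events the role-based rule would have denied: the core audit question."""
    return [e for e in events if not is_permitted(e["user"], e["patient"], e["section"])]


def find_after_hours(events, start_hour=6, end_hour=22):
    """Access outside the expected working window for this (constructed) facility."""
    return [e for e in events if not (start_hour <= e["ts"].hour < end_hour)]


def find_volume_variance(events, baseline_per_user, factor=2.0):
    """Users whose record views exceed `factor` times their expected daily baseline."""
    counts = Counter(e["user"] for e in events)
    return {u: n for u, n in counts.items() if n > factor * baseline_per_user.get(u, 0)}


def audit_report(text, baseline_per_user):
    """Run all three checks over a log and return the findings as one dict."""
    events = parse_log(text)
    return {
        "inappropriate": [(e["user"], e["patient"], e["section"])
                          for e in find_inappropriate_access(events)],
        "after_hours": [(e["user"], e["ts"].isoformat()) for e in find_after_hours(events)],
        "volume": find_volume_variance(events, baseline_per_user),
    }


if __name__ == "__main__":
    # Constructed baselines: expected record views per user per day.
    for key, value in audit_report(AUDIT_LOG, {"nurse01": 2, "bill01": 2, "diet01": 0}).items():
        print(key, value)
```

Two of the constructed lines are flagged as inappropriate for different reasons: the nurse viewed a resident on another unit (right section, wrong unit), and the billing user opened a medication record (right resident, section outside the role). The after-hours and volume reports are the "variance from expected patterns" checks; a user with a zero baseline who suddenly views records is the simplest case of that variance.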
Types of Hacking
• The “Inside Job” – Employee initiated
• Social Engineering – Tricking an employee into releasing information
• Brute Force – Identifies a server and attempts to break into the system from
the administrator account using specialized utilities to make endless password
attempts.
• Eavesdropping – “Sniffing” or “snooping” on network communication that is in
an unsecured or “clear text” format. Use of encryption mitigates this risk.
• Data Modification – Data is modified in the packet, which can lead to erasure or
corrupted data.
More Types of Hacking
• Identity Spoofing – Attacker assumes a computer’s IP address.
• Password-based Attack – Weak passwords or having only one method of
authentication increase this risk.
• Application Layer Attack – This attack targets application servers, causing a
fault in a server’s operating system or applications. Once the server is
compromised, the attacker can bypass normal access controls.
• Distributed Denial of Service (DDoS) Attack – This attack saturates the
servers with requests for response using a very large number of devices.
• Ransomware Attack – This attack encrypts a server’s or application’s data,
making it unavailable for normal operations.
Best Practices
• Employee training and awareness
• Proactive testing (e.g., staff reaction to phishing attempts)
• Use of strong passwords
• Use of a “standby mode” or “screen lock” when clinical users leave
a screen with PHI
• Restricted download of aggregate patient data to end-user devices
(hard drives, flash drives, other media) & encryption of all media
• Use of an Intrusion Detection System
• Proactive auditing
Disaster Recovery & Business Continuity
• Mind set: Keep operations running in the face of all hazards.
• Plan outlines how the system can be returned to operating status in
the event of a catastrophic failure.
• Can be complex in a large healthcare organization because of the
numbers of individual systems.
• Implement hosted solutions to ensure that system services and
data can be accessed when the primary care or data centers are
inaccessible.
• Test your continuity plan in advance of disasters.
Risk Management Plan
• Risk analysis or assessment
• Strategy for database backup
• Secure storage of data
• Data restore plan
• System & network restore plan
• Critical incident response plan
• Software inventory
• Workforce & operational response plan
• Hardware inventory
• Logs
Good Things to Know
• National Cybersecurity & Communications Integration Center: https://www.us-cert.gov/nccic
• HHS Cybersecurity Guidance – HIPAA for Professionals: https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
• Department of Homeland Security: https://www.dhs.gov/topic/cybersecurity
• Healthcare/Public Health Critical Infrastructure / Disaster Preparedness: https://www.phe.gov/preparedness/planning/cip/Pages/default.aspx
Summary – It’s not if, it’s when.
• Systems must meet requirements for privacy and security and maintain the confidentiality
and security of patient data
• HIPAA regulations outline requirements for privacy and security, including administrative,
technical, and physical controls.
• Health IT professionals should
– Conduct regular, system-wide audits;
– Review security policies and procedures on an ongoing basis;
– Develop and maintain recovery and business continuity plans in the event of natural disasters.
• Just like you practice for disaster recovery, you have to practice for cybersecurity.
Questions
• Donna Doneski, NASL, [email protected], @NASLdc
• Larry Wolf, MatrixCare, [email protected]