Health IT Privacy and Security: Lock IT, Don’t Leave IT


Presentation Transcript


  1. Health IT Privacy and Security: Lock IT, Don’t Leave IT Nicholas P. Heesters, Jr., M.Eng., J.D., C.H.P. Privacy and Security Specialist 302.478.3600, ext. 136 nheesters@wvmi.org http://www.dehitec.org

  2. Disclaimer • The information included in this presentation is for informational purposes only and is not a substitute for legal advice. • Please consult your attorney if you have any particular questions regarding specific legal issues.

  3. Agenda • Why Is Security Important • What Is HIPAA • HIPAA Security Rule • PHI and Breaches • Components of Network Security • How You Can Help Keep the Network Secure

  4. Why Should We Care About Network Security? • Potential for downtime and impact on patient care • Expense to the practice • Damage to reputation for security breaches (newspaper headlines, HHS Wall of Shame) • Fines and/or prison for security breaches • HIPAA requires the implementation of security measures to protect PHI on paper and electronically

  5. HIPAA - What is it? Health Insurance Portability and Accountability Act • Privacy Rule (compliance: April 2003) • Security Rule (compliance: April 2005) • Enforcement Rule (effective: March 2006) • HITECH Act of 2009

  6. Who is covered under HIPAA? • Health Plans • Health Care Providers • Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions is a covered entity. • These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule. • Health Care Clearinghouses • Business Associates

  7. HIPAA Privacy Rule • Established national standards protecting the privacy and security of personal health information • Protects the confidentiality of Protected Health Information (PHI) • Empowered individuals with rights concerning disclosure of health information • Minimum Necessary Rule: “… take reasonable steps to limit the use or disclosure of, and requests for, [PHI] to the minimum necessary to accomplish the intended purpose.” HHS OCR HIPAA Video

  8. HIPAA Security Rule • Applies to Protected Health Information in electronic form (ePHI) • Security Rule Safeguard Standards • Administrative (10 Required; 11 Addressable) • Physical (2 Required; 6 Addressable) • Technical (2 Required; 5 Addressable) HHS OCR HIPAA Video

  9. Required v. Addressable • Required: • Must be implemented • Addressable: • NOT optional • If not reasonable and appropriate, can implement equivalent alternative, or • If security standard is already met, or if identified risk is negligible, an addressable specification may be left not implemented

  10. Administrative Safeguards • Security Management Process • Risk Analysis, Risk Management, Sanctions • Workforce Security • Termination, Clearance, Authorization • Security Incident Response Procedures • Contingency Plan • Disaster Recovery, Emergency Operations • Training

  11. Physical Safeguards • Facility Access Control • Security Plan, Access Control, Maintenance • Workstation Use • Workstation Security • Device and Media Controls • Backup and Storage • Media Reuse and Disposal

  12. Technical Safeguards
  • Access Control
    • Implement policies and procedures to permit only authorized personnel access to ePHI
    • Unique User Identification (Required)
      • Assign a unique user name and/or number for identifying and tracking user identity
      • Ensure system activity can be traced to a specific user
      • Certified EHR criteria (§ 170.302(o))
        • Only permit authorized users to access ePHI
    • Emergency Access Procedure (Required)
      • Procedures to obtain ePHI during an emergency
      • Pre-stage break glass user ids
      • Certified EHR criteria (§ 170.302(p))
        • Permit users authorized in emergency situations to access ePHI

  13. Technical Safeguards Cont.
  • Access Control Cont.
    • Automatic Logoff (Addressable)
      • What period of system inactivity is considered reasonable before initiating automatic logoff
      • Certified EHR criteria (§ 170.302(q))
    • Encryption and Decryption (Addressable)
      • Implement a mechanism to encrypt and decrypt ePHI
      • Full disk encryption, file or folder encryption
      • Breach Notification safe harbor
      • Certified EHR criteria (§ 170.302(u))
        • Symmetric 128-bit fixed block cipher using a 128-, 192-, or 256-bit encryption key

  14. Technical Safeguards Cont.
  • Audit Controls
    • Implement hardware, software and/or procedures to record and examine activity in systems that contain or use ePHI
    • Correlate to Information System Activity Review procedures
    • Certified EHR criteria (§ 170.302(r))
      • Record date, time, patient ID and user ID whenever ePHI is created, modified, deleted or printed
      • User can generate an audit log for a specific time period
  • Person or Entity Authentication
    • Verify identity of person or entity seeking access to ePHI
    • Password, token/smartcard, biometric
      • 8 – 10 characters, include upper and lower case characters along with a number and symbol, change every 90 days
    • Certified EHR criteria (§ 170.302(t))

  15. Technical Safeguards Cont.
  • Integrity
    • Implement policies and procedures to protect ePHI from improper alteration or destruction
    • Mechanism to Authenticate ePHI (Addressable)
      • Mechanism to verify that ePHI has not been altered or destroyed in an unauthorized manner
      • ECC RAM, checksums, logs
    • Certified EHR criteria (§ 170.302(s))
      • Detect the alteration of audit logs
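As an added example (not part of the presentation and not the code of any certified EHR product) of the audit-control criteria on slide 14 and the "detect the alteration of audit logs" criterion on slide 15: a hash-chained audit log that records date, time, user ID, patient ID and action, and reports the first entry that was edited, or whose predecessor was edited or removed, after the fact. The record layout, the sample user and patient IDs, and the choice of SHA-256 are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// AuditEntry records who did what to which patient record and when; PrevHash chains it to the prior entry.
type AuditEntry struct {
	At                        time.Time
	UserID, PatientID, Action string // Action: create, modify, delete, print
	PrevHash, Hash            string
}

// entryHash covers every field including PrevHash, so editing or dropping an earlier entry breaks the chain.
func entryHash(e AuditEntry) string {
	sum := sha256.Sum256([]byte(e.At.UTC().Format(time.RFC3339) + "|" + e.UserID + "|" + e.PatientID + "|" + e.Action + "|" + e.PrevHash))
	return hex.EncodeToString(sum[:])
}

// Append adds an entry whose hash also covers the previous entry's hash.
func Append(log []AuditEntry, at time.Time, user, patient, action string) []AuditEntry {
	e := AuditEntry{At: at, UserID: user, PatientID: patient, Action: action}
	if n := len(log); n > 0 {
		e.PrevHash = log[n-1].Hash
	}
	e.Hash = entryHash(e)
	return append(log, e)
}

// Verify recomputes the chain; returns the index of the first edited entry (or one whose predecessor was edited or removed), -1 if intact.
func Verify(log []AuditEntry) int {
	prev := ""
	for i, e := range log {
		if e.PrevHash != prev || entryHash(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	t0 := time.Date(2012, 9, 7, 9, 0, 0, 0, time.UTC) // constructed sample timestamps
	log := Append(nil, t0, "nurse01", "MRN-000123", "create")
	log = Append(log, t0.Add(time.Hour), "dr02", "MRN-000123", "print")
	log[0].Action = "modify" // history edited after the fact
	fmt.Println("first altered entry:", Verify(log)) // 0
}
```

Storing each entry's hash in a separate, write-once location (or signing the latest hash) is what stops an insider with write access to the log from simply recomputing the whole chain.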

  16. Technical Safeguards Cont.
  • Transmission Security
    • Implement security measures to guard against unauthorized access to ePHI transmitted electronically
    • Integrity Controls (Addressable)
      • Ensure detection of the improper modification of PHI when electronically transmitted
      • Certified EHR criteria (§ 170.302(s))
        • Use a secure hashing algorithm (SHA-1 or higher) to verify that ePHI has not been altered during transmission
    • Encryption (Addressable)
      • Certified EHR criteria (§ 170.302(v))
        • When exchanging ePHI an encrypted and integrity protected link must be used
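As an added example (not the presentation's code) of the § 170.302(u) cipher requirement on slide 13 and the transmission integrity and encryption criteria on this slide: sealing an ePHI record with AES-256-GCM, where the cipher's own authentication tag, rather than a separate SHA hash, detects any alteration in storage or in transit. The record text, the fixed demo key and the use of the record ID as authenticated data are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// SealEPHI encrypts plaintext with AES-256-GCM (AES: 128-bit block, 256-bit key) and returns nonce || ciphertext || 16-byte tag.
// recordID is bound as additional authenticated data: it stays in the clear, but a blob moved to another record fails to open.
func SealEPHI(key, plaintext, recordID []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per message
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// OpenEPHI decrypts a SealEPHI blob; any altered byte of nonce, ciphertext, tag or recordID makes it fail.
func OpenEPHI(key, blob, recordID []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], recordID)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key; real keys come from a key manager
	blob, _ := SealEPHI(key, []byte("MRN-000123: HbA1c 7.2%"), []byte("rec-1"))
	blob[len(blob)-1] ^= 0x01 // one bit flipped in transit
	_, err := OpenEPHI(key, blob, []byte("rec-1"))
	fmt.Println("tamper detected:", err != nil) // true
}
```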

  17. Technical Safeguards Audit • HIPAA Audit document requests: • Authentication Policies and Procedures • Encryption Policies and Procedures • Audit Policies and Procedures • System list of all users with access to ePHI • System list of new users within the past year

  18. PHI and Breach

  19. Protected Health Information (PHI) • Protected Health Information (PHI) under HIPAA is any information identifying an individual and that relates to at least one of the following: • The individual’s past, present or future physical or mental health • The provision of health care to the individual • The past, present or future payment for health care • Information identifies an individual if it includes either the individual’s name or any other information that could enable someone to determine the individual’s identity

  20. Personally Identifiable Information (PII)
  • Names
  • Geographical information
  • Dates related to an individual
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers (SSN)
  • Medical record numbers
  • Health plan numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers
  • Device identifiers
  • Web Addresses
  • IP Addresses
  • Biometric identifiers
  • Photographs
  • Any unique identifying number, characteristic, or code

  21. Breach Headlines • Breaches of Unsecured PHI affecting 500 or more individuals • Posted on the OCR Web site - “Wall of Shame” • Out of 380 breaches, 264 (over 15 million affected individuals) could have been prevented with encryption

  22. More Breach Headlines • In April 2012, Phoenix Cardiac Surgery agreed to a settlement of $100,000 for posting PHI on the Internet and related deficiencies. • On Feb. 4, 2011, OCR assessed a civil monetary penalty against Cignet Health of Prince Georges County, MD of $4.3MM. • On April 27, 2010, Dr. Huping Zhou of UCLA Healthcare was sentenced to four months in federal prison for HIPAA violations.

  23. What is a Breach? According to the Health Information Technology for Economic and Clinical Health (HITECH) Act: • A breach is the impermissible use or disclosure of PHI such that said use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. • Breach notification is only required where unsecured PHI is involved. • Unsecured PHI is PHI which has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance.

  24. Breach Penalties • Civil: • $100 to $50,000 per breach ($1.5MM calendar year cap; was $25,000 pre-HITECH) • Criminal: • $50,000 - $250,000 fine and/or 1 – 10 years in federal prison • State attorneys general permitted to civilly sue on behalf of affected residents

  25. Breach Safe Harbor: Encryption Electronic PHI (ePHI): any device or medium used to store, transmit or receive PHI electronically. • Desktops, tablets, or laptops • External devices or media, including iPads, tapes, or disks • Removable storage devices (USB drives, tapes, keys, CDs, DVDs, etc.) • PDAs, Smart Phones • Electronic transmission including e-mail, File Transfer Protocol (FTP), wireless, etc.

  26. Components of Network Security

  27. The Front Door of Your Network • Hardware Firewall • Protects your network • Provides access rules • Allows only trusted partners access to your network • Remote Access • Allows only trusted users (authentication) • Must be encrypted (VPN or SSL/TLS) • Security wins over ease of use • Wireless Devices • Must be encrypted • Allow only trusted devices

  28. The Back Door of Your Network • E-mail borne threats • Viruses – software that reproduces • Malware – malicious software • Keyloggers – software that steals your passwords • Out-of-date antivirus system • Outdated operating systems • Missing patches for operating systems

  29. The Danger Within • Lost laptops, tablets, PDAs, and smart phones with ePHI • Sharing passwords or using the same password for everything • Transmission of ePHI without encryption • Responding to bogus requests: phone, e-mail, Web (phishing) • ePHI leaving the building on electronic media without encryption (tapes, CDs, USB drives, etc.) • Installing risky software (Audiogalaxy, Limewire, uTorrent, etc.)

  30. Phishing • You have received an urgent system message from the Citibank Department. To read your message, please go to your account immediately. Citibank Service Center, Attn: E-mail/Internet Services, 100 Citibank Drive, Building 3, 1st Floor, San Antonio, TX 78245

  31. Other Security Risks: Disposal of Equipment • Many technologies today use hard drives that can contain ePHI! • Care must be taken in disposal so that ePHI is erased. Always ensure that IT has cleaned or destroyed hard drives prior to disposal.

  32. How Can You Keep the Network Secure?

  33. User Access Control and Password Guidance • Unique User ID • Never share your user ID! • All system access with your ID is YOUR responsibility • Password Guidelines • Do not reuse the last 12 passwords • Change your password at least every 90 days • Passwords must be at least 8 characters • Passwords must be a combination of upper and lower case letters, number and special characters • User account locks after 3 failed attempts

  34. Automatic Logoff • Your EHR session should terminate after 15 minutes of inactivity. • Always save your work before leaving your workstation! • Your Windows screensaver should lock your workstation after 15 minutes of inactivity. • Pushing Windows+L or Ctrl+Alt+Delete and Enter on your keyboard will manually lock your workstation.

  35. Remote Access • Must use a VPN tunnel or SSL/TLS connection. • Requires user authentication. • Always physically secure your laptop, PDA, or other mobile device when traveling!

  36. Certified EHR Security Requirements • Access Controls • Emergency Access • Automatic Log-off • Audit Log • Integrity • Authentication • General Encryption • Encryption when exchanging electronic health information

  37. Tasks for “The IT Guy” (or Gal) • Role-Based Access: Manage who gets access to what • Firewall Review: Make sure that communication with the outside world is secure • Wireless Security: Manage who gets WiFi access • Antivirus: Manage software to keep viruses and malware at bay • Server/Workstation Updates: Make sure all software gets appropriate updates to mitigate problems

  38. Tasks for “The IT Guy” (or Gal) • Backup: Keep a backup of all data, just in case! • Backup Encryption:Make backup data unreadable to snoopers. • Recovery: Have a plan in case disaster strikes!

  39. Summary • Protecting data is everyone’s responsibility • Understand HIPAA • Hold each other accountable

  40. Quality Insights of Delaware IHPC LAN • Join theHITCommunity.org • theHITCommunity.org is a unique Health IT (HIT) user hub which provides access to useful tools, resources, educational materials and practical information surrounding HIT. This Web site also allows you to start a forum of sharing about the EHR system that you are using in your practice, allowing you to not only share best practices with your peers, but also providing you the opportunity to problem solve with fellow EHR users. To create your account: • Go to https://www.thehitcommunity.org • Click 'JOIN' • Create an account • Complete the requested info • Use the referral code 'QIDIHPC' After account created: • Select 'Communities' • Select 'Dedicated Communities' • Quality Insights of Delaware (you can set this as your home page)

  41. Q & A Session QUESTIONS? For more information about Network Security for end users in health care, please contact QIDE REC. Ph: 1.866.475.9669 Web: www.dehitrec.org This project is made possible through a grant from the Office of the National Coordinator with Department of Health and Human Services support. Grant No. 90RC0044/01. Publication No. DEREC-LF-090712. App 9/12.
