Securing Health Data Melina Scotto CISSP, CISA, HCISPP Sr. Network Security Engineer NIH SRA International
Course Overview Securing Medical Data presents the history of medical data regulations, explains the technical details of the regulations from a network engineering perspective and develops a deep understanding of medical data risk management.
Training Audience • • • •
Technical staff on Healthcare networks Privacy Officers, Privacy Regulation Enthusiasts Project Managers in Healthcare sector Clinicians (Extensive technical background not required)
Introductions and Ice Breaker Write these words on the notecards at your table. Each word on one notecard. RISK THREAT EVENT
Agenda Pre Lunch •
Introductions – Risk icebreaker. General Healthcare IT Environment Knowledge baseline quiz. (Audience response clickers if possible)
Healthcare Regulatory Environment – Review Resource Packet
True stories from the field – Health data security failures from the HHS Wall of Shame
Agenda Post Lunch • Risk Management and Mitigation • Information Risk Assessment from NIST Sp 800-30 (rev 1) groups work in teams to apply appropriate technical controls to stories from the field. • HCISPP certification topics: 3rd party Risk Management, Cloud computing and International Health data standards.
HIPAA Terms HIPAA HITECH/ARRA ePHI Privacy Security CFR CE BA
HHS ONC OCR NIST CMS
HIPAA Terms CFR - Code of Federal Regulations
HIPAA Terms HIPAA
HIPAA Terms HIPAA HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 Public Law 104-191 104th Congress An Act To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled…
HIPAA Terms HIPAA – Covered Entities (CE)
CE – Covered Entity BA – Business Associate
HIPAA Terms HIPAA – Business Associate (BA)
HIPAA Terms HITECH (ARRA) DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of the Secretary 45 CFR Part 160 RIN 0991–AB55 HIPAA Administrative Simplification: Enforcement AGENCY: Office of the Secretary, HHS. ACTION: Interim final rule; request for comments SUMMARY: The Secretary of the Department of Health and Human Services (HHS) adopts this interim final rule to conform the enforcement regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to the effective statutory revisions made pursuant to the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
HIPAA Terms HITECH
HIPAA Terms PHI – Protected Health Information 18 Protected Identifiers • • • • • • • • • • • • • • • • • •
Names; All geographic subdivisions smaller than a State, including street address, city, county, precinct, and their equivalent geocodes; All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; Telephone numbers; Fax numbers; Electronic mail addresses; Social security numbers; Medical record numbers; Health plan beneficiary numbers; Account numbers; Certificate/license numbers; Vehicle identifiers and serial numbers, including license plate numbers; Device identifiers and serial numbers; Web Universal Resource Locators (URLs); Internet Protocol (IP) address numbers; Biometric identifiers, including finger and voice prints; Full face photographic images and any comparable images; Any other unique identifying number, characteristic, or code.
HIPAA Terms Location of ePHI EMRs Backups Mobile Devices such as laptops/tablets/cell phones Digital Copiers PC Hard Drives Embedded Flash devices Biomedical Devices
HIPAA Terms Privacy The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities" (generally, health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions. Privacy is a right. Privacy Rule covers written, print and oral disclosures.
Security Security Rule covers electronic PHI or ePHI. With respect to HIPAA, the term security is used for policies, mechanisms or systems which keep ePHI confidential using Administrative, Technical and Physical controls. Security is the mechanism that maintains privacy. .
HIPAA Terms HHS – US Department of Health and Human Services
ONC – Office of the National Coordinator for Health Information Technology OCR – Office for Civil Rights NIST – National Institutes for Standards and Technology
CMS – Centers for Medicare and Medicaid Services
Quick Check-in…. True or False? Under HIPAA, Privacy ensures Security.
Recommended Resource. Herzig’s Information Security in Healthcare, Managing Risk
Introduction of Privacy by Sheila Searson
Medical Data Regulatory Environment Overlaps in Medical Organizations with other Data Security and Privacy Laws 1974 Privacy Act Computer Fraud and Abuse Act Grahm Leach Bliley
HIPAA Breaches VIOLATION
California Department of Developmental Services 2013. Stolen laptop and iPhone containing Names, Social Security numbers, and other personal information. Laptop unnencrypted. AFFECTED Over 18, 000 patients. The program served disabled infants and toddlers.
HIPAA Breaches VIOLATION Massachusetts General Hospital employee printed the records of 192 infectious disease patients before going on holiday. Left the printed records on the RedLine public transit system.
OCR Settlement $1M
HIPAA Breaches VIOLATION Utah Department of Health confirmed that a server containing personal health information (PHI) of some 780,000 patients had been actively hacked into starting in March. Officials reported that thieves had begun removing information from the server. Addresses, dates of birth, Social Security numbers, diagnoses codes, national provider identification numbers, billing codes and taxpayer identification numbers were all Included on the server. OCR PENALTY Not yet assessed.
HIPAA Breaches VIOLATION Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. Affinity failed to incorporate copier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the hard drives to its leasing agents. OCR PENALTY $1.2M + Corrective Action Plan
HIPAA Breaches Corrective Action Plan 1. Within five (5) days of the Effective date, AHP shall use its best efforts to retrieve all photocopier hard drives that were contained in photocopiers previously leased by AHP that remain in the possession of Canon Financial Services, and safeguard all EPHI contained therein from impermissible disclosure. If AHP cannot retrieve said hard drives, AHP shall provide OCR with documentation explaining its “best efforts” and the reason it was unable to retrieve said hard drives. If AHP retrieves said hard drives, AHP shall provide OCR written certification that it has completed the requirements specified in this paragraph. AHP’s compliance with this corrective action will be based on the Region’s review and approval of the documentation explaining why its efforts failed to retrieve the hard drives. 2. Within thirty (30) days of the Effective Date, AHP shall conduct a comprehensive risk analysis of the EPHI security risks and vulnerabilities that incorporates all electronic equipment and systems controlled, owned or leased by AHP. AHP shall also, within this time period develop a plan, to address and mitigate any security risks and vulnerabilities found in this analysis and, if necessary, revise its present policies and procedures. The plan and any revised policies and procedures shall be forwarded to OCR for its review consistent with paragraph 3 below. 3. OCR shall review and recommend changes to the plan and any revised policies and procedures specified in paragraph 2. Upon receiving OCR’s recommended changes, AHP shall have thirty calendar days to provide a revised plan and any revised policies and procedures to OCR for review and approval. AHP shall implement the plan and distribute and train staff members on any revised policies and procedures within thirty (30) calendar days of OCR’s approval.
HIPAA Breaches VIOLATION Cignet Health Care (Prince Georges County, MD) denied 41 patients access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations with each complaint. The HIPAA privacy rule requires that a covered entity provide a patient a copy of their medical records no later than 60 days of the patient’s request. OCR PENALTY $4.3 Million The fine for these violations alone is $1.3M. A $3M fine was imposed for obstructing the HHS investigation. It is believed that Cignet failed to provide the requested records because it could not locate the medical records. DOJ then opened an investigation to criminal fraud charges.
HIPAA Breaches VIOLATION TRICARE contractors had no encryption in place for backup tapes. Unencrypted tapes with the ePHI of 4.9M military clinic and hospital patients were stolen from the back of a car. OCR PENALTY Not yet assessed. CIVIL PENALTY 7 lawsuits are seeking $1000/record or $4.9B in damages.
Regulation Details CFR Code of Federal Regulations HIPAA CFR Health Insurance Portability and Accountability Act http://ecfr.gpoaccess.gov/cgi/t/text/textidx?c=ecfr&sid=9ac0051fdde04c0fea59af7073cb6dff&rgn=div6&view=text&node=45:220.127.116.11.79.3&idno=45
HITECH (ARRA) Health Information Technology for Economic and Clinical Health Act http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/federalregisterbreachrfi.pdf http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.htm NIST http://csrc.nist.gov/publications/PubsSPs.html MU - Meaningful Use http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Meaningful_Use.html http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__meaningful_use_announcement/2996
Threat Threat Source: The intent and method targeted at the intentional exploitation of a vulnerability or situation and method that may accidentally exploit a vulnerability. Threat Event: An event or situation that has the potential for causing undesirable consequences or impact.
Threat Landscape Examples of threats:
Fire Flood Power Outage Snooping Theft Acts of war/terrorism
Vulnerability is a flaw or weakness in a system security procedure, design, implementation, or internal control that could result in a breach or violation.
Information Risk Assessment Where do threats attack a network?
The likelihood of occurrence is a weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability (or set of vulnerabilities).
Adverse Impact An adverse impact is a failure of data availability, integrity or confidentiality.
The probability that a particular threat will accidentally trigger or intentionally exploit a particular vulnerability.
Risk = Threats x Asset Value x Vulnerability
Risk Management – Security Control Assessment
Risk Assessment Resources
Security Rule Toolkit
Security Rule Toolkit
Demo Security Rule Toolkit
NIST Risk Assessment Tools
Risk Assessment Tools
Risk Management – Cloud Data
RISK ASSESSMENT ACTIVITY
We will break into small groups and complete mock risk assessments for our organizations based on true breach events. Discuss each events threat source, liklihood, vulnerability and technical controls. Indicate appropriate adverse impact. Finally assess risk in a qualitative table.
Risk Assessment Findings From Groups
Tell us a little about your breach and what technical controls you would recommend to reduce risk.
HCISPP Domains Include: 1. Healthcare Environment 2. Regulations 3. Privacy and Security in Health Care 4. Information Governance and Risk Management 5. Information Risk Assessment 6. Third Party Risk Management
HCISPP Study Resources Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. Subtitle F (1996).
http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/downloads/HIPAALaw.pdf Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), 42 U.S.C. § 13001-13424 (2009). http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf Information Commissioner’s Office (2008). Data Protection Act 1998 -The Eighth Data Protection Principle and international data
transfers.http://www.ico.org.uk/upload/documents/library/data_protection/detailed_specialist_guides/international_transfers_legal_guidance_v2.0_300606.pd f National Health Service (2009). NHS Information Risk Management. London: Author. http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/security/risk/inforiskmgtgpg.pdf Organization for Economic Co-operation and Development (1980). OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Paris: Author. http://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm Scholl, M., Stine, K., Hash, J., Bowen, P., Johnson, A., Smith, C. D., and Steinberg, D. I. (2008). NIST Special Publication 800-66 (Rev.1), An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Gaithersburg, MD: National Institute of Standards and Technology. http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf The European Data Protection Directive 2001. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2001:008:0001:0022:en:PDF
HCISPP Study Outline International Privacy Regulations Safe Harbor Allows for transfer of EU data to US for commerce, without application of full EU privacy measures. Must follow Safe Harbor Framework to provide “adequate” privacy. In affect since 1998 (though EU is voting to revoke)
HCISPP Study Outline International Privacy Regulations European Commission EU Privacy • Purpose of data collection • Relevance of collected data • Data storage limits • Access to collected data
HCISPP Know what SNOMED and HL7 are…
HCISPP Risk Equations
Total Risk = Threats x Asset Value x Vulnerability
Residual Risk = (Threats x Asset Value x Vulnerability) * control gap
HCISPP Sample Questions from ISC2 Which layer of the OSI model is responsible for
determining the best route through a network? 1) Network layer 2) Physical layer
3) Session layer 4) None of the above
HCISPP Sample Questions from ISC2 What is different about wireless networks versus wired networks?
1. A wireless network is constrained to a 1-meter radius versus a wired network that can span rooms or city blocks. 2. The OSI stack is different for a wireless network versus a wired
network. 3. Wired networks use radio waves to communicate. 4. Wireless networks use radio waves to communicate.
HCISPP Sample Questions HL7 is mainly a _________________. 1. messaging standard 2. an XML variant 3. a programming language 4. None of the above
HCISPP Sample Questions What is the correct order of risk components? 1. Threat event, threat source, risk, likelihood, vulnerability 2. Vulnerability, adverse impact, threat event, likelihood, risk. 3. Likelihood, threat source, risk, vulnerability, threat event. 4. Threat source, threat event, vulnerability, adverse impact, risk
HCISPP Examination Details
Test sites at Pearson VUE – 125 questions Bring 2 types of ID Palm Print/Biometrics taken