HIPAA Compliance and Electronic Protected Health Informa6on: Ignorance is not bliss!

Transcription

1 Maxxum, Inc. HIPAA Compliance and Electronic Protected Health Informa6on: Ignorance is not bliss! Medical Device ephi Risk Iden6fica6on and Mi6ga6on

2 Webinar Overview Relevance why this topic? Risk a perspective to consider. Context the domain we re exploring. Examples 4 medical devices. Awareness now what?

3 Relevance Risk iden6fica6on and management for one class of data bearing technology is rela6vely unaddressed today. That class is the medical device. Medical device data storage of electronic Protected Health Informa6on presents breach risks in direct pa6ent care, clinical lab, and medical imaging selngs.

4 It s In The News Relevance Securing PHI in Devices Is Difficult but Essential Reprinted from REPORT ON PATIENT PRIVACY January 2011Volume 11Issue 1 When Mountain Vista Medical Center found that two portable memory cards were missing from endoscopy machines, it notified patients and retrained staff in its gastroenterology unit (see story, above). And it took an additional step: It modified the endoscopy machines to no longer use the compact memory data cards, the Mesa, Ariz., hospital said in a statement last month. This was This was the the first first breach in in recent memory memory that involved that a involved medical device, a medical but such device, equipment but such equipment can be can just be just as as vulnerable to to privacy and security and security lapses as lapses laptops or as networks. laptops or networks. And devices may pose more of a threat because of how they are made, and because hospitals and other covered entities don t always think of them the same way they think of other computer devices when it comes to securing data, says Mac McMillan, chief executive officer of CynergisTek, Inc., and chair of the privacy and security steering committee of the Health Information Management Systems Society. Part of the problem is the nature of these devices. Medical devices are kind of in a special category. They were designed to do a particular function; they were not necessarily designed with security in mind, he says. It s the same issue with printers, faxes, copiers the problem is people don t think of them as storing data. Some medical devices and equipment are not terribly sophisticated from a security standpoint, he says. Medical devices are kind of in a special category. They were designed to do a particular function; they were not necessarily designed with security in mind, he says.

5 Ponemon Study Relevance Ninety percent of healthcare organiza6ons studied had at least one data breach in the past two years. Thirty- eight percent reported more than five breach incidents. The average economic impact of data breaches over the past two years for healthcare organiza6ons in the study was $1,973,895. Fourth Annual Benchmark Study on Pa6ent Privacy & Data Security - Ponemon Ins6tute, March 2014

6 HIPAA Breaches Since 2009 Relevance 1194 breaches of 500 or more records More than 133 million patient records affected Largest breach is over 78 million records Breach types from misplaced paper to cyber attacks Two breach examples under 500 records: Walgreens 1 record, $1.44 million breach judgement Hospice of Northern Idaho s 441 record breach, $50k Commen6ng on the Hospice breach, OCR Director Leon Rodriguez said: This ac6on sends a strong message to the health care industry that, regardless of size, covered en66es must take ac6on and will be held accountable for safeguarding their pa6ents health informa6on. From U.S. Health & Human Services Office of Civil Rights on 4/13/2015 hbps://ocrportal.hhs.gov/ocr/breach

7 And It s Personal! Relevance

8 And It s Personal! Relevance Credit and iden6ty protec6on 5 family members Each individually enrolled Two years of monitoring

9 Risk

10 Our Risk Profile Risk Unmanaged! Managed! Aware! Negligent! Prepared! Unaware! Ignorant! Incompetent!

11 Today s Goal: Awareness Risk Unmanaged! Managed! Aware! In Negligent! Process! Prepared! Unaware! Ignorant! Incompetent!

12 Context Medical Devices OCR HIE ONC HHS HIPAA EHR FDA ACO SAG PHR Courts

13 ephi Context Defini6on: electronic Protected Health Informa2on (ephi) is pa6ent health informa6on created, received, stored, maintained, processed and/or transmibed in, on, or through any form of electronic means. Adapted from a HIPAA presenta6on by Marion Jenkins, PhD, FHIMSS HiMSS 15 Conference on 4/13/2015

14 ephi Context The HIPAA Security Rule: Covered En66es must protect and secure all electronic Protected Health Informa2on (ephi) against accidental or inten6onal causes of unauthorized access, thej, loss, or destruc6on, from both internal and external sources. Adapted from a HIPAA presenta6on by Marion Jenkins, PhD, FHIMSS HiMSS 15 Conference on 4/13/2015

15 Exi6ng Medical Devices Rental return Lease turn- in Re6rement (EOL) Redeployment Resale Service/repair Context

16 Medical Devices & ephi Examples

17 Small Device Big Surprise! Diagnos6c Spirometer A portable babery operated device for tes6ng respiratory volume and func6on.

18 Small Device Big Surprise! Small enough to fit in the pocket of a pair of scrubs. Holds enough ephi to require HIPAA breach no6fica6on to HHS if lost, stolen or disposed of improperly.

19 Small Device Big Surprise! ephi stored on this device: full name date of birth height and weight sex ethnicity history of asthma history of smoking

20 Small Device Big Surprise! More about this device: No user authen6ca6on Unencrypted stored data Unrestricted expor6ng Holds 2040 pa6ent records

21 Large Device Big Surprise! A line of clinical analyzer systems

22 Large Device Big Surprise! 7 analyzers were evaluated for ephi risk Records found ranged from 1 to 25,000 per device Model Pa/ent Data? ephi Elements Observed 250 Yes first name, last name, test date, test type, test result 350 Yes first name, last name, test date, test type, test result ECi Yes first name, last name, date of birth, sex, test date, test type, test result ECiQ Yes first name, last name, date of birth, sex, test date, test type, test result 5.1 Yes first name, last name, date of birth, sex, test date, test type, test result 5600 Yes first name, last name, date of birth, sex, test date, test type, test result

23 Large Device Big Surprise! More about these devices: No user authen6ca6on Unencrypted stored data Unrestricted expor6ng Breach risk: 50k to 90k pa6ent records for 7 units

24 Smarter Device S6ll Surprised! This ultrasound system has the capability of storing pa6ent data on a hard drive separate from the opera6ng system and applica6on sojware. Removal and destruc6on of the pa6ent data hard drive is easily accomplished.

25 Smarter Device S6ll Surprised! Unfortunately, data elements that qualify as ephi, such as pa6ent name, pa6ent ID, procedure date/ 6me, facility names, doctor names, and descrip6ons of pa6ent history were found on the opera6ng system hard drive.

26 Smarter Device S6ll Surprised! ephi data was also found in the pagefile.sys file on the opera6ng system hard drive. This file is used by the Windows opera6ng system to buffer informa6on before it is wriben to memory for processing.

27 ephi Detec6ve Un6l manufacturers build in ephi safeguards, we have to rely on detec6ve work to make informed choices about ephi disposi6on on medical devices. ephi The MDS 2 form (Manufacturer Disclosure Statement for Medical Device Security) is a good start.

28 ephi Detec6ve Display and Print capability Obvious Input capability Electrocardiograph Portability can be powered by an internal babery pack

29 ephi Detec6ve Block Diagram obtained from the service manual found online - Google.

30 Abundant input and output connec6vity for data transfer. ephi Detec6ve

31 ephi Detec6ve The use of Compact Flash storage media for sojware upgrades is intriguing.

32 Discovery: a common storage device. ephi Detec6ve

33 ephi Detec6ve Findings: 40 pa6ent records first name last name date of birth test date diagnos6c test results preliminary diagnosis provider name clinic loca6on

34 ephi For Sale?

35 ephi For Sale?

36 ephi For Sale?

37 ephi For Sale?

38 Our Risk Profile Risk Unmanaged! Managed! Aware! Negligent! Prepared! Unaware! Ignorant! Incompetent!

39 Awareness: Now What? Awareness Short term ac6vi6es: Confirm or iden6fy who in your organiza6on is responsible for data privacy and security on various device types Iden6fy all [poten6al] data bearing devices in your organiza6on If you are not already using it, adopt the MDS 2 form as a star6ng place to evaluate risk for current device inventory Implement some form of controlled exit for these devices Check for BAAs in place and indemnifica6on when custody transfers

40 Awareness: Now What? Applica6on Long term ac6vi6es: Develop a comprehensive asset disposi6on program that accounts for the complexi6es of ephi bearing medical devices Add ephi mi6ga6on requirements to the equipment procurement process. Ask manufacturers to provide: A completed MDS 2 form. Separate storage media for device opera6ng system/applica6on sojware and pa6ent data Encryp6on of pa6ent data storage media

41 Awareness: Now What? Applica6on Long term ac6vi6es (con6nued): Ask manufacturers to provide: Destruc6ve erasure capability for encrypted pa6ent storage media No system or applica6on logging of ephi elements to device opera6ng system/applica6on sojware storage media Indemnifica6on in the event of a data breach if manufacturer provided steps to remove ephi are followed, but do not result in an ephi free device

42 Discussion Ray Davey CTO Maxxum, Inc

43 Compliance In 3 Steps! The Guard HIPAA Education Series sponsored by: Outside Consultant Other Compliance Software Manuals or Templates Risk Assessmen Provider HIPAA ( ) HIPAA Copyright