Securing Health Data. Melina Scotto CISSP, CISA, HCISPP. Sr. Network Security Engineer NIH SRA International

Transcription

1 Securing Health Data Melina Scotto CISSP, CISA, HCISPP Sr. Network Security Engineer NIH SRA International

2 Course Overview Securing Medical Data presents the history of medical data regulations, explains the technical details of the regulations from a network engineering perspective and develops a deep understanding of medical data risk management.

3 Training Audience Technical staff on Healthcare networks Privacy Officers, Privacy Regulation Enthusiasts Project Managers in Healthcare sector Clinicians (Extensive technical background not required)

4 Introductions and Ice Breaker Write these words on the notecards at your table. Each word on one notecard. RISK THREAT EVENT VULNERABILITY THREAT SOURCE exploits causing initiates producing ADVERSE IMPACT

5 Agenda Pre Lunch Introductions Risk icebreaker. General Healthcare IT Environment Knowledge baseline quiz. (Audience response clickers if possible) Healthcare Regulatory Environment Review Resource Packet True stories from the field Health data security failures from the HHS Wall of Shame Lunch Break

6 Agenda Post Lunch Risk Management and Mitigation Information Risk Assessment from NIST Sp (rev 1) groups work in teams to apply appropriate technical controls to stories from the field. HCISPP certification topics: 3 rd party Risk Management, Cloud computing and International Health data standards.

7 HIPAA Terms HIPAA HITECH/ARRA ephi Privacy Security CFR CE BA HHS ONC OCR NIST CMS

8 HIPAA Terms CFR - Code of Federal Regulations

9 HIPAA Terms HIPAA

10 HIPAA Terms HIPAA HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 Public Law th Congress An Act To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled

11 HIPAA Terms HIPAA Covered Entities (CE) CE Covered Entity BA Business Associate

12 HIPAA Terms HIPAA Business Associate (BA)

13 HIPAA Terms HITECH (ARRA) DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of the Secretary 45 CFR Part 160 RIN 0991 AB55 HIPAA Administrative Simplification: Enforcement AGENCY: Office of the Secretary, HHS. ACTION: Interim final rule; request for comments SUMMARY: The Secretary of the Department of Health and Human Services (HHS) adopts this interim final rule to conform the enforcement regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to the effective statutory revisions made pursuant to the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

14 HIPAA Terms HITECH

15 HIPAA Terms PHI Protected Health Information 18 Protected Identifiers Names; All geographic subdivisions smaller than a State, including street address, city, county, precinct, and their equivalent geocodes; All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; Telephone numbers; Fax numbers; Electronic mail addresses; Social security numbers; Medical record numbers; Health plan beneficiary numbers; Account numbers; Certificate/license numbers; Vehicle identifiers and serial numbers, including license plate numbers; Device identifiers and serial numbers; Web Universal Resource Locators (URLs); Internet Protocol (IP) address numbers; Biometric identifiers, including finger and voice prints; Full face photographic images and any comparable images; Any other unique identifying number, characteristic, or code.

16 HIPAA Terms Location of ephi EMRs Backups Mobile Devices such as laptops/tablets/cell phones Digital Copiers PC Hard Drives Embedded Flash devices Biomedical Devices

17 HIPAA Terms Privacy The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities" (generally, health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions. Privacy is a right. Privacy Rule covers written, print and oral disclosures. Security. Security Rule covers electronic PHI or ephi. With respect to HIPAA, the term security is used for policies, mechanisms or systems which keep ephi confidential using Administrative, Technical and Physical controls. Security is the mechanism that maintains privacy.

18 HIPAA Terms HHS US Department of Health and Human Services ONC Office of the National Coordinator for Health Information Technology OCR Office for Civil Rights NIST National Institutes for Standards and Technology CMS Centers for Medicare and Medicaid Services

19 Quick Check-in. True or False? Under HIPAA, Privacy ensures Security. Recommended Resource. Herzig s Information Security in Healthcare, Managing Risk Introduction of Privacy by Sheila Searson

20 Medical Data Regulatory Environment Overlaps in Medical Organizations with other Data Security and Privacy Laws 1974 Privacy Act Computer Fraud and Abuse Act Grahm Leach Bliley SOX GINA

21 HIPAA Breaches

22 HIPAA Breaches VIOLATION California Department of Developmental Services Stolen laptop and iphone containing Names, Social Security numbers, and other personal information. Laptop unnencrypted. AFFECTED Over 18, 000 patients. The program served disabled infants and toddlers.

23 HIPAA Breaches VIOLATION Massachusetts General Hospital employee printed the records of 192 infectious disease patients before going on holiday. Left the printed records on the RedLine public transit system. OCR Settlement $1M

24 HIPAA Breaches VIOLATION Utah Department of Health confirmed that a server containing personal health information (PHI) of some 780,000 patients had been actively hacked into starting in March. Officials reported that thieves had begun removing information from the server. Addresses, dates of birth, Social Security numbers, diagnoses codes, national provider identification numbers, billing codes and taxpayer identification numbers were all Included on the server. OCR PENALTY Not yet assessed.

25 HIPAA Breaches VIOLATION Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. Affinity failed to incorporate copier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the hard drives to its leasing agents. OCR PENALTY $1.2M + Corrective Action Plan

26 HIPAA Breaches Corrective Action Plan 1. Within five (5) days of the Effective date, AHP shall use its best efforts to retrieve all photocopier hard drives that were contained in photocopiers previously leased by AHP that remain in the possession of Canon Financial Services, and safeguard all EPHI contained therein from impermissible disclosure. If AHP cannot retrieve said hard drives, AHP shall provide OCR with documentation explaining its best efforts and the reason it was unable to retrieve said hard drives. If AHP retrieves said hard drives, AHP shall provide OCR written certification that it has completed the requirements specified in this paragraph. AHP s compliance with this corrective action will be based on the Region s review and approval of the documentation explaining why its efforts failed to retrieve the hard drives. 2. Within thirty (30) days of the Effective Date, AHP shall conduct a comprehensive risk analysis of the EPHI security risks and vulnerabilities that incorporates all electronic equipment and systems controlled, owned or leased by AHP. AHP shall also, within this time period develop a plan, to address and mitigate any security risks and vulnerabilities found in this analysis and, if necessary, revise its present policies and procedures. The plan and any revised policies and procedures shall be forwarded to OCR for its review consistent with paragraph 3 below. 3. OCR shall review and recommend changes to the plan and any revised policies and procedures specified in paragraph 2. Upon receiving OCR s recommended changes, AHP shall have thirty calendar days to provide a revised plan and any revised policies and procedures to OCR for review and approval. AHP shall implement the plan and distribute and train staff members on any revised policies and procedures within thirty (30) calendar days of OCR s approval.

27 HIPAA Breaches VIOLATION Cignet Health Care (Prince Georges County, MD) denied 41 patients access to their medical records when requested between September 2008 and October These patients individually filed complaints with OCR, initiating investigations with each complaint. The HIPAA privacy rule requires that a covered entity provide a patient a copy of their medical records no later than 60 days of the patient s request. OCR PENALTY $4.3 Million The fine for these violations alone is $1.3M. A $3M fine was imposed for obstructing the HHS investigation. It is believed that Cignet failed to provide the requested records because it could not locate the medical records. DOJ then opened an investigation to criminal fraud charges.

28 HIPAA Breaches VIOLATION TRICARE contractors had no encryption in place for backup tapes. Unencrypted tapes with the ephi of 4.9M military clinic and hospital patients were stolen from the back of a car. OCR PENALTY Not yet assessed. CIVIL PENALTY 7 lawsuits are seeking $1000/record or $4.9B in damages.

29 HIPAA Breaches

30 Regulation Details CFR Code of Federal Regulations HIPAA CFR Health Insurance Portability and Accountability Act HITECH (ARRA) Health Information Technology for Economic and Clinical Health Act NIST MU - Meaningful Use meaningful_use_announcement/2996

31 Lunch Break

32 Risk Assessment

33 Threat Threat Source: The intent and method targeted at the intentional exploitation of a vulnerability or situation and method that may accidentally exploit a vulnerability. Threat Event: An event or situation that has the potential for causing undesirable consequences or impact.

34 Threat Landscape Examples of threats: Fire Flood Power Outage Snooping Theft Acts of war/terrorism

35 Vulnerability Vulnerability is a flaw or weakness in a system security procedure, design, implementation, or internal control that could result in a breach or violation.

36 Information Risk Assessment Where do threats attack a network?

37 Vulnerability

38 Likelihood The likelihood of occurrence is a weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability (or set of vulnerabilities).

39 Likelihood

40 Adverse Impact An adverse impact is a failure of data availability, integrity or confidentiality.

41 Risk Definition The probability that a particular threat will accidentally trigger or intentionally exploit a particular vulnerability. Risk = Threats x Asset Value x Vulnerability

42 Risk Framing

43 Risk Management

44 Risk Management Security Control Assessment

45 Risk Assessment Resources

46 Security Rule Toolkit

47 Security Rule Toolkit

48 Demo Security Rule Toolkit

49 NIST Risk Assessment Tools

50 Risk Assessment Tools

51 Risk Management Cloud Data

52 RISK ASSESSMENT ACTIVITY We will break into small groups and complete mock risk assessments for our organizations based on true breach events. Discuss each events threat source, liklihood, vulnerability and technical controls. Indicate appropriate adverse impact. Finally assess risk in a qualitative table.

53 Risk Assessment Findings From Groups Tell us a little about your breach and what technical controls you would recommend to reduce risk.

54 HCISPP

55 HCISPP Domains Include: 1. Healthcare Environment 2. Regulations 3. Privacy and Security in Health Care 4. Information Governance and Risk Management 5. Information Risk Assessment 6. Third Party Risk Management

56 HCISPP Study Resources Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. Subtitle F (1996). Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), 42 U.S.C (2009). Information Commissioner s Office (2008). Data Protection Act The Eighth Data Protection Principle and international data transfers. f National Health Service (2009). NHS Information Risk Management. London: Author. Organization for Economic Co-operation and Development (1980). OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Paris: Author. Scholl, M., Stine, K., Hash, J., Bowen, P., Johnson, A., Smith, C. D., and Steinberg, D. I. (2008). NIST Special Publication (Rev.1), An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Gaithersburg, MD: National Institute of Standards and Technology. The European Data Protection Directive

57 HCISPP Study Outline International Privacy Regulations Safe Harbor Allows for transfer of EU data to US for commerce, without application of full EU privacy measures. Must follow Safe Harbor Framework to provide adequate privacy. In affect since 1998 (though EU is voting to revoke)

58 HCISPP Study Outline International Privacy Regulations European Commission EU Privacy Purpose of data collection Relevance of collected data Data storage limits Access to collected data

59 HCISPP Know what SNOMED and HL7 are

60 HCISPP Risk Equations Total Risk = Threats x Asset Value x Vulnerability Residual Risk = (Threats x Asset Value x Vulnerability) * control gap

61 HCISPP Sample Questions from ISC2 Which layer of the OSI model is responsible for determining the best route through a network? 1) Network layer 2) Physical layer 3) Session layer 4) None of the above

62 HCISPP Sample Questions from ISC2 What is different about wireless networks versus wired networks? 1. A wireless network is constrained to a 1-meter radius versus a wired network that can span rooms or city blocks. 2. The OSI stack is different for a wireless network versus a wired network. 3. Wired networks use radio waves to communicate. 4. Wireless networks use radio waves to communicate.

63 HCISPP Sample Questions HL7 is mainly a. 1. messaging standard 2. an XML variant 3. a programming language 4. None of the above

64 HCISPP Sample Questions What is the correct order of risk components? 1. Threat event, threat source, risk, likelihood, vulnerability 2. Vulnerability, adverse impact, threat event, likelihood, risk. 3. Likelihood, threat source, risk, vulnerability, threat event. 4. Threat source, threat event, vulnerability, adverse impact, risk

65 HCISPP Examination Details Test sites at Pearson VUE 125 questions Bring 2 types of ID Palm Print/Biometrics taken

66 Questions?

67 Thank You