Keep Your Records Private. Addressing The Need for Display Security in Healthcare Environments. PrivateEye Enterprise


Introduction

Protecting the privacy of medical records, clinical systems and medical imaging, and securing IT infrastructure, involves far more than networked security threats. The healthcare workplace requires continuous real-world interaction between people and data, and each of those interactions is an opportunity for risk and loss. Security practitioners need to understand a threat landscape that includes social engineering, staff errors, inappropriate access, casual observations and unintended consequences. The successful organization takes a fresh look at threats regularly and implements solutions that target specific areas of risk, with an eye to the overall cost of the solution. Tools that automate, monitor and report on real-world events save IT organizations time and money, while helping rapidly improve overall security compliance.

This whitepaper describes the unique challenges to security and privacy of data in the healthcare domain, where every computer display represents a potential point of leakage.

Contents

Introduction
Patient Privacy, Security & Regulatory Compliance
The Cost of Healthcare Breaches
Healthcare Security Regulations
Healthcare Data Protection with PrivateEye
Overview: PrivateEye Enterprise
Highlights
Top Features
System Requirements
Alternatives: Plastic Privacy Filters
PrivateEye advantages over plastic screen filters
Cost-Benefit Analysis
Use Case: Walk-away Security
Cost and Convenience
Conclusions
About Oculis Labs
References

Patient Privacy, Security & Regulatory Compliance

Healthcare automation, especially the adoption of electronic medical records, is being driven by factors ranging from the desire to improve quality of care to opportunities to reduce costs. The American Recovery and Reinvestment Act (ARRA) of 2009 is also a driver, with a $19 billion [i] funding incentive for organizations that adopt electronic medical record systems [ii]. One requirement for receiving ARRA funding incentives is that organizations include significant patient privacy and security capabilities in their record systems.

Healthcare workspaces deal with enormous quantities of patient data in an ever-expanding, mobile, interconnected set of networks between hospitals, clinics, suppliers and universities. Further network connections include payers, pharmacies, other providers and patients.

The traditional view of IT security does not suffice to secure healthcare information. The problem is that network-focused security cannot protect information at the human interface: the computer screen. Any information valuable enough to be considered private, or regulated, must enter the real world on occasion, where it can be viewed. When the data is on the computer screen, it is vulnerable.

Display security is a significant problem that is overlooked by traditional security tools. Tools like firewalls, antivirus, intrusion detection, encryption, VPNs and access control are components in security architecture, but they only protect information on-the-wire. When a physician opens a patient record on his laptop, the data that had been previously secured is then broadcast for anyone to see.

When patient records can be exposed with a simple look over a shoulder, where the incidents are undetected and unreported, and when they are multiplied by millions of incidents per day across the country, there is a clear and pressing need to implement privacy protections for the last 2 feet of the network: from the display to the healthcare worker.

Fortunately, there is a new technology that ensures only authorized personnel can view healthcare records: PrivateEye Enterprise. PrivateEye Enterprise authenticates users with face recognition, protects records whenever authorized users walk away, and actively monitors and prevents over-the-shoulder eavesdropping. With centralized policy management and audit logging, PrivateEye Enterprise helps healthcare organizations meet or exceed data privacy laws and internal security goals.

The Cost of Healthcare Breaches

Most practitioners recognize that breaches are possible, and have seen the news of other organizations being affected by direct losses, damage to reputation, and government fines. Regrettably, breaches occur frequently, and have affected more than 250 million records of all types over the past 5 years [iii]. The cost of these breaches is what keeps healthcare organizations awake at night.

In 2007 Forrester Research [iv] published a study showing the total cost of a breach to average $305 per record. These costs included regulatory fines, restitution, lost productivity and lost customers. A similar study by Ponemon in 2008 found that a breach cost companies an average of $6.7 million.

Regulatory fines are increasing, and violations are being detected and prosecuted more often. For example, in 2009, California regulators fined Kaiser Permanente $250,000 for failure to properly protect the records of a single patient from access by unauthorized employees.

An analysis of healthcare security breaches [v] by AARP in 2006 found that 30% of all breaches were caused by improper information display and improper insider access (see figure 1). Traditional healthcare information security solutions do not properly address this significant gap in data protection. The potential financial loss to healthcare institutions due to improper patient record protection is receiving significant attention in corporate risk management planning.

Figure 1. Reported Security Breaches by Cause

Healthcare Security Regulations

Industry, federal and state regulations for information security apply to all healthcare providers. These regulations include provisions for significant fines and penalties for non-compliant organizations.

HITECH

HITECH toughens the existing HIPAA regulations to increase fines, expand the requirements and define broader reporting responsibilities. HITECH penalties for unintentional violations are $100 to $25,000 per violation. For violations due to reasonable cause, the penalty is $1000 to $100,000 per violation. In cases of willful neglect, the penalties range from $10,000 to $250,000. For willful neglect that is not corrected within 30 days, the minimum penalty is $50,000 and the maximum is $1,500,000 [vi]. Fines have already been levied under HITECH against multiple organizations, including $2.25 million against CVS Pharmacy.

PCI-DSS

The Payment Card Industry Data Security Standards (PCI-DSS) were developed by the payment industry to protect credit card processing. The majority of healthcare providers accept credit cards, and so they are required to comply with these non-governmental standards. Given the direct connection to payment, and the increasing use of co-payments and flexible spending plans, PCI-DSS controls must be carefully implemented to protect against loss.

FTC - Identity Theft Protections

The Federal Trade Commission has recently implemented rules to protect against identity theft through the use of Social Security Numbers, insurance information or health records. Healthcare providers are now required to implement programs to detect and report signs of identity theft.

State Regulations

Individual states have begun passing regulations for the protection of healthcare records containing information about any state resident. These typically define minimum protection levels for any form of record containing personal information. To date, both Massachusetts and California have passed such regulations. More states will follow.

Healthcare Data Protection with PrivateEye

Complying with data protection regulations in healthcare environments starts with identifying where data is exposed to loss, then taking steps to protect it, and finally monitoring ongoing compliance with an effective management and audit solution.

A review of computer networks in healthcare organizations will identify large numbers of computer terminals (fixed and mobile) used at all stages of patient care and administration in the organization, and extending outside to include the patient and a network of external partners, suppliers and contractors. Each of these computer nodes is a potential weak point, a window into the healthcare system that could leak private information.

The potential problem is of enormous scope, so organizations will typically start by identifying the functions most at risk from undesirable over-the-shoulder observation. These can be categorized both by the concentration and value of information processed, and by their potential exposure to observation. The areas of highest priority for protection typically include:

1. Laptops and Tablets that are in daily use by nurses, physicians and other healthcare professionals. These devices are at extreme risk of data loss and cannot be adequately protected by network-based solutions. As medical staff move throughout their work, these devices are continuously at risk of being observed, picked up by non-staff, lost or even stolen.

2. Stationary computer workstations at hospitals, clinics and physician's offices can contain the same information as mobile devices, and can have additional applications with workflow information specific to the institution, such as billing records, insurance, schedules, contact information, and a wide range of provider data. Although less subject to outright theft, stationary terminals are easier targets for social engineering attacks aimed at extracting patient data systematically.

3. Hospital Administration Functions. Electronic scheduling systems, billing and claims systems, inpatient and outpatient services, validation of insurance and other services are highly prized monetary assets for identity thieves as well as targets for privacy intrusions. Information viewed on these terminals needs to be protected as well as data sent over the network.

4. Human Resources Information Systems. Within the organization, any employee information related to salary, benefits, performance reviews, SSN and contact information, and career information must be protected as it would be in any organization. Larger organizations are likely targets for professional identity thieves and other criminal enterprises due to the higher payoff from a successful breach.

Organizations will also look at the threat profiles of other vital IT functions. These can include laboratory information systems, radiology department systems, medication administration subsystems, pharmacy systems, operating room management systems, and clinical data repositories. Where private information is regularly used in environments where outsiders can get a clear view, or where there are no effective access control and audit capabilities on the workstations to prevent improper insider access, the use of PrivateEye Enterprise should also be considered.

Moving to Electronic Health Records to comply with HITECH laws raises significant new privacy and security concerns [vii].

Overview: PrivateEye Enterprise

PrivateEye Enterprise ensures authorized staff can work normally, but stops anyone else from viewing the display. Centralized management and policy control ensures a healthcare organization can control and monitor for policy compliance.

PrivateEye performs 4 functions automatically:

1. Recognizes users by face, and unlocks the workstation
2. Protects the screen when the user looks away & brings it back when they return
3. Detects unwanted eavesdroppers and instantly protects the screen
4. Creates an audit trail showing proof-of-compliance and actionable security warnings

The fundamental difference between PrivateEye Enterprise and traditional information security tools is the use of attention-sensing computer vision technology to sense and protect against threats in the real world beyond the computer network. The analysis technology in the product is sophisticated, but the hardware requirements are not. PrivateEye uses a standard webcam and runs on standard Windows computers.

PrivateEye's unique focus on observation threats in the real world addresses the 30% of data breaches that are caused by lack of protection on healthcare computer screens.

PrivateEye is a convenient, transparent, automatic display security solution that just works. After installation the product is ready to run without configuration. User controls are simple and intuitive.

PrivateEye Enterprise includes central management, policy control, and audit capabilities for large deployments. System administrators can set and manage security controls, distribute licenses, and review security audit logs from PrivateEye clients.

Highlights

Eavesdropper Protection
Prying eyes may try to look when healthcare staff are viewing patient data, but PrivateEye catches them in the act and opens a thumbnail-sized video window showing the intruder's face on the display. It's like an intelligent rear-view mirror. This warning immediately alerts the staff member about the risk, and typically discourages the eavesdropper if they are not supposed to be looking.

Automatic Display Protection
Unattended workstations will no longer display unprotected data. Whenever an authorized user looks away, or walks away from the computer, PrivateEye will protect the display. When the staff member looks again, PrivateEye automatically clears the screen without interrupting the normal workflow.

Efficient, Non-Intrusive Operation
Physicians, nurses and other staff do not need to remember to lock the computer, and they will not be inconvenienced by continually logging in again. PrivateEye runs invisibly in the background, paying attention to the user's needs automatically without user intervention.

Top Features

Central Policy Management
The healthcare organization can set and manage user security policies through Microsoft Group Policy. There is no need for a new management console. Groups of machines or users can be configured with different display protection security settings, according to the environment and compliance requirements.

Compliance, Audit & Security Alerts
Real-world security threats are detected and pictures of the offenders are captured and saved. Logging includes failed access attempts and eavesdropping attempts. This feature enables the organization to intelligently respond to incidents and to prove compliance with a high level of protection.

User-Aware Protection
PrivateEye minimizes opportunities for eavesdroppers while staying out of the user's way. Only authorized users can clear the screen.

Face Recognition
The face recognition algorithms adapt over time to recognize authorized users in a wide variety of lighting conditions, and to changes in appearance. Multiple users can be enrolled to access the computer.

Zero Configuration
PrivateEye runs immediately after installation with minimal user intervention. A wizard checks the system configuration and enrolls the user while introducing the product features.

System Requirements

Client: Microsoft Windows XP, Vista, and Windows 7. Requires a standard embedded or USB webcam. 1 GHz processor, 1 Gb memory.

Server (for Enterprise installations): Windows Server functioning as a Domain Controller with Active Directory and Group Policy Management.

Alternatives: Plastic Privacy Filters

For a long time the only solution in the market, plastic filters have many deficiencies that have limited their use. While effective against oblique eavesdropping, privacy filters can't protect against threats from behind the user. Users often remove these filters because they distort and darken the display, which jeopardizes the organization's protections. Healthcare organizations need a better solution that cannot be easily disabled, protects data more effectively, and can prove compliance with regulations.

PrivateEye advantages over plastic screen filters

Price
  PrivateEye: PrivateEye costs less than physical screen filters when purchased in volume ($60 list price per seat).
  Screen Filters: Expensive - $49-$295.

Eavesdropper Protection
  PrivateEye: PrivateEye stops and warns about eavesdroppers who are behind the user.
  Screen Filters: Does not protect behind the user. Is not active, and not aware of eavesdroppers.

Data Protection
  PrivateEye: PrivateEye reacts to the user.
  Screen Filters: Static.

Compliance
  PrivateEye: IT can centrally manage PrivateEye software, ensuring it is always running when sensitive data is displayed. Audit logs can prove a high standard of care was applied at all times.
  Screen Filters: There is no way to know if a plastic filter is still attached to the monitor.

Manageability
  PrivateEye: As a software application, the IT manager can easily install it on all webcam-enabled PCs from a central location, and ensure it is running.
  Screen Filters: Requires physical installation, and sourcing the correct size filter for each different monitor. Can be removed by users.

Usability
  PrivateEye: PrivateEye stays out of the way of the user. When the user is looking, the screen is perfectly clear.
  Screen Filters: Introduces distortion and reduces screen brightness by 30%.

Convenience
  PrivateEye: The face recognition feature in PrivateEye automatically locks and unlocks the computer without a password.
  Screen Filters: Screen filters do not provide user-aware features.

Cost-Benefit Analysis

PrivateEye Enterprise delivers greater benefit than cost to healthcare institutions. The incremental cost of adding and supporting PrivateEye Enterprise at a price of $60 per workstation is smaller than both the investment in the EHR systems and the cost of a data breach.

A 2011 survey [viii] found startup costs of Electronic Health Record systems to be around $32,000 per physician, with additional annual maintenance costs of $8500. The cost of a healthcare data breach, as detailed earlier in this whitepaper, averages $305 per record, with an average total impact of $6.7 million to affected organizations. Regulations will continue to raise security expectations, and fines for non-compliance will continue to increase.

In that context, adding PrivateEye Enterprise is a very prudent and cost-effective initiative to reduce financial exposure. At a minimum, the presence of PrivateEye Enterprise security in an organization will discourage a significant percentage of fraud attempts due to the evident risk of being caught and the increased evidence trail in the audit log showing captured faces during incidents.

Use Case: Walk-away Security

In healthcare environments staff attention is primarily on tending to the needs of their patients. Remembering to log out of computer systems takes a much lower priority, and having to repeatedly log back into computer systems ranks low on a physician's preferred activities. The challenge in these environments is to streamline access to information while simplifying and strengthening security.

IT technology can be a strategic asset in medical facilities, improving patient care, increasing staff efficiency and reducing costs. However, procedural burdens of accessing data can be a drain on efficiency and a challenge to user cooperation. Worse still, improper use of technology can expose organizations to serious security gaps, ultimately resulting in financial loss and brand damage.

PrivateEye Enterprise automatically locks displays whenever users walk away, and re-opens the desktop when the user returns by using facial recognition and attention awareness. This results in significant benefits for users and the healthcare organization.

Increased Security

Expecting employees to always lock their computers when they walk away is unreliable and risky. In practice, 50% of displays are unsecured. Neither is it sufficient to rely on time-out mechanisms such as screen savers.

PrivateEye Enterprise will ensure that sensitive data is displayed only when an authorized user is present, and will immediately protect the data when the user leaves. PrivateEye also stops other people from surreptitiously viewing private data through its eavesdropper detection and alerting feature. PrivateEye significantly improves an organization's overall security protection.

Streamlined Access

Security is important, but so is ease-of-use for medical staff who need to frequently access information and then get back to the patient. By using a combination of attention-detection and face recognition, PrivateEye anticipates user activities quickly to ensure transparent access to the computer. Without delays, or the need for passwords, PrivateEye unlocks the system for authorized users as soon as they approach.

Automatic Authentication

Unattended workstations can no longer leak information, as PrivateEye performs automatic face recognition. When authorized users approach the system, the screen clears. When anyone else attempts to access data, they are locked out.

Proof of Compliance

Having proof of compliance with security regulations is almost as important as the security itself. PrivateEye Enterprise is centrally managed, and maintains an audit log of all security-related activity at the workstation. This enables IT to review security incidents, either confirming overall compliance or identifying problem areas for further investigation.

The information that PrivateEye collects about real-world threats is a new and valuable diagnostic prevention tool. The logs will show proper functioning of the security system, and indicate whenever a potential security threat such as an eavesdropping attempt occurred. PrivateEye Enterprise also records and timestamps images of any individual attempting unauthorized access. This log is invaluable evidence for responding to security incidents and improving operational procedures.

Cost and Convenience

PrivateEye Enterprise can be purchased and run at a lower cost, and provides important security features like eavesdropper prevention that are missing in traditional walk-away systems. Unlike RFID token systems that require employees to carry cards at all times, PrivateEye requires only standard Windows workstations equipped with standard webcams. There is nothing for an employee to lose, and hence no need to continually spend money and administrative time on card replacements.

PrivateEye Enterprise sells for $60 per workstation. Including the cost of equipping each system with a new webcam brings the total one-time fee to less than $100. This compares very favorably to competing walk-away systems that typically charge $150 per user per year. Over a 3 year deployment to a healthcare facility with 100 workstations and 500 FTEs, PrivateEye will save the organization approximately $211,400 while increasing overall security.

Conclusions

Healthcare organizations are already motivated to improve security around their electronic patient records, and are actively complying with ever increasing regulation and enforcement to minimize financial risk and protect their brand. The costs of healthcare data breaches continue to increase every year. Improper display of sensitive patient data and improper insider access comprise 30% of all incidents, and an increasing share of the costs. Organizations need security solutions to protect computer screens against unintended disclosure, and need reporting tools to prove compliance.

PrivateEye Enterprise is a highly effective solution for authenticating users automatically, protecting patient data, preventing eavesdropping, and creating an audit trail that can improve operational security. The solution protects against data leakage without affecting staff productivity, and can be installed and operated for significantly less cost than traditional plastic filters or RFID tags. Organizations dealing with healthcare privacy concerns should evaluate PrivateEye Enterprise to see how it will solve problems in your environment.

About Oculis Labs

Computer screens are an unprotected frontier for mobile people working with private, proprietary, or classified information. Oculis Labs products are security software systems that protect information displayed on computer screens from leaking to the wrong people, while ensuring the right people can use them normally. Our products surpass the capabilities of physical and computer access control systems at a far more attractive price. Supported by an investment from In-Q-Tel, the company has strong relationships with the government community as well as partnerships with large OEMs.

Contact sales@oculislabs.com (410) Clubhouse Road Hunt Valley, Maryland 21117

References

[i] [ii] [iii] [iv] [v] [vi] [vii]
[viii] Fleming, N. S.; Culler, S. D.; McCorkle, R.; Becker, E. R.; Ballard, D. J. (2011). "The Financial and Nonfinancial Costs of Implementing Electronic Health Records in Primary Care Practices". Health Affairs 30 (3):


More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

Community First Health Plans Breach Notification for Unsecured PHI

Community First Health Plans Breach Notification for Unsecured PHI Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

Security and Privacy of Electronic Medical Records

Security and Privacy of Electronic Medical Records White Paper Security and Privacy of Electronic Medical Records McAfee SIEM and FairWarning team up to deliver a unified solution Table of Contents Executive Overview 3 Healthcare Privacy and Security Drivers

More information

ARRA HITECH Stimulus HIPAA Security Compliance Reporter. White Paper

ARRA HITECH Stimulus HIPAA Security Compliance Reporter. White Paper ARRA HITECH Stimulus HIPAA Security Compliance Reporter White Paper ARRA HITECH AND ACR2 HIPAA SECURITY The healthcare industry is in a time of great transition, with a government mandate for EHR/EMR systems,

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE

THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced

More information

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help The Health Information Portability and Accountability Act (HIPAA) Omnibus Rule which will begin to be enforced September 23, 2013,

More information

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Introduction Patient privacy has become a major topic of concern over the past several years. With the majority of

More information

Top 10 Tips to Keep Your Small Business Safe

Top 10 Tips to Keep Your Small Business Safe Securing Your Web World Top 10 Tips to Keep Your Small Business Safe Protecting your business against the latest Web threats has become an incredibly complicated task. The consequences of external attacks,

More information

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Automating policy enforcement to prevent endpoint data loss IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Highlights Protecting your business value from

More information

Easing the Burden of Healthcare Compliance

Easing the Burden of Healthcare Compliance Easing the Burden of Healthcare Compliance In This Paper Federal laws require that healthcare organizations that suspect a breach of sensitive data launch an investigation into the matter For many mid-sized

More information

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions Permeo Technologies WHITE PAPER HIPAA Compliancy and Secure Remote Access: Challenges and Solutions 1 Introduction The Healthcare Insurance Portability and Accountability Act (HIPAA) of 1996 has had an

More information

Meaningful Use and Security Risk Analysis

Meaningful Use and Security Risk Analysis Meaningful Use and Security Risk Analysis Meeting the Measure Security in Transition Executive Summary Is your organization adopting Meaningful Use, either to gain incentive payouts or to avoid penalties?

More information

PCI Data Security Standards (DSS)

PCI Data Security Standards (DSS) ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

8 Steps to Holistic Database Security

8 Steps to Holistic Database Security Information Management White Paper 8 Steps to Holistic Database Security By Ron Ben Natan, Ph.D., IBM Distinguished Engineer, CTO for Integrated Data Management 2 8 Steps to Holistic Database Security

More information

How-To Guide: Cyber Security. Content Provided by

How-To Guide: Cyber Security. Content Provided by How-To Guide: Cyber Security Content Provided by Who needs cyber security? Businesses that have, use, or support computers, smartphones, email, websites, social media, or cloudbased services. Businesses

More information

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Automating policy enforcement to prevent endpoint data loss IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Highlights Facilitate policy-based expertise and

More information

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act Are your authentication, access, and audit paradigms up to date? Table of Contents Synopsis...1

More information

Security and Privacy for Healthcare Providers

Security and Privacy for Healthcare Providers WHITE PAPER: BEST PRACTICES SERIES FOR HEALTHCARE........................................ Security and Privacy for Healthcare Providers Who should read this paper Healthcare IT Professionals WHITE PAPER:

More information

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management. www.kaseya.com

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management. www.kaseya.com Kaseya White Paper Endpoint Security Fighting Cyber Crime with Automated, Centralized Management www.kaseya.com To win the ongoing war against hackers and cyber criminals, IT professionals must do two

More information

How To Protect Your Data From Theft

How To Protect Your Data From Theft Understanding the Effectiveness of a Data Protection Program IIA: Almost Free Seminar 21 June 2011 Agenda Data protection overview Case studies Ernst & Young s point of view Understanding the effectiveness

More information

Don't Be The Next Data Loss Story

Don't Be The Next Data Loss Story Don't Be The Next Data Loss Story Data Breaches Don t Discriminate DuPont scientist downloaded 22,000 sensitive documents as he got ready to take a job with a competitor Royal London Mutual Insurance Society

More information

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

HIPAA and Health Information Privacy and Security

HIPAA and Health Information Privacy and Security HIPAA and Health Information Privacy and Security Revised 7/2014 What Is HIPAA? H Health I Insurance P Portability & A Accountability A - Act HIPAA Privacy and Security Rules were passed to protect patient

More information

Nine Steps to Smart Security for Small Businesses

Nine Steps to Smart Security for Small Businesses Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...

More information

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization Alertsec offers Cloud Managed - Policy Controlled - Security Modules for Ensuring Compliance at the Endpoints Contents

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

Privacy Legislation and Industry Security Standards

Privacy Legislation and Industry Security Standards Privacy Legislation and Issue No. 3 01010101 01010101 01010101 Information is generated about and collected from individuals at an unprecedented rate in the ordinary course of business. In most cases,

More information

Securing Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use

Securing Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use Securing Patient Portals What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use September 2013 Table of Contents Abstract... 3 The Carrot and the Stick: Incentives and Penalties for Securing

More information

Security Basics: A Whitepaper

Security Basics: A Whitepaper Security Basics: A Whitepaper Todd Feinman, David Goldman, Ricky Wong and Neil Cooper PricewaterhouseCoopers LLP Resource Protection Services Introduction This paper will provide the reader with an overview

More information

Navigating Endpoint Encryption Technologies

Navigating Endpoint Encryption Technologies Navigating Endpoint Encryption Technologies Whitepaper November 2010 THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS

More information

Top 5 Reasons to Choose User-Friendly Strong Authentication

Top 5 Reasons to Choose User-Friendly Strong Authentication SOLUTION BRIEF: USER-FRIENDLY STRONG AUTHENTICATION........................................ Top 5 Reasons to Choose User-Friendly Strong Authentication Who should read this paper This executive brief asserts

More information

Health & Life sciences breach security program. David Houlding MSc CISSP CIPP Healthcare Privacy & Security Lead Intel Health and Life Sciences

Health & Life sciences breach security program. David Houlding MSc CISSP CIPP Healthcare Privacy & Security Lead Intel Health and Life Sciences Health & Life sciences breach security program David Houlding MSc CISSP CIPP Healthcare Privacy & Security Lead Intel Health and Life Sciences Overview 1. Healthcare Security Research / Directions 2. Healthcare

More information

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand

More information

Strengthen security with intelligent identity and access management

Strengthen security with intelligent identity and access management Strengthen security with intelligent identity and access management IBM Security solutions help safeguard user access, boost compliance and mitigate insider threats Highlights Enable business managers

More information

Beyond passwords: Protect the mobile enterprise with smarter security solutions

Beyond passwords: Protect the mobile enterprise with smarter security solutions IBM Software Thought Leadership White Paper September 2013 Beyond passwords: Protect the mobile enterprise with smarter security solutions Prevent fraud and improve the user experience with an adaptive

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

10 Hidden IT Risks That Threaten Your Practice

10 Hidden IT Risks That Threaten Your Practice (Plus 1 Fast Way to Find Them) Your practice depends on intelligence. But can you count on your technology? You may not be in the intelligence technology business, but it s probably impossible to imagine

More information

The Impact of Wireless LAN Technology on Compliance to the PCI Data Security Standard

The Impact of Wireless LAN Technology on Compliance to the PCI Data Security Standard The Impact of Wireless LAN Technology on to the PCI Data Security Standard 339 N. Bernardo Avenue, Suite 200 Mountain View, CA 94043 www.airtightnetworks.net Wireless LANs and PCI Retailers today use computers

More information

WHITE PAPER. Managed File Transfer: When Data Loss Prevention Is Not Enough Moving Beyond Stopping Leaks and Protecting Email

WHITE PAPER. Managed File Transfer: When Data Loss Prevention Is Not Enough Moving Beyond Stopping Leaks and Protecting Email WHITE PAPER Managed File Transfer: When Data Loss Prevention Is Not Enough Moving Beyond Stopping Leaks and Protecting Email EXECUTIVE SUMMARY Data Loss Prevention (DLP) monitoring products have greatly

More information

RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS

RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS Security solutions for patient and provider access AT A GLANCE Healthcare organizations of all sizes are responding to the demands of patients, physicians,

More information

Securing Corporate Data and Making Life Easier for the IT Admin Benefits of Pre Boot Network Authentication Technology

Securing Corporate Data and Making Life Easier for the IT Admin Benefits of Pre Boot Network Authentication Technology 20140115 Securing Corporate Data and Making Life Easier for the IT Admin Benefits of Pre Boot Network Authentication Technology TABLE OF CONTENTS What s at risk for your organization? 2 Is your business

More information

REMOTE ACCESS TO A HEALTHCARE FACILITY AND THE IT PROFESSIONAL S OBLIGATIONS UNDER HIPAA AND THE HITECH ACT

REMOTE ACCESS TO A HEALTHCARE FACILITY AND THE IT PROFESSIONAL S OBLIGATIONS UNDER HIPAA AND THE HITECH ACT REMOTE ACCESS TO A HEALTHCARE FACILITY AND THE IT PROFESSIONAL S OBLIGATIONS UNDER HIPAA AND THE HITECH ACT ARE YOUR AUTHENTICATION, ACCESS, AND AUDIT PARADIGMS UP TO DATE? BY KERRY ARMSTRONG, PRIVACY,

More information

Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services

Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Page 2 of 8 Introduction Patient privacy has become a major topic of concern over the past several years. With the majority

More information

White Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA

White Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA White Paper Achieving HIPAA Compliance through Security Information Management White Paper / HIPAA Contents Executive Summary... 1 Introduction: Brief Overview of HIPAA... 1 The HIPAA Challenge: Protecting

More information

SecureD Technical Overview

SecureD Technical Overview WHITEPAPER: SecureD Technical Overview WHITEPAPER: SecureD Technical Overview CONTENTS section page 1 The Challenge to Protect Data at Rest 3 2 Hardware Data Encryption Provides Maximum Security 3 3 SecureD

More information

Neoscope www.neoscopeit.com 888.810.9077

Neoscope www.neoscopeit.com 888.810.9077 Your law firm depends on intelligence. But can you count on your technology? You may not be in the intelligence technology business, but it s probably impossible to imagine your practice without IT. Today,

More information

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator HIPAA Happenings in Hospital Systems Donna J Brock, RHIT System HIM Audit & Privacy Coordinator HIPAA Health Insurance Portability and Accountability Act of 1996 Title 1 Title II Title III Title IV Title

More information

Remote Access Securing Your Employees Out of the Office

Remote Access Securing Your Employees Out of the Office Remote Access Securing Your Employees Out of the Office HSTE-NB0011-RV 1.0 Hypersecu Information Systems, Inc. #200-6191 Westminster Hwy Richmond BC V7C 4V4 Canada 1 (855) 497-3700 www.hypersecu.com Introduction

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

What Virginia s Free Clinics Need to Know About HIPAA and HITECH

What Virginia s Free Clinics Need to Know About HIPAA and HITECH What Virginia s Free Clinics Need to Know About HIPAA and HITECH This document is one in a series of tools and white papers produced by the Virginia Health Care Foundation to help Virginia s free clinics

More information

Nine Network Considerations in the New HIPAA Landscape

Nine Network Considerations in the New HIPAA Landscape Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant

More information

Mobile Data Security Essentials for Your Changing, Growing Workforce

Mobile Data Security Essentials for Your Changing, Growing Workforce Mobile Data Security Essentials for Your Changing, Growing Workforce White Paper February 2007 CREDANT Technologies Security Solutions White Paper YOUR DYNAMIC MOBILE ENVIRONMENT As the number and diversity

More information

Computer Security at Columbia College. Barak Zahavy April 2010

Computer Security at Columbia College. Barak Zahavy April 2010 Computer Security at Columbia College Barak Zahavy April 2010 Outline 2 Computer Security: What and Why Identity Theft Costs Prevention Further considerations Approach Broad range of awareness Cover a

More information

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements SolarWinds Security Information Management in the Payment Card

More information

Top Five Ways to Protect Your Network. A MainNerve Whitepaper

Top Five Ways to Protect Your Network. A MainNerve Whitepaper A MainNerve Whitepaper Overview The data security challenges within the business world have never been as challenging as they are today. Not only must organizations providers comply with stringent State

More information

10 Top Tips for Data Protection in the New Workplace

10 Top Tips for Data Protection in the New Workplace 10 Top Tips for Data Protection in the New Workplace Balancing Workplace Security with Workforce Productivity One of the key things that keeps CIOs awake at night, is worrying about the loss or leakage

More information

Best Practices for DLP Implementation in Healthcare Organizations

Best Practices for DLP Implementation in Healthcare Organizations Best Practices for DLP Implementation in Healthcare Organizations Healthcare organizations should follow 4 key stages when deploying data loss prevention solutions: 1) Understand Regulations and Technology

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information

More information

Provide access control with innovative solutions from IBM.

Provide access control with innovative solutions from IBM. Security solutions To support your IT objectives Provide access control with innovative solutions from IBM. Highlights Help protect assets and information from unauthorized access and improve business

More information

Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story

Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story Healthcare organizations planning to protect themselves from breach notification should implement data encryption in their

More information

SecureAge SecureDs Data Breach Prevention Solution

SecureAge SecureDs Data Breach Prevention Solution SecureAge SecureDs Data Breach Prevention Solution In recent years, major cases of data loss and data leaks are reported almost every week. These include high profile cases like US government losing personal

More information

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING By: Jerry Jackson Compliance and Privacy Officer 1 1 Introduction Welcome to Privacy and Security Training course. This course will help you

More information

BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security

BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security August 2014 w w w.r e d s p in.c o m Introduction This paper discusses the relevance and usefulness of security penetration

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

Endpoint protection for physical and virtual desktops

Endpoint protection for physical and virtual desktops datasheet Trend Micro officescan Endpoint protection for physical and virtual desktops In the bring-your-own-device (BYOD) environment, protecting your endpoints against ever-evolving threats has become

More information

HIPAA Email Compliance & Privacy. What You Need to Know Now

HIPAA Email Compliance & Privacy. What You Need to Know Now HIPAA Email Compliance & Privacy What You Need to Know Now Introduction The Health Insurance Portability and Accountability Act of 1996 (HIPAA) places a number of requirements on the healthcare industry

More information