Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Transcription

1 Securing the FOSS VistA Stack HIPAA Baseline Discussion Jack L. Shaffer, Jr. Chief Operations Officer

2 HIPAA as Baseline of security: To secure any stack which contains ephi (electonic Protected Health Information) HIPAA must be your baseline specifically the HIPAA Security Rule The HIPAA Security Rule establishes national standards to protect individuals ephi that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.

3 HIPAA Security Rule: The HIPAA Security Rule concentrates on safeguarding PHI by focusing on the confidentiality, integrity, and availability of PHI. A covered entity or business associate is required to have administrative, technical, and physical safeguards to protect the privacy of PHI. Safeguards must: Protect PHI from accidental or intentional unauthorized use/disclosure in computer systems (including social networking sites such as Facebook, Twitter, and others) and work areas; Limit accidental disclosures (such as discussions in waiting rooms and hallways); and Include practices such as document shredding, locking doors and file storage areas, and use of passwords and codes for access.

4 HIPAA Security Rule: Implementation specifications in the Security Rule are either Required or Addressable. See 45 C.F.R (d). If an implementation specification is required, the covered entity must implement policies and/or procedures that meet what the implementation specification requires. If an implementation specification is addressable, then the covered entity must assess whether it is a reasonable and appropriate safeguard in the entity s environment. Addressable does not mean optional.

5 HIPAA Security Rule: Security Standards divided into 3 categories: Administrative Safeguards The administrative functions that should be implemented to meet the security standards. These include assignment or delegation of security responsibility to an individual and security training requirements. Physical Safeguards The mechanisms required to protect electronic systems, equipment and the data they hold, from threats, environmental hazards and unauthorized intrusion. They include restricting access to EPHI and retaining off site computer backups. Technical Safeguards The automated processes used to protect data and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that EPHI, or encrypting and decrypting data as it is being stored and/or transmitted. Regulatory definitions of the safeguards can be found in the Security Rule at 45 CFR

6 Administrative Safeguards Applies to: Covered Entity, Business Associates, and Subcontractors Required Risk Analysis Risk Management Sanction Policy Information System Activity Review Assigned Security Responsibility Isolating Health Care Clearinghouse Function Response and Reporting Data Backup Plan Disaster Recovery Plan Emergency Mode Operation Plan Evaluation Written Contract or Other Arrangement Addressable Authorization and/or Supervision Workforce Clearance Procedure Termination Procedures Access Authorization Access Establishment and Modification Security Reminders Protection from Malicious Software Log-in Monitoring Password Management Testing and Revision Procedure Applications and Data Criticality Analysis

7 Physical Safeguards Applies to: Covered Entity, Business Associates, and Subcontractors Required Workstation Use Workstation Security Disposal Media Re-use Addressable Contingency Operations Facility Security Plan Access Control and Validation Procedures Maintenance Records Accountability Data Backup and Storage

8 Technical Safeguards Applies to: Covered Entity, Business Associates, and Subcontractors Required Unique User Identification Emergency Access Procedure Audit Controls Person or Entity Authentication Addressable Automatic Logoff Encryption and Decryption Mechanism to Authenticate Electronic PHI Transmission Security Integrity Controls Transmission Security Encryption

9 Sample Safeguards: Some safety measures that may be built in to EHR systems include: Access controls like passwords and PIN numbers, to help limit access to your information; (VistA has already) Encrypting your stored information. This means your health information cannot be read or understood except by someone who can decrypt it, using a special key made available only to authorized individuals; (Next slide) An audit trail, which records who accessed your information, what changes were made and when. (VistA has already)

10 Technical Safeguard: Encryption Intersystems Cache and GT.M CAN encrypt data at rest: Can be done outside of VistA at database level. Allows secure on-disk storage of CACHE.DAT files. Minimal performance impact. Encryption Key based system cannot be unencrypted if key is lost or password is unknown. Intersystems GT.M CAS_encrypt If data is encrypted then safe harbor provisions of breach notification rule applies. (i.e. loss of media is not a reportable event)

11 Important Resources: NIST SP Introductory Guide for Implementing the HIPAA Security Rule NIST SP Rev. 4 catalog of security controls for all US Federal IT systems NIST SP Guide to storage encryption technologies for end user devices NIST Security Rule Toolkit Software to help implement HIPAA security rule