AHLA. C. Big Data, Cloud Computing and the New World Order for Health Care Privacy

Transcription

1 AHLA C. Big Data, Clud Cmputing and the New Wrld Order fr Health Care Privacy Marti Arvin Chief Cmpliance Officer UCLA David Geffen Schl f Medicine Ls Angeles, CA Kirk J. Nahra Wiley Rein LLP Washingtn, DC Legal Issues Affecting Academic Medical Centers and Other Teaching Institutins January 22-23, 2015

2 Cybersecurity and Clud Services Cmpliance Cnsideratins AHLA AMC Cnference January 2015 Washingtn, DC Marti Arvin, CHC-F, CCEP-F, CHPC, CHRC Chief Cmpliance Officer UCLA Health System and David Geffen Schl f Medicine MArvin@mednet.ucla.edu Overview Are yu in the clud? The Natinal Institute f Standards and Technlgy (NIST) defines clud cmputing as a mdel fr enabling ubiquitus, cnvenient, n demand netwrk access t a shared pl f cnfigurable cmputing resurces (e.g., netwrks, servers, strage, applicatins, and services) that can be rapidly prvisined and released with minimal management effrt r service prvider interactin. Benefits f Clud Cmputing Fr many healthcare rganizatins, clud cmputing has becme essential fr planning and perfrmance. It can be used fr everything frm string s and persnal phts, t research cllabratin and business cntinuity planning. It allws an rganizatin t be extremely flexible by allcating cmputing resurces n demand, and makes it pssible t data mine large amunts f data in a shrt perid f time. Hsting data with an external clud vendr means that an rganizatin desn t have t supprt the infrastructure necessary t gain all f the benefits f the clud. This can lead t a reductin in cst and imprved system perfrmance and reliability. 2 1

3 Are yu in the clud? Even if yu think yu are nt, yu prbably are Tech savvy users IT staff Students, residents, fellws Researchers eager t cllabrate Mbile device backup iclud are yu using it fr mre than Find My iphne Vendrs, cntractrs and ther third parties 3 Are yu thinking abut being in the clud? Clud Technlgy Have a frmal apprach fr evaluating new hardware and sftware in yur envirnment Perfrm a frmal HIPAA Security Assessment f ptential clud vendrs that includes an analysis f security at the fllwing fur (4) OSI Layers: Applicatin Presentatin (Encryptin and decryptin) Netwrk Physical (Server) 4 2

4 Are yu thinking abut being in the clud? Specific Requirements HIPAA Business Assciate Agreement (BAA) Enterprise Single Sign-On (SSO) Tw Factr Authenticatin Data Encryptin (256-bit AES) in transit and at rest Review f vendr business cntinuity plan & testing, t include: Clud Prvider Backup and Retentin Plan Infrmatin Technlgy Penetratin Test (Pen-Test) 5 S nw yu have the agreement with the clud vendr Have a (fully tested) prcess in place fr cnducting investigatins when an event des ccur. An effective security investigatin is similar t the incident respnse prcess, and many cases will be cnducted cncurrently with yur recvery actins: Preparatin Acquire the necessary tls and training Develp investigatin plicies and prcedures Determine yur evidence cllectin requirements and establish a plicy fr secure strage and handling f ptential evidence Crdinate with Legal & HR t ensure cmplete transparency Investigatin Cllect evidence frm varius surces Transprt and secure evidence (Be mindful f the Chain f Custdy) Examine the evidence and analyze the results Presentatin Present yur investigatin methdlgy, the results f yur analysis, and 6 yur cnclusins 3

5 S nw yu have the agreement with the clud vendr Privacy Cnsideratins with PHI in the Clud Is it part f yur Designated Recrd Set? Patient access and amendment When can infrmatin be dwnladed and stred lcally? When can yur users invite third-parties t cllabrate r access PHI in the clud? Minimum necessary Verificatin f identity and authrity Accunting f disclsures implicatins Are there tls fr mnitring apprpriateness f access t PHI in the clud? 7 Pssible Use Cases If yu can think it, yur users might be ding it r want t! External cllabratin prjects Incming patient data uplads Outside recrds sent in advance f a cnsult Images r phts Telewrking Replacement fr sending files by e mail 8 4

6 AHLA C. Big Data, Clud Cmputing and the New Wrld Order fr Health Care Privacy Marti Arvin Chief Cmpliance Officer UCLA David Geffen Schl f Medicine Ls Angeles, CA Kirk J. Nahra Wiley Rein LLP Washingtn, DC Legal Issues Affecting Academic Medical Centers and Other Teaching Institutins January 22-23, 2015