Healthcare to Go: Securing Mobile Healthcare Data Lee Kim, Esq. SANS Mobile Device Security Summit 2013 May 30, 2013 Copyright 2013 Lee Kim 1
Why Information Security is Essential for Healthcare Safeguard patient information from theft, loss, and misuse Annual cost of security breaches to the healthcare industry is over $7 billion and 94% of healthcare organizations surveyed had at least one data breach in the past 2 years, according to Ponemon Institute s Third Annual Benchmark Study on Patient Privacy & Data Security Leading Causes of Data Breaches are the following: Theft Hacking Virus/Malware Loss Public Access or Distribution Unauthorized Access/Use Improper Disposal Copyright 2013 Lee Kim 2
Examples of Reported Breaches Disabled firewall exposes patient information Configuration error occurred at password authentication level allowing hacker to circumvent the security system Lost USB drives/disks containing patient information Theft of laptop with unencrypted hard drive containing patient information Malware leads to potential exposure of patient information Patient information inadvertently posted online Rogue employee (now ex-employee) allegedly transferred patient information to personal e-mail account Copyright 2013 Lee Kim 3
Policy Drivers of Healthcare InfoSec Health Insurance Portability and Accountability Act of 1996 (HIPAA) HIPAA Privacy Rule Uses and disclosures of protected health information (PHI) (a type of personally identifiable information) HIPAA Security Rule Administrative, physical, and technical safeguards to assure the confidentiality, integrity, and availability of electronic protected health information (ephi) HIPAA now applies to covered entities (healthcare providers, clearinghouses, health plans) and business associates (entities working on behalf of covered entities handling their PHI) Copyright 2013 Lee Kim 4
Policy Drivers of Healthcare InfoSec HITECH Act (part of the American Recovery and Reinvestment Act of 2009) Breach notification rule Business associates directly liable for HIPAA obligations HIPAA Omnibus Rule Modifies HIPAA and HITECH requirements Breach Notification Rule (replaces HITECH rule) Update to HIPAA Privacy and Security Rules and changes/clarifies HITECH obligations Effective date: March 26, 2013 Compliance date: September 23, 2013 Copyright 2013 Lee Kim 5
Policy Drivers of Healthcare InfoSec Super sensitive information Protected by federal and state laws (e.g., HIV/AIDS, drug and alcohol abuse, mental illness) While HIPAA may permit the exchange of information, if a more stringent law/regulation applies, then you must abide by that. Cybercrime Healthcare information is extremely valuable (including in the financial sense) Identity theft Alteration of medical records or other patient information or data may lead to patient harm or death Copyright 2013 Lee Kim 6
Government Audits HITECH Act Section 13411 Requires US Department of Health and Human Services (HHS) to perform periodic audits on covered entities and business associates for HIPAA Privacy, Security, and Breach Notification Standard requirements HHS Office of Civil Rights (OCR) commenced audits in November 2011 (ongoing) Large and small healthcare providers, hospitals, health plans, and physician practices were audited in 2012 Audits will also include business associates (entities doing a function on behalf of covered entity involving PHI) Corrective action plans and fines may result Copyright 2013 Lee Kim 7
Government Audits OCR HIPAA Audit Program analyzes processes, controls, and policies to determine HIPAA compliance for entities that create, receive, or retain electronic Protected Health Information (ephi) Healthcare providers and health plans have been audited under the program Business associates (those that work for covered entities and handle their PHI) will be audited OCR has found from its audits that the lack of HIPAA compliance has been because the entity was unaware of the requirement, in spite of the rules stating what the entity needs to exactly do to comply Copyright 2013 Lee Kim 8
Government Audits Results of 2012 OCR HIPAA Audit Program No findings or observations for 11% of the entities Security accounted for 60% of the findings and observations for virtually all entities No complete and accurate risk assessment (risk analysis) for two-thirds (2/3) of the entities Security addressable implementation specifications Addressable does not mean optional, but implemented if reasonable & appropriate» Almost every entity could have fully implemented the addressable implementation specification Small entities struggled with HIPAA compliance across the board Copyright 2013 Lee Kim 9
HIPAA Security Rule: The Basics The HIPAA Security Rule has the following: Security Standards Implementation specifications Required Addressable (not optional) must be implemented if reasonable and appropriate. HIPAA Security Rule is technology-neutral Policies and procedures need to be in place Criminal and civil liabilities for HIPAA violations (including Security Rule) Copyright 2013 Lee Kim 10
HIPAA Security Rule: The Basics Entity must appoint a HIPAA Security Official for the organization who oversees the development, implementation, monitoring, and communication of security policies and procedures in accordance with the Security Rule Copyright 2013 Lee Kim 11
HIPAA Security Compliance: Building the Foundation The cornerstones of an effective HIPAA Security compliance program include: Ongoing risk analysis and risk management Routine information system reviews This should include mobile devices, whether employersupplied or employee-provided (BYOD) There may be restrictions on what can be reviewed for BYOD devices If activity cannot be reviewed, document whether this is reasonable and the rationale for not reviewing (if that is the case) Copyright 2013 Lee Kim 12
HIPAA Security Compliance: Building the Foundation Securing and protecting all health information With mobile devices, ensure that the information is protected when used in public, on site, and at remote locations Authorization, supervision, and clearance for those who can access, receive, transmit, retain, or otherwise exchange ephi on mobile devices Sanctions for non-compliance of workforce members Including and up to termination Copyright 2013 Lee Kim 13
HIPAA Security Rule: Best Practices Implement a security framework E.g., HITRUST, NIST, ISO, etc. Consider the different types of healthcare data, access and roles, and data usage Healthcare data: administrative or clinical Consider the sensitivity of the data Access and roles: clinical staff vs. non-clinical staff (e.g., office manager, billing clerk, appointment scheduler, etc.) Data usage: Workflow, storage, retrieval Copyright 2013 Lee Kim 14
HIPAA Security Rule: Best Practices Conduct risk analysis and risk management on a regular (continuous basis) Understand the potential threats and vulnerabilities Outside your organization Inside your organization Insider threats Unauthorized use/access Understand the impact of the threat / vulnerability Ensure accuracy of policies and procedures Ensure workforce is trained and periodic training occurs Monitor user and system activity Copyright 2013 Lee Kim 15
HIPAA Security Rule: Best Practices Establish a security incident management program Develop a security incident management process Detect events and declare security incidents Respond to and recover from security incidents Address and report security incidents (including breaches) Organizational resilience Continuity of patient care and coordination of are Business continuity Engage law enforcement when necessary or prudent (with authorization from organization s stakeholders) Copyright 2013 Lee Kim 16
HIPAA Security Rule: Best Practices Risk management What are you doing to manage the risks and how can you lower the risks through policies, training, and access controls? Consider following NIST guidance to lower risks. Make sure your business associates and subcontractors are complying with HIPAA (including downstream business associates). Make sure expectations are clearly spelled out in business associate and subcontractor agreements. Copyright 2013 Lee Kim 17
HIPAA Security Rule: Application to mhealth When do we need to worry about HIPAA with mobile devices, mobile applications, and medical devices? Is it being used to create, receive, retain, transmit, or otherwise exchange ephi? If yes, then HIPAA applies! Copyright 2013 Lee Kim 18
HIPAA Security Rule: Risk Analysis What are the potential threats and vulnerabilities for mobile devices and how critical are they (e.g., low, medium, high)? Inherent risks with mobile/medical devices Attack vectors may be different for mobile devices: hardware, wireless eavesdropping, software (including web browser), user layer attacks, availability attacks Malware is evolving and increasingly machinegenerated Copyright 2013 Lee Kim 19
HIPAA Security Rule: Risk Analysis What are the potential threats and vulnerabilities for mobile/medical devices and how critical are they (e.g., low, medium, high)? Inherent risks: Easily portable and therefore easily stolen Wireless network connection (instead of wired) Battery (limited power) Rogue applications Loss of devices Unauthorized users or entities getting access to ephi Copyright 2013 Lee Kim 20
HIPAA Security Rule: Risk Analysis What are the potential threats and vulnerabilities for mobile/medical devices and how critical are they (e.g., low, medium, high)? (con t) Virus/malware Phishing User error (e.g., inadvertent posting to social media) Application error/misconfiguration Data mining Copyright 2013 Lee Kim 21
HIPAA Security Rule: Risk Analysis (Know Where and What the Data is) Where is my ephi? 1. What mobile apps, mobile devices, and medical devices are used to create, transmit, receive, or maintain the ephi? 2. Is the ephi stored on the device itself (e.g., e-mail, text message, etc.), as opposed to in a mobile app? 3. Does the mobile app developer create, receive, maintain, or transmit ephi on your behalf? 4. Is the ephi encrypted (at rest, in motion, archived)? Copyright 2013 Lee Kim 22
HIPAA Security Rule: Risk Analysis (Know Where and What the Data is) Practice tip: 1. Make an inventory list of the mobile apps, mobile devices, and medical devices which handle PHI, the type of PHI, and what is done with the PHI. 2. Do an assessment of the risks given the inventory list. Copyright 2013 Lee Kim 23
HIPAA Security Rule: Risk Analysis Questions to Ask the Developer How is the PHI secured? If the developer handles the PHI, what are its policies, procedures, and training? How secure is the mobile app/device itself?» Have the security controls been validated? (E.g., FIPS 140-2 validated encryption module) Who holds the key(s) for encryption/decryption? The developer or you? Is the information encrypted at rest, in transit, and archived? Copyright 2013 Lee Kim 24
HIPAA Security Rule: Risk Analysis Gap Analysis Where are the gaps in my risk analysis? (What have I not considered?) Example: How is my mobile device communicating ephi with other servers, medical devices/components, patient mobile devices (not regulated by HIPAA), BYOD or employer-provided mobile devices, etc. and what types of ephi are involved? Example: Have I considered the security of the network and the software interfaces/connection points? (Holistic approach) Copyright 2013 Lee Kim 25
HIPAA Security Rule: Risk Analysis Factors to Consider Authentication Complex passwords Encryption (data at rest, in transit, and archived) Segregating BYOD network traffic from other traffic Network flow analysis Intrusion detection system Mobile device management Preventing and detecting rogue network devices (evil twin) Remote lock and wipe functionality Anti-virus and anti-malware protection Copyright 2013 Lee Kim 26
HIPAA Security Rule: Risk Analysis Factors to Consider Operating system, firmware, application, middleware, interface, etc. updates (mobile devices and medical devices, including software & hardware components in between & network connectivity) Timely account de-provisioning (revoking system access: local and remote) Mobile applications Is the data remotely or locally stored? Does it comply with the HIPAA Privacy (e.g., use and disclosure of PHI) and Security Rules (e.g., technical safeguards)? Is the data encrypted and who has the key? Copyright 2013 Lee Kim 27
HIPAA Security Rule: Risk Analysis Secure web browser Secure e-mail Factors to Consider Social media (shortened links that lead to malware; improperly posting ephi) Texting and videoconferencing (none vs. secure end-to-end solutions) Camera/microphone (improperly recording PHI) Remote hosting of data (vs. local storage on device that may be lost or stolen, etc.) Media re-use and disposal Has the ephi/data really been destroyed? Copyright 2013 Lee Kim 28
HIPAA Security Rule: Risk Analysis Factors to Consider Backing up of data Are the backups encrypted? Network type and connectivity Copyright 2013 Lee Kim 29
HIPAA Security Rule: Risk Management (The Basics) Always to keep mind the need to ensure confidentiality, integrity, and availability of PHI and manage the risks identified in the risk analysis. 1. Based on the risk analysis, what are the risks that are medium and high? I.e., likelihood of exploitation and the impact of the threat / vulnerability 2. What medium and high risks can be lowered through policies, training, and access controls? If the risks can be lowered, then the risk analysis needs to be revised and the documentation needs to be updated. Copyright 2013 Lee Kim 30
HIPAA Security Rule: Risk Management Factors to Consider How secure is the PHI? (At rest, in transit, archived) Is the PHI reasonably available? Is the application and data (PHI) reasonably available? Is there an ability to export the PHI in a non-proprietary format for interoperability purposes or to migrate the information to another app or device? In the event of a disaster or emergency, can the mobile data (and access to it via the mobile app/device/portal) enable business continuity? Consider: Sum total of mobile data in the aggregate across all mobile users in an organization. Copyright 2013 Lee Kim 31
HIPAA Security Rule: Risk Management Third Parties What are the business associates and subcontractors doing with your data? Under the HIPAA Omnibus Rule, business associates include the following (if they handle the healthcare provider s, health plan s, or clearinghouse s PHI): Cloud providers Health information exchanges Health information organizations e-prescribing gateways Personal health record vendors Subcontractors Copyright 2013 Lee Kim 32
HIPAA Security Rule: Risk Management Business Associates & Subcontractors What are the business associates and subcontractors doing with your ephi? 1. Perform due diligence (e.g., review of Security Rule policies and procedures, training, network/security infrastructure documents, etc.) Is the business associate or subcontractor located in the US? Where are the hosting facilities and data centers located? 2. Obtain a business associate agreement / subcontractor agreement and set forth the expectations Consider whether you want to permit business associates/subcontractors to use de-identified (nonpersonally identifiable) health information (e.g., data mining risk) Copyright 2013 Lee Kim 33
Questions/Contact Information Lee Kim, Esq. Tucker Arensberg, P.C. 1500 One PPG Place Pittsburgh, PA 15222 lkim@tuckerlaw.com (412)594-3915 (work) (412)606-5064 (cell) Copyright 2013 Lee Kim 34
References HIPAA Omnibus Rule http://www.gpo.gov/fdsys/pkg/fr-2013-01-25/pdf/2013-01073.pdf OCR and NIST Security Rule Guidance http://www.hhs.gov/ocr/privacy/hipaa/administrative/sec urityrule/securityruleguidance.html NIST Computer Security Guidance (Special Publications) http://csrc.nist.gov/publications/pubssps.html mhimss Mobile Privacy & Security Toolkit http://www.mhimss.org/resource/mhimss-mobile-privacysecurity-toolkit HIPAA Audits http://www.hhs.gov/ocr/privacy Copyright 2013 Lee Kim 35
References OCR HIPAA Audit Program Protocol http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit /protocol.html Breaches Affecting 500 or More Individuals http://www.hhs.gov/ocr/privacy/hipaa/administrative/bre achnotificationrule/breachtool.html Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals http://www.hhs.gov/ocr/privacy/hipaa/administrative/bre achnotificationrule/brguidance.html Safeguarding Health Information: Building Assurance through HIPAA Security http://www.nist.gov/itl/csd/2013-hipaa-conference.cfm Copyright 2013 Lee Kim 36
References Nationwide Rollup Review of the Centers for Medicare & Medicaid http://oig.hhs.gov/oas/reports/region4/40805069.pdf Federal Risk and Authorization Management Program http://www.fedramp.gov OWASP Mobile Security Project - Top Ten Mobile Risks https://www.owasp.org/index.php/projects/owasp_mobi le_security_project_-_top_ten_mobile_risks Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140val-all.htm Copyright 2013 Lee Kim 37
References HITRUST Common Security Framework http://www.hitrustalliance.net/commonsecurityframewor k/ ANSI/AAMI/IEC 80001-1:2010, Application of risk management for IT Networks incorporating medical devices - Part 1: Roles, responsibilities and activities http://www.aami.org/publications/standards/80001.html Direct: Implementation Guidelines to Assure Security and Interoperability http://www.healthit.gov/sites/default/files/direct_implem entation_guidelines_to_assure_security_and_interoperabi lity.pdf Copyright 2013 Lee Kim 38
References Health IT Policy Committee Privacy & Security Tiger Team http://www.healthit.gov/policy-researchersimplementers/federal-advisory-committees-facas/privacysecurity-tiger-team NIST Cybersecurity Framework Workshop http://www.nist.gov/itl/csd/framework-042513.cfm NIST National Cybersecurity Center of Excellence http://csrc.nist.gov/nccoe/ Third Annual Benchmark Study on Patient Privacy & Data Security http://www2.idexpertscorp.com/assets/uploads/ponemon 2012/Third_Annual_Study_on_Patient_Privacy_FINAL.pdf Copyright 2013 Lee Kim 39
References 2nd Annual HIMSS Mobile Technology Survey http://www.himssanalytics.org/research/assetdetail.aspx? pubid=81559&tid=131 World Privacy Forum http://www.worldprivacyforum.org/ Copyright 2013 Lee Kim 40