Securing Patient Portals
What you need to know to comply with HIPAA Omnibus and Meaningful Use
Brian Selfridge, Partner, Meditology Services, LLC
Blake Sutherland, VP Enterprise Business, Trend Micro
Brian Selfridge, Meditology
12+ years of experience in healthcare IT security and compliance leadership
Previously CISO of AtlantiCare and part of the healthcare security practice at PricewaterhouseCoopers
Published author; CISSP, and certified in information systems security and information assurance by CNSS & NSA
Leads Meditology's IT Risk Management practice
Meditology is dedicated to delivering expertise and leadership in information privacy and security, compliance, and audit, specifically for healthcare.
Blake Sutherland, Trend Micro
15+ years of experience in security
Helped bring cloud security to the forefront at Third Brigade, acquired by Trend Micro
Experience with HITRUST
Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our innovative security solutions for consumers, businesses and governments protect information on mobile devices, endpoints, gateways, servers and the cloud.
Agenda
o Introductions
o Healthcare Industry Trends
o Incentives & Penalties
o Patient Portal Security Requirements
o How to Address Security Requirements
o Trend Micro Security for Patient Portals
o Questions
HEALTHCARE INDUSTRY TRENDS
Healthcare Industry Trends
o The move to 3rd-party hosted applications is shifting security administration, but not the risk
o Market and regulatory pressures are driving rapid portal adoption
o Mandatory breach notification under HITECH is increasing visibility for data loss events
o Oversight from federal and state agencies is ramping up:
  o OCR
  o CMS
  o State Attorneys General
INCENTIVES & PENALTIES
Incentives & Penalties
Patient Portals and Meaningful Use (MU)
o HITECH provides $19.2 billion in incentive payments to promote EHR adoption
o Requires certified EHR technology and deployment of a secure patient portal
o Incentive payments scale from individual providers to large health systems
o MU also establishes penalties in future years for providers that have not met requirements
Incentives & Penalties (continued)
HIPAA / HITECH / Omnibus
o Penalties can be up to $1.5 million per year per violation

Covered Entity                                  OCR Fine
New York and Presbyterian Hospital (NYP)        $4,800,000
Columbia University (CU)                        $4,800,000
WellPoint Inc.                                  $1,700,000
Affinity Health Plan, Inc.                      $1,215,780
Idaho State University                          $400,000
Shasta Regional Medical Center                  $275,000
Skagit County                                   $215,000
Adult & Pediatric Dermatology, P.C.             $150,000
PATIENT PORTAL SECURITY REQUIREMENTS
MU Security Requirements
Portal Security Scope
(1) Risk Analysis (HIPAA Security Rule safeguards):
  o Administrative
  o Physical
  o Technical
(2) ARRA / MU Patient Portal Requirements:
  o Secure Messaging
  o Patients Download Data
  o Reminders
  o Educational Materials
MU & Portal Security Myths
Source: The Office of the National Coordinator for Health Information Technology (ONC), 2014. http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide-chapter-2.pdf
HOW TO ADDRESS SECURITY REQUIREMENTS
Risk Assessment Process
There is no single prescriptive method that guarantees compliance with the Security Rule, but a typical security risk assessment includes the following steps:
o Assess risks: identify potential threats to the confidentiality, integrity and availability of ePHI.
o Respond to risks: create a Corrective Action Plan and prioritize remediation efforts.
o Monitor results: continuously monitor changes that may affect security controls and update the Corrective Action Plan.
Determination of Risk
o Relevant threats
o Internal and external vulnerabilities
o Degree of harm that may occur
o Likelihood that harm will occur
Corrective Action Plan
Inputs: degree of risk, threats & vulnerabilities, remediation priority
Each Corrective Action Plan item records:
o Start & end date
o Owner
o Milestones
Monitor Risks
o Key Performance Indicators
o Changes to systems and environment
o Compliance
o CAP progress
Sharing the Risk
o Third-party snafus are attributed for 41 percent of breaches.
o Over the past three years, the number of security incidents at companies attributed to partners and vendors has risen, from 20% in 2010 to 28% in 2012.
o 76% of data breaches analyzed by TrustWave resulted from a third party that introduced the security deficiencies that were ultimately exploited.
Technical Vulnerabilities
Identify potential vulnerabilities in the patient portal through technical testing, including:
o Application-level vulnerabilities
o Supporting infrastructure and platforms
o Web servers
o Databases
o Access and authentication
Assess against standards such as HITRUST and the Open Web Application Security Project (OWASP)
Conduct routine scanning to identify vulnerabilities over time
Source: OWASP, 2014. https://www.owasp.org/index.php/top_10_2013
Technical Vulnerabilities
Encryption Requirements
o Stage 2 of MU specifically requires addressing the encryption and security of data stored and transmitted via the certified EHR technology
o Verify encryption is in place and actively protecting ePHI
Encryption Solutions
o Encrypt data at rest, including in backups, laptops, and mobile devices
o Use Extended Validation (EV) SSL certificates to secure all transactions and communications on the portal and to visually indicate to visitors that the site is secure.
What to Look for in a Patient Portal Security Solution
Blake Sutherland
Trend Micro Security for Patient Portals
Patient Portal Landscape
Patient portal vendors: Epic MyChart, Cerner Patient Portal, RelayHealth Portal, McKesson My Care Plus, Intuit Health Portal, AllScripts Portal, eClinicalWorks Portal, Jardogs' FollowMyHealth, NextGen
Deployment models (diagram): a Third Party / Cloud Hosted Data Center and an On-Premise Data Center, each connecting the patient portal web app with EHR, Claims, Billing / Finance, Human Resources, Pharmacy, Lab, Home Health, Analytics and Medical Devices
Security for Patient Portals:
o Web site: DS for Web Apps
o Data: SecureCloud
o Data Center: Deep Security
o Advanced Threats: Deep Discovery
o Endpoints: OfficeScan, Email Encryption, InterScan Web Security, InterScan Messaging Security, ScanMail
Recommendation Reminder
You need a patient portal security approach that addresses:
o Routine risk assessment and corrective action tracking
o Comprehensive vulnerability detection
o Actionable insight on vulnerabilities for faster mitigation
o Security for your entire ecosystem, including the patient portal, data center, medical devices, end user devices and sensitive data
Trend Micro can help. Request your patient portal health check today! webappsecurity.trendmicro.com
Questions?
Thank you for your time
Contact Us
Brian Selfridge, Meditology Services: brian.selfridge@meditologyservices.com
Blake Sutherland, Trend Micro: Blake_sutherland@trendmicro.com
For more information visit webappsecurity.trendmicro.com
2014 Meditology Services, Atlanta, GA. All Rights Reserved