FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES



The implications for privacy and security in the emergence of HIEs

The emergence of health information exchanges (HIEs) is widely expected to provide a range of important benefits for patients, physicians, and the healthcare industry as a whole. In an effort to foster the development of these exchanges and facilitate a move to electronic health records, the U.S. government passed the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. This legislation provides more than $48 billion in grants and loans to build a technology environment in which patients and providers can exchange information. But as with any electronic exchange, the privacy and security of the information being collected, used or disclosed is a critical consideration.

As part of the HITECH Act, many U.S. states have already taken advantage of the various financial incentives to implement statewide HIEs that offer new levels of functionality and services for patients and providers. For providers, HIEs offer the benefits of better connectivity to medical records, efficient delivery of results and improved continuity of care. For patients, HIEs will enable new services such as electronic prescription refill requests and the ability to view laboratory results, medical history, eligibility, and claims transactions over the Internet. Ultimately, the over-arching goal of instituting HIEs is to improve patient care and lower the overall cost of delivering healthcare services. But as HIEs open the healthcare industry up to new points of risk and exposure, it is imperative that privacy and security issues are adequately addressed from the outset.

HIE ARCHITECTURE MODELS

As organizations and states approach the nuts and bolts of how their HIEs will be built, they will likely select from three common architectural models:

Peer-to-Peer.
With no centralized database or hub to interact with other systems and databases, a peer-to-peer model can be implemented more quickly and cost-effectively than other models. Operationally, however, it may prove slow if queries need to be broadcast over a large system, and communication between systems can be difficult if no standards are established.

Centralized/Data Warehouse.
Because all data resides in a centralized database that is accessible to the querying system, the centralized or data warehouse model offers faster response times. However, the data itself may not always be accurate, because this model depends on participating systems to provide updated information. This opens the door to data duplication and other data management issues.

Federated/Hybrid.
With this model, participants maintain ownership of their data; rather than actual records, a central hub maintains only a master index of the information. This reduces the incidence of data duplication and other inconsistencies, and facilitates the implementation of privacy controls. If not implemented correctly, however, response times can be less than ideal.

In addition to the architectural model, the governance structure of the HIE will determine the privacy considerations that must be addressed. For example, with several state governments leading the effort to build HIEs, governance decisions may be made by the agency after consultation with stakeholders.

CHALLENGES TO BUILDING A SECURE HIE

Security has traditionally been designed to protect the network perimeter from unauthorized access. Yet, as more users require access to information and that access is extended over the Internet, the network boundaries are becoming less effective. As with any online portal or application, the same challenges to achieving secure web access must be addressed in building a secure health information exchange. Two of the biggest challenges to be addressed in the HIE design phase are how to effectively meet compliance requirements and how to ensure the privacy of patient information.

Regulatory compliance

The healthcare industry is fast becoming among the most regulated, particularly in terms of protecting patient information.
The time and cost to prove compliance and ensure ongoing adherence to regulatory requirements often pose a challenge. Most regulations today contain rules about securing web access across a number of areas, including data discovery and protection, access control, authentication, reporting and auditing. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires that measures be taken to protect against reasonably anticipated threats to the security and integrity of health information. This might include encrypting certain classes of highly sensitive data or requiring users with privileges to that data to validate their identity with two-factor authentication. In most cases, however, the regulations do not specify a particular strategy or technology for achieving compliance.

Privacy

Privacy is not just about securing protected health data. With information being shared within an HIE across disparate users and organizations, the fundamental issue of privacy extends to the collection, dissemination and use of personal information. Privacy concerns touch everyone from healthcare organizations to individual patients and strike at the core of the trust people place in the online environment. The Identity Theft Resource Center reports that there were nine times as many data breaches in healthcare as in financial services in 2012. But what is the real value of healthcare data? For a data thief, healthcare data is becoming an attractive target for a number of reasons:

- It is easy to steal. The portability and increased exchange of healthcare data has created another point for cybercriminals to gain unauthorized access.
- It is quality data. According to Javelin Strategy and Research, the volume and quality of data available within an HIE can be used to commit fraud and identity theft for four times longer than in other types of identity theft.
This doesn't even take into account the many other scams, such as medical identity theft, that can be perpetrated with stolen healthcare information.

- It increases the value of other stolen data. The personally identifiable information (PII) available in an HIE enhances the value of other data for sale by cybercriminals. Research at RSA's Anti-Fraud Command Center shows that a single credit card sells for around $1.50 on the black market. But when that data is sold with a full set of PII, the price jumps to about $15.

FIVE KEY CONSIDERATIONS FOR SECURING HIES

There are many issues that must be addressed in building a secure health information exchange. The five key considerations, framed as the questions that healthcare organizations and government agencies should be asking before they embark on such an effort, are:

1. How do I create a consolidated governance program that ensures privacy and security provisions across a number of regulations?
2. How do I centrally manage and control access privileges to protected health information for authorized users?
3. How do I verify that an individual who has been authorized and is requesting access to my HIE is who he or she claims to be?
4. How do I provide for continuous monitoring of the HIE environment to manage my risk and ensure compliance?
5. How do I control sensitive data, and what policies do I have in place to prevent patients' privacy from being compromised?

The following sections describe these five key considerations in greater detail and their importance in helping organizations develop a comprehensive framework for building a secure environment for the exchange of protected health information.

CONSIDERATION #1: CREATE A CONSOLIDATED GOVERNANCE PROGRAM TO ENSURE PRIVACY

The theft of personal information in the healthcare industry can lead to serious consequences for patients and have a direct effect on the quality of care.
Therefore, protecting patient privacy and securing sensitive information are activities that must be at the heart of risk management and compliance efforts and must be pushed upstairs to the level of governance. By creating a consolidated governance program, organizations create institution-wide visibility into how sensitive information is collected, where it is stored, who is accessing it, and how it is being used. This visibility enables executives to identify areas of chief concern and establish priorities for what actions need to be taken.

In securing an HIE environment within a governance framework, healthcare organizations could consider the following categories and questions for ensuring the privacy of patient information:

Governance and Accountability
- Does my organization have an assigned owner for the privacy program?
- Does the executive team understand the risks associated with privacy and the management of personal information?
- Is patient privacy viewed as a multi-disciplinary problem, and does my organization have the proper resources to meet the many different aspects of the issue?
- Is there an established process, with assigned responsibilities, for staying on top of privacy-related requirements such as new laws and regulations?

Policies, Standards and Procedures
- Does my organization have an enterprise approach defined for policy management?
- Are policies, standards and procedures communicated across the organization and easily accessible to the general employee population?
- Does my organization regularly review policies to ensure compliance with privacy and data protection requirements?
- Do policies and procedures address the full lifecycle of data management, including collection, dissemination, usage, storage, retention and disposal?

Education and Awareness
- Is there an established venue for my organization to communicate privacy requirements to employees?
- Is there a defined approach to employee training and education? Are privacy-related topics included in employee training?
- Is special training available for employees who deal with or process patient information on a daily basis?
- Are the expectations for the proper management of patient information communicated to contractors, vendors and others who have access to it?

Risk and Compliance Management
- Does my organization have a consistent method to identify instances of personal information?
- Does my organization have the proper data protection requirements in place for ensuring the privacy of patient information and for ensuring compliance?
- Does my organization understand the technical prerequisites for the use, transmission and storage of patient information?
- Are compliance efforts (audits, external assessments, etc.) aligned with the privacy program?

Breach Notification
- Is there a defined incident response program, including special provisions for any breaches involving patient information?
- Does my organization have an established process to deal with the liability, public relations and legal ramifications of a breach of patient information?

Elevating privacy to a strategic level and providing institution-wide visibility into privacy requirements allows organizations to be more efficient in defusing problems before they become true crises.

CONSIDERATION #2: CENTRALLY MANAGE AND CONTROL ACCESS PRIVILEGES TO PROTECTED HEALTH INFORMATION

As web access is extended to a number of different external user groups (patients, third-party providers, and researchers, each with their own unique access requirements and privileges), the number of network endpoints increases, which in turn increases the points of potential exposure. Organizations must anticipate this expanding set of threats and challenges, and initiate controls to mitigate risk at every possible point of vulnerability.

The first thing to ensure is that access privileges are granted only to those who need them, and that only the specific kinds of information they legitimately need to do their job are accessible to them. For example, an employee in the medical billing department does not require access to the same records a doctor or nurse would need to provide care to a patient. Furthermore, those with access privileges to patient information must be required to prove their identity before gaining access to critical systems and information. Access controls, therefore, must include both authentication (are users who they claim to be?) and authorization (what can users do once they gain access?).

The HIPAA Access Control 164.312(a)(1) requirement states that healthcare organizations must restrict access to information resources and allow access only to privileged entities. Given the large number of users, applications, and data records, healthcare organizations need a consistent framework for managing access control policy across multiple applications, ensuring that user privileges are up to date, and that access rights are granted in accordance with institutional policies. Indeed, a centralized, standards-based policy management and enforcement platform is essential to ensuring that access controls are truly effective and to helping the organization protect patient privacy, reduce risk, and maintain compliance. By removing security decisions from applications and creating a centralized access control administration policy platform, healthcare organizations can be sure that changes in policy or user status are reflected quickly, accurately and efficiently throughout the system.
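The centralized, least-privilege access control described above, as an added example that is not part of the paper or of any RSA product: one policy decision point that applications consult instead of embedding their own rules, with role entitlements (the billing clerk gets claims but not the clinical chart), an ownership check for patients, and an audit log of every decision. All role names, record classes and user identifiers are hypothetical.

```python
"""Centralized, least-privilege access policy for an HIE.

Added example (not code from the paper or from RSA): one policy decision
point that applications call instead of embedding their own access rules.
Roles map to the record classes they legitimately need, a patient sees only
their own records, and every decision is logged with its reason so that
denied requests can be audited. Role names, record classes and users are
hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical record classes held in the exchange.
CLINICAL = "clinical_record"
LAB = "lab_result"
CLAIMS = "claims_transaction"
DEMOGRAPHICS = "demographics"

# Role -> record classes needed for the job (least privilege). A billing
# clerk processes claims and needs demographics, but not the clinical chart.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "physician": frozenset({CLINICAL, LAB, DEMOGRAPHICS}),
    "nurse": frozenset({CLINICAL, LAB, DEMOGRAPHICS}),
    "billing_clerk": frozenset({CLAIMS, DEMOGRAPHICS}),
    "lab_technician": frozenset({LAB}),
    # Patients may view every class, but only their own records (see decide).
    "patient": frozenset({CLINICAL, LAB, CLAIMS, DEMOGRAPHICS}),
}

# (user, role, record_class, reason) as written to the audit log.
AuditEntry = Tuple[str, str, str, str]


@dataclass
class AccessRequest:
    user: str
    role: str
    record_class: str
    record_owner: str    # patient identifier the record belongs to
    authenticated: bool  # identity already verified by the authentication layer


@dataclass
class PolicyDecisionPoint:
    entitlements: Dict[str, FrozenSet[str]]
    audit_log: List[AuditEntry] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Private copy: policy changes go through set_entitlements() only.
        self.entitlements = dict(self.entitlements)

    def decide(self, req: AccessRequest) -> bool:
        """Return True if the request is allowed; log every decision."""
        if not req.authenticated:
            reason = "deny: identity not verified"
        elif req.role not in self.entitlements:
            reason = "deny: unknown role"
        elif req.record_class not in self.entitlements[req.role]:
            reason = "deny: role not entitled to record class"
        elif req.role == "patient" and req.record_owner != req.user:
            reason = "deny: patients may only view their own records"
        else:
            reason = "allow"
        self.audit_log.append((req.user, req.role, req.record_class, reason))
        return reason == "allow"

    def set_entitlements(self, role: str, classes: FrozenSet[str]) -> None:
        """Central policy change: takes effect for every application at once."""
        self.entitlements[role] = classes

    def denied(self) -> List[AuditEntry]:
        """Refused decisions from the audit log (input for monitoring)."""
        return [entry for entry in self.audit_log if entry[3] != "allow"]


def demo() -> List[AuditEntry]:
    """Run a few constructed requests and return the denied entries."""
    pdp = PolicyDecisionPoint(ROLE_ENTITLEMENTS)
    requests = [
        AccessRequest("dr_lee", "physician", CLINICAL, "pat_42", True),
        AccessRequest("clerk_01", "billing_clerk", CLAIMS, "pat_42", True),
        AccessRequest("clerk_01", "billing_clerk", CLINICAL, "pat_42", True),
        AccessRequest("pat_42", "patient", LAB, "pat_42", True),
        AccessRequest("pat_42", "patient", LAB, "pat_43", True),
        AccessRequest("dr_lee", "physician", CLINICAL, "pat_42", False),
    ]
    for req in requests:
        pdp.decide(req)
    return pdp.denied()
```

Because every application asks the same decision point, revoking a role or record class with set_entitlements() changes the answer everywhere at once, which is the point the paper makes about centralizing policy.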
And by combining provisioning with role-based access, organizations can reduce the complexity of user administration by mapping a potentially large number of users with related functions into a smaller number of well-defined IT accounts and entitlements.

CONSIDERATION #3: VERIFY USER IDENTITIES

Granting someone a passport gives that person certain rights and privileges, and the photo inside ensures that the person using the passport is the same person to whom it was issued. In the realm of web-based systems, there is no photographic evidence to verify a user's identity. Therefore, healthcare organizations must rely on authentication systems to validate a user's identity from the time access credentials are issued through the lifespan of a valid user's privileges. For new users, identity verification must be implemented as soon as they enroll in a new application or system or make a request to be issued credentials. For existing users, organizations must provide ongoing authentication controls for subsequent logins once the user has been initially verified.

In determining which authentication solution(s) will work best (they may vary for different classes of users and for the types of data or systems those users will be accessing), organizations must consider the following:

- Access methods to be used. Different users (physicians vs. patients, for example), their access rights (limited vs. unlimited), and their planned usage (restricted to certain times of the day and/or a specified length of time) will require authentication methods that best serve their needs and best protect the information they are trying to access.
- The demand for anywhere, anytime access. This is especially important for providers that may work across multiple locations. Their need to securely access patient information is critical to the quality of care.
- Control over the end-user environment.
A healthcare organization will have direct control over the individual machines within its environment used by providers and administrators accessing the HIE. However, it will not have that same level of control over a patient's machine that is accessing the same HIE. These limitations directly affect the kinds of authentication methods that can be deployed to each user population.

Because of these factors and others, a broadly functional authentication strategy is required to meet the needs of all user populations. Risk-based authentication, for example, is a flexible option that provides a means to authenticate users through device and network forensics, behavioral analysis and information taken from the end-user's computer itself. Today, some healthcare organizations are using risk-based authentication for physicians to secure access to patient data and for patients logging into healthcare portals.

CONSIDERATION #4: CONTINUOUSLY MONITOR THE HIE ENVIRONMENT

Compliance refers not only to the act of adhering to regulations but also to the ability to demonstrate and sustain that adherence, and not just to externally imposed laws and regulations, but to internal corporate policies and procedures as well. Managing compliance becomes increasingly difficult when faced with principle-based regulations, which focus on outcomes rather than checklists of requirements. In many cases, healthcare organizations are not told how to comply but rather what they have to achieve. The first thing they need to do is know what is going on at all times within all their systems.

Because healthcare delivery is a 24x7 proposition, organizations need real-time tracking and correlation of security events in order to respond quickly and appropriately to breaches of policy. Throughout any large healthcare organization, there can be millions of data-related activities and events occurring across multiple systems and applications every day. Having insight into those activities, by retaining access logs, deploying automated tools to monitor system events, and implementing controls that can send alerts at the first sign of a policy violation (for example, unauthorized access to a system), is essential to ensuring compliance with internal policies and external regulations.
To enable proper auditing of the data security infrastructure, organizations should implement a solution that automatically collects, manages, and analyzes event logs produced by each of the security systems, networking devices, operating systems, applications and storage platforms deployed throughout the IT environment. Organizations need a solution that not only facilitates the ability to meet the reporting mandates required by most regulations, but also provides insight into the risks that networks are exposed to by raising security alerts in real time. This enables organizations to respond more quickly and appropriately to threats and policy violations, whether they originate from an internal or external source.

CONSIDERATION #5: DISCOVER AND CONTROL HOW SENSITIVE DATA IS USED

From a security perspective, not all data is equally sensitive or in critical need of exceptional protection. Providing equal protection to all data regardless of its potential for risk is costly and inefficient, and hampers efforts to respond quickly and decisively to potential privacy breaches. Therefore, it is critical to ensuring privacy within an HIE that organizations determine which data is most sensitive or at highest risk of being targeted, and then define appropriate policies around that data. In order to accomplish this, organizations need to understand what data exists, how it is used, where it resides, and to what extent it is deemed sensitive. The answers may differ depending on the regulations in play and the departments in question. For example, the data that technicians rely on in the lab may be subject to different rules and policies than the data that the finance department needs to process medical claims.

Once the regulatory and corporate compliance universe is understood, healthcare organizations need to prioritize their data by grouping information into various classes of sensitivity and risk. Finally, after the data has been classified, policies must be defined, including which employees and applications are authorized to access this data and how, when, and from where they are allowed to access it.

The use of data loss prevention (DLP) technology within the HIE environment is a key consideration for preventing a breach of sensitive data. DLP technology allows policies to be attached to certain classes of data, governing how it can be used or handled. For example, users could receive a warning that they are in violation of policy if they attempt to send sensitive patient information outside the organization via e-mail (either as an attachment or as part of the body of the message), or if they try to download protected health data onto a memory stick or other external device. And because DLP technology does not assume that user actions are malicious, it can serve as an effective means to educate and raise awareness among employees about data security policies, while at the same time enforcing those policies to ensure privacy.

CONCLUSION

Securing access to health information exchanges is critical to assuring patient privacy, the quality of healthcare services and continuity of care. As healthcare organizations extend access to more users and enable information sharing across more applications and systems, a secure access strategy is essential. By applying these considerations and appropriate security technologies, healthcare organizations can effectively manage the risks to their sensitive information while realizing the numerous benefits of health information exchanges.

ABOUT RSA

RSA, The Security Division of EMC, is the premier provider of intelligence-driven security solutions. RSA helps the world's leading organizations solve their most complex and sensitive security challenges: managing organizational risk, safeguarding mobile access and collaboration, preventing online fraud, and defending against advanced threats. Combining agile controls for identity assurance, fraud detection, and data protection, robust Security Analytics and industry-leading GRC capabilities, and expert consulting and advisory services, RSA brings visibility and trust to millions of user identities, the data they create, the transactions they perform, and the IT infrastructure they rely on. For more information, please visit www.rsa.com and www.emc.com.

www.emc.com/rsa

EMC², EMC, RSA and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. 2011 EMC Corporation. All rights reserved. Published in the USA. HIESEC WP 0713