HCCA Clinical Practice Compliance Conference
October 23‐25, 2016
1
IT SECURITY AND COMPLIANCE IN THE AGE OF THE EHR
Phillip F. Bressoud, MD, FACP
Associate Professor of Medicine
University of Louisville
October 25, 2016
Objectives
• Understand security regulations and risks of electronic records
• Understand the security threats facing electronic records
• Understand emerging security threats
• Understand challenges facing EHRs
Outline
• Origin of Medical Records
• Security Requirements
• Security Risk Assessment
• Regulatory Pressures
• Internal vs External Threats
• Emerging Threats
• Challenges
• Summary
KEEP CALM AND PREPARE
ORIGIN OF THE MEDICAL RECORD
In The Beginning: Richard Napier, Simon Forman
In The Beginning
Regulatory Snowball
Regulatory Pressures
• Health Insurance Portability & Accountability Act (HIPAA)
• HITECH
• NIH Data Sharing Policy
• NIH Genome Wide Association Study Data Sharing Policy
• MACRA
• MIPS
• State-specific laws and regulations
Health Insurance Portability and Accountability Act - HIPAA
• The HIPAA Privacy Rule provides federal protections for individually identifiable health information
• HIPAA applies to “PHI” (Protected Health Information): information that identifies whom the health-related information belongs to - names, email addresses, phone numbers, medical record numbers, photos, driver's license numbers, etc.
• If you have something that can identify a person together with health information of any kind (from an appointment, to a list of prescriptions, to test results, to a list of doctors), you have PHI that needs to be protected per HIPAA.
• ePHI is merely PHI that is stored or transmitted electronically (e.g. via email, text message, web site, database, online document storage, fax, etc.).
HIPAA Applies to Everyone Touching PHI
• Applies to:
• Health plans
• Health care clearinghouses
• Health care providers
• HITECH extends HIPAA requirements to Business Associates of Covered Entities.
• Even law firms need to comply with HIPAA where they come into contact with PHI.
Security Risk Assessment
• Required as part of HITECH
• Physical component
• Administrative component
• Technical component
Security Risk Assessment
• Physical component
  • Locks
  • Peep holes
  • Cameras
  • Hardware locked down
  • USB/ports physically blocked
Security Risk Assessment
• Administrative policies
  • Password policies
  • Encryption policies
  • User management
  • Access appropriate for user
Security Risk Assessment
• Technical component
  • Anti-virus and anti-malware
  • Intrusion detection software
  • DDoS attack detection
  • Disaster recovery
  • Access control
  • Data backup
HIPAA Enforcement by HHS and OCR
• Health and Human Services
  • Since April 2003, 137,770 HIPAA complaints
  • Conducted 885 compliance reviews
• OCR
  • Investigated 24,331 cases
  • Settled 37 cases for $39.9 million
  • 11,055 cases: no violation occurred
  • Additional 14,535 cases: provided technical assistance
Largest HIPAA Fines “Wall of Shame”

Organization    | Year | Records   | Root Cause                                                                  | Fine ($ million)
Advocate Health | 2013 | 4 x 10^6  | Stolen laptops x 2; BA network breach                                       | 5.55
NYPH/Columbia   | 2010 | Unknown   | Technical failure led to patient information being available through search engines | 4.8
Cignet Health   | 2010 | 41        | Denied 41 pts access to chart; $3.0 million penalty                         | 4.3
Triple-S        | 2013 | 13,336    | Displayed Medicare claim number on brochure; lack of security measures      | 3.5
UMMC            | 2013 | 10,000    | Missing password-protected laptop; failure to notify pts; no risk management | 2.75
Oregon HSU      | 2013 | 7,000     | Unencrypted laptop; Google Drive                                            | 2.7
CVS             | 2009 | -         | Disposing pill bottles in dumpster                                          | 2.25
NYPH            | 2011 | 2+        | Filmed TV show NY Med with consent                                          | 2.2
Concentra       | 2012 | 148       | Unencrypted laptop                                                          | 1.7
Wellpoint       | 2010 | 612,000   | Lack of policies and technical safeguards                                   | 1.7

Source: Health IT and CIO Review, August 10, 2016
The Threats
• 80% internal
• 20% external
INTERNAL THREATS
Employees Greatest Risk
“81% had a root cause in employee negligence.”
- Michael Bruemmer, VP of Consumer Protection at Experian
Common Ways Employees Compromise Data
• Disgruntled employees
• Weak user ID policies
• Poor password practices
• Weak access policies
• Unsafe downloads
• Phishing and social engineering
• Unprotected data and email
• Theft

Common Ways Employees Compromise Data: Insider Malice Prevention
• Most incidents happen within 30 days before or after the employee's last day.
• Prevention
  • Limit access as soon as the employee is leaving the facility—not after
  • Block access to USB drives and CD burners
Common Ways Employees Compromise Data: Weak Access Policies
• Employee has more access than necessary
• Prevention
  • Develop strict access policies
  • Revoke access as soon as the employee no longer needs it
  • Make folders inaccessible by default
Common Ways Employees Compromise Data: Unsafe Downloads
• Employee downloads infected email attachments, screen savers, web files
• Prevention
  • Active virus scanning and data backup
  • Web site blocking
  • Employee training
Common Ways Employees Compromise Data: Unprotected Data and Emails
• Lack of data and/or email encryption
• Prevention
  • Require encryption for email and data
  • Education
  • Encrypt laptops, USB drives, etc.
Most Common Ways Employees Compromise Data Security: Poor Password Policies
Rank 2016 2015 2014
#1 123456 123456 123456
#2 password password password
#3 12345678 12345 12345678
#4 qwerty 12345678 qwerty
#5 12345 qwerty abc123
#6 123456789 1234567890 123456789
#7 football 1234 1111111
#8 1234 baseball 1234567
#9 1234567 dragon iloveyou
#10 baseball football adobe123
Password Strength

Password Characteristics | Password Length | Password Strength | Time to Break Password
All lower case           | 6               | Weak              | < 10 min
Upper and lower case     | 6               | Better            | 10 hrs
Upper, lower and symbols | 6               | Best              | 18 days
Common Ways Employees Compromise Data: Poor Password Policies
• Easily hacked passwords
• Prevention
  • Passwords should preferably be 9 characters or more
  • Require a combination of letters, numbers and symbols
  • New password cannot match a previously used password
  • Frequent password changes
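To make the two password slides (the Password Strength table and the policy above) concrete, the following is an added Python example; it is not part of the presentation. It checks a candidate password against the listed policy (length of 9 or more, letters plus numbers plus symbols, no reuse of a previous password, and additionally the slide's 2016 "worst passwords" list) and sizes the search space behind the three rows of the strength table. Assumptions not taken from the slides: previous passwords are compared as salted PBKDF2 hashes rather than plaintext, the "upper, lower and symbols" row is treated as letters, digits and all 32 ASCII symbols (94 characters), and the guess rate of 500,000 per second is an illustrative constant.

```python
"""Added example: enforce the slide's password policy and size the search space.

Assumptions (not from the slides): previous passwords are stored as salted
PBKDF2 hashes; the common-password list is the slide's 2016 top 10; the guess
rate used for the timing estimate is an illustrative constant.
"""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 9            # slide: "preferably 9 characters or more"
PBKDF2_ROUNDS = 100_000   # work factor for stored password hashes (assumed)

# The slide's 2016 "worst passwords" top 10, used as a deny-list.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "football", "1234", "1234567", "baseball",
})

# Character-set sizes for the slide's three Password Strength rows. The third
# row is taken as letters + digits + all ASCII symbols (94); this is an assumption.
CHARSET_SIZES = {
    "all lower case": len(string.ascii_lowercase),                        # 26
    "upper and lower case": len(string.ascii_letters),                    # 52
    "upper, lower and symbols": (len(string.ascii_letters)
                                 + len(string.digits)
                                 + len(string.punctuation)),              # 94
}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 of a password; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password_policy(candidate, previous_hashes=()):
    """Return the list of policy violations; an empty list means the password passes.

    previous_hashes is an iterable of (salt, digest) pairs from hash_password(),
    so the reuse check never needs the old passwords in plaintext.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_symbol = any(c in string.punctuation for c in candidate)
    if not (has_letter and has_digit and has_symbol):
        problems.append("must combine letters, numbers and symbols")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    for salt, digest in previous_hashes:
        # Re-derive with the stored salt and compare in constant time.
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append("matches a previously used password")
            break
    return problems


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly this length over the character set."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try every password in the keyspace at a given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def strength_table(length=6, guesses_per_second=500_000):
    """Rows of (label, keyspace, seconds) for the slide's three character sets."""
    return [(label, keyspace(n, length), seconds_to_exhaust(n, length, guesses_per_second))
            for label, n in CHARSET_SIZES.items()]


if __name__ == "__main__":
    salt, digest = hash_password("Old-Passw0rd!")   # constructed previous password
    for pw in ("123456", "Old-Passw0rd!", "Tr0ub4dor&3xample"):
        print(f"{pw!r}: {check_password_policy(pw, [(salt, digest)]) or 'OK'}")
    for label, space, secs in strength_table():
        print(f"{label:26} {space:>16,d} combinations  ~{secs / 86400:8.2f} days")
    # Length beats character mixing: 9 lowercase letters exceed 6 mixed characters.
    print(keyspace(26, 9) > keyspace(94, 6))
```

At the assumed 500,000 guesses per second the three 6-character keyspaces take about 10 minutes, 11 hours and 16 days to exhaust, which is close to the slide's 10 minutes, 10 hours and 18 days. The last line makes the point behind the 9-character recommendation: 26^9 is larger than 94^6, so adding length does more for the search space than adding symbol classes at a fixed length.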
EXTERNAL THREATS
Types of External Threats
• Viruses
• Malware
• Phishing
• Social engineering
• Ransomware
• DDoS attacks
Internet Attack Map
Who’s knocking at your door? (attack map: Brazil, Italy, China)
Phishing and Social Engineering
• Phishing
  • Phone calls—callers state they are from IT updating software, etc.
  • “Spear phishing”: focused phishing targeting specific users—Chase credit cards, specific activity
• Prevention
  • Employee training
  • Password requests should be routed through IT
Social Engineering
Social Engineering in 2 minutes or less
Distributed Denial of Service (DDoS)
Hacktivists
Contractors/Vendors
• Orthopedic group fined after hiring a contractor to dispose of x-ray films
• Contracted claims processor hired a subcontractor to work claims on the physician's practice management system without a BAA.
• Copy machine vendor replaces the networked fax/copier/printer, but the practice doesn't have a BAA and/or doesn't clear the hard drive before sending the old machine back to the company
DEVELOPING THREATS
Developing Threats: Ransomware
Developing Threats: Exploiting Data Packets
Texting Orders
JCAHO Approves Texting Orders
• Secure sign-on process
• Encrypted messaging
• Delivery and read receipts
• Date and time stamp
• Customized message retention time frames
• Specified contact list for individuals authorized to receive and record orders
National Security Agency
• NSA recently found out that hackers have posted several espionage tools online:
  • Epicbanana
  • Buzzdirection
  • Egregiousblunder
WHY TARGET ELECTRONIC MEDICAL RECORDS
Reasons to Attack Healthcare
• Lots and lots of data, including personal and financial
• Rapid expansion of electronic documentation has created new systems to attack
• Large, complicated networks with lots of access points and weak security
• Unique, complex sets of personal data to create new identities
• Hospitals and healthcare systems are willing to pay to get their systems back online
Why Hackers Want Medical Records
• Initially stolen data goes “dark” before resurfacing in different variations.
• “Fullz” is the complete record: demographics, financial, etc.
• “Fullz” versions then go onto the dark web, looking for a DOX vendor to create counterfeit passports, driver's licenses, social security cards
• Worth about $1500 to $2000
• May be years before they are used
• These are often used for illegal immigration, pedophilia, launching more social engineering attacks.
Feeling the Pressure?
Meanwhile We’re Practicing Medicine
• We have added 2 hours to a clinician's day with EHRs
• What goes in isn't always what comes out
• Legal vs clinical medical record
• Internet-dependent resources
• Downtime procedures
Summary
• Most data security issues result from inside your organization
• Training, training, training
• Ensure policies are developed, implemented and enforced
• Web site filtering, anti-virus/malware, intrusion detection
• Drills
Summary
Manage external threats
• Web site filtering, anti-virus/malware, intrusion detection
• Disaster recovery exercises
• Staff training in social engineering
• Stay up on emerging trends
• Downtime processes
• Backup procedures
KEEP CALM AND PREPARE