Sustainability of HIEs under CyberSecurity

Date post: 22-Jan-2018
Upload: william-buddy-gillespie-itil-certified
Sustainability of HIEs under Cyber Security The CERT Symposium on Cyber Security Incident Management for Health Information Exchanges Carnegie Mellon University's Posner Center Pittsburgh, Pennsylvania June 26, 2013
Page 1: Sustainability of HIEs under CyberSecurity

Sustainability of HIEs under Cyber Security

The CERT Symposium on Cyber Security Incident Management for Health Information Exchanges

Carnegie Mellon University's Posner Center

Pittsburgh, Pennsylvania

June 26, 2013

Page 2: Sustainability of HIEs under CyberSecurity

William “Buddy” Gillespie

Chair, Business, Health Outcomes & HIE Committee, PAeHI

Director of HealthCare Solutions

Distributed Systems Services (DSS)

Page 3: Sustainability of HIEs under CyberSecurity

Sustainability of HIEs under Cyber Security

Agenda

• HIE Overview

• The Problem

• Concerns/Trends/HIMSS Survey

• Guidelines

• Architecture

• Medical Devices/Robotic Surgery

• Best Practices

• Future

Page 4: Sustainability of HIEs under CyberSecurity

HIE - Seven Sustainability Strategies

1 • Innovative stakeholder negotiations

2 • Building the right relations with hospitals & payers

3 • Physician adoption as driver of sustainability

4 • Innovation to bring payers/providers together

5 • Innovative sources for fee income

6 • Stakeholders drive healthcare transformation

7 • Cyber Security Best Practice

Page 5: Sustainability of HIEs under CyberSecurity

Health Information Exchange

Services Provided

Majority Provide

• Clinical messaging and Inquiry (CCD)

• PH Dept. reportable conditions or Immunization Registry

Most Provide

• Had or planning eRX, orders, physician workflow tools

• Six of 11 had or were planning low-cost, Web-based certified EHRs that meet Meaningful Use

Unique Services

• INHS (WA) offers shared IT services to 38 hospitals plus majority of physicians; others use Virtual Private Network

• MiHIN Resource Services plans to implement 7 sub-state HIEs over 18 months.

Page 7: Sustainability of HIEs under CyberSecurity

HIE Cyber Security -The Problem

“Not only do medical EHR systems themselves pose security risks, but the movement towards making patient data available wherever they may access medical services, implemented through participation in health information exchanges (HIEs), exacerbates the level of risk by posing additional threat vulnerabilities. HIEs face funding challenges due to the fact that they lack clear-cut and profitable business models, and yet federal grants and deadlines maintain a level of time pressure for implementing these systems that do not allow for thorough considerations of security………..”

Doug Pollack, strategy officer at ID Experts, responsible for strategy and innovation including prevention analysis and response services. As a veteran in the technology industry, he has over 25 years of experience in computer systems, software, and security concerns focusing on creating successful new products in new emerging markets.

Page 9: Sustainability of HIEs under CyberSecurity

HIE Cyber Security -Comparing HIE Models & Cyber Security

Integrated delivery networks (IDNs)

• Organized by one Institution

• Hospital to connect its physicians & provider partners & ensures that hospitals and physicians can participate in Meaningful Use Incentive

• Costs are absorbed by Institution & Hospital vendors set up networks

• Examples: Pinnacle Health System and Doylestown Hospital

Community/Regional HIE

• Organized around one or more medical referral regions with a multi-stakeholder governing body

• Fees are paid by the stakeholders based on benefits received & startup funding coming from key stakeholders or outside funding sources (grants)

• Examples: Geisinger’s KeyHIE and UPMC’s HIE are blended IDN/Regional HIEs.

State-level HIE

• State geographic boundaries

• Responsible for addressing barriers to HIE adoption around privacy and security, standards, and legal issues with bordering states

• Funded by federal government to include state agencies such as Medicaid and Public Health

• Example: Designation of a state-level HIE in Pennsylvania

Page 10: Sustainability of HIEs under CyberSecurity

PAeHI Research Studies and White Papers

• Establishing widespread adoption of electronic health records and electronic prescribing in Pennsylvania (2008)

• Ensuring privacy and security of Health Information Exchange in Pennsylvania (2009)

• Building a Sustainable Model for Health Information Exchange in Pennsylvania (2009)

• Financing Research and Framework Development for a Health Information Exchange (2010)

paehi.org

Page 11: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –Internet Usage

• In 1995, 16 million users (0.4%)

• In 2010, 1.6 billion users (23.5%)

Page 12: Sustainability of HIEs under CyberSecurity

HIE Cyber Attack - Trends

• Increasing sophistication

• Decreasing costs

• Increasing attack frequency

• Difficulties in patching systems

• Increasing network connections, dependencies, and trust relationships

Page 13: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –Top Concerns

• Mobile Devices - BYOD

• Medical Devices/Robotic Surgery

• HIPAA & BAAs

• Internal & External Breaches

• Data Leakage

• Limits of Technology & Inadequate Security Systems

• Funding

• Patient’s Lack of Confidence

• Third Parties-Vendors

• Remote Connections

Page 19: Sustainability of HIEs under CyberSecurity

HIE Cyber Security -Concepts of Information Assurance

• Confidentiality (privacy)

• Integrity (quality, accuracy, relevance)

• Availability (accessibility)

Page 20: Sustainability of HIEs under CyberSecurity

HIE Cyber Security – ONC Guidelines

• New privacy and security guidelines--aimed at protecting the vast amount of healthcare information transmitted by state Health Information Exchanges--are now in place.

• HIEs are networks intended to help states manage the electronic exchange of health information among health care providers and hospitals within their states and across state lines.

• Privacy and security policies are required as a condition of accepting part of the $550 million federal grant money funding the development of state-based HIEs.

“The guidelines, issued by the Office of the National Coordinator for Health IT (ONC), provide a common set of "rules of the road" designed to build confidence in the system on both the provider and patient level”…….. ONC

Page 21: Sustainability of HIEs under CyberSecurity

HIE Cyber Security – ONC Guidelines

• Under the new guidelines, state HIE grantees are required to develop privacy and security policies to address each of the fair information practice principles as outlined by ONC.

• The principles include individual access to information; the right to correct errors; openness and transparency; collection, use and disclosure limitations; security safeguards; data quality and integrity; individual choice; and accountability.

Page 22: Sustainability of HIEs under CyberSecurity

HIE Cyber Security – ONC Guidelines

• The ONC also noted that there was no "one size fits all" approach when developing policy for HIEs.

– For example, some state HIEs merely serve as information conduits, ensuring the secure exchange of identifiable health information among health care providers, without accessing or storing any of that data. This type of HIE doesn't have to worry about data quality or providing individuals access to copies of their health information or to have errors corrected or noted.

– However, state HIEs that "store, assemble, or aggregate" identifiable health information are required to develop policies to address all of the fair information practices, including data quality, individual access and the right to correct errors.

Page 23: Sustainability of HIEs under CyberSecurity

HIE Cyber Security – ONC Guidelines

• If an HIE's current privacy and security policies don't comply with the new requirements and guidance, they have to be rewritten and a timeline for making those changes given to the ONC.

• The new requirements are consistent with the recommendations developed and issued by the Privacy and Security Tiger Team of the Federal Health IT Policy Committee.

Page 24: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –Privacy & Security Policies

• All of the information that passes through the HIE is password protected and encrypted at its source using state of the art tools to protect the transmission and security of the data.

• Access to the network is monitored and restricted to only those qualified medical professionals who have demonstrated a need to know the requested information.

Page 25: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –Security Architecture

• The secure exchange of electronic health information is important to the development of electronic health records (EHRs) and to the improvement of the U.S. healthcare system.

• While the U.S. healthcare system is widely recognized as one of the most clinically advanced in the world, costs continue to rise, and often preventable medical errors occur.

• Health information technology (HIT), especially the development of electronic health records for use in both inpatient and ambulatory care settings, has the potential for providing reliable access to health information and thereby improving the healthcare system. However, the prospect of storing, moving, and sharing health information in electronic formats raises new challenges on how to ensure that the data is adequately protected.

Page 26: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –NHIN Security Architecture

• Protecting electronic patient health information is crucial to developing systems and structures that support the exchange of that information among healthcare providers, payers, and consumers using Health Information Exchanges (HIEs).

• As noted in the Summary of the Nationwide Health Information Network (NHIN) report from the Office of the National Coordinator, "An important core competency of the HIE is to maintain a trusting and supportive relationship with the organizations that provide data to, and retrieve data from, one another through the HIE. The trust requirement is met through a combination of legal agreements, advocacy, and technology for ensuring meaningful information interchange in a way that has appropriate protections."

Page 27: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –NIST Security Architecture

• NIST published "Security Architecture Design Process for Health Information Exchanges (HIEs) (NISTIR 7497)" in September 2010, to provide a systematic approach to designing a technical security architecture for the exchange of health information that leverages common government and commercial practices and that demonstrates how these practices can be applied to the development of HIEs.

• The publication assists organizations in ensuring that data protection is adequately addressed throughout the system development life cycle, and that these data protection mechanisms are applied when the organization develops technologies that enable the exchange of health information.

Page 28: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –Security Architecture

• The operating model outlined in the NIST publication will help organizations that are implementing HIEs to:

– Understand major regulations and business drivers.

– Identify cross-organizational enabling services.

– Define supporting business processes (for each service).

– Develop notional architectures (as a blueprint to support services, processes, and the selection of technical solutions).

– Select technical solutions.

Page 29: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –Medical Devices/Robotic Surgery

• Summary of Problem and Scope:

– Many medical devices contain configurable embedded computer systems that can be vulnerable to cyber security breaches.

– In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of cyber security breaches, which could affect how a medical device operates.

Page 30: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –Medical Devices/Robotic Surgery

• General Principles

– Manufacturers should develop a set of security controls to assure medical device cyber security to maintain information confidentiality, integrity, and availability.

Page 31: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –Medical Devices - FDA

• On June 13, 2013, in response to increased reports of computer viruses and other cyber security breaches concerning medical devices and hospital networks, the Food and Drug Administration (FDA) issued a safety communication on cyber security for medical devices and hospital networks and a new draft guidance document, "Content of Premarket Submissions for Management of Cyber security in Medical Devices."

– As software has become increasingly prevalent in medical devices, allowing for more sophisticated uses and networked connectivity, the cyber security risks for these devices also have increased.

– Recognizing that these risks may impact device performance and safety, FDA clarified that device manufacturers are responsible for identifying and mitigating cyber security risks for their medical device products.

– Although the new draft guidance makes clear that FDA expects device manufacturers to evaluate and address these issues for new devices going forward, questions remain as to the extent of manufacturers' obligations for cyber security risks affecting older devices, particularly with respect to discontinued devices that are still in use but are no longer supported by a device manufacturer.

Page 32: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –Medical Devices - FDA

• Although FDA acknowledges that the extent of security controls will depend on the medical device, its use environment, and the risks presented to patients by a potential security breach, the draft guidance includes several general recommendations.

– Manufacturers are encouraged to justify, in their submissions, the security controls chosen, including the following:

• limiting access to trusted users only, particularly for life-sustaining devices or devices that could be directly connected to hospital networks;

• ensuring the trusted content of software by restricting software and firmware updates to authenticated code, using systematic procedures for authorized users to download the manufacturer's software and firmware, and ensuring secure data transfer to and from the device;

• using "fail safe" modes to maintain a device's critical functionality, even when the device's security has been compromised.

Page 33: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –Medical Devices - FDA

• FDA recommends that manufacturers include the following with their submissions:

– Hazard analysis, mitigations, and design considerations to identify and control cyber security risks; a traceability matrix linking actual cyber security controls to the risks considered;

– A systematic plan for providing validated updates and patches to operating systems or software to update the protections;

– Documentation to demonstrate that the device will be provided free of malware to purchasers and users; and

– Instructions for use and specifications related to antivirus software and/or firewall use appropriate for the device and its use environment.

Page 34: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –Medical Devices

• Cyber Security risk analysis and management plan as part of the risk analysis required by 21 CFR 820.30(g):

• Identification of assets, threats, and vulnerabilities;

• Impact assessment of the threats and vulnerabilities on device functionality;

• Assessment of the likelihood of a threat and of a vulnerability being exploited;

• Determination of risk levels and suitable mitigation strategies;

• Residual risk assessment and risk acceptance criteria.

Page 35: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –FDA Recommendations for HIEs

• Restricting unauthorized access to the network and networked medical devices.

• Making certain appropriate antivirus software and firewalls are up-to-date.

• Monitoring network activity for unauthorized use.

Page 36: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –FDA Recommendations for HIEs

• Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.

• Contacting the specific device manufacturer if you think you may have a cyber security problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution.

• Developing and evaluating strategies to maintain critical functionality during adverse conditions.

Page 38: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –ICS-CERT

• What is ICS-CERT?

– The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provides a control system security focus in collaboration with US-CERT to:

• Conduct vulnerability and malware analysis

• Provide onsite support for incident response and forensic analysis

• Provide situational awareness in the form of actionable intelligence

• Coordinate the responsible disclosure of vulnerabilities/mitigations

• Share and coordinate vulnerability information and threat analysis through information products and alerts.

Page 39: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –Best Practices

• Best Practices for Technology Environment

– Configuration Management

– Software Maintenance

– Operating Maintenance

• Mobile Device Management (BYOD)

• Security Culture

• Backup and DR

• Checklists and ITSM for all Elements

Page 40: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –Best Practices

• Passwords & Strong Authentication

• Anti-Virus Software

• Firewall(s)

• Controlled Access to PHI

• Controlled Physical Access

• Limit Network Access

• Plan for the Unexpected

Page 41: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –The Next Frontier

• Accountable Care Organizations (ACOs)

• Direct-HISPs

• Cloud Hosting

• Meaningful Use-Stage 2 and 3

• HIPAA Omnibus Bill

Page 42: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –Expert Opinion

Camilla Hull Brown, Principal, Strategies for Tomorrow, Inc. (sftvision.com)

“Cyber Security opens the doors for HIEs to cross geographic boundaries if they successfully address Security issues in the minds of users and participating organizations. Combined with data exchange standards, this has the potential for some HIEs to expand nationally establishing sustainability through volume. Private, local or regional HIEs can thrive by accessing additional data from the national HIEs while providing services tailored to the needs of the local system or region. Put remote devices in the hands of clinicians and patients, and the benefits can be exponential. It's the think global, act local concept”.

Page 43: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –Reference Sites

HHS Office for Civil Rights website (http://www.hhs.gov/ocr/privacy/hipaa/understanding/)

NIST 800 Series Special Publications (http://csrc.nist.gov/publications/PubsSPs.html)

In particular:

• NIST SP 800-36 Guide to Selecting Information Technology Security Products

• NIST SP 800-53 Recommended Security Controls for Federal Information Systems and Organizations

• NIST SP 800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

• NIST SP 800-88 Guidelines for Media Sanitization

• NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices

• NIST SP 800-114 User's Guide to Securing External Devices for Telework and Remote Access

• NIST SP 800-124 Guidelines on Cell Phone and PDA Security

Page 44: Sustainability of HIEs under CyberSecurity

HIE Cyber Security –Reference Sites

CYBER SECURITY Guide

The protection of data and systems in networks that connect to the Internet

10 Best Practices

http://nyehealth.org/wp-content/uploads/2012/07/ONC_Cyber-Security-Guide-V-1.0.pdf

Page 45: Sustainability of HIEs under CyberSecurity

Thank you

Healthcare Solutions & Overview

William “Buddy” Gillespie

www.dsscorp.com

Discussion

