Securing Health Data - Public Health Informatics Conference


Securing Health Data Melina Scotto CISSP, CISA, HCISPP Sr. Network Security Engineer NIH SRA International

Course Overview Securing Medical Data presents the history of medical data regulations, explains the technical details of the regulations from a network engineering perspective and develops a deep understanding of medical data risk management.

Training Audience
• Technical staff on healthcare networks
• Privacy Officers, privacy regulation enthusiasts
• Project Managers in the healthcare sector
• Clinicians (extensive technical background not required)

Introductions and Ice Breaker Write these words on the notecards at your table, one word per notecard: RISK, THREAT, EVENT. Connector words: exploits, causing.






Agenda Pre Lunch
• Introductions – Risk icebreaker
• General Healthcare IT environment knowledge baseline quiz (audience response clickers if possible)
• Healthcare Regulatory Environment – review the resource packet
• True stories from the field – health data security failures from the HHS "Wall of Shame" (the OCR breach portal)

Lunch Break

Agenda Post Lunch • Risk Management and Mitigation • Information Risk Assessment per NIST SP 800-30 Rev. 1: groups work in teams to apply appropriate technical controls to the stories from the field • HCISPP certification topics: third-party risk management, cloud computing and international health data standards



HIPAA Terms CFR - Code of Federal Regulations


HIPAA Terms HIPAA HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 Public Law 104-191 104th Congress An Act To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled…

HIPAA Terms HIPAA – Covered Entities (CE)

CE – Covered Entity BA – Business Associate

HIPAA Terms HIPAA – Business Associate (BA)

HIPAA Terms HITECH (ARRA) DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of the Secretary 45 CFR Part 160 RIN 0991–AB55 HIPAA Administrative Simplification: Enforcement AGENCY: Office of the Secretary, HHS. ACTION: Interim final rule; request for comments SUMMARY: The Secretary of the Department of Health and Human Services (HHS) adopts this interim final rule to conform the enforcement regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to the effective statutory revisions made pursuant to the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA).


HIPAA Terms PHI – Protected Health Information 18 Protected Identifiers (the Safe Harbor de-identification list)
• Names
• All geographic subdivisions smaller than a State, including street address, city, county, precinct, and their equivalent geocodes
• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code
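The identifier list above is what a de-identification or data-loss check has to look for before ePHI leaves a covered entity. The following is an added example, not code from the course or its author: a small scanner that finds and redacts the identifiers that have a recognisable syntactic shape (SSN, phone, e-mail, URL, IP address, dates) in free text, keeping only the year of each date as Safe Harbor permits. The sample clinical note is constructed, and the US-style SSN, phone and M/D/YYYY formats are assumptions. Names, geographic subdivisions, medical record and account numbers have no fixed shape, so the scanner is deliberately a partial check; the unmatched MRN in the sample shows that gap.

```python
import re

# Added example: a Safe Harbor identifier scan over free text.
# Only identifiers with a recognisable shape get a pattern (assumed US formats);
# names, addresses, MRNs, account numbers, biometrics and photos need a
# dictionary/NER pass or structured-field handling instead.
PATTERNS = {
    "url":   re.compile(r"https?://\S+", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Safe Harbor allows the year to remain, so the year is captured separately.
    "date":  re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?P<year>\d{4})\b"),
}

# Constructed sample note (fictional patient data).
NOTE = """Patient: John Q. Public, DOB 03/14/1960, MRN 0048213.
Admitted 01/02/2014, SSN 123-45-6789, phone (301) 555-0142, alt 301-555-0199.
Contact: jq.public@example.com; portal https://portal.example.org/p/0048213
Last login from 10.20.30.40. Discharged 01/05/2014."""


def scan(text):
    """Map identifier class -> list of raw matches; only classes that hit are present."""
    findings = {}
    for name, pat in PATTERNS.items():
        hits = [m.group(0) for m in pat.finditer(text)]
        if hits:
            findings[name] = hits
    return findings


def redact(text):
    """Replace each detected identifier with a class tag; dates keep only the year."""
    out = text
    for name, pat in PATTERNS.items():          # URL first so e-mail cannot chew into it
        if name == "date":
            out = pat.sub(lambda m: f"[DATE:{m.group('year')}]", out)
        else:
            out = pat.sub(f"[{name.upper()}]", out)
    return out


def is_safe_harbor_clean(text):
    """True when none of the pattern-detectable identifiers remain in the text."""
    return not scan(text)


if __name__ == "__main__":
    for cls, hits in scan(NOTE).items():
        print(f"{cls:<6} {hits}")
    print(redact(NOTE))
    # The MRN is still present after redaction: it needs a structured-field rule.
    print("clean:", is_safe_harbor_clean(redact(NOTE)))
```

Run it as-is to see the findings, the redacted note and the residual MRN that regexes cannot catch; in practice this check belongs in the export path (reports, research extracts, support tickets), not only on ad-hoc review.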

HIPAA Terms Location of ePHI EMRs Backups Mobile Devices such as laptops/tablets/cell phones Digital Copiers PC Hard Drives Embedded Flash devices Biomedical Devices

HIPAA Terms Privacy The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities" (generally, health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain transactions). Privacy is a right. The Privacy Rule covers written, printed and oral disclosures.

Security The Security Rule covers electronic PHI, or ePHI. With respect to HIPAA, the term security is used for the policies, mechanisms or systems that keep ePHI confidential, intact and available, using Administrative, Technical and Physical safeguards. Security is the mechanism that maintains privacy.

HIPAA Terms
HHS – US Department of Health and Human Services
ONC – Office of the National Coordinator for Health Information Technology
OCR – Office for Civil Rights
NIST – National Institute of Standards and Technology
CMS – Centers for Medicare and Medicaid Services

Quick Check-in…. True or False? Under HIPAA, Privacy ensures Security.

Recommended Resource. Herzig’s Information Security in Healthcare, Managing Risk

Introduction of Privacy by Sheila Searson

Medical Data Regulatory Environment Overlaps in medical organizations with other data security and privacy laws: Privacy Act of 1974, Computer Fraud and Abuse Act, Gramm-Leach-Bliley Act


HIPAA Breaches


California Department of Developmental Services, 2013. Stolen laptop and iPhone containing names, Social Security numbers, and other personal information. Laptop unencrypted. AFFECTED Over 18,000 patients. The program served disabled infants and toddlers.

HIPAA Breaches VIOLATION A Massachusetts General Hospital employee printed the records of 192 infectious disease patients before going on holiday and left the printed records on the Red Line public transit system.

OCR Settlement $1M

HIPAA Breaches VIOLATION Utah Department of Health confirmed that a server containing the protected health information (PHI) of some 780,000 patients had been actively hacked starting in March. Officials reported that the thieves had begun removing information from the server. Addresses, dates of birth, Social Security numbers, diagnosis codes, national provider identification numbers, billing codes and taxpayer identification numbers were all included on the server. OCR PENALTY Not yet assessed.

HIPAA Breaches VIOLATION Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. Affinity failed to incorporate copier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the hard drives to its leasing agents. OCR PENALTY $1.2M + Corrective Action Plan

HIPAA Breaches Corrective Action Plan
1. Within five (5) days of the Effective Date, AHP shall use its best efforts to retrieve all photocopier hard drives that were contained in photocopiers previously leased by AHP that remain in the possession of Canon Financial Services, and safeguard all EPHI contained therein from impermissible disclosure. If AHP cannot retrieve said hard drives, AHP shall provide OCR with documentation explaining its "best efforts" and the reason it was unable to retrieve said hard drives. If AHP retrieves said hard drives, AHP shall provide OCR written certification that it has completed the requirements specified in this paragraph. AHP's compliance with this corrective action will be based on the Region's review and approval of the documentation explaining why its efforts failed to retrieve the hard drives.
2. Within thirty (30) days of the Effective Date, AHP shall conduct a comprehensive risk analysis of the EPHI security risks and vulnerabilities that incorporates all electronic equipment and systems controlled, owned or leased by AHP. AHP shall also, within this time period, develop a plan to address and mitigate any security risks and vulnerabilities found in this analysis and, if necessary, revise its present policies and procedures. The plan and any revised policies and procedures shall be forwarded to OCR for its review consistent with paragraph 3 below.
3. OCR shall review and recommend changes to the plan and any revised policies and procedures specified in paragraph 2. Upon receiving OCR's recommended changes, AHP shall have thirty calendar days to provide a revised plan and any revised policies and procedures to OCR for review and approval. AHP shall implement the plan and distribute and train staff members on any revised policies and procedures within thirty (30) calendar days of OCR's approval.

HIPAA Breaches VIOLATION Cignet Health Care (Prince George's County, MD) denied 41 patients access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, each initiating an investigation. The HIPAA Privacy Rule requires that a covered entity provide a patient a copy of their medical records within 30 days of the request (one 30-day extension is allowed, so at most 60 days). OCR PENALTY $4.3 million. The fine for these violations alone was $1.3M; a further $3M was imposed for obstructing the HHS investigation. It is believed that Cignet failed to provide the requested records because it could not locate them. DOJ then opened an investigation into criminal fraud charges.

HIPAA Breaches VIOLATION TRICARE contractors had no encryption in place for backup tapes. Unencrypted tapes with the ePHI of 4.9M military clinic and hospital patients were stolen from the back of a car. OCR PENALTY Not yet assessed. CIVIL PENALTY 7 lawsuits are seeking $1000/record or $4.9B in damages.

HIPAA Breaches

Regulation Details
CFR – Code of Federal Regulations
HIPAA – Health Insurance Portability and Accountability Act
HITECH (ARRA) – Health Information Technology for Economic and Clinical Health Act
NIST – National Institute of Standards and Technology
MU – Meaningful Use

Lunch Break

Risk Assessment

Threat Threat Source: either the intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally exploit a vulnerability. Threat Event: an event or situation that has the potential for causing undesirable consequences or impact.

Threat Landscape Examples of threats:
• Fire
• Flood
• Power outage
• Snooping
• Theft
• Acts of war/terrorism


Vulnerability is a flaw or weakness in a system security procedure, design, implementation, or internal control that could result in a breach or violation.

Information Risk Assessment Where do threats attack a network?



Likelihood The likelihood of occurrence is a weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability (or set of vulnerabilities).


Adverse Impact An adverse impact is a failure of data availability, integrity or confidentiality.

Risk Definition

The probability that a particular threat will accidentally trigger or intentionally exploit a particular vulnerability.

Risk = Threats x Asset Value x Vulnerability

Risk Framing

Risk Management

Risk Management – Security Control Assessment

Risk Assessment Resources

Security Rule Toolkit

Security Rule Toolkit

Demo Security Rule Toolkit

NIST Risk Assessment Tools

Risk Assessment Tools

Risk Management – Cloud Data


We will break into small groups and complete mock risk assessments for our organizations based on true breach events. Discuss each event's threat source, likelihood, vulnerability and technical controls. Indicate the appropriate adverse impact. Finally, assess the risk in a qualitative table.

Risk Assessment Findings From Groups

Tell us a little about your breach and what technical controls you would recommend to reduce risk.


HCISPP Domains Include: 1. Healthcare Environment 2. Regulations 3. Privacy and Security in Health Care 4. Information Governance and Risk Management 5. Information Risk Assessment 6. Third Party Risk Management

HCISPP Study Resources
Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191, Title II, Subtitle F (Administrative Simplification), codified at 42 U.S.C. § 1320d et seq.
Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), Title XIII of ARRA, Pub. L. 111-5, §§ 13001–13424 (2009).
Information Commissioner's Office (2008). Data Protection Act 1998 – The Eighth Data Protection Principle and international data transfers.
National Health Service (2009). NHS Information Risk Management. London: Author.
Organisation for Economic Co-operation and Development (1980). OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Paris: Author.
Scholl, M., Stine, K., Hash, J., Bowen, P., Johnson, A., Smith, C. D., and Steinberg, D. I. (2008). NIST Special Publication 800-66 (Rev. 1), An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Gaithersburg, MD: National Institute of Standards and Technology.
Directive 95/46/EC (the EU Data Protection Directive, 1995).

HCISPP Study Outline International Privacy Regulations Safe Harbor Allows the transfer of EU personal data to the US for commerce without applying the full EU privacy measures. A participating company must follow the Safe Harbor Framework to provide "adequate" privacy. In effect since 2000 (though the EU is moving to revoke it).

HCISPP Study Outline International Privacy Regulations European Commission EU Privacy • Purpose of data collection • Relevance of collected data • Data storage limits • Access to collected data

HCISPP Know what SNOMED and HL7 are…

HCISPP Risk Equations

Total Risk = Threats × Asset Value × Vulnerability

Residual Risk = (Threats × Asset Value × Vulnerability) × control gap
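The two formulas above, the risk definitions earlier in the deck (threat source, threat event, vulnerability, likelihood, adverse impact) and the group exercise's qualitative table all fit in one small risk register. What follows is an added example written for this page, not code from the course or from NIST: it scores three constructed scenarios that paraphrase the deck's breach stories (stolen unencrypted laptop, copier hard drives returned to the lessor, unencrypted backup tapes) with the deck's numeric formula, computes the control gap as the product of (1 − effectiveness) over the controls applied, and in parallel assigns the qualitative level from a likelihood × impact matrix. The matrix is my transcription of NIST SP 800-30 Rev. 1 Table I-2 and should be checked against the publication; every rating and control-effectiveness figure is an assumption chosen for illustration.

```python
from dataclasses import dataclass, field

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Qualitative combination of likelihood (rows) and impact (columns) into a risk
# level, after NIST SP 800-30 Rev. 1 Table I-2 (transcription is an assumption;
# verify against the publication before using it in a real assessment).
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def qualitative_risk(likelihood, impact):
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


@dataclass
class Scenario:
    name: str
    threat_source: str
    threat_event: str
    vulnerability: str
    adverse_impact: str        # which of confidentiality / integrity / availability fails
    likelihood: str            # SP 800-30 level
    impact: str                # SP 800-30 level
    threat: int                # 1..5 ratings for the deck's numeric formula (assumed scale)
    asset_value: int
    vuln_severity: int
    controls: dict = field(default_factory=dict)   # control name -> effectiveness 0..1

    def total_risk(self):
        # Total Risk = Threats x Asset Value x Vulnerability
        return self.threat * self.asset_value * self.vuln_severity

    def control_gap(self):
        # Exposure left after controls; independent controls multiply.
        gap = 1.0
        for effectiveness in self.controls.values():
            gap *= 1.0 - effectiveness
        return gap

    def residual_risk(self):
        # Residual Risk = Total Risk x control gap
        return self.total_risk() * self.control_gap()

    def level(self):
        return qualitative_risk(self.likelihood, self.impact)


# Constructed scenarios paraphrasing the deck's breach stories; all ratings are assumptions.
SCENARIOS = [
    Scenario("Stolen unencrypted laptop", "Adversarial: thief",
             "Theft of a mobile device holding ePHI", "No full-disk encryption on laptops",
             "Confidentiality", "High", "High",
             threat=4, asset_value=4, vuln_severity=5,
             controls={"full-disk encryption": 0.9, "MDM remote wipe": 0.5}),
    Scenario("Leased copiers returned with hard drives", "Accidental: asset return process",
             "Storage media leaves the organisation unsanitised",
             "Copier hard drives missing from the risk analysis",
             "Confidentiality", "Moderate", "High",
             threat=3, asset_value=4, vuln_severity=4,
             controls={"media sanitisation before return": 0.95}),
    Scenario("Unencrypted backup tapes in transit", "Adversarial: thief",
             "Theft of backup media from a vehicle", "Backup tapes not encrypted",
             "Confidentiality", "Moderate", "Very High",
             threat=3, asset_value=5, vuln_severity=5,
             controls={"tape encryption": 0.9, "bonded courier with chain of custody": 0.6}),
]


def assess(scenarios):
    """Risk register rows sorted by residual risk, highest first."""
    rows = [{"name": s.name, "level": s.level(), "total": s.total_risk(),
             "residual": round(s.residual_risk(), 2)} for s in scenarios]
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


if __name__ == "__main__":
    for r in assess(SCENARIOS):
        print(f"{r['name']:<42} {r['level']:<9} total={r['total']:>3} residual={r['residual']}")
```

Running it prints the register with the laptop scenario on top even though its controls are the strongest, because the numeric formula weights the unmitigated exposure heavily; the qualitative column gives the answer an assessor would put in the group's table, and the two views disagreeing is exactly the discussion the exercise is meant to provoke.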

HCISPP Sample Questions from ISC2 Which layer of the OSI model is responsible for determining the best route through a network?
1) Network layer
2) Physical layer
3) Session layer
4) None of the above

HCISPP Sample Questions from ISC2 What is different about wireless networks versus wired networks?
1. A wireless network is constrained to a 1-meter radius versus a wired network that can span rooms or city blocks.
2. The OSI stack is different for a wireless network versus a wired network.
3. Wired networks use radio waves to communicate.
4. Wireless networks use radio waves to communicate.

HCISPP Sample Questions HL7 is mainly a _________________. 1. messaging standard 2. an XML variant 3. a programming language 4. None of the above

HCISPP Sample Questions What is the correct order of risk components? 1. Threat event, threat source, risk, likelihood, vulnerability 2. Vulnerability, adverse impact, threat event, likelihood, risk. 3. Likelihood, threat source, risk, vulnerability, threat event. 4. Threat source, threat event, vulnerability, adverse impact, risk

HCISPP Examination Details

Test sites at Pearson VUE – 125 questions Bring 2 types of ID Palm Print/Biometrics taken


Thank You

