Privacy & Security - HIMSS365

Page 1

Privacy & Security LT5, March 5, 2018

Donna Doneski, NASL

Larry Wolf, MatrixCare

Page 2

Conflict of Interest

• Larry Wolf has no real or apparent conflicts of interest to report.

• Donna Doneski has no real or apparent conflicts of interest to report.

Page 3

Agenda

• Privacy, Confidentiality & Security

• LTPAC Regulatory Environment

• HIPAA, Information Sharing & Risk Analysis

• Role-based Security & Breaches

• Disaster Recovery & Business Continuity

• Best Practices

• Q&A

Page 4

Learning Objectives

• Describe key approaches taken by LTPAC provider organizations in the privacy and security of their IT systems

• Describe the organizational policies and procedures that include roles and responsibilities, to ensure confidentiality, integrity, and availability of data

• Summarize at least one lesson that LTPAC healthcare providers can learn from OCR-posted privacy breaches

• Describe how HIPAA supports information sharing

• Identify key CAHIMS privacy and security competencies

Page 5

Privacy & Security in LTPAC

• Intense focus on privacy and security, particularly as it relates to electronic patient records containing protected health information

• Many documented data breaches with a loss of public confidence

• Additional constraints for LTPAC

– More regulation than other healthcare providers

– Technology is often outsourced

– Limited IT-specific resources and workforce

Page 6

Privacy, Confidentiality & Security

• Privacy – Refers to the right of an individual to be left alone and to keep his or her personal information secret.

• Confidentiality – Relates to sharing information with a focus on sharing information on a “need to know” basis. The patient may share personal information with the physician, but the physician must keep that information confidential.

• Security – Refers to the mechanisms to assure the safety of data and the systems in which the data reside.

Page 7

Cyber Attacks – Part of Popular Culture

Page 8

LTPAC Regulatory Environment

• HIPAA & OCR

– Chief Privacy Officer requirements

• Survey & Certification, including Federal & State Survey Agencies

• Requirements of Participation

– Disaster Recovery… from a hurricane or from a cyber attack

– Resident Rights

– Quality & Staffing Reporting

Page 9

Outsourced Technology

• How to frame the relationship between health IT vendor and provider

– ONC Contract Resource

– BAA

• What the healthcare provider must cover

– Policies & procedures

– Workforce training

– Response to incidents, issues

– Self & External Audits

Page 10

The Stats Are Not In Your Favor

• 74% of physicians surveyed were most concerned that future attacks could interrupt their clinical practices

• More than 4 in 5 (83%) physicians have experienced some form of cyberattack – phishing being the most common type cited.

• 24% uptick in cyber attacks reported to HHS OCR in 2017

– 140 attacks in 2017 compared to 113 in 2016

• 89% increase in ransomware attacks from 2016 to 2017

– 25.7% of all reported major ransomware events affected 500+ individuals

• What’s the average number of days before a breach is detected?

– More than 200 days

Page 11

What Will It Cost?

CMS, OCR, OIG:

Don’t do anything stupid

ONC Security Risk Assessment https://www.healthit.gov/providers-professionals/security-risk-assessment-tool

Page 12

HIPAA & Risk Analysis

• HIPAA – The Health Insurance Portability & Accountability Act of 1996 and subsequent revisions

• Title II of HIPAA contains five rules pertaining to administrative simplification and privacy and security.

– Privacy Rule

– Security Rule

– Transaction Code Set Rule

– Unique Identifier Rule

– Enforcement Rule

Page 13

HIPAA & Information Sharing

• Don’t be a data blocker!

– 21st Century Cures Act penalty – up to $1 million per violation

• Agreements for sharing (BAAs)

• Permitted Uses

Page 14

Protected Health Information (PHI)

• All individually identifiable health information created, transmitted, received or maintained by a healthcare institution

– Identification of an individual

– Health condition

– Treatment

– Provision/payment for healthcare

Page 15

Examples of Identifying Information

• Name

• Address

• City

• County

• Names of relatives

• Names of employers

• Photographic images

• DOB

• Telephone number

• Fax number

• Email address

• Social Security #

• Medical record #

• Certificate/license

Patient matching is the first step to ensuring privacy. Data quality leads to care quality.

https://www.cms.gov/medicare/new-medicare-card/nmc-home.html

Page 16

Safeguards in HIPAA’s Security Rule

Administrative

Physical

Technical

Page 17

Examples of Administrative Safeguards

• Clearly defined roles and responsibilities for who can see what information

– “Minimum Necessary Rule”

• Documented policies including password policies

• Security awareness training

• Security risk assessment

• Privacy/Security Officer

Page 18

Physical Safeguards

• Examples

– Locking down computer

– Placement of computer relative to viewing by others

– Computer does not allow use of jump drives

– Physically securing the data center where servers are located

– Other strategies for theft prevention

Page 19

Technical Safeguards

• Firewalls

• Encryption – Transmission Security

• Audit trails

• Antivirus programs

• Use of passwords or other authentication methods

Page 20

Deidentified Information

• For research & analysis

• TEFCA

Page 21

Audit Control

• A log of each user and what is viewed and accessed in any given amount of time

• Evaluated for inappropriate access to function or information

• Can run automated reports looking for variance from expected patterns

Page 22

Data Integrity

• Requirements for maintaining data integrity

– Disaster Recovery

– Ensuring Data Validity

• Editing against list of values

• Required Fields

• Required Values

• Compliance with data standards
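As an added illustration of the data-validity checks listed on this slide (not code from the presenters or MatrixCare), the following Python validator applies required-field, required-value, list-of-values and date-standard checks to constructed resident records; the field names, code lists and date format are assumed.

```python
import re

# Assumed schema for a resident record (constructed sample, not a real LTPAC standard).
REQUIRED_FIELDS = {"resident_id", "dob", "admit_date", "payer"}   # must be present
REQUIRED_VALUES = {"resident_id", "admit_date"}                   # must also be non-empty
LIST_OF_VALUES = {                                                # edit against a code list
    "payer": {"MEDICARE", "MEDICAID", "PRIVATE"},
    "sex": {"M", "F", "U"},
}
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # the data standard assumed for dates

def validate_record(rec):
    """Return a list of integrity errors for one record; an empty list means it passes."""
    errors = []
    for f in sorted(REQUIRED_FIELDS - set(rec)):
        errors.append(f"missing required field: {f}")
    for f in sorted(REQUIRED_VALUES & set(rec)):
        if not str(rec[f]).strip():
            errors.append(f"required value is empty: {f}")
    for f, allowed in LIST_OF_VALUES.items():
        if rec.get(f) and rec[f] not in allowed:
            errors.append(f"value not in list of values: {f}={rec[f]!r}")
    for f in ("dob", "admit_date"):
        if rec.get(f) and not ISO_DATE.match(rec[f]):
            errors.append(f"value does not comply with the date standard: {f}={rec[f]!r}")
    return errors

def validate_batch(records):
    """Map each record's id to its error list so a data-quality report can be produced."""
    return {rec.get("resident_id") or "<no id>": validate_record(rec) for rec in records}

SAMPLE_RECORDS = [  # constructed sample input
    {"resident_id": "R-001", "dob": "1934-07-12", "admit_date": "2018-02-28", "payer": "MEDICARE", "sex": "F"},
    {"resident_id": "R-002", "dob": "07/12/1934", "admit_date": "", "payer": "SELFPAY"},
    {"dob": "1940-01-01", "payer": "MEDICAID"},
]
```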

Page 23

Role-Based Security

• The job a user has dictates what that user has the right to access and to disclose

• ONLY access information that is absolutely needed and that the user has the right to see

• Minimum necessary
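The audit-control slide (page 21) and the role-based security slide above describe one control loop: access is limited to what the role needs, every access is logged, and automated reports look for variance from expected patterns. The Python below is an added example of that loop, not the presenters' code; the roles, PHI sections, per-role expected volumes and log entries are all assumed or constructed.

```python
from collections import defaultdict

# Assumed role -> PHI sections each job actually needs (minimum necessary).
ROLE_PERMISSIONS = {
    "nurse": {"identification", "health_condition", "treatment"},
    "billing": {"identification", "payment"},
    "dietary": {"identification"},
}
# Assumed expected pattern: distinct residents a user in each role touches per day.
EXPECTED_RESIDENTS_PER_DAY = {"nurse": 20, "billing": 40, "dietary": 15}

def access_phi(log, ts, user, role, resident, section):
    """Role-based check; every attempt, allowed or denied, is written to the audit log."""
    allowed = section in ROLE_PERMISSIONS.get(role, set())
    log.append((ts, user, role, resident, section, "ALLOW" if allowed else "DENY"))
    return allowed

def variance_report(log, expected=EXPECTED_RESIDENTS_PER_DAY, denial_limit=1):
    """Automated review of the audit log for variance from the expected pattern:
    more distinct residents viewed in a day than the role normally needs, or repeated denials."""
    per_day = defaultdict(set)  # (user, day) -> residents viewed
    denials = defaultdict(int)  # user -> denied attempts
    roles = {}
    for ts, user, role, resident, _section, outcome in log:
        roles[user] = role
        if outcome == "DENY":
            denials[user] += 1
        else:
            per_day[(user, ts[:10])].add(resident)  # ISO 8601 timestamp: first 10 chars are the date
    findings = []
    for (user, day), residents in per_day.items():
        limit = expected.get(roles[user], 0)  # unknown role: any access is a variance
        if len(residents) > limit:
            findings.append(f"{user} ({roles[user]}) viewed {len(residents)} residents on {day}, expected <= {limit}")
    for user, n in denials.items():
        if n > denial_limit:
            findings.append(f"{user} ({roles[user]}) had {n} denied access attempts")
    return sorted(findings)

def demo_log():
    """Constructed sample activity for one day, not real data."""
    log = []
    access_phi(log, "2018-03-05T08:00", "nurse1", "nurse", "R-001", "treatment")
    access_phi(log, "2018-03-05T09:00", "bill1", "billing", "R-001", "payment")
    access_phi(log, "2018-03-05T09:01", "bill1", "billing", "R-001", "treatment")  # denied: not needed for billing
    access_phi(log, "2018-03-05T09:02", "bill1", "billing", "R-002", "treatment")  # denied again
    for i in range(30):  # dietary aide browsing far more residents than the job requires
        access_phi(log, "2018-03-05T10:00", "diet1", "dietary", f"R-{i:03d}", "identification")
    return log
```

Running `variance_report(demo_log())` flags the billing user's repeated denials and the dietary user's unusual browsing volume, while the nurse's normal activity produces no finding.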

Page 24

Types of Hacking

• The “Inside Job” – Employee initiated

• Social Engineering – Tricking an employee into releasing information

• Brute Force – Identifies a server and attempts to break into the system from the administrator account using specialized utilities to make endless password attempts.

• Eavesdropping – “Sniffing” or “snooping” on network communication that is in an unsecured or “clear text” format. Use of encryption mitigates this risk.

• Data Modification – Data is modified in the packet, which can lead to erasure or corrupted data.

Page 25

More Types of Hacking

• Identity Spoofing – Attacker assumes a computer’s IP address.

• Password-based Attack – Weak passwords or having only one method of authentication increase this risk.

• Application Layer Attack – This attack targets application servers, causing a fault in a server’s operating system or applications. Once the server is compromised, the attacker can bypass normal access controls.

• Distributed Denial of Service (DDoS) Attack – This attack saturates the servers with requests for response using a very large number of devices.

• Ransomware Attack – This attack encrypts a server’s or application’s data, making it unavailable for normal operations.

Page 26

Best Practices

• Employee training and awareness

• Proactive testing (e.g., staff reaction to phishing attempts)

• Use of strong passwords

• Use of a “standby mode” or “screen lock” when clinical users leave a screen with PHI

• Restricted download of aggregate patient data to end-user devices (hard drives, flash drives, other media) & encryption of all media

• Use of an Intrusion Detection System

• Proactive auditing

Page 27

Disaster Recovery & Business Continuity

• Mind set: Keep operations running in the face of all hazards.

• Plan outlines how the system can be returned to operating status in the event of a catastrophic failure.

• Can be complex in a large healthcare organization because of the numbers of individual systems.

• Implement hosted solutions to ensure that system services and data can be accessed when the primary care or data centers are inaccessible.

• Test your continuity plan in advance of disasters.

Page 28

Risk Management Plan

Risk analysis or assessment

Strategy for database backup

Secure storage of data

Data restore plan

System & network restore plan

Critical incident response plan

Software inventory

Workforce & operational response plan

Hardware inventory

Logs

Page 29

Good Things to Know

• National Cybersecurity & Communications Integration Center: https://www.us-cert.gov/nccic

• HHS Cybersecurity Guidance – HIPAA for Professionals: https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html

• Department of Homeland Security: https://www.dhs.gov/topic/cybersecurity

• Healthcare/Public Health Critical Infrastructure / Disaster Preparedness: https://www.phe.gov/preparedness/planning/cip/Pages/default.aspx

Page 30

Summary – It’s not if, it’s when.

• Systems must meet requirements for privacy and security and maintain the confidentiality and security of patient data

• HIPAA regulations outline requirements for privacy and security, including administrative, technical, and physical controls.

• Health IT professionals should

– Conduct regular, system-wide audits;

– Review security policies and procedures on an ongoing basis;

– Develop and maintain recovery and business continuity plans in the event of natural disasters.

• Just like you practice for disaster recovery, you have to practice for cybersecurity.

Page 31

Questions

• Donna Doneski, NASL, [email protected], @NASLdc

• Larry Wolf, MatrixCare, [email protected]