Information Security in Healthcare
- a perspective on EMR Security

Presented by: Madhav Chablani
@ IIHMR, New Delhi – Feb 12, 2012

TippingEdge Consulting Pvt. Ltd.
Independent Risk & Business Consulting
Information Systems Audit and Assurance Advisory
Enterprise Architecture and Integration Advisory
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
Recurring Issues


• The need for an overall standard in medical / clinical terminology
• The need for data privacy, security and confidentiality
• The challenges of data entry by physicians
• The difficulties of integrating EMRs within the health care setting




Premise @ US



       • To encourage adoption of electronic health record (EHR) technology, the
         Health Information Technology for Economic and Clinical Health (HITECH)
         Act portion of the US American Recovery and Reinvestment Act (ARRA) of
         2009 includes financial incentives for health care providers and professionals
         who can demonstrate “meaningful use” of electronic health records.
       • While meaningful use measures cover a wide range of functional and
         technical capabilities, there is only one measure related to security and
         privacy:
       • Organizations implementing EHR technology must “conduct or review a
         security risk analysis…and implement security updates as necessary,”
         something they are already required to do under the US Health Insurance
         Portability and Accountability Act (HIPAA) Security Rule.
       • The fact that this measure is already an obligation under HIPAA should make
         it easy to satisfy, but many health care organizations are not prepared to
         comply.



HITECH: How the Pieces Fit Together

[Diagram: HITECH programs feeding three pillars, leading to outcomes]
– Programs: Regional Extension Centers; Workforce Training; Medicare and Medicaid Incentives and Penalties; State Grants for Health Information Exchange; Standards & Certification Framework; Privacy & Security Framework; Health IT Practice Research
– Pillars: ADOPTION; MEANINGFUL USE; EXCHANGE
– Outcomes: Improved Individual & Population Health Outcomes; Increased Transparency & Efficiency; Improved Ability to Study & Improve Care Delivery

“MEANINGFUL USE”


• Hospitals can’t just buy a system
• Have to implement and use it “meaningfully”
• Three phases, increasing test requirements: 2011, 2013, 2015
• Some examples
      – Stage 1 – 23 criteria, self-attestation
            • Record vital signs: Ht, Wt, BP, BMI
      – Stage 2 – not finalized, will require third-party certification
            • Record clinical documentation
      – Stage 3 – still vague
            • Real-time surveillance, clinical dashboards, safety, efficiency




STATE HEALTH INFORMATION EXCHANGE
THE BEACON COMMUNITY PROGRAM
NHIN

Visit the ONC Web site: healthit.hhs.gov




Where are we @ India



Terms of Reference of the Committee - Sept. 2010

1. Objective
• The objective of the said Committee will be to recommend a set of EMR Standards for India to be followed by both public and private healthcare providers, implementation of the standards, procedure for dissemination and the procedure for continuous updation of the standards.




2. Scope
• The standards to be developed will include the following:
      – Diagnosis coding
      – Procedure coding
      – Laboratory coding
      – Clinical Standards
• EDI (Electronic Data Interchange) including
      – Data flow across hospitals
      – Integration with Telemedicine program
      – Integration with National Administrative Labs for data analysis
      – Middleware for interpreting with proprietary system
• Standards for Continuity of Care Records which include administrative, demographic and clinical information
• Common drug codes
• Guidelines to meet standards set by organizations such as CCHIT, NABH, JCAHO, Meaningful Use etc.
• Standards for interoperability both in terms of hardware and software
• Security protocols for information security
• Data privacy
• Legal compliance
• Standard formats/templates for clinical information capture including preparation of a data dictionary
• As a part of its activities towards the above, the committee will, among other things:
      – Study the existing standards prevalent in the developed countries
      – Adopt, as far as possible, standards such as ICD 10, HL7, DICOM, LOINC and CPT, wholly or partly as applicable in the Indian environment.
      – Study the work done by the Task Force on Tele Medicine commissioned by the Ministry of Health and Family Welfare in the year 2007.
      – Study and recommend coding procedures for coding of hospitals, healthcare providers, healthcare professionals, drug manufacturers, healthcare providers and insurance companies.
      – Develop Standards for reporting
      – Study guiding standards such as WHO standards for interoperability


3. Deliverables
• Draft set of Indian EMR Standards and guidelines.
• Organize the workshop with a broad set of stakeholders to deliberate on draft EMR standards and guidelines
• Create subcommittees for adoption / implementation of standards

4. Schedule
• All activities are to be completed in a timeframe of six months from the date of issue of the OM. The Committee may submit an interim report within 2-3 months.

5. Resources and Budget allocation
• MoHFW will provide the requisite resources and budget to the Committee for completing the activities.

NABH Requirements




Guidance on Risk Assessment



• NIST Special Publication 800-30.
• The ISO/IEC 27000 series of international standards covers risk assessment and risk management for information systems, particularly in ISO/IEC 27005 and the risk assessment section of ISO/IEC 27002.
• Enterprise-level perspectives on assessing and managing risk can find relevant guidance in ISO 31000, within major IT governance frameworks such as ISACA’s Risk IT: Based on COBIT, or in the risk management section of the Information Technology Infrastructure Library (ITIL).


ISO 27799:2008
Health informatics -- Information security management in health using ISO/IEC 27002


        • ISO 27799:2008 defines guidelines to support the interpretation and
          implementation in health informatics of ISO/IEC 27002 and is a companion to
          that standard.
        • ISO 27799:2008 specifies a set of detailed controls for managing health
          information security and provides health information security best practice
          guidelines. By implementing this International Standard, healthcare
          organizations and other custodians of health information will be able to
          ensure a minimum requisite level of security that is appropriate to their
          organization's circumstances and that will maintain the confidentiality,
          integrity and availability of personal health information.
        • ISO 27799:2008 applies to health information in all its aspects; whatever
          form the information takes (words and numbers, sound recordings, drawings,
          video and medical images), whatever means are used to store it (printing or
          writing on paper or electronic storage) and whatever means are used to
          transmit it (by hand, via fax, over computer networks or by post), as the
          information must always be appropriately protected.




• The confidentiality of personal health information is
  often largely subjective, rather than objective. In
  other words, only the data subject (i.e., the subject of
  care) can make a proper determination of the relative
  confidentiality of various fields or groupings of data. For
  example, a person escaping from an abusive
  relationship may consider his/her new address and
  phone number to be much more confidential than
  clinical data about setting his/her broken arm.
• The confidentiality of personal health information is
  context-dependent. For example, the name and
  address of a subject of care in a list of admissions to a
  hospital’s emergency department may not be
  considered especially confidential by that individual, yet
  the same name and address in a list of admissions to a
  clinic treating sexual impotence may be considered
  highly confidential by the individual.
• The confidentiality of personal health information
  can shift over the lifetime of an individual’s health
  record. For example, changing societal attitudes over
  the last 20 years have resulted in many subjects of care
  no longer considering their sexual orientation to be
  confidential. Conversely, attitudes toward drug and
  alcohol dependency have caused some subjects of
  care to consider addiction-counseling data to be even
  more confidential today than such data would have
  been considered 20 years ago.




Establishing, monitoring, maintaining and improving its ISMS

• Identify information assets and their associated security requirements.
• Assess information security risks.
• Select and implement relevant controls to manage unacceptable risks.
• Monitor, maintain and improve the effectiveness of security controls associated with the organization’s information assets.




EMR Security !



• Many of the security problems facing EMRs today have already been solved elsewhere, for example by the internet protocols that support secure transfer of data between hosts (HTTPS, SSH, etc.).
• The reason is that, from a computer science perspective, EMRs are no different from any other data transferred across a network. The problems of keeping that information secure therefore for the most part already existed, and have already been countered.




Frauds in Healthcare !



• Fraud in the health care sector can happen at any point, from the service providers to the payers, employers, sponsors, users/patients and third-party vendors.
        • Motivation :
                – Pursuit of money
                – Avoidance of liability
                – Malicious harm
                – Competitive advantage
                – Research and product market advantage
                – Addiction
                – Theft of personal effects
                – Theft of individual and/or corporate identity

• The legal elements of fraud, according to this definition, are
     – Misrepresentation of a material fact
     – Knowledge of the falsity of the misrepresentation or ignorance of its truth
     – Intent
     – A victim acting on the misrepresentation
     – Damage to the victim


• Healthcare fraud differs from healthcare abuse. Abuse refers to
     – Incidents or practices that are not consistent with the standard of care (substandard care)
     – Unnecessary costs to a program, caused either directly or indirectly
     – Improper payment or payment for services that fail to meet professional standards
     – Medically unnecessary services
     – Substandard quality of care (e.g., in nursing homes)
     – Failure to meet coverage requirements


• Healthcare fraud typically takes one or more of these forms:
     – False statements or claims
     – Elaborate schemes
     – Cover-up strategies
     – Misrepresentations of value
     – Misrepresentations of service

Insider’s Threat



• A recent Insider Threat Study by CERT found that 86 percent of insider attacks in enterprises originated from people who are or were previously full-time employees in a technical position within the enterprise.
• Insiders typically have access to privileged data beyond their authorization and are far more capable of exploiting loopholes in a network than outsiders.

Challenges
– Medical Device Service and Maintenance Visibility Gaps in Healthcare
– Merging IT Operations and Medical Device Service and Maintenance Platforms
– IT Operations Visibility Gaps in Healthcare

Control:
Implementation, automation and validation of controls for privileged users


Control:
Implementation, automation and validation of controls for privileged users

• Understanding “Privileged User”
• Security Architecture – Layered / Defense in Depth
• Know the Access Model
      – Secure Sockets Layer (SSL) or IP Security (IPSec) protocol
      – “deny all, permit by exception” (DAPE)
• Separation of Duties Through Compartmentalization
      – e.g. port-based access provisioning provides highly granular control
• Containment to Authorized Access Areas
• Tracking and Reporting of User Activities
• Centralized Reporting for Testing of Controls
      – e.g. security information management (SIM) / security event management (SEM) systems
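The following is an added example, not code from the slides or from TippingEdge, showing how the three control ideas above fit together for EMR access: a “deny all, permit by exception” authorization check, compartmentalization through a required treatment relationship, and an audit trail that a central review routine inspects for privileged technical users reaching beyond their authorization. The roles, users, patient ids and activity are constructed sample data, and the `dba` role standing in for the privileged technical insider is an assumption of the example.

```python
"""Added example, not from the slides: a deny-all, permit-by-exception (DAPE)
authorization check for EMR access with an audit trail, plus a review of that
trail for privileged users reaching beyond their authorization.  Roles, users,
patients and the sample activity are constructed for this example."""
from collections import defaultdict

# The only exceptions to the default deny: role -> allowed (action, data class).
# Anything not listed here is refused.  The technical "dba" role is deliberately
# given no clinical permission at all.
ROLE_PERMISSIONS = {
    "physician": {("read", "clinical"), ("write", "clinical"), ("read", "demographics")},
    "billing":   {("read", "demographics"), ("read", "billing"), ("write", "billing")},
    "dba":       {("admin", "backup"), ("admin", "schema")},
}

# Compartmentalization: clinical data additionally requires a treatment
# relationship, so a physician cannot read patients outside their care team.
CARE_TEAM = {
    "P001": {"dr_rao"},
    "P002": {"dr_rao", "dr_sen"},
}

# Roles whose members are privileged technical users (the insider profile the
# CERT study describes).  Constructed set for the example.
PRIVILEGED_ROLES = {"dba"}

AUDIT_LOG = []   # every decision is recorded; this would feed a SIM/SEM in practice


def authorize(user, role, action, data_class, patient_id):
    """Return True only when an explicit permission exists (DAPE); log either way."""
    allowed = (action, data_class) in ROLE_PERMISSIONS.get(role, set())
    if allowed and data_class == "clinical":
        allowed = user in CARE_TEAM.get(patient_id, set())
    AUDIT_LOG.append({"user": user, "role": role, "action": action,
                      "data_class": data_class, "patient": patient_id,
                      "allowed": allowed})
    return allowed


def review_audit(log, denial_threshold=3):
    """Centralized control testing over the audit trail.  Flags (a) any attempt
    by a privileged technical role to touch clinical data, even when denied,
    and (b) users accumulating denials, which is what probing for loopholes looks like."""
    findings = []
    denials = defaultdict(int)
    for e in log:
        if e["role"] in PRIVILEGED_ROLES and e["data_class"] == "clinical":
            findings.append(f"{e['user']} ({e['role']}) attempted {e['action']} "
                            f"on clinical data of {e['patient']}")
        if not e["allowed"]:
            denials[e["user"]] += 1
    for user, n in sorted(denials.items()):
        if n >= denial_threshold:
            findings.append(f"{user}: {n} denied accesses")
    return findings


def run_demo():
    """Replay constructed activity and return the decisions and review findings."""
    AUDIT_LOG.clear()
    activity = [
        ("dr_rao",  "physician", "read",  "clinical", "P001"),   # on care team
        ("dr_sen",  "physician", "read",  "clinical", "P001"),   # not on care team
        ("bill_k",  "billing",   "read",  "billing",  "P001"),
        ("bill_k",  "billing",   "read",  "clinical", "P001"),   # role has no clinical right
        ("admin_x", "dba",       "read",  "clinical", "P002"),   # privileged user probing
        ("admin_x", "dba",       "admin", "backup",   "P002"),
        ("admin_x", "dba",       "read",  "clinical", "P001"),
        ("admin_x", "dba",       "write", "clinical", "P002"),
    ]
    decisions = [authorize(*a) for a in activity]
    return {"decisions": decisions, "findings": review_audit(AUDIT_LOG)}


if __name__ == "__main__":
    result = run_demo()
    print(result["decisions"])
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Two design points matter here. The audit entry is written whether the request was allowed or denied, because denied attempts by a privileged account are exactly the signal the insider-threat slide is about, and a log that only records successes hides them. The review routine also treats a privileged technical role touching clinical data as a finding in its own right, independent of the decision, so the control can be validated centrally rather than trusting the access model alone.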



You can have security without Privacy,
but you can’t have Privacy without Security




Privacy and Security Expectations



        • Ensure privacy and security protections for confidential information
          through operating policies, procedures and technologies, and
          compliance with applicable law
        • Provide transparency of data sharing to patient
        • Protect electronic health information created or maintained by the
          certified EHR technology through the implementation of appropriate
          technical capabilities.
        • These capabilities correspond to certification criteria for EHR
          technology and are summarized in figure 1.




Techniques and methods and the implementation effort

Technology           Method                                          Classification   Implementation effort   Computational cost
-------------------  ----------------------------------------------  ---------------  ----------------------  -------------------
Authentication       One-factor authentication                       Basic            Few                     Few
                     Two-factor                                      Basic            Few/moderate            Few
                     Anonymous                                       Enhanced         Moderate/expensive      Moderate/expensive
Authorization        Server-based                                    Basic            Few                     Few
                     User-based                                      Enhanced         Moderate                Moderate
                     Anonymous                                       Enhanced         Expensive               Moderate
Confidentiality      Transmission                                    Basic            Few                     Moderate
                     Server-based                                    Basic            Few                     Few
                     User-based                                      Enhanced         Moderate                Moderate
Integrity            Transmission                                    Basic            Few                     Few
                     Storage                                         Basic            Moderate                Few
Data anonymity       Anonymous communication                         Enhanced         Few                     Moderate/expensive
                     Obfuscation                                     Enhanced         Moderate                Moderate
                     Unlinkability                                   Enhanced         Expensive               Moderate
Information hiding   Pseudo-information hiding                       Basic            Few                     Few
                     Information hiding with plausible deniability   Enhanced         Expensive               Few
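To make the “Data anonymity” rows of the table concrete, here is an added example (not code from the slides or from TippingEdge) that applies obfuscation and cross-domain unlinkability to EMR records before release: direct identifiers are dropped, the patient id is replaced by a keyed pseudonym, and quasi-identifiers such as age and postal code are generalized. The record layout, the two domain keys, the ten-year age band and the three-digit postal prefix are all constructed choices of this example, not values from the page.

```python
"""Added example, not from the slides: keyed pseudonymization and obfuscation of
EMR records, illustrating the "Data anonymity" rows (obfuscation, unlinkability)
of the table above.  Record layout, keys and generalization rules are
constructed for this example."""
import hmac
import hashlib

# One secret key per recipient domain (constructed values; in practice they
# live in a key store).  A different key per domain is what makes the
# pseudonyms unlinkable across domains.
RESEARCH_KEY = b"research-domain-key-example"
BILLING_KEY = b"billing-domain-key-example"

DIRECT_IDENTIFIERS = ("patient_id", "name", "phone", "address")


def pseudonym(patient_id: str, domain_key: bytes) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256, truncated to 16 hex chars).
    Same id + same key -> same token, so records stay joinable within a domain;
    without the key the token cannot be reversed to the id."""
    return hmac.new(domain_key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalize_age(age: int) -> str:
    """Obfuscation: replace an exact age with a ten-year band."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def generalize_pin(pin: str) -> str:
    """Obfuscation: keep only the leading three digits of a postal code."""
    return pin[:3] + "xxx"


def anonymize(record: dict, domain_key: bytes) -> dict:
    """Build a release record: direct identifiers are dropped, the patient id
    is replaced by a domain pseudonym and quasi-identifiers are generalized."""
    out = {
        "pseudonym": pseudonym(record["patient_id"], domain_key),
        "age_band": generalize_age(record["age"]),
        "pin_prefix": generalize_pin(record["pin"]),
        "diagnosis": record["diagnosis"],
    }
    # Defensive check: no direct identifier may survive into the release copy.
    leaked = set(out) & set(DIRECT_IDENTIFIERS)
    if leaked:
        raise ValueError(f"direct identifiers leaked: {leaked}")
    return out


# Constructed sample records; no real patients.
SAMPLE_RECORDS = [
    {"patient_id": "MRN-1001", "name": "A. Sample", "phone": "9999900001",
     "address": "12 Example Road", "age": 34, "pin": "110001", "diagnosis": "J18.9"},
    {"patient_id": "MRN-1001", "name": "A. Sample", "phone": "9999900001",
     "address": "12 Example Road", "age": 34, "pin": "110001", "diagnosis": "E11.9"},
    {"patient_id": "MRN-1002", "name": "B. Sample", "phone": "9999900002",
     "address": "7 Example Lane", "age": 71, "pin": "560034", "diagnosis": "I10"},
]


def release(records, domain_key):
    """Anonymize a batch of records for one recipient domain."""
    return [anonymize(r, domain_key) for r in records]


def linkable_within(released):
    """Count release records per pseudonym: visits of one patient stay
    joinable inside a single domain, which is the intended behaviour."""
    counts = {}
    for r in released:
        counts[r["pseudonym"]] = counts.get(r["pseudonym"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in release(SAMPLE_RECORDS, RESEARCH_KEY):
        print(r)
```

The two properties to check when adopting a scheme like this are visible in the code: the research and billing copies of the same patient carry different tokens, so the two datasets cannot be joined on the pseudonym without both keys, while the two visits of one patient inside the research copy still share a token. Generalization lowers but does not remove re-identification risk; a rare diagnosis inside a small age band and postal prefix can still single a person out, which is why the table classifies these methods as “Enhanced” with moderate to expensive effort rather than as a cheap basic control.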

HIPAA Security



       • Security should not be confused with privacy or confidentiality
               – Privacy: the right of an individual to control his/her personal information, without
                 risk of it being divulged or misused by others against his or her wishes
               – Confidentiality only becomes an issue once the individual's personal information
                 has been received by another entity; confidentiality is then a means of protecting
                 that information
               – Security refers to the spectrum of physical, technical and administrative safeguards
                 used to provide this protection




HIPAA
Health Information Portability and Accountability Act



        • Final Security Rule published in the Federal Register on February 20, 2003
          (effective 60 days after publication)
                – http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp
        • Designation: 45 CFR 160, 162, 164
        • Compliance dates: April 20, 2005
                – Covered Entities: 24 months after effective date
                – Small Health Plans: 36 months after effective date




HIPAA Security



        • Addresses 3 tiers of protection:
                – Administrative Safeguards
                – Physical Safeguards
                – Technical Safeguards




Administrative Safeguards



        • Institutional level
                – Develop a security management process in which potential “threats” to PHI
                  are identified
                – Provide training to all employees about HIPAA
                – Provide the appropriate level of authorization, based on a protocol for
                  granting access
                – Violations should be clearly documented and investigated
                – A disaster recovery plan should be in place




Physical Safeguards



        • Applies to 3 elements of the PHI data storage infrastructure:
                – Facility where PHI data is stored
                – Workstations on which it is stored
                – Media on which it is stored




Physical Safeguards



        • The facility must have access control
        • Contingency plans need to be in place in case an intruder gains access
        • Workstation security measures must be in place:
                – Automatic logoff
                – Screen placed away from potential viewers
                – PDAs password protected
        • Devices and media that are no longer needed should be disposed of appropriately,
          and the data on them erased properly




Technical Safeguards



        • Applies to how information is stored, verified, accessed and
          transmitted/received
        • Access and audit controls
        • Emergency access to information when needed
        • Automatic logoff is enforced
        • Data is encrypted and decrypted during transmission
        • Verify integrity of the storage and transmission (digital signatures)
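The following is an added example, not code from the slide deck or from TippingEdge, showing how three of the technical safeguards above look when enforced in software: access control limited to a patient's treatment team, emergency ("break-glass") access that is permitted only with a stated reason and is flagged for later review, and automatic logoff after an idle period. The users, medical record numbers, record contents and the 15-minute idle limit are all constructed for illustration.

```python
# Added example (not from the slide deck): a minimal PHI access layer that
# applies three of the technical safeguards listed above: access control,
# emergency ("break-glass") access that is logged and flagged for review, and
# automatic logoff after an idle period. Users, record numbers, record
# contents and the 15-minute idle limit are all constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=15)  # assumed automatic-logoff threshold

# Constructed sample data: each patient's treatment team is the set of users
# with a routine need to know; everyone else needs a documented emergency.
TREATMENT_TEAM = {
    "MRN-1001": {"dr.rao", "nurse.k"},
    "MRN-1002": {"dr.singh"},
}
PHI_RECORDS = {
    "MRN-1001": "Dx: hypertension; Rx: amlodipine 5 mg",
    "MRN-1002": "Dx: type 2 diabetes; Rx: metformin 500 mg",
}


@dataclass
class Session:
    user: str
    last_activity: datetime

    def is_expired(self, now: datetime) -> bool:
        return now - self.last_activity > IDLE_LIMIT


@dataclass
class PhiStore:
    audit_log: list = field(default_factory=list)

    def _log(self, event, user, mrn, now, **extra):
        entry = {"ts": now.isoformat(), "event": event, "user": user, "mrn": mrn}
        entry.update(extra)
        self.audit_log.append(entry)

    def read(self, session: Session, mrn: str, now: datetime, emergency_reason: str = None) -> str:
        """Return the record text or raise PermissionError; every outcome is logged."""
        # Automatic logoff: an idle session cannot be used; the user must log in again.
        if session.is_expired(now):
            self._log("denied_session_expired", session.user, mrn, now)
            raise PermissionError("session expired; log in again")
        session.last_activity = now
        if mrn not in PHI_RECORDS:
            self._log("denied_unknown_record", session.user, mrn, now)
            raise PermissionError("no such record")
        # Access control: routine reads are limited to the treatment team.
        if session.user in TREATMENT_TEAM.get(mrn, set()):
            self._log("read", session.user, mrn, now)
            return PHI_RECORDS[mrn]
        # Emergency access: permitted only with a stated reason, and flagged so
        # that authorized personnel review it afterwards.
        if emergency_reason:
            self._log("break_glass_read", session.user, mrn, now,
                      reason=emergency_reason, review_required=True)
            return PHI_RECORDS[mrn]
        self._log("denied_not_authorized", session.user, mrn, now)
        raise PermissionError("user is not on the treatment team")


def break_glass_events(store: PhiStore) -> list:
    """Entries a privacy officer must review after the fact."""
    return [e for e in store.audit_log if e["event"] == "break_glass_read"]


def run_scenarios() -> dict:
    """Exercise the store with constructed sessions; returns the outcomes."""
    store = PhiStore()
    t0 = datetime(2012, 2, 12, 9, 0)
    outcomes = {}

    rao = Session("dr.rao", t0)
    outcomes["team_read"] = store.read(rao, "MRN-1001", t0 + timedelta(minutes=1))

    singh = Session("dr.singh", t0)
    try:
        store.read(singh, "MRN-1001", t0 + timedelta(minutes=2))
        outcomes["outsider_read"] = "allowed"
    except PermissionError:
        outcomes["outsider_read"] = "denied"

    outcomes["break_glass_read"] = store.read(
        singh, "MRN-1001", t0 + timedelta(minutes=3),
        emergency_reason="ER admission, treatment team unreachable")

    idle = Session("nurse.k", t0)
    try:
        store.read(idle, "MRN-1001", t0 + timedelta(minutes=16))
        outcomes["idle_read"] = "allowed"
    except PermissionError:
        outcomes["idle_read"] = "denied"

    outcomes["events"] = [e["event"] for e in store.audit_log]
    outcomes["review_queue"] = len(break_glass_events(store))
    return outcomes


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The point of the design is that every decision, allowed or denied, lands in the audit log, and that emergency access is never silent: it needs a reason at the time of access and leaves an entry with `review_required` set, which is what the audit-control and emergency-access bullets above require together.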




Am I HIPAA Compliant?


                                          Questions to ask yourself and your institution




Questions to ask your institution



        1. Was a security audit done and, if so, what were the results?
        2. Did I get the appropriate HIPAA training, and do I have a certificate to prove
           it?
        3. Are there procedures in place to grant access to PHI to authorized users?
        4. What procedures are in place in case of disaster, data loss or data theft?
           Are backups made frequently?




Facility, Workstation, Media



        1. What procedures are in place to safeguard the facility from intruders?
           Are there contingency plans for dealing with intruders, data theft or other
           events?

        2. How do you protect the workstations? Are they password protected?

        3. Can bystanders view the screens on which PHI may be displayed?




Facility, Workstation, Media



        4. Is an automatic logoff mechanism enforced? What time limit applies
           before it occurs?
        5. What types of data are stored on PDA devices, and if PHI is stored, is it
           password protected or encrypted?
        6. What procedures are used when disposing of, reusing or archiving data on
           hard disks, CDs, floppies and Zip disks? Is PHI data erased properly if the
           disks are to be disposed of or reused?




Data Level



        1. Are there audit mechanisms for checking who is accessing the PHI data,
           and is this review done on a regular basis by authorized personnel?
        2. Are there procedures in place to grant emergency access to information when
           needed?
        3. Is data integrity checked when the data is transmitted or received (digital
           signatures, digital certificates, checksums, etc.)?
        4. Is the data encrypted and decrypted during the transmission process?
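As an added example (not from the slide deck), the code below turns questions 1 and 3 above into checks a reviewer can run. `review_audit()` goes over a handful of constructed audit-log lines and returns the accesses authorized personnel should look at (reads by someone outside the treatment team, after-hours reads, and emergency access whose justification must be confirmed). `seal_record()` and `verify_record()` show an integrity check on a record in transit using an HMAC-SHA256 keyed checksum, which detects alteration but, unlike the digital signatures the slide lists, needs a shared key rather than a key pair and certificate. The log lines, treatment teams, clinical hours and the key are all constructed for illustration.

```python
# Added example (not from the slide deck): answering questions 1 and 3 above
# with code. review_audit() runs over constructed audit-log lines and returns
# the entries authorized personnel should look at; seal_record() and
# verify_record() show an integrity check on a transmitted record using an
# HMAC-SHA256 keyed checksum (a digital signature would use a key pair and a
# certificate instead). Log lines, treatment teams, clinical hours and the key
# are all constructed for illustration.
import hashlib
import hmac
import json
from datetime import datetime

# Constructed sample audit lines: timestamp|user|role|action|mrn
AUDIT_LOG = """\
2012-02-10T09:12:03|dr.rao|physician|read|MRN-1001
2012-02-10T09:40:11|nurse.k|nurse|read|MRN-1001
2012-02-10T23:55:40|billing.m|billing|read|MRN-1001
2012-02-11T02:14:09|dr.singh|physician|break_glass_read|MRN-1001
2012-02-11T10:05:00|dr.singh|physician|read|MRN-1002
"""
TREATMENT_TEAM = {"MRN-1001": {"dr.rao", "nurse.k"}, "MRN-1002": {"dr.singh"}}
CLINICAL_HOURS = range(7, 20)  # assumed: 07:00 to 19:59 counts as working hours


def parse_audit(text: str) -> list:
    """Split the pipe-delimited lines into dictionaries with a parsed timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, mrn = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "role": role, "action": action, "mrn": mrn})
    return rows


def review_audit(rows: list) -> list:
    """Question 1: who accessed PHI, and which accesses need a second look.

    Returns (finding, user, mrn) tuples. Routine reads by the treatment team
    during clinical hours produce nothing; everything else is listed."""
    findings = []
    for r in rows:
        team = TREATMENT_TEAM.get(r["mrn"], set())
        if r["action"] == "break_glass_read":
            findings.append(("emergency access, confirm justification", r["user"], r["mrn"]))
        elif r["user"] not in team:
            findings.append(("access outside treatment team", r["user"], r["mrn"]))
        if r["action"] == "read" and r["ts"].hour not in CLINICAL_HOURS:
            findings.append(("after-hours access", r["user"], r["mrn"]))
    return findings


# Question 3: integrity of a record in transit. Both ends share KEY (constructed).
KEY = b"constructed-demo-key-do-not-reuse"


def seal_record(record: dict, key: bytes = KEY) -> dict:
    """Sender side: canonical JSON plus a keyed checksum over it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_record(message: dict, key: bytes = KEY):
    """Receiver side: recompute the tag; return the record, or None if altered."""
    expected = hmac.new(key, message["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        return None
    return json.loads(message["payload"])


if __name__ == "__main__":
    for finding in review_audit(parse_audit(AUDIT_LOG)):
        print(finding)
    sealed = seal_record({"mrn": "MRN-1001", "dx": "hypertension"})
    print("intact:", verify_record(sealed))
    sealed["payload"] = sealed["payload"].replace("hypertension", "healthy")
    print("tampered:", verify_record(sealed))
```

Two details matter in practice: the record is serialised in canonical form (sorted keys, no whitespace) before the tag is computed so that sender and receiver agree byte for byte, and the comparison uses `hmac.compare_digest` so that a wrong tag is rejected in constant time.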




HIPAA Wireless Security




Before you Begin



        • Do I really need to be wireless, or can I get by with a wired
          connection?
                – Is space limitation a problem?
                – Is mobility absolutely necessary?
        • Do I have the permission of my institution to install wireless networks?
        • Do I have adequate IT support to do this?




11 Steps to Wireless Security



        • Wireless is inherently insecure
        • There are many ways of hacking into wireless networks
        • The technology base exists to make it secure
        • Some simple steps can be taken to maximize the security of your
          wireless network




11 Steps to Wireless Security



        1. Change the default SSID (network name) on the router so that your
           name/location is kept secret
        2. Disable the SSID broadcast, if your router supports it. This will
           prevent hackers from seeing you
        3. Change the administrator’s password on your router




11 Steps to Wireless Security



        4. Turn on the highest level of security supported by your hardware (i.e.
           Wireless Equivalent Privacy – WEP, which is older, or WPA, which is the latest
           and most secure)
        5. Make sure you have the latest firmware updates. Implement MAC (media
           access control) address filtering, which specifies exactly which WLAN PC cards
           can access the network and excludes all others




11 Steps to Wireless Security



        6. Place the Wireless Access Point (WAP) towards the middle of the building,
           keeping the zone of potential access within the building.
        7. Do your own security audit. Use Network Stumbler (www.netstumbler.com)
           on your Tablet PC, laptop or PDA and walk around the perimeter of your
           building to see where, and what, a would-be hacker may see




11 Steps to Wireless Security



        8. If you have a limited number of wireless clients (Tablet PCs), give them
           static IP addresses and disable DHCP on your router. This ensures that
           only “authorized” machines can “see” your network.




11 Steps to Wireless Security



        9. If you are in an enterprise setting, use VPNs (Virtual Private Networks). You
           can isolate your WLAN from the wired network using products such as the
           Netgear FVM318 or the SonicWall SOHO TZW, then use the VPN to
           tunnel securely into the wired network




11 Steps to Wireless Security



        10. Avoid using public hotspots, areas that are insecure and open for general
            use.

        11. Turn off file and print sharing on your Tablet PCs. Most devices do not
            prevent client-to-client traffic, so people sitting across the street from you
            could be looking at your shared directory remotely.
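The 11 steps above are a checklist, and a checklist is easiest to apply consistently when it is scripted. The block below is an added example, not code from the slide deck or from TippingEdge, that scores a wireless access point's settings against the automatable steps and lists the rest (6, 7 and 10, which are physical or procedural) as reminders. The configuration field names, the sample default-SSID and default-password lists, the "small fleet" threshold for step 8 and the two configurations it is run over are all assumptions constructed for the example; a real audit would read the values from the router's configuration export.

```python
# Added example (not from the slide deck): an offline check of a wireless
# access point's settings against the 11 steps above, run here over two
# constructed configurations. The configuration field names, the sample
# default-SSID and default-password lists and the "small fleet" threshold
# are assumptions for the example; a real audit would pull the values from
# the router's configuration export. Steps 6, 7 and 10 are physical or
# procedural and are reported as reminders rather than checked.

DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}  # constructed sample
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}             # constructed sample
ACCEPTED_ENCRYPTION = {"wpa", "wpa2"}   # step 4: WPA family, not WEP or open
SMALL_FLEET = 10  # assumed: at most this many clients is "limited" for step 8

MANUAL_STEPS = {
    6: "confirm the access point sits towards the middle of the building",
    7: "walk the perimeter with a scanner and record what is visible from outside",
    10: "confirm policy forbids handling PHI over public hotspots",
}


def audit_wireless(cfg: dict) -> list:
    """Return (step, finding) tuples for every automated step that is not met."""
    findings = []
    if cfg["ssid"].strip().lower() in DEFAULT_SSIDS:
        findings.append((1, "SSID is a vendor default"))
    if cfg["ssid_broadcast"]:
        findings.append((2, "SSID broadcast is enabled"))
    if cfg["admin_password"] in DEFAULT_ADMIN_PASSWORDS:
        findings.append((3, "administrator password is a default or empty"))
    if cfg["encryption"].lower() not in ACCEPTED_ENCRYPTION:
        findings.append((4, f"encryption mode is {cfg['encryption'] or 'none'}; use WPA"))
    if not cfg["firmware_current"]:
        findings.append((5, "firmware is not at the latest release"))
    if not cfg["mac_filter_enabled"]:
        findings.append((5, "MAC address filtering is off"))
    if cfg["dhcp_enabled"] and len(cfg["known_clients"]) <= SMALL_FLEET:
        findings.append((8, "DHCP is on although the client list is small enough for static addresses"))
    if not cfg["vpn_required"]:
        findings.append((9, "WLAN is not isolated from the wired network behind a VPN gateway"))
    if cfg["client_file_sharing"]:
        findings.append((11, "file and print sharing is enabled on wireless clients"))
    return findings


def report(cfg: dict) -> str:
    """Human-readable summary: automated findings followed by the manual reminders."""
    lines = [f"step {step}: {text}" for step, text in audit_wireless(cfg)]
    lines += [f"step {step} (manual): {text}" for step, text in sorted(MANUAL_STEPS.items())]
    return "\n".join(lines)


# Constructed configurations: an out-of-the-box router and a hardened one.
WEAK_CONFIG = {
    "ssid": "linksys", "ssid_broadcast": True, "admin_password": "admin",
    "encryption": "wep", "firmware_current": False, "mac_filter_enabled": False,
    "dhcp_enabled": True, "known_clients": ["tablet-01", "tablet-02", "tablet-03"],
    "vpn_required": False, "client_file_sharing": True,
}
HARDENED_CONFIG = {
    "ssid": "ward7-7f3a", "ssid_broadcast": False, "admin_password": "<long unique passphrase>",
    "encryption": "wpa2", "firmware_current": True, "mac_filter_enabled": True,
    "dhcp_enabled": False, "known_clients": ["tablet-01", "tablet-02", "tablet-03"],
    "vpn_required": True, "client_file_sharing": False,
}

if __name__ == "__main__":
    print("--- weak ---\n" + report(WEAK_CONFIG))
    print("--- hardened ---\n" + report(HARDENED_CONFIG))
```

Run against the out-of-the-box configuration the checker reports nine findings across steps 1, 2, 3, 4, 5, 8, 9 and 11 (step 5 appears twice, once for firmware and once for MAC filtering); the hardened configuration produces none, leaving only the three manual reminders.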




Conclusion



        • Health-informatics systems must meet unique demands to remain
          operational in the face of natural disasters, system failures and denial-
          of-service attacks.
        • At the same time, the data they contain are confidential and their
          integrity must be preserved.
        • Because of these critical requirements, and regardless of their size,
          location and model of service delivery, all health care organizations
          need to have stringent controls in place to protect the health
          information entrusted to them.




Thanks & Let us collaborate




  Presented by :
  Madhav Chablani
  Founder CEO & Principal Consultant | TippingEdge Consulting Pvt. Ltd
  Member - India Growth Task Force – ISACA HQ ( US ) | Founder Member ( NCR ) – Cloud Security Alliance |
   www.tippingedge.in | E: madhav.chablani@tippingedge.in | madhav.chablani@gmail.com | M: +91-9313749494
  Twitter: @tippingedge | Join me on Linkedin !

Madhav Chablani
Founder CEO & Principal Consultant

Contact Information:
Mobile: +91 9313749494
Direct: 0120-4284374
E-Mail: madhav.chablani@tippingedge.in
        madhav.chablani@gmail.com

Industry Lines
IT Services / ITES
Healthcare, Life-sciences & Pharma
BFSI

Education/Qualifications
B.E. (Electronics and Telecommunications)
PG-ADM (PG Advanced Diploma in Management)
MASTER CNE – also accredited as Novell’s Professional Developer
QPMP – Qualified Project Management Professional (IPMA)
CISA – Certified Information System Auditor – ISACA (US)
CISM – Certified Information Security Manager – ISACA (US)
SEI CMM / PCMM – Trained/Certified (Internally)
ISO 27000 LA – BSI
ITIL Service Management 2.0 / 3.0 – Trained 700+ professionals towards Foundation’s / Service Manager’s
ISO/IEC 20000 Consultant – Certified ITSMF
BS 25999-2:2007 – RABQSA certified Lead Auditor competency

Industry association / Professional Memberships
Member of ISACA (US)
Member – Indian Growth Task Force – ISACA HQ (2010-11)
Member of Project Management Associates (India) & IPMA (Switzerland)
Member – DSCI
Member – GRAPA
Founder Member – CSA (Cloud Security Alliance) – NCR
ISACA – Knowledge Board – Subject Matter Expert

Professional Experience
I am innovative, passionate, customer focused, committed to value delivery and a professional with
over twenty years’ experience in the IT services and consulting industry, with proven success in
developing, managing and advising global enterprise clients on strategy and solutions that minimize
risks in an enterprise, caused due to business environment, people, process, technology and
extended relationships.

I have worked with Protiviti, HP Consulting, NIIT Technologies, Agilent, Xansa, PCS and WIPRO,
on both Domestic and Global Offshore Projects & Consulting assignments.

I have worked at various layers, with engagement in lead roles and varied domain projects,
contributing in value creation, reinforcing Organizational Process & Project Management
excellence and agility, Enterprise Risk Management / IT Governance, IS audits / control and
Assurance, IT Service and Performance Management, contributing in “GRCS” – Governance,
Risk Management, Compliance and Sustainability initiatives, involved in organizational change
management programs, enriched outsourced delivery capabilities, Practice-level competency
requirements and Enterprise Architectures.
  • I have contributed from Concept to Delivery – designing & implementing enterprise-wide
    technical architectures, involvement in applications lifecycle management – achieving the maturity
    levels desired.
  • Designed and implemented solutions for enterprise infrastructure, security, identity management /
    entitlement, disaster recovery, business continuity strategy and planning, fault tolerant
    infrastructure, contingency planning, crisis management, application / infrastructure integrity.
  • Consulted and provided solutions in the areas of enterprise business / technology strategy,
    business process optimization / re-engineering, enterprise infrastructure design & optimization,
    establishing and managing global business and technology operations and change management.

I have also been involved in initiatives of “Thought Leadership” for technology strategies,
investments and M&A (also Separations / Disinvestments), focused on building and enriching
“Business Value” and “keeping stride in remaining competitive”.
Involvement in Healthcare Initiatives
        •    Captive projects with a US medical university (1992-95) for development of HIMS integration components; used
             standards, now DICOM / PACS
        •    A major heart hospital and research institute in NCR (2000-02): involved as “Program Director / Principal” for
             implementation of HIMS / ERP
        •    Agilent Technologies, a global major in life-sciences and test / measuring equipment (2002-2004)
                – Participated in articulating enterprise vision, strategy, principles, guidelines and standards for enterprise
                  application integration and architecture supporting major business processes: Product Generation, Order
                  Generation, Order Management, Planning, Sourcing / Procurement, Manufacturing / Production, Shipping &
                  Delivery / Logistics, Customer Service Delivery, Financial Management and Reporting
        •    Member of the “India Growth Task Force”, ISACA HQ (2007-present); also involved, as part of the Knowledge Board, in
             co-creating IT Governance framework adaptation and Audit / Assurance work programs for ecosystem players in the
             Healthcare and Life-sciences verticals
        •    Ranbaxy Laboratories, a leading Indian MNC in pharmaceuticals and healthcare (2006)
                – A leadership role with responsibility for Global Information Systems Audits and control (including applications and
                  infrastructure); involved in Enterprise Risk Management, Information Security and Privacy; established IT controls for
                  compliance with ISO 27001, Clause 49, SOX 404 and FDA requirements
        •    Protiviti Consulting, a US-headquartered MNC and independent risk / solutions consulting organization, the 6th largest risk
             consulting firm, with over 3,300 personnel globally and 60 offices in 23 countries (originated from Arthur Andersen’s practice):
             Partner Advisor (2007-2009), specializing in Strategy & Transformation Consulting in the Healthcare and Life-sciences
             vertical
        •    Presently specializing in Strategy & Transformation Consulting in Medical / Healthcare Informatics, Sales & Marketing and
             Managed Care, with over a decade of experience in strategy and transformation consulting; delivered projects with Fortune
             500 companies, helping clients boost sales, accelerate revenue generation and improve their bottom line, including
             projects such as corporate and business unit strategy, mergers and acquisitions, go-to-market strategy, growth strategy and
             product launch, business planning, cost reduction, and sales and marketing effectiveness
        •    Recent projects have demonstrated the power of digital transformation for life-sciences companies, through better
             understanding of customer behavior (such as root causes of non-adherence) and the design of innovative outreach
             programs (social CRM and Patient Opinion communities)
        •    Passionately involved in practice and learning from new-dimension projects on m-Health / e-Health, Data Analytics,
             the role of IT Governance in Healthcare, and IT Audit and Assurance, including EMR security audits for meaningful use



Riskpro information risk management
 
Riskpro Information Risk Management
Riskpro Information Risk ManagementRiskpro Information Risk Management
Riskpro Information Risk Management
 
Riskpro Information Risk Management
Riskpro Information Risk ManagementRiskpro Information Risk Management
Riskpro Information Risk Management
 
Riskpro healthcare industry 2013
Riskpro healthcare industry 2013Riskpro healthcare industry 2013
Riskpro healthcare industry 2013
 
Mohr Integrative Governancest - STSRT Canterbury 2012 Conference
Mohr Integrative Governancest - STSRT Canterbury 2012 ConferenceMohr Integrative Governancest - STSRT Canterbury 2012 Conference
Mohr Integrative Governancest - STSRT Canterbury 2012 Conference
 
2 1 13 short presentation_ steps for reducing complexity
2 1 13 short presentation_ steps for reducing complexity2 1 13 short presentation_ steps for reducing complexity
2 1 13 short presentation_ steps for reducing complexity
 

Destacado

Ministerio del Interior - Presentación norma iso 17799
Ministerio del Interior - Presentación norma iso 17799Ministerio del Interior - Presentación norma iso 17799
Ministerio del Interior - Presentación norma iso 17799Cuidando mi Automovil
 
M014 Confluence Presentation 08 15 06
M014 Confluence Presentation 08 15 06M014 Confluence Presentation 08 15 06
M014 Confluence Presentation 08 15 06gbroadbent67
 
Gestao da politica de segurança e operação da informacao
Gestao da politica de segurança e operação da informacaoGestao da politica de segurança e operação da informacao
Gestao da politica de segurança e operação da informacaoRui Gomes
 
Iso 17799
Iso 17799Iso 17799
Iso 17799rcm_007
 
Estefanía guzmán diapositivas
Estefanía guzmán diapositivasEstefanía guzmán diapositivas
Estefanía guzmán diapositivasPatty Guartazaca
 
Literacias via dispositivos & info basica cedep-paranoá-df30ago2014-v4
Literacias via dispositivos & info basica cedep-paranoá-df30ago2014-v4Literacias via dispositivos & info basica cedep-paranoá-df30ago2014-v4
Literacias via dispositivos & info basica cedep-paranoá-df30ago2014-v4Benedito Medeiros Neto
 
White t shirt party at Cafe des Arts, Nairobi, Kenya
White t shirt party at Cafe des Arts, Nairobi, KenyaWhite t shirt party at Cafe des Arts, Nairobi, Kenya
White t shirt party at Cafe des Arts, Nairobi, KenyaAkinyi Adongo
 
20131030 OECD - Competition and value distribution along the food chain. Span...
20131030 OECD - Competition and value distribution along the food chain. Span...20131030 OECD - Competition and value distribution along the food chain. Span...
20131030 OECD - Competition and value distribution along the food chain. Span...FIAB
 
Generacion de computadoras
Generacion de computadorasGeneracion de computadoras
Generacion de computadorasDaita Emoxa
 
Interacción o looping scratch
Interacción o looping   scratchInteracción o looping   scratch
Interacción o looping scratchJuan Alarcon
 
Lead to-Revenue Best Practices - Driving Pipeline Growth Across the Enterprise
Lead to-Revenue Best Practices - Driving Pipeline Growth Across the EnterpriseLead to-Revenue Best Practices - Driving Pipeline Growth Across the Enterprise
Lead to-Revenue Best Practices - Driving Pipeline Growth Across the EnterpriseMarketoEnterpriseContent
 
Curso Electromagnetismo II
Curso Electromagnetismo IICurso Electromagnetismo II
Curso Electromagnetismo IIrafarrc
 
Phyllosphere agricultura moderna
Phyllosphere agricultura modernaPhyllosphere agricultura moderna
Phyllosphere agricultura modernaCamacho & Meuer
 

Destacado (20)

USWNT Sponsorship
USWNT SponsorshipUSWNT Sponsorship
USWNT Sponsorship
 
Ministerio del Interior - Presentación norma iso 17799
Ministerio del Interior - Presentación norma iso 17799Ministerio del Interior - Presentación norma iso 17799
Ministerio del Interior - Presentación norma iso 17799
 
M014 Confluence Presentation 08 15 06
M014 Confluence Presentation 08 15 06M014 Confluence Presentation 08 15 06
M014 Confluence Presentation 08 15 06
 
Gestao da politica de segurança e operação da informacao
Gestao da politica de segurança e operação da informacaoGestao da politica de segurança e operação da informacao
Gestao da politica de segurança e operação da informacao
 
Iso 17799
Iso 17799Iso 17799
Iso 17799
 
Estefanía guzmán diapositivas
Estefanía guzmán diapositivasEstefanía guzmán diapositivas
Estefanía guzmán diapositivas
 
Frases del papa francisco
Frases del papa franciscoFrases del papa francisco
Frases del papa francisco
 
Literacias via dispositivos & info basica cedep-paranoá-df30ago2014-v4
Literacias via dispositivos & info basica cedep-paranoá-df30ago2014-v4Literacias via dispositivos & info basica cedep-paranoá-df30ago2014-v4
Literacias via dispositivos & info basica cedep-paranoá-df30ago2014-v4
 
Cross concept 2
Cross concept 2Cross concept 2
Cross concept 2
 
White t shirt party at Cafe des Arts, Nairobi, Kenya
White t shirt party at Cafe des Arts, Nairobi, KenyaWhite t shirt party at Cafe des Arts, Nairobi, Kenya
White t shirt party at Cafe des Arts, Nairobi, Kenya
 
20131030 OECD - Competition and value distribution along the food chain. Span...
20131030 OECD - Competition and value distribution along the food chain. Span...20131030 OECD - Competition and value distribution along the food chain. Span...
20131030 OECD - Competition and value distribution along the food chain. Span...
 
Steal This Data - Email Security and DLP
Steal This Data - Email Security and DLPSteal This Data - Email Security and DLP
Steal This Data - Email Security and DLP
 
Generacion de computadoras
Generacion de computadorasGeneracion de computadoras
Generacion de computadoras
 
InnovArte en KunArte
InnovArte en KunArteInnovArte en KunArte
InnovArte en KunArte
 
Interacción o looping scratch
Interacción o looping   scratchInteracción o looping   scratch
Interacción o looping scratch
 
Construyendo la Propuesta de Investigación
Construyendo la Propuesta de Investigación Construyendo la Propuesta de Investigación
Construyendo la Propuesta de Investigación
 
Instituto superior tecnologico privado
Instituto superior tecnologico privadoInstituto superior tecnologico privado
Instituto superior tecnologico privado
 
Lead to-Revenue Best Practices - Driving Pipeline Growth Across the Enterprise
Lead to-Revenue Best Practices - Driving Pipeline Growth Across the EnterpriseLead to-Revenue Best Practices - Driving Pipeline Growth Across the Enterprise
Lead to-Revenue Best Practices - Driving Pipeline Growth Across the Enterprise
 
Curso Electromagnetismo II
Curso Electromagnetismo IICurso Electromagnetismo II
Curso Electromagnetismo II
 
Phyllosphere agricultura moderna
Phyllosphere agricultura modernaPhyllosphere agricultura moderna
Phyllosphere agricultura moderna
 

Similar a EMR Security in Healthcare

Certification And Meaningful Use NCVHS April 29 2009
Certification And Meaningful Use NCVHS April 29 2009Certification And Meaningful Use NCVHS April 29 2009
Certification And Meaningful Use NCVHS April 29 2009Certification Commission
 
IT Strategic Planning - Methodology and Approach
IT Strategic Planning - Methodology and ApproachIT Strategic Planning - Methodology and Approach
IT Strategic Planning - Methodology and ApproachDave Shiple
 
Pentaho Healthcare Solutions
Pentaho Healthcare SolutionsPentaho Healthcare Solutions
Pentaho Healthcare SolutionsPentaho
 
IT Governance Assessment / Audit - Product Solution
IT Governance Assessment / Audit - Product SolutionIT Governance Assessment / Audit - Product Solution
IT Governance Assessment / Audit - Product SolutionArul Nambi
 
What Lies Ahead for ONC: Meaningful Use and Beyond
What Lies Ahead for ONC: Meaningful Use and BeyondWhat Lies Ahead for ONC: Meaningful Use and Beyond
What Lies Ahead for ONC: Meaningful Use and BeyondBrian Ahier
 
H/P Technologies Capabilities Brochure
H/P Technologies Capabilities BrochureH/P Technologies Capabilities Brochure
H/P Technologies Capabilities Brochurebrandonloomis19
 
Health Care Information Exchange Strategy & Roadmap
Health Care Information Exchange Strategy & RoadmapHealth Care Information Exchange Strategy & Roadmap
Health Care Information Exchange Strategy & Roadmappmulrooney
 
Wellness Programs for Better Lives and Better Business
Wellness Programs for Better Lives and Better BusinessWellness Programs for Better Lives and Better Business
Wellness Programs for Better Lives and Better BusinessMaritz Motivation Solutions
 
Create an Enterprise Architecture Strategy in 3 Steps
Create an Enterprise Architecture Strategy in 3 StepsCreate an Enterprise Architecture Strategy in 3 Steps
Create an Enterprise Architecture Strategy in 3 StepsMauricio 'MJ' Jimenez
 
Enterey Overview 2012 V5
Enterey Overview 2012 V5Enterey Overview 2012 V5
Enterey Overview 2012 V5rjohnston2268
 
An Introduction to Business Intelligence for Healthcare
An Introduction to Business Intelligence for HealthcareAn Introduction to Business Intelligence for Healthcare
An Introduction to Business Intelligence for HealthcarePerficient, Inc.
 
pManifold Introduction to Consulting Practice
pManifold Introduction to Consulting PracticepManifold Introduction to Consulting Practice
pManifold Introduction to Consulting PracticepManifold
 
Identity Management: Front and Center for Healthcare Providers
Identity Management: Front and Center for Healthcare ProvidersIdentity Management: Front and Center for Healthcare Providers
Identity Management: Front and Center for Healthcare ProvidersAndrew Ames
 
HIUG Interact 2011 Paperless PeopleSoft Onboarding for Healthcare by SmartERP
HIUG Interact 2011 Paperless PeopleSoft Onboarding for Healthcare by SmartERPHIUG Interact 2011 Paperless PeopleSoft Onboarding for Healthcare by SmartERP
HIUG Interact 2011 Paperless PeopleSoft Onboarding for Healthcare by SmartERPSmart ERP Solutions, Inc.
 
Introduction & EHR Benefits Realization
Introduction & EHR Benefits RealizationIntroduction & EHR Benefits Realization
Introduction & EHR Benefits RealizationDave Shiple
 
MaRS Market Insights - Consumer Digital Health: Market Opportunities and New ...
MaRS Market Insights - Consumer Digital Health: Market Opportunities and New ...MaRS Market Insights - Consumer Digital Health: Market Opportunities and New ...
MaRS Market Insights - Consumer Digital Health: Market Opportunities and New ...MaRS Discovery District
 

Similar a EMR Security in Healthcare (20)

Certification And Meaningful Use NCVHS April 29 2009
Certification And Meaningful Use NCVHS April 29 2009Certification And Meaningful Use NCVHS April 29 2009
Certification And Meaningful Use NCVHS April 29 2009
 
IT Strategic Planning - Methodology and Approach
IT Strategic Planning - Methodology and ApproachIT Strategic Planning - Methodology and Approach
IT Strategic Planning - Methodology and Approach
 
Pentaho Healthcare Solutions
Pentaho Healthcare SolutionsPentaho Healthcare Solutions
Pentaho Healthcare Solutions
 
IT Governance Assessment / Audit - Product Solution
IT Governance Assessment / Audit - Product SolutionIT Governance Assessment / Audit - Product Solution
IT Governance Assessment / Audit - Product Solution
 
What Lies Ahead for ONC: Meaningful Use and Beyond
What Lies Ahead for ONC: Meaningful Use and BeyondWhat Lies Ahead for ONC: Meaningful Use and Beyond
What Lies Ahead for ONC: Meaningful Use and Beyond
 
H/P Technologies Capabilities Brochure
H/P Technologies Capabilities BrochureH/P Technologies Capabilities Brochure
H/P Technologies Capabilities Brochure
 
Health Care Information Exchange Strategy & Roadmap
Health Care Information Exchange Strategy & RoadmapHealth Care Information Exchange Strategy & Roadmap
Health Care Information Exchange Strategy & Roadmap
 
Mcs report
Mcs reportMcs report
Mcs report
 
Management information v1 6
Management information v1 6Management information v1 6
Management information v1 6
 
Wellness Programs for Better Lives and Better Business
Wellness Programs for Better Lives and Better BusinessWellness Programs for Better Lives and Better Business
Wellness Programs for Better Lives and Better Business
 
agraNii Corporate Presentation
agraNii Corporate PresentationagraNii Corporate Presentation
agraNii Corporate Presentation
 
Create an Enterprise Architecture Strategy in 3 Steps
Create an Enterprise Architecture Strategy in 3 StepsCreate an Enterprise Architecture Strategy in 3 Steps
Create an Enterprise Architecture Strategy in 3 Steps
 
Enterey Overview 2012 V5
Enterey Overview 2012 V5Enterey Overview 2012 V5
Enterey Overview 2012 V5
 
An Introduction to Business Intelligence for Healthcare
An Introduction to Business Intelligence for HealthcareAn Introduction to Business Intelligence for Healthcare
An Introduction to Business Intelligence for Healthcare
 
pManifold Introduction to Consulting Practice
pManifold Introduction to Consulting PracticepManifold Introduction to Consulting Practice
pManifold Introduction to Consulting Practice
 
Identity Management: Front and Center for Healthcare Providers
Identity Management: Front and Center for Healthcare ProvidersIdentity Management: Front and Center for Healthcare Providers
Identity Management: Front and Center for Healthcare Providers
 
HIUG Interact 2011 Paperless PeopleSoft Onboarding for Healthcare by SmartERP
HIUG Interact 2011 Paperless PeopleSoft Onboarding for Healthcare by SmartERPHIUG Interact 2011 Paperless PeopleSoft Onboarding for Healthcare by SmartERP
HIUG Interact 2011 Paperless PeopleSoft Onboarding for Healthcare by SmartERP
 
Harmony Healthcare International Company Overview
Harmony Healthcare International Company OverviewHarmony Healthcare International Company Overview
Harmony Healthcare International Company Overview
 
Introduction & EHR Benefits Realization
Introduction & EHR Benefits RealizationIntroduction & EHR Benefits Realization
Introduction & EHR Benefits Realization
 
MaRS Market Insights - Consumer Digital Health: Market Opportunities and New ...
MaRS Market Insights - Consumer Digital Health: Market Opportunities and New ...MaRS Market Insights - Consumer Digital Health: Market Opportunities and New ...
MaRS Market Insights - Consumer Digital Health: Market Opportunities and New ...
 

Último

Call Girls Horamavu WhatsApp Number 7001035870 Meeting With Bangalore Escorts
Call Girls Horamavu WhatsApp Number 7001035870 Meeting With Bangalore EscortsCall Girls Horamavu WhatsApp Number 7001035870 Meeting With Bangalore Escorts
Call Girls Horamavu WhatsApp Number 7001035870 Meeting With Bangalore Escortsvidya singh
 
Call Girls Service Jaipur Grishma WhatsApp ❤8445551418 VIP Call Girls Jaipur
Call Girls Service Jaipur Grishma WhatsApp ❤8445551418 VIP Call Girls JaipurCall Girls Service Jaipur Grishma WhatsApp ❤8445551418 VIP Call Girls Jaipur
Call Girls Service Jaipur Grishma WhatsApp ❤8445551418 VIP Call Girls Jaipurparulsinha
 
VIP Hyderabad Call Girls Bahadurpally 7877925207 ₹5000 To 25K With AC Room 💚😋
VIP Hyderabad Call Girls Bahadurpally 7877925207 ₹5000 To 25K With AC Room 💚😋VIP Hyderabad Call Girls Bahadurpally 7877925207 ₹5000 To 25K With AC Room 💚😋
VIP Hyderabad Call Girls Bahadurpally 7877925207 ₹5000 To 25K With AC Room 💚😋TANUJA PANDEY
 
💎VVIP Kolkata Call Girls Parganas🩱7001035870🩱Independent Girl ( Ac Rooms Avai...
💎VVIP Kolkata Call Girls Parganas🩱7001035870🩱Independent Girl ( Ac Rooms Avai...💎VVIP Kolkata Call Girls Parganas🩱7001035870🩱Independent Girl ( Ac Rooms Avai...
💎VVIP Kolkata Call Girls Parganas🩱7001035870🩱Independent Girl ( Ac Rooms Avai...Taniya Sharma
 
Call Girls Siliguri Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Siliguri Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Siliguri Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Siliguri Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
Call Girls Jabalpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Jabalpur Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Jabalpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Jabalpur Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
Premium Call Girls Cottonpet Whatsapp 7001035870 Independent Escort Service
Premium Call Girls Cottonpet Whatsapp 7001035870 Independent Escort ServicePremium Call Girls Cottonpet Whatsapp 7001035870 Independent Escort Service
Premium Call Girls Cottonpet Whatsapp 7001035870 Independent Escort Servicevidya singh
 
(Rocky) Jaipur Call Girl - 09521753030 Escorts Service 50% Off with Cash ON D...
(Rocky) Jaipur Call Girl - 09521753030 Escorts Service 50% Off with Cash ON D...(Rocky) Jaipur Call Girl - 09521753030 Escorts Service 50% Off with Cash ON D...
(Rocky) Jaipur Call Girl - 09521753030 Escorts Service 50% Off with Cash ON D...indiancallgirl4rent
 
Bangalore Call Girls Nelamangala Number 7001035870 Meetin With Bangalore Esc...
Bangalore Call Girls Nelamangala Number 7001035870  Meetin With Bangalore Esc...Bangalore Call Girls Nelamangala Number 7001035870  Meetin With Bangalore Esc...
Bangalore Call Girls Nelamangala Number 7001035870 Meetin With Bangalore Esc...narwatsonia7
 
Night 7k to 12k Chennai City Center Call Girls 👉👉 7427069034⭐⭐ 100% Genuine E...
Night 7k to 12k Chennai City Center Call Girls 👉👉 7427069034⭐⭐ 100% Genuine E...Night 7k to 12k Chennai City Center Call Girls 👉👉 7427069034⭐⭐ 100% Genuine E...
Night 7k to 12k Chennai City Center Call Girls 👉👉 7427069034⭐⭐ 100% Genuine E...hotbabesbook
 
Lucknow Call girls - 8800925952 - 24x7 service with hotel room
Lucknow Call girls - 8800925952 - 24x7 service with hotel roomLucknow Call girls - 8800925952 - 24x7 service with hotel room
Lucknow Call girls - 8800925952 - 24x7 service with hotel roomdiscovermytutordmt
 
Call Girls Nagpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Nagpur Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Nagpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Nagpur Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
Call Girls Dehradun Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Dehradun Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Dehradun Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Dehradun Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
Bangalore Call Girl Whatsapp Number 100% Complete Your Sexual Needs
Bangalore Call Girl Whatsapp Number 100% Complete Your Sexual NeedsBangalore Call Girl Whatsapp Number 100% Complete Your Sexual Needs
Bangalore Call Girl Whatsapp Number 100% Complete Your Sexual NeedsGfnyt
 
Call Girls Tirupati Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Tirupati Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Tirupati Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Tirupati Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
Call Girls Service Surat Samaira ❤️🍑 8250192130 👄 Independent Escort Service ...
Call Girls Service Surat Samaira ❤️🍑 8250192130 👄 Independent Escort Service ...Call Girls Service Surat Samaira ❤️🍑 8250192130 👄 Independent Escort Service ...
Call Girls Service Surat Samaira ❤️🍑 8250192130 👄 Independent Escort Service ...CALL GIRLS
 
Call Girls Kochi Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Kochi Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Kochi Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Kochi Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
Russian Escorts Girls Nehru Place ZINATHI 🔝9711199012 ☪ 24/7 Call Girls Delhi
Russian Escorts Girls  Nehru Place ZINATHI 🔝9711199012 ☪ 24/7 Call Girls DelhiRussian Escorts Girls  Nehru Place ZINATHI 🔝9711199012 ☪ 24/7 Call Girls Delhi
Russian Escorts Girls Nehru Place ZINATHI 🔝9711199012 ☪ 24/7 Call Girls DelhiAlinaDevecerski
 
Manyata Tech Park ( Call Girls ) Bangalore ✔ 6297143586 ✔ Hot Model With Sexy...
Manyata Tech Park ( Call Girls ) Bangalore ✔ 6297143586 ✔ Hot Model With Sexy...Manyata Tech Park ( Call Girls ) Bangalore ✔ 6297143586 ✔ Hot Model With Sexy...
Manyata Tech Park ( Call Girls ) Bangalore ✔ 6297143586 ✔ Hot Model With Sexy...vidya singh
 
Best Rate (Guwahati ) Call Girls Guwahati ⟟ 8617370543 ⟟ High Class Call Girl...
Best Rate (Guwahati ) Call Girls Guwahati ⟟ 8617370543 ⟟ High Class Call Girl...Best Rate (Guwahati ) Call Girls Guwahati ⟟ 8617370543 ⟟ High Class Call Girl...
Best Rate (Guwahati ) Call Girls Guwahati ⟟ 8617370543 ⟟ High Class Call Girl...Dipal Arora
 

Último (20)

Call Girls Horamavu WhatsApp Number 7001035870 Meeting With Bangalore Escorts
Call Girls Horamavu WhatsApp Number 7001035870 Meeting With Bangalore EscortsCall Girls Horamavu WhatsApp Number 7001035870 Meeting With Bangalore Escorts
Call Girls Horamavu WhatsApp Number 7001035870 Meeting With Bangalore Escorts
 
Call Girls Service Jaipur Grishma WhatsApp ❤8445551418 VIP Call Girls Jaipur
Call Girls Service Jaipur Grishma WhatsApp ❤8445551418 VIP Call Girls JaipurCall Girls Service Jaipur Grishma WhatsApp ❤8445551418 VIP Call Girls Jaipur
Call Girls Service Jaipur Grishma WhatsApp ❤8445551418 VIP Call Girls Jaipur
 
VIP Hyderabad Call Girls Bahadurpally 7877925207 ₹5000 To 25K With AC Room 💚😋
VIP Hyderabad Call Girls Bahadurpally 7877925207 ₹5000 To 25K With AC Room 💚😋VIP Hyderabad Call Girls Bahadurpally 7877925207 ₹5000 To 25K With AC Room 💚😋
VIP Hyderabad Call Girls Bahadurpally 7877925207 ₹5000 To 25K With AC Room 💚😋
 
💎VVIP Kolkata Call Girls Parganas🩱7001035870🩱Independent Girl ( Ac Rooms Avai...
💎VVIP Kolkata Call Girls Parganas🩱7001035870🩱Independent Girl ( Ac Rooms Avai...💎VVIP Kolkata Call Girls Parganas🩱7001035870🩱Independent Girl ( Ac Rooms Avai...
💎VVIP Kolkata Call Girls Parganas🩱7001035870🩱Independent Girl ( Ac Rooms Avai...
 
Call Girls Siliguri Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Siliguri Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Siliguri Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Siliguri Just Call 9907093804 Top Class Call Girl Service Available
 
Call Girls Jabalpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Jabalpur Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Jabalpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Jabalpur Just Call 9907093804 Top Class Call Girl Service Available
 
Premium Call Girls Cottonpet Whatsapp 7001035870 Independent Escort Service
Premium Call Girls Cottonpet Whatsapp 7001035870 Independent Escort ServicePremium Call Girls Cottonpet Whatsapp 7001035870 Independent Escort Service
Premium Call Girls Cottonpet Whatsapp 7001035870 Independent Escort Service
 
(Rocky) Jaipur Call Girl - 09521753030 Escorts Service 50% Off with Cash ON D...
(Rocky) Jaipur Call Girl - 09521753030 Escorts Service 50% Off with Cash ON D...(Rocky) Jaipur Call Girl - 09521753030 Escorts Service 50% Off with Cash ON D...
(Rocky) Jaipur Call Girl - 09521753030 Escorts Service 50% Off with Cash ON D...
 
Bangalore Call Girls Nelamangala Number 7001035870 Meetin With Bangalore Esc...
Bangalore Call Girls Nelamangala Number 7001035870  Meetin With Bangalore Esc...Bangalore Call Girls Nelamangala Number 7001035870  Meetin With Bangalore Esc...
Bangalore Call Girls Nelamangala Number 7001035870 Meetin With Bangalore Esc...
 
Night 7k to 12k Chennai City Center Call Girls 👉👉 7427069034⭐⭐ 100% Genuine E...
Night 7k to 12k Chennai City Center Call Girls 👉👉 7427069034⭐⭐ 100% Genuine E...Night 7k to 12k Chennai City Center Call Girls 👉👉 7427069034⭐⭐ 100% Genuine E...
Night 7k to 12k Chennai City Center Call Girls 👉👉 7427069034⭐⭐ 100% Genuine E...
 
Lucknow Call girls - 8800925952 - 24x7 service with hotel room
Lucknow Call girls - 8800925952 - 24x7 service with hotel roomLucknow Call girls - 8800925952 - 24x7 service with hotel room
Lucknow Call girls - 8800925952 - 24x7 service with hotel room
 
Call Girls Nagpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Nagpur Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Nagpur Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Nagpur Just Call 9907093804 Top Class Call Girl Service Available
 
Call Girls Dehradun Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Dehradun Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Dehradun Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Dehradun Just Call 9907093804 Top Class Call Girl Service Available
 
Bangalore Call Girl Whatsapp Number 100% Complete Your Sexual Needs
Bangalore Call Girl Whatsapp Number 100% Complete Your Sexual NeedsBangalore Call Girl Whatsapp Number 100% Complete Your Sexual Needs
Bangalore Call Girl Whatsapp Number 100% Complete Your Sexual Needs
 
Call Girls Tirupati Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Tirupati Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Tirupati Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Tirupati Just Call 9907093804 Top Class Call Girl Service Available
 
Call Girls Service Surat Samaira ❤️🍑 8250192130 👄 Independent Escort Service ...
Call Girls Service Surat Samaira ❤️🍑 8250192130 👄 Independent Escort Service ...Call Girls Service Surat Samaira ❤️🍑 8250192130 👄 Independent Escort Service ...
Call Girls Service Surat Samaira ❤️🍑 8250192130 👄 Independent Escort Service ...
 
Call Girls Kochi Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Kochi Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Kochi Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Kochi Just Call 9907093804 Top Class Call Girl Service Available
 
Russian Escorts Girls Nehru Place ZINATHI 🔝9711199012 ☪ 24/7 Call Girls Delhi
Russian Escorts Girls  Nehru Place ZINATHI 🔝9711199012 ☪ 24/7 Call Girls DelhiRussian Escorts Girls  Nehru Place ZINATHI 🔝9711199012 ☪ 24/7 Call Girls Delhi
Russian Escorts Girls Nehru Place ZINATHI 🔝9711199012 ☪ 24/7 Call Girls Delhi
 
Manyata Tech Park ( Call Girls ) Bangalore ✔ 6297143586 ✔ Hot Model With Sexy...
Manyata Tech Park ( Call Girls ) Bangalore ✔ 6297143586 ✔ Hot Model With Sexy...Manyata Tech Park ( Call Girls ) Bangalore ✔ 6297143586 ✔ Hot Model With Sexy...
Manyata Tech Park ( Call Girls ) Bangalore ✔ 6297143586 ✔ Hot Model With Sexy...
 
Best Rate (Guwahati ) Call Girls Guwahati ⟟ 8617370543 ⟟ High Class Call Girl...
Best Rate (Guwahati ) Call Girls Guwahati ⟟ 8617370543 ⟟ High Class Call Girl...Best Rate (Guwahati ) Call Girls Guwahati ⟟ 8617370543 ⟟ High Class Call Girl...
Best Rate (Guwahati ) Call Girls Guwahati ⟟ 8617370543 ⟟ High Class Call Girl...
 

EMR Security in Healthcare

  • 1. Information Security in Healthcare - a perspective on EMR Security. Presented by: Madhav Chablani @ IIHMR, New Delhi – Feb 12, 2012. TippingEdge Consulting Pvt. Ltd. (Independent Risk & Business Consulting; Information Systems Audit and Assurance Advisory; Enterprise Architecture and Integration Advisory). CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
  • 2. Recurring Issues
    • The need for an overall standard in medical / clinical terminology
    • The need for data privacy, security and confidentiality
    • The challenges of data entry by physicians
    • The difficulties of integrating EMRs within the health care setting
  • 3. Premise @ US
    • To encourage adoption of electronic health record (EHR) technology, the Health Information Technology for Economic and Clinical Health (HITECH) Act portion of the US American Recovery and Reinvestment Act (ARRA) of 2009 includes financial incentives for health care providers and professionals who can demonstrate “meaningful use” of electronic health records.
    • While meaningful use measures cover a wide range of functional and technical capabilities, there is only one measure related to security and privacy:
    • Organizations implementing EHR technology must “conduct or review a security risk analysis…and implement security updates as necessary,” something they are already required to do under the US Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
    • The fact that this measure is already an obligation under HIPAA should make it easy to satisfy, but many health care organizations are not prepared to comply.
  • 4. HITECH: How the Pieces Fit Together (diagram)
    – Programs: Regional Extension Centers; Workforce Training; Medicare and Medicaid Incentives and Penalties; State Grants for Health Information Exchange; Standards & Certification Framework; Privacy & Security Framework; Health IT Practice Research
    – Stages: ADOPTION, then MEANINGFUL USE, then EXCHANGE
    – Outcomes: Improved Individual & Population Health Outcomes; Increased Transparency & Efficiency; Improved Ability to Study & Improve Care Delivery
  • 5. “MEANINGFUL USE”
    • Hospitals can’t just buy a system
    • Have to implement and use it “meaningfully”
    • Three phases, increasing test requirements: 2011, 2013, 2015
    • Some examples
      – Stage 1 – 23 criteria, self attestation
        • Record vital signs: Ht, Wt, BP, BMI
      – Stage 2 – not finalized, will require 3rd party certification
        • Record clinical documentation
      – Stage 3 – still vague
        • Real-time surveillance, clinical dashboards, safety, efficiency
• 7. (Diagram: State Health Information Exchange; The Beacon Community Program; NHIN.) Visit the ONC Web site: healthit.hhs.gov
• 9. Where are we @ India
  Terms of Reference of the Committee - Sept. 2010
  Objective
  • The objective of the said Committee will be to recommend a set of EMR Standards for India to be followed by both public and private healthcare providers, the implementation of the standards, the procedure for dissemination and the procedure for continuous updating of the standards.
• 10. 2. Scope
  • The standards to be developed will include the following:
    – Diagnosis coding
    – Procedure coding
    – Laboratory coding
    – Clinical Standards
  • EDI (Electronic Data Interchange) including
    – Data flow across hospitals
    – Integration with Telemedicine program
    – Integration with National Administrative Labs for data analysis
    – Middleware for interoperating with proprietary systems
  • Standards for Continuity of Care Records which include administrative, demographic and clinical information
  • Common drug codes
  • Guidelines to meet standards set by organizations such as CCHIT, NABH, JCAHO, Meaningful Use etc.
  • Standards for interoperability both in terms of hardware and software
  • Security protocols for information security
  • Data privacy
  • Legal compliance
  • Standard formats/templates for clinical information capture including preparation of a data dictionary
  • As a part of its activities towards the above, the committee will, among other things:
    – Study the existing standards prevalent in the developed countries
    – Adopt, as far as possible, standards such as ICD 10, HL7, DICOM, LOINC and CPT, wholly or partly as applicable in the Indian environment.
    – Study the work done by the Task Force on Tele Medicine commissioned by the Ministry of Health and Family Welfare in the year 2007.
    – Study and recommend coding procedures for coding of hospitals, healthcare providers, healthcare professionals, drug manufacturers and insurance companies.
    – Develop Standards for reporting
    – Study guiding standards such as WHO standards for interoperability
• 11. 3. Deliverables
  • Draft set of Indian EMR Standards and guidelines.
  • Organize the workshop with a broad set of stakeholders to deliberate on draft EMR standards and guidelines.
  • Create subcommittees for adoption / implementation of standards.
  4. Schedule
  • All activities are to be completed in a timeframe of six months from the date of issue of the OM. The Committee may submit an interim report within 2-3 months.
  5. Resources and Budget allocation
  • MoHFW will provide the requisite resources and budget to the Committee for completing the activities.
• 12. NABH Requirements
• 13. Guidance on Risk Assessment
  • NIST Special Publication 800-30.
  • The ISO/IEC 27000 series of international standards covers risk assessment and risk management for information systems, particularly in ISO/IEC 27005 and the risk assessment section of ISO/IEC 27002.
  • Those wanting an enterprise-level perspective on assessing and managing risk can find relevant guidance in ISO 31000,
  • within major IT governance frameworks such as ISACA's Risk IT: Based on COBIT,
  • or in the risk management section of the Information Technology Infrastructure Library (ITIL).
• 14. ISO 27799:2008 Health informatics -- Information security management in health using ISO/IEC 27002
  • ISO 27799:2008 defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that standard.
  • ISO 27799:2008 specifies a set of detailed controls for managing health information security and provides health information security best practice guidelines. By implementing this International Standard, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity and availability of personal health information.
  • ISO 27799:2008 applies to health information in all its aspects; whatever form the information takes (words and numbers, sound recordings, drawings, video and medical images), whatever means are used to store it (printing or writing on paper or electronic storage) and whatever means are used to transmit it (by hand, via fax, over computer networks or by post), as the information must always be appropriately protected.
• 15.
  • The confidentiality of personal health information is often largely subjective, rather than objective. In other words, only the data subject (i.e., the subject of care) can make a proper determination of the relative confidentiality of various fields or groupings of data. For example, a person escaping from an abusive relationship may consider his/her new address and phone number to be much more confidential than clinical data about setting his/her broken arm.
  • The confidentiality of personal health information is context-dependent. For example, the name and address of a subject of care in a list of admissions to a hospital's emergency department may not be considered especially confidential by that individual, yet the same name and address in a list of admissions to a clinic treating sexual impotence may be considered highly confidential by the individual.
  • The confidentiality of personal health information can shift over the lifetime of an individual's health record. For example, changing societal attitudes over the last 20 years have resulted in many subjects of care no longer considering their sexual orientation to be confidential. Conversely, attitudes toward drug and alcohol dependency have caused some subjects of care to consider addiction-counseling data to be even more confidential today than such data would have been considered 20 years ago.
• 16. Establishing, monitoring, maintaining and improving its ISMS
  • Identify information assets and their associated security requirements.
  • Assess information security risks.
  • Select and implement relevant controls to manage unacceptable risks.
  • Monitor, maintain and improve the effectiveness of security controls associated with the organization's information assets.
• 17. EMR Security !
  • The solution to many of the security problems facing EMRs today already exists, in the form of internet protocols that support secure transfer of data between hosts (https, ssh, etc.).
  • The reason for this is that, from a computer science perspective, EMRs are no different from other data being transferred across a network. Therefore, the problems associated with keeping the information secure are problems which for the most part already existed, and thus have already been countered.
• 18. Frauds in Healthcare !
  • Fraud in the health care sector can happen at any point, from the service providers to the payers, employers, sponsors, users / patients and third-party vendors.
  • Motivation:
    – Pursuit of money
    – Avoidance of liability
    – Malicious harm
    – Competitive advantage
    – Research and product market advantage
    – Addiction
    – Theft of personal effects
    – Theft of individual and/or corporate identity
• 19.
  • The legal elements of fraud, according to this definition, are
    – Misrepresentation of a material fact
    – Knowledge of the falsity of the misrepresentation or ignorance of its truth
    – Intent
    – A victim acting on the misrepresentation
    – Damage to the victim
  • Healthcare fraud differs from healthcare abuse. Abuse refers to
    – Incidents or practices that are not consistent with the standard of care (substandard care)
    – Unnecessary costs to a program, caused either directly or indirectly
    – Improper payment or payment for services that fail to meet professional standards
    – Medically unnecessary services
    – Substandard quality of care (e.g., in nursing homes)
    – Failure to meet coverage requirements
  • Healthcare fraud typically takes one or more of these forms:
    – False statements or claims
    – Elaborate schemes
    – Cover-up strategies
    – Misrepresentations of value
    – Misrepresentations of service
• 20. Insider's Threat
  • A recent Insider Threat Study by CERT found that 86 percent of insider attacks in enterprises originated from people who are or were previously full-time employees in a technical position within the enterprise.
  • Insiders typically have access to privileged data beyond their authorization and are far more capable of exploiting loopholes in a network than outsiders.
  • Control: Implementation, automation and validation of controls for privileged users
  (Sidebar, "Challenges": Medical Device Service and Maintenance Visibility Gaps in Healthcare; Merging IT Operations and Medical Device Service and Maintenance Platforms; IT Operations Visibility Gaps in Healthcare.)
• 21. Control: Implementation, automation and validation of controls for privileged users
  • Understanding "Privileged User"
  • Security Architecture – Layered / Defense in Depth
  • Know the Access Model
  • Secure Sockets Layer (SSL) or IP Security (IPSec) protocol
  • "Deny all, permit by exception" (DAPE)
  • Separation of Duties Through Compartmentalization
    – E.g. port-based access provisioning provides highly granular control
  • Containment to Authorized Access Areas
  • Tracking and Reporting of User Activities
  • Centralized Reporting for Testing of Controls
    – E.g. security information management (SIM) / security event management (SEM) systems
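The privileged-user controls on this slide ("deny all, permit by exception", compartmentalization, tracking and reporting of user activities) together with the emergency-access and audit-control requirements of the HIPAA technical safeguards discussed later can be demonstrated in a small model. This is an added example, not code from the deck or from TippingEdge; the roles, wards, record sections, user names and audit findings are all constructed for illustration.

```python
# Added example (not from the deck): a "deny all, permit by exception" (DAPE)
# access model for EMR record sections, with compartmentalization by ward,
# a logged emergency ("break-the-glass") path, and a review pass over the
# audit trail that surfaces what a privileged-user control should report.
# Roles, wards, users, record fields and findings are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Permit-by-exception: a role may read only the record sections listed here.
# Anything not listed is denied. The sysadmin role is privileged on the
# platform but is granted no PHI sections by default.
ROLE_SECTIONS = {
    "physician": {"demographics", "clinical", "medications"},
    "nurse": {"demographics", "clinical"},
    "billing": {"demographics", "billing"},
    "sysadmin": set(),
}

@dataclass
class User:
    name: str
    role: str
    wards: set          # compartments (wards) the user is provisioned for

@dataclass
class Patient:
    mrn: str            # medical record number (constructed)
    ward: str
    record: dict        # section name -> data

@dataclass
class AuditEvent:
    when: datetime
    user: str
    role: str
    mrn: str
    section: str
    decision: str       # "permit", "break-glass" or "deny"

AUDIT_LOG = []

def access(user, patient, section, now, emergency=False):
    """Return the requested section, or None when denied.
    Every decision, permitted or not, is written to the audit log."""
    allowed = ROLE_SECTIONS.get(user.role, set())
    if section in allowed and patient.ward in user.wards:
        decision = "permit"
    elif emergency and section in allowed:
        # Emergency access: a clinician may cross ward boundaries, but the
        # event is labelled so the review pass can follow it up.
        decision = "break-glass"
    else:
        decision = "deny"
    AUDIT_LOG.append(AuditEvent(now, user.name, user.role, patient.mrn, section, decision))
    return None if decision == "deny" else patient.record.get(section)

def review_audit(log, privileged_users, denial_threshold=3):
    """Centralized reporting over the audit trail. Returns findings a reviewer
    should see: break-glass use, PHI reads by privileged platform accounts,
    and users repeatedly denied (reaching beyond their authorization)."""
    findings = []
    denials = {}
    for e in log:
        if e.decision == "break-glass":
            findings.append(("break-glass", e.user, e.mrn))
        elif e.decision == "permit" and e.user in privileged_users:
            findings.append(("privileged-phi-read", e.user, e.mrn))
        elif e.decision == "deny":
            denials[e.user] = denials.get(e.user, 0) + 1
    for user, n in denials.items():
        if n >= denial_threshold:
            findings.append(("repeated-denials", user, n))
    return findings

def demo():
    """Constructed scenario; returns the values worth checking."""
    AUDIT_LOG.clear()
    t0 = datetime(2012, 2, 12, 9, 0)
    patient = Patient("MRN-0001", "oncology", {
        "demographics": {"name": "Patient A", "dob": "1970-01-01"},
        "clinical": {"diagnosis": "C50.9"},
        "medications": ["tamoxifen 20 mg"],
        "billing": {"insurer": "demo-insurer"},
    })
    nurse = User("nurse_k", "nurse", {"oncology"})
    cardiologist = User("dr_rao", "physician", {"cardiology"})
    dba = User("dba1", "sysadmin", set())

    nurse_read = access(nurse, patient, "demographics", t0)      # permit
    nurse_meds = access(nurse, patient, "medications", t0)       # deny: not in role
    cross_ward = access(cardiologist, patient, "clinical", t0)   # deny: other ward
    emergency = access(cardiologist, patient, "clinical",
                       t0 + timedelta(minutes=1), emergency=True)  # break-glass
    for i in range(3):                                           # repeated denials
        access(dba, patient, "demographics", t0 + timedelta(minutes=5 + i))
    return {
        "nurse_read": nurse_read,
        "nurse_meds": nurse_meds,
        "cross_ward": cross_ward,
        "emergency": emergency,
        "findings": review_audit(AUDIT_LOG, {"dba1"}),
    }
```

In a real deployment the audit log would be written to the SIM/SEM system named on the slide rather than an in-memory list, and the review pass would run there.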
• 22. You can have security without privacy, but you can't have privacy without security.
• 23. Privacy and Security Expectations
  • Ensure privacy and security protections for confidential information through operating policies, procedures and technologies, and compliance with applicable law
  • Provide transparency of data sharing to the patient
  • Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
  • These capabilities correspond to certification criteria for EHR technology and are summarized in figure 1.
• 26. Techniques and methods and the implementation effort
  Technologies        | Methods                                      | Classification | Implementation Effort | Computational Cost
  Authentication      | One-factor authentication                    | Basic          | Few                   | Few
  Authentication      | Two-factor                                   | Basic          | Few/moderate          | Few
  Authentication      | Anonymous                                    | Enhanced       | Moderate/expensive    | Moderate/expensive
  Authorization       | Server-based                                 | Basic          | Few                   | Few
  Authorization       | User-based                                   | Enhanced       | Moderate              | Moderate
  Authorization       | Anonymous                                    | Enhanced       | Expensive             | Moderate
  Confidentiality     | Transmission                                 | Basic          | Few                   | Moderate
  Confidentiality     | Server-based                                 | Basic          | Few                   | Few
  Confidentiality     | User-based                                   | Enhanced       | Moderate              | Moderate
  Integrity           | Transmission                                 | Basic          | Few                   | Few
  Integrity           | Storage                                      | Basic          | Moderate              | Few
  Data anonymity      | Anonymous communication                      | Enhanced       | Few                   | Moderate/expensive
  Data anonymity      | Obfuscation                                  | Enhanced       | Moderate              | Moderate
  Data anonymity      | Unlinkability                                | Enhanced       | Expensive             | Moderate
  Information hiding  | Pseudo-information hiding                    | Basic          | Few                   | Few
  Information hiding  | Information hiding with plausible deniability | Enhanced       | Expensive             | Few
• 27. HIPAA Security
  • Security should not be confused with Privacy or Confidentiality
    – Privacy: The right of an individual to control his/her personal information without risk of its divulgence or misuse by others against his or her wishes
    – Confidentiality only becomes an issue when the individual's personal information has been received by another entity. Confidentiality is then a means of protecting this information
    – Security refers to the spectrum of physical, technical and administrative safeguards used for this protection
• 28. HIPAA – Health Insurance Portability and Accountability Act
  • Final Security Rule published in the Federal Register on February 20, 2003 (effective after 60 days)
    – http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp
  • Designation: 45 CFR 160, 162, 164
  • Compliance Dates: April 20, 2005
    – Covered Entities: 24 months after effective date
    – Small Health Plans: 36 months after effective date
• 29. HIPAA Security
  • Addresses 3 tiers of protection:
    – Administrative Safeguards
    – Physical Safeguards
    – Technical Safeguards
• 30. Administrative Safeguards
  • Institutional level
    – Develop a security management process in which potential "threats" to PHI are determined
    – Provide training to all employees about HIPAA
    – Provide the appropriate level of authorization based on a protocol for granting access
    – Violations should be clearly documented and investigated
    – A disaster recovery plan should be in place
• 31. Physical Safeguards
  • Applies to 3 elements of the PHI data storage infrastructure:
    – Facility where PHI data is stored
    – Workstations on which it is stored
    – Media on which it is stored
• 32. Physical Safeguards
  • Require that the facility have access control
  • Contingency plans need to be in place in case an intruder gains access
  • Workstation security measures must be in place
    – Automatic logoff
    – Screen is placed away from potential viewers
    – PDAs should be password protected
  • Devices and media should be appropriately disposed of when they are no longer needed, and data should be erased properly
• 33. Technical Safeguards
  • Applies to how information is stored, verified, accessed and transmitted/received
  • Access and audit controls
  • Emergency access to information when needed
  • Automatic logoff is enforced
  • Data is encrypted and decrypted during transmission
  • Verify integrity of the storage and transmission (digital signatures)
• 34. Am I HIPAA Compliant? Questions to ask yourself and your institution
• 35. Questions to ask your institution
  1. Was a security audit done and, if so, what are the results?
  2. Did I get the appropriate HIPAA training and do I have a certificate to prove this?
  3. Are there procedures in place to grant access to PHI to authorized users?
  4. What are the procedures in place in case of disaster, data loss or data theft? Are backups made frequently?
• 36. Facility, Workstation, Media
  • 1. What are the procedures in place to safeguard the facility from intruders? Are there contingency plans for dealing with intruders, data theft or other events?
  • 2. How do you protect the safety of workstations? Are they password protected?
  • 3. Can bystanders view the screens on which PHI may potentially be displayed?
• 37. Facility, Workstation, Media
  • 4. Is an automatic logoff mechanism enforced? What time limits are set before this occurs?
  • 5. What types of data are stored on PDA devices and, if PHI is stored, is it password protected or encrypted?
  • 6. What procedures are used when disposing of, reusing or archiving data on hard disks, CDs, floppies and Zip disks? Are PHI data erased properly if the disks are to be disposed of or reused?
• 38. Data Level
  • 1. Are there audit mechanisms for checking who is accessing the PHI data, and is this done on a regular basis by authorized personnel?
  • 2. Are there procedures in place to grant emergency access to information if needed?
  • 3. Is data integrity checked when the data is transmitted or received? (digital signatures, digital certificates, checksums etc.)
  • 4. Is the data encrypted and decrypted during the transmission process?
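Question 3 above, and the "verify integrity of the storage and transmission" item in the Technical Safeguards slide, both hinge on which integrity mechanism is used. The following added example (mine, not the deck's or TippingEdge's) contrasts an unkeyed checksum with a keyed MAC (HMAC-SHA256) on a constructed PHI record: a checksum catches accidental corruption in transit, but anyone who can alter the message can recompute it, whereas the MAC cannot be recomputed without the key. The shared key and the record are constructed; a digital signature, as the slide names, would replace the shared key with a signer's private key, with verification of the same shape.

```python
# Added example (not from the deck): integrity checking for a PHI record sent
# between hosts, comparing an unkeyed checksum with a keyed MAC (HMAC-SHA256).
# The key and the record are constructed for illustration.
import copy
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key-do-not-reuse"   # shared by sender and receiver
SAMPLE_RECORD = {                                 # constructed, not real PHI
    "mrn": "MRN-0002",
    "ward": "cardiology",
    "medications": ["warfarin 5 mg"],
}

def canonical(record):
    """Deterministic serialisation so both hosts hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def checksum(record):
    """Unkeyed integrity value: detects accidental corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()

def keyed_mac(record, key):
    """Keyed integrity value: cannot be recomputed without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def send(record, key):
    """Sender side: wrap the record with both integrity values."""
    return {"record": record, "checksum": checksum(record), "mac": keyed_mac(record, key)}

def verify(envelope, key):
    """Receiver side: recompute both values and compare in constant time."""
    rec = envelope["record"]
    return {
        "checksum_ok": hmac.compare_digest(checksum(rec), envelope["checksum"]),
        "mac_ok": hmac.compare_digest(keyed_mac(rec, key), envelope["mac"]),
    }

def transmission_error(envelope):
    """Accidental corruption in transit: a field changes, nothing is recomputed."""
    damaged = copy.deepcopy(envelope)
    damaged["record"]["ward"] = "cardiolo"
    return damaged

def modified_without_key(envelope):
    """A change made by a party that can see the envelope but lacks the key.
    The unkeyed checksum is simply recomputed; the MAC cannot be."""
    changed = copy.deepcopy(envelope)
    changed["record"]["medications"] = ["warfarin 50 mg"]
    changed["checksum"] = checksum(changed["record"])
    return changed

def demo():
    """Run the three cases and return the receiver's verdicts."""
    env = send(SAMPLE_RECORD, DEMO_KEY)
    return {
        "intact": verify(env, DEMO_KEY),
        "corrupted": verify(transmission_error(env), DEMO_KEY),
        "modified": verify(modified_without_key(env), DEMO_KEY),
    }
```

The receiver should treat a record as valid only when the keyed check passes; the unkeyed checksum on its own answers question 3 only for transmission errors, not for deliberate modification.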
• 39. HIPAA Wireless Security
• 40. Before you Begin
  • Do I really need to be wireless, or can I get by with a wired connection?
    – Is space limitation a problem?
    – Is mobility absolutely necessary?
  • Do I have the permission of my institution to install wireless networks?
  • Do I have adequate IT support to do this?
• 41. 11 Steps to Wireless Security
  • Wireless is inherently insecure
  • There are many, many ways of breaking into wireless networks
  • The technology base is there to make it secure
  • Some simple steps can be taken to maximize the security of your wireless network
• 42. 11 Steps to Wireless Security
  • 1. Change the default SSID (network name) on the router so that your name/location is kept secret
  • 2. Disable the SSID broadcast, if your router supports it. This will prevent hackers from seeing you
  • 3. Change the administrator's password on your router.
• 43. 11 Steps to Wireless Security
  • 4. Turn on the highest level of security supported by your hardware (i.e. Wired Equivalent Privacy – WEP, which is older, or WPA, which is the latest and most secure)
  • 5. Make sure you have the latest firmware updates. Implement MAC (media access control) address filtering, which specifies exactly which WLAN PC cards can access the network and excludes others
• 44. 11 Steps to Wireless Security
  • 6. Place the Wireless Access Point (WAP) towards the middle of the building, keeping the zone of potential access within the building.
  • 7. Do your own security audit. Use Network Stumbler (www.netstumbler.com) on your Tablet PC, laptop or PDA and walk around the perimeter of your building to see where and what a would-be hacker may see
• 45. 11 Steps to Wireless Security
  • 8. If you have a limited number of wireless clients (Tablet PCs), provide them with static IP addresses, and disable DHCP on your router. This ensures that only "authorized" machines can "see" your network.
• 46. 11 Steps to Wireless Security
  • 9. If you are in an enterprise setting, use VPNs (Virtual Private Networks). You can isolate your WLAN from the wired network using products such as the Netgear FVM318 or the SonicWall SOHO TZW. Then you can use the VPN to tunnel directly into the wired network securely
• 47. 11 Steps to Wireless Security
  • 10. Avoid using public hotspots, areas that are insecure and open for general use.
  • 11. Turn off file and print sharing on your Tablet PCs. Most devices do not prevent client-to-client traffic, so people sitting across the street from you can be looking at your shared directory remotely.
• 48. Conclusion
  • Health-informatics systems must meet unique demands to remain operational in the face of natural disasters, system failures and denial-of-service attacks.
  • At the same time, the data they contain are confidential and their integrity must be preserved.
  • Because of these critical requirements, and regardless of their size, location and model of service delivery, all health care organizations need to have stringent controls in place to protect the health information entrusted to them.
• 49. Thanks & Let us collaborate
  Presented by: Madhav Chablani, Founder CEO & Principal Consultant | TippingEdge Consulting Pvt. Ltd
  Member - India Growth Task Force – ISACA HQ (US) | Founder Member (NCR) – Cloud Security Alliance | www.tippingedge.in | E: madhav.chablani@tippingedge.in | madhav.chablani@gmail.com | M: +91-9313749494
  Twitter: @tippingedge | Join me on Linkedin!
• 50. Madhav Chablani, Founder CEO & Principal Consultant
  Contact Information: Mobile: +91 9313749494 | Direct: 0120-4284374 | E-Mail: madhav.chablani@tippingedge.in, madhav.chablani@gmail.com
  Industry Lines: IT Services / ITES; Healthcare, Life-sciences & Pharma; BFSI
  Education/Qualifications: B.E. (Electronics and Telecommunications); PG-ADM (PG Advanced Diploma in Management); Master CNE – also accredited as Novell's Professional Developer; QPMP – Qualified Project Management Professional (IPMA); CISA – Certified Information System Auditor – ISACA (US); CISM – Certified Information Security Manager – ISACA (US); SEI CMM / PCMM – Trained/Certified (internally); ISO 27000 LA – BSI; ITIL Service Management 2.0 / 3.0 – trained 700+ professionals towards Foundation's / Service Manager's requirements; ISO/IEC 20000 Consultant – Certified, ITSMF; BS 25999-2:2007 – RABQSA certified Lead Auditor competency
  Industry association / Professional Memberships: Member of ISACA (US); Member – Indian Growth Task Force – ISACA HQ (2010-11); Member of Project Management Associates (India) & IPMA (Switzerland); Member – DSCI; Member – GRAPA; Founder Member – CSA (Cloud Security Alliance) – NCR; ISACA – Knowledge Board – Subject Matter Expert
  Professional Experience
  • I am innovative, passionate, customer focused, committed to value delivery, and a professional with over twenty years' experience in the IT services and consulting industry, with proven success in developing, managing and advising global enterprise clients on strategy and solutions that minimize risks in an enterprise caused by the business environment, people, process, technology and extended relationships.
  • I have worked with Protiviti, HP Consulting, NIIT Technologies, Agilent, Xansa, PCS and WIPRO, on both domestic and global offshore projects and consulting assignments.
  • I have worked at various layers, with engagement in lead roles and varied domain projects, contributing to value creation; reinforcing organizational process and project management excellence and agility; Enterprise Risk Management / IT Governance; IS audits / control and assurance; IT service and performance management; contributing to "GRCS" – Governance, Risk Management, Compliance and Sustainability initiatives; involved in organizational change management programs; enriched outsourced delivery capabilities, practice-level competency requirements and enterprise architectures.
  • I have contributed from concept to delivery: designing and implementing enterprise-wide technical architectures, with involvement in applications lifecycle management, achieving the maturity levels desired.
  • Designed and implemented solutions for enterprise infrastructure, security, identity management / entitlement, disaster recovery, business continuity strategy and planning, fault tolerant infrastructure, contingency planning, crisis management, and application / infrastructure integrity.
  • Consulted and provided solutions in the areas of enterprise business / technology strategy, business process optimization / re-engineering, enterprise infrastructure design and optimization, establishing and managing global business and technology operations, and change management.
  • I have also been involved in "Thought Leadership" initiatives for technology strategies, investments and M&A (also separations / disinvestments), focused on building and enriching "Business Value" and "keeping stride in remaining competitive".
  • 51. Involvement in Healthcare Initiatives
  • Captive Projects with a US Medical University (1992-95) for development of HIMS integration components, using standards – now DICOM / PACS.
  • A Major Heart Hospital and Research Institute in NCR (2000-02) – involved as "Program Director / Principal" for implementation of HIMS / ERP.
  • Agilent Technologies – a global major in Life-sciences & Test / Measuring equipment (2002-2004) – participated in articulating Enterprise vision, strategy, principles, guidelines and standards for Enterprise application integration and architecture supporting major Business Processes: Product Generation, Order Generation, Order Management, Planning, Sourcing / Procurement, Manufacturing / Production, Shipping & Delivery / Logistics, Customer Service Delivery, Financial Management and Reporting.
  • Member of "India Growth Task Force" – ISACA HQ (2007 – Present); also involved as part of the Knowledge Board in co-creating IT Governance framework adaptation and Audit / Assurance Work Programs for ecosystem players in the Healthcare and Life-sciences verticals.
  • Ranbaxy Laboratories – a leading Indian MNC in Pharmaceutical and Healthcare (2006) – a leadership role with responsibilities in Global Information Systems Audits and control (including Applications and Infrastructure); involved in Enterprise Risk Management, Information Security and Privacy; established IT controls for compliance related to ISO 27001, Clause 49, SOX 404 & FDA's requirements.
  • Protiviti Consulting – US-headquartered MNC in Independent Risk / Solutions Consulting, 6th largest Risk Consulting Firm, over 3,300 personnel globally, 60 offices in 23 countries (originated from Arthur Andersen's practice) – Partner Advisor (2007-2009), specializing in Strategy & Transformation Consulting in the Healthcare and Life-sciences vertical.
  • Presently specializing in Strategy & Transformation Consulting in Medical / Healthcare Informatics, Sales & Marketing and Managed Care – with over a decade of experience in Strategy & Transformation consulting, delivered projects with Fortune 500 companies, helping clients boost sales, accelerate revenue generation and improve their bottom line; includes projects such as corporate and business unit strategy, Mergers and Acquisitions, Go-to-market strategy, growth strategy & product launch, business planning, cost reduction and sales and marketing effectiveness.
  • Recent projects have demonstrated the power of digital transformation for life sciences companies, through better understanding of customer behavior (such as root causes for non-adherence) and design of innovative outreach programs (social CRM and Patient Opinion communities).
  • Passionately involved in practice and learning from new-dimension projects on m-Health / e-Health, Data Analytics, Role of IT Governance in Healthcare, IT Audit and Assurance – EMR Security audits for meaningful use.