1. Securing Data at a Physician’s Practice
A guide to keeping your healthcare data safe and secure
2. Agenda
1 Common terms
2 Why we need to secure data in Healthcare
3 Where to start
4 Security Awareness Program
5 Password discussion
6 Keep your data safe – data protection 101
7 More recommendations – data protection 102
3. Common terms
You will recognize these terms when they come across your desk
•Password
A string of characters used to authenticate yourself (usually) to a computer
- Used to authenticate (user name is used for identification).
- Can also use a PIN# (after a password has been entered.)
•Encryption
A way to transform plain text into unreadable material.
- Purpose is to hide the plain text from non-authorized agents/readers
- Need a key to encrypt and decrypt the message
•HIE / Remote Access / Patient Portal
This is the main way SJH makes our data available to Offices and Physicians
- Health Information Exchange – This is the recommended way to connect to our database
- Netilla
- Patient Portal
•ePHI
Electronic Protected Health Information: any PHI created, stored or transmitted electronically
•Phishing
Method for hackers to gather information about you
- email containing links
- websites containing links
•Social Engineering
Manipulation of people to get information from them or to get them to perform certain actions.
- Many ways
4. Data
A little of everything
Data should be classified: secret, confidential, private and public – depending on the classification, it may require to be encrypted …
Data in motion – This is where the data is being moved from
- 1 closet to another
- 1 computer to another
- From the file closet to the consult room
- Etc…
Data at rest – This is where the data is stored
- In a file closet
- In the main file server
- On the computer desktop
- In the computer memory
- Etc…
5. Why we need to secure data in Healthcare
So many reasons, so little time … If you haven’t, act now!
1 Government regulation
HIPAA – Health Insurance Portability and Accountability Act.
HITECH – Health Information Technology for Economic and Clinical Health, part of ARRA of 2009 (American Recovery and Reinvestment Act) – Also called HIPAA with teeth because it implements enforcement.
2 Your patient data is under attack
Healthcare Data is extremely valuable. But it is vulnerable – It is just sitting there. It cannot defend itself so you have to protect it.
Physical risks
Software risks
Latest trend - Blackmail
3 Loss of business – Financial consequences
Data is extremely important to medicine – Chart, computer records, …
Medical Identity Theft
You may have to close the office during an investigation
Loss of income for employees if office is closed
4 Reputation
You could lose the trust of the patients
You could lose the trust of the physicians
Reputation of the office is key
8. Other Technical Risks
More risks !!!!
• Hacking
• Phishing
• Viruses and Malware
• Blackmail
• Misconfiguration
• …
9. Where to start
Why not with the weakest link?
1 Weakest link, you said ???
In Information Security, employees are the weakest link. Why?
People want to trust each other
2 This is a characteristic that we all have. We want to trust others. This is where “Social Engineering” comes in.
3 Google – Many Definitions:
Social Engineering: “art of manipulating people into performing actions or divulging confidential information.”
“act of manipulating a person to accomplish goals that may or may not be in the target’s best interest.”
This translates into deception either over the phone, in person, via a computer or any other way. It includes obtaining information, gaining access or getting the target to take certain actions.
4 Necessary steps
Background checks
Good Policies and Procedures
Information Security Awareness Program
Doctors must lead by example
Password – complex and change regularly (3 months)
Access codes should be changed when an employee leaves (recover keys ...)
10. Security Awareness Program
Teach any chance you get
1 Starts with the Hiring Process
It starts during the Hiring process. You should have a section of your GEO dedicated to Information Security. Make everyone sign an agreement to keep userID and PASSWORD confidential.
2 Repeat every year
Repeat the program every year and document that you did. Test the employees. Keep it simple. Use what is readily available on the web – Google “Information Security awareness”.
3 Teachable moments
Every chance you get, reinforce the training and the concepts. Look for those “moments”. Be creative with passwords (more later).
12. Passwords
Don’t like them but that is all we have right now.
✓ 1 Why we do not like them (can be shared too easily …)
✓ 2 Change your password regularly
✓ 3 Do not reuse or use the same password for multiple apps
✓ 4 Complexity, while required, should be used with caution
✓ 5 Components, rules and examples of complex passwords
✓ 6 Password alternatives – tokens …
✓ 7 Use these recommendations for home (personal accounts)
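Points 3, 4 and 5 above are easiest to see in code. The following is an added example (not from the deck or from any product it names) of how an office system can enforce them at password-change time: a policy check that weighs length and a common-password list above raw character-class complexity, and a reuse check that recomputes the new password against the salted PBKDF2 hashes of the account's previous passwords. The function names, the tiny COMMON_PASSWORDS set, the iteration count and the sample passwords in demo() are all constructed assumptions.

```python
"""Password policy and reuse checks for an office's own user accounts.
Added example; the common-password list, iteration count and sample
passwords are constructed assumptions, not values from the deck."""
import hashlib
import hmac
import os

# Constructed, deliberately tiny sample of passwords attackers try first.
# A real deployment would load a large published list (assumption).
COMMON_PASSWORDS = {"password", "password1", "welcome1", "123456", "qwerty", "letmein"}

# PBKDF2-HMAC-SHA256 work factor: high enough that guessing stored hashes is slow.
PBKDF2_ITERATIONS = 600_000


def check_policy(password: str, min_len: int = 12) -> list:
    """Return a list of policy problems; an empty list means the password passes.
    Length and the common-password check matter most; character classes are a
    secondary requirement, which is the 'use complexity with caution' point."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    classes = sum(1 for test in tests if any(test(c) for c in password))
    if classes < 3:
        problems.append("uses fewer than three of: lowercase, uppercase, digits, symbols")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in a common-password list")
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2 hash; the system stores (salt, digest), never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how close a guess was."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def is_reused(new_password: str, history: list) -> bool:
    """True if the new password matches any (salt, digest) pair in the history.
    Each old hash has its own salt, so every entry has to be recomputed."""
    return any(verify_password(new_password, salt, digest) for salt, digest in history)


def accept_password_change(new_password: str, history: list) -> list:
    """Combined check at change time; returns the reasons to refuse (empty = accept)."""
    problems = check_policy(new_password)
    if is_reused(new_password, history):
        problems.append("matches a previously used password")
    return problems


def demo() -> dict:
    """Constructed scenario: an employee's last two passwords, then three candidates."""
    history = [hash_password("Clinic-Winter-2023"), hash_password("Clinic-Spring-2024")]
    candidates = ["Welcome1", "Clinic-Spring-2024", "frost mitten orbit 77!"]
    return {pw: accept_password_change(pw, history) for pw in candidates}


if __name__ == "__main__":
    for pw, reasons in demo().items():
        print(f"{pw!r}: {'accepted' if not reasons else '; '.join(reasons)}")
```

In demo() the short, well-known "Welcome1" fails on two counts even though it mixes three character classes, the old password is refused as reused, and the long passphrase with only three classes is accepted; that ordering of priorities is the design choice the example is meant to show.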
14. Keep your data safe and secure
Data Protection 101
1 Do not leave paper charts, USB, CDs etc … lying around the office
2 Use complex passwords to authenticate to the computer system
3 Do not use generic accounts (no accountability). A patient could ask to see a log of who had access to his data
4 Review access and privileges regularly (privilege transfer …) at least once a year and audit yourself.
5 Know where your data is (map it) and classify it if you can (ePHI is classified as confidential by default). Consider data flows (data in transit)
6 Back up your data – you may need to restore it in the event of a disaster or even data corruption. Review your backup strategy (When, What …). Test your backups – restore a randomly chosen file once a month.
7 Encrypt your data – if necessary. This means during transit and when it is stored in a location you do not control (USB key, CD, cloud, …)
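Point 6, the monthly "restore a randomly chosen file" test, is worth automating so it actually happens. The block below is an added example, not code from the deck or from any backup product: at backup time it records a SHA-256 checksum of every file in a manifest next to the copies, and the monthly check restores one random file into a scratch directory and compares it against that manifest, so a backup copy that has silently gone bad is caught before you need it. The manifest name, the directory layout and the sample files built in demo() are constructed assumptions.

```python
"""Monthly backup restore test: restore one randomly chosen file from a backup
into a scratch directory and compare its SHA-256 with the checksum recorded
when the backup was made. Added example; manifest format, directory layout
and sample files are constructed assumptions."""
import hashlib
import json
import random
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed: checksums written next to the backup copies


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup: Path) -> dict:
    """Copy every file under source into backup and record each file's checksum."""
    manifest = {}
    for file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = file.relative_to(source).as_posix()
        dest = backup / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, dest)
        manifest[rel] = sha256_of(file)
    (backup / MANIFEST_NAME).write_text(json.dumps(manifest, indent=1))
    return manifest


def check_restore(backup: Path, rel: str = None, rng=random) -> tuple:
    """Restore one file (random unless rel is given) to a scratch directory and
    verify it. Returns (relative_path, ok); ok is False when the restored bytes
    no longer match the manifest, e.g. after silent media corruption."""
    manifest = json.loads((backup / MANIFEST_NAME).read_text())
    rel = rel or rng.choice(sorted(manifest))
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, target)  # the actual restore step
        return rel, sha256_of(target) == manifest[rel]


def demo() -> tuple:
    """Constructed practice files: back them up, run the monthly check, then
    damage one backup copy and check that file. Returns (ok_clean, ok_corrupt)."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = Path(tmp) / "practice-data", Path(tmp) / "backup"
        sample = {
            "charts/patient-0001.txt": b"constructed chart text\n",
            "charts/patient-0002.txt": b"another constructed chart\n",
            "billing/2024-01.csv": b"date,amount\n2024-01-03,120.00\n",
        }
        for rel, body in sample.items():
            path = source / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(body)
        make_backup(source, backup)
        _, ok_clean = check_restore(backup, rng=random.Random(1))
        # simulate a backup copy that went bad after it was written
        (backup / "billing/2024-01.csv").write_bytes(b"date,amount\n")
        _, ok_corrupt = check_restore(backup, rel="billing/2024-01.csv")
        return ok_clean, ok_corrupt


if __name__ == "__main__":
    print("clean backup verified:", demo()[0], "| corrupted copy detected:", not demo()[1])
```

The restore goes to a scratch directory, never over the live data, so the test can run on a working day; keeping the manifest with the backup (and ideally a second copy elsewhere) is what makes the comparison meaningful.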
15. More recommendations
Data Protection 102
1 Use an Information Security Professional or at least an IT Professional. They have the experience and should guarantee their work. Ask for references and Healthcare experience.
2 Incorporate Redundancy and Fault Tolerance in your designs (computers, servers, networks – wired and wireless) so that you always have safe and secure access to your data.
3 Think about BYOD – secure access, easily stolen, encryption is necessary …
4 Do a DRP test yearly. Get with a local business who will let you use their facilities in the event of a disaster
5 Keep your servers patched to the latest level. Do not forget the patching of databases (SQL …). Do not forget to turn on the security features in your “certified software”. Do not trust the vendor to do this. You have to initiate!
6 Remote access should be secured via encryption, passwords, dual factor authentication...
7 Don’t forget that your data could be on some hardware you are getting rid of … PC, server, copier, … if you encrypt, you are OK.
16. More recommendations
Data Protection 102 - continued
1 Make sure your PCs auto logoff or use password protected screen savers
2 Use computer privacy screen filters for the computers placed in full view of the public
3 Deactivate USB ports and CD writers to prevent unauthorized copy of ePHI – Discuss DLP with a professional
4 If you want to communicate with patients, use a portal instead of email. Email is NOT secure.
5 Save the logs of who is accessing which record
6 Download the following pdf from the OCR site (this is an Information Security guide for small practices)
http://healthit.hhs.gov/portal/server.pt?open=512&objID=1173&parentname=CommunityPage&parentid=34&mode=2&in_hi_userid=10732&cached=true
7 Be aware of your environment!
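Point 5 here and point 3 of Data Protection 101 (no generic accounts, because a patient may ask who looked at his record) describe the same mechanism: an access log that names a person for every record access. The block below is an added example of that log, not code from the deck or from any EHR product: events go into an append-only SQLite table through parameterised queries, shared logins are refused so each row is attributable, and two reports come out of it, the per-patient "who accessed this record" answer and a per-user count of distinct patients that helps the yearly self-audit. The table layout, account names, workstation names and sample events are constructed assumptions.

```python
"""Per-user access log for patient records with the two reports an office
needs: who accessed one patient's record, and how many distinct patients each
user opened. Added example; table layout, account names and sample events
are constructed assumptions."""
import sqlite3
from datetime import datetime, timezone

# Constructed examples of shared logins that give no individual accountability.
GENERIC_ACCOUNTS = {"frontdesk", "nurse", "admin", "guest", "reception"}


class RecordAccessLog:
    def __init__(self, path: str = ":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            """CREATE TABLE IF NOT EXISTS record_access (
                   id          INTEGER PRIMARY KEY AUTOINCREMENT,
                   ts          TEXT NOT NULL,
                   user        TEXT NOT NULL,
                   patient_id  TEXT NOT NULL,
                   action      TEXT NOT NULL,
                   workstation TEXT
               )"""
        )

    def record(self, user: str, patient_id: str, action: str,
               workstation: str = None, ts: str = None) -> None:
        """Append one event. Shared accounts are refused so every row names a person."""
        if user.lower() in GENERIC_ACCOUNTS:
            raise ValueError(f"generic account {user!r}: no individual accountability")
        ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
        # parameterised query: user-supplied values never get pasted into the SQL text
        self.db.execute(
            "INSERT INTO record_access (ts, user, patient_id, action, workstation) "
            "VALUES (?, ?, ?, ?, ?)",
            (ts, user, patient_id, action, workstation),
        )
        self.db.commit()

    def who_accessed(self, patient_id: str) -> list:
        """What a patient (or an investigator) would be shown for one record."""
        return self.db.execute(
            "SELECT ts, user, action, workstation FROM record_access "
            "WHERE patient_id = ? ORDER BY ts, id",
            (patient_id,),
        ).fetchall()

    def patients_per_user(self) -> dict:
        """Self-audit aid: distinct patients opened by each user. A count far above
        the user's peers is the kind of thing the yearly review should explain."""
        rows = self.db.execute(
            "SELECT user, COUNT(DISTINCT patient_id) FROM record_access "
            "GROUP BY user ORDER BY user"
        ).fetchall()
        return dict(rows)


def demo() -> RecordAccessLog:
    """Constructed sample events for one morning in a small office."""
    log = RecordAccessLog()
    events = [
        ("2024-03-04T09:02:11+00:00", "jsmith", "P-1001", "view", "WS-FRONT-1"),
        ("2024-03-04T09:15:40+00:00", "dr.lee", "P-1001", "update", "WS-EXAM-2"),
        ("2024-03-04T09:20:05+00:00", "jsmith", "P-1002", "view", "WS-FRONT-1"),
        ("2024-03-04T11:48:19+00:00", "mgarcia", "P-1001", "view", "WS-BILL-1"),
        ("2024-03-04T11:50:02+00:00", "mgarcia", "P-1003", "view", "WS-BILL-1"),
        ("2024-03-04T11:51:30+00:00", "mgarcia", "P-1004", "view", "WS-BILL-1"),
    ]
    for ts, user, patient, action, ws in events:
        log.record(user, patient, action, ws, ts)
    return log


if __name__ == "__main__":
    log = demo()
    for row in log.who_accessed("P-1001"):
        print("P-1001 accessed:", row)
    print("distinct patients per user:", log.patients_per_user())
```

Use a file path instead of ":memory:" in production, keep the database writable only by the logging component, and include the log in the backups; an access log that the users can edit or that vanishes with the workstation does not answer the patient's question.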
17. Make Information Security part of what you do
Bake it into your processes
Information Security should always be considered in everything you do. It will help later (during audits), especially if you document your efforts.