HIPAA Compliance and Electronic Protected Health Information: Ignorance is not Bliss!

Page 1: HIPAA Compliance and Electronic Protected Health Information: Ignorance is not Bliss!

HIPAA Compliance and Electronic Protected Health Information:

Ignorance is not bliss!

Medical Device ePHI Risk Identification and Mitigation

© Maxxum, Inc.

Page 2

Webinar Overview

‣ Relevance – why this topic?
‣ Risk – a perspective to consider.
‣ Context – the domain we’re exploring.
‣ Examples – 4 medical devices.
‣ Awareness – now what?

Page 3

Relevance

Risk identification and management for one class of data bearing technology is relatively unaddressed today. That class is the medical device. Medical device data storage of electronic Protected Health Information presents breach risks in direct patient care, clinical lab, and medical imaging settings.

Page 4

Relevance: It’s In The News

Securing PHI in Devices Is Difficult but Essential

Reprinted from REPORT ON PATIENT PRIVACY, January 2011, Volume 11, Issue 1

When Mountain Vista Medical Center found that two portable memory cards were missing from endoscopy machines, it notified patients and retrained staff in its gastroenterology unit (see story, above). And it took an additional step: It “modified the endoscopy machines to no longer use the compact memory data cards,” the Mesa, Ariz., hospital said in a statement last month. This was the first breach in recent memory that involved a medical device, but such equipment can be just as vulnerable to privacy and security lapses as laptops or networks. And devices may pose more of a threat because of how they are made, and because hospitals and other covered entities don’t always think of them the same way they think of other computer devices when it comes to securing data, says Mac McMillan, chief executive officer of CynergisTek, Inc., and chair of the privacy and security steering committee of the Health Information Management Systems Society. Part of the problem is the nature of these devices. “Medical devices are kind of in a special category. They were designed to do a particular function; they were not necessarily designed with security in mind,” he says. “It’s the same issue with printers, faxes, copiers…the problem is people don’t think of them as storing data.” Some medical devices and equipment “are not terribly sophisticated” from a security standpoint, he says.


Page 5

Relevance: Ponemon Study

Fourth Annual Benchmark Study on Patient Privacy & Data Security – Ponemon Institute, March 2014

• Ninety percent of healthcare organizations studied had at least one data breach in the past two years.
• Thirty-eight percent reported more than five breach incidents.
• The average economic impact of data breaches over the past two years for healthcare organizations in the study was $1,973,895.

Page 6

Relevance: HIPAA Breaches Since 2009

From U.S. Health & Human Services Office of Civil Rights on 4/13/2015, https://ocrportal.hhs.gov/ocr/breach

• 1194 breaches of 500 or more records
• More than 133 million patient records affected
• Largest breach is over 78 million records
• Breach types from misplaced paper to cyber attacks
• Two breach examples under 500 records:
  • Walgreens’ 1 record, $1.44 million breach judgement
  • Hospice of Northern Idaho’s 441 record breach, $50k

Commenting on the Hospice breach, OCR Director Leon Rodriguez said: “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

Page 7

Relevance: And It’s Personal!

Page 8

Relevance: And It’s Personal!

Credit and identity protection
• 5 family members
• Each individually enrolled
• Two years of monitoring

Page 9

Risk

Page 10

Risk

Our Risk Profile

[Figure: a 2x2 risk profile matrix. Columns: Unmanaged! / Managed!; rows: Aware! / Unaware!. Quadrants: Aware + Managed = Prepared!, Aware + Unmanaged = Negligent!, Unaware + Unmanaged = Ignorant!, Unaware + Managed = Incompetent!]

Page 11

Risk

Today’s Goal: Awareness

[Figure: the same 2x2 risk profile matrix (Unmanaged!/Managed! by Aware!/Unaware!, quadrants Prepared!, Negligent!, Ignorant!, Incompetent!) with an added “In Process!” marker.]

Page 12

Context

Medical Devices – HIPAA, Courts, SAG, OCR HHS, ONC, HIE, ACO, PHR, EHR, FDA

Page 13

Context: ePHI

Definition: electronic Protected Health Information (ePHI) is patient health information created, received, stored, maintained, processed and/or transmitted in, on, or through any form of electronic means.

Adapted from a HIPAA presentation by Marion Jenkins, PhD, FHIMSS, HIMSS 15 Conference on 4/13/2015

Page 14

Context: ePHI

The HIPAA Security Rule: Covered Entities must protect and secure all electronic Protected Health Information (ePHI) against accidental or intentional causes of unauthorized access, theft, loss, or destruction, from both internal and external sources.

Adapted from a HIPAA presentation by Marion Jenkins, PhD, FHIMSS, HIMSS 15 Conference on 4/13/2015

Page 15

Context: Exiting Medical Devices

• Rental return
• Lease turn-in
• Retirement (EOL)
• Redeployment
• Resale
• Service/repair

Page 16

Medical Devices & ePHI: Examples

Page 17

Small Device – Big Surprise!

Diagnostic Spirometer

A portable battery operated device for testing respiratory volume and function.

Page 18

Small Device – Big Surprise!

Small enough to fit in the pocket of a pair of scrubs. Holds enough ePHI to require HIPAA breach notification to HHS if lost, stolen or disposed of improperly.

Page 19

Small Device – Big Surprise!

ePHI stored on this device:
• full name
• date of birth
• height and weight
• sex
• ethnicity
• history of asthma
• history of smoking

Page 20

Small Device – Big Surprise!

More about this device:
• No user authentication
• Unencrypted stored data
• Unrestricted exporting
• Holds 2040 patient records

Page 21

Large Device – Big Surprise!

A line of clinical analyzer systems

Page 22

Large Device – Big Surprise!

Model | Patient Data? | ePHI Elements Observed
250   | Yes | first name, last name, test date, test type, test result
350   | Yes | first name, last name, test date, test type, test result
ECi   | Yes | first name, last name, date of birth, sex, test date, test type, test result
ECiQ  | Yes | first name, last name, date of birth, sex, test date, test type, test result
5.1   | Yes | first name, last name, date of birth, sex, test date, test type, test result
5600  | Yes | first name, last name, date of birth, sex, test date, test type, test result

7 analyzers were evaluated for ePHI risk

Records found ranged from 1 to 25,000 per device

Page 23

Large Device – Big Surprise!

More about these devices:
• No user authentication
• Unencrypted stored data
• Unrestricted exporting
• Breach risk: 50k to 90k patient records for 7 units

Page 24

Smarter Device – Still Surprised!

This ultrasound system has the capability of storing patient data on a hard drive separate from the operating system and application software. Removal and destruction of the patient data hard drive is easily accomplished.

Page 25

Smarter Device – Still Surprised!

Unfortunately, data elements that qualify as ePHI, such as patient name, patient ID, procedure date/time, facility names, doctor names, and descriptions of patient history were found on the operating system hard drive.

Page 26

Smarter Device – Still Surprised!

ePHI data was also found in the pagefile.sys file on the operating system hard drive. This file is used by the Windows operating system to buffer information before it is written to memory for processing.
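As an added example that is not part of the webinar, the following is a disposition check in the spirit of this finding: it scans a raw storage image (for instance a copy of pagefile.sys taken from the OS drive before the device exits) for ePHI indicators in both ASCII and UTF-16LE, since Windows holds many strings in memory as UTF-16 and a plain byte search for ASCII text would miss them. The sample image, the field labels and the regular expressions are constructed assumptions for illustration, not any vendor's record format.

```python
import re
from typing import Dict, List

# Indicator patterns modelled on the ePHI elements the webinar lists.
# Labels such as "PATIENT_NAME" are assumptions, not a real device format.
EPHI_PATTERNS: Dict[str, re.Pattern] = {
    "patient_name":  re.compile(r"PATIENT[ _]?NAME[:=]\s*([A-Za-z]+,\s*[A-Za-z]+)", re.I),
    "patient_id":    re.compile(r"PATIENT[ _]?ID[:=]\s*(\d{5,})", re.I),
    "date_of_birth": re.compile(r"(?:DOB|DATE OF BIRTH)[:=]\s*(\d{2}/\d{2}/\d{4})", re.I),
    "physician":     re.compile(r"(?:PHYSICIAN|DOCTOR)[:=]\s*([A-Za-z]+)", re.I),
}

def extract_strings(image: bytes, min_len: int = 6) -> List[str]:
    """Return printable runs from a raw image, both ASCII and UTF-16LE
    (the same idea as `strings` and `strings -e l`)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, image)
    utf16_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, image)
    return ([r.decode("ascii") for r in ascii_runs]
            + [r.decode("utf-16-le") for r in utf16_runs])

def scan_for_ephi(image: bytes) -> Dict[str, List[str]]:
    """Map each indicator type to the distinct values found in the image."""
    hits: Dict[str, List[str]] = {}
    for text in extract_strings(image):
        for kind, pattern in EPHI_PATTERNS.items():
            for match in pattern.finditer(text):
                values = hits.setdefault(kind, [])
                if match.group(1) not in values:
                    values.append(match.group(1))
    return hits

def is_ephi_free(image: bytes) -> bool:
    """True only when no indicator fires; the bar for releasing the media."""
    return not scan_for_ephi(image)

# Constructed stand-in for a slice of pagefile.sys: binary noise with one
# ASCII record and one UTF-16LE record (typical of Windows strings) mixed in.
SAMPLE_IMAGE = (
    b"\x00\x01\x02MZ\x90\x00" * 4
    + b"PATIENT_NAME: Doe, Jane DOB: 03/14/1962 PATIENT_ID: 0048213\x00\xff"
    + "Physician: Smith Procedure 2015-04-13".encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for kind, values in scan_for_ephi(SAMPLE_IMAGE).items():
        print(f"{kind}: {values}")
    print("ePHI free:", is_ephi_free(SAMPLE_IMAGE))
```

Against a real image this is a screening aid, not proof of absence: patterns only find the labels you thought to look for, and a device whose patient store is encrypted or proprietary still needs the manufacturer's MDS2 answers and a destructive erase.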

Page 27

ePHI Detective

Until manufacturers build in ePHI safeguards, we have to rely on detective work to make informed choices about ePHI disposition on medical devices. The MDS2 form (Manufacturer Disclosure Statement for Medical Device Security) is a good start.

Page 28

ePHI Detective

Electrocardiograph

Obvious:
• Input capability
• Display and print capability
• Portability – can be powered by an internal battery pack

Page 29

ePHI Detective

Block diagram obtained from the service manual, found online via Google.

Page 30

ePHI Detective

Abundant input and output connectivity for data transfer.

Page 31

ePHI Detective

The use of Compact Flash storage media for software upgrades is intriguing.

Page 32

ePHI Detective

Discovery: a common storage device.

Page 33

ePHI Detective

Findings: 40 patient records
• first name
• last name
• date of birth
• test date
• diagnostic test results
• preliminary diagnosis
• provider name
• clinic location

Pages 34–37

ePHI For Sale?

Page 38

Risk

Our Risk Profile

[Figure: the 2x2 risk profile matrix again. Columns: Unmanaged! / Managed!; rows: Aware! / Unaware!. Quadrants: Aware + Managed = Prepared!, Aware + Unmanaged = Negligent!, Unaware + Unmanaged = Ignorant!, Unaware + Managed = Incompetent!]

Page 39

Awareness: Now What?

Short term activities:
• Confirm or identify who in your organization is responsible for data privacy and security on various device types
• Identify all [potential] data bearing devices in your organization
• If you are not already using it, adopt the MDS2 form as a starting place to evaluate risk for current device inventory
• Implement some form of controlled exit for these devices
• Check for BAAs in place and indemnification when custody transfers

Page 40

Application – Awareness: Now What?

Long term activities:
• Develop a comprehensive asset disposition program that accounts for the complexities of ePHI bearing medical devices
• Add ePHI mitigation requirements to the equipment procurement process. Ask manufacturers to provide:
  • A completed MDS2 form
  • Separate storage media for device operating system/application software and patient data
  • Encryption of patient data storage media

Page 41

Application – Awareness: Now What?

Long term activities (continued):
• Ask manufacturers to provide:
  • Destructive erasure capability for encrypted patient storage media
  • No system or application logging of ePHI elements to device operating system/application software storage media
  • Indemnification in the event of a data breach if manufacturer provided steps to remove ePHI are followed, but do not result in an ePHI free device

Page 42

Discussion

Ray Davey, CTO, Maxxum, Inc. 651-674-2715 [email protected]

Page 43

HIPAA Education Series sponsored by: www.compliancy-group.com, 855.85 HIPAA (855.854.4722). Copyright 2007-2015.

To find out more call: 855.854.4722 or email: [email protected]
