www.acesummitandexpo.com
Facilities and Clinical Engineering Track: Addressing Risk Management in Biomedical Equipment
January 14, 2013
Bart Hubbs - Chief Information Security Officer, FMOL Health System
Bud DeGraff - GM, Diagnostic & Clinical Services, GE Healthcare
Overview
• Biomedical devices have evolved from largely stand-alone devices to more digitally integrated data collection and delivery units.
• Device evolution has helped improve and streamline patient monitoring and subsequent care by collecting and delivering actionable patient data to the right caregivers.
• The streamlined collection and delivery of patient data has also increased risk in other areas.
• Making of a good “Partnership” – Identifying Impact and Likelihood with a focus on controls and mitigation tools/approaches.
What is Risk?
• Risk can be viewed as the intersection of impact and likelihood of negative occurrence.
(Risk = Impact x Likelihood)
• Impact can be experienced via loss of confidentiality, integrity, and/or availability of data.
• Likelihood of loss goes down as controls are strengthened and goes up as weaknesses are introduced or controls are weakened.
What is Risk Management?
• Risk management can be viewed simply as bringing risk to a level that falls within organizational risk tolerance.
• Management activities include adjusting likelihood and/or impact.
• Risk management also includes compliance with federal, state, and industry requirements (examples: HIPAA, PCI-DSS, SOX, GLBA, FERPA, etc.).
HIPAA and “Protected Health Information”
• U.S. Federal Regulations
• PHI is generally defined as individually identifiable health information created or received by a
– Health care provider, health plan, employer, health care clearinghouse, business associate; and
• Relates to an individual's past, present or future physical or mental health or condition, the provision of health care to an individual, or payment for the provision of health care to an individual.
Why is the term “PHI” important?
• When PHI is held in digital form and is in the custody of, or shared by, one of the entities defined previously, the HIPAA Security Rule applies.
• Electronic PHI is often referred to as ePHI.
• Risk management activities are then structured based on the HIPAA Security Rule.
• Risk management/mitigation actions are generally focused on reducing likelihood.
• However, risk management/mitigation actions can also be focused on impact reduction via data de-identification.
De-Identified Health Information
• Does not identify nor provide a reasonable basis to identify an individual.
• Not considered PHI − there are no restrictions on the use or disclosure of de-identified health information.
• Two ways to de-identify information:
− Remove certain specified identifiers; or
− Obtain a formal determination by a qualified statistician.
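As an added example that is not part of the deck, the first de-identification route above (removing specified identifiers) applied to a constructed patient record in Python. The identifier categories and the year-only, three-digit ZIP and over-89 rules follow the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)), which the slide does not name; the field names and the sample record are constructed, and the list of sparse ZIP prefixes is assumed to be supplied by the caller.

```python
from datetime import date

# Constructed field names standing in for Safe Harbor identifier categories
# (names, contact details, SSN, MRN, account/device numbers, IP, URL, photos).
DIRECT_IDENTIFIERS = frozenset({"name", "ssn", "mrn", "phone", "email",
                                "account_number", "device_serial",
                                "ip_address", "url", "photo"})
# Dates directly related to the individual: keep only the year.
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date"})


def deidentify(record, as_of, sparse_zip3=frozenset()):
    """Safe Harbor style copy of `record`. `sparse_zip3` lists 3-digit ZIP
    prefixes covering fewer than 20,000 people, which must become "000";
    the caller supplies that list from HHS guidance (not hard-coded here)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # removed outright
        if key in DATE_FIELDS:
            if value:
                out[key + "_year"] = date.fromisoformat(value).year
            continue
        if key == "zip":
            if value:
                out["zip3"] = "000" if value[:3] in sparse_zip3 else value[:3]
            continue
        out[key] = value                               # non-identifying data
    dob = record.get("dob")
    if dob:
        born = date.fromisoformat(dob)
        age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
        if age > 89:
            # Ages over 89 are aggregated, and the birth year that would
            # reveal such an age is dropped as well.
            out["age"] = "90+"
            out.pop("dob_year", None)
        else:
            out["age"] = age
    return out


# Constructed sample record; the talk date serves as the reference date.
AS_OF = date(2013, 1, 14)
SAMPLE = {"name": "Jane Doe", "mrn": "000123", "dob": "1950-04-12",
          "zip": "70808", "admit_date": "2013-01-03", "diagnosis": "I10"}
```

Free-text fields (clinical notes, comments) are passed through unchanged here and would need separate scrubbing before the output could be treated as de-identified.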
ePHI Confidentiality Loss and Impact
• HITECH enhanced the importance of ePHI protection due to its breach notification requirements.
• HITECH was enacted as part of the American Recovery and Reinvestment Act.
• Millions can be spent on a breach.
• Reputation-related costs can be significant.
• Mitigation is increasingly important with EHR adoption in hospitals and the growing number of “systems of systems” carrying ePHI.
Business Associates and HITECH
• HITECH also establishes that “business associates” are directly required to comply with the HIPAA Security Rule.
• Previously, “business associate” compliance with the HIPAA Security Rule was established only via contract with the covered entity.
What are “Covered Entities” and “Business Associates”?
• Covered Entities (“CE”) -- health plans, health care clearinghouses and most health care providers.
• Business Associates -- a third party that performs, or assists a Covered Entity in performing, a function or activity.
Understanding Risk – Information Sources
• MDS2 -- Manufacturer Disclosure Statement for Medical Device Security. Link: www.himss.org/content/files/MDS2FormInstructions.pdf
• Vendor SMEs – Subject matter experts from the vendor can provide an enhanced understanding of the information stored or transmitted by the device.
• Vendor Manuals – Many are online and provide detailed information about data, controls and configurations.
Reducing Risk – Management Levers
Impact levers:
• ePHI element reduction (limited data set)
• Data de-identification
Likelihood levers:
• Administrative controls – policies, security awareness, incident response procedures
• Physical controls – building and zone controls, inventory management, workstation/storage controls, device disposal
• Technical controls – access controls, encryption, user management
Employee Awareness Training
• Consider having a person actively manage PHI in the hospital, whether from Biomed, IT, or Risk Management.
• Define clearly what PHI is in new-hire and ongoing training.
• Explain how to de-identify data and what types of data must not be shown.
• Service Procedures Manual wording: “In the normal course of performing services for our Customers, Employees may come into contact with protected health information (PHI). PHI is specific information about an individual patient …. This information is often encountered on display monitors, in storage media such as hard drives. You must take every means possible to secure this information.”
IT Specifics & Mitigation Tools
• Today’s hospital is an internet of devices … a system of systems.
• Networks can be at risk if not protected. Wireless applications and allowing WiFi for patients/visitors are potential risk areas.
• Real-time tracking technology/solutions allow for finding all equipment faster, better compliance tracking, and faster incident response.
• Vendor technologies such as phone-home functionality that allow service requests or proactive service should be designed to anonymize data where possible, in order to prevent unnecessary exposure of PHI.
PHI Threats/Areas of Concern
Proactive Incident Response
• IT and Risk Management should both have data breach plans.
• When you work with vendors, ensure that Business Associate agreements are included to ensure the privacy of PHI. This includes legal indemnification.
• Service Procedures Manual: “In the event that an information system has been compromised in such a way that unauthorized individuals, either at a customer’s site or at a business associate’s location, could access PHI you must report the event immediately. Reports of events shall be made via the Concern and Incident Reporting Portal at Security and Crisis Management Center.”
Common Issue Areas
• Not having a “robust, living” Risk Management plan for the facility and the vendor.
• Not having clearly drawn partnership lines between hospital system and vendor responsibilities on what the risk areas are and how they are controlled/mitigated.
• Device security configurations that are undocumented and inconsistent. Not all vendors are created equal in the security space.
• Lack of facility and vendor engagement in controls development for biomed equipment.
The Future of PHI
• Today the industry relies on human controls, which each site is required under HIPAA to manage.
• Software is being developed to automatically wipe equipment clean of PHI.
• In the future, control of PHI will be a built-in pillar of IT operations and default device configurations.
• Covered Entities & Business Associates will demand risk mitigation due to enhanced fines and the ongoing cost of breach notification.
Addressing Risk Management in Biomedical Equipment
Questions
Bart Hubbs - Chief Information Security Officer, FMOL Health System
Bud DeGraff - GM, Diagnostic & Clinical Services, GE Healthcare