Technologies and Procedures for HIPAA Compliance
Jack L. Shaffer, Jr., CIO – Community Health Network of West Virginia


Page 1

Technologies and Procedures for HIPAA Compliance

Jack L. Shaffer, Jr., CIO – Community Health Network of West Virginia

Page 2

Topics Covered Today
• In the News
• Acceptable Use Policies and Enforcement
• Protecting PHI with Encryption Technologies
• Auditing and Monitoring Tools
• Questions and Answers

Page 3

“Take-Aways”
• HIPAA policy areas of concern
• Target technology areas of concern
• Sample products and techniques for auditing/monitoring
• Hopefully a sense of urgency

Page 4

In the News – a.k.a. “data loss du jour”

March 11, 2005 – Kaiser Permanente (Oakland, CA): A disgruntled employee posted information on her blog noting that Kaiser Permanente included private patient information on systems diagrams posted on the Web. UPDATE (6/21/2005): The California Department of Managed Health Care fined Kaiser $200,000 for exposing the confidential health information.

Jan. 25, 2006 – Providence Home Services (Portland, OR): Stolen backup tapes and disks containing Social Security numbers, clinical and demographic information. In a small number of cases, patient financial data was stolen. UPDATE (9/26/06): Providence Health System and the Oregon Attorney General have filed a settlement agreement. Providence will provide affected patients with free credit monitoring, offer credit restoration to patients who are victims of identity fraud, and reimburse patients for direct losses that result from the data breach. The company must also enhance its security programs.

Feb. 17, 2006 – Mount St. Mary's Hospital (1 of 10 hospitals with patient info. stolen) (Lewiston, NY): Two laptops containing date of birth, address and Social Security numbers of patients were stolen in an armed robbery in New Jersey.

Aug. 4, 2006 – PSA HealthCare (Norcross, GA): A company laptop was stolen from an employee's vehicle in a public parking lot July 15. It contained names, addresses, SSNs, and medical diagnostic and treatment information used in reimbursement claims.

Aug. 7, 2006 – U.S. Dept. of Veterans Affairs through its contractor Unisys Corp. (Reston, VA): A computer at the contractor's office was reported missing Aug. 3, containing billing records with names, addresses, SSNs, and dates of birth of veterans at 2 Pennsylvania locations.

Aug. 11, 2006 – Madrona Medical Group (Bellingham, WA): On Dec. 17, 2005, a former employee accessed and downloaded patient files onto his laptop computer. Files included name, address, SSN, and date of birth. The former employee has since been arrested.

Page 5

“Data loss du jour”

TOTAL number of records containing sensitive personal information involved in security breaches, 2005 to present: 215,979,650 (source: Privacyrights.org, http://www.privacyrights.org/ar/ChronDataBreaches.htm)

Feb. 2, 2007 – U.S. Dept. of Veterans Affairs, VA Medical Center (Birmingham, AL): An employee reported a portable hard drive stolen or missing that might contain personal information about veterans including Social Security numbers. UPDATE (2/10/07): VA increases the number of affected veterans to 535,000, included in the total above. UPDATE (2/12/07): VA reported that billing information for 1.3 million doctors was also exposed, including names and Medicare billing codes, not included in the total above. UPDATE (3/19/07): The VA's Security Operations Center has referred 250 incidents since July 2006 to its inspector general, which has led to 46 separate investigations. UPDATE (6/18/07): The VA expects to spend more than $20 million responding to this breach, which potentially exposes the identities of nearly a million physicians and VA patients.

Page 6

“Data loss du jour”

Most of the data losses occurred because of a lack of policies and procedures OR a lack of auditing and monitoring of existing policies and procedures.

Page 7

“Data loss du jour”

October 23, 2007 – State info on 200,000 missing

A computer tape containing personal information on about 200,000 current and past participants in state insurance programs was lost during shipment, the Public Employees Insurance Agency said Monday. The data file contained full names (including birth names), addresses, phone numbers, Social Security numbers and marital status for 200,000 people insured by the Public Employees Insurance Agency, the Children’s Health Insurance Program and Access West Virginia. The data was reported missing last week while being shipped via United Parcel Service to a data processing center in Pennsylvania, Department of Administration spokeswoman Diane Holley said Monday. She said UPS officials reported on Oct. 16 that the package containing the tape had broken open, and that the tape was missing. However, she said UPS officials believe the tape is somewhere in the distribution center in Louisville, Ky., and asked for time to conduct a search. With the tape still missing as of Monday, PEIA executives decided to send letters to all 200,000 people to notify them of the disappearance of the tape containing their personal data. She said the letters will provide information about identity theft, and will explain to recipients how they can place fraud alerts and security freezes on their credit reporting agency files, in the event their personal data is compromised. A security freeze blocks the credit reporting agencies from releasing information in an individual’s file, which could be used to obtain credit cards or other lines of credit, without that person’s authorization. The tape does not contain any information about individuals’ medical histories, or medical or prescription claims, Holley said. She said that, even if the tape were stolen, it cannot be “read” without access to specialized computer equipment. “It is a specialized computer tape,” she said. “It looks like an eight-track tape.” She said PEIA will operate a call center that people affected can call for updates on the status of the missing tape, or more information about protecting against credit fraud.

Page 8

Acceptable Use Policies and Enforcement
• Relevant HIPAA rules
  – 164.308(a)(3)(i) – Workforce Security
    • Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
  – 164.308(a)(4)(i) – Information Access Management
    • Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
  – 164.308(a)(5)(i) – Security Awareness and Training
    • Implement a security awareness and training program for all members of its workforce (including management).

Page 9

Acceptable Use Policies and Enforcement
• Relevant HIPAA rules
  – 164.310(b) – Workstation Use
    • Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
  – 164.310(c) – Workstation Security
    • Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

Page 10

Acceptable Use Policies and Enforcement
• Relevant HIPAA rules
  – 164.310(d)(1) – Device and Media Controls
    • Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
  – 164.312(e)(1) – Transmission Security
    • Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Page 11

Acceptable Use Policies and Enforcement
• Acceptable Use Policies
  – Hardware
    • General Computer Use
      – No right to privacy
      – Company ownership
      – Right to monitor
      – Passwords
      – No disabling of system software such as anti-virus or spyware filters

Page 12

Acceptable Use Policies and Enforcement
• Acceptable Use Policies
  – Hardware
    • Laptop
      – Physical protection
      – Awareness
    • PDA/Blackberry/iPhone
      – Secure with passwords
      – No storing of passwords on memory sticks
      – Warnings about forwarding corporate E-mail using desktop redirector
    • Removable Media
      – Physical protection
      – No storing of passwords
      – No PHI without encryption

Page 13

Acceptable Use Policies and Enforcement
• Acceptable Use Policies
  – E-mail
    • Right to monitor
    • No transmission of PHI unless encrypted
  – Internet Access
    • Right to monitor
    • Business use only
    • Stance on IM and other applications

Page 14

Acceptable Use Policies and Enforcement
• Acceptable Use Policies
  – Access Control
    • Appropriate approvals
    • Proper identification methods of users
  – Transmission of information
    • Anytime data leaves
    • Periodic reviews
    • Encryption required

Page 15

Acceptable Use Policies and Enforcement
• Human beings are the weakest link
  – Do not underestimate or minimize this risk
  – Kevin Mitnick
    • The Art of Deception
  – Technology is complicated
    • Unrealistic to expect people to fully understand all of the risks on their own
  – Training is ESSENTIAL
    • That is why it is required under HIPAA
    • Best use of $$$

Page 16

Acceptable Use Policies and Enforcement
• Enforcement Technologies
  – Windows Active Directory
    • Access Control / User Account Management
      – Password policies
      – Remote Access
    • Desktop / Workstation control with Group Policies
      – Control Internet / Email access
      – Deny removable media

Page 17

Acceptable Use Policies and Enforcement
• Enforcement Technologies
  – Desktop (cont’d)
    • Most “hacks” happen here today
      – Botnets
    • Anti-virus
    • Firewall
    • Windows Update!
  – Auditing and Reporting
    • DumpSec
      – http://www.systemtools.com
  – Email Filtering
    • Restrict use of Internet Email such as Yahoo, Hotmail, etc.

Page 18

Acceptable Use Policies and Enforcement
• Enforcement Technologies
  – Internet / Content Security Filters
    • Sonicwall
      – www.sonicwall.com
    • iPrism / St. Bernard
      – http://www.stbernard.com/
    • Surf Control
      – http://www.surfcontrol.com/

Page 19

Acceptable Use Policies and Enforcement
• Enforcement Technologies
  – PKI / Two Factor Authentication
    • RSA
      – http://www.rsa.com/
    • Raak Technologies
      – http://www.raaktechnologies.com/solutions/pki.html
  – Cardkey Access
    • Physical control
    • Auditing

Page 20

Acceptable Use Policies and Enforcement
• Enforcement Technologies
  – Data Backup
    • Tapes
    • CDP
      – Sonicwall
    • Outsourced Services
      – Livevault
      – Carbonite
      – Evault

Page 21

Protecting PHI with Encryption Technologies
– 164.310(d)(1) – Device and Media Controls
– 164.312(e)(1) – Transmission Security
• Key area often overlooked
  – VPNs
    • Wireless “hotspots”
    • Access from home
    • Tools
      – Microsoft
      – Cisco

Page 22

Protecting PHI with Encryption Technologies
– Email encryption
  • Exchange environment
  • PGP
    – http://www.pgp.com/downloads/datasheets/index.html
  • Tumbleweed
    – http://www.tumbleweed.com/solutions/outbound_email.html
  • Public Key Infrastructure (PKI) – Microsoft Outlook Express
  • Blackberry

Page 23

Protecting PHI with Encryption Technologies
– File encryption
  • Mobile Devices
    – Establish user account and passwords to log on
  • Windows XP – Be Careful!

Page 24

Protecting PHI with Encryption Technologies
– File encryption
  • OpenPGP
    – http://www.pgp.com/downloads/datasheets/index.html
  • TrueCrypt (USB)
    – Open Source
    – How to: http://www.juand.ca/?page_id=3
  • Dekart Private Disk
    – http://www.dekart.com/products/encryption/

Page 25

Protecting PHI with Encryption Technologies
• Encryption should absolutely be used in every transmission of PHI
• Could have prevented the WV State’s problem with data loss mentioned earlier

Page 26

Protecting PHI with Encryption Technologies
– Data Erasure Tools
  • Proper disposal
  • Jetico – BCWipe
    – http://www.jetico.com/
  • Ontrack – DataEraser
    – http://www.ontrackdatarecovery.com/hard-drive-software/ontrack-eraser.aspx
  • Scrub – Lawrence Livermore Labs (Unix)
  • Shred (Unix)
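As an added illustration of what “proper disposal” tools such as shred and scrub do (example code written for this page, not any listed vendor's product): overwrite a file's contents before unlinking it, because a plain delete leaves the bytes on disk. The PHI-like record is constructed.

```python
"""Overwrite-then-delete file wipe in the spirit of shred(1) and scrub: an added
example, not any listed vendor's product. Caveat: on journaling or copy-on-write
file systems, SSDs with wear levelling, and volumes with snapshots, an in-place
overwrite does not guarantee the old blocks are unrecoverable; full-disk
encryption with key destruction, or physical destruction, is the reliable control."""
import os
import tempfile

def wipe_file(path, passes=3, chunk=64 * 1024, unlink=True):
    """Overwrite `path` in place `passes` times (random data, zeros on the final
    pass), fsync after each pass, then unlink. Returns the total bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for p in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(b"\x00" * n if p == passes - 1 else os.urandom(n))
                written += n
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass past the OS page cache
    if unlink:
        os.unlink(path)
    return written

def demo(passes=2):
    """Write a constructed PHI-like record to a temp file, wipe it without
    unlinking, and report what a reader of the raw file would still find."""
    record = b"MRN 000123 | DOE, JANE | SSN 000-00-0000 | dx: sample\n"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(record * 100)
    size = os.path.getsize(path)
    written = wipe_file(path, passes=passes, unlink=False)
    with open(path, "rb") as fh:
        leftover = fh.read()
    os.unlink(path)
    return {"size": size, "written": written,
            "zeroed": leftover == b"\x00" * size,
            "record_recoverable": b"DOE, JANE" in leftover}

if __name__ == "__main__":
    print(demo())
```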

Page 27

Auditing and Monitoring Tools
– User Account Monitoring
  • Windows Auditing

Page 28

Auditing and Monitoring Tools
– User Account Monitoring
  • Major area to watch
  • DumpSec
  • DumpEvt

Page 29

Auditing and Monitoring Tools
– User Account Monitoring
  • Scripts from Microsoft
    – Report / disable user accounts that have not logged on in 60 days
    – Users in specific authority groups
    – (Hey, Scripting Guy...)
  • You can run similar scripts with Unix
    – e.g. the last command
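An added example (not one of the Microsoft scripts the slide refers to) of the Unix side of the same review: parse `last -F`-style output, flag accounts with no login in the last 60 days, and cross-check them against an authority group. The login records, account list and group roster are constructed.

```python
"""Inactive-account review over Unix login history: an added example, not one of
the Microsoft scripts the slide refers to. Input is constructed `last -F`-style
output; a real run would feed in `last -F` and the account list from /etc/passwd."""
import re
from datetime import datetime, timedelta

# Constructed `last -F`-style lines: user, tty, origin host, login timestamp.
LAST_OUTPUT = """\
jdoe     pts/0   10.1.2.3     Thu Sep 20 08:12:41 2007
asmith   pts/1   10.1.2.9     Mon Jun  4 17:03:10 2007
jdoe     pts/2   10.1.2.3     Fri Sep 28 09:00:00 2007
reboot   system boot  2.6.18   Sat Mar  3 11:00:00 2007
rjones   tty1                 Sat Mar  3 11:30:00 2007

wtmp begins Mon Jan  1 00:00:00 2007
"""
# Constructed account list (what /etc/passwd would give) and an authority group.
ACCOUNTS = ["jdoe", "asmith", "rjones", "svc_backup", "tmiller"]
WHEEL_MEMBERS = ["jdoe", "rjones"]
NOW = datetime(2007, 10, 1)

TIMESTAMP = re.compile(r"[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}")

def parse_last(text):
    """Map each user to its most recent login time; skip reboot and trailer lines."""
    latest = {}
    for line in text.splitlines():
        fields = line.split()
        match = TIMESTAMP.search(line)  # first timestamp on the line is the login
        if len(fields) < 2 or fields[0] in ("reboot", "wtmp") or not match:
            continue
        when = datetime.strptime(" ".join(match.group(0).split()), "%a %b %d %H:%M:%S %Y")
        if when > latest.get(fields[0], datetime.min):
            latest[fields[0]] = when
    return latest

def inactive_accounts(accounts, last_login, now, days=60):
    """Accounts with no login inside `days`; accounts that never logged in count too."""
    cutoff = now - timedelta(days=days)
    return sorted(u for u in accounts if last_login.get(u, datetime.min) < cutoff)

def stale_privileged(group_members, inactive):
    """Inactive accounts that still hold membership in an authority group."""
    return sorted(set(group_members) & set(inactive))

if __name__ == "__main__":
    inactive = inactive_accounts(ACCOUNTS, parse_last(LAST_OUTPUT), NOW)
    print("inactive >60 days:", inactive)
    print("inactive but privileged:", stale_privileged(WHEEL_MEMBERS, inactive))
```

Accounts in the second list are the ones to disable first: a dormant account in a privileged group is exactly what the 164.308(a)(3) workforce-security review is meant to catch.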

Page 30

Auditing and Monitoring Tools
– Security Level Reviews
  • ScriptLogic
    – Enterprise Security Reporter

Page 31

Auditing and Monitoring Tools
– Access Logs and Reviews
  • GFI tools – Events Manager

Page 32

Auditing and Monitoring Tools
– Access Logs and Reviews
  • GFI tools – LanGuard

Page 33

Auditing and Monitoring Tools
– Access Logs and Reviews
  • GFI tools – Endpoint Control

Page 34

Summary
• HIPAA policy areas of concern
• Target technology areas of concern
• Sample products and techniques for auditing/monitoring
• Focus on people

Page 35

One last thought.....

CIO Magazine Study: Mobile Workforce Represents Security Threat in '08 Due to Lack of Training, Awareness (CIO Study)

“Security is not a product, it is a process.”

Page 36

Questions?