This document provides an overview of healthcare data privacy regulations and compliance. It discusses key regulations like HIPAA, the types of entities covered, and penalties for violations. Specific examples of notable HIPAA violations from 2018 are also summarized, including large fines against organizations for data breaches exposing millions of patient records. The costs of data breaches are increasing, with the average breach costing over $3 million in 2018. Overall, the document outlines the importance of securing healthcare databases and staying compliant with regulations to avoid penalties and protect sensitive patient information.
Geek Sync | Keep your Healthcare Databases Secure and Compliant
1. Keep Your Healthcare Databases
Secure and Compliant
Kim Brushaber, Senior Product Manager, IDERA
Stan Geiger, Director, Product Management, Multi-Platform Tools, IDERA
2. Agenda
▪ Overview
▪ What is HIPAA?
▪ HIPAA Violations
▪ Data Breaches
▪ Data Compliance
▪ Demo
▪ Questions
3. Overview
▪ Healthcare Regulations
– The Social Security Act governs funding and requirements for
Medicare, Medicaid, CHIP, and more.
– HIPAA and the HITECH Act protect patient privacy, requiring
healthcare organizations to implement measures to keep
patient records secure.
– Federal Information Security Management Act (FISMA)
– The False Claims Act makes it illegal to file a false claim for
funds from a federal program.
– The Patient Protection and Affordable Care Act implemented
new requirements for insurance, Medicaid, and more.
4. HIPAA
▪ The Privacy Rule establishes a set of standards that
address how patient information can be used and
disclosed.
▪ Applies to three entity types:
– Health care providers
– Health plans
– Health care clearinghouses
5. HIPAA
▪ Health care providers
– Any provider that electronically transmits patient
information in connection with claims, eligibility
requests, referral authorizations, or similar
transactions
– Applicable transaction types are specified in the
HIPAA Transactions Rule
6. HIPAA
▪ Health plans
– Individual and group plans that provide or pay
the cost of medical care
– Entities
• Health maintenance organizations (HMOs)
• Medicare
• Medicaid
• Health or dental insurers
• Employer-sponsored group health plans
7. HIPAA
▪ Health care clearinghouses
– Entities that process patient data on behalf of
health plans or health care providers
– Transform the data in some way from a
nonstandard format to a standard format
– Included organizations:
• Billing services
• Community health management information
services
8. HIPAA
▪ Privacy Rule
– Protects all individually identifiable health
information
– Identifiable information
• The patient’s past, present, or future physical or mental
health
• Any health care services that the patient has received
• Any payment information related to the patient’s care
that can be used to identify the patient
9. Penalties
▪ Penalties
– Fines of $100 to $50,000 or more per violation
– Calendar cap of $1.5 million
– Individuals can also face criminal penalties up
to $250,000 and 10 years imprisonment
10. HIPAA
▪ Electronic PHI
– Ensure the integrity, confidentiality, and availability of all
e-PHI data in their possession.
– Identify and protect against anticipated threats to the e-PHI
data.
– Protect against anticipated non-permitted uses or
disclosures.
– Ensure that e-PHI data is not available to or disclosed to
non-authorized individuals in the workforce.
12. HIPAA and the DBA
▪ Ensure the confidentiality, integrity, and
availability of all electronic PHI data
▪ Prevent unauthorized individuals from
viewing, altering, or destroying the data,
while providing authorized users access
▪ Identify and protect against anticipated
threats as well as impermissible uses or
disclosures
13. HIPAA and the DBA
▪ Training
– Covered entity must train all workforce members on the
policies and procedures with respect to protecting PHI data.
– Covered entity should apply sanctions against workforce
members who fail to comply with the policies and
procedures.
– DBAs will participate in the process of writing policies and
procedures and training workforce members depending on
the organization and their circumstance.
– DBAs should fully understand the risks associated with
violating HIPAA regulations and what steps to take if they
discover a violation.
14. HIPAA and the DBA
▪ Securing environment
– Covered entity must assess the potential risks and
vulnerabilities to the electronic PHI and then implement
security measures to reduce those risks.
– Implement procedures for guarding against malicious
software as well as for managing and protecting passwords.
– Implement mechanisms for limiting and controlling physical
access to systems and facilities that house PHI data, while
providing for disaster recovery and emergency access.
– Implement safeguards that protect workstations accessing
PHI data, along with any other hardware or electronic media
used for sensitive data.
– Responsible for the proper disposition of PHI data from any
hardware or media on which it has resided.
15. HIPAA and the DBA
▪ Controlling access
– Ensure that workforce members have “appropriate access”
to electronic PHI, based on their roles in the organization.
– Implement procedures for authorizing workforce members,
supervising their access to data, determining whether that
access is appropriate, and terminating that access when
required.
– Assign a unique ID to each user for identifying and tracking
that user’s activities.
– Implement procedures for obtaining PHI data during an
emergency, terminating electronic sessions after a
predetermined time of inactivity, and encrypting and
decrypting PHI data.
16. HIPAA and the DBA
▪ Auditing and monitoring systems
– Implement procedures for monitoring log-in attempts and
reporting discrepancies.
– Implement “hardware, software, and/or procedural
mechanisms that record and examine activity in information
systems that contain or use electronic protected health
information.”
– Implement electronic mechanisms to verify that the PHI data
has not been “altered or destroyed in an unauthorized
manner.”
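The last bullet above asks for an electronic mechanism that detects unauthorized alteration or destruction of e-PHI. The following Python is an added example, not code from the deck or from any IDERA product: it seals each record with an HMAC stored beside the row and, on the next check, reports rows that were altered, deleted, or inserted without a seal. The key, table rows, and patient records are constructed placeholders.

```python
import hashlib
import hmac
import json

# Assumed placeholder: in production the key comes from a secrets store or HSM,
# never from the database that holds the rows it protects.
INTEGRITY_KEY = b"placeholder-key-from-secrets-store"

def canonical(record):
    """Serialize a record deterministically so column order cannot change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(record, key=INTEGRITY_KEY):
    """HMAC-SHA256 tag to store beside the row (separate column or audit table)."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify_table(rows, sealed_tags, key=INTEGRITY_KEY):
    """Compare current rows ({id: record}) with tags sealed earlier ({id: tag}).
    Returns ids grouped as 'altered' (content no longer matches its tag),
    'destroyed' (a sealed row is gone) and 'unsealed' (a row with no tag, e.g.
    inserted directly in the database, bypassing the application)."""
    findings = {"altered": [], "destroyed": [], "unsealed": []}
    for rid, tag in sealed_tags.items():
        if rid not in rows:
            findings["destroyed"].append(rid)
        elif not hmac.compare_digest(seal(rows[rid], key), tag):
            findings["altered"].append(rid)
    findings["unsealed"] = [rid for rid in rows if rid not in sealed_tags]
    return findings

# Constructed sample rows, sealed by the application at write time.
ORIGINAL = {
    "P1001": {"name": "A. Patient", "dx_code": "E11.9", "dob": "1970-04-02"},
    "P1002": {"name": "B. Patient", "dx_code": "I10", "dob": "1965-11-30"},
    "P1003": {"name": "C. Patient", "dx_code": "F32.1", "dob": "1988-01-15"},
}
TAGS = {rid: seal(rec) for rid, rec in ORIGINAL.items()}

# Constructed state of the table at the next integrity check: one diagnosis
# changed, one row deleted, one row inserted without going through seal().
# P1001 only has its columns reordered, which canonical() makes harmless.
CURRENT = {
    "P1001": {"dob": "1970-04-02", "name": "A. Patient", "dx_code": "E11.9"},
    "P1002": {"name": "B. Patient", "dx_code": "Z00.0", "dob": "1965-11-30"},
    "P1004": {"name": "D. Patient", "dx_code": "J45.9", "dob": "1990-07-07"},
}

def run_check():
    """Findings for the constructed sample; a real job would alert on any non-empty list."""
    return verify_table(CURRENT, TAGS)
```

A scheduled job that calls verify_table and files the findings also produces the documentation of incidents and outcomes that slides 17 and 18 require.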
17. HIPAA and the DBA
▪ Prepare for security incidents
– Provide individuals with a process for making complaints
about the organization’s policies and procedures or about its
compliance with those policies and procedures.
– You cannot retaliate against individuals who exercise their
rights, as provided by the Privacy Rule.
– Take the steps necessary to mitigate any harmful effects
that result from PHI data being compromised.
– Identify and respond to “suspected or known security
incidents; mitigate, to the extent practicable, security
incidents that are known; and document security incidents
and their outcomes.”
18. HIPAA and the DBA
▪ Document, document, document
– Sanctions against workforce members must be
documented, as well as all policies and procedures.
– Documentation must be retained for six years from the
creation date or when it was last in effect, whichever is later.
– Maintain a “record of the movements of hardware and
electronic media and any person responsible therefor.”
– Documentation should be updated as needed in response to
environmental or operational changes.
24. Fired Surgeon Sentenced to Prison
• Huping Zhou, former cardiothoracic surgeon, was fired
from his job as a researcher at the UCLA School of
Medicine
• After being fired, he illegally accessed the UCLA Medical
Records over 300 times
• He viewed records on his immediate supervisor, his
coworkers, and several celebrities (including Arnold
Schwarzenegger, Drew Barrymore, Leonardo DiCaprio,
and Tom Hanks)
• OUTCOME: He was sentenced to 4 months in jail and a
$2000 fine
28. Billing Gone Wrong
• Dr. Barry Helfmann, president-elect of the American
Group Psychotherapy Association
• His employees regularly forwarded past due patient bills
to collections firms
• The bills contained protected info like CPT codes which
can reveal patient diagnoses
• OUTCOME: The State of New Jersey sought to suspend
and revoke Helfmann’s license
31. Sorry, Wrong Number
• In 2013, an HIV-positive patient asked an office manager
to fax his medical records to his new urologist
• The very busy office manager accidentally faxed them to
the man’s new employer
• OUTCOME: Luckily, the result was only a sternly worded
warning and a mandate for regular HIPAA training for all
employees
34. Caught Red-Handed
• A Virginia clinic caught 14 employees who had
improperly viewed the medical files of a high profile
patient without a legitimate need
• The clinic caught the employees thanks to a logging
system on the backend of their IT systems which tracked
all access to files containing personal health information
• OUTCOME: The 14 employees were dismissed from
their jobs
38. Oops, I Did It Again
• In 2008, six doctors and thirteen employees at UCLA
Medical Center viewed Britney Spears’ medical records
after her 2008 psychiatric hospitalization
• Many of the employees were non-medical support staff
and none of them had a legitimate medical need to view
the health records
• This was the 2nd breach involving Britney Spears – in
2005, staff at another UCLA hospital were caught
peeking at her records after her son was born
• OUTCOME: The 13 employees were fired and the 6
doctors were suspended
42. Reality TV Ain’t What It Used to Be
• In 2013, an ABC reality TV show called NY Med filmed
two hospital patients at New York–Presbyterian Hospital
without their consent
• During the filming, one of the patients died in the
emergency room
• The hospital gave ABC unfettered access, creating a
situation where the protection of personal health
information was not possible
• OUTCOME: The hospital paid a $2.2 million settlement
44. HIPAA Violations – 2018
In October, Anthem, Inc. (a licensee of BCBS) agreed to
pay a record-breaking $16 million after the largest health
data breach in US history affected almost 79 million people.
https://www.hhs.gov/about/news/2018/10/15/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-health-data-breach-history.html
46. HIPAA Violations – 2018
In September, three healthcare institutions were collectively
fined $999,000 after allowing ABC to film a medical
documentary TV series without first obtaining authorization
from the patients.
ABC didn’t learn from 2013
https://www.hhs.gov/about/news/2018/09/20/unauthorized-disclosure-patients-protected-health-information-during-abc-filming.html
47. HIPAA Violations – 2018
In June, UT’s MD Anderson Cancer Center was fined $4.3
million due to the theft of an unencrypted laptop and the
loss of two unencrypted USB drives. The hardware
contained details on 33,500 individuals.
https://www.hhs.gov/about/news/2018/06/18/judge-rules-in-favor-of-ocr-and-requires-texas-cancer-center-to-pay-4.3-million-in-penalties-for-hipaa-violations.html
48. HIPAA Violations – 2018
In February, FMCNA, which provided products and services
to 170,000 patients with chronic kidney disease, agreed to
pay a $3.5 million fine in a settlement that covered 5
different data breaches.
https://www.hhs.gov/about/news/2018/02/01/five-breaches-add-millions-settlement-costs-entity-failed-heed-hipaa-s-risk-analysis-and-risk.html
50. In February of 2019, there were a total of 101 data
breaches which exposed over 2M sensitive records and
417M non-sensitive records.
96% of the sensitive records exposed were through
breaches in the Medical/Healthcare sector.
https://www.idtheftcenter.org/2019-data-breaches/
51. Almost 15 billion records have been lost or stolen since
2013. Only 4% were secure breaches, where encryption
was used and the stolen data was useless.
BreachLevelIndex.com
52. Over 6.5 million data records are lost or stolen
every day.
http://breachlevelindex.com/
56. 2018 Cost per Data Breach
• The average cost for each lost or stolen record
containing sensitive and confidential information was
$148 (a 4.8% increase from the year before)
• The average size of a data breach was 26,000 records
• $148 x 26,000 ~ $3.86 M (increased 6.4% over 2017)
https://www.ibm.com/security/data-breach
63. Why We Have Regulations
• Improved Security
– Establishing a baseline keeps security levels relatively consistent across
companies and industries
• Minimize Loss
– Good practices in place prevent data breaches
• Increase Internal Control
– Reduce employee mistakes and insider theft
• Maintain Trust
– Customers trust people who follow set standards
• Reporting Consistency
– Consistent reports allow audits to go more smoothly
64. Data Standards vs Security Standards
• Data Standards: “WHAT”
– What information needs to be protected/audited
– What you should do if your data is breached
• Security Standards: “HOW”
– How you should configure your network
– How you should configure your systems (e.g. SQL
Server, Oracle)
69. What the Regulations Look For
• Reporting (and Maintaining) Audit Data
• Tracking User Access
• Protecting the Data from the Bad Guys (and Watch for
Data Breaches)
• Planning and Having Good Processes and Response
Plans
• Assessing Your Risks
79. Oracle Features for Compliance
• Reporting
– Auditing
• Tracking
– Access Control
– Separation of Duties
• Protection
– Encryption
– Security Monitoring and Alerting
– Data Masking and Data Redaction
• Assessing
– Risk Assessments
82. What Can Tools Like SQL
Compliance Manager Do?
• Reporting
– Capture Activity On Database (DDL And DML)
– Track The Behavior Of Privileged Users
– Track Who Is Accessing Your Sensitive Data
– Track Who Has Changed Your Data And What Has It Changed To
– Track Security And Administrative Changes
– Track User-Defined Events
– Audit Systems Tables, Stored Procedures, Views, Indexes, Etc.
• Tracking
– Capture Logins, Logouts, Failed Logins
• Protecting
– Determine How Much Data Was Accessed In A Breach
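As an added illustration of the login monitoring in slide 16 and the access tracking and breach-scoping items listed above (not code from the deck or from SQL Compliance Manager), this Python runs three checks over a constructed audit trail: bursts of failed logins, record access by users with no treatment relationship to the patient (the pattern behind the Virginia clinic and UCLA cases), and how many distinct records one account touched when scoping an incident. The log format, user names, and care-team mapping are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not from a real system): one event per line,
# "timestamp|user|event|patient_id"; patient_id is "-" for login events.
SAMPLE_AUDIT = """\
2019-03-04T08:01:10|nurse_kay|LOGIN_OK|-
2019-03-04T08:02:15|nurse_kay|READ|P1001
2019-03-04T09:10:02|clerk_bob|LOGIN_OK|-
2019-03-04T09:11:30|clerk_bob|READ|P2000
2019-03-04T12:00:00|ex_staff|LOGIN_FAIL|-
2019-03-04T12:00:20|ex_staff|LOGIN_FAIL|-
2019-03-04T12:00:41|ex_staff|LOGIN_FAIL|-
2019-03-04T12:01:05|ex_staff|LOGIN_FAIL|-
2019-03-04T12:01:30|ex_staff|LOGIN_FAIL|-
2019-03-04T12:02:00|ex_staff|LOGIN_OK|-
2019-03-04T12:03:10|ex_staff|READ|P2000
2019-03-04T12:04:00|ex_staff|UPDATE|P3000
"""

# Constructed treatment relationships (assumed to come from the EHR or
# scheduling system): who has a legitimate need for each patient's record.
CARE_TEAM = {"P1001": {"nurse_kay"}, "P2000": {"dr_lee"}, "P3000": {"dr_lee"}}

def parse_audit(text):
    """Turn the pipe-delimited trail into dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        ts, user, event, pid = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "patient": None if pid == "-" else pid})
    return events

def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` LOGIN_FAIL events inside any sliding
    time window (the log-in discrepancy slide 16 asks to report). {user: count}"""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged

def access_without_relationship(events, care_team):
    """(user, patient) pairs where a record was read or changed by someone
    not on that patient's care team; duplicates collapsed, order kept."""
    flagged = []
    for e in events:
        if e["patient"] and e["user"] not in care_team.get(e["patient"], set()):
            pair = (e["user"], e["patient"])
            if pair not in flagged:
                flagged.append(pair)
    return flagged

def records_touched(events, user):
    """Distinct patient records one account accessed: the first number an
    incident responder needs when scoping how much data a breach reached."""
    return len({e["patient"] for e in events if e["user"] == user and e["patient"]})
```

On the sample, ex_staff trips the failed-login check, both clerk_bob and ex_staff show up as accessing records outside their care relationships, and ex_staff touched two distinct records.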
83. IDERA Products Can Help You
With:
• Reporting (and Maintaining) Audit Data
– SQL Compliance Manager
• Tracking User Access
– SQL Compliance Manager
• Protecting the Data from the Bad Guys (and Watch for Data Breaches)
– SQL Compliance Manager
– SQL Secure
• Planning and Having Good Processes and Response Plans
– SQL Compliance Manager
– SQL Secure
– ER/Studio Business Architect
• Assessing Your Risks
– SQL Compliance Manager
– SQL Secure
86. In Conclusion
▪ Data breach continues to be a growing problem
▪ Regulations require organizations to:
– Report audit data
– Track user access
– Protect data from the bad guys
– Have good processes and response plans
– Understand what your risks are
▪ The right tools can help to simplify and automate the
auditing process