Data breaches continue to threaten patient privacy and leave medical service providers with a heavy financial burden. As companies plan their go-to-market strategy, the question that comes up more than any other is how to protect health data. We face the challenge of protecting the health data we handle while staying within the compliance requirements defined by the HITECH Act, HIPAA, and related regulations.
This talk focused on the security challenges of health data.
7. Costs of Medical Identity Theft 2010
$214 per healthcare record
$20,663 average cost to victim
$2 Million per healthcare data breach
Data courtesy of Ponemon Institute
• 2010 Benchmark Study on Patient Privacy and Data Security
• Second Annual Survey on Medical Identity Theft
• 2010 Annual Study: U.S. Cost of a Data Breach
Jean Pawluk 7
13. Sensitive Health Information
“Individually identifiable health information” is information, including demographic data, that relates to:
• an individual’s past, present or future physical or mental health or condition,
• provision of health care to the individual, or
• past, present, or future payment for the provision of health care to the individual
Jean Pawluk 13
14. Electronic Protected Health Information
• Name
• Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
• All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age)
• Telephone numbers
• Fax number
• Email address
• Social Security number
• Medical record number
• Health plan beneficiary number
• Account number
• Certificate/license number
• Any vehicle or other device serial number
• Medical device identifiers or serial numbers on implants
• Finger or voice prints
• Photographic images
• Passport number
• State ID card
• Any other characteristic that could uniquely identify the individual
Jean Pawluk 14
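A worked check against the identifier list above, added here as an example and not part of the talk: a small Python routine that drops the listed direct identifiers from a record, reduces date elements to the year, scrubs SSN, phone and e-mail patterns out of free text, and reports anything that still looks like PHI. The record keys, the regular expressions and the sample patient are constructed for this example.

```python
import re
from datetime import date
# Record keys standing in for the identifiers on the slide (constructed names);
# these fields are removed outright. Exact age is listed with the date elements.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "zip", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_serial",
    "device_serial", "fingerprint", "voiceprint", "photo", "passport", "state_id", "age"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}  # keep year only
FREE_TEXT_PATTERNS = {  # identifiers that leak into notes (constructed, not exhaustive)
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")}

def year_only(value):
    """Reduce a date object or ISO 'YYYY-MM-DD' string to its year; None if unparseable."""
    if isinstance(value, date):
        return str(value.year)
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(value))
    return m.group(1) if m else None

def scrub_text(text):
    """Replace free-text identifier patterns with a redaction tag."""
    for label, pat in FREE_TEXT_PATTERNS.items():
        text = pat.sub(f"[{label} redacted]", text)
    return text

def deidentify(record):
    """Copy of record with direct identifiers dropped, dates reduced to year, text scrubbed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            year = year_only(value)
            if year:  # an unparseable date is dropped rather than passed through
                out[key + "_year"] = year
        else:
            out[key] = scrub_text(value) if isinstance(value, str) else value
    return out

def residual_phi(record):
    """Post-check: keys or free-text hits that still look like PHI (empty when clean)."""
    hits = [k for k in record if k in DIRECT_IDENTIFIERS or k in DATE_FIELDS]
    for key, value in record.items():
        if isinstance(value, str):
            hits += [f"{key}:{label}" for label, pat in FREE_TEXT_PATTERNS.items() if pat.search(value)]
    return hits

SAMPLE = {  # constructed record for a fictional patient
    "name": "A. Example", "street": "1 Main St", "city": "Springfield", "state": "IL",
    "zip": "62704", "ssn": "123-45-6789", "mrn": "MRN-0001", "age": 40, "diagnosis": "J18.9",
    "birth_date": "1970-03-15", "admission_date": date(2010, 6, 1), "discharge_date": "June 2010",
    "notes": "Callback 555-123-4567, contact a.example@example.org"}
```

Running `residual_phi` over the output is the useful part: it flags a record that was only partly cleaned, including identifiers hiding in free-text notes.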
15. Gramm-Leach-Bliley Act (GLBA)
• Provided to obtain (or in connection with) a financial product or service
• Results from any transaction involving a financial product or service between you and a customer
Examples of customer private personal information include but are not limited to:
• Social Security Number
• Credit Card Number
• Account Numbers
• Account Balances
• Any Financial Transactions
• Tax Return Information
• Driver’s License Number
• Date/Location of Birth
Jean Pawluk 15
16. Even More Rules
• PCI
• SOX (public)
• FISMA
• Privacy Rules
– EU
– Canada
– Australia
Jean Pawluk 16
20. Healthcare Security Standards
[Diagram: healthcare security standards grouped under the headings Data Integrity, Internet Security, Authentication and System Security. Elements shown, by column:]
• Encryption, Identification, Data Integrity, Signature Process, Non-repudiation
• Personal Health Records, Communication, Processing, Permanence, Storage
• Secure Internet Services
General Security Standards: 200+ standards for Internet and Information Systems
20
21. Key Areas of ISO 17799
[Diagram: DATA (Confidentiality, Integrity, Availability) at the centre, surrounded by the key areas:]
• Security Policy
• Security Organization
• Asset Classification
• Personnel security
• Physical security
• Communication & Operations
• Access Control
• System Development & Maintenance
• Business Continuity Planning
• Incident Handling
• Compliance
Jean Pawluk 21
22. ISO 27799
Security management in health using ISO
• Personal health information
• Pseudo-anonymous data derived from personal health information
• Statistical and research data derived by removal of personally identifying data
• Clinical / medical knowledge not related to specific patients (e.g., data on adverse drug reactions)
• Data on health professionals and staff
• Information related to public health surveillance
• Audit trail data that are produced by health information systems containing personal health information or data about the actions of users in regard to personal health information
• System security data, e.g.: access control data and other security related system configuration data for health information systems
22
23. ISO 27799:2008 Healthcare
• Threats to health information security
• How to carry out the tasks of the Healthcare Information Security Management System described in ISO 17799
23
24. Healthcare Security Steps
1. Identify Systems At Risk
Systems containing sensitive healthcare, financial and IP data and/or having a high business risk
2. Information Gathering and Planning
Partner with subject matter experts to gather information to identify system exposures
3. Evaluate Risk & Vulnerability
Risk is the expectation of damage given the probability of attack
4. Identify Possible Solutions (Controls / Mitigation)
Processes, tools & procedures that reduce the probability of an exposure being exploited
Leverage common security architecture & processes
5. Determine Feasibility & Acceptable Risk
Feasibility based on key dependencies, technological know-how and business readiness
May decide to accept lower risk factors based on feasibility
6. Roadmap Prioritization
Putting it all together
7. Execute the Plan
8. Repeat
Jean Pawluk 24
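The steps above carried through in code, added as an example and not taken from the talk: inherent risk computed as expected damage using the $214-per-record figure from the cost slide, residual risk after applying only the controls judged feasible, a threshold below which risk is accepted, and a ranked roadmap. The system inventory, attack probabilities and control-effectiveness fractions are assumed values constructed for the example.

```python
# Cost per healthcare record from the Ponemon figure quoted on the costs slide (2010).
COST_PER_RECORD = 214

def expected_loss(records, probability, cost_per_record=COST_PER_RECORD):
    """Step 3: risk expressed as expected damage = probability of attack x impact."""
    return probability * records * cost_per_record

def residual_probability(probability, controls):
    """Steps 4-5: apply only the controls judged feasible; each control cuts the
    probability of the exposure being exploited by its stated fraction (assumed values)."""
    for control in controls:
        if control["feasible"]:
            probability *= 1 - control["reduction"]
    return probability

def build_roadmap(systems, acceptable_loss):
    """Step 6: rank systems by residual expected loss; a residual loss at or below
    the acceptable threshold is recorded as accepted risk rather than scheduled work."""
    rows = []
    for s in systems:
        inherent = expected_loss(s["records"], s["probability"])
        residual = expected_loss(s["records"], residual_probability(s["probability"], s["controls"]))
        rows.append({"system": s["name"], "inherent": inherent, "residual": residual,
                     "status": "accept" if residual <= acceptable_loss else "mitigate",
                     "controls": [c["name"] for c in s["controls"] if c["feasible"]]})
    return sorted(rows, key=lambda r: r["residual"], reverse=True)

# Step 1 inventory: constructed systems with assumed record counts, attack
# probabilities and control effectiveness (illustrative numbers only).
SYSTEMS = [
    {"name": "EHR database", "records": 500_000, "probability": 0.10,
     "controls": [{"name": "encrypt at rest", "reduction": 0.5, "feasible": True},
                  {"name": "MFA for clinicians", "reduction": 0.4, "feasible": True}]},
    {"name": "Billing (PCI + GLBA data)", "records": 200_000, "probability": 0.05,
     "controls": [{"name": "tokenize card data", "reduction": 0.6, "feasible": False}]},
    {"name": "Research extract", "records": 50_000, "probability": 0.02,
     "controls": [{"name": "de-identify records", "reduction": 0.9, "feasible": True}]},
]

if __name__ == "__main__":
    for row in build_roadmap(SYSTEMS, acceptable_loss=50_000):
        print(f"{row['system']:<26} inherent ${row['inherent']:>12,.0f}  "
              f"residual ${row['residual']:>12,.0f}  {row['status']}")
```

Note that the billing system keeps its full inherent loss because its only control was marked infeasible, which is exactly the case step 5 asks you to surface rather than hide.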
34. Summary
• Health Risk Management means You are Liable
• Use Compensating Controls
• Plan for Failure
• Trust but Verify
• Web Services Security is an oxymoron because technology is dynamic and browsers are frail
• Good security = Compliance, but Compliance ≠ Good Security
34
37. Resources
• NIST Intro Guide to test HIPAA security
http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
• NIST Health IT Standards and Testing program
http://healthcare.nist.gov/
• PCI DSS Quick Reference Guide
https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf
• Cloud Security Alliance
http://www.cloudsecurityalliance.org/
• JERICHO Forum
http://www.opengroup.org/jericho/
• HIPAA & HiTech
http://www.sharedassessments.org/
• ISO 27799:2008 Healthcare
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=41298
• ISO/TS 21091:2005 Directory services for security, communications and identification of professionals and patients
• Open Web Application Security Project
http://www.owasp.org/index.php?title=Category:OWASP_Guide_Project&redirect=no
Jean Pawluk 37