
Security and eHealth


Presentation Transcript


  1. Security and eHealth Edward Meyers Antonio Wilkinson Dalavone Phothisen April 3, 2009

  2. OVERVIEW • Introduction • OIG/OAS • HIPAA • Security Rule • OIG HIPAA Audits • Summary • IT Security • Vulnerabilities • Threats/Exploits

  3. OVERVIEW • HIT Emerging Issues • Funding • Studies • Data Exchange vs. Data Warehouse • Demo: Wireless Hack

  4. INTRODUCTION: OFFICE OF THE INSPECTOR GENERAL • MISSION: the mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452 (as amended), is to protect the integrity of Department of Health and Human Services (HHS) programs, as well as the health and welfare of the beneficiaries of those programs. The OIG has a responsibility to report both to the Secretary and to the Congress program and management problems and recommendations to correct them. The OIG's duties are carried out through a nationwide network of audits, investigations, inspections and other mission-related functions performed by OIG components.

  5. INTRODUCTION: OIG ORGANIZATION CHART

  6. INTRODUCTION: OFFICE OF AUDIT SERVICES (OAS) • Mission: We, the independent auditors for the Department of Health and Human Services (HHS), identify and report ways to improve, through a shared commitment with management, the economy, efficiency and effectiveness of operations and services to beneficiaries of HHS programs.

  7. INTRODUCTION: OAS ORGANIZATION CHART • Deputy Inspector General for Audit Services • Assistant Inspector General for Centers for Medicare & Medicaid Audits • Assistant Inspector General for Financial Management and Regional Operations • Assistant Inspector General for Grants, Internal Activities, and IT Audits • Assistant Inspector General for Audit Management & Policy • Regional Inspectors General for Audit Services: Region I, Region II, Region III, Region IV, Region V, Region VI, Region VII, Region IX

  8. HIPAA: SECURITY RULE • Issued on: February 20, 2003 • Effective Date: April 21, 2003 • Compliance Date: April 21, 2005 (for most) April 21, 2006 (small plans) • Security Safeguards: Administrative Safeguards • Physical Safeguards • Technical Safeguards

  9. BACKGROUND Title II of HIPAA • Sets civil and criminal penalties • Creates several programs to control fraud and abuse within the healthcare system • Creates standards for use and dissemination of health care information (Administrative Simplification rules) • Most Significant • Apply to “covered entities”

  10. CRITERIA HHS has promulgated final rules for privacy and security of health information and for the enforcement of these rules. (45 CFR Parts 160 and 164)

  11. HIPAA: SECURITY RULE Standard Specifications • Required Implementation Specifications (R) • Must be adopted and administered • Addressable Implementation Specifications (A) • Flexible, but must perform an assessment to determine reasonableness • “Covered entities” must document assessments and all decisions

  12. HIPAA: SECURITY RULE • Security should not be confused with Privacy or Confidentiality • Privacy: refers to the right of an individual to control his/her personal information without risk of it being divulged or misused by others against his or her wishes • Confidentiality: only becomes an issue once the individual's personal information has been received by another entity. Confidentiality is then a means of protecting this information • Security: refers to the spectrum of physical, technical and administrative safeguards used for this protection

  13. HIPAA: SECURITY RULE • Purpose of Safeguards: • To ensure integrity and confidentiality of health information and to protect against security breaches and unauthorized use or disclosure of health information (45 CFR Part 164 Subpart C) • Applicability: • To covered entities who engage in standard HIPAA transactions, which includes electronic transactions for plan enrollment, submission of claims or health encounter records, coordination of benefits, and payments; Focuses on ePHI

  14. HIPAA: TECHNICAL SAFEGUARDS • Access Control • A documented procedure for granting emergency access to data • Provision for unique user IDs • The optional use of encryption and decryption • Provision for an automatic logoff after a period of idle time

  15. HIPAA: TECHNICAL SAFEGUARDS • Audit Controls • HIPAA requires that every technical system employ logging of information accesses • The specific mechanisms for parsing logins are not specified • The logs themselves should be protected

  16. HIPAA: TECHNICAL SAFEGUARDS • Integrity • Steps must be taken to ensure that the protected data has not been modified in any unauthorized manner • Checksums, double keying, message authentication codes and digital signatures are ways of accomplishing this
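To make the difference between these mechanisms concrete, the following is an added Python example (not from the presentation) that tags a constructed ePHI record with both an unkeyed SHA-256 checksum and an HMAC-SHA256 message authentication code, then shows that the checksum only catches accidental corruption, while the keyed MAC also catches a deliberate edit whose author refreshed the checksum. The record contents and the key are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed sample ePHI record; not taken from the presentation.
RECORD = {"patient_id": "P-000123", "diagnosis": "J18.9", "rx": "amoxicillin 500mg"}

def canonical(record: dict) -> bytes:
    """Serialise deterministically so identical content always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def checksum(record: dict) -> str:
    """Unkeyed SHA-256 digest: anyone who can edit the record can recompute it."""
    return hashlib.sha256(canonical(record)).hexdigest()

def mac(record: dict, key: bytes) -> str:
    """HMAC-SHA256 tag: recomputing it requires the key that the verifier holds."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def checksum_ok(record: dict, tag: str) -> bool:
    return hmac.compare_digest(checksum(record), tag)

def mac_ok(record: dict, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac(record, key), tag)

def integrity_controls_compared(key: bytes) -> dict:
    """Check each control against accidental corruption and a deliberate edit."""
    stored_sum = checksum(RECORD)   # tags written alongside the record at save time
    stored_mac = mac(RECORD, key)
    # Accidental corruption: the stored data changes but the stored tags do not.
    corrupted = dict(RECORD, rx="amoxicillin 50mg")
    # Deliberate edit: the editor changes the record and refreshes the unkeyed
    # checksum to match; without the key the stored HMAC cannot be refreshed.
    edited = dict(RECORD, diagnosis="Z00.0")
    refreshed_sum = checksum(edited)
    return {
        "checksum_detects_corruption": not checksum_ok(corrupted, stored_sum),
        "mac_detects_corruption": not mac_ok(corrupted, key, stored_mac),
        "checksum_detects_edit": not checksum_ok(edited, refreshed_sum),
        "mac_detects_edit": not mac_ok(edited, key, stored_mac),
    }

if __name__ == "__main__":
    print(integrity_controls_compared(b"constructed-demo-key"))
```

The same keyed tag, written per entry, is one way to meet the earlier slide's point that audit logs themselves must be protected, since a log editor without the key cannot produce a valid tag for an altered line.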

  17. HIPAA: TECHNICAL SAFEGUARDS • Person or Entity Authentication • Organizations must take steps to validate the authenticity of an entity attempting to access data • Many solutions exist for this (biometrics, passwords, PIN numbers, tokens and telephone callback procedures)

  18. HIPAA: TECHNICAL SAFEGUARDS • Transmission Security • All covered entities must maintain at a minimum • Authenticity of the entity at the other end of the wire • Alarms to sense abnormal conditions • Auditing to allow the reconstruction of events • Event reporting to identify problems • May use encryption of transmitted data to accomplish these tasks

  19. CIVIL MONEY PENALTIES (Outdated) Penalties • Failure to Comply • $100 per failure • $25,000 maximum per calendar year • Deliberate Violations: Potential Penalties • $50,000 - $250,000 and 1-10 years imprisonment

  20. CURRENT OAS WORK • Primary Focus is the Security Rule • Exceptions Categories to Date: • Access Controls • Audit Controls • Integrity • Person or Entity Authentications • Transmission Security

  21. OIG SUMMARY OF FINDINGS: TECHNICAL SAFEGUARDS • TECHNICAL SAFEGUARDS VULNERABILITIES • Access Control vulnerabilities • Wireless – No encryption or WEP • Adequate security settings not applied • User access levels not reviewed • Inactive accounts not disabled or locked • User accounts inactive for excessive periods • Audit Control Vulnerability • Server settings for audit logging disabled

  22. OIG SUMMARY OF FINDINGS: TECHNICAL SAFEGUARDS • INTEGRITY CONTROL VULNERABILITIES • OS no longer supported by manufacturer • Inconsistently applied security patches • Computers lacked current antivirus updates • Personal computers and servers lacked current service packs • TRANSMISSION SECURITY VULNERABILITY • Unencrypted sensitive information on compact discs

  23. OIG SUMMARY OF FINDINGS: PHYSICAL SAFEGUARDS • PHYSICAL SAFEGUARD VULNERABILITIES • Uncontrolled access to EPHI • Deactivated alarm on emergency door • EQUIPMENT CONTROL VULNERABILITIES • No computer equipment inventory • No password protection for computers on portable carts • No written plan for media disposal

  24. OIG SUMMARY OF FINDINGS: ADMINISTRATIVE SAFEGUARDS • ADMINISTRATIVE SAFEGUARD VULNERABILITIES • Contingency plan incomplete • Backup tapes at risk: taken offsite only once a week • No backup tape catalogs

  25. IT SECURITY THREATS/EXPLOITS • Medical Identity theft • Access to medical information for sale/profit • Theft of equipment • Environmental and Natural Disasters • Internet malware

  26. AMERICAN RECOVERY & REINVESTMENT ACT (ARRA) • P.L. 111-05, signed February 17, 2009 • Title XIII of Division A comprises the provisions known as HITECH

  27. ARRA CONT • HITECH enacts five components • The national coordinator of HIT policy • Est. federal advisory committees (policy & std) • An expanded role for testing and research • To test and certify HIT, including EHR • Federal subsidies for promoting and implementing HIT (primarily for states) • $17.2 billion of incentive payments for EHR • Revisions to current privacy and security rules

  28. RECOVERY INCENTIVE PAYMENTS Section 4101: Incentives for Eligible Professionals • Purpose: To provide incentives to eligible professionals for meaningful use of certified electronic health records (EHRs) • For eligible Medicare professionals. Also, certain MA organizations.

  29. RECOVERY INCENTIVE PAYMENTS Section 4102: Incentives for Hospitals • Purpose: To provide incentives to eligible hospitals for the meaningful use of certified EHRs.

  30. RECOVERY INCENTIVE PAYMENTS Section 4201: Medicaid Provider HIT adoption & operation payments • Purpose: To provide incentives to eligible Medicaid providers to purchase, implement, and operate certified electronic health record technology. • The Medicaid definition of eligible professionals is not statutorily defined and includes physicians, dentists, certified nurse-midwives, nurse practitioners, and physician assistants practicing in physician-assistant-led FQHCs and RHCs (provided other requirements are met)

  31. RECOVERY INCENTIVE PAYMENTS • Amounts • Under both Medicaid components, providers can receive up to $64,000 (est.). • Formulas for the other components

  32. HIT EMERGING ISSUES: FUNDING FOR THE UNFUNDED Section 4104: Studies and Report on HIT • Incentive payments to MA organizations • EHR incentive payments for providers • Providers receiving minimal or no incentive payments (SNFs, HHAs/hospices, labs and non-physicians) will be covered by a study conducted by the Secretary on their later inclusion.

  33. STUDY ON OPEN SOURCE HEALTH INFORMATION TECHNOLOGY SYSTEMS • Availability of Open source HIT systems • VA • IHS • AHRQ • HRSA

  34. ARRA HIPAA PENALTY Under the new law, the Secretary may impose fines ranging from $100 up to $50,000 for each violation of HIPAA depending on whether a violation was inadvertent, reasonable, or due to willful neglect. The maximum penalty faced by an offender ranges from $25,000 to $1.5 million during a calendar year, again depending upon an offender’s culpability.

  35. Privacy and Security • Security Breach Notification • Establishes a federal security breach notification requirement for health information that is not encrypted or otherwise made indecipherable.

  36. Privacy and Security • Business Associates • Are now subject to same privacy and security rules as providers and health insurers

  37. Where do we go from here? • Data exchange vs. data warehouse • Wireless Hack THE END
