1 / 25

Installation and Maintenance of Health IT Systems

Installation and Maintenance of Health IT Systems. System Security Procedures and Standards.

olliet
Download Presentation

Installation and Maintenance of Health IT Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Installation and Maintenance of Health IT Systems System Security Procedures and Standards This material (Comp 8 Unit 6) was developed by Duke University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000024. This material was updated in 2016 by The University of Texas Health Science Center at Houston under Award Number 90WT0006. This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/. Lecture b

  2. System Security Procedures and Standards Learning Objectives • Identify regulatory requirements for EHRs (lecture a) • Provide training for system users regarding the methods and importance of security compliance (lecture a) • Identify administrative, physical, and technical safeguards for system security and regulatory compliance (lectures a, b) • Identify best practices for system security (lecture b) • Identify best practices for risk / contingency management (lecture b)

  3. Technical Safeguards: Access Control • Technical Safeguards include • Access controls • Audit controls • Integrity controls • Transmission security • Most effective: layered approach. • Multiple technologies employed concurrently. • Access controls begin with authorization: • Which persons or groups have been authorized to access ePHI? • Can be implemented with • AD (Active Directory), LDAP (Lightweight Directory Access Protocol) • Vendor-specific controls usually part of EHR (Summary of the HIPAA Security Rule, n.d.)

  4. Technical Safeguards: Audit Control • Hardware/software/procedural mechanisms to record & examine access & other activity • Data to be logged can vary depending on level of access controls to ePHI data. • In general, servers should use OS system logging tools to track: • Who accessed (or tried to access) server. • What data/databases were accessed, any changes made. (Summary of the HIPAA Security Rule, n.d.)

  5. Technical Safeguards: Audit Control(cont’d) • EHR should also support logging: • User access • Patient data accessed • Sign-on failures • Data changes made • Periodic proactive audits (sampling) • Consider for higher-risk patient populations (e.g., employees) or after publicized events • To deter abuse, make users aware. • Reactive audits triggered by defined event (University of Wisconsin-Madison, 2004)

  6. Technical Safeguards: Integrity Control ePHI data must not be altered or destroyed improperly. This should be ensured through proper • Policies • Procedures • Electronic measures and controls • Network access • Computer or Server access • Database access (Summary of the HIPAA Security Rule, n.d.)

  7. Technical Safeguards: Transmission Security Transmission security technologies can include • VPNs, Firewalls, VLANs, Intrusion Detection Network transmissions of ePHI must guard against unauthorized access • Eavesdropping on traffic required access to network medium Offsite access and connections are especially vulnerable • Should be limited and tightly regulated • Use Virtual Private Network (VPN) to encase traffic • Uses encryption, authentication, authorization to protect data. • Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPSec), OpenVPN, Cisco AnyConnect or similar, but NOT Point-to-Point Tunneling Protocol (PPTP) (Summary of the HIPAA Security Rule, n.d.)

  8. What is a Virtual Private Network (VPN)? Image Courtesy of Scott Neal.

  9. Technical Safeguards: Firewall • Inspects incoming network traffic; permits or denies access based on criteria. • Hardware- or software-driven. • Blocks ports through which intruders can gain access (e.g., port 80, which regulates web traffic). • Most commonly placed on network perimeter (network-based) or network device (host-based). • EHR will require certain ports to remain open. (Summary of the HIPAA Security Rule, n.d.)

  10. Firewalls Image Courtesy of Scott Neal.

  11. Technical Safeguards: Virtual Local Area Network (VLAN) • Divides networks administratively • Multiple VLANs can separate devices and data, so that sensitive traffic is unseen by non-authorized devices • One physical network, multiple virtual networks • One example VLAN setup: • Administration (Internet access, appointments) • Voice (IP Phones and teleconferencing) • Labs (EHR access and lab equipment) • MedData (EHR access, billing, insurance, clinic data)

  12. Technical Safeguards: Intrusion Detection System (IDS) • Monitors networks or systems for malicious activities or policy violations. • Logs such activity and notifies administrator. • Advanced systems can take preemptive actions to stop activities (Intrusion Prevention System, or IPS).

  13. Common Security Vulnerabilities and Breaches According to the TCP/IP Core Networking Guide from Microsoft: • Inside jobs, social engineering • Brute force • Eavesdropping, sniffing, snooping • Data modification • Identity spoofing • Password-based attacks • Denial of service attacks • Man in the middle attacks • Application layer attacks (Microsoft/TechNet, n.d.)

  14. Server & Computer Security Tips • Install firewall, IDS, & monitoring tools to monitor & protect all servers using/storing ePHI • Strong policies for tracking ePHI, and limiting transmission or storage to only approved systems. • Hide or remove default or guest accounts • Provide a method for generating and verifying strong passwords • Monitor user account usage. Disable unused accounts. • Antivirus software, with updates • Attack surface reduction: turn off unneeded server applications & reduce attack surface. • Review and verify vendor recommendation for secure configuration • Create security baseline: scan and verify implementation • Install service packs within 48 hours of release. • Lock down database applications, regularly install updates. (Password Strength, 2012)

  15. Server & Computer Updates and Security Baseline • System updates and service packs • Automatic and immediate for Internet connected systems • Test and verify before patching critical systems • Note: many networked medical devices are only supported by the vendor with specific software of configurations. Check with the system vendor before installing patches on patient medical devices. • Create security baseline: scan and verify implementation • Database applications will have their own updates and patching procedures

  16. Contingency Plans • Back-up and Storage of critical data • Plan to restore systems • List of Emergency Contacts • Contingency plan for temporary office space • Maintaining secure offsite data storage • Criteria for activating contingency plan (Hartley, 2005)

  17. Contingency Plans (cont’d) • Written plans • Risk analysis/assessment • Database backup • Database secure storage • Data restore plan • Disaster recovery plan • Critical incident response plan • Software inventory • Hardware inventory • Logs: transmission points

  18. Data Backup Policy • Data integrity just as important as confidentiality. • Backing up critical files, including patient or EHR databases, helps ensure data recovery after catastrophic failure or security breach. • Determine procedures, hardware, and software required for reliable & efficient backup of production databases.

  19. Secure Data Storage & Restore Policies • Data most susceptible to corruption or loss in state of rest (90% of the time). • Databases need particularly thorough analysis for risks. • Detailed guidelines for securing and safely restoring data stored on network.

  20. Disaster Recovery & Critical Incident Response Plans • Address emergencies requiring immediate intervention to protect network or restore operational status after catastrophe. • Based on original risk analysis. • Outlines elements, procedures, & people needed to restore network or mitigate imminent threat in timely manner.

  21. Hardware & Software Inventories • Hardware inventory • Loss of hardware can mean a loss much greater than just replacement cost. • Helps ensure equipment properly locked down and secure. • Software inventory • Provides insight to manage/mitigate risks to network from software vulnerability. • Facilitates proper software management practices, patching.

  22. Logs: Transmission Points • Effective logging and monitoring strategy is critical to network security. • Logs can be overwhelmingly large. Determine which data need stringent monitoring (e.g., who is accessing); begin by concentrating efforts there. • Written plan of what is logged & why, with procedures for auditing & record of accountability to ensure compliance.

  23. System Security Procedures and StandardsSummary • Technical safeguards for ePHI are those automatically enforced by systems • System vulnerabilities exist, but application of best practices for system security will reduce exposure and risk • Risk and contingency plan development is a critical step in ensuring secure operation of EHR systems and regulatory compliance

  24. System Security Procedures and StandardsReference Reference: Common Types of Network Attacks. (n.d.) Microsoft Windows TCP/IP Core Networking Guide. Distributed Systems Guide, Windows 2000 Server . http://technet.microsoft.com/en-us/library/cc959354.aspx Health Information Privacy - Summary of the HIPAA Security Rule. (n.d.). Retrieved February 8, 2012, from U.S. Department of Health & Human Services website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html How to Implement EHRs. (2013, April 3). Retrieved June 30, 2016, from https://www.healthit.gov/providers-professionals/ehr-implementation-steps Password Strength (n.d.). Retrieved January 12, 2012, from Wikipedia: http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords Images: Slide 8: VPN example, 2012. Provided by Scott Neal Slide 10: Firewall example, 2012. Provided by Scott and Nolan Neal

  25. Installation and Maintenance of Health IT Systems System Security Procedures and StandardsLecture b This material was developed by Duke University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000024. This material was updated in 2016 by The University of Texas Health Science Center at Houston under Award Number 90WT0006.

More Related