Network Security for End Users in Health Care

Transcript of "Network Security for End Users in Health Care" (Name of Presenter, Title of Presenter).

Page 1:

Network Security for End Users in Health Care

Name of Presenter, Title of Presenter

Page 2:

Agenda

Why Is Security Important?

Components of Network Security

How You Can Help Keep the Network Secure

Page 3:

Why is Security Important?

Page 4:

Why Should We Care about Network Security?

Potential for downtime and impact on patient care

Expense to the practice (the dreaded blank check scenario)

Damage to reputation for security breaches (newspaper headlines)

Possible fines for security breaches

HIPAA requires that we implement security measures to protect PHI, both on paper and electronically!

Page 5:

PHI

Protected Health Information (PHI) under HIPAA means any information that identifies an individual and relates to at least one of the following:

The individual’s past, present or future physical or mental health.

The provision of health care to the individual.

The past, present or future payment for health care.

Information is deemed to identify an individual if it includes either the individual’s name or any other information that could enable someone to determine the individual’s identity.

Page 6:

ePHI and Encryption

Electronic PHI (ePHI) includes any device or medium used to store, transmit or receive PHI electronically:

Desktops, tablets, or laptops

External hard drives, including iPods, tapes, or disks

Removable storage devices (USB drives, keys, CDs, DVDs, etc.)

PDAs, smart phones

Electronic transmission, including email, file transfer (FTP), wireless, etc.

Page 7:

Headlines

July 07, 2010

Conn. AG, Health Net Reach Settlement Over Medical Data Breach

On Tuesday, insurer Health Net reached a $250,000 settlement with Connecticut Attorney General Richard Blumenthal (D), who sued the company after it lost a computer hard drive in 2009, Dow Jones/Wall Street Journal reports. The hard drive contained medical and financial information on about 500,000 members from the state.

(Solsman, Dow Jones/Wall Street Journal, 7/6).

Page 8:

Headlines

June 2, 2010

“Many of the major healthcare information breaches reported since last September, when the HITECH Breach Notification Rule took effect, have involved the theft or loss of unencrypted laptops and other portable devices.”

Terrell Herzig is HIPAA security officer at UAB Health System in Birmingham, Ala.

Page 9:

What is a Breach?

According to the Health Information Technology for Economic and Clinical Health (HITECH) Act:

A breach is the impermissible use or disclosure of PHI such that said use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

Breach notification is only required where unsecured PHI is involved. Unsecured PHI is PHI which has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance.

Page 10:

Data Breach – Lost CDs with ePHI

Page 11:

Components of Network Security

Page 13:

The Front Door of Your Network

Internet Firewall

Hides your network

Provides access rules

Allows only trusted partners access to your network

Remote Access

Allows only trusted users (authentication)

Must be encrypted (VPN or SSL/TLS)

Security wins over ease of use

Wireless Devices

Must be encrypted

Allow only trusted devices

Page 14:

The Back Door of Your Network

Email-borne threats

Viruses: software that reproduces itself

Malware: malicious software

Out-of-date antivirus system

Outdated operating systems

Missing patches for operating systems

Page 15:

The Danger Within

Lost laptops, tablets, PDAs, and smart phones with ePHI

Sharing passwords or using the same password for everything

Emailing ePHI without encryption

Responding to bogus requests: phone, email, web

ePHI leaving the building on electronic media without encryption (tapes, CDs, USB drives, etc.)

Installing risky software (Audiogalaxy, Limewire, etc.)

Page 16:

Phishing: tricking the user into going to a web site and giving up private information or passwords.

If you receive the email below with the subject "Reset your symquest.com password", please delete it. This was not sent by the Information Systems department.

Thanks,
Darrin

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

From: symquest.com [mailto:[email protected]]
Sent: Tuesday, June 29, 2010 11:48 AM
To: [email protected]
Subject: Reset your symquest.com password

Hello, [email protected].

We received your request to reset your symquest.com password. To confirm your request and reset your password, follow the instructions below. Confirming your request helps prevent unauthorized access to your account.

If you didn't request that your password be reset, please follow the instructions below to cancel your request.

CONFIRM REQUEST AND RESET PASSWORD

Click on the following web address:

https://symquest.com/EmailPage.srf?emailid=mail/?shva=1#inbox/12983ccaa8732d93

CANCEL PASSWORD RESET

Click on the following web address:

Page 17:

Other Security Risks: Disposal of Equipment

Many technologies today use hard drives that can contain ePHI!

Care must be taken in disposal so that ePHI is erased. Always ensure that IT has cleaned or destroyed hard drives prior to disposal.

Page 18:

Other Security Risks: Social Networking Sites

Risks of social networks:

Malware attacks (Facebook rated the riskiest)

Compromises the user's machine

Collects personal information for sale on the black market

Targets the circle of friends to get to the primary target

Page 19:

How You Can Help Keep the Network Secure

Page 20:

Typical Network Health

(Diagram: Internet, Firewall, Switch, Front Desk, Office Workstations, Network Printer.)

Page 21:

User Access Control and Password Guidance

Unique User ID

Never share your user ID!

All system access with your ID is YOUR responsibility.

Password Guidelines

Do not re-use the last 12 passwords.

Change your password at least every 90 days.

Passwords must be at least 8 characters.

Passwords must be a combination of upper and lower case letters, numbers and special characters.

User account locks after 3 failed attempts.
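The password rules on this slide, implemented as a small policy checker. This is an added example, not part of the presentation; the in-memory Account class and the sample users and passwords are constructed for illustration, standing in for a real directory service.

```python
# Added example (not from the presentation): enforces the slide's password
# rules. Thresholds are the slide's own; the account store is constructed.
import hashlib, os, string
from datetime import datetime, timedelta

MIN_LENGTH, HISTORY_DEPTH, MAX_AGE, LOCKOUT_THRESHOLD = 8, 12, timedelta(days=90), 3

def complexity_errors(password):
    """Return the slide's complexity rules that the candidate password breaks."""
    checks = [
        (len(password) >= MIN_LENGTH, "fewer than 8 characters"),
        (any(c.isupper() for c in password), "no upper-case letter"),
        (any(c.islower() for c in password), "no lower-case letter"),
        (any(c.isdigit() for c in password), "no number"),
        (any(c in string.punctuation for c in password), "no special character"),
    ]
    return [msg for ok, msg in checks if not ok]

def _hash(password, salt):
    # Salted PBKDF2 so the history never stores cleartext; iteration count kept low for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class Account:
    def __init__(self, user_id, password, now):
        self.user_id, self.history, self.failed, self.locked = user_id, [], 0, False
        self._store(password, now)
    def _store(self, password, now):
        salt = os.urandom(16)
        self.history.insert(0, (salt, _hash(password, salt)))  # newest first
        del self.history[HISTORY_DEPTH:]  # keep exactly the last 12
        self.changed_at = now
    def change_password(self, new_password, now):
        """Return the list of rule violations; an empty list means the change was applied."""
        errors = complexity_errors(new_password)
        if any(_hash(new_password, s) == h for s, h in self.history):
            errors.append("matches one of the last 12 passwords")
        if not errors:
            self._store(new_password, now)
        return errors
    def login(self, password, now):
        """Return 'ok', 'expired', 'bad' or 'locked' according to the slide's rules."""
        if self.locked:
            return "locked"
        salt, h = self.history[0]
        if _hash(password, salt) != h:
            self.failed += 1
            if self.failed >= LOCKOUT_THRESHOLD:
                self.locked = True
                return "locked"
            return "bad"
        self.failed = 0
        return "expired" if now - self.changed_at >= MAX_AGE else "ok"
```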

Page 22:

Automatic Logoff

Your EHR session should terminate after 15 minutes of inactivity. Always save your work before leaving your workstation!

Your Windows screen-saver should lock your workstation after 15 minutes of inactivity. Pressing Windows+L, or Ctrl+Alt+Delete and then Enter, on your keyboard will manually lock your workstation.

Page 23:

Remote Access

Must use a VPN tunnel or SSL/TLS connection.

Requires user authentication.

Always physically secure your laptop, PDA, or other mobile device when traveling! (Remember the headline on Slide 8?)

Page 24:

Accounting for Disclosures

Always indicate why treatment, payment, or authorization information is being disclosed.

Minimum Necessary Rule: "…take reasonable steps to limit the use or disclosure of, and requests for, [PHI] to the minimum necessary to accomplish the intended purpose."

Page 25:

Tasks for "the IT Guy" (or Gal)

Role-Based Access: Manage who gets access to what.

Firewall Review: Make sure that communication with the outside world is secure.

Wireless Security: Manage who gets WiFi access.

Antivirus: Manage software to keep viruses and malware at bay.

Server/Workstation Updates: Make sure all software gets appropriate updates to mitigate problems.

Page 26:

Tasks for "the IT Guy" (or Gal)

Backup: Keep a backup of all data, just in case!

Backup Encryption: Make backup data unreadable to snoopers.

Recovery: Have a plan in case disaster strikes!

Page 27:

Summary

Protecting data is everyone’s responsibility.

Understand HIPAA.

Hold each other accountable.