Risk and Opportunities in EMR Technology · Enforcement of HIPAA – Mandatory Penalties up to $1.5...
Page 1
Risk and Opportunities in EMR Technology
Shanit Gupta Director of Information Security
EMR In-Depth Seminar – Session 2
Page 2
The U.S. spends 17.4% of GDP on healthcare, more than twice the average for developed countries
80% of US doctors are still using paper health records
195,000 annual deaths from preventable medical errors
– 7,000 of those deaths are tied to illegible handwriting alone
The Changing Healthcare Landscape
Page 3
Fundamental Goal: Save Lives
“…just wanted to let you know PF saved a patient’s life. I admitted through the emergency room a patient seen by one of my partners and needed to start a blood thinner. Had I not had her electronic info on Practice Fusion and seen that she had a history of a clotting disorder, I likely would have killed her. It was not found anywhere else.”
Page 4
What Is EHR?
Page 5
Key Requirements
Page 6
Security is Fundamental Requirement
Page 7
Traditional EHR
Pages 8–9 (image-only slides)
Page 10
Patient In, Patient Out
Practice Makes Money
Page 11
Rethink EHR
Page 12 (image-only slide)
Page 13
Goal 1: We want it Now Yesterday
Page 14
Goal 2: Open Anywhere for Anyone
Page 15
Makes Security Interesting
Page 16
Where Do We Start?
Page 17
EHR Security 101
Page 18
HIPAA in a Slide
Holistic Attempt at Security – Administrative
– Physical
– Technical
Documentation – Policies, Procedures, Standards
Consistency – Follow the documentation
Subject to Interpretation
Page 19
HIPAA – Beyond Security Best Practices
Training
Information Security Officer
Periodic Risk Assessments and Audits
Identify PHI and Define Boundaries
Data Retention Requirements
Page 20
HITECH in a Slide
Combination of Incentives and Penalties
Enforcement of HIPAA – Mandatory Penalties up to $1.5 million
– HHS required to conduct periodic audits
Notification of Breach – Breach of > 500 patients will result in public disclosure
Right to PHI – Personal
– Delegated Authority
Business Associates – Subject to HIPAA Security Rule
– Subject to civil and criminal penalties
Page 21
1) Adopt a Certified EHR
2) Check Eligibility and Register
3) Meaningfully Use your EHR
4) Apply for HITECH Incentives
How can I Qualify for HITECH Incentives?
Core Requirement 15: Conduct Privacy and Risk Audit
Page 22
What’s with the Cloud?
Page 23
We use private + public cloud
ain’t perfect
ain’t broken
Cloud FUD
Cloud does not provide or break HIPAA compliance – They provide the tools
Cloud Security is getting better
Yes – We are in the Cloud
Page 24
Physical Security
Armed Guards
Surveillance Systems
Access Card/Biometric Authentication
24/7/365 Monitoring
Redundant Utilities
Man Traps
Concrete Structures
Fire Detection and Flood Protection
List goes on..
Page 25
Top 5 Breaches
| Covered Entity | Individuals Affected | Year | Type |
|---|---|---|---|
| TRICARE Management Activity (TMA) | 4,901,432 | 2011 | Backup Tapes |
| Health Net, Inc. | 1,900,000 | 2011 | Lost Drives |
| New York City Health & Hospitals Corporation's North Bronx Healthcare Network | 1,700,000 | 2010 | Lost Drives |
| AvMed, Inc. | 1,220,000 | 2009 | Lost Laptop |
| The Nemours Foundation | 1,055,489 | 2011 | Lost Backup Tapes |

* Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Page 26 (image-only slide)
Page 27
WHEN WHAT WHERE HOW WHO
Yes – We do have the Standard Challenges
Page 28
Background Checks
Isolation of PHI
Segregation of Roles
Malware Detection
Strong Cryptography
Firewalls, IPS, VPN
List goes on..
We do have the Standard Solutions
Page 29 (image-only slide)
Page 30
Identify to Proceed
Pages 31–33 (image-only slides)
Page 34
Authentication and Identification
Successful Authentication – Practice Identifier
– Username
– Password
Password Hashing – SHA-512
– Random Salt
Account Lockout
Audit Logs
Page 35
How do you Protect Against Password Reuse?
Beyond Username + Password
Practice Identifier has served well
Page 36
Cryptography
All EHR calls are encrypted (HTTPS) – Support for strong ciphers (128 bit and above)
– Disable support for weak encryption
Passwords are hashed – SHA-512
– Random Salt
Backups are encrypted – No physical media
Laptops are protected using Full Disk Encryption – Equipment will get stolen/lost
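The authentication slide (practice identifier + username + password, SHA-512 with a random salt, account lockout, audit logs) and the cryptography slide describe one password-storage and login design without showing it. The following is an added example written for this page, not Practice Fusion's code: it stores passwords as salted SHA-512 exactly as the slides state, treats the practice identifier as part of the identity, locks the account after repeated failures, and audits every outcome. Because a single SHA-512 round is cheap to compute, it also shows a PBKDF2 variant as the hardened alternative a practitioner would reach for today. The lockout threshold, lockout duration, PBKDF2 iteration count and all field names are assumptions.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example, not Practice Fusion code. Thresholds, field names and the
# PBKDF2 iteration count are assumptions.
SALT_BYTES = 16
MAX_FAILED_ATTEMPTS = 5        # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60      # assumed lockout duration
PBKDF2_ITERATIONS = 210_000    # assumed; being slow is the point


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted SHA-512 as on the slides: one fresh random salt per password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return salt, hashlib.sha512(salt + password.encode("utf-8")).digest()


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened variant: one SHA-512 round is fast to brute-force offline,
    so a deliberately slow KDF raises the cost of every guess."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    practice_id: str
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class AuthService:
    # Identity is (practice identifier, username), as on the authentication slide.
    accounts: Dict[Tuple[str, str], Account] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def register(self, practice_id: str, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[(practice_id, username)] = Account(practice_id, username, salt, digest)

    def _audit(self, event: str, practice_id: str, username: str, now: float) -> None:
        self.audit_log.append({"ts": now, "event": event, "practice": practice_id, "user": username})

    def login(self, practice_id: str, username: str, password: str,
              now: Optional[float] = None) -> str:
        """Returns "ok", "denied" or "locked"; every outcome is written to the audit log."""
        now = time.time() if now is None else now
        acct = self.accounts.get((practice_id, username))
        if acct is None:
            # Hash anyway so response time does not reveal whether the account exists.
            hash_password(password, bytes(SALT_BYTES))
            self._audit("login_failed", practice_id, username, now)
            return "denied"
        if acct.locked_until > now:
            self._audit("login_locked", practice_id, username, now)
            return "locked"
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):   # constant-time comparison
            acct.failed_attempts = 0
            self._audit("login_ok", practice_id, username, now)
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            self._audit("account_locked", practice_id, username, now)
        else:
            self._audit("login_failed", practice_id, username, now)
        return "denied"


if __name__ == "__main__":
    svc = AuthService()
    svc.register("practice-42", "drjones", "correct horse battery")
    print(svc.login("practice-42", "drjones", "correct horse battery"))   # ok
    print(svc.login("practice-43", "drjones", "correct horse battery"))   # denied: wrong practice
```

The practice identifier in the lookup key is what makes a username valid only inside its own practice; the lockout counter and the audit entries are what give a defender something to alert on when one account receives a burst of failures.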
Page 37
```csharp
if (Authorize.IsUserAuthorized("Chart", i_Session.lUserID,
                               Authorize.UserAccessEntity.Patient, lPatientID))
{
    // ... chart access logic (elided on the slide)
}
else
{
    throw new BL_Exception(XXXX); // error code elided on the slide
}
```
We Know Our Application Better
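The slide shows the call site but not the decision behind `IsUserAuthorized`. The following is an added example written for this page, not Practice Fusion's code, modelling that decision in Python: a user may act on a patient record only if user and patient belong to the same practice and the user's role grants the action, with everything not explicitly granted denied and every decision audited. Role names, the permission table, the `AuthorizationError` type (standing in for `BL_Exception`) and the sample directory are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Added example, not Practice Fusion code. Roles, the permission table, the
# exception type and the sample directory are assumptions.


class AuthorizationError(Exception):
    """Stands in for the slide's BL_Exception."""


@dataclass(frozen=True)
class User:
    user_id: int
    practice_id: str
    role: str


@dataclass(frozen=True)
class Patient:
    patient_id: int
    practice_id: str


# Deny by default: an action absent from a role's set is refused.
PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"Chart", "Prescribe", "Schedule"},
    "nurse": {"Chart", "Schedule"},
    "front_desk": {"Schedule"},
    "engineer": set(),   # builds the EMR, needs no PHI (cf. the "Isolate PHI and Business" slide)
}


@dataclass
class Directory:
    users: Dict[int, User] = field(default_factory=dict)
    patients: Dict[int, Patient] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def is_user_authorized(self, action: str, user_id: int, patient_id: int) -> bool:
        user = self.users.get(user_id)
        patient = self.patients.get(patient_id)
        if user is None or patient is None:
            return False
        if user.practice_id != patient.practice_id:
            return False   # the record belongs to another practice
        return action in PERMISSIONS.get(user.role, set())

    def open_chart(self, user_id: int, patient_id: int) -> str:
        """Mirrors the slide's if/else: audit the decision, then proceed or throw."""
        allowed = self.is_user_authorized("Chart", user_id, patient_id)
        self.audit_log.append({"user": user_id, "patient": patient_id,
                               "action": "Chart", "result": "allow" if allowed else "deny"})
        if not allowed:
            raise AuthorizationError(f"user {user_id} may not open chart of patient {patient_id}")
        return f"chart-{patient_id}"


def sample_directory() -> Directory:
    """Constructed sample data: two practices, four staff, two patients."""
    d = Directory()
    for u in (User(1, "P1", "physician"), User(2, "P1", "front_desk"),
              User(3, "P2", "physician"), User(4, "P1", "engineer")):
        d.users[u.user_id] = u
    for p in (Patient(100, "P1"), Patient(200, "P2")):
        d.patients[p.patient_id] = p
    return d


if __name__ == "__main__":
    d = sample_directory()
    print(d.open_chart(1, 100))        # physician opening a chart in their own practice
    try:
        d.open_chart(3, 100)           # physician from another practice: denied and audited
    except AuthorizationError as e:
        print("denied:", e)
```

The practice comparison is the check that matters most in a multi-tenant EHR: a valid session plus a guessable patient id must still not open another practice's chart, and the "deny" audit entries are the signal a defender looks for.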
Page 38
This Code Path is Used
Page 39
Security is ~~My~~ Everyone’s Responsibility
Page 40
Starbucks Workforce
Workers cannot be confined any longer
BYOD
IT as Business Enabler
Page 41
Think Beyond Boundaries
Goal: Anywhere, anytime protection – Device Verification
– User Verification
– Web Traffic Filtering
– Device Encryption
Page 42
Reduce Risk
Page 43
Isolate PHI and Business
Employees provide EMR
EMR uses PHI
Employees do NOT need access to PHI
Page 44
Social Engineering
Problem: Humans are nice
Strong verification processes – Physical
– Support
– Application
Awareness about Social Engineering – Enforcement of the process is the key
Never Reveal Passwords
Page 45
Clinical Research
Safe Harbor Rules – De-Identify PHI
– 18 Identifiers (Name, Address, Dates, SSN ..)
We go above and beyond the safe harbor rules – Remove records for individuals older than 80
– Remove records for individuals with rare conditions
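The clinical-research slide names the Safe Harbor approach (strip the identifier classes, the slide lists name, address, dates and SSN) and two stricter rules applied on top of it (drop records of individuals older than 80 and records with rare conditions). The following is an added example written for this page, not Practice Fusion's code, that carries those rules through on constructed sample records, including the free-text field where dates and SSNs tend to survive a column-only scrub. Field names, the sample records, and the definition of "rare" as a condition appearing fewer than `MIN_CONDITION_COUNT` times in the data set are assumptions.

```python
import re
from collections import Counter
from datetime import date
from typing import Dict, List

# Added example, not Practice Fusion code. Field names, sample records and the
# "rare condition" threshold are assumptions.
DIRECT_IDENTIFIERS = {"name", "address", "ssn", "phone", "email", "mrn"}
DATE_FIELDS = {"dob", "visit_date"}
FREE_TEXT_FIELDS = {"notes"}
MAX_AGE = 80                 # from the slide: drop individuals older than 80
MIN_CONDITION_COUNT = 3      # assumed: fewer records than this makes a condition "rare"
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ISO_DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")


def sample_records() -> List[Dict[str, str]]:
    """Constructed sample data; every value is fictional."""
    def rec(name, dob, visit, cond, ssn, addr):
        return {"name": name, "dob": dob, "visit_date": visit, "condition": cond,
                "ssn": ssn, "address": addr, "notes": f"Seen {visit}, SSN {ssn} on file."}
    return [
        rec("Alice Example", "1950-03-14", "2011-06-01", "hypertension", "123-45-6789", "1 Main St"),
        rec("Bob Example", "1962-07-02", "2011-06-03", "hypertension", "123-45-6790", "2 Main St"),
        rec("Carol Example", "1970-11-20", "2011-06-05", "hypertension", "123-45-6791", "3 Main St"),
        rec("Dan Example", "1925-01-01", "2011-06-07", "diabetes", "123-45-6792", "4 Main St"),
        rec("Eve Example", "1980-05-05", "2011-06-09", "diabetes", "123-45-6793", "5 Main St"),
        rec("Frank Example", "1975-09-09", "2011-06-11", "diabetes", "123-45-6794", "6 Main St"),
        rec("Grace Example", "1990-02-28", "2011-06-13", "diabetes", "123-45-6795", "7 Main St"),
        rec("Heidi Example", "1985-12-12", "2011-06-15", "porphyria", "123-45-6796", "8 Main St"),
    ]


def age_at(dob: str, on: str) -> int:
    """Whole years between two ISO dates."""
    born, when = date.fromisoformat(dob), date.fromisoformat(on)
    return when.year - born.year - ((when.month, when.day) < (born.month, born.day))


def scrub_text(text: str) -> str:
    """Free text: remove SSN-shaped values and reduce full dates to the year."""
    text = SSN_PATTERN.sub("[SSN removed]", text)
    return ISO_DATE.sub(r"\1", text)


def deidentify(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    condition_counts = Counter(r["condition"] for r in records)
    out = []
    for r in records:
        if age_at(r["dob"], r["visit_date"]) > MAX_AGE:
            continue                                   # slide rule: older than 80
        if condition_counts[r["condition"]] < MIN_CONDITION_COUNT:
            continue                                   # slide rule: rare condition
        clean = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        for f in DATE_FIELDS:
            clean[f] = clean[f][:4]                    # keep only the year
        for f in FREE_TEXT_FIELDS:
            clean[f] = scrub_text(clean[f])
        out.append(clean)
    return out


def leaks(records: List[Dict[str, str]]) -> bool:
    """True if any field still contains an SSN-shaped or full-date-shaped value."""
    return any(SSN_PATTERN.search(v) or ISO_DATE.search(v)
               for r in records for v in r.values())


if __name__ == "__main__":
    raw = sample_records()
    clean = deidentify(raw)
    print(len(raw), "records in,", len(clean), "out; leaks:", leaks(clean))
    print(clean[0])
```

The `leaks` check is the part worth keeping in a pipeline: a research extract should fail its build if any identifier-shaped value survives, whatever column it came from.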
Page 46
Patient Access to their Records
Holy Grail: One Patient One Record
Several Challenges – Incomplete records
– Incorrect records
– Lack of Standards
– Lack of Policy
Currently: Practitioner provisions a patient account
Meaningful Use Criteria?
Page 47
Privacy != Security
We need clear/consistent privacy rules
Lack of rules causing – Too cautious approach
– Too risky approach
– Silos in the industry
Security know-how exists to enforce the rules
Page 48
Zero Days – Underground marketplace for vulnerabilities
Targeted Attack – Social Engineering + Zero Days
What Keeps Me Up
Page 49
What will the Future Bring?
Page 50
Online Referrals
Labs
eRx
Billing
Health Personalization
Healthcare Apps
Goal 3: Healthcare Ecosystem
Page 51
Health Information Exchange
A few regional success stories
Trust/Participation is lacking
Little integration between HIEs
Do we want one size?
Page 52
Comprehensive Health Care
Page 53
Personalized Medicine
Symmetrel: Genetic markers (from Pathway Genomics ) for this patient indicate Symmetrel may increase the risk of medication induced side effects such as hallucination, impulse control behaviors, and dyskinesias and is not recommended.
Pathway Genomics Genetic Information eRx Portal
Pages 54–55 (image-only slides)