Healthcare to Go: Securing
Mobile Healthcare Data
Lee Kim, Esq.
SANS Mobile Device Security Summit 2013
May 30, 2013
Why Information Security is Essential
for Healthcare
• Safeguard patient information from theft, loss, and misuse • Annual cost of security breaches to the healthcare industry is
over $7 billion and 94% of healthcare organizations surveyed had at least one data breach in the past 2 years, according to Ponemon Institute’s Third Annual Benchmark Study on Patient
Privacy & Data Security
• Leading Causes of Data Breaches are the following: – Theft Hacking
– Virus/Malware Loss
Examples of Reported Breaches
• Disabled firewall exposes patient information
• Configuration error occurred at password authentication level allowing hacker to circumvent the security system
• Lost USB drives/disks containing patient information • Theft of laptop with unencrypted hard drive containing
patient information
• Malware leads to potential exposure of patient information • Patient information inadvertently posted online
• Rogue employee (now ex-employee) allegedly transferred patient information to personal e-mail account
Policy Drivers of Healthcare InfoSec
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– HIPAA Privacy Rule
• Uses and disclosures of protected health information (PHI) (a type of personally identifiable information) – HIPAA Security Rule
• Administrative, physical, and technical safeguards to assure the confidentiality, integrity, and availability of electronic protected health information (ePHI)
HIPAA now applies to covered entities (healthcare
providers, clearinghouses, health plans) and business
associates (entities working on behalf of covered entities
handling their PHI)
Policy Drivers of Healthcare InfoSec
• HITECH Act (part of the American Recovery and Reinvestment Act of 2009)
– Breach notification rule
– Business associates directly liable for HIPAA obligations • HIPAA Omnibus Rule
– Modifies HIPAA and HITECH requirements
– Breach Notification Rule (replaces HITECH rule) – Update to HIPAA Privacy and Security Rules and
changes/clarifies HITECH obligations – Effective date: March 26, 2013
– Compliance date: September 23, 2013
Policy Drivers of Healthcare InfoSec
• Super sensitive information
– Protected by federal and state laws (e.g., HIV/AIDS, drug and alcohol abuse, mental illness)
– While HIPAA may permit the exchange of information, if a more stringent law/regulation applies, then you must
abide by that. • Cybercrime
– Healthcare information is extremely valuable (including in the financial sense)
Government Audits
• HITECH Act Section 13411
– Requires US Department of Health and Human Services (HHS) to perform periodic audits on covered entities and business associates for HIPAA Privacy, Security, and Breach Notification Standard requirements
• HHS Office of Civil Rights (OCR) commenced audits in November 2011 (ongoing)
– Large and small healthcare providers, hospitals, health plans, and physician practices were audited in 2012
– Audits will also include business associates (entities doing a function on behalf of covered entity involving PHI)
– Corrective action plans and fines may result
Government Audits
• OCR HIPAA Audit Program analyzes processes, controls, and policies to determine HIPAA compliance for entities that
create, receive, or retain electronic Protected Health Information (ePHI)
• Healthcare providers and health plans have been audited under the program
• Business associates (those that work for covered entities and handle their PHI) will be audited
• OCR has found from its audits that the lack of HIPAA
compliance has been because the entity was unaware of the requirement, in spite of the rules stating what the entity
Government Audits
• Results of 2012 OCR HIPAA Audit Program
– No findings or observations for 11% of the entities – Security accounted for 60% of the findings and
observations for virtually all entities
• No complete and accurate risk assessment (risk analysis) for two-thirds (2/3) of the entities
• Security addressable implementation specifications – “Addressable” does not mean optional, but
implemented if reasonable & appropriate » Almost every entity could have fully
implemented the addressable implementation specification
• Small entities struggled with HIPAA compliance across the board
HIPAA Security Rule: The Basics
• The HIPAA Security Rule has the following: – Security Standards
– Implementation specifications • Required
• Addressable (not optional) – must be implemented if reasonable and appropriate.
• HIPAA Security Rule is technology-neutral • Policies and procedures need to be in place
• Criminal and civil liabilities for HIPAA violations (including Security Rule)
HIPAA Security Rule: The Basics
• Entity must appoint a HIPAA Security Official for the
organization who oversees the development, implementation, monitoring, and communication of security policies and
procedures in accordance with the Security Rule
HIPAA Security Compliance:
Building the Foundation
• The cornerstones of an effective HIPAA Security compliance program include:
– Ongoing risk analysis and risk management – Routine information system reviews
• This should include mobile devices, whether employer-supplied or employee-provided (BYOD)
• There may be restrictions on what can be reviewed for BYOD devices
– If activity cannot be reviewed, document whether this is reasonable and the rationale for not
HIPAA Security Compliance:
Building the Foundation
• Securing and protecting all health information
– With mobile devices, ensure that the information is protected when used in public, on site, and at remote locations
– Authorization, supervision, and clearance for those who can access, receive, transmit, retain, or otherwise
exchange ePHI on mobile devices
• Sanctions for non-compliance of workforce members – Including and up to termination
HIPAA Security Rule: Best Practices
• Implement a security framework – E.g., HITRUST, NIST, ISO, etc.
• Consider the different types of healthcare data, access and roles, and data usage
– Healthcare data: administrative or clinical • Consider the sensitivity of the data
– Access and roles: clinical staff vs. non-clinical staff (e.g., office manager, billing clerk, appointment scheduler, etc.) – Data usage: Workflow, storage, retrieval
HIPAA Security Rule: Best Practices
• Conduct risk analysis and risk management on a regular (continuous basis)
– Understand the potential threats and vulnerabilities • Outside your organization
• Inside your organization – Insider threats
– Unauthorized use/access
– Understand the impact of the threat / vulnerability • Ensure accuracy of policies and procedures
• Ensure workforce is trained and periodic training occurs • Monitor user and system activity
HIPAA Security Rule: Best Practices
• Establish a security incident management program – Develop a security incident management process – Detect events and declare security incidents
– Respond to and recover from security incidents
• Address and report security incidents (including breaches)
• Organizational resilience
• Continuity of patient care and coordination of are • Business continuity
HIPAA Security Rule: Best Practices
• Risk management
– What are you doing to manage the risks and how can you lower the risks through policies, training, and access
controls?
• Consider following NIST guidance to lower risks.
• Make sure your business associates and subcontractors are complying with HIPAA (including downstream
business associates).
• Make sure expectations are clearly spelled out in business associate and subcontractor agreements.
HIPAA Security Rule:
Application to mHealth
• When do we need to worry about HIPAA with mobile devices, mobile applications, and medical devices?
– Is it being used to create, receive, retain, transmit, or otherwise exchange ePHI?
HIPAA Security Rule: Risk Analysis
What are the potential threats and vulnerabilities for mobile devices and how critical are they (e.g., low, medium, high)?
• Inherent risks with mobile/medical devices
• Attack vectors may be different for mobile devices:
hardware, wireless eavesdropping, software (including web browser), user layer attacks, availability attacks • Malware is evolving and increasingly
machine-generated
HIPAA Security Rule: Risk Analysis
What are the potential threats and vulnerabilities for
mobile/medical devices and how critical are they (e.g., low, medium, high)?
– Inherent risks:
• Easily portable and therefore easily stolen
• Wireless network connection (instead of wired) • Battery (limited power)
– Rogue applications – Loss of devices
HIPAA Security Rule: Risk Analysis
What are the potential threats and vulnerabilities for
mobile/medical devices and how critical are they (e.g., low, medium, high)? (con’t)
– Virus/malware – Phishing
– User error (e.g., inadvertent posting to social media) – Application error/misconfiguration
– Data mining
HIPAA Security Rule: Risk Analysis
(Know Where and What the Data is)
Where is my ePHI?
1. What mobile apps, mobile devices, and medical devices are used to create, transmit, receive, or maintain the ePHI?
2. Is the ePHI stored on the device itself (e.g., e-mail, text message, etc.), as opposed to in a mobile app?
3. Does the mobile app developer create, receive, maintain, or transmit ePHI on your behalf?
HIPAA Security Rule: Risk Analysis
(Know Where and What the Data is)
Practice tip:
1. Make an inventory list of the mobile apps, mobile
devices, and medical devices which handle PHI, the type of PHI, and what is done with the PHI.
2. Do an assessment of the risks given the inventory list.
HIPAA Security Rule: Risk Analysis
Questions to Ask the Developer
• How is the PHI secured?
– If the developer handles the PHI, what are its policies, procedures, and training?
– How secure is the mobile app/device itself? » Have the security controls been validated?
(E.g., FIPS 140-2 validated encryption module) – Who holds the key(s) for encryption/decryption?
The developer or you?
– Is the information encrypted at rest, in transit, and archived?
HIPAA Security Rule: Risk Analysis
Gap Analysis
Where are the gaps in my risk analysis? (What have I not considered?)
Example:
How is my mobile device communicating ePHI with other
servers, medical devices/components, patient mobile devices (not regulated by HIPAA), BYOD or employer-provided mobile devices, etc. and what types of ePHI are involved?
Example:
Have I considered the security of the network and the
software interfaces/connection points? (Holistic approach)
HIPAA Security Rule: Risk Analysis
Factors to Consider
– Authentication
– Complex passwords
– Encryption (data at rest, in transit, and archived) – Segregating BYOD network traffic from other traffic – Network flow analysis
– Intrusion detection system – Mobile device management
– Preventing and detecting rogue network devices (evil twin) – Remote lock and wipe functionality
HIPAA Security Rule: Risk Analysis
Factors to Consider
– Operating system, firmware, application, middleware, interface, etc. updates (mobile devices and medical
devices, including software & hardware components in between & network connectivity)
– Timely account de-provisioning (revoking system access: local and remote)
– Mobile applications
• Is the data remotely or locally stored?
• Does it comply with the HIPAA Privacy (e.g., use and disclosure of PHI) and Security Rules (e.g., technical safeguards)?
• Is the data encrypted and who has the key?
HIPAA Security Rule: Risk Analysis
Factors to Consider
– Secure web browser – Secure e-mail
– Social media (shortened links that lead to malware; improperly posting ePHI)
– Texting and videoconferencing (none vs. secure end-to-end solutions)
– Camera/microphone (improperly recording PHI)
– Remote hosting of data (vs. local storage on device that may be lost or stolen, etc.)
– Media re-use and disposal
HIPAA Security Rule: Risk Analysis
Factors to Consider
– Backing up of data
• Are the backups encrypted? – Network type and connectivity
HIPAA Security Rule: Risk Management
(The Basics)
Always to keep mind the need to ensure confidentiality, integrity, and availability of PHI and manage the risks identified in the risk analysis.
1. Based on the risk analysis, what are the risks that are medium and high?
• I.e., likelihood of exploitation and the impact of the threat / vulnerability
2. What medium and high risks can be lowered through policies, training, and access controls?
• If the risks can be lowered, then the risk analysis needs to be revised and the documentation needs to be
HIPAA Security Rule: Risk Management
Factors to Consider
– How secure is the PHI? (At rest, in transit, archived) – Is the PHI reasonably available?
• Is the application and data (PHI) reasonably available? • Is there an ability to export the PHI in a non-proprietary
format for interoperability purposes or to migrate the information to another app or device?
– In the event of a disaster or emergency, can the mobile data (and access to it via the mobile app/device/portal) enable business continuity?
• Consider: Sum total of mobile data in the aggregate across all mobile users in an organization.
HIPAA Security Rule: Risk Management
Third Parties
What are the business associates and subcontractors doing with your data?
Under the HIPAA Omnibus Rule, business associates include the following (if they handle the healthcare provider’s, health plan’s, or clearinghouse’s PHI):
– Cloud providers
– Health information exchanges – Health information organizations – e-Prescribing gateways
– Personal health record vendors – Subcontractors
HIPAA Security Rule: Risk Management
Business Associates & Subcontractors
What are the business associates and subcontractors
doing with your ePHI?
1. Perform due diligence (e.g., review of Security Rule policies and procedures, training, network/security infrastructure documents, etc.)
– Is the business associate or subcontractor located in the US?
– Where are the hosting facilities and data centers located? 2. Obtain a business associate agreement / subcontractor
agreement and set forth the expectations
– Consider whether you want to permit business
associates/subcontractors to use de-identified (non-personally identifiable) health information (e.g., data
Questions/Contact Information
Lee Kim, Esq.
Tucker Arensberg, P.C.
1500 One PPG Place
Pittsburgh, PA 15222
lkim@tuckerlaw.com
(412)594-3915 (work)
(412)606-5064 (cell)
References
• HIPAA Omnibus Rule
–
http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
• OCR and NIST Security Rule Guidance
– http://www.hhs.gov/ocr/privacy/hipaa/administrative/sec
urityrule/securityruleguidance.html
• NIST Computer Security Guidance (Special Publications)
– http://csrc.nist.gov/publications/PubsSPs.html
• mHIMSS Mobile Privacy & Security Toolkit
–
http://www.mhimss.org/resource/mhimss-mobile-privacy-security-toolkit
• HIPAA Audits
– http://www.hhs.gov/ocr/privacy
References
• OCR HIPAA Audit Program Protocol
– http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit
/protocol.html
• Breaches Affecting 500 or More Individuals
– http://www.hhs.gov/ocr/privacy/hipaa/administrative/bre
achnotificationrule/breachtool.html
• Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals
– http://www.hhs.gov/ocr/privacy/hipaa/administrative/bre
achnotificationrule/brguidance.html
• Safeguarding Health Information: Building Assurance through HIPAA Security
References
• Nationwide Rollup Review of the Centers for Medicare & Medicaid
– http://oig.hhs.gov/oas/reports/region4/40805069.pdf
• Federal Risk and Authorization Management Program
– http://www.fedramp.gov
• OWASP Mobile Security Project - Top Ten Mobile Risks
– https://www.owasp.org/index.php/Projects/OWASP_Mobi
le_Security_Project_-_Top_Ten_Mobile_Risks
• Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules
–
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
References
• HITRUST Common Security Framework
– http://www.hitrustalliance.net/commonsecurityframewor
k/
• ANSI/AAMI/IEC 80001-1:2010, Application of risk
management for IT Networks incorporating medical devices - Part 1: Roles, responsibilities and activities
– http://www.aami.org/publications/standards/80001.html
• Direct: Implementation Guidelines to Assure Security and Interoperability
References
• Health IT Policy Committee Privacy & Security Tiger Team
–
http://www.healthit.gov/policy-researchers- implementers/federal-advisory-committees-facas/privacy-security-tiger-team
• NIST Cybersecurity Framework Workshop
– http://www.nist.gov/itl/csd/framework-042513.cfm
• NIST National Cybersecurity Center of Excellence
– http://csrc.nist.gov/nccoe/
• Third Annual Benchmark Study on Patient Privacy & Data Security
– http://www2.idexpertscorp.com/assets/uploads/ponemon
2012/Third_Annual_Study_on_Patient_Privacy_FINAL.pdf
References
• 2nd Annual HIMSS Mobile Technology Survey
– http://www.himssanalytics.org/research/AssetDetail.aspx?
pubid=81559&tid=131
• World Privacy Forum