Healthcare to Go: Securing Mobile Healthcare Data


(1)

Healthcare to Go: Securing

Mobile Healthcare Data

Lee Kim, Esq.

SANS Mobile Device Security Summit 2013

May 30, 2013

(2)

Why Information Security is Essential for Healthcare

• Safeguard patient information from theft, loss, and misuse

• Annual cost of security breaches to the healthcare industry is over $7 billion, and 94% of healthcare organizations surveyed had at least one data breach in the past 2 years, according to Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy & Data Security

• Leading causes of data breaches are the following:

– Theft

– Hacking

– Virus/Malware

– Loss

(3)

Examples of Reported Breaches

• Disabled firewall exposes patient information

• Configuration error occurred at password authentication level, allowing a hacker to circumvent the security system

• Lost USB drives/disks containing patient information

• Theft of laptop with unencrypted hard drive containing patient information

• Malware leads to potential exposure of patient information

• Patient information inadvertently posted online

• Rogue employee (now ex-employee) allegedly transferred patient information to personal e-mail account

(4)

Policy Drivers of Healthcare InfoSec

• Health Insurance Portability and Accountability Act of 1996 (HIPAA)

– HIPAA Privacy Rule

• Uses and disclosures of protected health information (PHI) (a type of personally identifiable information)

– HIPAA Security Rule

• Administrative, physical, and technical safeguards to assure the confidentiality, integrity, and availability of electronic protected health information (ePHI)

HIPAA now applies to covered entities (healthcare providers, clearinghouses, health plans) and business associates (entities working on behalf of covered entities handling their PHI)

(5)

Policy Drivers of Healthcare InfoSec

• HITECH Act (part of the American Recovery and Reinvestment Act of 2009)

– Breach notification rule

– Business associates directly liable for HIPAA obligations

• HIPAA Omnibus Rule

– Modifies HIPAA and HITECH requirements

– Breach Notification Rule (replaces HITECH rule)

– Update to HIPAA Privacy and Security Rules and changes/clarifies HITECH obligations

– Effective date: March 26, 2013

– Compliance date: September 23, 2013

(6)

Policy Drivers of Healthcare InfoSec

• Super sensitive information

– Protected by federal and state laws (e.g., HIV/AIDS, drug and alcohol abuse, mental illness)

– While HIPAA may permit the exchange of information, if a more stringent law/regulation applies, then you must abide by that.

• Cybercrime

– Healthcare information is extremely valuable (including in the financial sense)

(7)

Government Audits

• HITECH Act Section 13411

– Requires US Department of Health and Human Services (HHS) to perform periodic audits on covered entities and business associates for HIPAA Privacy, Security, and Breach Notification Standard requirements

• HHS Office of Civil Rights (OCR) commenced audits in November 2011 (ongoing)

– Large and small healthcare providers, hospitals, health plans, and physician practices were audited in 2012

– Audits will also include business associates (entities doing a function on behalf of covered entity involving PHI)

– Corrective action plans and fines may result

(8)

Government Audits

• OCR HIPAA Audit Program analyzes processes, controls, and policies to determine HIPAA compliance for entities that create, receive, or retain electronic Protected Health Information (ePHI)

• Healthcare providers and health plans have been audited under the program

• Business associates (those that work for covered entities and handle their PHI) will be audited

• OCR has found from its audits that the lack of HIPAA compliance has been because the entity was unaware of the requirement, in spite of the rules stating what the entity

(9)

Government Audits

• Results of 2012 OCR HIPAA Audit Program

– No findings or observations for 11% of the entities

– Security accounted for 60% of the findings and observations for virtually all entities

• No complete and accurate risk assessment (risk analysis) for two-thirds (2/3) of the entities

• Security addressable implementation specifications

– “Addressable” does not mean optional, but implemented if reasonable & appropriate

» Almost every entity could have fully implemented the addressable implementation specification

• Small entities struggled with HIPAA compliance across the board

(10)

HIPAA Security Rule: The Basics

• The HIPAA Security Rule has the following:

– Security Standards

– Implementation specifications

• Required

• Addressable (not optional) – must be implemented if reasonable and appropriate.

• HIPAA Security Rule is technology-neutral

• Policies and procedures need to be in place

• Criminal and civil liabilities for HIPAA violations (including Security Rule)

(11)

HIPAA Security Rule: The Basics

• Entity must appoint a HIPAA Security Official for the organization who oversees the development, implementation, monitoring, and communication of security policies and procedures in accordance with the Security Rule

(12)

HIPAA Security Compliance: Building the Foundation

• The cornerstones of an effective HIPAA Security compliance program include:

– Ongoing risk analysis and risk management

– Routine information system reviews

• This should include mobile devices, whether employer-supplied or employee-provided (BYOD)

• There may be restrictions on what can be reviewed for BYOD devices

– If activity cannot be reviewed, document whether this is reasonable and the rationale for not

(13)

HIPAA Security Compliance: Building the Foundation

• Securing and protecting all health information

– With mobile devices, ensure that the information is protected when used in public, on site, and at remote locations

– Authorization, supervision, and clearance for those who can access, receive, transmit, retain, or otherwise exchange ePHI on mobile devices

• Sanctions for non-compliance of workforce members

– Including and up to termination

(14)

HIPAA Security Rule: Best Practices

• Implement a security framework

– E.g., HITRUST, NIST, ISO, etc.

• Consider the different types of healthcare data, access and roles, and data usage

– Healthcare data: administrative or clinical

• Consider the sensitivity of the data

– Access and roles: clinical staff vs. non-clinical staff (e.g., office manager, billing clerk, appointment scheduler, etc.)

– Data usage: workflow, storage, retrieval

(15)

HIPAA Security Rule: Best Practices

• Conduct risk analysis and risk management on a regular (continuous) basis

– Understand the potential threats and vulnerabilities

• Outside your organization

• Inside your organization

– Insider threats

– Unauthorized use/access

– Understand the impact of the threat / vulnerability

• Ensure accuracy of policies and procedures

• Ensure workforce is trained and periodic training occurs

• Monitor user and system activity

(16)

HIPAA Security Rule: Best Practices

• Establish a security incident management program

– Develop a security incident management process

– Detect events and declare security incidents

– Respond to and recover from security incidents

• Address and report security incidents (including breaches)

• Organizational resilience

• Continuity of patient care and coordination of care

• Business continuity

(17)

HIPAA Security Rule: Best Practices

• Risk management

– What are you doing to manage the risks, and how can you lower the risks through policies, training, and access controls?

• Consider following NIST guidance to lower risks.

• Make sure your business associates and subcontractors are complying with HIPAA (including downstream business associates).

• Make sure expectations are clearly spelled out in business associate and subcontractor agreements.

(18)

HIPAA Security Rule: Application to mHealth

• When do we need to worry about HIPAA with mobile devices, mobile applications, and medical devices?

– Is it being used to create, receive, retain, transmit, or otherwise exchange ePHI?

(19)

HIPAA Security Rule: Risk Analysis

What are the potential threats and vulnerabilities for mobile devices and how critical are they (e.g., low, medium, high)?

• Inherent risks with mobile/medical devices

• Attack vectors may be different for mobile devices: hardware, wireless eavesdropping, software (including web browser), user layer attacks, availability attacks

• Malware is evolving and increasingly machine-generated

(20)

HIPAA Security Rule: Risk Analysis

What are the potential threats and vulnerabilities for mobile/medical devices and how critical are they (e.g., low, medium, high)?

– Inherent risks:

• Easily portable and therefore easily stolen

• Wireless network connection (instead of wired)

• Battery (limited power)

– Rogue applications

– Loss of devices

(21)

HIPAA Security Rule: Risk Analysis

What are the potential threats and vulnerabilities for mobile/medical devices and how critical are they (e.g., low, medium, high)? (cont’d)

– Virus/malware

– Phishing

– User error (e.g., inadvertent posting to social media)

– Application error/misconfiguration

– Data mining

(22)

HIPAA Security Rule: Risk Analysis

(Know Where and What the Data is)

Where is my ePHI?

1. What mobile apps, mobile devices, and medical devices are used to create, transmit, receive, or maintain the ePHI?

2. Is the ePHI stored on the device itself (e.g., e-mail, text message, etc.), as opposed to in a mobile app?

3. Does the mobile app developer create, receive, maintain, or transmit ePHI on your behalf?

(23)

HIPAA Security Rule: Risk Analysis

(Know Where and What the Data is)

Practice tip:

1. Make an inventory list of the mobile apps, mobile devices, and medical devices which handle PHI, the type of PHI, and what is done with the PHI.

2. Do an assessment of the risks given the inventory list.

(24)

HIPAA Security Rule: Risk Analysis

Questions to Ask the Developer

• How is the PHI secured?

– If the developer handles the PHI, what are its policies, procedures, and training?

– How secure is the mobile app/device itself?

» Have the security controls been validated? (E.g., FIPS 140-2 validated encryption module)

– Who holds the key(s) for encryption/decryption? The developer or you?

– Is the information encrypted at rest, in transit, and archived?

(25)

HIPAA Security Rule: Risk Analysis

Gap Analysis

Where are the gaps in my risk analysis? (What have I not considered?)

Example:

How is my mobile device communicating ePHI with other servers, medical devices/components, patient mobile devices (not regulated by HIPAA), BYOD or employer-provided mobile devices, etc., and what types of ePHI are involved?

Example:

Have I considered the security of the network and the software interfaces/connection points? (Holistic approach)

(26)

HIPAA Security Rule: Risk Analysis

Factors to Consider

– Authentication

– Complex passwords

– Encryption (data at rest, in transit, and archived)

– Segregating BYOD network traffic from other traffic

– Network flow analysis

– Intrusion detection system

– Mobile device management

– Preventing and detecting rogue network devices (evil twin)

– Remote lock and wipe functionality

(27)

HIPAA Security Rule: Risk Analysis

Factors to Consider

– Operating system, firmware, application, middleware, interface, etc. updates (mobile devices and medical devices, including software & hardware components in between & network connectivity)

– Timely account de-provisioning (revoking system access: local and remote)

– Mobile applications

• Is the data remotely or locally stored?

• Does it comply with the HIPAA Privacy (e.g., use and disclosure of PHI) and Security Rules (e.g., technical safeguards)?

• Is the data encrypted and who has the key?

(28)

HIPAA Security Rule: Risk Analysis

Factors to Consider

– Secure web browser

– Secure e-mail

– Social media (shortened links that lead to malware; improperly posting ePHI)

– Texting and videoconferencing (none vs. secure end-to-end solutions)

– Camera/microphone (improperly recording PHI)

– Remote hosting of data (vs. local storage on device that may be lost or stolen, etc.)

– Media re-use and disposal

(29)

HIPAA Security Rule: Risk Analysis

Factors to Consider

– Backing up of data

• Are the backups encrypted?

– Network type and connectivity

(30)

HIPAA Security Rule: Risk Management

(The Basics)

Always keep in mind the need to ensure confidentiality, integrity, and availability of PHI and manage the risks identified in the risk analysis.

1. Based on the risk analysis, what are the risks that are medium and high?

• I.e., likelihood of exploitation and the impact of the threat / vulnerability

2. What medium and high risks can be lowered through policies, training, and access controls?

• If the risks can be lowered, then the risk analysis needs to be revised and the documentation needs to be
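The inventory-then-assess procedure from slides 23 and 30 (inventory the apps and devices that handle PHI, rate likelihood and impact, keep the medium/high risks, then re-rate after the controls that can lower them) can be kept as a small risk register. The following is an added example, not code from the presentation; the 3x3 risk matrix, the inventory entries, and the mapping of controls to the dimension they reduce are all constructed assumptions, and the in-scope test is the slide 18 question of whether the asset creates, receives, retains, or transmits ePHI.

```python
"""Risk register for mobile/medical devices handling ePHI (added example).

Constructed illustration of inventory -> inherent risk -> residual risk.
Every asset, rating, and control name below is sample data, not taken
from any real assessment.
"""
from dataclasses import dataclass, field

LEVELS = ("low", "medium", "high")

# Constructed 3x3 matrix: risk = f(likelihood, impact). Rule assumed here:
# a "high" in one dimension can be pulled down at most one step by the other.
RISK_MATRIX = {
    ("low", "low"): "low", ("low", "medium"): "low", ("low", "high"): "medium",
    ("medium", "low"): "low", ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium", ("high", "medium"): "high", ("high", "high"): "high",
}

# Constructed: which rating dimension each control reduces, and by how many steps.
# Encryption and remote wipe limit the impact of a lost device; MDM, training
# and access control lower the likelihood of misuse or exploitation.
CONTROL_EFFECT = {
    "full-disk encryption": ("impact", 1),
    "remote lock and wipe": ("impact", 1),
    "mobile device management": ("likelihood", 1),
    "workforce training": ("likelihood", 1),
    "role-based access control": ("likelihood", 1),
}


@dataclass
class Asset:
    name: str
    phi_type: str          # what PHI the asset handles (slide 23, step 1)
    actions: set           # subset of {"create", "receive", "retain", "transmit"}
    threat: str            # the threat/vulnerability being rated
    likelihood: str        # "low" | "medium" | "high"
    impact: str            # "low" | "medium" | "high"
    controls: list = field(default_factory=list)


def in_hipaa_scope(asset: Asset) -> bool:
    """Slide 18 test: does the asset create, receive, retain or transmit ePHI?"""
    return bool(asset.actions & {"create", "receive", "retain", "transmit"})


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the inherent risk from the constructed matrix; reject bad ratings."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError("ratings must be low, medium or high")
    return RISK_MATRIX[(likelihood, impact)]


def lower(level: str, steps: int = 1) -> str:
    """Step a rating down the scale, never below 'low'."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]


def residual_risk(asset: Asset) -> str:
    """Apply each listed control to the dimension it affects, then re-rate."""
    lik, imp = asset.likelihood, asset.impact
    for control in asset.controls:
        dim, steps = CONTROL_EFFECT[control]
        if dim == "likelihood":
            lik = lower(lik, steps)
        else:
            imp = lower(imp, steps)
    return risk_level(lik, imp)


def assess(inventory):
    """Return (name, inherent, residual) for each in-scope asset rated medium/high.

    Low-rated assets and assets that never touch ePHI are left out, which is
    the slide 30 question 1 filter; the residual column answers question 2.
    """
    rows = []
    for asset in inventory:
        if not in_hipaa_scope(asset):
            continue
        inherent = risk_level(asset.likelihood, asset.impact)
        if inherent == "low":
            continue
        rows.append((asset.name, inherent, residual_risk(asset)))
    return rows


# Constructed inventory list (slide 23, step 1).
INVENTORY = [
    Asset("clinician smartphone (BYOD)", "clinical notes via e-mail",
          {"receive", "retain"}, "loss/theft of device", "high", "high",
          ["full-disk encryption", "remote lock and wipe", "mobile device management"]),
    Asset("billing tablet", "claims data", {"create", "transmit"},
          "rogue application", "medium", "high", ["mobile device management"]),
    Asset("waiting-room kiosk", "none", set(), "user error", "medium", "low"),
    Asset("infusion pump (Wi-Fi)", "dosing records", {"transmit"},
          "wireless eavesdropping", "low", "high"),
]

if __name__ == "__main__":
    for name, inherent, residual in assess(INVENTORY):
        print(f"{name}: inherent={inherent}, residual={residual}")
```

Running the register as written reports the BYOD smartphone as high inherent but low residual once encryption, remote wipe, and MDM are counted, the billing tablet as high falling only to medium, and the infusion pump staying at medium with no controls listed; the kiosk never touches ePHI and is dropped from the HIPAA-scoped list. The residual column is what the slide says must then be written back into the revised risk analysis.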

(31)

HIPAA Security Rule: Risk Management

Factors to Consider

– How secure is the PHI? (At rest, in transit, archived)

– Is the PHI reasonably available?

• Is the application and data (PHI) reasonably available?

• Is there an ability to export the PHI in a non-proprietary format for interoperability purposes or to migrate the information to another app or device?

– In the event of a disaster or emergency, can the mobile data (and access to it via the mobile app/device/portal) enable business continuity?

• Consider: sum total of mobile data in the aggregate across all mobile users in an organization.

(32)

HIPAA Security Rule: Risk Management

Third Parties

What are the business associates and subcontractors doing with your data?

Under the HIPAA Omnibus Rule, business associates include the following (if they handle the healthcare provider’s, health plan’s, or clearinghouse’s PHI):

– Cloud providers

– Health information exchanges

– Health information organizations

– e-Prescribing gateways

– Personal health record vendors

– Subcontractors

(33)

HIPAA Security Rule: Risk Management

Business Associates & Subcontractors

What are the business associates and subcontractors doing with your ePHI?

1. Perform due diligence (e.g., review of Security Rule policies and procedures, training, network/security infrastructure documents, etc.)

– Is the business associate or subcontractor located in the US?

– Where are the hosting facilities and data centers located?

2. Obtain a business associate agreement / subcontractor agreement and set forth the expectations

– Consider whether you want to permit business associates/subcontractors to use de-identified (non-personally identifiable) health information (e.g., data

(34)

Questions/Contact Information

Lee Kim, Esq.

Tucker Arensberg, P.C.

1500 One PPG Place

Pittsburgh, PA 15222

lkim@tuckerlaw.com

(412)594-3915 (work)

(412)606-5064 (cell)

(35)

References

• HIPAA Omnibus Rule

http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf

• OCR and NIST Security Rule Guidance

– http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html

• NIST Computer Security Guidance (Special Publications)

– http://csrc.nist.gov/publications/PubsSPs.html

• mHIMSS Mobile Privacy & Security Toolkit

http://www.mhimss.org/resource/mhimss-mobile-privacy-security-toolkit

• HIPAA Audits

– http://www.hhs.gov/ocr/privacy

(36)

References

• OCR HIPAA Audit Program Protocol

– http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

• Breaches Affecting 500 or More Individuals

– http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

• Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

– http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html

• Safeguarding Health Information: Building Assurance through HIPAA Security

(37)

References

• Nationwide Rollup Review of the Centers for Medicare & Medicaid

– http://oig.hhs.gov/oas/reports/region4/40805069.pdf

• Federal Risk and Authorization Management Program

– http://www.fedramp.gov

• OWASP Mobile Security Project - Top Ten Mobile Risks

– https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks

• Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm

(38)

References

• HITRUST Common Security Framework

– http://www.hitrustalliance.net/commonsecurityframework/

• ANSI/AAMI/IEC 80001-1:2010, Application of risk management for IT Networks incorporating medical devices - Part 1: Roles, responsibilities and activities

– http://www.aami.org/publications/standards/80001.html

• Direct: Implementation Guidelines to Assure Security and Interoperability

(39)

References

• Health IT Policy Committee Privacy & Security Tiger Team

http://www.healthit.gov/policy-researchers-implementers/federal-advisory-committees-facas/privacy-security-tiger-team

• NIST Cybersecurity Framework Workshop

– http://www.nist.gov/itl/csd/framework-042513.cfm

• NIST National Cybersecurity Center of Excellence

– http://csrc.nist.gov/nccoe/

• Third Annual Benchmark Study on Patient Privacy & Data Security

– http://www2.idexpertscorp.com/assets/uploads/ponemon2012/Third_Annual_Study_on_Patient_Privacy_FINAL.pdf

(40)

References

• 2nd Annual HIMSS Mobile Technology Survey

– http://www.himssanalytics.org/research/AssetDetail.aspx?pubid=81559&tid=131

• World Privacy Forum
