Securing Patient Portals

Academic year: 2021


(1)

Securing Patient Portals

What you need to know to comply with HIPAA Omnibus and Meaningful Use

Brian Selfridge, Partner, Meditology Services, LLC

(2)

6/3/15  


Brian Selfridge, Meditology

•  12+ years experience in healthcare IT security and compliance leadership

•  Previously CISO of AtlantiCare and healthcare security practice at PricewaterhouseCoopers

•  Published author, certified CISSP and Info systems security and info assurance by CNSS & NSA

•  Leads Meditology’s IT Risk Management practice

Meditology is dedicated to delivering expertise and leadership in information privacy and security, compliance,

(3)


Blake Sutherland, Trend Micro

•  15+ years experience in security

•  Helped to bring Cloud Security to the forefront at Third Brigade – acquired by Trend Micro

•  Experience with HITRUST

Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our innovative security solutions for consumers, businesses and governments protect information on mobile devices, endpoints, gateways, servers and the cloud.

(4)


Agenda

•  Introductions

•  Healthcare Industry Trends

•  Incentives & Penalties

•  Patient Portal Security Requirements

•  How to Address Security Requirements

•  Trend Micro Security for Patient Portals

(5)

HEALTHCARE INDUSTRY TRENDS


(6)

Healthcare Industry Trends

•  The move to 3rd party hosted applications is shifting security administration, but not the risk

•  Market and regulatory pressures are driving rapid portal adoption

•  Mandatory breach notification under HITECH is increasing visibility for data loss events

•  Oversight from federal and state agencies is ramping up

o OCR

o CMS

o State Attorneys General

(7)

INCENTIVES & PENALTIES


(8)

Incentives & Penalties

•  Patient Portals and Meaningful Use (MU)

o HITECH provides $19.2 billion in incentive payments to promote EHR adoption

o Requires “certified” EHR technology and deployment of a secure patient portal

o Incentive payments scale from individual providers to large health systems

o MU also establishes penalties in future years for providers that have not met requirements

(9)

Incentives & Penalties (continued)

•  HIPAA / HITECH / Omnibus

o Penalties can be up to $1.5 million per year per violation

Covered Entity                                  OCR Fine
New York and Presbyterian Hospital (NYP)        $4,800,000
Columbia University (CU)                        $4,800,000
WellPoint Inc.                                  $1,700,000
Affinity Health Plan, Inc.                      $1,215,780
Idaho State University                          $400,000
Shasta Regional Medical Center                  $275,000
Skagit County                                   $215,000

(10)

PATIENT PORTAL SECURITY REQUIREMENTS

(11)


(12)

Portal Security Scope

[Figure: Portal Security Scope. HIPAA Security Rule: Risk Analysis; Administrative; Physical; Technical. ARRA / MU Patient Portal Requirements: Secure Messaging; Patients Download Data; Reminders; Educational Materials.]

(13)

MU & Portal Security Myths

Source: The Office of the National Coordinator for Health Information Technology (ONC), 2014.

(14)

HOW TO ADDRESS SECURITY REQUIREMENTS

(15)

Risk Assessment Process

•  There is no single prescriptive method that guarantees compliance with the Security Rule, but a typical security risk assessment includes the following steps:

o  Assess risks and identify potential threats to the confidentiality, integrity and availability of ePHI.

o  Respond to risks by creating a Corrective Action Plan and prioritizing remediation efforts.

o  Continuously monitor changes that may affect security controls and update the Corrective Action Plan.

[Figure: Assess Risks → Respond to Risks → Monitor]

(16)

Determination of Risk

[Figure: Determination of Risk. Inputs: Relevant Threats; Internal and External Vulnerabilities; Degree of harm that may occur; Likelihood that harm will]

(17)

Corrective Action Plan

[Figure: Corrective Action Plan. Threats & Vulnerabilities → Degree of Risk → Remediation Priority. Each CAP item carries: Start & End Date; Owner; Milestones.]

(18)

Monitor Risks

[Figure: Monitor Risk. Inputs: Key Performance Indicators; Changes to systems, environment; Compliance; CAP Progress.]

(19)

Sharing the Risk

“Third-party snafus are attributed for 41 percent of breaches.”

“Over the past three years, the number of security incidents at companies attributed to partners and vendors has risen—increasing from 20% in 2010 to 28% in 2012.”

“76% of data breaches analyzed by TrustWave resulted from a third-party which introduced the security deficiencies that were ultimately exploited.”

(20)

Technical Vulnerabilities

•  Identify potential vulnerabilities to the patient portal through technical testing including:

o Application-level vulnerabilities

o Supporting infrastructure and platforms

o Web servers

o Databases

o Access and authentication

•  Assess against standards such as HITRUST and the Open Web Application Security Project (OWASP)

•  Conduct routine scanning to identify vulnerabilities over time

(21)

Source: OWASP, 2014

(22)

Technical Vulnerabilities

•  Encryption Requirements

o Stage 2 of MU specifically requires addressing the encryption and security of data stored and transmitted via the certified EHR technology

o Verify encryption is in place and actively protecting ePHI

•  Encryption Solutions

o Encrypt data at rest including in backups, laptops, and mobile devices

o Use Extended Validation (EV) SSL certificates to secure all transactions and communications on the portal and to visually indicate to visitors that the site is secure.
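"Verify encryption is in place" is a recurring check, not a one-time deployment step, and the thing to verify is what the portal actually negotiates with a client rather than what the vendor says is configured. The script below is an added example in Python's standard library, not code from the deck, Meditology or Trend Micro: it completes a TLS handshake, records the negotiated protocol and cipher plus the certificate's expiry and DNS names, and scores the result against an assumed policy (TLS 1.2 or later, no legacy cipher families, certificate valid and bound to the portal's hostname). The host names, dates and the two sample handshake reports are constructed so the evaluation can run offline. One caveat: the certificate dictionary that `ssl` exposes does not carry certificate policy OIDs, so the EV status the slide recommends is not something this check can confirm; it covers the encryption properties, not the validation class of the certificate.

```python
"""Verify what a portal's TLS endpoint actually negotiates, then score it against a policy.

Added example, not code from the deck or from Trend Micro / Meditology. Host names,
dates and the sample reports are constructed. The stdlib certificate dict does not
expose certificate policy OIDs, so EV status is not checked here; the check covers
protocol version, cipher, validity period and hostname binding.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Substrings that mark a cipher suite as unacceptable for ePHI in transit (assumed policy).
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5")
EXPIRY_WARNING_DAYS = 30


def connection_report(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Complete a TLS handshake with the portal and record what was negotiated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "not_after": cert.get("notAfter", ""),
                "san": [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"],
            }


def hostname_matches(host: str, san_names: list) -> bool:
    """Exact DNS-SAN match, or a wildcard that covers exactly one label."""
    host = host.lower()
    for name in san_names:
        name = name.lower()
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def evaluate(report: dict, host: str, now: datetime) -> list:
    """Return the policy failures for one report; an empty list means the endpoint passes."""
    problems = []
    if report["protocol"] not in ACCEPTED_PROTOCOLS:
        problems.append(f"legacy protocol negotiated: {report['protocol']}")
    if any(marker in report["cipher"].upper() for marker in WEAK_CIPHER_MARKERS):
        problems.append(f"weak cipher negotiated: {report['cipher']}")
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(report["not_after"]), tz=timezone.utc)
    if expiry <= now:
        problems.append(f"certificate expired on {expiry.date()}")
    elif (expiry - now).days < EXPIRY_WARNING_DAYS:
        problems.append(f"certificate expires within {EXPIRY_WARNING_DAYS} days ({expiry.date()})")
    if not hostname_matches(host, report["san"]):
        problems.append(f"certificate does not name {host}")
    return problems


# Constructed reports standing in for two handshakes (no network needed).
SAMPLE_HOST = "portal.example-hospital.org"
SAMPLE_REPORTS = {
    "compliant": {
        "protocol": "TLSv1.2",
        "cipher": "ECDHE-RSA-AES256-GCM-SHA384",
        "not_after": "Jun 15 12:00:00 2016 GMT",
        "san": ["portal.example-hospital.org", "www.example-hospital.org"],
    },
    "noncompliant": {
        "protocol": "TLSv1",
        "cipher": "RC4-SHA",
        "not_after": "May 01 00:00:00 2015 GMT",
        "san": ["*.other-vendor.net"],
    },
}


def run_samples() -> dict:
    """Evaluate both constructed reports as of the deck's date."""
    now = datetime(2015, 6, 3, tzinfo=timezone.utc)
    return {name: evaluate(report, SAMPLE_HOST, now) for name, report in SAMPLE_REPORTS.items()}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_HOST
    live = connection_report(target)
    print(live)
    print(evaluate(live, target, datetime.now(tz=timezone.utc)) or ["pass"])
```

Run as `python tls_check.py portal.yourdomain.example` to test a live endpoint; the report is deliberately a plain dictionary so the same evaluation can be applied to stored results from earlier runs, which is what turns a one-off check into the routine verification the slide calls for.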

(23)

Blake Sutherland

What to look for in a Patient Portal Security Solution

(24)

Trend Micro Security for Patient Portals

[Figure: Patient Portal Landscape. An On-Premise Data Center and a Third Party / Cloud Hosted Data Center, each hosting systems such as EHR, Billing / Finance, Analytics, Lab, Claims, Pharmacy, Home Health, Human Resources and the Patient Portal web app; Medical Devices connect into the environment.]

Patient Portal Vendors

•   Epic MyChart

•   Cerner Patient Portal

•   RelayHealth Portal

•   McKesson My Care Plus

•   Intuit Health Portal

•   AllScripts Portal

•   eClinicalWorks Portal

•   Jardog’s FollowMyHealth

•   NextGen

Security for Patient Portals

•   Web site: DS for Web Apps

•   Data: SecureCloud

•   Data Center: Deep Security

•   Advanced Threats: Deep Discovery

•   Endpoints: OfficeScan, Email Encryption, InterScan Web Security, InterScan Messaging Security, ScanMail

(25)

Recommendation Reminder

Trend Micro can help.

Request your Patient portal health check today!

webappsecurity.trendmicro.com

You need a Patient Portal security approach that addresses:

•  Routine risk assessment and corrective action tracking

•  Comprehensive vulnerability detection

•  Actionable insight on vulnerabilities for faster mitigation

•  Security for your entire ecosystem – including patient portal, data center, medical devices, end user devices and sensitive data

(26)

Questions?

•  Thank you for your time

(27)

For more information visit webappsecurity.trendmicro.com

Brian Selfridge
Meditology Services
[email protected]

Blake Sutherland
Trend Micro
[email protected]

© 2014 Meditology Services, Atlanta, GA. All Rights Reserved
