Industry Brief

                            Ensuring Security and Privacy in the Rapidly Growing
                         ...
While HIEs have been getting significant attention
                           lately because of the infusion of government...
Operational Considerations                               to ensure compliance as well as enabling customers
              ...
structured risk management approach must include         Information Management
         identification and valuation of a...
Upcoming SlideShare
Loading in...5
×

Ensuring Security and Privacy in the HIE Market - Redspin Information Security

775

Published on

Ensuring Security and Privacy in the Rapidly Growing
Healthcare Information Exchange Market

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
775
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
24
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Ensuring Security and Privacy in the HIE Market - Redspin Information Security

  1. 1. Industry Brief Ensuring Security and Privacy in the Rapidly Growing Healthcare Information Exchange Market Recently, the first major distribution of HITECH Act Healthcare Information Exchange Background funds occurred when the Department of Health and Human Services (HHS) awarded over $547 The fundamental forces behind the adoption of million to states and territories for the establishment HIEs are pressures for modernization, improved of public Health Information Exchanges (HIEs). effectiveness of business processes, and increased These exchanges are intended to provide the management efficiencies. Most healthcare providers technology and infrastructure to support electronic in the United States still rely on paper records to sharing of data among hospitals, physicians, maintain, store, and share patient’s information. This clinical laboratories, pharmacies, health plans results in slow and cumbersome communications, (insurers), and public health departments. The often contributes to improper treatment, and lacks adoption of HIEs offers benefits to both providers the capability to secure information at many points and patients resulting from the electronic sharing in the system. HIEs address these deficiencies by The adoption of HIEs of health information such as improved quality of facilitating the sharing of electronic health information care, increased patient safety, reduced cost and by delivering services and technology that allow offers benefits to both increased efficiency of administrative functions. providers to request and receive information about However, HIEs may also increase the potential for providers and patients patients from other providers. A simplified model of misuse of data and they provide a high value target an HIE is shown in Figure 1. resulting from the for cyber crime organizations. This brief explores best practices for ensuring security and privacy electronic sharing of within HIE deployments and considers both the health information such business and technology driven forces shaping this emerging market. as improved quality of care, increased patient safety, reduced cost, and increased efficiency of administrative functions. Laboratories Physician’s Office Healthcare Information Exchange Public Health Dept. Hospital Physician’s Office Public Health Dept. Redspin, Inc. 800-721-9177 Figure 1. Simplified View of a Healthcare Information Exchange www.redspin.com Page 1
  2. 2. While HIEs have been getting significant attention lately because of the infusion of government money, Qual Rptg efforts to establish organizations that enable the Imaging EMR-b EMR-a App-n sharing of electronic healthcare information began One of the major in the early 1990s. These organizations, called Community Health Information Networks, evolved challenges to overcoming into Regional Health Information Organizations in the early 2000s. In 2009, according to the API driving HIE success, is eHealth Initiative (ref.1), there are 57 HIEs in a associated with ensuring fully operational state and nearly 100 others not HIE Cloud yet operational but readying market engagement “Platform as a Service” security and privacy, plans. 2010 represents a crucial year for HIEs as well as efficiently as states form and deploy their strategic and Figure 2. HIE Cloud Platform operational plans, and product vendors as well as demonstrating compliance service providers position themselves to tap into the with HIPAA and HITECH funding. Act requirements. Emerging HIE Deployment Models The platform as a service model can be very powerful in the HIE environment because security One of the major challenges to overcoming driving and privacy services can be leveraged by the HIE success, is associated with ensuring security applications as well as the providers and consumers and privacy, as well as efficiently demonstrating of the information. However, for rapid deployment compliance with HIPAA and HITECH Act and efficient ongoing operations, it is critical the requirements. With user requirements ranging providers of healthcare cloud services communicate from large hospitals to small physician’s offices, security, privacy, and compliance practices and answers to basic questions such as appropriate procedures to customers in a transparent fashion. technical protection mechanisms, and access The hospitals, laboratories, and physician practices controls present significant challenges (ref.2,3). To that form the customer base of the HIE need to be a certain extent, forming the appropriate answers to able to understand this information and ensure their questions of security and privacy requires definition security, privacy, and compliance needs are met. of the compute and storage model that will be most The following sections explore various domains of prevalent in the environment. In many respects, the governance and operation that are relevant in HIE leading model that is emerging in the HIE market deployments and provide guidance for optimizing is that of a cloud services based platform. In this security and privacy both for platform providers as model the cloud service provider is responsible for well as end customers. providing highly scalable services, authorization, access control, audit logging, and data protection. HIE Privacy and Security Considerations Many vendors such as Axolotl, Covisint, IBM, Microsoft HealthVault/Amalga, and Medicity have announced offerings in some form. These have The following sections form an outline for driving included API’s that allow specialized applications optimization of security, privacy, and compliance to be developed rapidly while taking advantage of management processes and practices for HIE the core infrastructure services. Example applications platform providers, operators, and customers. These range from clinical decision support to meaningful considerations have been derived from general use reporting. An illustration of this framework is purpose work done by the Cloud Security Alliance shown in Figure 2. and the Open Group (ref.4,5) that covers security in cloud services environments in forms ranging from Infrastructure as a Service (IaaS) to Software as a Service (SaaS). Redspin, Inc. 800-721-9177 www.redspin.com 1. eHealth Initiative; Migrating Toward Meaningful Use: The State of Health Information Exchange; August 2009 2. New England Journal of Medicine; The Use of Electronic Healthcare Records in U.S. Hospitals; April 2009 3. U.S. General Accounting Office; Electronic Personal Health Information Exchange – Healthcare Entities’ Reported Disclosure Practices and Effects on Quality of Care; February 2010 4. Cloud Security Alliance; Security Guidance for Critical Areas of Focus in Cloud Computing v2.1; December 2009 Page 2 5. The Open Group; Jericho Forum Cloud Computing Self-Assessment; March 2010
  3. 3. Operational Considerations to ensure compliance as well as enabling customers to leverage their existing identity stores. Virtualization Virtual machine technology is a key enabler of Incident Response efficient cloud services. Operators and customers Platform providers need The same principles that make cloud services need to be concerned about the practices for deployments economically efficient can add to build in security compartmentalizing and hardening VM systems. Platform providers need to be able to communicate confusion and complexity in the case of a data processes that facilitate their security processes surrounding these systems. breach or general security incident. It is critical for Particular attention must be placed on the security customers to insist upon a prearranged plan and effective and efficient understand the communications mechanisms with controls used to protect administrative interfaces operation of a Security exposed to operators and customers. the operator’s incident response team. Platform providers need to build in security processes Operations Center (SOC). that facilitate effective and efficient operation Encryption and Key Management of a Security Operations Center (SOC). This This should include a Strong encryption is one of the core mechanisms should include a security information and event security information for protecting sensitive healthcare data. Although management (SIEM) system that consolidates data encryption itself does not prevent data loss, safe sources such as application logs, firewall logs and and event management harbor provisions associated with state laws network monitoring systems into a common analysis (SIEM) system that and HIPAA regulations treat encrypted data as and alerting center. acceptable loss. Customers and operators need consolidates data sources to understand the provisions for encrypting data Business Continuity and Disaster Recovery such as application logs, at rest, data in transit, and data stored on backup The rapid pace of change and in some cases media. Platform providers need to articulate their the lack of transparency associated with cloud firewall logs and network encryption programs and methods associated with computing, requires that customers closely examine monitoring systems into key management. Important areas to understand and continuously monitor the business continuity with respect to key management include protection and disaster recovery capabilities built in by cloud a common analysis and mechanisms for key stores, access procedures to platform providers and implemented by operators. key stores, and key backup/recovery processes. Customers need to ensure that recovery time alerting center. objectives are well defined in contractual documents Application Security and that operational capabilities can satisfy these As the application layer provides the most prevalent requirements. avenue of attack for cyber criminals and hackers, Governance Considerations particular attention must be paid to this area. Applications require design, testing, and change Governance management rigor similar to business critical Effective information security governance calls applications typically residing in a classic DMZ. In for collaboration among customers, operators, an HIE, platform providers are delivering their own and cloud platform providers. Programs must be applications as well as providing system services, structured to scale with business requirements, API’s, and libraries. Platform providers should also provide measurability, sustainability, and continuous ensure consistent usage of application management improvement as well as cost effectiveness on an utilities and coupling to external services. ongoing basis. Customer organizations should include a review of information security governance Identity and Access Management and processes as part of their due diligence in Effective management of identity and access control assessing operational organizations. The review is one of the most significant challenges in the should also include specific security controls that healthcare IT sector and presents multiple compliance support management processes. issues. Platform providers, operators, and customers need to understand several major areas including Risk Management provisioning, authentication, authorization, Given the lack of control over infrastructure and federation, and user profile management. As facilities in cloud services deployments, service an example, coordination across stakeholders level agreements, business associate agreements, groups is essential to provide a consistent single and contractual obligations, and platform sign-on authentication across applications from documentation play a larger role than with multiple sources. Platform providers need to clearly traditional on premise healthcare IT systems. A well Redspin, Inc. communicate their security processes in these areas 800-721-9177 www.redspin.com Page 3
  4. 4. structured risk management approach must include Information Management identification and valuation of assets, ongoing The value of an HIE is dependent upon effective analysis of threats and vulnerabilities coupled with information management across the lifecycle from their potential impact on the assets, analysis of the creation to destruction. Customers, operators, and likelihood of scenarios, and the development of cloud platform providers all play critical roles. In the programs to manage risk (control, avoid, transfer, data creation phase, the cloud platform provider and accept). The risk management program should be application developers must work with customers to facilitated by the cloud platform provider, carried identify data labeling and classification capabilities. out by the operating organization, and reflected in To protect stored data the operators and cloud service agreements with customers. platform providers must identify appropriate access controls and encryption solutions. Data in use must Compliance and Audit be protected by application logic and object level HIE customers are subject to HIPAA and HITECH controls within DBMS systems. Archived data should Act regulations as well as other state or industry be encrypted with a key management process mandated requirements. Customers should involve consistent with other data protection mechanisms. legal and contract teams to ensure their particular Data destruction can be accomplished through compliance requirements will be met given the a variety of means ranging from disk wiping to cloud platform intended for deployment and the physical destruction. Content discovery may be used operational procedures in place. Customers should as a mechanism to confirm destruction processes. insist upon a right to audit clause in contracts given Summary the fluid nature of regulations in the healthcare The HIE market will evolve rapidly over the next industry. The cloud services provider should offer year. Effective and efficient information security a SAS 70 Type II audit statement as a minimum management is a condition for success in the requirement and point of reference for assessors. case of customers, operators, and cloud platform Since HIEs are offering mission critical services and providers. We’ve shown that maximizing the impact protecting high value data, cloud services providers of the promise of HIE systems will require close should strive for ISO/IEC 27001 certification for cooperation in the information security management information security management systems. Consider area among all parties involved and the payback a security assessment focusing on HIPAA and will come in both economic benefits as well as HITECH act compliance to facilitate the process. improved patient outcomes. About Redspin Redspin is a leading provider of Information Security Assessment solutions that utilize a top-down, risk- based approach to providing a gap analysis of companies’ infrastructures. Companies can reduce risk, improve compliance, and increase the value of their business unit and IT portfolio by relying on Redspin as their objective information security partner. By leveraging our award-winning security engineers, Redspin presents detailed and actionable recommendations that provide cost-effective mitigation measures and specific prioritized findings, enabling you to resolve your network vulnerabilities. With more than 10 years of expertise, Redspin delivers its services to companies over a wide range of industries including banks/financial services, healthcare, Fortune 1000, retailers/eCommerce, and technology providers. WHEN YOU REALLY WANT TO KNOW... CALL REDSPIN Phone 800-721-9177 Web WWW.REDSPIN.COM Email INFO@REDSPIN.COM Page 4

×