1.
Keep Your Healthcare Databases
Secure and Compliant
Kim Brushaber, Senior Product Manager, IDERA
Stan Geiger, Director, Product Management, Multi-Platform Tools, IDERA

2.
Agenda
▪ Overview
▪ What is HIPAA?
▪ HIPAA Violations
▪ Data Breaches
▪ Data Compliance
▪ Demo
▪ Questions

3.
Overview
▪ Healthcare Regulations
– The Social Security Act governs funding and requirements for
Medicare, Medicaid, CHIP, and more.
– HIPAA and the HITECH Act protect patient privacy, requiring
healthcare organizations to implement measures to keep
patient records secure.
– Federal Information Security Management Act (FISMA)
– The False Claims Act makes it illegal to file a false claim for
funds from a federal program.
– The Patient Protection and Affordable Care Act implemented
new requirements for insurance, Medicaid, and more.

4.
HIPAA
▪ The Privacy Rule establishes a set of standards that
address how patient information can be used and
disclosed.
▪ Applies to three entity types:
– Health care providers
– Health plans
– Health care clearinghouses

5.
HIPAA
▪ Health care providers
– Any provider that electronically transmits patient
information in connection with claims, eligibility
requests, referral authorizations, or similar
transactions
– Applicable transaction types are specified in the
HIPAA Transactions Rule

6.
HIPAA
▪ Health plans
– Individual and group plans that provide or pay
the cost of medical care
– Entities
• Health maintenance organizations (HMOs)
• Medicare
• Medicaid
• Health or dental insurers
• Employer-sponsored group health plans

7.
HIPAA
▪ Health care clearinghouses
– Entities that process patient data on behalf of
health plans or health care providers
– Transforms the data in some way from a
nonstandard format to a standard format
– Included organizations:
• Billing services
• Community health management information
services.

8.
HIPAA
▪ Privacy Rule
– Protects all individually identifiable health
information
– Identifiable information
• The patient’s past, preset, or future physical or mental
health
• Any health care services that the patient has received
• Any payment information related to the patient’s care
that can be used to identify the patient

9.
Penalties
▪ Penalties
– Fines of $100 to $50,000 or more per violation
– Calendar cap of $1.5 million
– Individuals can also face criminal penalties up
to $250,000 and 10 years imprisonment

10.
HIPAA
▪ Electronic PHI
– Ensure the integrity, confidentiality, and availability of all e-
PHI data in their possession.
– Identify and protect against anticipated threats to the e-PHI
data.
– Protect against anticipated non-permitted uses or
disclosures.
– Ensure that e-PHI data is not available to or disclosed to
non-authorized individuals in the workforce.

11.
HIPAA
▪ Electronic PHI security
– Protection standards
• Administrative protections
• Physical protections
• Technical protections

12.
HIPAA and the DBA
▪ Ensure the confidentiality, integrity, and
availability of all electronic PHI data
▪ Prevent unauthorized individuals from
viewing, altering, or destroying the data,
while providing authorized users access
▪ Identify and protect against anticipated
threats as well as impermissible uses or
disclosures

13.
HIPAA and the DBA
▪ Training
– Covered entity must train all workforce members on the
policies and procedures with respect to protecting PHI data.
– Covered entity should apply sanctions against workforce
members who fail to comply with the policies and
procedures.
– DBAs will participate in the process of writing policies and
procedures and training workforce members depending on
the organization and their circumstance.
– DBAs should fully understand the risks associated with
violating HIPAA regulations and what steps to take if they
discover a violation.

14.
HIPAA and the DBA
▪ Securing environment
– Covered entity must assess the potential risks and
vulnerabilities to the electronic PHI and then implement
security measures to reduce those risks.
– Implement procedures for guarding against malicious
software as well as for managing and protecting passwords.
– Implement mechanisms for limiting and controlling physical
access to systems and facilities that house PHI data, while
providing for disaster recovery and emergency access.
– Implement safeguards that protect workstations accessing
PHI data, along with any other hardware or electronic media
used for sensitive data.
– Responsible for the proper disposition of PHI data from any
hardware or media on which it has resided.

15.
HIPAA and the DBA
▪ Controlling access
– Ensure that workforce members have “appropriate access”
to electronic PHI, based on their roles in the organization.
– Implement procedures for authorizing workforce members,
supervising their access to data, determining whether that
access is appropriate, and terminating that access when
required.
– Assign a unique ID to each user for identifying and tracking
that user’s activities.
– Implement procedures for obtaining PHI data during an
emergency, terminating electronic sessions after a
predetermined time of inactivity, and encrypting and
decrypting PHI data.

16.
HIPAA and the DBA
▪ Auditing and monitoring systems
– Implement procedures for monitoring log-in attempts and
reporting discrepancies.
– Implement “hardware, software, and/or procedural
mechanisms that record and examine activity in information
systems that contain or use electronic protected health
information.
– Implement electronic mechanisms to verify that the PHI data
has not been “altered or destroyed in an unauthorized
manner.”

17.
HIPAA and the DBA
▪ Prepare for security incidents
– Provide individuals with a process for making complaints
about the organization’s policies and procedures or about its
compliance with those policies and procedures.
– You cannot retaliate against individuals who exercise their
rights, as provided by the Privacy Rule.
– Take the steps necessary to mitigate any harmful effects
that result from PHI data being compromised.
– Identify and respond to “suspected or known security
incidents; mitigate, to the extent practicable security
incidents that are known and document security incidents
and their outcomes.”

18.
HIPAA and the DBA
▪ Document, document, document
– Sanctions against workforce members must be
documented, as well as all policies and procedures.
– Documentation must be retained for six years from the
creation date or when it was last in effect, whichever is later.
– Maintain a “record of the movements of hardware and
electronic media and any person responsible therefore.”
– Documentation should be updated as needed in response to
environmental or operational changes.

19.
Head spinning yet?

20.
Notable HIPAA Violations

21.
Fired Surgeon Sentenced to Prison
• Huping Zhou, former cardiothoracic surgeon, was fired
from his job as a researcher at the UCLA School of
Medicine

22.
Fired Surgeon Sentenced to Prison
• Huping Zhou, former cardiothoracic surgeon, was fired
from his job as a researcher at the UCLA School of
Medicine
• After being fired, he illegally accessed the UCLA Medical
Records over 300 times

23.
Fired Surgeon Sentenced to Prison
• Huping Zhou, former cardiothoracic surgeon, was fired
from his job as a researcher at the UCLA School of
Medicine
• After being fired, he illegally accessed the UCLA Medical
Records over 300 times
• He viewed records on his immediate supervisor, his
coworkers, and several celebrities (including Arnold
Schwarzenegger, Drew Barrymore, Leonardo DiCaprio,
and Tom Hanks)

24.
Fired Surgeon Sentenced to Prison
• Huping Zhou, former cardiothoracic surgeon, was fired
from his job as a researcher at the UCLA School of
Medicine
• After being fired, he illegally accessed the UCLA Medical
Records over 300 times
• He viewed records on his immediate supervisor, his
coworkers, and several celebrities (including Arnold
Schwarzenegger, Drew Barrymore, Leonardo DiCaprio,
and Tom Hanks)
• OUTCOME: He was sentenced to 4 months in jail and a
$2000 fine

25.
Billing Gone Wrong
• Dr. Barry Helfmann, president-elect of the American
Group Psychotherapy Association

26.
Billing Gone Wrong
• Dr. Barry Helfmann, president-elect of the American
Group Psychotherapy Association
• His employees regularly forwarded past due patient bills
to collections firms

27.
Billing Gone Wrong
• Dr. Barry Helfmann, president-elect of the American
Group Psychotherapy Association
• His employees regularly forwarded past due patient bills
to collections firms
• The bills contained protected info like CPT codes which
can reveal patient diagnoses

28.
Billing Gone Wrong
• Dr. Barry Helfmann, president-elect of the American
Group Psychotherapy Association
• His employees regularly forwarded past due patient bills
to collections firms
• The bills contained protected info like CPT codes which
can reveal patient diagnoses
• OUTCOME: The State of New Jersey sought to suspend
and revoke Helfmann’s license

29.
Sorry, Wrong Number
• In 2013, an HIV-positive patient asked an office manager
to fax his medical records to his new urologist

30.
Sorry, Wrong Number
• In 2013, an HIV-positive patient asked an office manager
to fax his medical records to his new urologist
• The very busy office manager accidentally faxed them to
the man’s new employer

31.
Sorry, Wrong Number
• In 2013, an HIV-positive patient asked an office manager
to fax his medical records to his new urologist
• The very busy office manager accidentally faxed them to
the man’s new employer
• OUTCOME: Luckily, the result was only a sternly worded
warning and a mandate for regular HIPAA training for all
employees

32.
Caught Red-Handed
• A Virginia clinic caught 14 employees who had
improperly viewed the medical files of a high profile
patient without a legitimate need

33.
Caught Red-Handed
• A Virginia clinic caught 14 employees who had
improperly viewed the medical files of a high profile
patient without a legitimate need
• The clinic caught the employees thanks to a logging
system on the backend of their IT systems which tracked
all access to files containing personal health information

34.
Caught Red-Handed
• A Virginia clinic caught 14 employees who had
improperly viewed the medical files of a high profile
patient without a legitimate need
• The clinic caught the employees thanks to a logging
system on the backend of their IT systems which tracked
all access to files containing personal health information
• OUTCOME: The 14 employees were dismissed from
their jobs

35.
Oops, I Did It Again
• In 2008, six doctors and thirteen employees at UCLA
Medical Center viewed Britney Spears’ medical records
after her 2008 psychiatric hospitalization

36.
Oops, I Did It Again
• In 2008, six doctors and thirteen employees at UCLA
Medical Center viewed Britney Spears’ medical records
after her 2008 psychiatric hospitalization
• Many of the employees were non-medical support staff
and none of them had a legitimate medical need to view
the health records

37.
Oops, I Did It Again
• In 2008, six doctors and thirteen employees at UCLA
Medical Center viewed Britney Spears’ medical records
after her 2008 psychiatric hospitalization
• Many of the employees were non-medical support staff
and none of them had a legitimate medical need to view
the health records
• This was the 2nd breach involving Britney Spears – in
2005, staff at another UCLA hospital were caught
peeking at her records after her son was born

38.
Oops, I Did It Again
• In 2008, six doctors and thirteen employees at UCLA
Medical Center viewed Britney Spears’ medical records
after her 2008 psychiatric hospitalization
• Many of the employees were non-medical support staff
and none of them had a legitimate medical need to view
the health records
• This was the 2nd breach involving Britney Spears – in
2005, staff at another UCLA hospital were caught
peeking at her records after her son was born
• OUTCOME: The 13 employees were fired and the 6
doctors were suspended

39.
Reality TV Ain’t What It Used to Be
• In 2013, an ABC reality TV show called NY Med filmed
two hospital patients at New York–Presbyterian Hospital
without their consent

40.
Reality TV Ain’t What It Used to Be
• In 2013, an ABC reality TV show called NY Med filmed
two hospital patients at New York–Presbyterian Hospital
without their consent
• During the filming, one of the patients died in the
emergency room

41.
Reality TV Ain’t What It Used to Be
• In 2013, an ABC reality TV show called NY Med filmed
two hospital patients at New York–Presbyterian Hospital
without their consent
• During the filming, one of the patients died in the
emergency room
• The hospital gave ABC unfettered access, creating a
situation where the protection of personal health
information was not possible

42.
Reality TV Ain’t What It Used to Be
• In 2013, an ABC reality TV show called NY Med filmed
two hospital patients at New York–Presbyterian Hospital
without their consent
• During the filming, one of the patients died in the
emergency room
• The hospital gave ABC unfettered access, creating a
situation where the protection of personal health
information was not possible
• OUTCOME: The hospital paid a $2.2 million settlement

43.
2018 Violations and Fines

44.
HIPAA Violations – 2018
In October, Anthem, Inc. (a licensee of BCBS) agreed to
pay a record breaking $16 million after the largest health
data breach in US history affected almost 79 million people.
https://www.hhs.gov/about/news/2018/10/15/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-health-data-breach-history.html
4
4

45.
In September, three healthcare institutions were collectively
fined $999,000 after allowing ABC to film a medical
documentary TV series without first obtaining authorization
from the patients.
https://www.hhs.gov/about/news/2018/09/20/unauthorized-disclosure-patients-protected-health-information-during-abc-filming.html
4
5
HIPAA Violations – 2018

46.
In September, three healthcare institutions were collectively
fined $999,000 after allowing ABC to film a medical
documentary TV series without first obtaining authorization
from the patients.
ABC didn’t learn from 2013
https://www.hhs.gov/about/news/2018/09/20/unauthorized-disclosure-patients-protected-health-information-during-abc-filming.html
4
6
HIPAA Violations – 2018

47.
In June, UT’s MD Anderson Cancer Center was fined $4.3
million due to the theft of an unencrypted laptop and the
loss of two unencrypted USB drives. The hardware
contained details on 33,500 individuals.
https://www.hhs.gov/about/news/2018/06/18/judge-rules-in-favor-of-ocr-and-requires-texas-cancer-center-to-pay-4.3-million-in-penalties-for-hipaa-violations.html
4
7
HIPAA Violations – 2018

48.
In February, FMCNA who provided products and services
to 170,000 patients with chronic kidney disease agreed to
pay a $3.5 million fine for a settlement that covered 5
different data breaches.
https://www.hhs.gov/about/news/2018/02/01/five-breaches-add-millions-settlement-costs-entity-failed-heed-hipaa-s-risk-analysis-and-risk.html
4
8
HIPAA Violations – 2018

49.
Let’s Talk A Little About Data Breach

50.
In February of 2019, there were a total of 101 data
breaches which exposed over 2M sensitive records and
417M non-sensitive records.
96% of the sensitive records exposed were through
breaches in the Medical/Healthcare sector.
https://www.idtheftcenter.org/2019-data-breaches/

51.
Almost 15 Billion Records have been lost or stolen since
2013. Only 4% were secure breaches where encryption
was used and the stolen data was useless.
BreachLevelIndex.com

52.
Over 6.5 million data records are lost or stolen
every day.
http://breachlevelindex.com/

53.
2018 Cost per Data Breach

54.
2018 Cost per Data Breach
• The average cost for each lost or stolen record
containing sensitive and confidential information was
$148 (a 4.8% increase from the year before)
https://www.ibm.com/security/data-breach

55.
2018 Cost per Data Breach
• The average cost for each lost or stolen record
containing sensitive and confidential information was
$148 (a 4.8% increase from the year before)
• The average size of a data breach was 26,000 records
https://www.ibm.com/security/data-breach

56.
2018 Cost per Data Breach
• The average cost for each lost or stolen record
containing sensitive and confidential information was
$148 (a 4.8% increase from the year before)
• The average size of a data breach was 26,000 records
• $148 x 26,000 ~ $3.86 M (increased 6.4% over 2017)
https://www.ibm.com/security/data-breach

57.
Shocking, Right??

58.
Focusing in on the Data
Aspects of Regulations

59.
Why We Have Regulations
• Improved Security
– Establishing a baseline keeps security levels relatively consistent across
companies and industries

60.
Why We Have Regulations
• Improved Security
– Establishing a baseline keeps security levels relatively consistent across
companies and industries
• Minimize Loss
– Good practices in place prevents data breaches

61.
Why We Have Regulations
• Improved Security
– Establishing a baseline keeps security levels relatively consistent across
companies and industries
• Minimize Loss
– Good practices in place prevents data breaches
• Increase Internal Control
– Reduce employee mistakes and insider theft

62.
Why We Have Regulations
• Improved Security
– Establishing a baseline keeps security levels relatively consistent across
companies and industries
• Minimize Loss
– Good practices in place prevents data breaches
• Increase Internal Control
– Reduce employee mistakes and insider theft
• Maintain Trust
– Customers trust people who follow set standards

63.
Why We Have Regulations
• Improved Security
– Establishing a baseline keeps security levels relatively consistent across
companies and industries
• Minimize Loss
– Good practices in place prevents data breaches
• Increase Internal Control
– Reduce employee mistakes and insider theft
• Maintain Trust
– Customers trust people who follow set standards
• Reporting Consistency
– Consistent reports allow audits to go more smoothly

64.
Data Standards vs Security Standards
• Data Standards: “WHAT”
– What information needs to be protected/audited
– What you should do if your data is breached
• Security Standards: “HOW”
– How you should configure your network
– How you should configure your systems (i.e. SQL
Server, Oracle)

65.
What the Regulations Look For
• Reporting (and Maintaining) Audit Data

66.
What the Regulations Look For
• Reporting (and Maintaining) Audit Data
• Tracking User Access

67.
What the Regulations Look For
• Reporting (and Maintaining) Audit Data
• Tracking User Access
• Protecting the Data from the Bad Guys (and Watch for
Data Breaches)

68.
What the Regulations Look For
• Reporting (and Maintaining) Audit Data
• Tracking User Access
• Protecting the Data from the Bad Guys (and Watch for
Data Breaches)
• Planning and Having Good Processes and Response
Plans

69.
What the Regulations Look For
• Reporting (and Maintaining) Audit Data
• Tracking User Access
• Protecting the Data from the Bad Guys (and Watch for
Data Breaches)
• Planning and Having Good Processes and Response
Plans
• Assessing Your Risks

70.
HIPAA
• Tracking
– Monitor log-in attempts

71.
HIPAA
• Tracking
– Monitor log-in attempts
• Protecting
– Protect, detect, contain, and correct security violations
– Detect breaches and notify impacted individuals

72.
HIPAA
• Tracking
– Monitor log-in attempts
• Protecting
– Protect, detect, contain, and correct security violations
– Detect breaches and notify impacted individuals
• Planning
– Implement security measures to reduce risks and vulnerabilities
– Implement procedures to regularly review audit logs, access reports,
and security incidents
– Implement procedures to terminate access

73.
SQL Server Features for Compliance
• Reporting
– SQL Server Audit
– Temporal Tables

74.
SQL Server Features for Compliance
• Reporting
– SQL Server Audit
– Temporal Tables
• Tracking
– Object Level Permissions
– Role-Based Security

75.
SQL Server Features for Compliance
• Reporting
– SQL Server Audit
– Temporal Tables
• Tracking
– Object Level Permissions
– Role-Based Security
• Protection
– Authentication Protocols
– Firewalls
– Dynamic Data Masking
– Transport Level Security (TLS)
– Encryption Protocols (TDE, Always Encrypted, Always On)

76.
Oracle Features for Compliance
• Reporting
– Auditing

77.
Oracle Features for Compliance
• Reporting
– Auditing
• Tracking
– Access Control
– Separation of Duties

78.
Oracle Features for Compliance
• Reporting
– Auditing
• Tracking
– Access Control
– Separation of Duties
• Protection
– Encryption
– Security Monitoring and Alerting
– Data Masking and Data Redaction

79.
Oracle Features for Compliance
• Reporting
– Auditing
• Tracking
– Access Control
– Separation of Duties
• Protection
– Encryption
– Security Monitoring and Alerting
– Data Masking and Data Redaction
• Assessing
– Risk Assessments

80.
• Reporting
– Capture Activity On Database (DDL And DML)
– Track The Behavior Of Privileged Users
– Track Who Is Accessing Your Sensitive Data
– Track Who Has Changed Your Data And What Has It Changed To
– Track Security And Administrative Changes
– Track User-Defined Events
– Audit Systems Tables, Stored Procedures, Views, Indexes, Etc.
What Can Tools Like SQL
Compliance Manager Do?

81.
• Reporting
– Capture Activity On Database (DDL And DML)
– Track The Behavior Of Privileged Users
– Track Who Is Accessing Your Sensitive Data
– Track Who Has Changed Your Data And What Has It Changed To
– Track Security And Administrative Changes
– Track User-Defined Events
– Audit Systems Tables, Stored Procedures, Views, Indexes, Etc.
• Tracking
– Capture Logins, Logouts, Failed Logins
What Can Tools Like SQL
Compliance Manager Do?

82.
What Can Tools Like SQL
Compliance Manager Do?
• Reporting
– Capture Activity On Database (DDL And DML)
– Track The Behavior Of Privileged Users
– Track Who Is Accessing Your Sensitive Data
– Track Who Has Changed Your Data And What Has It Changed To
– Track Security And Administrative Changes
– Track User-Defined Events
– Audit Systems Tables, Stored Procedures, Views, Indexes, Etc.
• Tracking
– Capture Logins, Logouts, Failed Logins
• Protecting
– Determine How Much Data Was Accessed In A Breach

83.
IDERA Products Can Help You
With:
• Reporting (and Maintaining) Audit Data
– SQL Compliance Manager
• Tracking User Access
– SQL Compliance Manager
• Protecting the Data from the Bad Guys (and Watch for Data Breaches)
– SQL Compliance Manager
– SQL Secure
• Planning and Having Good Processes and Response Plans
– SQL Compliance Manager
– SQL Secure
– ER/Studio Business Architect
• Assessing Your Risks
– SQL Compliance Manager
– SQL Secure

84.
In Conclusion
▪ Data breach continues to be a growing problem

85.
In Conclusion
▪ Data breach continues to be a growing problem
▪ Regulations require organizations to:
– Report audit data
– Track user access
– Protect data from the bad guys
– Have good processes and response plans
– Understand what your risks are

86.
In Conclusion
▪ Data breach continues to be a growing problem
▪ Regulations require organizations to:
– Report audit data
– Track user access
– Protect data from the bad guys
– Have good processes and response plans
– Understand what your risks are
▪ The right tools can help to simplify and automate the
auditing process

87.
Demo

88.
Questions

89.
Try any of our tools for free!
Email: stan.geiger@idera.com
kim.brushaber@idera.com
www.idera.com