IDERA Geek Sync: Keep your Healthcare Databases Secure and Compliant - 032719

You can watch the replay for this Geek Sync webcast, Keep your Healthcare Databases Secure and Compliant, on the IDERA Resource Center, https://www.idera.com/resourcecentral


  1. Keep Your Healthcare Databases Secure and Compliant
     Kim Brushaber, Senior Product Manager, IDERA
     Stan Geiger, Director, Product Management, Multi-Platform Tools, IDERA
  2. Agenda
     ▪ Overview
     ▪ What is HIPAA?
     ▪ HIPAA Violations
     ▪ Data Breaches
     ▪ Data Compliance
     ▪ Demo
     ▪ Questions
  3. Overview
     ▪ Healthcare Regulations
       – The Social Security Act governs funding and requirements for Medicare, Medicaid, CHIP, and more.
       – HIPAA and the HITECH Act protect patient privacy, requiring healthcare organizations to implement measures to keep patient records secure.
       – Federal Information Security Management Act (FISMA)
       – The False Claims Act makes it illegal to file a false claim for funds from a federal program.
       – The Patient Protection and Affordable Care Act implemented new requirements for insurance, Medicaid, and more.
  4. HIPAA
     ▪ The Privacy Rule establishes a set of standards that address how patient information can be used and disclosed.
     ▪ Applies to three entity types:
       – Health care providers
       – Health plans
       – Health care clearinghouses
  5. HIPAA
     ▪ Health care providers
       – Any provider that electronically transmits patient information in connection with claims, eligibility requests, referral authorizations, or similar transactions
       – Applicable transaction types are specified in the HIPAA Transactions Rule
  6. HIPAA
     ▪ Health plans
       – Individual and group plans that provide or pay the cost of medical care
       – Entities
         • Health maintenance organizations (HMOs)
         • Medicare
         • Medicaid
         • Health or dental insurers
         • Employer-sponsored group health plans
  7. HIPAA
     ▪ Health care clearinghouses
       – Entities that process patient data on behalf of health plans or health care providers
       – Transform the data in some way from a nonstandard format to a standard format
       – Included organizations:
         • Billing services
         • Community health management information services
  8. HIPAA
     ▪ Privacy Rule
       – Protects all individually identifiable health information
       – Identifiable information
         • The patient’s past, present, or future physical or mental health
         • Any health care services that the patient has received
         • Any payment information related to the patient’s care that can be used to identify the patient
  9. Penalties
     ▪ Fines of $100 to $50,000 or more per violation
     ▪ Calendar-year cap of $1.5 million
     ▪ Individuals can also face criminal penalties of up to $250,000 and 10 years imprisonment
  10. HIPAA
     ▪ Electronic PHI (e-PHI): covered entities must
       – Ensure the integrity, confidentiality, and availability of all e-PHI data in their possession.
       – Identify and protect against anticipated threats to the e-PHI data.
       – Protect against anticipated non-permitted uses or disclosures.
       – Ensure that e-PHI data is not available to or disclosed to non-authorized individuals in the workforce.
  11. HIPAA
     ▪ Electronic PHI security
       – Protection standards
         • Administrative protections
         • Physical protections
         • Technical protections
  12. HIPAA and the DBA
     ▪ Ensure the confidentiality, integrity, and availability of all electronic PHI data
     ▪ Prevent unauthorized individuals from viewing, altering, or destroying the data, while providing authorized users access
     ▪ Identify and protect against anticipated threats as well as impermissible uses or disclosures
  13. HIPAA and the DBA
     ▪ Training
       – The covered entity must train all workforce members on the policies and procedures for protecting PHI data.
       – The covered entity should apply sanctions against workforce members who fail to comply with the policies and procedures.
       – DBAs will participate in writing policies and procedures and in training workforce members, depending on the organization and its circumstances.
       – DBAs should fully understand the risks associated with violating HIPAA regulations and what steps to take if they discover a violation.
  14. HIPAA and the DBA
     ▪ Securing the environment
       – The covered entity must assess the potential risks and vulnerabilities to the electronic PHI and then implement security measures to reduce those risks.
       – Implement procedures for guarding against malicious software as well as for managing and protecting passwords.
       – Implement mechanisms for limiting and controlling physical access to systems and facilities that house PHI data, while providing for disaster recovery and emergency access.
       – Implement safeguards that protect workstations accessing PHI data, along with any other hardware or electronic media used for sensitive data.
       – Be responsible for the proper disposition of PHI data from any hardware or media on which it has resided.
  15. HIPAA and the DBA
     ▪ Controlling access
       – Ensure that workforce members have “appropriate access” to electronic PHI, based on their roles in the organization.
       – Implement procedures for authorizing workforce members, supervising their access to data, determining whether that access is appropriate, and terminating that access when required.
       – Assign a unique ID to each user for identifying and tracking that user’s activities.
       – Implement procedures for obtaining PHI data during an emergency, terminating electronic sessions after a predetermined time of inactivity, and encrypting and decrypting PHI data.
  16. HIPAA and the DBA
     ▪ Auditing and monitoring systems
       – Implement procedures for monitoring log-in attempts and reporting discrepancies.
       – Implement “hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
       – Implement electronic mechanisms to verify that the PHI data has not been “altered or destroyed in an unauthorized manner.”
  17. HIPAA and the DBA
     ▪ Prepare for security incidents
       – Provide individuals with a process for making complaints about the organization’s policies and procedures or about its compliance with those policies and procedures.
       – You cannot retaliate against individuals who exercise their rights, as provided by the Privacy Rule.
       – Take the steps necessary to mitigate any harmful effects that result from PHI data being compromised.
       – Identify and respond to “suspected or known security incidents; mitigate, to the extent practicable, security incidents that are known and document security incidents and their outcomes.”
  18. HIPAA and the DBA
     ▪ Document, document, document
       – Sanctions against workforce members must be documented, as well as all policies and procedures.
       – Documentation must be retained for six years from the creation date or from when it was last in effect, whichever is later.
       – Maintain a “record of the movements of hardware and electronic media and any person responsible therefore.”
       – Documentation should be updated as needed in response to environmental or operational changes.
  19. Head spinning yet?
  20. Notable HIPAA Violations
  21-24. Fired Surgeon Sentenced to Prison
     • Huping Zhou, a former cardiothoracic surgeon, was fired from his job as a researcher at the UCLA School of Medicine
     • After being fired, he illegally accessed the UCLA Medical Records over 300 times
     • He viewed records on his immediate supervisor, his coworkers, and several celebrities (including Arnold Schwarzenegger, Drew Barrymore, Leonardo DiCaprio, and Tom Hanks)
     • OUTCOME: He was sentenced to 4 months in jail and a $2,000 fine
  25-28. Billing Gone Wrong
     • Dr. Barry Helfmann, president-elect of the American Group Psychotherapy Association
     • His employees regularly forwarded past-due patient bills to collections firms
     • The bills contained protected info such as CPT codes, which can reveal patient diagnoses
     • OUTCOME: The State of New Jersey sought to suspend and revoke Helfmann’s license
  29-31. Sorry, Wrong Number
     • In 2013, an HIV-positive patient asked an office manager to fax his medical records to his new urologist
     • The very busy office manager accidentally faxed them to the man’s new employer
     • OUTCOME: Luckily, the result was only a sternly worded warning and a mandate for regular HIPAA training for all employees
  32-34. Caught Red-Handed
     • A Virginia clinic caught 14 employees who had improperly viewed the medical files of a high-profile patient without a legitimate need
     • The clinic caught the employees thanks to a logging system on the back end of its IT systems, which tracked all access to files containing personal health information
     • OUTCOME: The 14 employees were dismissed from their jobs
  35-38. Oops, I Did It Again
     • In 2008, six doctors and thirteen employees at UCLA Medical Center viewed Britney Spears’ medical records after her 2008 psychiatric hospitalization
     • Many of the employees were non-medical support staff, and none of them had a legitimate medical need to view the health records
     • This was the 2nd breach involving Britney Spears: in 2005, staff at another UCLA hospital were caught peeking at her records after her son was born
     • OUTCOME: The 13 employees were fired and the 6 doctors were suspended
  39-42. Reality TV Ain’t What It Used to Be
     • In 2013, an ABC reality TV show called NY Med filmed two hospital patients at New York–Presbyterian Hospital without their consent
     • During the filming, one of the patients died in the emergency room
     • The hospital gave ABC unfettered access, creating a situation where the protection of personal health information was not possible
     • OUTCOME: The hospital paid a $2.2 million settlement
  43. 2018 Violations and Fines
  44. HIPAA Violations – 2018
     In October, Anthem, Inc. (a licensee of BCBS) agreed to pay a record-breaking $16 million after the largest health data breach in US history affected almost 79 million people.
     https://www.hhs.gov/about/news/2018/10/15/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-health-data-breach-history.html
  45-46. HIPAA Violations – 2018
     In September, three healthcare institutions were collectively fined $999,000 after allowing ABC to film a medical documentary TV series without first obtaining authorization from the patients.
     ABC didn’t learn from 2013.
     https://www.hhs.gov/about/news/2018/09/20/unauthorized-disclosure-patients-protected-health-information-during-abc-filming.html
  47. HIPAA Violations – 2018
     In June, UT’s MD Anderson Cancer Center was fined $4.3 million due to the theft of an unencrypted laptop and the loss of two unencrypted USB drives. The hardware contained details on 33,500 individuals.
     https://www.hhs.gov/about/news/2018/06/18/judge-rules-in-favor-of-ocr-and-requires-texas-cancer-center-to-pay-4.3-million-in-penalties-for-hipaa-violations.html
  48. HIPAA Violations – 2018
     In February, FMCNA, which provided products and services to 170,000 patients with chronic kidney disease, agreed to pay a $3.5 million fine in a settlement that covered 5 different data breaches.
     https://www.hhs.gov/about/news/2018/02/01/five-breaches-add-millions-settlement-costs-entity-failed-heed-hipaa-s-risk-analysis-and-risk.html
  49. Let’s Talk a Little About Data Breach
  50. In February of 2019, there were a total of 101 data breaches, which exposed over 2M sensitive records and 417M non-sensitive records. 96% of the sensitive records exposed were through breaches in the Medical/Healthcare sector.
     https://www.idtheftcenter.org/2019-data-breaches/
  51. Almost 15 billion records have been lost or stolen since 2013. Only 4% were secure breaches where encryption was used and the stolen data was useless.
     BreachLevelIndex.com
  52. Over 6.5 million data records are lost or stolen every day.
     http://breachlevelindex.com/
  53-56. 2018 Cost per Data Breach
     • The average cost for each lost or stolen record containing sensitive and confidential information was $148 (a 4.8% increase from the year before)
     • The average size of a data breach was 26,000 records
     • $148 x 26,000 ~ $3.86 M (increased 6.4% over 2017)
     https://www.ibm.com/security/data-breach
  57. Shocking, Right??
  58. Focusing in on the Data Aspects of Regulations
  59-63. Why We Have Regulations
     • Improved Security – Establishing a baseline keeps security levels relatively consistent across companies and industries
     • Minimize Loss – Good practices in place prevent data breaches
     • Increase Internal Control – Reduce employee mistakes and insider theft
     • Maintain Trust – Customers trust people who follow set standards
     • Reporting Consistency – Consistent reports allow audits to go more smoothly
  64. Data Standards vs Security Standards
     • Data Standards: “WHAT”
       – What information needs to be protected/audited
       – What you should do if your data is breached
     • Security Standards: “HOW”
       – How you should configure your network
       – How you should configure your systems (e.g. SQL Server, Oracle)
  65-69. What the Regulations Look For
     • Reporting (and Maintaining) Audit Data
     • Tracking User Access
     • Protecting the Data from the Bad Guys (and Watching for Data Breaches)
     • Planning and Having Good Processes and Response Plans
     • Assessing Your Risks
  70-72. HIPAA
     • Tracking
       – Monitor log-in attempts
     • Protecting
       – Protect, detect, contain, and correct security violations
       – Detect breaches and notify impacted individuals
     • Planning
       – Implement security measures to reduce risks and vulnerabilities
       – Implement procedures to regularly review audit logs, access reports, and security incidents
       – Implement procedures to terminate access
  73-75. SQL Server Features for Compliance
     • Reporting
       – SQL Server Audit
       – Temporal Tables
     • Tracking
       – Object-Level Permissions
       – Role-Based Security
     • Protection
       – Authentication Protocols
       – Firewalls
       – Dynamic Data Masking
       – Transport Layer Security (TLS)
       – Encryption Protocols (TDE, Always Encrypted, Always On)
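The following T-SQL is an added example (not from the IDERA deck or its products) that wires the native features listed above to the HIPAA items from the "HIPAA and the DBA" slides: a server audit for log-in attempts and privileged changes, a temporal table so unauthorized alterations can be reconstructed, dynamic data masking, role-based access, and a database audit specification on the PHI table. The database ClinicDB, the audit path D:\Audit\, the table dbo.Patient, the roles and the login bill_clerk01 are assumed names; the script needs SQL Server 2016 or later.

```sql
USE master;
GO
-- Reporting: one server audit written to rolling files. ON_FAILURE = FAIL_OPERATION makes
-- SQL Server refuse an audited action rather than let it run unrecorded.
CREATE SERVER AUDIT PhiAudit
    TO FILE (FILEPATH = N'D:\Audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 50)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = FAIL_OPERATION);
ALTER SERVER AUDIT PhiAudit WITH (STATE = ON);

-- Tracking: log-in attempts (HIPAA "monitor log-in attempts") and privileged-role changes.
CREATE SERVER AUDIT SPECIFICATION PhiServerSpec
    FOR SERVER AUDIT PhiAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO

USE ClinicDB;   -- assumed database holding the PHI tables
GO
-- Integrity: a system-versioned (temporal) table keeps every prior row version together with
-- the interval it was current, so "what the data was changed to" can be reconstructed later.
CREATE TABLE dbo.Patient (
    PatientId  INT           NOT NULL PRIMARY KEY,
    FullName   NVARCHAR(100) NOT NULL,
    SSN        CHAR(11)      NOT NULL,
    Diagnosis  NVARCHAR(200) NULL,
    ValidFrom  DATETIME2 GENERATED ALWAYS AS ROW START NOT NULL,
    ValidTo    DATETIME2 GENERATED ALWAYS AS ROW END   NOT NULL,
    PERIOD FOR SYSTEM_TIME (ValidFrom, ValidTo)
) WITH (SYSTEM_VERSIONING = ON (HISTORY_TABLE = dbo.PatientHistory));
GO

-- Protection: dynamic data masking hides the SSN at query time from anyone without UNMASK.
ALTER TABLE dbo.Patient
    ALTER COLUMN SSN ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)');
GO

-- Access control: grant through roles, never to individual users, so removing a departing
-- workforce member is a single role-membership change (HIPAA "terminate access").
CREATE ROLE phi_reader;      -- billing / front desk: sees the masked SSN only
CREATE ROLE phi_clinician;   -- treating staff: full record
GRANT SELECT ON dbo.Patient TO phi_reader;
GRANT SELECT, UPDATE ON dbo.Patient TO phi_clinician;
GRANT UNMASK TO phi_clinician;
-- Each person keeps a unique ID for tracking (login bill_clerk01 assumed to exist).
CREATE USER bill_clerk01 FOR LOGIN bill_clerk01;
ALTER ROLE phi_reader ADD MEMBER bill_clerk01;
GO

-- Reporting, database level: every read or write of the PHI table by anyone (public) is
-- logged, as is any permission or role change inside the database.
CREATE DATABASE AUDIT SPECIFICATION PhiDbSpec
    FOR SERVER AUDIT PhiAudit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Patient BY public),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- Integrity check: what did a patient's row look like at a given moment?
SELECT PatientId, Diagnosis, ValidFrom, ValidTo
FROM dbo.Patient FOR SYSTEM_TIME AS OF '2019-03-01T00:00:00'
WHERE PatientId = 1001;   -- constructed sample key
```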
  76-79. Oracle Features for Compliance
     • Reporting
       – Auditing
     • Tracking
       – Access Control
       – Separation of Duties
     • Protection
       – Encryption
       – Security Monitoring and Alerting
       – Data Masking and Data Redaction
     • Assessing
       – Risk Assessments
  80-82. What Can Tools Like SQL Compliance Manager Do?
     • Reporting
       – Capture activity on the database (DDL and DML)
       – Track the behavior of privileged users
       – Track who is accessing your sensitive data
       – Track who has changed your data and what it has changed to
       – Track security and administrative changes
       – Track user-defined events
       – Audit system tables, stored procedures, views, indexes, etc.
     • Tracking
       – Capture logins, logouts, failed logins
     • Protecting
       – Determine how much data was accessed in a breach
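The two reports above (failed log-ins, and who touched the sensitive data and how much came back) can also be pulled from native SQL Server Audit files; the queries below are an added example, not IDERA code, and assume a server audit named PhiAudit writing to D:\Audit\ with the PHI table dbo.Patient audited, on SQL Server 2017 or later (the client_ip, application_name and response_rows columns are not present in older versions).

```sql
-- Review window: the last 24 hours (HIPAA "regularly review audit logs, access reports").
DECLARE @since DATETIME2 = DATEADD(DAY, -1, SYSUTCDATETIME());

-- 1. Failed log-ins grouped by account and source address. action_id 'LGIF' = LOGIN FAILED.
--    The threshold of 5 is an assumed alerting cut-off, not a HIPAA number.
SELECT server_principal_name,
       client_ip,
       COUNT(*)        AS failures,
       MIN(event_time) AS first_seen,
       MAX(event_time) AS last_seen
FROM sys.fn_get_audit_file(N'D:\Audit\PhiAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
  AND event_time >= @since
GROUP BY server_principal_name, client_ip
HAVING COUNT(*) >= 5
ORDER BY failures DESC;

-- 2. Who read the PHI table, from which application, and how many rows each statement
--    returned. action_id 'SL' = SELECT; response_rows sizes the exposure of a suspected breach.
SELECT event_time,
       server_principal_name,
       database_principal_name,
       application_name,
       client_ip,
       response_rows,
       statement
FROM sys.fn_get_audit_file(N'D:\Audit\PhiAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'SL'
  AND database_name = 'ClinicDB'
  AND schema_name   = 'dbo'
  AND object_name   = 'Patient'
  AND event_time >= @since
ORDER BY response_rows DESC, event_time DESC;

-- 3. Total rows of PHI returned per account in the window: a bulk read by one billing
--    account stands out immediately against the normal one-record-at-a-time pattern.
SELECT server_principal_name,
       COUNT(*)           AS selects,
       SUM(response_rows) AS rows_returned
FROM sys.fn_get_audit_file(N'D:\Audit\PhiAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'SL'
  AND database_name = 'ClinicDB'
  AND object_name   = 'Patient'
  AND event_time >= @since
GROUP BY server_principal_name
ORDER BY rows_returned DESC;
```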
  83. IDERA Products Can Help You With:
     • Reporting (and Maintaining) Audit Data
       – SQL Compliance Manager
     • Tracking User Access
       – SQL Compliance Manager
     • Protecting the Data from the Bad Guys (and Watching for Data Breaches)
       – SQL Compliance Manager
       – SQL Secure
     • Planning and Having Good Processes and Response Plans
       – SQL Compliance Manager
       – SQL Secure
       – ER/Studio Business Architect
     • Assessing Your Risks
       – SQL Compliance Manager
       – SQL Secure
  84-86. In Conclusion
     ▪ Data breach continues to be a growing problem
     ▪ Regulations require organizations to:
       – Report audit data
       – Track user access
       – Protect data from the bad guys
       – Have good processes and response plans
       – Understand what your risks are
     ▪ The right tools can help to simplify and automate the auditing process
  87. Demo
  88. Questions
  89. Try any of our tools for free!
     Email: stan.geiger@idera.com, kim.brushaber@idera.com
     www.idera.com
