How many electronic devices used in your organization store electronic Protected Health Information (ePHI)? If you work in a healthcare setting, this is not easily answered. While there has been considerable attention paid to ePHI stored on computers and networked servers, and recent attention given to portable devices like tablets and cell phones, one class of ePHI bearing technology remains rather mysterious – medical devices. This webinar shines a light on medical device data storage and introduces ePHI breach risks in direct patient care, clinical lab, and medical imaging settings. A brief case study for each setting will be presented.

1. HIPAA
Compliance
and
Electronic
Protected
Health
Informa6on:
Ignorance
is
not
bliss!
Medical
Device
ePHI
Risk
Iden6fica6on
and
Mi6ga6on
©
Maxxum,
Inc.

2. ‣ Relevance – why this topic?
‣ Risk – a perspective to consider.
‣ Context – the domain we’re exploring.
‣ Examples – 4 medical devices.
‣ Awareness – now what?
Webinar
Overview

3. Relevance
Risk
iden6fica6on
and
management
for
one
class
of
data
bearing
technology
is
rela6vely
unaddressed
today.
That
class
is
the
medical
device.
Medical
device
data
storage
of
electronic
Protected
Health
Informa6on
presents
breach
risks
in
direct
pa6ent
care,
clinical
lab,
and
medical
imaging
seLngs.

4. Relevance
It’s
In
The
News
Securing PHI in Devices Is Difficult but Essential
Reprinted from REPORT ON PATIENT PRIVACY
January 2011Volume 11Issue 1
When Mountain Vista Medical Center found that two portable memory cards were missing from
endoscopy machines, it notified patients and retrained staff in its gastroenterology unit (see
story, above). And it took an additional step: It “modified the endoscopy machines to no longer
use the compact memory data cards,” the Mesa, Ariz., hospital said in a statement last month.
This was the first breach in recent memory that involved a medical device, but such equipment
can be just as vulnerable to privacy and security lapses as laptops or networks.
And devices may pose more of a threat because of how they are made, and because hospitals
and other covered entities don’t always think of them the same way they think of other computer
devices when it comes to securing data, says Mac McMillan, chief executive officer of
CynergisTek, Inc., and chair of the privacy and security steering committee of the Health
Information Management Systems Society.
Part of the problem is the nature of these devices.
“Medical devices are kind of in a special category. They were designed to do a particular
function; they were not necessarily designed with security in mind,” he says. “It’s the same issue
with printers, faxes, copiers…the problem is people don’t think of them as storing data.”
Some medical devices and equipment “are not terribly sophisticated” from a security standpoint,
he says.
This was the first breach in recent memory that involved a medical device, but such equipment
can be just as vulnerable to privacy and security lapses as laptops or networks.
“Medical devices are kind of in a special category. They were designed to do a particular
function; they were not necessarily designed with security in mind,” he says.

5. Relevance
Ponemon
Study
Fourth
Annual
Benchmark
Study
on
Pa6ent
Privacy
&
Data
Security
-­‐
Ponemon
Ins6tute,
March
2014
• Ninety
percent
of
healthcare
organiza6ons
studied
had
at
least
one
data
breach
in
the
past
two
years.
• Thirty-­‐eight
percent
reported
more
than
five
breach
incidents.
• The
average
economic
impact
of
data
breaches
over
the
past
two
years
for
healthcare
organiza6ons
in
the
study
was
$1,973,895.

6. Relevance
HIPAA Breaches Since 2009
From
U.S.
Health
&
Human
Services
Office
of
Civil
Rights
on
4/13/2015
hbps://ocrportal.hhs.gov/ocr/breach
• 1194 breaches of 500 or more records
• More than 133 million patient records affected
• Largest breach is over 78 million records
• Breach types from misplaced paper to cyber attacks
• Two breach examples under 500 records:
• Walgreens’ 1 record, $1.44 million breach judgement
• Hospice of Northern Idaho’s 441 record breach, $50k
Commen6ng
on
the
Hospice
breach,
OCR
Director
Leon
Rodriguez
said:
“This
ac6on
sends
a
strong
message
to
the
health
care
industry
that,
regardless
of
size,
covered
en66es
must
take
ac6on
and
will
be
held
accountable
for
safeguarding
their
pa6ents’
health
informa6on.”

7. Relevance
And It’s Personal!

8. Relevance
And It’s Personal!
Credit
and
iden6ty
protec6on
• 5
family
members
• Each
individually
enrolled
• Two
years
of
monitoring

9. Risk

10. Risk
Unmanaged! Managed!
Aware!Unaware!
Prepared!
Ignorant! Incompetent!
Negligent!
Our
Risk
Profile

11. Risk
Unmanaged! Managed!
Aware!Unaware!
Prepared!
Ignorant! Incompetent!
Negligent!
Today’s
Goal:
Awareness
In
Process!

12. Context
Medical
Devices
HIPAA
Courts
SAG
OCR
HHS
ONC
HIE
ACO
PHR
EHR
FDA

13. Context
ePHI
Defini6on:
electronic
Protected
Health
Informa2on
(ePHI)
is
pa6ent
health
informa6on
created,
received,
stored,
maintained,
processed
and/or
transmibed
in,
on,
or
through
any
form
of
electronic
means.
Adapted
from
a
HIPAA
presenta6on
by
Marion
Jenkins,
PhD,
FHIMSS
HiMSS
15
Conference
on
4/13/2015

14. Context
ePHI
The
HIPAA
Security
Rule:
Covered
En66es
must
protect
and
secure
all
electronic
Protected
Health
Informa2on
(ePHI)
against
accidental
or
inten6onal
causes
of
unauthorized
access,
thej,
loss,
or
destruc6on,
from
both
internal
and
external
sources.
Adapted
from
a
HIPAA
presenta6on
by
Marion
Jenkins,
PhD,
FHIMSS
HiMSS
15
Conference
on
4/13/2015

15. Context
Exi6ng
Medical
Devices
• Rental
return
• Lease
turn-­‐in
• Re6rement
(EOL)
• Redeployment
• Resale
• Service/repair

16. Medical
Devices
&
ePHI
Examples

17. Small
Device
–
Big
Surprise!
Diagnos6c
Spirometer
A
portable
babery
operated
device
for
tes6ng
respiratory
volume
and
func6on.

18. Small
Device
–
Big
Surprise!
Small
enough
to
fit
in
the
pocket
of
a
pair
of
scrubs.
Holds
enough
ePHI
to
require
HIPAA
breach
no6fica6on
to
HHS
if
lost,
stolen
or
disposed
of
improperly.

19. Small
Device
–
Big
Surprise!
ePHI
stored
on
this
device:
• full
name
• date
of
birth
• height
and
weight
• sex
• ethnicity
• history
of
asthma
• history
of
smoking

20. Small
Device
–
Big
Surprise!
More
about
this
device:
• No
user
authen6ca6on
• Unencrypted
stored
data
• Unrestricted
expor6ng
• Holds
2040
pa6ent
records

21. Large
Device
–
Big
Surprise!
A
line
of
clinical
analyzer
systems

22. Large
Device
–
Big
Surprise!
Model
Pa/ent
Data?
ePHI
Elements
Observed
250
Yes
first
name,
last
name,
test
date,
test
type,
test
result
350
Yes
first
name,
last
name,
test
date,
test
type,
test
result
ECi
Yes
first
name,
last
name,
date
of
birth,
sex,
test
date,
test
type,
test
result
ECiQ
Yes
first
name,
last
name,
date
of
birth,
sex,
test
date,
test
type,
test
result
5.1
Yes
first
name,
last
name,
date
of
birth,
sex,
test
date,
test
type,
test
result
5600
Yes
first
name,
last
name,
date
of
birth,
sex,
test
date,
test
type,
test
result
7
analyzers
were
evaluated
for
ePHI
risk
Records
found
ranged
from
1
to
25,000
per
device

23. Large
Device
–
Big
Surprise!
More
about
these
devices:
• No
user
authen6ca6on
• Unencrypted
stored
data
• Unrestricted
expor6ng
• Breach
risk:
50k
to
90k
pa6ent
records
for
7
units

24. Smarter
Device
–
S6ll
Surprised!
This
ultrasound
system
has
the
capability
of
storing
pa6ent
data
on
a
hard
drive
separate
from
the
opera6ng
system
and
applica6on
sojware.
Removal
and
destruc6on
of
the
pa6ent
data
hard
drive
is
easily
accomplished.

25. Smarter
Device
–
S6ll
Surprised!
Unfortunately,
data
elements
that
qualify
as
ePHI,
such
as
pa6ent
name,
pa6ent
ID,
procedure
date/
6me,
facility
names,
doctor
names,
and
descrip6ons
of
pa6ent
history
were
found
on
the
opera6ng
system
hard
drive.

26. Smarter
Device
–
S6ll
Surprised!
ePHI
data
was
also
found
in
the
pagefile.sys
file
on
the
opera6ng
system
hard
drive.
This
file
is
used
by
the
Windows
opera6ng
system
to
buffer
informa6on
before
it
is
wriben
to
memory
for
processing.

27. ePHI
Detec6ve
Un6l
manufacturers
build
in
ePHI
safeguards,
we
have
to
rely
on
detec6ve
work
to
make
informed
choices
about
ePHI
disposi6on
on
medical
devices.
The
MDS2
form
(Manufacturer
Disclosure
Statement
for
Medical
Device
Security)
is
a
good
start.
ePHI

28. ePHI
Detec6ve
Obvious
Input
capability
Display
and
Print
capability
Portability
–
can
be
powered
by
an
internal
babery
pack
Electrocardiograph

29. ePHI
Detec6ve
Block
Diagram
obtained
from
the
service
manual
found
online
-­‐
Google.

30. ePHI
Detec6ve
Abundant
input
and
output
connec6vity
for
data
transfer.

31. ePHI
Detec6ve
The
use
of
Compact
Flash
storage
media
for
sojware
upgrades
is
intriguing.

32. ePHI
Detec6ve
Discovery:
a
common
storage
device.

33. ePHI
Detec6ve
Findings:
40
pa6ent
records
• first
name
• last
name
• date
of
birth
• test
date
• diagnos6c
test
results
• preliminary
diagnosis
• provider
name
• clinic
loca6on

34. ePHI
For
Sale?

35. ePHI
For
Sale?

36. ePHI
For
Sale?

37. ePHI
For
Sale?

38. Risk
Unmanaged! Managed!
Aware!Unaware!
Prepared!
Ignorant! Incompetent!
Negligent!
Our
Risk
Profile

39. Short
term
ac6vi6es:
• Confirm
or
iden6fy
who
in
your
organiza6on
is
responsible
for
data
privacy
and
security
on
various
device
types
• Iden6fy
all
[poten6al]
data
bearing
devices
in
your
organiza6on
• If
you
are
not
already
using
it,
adopt
the
MDS2
form
as
a
star6ng
place
to
evaluate
risk
for
current
device
inventory
• Implement
some
form
of
controlled
exit
for
these
devices
• Check
for
BAAs
in
place
and
indemnifica6on
when
custody
transfers
Awareness
Awareness:
Now
What?

40. Applica6on
Awareness:
Now
What?
Long
term
ac6vi6es:
• Develop
a
comprehensive
asset
disposi6on
program
that
accounts
for
the
complexi6es
of
ePHI
bearing
medical
devices
• Add
ePHI
mi6ga6on
requirements
to
the
equipment
procurement
process.
Ask
manufacturers
to
provide:
• A
completed
MDS2
form.
• Separate
storage
media
for
device
opera6ng
system/applica6on
sojware
and
pa6ent
data
• Encryp6on
of
pa6ent
data
storage
media

41. Applica6on
Awareness:
Now
What?
Long
term
ac6vi6es
(con6nued):
• Ask
manufacturers
to
provide:
• Destruc6ve
erasure
capability
for
encrypted
pa6ent
storage
media
• No
system
or
applica6on
logging
of
ePHI
elements
to
device
opera6ng
system/applica6on
sojware
storage
media
• Indemnifica6on
in
the
event
of
a
data
breach
if
manufacturer
provided
steps
to
remove
ePHI
are
followed,
but
do
not
result
in
an
ePHI
free
device

42. Ray
Davey
CTO
Maxxum,
Inc.
651-­‐674-­‐2715
rdavey@maxxum.com
Discussion

43. 855.85HIPAA
www.compliancygroup.com 43Copyright 2007-2015
HIPAA Education Series sponsored by:
www.compliancy-group.com
855.85 HIPAA (855.854.4722)
Compliance In 3 Steps!
The
Guard
Outside
Consultant
Manuals
or
Templates
Risk
Assessmen
Provider
Other
Compliance
Software