PYA Principal Barry Mathis served on a panel discussion at the American Medical Informatics Association iHealth 2017 Clinical Informatics Conference.
The panel explored the state of cybersecurity in healthcare organizations and related legal considerations, including the HIPAA privacy and security rules. It considered institutional preparedness, provided examples, and offered preventive measures. The panel also discussed ransomware attacks, including tactics for negotiating with hackers, and provided best practices for organizations to avoid such attacks.
Data and Network Security: What You Need to Know
May 2–4, Philadelphia
iHealth 2017 Clinical Informatics Conference
WHAT YOU NEED TO KNOW!
Data and Network Security
Paul R. DeMuro, Ph.D., Nova Southeastern University; Broad and Cassel LLP
Barry Mathis, Principal, PYA, Information Technology
John T. Rasmussen, MA, MBA, Vice President, Chief Information Security Officer, MedStar Health, Columbia, MD
Cathy Beech, Chief Information Security Officer, Children's Hospital of Philadelphia
amia.org | Twitter: iHealth17
Prepared for iHealth 2017 Clinical Informatics Conference Page 1
Disclosure
We have no relevant relationships with commercial interests to disclose.
Learning Objectives
After participating in this session the learner should be better able to:
• Appreciate the state of cybersecurity in healthcare organizations and the lack of preparedness
• Be familiar with certain legal considerations, particularly the Health Insurance Portability and Accountability Act (HIPAA):
  – Its privacy and security rules
  – Its limited scope
  – Its gaps
Learning Objectives (cont.)
• Understand the focus on biomedical devices, particularly patient safety and liability
• Distinguish forms of ransomware
• Understand what is needed for institutional preparedness
The State of Cybersecurity in Healthcare Organizations
• Healthcare organizations had almost one cyber attack per month in the last 12 months
• Many experienced the loss of patient information
• Threats include:
  – System failures, unsecure medical devices, cyber attackers, employee-owned mobile devices, and unsecure mobile devices
  – Web-borne malware attacks
• Focus: patient information
An Underlying Lack of Preparedness for a New World Filled with Threats
• An increasing wave of cybersecurity threats, particularly ransomware attacks
• Challenges include:
  – A lack of awareness of the magnitude of the ransomware challenge in healthcare
  – A relatively low level of investment in data security in U.S. patient care organizations (PCOs)
  – A lack of commitment on the part of health systems to address the threat of ransomware
An Underlying Lack of Preparedness for a New World Filled with Threats (cont.)
• Challenges include (cont.):
  – Insufficient staffing of information security (IS) departments
  – Insufficient training, preparedness, and expertise of those assigned to manage cybersecurity and data security in PCOs
  – A lack of data security strategic planning and execution of strategic plans
  – A rapidly surging threat that is exposing more hospitals, medical groups, and health systems to ransomware and other malware and hacking
[M. Hagland, With the Ransomware Crisis, the Landscape of Data Security Shifts in Healthcare, Healthcare Informatics Special Report: Ransomware Crisis, Jun. 2016, http://www.healthcare-informatics.com/]
The State of Cyber Security in Healthcare Organizations and Legal Considerations
• Security posture is business line dependent
  – Based on institutional priority and culture
  – Type of data protected
  – Culture of sharing
  – Reputation and risk exposure
• Types of industry
  – Provider
  – Payer
  – Pharma
  – Biomedical device manufacturer
The Gaps in HIPAA
• HIPAA does not protect information that is not Personal Health Information (PHI)
• Business Associate Agreements (BAAs) are limited in their ability to reduce exposure
• Business Associate and sub-contractor accountability is not front and center
• Competing regulations – differing priorities
• HIPAA may punish the victim
Ransomware, Institutional Preparedness, and Recommendations
• To prepare for the worst – layered approach to defenses
  – User awareness – user is the weakest link
  – System patching
  – Up-to-date anti-virus
  – Offline backups
  – Segmentation and isolation of exception systems
Is Privacy the Only Issue?
• Privacy is not the only issue; data integrity and availability are of equal or greater importance
• Vulnerabilities are present in infrastructure and medical devices
• Patient safety can be impacted through manipulation of medical device data and environmental control systems
• Interface errors and device defects could introduce inaccurate information into electronic health records (EHR)
HIPAA Security Rule
• Requires that covered entities (CEs) and their business associates (BAs) perform a security risk assessment to identify and mitigate risks to the confidentiality, integrity, and availability of the ePHI they create, receive, maintain, or transmit
• Specifies a series of administrative, physical, and technical safeguards that CEs and their BAs must implement to prevent unauthorized or inappropriate access, use, or disclosure of ePHI
• Administrative safeguards include:
  – Risk analysis and management, access management, workforce training, and evaluation of security measures
HIPAA Security Rule (cont.)
• Physical safeguards include:
  – Physical measures, policies, and procedures to safeguard the CE's or BA's electronic information systems
  – Facility access controls, workstation security, and device and media controls
• Technical safeguards include:
  – Access controls, audit controls, integrity, person or entity authentication, and transmission security
[Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA. U.S. Department of Health and Human Services, https://www.healthit.gov/sites/default/files/non-covered_entities_report_june_17_2016.pdf]
HIPAA Security Rule (cont.)
• Requires implementation of security measures that can help prevent the introduction of malware, like ransomware, including:
  – Implementing a security management process
  – Implementing procedures to guard against and detect malicious software
  – Training users on malicious software protection
  – Implementing access controls
[FACT SHEET: Ransomware and HIPAA, http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf]
HIPAA Security Rule (cont.)
• Requires CEs and BAs to implement policies and procedures that can assist an entity in responding to, and recovering from, a ransomware attack
  – Security incident procedures, including procedures for responding to and reporting security incidents
• Robust security incident procedures for responding to a ransomware attack should include processes to:
  – Detect and conduct an initial analysis of the ransomware
  – Contain the impact and propagation of the ransomware
HIPAA Security Rule (cont.)
• Robust security incident procedures include:
  – Eradicating the instances of ransomware and mitigating or remediating the vulnerabilities that permitted the ransomware attack and its propagation
  – Recovering from the ransomware attack by restoring data lost during the attack and returning to "business as usual" operations
  – Conducting post-incident activities, and incorporating any lessons learned into the entity's overall security management process to improve incident response effectiveness for future security incidents
[FACT SHEET: Ransomware and HIPAA, http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf]
HIPAA Security Rule (cont.)
• The presence of ransomware (or any malware) on a CE's or BA's computer system is a security incident
  – Once it is detected, the CE or BA must initiate its security incident response and reporting procedures
  – These must be reasonable and appropriate in light of the guidance on handling security incidents, including ransomware attacks
• Whether or not the presence of ransomware would be a breach under HIPAA is a fact-specific determination
  – Does it compromise the security of PHI?
HIPAA Security Rule (cont.)
• Is there a low probability that the PHI has been compromised?
• Four-factor test:
  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  2. The unauthorized person who used the PHI or to whom the disclosure was made
  3. Whether the PHI was actually acquired or viewed
  4. The extent to which the risk to the PHI has been mitigated
• There should be a thorough and accurate evaluation of all the evidence
[FACT SHEET: Ransomware and HIPAA, http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf]
Limited Scope of HIPAA
• Applies only to organizations known as CEs (health plans, healthcare clearinghouses, and healthcare providers conducting electronic transactions) and their BAs (persons or entities that perform certain functions or activities involving the use or disclosure of PHI)
• Wearable fitness trackers, social media sites where individuals share health information through specific social networks, and other technologies that are common today did not exist when HIPAA was enacted in 1996
  – Many of these are outside the scope of HIPAA
Privacy and Security Protections of Health Information Have Not Kept Up with the Technology
• New types of entities that collect, share, and use health information are not regulated by HIPAA
• Individuals may have a limited or incorrect understanding of when data about their health is protected by law, and when it is not
• Health information collected in more places without consistent security standards may pose a cybersecurity threat
• Individuals generally have greater rights regarding access to data held by HIPAA CEs than to data held by non-CEs
• Lack of understanding of what rules apply may hinder economic growth and the development of beneficial products that could help generate better health, smarter spending, and healthier people
Physical Security and Social Engineering Audit Case #1
Outline
• 13,000 sq. ft. datacenter audited for large SE client
• Team of two
• Planning, one week, including “wrong number” visit
• Original plan (controls passed)
• Adaptive plan based on use of call log
Results:
• Successful breach using pressure and names from call log and 2nd cell phone
• Full unescorted access onto datacenter floor and client’s secure cage
• Control tested and exploited – call log PIN number
Physical Security and Social Engineering Audit Case #2
Outline
• 550,000 sq. ft. datacenter audited for massive MW client
• Team of two
• Planning, three weeks
• Original plan – one week on-site (most controls passed)
• Adaptive plan based on observation on last day of audit
Results:
• Successful breach of critical infrastructure area due to “nut in door jamb”, shared access with education center, and relaxed posture
• Full unescorted access onto datacenter’s critical substructure
• Control tested and exploited – hardened access controls to substructure
Physical Security and Social Engineering Audit Case #3
Outline
• 200,000 sq. ft. datacenter audited for massive MW client
• Team of two
• Planning, two weeks
• Original plan – one week on-site (access controls failed day one)
• Security was 3rd-party DOD certified
Results:
• Successful breach of entire facility due to relaxed posture and weak authorization process; included piggybacking through “man trap gate”
• Full unescorted and “authorized” access to facility
• Controls tested and exploited – video-monitored trap gate and access authorization process
#1 Question
How do we stop these threats to our organizations?
Information Security Forum Threat Horizon 2019 Report
Source: https://www.securityforum.org/research/threat-horizon-2on-deterioration/
• Disruption – Overreliance on fragile connectivity
• Distortion – Trust in the integrity of information is lost
• Deterioration – Controls are eroded by regulations and technology
Prevent–Detect–Respond Measures
Source: https://www.securityforum.org/research/threat-horizon-2on-deterioration/
Disruption | Distortion | Deterioration
• Integrate with BioMed procurement
• Assess BioMed security risks
• Identify critical assets – ownership and access (RECERTIFY)
• Conduct cybersecurity tabletops
• Review cybersecurity response plan
• Monitor access to sensitive information
• Collaborate across org to understand impact of lost information
• Monitor insider threat – with legal guidance
• Train talent – new technology (e.g., cloud)
Summary and Conclusions
• Cybersecurity in healthcare organizations is challenging – PREVENT, DETECT, RESPOND
• Legal protections are not always sufficient – Understand impact of lost INFORMATION
• Biomedical devices pose significant risks – Conduct inventory; Integrate – procurement; Assess security RISKS
• Ransomware attacks will continue – Prepare workforce; Conduct tabletops; Develop response plan
Question
When conducting a breach risk assessment, what threshold must be assessed to consider a disclosure a breach?
A. High risk of harm
B. Patient safety risk
C. Low probability of compromise
D. Excessive risk of disclosure
Answer
A. High risk of harm
B. Patient safety risk
C. Low probability of compromise
D. Excessive risk of disclosure
Explanation: The HIPAA Security Rule provides that whether or not the presence of ransomware would be a breach is a fact-specific determination, and one of the considerations is whether there is a low probability that the PHI has been compromised.
Question
Which of these controls represents a “physical safeguard” under HIPAA?
A. Audit logging
B. Identity badge policy
C. Anti-virus
D. Security cameras
Answer
A. Audit logging
B. Identity badge policy
C. Anti-virus
D. Security cameras
Explanation: Of the choices, only security cameras are physical in nature.
Question
Which of the following represents the BEST strategy for recovering from a ransomware infection?
A. Tape backup
B. User education
C. Anti-virus
D. Data loss prevention
Answer
A. Tape backup
B. User education
C. Anti-virus
D. Data loss prevention
Explanation: Of the choices, only a tape backup could have the information available from prior to the infection.
Question
The HIPAA Privacy Rule
A. Provides state protections for individually identifiable health information held by covered entities and their business associates
B. Requires that covered entities and their business associates perform a risk assessment
C. Provides federal protections for individually identifiable health information held by covered entities and their business associates
D. Requires implementation of security measures that can help prevent the introduction of malware, including ransomware
Answer
A. Provides state protections for individually identifiable health information held by covered entities and their business associates
B. Requires that covered entities and their business associates perform a risk assessment
C. Provides federal protections for individually identifiable health information held by covered entities and their business associates
D. Requires implementation of security measures that can help prevent the introduction of malware, including ransomware
Explanation: HIPAA is a federal law and thus does not provide state protections, so answer a. is wrong. Answers b. and d. are from the HIPAA Security Rule.
Question
The HIPAA Privacy Rule
A. Protects all health information wherever it is found
B. Does not protect all health information wherever it is found
C. Applies to health information about an individual that has been de-identified
D. Requires covered entities and business associates to implement policies and procedures that can assist an entity in responding to, and recovering from, a ransomware attack
Answer
The HIPAA Privacy Rule
A. Protects all health information wherever it is found
B. Does not protect all health information wherever it is found
C. Applies to health information about an individual that has been de-identified
D. Requires covered entities and business associates to implement policies and procedures that can assist an entity in responding to, and recovering from, a ransomware attack
Explanation: HIPAA protects most individually identifiable health information held or transmitted by a covered entity or its business associate in any form or medium, whether electronic, on paper, or oral (PHI). It does not protect all health information wherever it is found. Thus, answer a. is incorrect. It does not apply to de-identified information, and thus answer c. is incorrect. Answer d. is from the HIPAA Security Rule.
Question
The HIPAA Security Rule does not
A. Require that covered entities and their business associates perform a security risk assessment
B. Require covered entities and business associates to implement policies and procedures that can assist an entity in responding to and recovering from a ransomware attack
C. Require training users on malicious software protection
D. Extend to all wearable fitness trackers
Answer
A. Require that covered entities and their business associates perform a security risk assessment
B. Require covered entities and business associates to implement policies and procedures that can assist an entity in responding to and recovering from a ransomware attack
C. Require training users on malicious software protection
D. Extend to all wearable fitness trackers
Explanation: The HIPAA Security Rule applies to answers a., b., and c. It does not apply to all wearable fitness trackers. Such devices were designed, created, and used after the drafting of HIPAA in 1996, and thus were not anticipated at the time.
References
Health Insurance Portability and Accountability Act, Pub. L. 104-191, 110 Stat. 1936 (1996); http://library.clerk.house.gov/reference-files/PPL_HIPAA_HealthInsurancePortabilityAccountabilityAct_1996.pdf
Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA. U.S. Department of Health and Human Services; https://www.healthit.gov/sites/default/files/non-covered_entities_report_june_17_2016.pdf
FACT SHEET: Ransomware and HIPAA. http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
PERSHING YOAKLEY & ASSOCIATES, P.C.
800.270.9629 | www.pyapc.com
Contact Information
Cathy Beech: beech@email.chop.edu | Direct 267.426.0532
Paul R. DeMuro: pdemuro@broadandcassel.com | Direct 954.745.5224 | Mobile 213.308.7859
Barry Mathis: bmathis@pyapc.com | Direct 865.684.2785 | Mobile 423.827.7893
John T. Rasmussen: John.T.Rasmussen@medstar.net
Thank you!