Information Security Risk Management in Biomedical Equipment

www.acesummitandexpo.com
Facilities and Clinical Engineering Track:
Addressing Risk Management in Biomedical
Equipment
January 14, 2013
Bart Hubbs - Chief Information Security Officer, FMOL Health System
Bud DeGraff - GM, Diagnostic & Clinical Services, GE Healthcare

Overview
• Biomedical devices have evolved from largely stand-
alone devices to more digitally integrated data collection
and delivery units.
• Device evolution has helped improve and streamline
patient monitoring and subsequent care by collecting
and delivering actionable patient data to the right
caregivers.
• The streamlined collection and delivery of patient data
has also increased risk in other areas.
• Making of a good “Partnership” – Identifying Impact and
Likelihood with a focus on controls and mitigation
tools/approaches.

What is Risk?
• Risk can be viewed as the intersection of impact and
likelihood of negative occurrence.
(Risk = Impact x Likelihood)
• Impact can be experienced via loss of confidentiality,
integrity, and/or availability of data.
• Likelihood of loss is generally increased or decreased
when controls and/or weaknesses are enhanced or
reduced.

What Risk Management?
• Risk management can be viewed simply as formulating
risk to a level that falls within organizational risk
tolerance.
• Management activities included adjusting likelihood
and/or impact.
• Risk management also includes compliance with federal,
state, and industry requirements (examples: HIPAA,
PCI-DSS, SOX, GLBA, FERPA, etc.).

HIPAA and “Protected Health
Information”
• U.S. Federal Regulations
• PHI is generally defined as individually identifiable health
information created or received by a
– Health care provider, health plan, employer, health
care clearinghouse, business associate; and
• Relates to an individual's past, present or future physical
or mental health or condition, the provision of health care
to an individual, or payment for the provision of health
care to an individual.

• When data is classified as PHI, made digital and in the
custody of or shared by an entity defined previously,
the HIPAA Security Rule is applied.
• The electronic PHI is often referred to as ePHI.
• Risk management activities are then structured based
on the HIPAA Security Rule.
• Risk management/mitigation actions are generally
focused on reducing likelihood.
• However, risk management/mitigation actions can be
focused on impact reduction via data de-identification.
Why is the term “PHI” important?

• Does not identify nor provide a reasonable basis to
identify an individual.
• Not considered PHI
− There are no restrictions on the use or disclosure of
de-identified health information.
• Two ways to de-identify information:
− Remove certain specified identifiers; or
− Obtain a formal determination by a qualified
statistician.
De-Identified Health Information

• HITECH enhanced the importance of ePHI protection
due to the breach notification requirements.
• HITECH was enacted as part of the The American
Recovery and Reinvestment Act.
• Millions can be spent on a breach.
• Reputation related costs can be significant.
• Mitigation is increasingly important with EHR adoption
in hospitals and increasing “systems of systems” with
ePHI.
ePHI Confidentiality Loss and Impact

• HITECH also establishes that “business associates” are
directly required to comply with the HIPAA Security Rule.
• Previously, “business associate” compliance with the
HIPAA Security Rule was established via contract with the
covered entity.
Business Associates and HITECH

• Covered Entities (“CE”) -- health plans, health care
clearinghouses and most health care providers.
• Business Associates -- Third party who performs or
assists a Covered Entity in performing a function or
activity.
What are “Covered Entities” and
“Business Associates”?

• MDS2 -- Manufacturer Disclosure Statement for Medical
Device. Link:
www.himss.org/content/files/MDS2FormInstructions.pdf
• Vendor SMEs – Subject matter experts from the vendor
can provide enhanced understanding the information
stored or transmitted by the device.
• Vendor Manuals– Many are online and provide detailed
information about data, controls and configurations.
Understanding Risk – Information Sources

Reducing Risk – Management Levers
Impact Likelihood
ePHI element reduction
(limited data‐set)
Administrative controls
‐Policies
‐Security Awareness
‐Incident Response Procedures
Data de‐identification Physical controls
‐Building and zone controls
‐Inventory management
‐Workstation/storage controls
‐Device Disposal
Technical controls
‐Access controls
‐Encryption
‐User management

• Consider having a person actively manage PHI in
hospital whether Biomed, IT, or Risk Management.
• Define clearly what PHI is in new hire and ongoing
training.
• Tell how to de-Identify and what types of data must
not be shown.
• Service Procedures Manual wording:
“In the normal course of performing services for our Customers,
Employees may come into contact with protected health information
(PHI). PHI is specific information about an individual patient …. This
information is often encountered on display monitors, in storage
media such as hard drives. You must take every means possible to
secure this information. “
Employee Awareness Training

• Today’s hospital is an internet of devices …
system of systems
• Networks can be at risk if not protected. Wireless
applications and allowing WIFI for patients/visitors are
potential risk areas.
•Real Time Tracking technology/solutions allows for
finding all equipment faster, better compliance tracking,
and faster incident response.
•Vendor Technologies such as phone home
functionality that allow service requests or proactive
service should be designed to anonymize data where
possible, in order to prevent unnecessary exposure to
PHI.
IT Specifics & Mitigation Tools

PHI Threats/Areas of Concern

• IT and Risk Management should both have data
breach plans.
• When you work with vendors ensure that Business
Associate agreements are included to ensure the
privacy of PHI. This includes legal indemnifications.
• Service Procedures Manual: “In the event that an
information system has been compromised in such a way that
unauthorized individuals, either at a customer’s site or at
business associate’s location, could access PHI you must
report the event immediately. Reports of events shall be made
via the Concern and Incident Reporting Portal at Security and
Crisis Management Center.”
Proactive Incident Response

• Not having a “robust, living” Risk Management plan
for facility and vendor.
• Not having clearly drawn partnership lines between
hospital system and vendor responsibilities on what
are risk areas and how are they controlled/mitigated.
• Device security configurations undocumented and
inconsistent. All vendors are not created equal in
the security space.
• Lack of facility and vendor engagement in controls
development for biomed equipment.
Common Issue Areas

• Human controls in industry now with each site
required based on HIPAA to manage.
• Software is being developed to automatically wipe
equipment clean of PHI.
• In the future, control of PHI will be a built-in pillar of
IT operations and default device configurations.
• Covered Entities & Business Associates will demand
risk mitigation due to enhanced fines and the on-
going cost of breach notification.
The Future of PHI

Addressing Risk Management in Biomedical
Equipment
Questions
Bart Hubbs - Chief Information Security Officer, FMOL Health System
Bud DeGraff - GM, Diagnostic & Clinical Services, GE Healthcare

Information Security Risk Management in Biomedical Equipment

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to Information Security Risk Management in Biomedical Equipment

Similar to Information Security Risk Management in Biomedical Equipment (20)

Recently uploaded

Recently uploaded (20)

Information Security Risk Management in Biomedical Equipment