8. Not Safe -- Data Records Compromised: 2000 - 2007
Source: Perimeter Security
A Comprehensive Study of Healthcare Data Security Breaches In the United States From 2000 - 2007
9. Even the best find it tricky to monitor…
• Kaiser Permanente:
• July 2009 -- California regulators fined Kaiser Permanente’s
Bellflower Hospital an additional $187,500 for failing to
prevent unauthorized access to confidential patient
information
• May 2009 – Kaiser fined $250,000 after 21 patients and two
doctors looked at a mother’s records without authorization.
• Cleveland Clinic:
• A clinic employee stole personal information from electronic
files and sold it to her cousin, owner of Advanced Medical
Claims, who used it to file fraudulent Medicare claims totaling
more than $2.8 million.
10. Advanced logging and monitoring for Health Information
• CONTEXT
• WHAT WE NEED
• THE SOLUTION
12. CONTEXT in 2010
• At cusp of massive growth in Health
Information
• Sophistication of security attacks
• Impact of “meaningful use”
• Compliance landscape
14. Massive Growth in Health Information Exchange
• Electronic Health Care records: new push by
President Obama (ARRA, HITECH ACT)
• Stark Law exceptions, coupled with stimulus money, extend
information to affiliated physicians and other third parties
• Local and State HIEs are growing rapidly -- Federal NHIN is on its
way and “data exchange” is a component of meaningful use
• The end of silos: end-to-end clinical decision
systems
• Remote medical diagnosis and treatment
16. Data Breach types (1)
• A hacker breaking in and downloading sensitive data
• A system (or systems) being infected with malicious
software that captures, sends, or otherwise puts
sensitive data into criminal hands
• A social-engineering technique whereby employees or
other insiders are tricked into exposing sensitive
information
• A theft of computer systems, devices, or storage media
that have sensitive data stored
17. Data Breach types (2)
• Sending sensitive information in e-mail
• Posting sensitive information to a public forum,
such as a Web site
• Where a computer glitch or a poorly written
application exposes sensitive data
• Lost laptops or media
18. Breaches….we are not in Kansas
Capability of the People’s Republic of China to Conduct Cyber Warfare and
Computer Network Exploitation
Prepared for The US-China Economic and Security Review Commission
“The Chinese have adopted a formal IW strategy
called “Integrated Network Electronic Warfare”
(INEW) that consolidates the offensive mission for
both computer network attack (CNA) and EW under
People’s Liberation Army (PLA) General Staff
Department’s (GSD) 4th Department (Electronic
Countermeasures)”
19. Sophistication of Security attacks
• Multiple vectors
– Applications / Operating systems / Network /
Web interface / DBMS
– Internal versus external
• Coordinated attacks
– Malware, Password Harvesting, Distributed
Denial of Service
• Microsoft’s lesson
20. Impact of “Meaningful Use”?
1. Improve quality, safety, efficiency, and reduce health
disparities
2. Engage patients and families (giving them access to
data)
3. Improve care coordination among health providers,
insurers and other actors
4. Improve population and public health
5. Ensure adequate privacy and security protections for
personal health information
21. “Meaningful use” -- Core Security and Privacy Issues
• Who needs to look at health records?
• Who actually has access to health records?
• Who has seen these health records?
22. Stringent Compliance looms…
• New requirements under stimulus bill (ARRA /
HITECH) are stringent:
• “Meaningful use”
• Breach notification
• Federal Trade Commission “Red flag” rules
effective June 1, 2010
• States also tightening – California, Mass.
Impose penalties for violations
23. Physicians subject to red flag rule if:
• Physicians do not require full payment up-front at
the time they see patients, but rather bill patients
after the physician’s services are rendered
• The patient is ultimately responsible for medical
fees (as is routinely the case with respect to co-pays
or deductibles or services not covered by
insurance)
25. Solving the problem...
• Complicated environment (increasingly
networked - multiple systems and devices)
• Misuse of “authorized” access
• Providing right information in near real-time
• Reporting and alerting
• Not enough to track how a system is being used; we must also track how
it is being used with other systems to create damage
26. “Simplified” view of information exchange
[Diagram of information exchange steps: Eligibility verification; Discharge or Transfer; Admission; Coding and billing; Resource scheduling; Follow-up care and referrals; Diagnosis and Patient history; Lab Requisition and Information]
27. Possible Misuse Cases
• A father accessing his future son-in-law’s records
for incriminating information
• A divorced woman looking at her ex-husband’s
information for ammunition in a custody battle
• Clinicians reading the records of a detested
neighbor
• Clerical workers selling celebrity information to the
media
28. Reporting and Alerting
• Rapid response (including real-time)
• Reducing false positives
• Ad hoc
• Intelligent pattern recognition
35. Indexing
• Allows for faster retrieval (Best example: Google)
• Indexing unstructured data
• Indexing tradeoffs:
• Before or after normalization
• Number of indexing parameters
36. Correlation
• Creating “patterns” of what may look like unrelated
activities
• Developing actions for responding to malicious
patterns
• Automated reporting
• Deny access or authorization
• Monitor suspicious behavior
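As an added illustration (not part of the original slides), the sketch below correlates individually unremarkable record views into two patterns: access by a user with no care relationship to the patient, and several such users opening the same record within an hour. The log format, the care-team table and every name and value are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: care-team assignments and EHR access events.
CARE_TEAM = {"pt-1001": {"dr_lee", "rn_ortiz"}, "pt-1002": {"dr_lee"}}
EVENTS = """\
2010-03-01T09:00:00 dr_lee view pt-1001
2010-03-01T09:05:00 rn_ortiz view pt-1001
2010-03-01T09:10:00 clerk_a view pt-1002
2010-03-01T09:12:00 clerk_b view pt-1002
2010-03-01T09:20:00 rn_ortiz view pt-1002
2010-03-01T15:00:00 clerk_a view pt-1001
"""

def parse(lines):
    """Normalize 'timestamp user action patient' lines into dicts."""
    out = []
    for line in lines.strip().splitlines():
        ts, user, action, patient = line.split()
        out.append({"ts": datetime.fromisoformat(ts), "user": user,
                    "action": action, "patient": patient})
    return out

def correlate(events, care_team, window=timedelta(hours=1), threshold=3):
    """Return (outside, bursts).
    outside: accesses by users who are not on the patient's care team.
    bursts: patients whose record was opened by >= threshold distinct
    outside users within `window` of each other."""
    outside = [e for e in events
               if e["user"] not in care_team.get(e["patient"], set())]
    by_patient = defaultdict(list)
    for e in sorted(outside, key=lambda e: e["ts"]):
        by_patient[e["patient"]].append(e)
    bursts = {}
    for patient, evs in by_patient.items():
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:]
                     if e["ts"] - first["ts"] <= window}
            if len(users) >= threshold:
                bursts[patient] = sorted(users)
                break
    return outside, bursts

def report():
    """Run the correlation over the constructed sample events."""
    outside, bursts = correlate(parse(EVENTS), CARE_TEAM)
    return [(e["user"], e["patient"]) for e in outside], bursts
```

The single-access list is an exception report for review, while the burst rule is the higher-confidence alert; tuning `window` and `threshold` is where false positives are traded against missed misuse.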
37. Event Management and Reporting
• What defines an “event” -- separating noise from insight
• Exception reporting
• Compliance
• Regularly scheduled reports
• Custom and ad hoc reporting
38. Configuration
• What is a normal system? (Baseline)
• What systems do we need to log and why?
• Encryption requirements (at rest and during transfer)
• Local and archival storage, retrieval
• Frequency of collection, transmission, analysis and
reporting
39. Storage
• What is enough storage?
• Is storage secure?
• Retention period
• When to apply forced deletion?
• Legal custody protection
40. Best Practices for Health Providers
• Separate “information security” from IT
• Security awareness program
• Form tight relationship between IT and Compliance
• Audit Excellence (Best Available Control technology)
41. Suggested Next Steps
• Start small
• Work to reduce top 20 misuse cases
• Segregate network devices, applications, users locations
• Develop a strategic view of logging
• Audit requirements will increase exponentially
• Involve Compliance and IT Audit – Develop a coalition of the willing
• Evaluate products from an “architectural” standpoint
42. Summary -- a good logging system:
• Rapidly identifies system misuse
• Reduces the hassle of collection
• Allows inputs from many sources
• Is efficient (e.g. limits bandwidth requirements, lowers storage)
• Can improve using newer, sophisticated algorithms, event
triggers and rules
43. info@techumen.com
www.techumen.com
(917) 434 2857
Securing Health
Information
info@logrhythm.com
www.logrhythm.com
(303) 413 8745