hipaa compliant cloud computing, an overview

Upload: cleardatacloud

Post on 18-Jan-2017

Page 1: HIPAA Compliant Cloud Computing, An Overview

removing barriers to healthier healthcare

HIPAA, Security & Cloud

Presented By: Chris Bowen, MBA, CISSP, CIPP/US, CIPT, Founder, Chief Privacy & Security Officer

Matt Ferrari, Chief Technology Officer

Using the Cloud as an enabler.

Page 2

Learning Objectives

• Understand HIPAA and HIPAA

• Understand the patients' rights under HIPAA and how those relate to the BAA

• Examine the purpose of the BAA – what it is designed to do

• Review Meaningful Use and its place in driving Security Risk Assessments

• Know the penalties for a data breach

• Understand what makes up a SRA

• Discuss some real breaches, what happened and how it could have been prevented

Page 3

Objectives for HIPAA

• Make Health Insurance More Portable
• Reduce Healthcare Fraud
• Improve Efficiency of Payment, Claims, Etc.
• Protect Personal Medical Information
• Gather Statistical Data About Diseases

Page 4

The HIPAA Security Rule

• Establishes national standards to protect ePHI that is created, received, used, or maintained by a covered entity.

• Applies to:
– Covered Entities
– Business Associates

• Maintain reasonable and appropriate safeguards for protecting ePHI:
– Administrative
– Technical
– Physical

Page 5

Specifically

• Ensure the confidentiality, integrity, and availability of all ePHI Covered Entities create, receive, maintain or transmit

• Identify and protect against reasonably anticipated threats to the security or integrity of the information

• Protect against reasonably anticipated, impermissible uses or disclosures

• Ensure compliance by their workforce.

Page 6

Patient Rights Under HIPAA

• Right to receive a notice of privacy practices
• Right to copy and inspect one's own PHI
• Right to request PHI amendments
• Right to restrict disclosures to others
• Right to receive PHI by alternate means
– PO Box not home address, for example
• Right to file a privacy complaint (anyone)

Page 7

The Business Associate Agreement

• Covered Entities must enter into these with service providers like ClearDATA

• ClearDATA must enter into these with our service providers

• Three Major Obligations of a BAA:
– Facilitate Patient Rights
– Complete Risk Analysis, Policies and Procedures
– Report Breaches and Liability

Page 8

BAA: Safeguarding Data

• ClearDATA and our subcontractors (such as AWS) must:
– Assess risk and implement the safeguards, policies, and procedures.
– Conform and comply with the HIPAA Rules.
– And ensure that our service providers do the same!

Risk Management cycle: Assess, Evaluate, Manage, Measure

Page 9

Askew

If you search for "Askew" in Google, the content will tilt slightly to the right.

Page 10

Breach Notification

• CE/BA must investigate any and all legitimate potential breaches of unsecured PHI.

• Investigation Process:
– Isolate
– Investigate
– Remediate
– Report

Unsuccessful Security Incidents / Breaches of fewer than 500 records: Internal Logging

Successful Security Incidents / Breaches of more than 500 records: External Reporting

Page 11

Meaningful Use: Basic Requirements

1. Use of certified EHR in a meaningful manner (e.g., e-prescribing)

2. Use of certified EHR technology for electronic exchange of health information to improve quality of health care

3. Use of certified EHR technology to submit clinical quality measures (CQM)

4. Meaningful Use is how the EHR is used. This is the responsibility of providers with assistance from local, area, and national staff

Page 12

Use vs. Meaningful Use

[Image: "Pumpkin" vs. "Pumpkin Used Meaningfully"]

Page 13

Meaningful Use timeline

2009 – HITECH Policies

2011 – Stage 1: Capture/Share Data

2014 – Stage 2: Advanced Care Processes w/ Decision Support

2016 – Stage 3: Improved Outcomes

Page 14

Objective: 45 CFR 164.308 (a)(1)

SRA Objectives: Core 9 Meaningful Use

• Assessment of the Administrative, Physical and Technical Safeguards per Security Rule.

• Review of physical computing environment.

• Interrogation of security software & protocols.

• Assessment of electronic transmission procedures for PHI.

• Assess vulnerabilities to the confidentiality, integrity and availability of ePHI.

Page 15

Review of Safeguards

1. Administrative
2. Physical
3. Technical
4. Organizational

Page 16

OCR Audit Protocol

1. New & Stricter Requirements
2. Preventative Measures
3. Written Policies & Procedures
4. Management Accountability
5. Significant Documentation

ClearDATA's SRA Meets OCR Audit Protocol

Page 17

SRA Urgency

• Important to Avoid Security Breaches & Fines

• Required to Receive Incentive Funding

• Meaningful Use Requirement

• Required Regularly or When Systems Change

Page 18

Source: https://cybersponse.com/data-breaches-by-the-numbers

Page 19

Source: https://cybersponse.com/data-breaches-by-the-numbers

Page 20

The Attack

Page 21

Breaches by Business Associates

1. January 2014 – Blue Cross Blue Shield of New Jersey. Loss of data affecting 839,711 individuals. A laptop was stolen – there was no encryption.

2. January 2014 – Triple-C, Inc. Theft of data affecting 398,000 individuals. A network server was stolen – there was no encryption.

3. May 2014 – Sutherland Healthcare Solutions, Inc. Thieves stole eight computers from Sutherland's Torrance, Calif. office. They got away with the medical records of 342,197 individuals. There was no encryption.

4. August 2014 – Community Health Pro-Services Corporation. Unauthorized access. In a legal dispute with Texas HHS, Xerox removed patient records from servers and hard drives and permitted other parties to view the records of 2,000,000 individuals.

5. December 2014 – Senior Health Partners. Theft of 2,700 records after a laptop and mobile phone belonging to a registered nurse employed by its business associates were reported stolen.

Page 22

Value of PHI

• 2% – Credit report was accessed or modified
• 29% – Obtain healthcare services or treatments
• 28% – Obtain prescription drugs or medical equipment
• 26% – Obtain government benefits, including Medicare or Medicaid
• 11% – My healthcare records were accessed or modified
• 2% – Obtain fraudulent credit accounts in my name
• 2% – Don't know

Page 23

Why Breaches Are Occurring

• Hackers have incentive and opportunity

• A single stolen password tends to access multiple accounts

• Selling personal information has become a profitable global enterprise

• Weak passwords and authentication are a big part of that opportunity.

Page 24

The Aftermath

• Identity Theft
• Espionage
• Future Attacks
• Money Spent
• Reputations Lost

Page 25

HIPAA Fines and Penalties

Violation Category              | Each Violation     | All Identical Violations per Calendar Year
Did Not Know                    | $100 - $50,000     | $1,500,000
Reasonable Cause                | $1,000 - $50,000   | $1,500,000
Willful Neglect - Corrected     | $10,000 - $50,000  | $1,500,000
Willful Neglect - Not Corrected | $50,000            | $1,500,000

Page 26

How Much This Graph Reminds Me of Mr. T

[Graph with bars labelled "Reminds me of Mr. T" and "Still kind of reminds me of Mr. T"]

Page 27

More Learning Objectives

• Understand Cloud challenges for healthcare and how we solve for them

• Review how to use the Cloud to overcome security challenges

• Discuss trends in the Cloud, such as Multi-cloud

• The AWS overlay and its drivers

• Understand how to get the best out of both worlds – HIPAA Managed Services + Multi-cloud

• Review a real-world example – case study

Page 28

The Cloud's Role in Transforming Healthcare

• Data Aggregation: Centralized, high-performance access

• Agility / Speed: Speed & flexibility to implement new services

• Simplicity: No hardware, no software, no new staff

• Reduce Costs: Lower costs, no capex, pay as you grow

• Security: 70% less breach, HITRUST certified

• Reliability / Scalability: Greater uptime/redundancy, SLAs, scalability

Page 29

Healthcare IT Transformation Challenges: Problems We Solve

• Aging infrastructure
• Maintenance costs
• Support costs
• Standardization
• Virtualization
• Scalability / Reliability
• Capital & Personnel Constraints

~50% of Challenges in IT Operations and Maintenance?
Aging Infrastructure, Support and Maintenance?
Healthcare IT Complexity Increasing? HIT Know How?
Lack of IT Visibility: Utilization of Systems, Applications, Data?

Security & Compliance by Application
• Visibility, What is Secure?
• Compliancy by App
• Maintaining HIPAA IT Policy and Procedures
• Annual Risk Analysis

75% Reduction of Breach Potential

• Application sprawl
• Data sprawl
• Image / archive
• Intelligent storage
• Backups / DR
• Agility
• Impeding Innovation
• BYOD
• Adoption of Advanced Apps

Innovation Throttles to ~30%?

• Multiple IT Portals
• Increased Regulatory Compliance
• IT Transformation Tech: Wireless, BYOD, Telemedicine, Cloud, Analytics

Reduce IT Complexity by ~50%

Page 30

ClearDATA: The Vision for Transformation

STORE + MANAGE + PROTECT + SHARE

• STORE: fix and modernize the infrastructure, store HC applications and data
• MANAGE: healthcare IT infrastructure, network, security
• PROTECT: secure patient data, data lifecycle management
• SHARE: organize, normalize, access & share healthcare data

Page 31

BAA Covered AWS Services

ClearDATA Healthcare Managed Platform – HealthDATA™ Cloud Suite:
• HealthDATA™ Security & Privacy
• HealthDATA™ Management
• Healthcare IT Service & Support

ClearDATA Enhanced Security, Compliance & BAA:
• Risk Assessment, Policy Development, Advisory Services
• Hardened Hosting, Complete Encryption, HC PaaS Portal/API
• Scalable Hosting, Flexible Interchange, HC Analytics
• 24 x 7 Support, Compliance Trained, HIT ProServ

Customers: Gov Healthcare, Physicians, Medical Devices, Life Sciences, Hospitals, Healthcare Software

AWS layers: Compute, Data Storage, Network Services, App Services

Page 32

What AWS services could be BAA covered today?

• DynamoDB – NoSQL Cloud Database Service
• Elastic Block Store (EBS)
• Elastic Compute Cloud (EC2)
• Elastic Map Reduce (EMR)
• Elastic Load Balancer (ELB)
• Glacier
• Relational Database Service (RDS)
• Redshift – Cloud Data Warehouse
• Simple Storage Service (S3)

Page 33

Managed Service overview

Capability | Customer | ClearDATA | ClearDATA with AWS

Application development, deployment & monitoring: X / Option
Compliance Scorecard: X
Cloud Infrastructure Healthcare Architecture, Optimization & Support: X
On demand Security Risk Assessments: X
Quarterly Vulnerability Scanning: X
Breach detection, notification & remediation: X
PHI and other data Encryption at rest and in motion including key management access: X
Intrusion Detection: X
OS deployment, hardening, patching: X
Managed Backup configuration & management: X
VPN & Firewall configuration & management: X
Anti virus configuration & management: X
Infrastructure Ecosystem: X
Infrastructure Development, Availability, Scaling, Security: X
Geo Diversity & Physical security: X

Page 34

ClearDATA, 1600 W. Broadway Road, Tempe, AZ 85282. Ph: (888) 899-2066, [email protected], www.cleardata.com

Healthcare Infrastructure That is Controlled, Managed, and Optimized By Our HealthDATA™ Platform

Key Benefits

• Healthcare specific portal for all managed services

• Cloud automation, templates & HIPAA compliant dashboard

• API for direct access to ClearDATA configured AWS services

HealthDATA™ HIT & Cloud Management Platform
• Centralizing management across ClearDATA products
• Secure support request management
• ITIL-Aligned Configuration Management Database
• Deploy AWS environments with Cloud Formations
• View billing and invoice information
• Security hardened AMIs for common services

Page 35

Questions

Page 36

Thank You

For additional information please contact:

Joseph Vadakkan, Solution [email protected]