hipaa compliant cloud computing, an overview
TRANSCRIPT
removing barriers to healthier healthcare
HIPAA, Security & Cloud
Presented By: Chris Bowen, MBA, CISSP, CIPP/US, CIPT, Founder, Chief Privacy & Security Officer
Matt Ferrari, Chief Technology Officer
Using the Cloud as an enabler.
2PROPRIETARY AND CONFIDENTIAL
Learning Objectives
Understand HIPAA and HIPAA
Understand the patients’ rights under HIPAA and how those relate to the BAA
Examine the purpose of the BAA – what it is designed to do
Review Meaningful Use and its place in driving Security Risk Assessments
Know the penalties for a data breach
Understand what makes up a SRA
Discuss some real breaches, what happened and how it could have been prevented
Objectives for HIPAA
• Make Health Insurance More Portable
• Reduce Healthcare Fraud
• Improve Efficiency of Payment, Claims, Etc.
• Protect Personal Medical Information
• Gather Statistical Data About Diseases
The HIPAA Security Rule
• Establishes national standards to protect ePHI that is created, received, used, or maintained by a covered entity.
• Applies to:
– Covered Entities
– Business Associates
• Maintain reasonable and appropriate safeguards for protecting e-PHI:
– Administrative
– Technical
– Physical
Specifically
• Ensure the confidentiality, integrity, and availability of all e-PHI Covered Entities create, receive, maintain or transmit
• Identify and protect against reasonably anticipated threats to the security or integrity of the information
• Protect against reasonably anticipated, impermissible uses or disclosures
• Ensure compliance by their workforce.
Patient Rights Under HIPAA
• Right to receive a notice of privacy practices
• Right to copy and inspect one’s own PHI
• Right to request PHI amendments
• Right to restrict disclosures to others
• Right to receive PHI by alternate means
– PO Box not home address, for example
• Right to file a privacy complaint (anyone)
The Business Associate Agreement
• Covered Entities must enter into these with service providers like ClearDATA
• ClearDATA must enter into these with our service providers
• Three Major Obligations of a BAA
– Facilitate Patient Rights
– Complete Risk Analysis, Policies and Procedures
– Report Breaches and Liability
BAA: Safeguarding Data
• ClearDATA and our subcontractors (such as AWS) must:
– Assess risk and implement the safeguards, policies, and procedures.
– Conform and comply with the HIPAA Rules.
– And ensure that our service providers do the same!
Risk Management cycle: Assess → Evaluate → Manage → Measure
Askew
If you search for “Askew” in Google, the content will tilt slightly to the right.
Breach Notification
• CE/BA must investigate any and all legitimate potential breaches of unsecured PHI.
• Investigation Process:
– Isolate
– Investigate
– Remediate
– Report
Unsuccessful Security Incidents / Breaches of less than 500 records → Internal Logging
Successful Security Incidents / Breaches of more than 500 records → External Reporting
Meaningful Use: Basic Requirements
1. Use of certified EHR in a meaningful manner (e.g., e-prescribing)
2. Use of certified EHR technology for electronic exchange of health information to improve quality of health care
3. Use of certified EHR technology to submit clinical quality measures (CQM)
4. Meaningful Use is how the EHR is used. This is the responsibility of providers with assistance from local, area, and national staff
Use vs. Meaningful Use
(Image: “Pumpkin” next to “Pumpkin Used Meaningfully”)
Meaningful Use timeline
2009: HITECH Policies
2011: Stage 1 – Capture/Share Data
2014: Stage 2 – Advanced Care Processes w/ Decision Support
2016: Stage 3 – Improved Outcomes
Objective: 45 CFR 164.308 (a)(1)
SRA Objectives: Core 9 Meaningful Use
• Assessment of the Administrative, Physical and Technical Safeguards per Security Rule.
• Review of physical computing environment.
• Interrogation of security software & protocols.
• Assessment of electronic transmission procedures for PHI.
• Assess vulnerabilities to the confidentiality, integrity and availability of ePHI.
Review of Safeguards
1. Administrative
2. Physical
3. Technical
4. Organizational
OCR Audit Protocol
1. New & Stricter Requirements
2. Preventative Measures
3. Written Policies & Procedures
4. Management Accountability
5. Significant Documentation
ClearDATA’s SRA Meets OCR Audit Protocol
SRA Urgency
• Important to Avoid Security Breaches & Fines
• Required to Receive Incentive Funding
• Meaningful Use Requirement
• Required Regularly or When Systems Change
Source: https://cybersponse.com/data-breaches-by-the-numbers
The Attack
Breaches by Business Associates
1. January 2014 - Blue Cross Blue Shield of New Jersey: Loss of data affecting 839,711 individuals. A laptop was stolen – there was no encryption.
2. January 2014 - Triple-C, Inc.: Theft of data affecting 398,000 individuals. A network server was stolen – there was no encryption.
3. May 2014 - Sutherland Healthcare Solutions, Inc.: Thieves stole eight computers from Sutherland’s Torrance, Calif. office. They got away with the medical records of 342,197 individuals. There was no encryption.
4. August 2014 - Community Health Pro-Services Corporation: Unauthorized access. In a legal dispute with Texas HHS, Xerox removed patient records from servers and hard drives and permitted other parties to view the records of 2,000,000 individuals.
5. December 2014 - Senior Health Partners: Theft of 2,700 records after a laptop and mobile phone belonging to a registered nurse employed by its business associates were reported stolen.
Value of PHI
2% – Credit report was accessed or modified
29% – Obtain healthcare services or treatments
28% – Obtain prescription drugs or medical equipment
26% – Obtain government benefits, including Medicare or Medicaid
11% – My healthcare records were accessed or modified
2% – Obtain fraudulent credit accounts in my name
2% – Don’t know
Why Breaches Are Occurring
Hackers have incentive and opportunity
A single stolen password tends to access multiple accounts
Selling personal information has become a profitable global enterprise
Weak passwords and authentication are a big part of that opportunity.
The Aftermath
• Identity Theft
• Espionage
• Future Attacks
• Money Spent
• Reputations Lost
HIPAA Fines and Penalties
Violation Category                Each Violation        All Identical Violations per Calendar Year
Did Not Know                      $100 - $50,000        $1,500,000
Reasonable Cause                  $1,000 - $50,000      $1,500,000
Willful Neglect – Corrected       $10,000 - $50,000     $1,500,000
Willful Neglect – Not Corrected   $50,000               $1,500,000
How Much This Graph Reminds Me of Mr. T
(Chart annotations: “Reminds me of Mr. T”; “Still kind of reminds me of Mr. T”)
More Learning Objectives
Understand Cloud challenges for healthcare and how we solve for them
Review how to use the Cloud to overcome security challenges
Discuss trends in the Cloud, such as Multi-cloud
The AWS overlay and its drivers
Understand how to get the best out of both worlds – HIPAA Managed Services + Multi-cloud
Review a real-world example – case study
The Cloud’s Role in Transforming Healthcare
• Data Aggregation: Centralized, high-performance access
• Agility / Speed: Speed & flexibility to implement new services
• Simplicity: No hardware, no software, no new staff
• Reduce Costs: Lower costs, no capex, pay as you grow
• Security: 70% less breach, HITRUST certified
• Reliability / Scalability: Greater uptime/redundancy, SLAs, scalability
Healthcare IT Transformation Challenges: Problems We Solve
• Aging infrastructure
• Maintenance costs
• Support costs
• Standardization
• Virtualization
• Scalability / Reliability
• Capital & Personnel Constraints
~50% of Challenges in IT Operations and Maintenance?
Aging Infrastructure, Support and Maintenance?
Healthcare IT Complexity Increasing? HIT Know How?
Lack of IT Visibility: Utilization of Systems, Applications, Data?
Security & Compliance by Application
• Visibility, What is Secure?
• Compliancy by App
• Maintaining HIPAA IT Policy and Procedures
• Annual Risk Analysis
75% Reduction of Breach Potential
• Application sprawl
• Data sprawl
• Image / archive
• Intelligent storage
• Backups / DR
• Agility
• Impeding Innovation
• BYOD
• Adoption of Advanced Apps
Innovation Throttles to ~30%?
• Multiple IT Portals
• Increased Regulatory Compliance
• IT Transformation Tech: Wireless, BYOD, Telemedicine, Cloud, Analytics
Reduce IT Complexity by ~50%
ClearDATA: The Vision for Transformation
STORE: fix and modernize the infrastructure, store HC applications and data
MANAGE: healthcare IT infrastructure, network, security
PROTECT: secure patient data, data lifecycle management
SHARE: organize, normalize, access & share healthcare data
BAA Covered AWS Services
ClearDATA Healthcare Managed Platform: HealthDATA™ Cloud Suite
• HealthDATA™ Security & Privacy
• HealthDATA™ Management
• Healthcare IT Service & Support
ClearDATA Enhanced Security, Compliance & BAA
• Risk Assessment, Policy Development, Advisory Services
• Hardened Hosting, Complete Encryption, HC PaaS Portal/API
• Scalable Hosting, Flexible Interchange, HC Analytics
• 24 x 7 Support, Compliance Trained, HIT ProServ
Gov Healthcare, Physicians, Medical Devices, Life Sciences, Hospitals, Healthcare Software
Compute, Data Storage, Network Services, App Services
What AWS services could be BAA covered today?
• DynamoDB – NoSQL Cloud Database Service
• Elastic Block Store (EBS)
• Elastic Compute Cloud (EC2)
• Elastic Map Reduce (EMR)
• Elastic Load Balancer (ELB)
• Glacier
• Relational Database Service (RDS)
• Redshift – Cloud Data Warehouse
• Simple Storage Service – S3
Managed Service overview
Capability | Customer | ClearDATA | ClearDATA with AWS
Application development, deployment & monitoring X Option
Compliance Scorecard X
Cloud Infrastructure Healthcare Architecture, Optimization & Support X
On demand Security Risk Assessments X
Quarterly Vulnerability Scanning X
Breach detection, notification & remediation X
PHI and other data Encryption at rest and in motion including key management access X
Intrusion Detection X
OS deployment, hardening, patching X
Managed Backup configuration & management X
VPN & Firewall configuration & management X
Anti-virus configuration & management X
Infrastructure Ecosystem X
Infrastructure Development, Availability, Scaling, Security X
Geo Diversity & Physical security X
ClearDATA, 1600 W. Broadway Road, Tempe, AZ 85282 | Ph: (888) 899-2066 | [email protected] | www.cleardata.com
Healthcare Infrastructure That is Controlled, Managed, and Optimized By Our HealthDATA™ Platform
Key Benefits
• Healthcare specific portal for all managed services
• Cloud automation, templates & HIPAA compliant dashboard
• API for direct access to ClearDATA configured AWS services
HealthDATA™ HIT & Cloud Management Platform
• Centralizing management across ClearDATA products
• Secure support request management
• ITIL-Aligned Configuration Management Database
• Deploy AWS environments with Cloud Formations
• View billing and invoice information
• Security hardened AMIs for common services
Questions
Thank You
For additional information please contact:
Joseph Vadakkan, Solution [email protected]