Session #9, HIMSS10 presentation (Nanji), revised and final, as sent to HIMSS
TRANSCRIPT
SECURING MEDICAL RECORDS: Advanced approaches for monitoring and logging
(917) 434 2857
Conflict of Interest Disclosure
Feisal Nanji, MPP
Has no real or apparent conflicts of interest to report.
Are we still in Kansas?
• Simple
• Organized
• Safe
Not simple…
Not organized…
Not safe… The Wicked Witch
Not Safe -- Data Records Compromised: 2000-2007 (chart)
Source: Perimeter Security, A Comprehensive Study of Healthcare Data Security Breaches In the United States From 2000-2007
Even the best find it tricky to monitor…
• Kaiser Permanente:
 – July 2009: California regulators fined Kaiser Permanente's Bellflower Hospital an additional $187,500 for failing to prevent unauthorized access to confidential patient information.
 – May 2009: Kaiser fined $250,000 after 21 employees and two doctors looked at a mother's records without authorization.
• Cleveland Clinic:
 – A clinic employee stole personal information from electronic files and sold it to her cousin, owner of Advanced Medical Claims, who used it to file fraudulent Medicare claims totaling more than $2.8 million.
Advanced logging and monitoring for Health Information
• CONTEXT
• WHAT WE NEED
• THE SOLUTION

CONTEXT
CONTEXT in 2010
• At the cusp of massive growth in Health Information
• Sophistication of security attacks
• Impact of "meaningful use"
• Compliance landscape

Exponential Growth in transactions (chart)
Massive Growth in Health Information Exchange
• Electronic Health Care records: new push by President Obama (ARRA, HITECH Act)
• Stark Law exceptions, coupled with stimulus money, extend information to affiliated physicians and other third parties
• Local and State HIEs are growing rapidly; the Federal NHIN is on its way, and "data exchange" is a component of meaningful use
• The end of silos: end-to-end clinical decision systems
• Remote medical diagnosis and treatment

Metaphor: a leaky house
Data Breach types (1)
• A hacker breaking in and downloading sensitive data
• A system (or systems) being infected with malicious software that captures, sends, or otherwise puts sensitive data into criminal hands
• A social-engineering technique whereby employees or other insiders are tricked into exposing sensitive information
• A theft of computer systems, devices, or storage media that have sensitive data stored

Data Breach types (2)
• Sending sensitive information in e-mail
• Posting sensitive information to a public forum, such as a Web site
• A computer glitch or a poorly written application exposing sensitive data
• Lost laptops or media
Breaches… we are not in Kansas
Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation
Prepared for The US-China Economic and Security Review Commission
"The Chinese have adopted a formal IW strategy called "Integrated Network Electronic Warfare" (INEW) that consolidates the offensive mission for both computer network attack (CNA) and EW under People's Liberation Army (PLA) General Staff Department's (GSD) 4th Department (Electronic Countermeasures)"
Sophistication of Security attacks
• Multiple vectors
 – Applications / Operating systems / Network / Web interface / DBMS
 – Internal versus external
• Coordinated attacks
 – Malware, Password Harvesting, Distributed Denial of Service
• Microsoft's lesson
Impact of "Meaningful Use"?
1. Improve quality, safety, efficiency, and reduce health disparities
2. Engage patients and families (giving them access to data)
3. Improve care coordination among health providers, insurers and other actors
4. Improve population and public health
5. Ensure adequate privacy and security protections for personal health information

"Meaningful use" -- Core Security and Privacy Issues
• Who needs to look at health records?
• Who actually has access to health records?
• Who has seen these health records?
Stringent Compliance looms…
• New requirements under the stimulus bill (ARRA / HITECH) are stringent:
 – "Meaningful use"
 – Breach notification
• Federal Trade Commission "Red Flag" rules effective June 1, 2010
• States also tightening: California and Massachusetts impose penalties for violations

Physicians subject to the Red Flag rule if:
• Physicians do not require full payment up-front at the time they see patients, but rather bill patients after the physician's services are rendered
• The patient is ultimately responsible for medical fees (as is routinely the case with respect to co-pays, deductibles, or services not covered by insurance)

So what do we need?
Solving the problem...
• Complicated environment (increasingly networked; multiple systems and devices)
• Misuse of "authorized" access
• Providing the right information in near real-time
• Reporting and alerting
• It is not enough to track how one system is being used; we must see how it is being used together with other systems to cause damage
"Simplified" view of information exchange (diagram; nodes shown):
• Eligibility verification
• Admission, Discharge or Transfer
• Resource scheduling
• Coding and billing
• Diagnosis and patient history
• Lab requisition and information
• Follow-up care and referrals
Possible Misuse Cases
• A father accessing his future son-in-law's records for incriminating information
• A divorced woman looking at her ex-husband's information for ammunition in a custody battle
• Clinicians reading the records of a detested neighbor
• Clerical workers selling celebrity information to the media

Reporting and Alerting
• Rapid response (including real-time)
• Reducing false positives
• Ad hoc
• Intelligent pattern recognition
SOLUTION

SOLUTION:
Create a proactive organization in:
• Security and privacy compliance
• Ancillary benefits:
 – Systems management
 – Application tuning and troubleshooting
Log management Basics
• Collection
• Analysis (Normalization, Indexing and Correlation)
• Event management and reporting
• Configuration
• Storage
Collection
• What logs to collect?
• Handling distributed collection requirements
• Compression needs?
• Back-up and recovery design
Normalization
• Time synchronization
• Different naming conventions
• Log formats
• Structured versus unstructured data
Indexing
• Allows for faster retrieval (best example: Google)
• Indexing unstructured data
• Indexing tradeoffs:
 – Before or after normalization
 – Number of indexing parameters
Correlation
• Creating "patterns" out of what may look like unrelated activities
• Developing actions for responding to malicious patterns:
 – Automated reporting
 – Deny access or authorization
 – Monitor suspicious behavior
Event Management and Reporting
• What defines an "event"? Separating noise from insight
• Exception reporting
• Compliance
• Regularly scheduled reports
• Custom and ad hoc reporting
Configuration
• What is a normal system? (Baseline)
• What systems do we need to log, and why?
• Encryption requirements (at rest and in transit)
• Local and archival storage, retrieval
• Frequency of collection, transmission, analysis and reporting
Storage
• What is enough storage?
• Is storage secure?
• Retention period
• When to apply forced deletion?
• Legal custody protection
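One way to address the Storage questions above (secure storage, a retention period, forced deletion, legal custody protection), as an added example that is not from the presentation: each stored record carries the SHA-256 hash of the record before it, so an in-place edit or a deletion in the middle of the retained range breaks the chain, while expiry from the oldest end keeps the remainder verifiable by moving the anchor hash forward. The six-year retention value, the record layout, the ChainedLog/tamper/demo names and the legal_hold flag are assumptions made for this example.

```python
"""Tamper-evident log storage with retention-based expiry and a legal hold.
Added example; record layout, retention value and the hold flag are assumptions."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64                      # anchor for an empty chain
RETENTION = timedelta(days=6 * 365)     # assumed retention policy, not from the deck


def _utc(ts):
    """Parse an ISO-8601 timestamp (offset or trailing Z) to a UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


class ChainedLog:
    """Append-only record store where every record commits to its predecessor."""

    def __init__(self):
        self.records = []        # oldest first: {"ts", "body", "hash"}
        self.anchor = GENESIS    # hash the oldest retained record must point to
        self.legal_hold = False  # set while records are under custody/litigation

    def append(self, ts, event):
        prev = self.records[-1]["hash"] if self.records else self.anchor
        body = json.dumps({"ts": ts, "event": event, "prev": prev}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.records.append({"ts": _utc(ts), "body": body, "hash": digest})
        return digest

    def verify(self):
        """Return -1 if the retained chain is intact, else the index of the first
        record whose link or hash does not check out."""
        prev = self.anchor
        for i, r in enumerate(self.records):
            if json.loads(r["body"])["prev"] != prev:
                return i
            if hashlib.sha256(r["body"].encode()).hexdigest() != r["hash"]:
                return i
            prev = r["hash"]
        return -1

    def expire(self, now, retention=RETENTION):
        """Forced deletion of records older than `retention`, oldest first so the
        chain stays verifiable from the new anchor. Returns the count removed;
        does nothing while a legal hold is in place."""
        if self.legal_hold:
            return 0
        cutoff = _utc(now) - retention
        removed = 0
        while self.records and self.records[0]["ts"] < cutoff:
            self.anchor = self.records.pop(0)["hash"]
            removed += 1
        return removed


def tamper(log, index, new_event):
    """Simulate an attacker with write access editing one stored record and
    recomputing its own hash; the next record's `prev` link still exposes it."""
    r = log.records[index]
    fields = json.loads(r["body"])
    fields["event"] = new_event
    r["body"] = json.dumps(fields, sort_keys=True)
    r["hash"] = hashlib.sha256(r["body"].encode()).hexdigest()


def demo():
    """Build a small chain (constructed events), expire, hold, tamper, verify."""
    log = ChainedLog()
    log.append("2003-01-01T00:00:00Z", "user=clerk.a action=view mrn=1001")
    log.append("2009-06-01T00:00:00Z", "user=dr.b action=view mrn=1002")
    log.append("2010-03-01T00:00:00Z", "user=nurse.c action=view mrn=1003")
    before = log.verify()
    removed = log.expire("2010-03-02T00:00:00Z")   # 2003 record is past retention
    after_expire = log.verify()
    log.legal_hold = True
    held = log.expire("2030-01-01T00:00:00Z")       # nothing leaves under hold
    tamper(log, 0, "user=dr.b action=view mrn=9999")
    return {"before": before, "removed": removed, "after_expire": after_expire,
            "held": held, "after_tamper": log.verify()}


if __name__ == "__main__":
    print(demo())
```

The chain only protects records that have a successor: an attacker who can write to the store can still truncate the newest entries, so the latest hash needs to be anchored outside the store as well (shipped to a separate collector or periodically signed). Encryption at rest, listed under Configuration, is a separate control and is not shown here.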
Best Practices for Health Providers
• Security awareness program
• Form a tight relationship between IT and Compliance
• Separate "information security" from IT
• Audit excellence (Best Available Control technology)
Suggested Next Steps
1. Start small
 – Work to reduce the top 20 misuse cases
 – Segregate network devices, applications, users, locations
2. Develop a strategic view of logging
 – Audit requirements will increase exponentially
 – Involve Compliance and IT Audit; develop a coalition of the willing
3. Evaluate products from an "architectural" standpoint
Summary -- a good logging system:
• Rapidly identifies system misuse
• Reduces the hassle of collection
• Allows inputs from many sources
• Is efficient (e.g. limits bandwidth requirements, lowers storage)
• Can improve using newer, sophisticated algorithms, event triggers and rules
Advanced Logging and Monitoring is
• Secure
• Complex
• Compliant