Information Security Risk Management in Biomedical Equipment

Page 1: Information Security Risk Management in Biomedical Equipment

www.acesummitandexpo.com

Facilities and Clinical Engineering Track: Addressing Risk Management in Biomedical Equipment

January 14, 2013

Bart Hubbs - Chief Information Security Officer, FMOL Health System
Bud DeGraff - GM, Diagnostic & Clinical Services, GE Healthcare

Page 2

Overview

• Biomedical devices have evolved from largely stand-alone units to digitally integrated data collection and delivery systems.

• This evolution has improved and streamlined patient monitoring and subsequent care by delivering actionable patient data to the right caregivers.

• The same streamlined collection and delivery of patient data has also increased risk in other areas.

• Making a good “partnership”: identifying impact and likelihood, with a focus on controls and mitigation tools/approaches.

Page 3

What is Risk?

• Risk can be viewed as the intersection of the impact and the likelihood of a negative occurrence.

(Risk = Impact x Likelihood)

• Impact is experienced as loss of confidentiality, integrity, and/or availability of data.

• Likelihood of loss decreases as controls are strengthened and increases as weaknesses are introduced or left unaddressed.

Page 4

What is Risk Management?

• Risk management can be viewed simply as bringing risk to a level that falls within organizational risk tolerance.

• Management activities include adjusting likelihood and/or impact.

• Risk management also includes compliance with federal, state, and industry requirements (examples: HIPAA, PCI-DSS, SOX, GLBA, FERPA, etc.).

Page 5

HIPAA and “Protected Health Information”

• U.S. Federal Regulations

• PHI is generally defined as individually identifiable health information that is:

– Created or received by a health care provider, health plan, employer, health care clearinghouse, or business associate; and

– Related to an individual's past, present or future physical or mental health or condition, the provision of health care to an individual, or payment for the provision of health care to an individual.

Page 6

Why is the term “PHI” important?

• When data classified as PHI is held or transmitted in electronic form by one of the entities defined above, the HIPAA Security Rule applies.

• Electronic PHI is often referred to as ePHI.

• Risk management activities are then structured around the HIPAA Security Rule.

• Risk management/mitigation actions are generally focused on reducing likelihood.

• However, they can also be focused on reducing impact, via data de-identification.

Page 7

De-Identified Health Information

• Does not identify, nor provide a reasonable basis to identify, an individual.

• Not considered PHI: there are no restrictions on the use or disclosure of de-identified health information.

• Two ways to de-identify information:

− Remove certain specified identifiers; or

− Obtain a formal determination by a qualified statistician.
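The “remove certain specified identifiers” route is the HIPAA Safe Harbor method, which the slide does not spell out. The Python below is an added example, not part of the presentation or any vendor's software, showing a default-deny de-identification of one patient record: direct identifiers are dropped because they are not on an allow-list, dates directly related to the patient are reduced to the year, the ZIP code is cut to its first three digits (or 000 for a low-population area), ages over 89 are collapsed to a single 90+ bucket, and free-text notes get a best-effort scrub. The field names, the sample record and the low-population ZIP set are constructed assumptions; the real low-population list is derived from Census data and must be supplied by the implementer.

```python
"""Safe Harbor style de-identification of one patient record.

Added example, not from the presentation. Field names, the sample record and
the low-population ZIP set are constructed assumptions for illustration.
"""
import re
from datetime import date

# Fields retained unchanged: clinical content with no identifying value (assumed names).
KEEP_AS_IS = {"diagnosis_code", "device_type"}
# Dates directly related to the individual: Safe Harbor allows only the year to survive.
DATE_FIELDS = {"admit_date", "discharge_date"}
# Three-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# Illustrative placeholder set (assumption); the real list comes from Census data.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}
# Reference date for age calculation; the presentation date is used here.
AS_OF = date(2013, 1, 14)

# Patterns for the identifier types most often found in free-text notes.
_TEXT_PATTERNS = [
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
]


def generalize_zip(zip_code):
    """Keep the first three digits of a 5- or 9-digit ZIP; low-population prefixes become '000'."""
    m = re.fullmatch(r"\s*(\d{3})\d{2}(?:-\d{4})?\s*", zip_code or "")
    if not m:
        return ""
    zip3 = m.group(1)
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def year_only(iso_date):
    """Reduce an ISO date (YYYY-MM-DD) to its year; unrecognised formats are dropped."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", iso_date or "")
    return m.group(1) if m else ""


def age_bucket(iso_dob, as_of):
    """Age in whole years on as_of; ages over 89 collapse into the single bucket '90+'."""
    y, mo, d = (int(p) for p in iso_dob.split("-"))
    age = as_of.year - y - ((as_of.month, as_of.day) < (mo, d))
    return "90+" if age > 89 else str(age)


def scrub_free_text(text, known_identifiers):
    """Best-effort scrub: remove identifiers already known from the record, then
    date, phone and e-mail patterns. Pattern matching cannot guarantee that free
    text is de-identified, so treat the result as input to human review."""
    for ident in known_identifiers:
        if ident:
            text = text.replace(ident, "[NAME]")
    for pattern, token in _TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record, as_of=AS_OF):
    """Default-deny transformation: a field survives only if it is explicitly
    retained, generalized or scrubbed. Unlisted fields (name, MRN, SSN, phone,
    device serial numbers, ...) are dropped without having to be enumerated."""
    out = {}
    for key, value in record.items():
        if key in KEEP_AS_IS:
            out[key] = value
        elif key in DATE_FIELDS:
            out[key + "_year"] = year_only(value)
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            out["age"] = age_bucket(value, as_of)
        elif key == "note":
            out["note"] = scrub_free_text(value, [record.get("name", "")])
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Patient",
    "mrn": "MRN-0048213",
    "dob": "1921-04-12",
    "zip": "03601",
    "admit_date": "2012-11-03",
    "discharge_date": "2012-11-07",
    "device_serial": "SN-77A1",
    "device_type": "bedside patient monitor",
    "diagnosis_code": "I50.9",
    "note": "Pt Jane Q. Patient seen 2012-11-03; call 555-123-4567 re follow-up.",
}

if __name__ == "__main__":
    for k, v in deidentify(SAMPLE_RECORD).items():
        print(f"{k}: {v}")
```

The allow-list design is the point: a deny-list of identifier fields silently leaks any field nobody thought to list (a device serial number added by a firmware update, for instance), whereas here a new field is dropped until someone decides it is safe. Free text remains the weak spot; the regex scrub catches obvious dates, phone numbers and e-mail addresses, but a note can still name a relative or describe a unique injury, so notes should be reviewed or withheld rather than trusted to pattern matching.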

Page 8

ePHI Confidentiality Loss and Impact

• HITECH raised the importance of ePHI protection through its breach notification requirements.

• HITECH was enacted as part of the American Recovery and Reinvestment Act.

• A single breach can cost millions.

• Reputation-related costs can be significant.

• Mitigation is increasingly important with EHR adoption in hospitals and the growing number of “systems of systems” that carry ePHI.

Page 9

Business Associates and HITECH

• HITECH also establishes that “business associates” are directly required to comply with the HIPAA Security Rule.

• Previously, “business associate” compliance with the HIPAA Security Rule was established only by contract with the covered entity.

Page 10

What are “Covered Entities” and “Business Associates”?

• Covered Entities (“CE”) -- health plans, health care clearinghouses and most health care providers.

• Business Associates -- third parties who perform, or assist a Covered Entity in performing, a function or activity.

Page 11

Understanding Risk – Information Sources

• MDS2 -- Manufacturer Disclosure Statement for Medical Device Security. Link: www.himss.org/content/files/MDS2FormInstructions.pdf

• Vendor SMEs -- subject matter experts from the vendor can provide a better understanding of the information stored or transmitted by the device.

• Vendor Manuals -- many are online and provide detailed information about data, controls and configurations.

Page 12

Reducing Risk – Management Levers

Impact levers:

• ePHI element reduction (limited data-set)

• Data de-identification

Likelihood levers:

• Administrative controls: policies, security awareness, incident response procedures

• Physical controls: building and zone controls, inventory management, workstation/storage controls, device disposal

• Technical controls: access controls, encryption, user management

Page 13

Employee Awareness Training

• Consider assigning a named person to actively manage PHI in the hospital, whether from Biomed, IT, or Risk Management.

• Define clearly what PHI is in new-hire and ongoing training.

• Explain how to de-identify data and which types of data must not be displayed.

• Service Procedures Manual wording: “In the normal course of performing services for our Customers, Employees may come into contact with protected health information (PHI). PHI is specific information about an individual patient …. This information is often encountered on display monitors, in storage media such as hard drives. You must take every means possible to secure this information.”

Page 14

IT Specifics & Mitigation Tools

• Today's hospital is an internet of devices, a system of systems.

• Networks are at risk if not protected. Wireless clinical applications and guest Wi-Fi for patients and visitors are potential risk areas.

• Real-time location tracking solutions make it faster to find all equipment, improve compliance tracking, and speed up incident response.

• Vendor technologies such as phone-home functionality that enable service requests or proactive service should be designed to anonymize data where possible, to avoid unnecessary exposure of PHI.

Page 15

PHI Threats/Areas of Concern

Page 16

Proactive Incident Response

• IT and Risk Management should both have data breach plans.

• When you work with vendors, ensure that a Business Associate Agreement is in place to protect the privacy of PHI, including legal indemnification.

• Service Procedures Manual: “In the event that an information system has been compromised in such a way that unauthorized individuals, either at a customer’s site or at a business associate’s location, could access PHI, you must report the event immediately. Reports of events shall be made via the Concern and Incident Reporting Portal at the Security and Crisis Management Center.”

Page 17

Common Issue Areas

• Not having a “robust, living” Risk Management plan for both the facility and the vendor.

• Not having clearly drawn partnership lines between hospital-system and vendor responsibilities: which areas carry risk, and how each is controlled or mitigated.

• Device security configurations that are undocumented and inconsistent. Not all vendors are created equal in the security space.

• Lack of facility and vendor engagement in developing controls for biomedical equipment.

Page 18

The Future of PHI

• Today the industry relies largely on human controls, with each site responsible under HIPAA for managing PHI on its own equipment.

• Software is being developed to automatically wipe equipment clean of PHI.

• In the future, control of PHI will be a built-in pillar of IT operations and of default device configurations.

• Covered Entities and Business Associates will demand risk mitigation because of enhanced fines and the ongoing cost of breach notification.

Page 19

Addressing Risk Management in Biomedical Equipment

Questions

Bart Hubbs - Chief Information Security Officer, FMOL Health System
Bud DeGraff - GM, Diagnostic & Clinical Services, GE Healthcare