Hipaa sECURITY

1
Hipaa sECURITY

• How not to get lost in the Big Ocean of Portable
  Electronic Health Records Riding the Wave of
  Digital Health Information

Gary Beatty President EC Integrity,
Inc Vice-Chair ASC X12
Spring Conference April 4, 2008
2
Influencing the move to eHealthcare

• Need to reduce the cost of health care
• Increase quality of health care
• Consumer driven health care
• Online health records
• Payer support for community health records
• Transparency in health care
• Pay for performance programs
• Governmental

3
Terminology
EMR
HR
EHR
PHR
CCR
Acronyms
Hybrids
PHI
4
Terminology

• Health Records (AHIMA)
• The legal business record for a healthcare
  organization.
• Individually identifiable information
• Any medium
• Collected, processed, stored, displayed

5
Terminology

• Health Records contain
• Diagnosis
• Medications
• Procedures
• Problems
• Clinical Notes
• Diagnostic Results
• Images
• Graphs
• Other items deemed necessary

6
Terminology

• Health Records
• Support continuity of care
• Planning patient care
• Provides planning information
• Resource allocation
• Trend analysis
• Forecasting
• Workload management
• Justification for billing information

7
Terminology

• Electronic Medical Record (EMR) (HIMSS)
• An application environment composed of
• Clinical Data Repository (CDR)
• Clinical Decision Support (CDS)
• Controlled medical terminology
• Order entry
• Computerized provider order entry
• Pharmacy
• Clinical document applications
• Enterprise support
• Inpatient and Outpatient
• Use to document, monitor and manage delivery of
  health care
• Electronic Medical Record (EMR) (HIMSS)
• The EMR is the legal record
• Owned by the Care Delivery Organization (CDO)

8
Terminology

• Electronic Health Record (EHR) (HIMSS)
• Longitutal electronic medical record across
  encounters in any care delivery setting.
• Resource for clinicians
• Secure
• Real-time
• Point-of-care
• Patient centric information source
• Aids collection of data for other uses
• Billing
• Quality management
• Outcomes reporting
• Resource planning
• Public health disease surveillance
• Reporting

9
Terminology

• Electronic Health Record (EHR) (HIMSS)
• Includes
• Patient demographics
• Progress notes
• Problems
• Medications
• Vital signs
• Past medical history
• Immunizations
• Laboratory data
• Radiology reports

10
Terminology

• Electronic Health Record (EHR) (HIMSS)
• Automates / streamlines clinicians workflow
• Complete record of clinical encounter
• Supports other care-related activities
• Evidence-based decision support
• Quality management
• Outcome reporting

11
Terminology

• Personal Health Record (PHR)
• Created by the individual
• Summarizes health and medical history
• Gathered from many sources
• Format of PHR
• Paper
• Personal computer
• Internet based
• Portable storage

12
Terminology

• Continuity of Care Record (CCR)
• Patient Health Summary Standard
• ASTM / MMS / HIMSS / AAFP / AAP co-development
• Core health care components
• Sent from one provider to another
• Includes
• Patient demographics
• Insurance information
• Diagnosis and problem
• Medications
• Allergies
• Care plan

13
Terminology

• Hybrid Health Record
• Both
• Paper health records
• Electronic health records

14
Terminology

• Protected Health Information (PHI)
• Any health care information linked to a person
• Health Status
• Provision of Health Care
• Payment of Health Care
• Includes

• Names
• Geographic subdivision smaller than a state
• Dates related to an individual
• Phone Numbers
• Fax Numbers
• Email Addresses
• SSN
• Medical Record Numbers
• Beneficiary Numbers
• Account Numbers
• Certificate/license numbers

• Vehicle identifiers and serial numbers
• license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers
• Finger
• voice prints
• Full face photographic images and any comparable
  images
• Any other unique identifying number,
  characteristic, or code

15
Security Concerns

• Privacy
• Can anyone else read it?
• Authentication
• How do I know who sent it?
• Data Integrity
• Did it arrive exactly as sent?
• Non-repudiation of receipt
• Can the receiver deny receipt?
• How do I know it got there?
• How do I track these activities?

16
Modes of Communication

• Internet / Intranet
• Wired
• Wireless
• Wifi (802.11a, b, g, i, n)
• Bluetooth (Personal Area Network - PAN)
• VoiP
• Dial-up
• Mobile Devices
• Smart Phones
• Mobile Standards (GSM, GPRS, etc.)
• PDA
• Tablet PCs
• Physical Media
• Magnetic, optical, flash (thumb drives), others

17
Wireless Security

• RC4 (ARC4 /ARCFOUR) Stream Cypher (easily
  broken)
• Secure Sockets Layer (SSL)
• WEP Wire Equivalent Privacy
• WPA WiFi Protected Access
• WPA2 (based upon 802.11i)
• Data Encryption Standards (DES)
• Advanced Encryption Standards (AES)
• Government strength encryption

18
Internet Security

• Firewall machines
• IP address selection
• ID Passwords
• Security techniques
• Encryption
• Digital Signatures
• Data Integrity Verification
• Non-repudiation
• Trading Partner Agreements (TPA)

19
Symmetric Key(Private)
CYPHERTEXT
ENCRYPT
DECRYPT
PLAINTEXT DOCUMENT
PLAINTEXT DOCUMENT
PROVIDER
PAYER
PRIVATE KEY
20
Symmetric Key(Private)

• n (n-1) / 2 keys to manage
• 100 users would require 4950 keys
• Key size 128 bits
• Generally considered fast

Gary
Alice
Julie
Karen
Frank
Erin
Dale
Mary
21
Asymmetric Keys (Public/Private)PKI
CYPHERTEXT
ENCRYPT
DECRYPT
PLAINTEXT DOCUMENT
PLAINTEXT DOCUMENT
PROVIDER
PAYER
PAYERS PUBLIC KEY
PAYERS PRIVATE KEY
22
Asymmetric Keys (Public/Private)

• n key pairs needed for n partners
• key size (128, 768, 1024, 2048 bits)
• Generally considered slower
• What happens if you lose your key?

Gary
Alice
Julie
Public Key Directory
Karen
Frank
Gary Mary E Alice Dale F Frank
Karen G Erin Julie H
Erin
Dale
Mary
23
AuthenticationDigitized vs. Digital Signature

• A digitized signature is a scanned image
• A digital signature is a numeric value that is
  created by performing a cryptographic
  transformation of the hash of the data using the
  signers private key.

Ö m25_ __ò_5wA___enru\½PÑ7qGß__
Ae_7?ââ-áH-90Y åú'Ælt_8óXpìÉ_V1ª
Gary A. Beatty ltgaryb_at_eci.comgt
24
Data Integrity

• Part of the digital signature process
• A secure one way hashing algorithm used to create
  a hash of the data

Provider B
PROVIDER A
Encoded
Cypher
Cypher
Encoded
EHR
EHR
PROVIDER A PRIVATE KEY
PROVIDER A PUBLIC KEY
Provider B PRIVATE KEY
Provider B PUBLIC KEY
25
Applicability Statement StandardsEDIINT
Workgroup of IETF

• AS1 Applicability Statement 1
• Email exchange of electronic transactions
• S/MIME Secure Multi-Purpose Internet Mail
  Extensions
• Uses SMTP (Simple Mail Transfer Protocol)
• Satisfies Security Requirements
• Encryption
• Authentication
• Integrity
• Non-repudiation
• Whats needed
• Email capability
• Electronic Transaction
• Digital Certificate

26
Applicability Statement StandardsEDIINT
Workgroup of IETF

• AS2 Applicability Statement 2
• HTTP exchange of electronic transactions
• S/MIME Secure Multi-Purpose Internet Mail
  Extensions
• Uses HTTPS
• Hypertext Transfer Protocol over Secure Socket
  Layer
• Allows for REAL TIME delivery
• Satisfies Security Requirements
• Encryption
• Authentication
• Integrity
• Non-repudiation
• Whats needed
• Web Server (static IP address)
• Electronic Transaction
• Digital Certificate

27
Applicability Statement StandardsEDIINT
Workgroup of IETF

• AS3 Applicability Statement 3
• FTP exchange of electronic transactions
• S/MIME Secure Multi-Purpose Internet Mail
  Extensions
• Uses FTP File Transfer Protocol
• Allows for REAL TIME delivery
• Satisfies Security Requirements
• Encryption
• Authentication
• Integrity
• Non-repudiation
• Whats needed
• FTP Server
• Electronic Transaction
• Digital Certificate

28
Digital Certificates

• Electronic Credit Card
• Establishes Credentials for electronic
  transactions
• Issues by Credential Authority
• Name
• Serial Number
• Expiration Dates
• Certificate Holders Public Key
• Digital Certificate of Certification Authority
• Verified by Registration Authority
• X.509 Standards
• Registry of Digital Certificates
• Access with HIPAA Identifiers

29
Security Weak Links

• We can secure transmission of data!
• Weakest link usually when data is
• AT REST!
• Paper
• On the screen
• Waste baskets
• Physical Security
• Building access
• Data Center access
• Electronic Security
• Screen Savers
• Auto Logoff

30
Thank you
Gary Beatty President EC Integrity,
Inc Vice-Chair ASC X12
Spring Conference April 4, 2008