AMC Security and Privacy Conference: Daily Track Report

1
AMC Security and Privacy Conference Daily Track
Report

• Security Track
• Rob Adams and Gordon Apple

2
AKA Butch and Sundance!
3
Sessions Being Reported On

• E-mailing ePHI
• Risky Business Analyzing Your AMCs Security Risk
• Authentication Traditional Innovative
  Techniques

4
E-mailing ePHI

• Two portals one content filtering
• One portal integrated with EMR
• Vanderbilt - high value beyond e-mail to promote
  acceptance
• Process - move from intra-department to
  inter-department to patient messaging
• Mapped to triage system - common basket approach
• Penn - Content filtering - transparent to end
  user using lexicon to trigger encryption

5
E-mailing ePHI

• Recipient options
• Between clients (institutions)
• Between clients ( providers)
• SSL - pull technology
• Authentication challenges
• No physical presentation of credentials
• Shared recipient accounts
• UConn - portal approach
• Desire to leverage IDX patient data
• E-mail notification of mail in portal
• Proxy MD authentication to internal directory

6
Risky Business - Analyzing Your AMCs Security
Risk

• Can delegate authority but not responsibility
• Need enterprise approach
• You get what you inspect, but not what you
  expect!
• IT Security posture establishes confidence with
  patients
• Need to map beyond HIPAA
• Identification of reasonably anticipated risks
  dependent on robust process

7
Risky Business - Analyzing Your AMCs Security
Risk

• Balkanization is a major challenge!
• System configuration debates
• Vendor relationships
• Resources dependent on senior management
  commitment
• Can lead a horse to water, but you cant make it
  drink!

8
Authentication - Traditional and Innovative
Techniques

• Diverse users - doctors, nurses weird people!
• Need to track across systems
• Need to track role changes
• Ability of AMC to absorb change
• Data Steward policy approach
• Responsibility for safeguards at the lowest
  levels
• If you access the network, YOU are a data
  steward!

9
Authentication Traditional and Innovative
Techniques

• Authentication challenge - wetware interface!
• Trust me, I have my own security methodology
• We dont know what we dont know.
• Application or database layer
• User ID Password
• Certificates for select applications
• Domain level
• Active directory
• Becoming single point of turn-on/disconnect

10
Authentication Traditional and Innovative
Techniques

• Authentication to network is a hot button
• Not 100
• Single sign-on..a career, not an initiative
• Goalone identity, one password, one entitlement
  repository

11
Authentication Traditional and Innovative
Techniques

• One identity
• Unique user ID
• Central directory
• One password
• Closestandardize on two authentication sources
  LDAP AD
• Small victorymajor clinical applications
• One entitlement repository
• Policy and standards
• Still looking for methods/applications

12
Authentication Traditional and Innovative
Techniques

• Put responsibility on HR to initiate process of
  hire, change, terminationsprovides the feed to
  IT.
• Challenge - within 6 months4600 transients!