Building Assurance through HIPAA and Safeguarding Health Information

8th Annual Safeguarding Health Information: Building Assurance through (HIPAA) Security Conference by the National Institute of Standards and Technology (NIST) and the HHS Office for Civil Rights (OCR), Sept 2-3, 2015

This conference offered sessions exploring security management and technical assurance of electronic health information. Presentations covered a variety of current topics including updates on the Omnibus HIPAA/HITECH Final Rule, breach management, business associate liability, managing 3rd party risk, securing medical devices, and more.

Jocelyn Samuels, Director, HHS OCR reported that OCR is hard at work planning the next phase of the audit program.  Focus will be on both Covered Entities and Business Associates.  Watch for an updated audit protocol to be posted soon.

Also look for new guidance this fall from OCR on 1) Accessing ePHI data, 2) Cloud requirements for HIPAA, and 3) Portal where developers can post questions to OCR.

$750K Enforcement Settlement announced September 2, 2015: Cancer Care Group P.C., a radiation oncology private physician practice, with 13 radiation oncologists serving hospitals and clinics throughout Indiana.  The breach was due to a stolen laptop bag with unencrypted backup media containing protected data for 55K cancer patients.  This settlement emphasizes the importance of risk analysis and device and media control policies.

Suzanne B. Schwartz, MD, MBA, Director Emergency Preparedness/Operations & Medical Countermeasures, Center for Device and Radiological Health (CDRH/FDA) – Medical Device Cybersecurity and why FDA cares.

Incidents and research-demonstrated exploits include VA Cath Lab temporary closure (1/10) due to malware infecting computers used during interventional cardiac procedures • “Hacking” of implantable insulin pump (Radcliffe, 8/11) • Security researchers present CDRH with cyber vulnerabilities of medical devices due to hardcoded passwords (Rios & McCorkle, 4/13) • Vulnerabilities identified in PCA and other Infusion Pumps (Rios, 5/14-6/15)

What’s next for Medical Device Cybersecurity? • Articulating Postmarket Expectations for Medical Device Cybersecurity – Total Product Lifecycle Approach for Safety and Security! • Adapting the NIST Framework for the Medical Device Ecosystem • Translating the Common Vulnerability Scoring System (CVSS) for medical devices and the clinical use environment • Promoting adoption of vulnerability disclosure policies with coordinated vulnerability disclosure & proactive vulnerability management.

Lucia Savage, Chief Privacy Officer, HHS Office of the National Coordinator for Health IT, ONC Updates

Excellent Resource:  Guide to Privacy and Security of Electronic Health Information, See Chapter 6: pull out guide to health IT Security.

Coming soon:  Best Privacy & Security Practices for mobile health developers—with Office of Civil Rights (OCR), Federal Trade Commission (FTC) and others • Privacy & Security Framework for PCOR • Security Principles for Precision Medicine, supporting National Institutes of Health (NIH).

There’s a lot going on with Identity Management:  The health care industry has not standardized its Level of Assurance requirements for Identity Proofing and Authentication. ONC is developing guidelines on patient and provider identity proofing and authentication using NIST Level of Assurance guidelines.  The NIST document SP 800-63-2 provides technical guidance that includes the identity proofing process and all aspects of credential management.

Gavin O’Brien, Computer Scientist, NIST National Cybersecurity Center of Excellence (NCCoE), Securing Electronic Health Records on Mobile Devices

The NCCoE is part of the NIST Information Technology Laboratory and operates in close collaboration with the Computer Security Division. As a part of the NIST family, the center has access to a foundation of prodigious expertise, resources, relationships and experience.

Deven McGraw, Deputy Director, Health Information Privacy Division, HHS Office for Civil Rights, Perspectives from OCR

Priorities for OCR include education, outreach and enforcement.  The immediate pipeline includes 1) Guidance on Patient Right of Access, a fundamental right and critical to healthcare reform, 2) The intersection between HIPAA and Meaningful Use, 3) The right to have patient information sent to a 3rd party.  Watch for more guidance on ‘Minimum Necessary’, and examples of ‘Designated Record Set’.