2017 AMC Privacy & Security Conference. New Technologies, Old Regulations Jeremy Maxwell, PhD Director of Information Security, Allscripts



2 The Problem
- Technology changes quickly. Regulations change slowly
- Targeted sub-regulatory guidance can be slow
Copyright 2017 Allscripts Healthcare Solutions, Inc.

3 The Problem
- Not all sub-regulatory guidance is slow
  - E.g., ONC/OCR/NIST PMI Data Security Principles Implementation Guide
- BUT even when guidance is available, it may not fit an organization's use case
- Bottom line: Organizations must be prepared to move forward with Privacy & Security (and the business) without having perfect compliance knowledge, especially when new technologies are involved.

4 Strategies to Handle Compliance Uncertainty with New Technology
- Back to basics
- Rely on existing guidance
- Ask questions
- Collaborate

5 Back to Basics
- Risk management, risk management, risk management... then more risk management
- Oftentimes, simply doing a privacy & security risk assessment can identify controls that should protect against risks from new technology
- Take APIs as an example

6 APIs
- Application Programming Interfaces (APIs) allow one software program to access services provided by another software program
- In the technology world, not new. Software has used APIs internally for decades
- In healthcare, "API" is typically shorthand for publicly web-accessible APIs
- Required under ONC 2015 Edition Certification Rule:
  - Read-only, patient-facing API to search & retrieve data for that patient
  - Supports view, download, transmit (VDT)

7 Concerns Over APIs Expressed to ONC
- Fraudulent apps could use patient data for malfeasance
- Deceptive apps selling/misusing patient data
- Patient data disclosure
- Risk to provider systems?
- How to vet patient users

8 Risk Analysis: APIs vs Patient Portals
- Both APIs and patient portals:
  - Are public, Internet-facing
  - Grant read-only access to patient data, a single patient record at a time
  - Rely on patient user credentials to secure
  - Grant patients control over their own data
- Both can be exploited using fraudulent sites/apps (e.g., phishing)
- When performing your risk assessment, you may find that patient portals & APIs can be protected by the same controls
- Patient portals have been required by ONC Certification Rule since 2014

9 ONC API Task Force
- November 2015 to May 2016
- Tasked with determining which P&S concerns with APIs were legitimate and which were not
- Determined that there are no show-stopping barriers to deploying APIs in the short term
- Identified numerous opportunities and challenges:
  - App oversight & certification/endorsement
  - App privacy policies & info sharing
  - Patient authorization, identity proofing, and authentication

10 In Other Words
- The API Task Force conclusions matched what a P&S risk assessment may have found
- Mechanisms for providing additional guidance (like the Task Force) are very valuable, but do not take the place of an organizational P&S risk assessment
- Don't be paralyzed waiting for permission from a regulator. Do your own risk assessment and come to a defensible position
- Benefits of new technology on patient care/access may outweigh P&S risks

11 Other Actions You Can Do
- Rely on existing guidance
  - OCR cloud guidance
  - ONC permitted-uses fact sheets (on exchange, healthcare ops, public health, and health oversight activities)
  - Mobile app guidance
  - PMI Security Policy Principles and Implementation Guide
- Ask questions
  - OCR developer portal
- Collaborate
  - Be careful of groupthink
  - Seek out like-minded P&S professionals at your peer organizations

12 Things to Remember
- Wearables, APIs, precision medicine... the list of new technologies will continue to grow
- New technology, so mistakes will be made (we still make mistakes with old technology)
- Incident response plans should be in place
  - Gather contacts, create runbooks
  - Who should you have on retainer?
  - Perform tabletop exercises
  - Learn from each incident