Big Data, Security and Privacy: The EHR Vendor View

Transcription

1 Taking a step towards Big Data, Security and Privacy: proactive health + care The EHR Vendor View Bob Harmon, MD Physician Executive, Cerner Corporation Presented to Preventive Medicine 2016 Washington, DC, February 25, 2016

2 Outline Background EHR vendor trends in use of big data for population health improvement Vendor efforts to assure privacy and security Q&A

3 The individual person should be the focus for big data Connect the continuum Clinic Employer Hospital Person Home Fitness Center Empower people, care teams and organizations Facilitate knowledge-driven care and continuous learning Assure informed consent, privacy and security for data use School Retail Pharmacy Long-Term Care to move from reactive care to proactive health.

4 Know, engage, manage populations with data Care venue automation Electronic health record Interoperability Community-based care Care management Home and community care Long-term care Retail pharmacy Sports medicine Public health Clinical programs and outcomes Clinical research Performance improvement Predictive modeling Quality measures Registries and scorecards Financial management Contract management Revenue cycle Longitudinal record Health information exchange Member engagement Personal health portals Network management Provider network management Referral management Enterprise and population health analytics Data warehouse Data analytics

5 Typical approach to big data and population health management Contract management EDW and analytics Scorecards Patient record Networking Registry Medication management Risk modeling Care management Person EHR Device HIE Payer Pharmacy Post-acute Open data

6 A better approach to population health management Contract management EDW and analytics Scorecards Patient record Networking Registry Medication management Risk modeling Care management Secure big data platform & EDW Person EHR Device HIE Payer Pharmacy Post-acute Open data

7 Examples of open big data connections Open data The Dartmouth Atlas of Healthcare Data types American Time Use Survey HCAHPS (patient survey) Health care associated infection HUD census/zip NPPES Outpatient imaging efficiency Readmission, complication & death Relative value unit Social vulnerability index Timely & effective care Value-based purchasing 6

8 Types of personal information PHI (Protected Health Information) Any information that links a person with his/her health condition ephi (Electronic Protected Health Information) Any PHI created or received electronically PII (Personally Identifiable Information) Name or number used to identify a person 7

9 PHI identifiers PHI includes, but is not limited to: Patient name, address, phone or fax number, and address All elements of dates (i.e. birth, admission, discharge and/or death date) Biometric identifiers, including finger and voice prints Full face photographic images or genetic information Any diagnosis and treatment related information Any unique identifying number, characteristic, or code Account numbers (financial, insurance plan IDs, etc.) Health plan beneficiary number Patient medical record, person ID, or other system assigned IDs Social Security number or IP address 8

10 Data breaches Occur when sensitive information that is protected by law is: Lost Stolen Hacked Improperly disposed of Communicated to others without permission 85,611,528 records were exposed in the U.S. in 2014! An employee s responsibility is to report privacy or security breaches involving PHI to: Direct manager or executive Compliance specialist/quality representative Review the company breach notification policy/procedure for more information regarding how to handle a breach 9

11 Malware An all-encompassing term to describe programs that can do damage to you and your computer. Causes of damage: Out of date anti-virus software Clicking on suspicious links Downloading programs from unknown sources Opening unfamiliar attachments 10

12 Social engineering A human interaction technique used by attackers to gain your trust to obtain or compromise information Phishing: Vishing : Shoulder surfing: Pretexting: Legitimate looking s, text messages or even pop-up messages that ask for sensitive information Voice phishing involving fraudulent calls that are soliciting personal information Watching someone as they enter their sensitive data Utilizing your identity to obtain additional sensitive information 11

13 HIPAA Privacy and Security Rule HIPAA, the Health Insurance Portability and Accountability Act, sets the national standard for protecting an individual s health information HIPAA Privacy Rule: Provides protection for an individual's health information and gives patients an array of rights with respect to that information HIPAA Security Rule: Concentrates on safeguarding and the security around ephi by focusing on the confidentiality, integrity, and availability of ephi 12

14 HITECH and health information laws HITECH (Health Information Technology for Economic and Clinical Health) act widens the scope of privacy and security protections available under HIPAA. It increases the potential legal liability for non-compliance and provides for more enforcement. There are additional federal and state laws that have more strict requirements around the use and disclosure of certain "sensitive" information (such as drug and alcohol abuse treatment and HIV status). For questions on other health information laws contact your legal team 13

15 Payment card industry compliance Payment card industry data security standards are the technical and operational requirements to protect credit card data Cardholder data (CHD) = Primary account number (PAN) + sensitive authentication data (ex: cardholder name, expiration date, CVV code) Applies wherever account data are stored, processed, or transmitted. Applies to organizations which outsource payment operations or card data environment management. 14

16 Access control Never allow door drafters enter a building or loan your badge to others Always scan and visibly wear your badge at company sites Report lost or stolen devices and suspicious activity to Security 15

17 Protect PHI and PII Use a secure method (encryption) when sending sensitive information Only access information that is required for your scope of work Do not disclose information to unauthorized individuals Never leave computer screen open or patient information unattended Use privacy screens if available Shred confidential information after use 16

18 Protect your computer 1.Don t be click happy 2.Form good habits 3.Surf Securely 4.Never download unknown applications from the internet 5.Beware of removable media 6.Reboot your computer daily 7.Patch your computer 8.If your computer detects a virus, disconnect and call your help desk 17

19 Password Control Change regularly (<90 days) Use different passwords for different accounts Use strong passwords (>8 characters, combinations of upper/lower case, symbols, numbers) Password protect your devices Keep passwords confidential Never store un-encrypted passwords on device 1Doggie 18

20 Identifying Suspicious s 19

21 Internal Threat- Zip file attachment No one listed in the to or cc field **Immediate red flag alert!** Attached zip file No greeting or closing How do you know it s your document? Your name is not included in the subject line, to or cc fields and message body If you do happen to open up attachments and become infected, shutdown your computer immediately and call your help desk. 20

22 Laptop & Mobile Device Safety Best practices: DO NOT store device in vehicle unless you absolutely must. If so, do not put in plain site CONNECT through a secure network NEVER store sensitive information on unauthorized storage devices ALWAYS password protect your devices When traveling: KEEP your laptop or mobile device with you at all times DO NOT check your company-issued computer system as airline luggage DISABLE all network and file sharing SET a public profile when connecting to wireless LOCK your devices in a room safe when away, if available NEVER allow others to use your company-issued resources 21

23 Security best practices Neither company nor client Sensitive Information may reside on any medium not provided by company or the client Failure to comply with this policy Includes: Cloud Storage Services Personal mobile devices USB/Flash Drives SD memory cards Grounds for: Up to & including termination of employment Report to: Security Includes: Copyright, trademark, patent or other proprietary rights appearing on or embedded with company information But is not limited to: Information posted on company s Intranet s & attachments Business plans Contracts You are responsible to report violations of this policy Alteration of deletion of company Information is prohibited Company Information must not be disclosed to anyone outside company. 22