HIPAA and Medical Device Security

Transcription

1 HIMSS Audio Conference Planning Security Compliance: Are You Ready for 4/20/05? HIPAA and Medical Device Security Stephen L. Grimes, FACCE Chair, Medical Device Security Workgroup Healthcare Information and Management Systems Society (HIMSS) Chair, HIPAA Task Force American College of Clinical Engineering (ACCE)

2 Medical Device Security: Is this just a HIPAA issue? NO!.. Even if HIPAA were thrown out Medical device security particularly data integrity & data availability is critical to healthcare quality, timeliness, and cost-effectiveness Today, a reasonable standard of care cannot be maintained without an effective an Information Security Management Program in place that includes biomedical technology SLGrimes / HIMSS / ACCE / ECRI ~ 2 of 47

3 HIPAA s s Security Rule Implications for Biomedical Devices & Systems

4 Security Risks to Healthcare Technology Make sure you are addressing more than the tip of the risk! Risks to Healthcare IT Systems No problem! We re clear! Risks to Biomedical Devices & Systems The inventory of biomedical devices & systems in a typical hospital is times larger than the IT inventory SLGrimes / HIMSS / ACCE / ECRI ~ 4 of 47

5 HIPAA s s Security Rule Implications for Biomedical Technology Scope: Number of biomedical devices/systems now typically exceeds number of information technology systems in a hospital by a factor of 3 to 4 Trends: Increasing number of biomedical devices maintain or transmit ephi Increasing number of interconnections between biomedical/clinical & information systems sharing ephi SLGrimes / HIMSS / ACCE / ECRI ~ 5 of 47

6 HIPAA s s Security Rule Implications for Biomedical Technology Standalone with ephi SLGrimes / HIMSS / ACCE / ECRI ~ 6 of 47

7 HIPAA s s Security Rule Implications for Biomedical Technology Both Standalone and Networked Systems with ephi SLGrimes / HIMSS / ACCE / ECRI ~ 7 of 47

8 HIPAA s s Security Rule Implications for Biomedical Technology Why is security an issue for biomedical technology? Because compromise in ephi can affect Integrity or Availability can result in improper diagnosis or therapy of patient resulting in harm (even death) because of delayed or inappropriate treatment Confidentiality can result in loss of patient privacy and, as a consequence, may result in financial loss to patient and/or provider organization SLGrimes / HIMSS / ACCE / ECRI ~ 8 of 47

9 HIPAA s s Security Rule Overview of Compliance Process

10 HIPAA s s Security Rule Compliance Overview Information Security Management (ISM) Program Risk Analysis & Management Plan (RAMP) SLGrimes / HIMSS / ACCE / ECRI ~ 10 of 47

11 HIPAA s s Security Rule Compliance Overview Establish effective Info Security Management (ISM) program: 1) Assign security official & establish information security committee 2) Develop necessary policies as per security standards 3) Develop necessary procedures, physical/technical safeguards as per implementation specifications 4) Implement Policies/procedures, Business associate agreements, Educate workforce & Install/Configure security tools 5) Test implementation 6) Integrate security measures into organization-wide program SLGrimes / HIMSS / ACCE / ECRI ~ 11 of 47 Increasing Levels of Program Effectiveness Policies Procedures Implementation Testing Integration GOAL: HIPAA Compliance & an Effective Info Security Program

12 HIPAA s s Security Rule Compliance Overview representatives of device users (i.e., clinical staff) Clinical Engineering Information Security Official Information Services / Information Technology Facilities Engineering Staff Education / Inservice Human Resources Information Security Committee Materials Management / Purchasing Quality Assurance Administration Core Members Compliance Officer Privacy Official Risk Management Ad Hoc Members slgrimes SLGrimes / HIMSS / ACCE / ECRI ~ 12 of 47

13 HIPAA s s Security Rule Compliance Overview Establish Risk Analysis/Management Plan (RAMP): 1) Conduct inventory (identify sources of ephi) and survey current security practices & resources 2) Identify and Assess Security Risks 3) Establish Priorities 4) Determine Security Gap (i.e., need for additional safeguards) following best practices and Security Rule s Standards and Implementation Specifications 5) Formulate/Implement Plan for Risk Mitigation Process incorporating Risk-based Priorities 6) Test & Measure Effectiveness of Risk Mitigation Process (Improving as Necessary) SLGrimes / HIMSS / ACCE / ECRI ~ 13 of 47

14 Compliance Overview Risk Analysis/Management 1) Conduct Inventory Identify biomedical devices & systems that maintain and/or transmit ephi For each affected device/system, determine: Types of ephi Who has access & who needs access Description of any connections with other devices Types of security measures currently employed New! HIMSS Manufacturers Disclosure Statement for Medical Device Security (MDS 2 ) SLGrimes / HIMSS / ACCE / ECRI ~ 14 of 47 Nov 8, 2004

15 Compliance Overview Risk Analysis/Management 1) and Survey current security practices & resources to analyze existing processes Policies & procedures Training programs Tools & security measures SLGrimes / HIMSS / ACCE / ECRI ~ 15 of 47

16 Keyboard Create/Input ephi Maintain ephi Hard Disk Component, Device, or System Transmit/Receive ephi Disk Scanning - bar code - magnetic - OCR Memory (e.g., RAM) INSERT THIS END 56K PCMCIA Tape Digital Memory Card Imaging - photo - medical image Biometrics Disk Tape Digital Memory Card INSERT THIS END 56K PCMCIA Optical disk, CD-ROM, DVD Wired Networks Private or Public, Leased or Dial- up lines, Internet Voice Recognition Optical disk, CD-ROM, DVD Wireless Networks SLGrimes / HIMSS / ACCE / ECRI ~ 16 of 47

17 Compliance Overview Inventory of Devices/Systems Physiologic Monitor where ephi may consist of patient identifying information and the following data: ECG waveform Blood pressure Heart rate Temp O 2 Saturation Respiration Alarms SLGrimes / HIMSS / ACCE / ECRI ~ 17 of 47

18 Compliance Overview Inventory of Devices/Systems Infusion pump where ephi may consist of patient identifying information and the following data: Flow Rate Volume delivered Alarms SLGrimes / HIMSS / ACCE / ECRI ~ 18 of 47

19 Ventilator Compliance Overview Inventory of Devices/Systems where ephi may consist of patient identifying information and the following data: Flow Rate Volume Delivered Respiration (Breaths Per Minute) O 2 Saturation Alarms SLGrimes / HIMSS / ACCE / ECRI ~ 19 of 47

20 Compliance Overview Inventory of Devices/Systems Laboratory analyzer where ephi may consist of patient identifying information and the following data : Blood related - Hemoglobin - Glucose - Gas - ph - Electrolyte Urine related - Albumin - Creatinine - Bilirubin SLGrimes / HIMSS / ACCE / ECRI ~ 20 of 47

21 Compliance Overview Inventory of Devices/Systems MRI, CT Scanner, Diagnostic Ultrasound where ephi may consist of patient identifying information and the following data : Image SLGrimes / HIMSS / ACCE / ECRI ~ 21 of 47

22 Confidentiality Availability Medical Device/System with electronic Protected Health Information High Medium Low Compliance Overview Risk Analysis/Management 2) Assess risk with respect to confidentiality, integrity, availability: Criticality Categorize level of risk/vulnerability (e.g., high, medium, low) to CIA Probability Categorize the likelihood of risk (e.g., frequent, occasional, rare) to CIA Composite Score for Criticality/Probability SLGrimes / HIMSS / ACCE / ECRI ~ 22 of 47

23 Taking into account Criticality: Assess Risk associated with compromises to Integrity of ephi Central Station Patient Physiologic Monitor Clinician with Authorized Access Data Actual Maintained/ Transmitted Patient ID Heart Rate 60 bpm 35 bpm Blood Pressure 120/80 mmhg 90/50 mmhg Temp 98.6º F 89.6º F SpO2 92% 92% Integrity SLGrimes / HIMSS / ACCE / ECRI ~ 23 of 47

24 Taking into account Criticality: Assess Risk associated with compromises to Availability of ephi Central Station Patient Physiologic Monitor Clinician with Authorized Access Data Actual Maintained/ Transmitted Patient ID XXXXX Heart Rate 60 bpm Blood Pressure XX bpm 120/80 mmhg XXX/XX mmhg Temp 98.6º F XX.Xº F SpO2 92% XX% Integrity Availability SLGrimes / HIMSS / ACCE / ECRI ~ 24 of 47

25 Taking into account Criticality: Assess Risk associated with compromises to Confidentiality of ephi Central Station Patient Physiologic Monitor Unauthorized Access Clinician with Authorized Access Data Actual Maintained/ Transmitted Confidentiality Patient ID Availability Heart Rate 60 bpm 60 bpm Integrity Blood Pressure 120/80 mmhg 120/80 mmhg Temp 98.6º F 98.6º F SpO2 92% 92% SLGrimes / HIMSS / ACCE / ECRI ~ 25 of 47

26 Assessing Criticality of Risk Associated with Biomedical Devices/Systems with ephi RISK LEVEL High Medium Potential degree to which health care would be adversely impacted by compromise of availability or integrity of ephi Serious impact to patient s health (including loss of life) due to: misdiagnosis, delayed diagnosis or improper, inadequate or delayed treatment Minor impact to patient s health due to: misdiagnosis, delayed diagnosis or improper, inadequate or delayed treatment Impact on Patient Potential degree to which privacy would be adversely impacted by compromise of confidentiality of ephi Could identify patient and their diagnosis Could identify patient and their health information (but from which a diagnosis could not be derived) Potential degree to which interests would be adversely impacted by compromise of confidentiality, availability or integrity of ephi Extremely grave damage to organization s interests Serious damage Impact on Organization Potential financial impact Major $1,000K Moderate $100K Low Minor Impact Could identify patient Minor damage Minor $10K Potential legal penalties Imprisonment and/or large fines Moderate Fines None Likely corrective measures required Legal Legal Administrative SLGrimes / HIMSS / ACCE / ECRI ~ 26 of 47

27 Assessing Probability of Risks Associated with Biomedical Devices/Systems with ephi Frequent Likely to occur (e.g., once a month) Occasional Probably will occur (e.g., once a year) Rare Possible to occur (e.g., once every 5-10 years) SLGrimes / HIMSS / ACCE / ECRI ~ 27 of 47

28 Assessing Criticality & Probability of Risks associated with Biomedical Devices/Systems with ephi Determining the Criticality/Probability Composite Score Rare Probability Occasional Frequent High Criticality Medium Low SLGrimes / HIMSS / ACCE / ECRI ~ 28 of 47

29 Compliance Overview Risk Analysis/Management 3) Establish priorities Use Criticality/Probability composite score to prioritize risk mitigation efforts Conduct mitigation process giving priority to devices/systems with highest scores (i.e., devices/systems that represent the most significant risks) SLGrimes / HIMSS / ACCE / ECRI ~ 29 of 47

30 Compliance Overview Risk Analysis/Management 4) Determine security gap Determine what measures are necessary to safeguard data Compare list of necessary measures with existing measures identified during biomedical device/system inventory process Prepare gap analysis for devices/systems detailing additional security measures necessary to mitigate recognized risks (addressing devices/systems according to priority) SLGrimes / HIMSS / ACCE / ECRI ~ 30 of 47

31 Compliance Overview Risk Analysis/Management 5) Formulate & implement mitigation plan Formulate written mitigation plan incorporating additional security measures required (i.e., policies, procedures, technical & physical safeguards) priority assessment, and schedule for implementation Implement plan & document process SLGrimes / HIMSS / ACCE / ECRI ~ 31 of 47

32 Compliance Overview Risk Analysis/Management 6) Monitor process Establish on-going monitoring system (including a security incident reporting system) to insure mitigation efforts are effective Document results of regular audits of security processes SLGrimes / HIMSS / ACCE / ECRI ~ 32 of 47

33 Compliance Overview Risk Analysis/Management Prepare a Risk Mitigation Worksheet 1 Identify ephi 2 Identify & Assess Risks 3 Establish Priorities 4 Determine Gap 5 Formulate & Implement Plan 6 Test & Measure Effectiveness of Plan SLGrimes / HIMSS / ACCE / ECRI ~ 33 of 47

34 HIPAA s s Security Rule Overview of Compliance Process SLGrimes / HIMSS / ACCE / ECRI ~ 34 of 47

35 HIMSS Manufacturer Disclosure Statement for Medical Device Security (MDS 2 ) SLGrimes / HIMSS / ACCE / ECRI ~ 35 of 47

36 The MDS 2 provides the Manufacturer s s Model-specific Description of Device ability to maintain/transmit ephi Is the device capable of maintaining or transmitting ephi? For those devices capable of maintaining/transmitting ephi, a description of type of ephi (e.g., demographic info, diagnostic/therapeutic info, etc.) device mechanisms for maintaining ephi device mechanisms for transmitting ephi Security features associated with the device Safeguards provided with or incorporated in the device, including Administrative Physical Technical A list of any manufacturer-optional recommended safety practices SLGrimes / HIMSS / ACCE / ECRI ~ 36 of 47

37 Key Benefits of the MDS 2 For Manufacturers Facilitates the manufacturers common response to a potentially large volume of requests from providers for information regarding the ephi capability and security-related related features of the devices they manufacture For Healthcare Providers Facilitates the providers review & analysis of the large volume of security-related related information supplied by manufacturers for devices on the providers inventories SLGrimes / HIMSS / ACCE / ECRI ~ 37 of 47

38 MDS 2 Developed by HIMSS Medical Device Security Workgroup Workgroup membership includes representatives from: Healthcare providers (e.g., John Hopkins, University of California, Georgetown U, etc) Manufacturers (e.g., Microsoft, Philips, GE Healthcare, Cardinal Health, Roche, Kodak, Welch Allyn,, etc) Government (e.g., FDA, VA, etc) Consultants (e.g., Booz Allen Hamilton, ECRI, GENTECH, Advanced Technology Institute, etc) Industry Groups (e.g., ASHE, ACCE, IEEE, NCCLS) Law firms SLGrimes / HIMSS / ACCE / ECRI ~ 38 of 47

39 Industry Endorsements for the MDS 2 HIMSS (Health Information and Management Systems Society) ACCE (American College of Clinical Engineering) ECRI NEMA (National Electrical Manufacturers Association) SLGrimes / HIMSS / ACCE / ECRI ~ 39 of 47

40 MDS 2 supplies key data to the ACCE / ECRI Biomedical Equipment Survey Form SLGrimes / HIMSS / ACCE / ECRI ~ 40 of 47

41 MDS 2 Form Side 1 Standard Nomenclature (UMDNS) SLGrimes / HIMSS / ACCE / ECRI ~ 41 of 47

42 SLGrimes / HIMSS / ACCE / ECRI ~ 42 of 47

43 MDS 2 Form Side 2 SLGrimes / HIMSS / ACCE / ECRI ~ 43 of 47

44 Healthcare Providers Use MDS 2 Information Security Committee Reviews manufacturer-supplied MDS 2 forms along with the hospital s medical device inventory & survey forms to assess risks and determine what (if any) safeguards are available with the device Uses MDS 2 to identify common classes of technology with common vulnerabilities Uses MDS 2 to take common approaches to mitigating risks with those common classes where possible SLGrimes / HIMSS / ACCE / ECRI ~ 44 of 47

45 HIMSS on Medical Device Security Web Site for HIMSS Medical Device Security Workgroup with Bibliography of relevant source material HIMSS November 8, 2004 Press Release on MDS Manufacturer's Disclosure Statement for Medical Device Security (MDS2) Form & Instructions Free Download Manufacturers obtain free UMDNS (nomenclature) listing of their products by ing e ECRI at himss-mds@ecri.org mds@ecri.org SLGrimes / HIMSS / ACCE / ECRI ~ 45 of 47

46 ACCE / ECRI on Medical Device Security CD-ROM based Information Security for Biomedical Technology: A HIPAA Compliance Guide Product Description nce_ Guide/Default.aspx Table of Contents Brochure and Order Form Press Release Discount for Members at HIMSS Bookstore _125 SLGrimes / HIMSS / ACCE / ECRI ~ 46 of 47

47 Questions? Stephen L. Grimes, FACCE Health Information and Management Systems Society American College of Clinical Engineering (ACCE) ECRI