Geek Sync | Keep Your Healthcare Databases Secure and Compliant
Kim Brushaber, Senior Product Manager, IDERA
Stan Geiger, Director, Product Management, Multi-Platform Tools, IDERA
Agenda
▪ Overview
▪ What is HIPAA?
▪ HIPAA Violations
▪ Data Breaches
▪ Data Compliance
▪ Demo
▪ Questions
Overview
▪ Healthcare Regulations
– The Social Security Act governs funding and requirements for
Medicare, Medicaid, CHIP, and more.
– HIPAA and the HITECH Act protect patient privacy, requiring
healthcare organizations to implement measures to keep
patient records secure.
– The Federal Information Security Management Act (FISMA) requires
federal agencies to develop, document, and implement programs to
secure their information systems.
– The False Claims Act makes it illegal to file a false claim for
funds from a federal program.
– The Patient Protection and Affordable Care Act implemented
new requirements for insurance, Medicaid, and more.
HIPAA
▪ The Privacy Rule establishes a set of standards that
address how patient information can be used and
disclosed.
▪ Applies to three types of covered entity (business associates that
handle PHI on a covered entity’s behalf are also directly liable
under the HITECH Act):
– Health care providers
– Health plans
– Health care clearinghouses
HIPAA
▪ Health care providers
– Any provider that electronically transmits patient
information in connection with claims, eligibility
requests, referral authorizations, or similar
transactions
– Applicable transaction types are specified in the
HIPAA Transactions Rule
HIPAA
▪ Health plans
– Individual and group plans that provide or pay
the cost of medical care
– Entities
• Health maintenance organizations (HMOs)
• Medicare
• Medicaid
• Health or dental insurers
• Employer-sponsored group health plans
HIPAA
▪ Health care clearinghouses
– Entities that process patient data on behalf of
health plans or health care providers
– They transform the data in some way from a
nonstandard format to a standard format
– Included organizations:
• Billing services
• Community health management information
services
HIPAA
▪ Privacy Rule
– Protects all individually identifiable health
information
– Identifiable information
• The patient’s past, present, or future physical or mental
health
• Any health care services that the patient has received
• Any payment information related to the patient’s care
that can be used to identify the patient
Penalties
▪ Civil penalties
– Fines of $100 to $50,000 or more per violation, tiered by
level of culpability
– Annual cap of $1.5 million for violations of an identical
provision
▪ Criminal penalties
– Individuals can also face fines up to $250,000 and 10
years imprisonment
HIPAA
▪ Electronic PHI
– Ensure the integrity, confidentiality, and availability of all
e-PHI data in their possession.
– Identify and protect against anticipated threats to the e-PHI
data.
– Protect against anticipated non-permitted uses or
disclosures.
– Ensure that e-PHI data is not available to or disclosed to
non-authorized individuals in the workforce.
HIPAA
▪ Electronic PHI security
– Protection standards
• Administrative protections
• Physical protections
• Technical protections
HIPAA and the DBA
▪ Ensure the confidentiality, integrity, and
availability of all electronic PHI data
▪ Prevent unauthorized individuals from
viewing, altering, or destroying the data,
while providing authorized users access
▪ Identify and protect against anticipated
threats as well as impermissible uses or
disclosures
HIPAA and the DBA
▪ Training
– Covered entity must train all workforce members on the
policies and procedures with respect to protecting PHI data.
– Covered entity should apply sanctions against workforce
members who fail to comply with the policies and
procedures.
– DBAs will participate in the process of writing policies and
procedures and training workforce members depending on
the organization and their circumstance.
– DBAs should fully understand the risks associated with
violating HIPAA regulations and what steps to take if they
discover a violation.
HIPAA and the DBA
▪ Securing environment
– Covered entity must assess the potential risks and
vulnerabilities to the electronic PHI and then implement
security measures to reduce those risks.
– Implement procedures for guarding against malicious
software as well as for managing and protecting passwords.
– Implement mechanisms for limiting and controlling physical
access to systems and facilities that house PHI data, while
providing for disaster recovery and emergency access.
– Implement safeguards that protect workstations accessing
PHI data, along with any other hardware or electronic media
used for sensitive data.
– The covered entity is responsible for the proper disposition of
PHI data from any hardware or media on which it has resided.
HIPAA and the DBA
▪ Controlling access
– Ensure that workforce members have “appropriate access”
to electronic PHI, based on their roles in the organization.
– Implement procedures for authorizing workforce members,
supervising their access to data, determining whether that
access is appropriate, and terminating that access when
required.
– Assign a unique ID to each user for identifying and tracking
that user’s activities.
– Implement procedures for obtaining PHI data during an
emergency, terminating electronic sessions after a
predetermined time of inactivity, and encrypting and
decrypting PHI data.
HIPAA and the DBA
▪ Auditing and monitoring systems
– Implement procedures for monitoring log-in attempts and
reporting discrepancies.
– Implement “hardware, software, and/or procedural
mechanisms that record and examine activity in information
systems that contain or use electronic protected health
information.”
– Implement electronic mechanisms to verify that the PHI data
has not been “altered or destroyed in an unauthorized
manner.”
HIPAA and the DBA
▪ Prepare for security incidents
– Provide individuals with a process for making complaints
about the organization’s policies and procedures or about its
compliance with those policies and procedures.
– You cannot retaliate against individuals who exercise their
rights, as provided by the Privacy Rule.
– Take the steps necessary to mitigate any harmful effects
that result from PHI data being compromised.
– Identify and respond to “suspected or known security
incidents; mitigate, to the extent practicable, harmful effects
of security incidents that are known; and document security
incidents and their outcomes.”
HIPAA and the DBA
▪ Document, document, document
– Sanctions against workforce members must be
documented, as well as all policies and procedures.
– Documentation must be retained for six years from the
creation date or when it was last in effect, whichever is later.
– Maintain a “record of the movements of hardware and
electronic media and any person responsible therefore.”
– Documentation should be updated as needed in response to
environmental or operational changes.
Head spinning yet?
Notable HIPAA Violations
Fired Surgeon Sentenced to Prison
• Huping Zhou, former cardiothoracic surgeon, was fired
from his job as a researcher at the UCLA School of
Medicine
• After being fired, he illegally accessed the UCLA Medical
Records over 300 times
• He viewed records on his immediate supervisor, his
coworkers, and several celebrities (including Arnold
Schwarzenegger, Drew Barrymore, Leonardo DiCaprio,
and Tom Hanks)
• OUTCOME: He was sentenced to 4 months in jail and a
$2,000 fine
Billing Gone Wrong
• Dr. Barry Helfmann, president-elect of the American
Group Psychotherapy Association
• His employees regularly forwarded past due patient bills
to collections firms
• The bills contained protected info like CPT codes which
can reveal patient diagnoses
• OUTCOME: The State of New Jersey sought to suspend
and revoke Helfmann’s license
Sorry, Wrong Number
• In 2013, an HIV-positive patient asked an office manager
to fax his medical records to his new urologist
• The very busy office manager accidentally faxed them to
the man’s new employer
• OUTCOME: Luckily, the result was only a sternly worded
warning and a mandate for regular HIPAA training for all
employees
Caught Red-Handed
• A Virginia clinic caught 14 employees who had
improperly viewed the medical files of a high profile
patient without a legitimate need
• The clinic caught the employees thanks to a logging
system on the backend of their IT systems which tracked
all access to files containing personal health information
• OUTCOME: The 14 employees were dismissed from
their jobs
Oops, I Did It Again
• In 2008, six doctors and thirteen employees at UCLA
Medical Center viewed Britney Spears’ medical records
after her 2008 psychiatric hospitalization
• Many of the employees were non-medical support staff
and none of them had a legitimate medical need to view
the health records
• This was the 2nd breach involving Britney Spears – in
2005, staff at another UCLA hospital were caught
peeking at her records after her son was born
• OUTCOME: The 13 employees were fired and the 6
doctors were suspended
Reality TV Ain’t What It Used to Be
• In 2013, an ABC reality TV show called NY Med filmed
two hospital patients at New York–Presbyterian Hospital
without their consent
• During the filming, one of the patients died in the
emergency room
• The hospital gave ABC unfettered access, creating a
situation where the protection of personal health
information was not possible
• OUTCOME: The hospital paid a $2.2 million settlement
2018 Violations and Fines
HIPAA Violations – 2018
In October, Anthem, Inc. (a licensee of BCBS) agreed to
pay a record breaking $16 million after the largest health
data breach in US history affected almost 79 million people.
https://www.hhs.gov/about/news/2018/10/15/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-health-data-breach-history.html
HIPAA Violations – 2018
In September, three healthcare institutions were collectively
fined $999,000 after allowing ABC to film a medical
documentary TV series without first obtaining authorization
from the patients.
ABC didn’t learn from 2013
https://www.hhs.gov/about/news/2018/09/20/unauthorized-disclosure-patients-protected-health-information-during-abc-filming.html
HIPAA Violations – 2018
In June, The University of Texas MD Anderson Cancer Center was
fined $4.3 million due to the theft of an unencrypted laptop and the
loss of two unencrypted USB drives. The hardware contained
details on 33,500 individuals.
https://www.hhs.gov/about/news/2018/06/18/judge-rules-in-favor-of-ocr-and-requires-texas-cancer-center-to-pay-4.3-million-in-penalties-for-hipaa-violations.html
HIPAA Violations – 2018
In February, Fresenius Medical Care North America (FMCNA), which
provides products and services to about 170,000 patients with
chronic kidney disease, agreed to pay $3.5 million to settle five
separate data breaches.
https://www.hhs.gov/about/news/2018/02/01/five-breaches-add-millions-settlement-costs-entity-failed-heed-hipaa-s-risk-analysis-and-risk.html
Let’s Talk A Little About Data Breach
In February of 2019, there were a total of 101 data
breaches which exposed over 2M sensitive records and
417M non-sensitive records.
96% of the sensitive records exposed were through
breaches in the Medical/Healthcare sector.
https://www.idtheftcenter.org/2019-data-breaches/
Almost 15 Billion Records have been lost or stolen since
2013. Only 4% were secure breaches where encryption
was used and the stolen data was useless.
BreachLevelIndex.com
Over 6.5 million data records are lost or stolen
every day.
http://breachlevelindex.com/
2018 Cost per Data Breach
• The average cost for each lost or stolen record
containing sensitive and confidential information was
$148 (a 4.8% increase from the year before)
• The average size of a data breach was 26,000 records
• $148 x 26,000 ≈ $3.85 M, in line with the report’s $3.86 M
average total cost per breach (up 6.4% over 2017)
https://www.ibm.com/security/data-breach
Shocking, Right??
Focusing in on the Data
Aspects of Regulations
Why We Have Regulations
• Improved Security
– Establishing a baseline keeps security levels relatively consistent across
companies and industries
• Minimize Loss
– Good practices in place prevent data breaches
• Increase Internal Control
– Reduce employee mistakes and insider theft
• Maintain Trust
– Customers trust people who follow set standards
• Reporting Consistency
– Consistent reports allow audits to go more smoothly
Data Standards vs Security Standards
• Data Standards: “WHAT”
– What information needs to be protected/audited
– What you should do if your data is breached
• Security Standards: “HOW”
– How you should configure your network
– How you should configure your systems (e.g., SQL
Server, Oracle)
What the Regulations Look For
• Reporting (and Maintaining) Audit Data
• Tracking User Access
• Protecting the Data from the Bad Guys (and Watch for
Data Breaches)
• Planning and Having Good Processes and Response
Plans
• Assessing Your Risks
HIPAA
• Tracking
– Monitor log-in attempts
• Protecting
– Protect, detect, contain, and correct security violations
– Detect breaches and notify impacted individuals
• Planning
– Implement security measures to reduce risks and vulnerabilities
– Implement procedures to regularly review audit logs, access reports,
and security incidents
– Implement procedures to terminate access
SQL Server Features for Compliance
• Reporting
– SQL Server Audit
– Temporal Tables
• Tracking
– Object Level Permissions
– Role-Based Security
• Protection
– Authentication Protocols
– Firewalls
– Dynamic Data Masking
– Transport Layer Security (TLS) for data in transit
– Encryption at rest (TDE) and column-level encryption (Always
Encrypted); Always On availability groups serve the availability
requirement, not encryption
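The following T-SQL script is an added example, not part of the IDERA deck, showing how the SQL Server features listed above map onto the DBA duties from the “HIPAA and the DBA” slides: a unique login per workforce member with role-based, object-level grants; monitoring log-in attempts; recording who read or changed e-PHI; and keeping enough history to verify that data was not altered in an unauthorized manner. The database name ClinicDB, the Clinic.Patients table and its columns, the role names, and the D:\Audit\ path are assumptions; the statements need SQL Server 2016 or later (2017 or later for the client_ip column used in the review query).

```sql
-- Added example (not from the IDERA deck). ClinicDB, Clinic.Patients, the role
-- names and the D:\Audit\ path are assumptions; adjust them to your environment.
USE master;
GO
-- 1. Server audit: the destination for the audit trail. ON_FAILURE = SHUTDOWN
--    stops the instance rather than letting it run unaudited; the login that
--    creates it needs SHUTDOWN permission, and the availability cost must be
--    weighed against the HIPAA availability requirement.
CREATE SERVER AUDIT PHI_Audit
    TO FILE (FILEPATH = N'D:\Audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 100)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO
-- 2. Server-level events: every login attempt (failed and successful), changes
--    to server role membership, and any change to the audit itself.
CREATE SERVER AUDIT SPECIFICATION PHI_Audit_Server
    FOR SERVER AUDIT PHI_Audit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT PHI_Audit WITH (STATE = ON);
GO
USE ClinicDB;
GO
CREATE SCHEMA Clinic;
GO
-- 3. System-versioned (temporal) table with Dynamic Data Masking. Every UPDATE
--    or DELETE moves the prior row into Clinic.PatientsHistory with its validity
--    period, so "what the data was changed to" can be reconstructed; SSN and
--    diagnosis are masked for any principal that lacks UNMASK.
CREATE TABLE Clinic.Patients
(
    PatientId      INT IDENTITY PRIMARY KEY,
    FullName       NVARCHAR(100) NOT NULL,
    SSN            CHAR(11) MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)') NOT NULL,
    Diagnosis      NVARCHAR(200) MASKED WITH (FUNCTION = 'default()') NULL,
    LastModifiedBy SYSNAME NOT NULL DEFAULT ORIGINAL_LOGIN(),
    ValidFrom      DATETIME2 GENERATED ALWAYS AS ROW START HIDDEN NOT NULL,
    ValidTo        DATETIME2 GENERATED ALWAYS AS ROW END   HIDDEN NOT NULL,
    PERIOD FOR SYSTEM_TIME (ValidFrom, ValidTo)
)
WITH (SYSTEM_VERSIONING = ON (HISTORY_TABLE = Clinic.PatientsHistory));
GO
-- 4. Role-based, object-level permissions. Grants go to roles; each workforce
--    member keeps an individual login (the unique ID HIPAA asks for) and is
--    added to a role, so audit rows name the person, not a shared account.
CREATE ROLE clinic_billing;
CREATE ROLE clinic_clinician;
GRANT SELECT ON OBJECT::Clinic.Patients TO clinic_billing;           -- masked view only
GRANT SELECT, UPDATE ON OBJECT::Clinic.Patients TO clinic_clinician;
GRANT UNMASK TO clinic_clinician;                                     -- clear-text PHI
GO
-- 5. Database-level audit: every read or write of the PHI table by any
--    principal, plus permission and role-membership changes in this database.
CREATE DATABASE AUDIT SPECIFICATION PHI_Audit_Patients
    FOR SERVER AUDIT PHI_Audit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::Clinic.Patients BY public),
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- 6. Review queries for the "regularly review audit logs" procedure.
--    (a) Logins with five or more failures in the last 24 hours, per source IP
--        (event_time is UTC; client_ip exists in SQL Server 2017 and later).
SELECT server_principal_name, client_ip, COUNT(*) AS failed_attempts
FROM sys.fn_get_audit_file(N'D:\Audit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'                                  -- LGIF = login failed
  AND event_time >= DATEADD(HOUR, -24, SYSUTCDATETIME())
GROUP BY server_principal_name, client_ip
HAVING COUNT(*) >= 5
ORDER BY failed_attempts DESC;
--    (b) Who read PHI outside 07:00-18:59 UTC, with the statement they ran.
SELECT event_time, server_principal_name, database_principal_name, statement
FROM sys.fn_get_audit_file(N'D:\Audit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'SL'                                    -- SL = SELECT
  AND schema_name = 'Clinic' AND object_name = 'Patients'
  AND DATEPART(HOUR, event_time) NOT BETWEEN 7 AND 18
ORDER BY event_time DESC;
--    (c) Full change history of one patient row, for integrity verification.
SELECT PatientId, Diagnosis, LastModifiedBy, ValidFrom, ValidTo
FROM Clinic.Patients FOR SYSTEM_TIME ALL
WHERE PatientId = 1
ORDER BY ValidFrom;
```

The audit file, not the application log, is the record HIPAA’s six-year retention applies to, so the D:\Audit\ share should be write-only for the SQL Server service account and copied to storage that DBAs cannot modify; AUDIT_CHANGE_GROUP in step 2 is what lets a reviewer see if someone disabled the audit before acting.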
Oracle Features for Compliance
• Reporting
– Auditing
• Tracking
– Access Control
– Separation of Duties
• Protection
– Encryption
– Security Monitoring and Alerting
– Data Masking and Data Redaction
• Assessing
– Risk Assessments
What Can Tools Like SQL
Compliance Manager Do?
• Reporting
– Capture Activity On Database (DDL And DML)
– Track The Behavior Of Privileged Users
– Track Who Is Accessing Your Sensitive Data
– Track Who Has Changed Your Data And What Has It Changed To
– Track Security And Administrative Changes
– Track User-Defined Events
– Audit Systems Tables, Stored Procedures, Views, Indexes, Etc.
• Tracking
– Capture Logins, Logouts, Failed Logins
• Protecting
– Determine How Much Data Was Accessed In A Breach
IDERA Products Can Help You
With:
• Reporting (and Maintaining) Audit Data
– SQL Compliance Manager
• Tracking User Access
– SQL Compliance Manager
• Protecting the Data from the Bad Guys (and Watch for Data Breaches)
– SQL Compliance Manager
– SQL Secure
• Planning and Having Good Processes and Response Plans
– SQL Compliance Manager
– SQL Secure
– ER/Studio Business Architect
• Assessing Your Risks
– SQL Compliance Manager
– SQL Secure
In Conclusion
▪ Data breach continues to be a growing problem
▪ Regulations require organizations to:
– Report audit data
– Track user access
– Protect data from the bad guys
– Have good processes and response plans
– Understand what your risks are
▪ The right tools can help to simplify and automate the
auditing process
Demo
Questions
Try any of our tools for free!
Email: stan.geiger@idera.com
kim.brushaber@idera.com
www.idera.com
Geek Sync | Keep your Healthcare Databases Secure and Compliant

  • 1. Keep Your Healthcare Databases Secure and Compliant Kim Brushaber, Senior Product Manager, IDERA Stan Geiger, Director, Product Management, Multi-Platform Tools, IDERA
  • 2. Agenda ▪ Overview ▪ What is HIPAA? ▪ HIPAA Violations ▪ Data Breaches ▪ Data Compliance ▪ Demo ▪ Questions
  • 3. Overview ▪ Healthcare Regulations – The Social Security Act governs funding and requirements for Medicare, Medicaid, CHIP, and more. – HIPAA and the HITECH Act protect patient privacy, requiring healthcare organizations to implement measures to keep patient records secure. – Federal Information Security Management Act (FISMA) – The False Claims Act makes it illegal to file a false claim for funds from a federal program. – The Patient Protection and Affordable Care Act implemented new requirements for insurance, Medicaid, and more.
  • 4. HIPAA ▪ The Privacy Rule establishes a set of standards that address how patient information can be used and disclosed. ▪ Applies to three entity types: – Health care providers – Health plans – Health care clearinghouses
  • 5. HIPAA ▪ Health care providers – Any provider that electronically transmits patient information in connection with claims, eligibility requests, referral authorizations, or similar transactions – Applicable transaction types are specified in the HIPAA Transactions Rule
  • 6. HIPAA ▪ Health plans – Individual and group plans that provide or pay the cost of medical care – Entities • Health maintenance organizations (HMOs) • Medicare • Medicaid • Health or dental insurers • Employer-sponsored group health plans
  • 7. HIPAA ▪ Health care clearinghouses – Entities that process patient data on behalf of health plans or health care providers – Transforms the data in some way from a nonstandard format to a standard format – Included organizations: • Billing services • Community health management information services.
  • 8. HIPAA ▪ Privacy Rule – Protects all individually identifiable health information – Identifiable information • The patient’s past, present, or future physical or mental health • Any health care services that the patient has received • Any payment information related to the patient’s care that can be used to identify the patient
  • 9. Penalties ▪ Penalties – Fines of $100 to $50,000 or more per violation – Calendar-year cap of $1.5 million – Individuals can also face criminal penalties up to $250,000 and 10 years imprisonment
  • 10. HIPAA ▪ Electronic PHI – Ensure the integrity, confidentiality, and availability of all e-PHI data in their possession. – Identify and protect against anticipated threats to the e-PHI data. – Protect against anticipated non-permitted uses or disclosures. – Ensure that e-PHI data is not available to or disclosed to non-authorized individuals in the workforce.
  • 11. HIPAA ▪ Electronic PHI security – Protection standards • Administrative protections • Physical protections • Technical protections
  • 12. HIPAA and the DBA ▪ Ensure the confidentiality, integrity, and availability of all electronic PHI data ▪ Prevent unauthorized individuals from viewing, altering, or destroying the data, while providing authorized users access ▪ Identify and protect against anticipated threats as well as impermissible uses or disclosures
  • 13. HIPAA and the DBA ▪ Training – Covered entity must train all workforce members on the policies and procedures with respect to protecting PHI data. – Covered entity should apply sanctions against workforce members who fail to comply with the policies and procedures. – DBAs will participate in the process of writing policies and procedures and training workforce members depending on the organization and their circumstance. – DBAs should fully understand the risks associated with violating HIPAA regulations and what steps to take if they discover a violation.
  • 14. HIPAA and the DBA ▪ Securing environment – Covered entity must assess the potential risks and vulnerabilities to the electronic PHI and then implement security measures to reduce those risks. – Implement procedures for guarding against malicious software as well as for managing and protecting passwords. – Implement mechanisms for limiting and controlling physical access to systems and facilities that house PHI data, while providing for disaster recovery and emergency access. – Implement safeguards that protect workstations accessing PHI data, along with any other hardware or electronic media used for sensitive data. – Responsible for the proper disposition of PHI data from any hardware or media on which it has resided.
  • 15. HIPAA and the DBA ▪ Controlling access – Ensure that workforce members have “appropriate access” to electronic PHI, based on their roles in the organization. – Implement procedures for authorizing workforce members, supervising their access to data, determining whether that access is appropriate, and terminating that access when required. – Assign a unique ID to each user for identifying and tracking that user’s activities. – Implement procedures for obtaining PHI data during an emergency, terminating electronic sessions after a predetermined time of inactivity, and encrypting and decrypting PHI data.
  • 16. HIPAA and the DBA ▪ Auditing and monitoring systems – Implement procedures for monitoring log-in attempts and reporting discrepancies. – Implement “hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” – Implement electronic mechanisms to verify that the PHI data has not been “altered or destroyed in an unauthorized manner.”
  • 17. HIPAA and the DBA ▪ Prepare for security incidents – Provide individuals with a process for making complaints about the organization’s policies and procedures or about its compliance with those policies and procedures. – You cannot retaliate against individuals who exercise their rights, as provided by the Privacy Rule. – Take the steps necessary to mitigate any harmful effects that result from PHI data being compromised. – Identify and respond to “suspected or known security incidents; mitigate, to the extent practicable, security incidents that are known and document security incidents and their outcomes.”
  • 18. HIPAA and the DBA ▪ Document, document, document – Sanctions against workforce members must be documented, as well as all policies and procedures. – Documentation must be retained for six years from the creation date or when it was last in effect, whichever is later. – Maintain a “record of the movements of hardware and electronic media and any person responsible therefor.” – Documentation should be updated as needed in response to environmental or operational changes.
  • 24. Fired Surgeon Sentenced to Prison • Huping Zhou, former cardiothoracic surgeon, was fired from his job as a researcher at the UCLA School of Medicine • After being fired, he illegally accessed the UCLA Medical Records over 300 times • He viewed records on his immediate supervisor, his coworkers, and several celebrities (including Arnold Schwarzenegger, Drew Barrymore, Leonardo DiCaprio, and Tom Hanks) • OUTCOME: He was sentenced to 4 months in jail and a $2000 fine
  • 28. Billing Gone Wrong • Dr. Barry Helfmann, president-elect of the American Group Psychotherapy Association • His employees regularly forwarded past due patient bills to collections firms • The bills contained protected info like CPT codes which can reveal patient diagnoses • OUTCOME: The State of New Jersey sought to suspend and revoke Helfmann’s license
  • 31. Sorry, Wrong Number • In 2013, an HIV-positive patient asked an office manager to fax his medical records to his new urologist • The very busy office manager accidentally faxed them to the man’s new employer • OUTCOME: Luckily, the result was only a sternly worded warning and a mandate for regular HIPAA training for all employees
  • 34. Caught Red-Handed • A Virginia clinic caught 14 employees who had improperly viewed the medical files of a high profile patient without a legitimate need • The clinic caught the employees thanks to a logging system on the backend of their IT systems which tracked all access to files containing personal health information • OUTCOME: The 14 employees were dismissed from their jobs
  • 38. Oops, I Did It Again • In 2008, six doctors and thirteen employees at UCLA Medical Center viewed Britney Spears’ medical records after her 2008 psychiatric hospitalization • Many of the employees were non-medical support staff and none of them had a legitimate medical need to view the health records • This was the 2nd breach involving Britney Spears – in 2005, staff at another UCLA hospital were caught peeking at her records after her son was born • OUTCOME: The 13 employees were fired and the 6 doctors were suspended
  • 42. Reality TV Ain’t What It Used to Be • In 2013, an ABC reality TV show called NY Med filmed two hospital patients at New York–Presbyterian Hospital without their consent • During the filming, one of the patients died in the emergency room • The hospital gave ABC unfettered access, creating a situation where the protection of personal health information was not possible • OUTCOME: The hospital paid a $2.2 million settlement
  • 44. HIPAA Violations – 2018 • In October, Anthem, Inc. (a licensee of BCBS) agreed to pay a record-breaking $16 million after the largest health data breach in US history affected almost 79 million people. https://www.hhs.gov/about/news/2018/10/15/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-health-data-breach-history.html
  • 46. HIPAA Violations – 2018 • In September, three healthcare institutions were collectively fined $999,000 after allowing ABC to film a medical documentary TV series without first obtaining authorization from the patients. ABC didn’t learn from 2013. https://www.hhs.gov/about/news/2018/09/20/unauthorized-disclosure-patients-protected-health-information-during-abc-filming.html
  • 47. HIPAA Violations – 2018 • In June, UT’s MD Anderson Cancer Center was fined $4.3 million due to the theft of an unencrypted laptop and the loss of two unencrypted USB drives. The hardware contained details on 33,500 individuals. https://www.hhs.gov/about/news/2018/06/18/judge-rules-in-favor-of-ocr-and-requires-texas-cancer-center-to-pay-4.3-million-in-penalties-for-hipaa-violations.html
  • 48. HIPAA Violations – 2018 • In February, FMCNA, which provided products and services to 170,000 patients with chronic kidney disease, agreed to pay a $3.5 million fine in a settlement that covered 5 different data breaches. https://www.hhs.gov/about/news/2018/02/01/five-breaches-add-millions-settlement-costs-entity-failed-heed-hipaa-s-risk-analysis-and-risk.html
  • 49. Let’s Talk A Little About Data Breach
  • 50. In February of 2019, there were a total of 101 data breaches which exposed over 2M sensitive records and 417M non-sensitive records. 96% of the sensitive records exposed were through breaches in the Medical/Healthcare sector. https://www.idtheftcenter.org/2019-data-breaches/
  • 51. Almost 15 Billion Records have been lost or stolen since 2013. Only 4% were secure breaches where encryption was used and the stolen data was useless. BreachLevelIndex.com
  • 52. Over 6.5 million data records are lost or stolen every day. http://breachlevelindex.com/
  • 53. 2018 Cost per Data Breach
  • 56. 2018 Cost per Data Breach • The average cost for each lost or stolen record containing sensitive and confidential information was $148 (a 4.8% increase from the year before) • The average size of a data breach was 26,000 records • $148 x 26,000 ~ $3.86 M (increased 6.4% over 2017) https://www.ibm.com/security/data-breach
  • 58. Focusing in on the Data Aspects of Regulations
  • 63. Why We Have Regulations • Improved Security – Establishing a baseline keeps security levels relatively consistent across companies and industries • Minimize Loss – Good practices in place prevent data breaches • Increase Internal Control – Reduce employee mistakes and insider theft • Maintain Trust – Customers trust people who follow set standards • Reporting Consistency – Consistent reports allow audits to go more smoothly
  • 64. Data Standards vs Security Standards • Data Standards: “WHAT” – What information needs to be protected/audited – What you should do if your data is breached • Security Standards: “HOW” – How you should configure your network – How you should configure your systems (e.g., SQL Server, Oracle)
  • 69. What the Regulations Look For • Reporting (and Maintaining) Audit Data • Tracking User Access • Protecting the Data from the Bad Guys (and Watch for Data Breaches) • Planning and Having Good Processes and Response Plans • Assessing Your Risks
  • 72. HIPAA • Tracking – Monitor log-in attempts • Protecting – Protect, detect, contain, and correct security violations – Detect breaches and notify impacted individuals • Planning – Implement security measures to reduce risks and vulnerabilities – Implement procedures to regularly review audit logs, access reports, and security incidents – Implement procedures to terminate access
  • 75. SQL Server Features for Compliance • Reporting – SQL Server Audit – Temporal Tables • Tracking – Object Level Permissions – Role-Based Security • Protection – Authentication Protocols – Firewalls – Dynamic Data Masking – Transport Layer Security (TLS) – Encryption Protocols (TDE, Always Encrypted, Always On)
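As an added example (not part of the IDERA deck), the following T-SQL shows how the access-control and auditing safeguards on slides 15 and 16 map onto the SQL Server features listed on slides 73 through 75: a server audit for login attempts, a database audit specification on a PHI table, a least-privilege role, dynamic data masking, and a temporal table for detecting unauthorized alteration. The PHI database, the dbo.Patient table with SSN and Email columns, the CORP\jdoe login, and the D:\Audit\ path are assumptions.

```sql
-- Added example, not the deck's own code. Assumed objects: database PHI,
-- table dbo.Patient (with SSN and Email columns), login CORP\jdoe, folder D:\Audit\.
USE master;
GO
-- 1. Server audit target. ON_FAILURE = SHUTDOWN fails closed: if the audit log
--    cannot be written, the instance stops rather than running unaudited.
CREATE SERVER AUDIT PHI_Audit
    TO FILE (FILEPATH = N'D:\Audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
ALTER SERVER AUDIT PHI_Audit WITH (STATE = ON);
GO
-- 2. Slide 16: monitor log-in attempts, and record changes to roles and to the audit itself.
CREATE SERVER AUDIT SPECIFICATION PHI_Server_Spec
    FOR SERVER AUDIT PHI_Audit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
USE PHI;
GO
-- 3. Record every read and write of the PHI table by any principal, plus permission changes.
CREATE DATABASE AUDIT SPECIFICATION PHI_Db_Spec
    FOR SERVER AUDIT PHI_Audit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Patient BY public),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- 4. Slide 15: unique ID per user, access granted through a role at the object level.
CREATE ROLE BillingClerk;
GRANT SELECT ON dbo.Patient TO BillingClerk;          -- read only; no UPDATE or DELETE
CREATE USER [CORP\jdoe] FOR LOGIN [CORP\jdoe];        -- one principal per person, never shared
ALTER ROLE BillingClerk ADD MEMBER [CORP\jdoe];
GO
-- 5. Dynamic data masking: members of BillingClerk lack UNMASK, so SSN shows as
--    XXX-XX-1234 and e-mail as aXXX@XXXX.com while the stored values stay intact.
ALTER TABLE dbo.Patient
    ALTER COLUMN SSN ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)');
ALTER TABLE dbo.Patient
    ALTER COLUMN Email ADD MASKED WITH (FUNCTION = 'email()');
GO
-- 6. Temporal table: every prior row version is kept in dbo.Patient_History, which
--    supports the slide 16 requirement to verify that PHI was not altered without authorization.
ALTER TABLE dbo.Patient
    ADD ValidFrom DATETIME2 GENERATED ALWAYS AS ROW START HIDDEN
            CONSTRAINT DF_Patient_ValidFrom DEFAULT SYSUTCDATETIME(),
        ValidTo   DATETIME2 GENERATED ALWAYS AS ROW END HIDDEN
            CONSTRAINT DF_Patient_ValidTo DEFAULT CONVERT(DATETIME2, '9999-12-31 23:59:59.9999999'),
        PERIOD FOR SYSTEM_TIME (ValidFrom, ValidTo);
ALTER TABLE dbo.Patient
    SET (SYSTEM_VERSIONING = ON (HISTORY_TABLE = dbo.Patient_History));
GO
-- 7. Regular review of the audit log (slide 72): failed logins and reads/writes of PHI.
--    action_id codes: LGIF = login failed, SL = select, UP = update, DL = delete.
SELECT event_time, action_id, server_principal_name, database_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\Audit\PHI_Audit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id IN ('LGIF', 'SL', 'UP', 'DL')
ORDER BY event_time DESC;
```

Step 7 is the query a DBA would schedule for the periodic log review; a check of dbo.Patient_History for rows with no matching audit entry is the complementary integrity test.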
  • 79. Oracle Features for Compliance • Reporting – Auditing • Tracking – Access Control – Separation of Duties • Protection – Encryption – Security Monitoring and Alerting – Data Masking and Data Redaction • Assessing – Risk Assessments
  • 82. What Can Tools Like SQL Compliance Manager Do? • Reporting – Capture Activity On Database (DDL And DML) – Track The Behavior Of Privileged Users – Track Who Is Accessing Your Sensitive Data – Track Who Has Changed Your Data And What Has It Changed To – Track Security And Administrative Changes – Track User-Defined Events – Audit System Tables, Stored Procedures, Views, Indexes, Etc. • Tracking – Capture Logins, Logouts, Failed Logins • Protecting – Determine How Much Data Was Accessed In A Breach
  • 83. IDERA Products Can Help You With: • Reporting (and Maintaining) Audit Data – SQL Compliance Manager • Tracking User Access – SQL Compliance Manager • Protecting the Data from the Bad Guys (and Watch for Data Breaches) – SQL Compliance Manager – SQL Secure • Planning and Having Good Processes and Response Plans – SQL Compliance Manager – SQL Secure – ER/Studio Business Architect • Assessing Your Risks – SQL Compliance Manager – SQL Secure
  • 86. In Conclusion ▪ Data breach continues to be a growing problem ▪ Regulations require organizations to: – Report audit data – Track user access – Protect data from the bad guys – Have good processes and response plans – Understand what your risks are ▪ The right tools can help to simplify and automate the auditing process
  • 87. Demo
  • 89. Try any of our tools for free! Email: stan.geiger@idera.com kim.brushaber@idera.com www.idera.com