An HP/Intel Resource Guide

How to Effectively Secure Electronic Health Records

Contents Introduction. ...................................... 2 A Very Scary Story from a Highly Respected Hospital ............. 3 Developing a Blanket of Security for Patients and Your Reputation......... ....................... 4 How Intrusion Protection Can Save You from Savvy Hackers............ 5 Best Practices for Automated Threat Protection................................................... ........... 6 Tips for Protecting Your Network Infrastructure.................................................... ........... 8 Protecting Servers at Launch.................................................... .................................... 10 Beyond Computers: Protecting Medical Devices................................................... ........ 11 EMR Implementation Tips.................................................... ......................................... 11

Copyright MMXI, Hewlett-Packard. All Rights Reserved.

An HP/Intel Resource Guide: How to Effectively Secure Electronic Health Records

Introduction What happens if one of your patients lives in San Francisco and becomes ill in Boston while traveling on business? If medical records were stored electronically, physicians in Boston could provide proper treatment, taking into account any allergies, previous treatments, or even previous test results. If prescriptions were provided to pharmacists electronically, there would probably be a drastic reduction in preventable handwritingrelated medication errors (not to mention bad doctor handwriting jokes). On a more national level, scientists might have the opportunity to analyze trends with much broader bases of data, without the pitfalls of individual patient identification information. Epidemiologists might be able to spot and effectively squelch sudden outbreaks of dangerous diseases. From a business perspective, electronic health records can be valuable as well. Having a well-organized practice with a complete suite of properly encoded records makes it much easier for a physician to sell a medical practice when its time to retire or cash out. Electronic health records also reduce errors when sending information to insurance companies and to all the various organizations involved in patient treatment. The U.S. Government considers the continued practice of keeping paper health records to be so cumbersome and costly that its initiating considerable incentives for health practitioners to migrate to electronic medical and health record-keeping as part of Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009. There are, of course, two sides to the electronic health records coin. Providing ease of access to health professionals also opens the risk of access to those not authorized to view patient information. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 provides for standards meant to secure the security of health records and sets out rules for disclosure as well as disciplinary statutes for inappropriate disclosure. There are risks, however, as recently highlighted by the Los Angeles Times: Roughly 150 people, including nursing staff, X-ray technicians and billing clerks, have access to at least part of a patient's records during a hospitalization, according to the U.S. Department of Health and Human Services. And all of that is before the always-present concern of hacker attack, penetration, and exfiltration of valuable and confidential records, which contain a goldmine of personal information that can be exploited with disastrous results.

Copyright MMXI, Hewlett-Packard. All Rights Reserved.

An HP/Intel Resource Guide: How to Effectively Secure Electronic Health Records

In the ongoing effort to reach HIPAA Electronic Medical Record (EMR) compliance standards, one of the biggest concerns is security. Keeping patient data confidential now falls into the hands of IT professionals and the solutions they choose to compensate for security vulnerabilities. The approach must be comprehensive, automated and absolutely focused on preventing intrusion and blocking attacks even before security has been alerted. Fortunately, there is a better way of doing things. But first, a scary story A Very Scary Story from a Highly Respected Hospital August 2011 was not a good month for Stanford Hospital in Palo Alto, California. It was during the dog days of summer that hospital administrators were informed that data on more than 20,000 emergency room patients had been sitting in the open on a Web site called Student of Fortune for more than a year. The breakdown in trust was almost ludicrous in its execution. Apparently, someone posted a spreadsheet containing patient names, diagnosis codes, account numbers, admission and discharge dates, and billing charges to the student help site. The spreadsheet was apparently posted to Student of Fortune as an attachment, used as a sample when asking for some help creating charts from spreadsheet data. And there it sat, from September 9, 2010 through August 22, 2011, containing information (including psychiatric treatment information) on patients seen in the Stanford Hospital emergency room during a six month period in 2009. You can imagine the disruption and chaos this caused at Stanford Hospital when a Stanford Hospital patient reported the breach. Thousands of patients had to be notified that their data had been released to the public. That was a letter someone at Stanford Hospital sure didnt want to have to write. Then there were the local, state, and federal agencies that had to be notified, with the almost sure guarantee that investigations were to follow. In addition to the necessary reporting (and possible fines), there was the public relations crisis this created. Articles about Stanford Hospitals security breach were published everywhere, from the San Jose Mercury News to the New York Times to the Boston Globe, from CBS News to ABC News, TIME Magazine, ZDNet, CNET, and even Consumer Reports.

Copyright MMXI, Hewlett-Packard. All Rights Reserved.

An HP/Intel Resource Guide: How to Effectively Secure Electronic Health Records

You know what made this even worse for Stanford Hospital? Apparently, the breach didnt occur at the hospital, but instead was the result of a 10-employee sub-contractor, Multi Specialty Collection Services, LLC in Woodland Hills, CA releasing the data. Its virtually impossible to calculate what this one breach cost Stanford Hospital in real dollars. Even so, without a doubt, the hospitals reputation was besmirched, and with even less doubt, key administrators and managers at the hospital experienced some very unhealthy job-related stress. Developing a Blanket of Security for Patients and Your Reputation When patient data was stored in row after row of manila folders, there was some level of protection in the simple fact that to access the data, you had to be physically able to access the folders. Of course, the disadvantages were more profound. Short of regularly photocopying every page in every folder, there was no way to backup patient data, so if something happened to your office (fire, flood, etc.), all patient medical history would be lost. Now, however, once your patient data goes online, it can, at least in theory, be accessed from any computer, anywhere in the world. Thats why, as part of a bestpractices implementation, you should implement a range of tiered network security to protect your practice and your patients. At the simplest level, your firewall tries to insulate your internal network from the outside world. A firewall is inexpensive and blocks certain packets and certain intrusions, but its far from completely effective. You can use it to lock down traffic, and to require that physicians and other clinical personnel be accepted into the system, but you begin to reduce the usefulness of a networked practice, and compromise your ability to effectively treat clients, if you have to disconnect the network to keep it safe. Other simple protection resources include vulnerability scanning, a detector for intellectual property leakage (which includes patient records as well as business and financial records), an IP traffic recorder that keeps a record of packet flow on the network, and even node analyzers and compliance tools to help you find out whats already running on your network (and what individual users may be attempting to add). Intels McAfee subsidiary provides a Total Protection solution designed for consumers, laptops, and endpoint protection. Intels McAfee also provides a wide range of health care-specific solutions that can provide excellent protection, and can provide risk and vulnerability management, help secure medical devices, and can help secure protected health information.

Copyright MMXI, Hewlett-Packard. All Rights Reserved.

An HP/Intel Resource Guide: How to Effectively Secure Electronic Health Records

The way Intels McAfee looks at health care is instructive. They look at protected health information at rest and in motion. Information considered at rest is information residing on devices (even if the devices are potentially mobile, like a laptop). Information considered in motion is information that is actually designed to flow throughout a network, like email and messaging. The way Intel manages at rest information, essentially data thats resting on your hard drive, is through aggressive encryption. McAfee provides full-disk encryption that can secure patient data residing on laptops and desktop computers, mobile device encryption that can encrypt data on mobile phones, file and folder encryption that can encrypt files copied from a server, removable media encryption to protect data copied to those troublesome USB drives, and virtual disk encryption, which supports virtualized environments. Additionally, speaking of USB devices, Intels McAfee subsidiary can also implement device control protocols, which limit whether or not (and which) USB devices can be plugged into a desktop or laptop computer. When it comes to information in motion, information transmitted across a network, Intels McAfee provides network data-loss prevention, which transparently analyzes network traffic to prevent loss or data exfiltration, host-data loss prevention, which blocks patient health information from being sent by a computer, email encryption, and software that encrypts and compresses information being sent between severs. Further best practices include making sure you protect your laptops, both from contracting external viruses, and from infecting your network once brought inside your firewall, along with a simple practice of making sure you install (and understand) all the security updates recommended by your software and hardware vendors. These tools are helpful, but theyre not enough. To thwart the determined hacker or criminal, youll need an intrusion detection system. How Intrusion Protection Can Protect You from Savvy Hackers The human body is an amazing machine. For example, when a foreign invader (like a bacteria or virus) enters an individual, the immune system uses antibodies to recognize an invader as foreign and either tags a microbe for attack by other parts of the immune system, or neutralizes the invader directly. A computer networks intrusion detection system is surprisingly similar. The IDS uses a variety of techniques to identify network traffic as foreign (and threatening), can store

Copyright MMXI, Hewlett-Packard. All Rights Reserved.

An HP/Intel Resource Guide: How to Effectively Secure Electronic Health Records

snapshots of that traffic for later analysis, or can initiate counter-measures immediately (or a combination of the two). There is a paradox in network security and it revolves around a simple thing called port 80. Network programs use different logical ports (port 80 is used for Web browsing, port 53 for DNS, port 21 is for FTP, port 110 is for downloading email, and so forth). Since you must allow some of your users to browse the Web, you have to keep port 80 open to the outside world. Its through this small gap that attacks and infections can get into your network and compromise your security, the same way even a small pinprick in a glove would destroy surgical asepsis. A firewall cant really provide good port 80 protection, but a well-designed intrusion prevention system can, and it can protect in many other ways, as well. In the case of a computer network, your organization may be a specifically-selected target of opportunity, or your organization may simply be part of a sweep, where hackers are feeling out Internet entities, looking for points of penetration. Although you are at risk in both situations, you are particularly at risk if a hacker, competitor, or someone with a grudge has targeted your hospital, facility, or practice. Hackers and criminals often conduct malicious activity and conduct sophisticated attacks in order to gain access to confidential information or cause damage to your systems. Hackers may even occasionally target specific patients in an attempt to gain personal information, cause harm, or interfere with their care. Few organizations have the time to stay ahead of all the new vulnerabilities and exploits developed by hackers the world over, and even fewer organizations have the time to continually write and test detectors that will find and block all malicious traffic while, at the same time, letting all legitimate traffic pass through uninterrupted. You may have heard the term intrusion detection system. The operative word here is detection and, as you might imagine, detection is an information gathering operation. Most intrusion detection systems monitor and report, they dont actively defend. But most healthcare providers cant take the time to painstakingly analyze network reports, especially when that time which could be better used to focus on providing excellent and compassionate patient care. Best Practices for Automated Threat Protection Whats needed, instead, is a system that not only detects intruders, but actively shows them the door. The HP TippingPoint IPS is more than detection; its an intrusion

Copyright MMXI, Hewlett-Packard. All Rights Reserved.

An HP/Intel Resource Guide: How to Effectively Secure Electronic Health Records

prevention system. Its an appliance (i.e., a box) that your IT technician will install on your network and, once installed, will ensure the continued health of all your network traffic. Cyber-attacks, penetrations, and spyware are constant problems on the wild Internet. But your network needs be a safe sanctuary where you can practice patient-centered medicine without concern about foreign invaders. TippingPoint IPS can help block these malicious packets. It can deny hackers the opportunity to fire off a Denial of Service (DoS) attack at your facility. These DoS attacks are particularly damaging, because they can choke your Internet and internal connections, or they can crash critical applications necessary for quality patient care. It can also prevent spyware from gaining hold in your organization and sending confidential information out of your network. TippingPoint IPS can help you remain HIPAA compliant. Lets talk for a moment about your employees, co-workers, and contractors. We all try to hire the very best people, but we also know that there are often a few bad apples in every bunch. Whether theres a person in your organization violating HIPAA law by removing confidential data, a young or immature individual tweeting about a particular caregiving experience, someone who got the job under false credentials extracting financial information, or even a well-meaning but uninformed individual sharing music or chatting during work-time on Facebook, theres often internally-driven network activity that can cause serious trouble down the line. In fact, according to a Verizon 2010 Data Breach Investigations Report, which includes data from both Verizon and the U.S. Secret Service, 46% of breaches and attacks came, not from outsiders, but from personnel operating inside an organizations firewall. Thats why TippingPoint IPS is so important. Traditional network security systems are designed to block troublesome outside traffic from getting into your organizations network. But TippingPoint IPS monitors all your network behavior, both inside and out, and steps in to block nefarious behavior. This, by the way, is no small feat. Blocking outside traffic from coming into your network can be accomplished at a relatively slow speed, because the speed of data flow from the public Internet to your private network is often quite moderate. But the speed of data flow inside your network could be breathtaking, running at gigabit or even gigabittimes-ten speeds.

Copyright MMXI, Hewlett-Packard. All Rights Reserved.

An HP/Intel Resource Guide: How to Effectively Secure Electronic Health Records

Analyzing, filtering, learning, and then decontaminating the flow of critical data must also occur at super-high speeds and only a dedicated piece of computing hardware, built upon high-performance chipsets, can keep ahead of the flow and keep all your users safe. Youve probably heard the phrase, the cure is worse than the disease. When implementing network security systems, its important to make sure the cure is transparent to users and has no side effects. In the same way that compliance is a problem with patients taking medication or performing other prescribed care practices, user compliance is an issue with network protection systems. If your users are slowed down because some network appliance is getting in the way, its only human nature to bypass it. Unlike most other network appliances, the TippingPoint IPS is so fast that theres no discernible latency in network traffic. In fact, not only does TippingPoint IPS prevent intrusions, it also can improve the performance of your network by prioritizing the most mission-critical network activity, constantly cleansing the network, and eliminating unwanted traffic. Health care is, by its very nature, a mission critical operation. Sick patients cant be turned away just because the network is down or a piece of hardware breaks. Many network security appliances fail closed, in other words, when they break or fail, they stop all traffic into and out of the system. Where life and death is involved, you afford to have a network appliance fail closed, and so the TippingPoint IPS, in the very unlikely event that it fails, will fail open, making sure everything continues to run smoothly and you can continue to provide excellent care to your patients. Its not entirely clear that the Stanford Hospital breach could have been completely prevented by TippingPoint IPS, but TippingPoint certainly might have prevented the document from ever having reached the sub-contractor. TippingPoint IPS includes .ZIP file scanning and filters for blocking file transfer access, so had TippingPoint IPS been installed at the hospital, it might have flagged or blocked the file transfer of the spreadsheet document that caused such harm to the hospitals reputation. Tips for Protecting Your Network Infrastructure TippingPoint IPS is very easy to install, use, and configure. When first installing intrusion prevention, consider where you want to install the appliances. At the minimum, install one appliance between the outside world and your network.

Copyright MMXI, Hewlett-Packard. All Rights Reserved.

An HP/Intel Resource Guide: How to Effectively Secure Electronic Health Records

If you have multiple sub-networks within your organization, you might also want to consider installing a TippingPoint IPS between each network transition, so that you can protect different parts of your organization from any attack or hack. In this way, if you do get an infection on one part of your network, it wont be able to infect other parts of your network. When you install your intrusion prevention system, make sure you plan your installation for the least disruption. Because the TippingPoint IPS devices are installed in-line in your network, a small amount of disruption will occur as you unplug and re-plug cables. Consider installing one device, leaving all the filters open and turned off. Wait and see how your organization reacts in order to find areas that require fine-tuning. You can then add a few more filters and protection measures, again waiting to see how your organization reacts. This is the digital equivalent of making sure your patient is responding well to a new drug or treatment before increasing the dosage. Its expected that you might get a few user complaints, because you might not be aware that youre blocking a perfectly legitimate behavior (for example, an FTP upload process for medical imaging from your facility to an outside service). Once youre aware of the issue, it can be solved by allowing FTP for just that pair of connections. In this way, work continues to get done, but youre not opening up your network to FTP access enterprise-wide. You might also get some user complaints because youve blocked users from engaging in the digital equivalent of self-destructive behavior patterns. You may find users who are using dangerous peer-to-peer network programs, users who are actively using instant messaging and social networking during work, and users who are potentially engaged in willful violations of HIPAA requirements. This, obviously, is a big part of why an intrusion prevention system works, and works to prevent internal misbehavior, not just attacks from the outside. It seems kind of a shame you cant attach a TippingPoint IPS device to a teenager, now doesnt it? Another good practice is to do a routine assessment of the logs that TippingPoint IPS produces. A quick look at log files might reveal dangerous patterns of activity, including phishing activity designed to gain more extensive access to your network. You might decide you need to block certain file types, constrain certain additional types of activity, or impose additional restrictions on certain troublesome users in order to protect your patients and your organization. One way to encourage support of an IPS within the organization is to explain to your users that this not only helps patients and the organization, but protects them as well.

Copyright MMXI, Hewlett-Packard. All Rights Reserved.

10

An HP/Intel Resource Guide: How to Effectively Secure Electronic Health Records

No one wants to be in violation of HIPAA or otherwise violate important medical regulations and requirements. TippingPoint IPS can help protect professional licenses by making sure inadvertent digital damage isnt done by medical practitioners. Protecting Servers at Launch In todays highly virtualized data centers, there are a few very low-level components in every server that pose new security risks: the systems firmware, BIOS, and hypervisor. The hypervisor is the low-level system that controls the virtual machines and is the interfaces between the bare metal of the server itself and each of the virtual machines running on a given server. If a hypervisor is compromised by a rootkit attack, the consequences could be devastating. Virtual machines are, by design, meant to be flung between servers and, often, between data centers. A hypervisor on one server could compromise a virtual machine, and then, as that virtual machine image is run on subsequent servers, it, in turn, could compromise those servers. The problem is the hypervisor launches before the main operating system components, and therefore launches before any sort of traditional anti-malware software could operate. This is why the attack is so juicy to attackers and so damaging to IT managers. One practical solution is to embed a defensive architecture in the silicon of the processor itself, and this is just what modern Intel Xeon processors provide. Intels Trusted Execution Technology (TXT) validated the behavior of key components within the server at the pre-startup phase. Intels TXT must establish that the critical subsystem components can exist in a root of trust before the Xeon processor will allow the system to boot into production operation. When a system is powered on or rebooted, the TXT system first compares BIOS, firmware, and hypervisor against known good snapshots stored in a Trusted Platform Module (a hardened snapshot archive used for validation and verification). The Intel Measured Launch Environment first compares the firmware and BIOS against known good variations. Only if they are found to be safe, it then moves on to the hypervisor. The hypervisor itself is also compared against a known good environment, and, if validated, the system is then, and only then, permitted to launch into production. While this silicon-level protection is only one part of Intels enterprise-wide security offerings, its a critically important innovation in processor design and data center security.

Copyright MMXI, Hewlett-Packard. All Rights Reserved.

11

An HP/Intel Resource Guide: How to Effectively Secure Electronic Health Records

Beyond Computers: Protecting Medical Devices Malware is nasty, nasty stuff. In a health care environment, not only can malware damage your computers, it can wreak havoc on other health care devices. You may not be aware of it, but your MRI machines, heart rate monitors, and charting tablet computers are also at serious risk. Here, Intels McAfee subsidiary is back with some interesting, special-purpose medical device solutions. Theyre able to protect thin-client devices, as well as MRI-CAD scanners. They incorporate low-footprint integrity checking and, in many cases, your medical device vendor will have already built in some McAfee security into their premarket approved builds. EMR Implementation Tips Moving paper records to a digital format is a large undertaking, but it can have very positive results from both a business point of view, and from the perspective of improving patient care. While some seasoned physicians may believe that electronic records get in the way of a good bedside experience, the opposite can be true. Having good records on-hand arms doctors and nurses with more information about patients and enables better interaction. By the way, EMRs are not just for hospitals. Many small and medium-sized practices have implemented EMRs. In fact, electronic records can make your small office more effective and help you have the chance, if youd like, to grow bigger with less cost. Your assistive staff can spend more time assisting you and patients, and less time filling out forms. Now, thats a win-win. Its important to understand how simple EMR systems can be, after just a little training. In fact, EMR systems do more than just increase productivity and improve quality of care. After a lifetime of dedication to the medical field and to patients, for many physicians contemplating retirement, a medical practice is often not only their lifes work, but also their single most valuable financial asset. Its encouraging to note that EMR systems can increase the value and liquidity of a medical practice, making it more attractive for buyers as a turnkey purchase with fewer interruptions in patient care. Storing patient records has always presented security challenges, but with resources like the TippingPoint IPS, its possible to have electronic patient records that are

Copyright MMXI, Hewlett-Packard. All Rights Reserved.

12

An HP/Intel Resource Guide: How to Effectively Secure Electronic Health Records

substantially more secure than paper ones, especially when you consider the backup potential for electronic records. Here are a few final tips to make sure youre successfully implementing electronic records: Make sure you carefully consider your implementation. Dont just delegate it all to your IT contractors. Many EMR providers have excellent training programs. Be sure to avail yourself of these programs. Youll be surprised how interesting and powerful EMR can be for your practice. Training will help you get all you can out of your new systems. Some EMR vendors will claim the processes you currently perform on paper will be exactly the same with electronic records. You wont have to change your practice in unpleasant ways, but there will be new procedures and processes youll want to put in place. After all, you do want to save as much time and money as possible, dont you?

Finally, make sure to involve your nursing staff in your planning process. Nurses are patient advocates as well as treatment managers. Theyre going to have the most hands-on experience with charting in a clinical environment. Theyll help make sure your practice or facility gets the most patient-centered and efficient system possible.

This report is a result of primary research performed by CBS Interactive (CBSi) on behalf of HewlettPackard (HP) and Intel. Unless otherwise noted, the entire contents of this report are copyrighted by HP. As such, any information made available in this report may not be copied, reproduced, duplicated, published, displayed, transmitted, distributed, given, sold, traded, resold, marketed, offered for sale, modified to create derivative works or otherwise exploited for valuable consideration without prior written consent by HP. Although the information in this report may have been obtained from and/or based on information from sources that CBSi believes to be reliable, CBSi does not guarantee the accuracy, and any such information might be incomplete or condensed. This report is for information purposes only and all responsibility for any interpretations or actions based on the information or commentary contained within this report lie solely with the recipient.

Copyright MMXI, Hewlett-Packard. All Rights Reserved.