And welcome to the Certified Healthcare Information Systems Security Practitioner course. The CHISSP will be focusing on all of the areas related to the healthcare industry. So we'd like to start this off with a brief introduction. My name is John Glover, and I will be leading you through the various domains of this particular area of information security collateral. It's a very complex and very intensive area to consider in relation to information security, so there may be a lot of brand new information and concepts presented to you, even if you are a fairly well informed and articulate information security professional. So bear with me as we move forward.

What we're attempting to provide to you today is the scope and capability of knowledge that would normally be contained within the Certified Information Systems Security Professional designation, the CISSP, as promoted by (ISC)². However, we're going to shift the emphasis of this information to provide a strong focus on issues related to the healthcare industry.

So if we look at this course, there are a number of chapters. The first of these is, of course, understanding the healthcare industry and all of the idiosyncrasies of that particular industry sector. The next thing we want to look at is where the regulatory environment has to pay special attention to healthcare-related issues due to privacy and confidentiality concerns. Next, we really want to focus in on privacy and security in healthcare, and the fact that healthcare information is extremely personal and very useful to attackers, or to people who would like to take advantage of and compromise individuals who are undergoing any healthcare activities. So we want to think about the way that we manage information in the healthcare environment from the point of view of governance, and treat everything from a risk management perspective.
So governance, risk management and compliance become a very large component of what we're talking about. Then we have to think about information from the perspective of how we handle the risk assessment, and, let's call it, the areas of activity where healthcare information could be exposed, and what additional mechanisms or procedures need to be put into place in order to cover the ground appropriately. And finally, we'll start talking about those other areas of the industry where the healthcare provider, or the providers of tertiary healthcare services, may not have as much control as they would like, because there are a number of third parties that get involved in this process. So we have to think about risk management not only from an informational perspective but also in terms of how we handle the third party, the vendor, the provider of tertiary services, as well as the actual healthcare delivery itself.

So what we want to try and achieve during this course is to give you specialized knowledge and skills. This is important so that you can understand and provide good, competent advice to the healthcare delivery system, so that they know that the information security prerequisites have been taken into account. We want to prepare you to apply this knowledge and give you some extra skills so that you can in fact be a viable participant in the protection of healthcare information. You need to understand the importance of recognizing and respecting what healthcare information really means, and how viable or volatile it can be if it's not managed properly, to the highest standards that we expect for information security, confidentiality and privacy.
And hopefully we will give you an opportunity to cross-correlate this particular course and its content with the scope of knowledge that would normally be provided by the Certified Information Systems Security Professional, the CISSP designation. That gives you an opportunity to take that collateral and shift it and focus it onto healthcare-related matters as a specialty area. So: the Certified Healthcare Information Systems Security Practitioner. A different spin on information security as traditionally thought of through the CISSP lens.

Let's just go through a brief reminder of the scope of the material that we'll be looking at: the healthcare industry, the regulatory environment, the privacy and security focus, information governance, risk management, compliance, information risk assessment, and a look at the third parties, the vendor community, those people who provide products and services to the healthcare delivery system.

So, domain number one: the healthcare industry in and of itself. This is going to be a very heavy-duty, perhaps very fresh, new concept area for many people who come at this particular discipline from an information technology focus. So we need to think through what makes the healthcare environment so significantly different that we have to look at it through a different lens. We'll have an introduction to the healthcare industry in and of itself. Then we'll understand that the healthcare environment is made up of a variety of healthcare sectors. And then we start thinking about the information technology aspect of healthcare and all of the tools and techniques and support services that information technology delivers to the healthcare system: digital health records, health information exchange, and the various technology activities that take place, MRIs, ultrasounds, all of these areas where information technology plays a very strong component part.
Then we have to consider what happens after the fact, when the healthcare service has been dispensed. How do we deal with the actual cost and benefit of the healthcare activity or experience that we have just undergone? So we have to look at the various capabilities of the healthcare insurance industry and try to understand the various opportunities and aspects of healthcare insurance that cause us to have to reconcile all of our costs against our benefits. And we start thinking very seriously about the mechanics behind billing, payment and reimbursement.

So we have to look at things like workflow management. What happens from the time that you have your first exposure to the healthcare delivery system, when you come into a healthcare environment and a healthcare record is created for you, and it follows you through your treatment process until you have in fact achieved the health objective that you were looking for? There are various rules and regulations that control this, not the least of which is the HIPAA Act, the Health Insurance Portability and Accountability Act. And there are other government regulations that fall into place to make sure that there is equity and completeness in the way that healthcare is delivered and the way that healthcare is paid for, whether it be personal pay, or through the medical insurance capability, or through some type of government subsidy.

We have to think now about all of the data that gets massaged and created during the healthcare experience, understanding that a lot of this data is captured for after-the-fact evaluation to support things like clinical research, better care experiences, greater understanding of the various morbidities within the health system, and how data management and data awareness can help to create better patient care and more health safety. And then of course we look at those external third parties. Who are they? What do they deliver to us? What are the concerns?
What are the constraints? What are the relationships that the healthcare delivery system has to develop with those third parties to make sure that information security is being sponsored and maintained in a very cohesive, very complete manner? There will be a lot of data sharing, and we have to understand that. So there have to be guidelines and rules as to how that data can be shared, and what some of the intrinsic requirements are to ensure that it's being properly protected. We're going to dig into the health information management process a little bit to understand what health data looks like and what some of the medical, legal and social restrictions or concerns are related to this area of activity. And then we'll do a brief summary. So there is going to be an awful lot of new concepts and issues uncovered through this particular domain. This is a heavy-duty domain.

So the healthcare industry: it's a composite. Many markets, many occupations, many industry sectors. If you think it through, you have a whole wide spectrum of capabilities, all the way from the doctors, the nurses, the clinicians, the professional caregivers, through to the laboratories, the pharmaceutical companies, the pharmacies, government agencies, insurance companies, the transportation and logistical support systems, ambulances, medevacs, all of these kinds of things that are put into this composite called the healthcare industry. The healthcare industry segment is different from many others, but we have to realize that they all have the same risks. There's always a chance of exposing confidential patient data, regardless of whether you're inside the healthcare delivery environment or providing external support services through one of the many other agencies that are part of the whole healthcare experience. The primary focus: providing the best care to the patient, and protecting personal health information, known as PHI.
It's a critical necessity to understand the healthcare environment and the scope of all of these external and internal entities to be able to recognize and manage the risk. That's where we're at, and it will ultimately protect the business and the operations if we understand it properly and can deal with it from an end-to-end relationship.

So, understanding the healthcare environment. This is a very interesting area that is not totally well understood. Healthcare these days is very specialized. There are highly technical procedures, lots of tools and techniques. This enables more precise diagnosis and treatment. Some would say that it's somewhat impersonal, but it does extend our ability and our health lifespan. So physical health and quality of life have obviously been improved by this, and we can see people living very active lives well into their 70s and 80s. There are many government programs, such as Medicare and the Affordable Health Care Act. Many other countries globally have brought forward many of these changes, and the U.S. has become a recipient of this capability.

If we look at the healthcare industry from a very top-down view, there are two areas. There's Medicare and the similar initiatives, and there's consumer-driven healthcare. What we're talking about here is employers and insurers adapting to various healthcare delivery changes to make their consumers more price-conscious, so that we don't automatically go into the emergency room at the hospital when we get a sniffle or some minor health indication. We understand that there is a cost involved in delivering these kinds of services, and that it definitely impacts the overall, let's call it, price points for delivery of similar services. So what we're talking about is making an opportunity available for the consumer to be more involved in the actual delivery of healthcare. So we've got social media. We've got online nursing advisory services.
We have all kinds of web pages that have some type of diagnostic information for various types of medical morbidities. And this gives us an opportunity now for things like the Internet to allow interaction between the healthcare person who wants the service and the system that can deliver the service. Very interesting trends toward more, let's call it, deployment down to the endpoint of the actual healthcare delivery capability. So we now have technology acting as an assist, so that we can very quickly respond to any kind of changing demand. And so we're now talking about things like the Internet of Things, where there are devices that can be implanted, like wearables, that provide an opportunity for remote management of the health of an individual, where we can actually, through the Internet, activate or access something like a heart monitor or a pacemaker, or any of these other kinds of, let's call them, blood testing devices that could be worn by the patient and accessed remotely.

And of course, because of the capability to travel and move around the world, healthcare becomes one of the fastest growing industries. Changing demographics, rapid entry of tools and techniques. So the issue is that all of this activity is creating a fairly high level of stress for the industry. That's something the industry has to be cognizant of, and it has to put the proper price point capability in place to make sure that it can continue to support this rapidly evolving area. So lots of dynamic growth, but healthcare responsibilities today are the same as they were in the past: the best level of health capability, and safety of information. We want to make sure that the trained and licensed professionals get the tools they need to do a cheaper, better, faster job of providing healthcare.
And we're also concerned about the personal information that has to be available to all of these professionals in order to deliver the healthcare, while reminding ourselves about the dignity and the privacy of the patient. So the goal is to deliver the care faster, more economically, and with better outcomes, all the while making sure that we are honoring the dignity and privacy of the patient.

The healthcare environment has a number of challenges. As you can tell, if it is becoming a global healthcare industry, there will be concerns about standardization. We also have to be concerned about the technology, because, as we know, many of these delivery systems are computer assisted. And if we understand what's been going on in the evolution of the computer industry, there's constant change and all kinds of development taking place that needs to be able to track the way that the medical system delivers its services. So think about the fact that we have an ultrasound or an MRI that is being driven by a computer, perhaps a personal computer or a desktop, and it may have an obsolete operating system on it. Now we've got to be concerned about how we keep that technology current so that the MRI or the ultrasound can continue to deliver the quality of care that is expected. And of course, as costs go up and budgets go down, the first thing that gets impacted will likely be the qualified people who need to deliver this service. So now we need to put some kind of overarching standards in place, some regulation or statute, that will allow us to manage this dynamically changing environment that we're being faced with. What we're trying to do is regulate quality, affordability, portability and security. This healthcare industry is one of the most heavily regulated industries in the world.
And what we're trying to do is guide the government in their supervisory responsibility to make sure that we can continue to address this increased demand for healthcare services. It's not going to get less expensive, so we need to find all sorts of ways to optimize that will give us an opportunity to take advantage of what the technology can do for us.

So let's look at a couple of the various healthcare sectors. This is a very interesting observation of the number of areas that get involved in healthcare. Many types of organizations fall outside the large general hospitals: walk-in clinics, extended care facilities, all of these. Hospitals in fact may be specialized. They may be psychiatric. They may be rehabilitation only. They may be extended care facilities. Maybe they're palliative. Maybe they're medical group practices and clinics that have nurse practitioners involved. It could be any kind of healthcare organization. Occupational therapy, cardiology, pulmonology, neurology; it could have any kind of a specialty. Perhaps you had someone who specialized in feet, or somebody who specialized in hearing loss, or somebody who specialized in sight-related issues. Many medical services, many medical groups offering diagnostic testing, outpatient surgery, and similar types of care that would normally have been delivered through the central medical facility.

So you start thinking then about the various healthcare sectors. All of these need to be taken into account, and this is where the personal health information of a particular patient would be available and would be moving through these various healthcare sectors, and have the same sort of threat and risk assessment associated with them regardless of where they were. In many cases, it might be a home care type of issue: assisted living services, or nurses on call, or any variation of a similar nature.
So we have to start thinking from a much more global perspective as to where this PHI, this personal health information, is going, and how it's being managed and maintained.

Then there are the various types of organizations that are involved in how we pay for these services. We have HMOs, or we have the preferred provider organization, or we have the point of service, and combinations of each. And we also have people providing other services, like the ability to store images, or the ability to store health data records, or the ability to provide specialist information services. So we have this concept of the HMO, where you have several hospitals and you have a group like Kaiser Permanente, as an example, or any of the others of a similar nature. Then you have the PPOs, where we have a network of physicians and hospitals that are more focused, and they in fact have a clientele that has been accumulated over time; unless you're a client of the PPO, you wouldn't go to them for any of these kinds of medical services. Or we may have walk-in clinics, point of service areas where we just go in and get our healthcare activity taken care of and pay for it over the counter. And so we now need to have some kind of basic information management in place.

So information technology in healthcare becomes a really big deal. Let's take a hard look at information technology in healthcare and see where we go with this. If we look at the ways that medical data are handled these days, there's the concept of an electronic health record. But the issue is that there are actually three electronic health records. There's the one for the hospital, there's the one for the pharmacy, and there's the one for the doctor community. So we're trying to combine these three into a single integrated electronic health record that will be manageable and highly controlled. And this is where rules like HIPAA come into play.
So, digital health records, perhaps contained on an ID card that would allow the patient to present the card when they go for healthcare delivery, and all of their historical information would be in place. Now, if this particular database, if you like, for that patient is not well protected, we have a serious problem on our hands, not the least of which is identity fraud. We can in fact have a whole bunch of information on that record, including previous, let's call them, medical events, medical experiences, and the ways that those healthcare activities were paid for, through a credit card perhaps, or through some kind of special billing arrangement. This information has significant value for hackers and crackers, and a lot of organized crime is in the business of harvesting this information and making it available, at a high price, to people who have a negative intent to do bad things with it. So we have to worry about how well the HIPAA Act is providing protection for this particular area.

The other issue we have to be concerned about is that if in fact we go with the Internet of Things, and we have wearables and the ability to implant devices that are IP addressable and wireless, we now have a problem with the hacker community, where a device could be manipulated by a malicious intruder who could steal significant information, or in fact modify the actual medical process that this particular implant was managing, to the point where it could change the medication and perhaps create serious damage, not the least of which could be death. And that's something that we didn't really consider when we were thinking about information technology as having these three legs of confidentiality, integrity and availability. Now we've got this other issue to worry about that could cause serious problems.
So we have to not only deal with the top three, but we have to deal with the way that the various innovations in information technology manifest a range of capabilities that we had not thought of earlier. So we now have other issues that we have to deal with. As we know, there are many opportunities for getting some kind of financial recompense: class action lawsuits. If in fact this threat is extended to the Internet of Things and IP addressable implants and medical services, can you see the layers of concern that healthcare providers might have? The legal system will be watching this extremely closely. So we've got these issues that we have to deal with from a very different perspective.

So the electronic health record has information from all of the doctors involved in a patient's care, and can be accessed by those authorized doctors and shared with anybody: insurance companies, government agencies, laboratories, specialists, other patients, and employers, following that patient wherever that patient goes, to a different facility or location. So we have this concept that the healthcare record actually follows the patient, because the patient has some token or some indication of who they are, and that relates back to the electronic health record for them specifically. Then we've got this personal health record thing, and we're talking about managing it on a per-person basis rather than on a medical delivery history basis. So we now know what all of the various medical concerns might be for an individual patient: drug action, reaction, interaction, those kinds of things, or whether they've got some kind of lingering medical issue that has been dealt with over time. So we now have to take a look at digital health records and how we manage them in some kind of an information exchange. If you think back perhaps 20 or 30 years ago, the areas to focus on in healthcare technology were extremely different between yesterday and today.
We now know that we have different technologies and we have concerns about interoperability, so we have to have standards in place in order to be able to manage the whole information security spectrum appropriately. So what we're now talking about is: what are the formatting and handling concerns that we would have with this medical data? It's a major concern, and unfortunately a lot of this evolved without really thinking through the impact on information security. The technology was rapidly introduced without really thinking through what had to be added in to make sure that the information would subscribe to confidentiality, integrity and availability. So now we call this whole area information governance, and we're trying to deal with issues related to access, related to confidentiality, and related to disclosure. And it doesn't matter what the medium is. It's either in paper or electronic format, but both of them contain information about treatment, chronological progress, various after-discharge medical activities that have to take place, and all of the book work that follows after the delivery of the healthcare. So this is a very, very complex area, and one that has to be thought through quite carefully.

And then there's the interoperability between these vendors, these third-party folks. This has always been a bit of an enigma for information technology per se, where we always had other equipment manufacturers and we always had various protocols and standards that had interoperability problems. Well, now this is going to be happening in spades in a medical environment, where we have a variety of vendors that have different development and programmatic standards. And much of the vendor product is proprietary, which means that if we tried to get in and achieve a standard between all of these vendors, there's going to be resistance.
And so it's going to be difficult to get it all lined up appropriately so that it can act as a very seamless, congruent EHR type of format. So the electronic health record, we could say, is still a work in progress. An open standard has been developed, but we're still at the point where deployment has not been completed.

So we start thinking about this. We start thinking about how we then develop a health information exchange that has the capability to deal with all of these organizations that are external to the healthcare delivery, like the government and the private organizations. We call this the HIE, the Health Information Exchange, which means that there have to be a number of preamble and postamble capabilities to make sure that information coming in can be standardized for processing purposes, and then can be exported back out to the various external organizations, where it might have to be reformatted back to their original requirements in order to maintain this interoperability. But it's going to be a real challenge. We have to get the stakeholders coming together. They have to develop and implement a standard of services and policies to make sure that this HIE will be a viable way of managing all of this information. A managed channel for health information to improve the quality and safety of patient care: that's the bottom-line expectation that we're looking for here.

So if we do this well, then obviously there will be a lot of benefits, not the least of which will be advising patients about what they can do to take responsibility for their own healthcare. Perhaps helping public health officials make decisions that allow society to take advantage of the latest developments in healthcare without any serious conflicts. And understanding that there's a requirement for ongoing health-related research, how do we get access to the information from actual practice to be able to support that?
Can we in fact use this HIE to help us deploy emerging technology and still maintain the information security aspect of it, so that it's happening in a very seamless, non-threatening manner? This will also support the technical infrastructure, which will give us leverage both at the national and the state level, so that we can get some type of progress between entities and organizations across the country and in fact globally. So what we're trying to do is harmonize all of the issues related to digital health records so that they can deliver these benefits.

We start thinking about this. We have a common health record, a common method developed called the PHR. What this is going to do is focus on preventative health control and personal devices, because if somebody has an implant of some kind, then that has to be noted on their personal health record. And if in fact they're using monitors for blood sugar, for fitness, for sleep cycles, for all of these, what we're trying to do is correlate different pieces of information into one central location. Electronic monitoring devices can report to a data repository, which can create some kind of an action item. So that means that the connectivity on the Internet can be almost anywhere, and it will eliminate the requirement for paper records, which always get out of date and get misfiled or lost, or are not appropriate for the particular activity at the time. And the issue now is trying to make sure that this would all come together congruently so that we wouldn't in fact exacerbate the problem that we already have. So as you can see, digital health records and health information exchange are going to be a very strong element of healthcare delivery.

So who pays for all of this? Well, if you stop and think about it, there are a number of capabilities. There is the Social Security Act.
There is Medicaid, and there are the areas where we talked about the HMOs and the PPOs and the other ways that organizations can receive reimbursement for the delivery of healthcare. So Medicare deals with people 65 years and above, and allows access to medical care for folks who are disadvantaged, perhaps indigent, blind, or disabled. With the HMOs, patients pay a premium. Service delivery is restricted to providers in the HMO network, but at least it's under a prepaid type of system. If the patient receives care from the providers that have been aligned with the HMO, it might in fact be a preferred provider organization. That's the type of thing that we would expect on a fee-for-service activity, a medical insurance premium of sorts. Or it might be a point of service situation that combines both of these. So the issue is that we have to determine ahead of time how this medical delivery is all going to be paid for, because at the end of the day there is a real cost and it has to be recovered.

You could say that typically today, if you're an employee, you would get health insurance from your employer. If the employer is exposed to some kind of a system where there is equal access across all of their employees, then that's going to raise the cost of doing business. And that's become a bit of a pushback from many organizations that say, you know what, we just can't afford this. And the issue is that it's taken a while for the U.S. specifically to get to this point, and now they have a leap to make to catch up with other countries that are ahead because they had significantly lower healthcare costs under a different model. So then we have to think about the issue related to Obamacare. This was intended to make healthcare affordable to Americans. However, guess what? We had to come up with some kind of medical classification. And that medical classification determines how the industry can actually charge for particular medical delivery.
So we have an industry standard medical code number. This codification system is used by everybody that's involved in the back office part of it: the government health programs, private health insurance, workers' compensation, all of these areas where we have to have some kind of tracking mechanism to determine what particular medical capability was delivered, how it is codified, what the standard charges and rules and regulations related to that delivery are, and how we recover those costs in a very equitable and non-threatening manner. So we now have to be sure that there's lots of editing and validation on the coding of these various morbidity types, to make sure that patients are going to be treated correctly and that the payment will be the right amount: they won't be denied, and it won't be paid too much. And so there's a standard for billing and payment. Medical codes have unified healthcare, and as a result, life is a lot smoother after the fact when we're trying to recover the costs for healthcare. Coding determines which healthcare services are reimbursed and how much is paid. Standard billing and payment. Medical codes have been a godsend for that particular area.

But then let's look at some of the medical classifications. This ICD is the universally accepted method, but it changes over time because of the World Health Organization. And so if you don't have this ICD, the International Statistical Classification of Diseases and Related Health Problems, in your billing system, then you're using the wrong parameters for the right code. And so this becomes a bit of a challenge. As early as 1928, they came up with a study by the health organization of the League of Nations. And they called this the Bertillon classification, to remember the person who actually discovered it, a fellow by the name of Bertillon.
This ICD is, I think, at release level 10 these days, and lots of healthcare delivery systems, insurance providers, and third-party provisioners of healthcare support services are having difficulty retrofitting their billing systems to accommodate the latest ICD standard. So it's a bit of a challenge. If we think about medical classification, what we're trying to do here is talk to the various medical entities and come up with some kind of simplified form that would allow HIPAA to become the governing capability. So we had the Centers for Medicare and Medicaid Services determining how quickly organizations would be able to retrofit to ICD-10. It was intended for readiness by October 1st, 2015, and for sure there are a number of organizations worldwide that have yet to achieve that readiness level. So, billing, payment, and reimbursement. If we start thinking about the cycle that happens, we can see that healthcare organizations have to contract with insurance companies to get reimbursed. The rates are pre-negotiated. Medical billing is nothing but submitting a claim against the insurance, but they have to use the correct ICD codes and the correct level of codification to make sure that the rates they're actually claiming are in line with where the industry is currently. So the patient visits a hospital, gets logged into the system, and the medical billing process starts. Medical codes are assigned to the patient record. The claim is sent digitally from the hospital or healthcare provider to the patient's insurance company. In some cases there's a clearinghouse that processes the claim before it gets submitted to the patient's insurance company, if they have one. Or they might use one of the other end-of-service payment options available, like the PPOs or patient pay, and there could be a shared payment arrangement. 
So we now need this concept of a healthcare clearinghouse that reformats the various claims, makes sure that the HIPAA transaction format is correct and that the ICD codes are correct, and then digitally forwards this clean claim to the third-party payer, which speeds up the actual reconciliation of that payment. Or the patient may have co-insurance, and that co-insurance may be some kind of a percentage split depending on the way the insurance scheme is put together, 70/30, 80/20, 90/10, whatever the combination might be; that means the patient has the liability to pay their share before that claim goes to the third-party payer, to make sure that the actual medical facility has done their job appropriately. So, guess what? Lots of workflow management. What we're trying to do now is take that healthcare data and make sure it gets to the appropriate entity throughout the medical, let's call it delivery process, and after the fact, so that everybody involved in the actual payment process and the billing activity is included in this workflow management. And as this healthcare information moves from one entity to another, it obviously needs to have some controls in place to make sure that nothing can happen that would cause a problem. There are various things we might expect workflow management to include, and this list is certainly not all-encompassing, but it might in fact include things like discharge processes and notices of privacy practices. There might be some kind of follow-on. There might be some way of getting the information for that particular morbidity into the Centers for Disease Control. And there may be other kinds of activities that take place so that health research could benefit from it, perhaps. So all of these things come into this concept of workflow management. 
Now obviously, when this information is moving from one entity to another, the CIA triad comes into play big time. And the issue here is segregation and separation of duties: who should in fact be privy to that information as it flows from one particular entity in the healthcare system to another? Workflow management uses HIPAA's electronic transaction and code set standards to make sure that the international codification scheme, ICD-10, is taken into account. It supports clinical decision-making by making sure that the information is available to the right users. It also reduces clinical and administrative activity by making sure that the data is changed only by authorized users. So here's where segregation and separation of duties comes in. And it keeps unauthorized access under control, to make sure that confidentiality and privacy are observed. Now what we need is to focus heavily on separation of duties to restrict fraud and conflict of interest, particularly when it comes to anything dealing with cash handling as a method of payment. And so what we're trying to do here is use the HIPAA digital transactions and codes to aid the coordination that is involved in ICD-10. So it's probably an opportune time to take a really hard look at the Health Insurance Portability and Accountability Act. This is an act that was passed in 1996. It has had a number of iterations, and it created a whole bunch of issues related to privacy and security. The goals, obviously, were to allow continuous health insurance coverage as people moved from job to job or location to location, and to reduce health care fraud and abuse. Many states in the U.S. had laws to protect their citizens' information from going outside the state jurisdiction, but across the U.S. this particular capability was not as consistent as it needed to be. So that was the rationale for the federal HIPAA Act. 
And the whole benefit of this was to reduce health care fraud and abuse. But there is more. Mandating industry standards for health care information is also part of HIPAA. It makes it necessary to handle PHI on a confidential basis. And so we've got a number of rules: the Privacy Rule, the Security Rule, the Omnibus Final Rule, and the HITECH Act. So we've got a whole bunch of rules that apply to all forms of PHI, whether it's paper or oral or electronic. HIPAA deals with all of the electronic pieces, but there are other rules in place like the HITECH Act, and the HITECH Act is the one that has the major amount of teeth in it. Then there is the HIPAA Enforcement Rule. What the rules state is that there are certain permissible uses and disclosures of PHI, and that if you don't have the required safeguards or the required patient access controls, you're not going to be able to meet the HIPAA rules. It's also a problem to have uses or disclosures of more than the minimum information necessary for actually delivering the health care. So you've got to be able to compartmentalize the information and deliver just exactly and precisely what's required for the actual health care activity to take place. Many of the complaints that came prior to HIPAA coming into effect were very rampant and very disjointed. Now HIPAA has dealt with at least 94% of the complaints by providing a basis for standardization. The health care industry has laws, and these laws are related to various types of morbidities. If you're talking about, for instance, HIV/AIDS, sexually transmitted diseases, substance abuse, alcohol or drug addiction, mental illness, or genetics, these are all taken care of by the HIPAA rules, the compliance rules. So the cost of health care breaches, as you can understand, can be significant. 
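As an added example (not part of the course material), here is the claim workflow described above in code: a constructed "minimum necessary" field policy per party, a separation-of-duties check between the person who codes a claim and the person who approves it, and the clearinghouse's ICD-10 format scrub before the claim is forwarded to the payer. The field names, roles, the sample record and the ICD-10 pattern are assumptions; the pattern checks code structure only, not membership in the current ICD-10 release.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical "minimum necessary" policy: the fields each party in the
# billing workflow may receive. Constructed for illustration; HIPAA does not
# prescribe a field list, it requires each covered entity to define one.
MINIMUM_NECESSARY: Dict[str, Set[str]] = {
    "clinician": {"patient_id", "name", "dob", "ssn", "icd10_codes",
                  "procedure_code", "clinical_notes", "charge", "member_id",
                  "payer_id"},
    "billing": {"patient_id", "dob", "icd10_codes", "procedure_code",
                "charge", "member_id", "payer_id"},
    "clearinghouse": {"patient_id", "icd10_codes", "procedure_code",
                      "charge", "member_id", "payer_id"},
    "payer": {"patient_id", "dob", "icd10_codes", "procedure_code",
              "charge", "member_id"},
}

# Structural check for an ICD-10-CM style code: a letter other than U, a
# digit, an alphanumeric, then optionally '.' and 1-4 more alphanumerics.
# Format only; whether the code exists in the current release is a separate
# lookup against the code set (assumed pattern, not an official definition).
ICD10_RE = re.compile(r"^[A-TV-Z][0-9][0-9A-Z](?:\.[0-9A-Z]{1,4})?$")


@dataclass
class Claim:
    data: Dict[str, object]
    coded_by: str                      # user who assigned the medical codes
    approved_by: Optional[str] = None  # must be a different user (SoD)
    audit: List[str] = field(default_factory=list)


def disclose(claim: Claim, role: str) -> Dict[str, object]:
    """Return only the fields the role is entitled to, and log the release."""
    if role not in MINIMUM_NECESSARY:
        raise KeyError(f"no disclosure policy for role {role!r}")
    allowed = MINIMUM_NECESSARY[role]
    view = {k: v for k, v in claim.data.items() if k in allowed}
    claim.audit.append(f"disclosed {sorted(view)} to {role}")
    return view


def approve_for_submission(claim: Claim, approver: str) -> None:
    """Separation of duties: the coder may not approve their own claim."""
    if approver == claim.coded_by:
        raise PermissionError("coder cannot approve own claim")
    claim.approved_by = approver
    claim.audit.append(f"approved by {approver}")


def clearinghouse_scrub(claim: Claim) -> List[str]:
    """Clearinghouse step: validate code format on its restricted view.
    Returns the malformed ICD-10 codes (an empty list means a clean claim)."""
    view = disclose(claim, "clearinghouse")
    return [c for c in view["icd10_codes"] if not ICD10_RE.match(c)]


def submit_to_payer(claim: Claim) -> Dict[str, object]:
    """Forward a clean, approved claim; the payer gets its own minimal view."""
    if claim.approved_by is None:
        raise PermissionError("claim has not been approved")
    bad = clearinghouse_scrub(claim)
    if bad:
        raise ValueError(f"malformed ICD-10 codes: {bad}")
    return disclose(claim, "payer")


def sample_claim(codes: List[str]) -> Claim:
    """Constructed sample record (fictional patient, fictional identifiers)."""
    return Claim(
        data={
            "patient_id": "P-0001", "name": "Jane Sample", "dob": "1960-01-01",
            "ssn": "000-00-0000", "icd10_codes": list(codes),
            "procedure_code": "PROC-EXAMPLE", "clinical_notes": "routine visit",
            "charge": 150.00, "member_id": "M-123", "payer_id": "PAYER-1",
        },
        coded_by="coder_alice",
    )


if __name__ == "__main__":
    claim = sample_claim(["E11.9", "ZZZ"])
    print("malformed codes:", clearinghouse_scrub(claim))  # ['ZZZ']
    good = sample_claim(["E11.9"])
    approve_for_submission(good, "reviewer_bob")
    print("payer receives:", sorted(submit_to_payer(good)))
    print("\n".join(good.audit))
```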
And if you've been paying attention to any of the press recently, hospitals and academia seem to be the targets of choice, because a whole bunch of information is contained within their specific databases that might not be available in other industry sectors. And so we've got things like the Hippocratic Oath. Medical professionals have an obligation to benefit the sick and keep them from harm, and that gets extended to the information in the patient's personal health record. That's why many countries will not withhold basic health care from citizens, and why many patients must be treated in U.S. emergency rooms even if they're external to the system. So the issue is that the information dispensed as a result might be more than what the HIPAA law was intended to provide. The issue of health care data management becomes a big deal: all the information related to the health care practice and all of the behind-the-scenes, non-clinical information, accounts, contracts, agreements, and other business-related information. All information about a patient is contained in his or her PHR, the personal health record. So that's a very volatile database, and it has to be managed extremely carefully. And of course, because of HIPAA, there are specific steps that all entities involved in the health care delivery system should, in fact must, take to protect health care records. They should, of course, take those steps, but if they don't, and they are, let's call it, convicted of some kind of privacy breach because they didn't, they will be found guilty as charged and the penalty will be much more severe than if they had taken the steps and then were unfortunately breached. 
So we have to be concerned about how those records are created, how they are managed throughout their life cycle, including things like encryption, and then how they are properly disposed of at the end of the medical experience, either because the patient has passed on or because the actual morbidity has been resolved and they're no longer under a doctor's care. That information would still be available to places like the CDC, the Centers for Disease Control, and would also be available for medical research. So what we're talking about is all of the data management, whether in one particular medium or another: PHI in paper records and the various ways they have to be disposed of, maintaining labeled prescription bottles in opaque bags in a secure area, using a disposal vendor to shred or destroy the PHI, requirements much more stringent than for ordinary business records. And the issue is that this information is traveling through a variety of entities, and all of those entities have to adopt the same control methods and structures. So it's a real challenge. Then there's the issue of electronic media. As with any other type of sensitive information on electronic media, there has to be a very positive, very thorough mechanism for destroying that information. And what we're talking about is: can we do electronic purging, or do we have to, in fact, destroy the media in order to make sure that all traces of that information have been eliminated, if that was the requirement? So if a record requires destruction under a records retention policy, it's important that it's destroyed in a secure manner, and there should be a very positive disposal procedure in place to make sure that happens. And that includes all of the leftover medication or prescriptions that were part of the process. 
Which brings us to the issue of clinical research, and the fact that information harvested throughout this medical delivery experience would be available to the clinical research function. So we need to have some type of protection in the event that something comes along that creates an interruption because of a technical issue. If we were in the middle of doing some clinical research regarding a particular morbidity, and all of a sudden we had a technical issue that caused that research to fail, it could be life-threatening. So we have a whole bunch of complex administrative issues to deal with to make sure that doesn't happen. For smaller companies, this is a difficult issue to address; in many cases it might be beyond their capability to accommodate. And so what we're talking about here is that whoever has that information, the variety and sensitivity of that data creates a significant risk for the information security practitioner. They really have to pay particular attention to this area. The CIA triad, obviously, becomes very important for a research firm. And we have to manage the data as it transitions from one stage of the trial to the next, which creates a new set of integrity and confidentiality issues. So data from one stage of the trial may create a new hurdle for the technical support team in the form of the infrastructure; team, locations, and participants can all change through different stages of a typical research study. We might go from preclinical testing, to investigational new drug applications, to a variety of phases throughout the clinical trial: phase one, assess safety; phase two, test for effectiveness; phase three, large-scale testing. And then all of the licensing and the approval and the post-marketing studies that are all part of this clinical research activity. 
So if the information security professional is working in some type of medical clinical research environment, there are an awful lot of additional things to worry about. And then we come to the concept of how we deliver healthcare in a way that provides the patient with what they need in a safe environment. As we said, the Hippocratic Oath is taken by healthcare professionals, swearing to practice medicine honestly, to benefit the sick and keep them from harm. So patient care and safety become the main goal and objective of the Hippocratic Oath. Here's the issue: how capable are we of effectively measuring harm? We need to have some kind of benchmark to work against, and a trigger tool has been developed that can help us in this area. You can see that there's a web URL link at the bottom of this slide that steps through a particular model that allows people to effectively measure harm in a particular medical environment. The tool can be easily customized, enabling consistent and accurate measurement of harm. Let's talk a little bit about external third parties. They will come from a variety of sectors. Because we know that healthcare is somewhat decentralized and many parties are involved, we need to become much more serious about each new entity that is introduced into the mix and each new iteration of regulations everywhere in the world, because there's going to be some crossover between those organizations, those nations, and our own. Many nations have enacted laws that are different from the laws in effect in, let's say, our nation-state, the U.S. Many parties are involved, so it's inherently insecure, and it affects everyone in the healthcare industry. Safety and privacy are becoming more serious with each new iteration of regulations everywhere in the world. 
So if we thought we had problems with interoperability of business data from an information security perspective, think about the additional layers of complexity that have been added through the healthcare industry's treatment of third parties. This is where things like the HITECH Act come into play. The issue is that third-party concerns that handle, store, transmit, or process these electronic PHI files on behalf of the healthcare industry have to follow a different set of rules to make sure that they're providing services appropriately. The external third parties are really at risk, because if there are any data security breaches, they could be liable for very heavy fines and other penalties. If they provide transport only, they may not be culpable, but they're going to have to demonstrate that, perhaps, in a court of law. Everyone in the healthcare industry should be aware of these new legal requirements, and extra caution is the word of the day. So now let's try to gain an understanding of who these external third parties might be. We talk about vendors: vendors that provide all kinds of medication, hospital linens, infrastructure, any of the appliances, you name it, MRIs, ultrasounds, radiation devices. There are lots of vendors out there that have a very specialized role to play in the delivery of healthcare. The issue is that they're in the business of building goods, services, and products, and they may not have the internal expertise or staffing to deal with things from a very strict information security perspective. So if they get exposed to these compliance issues, they have to face the cost associated with mitigating their risks, which means that they may in fact have to bring in consulting specialists in information security in order to make sure that they're doing the right thing and won't be culpable in the event that they have a breach. 
And they need to really understand how their products and services will inherit the growing threats to healthcare information, because of the very nature of it. The statistic is, perhaps, rather stale-dated, 2011, but it says that an average data breach costs 214 U.S. dollars per record. So if the database had a million records, you can very quickly do the math. The figures, of course, will differ by industry, and they will certainly differ by country. But there's an awful lot of evidence out there, and going to something like the Ponemon Institute to get a current picture of what the actual cost of a data breach would be would be a useful activity. So what we're interested in is secure services and the various things that have to come along with them. We need to make sure that all of these areas are taken into account, and for a vendor, this is quite a shopping list of things that need to be put into place. In fact, they may have to have CISA audits from time to time, or they may need some internal nucleus of information security expertise in order to approach these various requirements, because they're all part of the HIPAA expectation for external third parties. So we now start to think about them from the point of view of a business partner. A partnership has a level of involvement, and it also has a level of responsibility to make sure that that involvement is not creating another kind of problem. We can say that as the healthcare industry becomes more complex and diverse, the sharing of expertise and risk becomes an unavoidable way of doing business. That means we have to have some kind of business agreement that we will stay on top of this issue of information security risk, and it might be driven or mandated by some type of legal structure; it could be called a general partnership, perhaps. 
And if this business ally brings a unique value to the partnership, then they become a highly respected and well-trusted external third party. But we need to have a contract that clarifies and limits the relationship between the partners, and HIPAA has a way of defining this particular relationship. That's all part of the lead-up to the HITECH Act. Okay? There are three things here: HIPAA, the Omnibus Rule, and the HITECH Act. And then there's the Office for Civil Rights, which says that if a breach is discovered, each party involved in the breach, whether it was a provider, a healthcare deliverer, a healthcare professional, a hospital, a clinic, whatever, would be fined directly by the Office for Civil Rights. This is an office of the Department of Health and Human Services in the U.S. government. We need to understand the technologies and the flows of information between these partners so that we can identify where the breach happened, who was actually culpable, and which entity in this end-to-end relationship caused the breach to happen in the first place. So there's going to be an awful lot of data sharing, and we have to know exactly what to expect in this environment. Okay? And in fact, we're now going to transcend borders, so that might become another issue that we have to be concerned about. There are many ways of transferring this information electronically in a safe and secure manner. In the early days, we used something called electronic data interchange. It eliminated the need for fax and paper and made great strides for exchange between partners. Each of them would follow the rules of the EDI standard, and that would have embedded information security as part of the actual transmission process. So when we start thinking about data sharing, there are a number of other issues that we need to consider. 
In this case, we're going to use EDI for patient details and insurance information, which means that many agencies will have their own particular set of guidance rules for the sharing of data. So we've got the Workgroup for Electronic Data Interchange, which was created to standardize electronic health care transactions. HIPAA requires the use of EDI. The scientific community has a long history of sharing data with other agencies, and they have all kinds of guidance on methods. So the Department of Health and Human Services and other federal agencies are collaborating to develop an interoperable data infrastructure to support research and data sharing. They're listed here: the National Institutes of Health, the National Science Foundation, the Centers for Disease Control, the Medical Research Council, the Economic and Social Research Council, and so on. You'll note that some of these are international, and if they're global, they will have global interoperability standards. So who are the owners of the health care information? Well, in health care firms, it would likely fall to the CIO, and of course the IT professionals working for the CIO have to achieve some kind of balance between the demand for access and the requirement to ensure security and privacy. So this is a real challenge for organizations to step up to. It might be worthwhile to understand what the foundational health information management processes look like. We understand that there is an awful lot of data growth. Now, where is that data being generated, used, and stored? We now have a situation where there is increased mobile device usage, so mobile device management becomes a big deal, with access to the internet anywhere and anytime. We've got this concept of deploying cloud capabilities, or portable storage devices such as jump drives or USB sticks. And we've got email communication. All of these mechanisms have to be protected for privacy. 
So if we say that this data is generated and stored in multiple smart devices with multi-vendor interoperability challenges, then that exacerbates the requirement for a very comprehensive information security process that will make sure we don't have data breaches. We have to comply with standards from a regulatory environment: we have the HIPAA rules, and we have the HITECH Act. So that will be the driving factor. Let's look at what healthcare data looks like, something called healthcare data characterization. As we know, there's a variety of healthcare data used for numerous reasons. Classification of data is going to be a significant activity that has to be done very carefully. We know that data can be broken down by different classification methods, including ICD-10. Physical characteristics could in fact come into play here: it might be the file type, the operating platform, or the average file size. We already know that there are different classification methods, and ICD-10 in the healthcare industry would be the prominent one. So we then have to look at data based on its risk management aspects: what are the issues around confidentiality, privacy, and legal discovery, and what are the compliance issues we have to be concerned about? We've got a whole bunch of information in these data elements. We've got identity data, such as the social security number. We've got financial data, such as the credit card. We've got the patient's health history, the patient's health data. And we've got all of the financial data about the patient and their ability to pay for these services. What we've got to recognize here is that healthcare data is, in fact, one of the most valuable assets owned by the healthcare industry. So we've got to protect it, as it is the crown jewel of information that we need in order to deliver appropriate healthcare. Legal medical records. 
Here's another area. As we say, if there was some kind of data breach or some sort of class action lawsuit, in the USA the legal medical record is the set of records that would be released for legal proceedings. It would have special standing in a court of law, and it includes the electronic medical record system. So we're having to worry about the electronic storage of medical records, which has unexpected consequences: increased potential for misuse and abuse. And so legal medical records tend to be very volatile and dangerous and have to be given particular care in terms of their protection. If we look at this, it would include patient health information, and the European Union has a set of rights and laws relating to personal information that is very advanced and much more stringent and specific than what is currently in place in other countries, including the U.S. So medical record privacy and security measures control and regulate the use and transfer of health care and personal data. That means that, similar to the Safe Harbor framework that was used in traditional information technology for the transfer of information like employment records between nation states, there will be other laws to handle the transfer of medical information, because of its volatility. So we have to be very careful about that. At the end of the day, we have a very complex and very extensive environment to deal with, one that has to treat the various areas of the medical industry from different perspectives in terms of health care security and privacy. A few things to remember: the various health care sectors in the health care environment; the role that information technology plays in health care, related to digital health records and health information exchange; and all of the issues around how electronic health records have to come together to provide the capability that is required for affordable and competent health care delivery. 
So then we need the health care insurance issues understood, and the various medical classifications that have to take place in order to make sure that the codes for submitting a health care claim would be viable to the health care payer or the insurance company, because the standard has been adopted; and then the concept of all of the workflow management and the HIPAA rules related to what's going on behind the scenes in the back-office type of activity. Health care data management: what happens in a clinical research environment, focusing always on the delivery of the best health care possible that can be afforded, with the best degree of safety that can be enjoyed. The external third parties, the vendors: what are some of the problems and concerns that they have that really cause them to become a very viable entity in this end-to-end relationship, and the exposure that they have in the event that something goes awry. And then, understanding what health information management processes look like once we can characterize health data, and thinking through the implications of legal medical records.