Cybersecurity: That's not in the Hippocratic Oath
Carol Steltenkamp, MD, MBA
October 21, 2106

Objectives
Review the clinician view of cybersecurity
Discuss hot topics in clinical IT security
Describe best practices and tactics to address the challenges
The Hippocratic Oath

Original Greek text (translated):
I swear by Apollo the Physician and Asclepius and Hygieia and Panacea and all the gods and goddesses, making them my witnesses, that I will fulfil according to my ability and judgment this oath and this covenant: to hold the one who taught me this art as equal to my parents, to share my livelihood with him and to give him a share of my means when he is in need; to regard his offspring as equal to my own brothers, and to teach them this art, if they wish to learn it, without fee or covenant; to give a share of precepts and oral instruction and all other learning to my sons and to the sons of the one who taught me and to pupils who have signed the covenant and sworn the oath according to the medical law, but to no one else. I will use dietary regimens for the benefit of the sick according to my ability and judgment, and keep them from harm and injustice. I will give no deadly drug to anyone if asked, nor will I suggest such a course; likewise I will not give a woman an abortive pessary. In purity and holiness I will guard my life and my art. I will not cut, not even those suffering from the stone, but will give way to those who are practitioners of this work. Into whatever houses I enter, I will go for the benefit of the sick, keeping myself free of all intentional injustice and corruption, in particular of sexual acts upon the bodies of women and men, free and slave. Whatever I see or hear in the course of treatment, or even outside of treatment, in the lives of people, that ought never be spoken abroad, I will keep silent, holding such things to be unutterable. If I fulfil this oath and do not violate it, may it be granted to me to enjoy life and art, honoured among all people for all time; but if I transgress and forswear myself, the opposite of this.

Modern version:
I swear to fulfill, to the best of my ability and judgment, this covenant:...
I will respect the hard won scientific gains of those physicians in whose steps I walk, and gladly share such knowledge as is mine with those who are to follow.
I will apply, for the benefit of the sick, all measures which are required, avoiding those twin traps of overtreatment and therapeutic nihilism.
I will remember that there is art to medicine as well as science, and that warmth, sympathy, and understanding may outweigh the surgeon's knife or the chemist's drug.
I will not be ashamed to say "I know not," nor will I fail to call in my colleagues when the skills of another are needed for a patient's recovery.
I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know. Most especially must I tread with care in matters of life and death. Above all, I must not play at God.
I will remember that I do not treat a fever chart, a cancerous growth, but a sick human being, whose illness may affect the person's family and economic stability. My responsibility includes these related problems, if I am to care adequately for the sick.
I will prevent disease whenever I can, for prevention is preferable to cure.
I will remember that I remain a member of society, with special obligations to all my fellow human beings, those sound of mind and body as well as the infirm.
If I do not violate this oath, may I enjoy life and art, respected while I live and remembered with affection thereafter. May I always act so as to preserve the finest traditions of my calling and may I long experience the joy of healing those who seek my help.
National Library of Medicine
So what are the clinicians working on?
HIPAA: Health Insurance Portability and Accountability Act (1996)
HITECH: Health Information Technology for Economic and Clinical Health (2009)
Meaningful Use: MU guidelines for EHR (2010)

Before HIPAA there was no universally recognized security standard or basic mandates for Protected Health Information (PHI). The goal of HIPAA was to protect patients' confidentiality while enabling healthcare organizations to pursue initiatives that furthered innovation and patient care. However, enforcement was very limited.

HITECH, as part of the American Recovery and Reinvestment Act of 2009, contains specific incentives designed to accelerate adoption of electronic health records among providers. It broadens the scope of privacy and security protections listed under HIPAA and also increases the repercussions and enforcement potential for non-compliance.

The CMS Meaningful Use incentive program provides incentives to further encourage compliance measures set forth in HITECH and HIPAA, including conducting a risk analysis.
Medicare Physician Incentive Timeline
Fall 2010: Certification of EHR vendors will start
Jan. 2011: Registration with CMS can begin. This will be done through PECOS
April 2011: Attestation of meaningful use begins
May 2011: CMS payments will begin
2011-2012: Clinicians can begin using a certified EHR in a meaningful manner (must use for 90 days)
*Medicaid EHR incentives will be managed by states
Meaningful Use Stage 2: The Escalator Add in key elements of NQS/delivery system reforms
CMS PQRS & Value Modifier (VM) Affect Physician Payment
2014 PQRS performance modifies 2016 Medicare payment for practices with 10 or more EPs
2015 PQRS performance modifies 2017 payment for all Medicare Part B FFS physicians

Medicare Physician Incentive Timeline (cont.)
October 6, 2015: Final Rule released
~November 25, 2015: Stage 3 comments due
December 1, 2015: All KHIE signed agreements must be submitted
December 31, 2015: 90-day reporting period must be completed
January 1, 2016: Start of full-year reporting period for participants that have attested previously
January 4, 2016: Medicare website ready to accept attestations
February 29, 2016: Medicare attestation deadline
March 31, 2016*: Medicaid attestation deadline** (KY Medicaid may be delayed as well)
July 2016*: Hardship application for PY 2015 due, to avoid 2017 penalty
*Final dates may change or are still TBD.
**2016 is the last year to enroll in the Medicaid EHR Incentive Program.

Medicare Access and CHIP Reauthorization Act of 2015 (MACRA)
Physicians will recognize this legislation as: The Doc Fix Bill; SGR Repeal (Sustainable Growth Rate Repeal)
Passed in April 2015
Broad bipartisan support: both Houses of Congress and the Obama Administration
Shifting to Value Based Payment (VBP)
What is Value Based Payment? Quality VALUE Cost
Volume to Value Based Shift
Recent legislative and marketplace developments suggest that the transition from volume to value based payment is accelerating from a testing phase to a scaling phase.
March 2010: The Affordable Care Act enacted
January 2012: Pioneer ACO Program
October 2012: Hospital Value Based Purchasing Program
April 2013: Bundled Payments for Care Improvement (BPCI)
May 2014: 626 ACOs served >50 million patients
January 2015: First year of Value Based Modifier; CMS announces value based payment goals
April 2015: Medicare Access and CHIP Reauthorization Act (MACRA) enacted
March 2016: President announces 30% of Medicare A&B payments flow through APMs
Too Close to Home. Appalachian Regional Healthcare Hit with Cyber Attack, Systems Down for a Week
1 bitcoin = 630 US Dollars
How does it infect a system?
OCR Annual Settlements 2008-2016 (Office of Civil Rights = OCR) [bar chart: number of settlements per year]
OCR Settlements 2008-2016 [bar chart: settlement amounts per year, $0 to $25,000,000]
UKHC Incidents & Breaches FY 15-16 [chart: total reports and total breaches per quarter, Q1 FY15 through Q4 FY16]
UKHC Reported Incidents FY 2016 [pie chart; categories: Access, Disclosure, Identity Theft, Laptop Loss / Theft, Lost / Found, Marketing, Patient Requests, Questions, Reports of Violations, Self Access, Unclassified]
Protected Health Information (PHI)
Individually identifiable information plus health information, held or transmitted in any form or medium, whether electronic, paper or oral.
Information includes office addresses, phone numbers, and cell phone numbers.

Why Should I Care?
UKHC has dismissed 5 workers in the past year for privacy violations.
One former medical student has a letter in the student's file that follows the student after medical school for a 5-year mandatory reporting period.
HIPAA Privacy compliance is mandatory anywhere that you practice medicine in the U.S.
Mitigation Strategies
Awareness campaigns
Anti-malware software
Group policy restrictions
Blocking known malicious Internet sites
System assessments to determine risk
Strategy development

Awareness Campaigns
Self access
Hold on to the paper (really?)
Social media
Reminder 1: Self Access of Medical Records (correct way vs. wrong way)
UK faculty, staff, or students should not use the internal medical record systems (such as SCM and AEHR) to access records outside their scope of duty.

Reminder 2: Hold onto the paper with patient notes
Most EMR printouts from UKHC contain:
Person printing
Date/Time printed
Physician requesting the report
Personal email and calendars

PHI Example (name removed)

Reminder 3: Social Media & Pictures (names removed)
Anti-malware Software
Group Policy Restrictions