Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Protecting PHI On Medical Devices

Texas Natural Resources Information System
October 24, 2019
Technology
0
15

Protecting PHI On Medical Devices

Salman Khan, MBA, CISSP, CISA

Brook Syers, CPA, CIA, CFE, CISA

Texas Natural Resources Information System

October 24, 2019
Tweet

More Decks by Texas Natural Resources Information System

See All by Texas Natural Resources Information System
The 3rd Quarter GIS Community Meeting of 2020
texasnaturalresourcesinformationsytem
0
140
The 2nd Quarter GIS Community Meeting of 2020
texasnaturalresourcesinformationsytem
0
520
2020 1st Quarter GIS Community Meeting
texasnaturalresourcesinformationsytem
0
680
PLANET OVERVIEW for TNRIS first Quarter Meeting
texasnaturalresourcesinformationsytem
0
610
Hurricane Harvey H-E-B Disaster Response
texasnaturalresourcesinformationsytem
0
340
Improving Community Services by Helping Citizens Find Their Lost Pets
texasnaturalresourcesinformationsytem
0
250
National Address Database (NAD) and NG9-1-1
texasnaturalresourcesinformationsytem
0
120
StratMap Celebrating Successful Public and Private Partnerships
texasnaturalresourcesinformationsytem
1
250
2019 State of the State Town Hall Meeting
texasnaturalresourcesinformationsytem
1
240

Other Decks in Technology

See All in Technology
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
170
Platform Engineering for Software Developers and Architects
syntasso
1
520
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
380
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
170
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
110
iOS/Androidで同じUI体験をネ イティブで作成する際に気をつ けたい落とし穴
fumiyasac0921
1
110
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
940
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
590
Making your applications cross-environment - OSCG 2024 NA
salaboy
0
190
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
110
Terraform Stacks入門 #HashiTalks
msato
0
350
エンジニア人生の拡張性を高める 「探索型キャリア設計」の提案
tenshoku_draft
1
120

Featured

See All Featured
A Tale of Four Properties
chriscoyier
156
23k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Documentation Writing (for coders)
carmenintech
65
4.4k
How STYLIGHT went responsive
nonsquared
95
5.2k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Art, The Web, and Tiny UX
lynnandtonic
297
20k
Gamification - CAS2011
davidbonilla
80
5k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Optimizing for Happiness
mojombo
376
70k
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
A Modern Web Designer's Workflow
chriscoyier
693
190k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
880

Transcript

  1. Protecting PHI On Medical Devices Salman Khan, MBA, CISSP, CISA

    Manager, IT Security Brook Syers, CPA, CIA, CFE, CISA Senior IT Audit Manager, Auditing & Advisory Services

  2. In The News…

  3. An unencrypted medical device with more than 500 records is

    lost or stolen, resulting in: • Loss of trust with patients • Bad publicity • Investigation • Financial exposure • Unplanned Capital Expenditure

  4. In August 2013, an unencrypted UTHealth laptop containing 596 patient

    records was stolen from a locked closet inside an orthopedic clinic. The laptop was not inventoried because it was considered a medical device. Breach notification was made to patients, media, and HHS. OCR investigated; fortunately, UTHealth was cleared. The Case Of The Missing Laptop…

  5. Medical and Scientific Device Policy (implemented 11/13/13): All medical &

    scientific devices that are able to store PHI must be encrypted or configured so that PHI is unable to accumulate beyond 100 records if encryption is not permitted by the manufacturer. Policy & Work Flow Any exceptions to this policy must be submitted (Requests) to the CISO for review and approval. A Work Flow Agreement is signed, indicating the individuals who are responsible for performing compensating controls and verifying compliance.

  6. Requests

  7. Requests – Cont.

  8. Work Flow Agreement

  9. Work Flow Agreement – Cont.

  10. Quarterly Procedures [Performed By Audit/IT Security] 1. Obtain a list

    of all clinics and select a sample. 2. For each clinic: • Obtain all current Requests and Work Flow Agreements for all medical devices. • Perform an unannounced field inspection and verify compliance with all Requests/Work Flow Agreements regarding number of patient records (100 or less) and deletion of records at the stated time interval (25 days or less) • Verify implementation of compensating controls, if applicable. • While onsite, search for medical devices with no Request/Work Flow Agreement.

  11. Audit Report to Management FY19 4Q

  12. Insights & Trends Quarter Devices Audited Exception Rate Devices >

    500 Records 1Q 53 30% 1 2Q 28 14% 0 3Q 33 43% 2 4Q 30 40% 1 1Q ---> 2Q: Word getting out that Medical Device audits are taking place [in Med Center]. 3Q ---> 4Q: Expanded audits to satellite clinics.

  13. • Management awareness and follow-up on exceptions • Requests/Work Flow

    Agreements added for medical devices identified by audits • Revision of Clinical Technology policies & procedures • Identification of missing medical devices • Increase in user community awareness/saving money Benefits

  14. • TigerConnect (past) • FairWarning (past) • School of Dentistry

    SD Cards (past) • Cloud Vendors (ongoing) • Medical Devices (ongoing) • Practice Websites (future) IT Security & Audit Collaboration