
Protecting PHI On Medical Devices


Salman Khan, MBA, CISSP, CISA

Brook Syers, CPA, CIA, CFE, CISA



Transcript

  1. Protecting PHI On Medical Devices
     Salman Khan, MBA, CISSP, CISA, Manager, IT Security
     Brook Syers, CPA, CIA, CFE, CISA, Senior IT Audit Manager, Auditing & Advisory Services
  2. An unencrypted medical device with more than 500 records is lost or stolen, resulting in:
     • Loss of trust with patients
     • Bad publicity
     • Investigation
     • Financial exposure
     • Unplanned capital expenditure
  3. The Case Of The Missing Laptop… In August 2013, an unencrypted UTHealth laptop containing 596 patient records was stolen from a locked closet inside an orthopedic clinic. The laptop was not inventoried because it was considered a medical device. Breach notification was made to patients, media, and HHS. OCR investigated; fortunately, UTHealth was cleared.
  4. Policy & Work Flow. Medical and Scientific Device Policy (implemented 11/13/13): all medical & scientific devices that are able to store PHI must be encrypted; where the manufacturer does not permit encryption, the device must instead be configured so that PHI cannot accumulate beyond 100 records. Any exceptions to this policy must be submitted (Requests) to the CISO for review and approval. A Work Flow Agreement is signed, indicating the individuals who are responsible for performing compensating controls and verifying compliance.
  5. Quarterly Procedures [Performed By Audit/IT Security]
     1. Obtain a list of all clinics and select a sample.
     2. For each clinic:
        • Obtain all current Requests and Work Flow Agreements for all medical devices.
        • Perform an unannounced field inspection and verify compliance with all Requests/Work Flow Agreements regarding number of patient records (100 or less) and deletion of records at the stated time interval (25 days or less).
        • Verify implementation of compensating controls, if applicable.
        • While onsite, search for medical devices with no Request/Work Flow Agreement.
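The policy on slide 4 and the inspection checks on slide 5 reduce to a small set of per-device rules (encrypted, or covered by an approved Request/Work Flow Agreement with at most 100 records and deletion at least every 25 days), and the 500-record figure on slide 2 marks where a lost device becomes a notifiable breach. The script below, an added example that is not part of the deck or of UTHealth's tooling, encodes those rules as an inventory checker and summarises a sample in the same terms as the trends table on slide 6 (devices audited, exception rate, devices over 500 records). The inventory rows, device and clinic names, and the choice to count only unencrypted devices in the over-500 column are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Thresholds taken from the policy (slide 4) and inspection procedure (slide 5);
# the 500-record figure is the breach exposure threshold cited on slide 2.
MAX_RECORDS_WITHOUT_ENCRYPTION = 100
MAX_DELETION_INTERVAL_DAYS = 25
BREACH_EXPOSURE_THRESHOLD = 500


@dataclass
class Device:
    """One row of a hypothetical clinic device inventory (field names are assumptions)."""
    device_id: str
    clinic: str
    encrypted: bool
    record_count: int                      # PHI records found on the device at inspection
    has_agreement: bool                    # Request / Work Flow Agreement on file with the CISO
    deletion_interval_days: Optional[int]  # scheduled purge interval; None if no schedule exists


def evaluate(device: Device) -> list[str]:
    """Return the findings for one device; an empty list means compliant."""
    findings: list[str] = []
    if device.encrypted:
        return findings  # an encrypted device satisfies the policy outright
    # Unencrypted device: must be covered by an approved exception and kept under the caps.
    if not device.has_agreement:
        findings.append("no Request/Work Flow Agreement on file")
    if device.record_count > MAX_RECORDS_WITHOUT_ENCRYPTION:
        findings.append(
            f"{device.record_count} records exceeds the {MAX_RECORDS_WITHOUT_ENCRYPTION}-record cap"
        )
    if device.deletion_interval_days is None or device.deletion_interval_days > MAX_DELETION_INTERVAL_DAYS:
        findings.append(f"records not deleted at least every {MAX_DELETION_INTERVAL_DAYS} days")
    if device.record_count > BREACH_EXPOSURE_THRESHOLD:
        findings.append(f"more than {BREACH_EXPOSURE_THRESHOLD} records: breach-notification exposure if lost")
    return findings


def audit(devices: list[Device]) -> dict:
    """Summarise one quarter's inspection sample in the terms used by the trends table."""
    findings = {d.device_id: evaluate(d) for d in devices}
    exceptions = [dev_id for dev_id, f in findings.items() if f]
    # Assumption: only unencrypted devices count toward the "Devices > 500 Records" column.
    over_500 = [d.device_id for d in devices
                if not d.encrypted and d.record_count > BREACH_EXPOSURE_THRESHOLD]
    return {
        "devices_audited": len(devices),
        "exceptions": exceptions,
        "exception_rate": round(100 * len(exceptions) / len(devices)) if devices else 0,
        "devices_over_500": over_500,
        "findings": findings,
    }


# Constructed sample inventory (not real devices, clinics or counts).
SAMPLE_INVENTORY = [
    Device("US-01", "Ortho", encrypted=True, record_count=2000, has_agreement=False, deletion_interval_days=None),
    Device("ECG-02", "Ortho", encrypted=False, record_count=80, has_agreement=True, deletion_interval_days=14),
    Device("XR-03", "Satellite-A", encrypted=False, record_count=640, has_agreement=True, deletion_interval_days=30),
    Device("LAB-04", "Satellite-A", encrypted=False, record_count=40, has_agreement=False, deletion_interval_days=None),
]

if __name__ == "__main__":
    summary = audit(SAMPLE_INVENTORY)
    print(f"Devices audited: {summary['devices_audited']}, exception rate: {summary['exception_rate']}%")
    for dev_id in summary["exceptions"]:
        print(f"  {dev_id}: " + "; ".join(summary["findings"][dev_id]))
```

Run against the constructed sample, the checker reports two exceptions out of four devices (a 50% exception rate) and flags one device over 500 records; the encrypted ultrasound carrying 2000 records produces no finding, which is the point of the policy's encryption-first rule.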
  6. Insights & Trends

     Quarter   Devices Audited   Exception Rate   Devices > 500 Records
     1Q        53                30%              1
     2Q        28                14%              0
     3Q        33                43%              2
     4Q        30                40%              1

     1Q ---> 2Q: Word getting out that Medical Device audits are taking place [in Med Center].
     3Q ---> 4Q: Expanded audits to satellite clinics.
  7. Benefits
     • Management awareness and follow-up on exceptions
     • Requests/Work Flow Agreements added for medical devices identified by audits
     • Revision of Clinical Technology policies & procedures
     • Identification of missing medical devices
     • Increase in user community awareness/saving money
  8. IT Security & Audit Collaboration
     • TigerConnect (past)
     • FairWarning (past)
     • School of Dentistry SD Cards (past)
     • Cloud Vendors (ongoing)
     • Medical Devices (ongoing)
     • Practice Websites (future)