H H D ow ealtHcare ata P I a rivacy s lmost D … w c eaD anD Hat an B D r i ! e one to evive t OTHER INFORMATION SECURITY BOOKS FROM AUERBACH A Guide to the National Initiative for Mastering the Five Tiers of Audit Competency: Cybersecurity Education (NICE) The Essence of Effective Auditing Cybersecurity Workforce Framework (2.0) Ann Butera • ISBN 978-1-4987-3849-1 Dan Shoemaker, Anne Kohnke, and Ken Sigler Network and Data Security for Non-Engineers ISBN 978-1-4987-3996-2 Frank M. Groom, Kevin Groom, and Stephan S. Jones Analyzing and Securing Social Networks ISBN 978-1-4987-6786-6 Bhavani Thuraisingham, Satyen Abrol, Raymond Operational Assessment of IT Heatherly, Murat Kantarcioglu, Vaibhav Khadilkar, Steve Katzman • ISBN 978-1-4987-3768-5 and Latifur Khan ISBN 978-1-4822-4327-7 Practical Cloud Security: A Cross-Industry View Anti-Spam Techniques Based on Artificial Melvin B. Greer, Jr. and Kevin L. Jackson Immune System ISBN 978-1-4987-2943-7 Ying Tan • ISBN 978-1-4987-2518-7 Securing an IT Organization through Corporate Defense and the Value Preservation Governance, Risk Management, and Audit Imperative: Bulletproof Your Corporate Ken E. Sigler and James L. Rainey, III Defense Program ISBN 978-1-4987-3731-9 Sean Lyons • ISBN 978-1-4987-4228-3 Securing Cyber-Physical Systems Cyber Security for Industrial Control Systems: Edited by Al-Sakib Khan Pathan From the Viewpoint of Close-Loop ISBN 978-1-4987-0098-6 Peng Cheng, Heng Zhang, and Jiming Chen ISBN 978-1-4987-3473-8 Security and Privacy in Internet of Things (IoTs): Models, Algorithms, and Electronically Stored Information: Implementations The Complete Guide to Management, Edited by Fei Hu • ISBN 978-1-4987-2318-3 Understanding, Acquisition, Storage, Search, and Retrieval, Second Edition Security without Obscurity: A Guide to PKI David R. Matthews • ISBN 978-1-4987-3958-0 Operations Jeff Stapleton and W. Clay Epstein Enterprise Level Security: Securing ISBN 978-1-4987-0747-3 Information Systems in an Uncertain World William R. Simpson • ISBN 978-1-4987-6445-2 Software Quality Assurance: Integrating Testing, Security, and Audit Honeypots and Routers: Collecting Abu Sayed Mahfuz • ISBN 978-1-4987-3553-7 Internet Attacks Mohssen Mohammedand Habib-ur Rehman The Cognitive Early Warning Predictive ISBN 978-1-4987-0219-5 System Using the Smart Vaccine: The New Digital Immunity Paradigm Information Security Policies, Procedures, for Smart Cities and Standards: A Practitioner’s Reference Rocky Termanini • ISBN 978-1-4987-2651-1 Douglas J. Landoll • ISBN 978-1-4822-4589-9 The Complete Guide to Cybersecurity Insider’s Guide to Cyber Security Architecture Risks and Controls Brook S. Schoenfield • ISBN 978-1-4987-4199-6 Anne Kohnke, Dan Shoemaker, and Ken E. Sigler Introduction to Certificateless Cryptography ISBN 978-1-4987-4054-8 Hu Xiong, Zhen Qin, and Athanasios V. Vasilakos Touchless Fingerprint Biometrics ISBN 978-1-4822-4860-9 Ruggero Donida Labati, Vincenzo Piuri, Leading the Internal Audit Function and Fabio Scotti Lynn Fountain • ISBN 978-1-4987-3042-6 ISBN 978-1-4987-0761-9 AUERBACH PUBLICATIONS www.auerbach-publications.com • To Order Call: 1-800-272-7737 • E-mail: [email protected] H H D ow ealtHcare ata P I a rivacy s lmost D … w c eaD anD Hat an B D r i ! e one to evive t J J. t , J . oHn rinckes r CRC Press Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2017 by Taylor & Francis Group, LLC CRC Press is an imprint of Taylor & Francis Group, an Informa business No claim to original U.S. Government works Printed on acid-free paper Version Date: 20161115 International Standard Book Number-13: 978-1-138-19775-6 (Hardback), 978-1-4987-8395-8 (Paperback) This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint. Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, trans- mitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, please access www.copy- right.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that pro- vides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe. Library of Congress Cataloging-in-Publication Data Names: Trinckes, John J., Jr., author. Title: How healthcare data privacy is almost dead ... and what can be done to revive it! / John Trinckes, Jr. Description: Boca Raton : Taylor & Francis, 2017. Identifiers: LCCN 2016035054| ISBN 9781138197756 (hb : alk. paper) | ISBN 9781498783958 (pb : alk. paper) Subjects: | MESH: Health Information Management--methods | Computer Security | Electronic Health Records--standards | Medical Errors--prevention & control | Privacy | United States Classification: LCC R864 | NLM WX 175 | DDC 651.5/042610285--dc23 LC record available at https://lccn.loc.gov/2016035054 Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com Contents Foreword ix PreFace xi acknowledgments xvii author xix contributing author xxi chaPter 1 code blue 1 Erroneous Information 1 Medical Identity Theft 6 Credit Troubles 9 Internet of Things 12 Medical Devices 19 FDA Draft Guidance 23 Hippocratic Oath for Connected Medical Devices 25 Cyber Independent Testing Laboratory 27 Privacy by Design 28 Ethical Design Manifesto 30 Open Web Application Security 31 Legal/Constitutional Issues 36 Fingerprints Are Not Protected by the Fifth Amendment 43 chaPter 2 Privacy concerns 47 Information…Information…Everywhere 47 New Social Disorder 50 Medical Records 52 v vi Contents De-Identification 57 Meaningful Use 58 21st Century Cures Bill 59 Cybersecurity Information Sharing Act 2015 (CISA) 61 Health Information Technologies Standards Committee 66 Improving Health Information Technology Act 66 Governmental Issues 67 Healthcare.gov 68 OPM Data Breach 70 Einstein Program 72 IRS 72 Telemedicine 75 NASA 77 Medical Information Is Highly Coveted 78 Ease of Obtaining Information 81 Security versus Privacy 82 Consumer Scores 83 chaPter 3 healthcare armageddon 87 2015 Year of the Hack: Medical Breaches 87 Another Search Engine to the Rescue 90 Hackers Are the Problem 91 Patients Trust Healthcare 95 The Standard Response 97 EU Doesn’t Trust U.S. Privacy: Agreement Made 99 chaPter 4 victims 103 Costs 103 Identity Theft/Fraud 107 Tax Fraud 111 Healthcare Resources 112 Untold Victims 113 chaPter 5 healthcare security 117 Ignorance Is Bliss: State of Healthcare Security 117 Constructive Ambiguity and the HIPAA Regulations 121 State Requirements 124 California 124 Florida 128 Massachusetts 135 Nevada 138 Oregon 140 Texas 143 Privacy Culture; Not a Security Culture 146 All Stick and No Carrot 149 Contents vii Resource Availability 150 Excuses 154 A Funny Thing Happened on the Way to Security…Nothing 156 chaPter 6 enForcement 161 OCR 161 Omnibus Rule 172 Business Associate Agreements 173 ONC 175 Office of Inspector General (OIG) 177 State Attorney General 181 FTC 182 CMS 189 FCC 192 Class Action Lawsuits 194 Violation of Privacy 197 chaPter 7 Privacy…clear…<shock> 199 Individual Rights 199 Withholding Medical Information 203 Privacy Platform 204 Put a Tourniquet On: Stop the Bleeding 206 Shock to the Industry 208 National Patient Identifier 210 Revive Security Posture 211 Preventive Medicine 212 Social Engineering 212 Monitoring 213 Anti-Malware 216 Multi-Factor Authentication 218 Data Loss Protection 220 Data Collection/Retention 221 Data Encryption 222 Incident Response Plan 225 Vendor Management 229 Health Application Use 234 Standards/Certification/Accreditation 235 CIS Critical Security Controls 235 NIST CsF 236 HITRUST 237 EHNAC 239 FHIR 241 Recovery 241 Cybersecurity Insurance 247 viii Contents chaPter 8 summary 251 Message to the Board Room 251 Steely-Eyed Missile Man 252 Asking the Right Questions 255 Message to Chief Executive Officers 257 Message to the Legislators 259 Message to Private Citizens 261 Final Thoughts 263 reFerences 265 index 291 Foreword Before the turn of this century, Scott McNealy (then CEO of Sun Microsystems) was quoted as saying: “[P]rivacy issues are a ‘red her- ring.’ You have zero privacy anyway. Get over it.” Fast forward more than 15 years, and his (then) inflammatory comments have become prophecy of how the world has evolved. From the Patriot Act and gov- ernment surveillance to the type of data collected by Google, Facebook, and ad networks along with the type of daily surveillance networks that are blanketing cities like London, we find that the concepts of privacy that our parents and grandparents held are becoming obsolete. Nowhere is this trend more significantly affecting the world than healthcare. The industry is collecting many petabytes of informa- tion that never existed before—from the immense amount of data collected by providers for quality of care measures to advanced data like genetic information (e.g., 23 and Me), we are collecting data on humans that have never been able to be assessed in a scalable and centralized way. This is causing significant privacy impacts—we’ve had more than 100,000,000 healthcare records breached in the past few years. This is also increasing spending within the healthcare industry, causing the entire industry to slow down and implement massive sets of security controls. This complexity makes it hard for the security experts the indus- try relies on to fully engage the problems. When I moved from the ix