Impact of Healthcare Information Technology (HIT) on Privacy and Security

Course: 5 hours 25 minutes, Intermediate, CEU/CPE 6
Video Transcription
00:00
>> Welcome back to the HCISPP certification course with Cybrary. Impact of health care IT on privacy and security. My name is Charlene Hutchins and I'll be your instructor for this course. Today, we'll talk about understanding the threat landscape, oversight and regulatory changes, interoperability, and medical devices.

Understanding the threat landscape is imperative to being a health care security and privacy professional. The threat vectors are many and expanding as technology expands. As I read on a t-shirt at a conference, "Data is the new bacon." Everyone wants data and access to data and to use the data for various reasons. Health care information technology requires different frameworks to manage the comprehensive information across multiple platforms and between multiple parties. The cybersecurity industry is growing rapidly as more and more businesses are transforming their systems and infrastructure to enable a presence on the Internet, to facilitate relationships with others across various borders. With increased presence on the worldwide web come vulnerabilities that may be easily exploited and/or exposed by various actors, some accidentally and others purposefully.

Some examples of the most prevalent threats to information in the healthcare industry are phishing attacks: fake emails to get a user to click on a link or download an attachment with a malicious payload or virus attached. There are new attacks in the advanced persistent threat space where someone can get access to a user's email credentials; they can actually send the user an email from their own inbox, posing as a coworker, or even from the outside, and get them to download an attachment or click on a link. They can gain access to the user's files on their computer and begin to find ways to traverse the network. They are now a trusted source using the user's authenticated tokens. It's pretty slick. As security professionals, we must stay vigilant and aware.

Ransomware is another threat vector that is very prevalent in the healthcare space. Medical records are 10-20 times more valuable than financial data or bank account numbers on the dark wide web. Why? Because all of the information attached to a medical record can be broken apart and sold in different pieces. Think about the information that's contained in the health record. You have patient name, patient address, age, social security number, birth date, employer name, health insurance member number, pharmacy, the doctor's name, the doctor's number, the pharmacy address, the pharmacy number. Think about how knowing all of this information can be useful to an attacker. Would you want someone to have all that information about you? Well, I'm sorry to say that they probably already do. Everyone's information has already been leaked out on the Internet. Stay alert and do what you can to monitor your information and Internet activity.

Medical devices. Now, medical device attacks: in most hospitals, the sole method of connectivity between electronic medical records and medical devices is through network connections. Many organizations are now using wireless connections. The benefits to health care, including a reduction in medical errors, lead to improved quality of care. Yet the risk of medical devices being hacked also increases. These are just some of the threat vectors that security and privacy professionals need to be aware of.

Let's give a little background about the regulatory requirements. The OCR established an audit protocol that contains the requirements to be assessed based on the HITECH Act. The HITECH legislation was created to stimulate the adoption of electronic health records and supporting technology in the United States. President Obama signed the HITECH Act into law on February 17th, 2009. The HITECH Act was created as part of the ARRA economic stimulus bill. This bill said that beginning in 2011 and until 2015, health care providers would be offered financial incentives for demonstrating meaningful use of electronic records. After 2015, if health care entities didn't demonstrate meaningful use of electronic records, meaning not using technology to facilitate treatment, payment, or operations of health care, penalties could be assessed against them.

Now, in order to comply with these new laws, technology needed to have interoperability. As we discussed in our previous model, interoperability means the data must be standardized for use across disparate technologies. To facilitate information exchange, medical coding and clinical coding systems are used. These coding systems assign a distinct numeric value to medical diagnoses, procedures and surgery, signs, and symptoms of diseases and conditions. These assigned codes and other patient data are processed by a group of software to determine a diagnosis related group, or DRG.

SNOMED is the most widely recognized nomenclature in health care. Its current version, SNOMED CT, is intended to provide a set of concepts and relationships that offer a common reference point for comparison and aggregation of data about the health care process. ICD 10 is the most widely recognized medical classification maintained by the World Health Organization, or WHO. Its primary purpose is to categorize diseases for mobility and mortality reporting. Health care providers worldwide were obligated to be ICD 10 ready by October 2015. ICD 11 is the next major update and was released on June 18th, 2018 and officially endorsed by the WHO on May 25th, 2019. In a nutshell, it is fully electronic and provides access to over 17,000 diagnostic categories in over 100,000 medical diagnostic index terms. The index-based search algorithm interprets more than 1.6 million terms. SNOMED CT and ICD 10 are designed for different purposes and each should be used for the purposes for which it was designed. Mapping of the two sources has been done through the Unified Medical Language System Metathesaurus, although each term is not truly synonymous but in the same neighborhood, because SNOMED has far more specific terms.

Let's talk about medical devices. The World Health Organization, WHO, commented that medical devices range from simple thermometers to sophisticated and costly diagnostic imaging equipment. A medical device is intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease. The various types of medical devices are listed here. They include self-care, electronic, diagnostic, and so on. Please study these terms for the exam.

Based on the Food, Drug, and Cosmetic Act, the FDA recognizes there are classes of medical devices based on the level of control necessary to assure safety and effectiveness. Listed here are examples of different medical devices and their classes. All classes are subject to general controls. General controls include provisions that relate to adulteration, misbranding, device registration and listing, banned devices, including notification, repair, and replacement. Controls must be in place to prevent these things from happening with these devices. When general controls alone cannot assure safety and effectiveness and an additional special control is required, the device falls into the Class II category. A Class III device meets pre-market approval and scientific review to ensure the device's safety and effectiveness.

In summary, today we talked about threat landscape, oversight and regulatory requirements, interoperability and medical devices, and how they all have an impact on privacy and security in health care. Thank you for watching, and I'll see you in the next video.