From the course: ISC2 Health Care Information Security and Privacy Practitioner (HCISSP) Cert Prep

Impact of healthcare information technology (HIT) on privacy and security

Welcome back to the HCISPP certification course with Cybrary. This lesson covers the impact of healthcare IT on privacy and security. My name is Schlaine Hutchins and I will be your instructor for this course. Today, we'll talk about understanding the threat landscape, oversight and regulatory changes, interoperability, and medical devices.

Understanding the threat landscape is imperative to being a healthcare security and privacy professional. The threat vectors are many and expanding as technology expands. As I read on a T-shirt at a conference: "Data is the new bacon." Everyone wants data, access to data, and to use the data for various reasons. Healthcare information technology requires different frameworks to manage comprehensive information across multiple platforms and between multiple parties. The cybersecurity industry is growing rapidly as more and more businesses transform their systems and infrastructure to enable a presence on the Internet and facilitate relationships with others across various borders, and with increased presence on the World Wide Web come vulnerabilities that may be easily exploited and/or exposed by various actors, some accidentally and others purposefully.

One of the most prevalent threats to information in the healthcare industry is the phishing attack: fake emails designed to get a user to click on a link or download an attachment with a malicious payload or virus attached. There are new attacks in the advanced persistent threat space where, if someone can get access to a user's email credentials, they can send the user an email from their own inbox posing as a co-worker, or even from the outside, and get them to download an attachment or click on a link. They can then gain access to the user's files on their computer and begin to find ways to traverse the network. They're now a trusted source using the user's authenticated tokens. It's pretty slick. So as security professionals, we must stay vigilant and aware.
Ransomware is another threat vector that is very prevalent in the healthcare space. Medical records are 10 to 20 times more valuable than financial data or bank account numbers on the dark web. Why? Because all of the information attached to a medical record can be broken apart and sold in different pieces. Think about the information contained in a health record: patient name, patient address, age, Social Security number, birth date, employer name, health insurance member number, the pharmacy, the doctor's name, the doctor's number, the pharmacy address, the pharmacy number. Think about how knowing all of this information can be useful to an attacker. Would you want someone to have all that information about you? Well, I'm sorry to say that they probably already do. Everyone's information has already been leaked onto the Internet. So stay alert and do what you can to monitor your information and Internet activity.

Now, medical devices. In most hospitals, the sole method of connectivity between electronic medical records and medical devices is through network connections, and many organizations are now using wireless connections. The benefits to healthcare, including a reduction in medical errors, lead to improved quality of care, and yet the risk of medical devices being hacked also increases. These are just some of the threat vectors that security and privacy professionals need to be aware of.

So let's give a little background about the regulatory requirements. The OCR established an audit protocol that contains the requirements to be assessed based on the HITECH Act. The HITECH legislation was created to stimulate the adoption of electronic health records and supporting technology in the United States. President Obama signed the HITECH Act into law on February 17th, 2009. The HITECH Act was created as part of the ARRA economic stimulus bill.
This bill said that, beginning in 2011 and until 2015, healthcare providers would be offered financial incentives for demonstrating meaningful use of electronic records. After 2015, if healthcare entities didn't demonstrate meaningful use of electronic records, meaning they were not using technology to facilitate treatment, payment or operations of healthcare, penalties could be assessed against them.

Now, in order to comply with these new laws, technology needed to have interoperability. As we discussed in a previous module, interoperability means the data must be standardized for use across disparate technologies to facilitate information exchange. Medical coding and clinical coding systems are used for this. These coding systems assign a distinct numeric value to medical diagnoses, procedures and surgeries, and to signs and symptoms of diseases and conditions. These assigned codes and other patient data are processed by grouper software to determine a diagnosis-related group, or DRG.

SNOMED is the most widely recognized nomenclature in healthcare. Its current version, SNOMED CT, is intended to provide a set of concepts and relationships that offer a common reference point for comparison and aggregation of data about the healthcare process. ICD-10 is the most widely recognized medical classification, maintained by the World Health Organization, or WHO. Its primary purpose is to categorize diseases for morbidity and mortality reporting. Healthcare providers worldwide were obligated to be ICD-10-ready by October 2015. ICD-11 is the next major update; it was released on June 18th, 2018 and officially endorsed by the WHO on May 25th, 2019. In a nutshell, it is fully electronic and provides access to over 17,000 diagnostic categories and over 100,000 medical diagnostic index terms. The index-based search algorithm interprets more than 1.6 million terms. SNOMED CT and ICD-10 are designed for different purposes, and each should be used for the purposes for which it was designed.
Mapping between the two sources has been done through the Unified Medical Language System Metathesaurus, although each mapped term is not truly synonymous but rather in the same neighborhood, because SNOMED has far more specific terms.

Let's talk about medical devices. The World Health Organization, WHO, commented that medical devices range from simple thermometers to sophisticated and costly diagnostic imaging equipment. A medical device is intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease. The various types of medical devices are listed here. They include self-care, electronic diagnostic, and so on. Please study these terms for the exam.

Based on the Food, Drug and Cosmetic Act, the FDA recognizes three classes of medical devices based on the level of control necessary to assure safety and effectiveness. Listed here are examples of different medical devices and their classes. All classes are subject to general controls. General controls include provisions that relate to adulteration, misbranding, device registration and listing, and banned devices, including notification, repair and replacement. Controls must be in place to prevent these things from happening with these devices. When general controls alone cannot assure safety and effectiveness, an additional special control is required, and the device falls into the Class 2 category. A Class 3 device needs pre-market approval and scientific review to ensure the device's safety and effectiveness.

In summary, today we talked about the threat landscape, oversight and regulatory requirements, interoperability, and medical devices, and how they all have an impact on privacy and security in healthcare. Thank you for watching, and I'll see you in the next video.