Remote Servicing under HIPAA with proposed Solution A


John F. Moehrke
Chairman of Remote Servicing Focus Group
NEMA/COCIR/JIRA Security and Privacy Committee
Systems Engineering – Security and Privacy in Healthcare
GE Medical Systems
HIMSS – January 28, 2002


NEMA/JIRA/COCIR Security and Privacy Committee
What you will learn today
- Remote Servicing is critical
- Remote Servicing presents new security risks
- Vendors are working on a common solution that will
  a. Reduce administration (Hospital and Vendor)
  b. Improve Accountability
  c. Provide a more secure environment
Privacy is the Goal, Security is the way.


NEMA/JIRA/COCIR Security and Privacy Committee (SPC)
- Joint effort by NEMA-MII, COCIR-IT, and JIRA
- Mission: Ensure a level of data security and data privacy in the health care sector that:
  - Meets legally mandated requirements
  - Can be implemented in ways that are reasonable and appropriate
  - Reduces Healthcare costs of compliance
- Scope: All systems, devices, components, and accessories used in medical imaging informatics
- Scope is not exclusive of other products and is expected to be extendable to all Equipment that maintains Patient Data (PHI)
- International data security and data privacy legislation, currently focusing on the European Community, Japan, and the United States of America


Efforts of the SPC
- Educational Document: http://medical.nema.org/privacy/education.pdf
- Remote Servicing Proposal (this talk): http://medical.nema.org/privacy/remote.pdf
- Audit Controls: http://medical.nema.org/privacy
- Secure IHE Profiles: work in progress
- Members: AGFA, GE, Kodak, Konica, Philips, Siemens, Toshiba


Why do Remote Servicing?
Benefit to Health Care Provider
- Better Availability and Integrity of the systems
- Quick response as no Travel involved
- Higher quality of service
  - Knowledge base available at the Vendor
  - Expert can be applied to the problem/solution
Benefit to Vendor
- Lower costs to service equipment
- More service offerings (preemptive diagnosis)
- Remote Service Centers (RSC) centralize knowledge and expertise


Remote Servicing today (diagram): the Hospital Network reaches the Remote Service Center of each of Vendor X, Vendor Y and Vendor Z through separate Modem Connections and a Complex Wired Infrastructure.


Remote Servicing Solution (diagram): the Hospital uses Hospital Network Access points to connect to Vendor X, Vendor Y and Vendor Z, e.g. over an Internet VPN.


Access Control (diagram: Hospital and Vendors X, Y, Z)
1. Individual Service Personnel
2. Device under service
3. Access point Edges


Audit Trails (diagram: Hospital and Vendors X, Y, Z)
1. Individual Service Personnel: who, what, where, when & why
2. Device: when, and under what service
3. Access point Edges: Session specifics, where and when


Health Care Provider gains Control and Manageability
- Control of each session and/or vendor
- Rules that restrict where vendor X can go, what tools they can use, when they can connect, etc.
- Strong Access Point Authentication
- Audit trails to prove accountability


Next Steps for SPC
Focus Group Charter: Define a Reasonable and Practical solution that follows this architecture
- Candidate 'A' -- IPSec tunneling over the Internet
  - ESP/AH – 3DES and SHA-1
  - IKE – Session Key negotiation
  - Certificates – communicated out-of-band (mail, courier, etc.)
  - Filtering and Routing rules maintained by the Healthcare facility
  - Audit trails maintained at RSC
  - Individual Authentication maintained at the RSC
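The Access Control, Audit Trails, and Control and Manageability slides above describe what the hospital-side access point must enforce and record, and Candidate 'A' adds that the vendor's certificate arrives out-of-band and that filtering rules stay with the healthcare facility. The following Python model, an added example that is not code from the Focus Group or any vendor, ties those pieces together: a per-vendor rule (where vendor X can go, which tools, when) with a pinned certificate fingerprint, and an audit entry with who/what/where/when/why for every decision. The rule format, the SHA-256 fingerprint pinning, and all subnets, ports and session values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class VendorRule:
    """Filtering rules maintained by the healthcare facility for one vendor (assumed format)."""
    vendor: str
    pinned_cert_sha256: str      # access point identity, received out-of-band (mail, courier)
    device_subnets: tuple        # where the vendor may go
    allowed_ports: frozenset     # which tools/protocols they may use
    window: tuple                # (start, end) local time when they may connect


@dataclass(frozen=True)
class SessionRequest:
    """One service session arriving at the hospital access point edge."""
    vendor: str
    engineer: str                # individual service person, authenticated at the RSC
    cert_sha256: str             # fingerprint presented by the vendor access point
    target_ip: str               # device under service
    port: int
    when: datetime
    reason: str                  # why: ticket or service description


@dataclass
class Gateway:
    rules: dict                  # vendor name -> VendorRule
    audit: list = field(default_factory=list)

    def authorize(self, req: SessionRequest) -> bool:
        """Apply the hospital's rules; every decision, allowed or not, goes to the audit trail."""
        rule = self.rules.get(req.vendor)
        if rule is None:
            return self._record(req, False, "unknown vendor")
        # Strong access point authentication: presented certificate must match the
        # fingerprint the hospital received out-of-band for this vendor.
        if req.cert_sha256 != rule.pinned_cert_sha256:
            return self._record(req, False, "access point certificate mismatch")
        target = ip_address(req.target_ip)
        if not any(target in ip_network(net) for net in rule.device_subnets):
            return self._record(req, False, "device outside vendor's permitted subnets")
        if req.port not in rule.allowed_ports:
            return self._record(req, False, f"port {req.port} not a permitted tool")
        start, end = rule.window
        if not start <= req.when.time() <= end:
            return self._record(req, False, "outside permitted service window")
        return self._record(req, True, "policy match")

    def _record(self, req: SessionRequest, allowed: bool, detail: str) -> bool:
        # Audit entry carrying the who / what / where / when / why from the slides.
        self.audit.append({
            "who": f"{req.vendor}/{req.engineer}",
            "what": f"{'ALLOW' if allowed else 'DENY'} tcp/{req.port}",
            "where": req.target_ip,
            "when": req.when.isoformat(),
            "why": req.reason,
            "detail": detail,
        })
        return allowed


# Constructed sample fingerprint, standing in for one delivered by courier.
VENDOR_X_FP = "sha256:" + "ab" * 32


def demo_gateway() -> Gateway:
    """Gateway loaded with one constructed rule for Vendor X."""
    rule = VendorRule(
        vendor="Vendor X",
        pinned_cert_sha256=VENDOR_X_FP,
        device_subnets=("10.20.0.0/24",),        # modality subnet (constructed)
        allowed_ports=frozenset({22, 443}),      # remote shell and web console only
        window=(time(7, 0), time(19, 0)),
    )
    return Gateway(rules={rule.vendor: rule})


def run_sample_sessions() -> list:
    """Run four constructed session requests and return the resulting audit trail."""
    gw = demo_gateway()
    base = dict(vendor="Vendor X", engineer="j.smith", cert_sha256=VENDOR_X_FP,
                target_ip="10.20.0.15", port=22, reason="ticket 4711: tube calibration")
    gw.authorize(SessionRequest(**base, when=datetime(2002, 1, 28, 10, 30)))
    gw.authorize(SessionRequest(**{**base, "cert_sha256": "sha256:" + "cd" * 32},
                                when=datetime(2002, 1, 28, 10, 31)))
    gw.authorize(SessionRequest(**{**base, "target_ip": "10.30.0.5"},
                                when=datetime(2002, 1, 28, 10, 32)))
    gw.authorize(SessionRequest(**base, when=datetime(2002, 1, 28, 23, 0)))
    return gw.audit


if __name__ == "__main__":
    for entry in run_sample_sessions():
        print(entry)
```

Of the four sample sessions only the first is allowed; the other three are denied for a certificate mismatch, a device outside the vendor's subnet, and a connection outside the service window, and each denial is still recorded, which is what lets the audit trail prove accountability rather than only success.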


Solution A: IPSec on Internet (diagram): the Hospital connects to Vendor X, Vendor Y and Vendor Z over IPSec Tunnels using ESP+AH with 3DES and SHA-1, IKE-RSA, and PKI distributed out-of-band.


Conclusion
- The Focus Group is actively creating these Descriptions of Candidate Implementations
  - Vendors are providing experts from their Service organizations
  - AGFA, GE, Kodak, Philips, Siemens, Toshiba, +
- Targeting End of 2002 with demonstration at RSNA
- Will seek approval by NEMA, COCIR, and JIRA early 2002
- Likely Vendor implementations mid 2002


John F. Moehrke
GE Medical Systems
262-293-1667
John.Moehrke@med.ge.com