Jessica Davis

While only about 6,500 patients were impacted by a cyberattack on Associates in Psychiatry and Psychology in March, the provider's transparency in its breach notification is a valuable example for other organizations.

In March, the Internet Engineering Task Force approved the Transport Layer Security version 1.3, the key function to enable HTTPS function on the web. On the surface, the new encryption model shores up network communications and provides substantially improved security features. As the new encryption model used to browse the internet, the TLS 1.3 standard ensures data is encrypted through cryptographic protocols, using algorithms and ciphers. The previous model, TLS 1.2, had many flaws, which, left unfixed, could have impacted users around the globe. Hackers could have been able to crack the flaws in the TLS 1.2 encryption to complete a downgrade attack. So IETF spent four years on 28 drafts with comment periods and arduous hours crafting the new web standard. Hailed by many in the security industry for advancing security and performance functions, TLS 1.3 removes some of the legacy functions of past encryption models and phases out obsolete protocols. TLS 1.3 also improves the "handshake" between SSL/TLS, to secure the connection between the client and the server. The process includes communication between the two parties to validate security certificates and negotiate data transfer terms. The standard drastically reduces the handshake timeframe with just one round to complete. Not only that, it remembers clients and servers that have met before, which means it won't take additional rounds to complete. The IETF Internet Engineering Steering Group passed the standard with overwhelming support, with eight of the 13 members in support and the other five said 'no objection.' Challenges for HIPAA and patient privacy So with all of these improved security features, why are some experts concerned about this change? To Josh Magri, vice president of Counsel for Regulation and Developing Technologies at the Financial Services Roundtable, some of the concern stems from the encryption standard's premise that communication between endpoints are always between two individuals. In practice, communications, specifically TLS sessions, are often between a person and the enterprise as the endpoint, with the enterprise then distributing the communications throughout their network. But now the enterprise as gatekeeper has been removed and enterprise won’t be able to see the communications occurring between the individual sender and the individual receiver,” said Magri. "The enterprise as an endpoint is no longer.” "The thought among some of the privacy fundamentalists or activists is that when a communication is sent it should only readable by the individual sender and individual receiver," he added. "But I'm thinking about how an enterprise works: : The enterprise needs to know what is going on within its walls to protect itself, its employees, and the people it services – it should be the endpoint and have control, following proper regulations and informed consent requirements." Under the new standard, the data is encrypted on each singular device, for each individual. The problem, as Magri explained, is that these organizations are responsible for the devices on their networks, and they need to be able to see whether an insider is taking data out or doing malicious activities. "When you've encrypted [under TLS 1.3] inside the enterprise won’t necessarily be able to see what's going on between a receiver on its network and a sender and vice versa," he said. This could be problematic for healthcare when it comes to HIPAA and patient privacy. While HIPAA doesn’t require vulnerability scans or penetration tests, it mandates organizations conduct a risk analysis – or a test of security controls. Two important ways to accomplish this are with those tools. NIST actually issued a special HIPAA recommendation that organizations should "conduct trusted penetration testing of the effectiveness of security controls in place, if reasonable and appropriate. This validates your exposure to actual vulnerabilities." But here’s the catch: Without the ability to view traffic across the whole network, infosec leaders will either need to invest in workarounds, time and or tools to be able to effectively monitor these threats. And in terms of patient safety and HIPAA – that becomes a serious challenge. You want to have idea of what is going from point A to point B on your network, and spot whether there are any bad actors or other malicious behavior even if it isn’t internet bound," said Magri. While there are some workarounds to handle this issue, "it can still cause a lot of problems." Let's get technical It's not that the group wants the new encryption protocol removed. Rather, the group spent two years trying to sway the IETF to keep the critical risk and operational management capabilities in place for TLS, explained Andrew Kennedy, director of BITS, FSR's technology policy division. "The capability to inspect encrypted custodial data has been available for nearly a quarter of a century and serves to protect customers and enterprises against data breach from phishing attacks, advanced persistent threats, and insider threat, and to expedite the diagnosis and resolution of critical network anomalies," Kennedy wrote in reaction to the IETF approval. To Kennedy, the real issue is out-of-band inspection: the "non-invasive way of essentially taking the encrypted data and shifting it elsewhere." "The encrypted data goes to its intended destination, but it is also copied to the side," said Kennedy. However, since the enterprise has the private key, "Using RSA key exchange, enterprises can inspect [the copy of] the data." "There are lots of good reasons to do that: malware, insider threats, DDoS concerns, fraud, insider abuse," he added. But TLS 1.3 took away this capability, Kennedy explained. And although there are other ways to inspect the data, out-of-band is crucial as it's doesn't interrupt data flow or add operational risk. In-line acts like a proxy and gets in front of the client on the server to decrypt. "[In-line] is still possible with TLS 1.3, but it adds operational risk, latency and doesn't scale as well," said Kennedy. "We had this universal tool for inspecting data – and now we're left with [in-line] that does not cover all threat models." Kennedy laid out a use case that explained how a hacker could easily go into a network to steal healthcare or banking data, or flip a switch and turn off the electrical grid – or even worse, undermine the integrity of data. "When you have complex networks, mergers and acquisitions, business partnerships – you need the flexibility to have this inspection capability when you need it," said Kennedy. "It's a universal tool – not just for fraud and security – it's also used for diagnostic and customer experience." Take, for example, if a service goes down because a hacker gets in: It costs money and time, he explained. "You need this universal tool because if you can't inspect the data or firewall – in some cases, it's hundreds of hours of downtime. "There are so many places on the network that it could be a problem in finding that one threat," Kennedy added. "You could be down for hours and finding that problem could be weeks." Uphill battle About two years ago, FSR discovered that the proposed TLS 1.3 protocol changed the key RSA algorithm, which caused these issues with viewing data for the financial and healthcare sectors. Kennedy said it was "a culture shock (for IETF) to learn how everything works." The group went to work on developing standard-based ways of solving these issues – but both were rejected. "The funny thing is that there are solutions out there that technically meet the TLS 1.3 standards, but are probably not what the privacy advocates could want," said Kennedy. "But that's not the way the IETF thinks of things: They think about internet and individual." FSR is no longer pursuing a fix through IETF. The two solutions developed by the group solve the problem in-line, and some may choose to take that path. Organizations can also tune the key and change it for each session, the way previous versions work. But Magri and Kennedy said they're talking to other sectors and standards groups to determine another way forward. They also mentioned there are vendor options that can help – but it doesn't immediately solve the issue. "The unfortunate part is the IETF is the premier standards body for the internet, it makes it harder to get by and get that developed," said Kennedy. "This is going to be solved regardless of them weighing in, but they should have." "TLS 1.3 it has been implemented, so it's going to be hard to unwind that," said Magri. "It will be a matter of trying to look for solutions going forward that will work for the companies and work for the privacy folks. It's just not going to be as thought through as what we would have hoped it would be." .jumbotron{ background-image: url("http://www.himss.org/sites/himssorg/files/u351641/securityforum-jumbotron.jpg"); background-size: cover; color: white; } .jumbotron h2{ color: white; } Healthcare Security Forum The forum in San Francisco to focus on business-critical information healthcare security pros need June 11-12. Twitter: @JessieFDavis Email the writer: jessica.davis@himssmedia.com

Passing with a 92-5 vote, the legislation also will mandate the agency participate in national PDMP data sharing network.

As the healthcare sector continues to shift into value-based care and consumers become more involved in the care process, telemedicine and big data will continue to hold a crucial role in advancing patient care. Telemedicine has developed from a “shiny new toy” to “the standard of doing care,” said Lisa Schmitz Mazur, a partner at McDermott Will and Emery, who co-authored the book The Law of Digital Health with Bernadette Broccolo, also a partner at the law firm.  “Telemedicine is really becoming a significant game-changer,” said Mazur. What the 2018 HIMSS US Compensation Survey Results Mean for Women in Health IT Not only will providers use the tool to deliver care -- like telemedicine and tele-psychiatry, but patients are also demanding it and expecting it, said Mazur. “Providers are fueling the expansion.” Doctors, too, are excited about where those opportunities lie and exploring areas where telemedicine can make an impact, she added. Particularly in the area of behavioral health and chronic disease, telemedicine can provide a method to better manage those conditions. “It’s changing the standard of care,” Broccolo said, in agreement. Mazur added that real opportunities exist and hospitals that ignore the possibilities may ultimately expose themselves to risk by not meeting standards of care.  For Broccolo, big data is the other dimension in digital health. While already prominent with EHRs and health information exchanges, big data can be wholly beneficial in the cancer space to accelerate the use of precision medicine and molecular profiling to predict the onset of disease. “The cancer-side of big data is going to expand quickly,” said Broccolo. “The new applications will make data even more valuable than it was before.” Coding and new algorithms will help add depth to the data, as well as collaborations around the development of the information, she explained. But a lack of standards around the data are hindering its use. “Those challenges are being exacerbated by the fact the data is coming from a lot more sources and it’s often unstructured -- as opposed to EHR data,” said Broccolo. “And in particular, the data coming in through consumers … something you’re not as sure of the integrity.” But despite these challenges, there are disruptors and innovators bringing together leading players that are creating these structured stores of data, explained Broccolo. They’re applying the tech to create a pretty robust data set. At the end of the day, what will make the biggest impact on the industry is any solution that is patient facing, said Mazur. “The engagement,” said Mazur. “It’s getting the patient to use the solution as part of their daily life. It needs to be something they build into their daily routines. A lack of engagement, slower user levels limit effectiveness: meaning, reams don’t have the info they need to see if a product works. We need that data in order to get that solution to the next level -- or just perform what it needs to do.” .jumbotron{ background-image: url("http://www.himss.org/sites/himssorg/files/u351641/BigData-Forum2-June2018-712.jpg"); background-size: cover; color: white; } .jumbotron h2{ color: white; } Big Data & Healthcare Analytics Forum The San Francisco forum to focus on utilizing data to make a real impact on costs and care June 13-14. Twitter: @JessieFDavis Email the writer: jessica.davis@himssmedia.com

The provider group worked with its inside responder and outside counsel to restore data and successfully contain the security incident.

On a call with investors, Burke praised the EHR pilot at the Defense Department and suggested those negative media reports may have involved a competitor.

Joking that he “ruined the surprise,” the President made the announcement at the White House prison reform summit Friday afternoon.

MedEvolve, a practice management software vendor, left its FTP server open to the public without the need for a login.

After nearly a year of speculation, the Veterans Affairs Department will implement the same EHR as the Department of Defense.

Retired Navy Commander Kirk Lippold will share his vision for leadership within an organization, including creating a culture of integrity and personal accountability, at the HIMSS Security Forum in June.