
Page 1: 11th AMC Conference - NCHICA

The Privacy – Security Partnership in Managing Risk

June 22, 2015

Angel Hoffman, Dennis Schmidt, Jay Trinckes

11th AMC Conference

Page 2

Session objectives
• Describe the respective roles and responsibilities of privacy and security, and how they can benefit by working together
• Explain opportunities for cross-training for enhanced effectiveness
• Outline a strategy for assessing and managing privacy and security risks through teamwork.

Page 3

Angel Hoffman

Phone: 412-559-6703

Email: [email protected]

www.APHCcompliance.com
© 2014 ADVANCED PARTNERS IN HEALTH CARE COMPLIANCE, LLC

Page 4

Where are we twelve years later?

Let’s review:
• HIPAA Privacy – April 2003
• HIPAA EDI – October 2003
• HIPAA Security – 2005
• HITECH – 2009
• HIPAA Omnibus – 2013

Page 5

Role of the Privacy Officer

HITECH created many changes and stricter protections, along with the Breach Notification Rule, which brought:
• Increased responsibility
• Increased knowledge and skills required
• Increased hours spent handling issues during the work day

HIPAA Omnibus Enforcement Rule

However, it is not just about the regulations, but much more…

Page 6

Changes in Tasks and Activities

• Process development and implementation
• Training development and implementation
• Conduct online and live training for:
  - Board (more emphasis today)
  - Management (follow-up)
  - Staff
  - Others
• Policy development – have the new policies been added to the training?

Page 7

Changes in Tasks and Activities (cont.)

Managing complaints/breaches – have increased; use of technology to track and trend; producing reliable reports

Conduct investigations – have increased and there are more things to track now (breach notification more recently)

Maintaining documentation and keeping all paper and electronic information available

Working with other departments – communication is increasingly critical and impacts: Human Resources, Quality and Information Security

Reporting

Page 8

External Influences

• State Attorney General role
• HIEs – newer state and federal government activity
• Impact of social media
• Age of the workforce

Page 9

Partnering with the Security Officer

“…managing risks in the medical information realm takes effective teamwork.”

The Privacy Officer must partner with the Security Officer in order to have a successful program.

Sharing information is not always easy, but when we work collaboratively rather than in silos, the organization succeeds and outcomes improve. And as we all know now…

You cannot have privacy without security!

Page 10

Roles of a Chief Information Security Officer

Dennis Schmidt
Assistant Dean for Information Technology
HIPAA Security Officer

Page 11

University of North Carolina

• Nation’s first public university, chartered 1789
• 29,000 students
• 3,600 faculty
• Number of servers: unknown, but it’s a lot!!!
• 5% of campus is protected by firewall
  ‒ Blocks 87 million unwanted connections weekly
• IPS blocks 5.1 million malicious threat events

Page 12

UNC School of Medicine

• 1,500+ faculty
• 720 medical students
• 700 graduate students
• 3,000 staff
• ~1,000 servers
• 98 server administrators (self-identified)
• 47 different operating systems (self-reported)

Page 13

CISO Job Description
• Primarily responsible for all ongoing activities related to the availability, integrity and confidentiality of patient, provider, employee, and business information, in compliance with the healthcare organization's security policies and procedures, regulations and law.
• Could report to:
  • CIO
  • Chief Compliance Officer
  • Chief Risk Manager
• Qualifications:
  • BS/BA, usually in a related field
  • Certifications: CISSP, GSEC, PMP…

Page 14

Desired Soft Skills
• Manager
  • Supervises the security team
• Author
  • Writes security policies
  • Drafts or edits incident reports
• Teacher
  • Formal HIPAA training
  • Security presentations
  • Security Bytes/Tips of the Week
• Mentor
  • Leads by example

Page 15

More Soft Skills

• Collaborator
  • Seeks input from the community while developing policies
• Protector
  • Develops an environment that keeps the bad guys out
• Consultant
  • Advises customers on best practices
• Enforcer
  • Blocks bad practices
  • Firm but fair
• Visionary
  • Looks ahead for solutions to new threats

Page 16

Undesired Traits

• Dictator
  • Sets policies without collaborating or consulting with affected users
  • My way or the highway
• Isolationist
  • Fails to communicate with the community
• Do what I say, not what I do

Page 17

Privacy and Security Collaboration

• HIPAA training
• BAAs
• Investigation support
• The 4-item test
• Knowledge sharing

Page 18

Page 19

New Role: Chief Information Privacy & Security Officer (CIPSO)
• Privacy and security are so intertwined
• Executive-level position
• Approved by the Board of Directors, with a direct line of communication to the BoD
• Demonstrates the organization's commitment to privacy/security
• As related to HIPAA, would be responsible for both the Privacy Rule and the Security Rule (the Security Rule covers electronic PHI, a subset of the PHI that the Privacy Rule covers)

Page 20

Build a Culture of Privacy/Security
• People are the weakest link
• Top-down approach; emphasize the importance of privacy/security
• Assign a CIPSO; delegate authority to carry out the role

Page 21

People Concerns – Current Threats

• Social engineering – the art of convincing someone to do something that may not be in their best interest
• Being too helpful – giving away more information than is necessary

Page 22

Real World Examples:

• Physical breach – obtaining unauthorized physical access
• Targeted phishing attacks – wire transfer requests that appear to come from the CEO
  • Limit information available online
• Malicious software – unaware users clicking on links or opening unsolicited attachments
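A header check for the CEO-impersonation wire-transfer phish listed above, as an added example that is not part of the original slides. It flags an executive's display name on a foreign address, a Reply-To that diverts replies elsewhere, and a look-alike sender domain, and only then counts money-movement language. The executive directory, the internal domain and the three sample messages are constructed for illustration.

```python
"""Flag executive-impersonation ("CEO fraud") e-mail from its headers.

Added example, not from the slide deck. The executive directory, the internal
domain and the three sample messages are all constructed for illustration.
"""
from __future__ import annotations

import email
import email.policy
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAIN = "example-health.org"  # assumption: the organisation's own mail domain

# Assumption: a small directory of executives whose names attackers borrow.
EXECUTIVES = {"pat rivera": "pat.rivera@example-health.org"}

MONEY_WORDS = ("wire transfer", "wire", "payment", "invoice", "gift card", "urgent")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw: str) -> list[str]:
    """Return the reasons a message looks like executive impersonation (empty = clean)."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    reasons: list[str] = []

    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    from_dom = _domain(from_addr)
    display_key = " ".join(display.lower().split())

    # 1. An executive's display name on an address that is not the executive's.
    if display_key in EXECUTIVES and from_addr != EXECUTIVES[display_key]:
        reasons.append(f"display name '{display}' but sender is {from_addr or '<none>'}")

    # 2. Reply-To routed to a different domain than the visible sender.
    for _, rt in getaddresses([str(h) for h in msg.get_all("Reply-To", [])]):
        if _domain(rt) and _domain(rt) != from_dom:
            reasons.append(f"Reply-To {rt.lower()} differs from From domain {from_dom}")

    # 3. Look-alike sender domain (one or two characters off the real one).
    if from_dom and from_dom != INTERNAL_DOMAIN and _edit_distance(from_dom, INTERNAL_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {from_dom}")

    # 4. Money-movement language only counts once a header anomaly is present;
    #    urgency alone is normal traffic for a finance mailbox.
    if reasons:
        body = msg.get_body(preferencelist=("plain",))
        text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
        hits = [w for w in MONEY_WORDS if w in text]
        if hits:
            reasons.append("money-movement language: " + ", ".join(hits))
    return reasons


# Constructed sample messages (not real traffic).
PHISH = """\
From: Pat Rivera <pat.rivera@mail.example>
Reply-To: pat.rivera.ceo@freemail.example
To: finance@example-health.org
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Can you process a wire transfer today? I am in meetings, email only.
"""

LOOKALIKE = """\
From: Pat Rivera <pat.rivera@examplehealth.org>
To: finance@example-health.org
Subject: Payment approval
Content-Type: text/plain; charset="utf-8"

Please release the payment below.
"""

LEGIT = """\
From: Pat Rivera <pat.rivera@example-health.org>
To: finance@example-health.org
Subject: Board agenda
Content-Type: text/plain; charset="utf-8"

Attached is the agenda for Thursday.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LOOKALIKE", LOOKALIKE), ("LEGIT", LEGIT)):
        print(name, analyze(raw) or "clean")
```

The check deliberately runs on headers the recipient can see, because SPF/DKIM results are absent when the attacker uses a free-mail account under a real executive's name; in a gateway this rule would feed a quarantine or a "verify by phone before paying" banner rather than an outright block.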

Page 23

Administrative Safeguards

• Four tenets of information security – CIAP:
  • Confidentiality
  • Integrity
  • Availability
  • Privacy

Page 24

Policies/Procedures –

• Must be implemented
• Staff must be aware they exist
• Must be ‘easy’ to follow
• Must be relevant

Page 25

Physical Safeguards

• First line of defense
• Castle scenario – layers of defenses
• Security rule of thumb: if someone is able to gain physical access to a system, the system no longer belongs to the organization.

Page 26

Real World Examples:

• Cipher locks on doors – worn numbers; ‘view over shoulder’
• Key-logging/USB devices
• Boot to CD/USB drive; BIOS flaws
• Monitor locations
• System locks – password-protected screen savers

Page 27

Technical Controls
• Weak passwords – user controlled
  • No amount of security can protect against weak passwords
• Authentication process – limited by application developers
  • Need to consider multi-factor authentication
  • Stronger authentication methods
• Encryption – not all encryption is the same
  • SSL/TLS has had serious flaws (Heartbleed, FREAK, weak pseudo-random number generators)

Page 28

System Logging Activities
• ‘There are only two types of companies: those that have been hacked and those that will be.’ – Former FBI Director Robert Mueller
• And once you are hacked, would you even know?
• User activity logging; suspicious activities; Security Information and Event Management (SIEM) solutions; intrusion detection/intrusion prevention solutions
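Three of the detections a SIEM would run over EHR audit logs to answer "would you even know?", as an added example that is not part of the slides: a login that succeeds right after a burst of failures, a successful login outside business hours, and one user opening many distinct patient charts in a short window. The key=value log format, every log line and the thresholds are constructed assumptions.

```python
"""Three SIEM-style detections over EHR audit log lines.

Added example, not from the slide deck. The key=value log format and every log
line below are constructed; thresholds are assumptions to tune per site.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse(line: str) -> dict | None:
    """'2015-06-22T09:01:10 host=ehr01 user=jsmith ...' -> dict with a datetime 'ts'."""
    m = LINE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    rec = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    rec["ts"] = ts
    return rec


def detect(text: str, fail_threshold: int = 5, fail_window: timedelta = timedelta(minutes=10),
           business_hours: tuple[int, int] = (7, 19),
           view_threshold: int = 10, view_window: timedelta = timedelta(minutes=15)) -> list[str]:
    """Return alert strings in log order; each starts with its rule name."""
    alerts: list[str] = []
    fails: dict[tuple, deque] = defaultdict(deque)   # (src, user) -> recent failure times
    views: dict[str, deque] = defaultdict(deque)     # user -> recent (time, patient) views
    for line in text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        ts, user, event = rec["ts"], rec.get("user", "?"), rec.get("event")
        if event == "login":
            q = fails[(rec.get("src"), user)]
            while q and ts - q[0] > fail_window:        # slide the failure window
                q.popleft()
            if rec.get("result") == "FAIL":
                q.append(ts)
            elif rec.get("result") == "OK":
                # Rule 1: success right after a burst of failures = likely guessed password
                if len(q) >= fail_threshold:
                    alerts.append(f"brute_force: {user} from {rec.get('src')} "
                                  f"succeeded after {len(q)} failures at {ts}")
                q.clear()
                # Rule 2: successful login outside business hours
                if not business_hours[0] <= ts.hour < business_hours[1]:
                    alerts.append(f"after_hours: {user} logged in at {ts}")
        elif event == "record_view":
            # Rule 3: one user opening many distinct charts quickly (snooping or bulk export)
            q = views[user]
            while q and ts - q[0][0] > view_window:
                q.popleft()
            q.append((ts, rec.get("patient")))
            distinct = {p for _, p in q}
            if len(distinct) == view_threshold:             # fire once, when the threshold is crossed
                alerts.append(f"record_snooping: {user} viewed {len(distinct)} patients within {view_window}")
    return alerts


# Constructed sample log: a guessed password, a normal clinician, and a late-night chart browse.
SAMPLE_LOG = [
    f"2015-06-22T09:01:{10 + 4 * i:02d} host=ehr01 src=10.4.2.19 user=jsmith event=login result=FAIL"
    for i in range(5)
] + [
    "2015-06-22T09:01:31 host=ehr01 src=10.4.2.19 user=jsmith event=login result=OK",
    "2015-06-22T09:30:00 host=ehr01 src=10.4.3.8 user=mlee event=login result=OK",
    "2015-06-22T09:31:00 host=ehr01 src=10.4.3.8 user=mlee event=record_view patient=P1001",
    "2015-06-22T23:12:40 host=ehr01 src=10.4.7.77 user=tnguyen event=login result=OK",
] + [
    f"2015-06-22T23:{13 + i:02d}:00 host=ehr01 src=10.4.7.77 user=tnguyen event=record_view patient=P{2000 + i}"
    for i in range(12)
]

if __name__ == "__main__":
    for alert in detect("\n".join(SAMPLE_LOG)):
        print(alert)
```

Each rule only works if the application writes the event in the first place: the chart-browsing rule in particular depends on the EHR logging every record view with a user and a patient identifier, which is the logging requirement the privacy officer should be asking the security officer to verify.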

Page 29

Group Discussion
