Hacking Healthcare: The Current State of Healthcare Data Security

Post on 28-Jul-2015

Category: Health & Medicine

TRANSCRIPT

Hacking Healthcare

A Hacker’s Paradise

Paradise Lost

The Current State of Healthcare Data Security

Presenter – Jeff Franks, vCTO at MapleTronics Computers

Why Healthcare is in the Crosshairs

• Black market medical records are a multi-billion dollar industry
• Fraud can take years to discover
• Security is lacking in most CE environments

Who are the Hackers?

• Yes, teenagers, but also…
• Organized Crime
• Nation States (China, Russia, North Korea, etc.)
• Anyone with an agenda

Why You Should Care

Black Market Value of a Credit Card: $0.50

Black Market Value of a Medical Record: $10.00

Size Doesn’t Matter

The Way In

Vulnerabilities
• Open Firewalls
• Unrestricted Web Access
• Unpatched Operating Systems
• Out of Date AntiVirus (or no A/V)
• Social Engineering

Your Biggest Vulnerability

Your Own People

• Don’t always follow policies
• Can be easily manipulated
• Underestimate their role/impact
• Fail to recognize/report incidents

Because they don’t know!

Your Biggest Vulnerability

Your Own People

Whether they are ignorant, careless or have bad intentions, they have:

• Access
• Time
• Opportunity

What You Are Facing in 2015

• ePHI is a highly valuable asset
• ePHI is targeted by numerous people
• Your size doesn’t hide you
• IT security and risk management has not been a priority
• Your own people can break your security
• Increased enforcement by HHS & State Governments

So, where do we start?

Beyond Compliance

Winning with the HIPAA Security Rule

Presenter – Phil Cooper, CIO at MapleTronics

The Stated Purpose of the Security Rule

1. Of ePHI, to ensure
   a) Confidentiality
   b) Integrity
   c) Availability
2. Protect against
   1. Threats
   2. Hazards
3. Protect against improper
   1. Uses
   2. Disclosures
4. Ensure compliance by workforce

The Real Object of the Security Rule

To create a corporate culture of decision-driven IT security & risk management

The Real Object of the Security Rule

Your IT can’t be:
• An Afterthought
• Set & Forget
• A one and done checklist

Your IT must be:
• Intentional
• Decision-Driven
• A part of how you do business

The Business Case

A good compliance program will provide:
• Maximum uptime
• Customer service/satisfaction
• Productivity/efficiency
• Employee morale
• Maximum Security
• Reduced liability exposure
• Marketing opportunity
• Business-wide protection and performance
• Not just ePHI should be protected, but your entire business data.

The Business Case

The truth is, many of your IT issues stem from the same root cause:

IT SECURITY AND RISK MANAGEMENT ARE MERELY AN AFTERTHOUGHT.

And you can change that by being intentional with IT.

10 Years and Counting

67%: CEs who have NOT performed an adequate Risk Analysis and therefore,

“…have not identified the risks and vulnerabilities of their environment and therefore are failing to adequately safeguard ePHI.” – OCR, September 2014

10 Years and Counting

~60%: Theft & Loss

The “message” is that these could ALL have been prevented by encryption (safe harbor).

Getting Started or Getting Serious

• Read the Security Rule
• Designate and Empower a Security Officer
• Establish a HIPAA SR Team
• Identify ALL of Your ePHI
• Perform a Serious Risk Analysis and Act on it
• Document Your Process & Actions
• Sell it from the Top… Make it Part of Your Culture

Key Areas to Re-evaluate

• Provide regular security awareness to all workforce members
• Craft & enforce an encryption policy
• Deploy intrusion detection & prevention
• Perform regular vulnerability assessments
• Apply patching regularly
• Control & secure mobile devices, or don’t use them
• Use secure texting, or don’t text
• Leverage 3rd party resources & vendors
• But don’t abdicate your responsibilities
• Use role-based security
• Limit ePHI use by design (minimum access approach)
• Encourage incident reporting by workforce
• Enable proactive auditing
• Secure your remote access
• Evaluate your WiFi setup

You Can Do This

Questions

DELETED SLIDES

Final Word: What Did You Attest To?

“Meaningful Use attestation of performing a risk analysis [Core Requirement #15] equals attesting that you are compliant with the HIPAA Security Rule.” – Deven McGraw, HHS Tiger Team Chair & Partner at Manatt, Phelps & Phillips, LLP

What’s Next?

Six Things To Do This Week

• Close down RDP from the Internet
• Remove BYOD from your business network
• Encrypt laptops (if ePHI exists)
• Verify your data protection and recovery strategy
• Perform/Start a REAL risk analysis
• Assess your Security Rule compliance

Why Should You Care?

[Slide graphic: Your ePHI; Health & Human Services]
