HIPAA Crackdown (Anitian)

Upload: anitian

Post on 16-Jan-2017

HIPAA CRACKDOWN

ANITIAN

Intelligent Information Security | ANITIAN

Meet the Speakers

Jordan Wiseman

• Certified Risk Assessor, QSA, GSEC

• 18+ years experience in Information Technology and Security

• 13+ years in Healthcare and HIPAA compliance

Phil Johnson

• Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA)

• 9+ years in Medicaid Management Information Systems (MMISs) and Health Exchanges for Texas, New Hampshire, and Hawaii

• 6+ years in IT Audit and Information Security

Vision: Security is essential to growth, innovation, and prosperity. Mission: Build great security leaders.

ANITIAN

• Rapid Risk Assessment

• Compliance Assessment and Audit

• Full-Spectrum Security Testing

• Managed Threat Intelligence

Intelligent Information Security

Overview

Intent

• Help you understand the current HIPAA enforcement landscape

• Increase your awareness of HIPAA-related threats

• Share with you valuable takeaways from Anitian’s HIPAA practice

Outline

1. Office for Civil Rights (OCR) audit program

2. The evolving HIPAA threat landscape

3. Tales from the Anitian front line of HIPAA engagements

Assumptions

• You have a basic understanding of HIPAA

  • Privacy Rule

  • Security Rule

  • Breach Notification Rule

• Awareness of recent public OCR enforcement actions

HIPAA Timeline

• HIPAA Act (1996)

• HITECH Act (2009)

• OCR Phase I Audit (2011)

• Final HIPAA Omnibus Rule (2013)

• OCR Phase II Audit (2016)

OCR 2016 Audits

It seems like audits are more extreme this year… are they?!

OCR 2016 Audits

• In a word: yes.

• Why?

  • Findings from the 2011 OCR audit cycle

  • Publicity around high-profile breaches

  • Findings from the Office of the Inspector General (OIG)

OCR Audit Targets and Process

• Who is being audited?

  • Individual and organizational healthcare providers

  • Health plans (all types/sizes)

  • Healthcare clearinghouses

  • OCR will not audit entities having an open complaint or undergoing a compliance review

• Selection process

  • OCR verifies entity contact information

  • Entity completes questionnaire informing OCR of business associates

  • OCR chooses auditees through random sampling of the ‘audit pool’

Sample Audit Notification Letter

Sample of HIPAA-Related Breaches and Findings

Hospital / University OCR Settlement (2016 - $2.7M)

• Over 3,000 unencrypted patient records stored in Google Mail and Google Drive

• Over 4,000 patient records breached when unencrypted laptop and thumb drive stolen

• OCR investigation found that entity’s risk assessment was inadequate

• Key takeaway from OCR Director:

  “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”

Sample of HIPAA-Related Breaches and Findings

Large Healthcare System (2016 - $5.55M)

• Largest HIPAA settlement fine to date

• Combined breach of ePHI for over 4 million individuals

• Shortcomings:

  • Risk assessment lacking in accuracy and thoroughness

  • Lack of policies/procedures restricting physical access to data centers where ePHI is stored

  • Lack of contracts with Business Associates requiring associates to safeguard ePHI

• Key takeaway from OCR Director:

  “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.”

Recent Trends in the PHI Threat Landscape

Accidental, careless, and uninformed actions

• Lost or stolen items

  • Cell phones

  • Laptops

  • Backpacks/bags

• Unmanaged cloud service use

  • “But, it’s okay, they use AES-256!”

  • Advertised with IT-less setup/support

Recent Trends in the PHI Threat Landscape

Insider Threats

• Malicious use on the rise

  • Identity theft

  • Medicare fraud

  • Tax fraud

• HHS, Secret Service, and OCR suggest treating external and insider threats equally

Recent Trends in the PHI Threat Landscape

Ransomware

• OCR Fact Sheet on Ransomware and HIPAA: http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

• Key points:

  • Ransomware attacks are security incidents

  • Successful ransomware attacks might be breaches

  • HIPAA-mandated controls can help

Tales from the Front Lines

The Usual Suspects

• Mandatory outdated software

  • Windows

  • IE

  • Adobe

• Data Loss Prevention

• SFTP/FTPS

• Vendor support

  • Equipment

  • VPN

Tales from the Front Lines

End-user Remote Access

• Valuable business/patient care uses

  • Emergent or after-hours EHR access

  • Web-based email (OWA) and scheduling

  • Direct to own desktops; usual tools

• Control gaps

  • Multi-factor authentication

  • Successful login monitoring

  • LogMeIn, GoToMyPC, etc.

  • RDP resource redirection

Tales from the Front Lines

Personal Cell Phones

• May contain PHI

  • Emails

  • Text messages

  • Attachments

  • Pictures

• Most providers require passcodes to unlock

  • But overlook device encryption!

  • This is why MDM is important

Tales from the Front Lines

Access Logging Gaps

• Reporting and custom databases

  • How many copies of live PHI do you have?

  • How are they accessed?

  • Who is accessing them?

  • What about Microsoft Access?

• File shares

  • XLS, CSV, or TXT files with PHI

  • SACLs, auditd, SELinux
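
The three questions on this slide (how many copies, how are they accessed, by whom) are exactly what a file-share watch in auditd can answer once the raw records are joined back together. The script below is an added example, not code from the Anitian deck: it assumes a rule such as `auditctl -w /srv/phi -p rwa -k phi-share` has been loaded, then joins each SYSCALL record carrying that key to the PATH records of the same event, resolves the login UID to a user, and flags the accesses a reviewer should look at. The `/srv/phi` path, the `phi-share` key, the user map, the expected-program list and the log lines are all constructed for illustration.

```python
"""Who accessed which PHI file, from which program: joined auditd records.

Added example, not from the Anitian deck. Assumes a watch rule such as
    auditctl -w /srv/phi -p rwa -k phi-share
so each open/read/write/attribute change under /srv/phi yields one SYSCALL
record plus PATH records sharing the same event serial. The path, key, user
map, expected-program list and log lines below are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

AUDIT_KEY = "phi-share"  # the -k value of the assumed rule

# Constructed: audit login UID -> user name (normally resolved via getent passwd)
LOGIN_NAMES = {1001: "jdoe", 1002: "backup-op", 1003: "tsmith"}

# Constructed: programs that legitimately open files on this share; anything
# else (archivers, copy tools, shells) deserves a reviewer's attention
EXPECTED_PROGRAMS = {"/opt/office/excel", "/opt/reports/runner"}

# Constructed sample of /var/log/audit/audit.log content (some fields trimmed)
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1484553600.101:301): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2100 pid=2144 auid=1001 uid=1001 gid=1001 euid=1001 ses=4 comm="excel" exe="/opt/office/excel" key="phi-share"
type=PATH msg=audit(1484553600.101:301): item=0 name="/srv/phi/billing" inode=120 dev=08:01 mode=040750 ouid=0 ogid=50 nametype=PARENT
type=PATH msg=audit(1484553600.101:301): item=1 name="/srv/phi/billing/claims_2016.xls" inode=131 dev=08:01 mode=0100640 ouid=0 ogid=50 nametype=NORMAL
type=SYSCALL msg=audit(1484553660.202:302): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=3000 pid=3011 auid=1002 uid=0 gid=0 euid=0 ses=5 comm="tar" exe="/usr/bin/tar" key="phi-share"
type=PATH msg=audit(1484553660.202:302): item=0 name="/srv/phi/exports" inode=140 dev=08:01 mode=040750 ouid=0 ogid=50 nametype=PARENT
type=PATH msg=audit(1484553660.202:302): item=1 name="/srv/phi/exports/patients.csv" inode=141 dev=08:01 mode=0100640 ouid=0 ogid=50 nametype=NORMAL
type=SYSCALL msg=audit(1484553720.303:303): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=4000 pid=4012 auid=1003 uid=1003 gid=1003 euid=1003 ses=6 comm="cat" exe="/usr/bin/cat" key="phi-share"
type=PATH msg=audit(1484553720.303:303): item=0 name="/srv/phi/exports/patients.csv" inode=141 dev=08:01 mode=0100640 ouid=0 ogid=50 nametype=NORMAL
type=SYSCALL msg=audit(1484553780.404:304): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2100 pid=2190 auid=1001 uid=1001 gid=1001 euid=1001 ses=4 comm="vim" exe="/usr/bin/vim" key="etc-config"
type=PATH msg=audit(1484553780.404:304): item=0 name="/etc/hosts" inode=22 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_records(text):
    """Return (type, serial, epoch_seconds, fields) for every well-formed audit line."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # blank line or something that is not an audit record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        records.append((m.group("type"), int(m.group("serial")), float(m.group("ts")), fields))
    return records


def access_events(text, key=AUDIT_KEY):
    """Join each SYSCALL record tagged with `key` to the PATH records of the same event."""
    by_serial = defaultdict(lambda: {"syscall": None, "paths": [], "ts": 0.0})
    for rtype, serial, ts, fields in parse_records(text):
        entry = by_serial[serial]
        entry["ts"] = ts
        if rtype == "SYSCALL":
            entry["syscall"] = fields
        elif rtype == "PATH":
            entry["paths"].append(fields)
    events = []
    for serial in sorted(by_serial):
        entry = by_serial[serial]
        sc = entry["syscall"]
        if sc is None or sc.get("key") != key:
            continue  # a different rule, or PATH records whose SYSCALL line is missing
        # PARENT items are the directory lookup; the other items name the file itself
        files = [p["name"] for p in entry["paths"] if p.get("nametype") != "PARENT"]
        auid, uid = int(sc.get("auid", -1)), int(sc.get("uid", -1))
        exe, ok = sc.get("exe", "?"), sc.get("success") == "yes"
        flags = []
        if auid != uid:
            flags.append("privilege change (auid != uid)")  # sudo/su after login
        if exe not in EXPECTED_PROGRAMS:
            flags.append("unexpected program")
        if not ok:
            flags.append("denied")  # permissions held, but someone tried anyway
        events.append({
            "serial": serial,
            "time": datetime.fromtimestamp(entry["ts"], tz=timezone.utc).isoformat(),
            "user": LOGIN_NAMES.get(auid, f"auid:{auid}"),  # auid survives sudo, uid does not
            "effective_uid": uid, "program": exe, "files": files,
            "succeeded": ok, "flags": flags,
        })
    return events


def flagged(events):
    """Only the events a reviewer should look at."""
    return [e for e in events if e["flags"]]


def report(events):
    """One human-readable line per event; '!!' marks flagged ones."""
    return [f"{'!!' if e['flags'] else '  '} {e['time']} {e['user']:<10} {e['program']:<18} "
            f"{', '.join(e['files'])}" + (f"  [{'; '.join(e['flags'])}]" if e["flags"] else "")
            for e in events]


if __name__ == "__main__":
    print("\n".join(report(access_events(SAMPLE_LOG))))
```

Running it prints three lines for the `phi-share` key: the spreadsheet opened by a named user from an expected program, the root-level `tar` of an export file by a user whose login UID differs from the effective UID (both flagged), and a denied read that still deserves a look. The `/etc/hosts` event is dropped because it belongs to another rule. On a Windows file server the same join is done against the Object Access events (event ID 4663) that a SACL on the share folder produces, which carry the same subject, object name and process fields.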

Remember…

• The time is now; do not wait for a crisis to set up a plan

• Use third-party resources; they are objective

• Take it slow and act rationally

• Risk assessments are a key part of HIPAA and should encompass not only technology but business processes as well

• The PHI you protect is probably YOUR OWN DATA

Questions

Use the chat feature to ask your questions

Or email [email protected]

EMAIL: [email protected]

[email protected]

WEB: anitian.com

BLOG: blog.anitian.com

SLIDES: http://bit.ly/anitian

CALL: 888-ANITIAN

THANK YOU