TRANSCRIPT
HIPAA Cybersecurity Best Practices
“Cybersecurity is a Journey…not a Destination”
● Physicians who apply cybersecurity best practices have peace of mind.
● We can help you sleep at night.
What Happens?
Not following cybersecurity best practices could lead to:
- Data loss (resulting in re-work)
- Downtime
- Loss of business
- Fines
- Reputation damage
In the News
Advocate Health slapped with lawsuit after massive data breach: Advocate "flagrantly disregarded" privacy of 4 million patients, lawsuit says…
Advocate Health Care to Pay $5.5M in HIPAA Penalties: It is the largest fine for a single entity, stemming from three separate breaches of the electronic health records of more than 4 million patients…
Advocate data breach highlights lack of encryption, a widespread issue
Cyber Findings
• Risk Based Security mid-year 2018 Data Breach QuickView Report-2,308 publicly disclosed data compromise events through June 30th (2.6 billion records YTD 2018; 6 billion, 1st half 2017)*
• Approximately 1 million pieces of known malware (computer viruses or malicious software) are released every day
Ponemon 2017 Cost of Data Breach Study: Global Analysis
• $3.62 million is the average total cost of a data breach
• $141 is the average cost per lost or stolen record (healthcare $380)
• 59% of all breaches caused by malicious or criminal attacks
Ponemon 2017 Cost of Data Breach Study: United States
• $7.35 million is the average total cost of a data breach
• $225 is the average cost per lost or stolen record
• $380 (Healthcare) is the average cost per lost or stolen record
• 52% of incidents involved malicious or criminal attacks
• Notification costs average $0.69 million
• Post data breach costs (not including notification costs) average $1.56 million
*Source: [email protected] on behalf of Inga Goddijn, EVA at RSA 8/16/2018
Know the Law
Let’s distill HIPAA law into what you need to know and care about.
HIPAA Security Rule In Brief
Take all reasonable measures to protect against risks to the integrity, availability and confidentiality of PHI in all forms, physical or digital.
○ Someone needs to take responsibility and charge.
○ Regular formal risk assessments need to be conducted to define “risks”, and “reasonable measures”.
○ Reasonable controls must be planned and implemented to reduce these risks (Anti-virus, Firewalls, Web Proxy, DLP, etc... )
○ Encryption, access control and access audit should be used to control access to information in accordance with the principle of least privilege.
Protected Health Information (PHI)*
HIPAA, HHS/OCR regulations define health information as “any information, whether oral or recorded in any form or medium” that:
a) “is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse” (Medical Info. Bureau-Quincy) and
b) “relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.”
PHI is the most valuable data to steal: unlike a card number it cannot be reissued, so it never dies, and it commands the highest black-market price, $100+ per record.
It can be used to:
- Obtain medical treatment (you pay for it)
- Obtain prescription drugs (for personal use or to sell on the street)
- Co-mingle health information with the victim’s record, leading to misdiagnosis or death
- Obtain mortgages, credit, or other types of loans
*Source: Identity Theft Resource Center Data Breach Report 2009
Personally Identifiable Information (PII)*
PII, as used in information security and data privacy laws, refers to information that can be used to uniquely identify, contact, or locate a single person, or can be used with other sources to uniquely identify a single individual. The types of information normally associated with PII include (at least three of the following combined):
a) Name and Address (NAA)
b) Date of Birth (DOB) (not confidential in MA)
c) Social Security Number (SSN)
d) Credit Card Number
e) Account Number/PIN or other Financial Account Information
f) Emails
g) Telephone numbers
Confidential Business Customer Data
1. Trade secret information
2. Confidential financial data (business customers)
3. Other non-public confidential data of business customers
i. employee personal data (benefit providers, 401k info. and other Plan info.)
ii. payroll data (Example-ADP or other payroll service providers)
iii. billing information (medical billing services, utility companies)
4. Any customer confidential business data subject to a signed Non-Disclosure Agreement (NDA)
5. Intellectual property-i.e. manufacturing processes; marketing strategies
Massachusetts Data Breach/Security Laws**
Three laws and regulations:
1. G.L. c. 93H, Data Breach Notice Law: requires notification of state agencies and affected individuals of a data breach
2. 201 CMR 17.00, Standards for the Protection of Personal Information (PI) of Residents of the Commonwealth of Massachusetts
3. G.L. c. 93I, Data Destruction Law: establishes minimum requirements for securely destroying or deleting Personal Identifiable Information of MA residents
ENFORCEMENT OF THE MASSACHUSETTS DATA BREACH/SECURITY LAWS IS BY THE CONSUMER PROTECTION DIVISION OF THE ATTORNEY GENERAL'S OFFICE
PERSONAL IDENTIFIABLE INFORMATION (ELECTRONIC OR PAPER FORM)
Defined as the first name or initial and last name of a MA resident plus one or more of the following:
1. SSN
2. Driver's license number or other state-issued identification card or number; and/or
3. Financial account number or a debit/credit card number (with or without a security code)
Information legally obtained from publicly available sources is not considered
confidential Personal Identifiable Information
Massachusetts Data Breach/Security Laws**
G.L.c. 93H- Data Breach Notification Law
1. Breach of Security: unauthorized acquisition of or use of confidential data, whether unencrypted or encrypted with the decryption key, that can possibly compromise the security, confidentiality or integrity of the PI held by the entity and creates a risk of ID theft
2. ID Theft/Fraud: the PI was used or acquired by an unauthorized party for an unauthorized purpose (credit cards, loans)
Who Must Be Notified:
1. Attorney General's Office
2. Office of Consumer Affairs and Business Regulation
3. Each affected MA resident
4. Owner or licensor of the PI (must be notified by the 3rd party vendor or out-sourced vendor)
**THE OWNER OR LICENSOR OF THE PI IS THE REQUIRED PARTY THAT NEEDS TO NOTIFY
Notice to the Attorney General's Office or Office of Consumer Affairs & Business Regulation must include
the following:
1. Nature of the breach
2. Number of residents affected
3. Steps entity has/will take relating to the breach
4. Include a sample copy of the consumer notice
What must the Notice to MA residents disclose:
1. Individual's right to obtain a police report
2. How an individual can request a security freeze
3. Information an individual needs to provide to request a security freeze
4. Complete disclosure of fees for placing, lifting or removing a security freeze
Massachusetts Data Breach/Security Laws**
The Notice cannot disclose:
1. The nature of the breach, unauthorized access or use
2. Number of individuals affected
What is the timing of the Notice?
1. "as soon as reasonably practicable and without unreasonable delay" when the entity
"knows or has reason to know" of the breach
2. The Notice may be delayed "if a law enforcement agency determines that provision of
such notice may impede a criminal investigation and has notified the attorney general in
writing thereof and informs the entity of such determination"
Information and sample notices can be found at:
http://www.mass.gov/ago/consumer-resources/consumer-information/scams-and-identity-theft/security-breaches.html
Massachusetts Data Breach/Security Laws**
201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts
Key Requirements:
1. Develop, implement, maintain and monitor a comprehensive Written Information Security Program (WISP) establishing safeguards against a data breach
2. Maintain minimum computer security systems such as password management protocols, firewalls, updated virus definitions and patches
3. Encrypt all records containing PI transmitted across public networks or wirelessly, or stored on laptops or other portable devices
4. Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality and integrity of PI in any physical form
5. Monitor service providers and require them by written contract to implement and maintain safeguards to protect and secure PI; you warrant to the State that your service providers meet the MA privacy law requirements
G.L. c. 93I, Data Disposal and Destruction Law
Minimum Requirements:
1. Paper records are to be burned, redacted, pulverized or shredded so the PI cannot be read or reconstructed
2. Electronic records and other non-paper media shall be destroyed or erased so the PI cannot be read or reconstructed
Massachusetts Data Breach/Security Laws**
PENALTIES FOR VIOLATING MA DATA BREACH NOTICE LAW/SECURITY
REGULATIONS
1. Civil penalties of $5,000 per violation
2. Restitution to harmed individuals
PENALTIES FOR VIOLATING DATA DESTRUCTION AND DISPOSAL LAW
1. Civil fine of up to $100 per data subject affected
2. Up to $50,000 for each instance of improper disposal
**Overview of Massachusetts Data Breach/Security Laws, Tom Ralph, Asst. AG, Cyber Crime
Division, Office of MA AG Maura Healey
Good news… we can help.
Let’s go over best practices and then talk about some
solutions.
Need Help?
Pick a Security Framework
Cybersecurity frameworks help you assess and improve your ability to prevent, detect, and respond to cyber attacks.
Where am I vulnerable?
HIPAA requires a risk assessment. §164.308(a)(1)(ii)(A) Risk analysis (Required): “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
Social Engineering Fraud
a) Hackers are motivated by greed, anger, and opportunity.
b) They want your money or your destruction; basically "cold hard cash".
c) They rely on the weakest link in your organization, your employees, and take advantage of human qualities to serve the attacker’s purpose.
d) Hackers try to get an employee to think they are a customer, senior management or a vendor.
e) They gain access to your system through a phishing attack via email containing embedded malware, a Trojan Horse, or Spyware.
f) Their goal is to get funds transferred out of the country to places like China, Russia, Nigeria, etc.
g) They are experts at setting up false domain names and email addresses that look like a customer's, vendor's or senior management's email.
h) They use social media to unleash their fraud:
i. spoof senior management
ii. through social media accounts, Outlook calendars and emails they know the comings and goings of senior management (this is sometimes called business email compromise)
iii. send email to an unsuspecting employee posing as an executive of the company requesting funds to be transferred right away for a secret business deal; the email looks legitimate and the funds are transferred, never to be seen again
i) Every organization is a target regardless of size or industry.
j) Federal law enforcement is overwhelmed by these crimes and cannot keep up (1300% increase since 1/2015).
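Points g) and h) above describe the two mechanics a mail gateway or SOC rule can actually check: a sender domain that is one or two characters away from a domain you trust, and a display name that matches an executive but arrives from a domain you do not own. The following is an added example, not code from the original slides or from Datasmith; the trusted domains, executive names and sample From: headers are constructed for illustration.

```python
"""Flag lookalike sender domains and display-name spoofing (BEC).

Added example, not from the original slides. The trusted domains, executive
names and sample From: headers below are constructed for illustration.
"""
import re
import unicodedata

TRUSTED_DOMAINS = {"examplehealth.org", "acme-billing.com"}   # assumed: yours + known vendors
EXECUTIVES = {"jane doe", "paul smith"}                       # assumed: names attackers spoof

# Digits commonly substituted for letters in typosquatted domains.
_DIGIT_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain):
    """Fold a domain to a canonical form so near-duplicates compare equal."""
    d = unicodedata.normalize("NFKC", domain).strip().lower().rstrip(".")
    return d.translate(_DIGIT_FOLD).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance; 1 or 2 means a single inserted, dropped or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(header):
    """Return (display_name, domain) from a From: header value."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<?([^<>\s]+@([^<>\s]+))>?\s*$', header)
    if not m:
        return "", ""
    return m.group(1).strip().lower(), m.group(3).lower().rstrip(".")


def classify_sender(header, trusted=TRUSTED_DOMAINS, execs=EXECUTIVES):
    """Classify one From: header: trusted, lookalike:<domain>, spoofed-name or external."""
    name, dom = parse_from(header)
    if not dom:
        return "unparseable"
    # Exact match or a genuine subdomain of something we own.
    if dom in trusted or any(dom.endswith("." + t) for t in trusted):
        return "trusted"
    norm = normalize(dom)
    for t in trusted:
        tn = normalize(t)
        label = tn.split(".")[0]
        # Close edit distance, our domain used as a prefix (acme-billing.com.evil.net),
        # or our brand label embedded in an unrelated registration.
        if levenshtein(norm, tn) <= 2 or norm.startswith(tn + ".") or label in norm:
            return "lookalike:" + t
    # Right name, wrong domain: the classic "CEO on a personal account" wire request.
    if name in execs:
        return "spoofed-name"
    return "external"


if __name__ == "__main__":
    for hdr in ("Jane Doe <jane.doe@examplehealth.org>",
                "Paul Smith <psmith@examp1ehealth.org>",
                '"Paul Smith" <paul.smith.ceo@gmail.com>',
                "Accounts Payable <ap@acme-billing.com.invoice-portal.net>"):
        print(classify_sender(hdr), "<-", hdr)
```

A "lookalike" or "spoofed-name" verdict is the point at which the wire-transfer request in h)iii should be routed to a human for out-of-band confirmation rather than delivered; the distance threshold and the executive list are the two knobs you tune after running it in monitor mode against a week of real mail.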
I’m Cloud Based…I Should Be Safe
Third party vendor management for business associates
If you’re a Covered Entity, chances are you have BAAs in place with one or more companies. But do you have a policy and set of procedures for vetting business associates?
BYOD – Prudent Steps
Prudent steps employers can take to reduce the risk of a breach through BYOD practices:
1. Have written policies in place governing the types and use of personal devices for business purposes and require every employee to sign off and accept these policies.
2. Written policies should clearly state what these devices can access, store and transmit.
3. If remote access is allowed it should only be through a VPN or other comparable secure network. VPN means Virtual Private Network (across public network or internet)
4. Require devices to be encrypted at all times and subject to random spot checks to confirm encryption software is in place and utilized.
5. Require an employee to report a stolen or lost device to company immediately
6. Policy in place to retrieve information from employee’s device upon termination
7. Ensure corporate data is backed-up in corporation’s network
8. Identify and segregate your corporate “trade secret” information/data, in other words, your “crown jewels”, and limit access to this data
MOST PRUDENT STEP:
Your rules should be carved in stone as you ultimately bear the responsibility
for the actions of your employees. By not establishing and enforcing written
guidelines you run a great risk of loss of customers, revenues, reputational harm
and possible ensuing litigation.
Internet of Things
What does the Internet of Things (IoT) mean?
Devices connected to the Internet for the purpose of information transfer and process automation- real time IoT networks
Examples:
1. Manufacturing & automation systems
2. Heating and air conditioning-remote access
3. Industrial robotics
4. Family car using on-board computers to regulate speed, operate rear-view cameras and "blind spot" alarms,
parallel park and even tint windows, environmental sensing, manufacturing, urban planning and health
monitoring
5. Critical connected healthcare solutions and devices-pacemakers
It is estimated there will be 20.4 billion devices connected via the internet by 2020*
It is estimated every workplace has approximately 16,000 IoT devices connected to its network*
Potential Problems
1. Developers are building interactivity and data storage into hundreds of common products without any security whatever in mind; security must be implemented at the design stage
2. Devices are not being developed to common standards
3. They increase the vulnerability of a system by creating more avenues for hackers to exploit
4. Hackers are becoming more familiar with how IoT devices work
*Source: [email protected] on behalf of Audrey McNeil-May 15, 2018
Know Your Controls
HIPAA Security Rule Standards
Administrative: deals with the workforce
Technical: deals with IT “stuff” like encryption and unique user identification
Physical: deals with facilities, workstations, and media
Passwords Are Not Everything
§164.308(a)(5)(ii)(D) Password management (addressable): “Procedures for creating, changing, and safeguarding passwords.” Addressable does not mean optional: you either implement the specification or document why an alternative safeguard is equivalent.
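The "creating" and "changing" procedures in that specification are where most programs fall down: they enforce complexity rules and forget to check that the new password is not already in an attacker's wordlist or simply the last password again. The following is an added example, not the slides' or any vendor's code, of what a creation/change check looks like in practice; the breached-password corpus is a constructed stand-in (four well-known weak passwords) indexed by SHA-1 prefix the way a k-anonymity range lookup is, so a real deployment can swap in a downloaded range file without changing the logic, and MIN_LENGTH and the PBKDF2 round count are assumed policy values.

```python
"""Password-management checks: length, username, reuse, breached-password screening.

Added example, not the slides' code. The breach corpus is constructed; the
k-anonymity layout (5-hex-char prefix -> set of 35-hex-char suffixes) means
only the prefix would ever need to leave the host in a real lookup.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 12            # assumed policy value; NIST SP 800-63B's floor is 8
PBKDF2_ROUNDS = 100_000    # assumed; tune so one check costs ~100 ms on your hardware

# Constructed breach corpus: {sha1_prefix: {sha1_suffix, ...}}
BREACH_RANGES = {}
for _weak in ("password", "Password1", "Welcome123", "letmein"):
    _digest = hashlib.sha1(_weak.encode("utf-8")).hexdigest().upper()
    BREACH_RANGES.setdefault(_digest[:5], set()).add(_digest[5:])


def sha1_prefix_suffix(password):
    """Split SHA-1(password) into the 5-char range key and the 35-char remainder."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def is_breached(password, ranges=BREACH_RANGES):
    """True if the password's SHA-1 suffix appears in its prefix range."""
    prefix, suffix = sha1_prefix_suffix(password)
    return suffix in ranges.get(prefix, ())


def hash_for_history(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 digest to keep in the user's password history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password, username="", history=()):
    """Return the list of policy violations; an empty list means the password is acceptable.

    history is an iterable of (salt, digest) pairs produced by hash_for_history.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if is_breached(password):
        problems.append("appears in a breached-password list")
    for salt, old_digest in history:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, old_digest):   # constant-time compare
            problems.append("reuses a previous password")
            break
    return problems


if __name__ == "__main__":
    salt, digest = hash_for_history("Tr0ub4dor&3-Winter2024")
    print(check_password("Welcome123", username="psmith"))
    print(check_password("Tr0ub4dor&3-Winter2024", history=[(salt, digest)]))
```

Note what is deliberately absent: no forced character classes and no calendar-driven expiry. Length, breach screening and reuse detection are the checks that change outcomes; a rotation schedule belongs to the "changing" procedure only as a response to evidence of compromise.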
Protection Tools
Data Loss Prevention (DLP) for Covered
Entities and Business Associates
While DLP isn’t strictly required, protection of
ePHI is… so DLP should at least be considered.
• Endpoint, web, and email
• Data classification (what and where is ePHI?)
• Create simple policy rules in monitor-only
mode
• Tweak the policy rules.
• Deploy to a subset of users
• Go from monitoring to actively blocking
• Expand to other departments
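The rollout above (classify, write rules in monitor-only mode, tune, then block) is easier to reason about with a concrete rule set in front of you. The following is an added example, not code from the slides or from any DLP product: a minimal content-inspection rule for outbound mail that recognises the identifier classes which together make a message ePHI, runs in either monitor or block mode, and masks the identifiers before they reach its own log. The identifier patterns, the MRN format, the internal domain and the two sample messages are constructed; a production DLP adds document fingerprinting, OCR and context scoring, but the monitor-then-block workflow is the same.

```python
"""Content-inspection rule for ePHI in outbound mail, in monitor or block mode.

Added example, not from the slides or any vendor. Patterns, MRN format,
internal domain and sample messages are constructed for illustration.
"""
import re

# Identifier classes that, in combination, make a message ePHI.
DETECTORS = {
    # SSN with structural checks: area not 000/666/9xx, group not 00, serial not 0000
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)(\d{4})\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*(\d{6,10})\b", re.I),            # assumed MRN format
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
    "diagnosis": re.compile(r"\b(?:ICD-?10|diagnosis|dx)\b[:\s]*[A-TV-Z]\d{2}(?:\.\d{1,4})?\b", re.I),
}


def scan(text):
    """Return {identifier_class: count} for every class found in the text."""
    found = {}
    for name, rx in DETECTORS.items():
        hits = rx.findall(text)
        if hits:
            found[name] = len(hits)
    return found


def is_ephi(matches):
    """An SSN alone, or any two identifier classes together, counts as ePHI."""
    return "ssn" in matches or len(matches) >= 2


def redact(text):
    """Mask SSNs to their last four digits before writing anything to a DLP log."""
    return DETECTORS["ssn"].sub(lambda m: "***-**-" + m.group(1), text)


def evaluate(body, recipient, mode="monitor", internal_domains=("examplehealth.org",)):
    """Decide allow / log / block for one message under the given policy mode."""
    matches = scan(body)
    dest_domain = recipient.rsplit("@", 1)[-1].lower()
    if not is_ephi(matches) or dest_domain in internal_domains:
        return {"action": "allow", "matches": matches}
    action = "block" if mode == "block" else "log"
    # The log excerpt is redacted so the DLP audit trail is not itself an ePHI store.
    return {"action": action, "matches": matches, "excerpt": redact(body)[:80]}


# Constructed sample messages (no real patient data)
PHI_MESSAGE = ("Patient John Q. Public, MRN: 00482193, DOB: 04/12/1961, SSN 123-45-6789, "
               "dx: E11.9. Please forward the full chart to the billing partner.")
BENIGN_MESSAGE = "Please review the attached Q3 budget. Call me at 617-555-0100."

if __name__ == "__main__":
    print(evaluate(PHI_MESSAGE, "ap@outside-partner.net"))                 # monitor: log
    print(evaluate(PHI_MESSAGE, "ap@outside-partner.net", mode="block"))   # block
    print(evaluate(BENIGN_MESSAGE, "ap@outside-partner.net"))              # allow
```

The phone number in the benign message is the kind of near-miss that a naive `\d{3}-\d{2}-\d{4}` rule trips over; running in monitor mode for a few weeks is how you find the other near-misses in your own traffic before anyone's invoice gets blocked.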
Safeguard Outside the Office
How to store HIPAA data
§164.312(a)(2)(iv) Encryption and decryption (addressable): “Implement a mechanism to encrypt and decrypt electronic protected health information.” In practice this means full-disk encryption on every laptop and portable drive that leaves the office. Under HHS guidance, properly encrypted ePHI on a lost or stolen device is not “unsecured PHI” (provided the key was not on the device), so the loss is not a reportable breach.
Knowledge is Key
§164.308(a)(5)(i) Security awareness and training: “Implement a security awareness and training program for all members of its workforce (including management).”
Business Continuity and Disaster Recovery
§164.308(a)(7)(ii)(A) Data backup plan: “Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”
§164.308(a)(7)(ii)(B) Disaster recovery plan: “Establish (and implement as needed) procedures to restore any loss of data.”
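“Retrievable exact copies” is a testable claim, and a backup job that completes without error does not test it. The following is an added example, not the slides’ or any product’s code, of the two procedures that do: write a SHA-256 manifest beside each backup, then restore into a scratch location and diff it against the manifest, so silent corruption and a missing file show up before you need the restore for real. It uses only the standard library; the “ePHI export” files are constructed in a temporary directory so the drill runs offline.

```python
"""Prove a backup is a retrievable exact copy: hash manifest plus a restore drill.

Added example, not from the slides; standard library only. The sample export
files are constructed in a temporary directory.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_sha256(path):
    """Stream a file through SHA-256 so large exports need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src, dest):
    """Copy src into dest/data and write the manifest beside the copy, not inside it."""
    dest = Path(dest)
    shutil.copytree(src, dest / "data")
    manifest = build_manifest(dest / "data")
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return dest


def verify_restore(backup_dir, restore_to):
    """Restore the copy and diff it against the manifest; return discrepancies ([] = exact)."""
    backup_dir = Path(backup_dir)
    expected = json.loads((backup_dir / "manifest.json").read_text())
    shutil.copytree(backup_dir / "data", restore_to)
    actual = build_manifest(restore_to)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append("missing: " + rel)
        elif actual[rel] != digest:
            problems.append("corrupt: " + rel)
    for rel in sorted(set(actual) - set(expected)):
        problems.append("unexpected: " + rel)
    return problems


def drill():
    """Run one clean restore and one against a damaged backup; return both result lists."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "ephi_export"
        (src / "notes").mkdir(parents=True)
        (src / "patients.csv").write_text("id,name\n1,constructed sample\n")
        (src / "notes" / "visit1.txt").write_text("constructed clinical note\n")
        bk = backup(src, tmp / "backup")
        clean = verify_restore(bk, tmp / "restore_ok")
        # Simulate silent corruption and a lost file on the backup media.
        (bk / "data" / "patients.csv").write_text("id,name\n1,altered\n")
        (bk / "data" / "notes" / "visit1.txt").unlink()
        damaged = verify_restore(bk, tmp / "restore_damaged")
        return clean, damaged


if __name__ == "__main__":
    print(drill())
```

Two details carry over unchanged to a real environment: the manifest lives outside the data it describes (so media that rots does not also rot the evidence), and the restore target is a scratch location, never the production path, so the drill itself cannot become the outage.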
Sanction Policy
HIPAA requires a sanction policy
§164.308(a)(1)(ii)(C) Sanction policy (Required): “Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.”
Example Sanction Clause:
I understand that violations of the information security policies
and standards may lead to:
• Disciplinary Action
• Termination
• Removal from Projects
• Criminal Penalties
I have been breached….Now What?
HIPAA Breach Notification Rule, §§164.400-414
What do I do if I learn of or suspect a breach?
1. Determine the nature and extent of the PHI involved (which identifiers, and how likely re-identification is).
2. Determine whether the PHI was actually acquired or viewed. These are two of the four risk-assessment factors; a breach is presumed unless the assessment shows a low probability that the PHI was compromised. Properly encrypted ePHI (for example on a lost laptop whose key was not with it) is not “unsecured PHI” and is not reportable.
3. Notify affected individuals without unreasonable delay and no later than 60 days after discovery.
4. Notify HHS if the breach involves 500 or more individuals (at the same time as the individual notices; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year), and notify prominent media outlets if it involves more than 500 residents of a state or jurisdiction.
What could this cost me?
HIPAA Omnibus Final Rule - Violations

Violation category                Each violation        Total CMP for violations of an identical provision in a calendar year
Unknowing                         $100 – $50,000        $1,500,000
Reasonable cause                  $1,000 – $50,000      $1,500,000
Willful neglect – corrected       $10,000 – $50,000     $1,500,000
Willful neglect – not corrected   At least $50,000      $1,500,000
Steps You Can Take To Minimize Your Exposure To A Data Breach
START HERE:
10 Common Sense Steps:
1. Know where your data is, map it and know who has access to it
2. Identify your information asset-client lists, client/customer data, business strategies, marketing
information-rank from high to low
3. Have an automated back-up process that occurs every day
4. Perform due diligence on all out-sourced/3rd party vendors who store or service your data; be sure they have strong security protections and protocols in place equal to or greater than yours
5. Implement a strong password management program (the original recommendation here was to change passwords every 45-60 days; NIST SP 800-63B has since advised against forced periodic rotation in favour of length, screening against breached-password lists and two-factor authentication, with rotation on evidence of compromise)
6. Limit remote access to your system-Examples: supply chain vendors or other service providers
(Target/HVAC contractor)
7. Maintain a strong firewall-upgrade when necessary or prompted
8. Perform comprehensive background checks on ALL potential hires
9. Employ and enforce a "clean-desk" policy. Secure all "non-electronic" confidential/sensitive
information in locked containers, locked file cabinets or locked rooms with restricted access
10. Encrypt data at rest on servers
Steps You Can Take To Minimize Your Exposure To A Data Breach
NEXT STEPS:
1. Have a system vulnerability assessment done by a qualified outside 3rd party firm
2. Have a Breach Incident Response Plan-internally who is point, privacy attorney, forensic expert,
notification firm, public relations firm-test it at the very least on an annual basis
3. Have a Disaster Recovery Plan-you've had breach-how and when do you get back to operational status
4. Have a written Network Security Plan, Client Notification Plan and Internet Usage Plan
5. Employ anti-virus software on ALL devices/continuously update
6. Install intrusion detection/protection software on all devices and test it regularly
7. Encrypt all hard drives, servers, back-up tapes and portable devices
8. Employ two-factor authentication
9. Employ and enforce continuous employee training in the handling of confidential data-key risk
management
10. Conduct regular scans of your network
11. If you have a POS system ensure it complies with PCI/Data Security Standards (PCI/DSS)
12. Ensure all credit card data is encrypted
13. Separate encrypted data from user data on your network
14. Before disposal, wipe data from all hardware when it is replaced
15. Never have a "universal passcode" for all employees to use to access data
16. Install scanners and filters for email attachments
17. Install remote lock or kill software to shut down all mobile devices that are lost or
stolen and have protected information
Steps You Can Take To Minimize Your Exposure To A Data Breach
NEXT STEPS CONTINUED:
18. Purge online records or decades-old records of former customers if not needed or not legally required to retain
19. Do not allow 3rd party storage devices to be installed on any employee work station
20. Coordinate data breach responses with your HR Department
21. Employ and enforce a duty for all employees to report a potential security incident and cooperate in any investigations
As per former FBI Director James Comey:
"There are only two kinds of companies left in the world-those that have been hacked
and those that don't know they've been hacked. No one is safe. Unfortunately, there is
no simple fix-it app for that - not even adequate insurance."
Questions?
THANK YOU
Contact Info:
Paul Smith, President
Datasmith Network Solutions
17-2 West Street
Walpole, MA 02081