1 The American Hospital Association s Center for Healthcare Governance 2015 Fall Symposium Adopting a Cybersecurity Framework for Governance and Risk Management Jim Giordano Vice Chairman & Chair of Finance Committee Ascension Health - Michigan Market Board President and CEO CareTech Solutions Jeff Bell CISSP, GSLC, CPHIMS, ACHE Manager, Cybersecurity and Privacy PwC 1
2 Disclosure Please note that the views expressed by the conference speakers do not necessarily reflect the views of the American Hospital Association, the Center for Healthcare Governance, or PricewaterhouseCoopers LLP. Presentation includes partial content from Cybersecurity: What the Board of Directors Needs to Ask, IIARF Research Report, The Institute of Internal Auditors Research Foundation: Permission has been obtained from the copyright holder, The Institute of Internal Auditors Research Foundation to publish this reproduction, which is the same in all material respects, as the original unless approved as changed. No parts of this document may be reproduced, stored in any retrieval system, or transmitted in any form, or by any means electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of IIARF. 2
3 Learning Objectives 1. Identify current healthcare privacy and cybersecurity threats and risks 2. Assess the readiness of healthcare providers, business associates, leadership and trustees to respond to current cybersecurity threats 3. Explain the role of the board in managing cybersecurity risks in the context of enterprise risk management 4. Explain the value of a cybersecurity framework for healthcare and hospital governance and enterprise risk management 3
4 Why is Cybersecurity a Board Oversite Issue? Financial / reputational loss at a level relevant to the Board s fiduciary responsibility to sustain corporate mission Data breach laws make response costly / fines Class-action lawsuits are costly Consideration of cyber liability insurance Cybersecurity incidents disrupt operations Attackers include nation-states and organized crime targeting theft of trade secrets and economic sabotage Risks of disruption of industrial controls (smart buildings) Threat to medical devices 4 US cybersecurity: Progress stalled, Key findings from the 2015 US State of Cybercrime Survey, PwC, July 2015
5 How Boards Participate in Security Data from The Global State of Information Security Survey % 36% 32% 25% Overall security strategy Security budget Security policies Review of security & privacy risks 24% 18% 15% Security technologies Review roles & responsibilities of security organization Review of security & privacy testing 5 The Global State of Information Security Survey 2015, PwC
6 2015: The Rise of Criminal Attacks on Healthcare Data for the first time, criminal attacks are the number-one cause of healthcare data breaches. Criminal attacks on healthcare organizations are up 125% compared to 5 years ago. In fact, 45% of healthcare organizations say the root cause of the data breach was a criminal attack, and 12% say it was due to a malicious insider. 6 Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, Sponsored by ID Experts Independently conducted by Ponemon Institute LLC, May 2015
7 Healthcare Data Breaches Are Costly 90% had a data breach in the past 2 years, 40% had more than 5 Average economic impact due to data breaches is 2.1 million dollars / healthcare organization and 1 million dollars / business associate organizations over 2 years Criminal attacks are now the #1 cause of data breaches 56% of healthcare organizations and 59% of business associates don t believe their incident response process has adequate funding and resources 7
8 Healthcare Data Breaches Are Costly Data breaches in healthcare are the most expensive to remediate In the U.S. healthcare industry, the average cost was $398 per record Average cost across all industries: $154 per record 8
9 FBI Cyber Division: Private Industry Notification Cyber actors will likely increase cyber intrusions again health care systems to include medical devices due to Mandatory transition from paper to electronic health records (EHR) Lax cybersecurity standards A higher financial payout for medical records in the black market The healthcare industry is not technically prepared to combat cybercriminals basic cyber intrusion tactics, techniques and procedures (TTPs), much less against more advanced persistent threats (APTs) 9
10 Healthcare Cybersecurity Risks: Cybercrime & Hacking Until the recently, cybercriminals didn't have healthcare data in their sight. Now healthcare data is considered a top criminal target by the FBI % of breaches identified in 2014 were in the medical/healthcare industry. Leading cause: Hacking incidents. 3 Cybercrime is a clear, present, and permanent danger. While it s a permanent condition, however, the actors, threats, and techniques are very dynamic. Tom Ridge CEO of Ridge Global 1 st Secretary of the US Department of Homeland Security US cybercrime: Rising risks, reduced readiness - Key findings from the 2014 US State of Cybercrime Survey, PwC 2 James Trainor, deputy assistant director of the FBI, Cyber Division (speaking at HIMSS15, April 2015) 3 Identity Theft Resource Center:
11 What Makes Healthcare Data So Valuable to Cybercriminals? Healthcare records are a rich set of data: Financial, medical, family, and personal data Healthcare data can be used to: Obtain healthcare services Obtain drugs or medical devices Insurance fraud Financial fraud (open financial accounts) A healthcare record can be worth $50 to $1,000 Credit card data typically sells for $1 each Healthcare fraud detection is poor 11 Managing cyber risks in an interconnected world, Key findings from The Global State of Information Security Survey 2015, PwC
12 Healthcare Cybersecurity Risks: Medical Identity Theft More than 2.3 million Americans have been victims How victims learn of the crime: Hospital invoice Collection letter Insurance statement Errors in health record Credit report Difficult for victims to prove the theft 65% of victims spent money to resolve: Average cost: $13,453 Incorrect medical records could jeopardize safety 12 Fifth Annual Study on Medical Identity Theft, Sponsored by the Medical Identity Fraud Alliance, Independently conducted by Ponemon Institute LLC, February 2015 Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, Sponsored by ID Experts, Independently conducted by Ponemon Institute LLC, May 2015 See also: Medical Identity Fraud Alliance:
13 Healthcare Cybersecurity Risks: Insider Threats Insiders refers to your workforce who are trusted with access to your systems They make mistakes They violate policies (snooping, shortcuts) A few have criminal intentions Huge problem in healthcare! Solutions Security awareness training Monitor / manage / discipline Access controls Data Leak Prevention User Activity Monitoring 13
14 Healthcare Cybersecurity Risks: Third Party Risks Third parties were the #2 cause of breaches in Healthcare providers need to manage third party risks Evaluate whether third parties have access to PHI Evaluate the level of risk For high-risk third parties evaluate the security program Before contracting Ongoing Contract terms to manage third party risks 14 1 Identity Theft Resource Center:
15 15 Healthcare Cybersecurity Risks: Medical Device Vulnerabilities
16 Recent Breaches & Settlement Agreements May 20, ,100,000 June 10, 2015 August 18, 2014 May 5, ,900,000 4,500,000 4,500,000 March 17, ,000,000 Breaches due to hackers Anthem is the largest healthcare data breach in US history Medical Informatics Engineering is an EMR vendor with some very large customers 16 March 15, , 800,000 patient records
17 Recent Breaches & Settlement Agreements June 14, ,000 Est. cost: $13.5M November 30, Settlement agreement: $1.7M SRMH: Stolen unencrypted USB drive Concentra: Stolen unencrypted laptop March 4, ,000 Est. cost: $6M Third-party: Transcriptionist lacked technical safeguards on server Patient records accessible on Internet 17
18 Recent Breaches & Settlement Agreements March 3, ,743 patient records Settlement agreement: $150K September 24, 2010 Settlement agreements: $3.5M NYP 6,800 $1.5M CUMC ACMHS: Due to malware, fined for unpatched / unsupported systems NYP / CUMC: Server data accessible on the Internet due to lack of technical safeguards - Server installed and managed by a physician, not an IT professional 18
19 Five Guiding Principles for the Board 1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue. 2. Directors should understand the legal implications of cyber risks as they relate to their company s specific circumstances. 3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda. 4. Directors should set the expectation that management will establish an enterprise-wide management framework with adequate staffing and budget. 5. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach. 19 Cyber-Risk Oversight Executive Summary, Director s Handbook Series 2014 Edition [National Association of Corporate Directors (NACD) in collaboration with AIG and Internet Security Alliance (ISA); Washington, DC; 2014]
20 Principle 1: Approach Not Just an IT Issue Board must assume role of fourth line of defense to protect against cyber risks within the whole organization 20 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
21 Principle 1: Approach Not Just an IT Issue Board must require an internal audit for a comprehensive report that covers all domains of cybersecurity Conducted by internal audit staff or external security program Board must monitor whether risk levels are improving or deteriorating and must evaluate the adequacy / severity of the pace of improvement / deterioration 21 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
22 Principle 2: Legal Implications Board must understand cyber risks associated with thirdparty service providers IT outsourcing Business process outsourcing Cloud solution SOC 1 and SOC 2 assurance reports performed Chain of trust Agreements with providers that cover responsibility Agreements with any downstream providers of that thirdparty provider Note: HIPAA mandates Business Associate Agreements and Business Associate Compliance, but this is not enough. 22 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
23 Principle 2: Legal Implications Understand what constitutes a data breach and what notifications are required by state and federal law HIPAA/HITECH breach notification requirements In which states does the organization conduct business? Are there states where the data breach and privacy laws may be stricter than others (e.g., Mass. and Cali. are perceived to be strict )? What constitutes a data breach in those states? What are the reporting requirements? Under some state laws, if breached data is encrypted, reporting is not required or is minimized Board should be made aware of all major data breaches and security incidents 23 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
24 Principle 2: Legal Implications Federal Breach Notification (Omnibus rule of 2013) Covered Entities must report security breaches directly to individuals Without unreasonable delay and in no case later than 60 days following the discovery If the individual cannot be contacted notice must be posted on the hospital website or notify local media Large security breaches (500 or more records) must be reported to the U.S. Department of Health and Human Services and prominent media outlets HHS will post all large breaches to their website Small breaches (under 500 records) must be reported to HHS annually 24
25 Principle 2: Legal Implications an acquisition, access, use or disclosure of [PHI] in a manner not permitted under [the HIPAA Privacy rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrate that there is a low probability that the [PHI] has been compromised based on a risk assessment of at least the four following factors: 1. Nature and extent of the PHI 2. The unauthorized person who used or received the PHI 3. Whether the PHI was actually acquired or viewed 4. The extent to which the risk to the PHI has been mitigated Safe harbor (no breach) if the data was properly encrypted or destroyed 25
26 Principle 3: Discuss with Experts Board should take time to meet with the Chief Information Security Officer (CISO) Understand key issues from CISO s perspective Discuss security strategy and current projects Identify roadblocks (e.g., budget, political agenda, arrogance) Understand data breaches occurring within the industry Verify that management has established relationships with local and national authorities Annual meetings with local FBI FBI actively involved in cybersecurity (Infragard formed in 1996) 26 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
27 Principle 4: Enterprise-Wide Management Framework Board must require management to communicate the enterprise risk management organization structure and provide staffing and budget details Enterprise risk management comprised of several risks: Operational, credit, regulatory, legal, medical errors / liability, cybersecurity Board should review security budget metrics What percentage of the total revenue is the IT budget? What percentage of the IT budget is the security budget? How many security dollars being spent per employee within the organization? Beyond corporate IT, what other departments maintain security budgets? 27 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
28 Principle 5: Avoiding & Accepting Risks Board should meet with the Chief Risk Officer (CRO) or equivalent annually to review all risks that were avoided and accepted Be aware of decisions made in the Risk Acceptance Report Board must verify that cyber insurance coverage is sufficient Ask management to provide cost per record of a data breach Understand the impact of a major data breach 28 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
29 Six Questions the Board Should Ask 1. Does the organization have a security framework? 2. What are the top risks the organization has related to cybersecurity? 3. How are employees made aware of their role relating to cybersecurity? 4. Are external and internal threats considered when planning cybersecurity activities? 5. How is security governance managed within the organization? 6. In the event of a serious breach, has management developed a robust response protocol? 29 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
30 Six Questions the Board Should Ask 1. Does the organization have a security framework? HIPAA / HITECH, HITRUST (healthcare) PCI-DSS for credit card acceptance The National Institute of Standards and Technology (NIST) Cybersecurity Framework President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in Feb ISO 27001, NIST , COBIT 30 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
31 HIPAA Requires A Risk-Based Approach to Security Protect against any reasonably anticipated threats or hazards (a) Conduct a risk analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of [ephi] held by the covered entity (a)(1)(ii)(A) Risk management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level (a)(1)(ii)(B) 31
32 National Institute of Standards & Technology (NIST) Cybersecurity Framework Identify: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy Protect: Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures Detect: Anomalies and Events, Security Continuous Monitoring, Detection Processes Respond: Response Planning, Communications, Analysis, Mitigation, Improvements Recover: Recovery Planning, Improvements, Communications 32 Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
33 NIST Cybersecurity Framework FRAMEWORK CORE Framework Core: a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. 33 Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
34 NIST Cybersecurity Framework Framework Implementation Tiers: Tiers describe the degree to which an organization s cybersecurity risk management practices exhibit the characteristics defined in the Framework. These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. Tier 1 Tier 2 Tier 3 Tier 4 Partial Risk Informed Repeatable Adaptive Risk management is ad hoc, with limited awareness of risks and no collaboration with others Risk management processes and program are in place but are not integrated enterprise-wide; collaboration is understood but organization lacks formal capabilities Formal policies for risk management processes and programs are in place enterprise-wide, with partial external collaboration Risk management processes and programs are based on lessons learned and embedded in culture, with proactive collaboration 34 Why you should adopt the NIST Cybersecurity Framework, PwC, May 2014
35 NIST Cybersecurity Framework Framework Profile: ( Profile ) represents the [security] outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a Current Profile (the as is state) with a Target Profile (the to be state). The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations. 35 Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
36 NIST Cybersecurity Framework Benefits of using the Cybersecurity Framework: Improve cybersecurity: The NIST Framework core is up to date in terms of cyber threats / risks / effective controls with an emphasis on Detect, Respond, Recover not just Protect. It is much more up to date and comprehensive than the HIPAA rule. Reduce legal exposure: This process can demonstrate due care in case of a breach and federal / state investigation or even law suit. The NIST Framework is founded on a presidential order and represents best practices. Improve collaboration and communication of security posture with executives and others 36 Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
37 Six Questions the Board Should Ask 2. What are the top risks the organization has related to cybersecurity? Potential areas of risk (examples): Bring your own device (BYOD) and smart devices Cloud computing Outsourcing critical business controls to third parties (and lack of controls around third-party services) Disaster recovery and business continuity Hacking / malware / Advanced Persistent Threats Insider risks Medical device vulnerabilities 37 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
38 Six Questions the Board Should Ask 3. How are employees made aware of their role relating to cybersecurity? Security awareness training program Review and annual test for employees Communication plan from CEO or other top executive 38 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
39 Six Questions the Board Should Ask 4. Are external and internal threats considered when planning cybersecurity activities? 39 US cybercrime: Rising risks, reduced readiness: Key findings from the 2014 US State of Cybercrime Survey, PwC Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
40 Six Questions the Board Should Ask 5. How is security governance managed within the organization? 1 st Line of Defense IT operations function Implements policies and standards Day-to-day monitoring of networks and infrastructure 2 nd Line of Defense Perform majority of governance functions related to cybersecurity Headed by CISO, who defines policies, standards, and technical configurations Ensure that IT performs monitoring, reporting, and tracking 3 rd Line of Defense Internal audit ensures that 1 st and 2 nd lines of defense are functioning as designed 40 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
41 Six Questions the Board Should Ask 6. In the event of a serious breach, has management developed a robust response protocol? Incident response program / team / skills / tools Crisis management program Crisis management team and their responsibilities 41 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
42 Board of Directors Responsibility A primary responsibility of every board of directors is to secure the future of the organization. The very survival of the organization depends on the ability of the board and management not only to cope with future events but to anticipate the impact those events will have on both the company and the industry as a whole. -Tom Horton, Directors & Boards 42
43 The American Hospital Association s Center for Healthcare Governance 2015 Fall Symposium Questions? Jim Giordano Vice Chairman & Chair of Finance Committee Ascension Health - Michigan Market Board President and CEO CareTech Solutions Jeff Bell CISSP, GSLC, CPHIMS, ACHE Manager, Cybersecurity and Privacy PwC 43
Ohio Hospital Association Centennial Annual Meeting Privacy & Security Risk Management Strategies for Healthcare Data Chris Allman, JD Director of Risk Management, Compliance & Insurance Garden City Hospital
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
Greenway Marketplace Hear from GSG Compliance & White Plume November 14, 2013 Marketplace Mission Statement To enhance the Greenway customer user experience by offering innovative, forwardthinking technologies
Data Breach and Senior Living Communities May 29, 2015 Todays Objectives: 1. Discuss Current Data Breach Trends & Issues 2. Understanding Why The Senior Living Industry May Be A Target 3. Data Breach Costs
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
Healthcare Cybersecurity Perspectives from the Michigan Healthcare Cybersecurity Council Presented by Doug Copley, Chairman Michigan Healthcare Cybersecurity Council Mr. Chairman and Committee Members,
Medical Information Breaches: Are Your Records Safe? Learning Objectives At the conclusion of this presentation the learner will be able to: Recognize the growing risk of data breaches Assess the potential
Hans Henrik Berthing, CPA, CISA, CGEIT, CRISC, CIA HANS HENRIK BERTHING Married with Louise and dad for Dagmar and Johannes CPA, CRISC, CGEIT, CISA and CIA ISO 9000 Lead Auditor Partner and owner for Verifica
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches
Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Speakers Phillip Long CEO at Business Information Solutions Art Gross President & CEO of HIPAA
Who s next after TalkTalk? Frequently Asked Questions on Cyber Risk Fraud threat to millions of TalkTalk customers TalkTalk cyber-attack: website hit by significant breach These are just two of the many
Changing Legal Landscape in Cybersecurity: Implications for Business Delaware Cyber Security Workshop September 29, 2015 William R. Denny, Esquire Potter Anderson & Corroon LLP Agenda Growing Cyber Threats
Meaningful Use and Security Risk Analysis Meeting the Measure Security in Transition Executive Summary Is your organization adopting Meaningful Use, either to gain incentive payouts or to avoid penalties?
Healthcare and IT Working Together 2013 KY HFMA Spring Institute Introduction Michael R Gilliam Over 7 Years Experience in Cyber Security BA Telecommunications Network Security CISSP, GHIC, CCFE, SnortCP,
share: TM CYBERSECURITY IN HEALTHCARE: A TIME TO ACT Why healthcare is especially vulnerable to cyberattacks, and how it can protect data and mitigate risk At a time of well-publicized incidents of cybersecurity
Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,
Managing data security and privacy risk of third-party vendors The use of third-party vendors for key business functions is here to stay. Routine sharing of critical information assets, including protected
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
Cybersecurity for Meaningful Use 2013 FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013 Healthcare Sector Vulnerable to Hackers By Robert O Harrow Jr.,
Eastern Massachusetts Compliance Network Cybersecurity Issues for Community Banks Copyright 2014 by K&L Gates LLP. All rights reserved. Sean P. Mahoney firstname.lastname@example.org K&L Gates LLP State Street
Aalborg Universitet Cyber Assurance - what should the IT auditor focus on? Berthing, Hans Henrik Aabenhus Publication date: 2014 Document Version Early version, also known as pre-print Link to publication
2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security Commissioned by ID Experts November 2009 INTRODUCTION Healthcare breaches are on the rise; according to the 2009
CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According
Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction
What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final
Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked Linda Vincent, R.N., P.I., CITRMS Vincent & Associates Founder The Identity Advocate San Pedro, California The opinions expressed
HIPAA/HITECH Privacy and Security for Long Term Care 1 John DiMaggio Chief Executive Officer, Blue Orange Compliance Cliff Mull Partner, Benesch, Healthcare Practice Group About the Presenters John DiMaggio,
The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients
THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.
Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing
2015 PIAA Corporate Counsel Workshop October 22 23, 2015 Considerations in Cyber Liability Coverage Chris Reese Vice President, Director of Underwriting Connie Rivas Asst. Vice President, Contracts and
Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Monday, August 3, 2015 1 How to ask a question during the webinar If you dialed in to this webinar on your phone
The Complexity of America s Health Care Industry White Paper #6 Privacy and Security www.nextwavehealthadvisors.com 2015 Next Wave Health Advisors and Lynn Harold Vogel, Ph.D. The Complexity of America
How-To Guide: Cyber Security Content Provided by Who needs cyber security? Businesses that have, use, or support computers, smartphones, email, websites, social media, or cloudbased services. Businesses
Cyber Risk Checklist: Compliance with Legal Obligations Grand Rapids Cyber Security Conference April 23, 2014 2014, Mika Meyers Beckett & Jones PLC All Rights Reserved Presented by: Jennifer A. Puplava
Protecting What Matters Most Terry Ray Chief Product Strategist Trending Technologies Session 11 Cyber attacks are bad and getting Significant economic Stock price fell by 14% Impacted profits by 46% Total
Managing Cyber & Privacy Risks NAATP Conference 2013 NSM Insurance Group Sean Conaboy Rich Willetts SEAN CONABOY INSURANCE BROKER NSM INSURANCE GROUP o Sean has been with NSM Insurance Group for the past
This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American
Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant
Guidance on Risk Analysis Requirements under the HIPAA Security Rule Introduction The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule.
Cybersecurity: Protecting Your Business March 11, 2015 Grant Thornton. All LLP. rights All reserved. rights reserved. Agenda Introductions Presenters Cybersecurity Cybersecurity Trends Cybersecurity Attacks
Page1 Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind The use of electronic medical records (EMRs) to maintain patient information is encouraged today and
IIARF Research Report CYBERSECURITY WHAT THE BOARD OF DIRECTORS NEEDS TO ASK Copyright 2014 by The Institute of Internal Auditors Research Foundation (IIARF). All rights reserved. Published by The Institute
Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA
October 24, 2014 Mitigating Legal and Business Risks of Cyber Breaches AGENDA Introductions Cyber Threat Landscape Cyber Risk Mitigation Strategies 1 Introductions 2 Introductions To Be Confirmed Title
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
New Privacy Laws Impacting the Health Care Work Place Presented by Thomas E. Jeffry, Jr., Esq. Arent Fox LLP Washington, DC New York, NY Los Angeles, CA November 12 & 19, 2009 Overview 1. Overview of California
CYBERSECURITY: Is Your Business Ready? Cybersecurity: Is your business ready? Cyber risk is just like any other corporate risk and it must be managed from the top. An organization will spend time monitoring
Access is power Access management may be an untapped element in a hospital s cybersecurity plan January 2016 kpmg.com Introduction Patient data is a valuable asset. Having timely access is critical for
BUSINESS WHITE PAPER Anatomy of a Healthcare Data Breach Prevention and remediation strategies Anatomy of a Healthcare Data Breach Table of Contents 2 Increased risk 3 Mitigation costs 3 An Industry unprepared
Finding a Cure for Medical Identity Theft A look at the rise of medical identity theft and what small healthcare organizations are doing to address threats October 2014 www.csid.com TABLE OF CONTENTS SUMMARY
SMB Data Breach Risk Management Best Practices By Mark Pribish February 19, 2015 Presentation Agenda About Mark Pribish Information Governance The Threat Landscape Data Breach Trends Legislative and Regulatory
Risky Business Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015 What We ll Cover About Me Background The threat Risks to your organization What your organization can/should
Cyber Warfare David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP Global Economic Crime Survey Cyber crime is the fastest growing economic crime up more than 2300% since 2009 1 in 10 companies
www.pwc.com.tr/cybersecurity Managing cyber risks with insurance Key factors to consider when evaluating how cyber insurance can enhance your security program June 2014 Managing cyber risks to sensitive
Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system
Insulate Your Company from a Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact February 10, 2015 Overview 1 The Legal Risks And Issues/The Role Of Legal Counsel: The Breach Coach The Slippery
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
www.pwc.com Cybersecurity and Privacy Hot Topics 2015 Table of Contents Cybersecurity and Privacy Incidents are on the rise Executives and Boards are focused on Emerging Risks Banking & Capital Markets
The Role of Security Monitoring & SIEM in Risk Management Jeff Kopec, MS, CISSP Cyber Security Architect Oakwood Healthcare Jeff Bell, CISSP, GSLC, CPHIMS, ACHE Director, IT Security & Risk Services CareTech
Patient Privacy and Security Presented by, Jeffery Daigrepont Jeffery Daigrepont, SVP No Financial Conflicts to Report Jeffery Daigrepont, Senior Vice President of The Coker Group, specializes in health
Real World Healthcare Security Exposures Brian Selfridge, Partner, Meditology Services 2 Agenda Introduction Background and Industry Context Anatomy of a Pen Test Top 10 Healthcare Security Exposures Lessons
KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST Protecting Identities. Enhancing Reputations. IDT911 1 DATA BREACHES AND SUBSEQUENT IDENTITY THEFT AND FRAUD THREATEN YOUR ORGANIZATION
Architecting Security to Address Compliance for Healthcare Providers What You Need to Know to Help Comply with HIPAA Omnibus, PCI DSS 3.0 and Meaningful Use November, 2014 Table of Contents Background...
HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA? 1 DEFINITIONS HIPAA Health Insurance Portability and Accountability Act of 1996 Primarily designed
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
The New Normal Healthcare s New Threat Profile Matthew Sadler National Director, Healthcare Cyber Security KPMG November 2015 Recent Events Cybercriminals Today Cyber Threats Why Are We Such a Big Target?
RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS Security solutions for patient and provider access AT A GLANCE Healthcare organizations of all sizes are responding to the demands of patients, physicians,
Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement
Healthcare providers attitudes towards HIPAA compliance in 2015 Created July, 27 2015 Healthcare providers attitudes towards HIPAA compliance in 2015 Over the course of this last year the healthcare industry
Strategies for 1 Proactively Auditing HIPAA Security Compliance to Mitigate Risk Matt Jackson, Director Kevin Dunnahoo, Manager AHIA 32 nd Annual Conference August 25-28, 2013 Chicago, Illinois www.ahia.org
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
Health IT Law & Industry Report VOL. 7, NO. 19 MAY 11, 2015 Reproduced with permission from Health IT Law & Industry Report, 07 HITR, 5/11/15. Copyright 2015 by The Bureau of National Affairs, Inc. (800-372-1033)
Auditing Security: Lessons Learned From Healthcare Security Breaches Adam H. Greene, J.D., M.P.H. Davis Wright Tremaine LLP Washington, D.C. Michael Mac McMillan CynergisTek, Inc. Austin, Texas DISCLAIMER:
BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and
ALA WEBINAR Law Firm Cyber Security & Compliance Risks James Harrison CEO, INVISUS Breach Risks & Trends 27.5% increase in breaches in 2014 (ITRC) Over 500 million personal records lost or stolen in 2014
WHITE PAPER: RISK MANAGEMENT AND COMPLIANCE: HEALTHCARE............. BEST.... PRACTICES........... GUIDE............ Risk Management and Compliance: Healthcare Best Practices Guide Who should read this
Cybersecurity@RTD Program Overview and 2015 Outlook Finance & Administration Committee Meeting February 10, 2015 Sheri Le, Manager of Cybersecurity RTD Information Technology Department of Finance & Administration
Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters
Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services email@example.com April 23, 2012 Overview Technology