Adopting a Cybersecurity Framework for Governance and Risk Management


Slide 1: The American Hospital Association's Center for Healthcare Governance, 2015 Fall Symposium
Adopting a Cybersecurity Framework for Governance and Risk Management
Jim Giordano, Vice Chairman & Chair of Finance Committee, Ascension Health - Michigan Market Board; President and CEO, CareTech Solutions
Jeff Bell, CISSP, GSLC, CPHIMS, ACHE, Manager, Cybersecurity and Privacy, PwC

Slide 2: Disclosure
Please note that the views expressed by the conference speakers do not necessarily reflect the views of the American Hospital Association, the Center for Healthcare Governance, or PricewaterhouseCoopers LLP.
Presentation includes partial content from Cybersecurity: What the Board of Directors Needs to Ask, IIARF Research Report, The Institute of Internal Auditors Research Foundation. Permission has been obtained from the copyright holder, The Institute of Internal Auditors Research Foundation, to publish this reproduction, which is the same in all material respects as the original unless approved as changed. No parts of this document may be reproduced, stored in any retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise) without prior written permission of IIARF.

Slide 3: Learning Objectives
1. Identify current healthcare privacy and cybersecurity threats and risks
2. Assess the readiness of healthcare providers, business associates, leadership and trustees to respond to current cybersecurity threats
3. Explain the role of the board in managing cybersecurity risks in the context of enterprise risk management
4. Explain the value of a cybersecurity framework for healthcare and hospital governance and enterprise risk management

Slide 4: Why is Cybersecurity a Board Oversight Issue?
- Financial / reputational loss at a level relevant to the Board's fiduciary responsibility to sustain the corporate mission
- Data breach laws make response costly, and bring fines
- Class-action lawsuits are costly
- Consideration of cyber liability insurance
- Cybersecurity incidents disrupt operations
- Attackers include nation-states and organized crime targeting theft of trade secrets and economic sabotage
- Risk of disruption of industrial controls (smart buildings)
- Threat to medical devices
Source: US cybersecurity: Progress stalled, Key findings from the 2015 US State of Cybercrime Survey, PwC, July 2015

Slide 5: How Boards Participate in Security
Data from The Global State of Information Security Survey 2015 (percentage of respondents whose board participates in each activity):
- Overall security strategy: (percentage not legible)
- Security budget: 36%
- Security policies: 32%
- Review of security & privacy risks: 25%
- Security technologies: 24%
- Review of roles & responsibilities of the security organization: 18%
- Review of security & privacy testing: 15%
Source: The Global State of Information Security Survey 2015, PwC

Slide 6: 2015: The Rise of Criminal Attacks on Healthcare Data
For the first time, criminal attacks are the number-one cause of healthcare data breaches. Criminal attacks on healthcare organizations are up 125% compared to 5 years ago. In fact, 45% of healthcare organizations say the root cause of the data breach was a criminal attack, and 12% say it was due to a malicious insider.
Source: Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, sponsored by ID Experts, independently conducted by Ponemon Institute LLC, May 2015

Slide 7: Healthcare Data Breaches Are Costly
- 90% had a data breach in the past 2 years; 40% had more than 5
- Average economic impact due to data breaches over 2 years is $2.1 million per healthcare organization and $1 million per business associate organization
- Criminal attacks are now the #1 cause of data breaches
- 56% of healthcare organizations and 59% of business associates don't believe their incident response process has adequate funding and resources

Slide 8: Healthcare Data Breaches Are Costly
- Data breaches in healthcare are the most expensive to remediate
- In the U.S. healthcare industry, the average cost was $398 per record
- Average cost across all industries: $154 per record

Slide 9: FBI Cyber Division: Private Industry Notification
Cyber actors will likely increase cyber intrusions against health care systems, including medical devices, due to:
- Mandatory transition from paper to electronic health records (EHR)
- Lax cybersecurity standards
- A higher financial payout for medical records on the black market
The healthcare industry is not technically prepared to combat cybercriminals' basic cyber intrusion tactics, techniques and procedures (TTPs), much less more advanced persistent threats (APTs).

Slide 10: Healthcare Cybersecurity Risks: Cybercrime & Hacking
- Until recently, cybercriminals didn't have healthcare data in their sights. (1)
- Now healthcare data is considered a top criminal target by the FBI. (2)
- (Percentage not legible) of breaches identified in 2014 were in the medical/healthcare industry. Leading cause: hacking incidents. (3)
"Cybercrime is a clear, present, and permanent danger. While it's a permanent condition, however, the actors, threats, and techniques are very dynamic." - Tom Ridge, CEO of Ridge Global, 1st Secretary of the US Department of Homeland Security
Sources:
(1) US cybercrime: Rising risks, reduced readiness - Key findings from the 2014 US State of Cybercrime Survey, PwC
(2) James Trainor, deputy assistant director of the FBI, Cyber Division (speaking at HIMSS15, April 2015)
(3) Identity Theft Resource Center

Slide 11: What Makes Healthcare Data So Valuable to Cybercriminals?
Healthcare records are a rich set of data: financial, medical, family, and personal data.
Healthcare data can be used to:
- Obtain healthcare services
- Obtain drugs or medical devices
- Commit insurance fraud
- Commit financial fraud (open financial accounts)
A healthcare record can be worth $50 to $1,000; credit card data typically sells for $1 each. Healthcare fraud detection is poor.
Source: Managing cyber risks in an interconnected world, Key findings from The Global State of Information Security Survey 2015, PwC

Slide 12: Healthcare Cybersecurity Risks: Medical Identity Theft
- More than 2.3 million Americans have been victims
- How victims learn of the crime: hospital invoice, collection letter, insurance statement, errors in health record, credit report
- Difficult for victims to prove the theft
- 65% of victims spent money to resolve it; average cost: $13,453
- Incorrect medical records could jeopardize safety
Sources: Fifth Annual Study on Medical Identity Theft, sponsored by the Medical Identity Fraud Alliance, independently conducted by Ponemon Institute LLC, February 2015; Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, sponsored by ID Experts, independently conducted by Ponemon Institute LLC, May 2015. See also: Medical Identity Fraud Alliance

Slide 13: Healthcare Cybersecurity Risks: Insider Threats
Insiders are the members of your workforce who are trusted with access to your systems:
- They make mistakes
- They violate policies (snooping, shortcuts)
- A few have criminal intentions
This is a huge problem in healthcare!
Solutions:
- Security awareness training
- Monitor / manage / discipline
- Access controls
- Data Leak Prevention
- User Activity Monitoring

Slide 14: Healthcare Cybersecurity Risks: Third Party Risks
Third parties were the #2 cause of breaches in [year not legible]. (1)
Healthcare providers need to manage third party risks:
- Evaluate whether third parties have access to PHI
- Evaluate the level of risk
- For high-risk third parties, evaluate the security program before contracting and on an ongoing basis
- Use contract terms to manage third party risks
Source: (1) Identity Theft Resource Center

Slide 15: Healthcare Cybersecurity Risks: Medical Device Vulnerabilities

Slide 16: Recent Breaches & Settlement Agreements
[Timeline figure: breach dates and record counts; breaches due to hackers]
- Anthem is the largest healthcare data breach in US history
- Medical Informatics Engineering is an EMR vendor with some very large customers

Slide 17: Recent Breaches & Settlement Agreements
[Timeline figure: breach dates, record counts, estimated costs ($13.5M, $6M) and a $1.7M settlement agreement]
- SRMH: stolen unencrypted USB drive
- Concentra: stolen unencrypted laptop
- Third party: transcriptionist lacked technical safeguards on a server; patient records accessible on the Internet

Slide 18: Recent Breaches & Settlement Agreements
[Timeline figure: breach dates and record counts; settlement agreements of $150K (ACMHS) and $3.5M (NYP) / $1.5M (CUMC) for 6,800 records]
- ACMHS: due to malware; fined for unpatched / unsupported systems
- NYP / CUMC: server data accessible on the Internet due to lack of technical safeguards; server installed and managed by a physician, not an IT professional

Slide 19: Five Guiding Principles for the Board
1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber risks as they relate to their company's specific circumstances.
3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
4. Directors should set the expectation that management will establish an enterprise-wide management framework with adequate staffing and budget.
5. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
Source: Cyber-Risk Oversight Executive Summary, Director's Handbook Series 2014 Edition [National Association of Corporate Directors (NACD) in collaboration with AIG and Internet Security Alliance (ISA); Washington, DC; 2014]

Slide 20: Principle 1: Approach Not Just an IT Issue
The Board must assume the role of fourth line of defense to protect against cyber risks within the whole organization.
Source: Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation ("IIARF"), strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.

Slide 21: Principle 1: Approach Not Just an IT Issue
- The Board must require an internal audit for a comprehensive report that covers all domains of cybersecurity, conducted by internal audit staff or an external security program
- The Board must monitor whether risk levels are improving or deteriorating and must evaluate the adequacy / severity of the pace of improvement / deterioration
Source: Cybersecurity: What the Board of Directors Needs to Ask, IIARF, 2015

Slide 22: Principle 2: Legal Implications
The Board must understand cyber risks associated with third-party service providers:
- IT outsourcing
- Business process outsourcing
- Cloud solutions
- SOC 1 and SOC 2 assurance reports performed
- Chain of trust: agreements with providers that cover responsibility, and agreements with any downstream providers of that third-party provider
Note: HIPAA mandates Business Associate Agreements and Business Associate Compliance, but this is not enough.
Source: Cybersecurity: What the Board of Directors Needs to Ask, IIARF, 2015

Slide 23: Principle 2: Legal Implications
Understand what constitutes a data breach and what notifications are required by state and federal law:
- HIPAA/HITECH breach notification requirements
- In which states does the organization conduct business?
- Are there states where the data breach and privacy laws may be stricter than others (e.g., Mass. and Cali. are perceived to be "strict")?
- What constitutes a data breach in those states? What are the reporting requirements?
- Under some state laws, if breached data is encrypted, reporting is not required or is minimized
The Board should be made aware of all major data breaches and security incidents.
Source: Cybersecurity: What the Board of Directors Needs to Ask, IIARF, 2015

Slide 24: Principle 2: Legal Implications
Federal Breach Notification (Omnibus rule of 2013):
- Covered Entities must report security breaches directly to individuals, without unreasonable delay and in no case later than 60 days following discovery
- If the individual cannot be contacted, notice must be posted on the hospital website or given to local media
- Large security breaches (500 or more records) must be reported to the U.S. Department of Health and Human Services and prominent media outlets; HHS will post all large breaches to their website
- Small breaches (under 500 records) must be reported to HHS annually

Slide 25: Principle 2: Legal Implications
"...an acquisition, access, use or disclosure of [PHI] in a manner not permitted under [the HIPAA Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the [PHI] has been compromised based on a risk assessment of at least the four following factors:"
1. Nature and extent of the PHI
2. The unauthorized person who used or received the PHI
3. Whether the PHI was actually acquired or viewed
4. The extent to which the risk to the PHI has been mitigated
Safe harbor (no breach) if the data was properly encrypted or destroyed.

Slide 26: Principle 3: Discuss with Experts
The Board should take time to meet with the Chief Information Security Officer (CISO):
- Understand key issues from the CISO's perspective
- Discuss security strategy and current projects
- Identify roadblocks (e.g., budget, political agenda, arrogance)
- Understand data breaches occurring within the industry
Verify that management has established relationships with local and national authorities:
- Annual meetings with local FBI
- FBI actively involved in cybersecurity (InfraGard formed in 1996)
Source: Cybersecurity: What the Board of Directors Needs to Ask, IIARF, 2015

Slide 27: Principle 4: Enterprise-Wide Management Framework
The Board must require management to communicate the enterprise risk management organization structure and provide staffing and budget details. Enterprise risk management comprises several risks: operational, credit, regulatory, legal, medical errors / liability, cybersecurity.
The Board should review security budget metrics:
- What percentage of total revenue is the IT budget?
- What percentage of the IT budget is the security budget?
- How many security dollars are being spent per employee within the organization?
- Beyond corporate IT, what other departments maintain security budgets?
Source: Cybersecurity: What the Board of Directors Needs to Ask, IIARF, 2015

Slide 28: Principle 5: Avoiding & Accepting Risks
- The Board should meet with the Chief Risk Officer (CRO) or equivalent annually to review all risks that were avoided and accepted; be aware of decisions made in the Risk Acceptance Report
- The Board must verify that cyber insurance coverage is sufficient: ask management to provide the cost per record of a data breach, and understand the impact of a major data breach
Source: Cybersecurity: What the Board of Directors Needs to Ask, IIARF, 2015

Slide 29: Six Questions the Board Should Ask
1. Does the organization have a security framework?
2. What are the top risks the organization has related to cybersecurity?
3. How are employees made aware of their role relating to cybersecurity?
4. Are external and internal threats considered when planning cybersecurity activities?
5. How is security governance managed within the organization?
6. In the event of a serious breach, has management developed a robust response protocol?
Source: Cybersecurity: What the Board of Directors Needs to Ask, IIARF, 2015

Slide 30: Six Questions the Board Should Ask
1. Does the organization have a security framework?
- HIPAA / HITECH, HITRUST (healthcare)
- PCI-DSS for credit card acceptance
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework: the President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in Feb [year not legible]
- ISO 27001, NIST [publication number not legible], COBIT
Source: Cybersecurity: What the Board of Directors Needs to Ask, IIARF, 2015

Slide 31: HIPAA Requires a Risk-Based Approach to Security
- "Protect against any reasonably anticipated threats or hazards" (a)
- Conduct a risk analysis: "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of [ePHI] held by the covered entity" (a)(1)(ii)(A)
- Risk management: "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level" (a)(1)(ii)(B)

Slide 32: National Institute of Standards & Technology (NIST) Cybersecurity Framework
- Identify: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy
- Protect: Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures
- Detect: Anomalies and Events, Security Continuous Monitoring, Detection Processes
- Respond: Response Planning, Communications, Analysis, Mitigation, Improvements
- Recover: Recovery Planning, Improvements, Communications
Source: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014

Slide 33: NIST Cybersecurity Framework: Framework Core
Framework Core: a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.
Source: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014

Slide 34: NIST Cybersecurity Framework: Framework Implementation Tiers
Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the Framework. These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed.
- Tier 1 (Partial): Risk management is ad hoc, with limited awareness of risks and no collaboration with others
- Tier 2 (Risk Informed): Risk management processes and program are in place but are not integrated enterprise-wide; collaboration is understood but the organization lacks formal capabilities
- Tier 3 (Repeatable): Formal policies for risk management processes and programs are in place enterprise-wide, with partial external collaboration
- Tier 4 (Adaptive): Risk management processes and programs are based on lessons learned and embedded in culture, with proactive collaboration
Source: Why you should adopt the NIST Cybersecurity Framework, PwC, May 2014

Slide 35: NIST Cybersecurity Framework: Framework Profile
A Profile represents the [security] outcomes, based on business needs, that an organization has selected from the Framework Categories and Subcategories.
Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a Current Profile (the "as is" state) with a Target Profile (the "to be" state). The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations.
Source: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
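The Core categories (slide 32), the Tier names (slide 34) and the Current-versus-Target Profile comparison (slide 35) fit together as a small gap-analysis exercise. The script below is an added example written for this page; it is not code from the presenters, PwC or NIST. It assumes, as a simplification the Framework itself does not make, that each Core category is scored 1 to 4 using the Tier names as a scale, so a "gap" is simply target minus current. Category keys are qualified by Function because "Communications" and "Improvements" appear under both Respond and Recover. The sample profiles are constructed for illustration.

```python
"""Current-vs-Target Profile gap analysis over the NIST CSF Core categories.

Added example, not part of the original slide deck or the NIST Framework.
Assumption (not from the Framework): each Category is scored 1-4 using the
Tier names as a rough scale, so a gap is simply target minus current.
"""
from dataclasses import dataclass

# Framework Core Functions and Categories exactly as listed on slide 32.
CSF_CORE = {
    "Identify": ["Asset Management", "Business Environment", "Governance",
                 "Risk Assessment", "Risk Management Strategy"],
    "Protect": ["Access Control", "Awareness and Training", "Data Security",
                "Information Protection Processes and Procedures"],
    "Detect": ["Anomalies and Events", "Security Continuous Monitoring",
               "Detection Processes"],
    "Respond": ["Response Planning", "Communications", "Analysis",
                "Mitigation", "Improvements"],
    "Recover": ["Recovery Planning", "Improvements", "Communications"],
}

# Implementation Tier names (slide 34), reused here as a 1-4 scoring scale.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


def category_keys():
    """Function-qualified keys, e.g. 'Respond/Communications', so the
    duplicated category names under Respond and Recover stay distinct."""
    return [f"{fn}/{cat}" for fn, cats in CSF_CORE.items() for cat in cats]


def validate_profile(profile):
    """Reject unknown categories and scores outside the 1-4 scale."""
    known = set(category_keys())
    for key, level in profile.items():
        if key not in known:
            raise ValueError(f"unknown CSF category: {key}")
        if level not in TIERS:
            raise ValueError(f"{key}: level {level} not in {sorted(TIERS)}")


@dataclass(frozen=True)
class Gap:
    function: str
    category: str
    current: int
    target: int

    @property
    def size(self):
        return self.target - self.current


def gap_analysis(current, target, default_current=1):
    """Return the categories where the Target Profile exceeds the Current
    Profile, largest gap first, ties in Framework Core order.

    Categories missing from `current` are assumed ad hoc (Tier 1);
    categories missing from `target` keep their current level (no gap)."""
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for key in category_keys():
        fn, cat = key.split("/", 1)
        cur = current.get(key, default_current)
        tgt = target.get(key, cur)
        if tgt > cur:
            gaps.append(Gap(fn, cat, cur, tgt))
    return sorted(gaps, key=lambda g: -g.size)  # sorted() is stable


def gap_by_function(gaps):
    """Total gap per Function: a board-level view of where effort is needed."""
    totals = {fn: 0 for fn in CSF_CORE}
    for g in gaps:
        totals[g.function] += g.size
    return totals


# Constructed sample profiles (hypothetical hospital, not real data).
SAMPLE_CURRENT = {
    "Identify/Asset Management": 2,
    "Identify/Governance": 3,
    "Protect/Access Control": 3,
    "Protect/Data Security": 2,
    "Detect/Security Continuous Monitoring": 1,
    "Respond/Response Planning": 1,
    "Recover/Recovery Planning": 2,
}
SAMPLE_TARGET = {key: 3 for key in category_keys()}
SAMPLE_TARGET["Detect/Security Continuous Monitoring"] = 4


def sample_report():
    """Run the analysis on the constructed profiles."""
    return gap_analysis(SAMPLE_CURRENT, SAMPLE_TARGET)


if __name__ == "__main__":
    gaps = sample_report()
    for g in gaps:
        print(f"{g.function:8} {g.category:48} "
              f"{TIERS[g.current]} -> {TIERS[g.target]} (gap {g.size})")
    print(gap_by_function(gaps))
```

Run stand-alone it prints one line per category with a gap, largest first, followed by the per-Function totals; with the constructed profiles the biggest single gap is Security Continuous Monitoring under Detect, and Respond carries the largest total, which matches the slide 36 point that the Framework's emphasis on Detect, Respond and Recover is where many programs fall short.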

Slide 36: NIST Cybersecurity Framework
Benefits of using the Cybersecurity Framework:
- Improve cybersecurity: The NIST Framework Core is up to date in terms of cyber threats / risks / effective controls, with an emphasis on Detect, Respond and Recover, not just Protect. It is much more up to date and comprehensive than the HIPAA rule.
- Reduce legal exposure: This process can demonstrate due care in case of a breach and federal / state investigation, or even a lawsuit. The NIST Framework is founded on a presidential order and represents best practices.
- Improve collaboration and communication of security posture with executives and others
Source: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014

Slide 37: Six Questions the Board Should Ask
2. What are the top risks the organization has related to cybersecurity?
Potential areas of risk (examples):
- Bring your own device (BYOD) and smart devices
- Cloud computing
- Outsourcing critical business controls to third parties (and lack of controls around third-party services)
- Disaster recovery and business continuity
- Hacking / malware / Advanced Persistent Threats
- Insider risks
- Medical device vulnerabilities
Source: Cybersecurity: What the Board of Directors Needs to Ask, IIARF, 2015

Slide 38: Six Questions the Board Should Ask
3. How are employees made aware of their role relating to cybersecurity?
- Security awareness training program
- Review and annual test for employees
- Communication plan from the CEO or other top executive
Source: Cybersecurity: What the Board of Directors Needs to Ask, IIARF, 2015

Slide 39: Six Questions the Board Should Ask
4. Are external and internal threats considered when planning cybersecurity activities?
Sources: US cybercrime: Rising risks, reduced readiness: Key findings from the 2014 US State of Cybercrime Survey, PwC; Cybersecurity: What the Board of Directors Needs to Ask, IIARF, 2015

Slide 40: Six Questions the Board Should Ask
5. How is security governance managed within the organization?
- 1st Line of Defense: IT operations function; implements policies and standards; day-to-day monitoring of networks and infrastructure
- 2nd Line of Defense: performs the majority of governance functions related to cybersecurity; headed by the CISO, who defines policies, standards, and technical configurations; ensures that IT performs monitoring, reporting, and tracking
- 3rd Line of Defense: Internal audit ensures that the 1st and 2nd lines of defense are functioning as designed
Source: Cybersecurity: What the Board of Directors Needs to Ask, IIARF, 2015

Slide 41: Six Questions the Board Should Ask
6. In the event of a serious breach, has management developed a robust response protocol?
- Incident response program / team / skills / tools
- Crisis management program
- Crisis management team and their responsibilities
Source: Cybersecurity: What the Board of Directors Needs to Ask, IIARF, 2015

Slide 42: Board of Directors Responsibility
"A primary responsibility of every board of directors is to secure the future of the organization. The very survival of the organization depends on the ability of the board and management not only to cope with future events but to anticipate the impact those events will have on both the company and the industry as a whole." - Tom Horton, Directors & Boards

Slide 43: The American Hospital Association's Center for Healthcare Governance, 2015 Fall Symposium
Questions?
Jim Giordano, Vice Chairman & Chair of Finance Committee, Ascension Health - Michigan Market Board; President and CEO, CareTech Solutions
Jeff Bell, CISSP, GSLC, CPHIMS, ACHE, Manager, Cybersecurity and Privacy, PwC


More information

Cybersecurity Issues for Community Banks

Cybersecurity Issues for Community Banks Eastern Massachusetts Compliance Network Cybersecurity Issues for Community Banks Copyright 2014 by K&L Gates LLP. All rights reserved. Sean P. Mahoney sean.mahoney@klgates.com K&L Gates LLP State Street

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

4/9/2015. One Year After the HIPAA Omnibus Rule: Lessons Learned in Breach Notification. Agenda

4/9/2015. One Year After the HIPAA Omnibus Rule: Lessons Learned in Breach Notification. Agenda One Year After the HIPAA Omnibus Rule: Lessons Learned in Breach Notification Adam H. Greene, JD, MPH Partner Davis Wright Tremaine HCCA Compliance Institute April 22, 2015 Doug Pollack Chief Strategy

More information

Aalborg Universitet. Cyber Assurance - what should the IT auditor focus on? Berthing, Hans Henrik Aabenhus. Publication date: 2014

Aalborg Universitet. Cyber Assurance - what should the IT auditor focus on? Berthing, Hans Henrik Aabenhus. Publication date: 2014 Aalborg Universitet Cyber Assurance - what should the IT auditor focus on? Berthing, Hans Henrik Aabenhus Publication date: 2014 Document Version Early version, also known as pre-print Link to publication

More information

2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security

2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security 2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security Commissioned by ID Experts November 2009 INTRODUCTION Healthcare breaches are on the rise; according to the 2009

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Bridging the HIPAA/HITECH Compliance Gap

Bridging the HIPAA/HITECH Compliance Gap CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According

More information

Cybersecurity: What CFO s Need to Know

Cybersecurity: What CFO s Need to Know Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction

More information

What s New with HIPAA? Policy and Enforcement Update

What s New with HIPAA? Policy and Enforcement Update What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final

More information

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked Linda Vincent, R.N., P.I., CITRMS Vincent & Associates Founder The Identity Advocate San Pedro, California The opinions expressed

More information

HIPAA/HITECH Privacy and Security for Long Term Care. Association of Jewish Aging Services 1

HIPAA/HITECH Privacy and Security for Long Term Care. Association of Jewish Aging Services 1 HIPAA/HITECH Privacy and Security for Long Term Care 1 John DiMaggio Chief Executive Officer, Blue Orange Compliance Cliff Mull Partner, Benesch, Healthcare Practice Group About the Presenters John DiMaggio,

More information

The Impact of HIPAA and HITECH

The Impact of HIPAA and HITECH The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients

More information

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.

More information

Cyber Risks in the Boardroom

Cyber Risks in the Boardroom Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing

More information

2015 PIAA Corporate Counsel Workshop October 22 23, 2015 Considerations in Cyber Liability Coverage

2015 PIAA Corporate Counsel Workshop October 22 23, 2015 Considerations in Cyber Liability Coverage 2015 PIAA Corporate Counsel Workshop October 22 23, 2015 Considerations in Cyber Liability Coverage Chris Reese Vice President, Director of Underwriting Connie Rivas Asst. Vice President, Contracts and

More information

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Monday, August 3, 2015 1 How to ask a question during the webinar If you dialed in to this webinar on your phone

More information

White Paper #6. Privacy and Security

White Paper #6. Privacy and Security The Complexity of America s Health Care Industry White Paper #6 Privacy and Security www.nextwavehealthadvisors.com 2015 Next Wave Health Advisors and Lynn Harold Vogel, Ph.D. The Complexity of America

More information

How-To Guide: Cyber Security. Content Provided by

How-To Guide: Cyber Security. Content Provided by How-To Guide: Cyber Security Content Provided by Who needs cyber security? Businesses that have, use, or support computers, smartphones, email, websites, social media, or cloudbased services. Businesses

More information

Cyber Risk Checklist: Compliance with Legal Obligations Grand Rapids Cyber Security Conference April 23, 2014

Cyber Risk Checklist: Compliance with Legal Obligations Grand Rapids Cyber Security Conference April 23, 2014 Cyber Risk Checklist: Compliance with Legal Obligations Grand Rapids Cyber Security Conference April 23, 2014 2014, Mika Meyers Beckett & Jones PLC All Rights Reserved Presented by: Jennifer A. Puplava

More information

Protecting What Matters Most. Terry Ray Chief Product Strategist Trending Technologies Session 11

Protecting What Matters Most. Terry Ray Chief Product Strategist Trending Technologies Session 11 Protecting What Matters Most Terry Ray Chief Product Strategist Trending Technologies Session 11 Cyber attacks are bad and getting Significant economic Stock price fell by 14% Impacted profits by 46% Total

More information

Managing Cyber & Privacy Risks

Managing Cyber & Privacy Risks Managing Cyber & Privacy Risks NAATP Conference 2013 NSM Insurance Group Sean Conaboy Rich Willetts SEAN CONABOY INSURANCE BROKER NSM INSURANCE GROUP o Sean has been with NSM Insurance Group for the past

More information

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American

More information

Nine Network Considerations in the New HIPAA Landscape

Nine Network Considerations in the New HIPAA Landscape Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant

More information

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

Guidance on Risk Analysis Requirements under the HIPAA Security Rule Guidance on Risk Analysis Requirements under the HIPAA Security Rule Introduction The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule.

More information

Cybersecurity: Protecting Your Business. March 11, 2015

Cybersecurity: Protecting Your Business. March 11, 2015 Cybersecurity: Protecting Your Business March 11, 2015 Grant Thornton. All LLP. rights All reserved. rights reserved. Agenda Introductions Presenters Cybersecurity Cybersecurity Trends Cybersecurity Attacks

More information

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind Page1 Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind The use of electronic medical records (EMRs) to maintain patient information is encouraged today and

More information

IIARF Research Report CYBERSECURITY WHAT THE BOARD OF DIRECTORS NEEDS TO ASK

IIARF Research Report CYBERSECURITY WHAT THE BOARD OF DIRECTORS NEEDS TO ASK IIARF Research Report CYBERSECURITY WHAT THE BOARD OF DIRECTORS NEEDS TO ASK Copyright 2014 by The Institute of Internal Auditors Research Foundation (IIARF). All rights reserved. Published by The Institute

More information

Data Breach Response Planning: Laying the Right Foundation

Data Breach Response Planning: Laying the Right Foundation Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA

More information

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

More information

October 24, 2014. Mitigating Legal and Business Risks of Cyber Breaches

October 24, 2014. Mitigating Legal and Business Risks of Cyber Breaches October 24, 2014 Mitigating Legal and Business Risks of Cyber Breaches AGENDA Introductions Cyber Threat Landscape Cyber Risk Mitigation Strategies 1 Introductions 2 Introductions To Be Confirmed Title

More information

RETHINKING CYBER SECURITY Changing the Business Conversation

RETHINKING CYBER SECURITY Changing the Business Conversation RETHINKING CYBER SECURITY Changing the Business Conversation October 2015 Introduction: Diane Smith Michigan Delegate Higher Education Conference Speaker Board Member 2 1 1. Historical Review Agenda 2.

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

Why you should adopt the NIST Cybersecurity Framework

Why you should adopt the NIST Cybersecurity Framework www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

New Privacy Laws Impacting the Health Care Work Place

New Privacy Laws Impacting the Health Care Work Place New Privacy Laws Impacting the Health Care Work Place Presented by Thomas E. Jeffry, Jr., Esq. Arent Fox LLP Washington, DC New York, NY Los Angeles, CA November 12 & 19, 2009 Overview 1. Overview of California

More information

CYBERSECURITY: Is Your Business Ready?

CYBERSECURITY: Is Your Business Ready? CYBERSECURITY: Is Your Business Ready? Cybersecurity: Is your business ready? Cyber risk is just like any other corporate risk and it must be managed from the top. An organization will spend time monitoring

More information

Access is power. Access management may be an untapped element in a hospital s cybersecurity plan. January 2016. kpmg.com

Access is power. Access management may be an untapped element in a hospital s cybersecurity plan. January 2016. kpmg.com Access is power Access management may be an untapped element in a hospital s cybersecurity plan January 2016 kpmg.com Introduction Patient data is a valuable asset. Having timely access is critical for

More information

Anatomy of a Healthcare Data Breach

Anatomy of a Healthcare Data Breach BUSINESS WHITE PAPER Anatomy of a Healthcare Data Breach Prevention and remediation strategies Anatomy of a Healthcare Data Breach Table of Contents 2 Increased risk 3 Mitigation costs 3 An Industry unprepared

More information

Finding a Cure for Medical Identity Theft

Finding a Cure for Medical Identity Theft Finding a Cure for Medical Identity Theft A look at the rise of medical identity theft and what small healthcare organizations are doing to address threats October 2014 www.csid.com TABLE OF CONTENTS SUMMARY

More information

SMB Data Breach Risk Management Best Practices. By Mark Pribish February 19, 2015

SMB Data Breach Risk Management Best Practices. By Mark Pribish February 19, 2015 SMB Data Breach Risk Management Best Practices By Mark Pribish February 19, 2015 Presentation Agenda About Mark Pribish Information Governance The Threat Landscape Data Breach Trends Legislative and Regulatory

More information

Risky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015

Risky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015 Risky Business Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015 What We ll Cover About Me Background The threat Risks to your organization What your organization can/should

More information

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime?

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime? Cyber Warfare David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP Global Economic Crime Survey Cyber crime is the fastest growing economic crime up more than 2300% since 2009 1 in 10 companies

More information

Managing cyber risks with insurance

Managing cyber risks with insurance www.pwc.com.tr/cybersecurity Managing cyber risks with insurance Key factors to consider when evaluating how cyber insurance can enhance your security program June 2014 Managing cyber risks to sensitive

More information

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system

More information

10 Smart Ideas for. Keeping Data Safe. From Hackers

10 Smart Ideas for. Keeping Data Safe. From Hackers 0100101001001010010001010010101001010101001000000100101001010101010010101010010100 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000

More information

Insulate Your Company from a Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact. February 10, 2015

Insulate Your Company from a Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact. February 10, 2015 Insulate Your Company from a Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact February 10, 2015 Overview 1 The Legal Risks And Issues/The Role Of Legal Counsel: The Breach Coach The Slippery

More information

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased

More information

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014 HIPAA Update Presented by: Melissa M. Zambri June 25, 2014 Timeline of New Rules 2/17/09 - Stimulus Package Enacted 8/24/09 - Interim Final Rule on Breach Notification 10/7/09 - Proposed Rule Regarding

More information

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million

More information

www.pwc.com Cybersecurity and Privacy Hot Topics 2015

www.pwc.com Cybersecurity and Privacy Hot Topics 2015 www.pwc.com Cybersecurity and Privacy Hot Topics 2015 Table of Contents Cybersecurity and Privacy Incidents are on the rise Executives and Boards are focused on Emerging Risks Banking & Capital Markets

More information

The Role of Security Monitoring & SIEM in Risk Management

The Role of Security Monitoring & SIEM in Risk Management The Role of Security Monitoring & SIEM in Risk Management Jeff Kopec, MS, CISSP Cyber Security Architect Oakwood Healthcare Jeff Bell, CISSP, GSLC, CPHIMS, ACHE Director, IT Security & Risk Services CareTech

More information

Patient Privacy and Security. Presented by, Jeffery Daigrepont

Patient Privacy and Security. Presented by, Jeffery Daigrepont Patient Privacy and Security Presented by, Jeffery Daigrepont Jeffery Daigrepont, SVP No Financial Conflicts to Report Jeffery Daigrepont, Senior Vice President of The Coker Group, specializes in health

More information

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services Real World Healthcare Security Exposures Brian Selfridge, Partner, Meditology Services 2 Agenda Introduction Background and Industry Context Anatomy of a Pen Test Top 10 Healthcare Security Exposures Lessons

More information

Network Security & Privacy Landscape

Network Security & Privacy Landscape Network Security & Privacy Landscape Presented By: Greg Garijanian Senior Underwriter Professional Liability 1 Agenda Network Security Overview -Latest Threats - Exposure Trends - Regulations Case Studies

More information

Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security

Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @ Agenda Review the

More information

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST Protecting Identities. Enhancing Reputations. IDT911 1 DATA BREACHES AND SUBSEQUENT IDENTITY THEFT AND FRAUD THREATEN YOUR ORGANIZATION

More information

Architecting Security to Address Compliance for Healthcare Providers

Architecting Security to Address Compliance for Healthcare Providers Architecting Security to Address Compliance for Healthcare Providers What You Need to Know to Help Comply with HIPAA Omnibus, PCI DSS 3.0 and Meaningful Use November, 2014 Table of Contents Background...

More information

Managing Your Cyber & Data Risk 2010 NTA Convention Montreal, Quebec

Managing Your Cyber & Data Risk 2010 NTA Convention Montreal, Quebec Managing Your Cyber & Data Risk 2010 NTA Convention Montreal, Quebec Jeremy Ong Divisional Vice-President Great American Insurance Company November 13, 2010 1 Agenda Overview of data breach statistics

More information

3/13/2015 HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA?

3/13/2015 HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA? HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA? 1 DEFINITIONS HIPAA Health Insurance Portability and Accountability Act of 1996 Primarily designed

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

The New Normal Healthcare s New Threat Profile. Matthew Sadler National Director, Healthcare Cyber Security KPMG November 2015

The New Normal Healthcare s New Threat Profile. Matthew Sadler National Director, Healthcare Cyber Security KPMG November 2015 The New Normal Healthcare s New Threat Profile Matthew Sadler National Director, Healthcare Cyber Security KPMG November 2015 Recent Events Cybercriminals Today Cyber Threats Why Are We Such a Big Target?

More information

RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS

RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS Security solutions for patient and provider access AT A GLANCE Healthcare organizations of all sizes are responding to the demands of patients, physicians,

More information

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement

More information

Healthcare providers attitudes towards HIPAA compliance in 2015

Healthcare providers attitudes towards HIPAA compliance in 2015 Healthcare providers attitudes towards HIPAA compliance in 2015 Created July, 27 2015 Healthcare providers attitudes towards HIPAA compliance in 2015 Over the course of this last year the healthcare industry

More information

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015 Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting January 9, 2015 Agenda Key Risks Incorporating Internal Audit Resources for Internal Auditors Questions 2 Key Risks 3 4 Key

More information

Strategies for. Proactively Auditing. Compliance to Mitigate. Matt Jackson, Director Kevin Dunnahoo, Manager

Strategies for. Proactively Auditing. Compliance to Mitigate. Matt Jackson, Director Kevin Dunnahoo, Manager Strategies for 1 Proactively Auditing HIPAA Security Compliance to Mitigate Risk Matt Jackson, Director Kevin Dunnahoo, Manager AHIA 32 nd Annual Conference August 25-28, 2013 Chicago, Illinois www.ahia.org

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

A s a covered entity or business associate, you have

A s a covered entity or business associate, you have Health IT Law & Industry Report VOL. 7, NO. 19 MAY 11, 2015 Reproduced with permission from Health IT Law & Industry Report, 07 HITR, 5/11/15. Copyright 2015 by The Bureau of National Affairs, Inc. (800-372-1033)

More information

Auditing Security: Lessons Learned From Healthcare Security Breaches

Auditing Security: Lessons Learned From Healthcare Security Breaches Auditing Security: Lessons Learned From Healthcare Security Breaches Adam H. Greene, J.D., M.P.H. Davis Wright Tremaine LLP Washington, D.C. Michael Mac McMillan CynergisTek, Inc. Austin, Texas DISCLAIMER:

More information

BUSINESS ASSOCIATE AGREEMENT. Recitals

BUSINESS ASSOCIATE AGREEMENT. Recitals BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and

More information

Law Firm Cyber Security & Compliance Risks

Law Firm Cyber Security & Compliance Risks ALA WEBINAR Law Firm Cyber Security & Compliance Risks James Harrison CEO, INVISUS Breach Risks & Trends 27.5% increase in breaches in 2014 (ITRC) Over 500 million personal records lost or stolen in 2014

More information

Risk Management and Compliance: Healthcare Best Practices Guide

Risk Management and Compliance: Healthcare Best Practices Guide WHITE PAPER: RISK MANAGEMENT AND COMPLIANCE: HEALTHCARE............. BEST.... PRACTICES........... GUIDE............ Risk Management and Compliance: Healthcare Best Practices Guide Who should read this

More information

Cybersecurity@RTD Program Overview and 2015 Outlook

Cybersecurity@RTD Program Overview and 2015 Outlook Cybersecurity@RTD Program Overview and 2015 Outlook Finance & Administration Committee Meeting February 10, 2015 Sheri Le, Manager of Cybersecurity RTD Information Technology Department of Finance & Administration

More information

MANAGING Cybersecurity Risk AND DISCLOSURE OBLIGATIONS

MANAGING Cybersecurity Risk AND DISCLOSURE OBLIGATIONS MANAGING Cybersecurity Risk AND DISCLOSURE OBLIGATIONS RRD Donnelley SEC Hot Topics Institute May 21, 2014 1 MANAGING CYBERSECURITY RISK AND DISCLOSURE OBLIGATIONS Patrick J. Schultheis Partner Wilson

More information

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters

More information

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information