HCCA Compliance Institute 2013 Privacy & Security

Transcription

1 HCCA Compliance Institute 2013 Privacy & Security 704 Conducting a Privacy Risk Assessment A Practical Guide to the Performance, Evaluation and Response April 23, 2013 Presented By Eric Dieterich

2 Session Objectivities Identify your data privacy risk factors Recognize what regulatory requirements impact data privacy Understand the key attributes and what it takes to perform a privacy risk assessment Learn how to conduct and leverage the results of a privacy risk assessment Session Highlight We will have Live Voting throughout the session. Participation is optional Can TEXT or submit response at Voting results are anonymous 2

3 Introduction Eric Dieterich, CISA, CRISC, CIPP/US Partner Sunera LLC Sunera is a leading provider of business consulting and technology risk management services throughout the United States and Canada. Responsible for the IT Advisory Services in South Florida and leads the National Data Privacy practice. Over 12 years of IT advisory and governance experience with regulatory and industry standards including GLBA, HIPAA, HITECH, MA 201 CMR and the PCI DSS. 3

4 Introduction Video Short video clip showing how one little event may lead to a much larger issue. 4

5 Why is a Data Privacy Risk Assessment Important? There is a growing body of laws, regulations and legal agreements across the globe that govern how personal information should be: Collected Processed Stored Shared Collected Processed Stored Shared An breach could result in: Regulatory or legal action Direct financial loss Loss of customer or employee confidence Damage to the brand reputation 5

6 POLL QUESTION 6

7 Business Drivers for a Data Privacy Program Its not if, but when! 7

8 Business Drivers for a Data Privacy Program HIPAA Risk Analysis Requirements under the Security Rule The Security Management Process standard in the Security Rule requires organizations to implement policies and procedures to prevent, detect, contain, and correct security violations. (45 C.F.R (a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section (a)(1)(ii)(A) states: RISK ANALYSIS (Required) - Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization. A privacy risk assessment can help your organization understand the privacy related risks not just focusing on the Security Rule. 8

9 The Risks! Data privacy risks revolve around the inappropriate or unauthorized collection, use, retention, and disclosure of protected health information, personal information or business sensitive information. The three key risks to be considered when determining the overall data privacy risks include: (1) Legal (2) Reputation (3) Operational Increasing focus on business sensitive information. Digital intruders are increasingly targeting information about high-stakes business deals -- from mergers and acquisitions to joint ventures to long-term supply agreements -- and companies routinely conceal these breaches from the public, say government officials and security companies. Bloomberg, November 4,

10 Recent Data Breaches Wyndham Worldwide Breach Description: June 2012, The U.S. Federal Trade Commission has filed a lawsuit against hotel chain Wyndham Worldwide and three subsidiaries for allegedly storing data in plain text and other security failures that enabled hackers to access more than 600,000 payment card accounts in three data breaches in less than two years. The hackers used the data stolen from Wyndham's data center in Phoenix to make transactions, resulting in fraud losses of more than $10.6 million, the suit says. Impact: The FTC suit alleges that Wyndham's privacy policy misrepresented the security measures the company and its subsidiaries took to protect customer personal information. BlueCross BlueShield Breach Description: March 2012; The insurer today agreed to pay $1.5 million to the U.S. Department of Health and Human Services (HHS) to settle Health Insurance Portability and Accountability Act (HIPAA) violations related to the breach. Under the settlement, BlueCross BlueShield has also agreed to review and revise its privacy and security policies and to regularly train employees on their responsibilities under the HIPAA of The settlement is the first resulting from enforcement action taken by the HHS under Health Information Technology for Economic and Clinical Health (HITECH) breach notification requirements. 10

11 POLL QUESTION 11

12 Healthcare Data Breaches on the Rise! Organizations that have experienced data breach involving the loss of patient data in the past two years. Ponemon Institute, Inc., Third Annual Benchmark Study on Patient Privacy & Data Security, December

13 Healthcare Data Breaches on the Rise! Type of data that was lost or stolen. Ponemon Institute, Inc., Third Annual Benchmark Study on Patient Privacy & Data Security, December

14 Breach Related Expenses Notification Public Relations Forensics Legal Creating letter or other notification Advertising & Press Releases Legal Expenses for Outside Attorney Response to Claims or Suits Printing or design Mailing or other transmission Call Center Operations Other Services for Effected Persons: Credit Monitoring Cost of Forensic Examination Cost To Remediate Discovered Vulnerabilities Payment of Judgments or Settlements 14

15 DATA PRIVACY REGULATIONS 15

16 Data Privacy Regulatory Implications Federal, State, and industry specific regulations govern the collection, use, and storage of personal information. HIPAA Security and Privacy Rule / HITECH Act State Privacy/Security Regulations State Breach Notification Requirements GLBA Payment Card Industry (PCI DSS) 16

17 HIPAA Notifications Notice to individuals must be provided in written or electronic format. Notice must be provided to prominent media outlets following the discovery of breaches that involved the information of 500 or more individuals. If the breach affected more than 500 individuals, notice must also be provided immediately to the Secretary of Health and Human Services. HHS will post on website If fewer than 500, keep a log of breaches and submit annually to HHS. Notice must be provided 60 calendar days after discovery Discovery is the first day the breach is known or should reasonably have been known Allows for delay if law enforcement is involved 17

18 State Breach Notification Laws 47 states plus Washington DC have passed breach notification legislation. State breach notification laws often require that a government agency (attorney general or a state appointed privacy commission) and/or credit agencies be notified of the data breach. 18

19 DATA PRIVACY RISK ASSESSMENT METHODOLOGY 19

20 Data Privacy Risk Assessment Understanding the Information Life Cycle Defining Establish a framework for controlling how sensitive data is collected, processed, stored, and shared throughout an organization. Collect Importance Enables the implementation of policies, procedures, and controls that will reduce the complexities, risks, and costs associated with sensitive data. Share Information Life Cycle Process Strategy Understanding of how and where information flows through all business processes. A framework can then be established to ensure sensitive information is protected throughout the information life cycle. Store 20

21 Data Privacy Risk Assessment Understanding the Information Life Cycle Creating detailed process flows of the information life cycle provides many added benefits: Baselines current business operations including data collection and storage practices, Helps identify security and privacy controls, Reduces impact on business operations during future audits and assessments, and When used in combination with a detailed data inventory, it can help identify the scope of a potential breach in an expedient manner. 21

22 POLL QUESTION 22

23 Data Privacy Risk Assessment Framework Design Key Activities Creation of a risk catalog for the processes that collect, process, or store personal information. An overall inherit risk profile is scored for each key process. The identification and evaluation of mitigating factors are evaluated. Overall risk score for each key process is calculated that will help identify areas of data privacy risk across the enterprise Results can drive the definition of a roadmap to mitigate these risks. 23

24 Data Privacy Risk Assessment Defining the Risk Criteria Electronic Privacy Risks 24

25 Data Privacy Risk Assessment Defining the Risk Criteria Paper File Privacy Risks 25

26 Data Privacy Risk Assessment Defining the Risk Criteria Application Privacy Risks Vendor Privacy Risks 26

27 Data Privacy Risk Assessment Evaluate Inherit Risk For each process or sub-process, the inherent risks need to be evaluated. The risk criteria should be defined specific for your organization, ensuring they address all relevant data privacy risks including both paper and electronic files. The matrix below identifies how the inherent risk could be scored for each risk and unique vendor or application specific risks. 27

28 Data Privacy Risk Assessment Evaluate Risk Mitigation Techniques Through the discovery sessions, you should attempt to identify any risk mitigation factors that are in place for each data privacy risk. A risk mitigation score can be assigned including the ability to assign different scores based on the level of certainty that the risk mitigation technique is effective. The matrix below shows how a risk mitigation technique can be used to lower the inherit risk for each privacy risk factor. 28

29 Data Privacy Risk Assessment Evaluate Risk Mitigation Techniques 29

30 Data Privacy Risk Assessment Evaluate Residual Risk Taking into account the inherent risk ranking and risk mitigation techniques, an overall residual risk score can be calculated. The matrix below identifies how the overall data privacy risk score can be calculated. The overall risk score is a key factor in defining a roadmap that helps lowers the data privacy risks identified throughout the enterprise. 30

31 Contact Information Eric Dieterich Partner (786)