HIPAA Reality Check: The Gap Between Execs and IT March 1, 2016

Transcription

1 HIPAA Reality Check: The Gap Between Execs and IT March 1, 2016 Brand Barney, Security Assessor

2 Conflict of Interest Has no real or apparent conflicts of interest to report.

3 Agenda Healthcare status HIPAA Misconceptions Real World Examples Why the Gap? Analyze Risks Minimize Risks Questions

4 Learning Objectives Discuss prominent HIPAA and data security assumptions made in the healthcare industry by IT, compliance officers, executives, stakeholders, and board members Identify common struggles preventing organizations from completing crucial security improvements to sensitive patient health data. Assess an effective way to fill the communications gap between executives and IT while promoting an organizational culture of data security. Analyze how to minimize organizational data breach probability based on vulnerabilities, threats, and risks.

5 An Introduction of How Benefits Were Realized for the Value of Health IT S: 86% of employees and executives cite ineffective communication for failure in the workplace. T: 54% of patients would switch providers after a data breach. E: Healthcare still lags behind on securing upgraded technology. P: Reaching full HIPAA compliance is a fantastic thing to bring up with patients. S: Remediation costs for crime-linked data breaches of patient data are $170 per record.

6 Healthcare Status

7 HIPAA Status Disparity 89% of C-Suite believe they are HIPAA compliant Only 67% of Compliance and Risk Officers believe they are HIPAA compliant

8 Belief vs. Truth Fantasy: Healthcare is doing well in HIPAA security Reality: Most healthcare organizations have vulnerabilities in their security and don t realize it

9 Compromise is Imminent Criminal attacks in the healthcare industry have risen 125% since 2010* 80% healthcare IT leaders say systems have been compromised* *(Ponemon Institute) *2015 KPMG Healthcare Cybersecurity Survey

10 HIPAA Misconceptions

11 Myth: Firewalls are Enough Firewalls need to be updated Firewalls don t take care of all security issues Remote access software Social engineering Physical security

12 Myth: HIPAA Doesn t Apply to Me Many organizations think: They are too small Their organization doesn t have PHI Cloud-stored data is exempt HIPAA Security Rule applies to pretty much all healthcare entities

13 Myth: IT and Attorneys Have Us Covered IT professionals need additional training for security Attorneys don t have technical training

14 Myth: My Data Isn t Valuable Health data more lucrative than credit cards on black market Credit card data sells for $1 2 PHI sells for $ Easy to replace credit cards, impossible to replace social security numbers

15 Myth: Business Associates Take All Liability There s shared liability between businesses and business associates Business associates may have vulnerabilities that endanger your data

16 Myth: We re Already Doing Security HIPAA staff are mostly following Privacy Rule, but not Security Rule Staff aren t trained in security PHI can be accessed everywhere!

17 Myth: Social Engineering Isn t a Threat Social engineering targets weakest link: people! Doesn t require technical talent Hard to recognize

18 Real World Examples

19 Business Associate Target Dynacare

20 Unsecured PHI Two types of data Why your data is walking out the door

21 Social Engineering Janitor IT Service Provider EHR Build Trust

22 Why the Gap?

23 Time HIPAA will eat your time Small organizations: 200 hours annually Large organizations: 800+ hours annually Solutions: Hire outside security consultant Baby steps (prioritize based on risk)

24 Money Staff time Purchase: security tools, policies, training, etc. Solutions: Prioritize (#1 risk? What needs to be protected first?) Work it into your budget Get management support HIPAA packages (training + policies, + audit combo)

25 Training Most staff don t understand proper Security Rule practices Solutions: Train monthly instead of annually Send weekly security tip reminders Incentives!

26 Analyze Risks

27 Analyze HIPAA Risk Assess current controls Determine likelihood of occurrence Determine potential impact Determine level of risk Identify security measure/control/mitigation

28 Document PHI Flow: Data Flow Charts Simple way to identify scope and start documentation Record all devices Interview departments Observe data flow

29 Prioritize Address critical problems first Depends on your individual environment Risk Analysis and Risk Management Plan will help determine these risks

30 Train Staff Properly Monthly training meetings Incorporate HIPAA Security Rule Not just nurses/doctors, but receptionists too! Recognize social engineering

31 Secure PHI Around the Office Eliminate unencrypted PHI Screensavers Passwords after time-out Reception desks Tablets/mobile

32 Strengthen Physical Security Visitor/maintenance log Controls to limit physical access Video cameras to monitor access to sensitive areas Distinguish visitors from on-site personnel

33 Have Individual User Accounts Workforce members are not all created equal All staff should have separate user accounts Role-based access

34 Update Systems and Apps EHR Anti-virus Medical devices Operating systems Firewalls IPS/FIM/DLP

35 A Summary of How Benefits Were Realized for the Value of Health IT S: 86% of employees and executives cite lack of collaboration or ineffective communication for failure in the workplace. T: 54% of patients would switch providers after a data breach. E: Healthcare has exponentially upgraded its technology in the past five years, but still lags behind on securing that technology. P: Reaching full HIPAA compliance is a fantastic thing to bring up with patients. S: Remediation costs for crime-linked data breaches of patient data are $170 per record.

36 Questions Securitymetrics.com