AGENDA HIP Ho AA w i rivacy d The B reach Happen? I P nc AA Secu dent R rit esp y o nse Corrective Action Plan What We Learned ACRONYMS USED

Transcription

1 Michael Almvig Skagit County Information Services Director 1 AGENDA 1 2 HIPAA How Did Privacy The Breach Happen? HIPAA Incident Security Response 3 Corrective Action Plan 4 What We Learned Questions? ACRONYMS USED PHI Protected Health Information ephi Electronic Protected Health Information NIST - National Institute of Standards 1

2 Module 1 Skagit County in May of 2011 Receipts Document Management System Web Synchronization Process Public Web Site 1) Skagit County was scanning receipts into the Document Management System 2) Some receipts were moved to the public web site for citizen view Module 1 Skagit County in May of 2011 Receipts Document Management System Document Management System Features 1) Has capability of defining security by document 2) Full Records Management Functions Web Synchronization Process Public Web Site Web Synchronization Process 1) Looks for and moves documents marked Public 2) Can block a document type Called Template 3) Synchronizes Left to Right Module 1 Skagit County in Summer of 2011 Receipts Document Management System Web Synchronization Process Public Web Site Medical Receipts containing PHI get scanned into system Receipts are tagged with the Correct Security Settings (non- Public) 2

3 Module 1 Skagit County in September of 2011 Receipts Web Synchronization Process Document Management Public Web Site System Performance on document management system degrades significantly Synchronization process assumes Contact Vendor to determine cause that files have been deleted from the System reboots become a common Document Management system and event deletes documents from Public Web It takes weeks to resolve Site Module 1 Skagit County in September of 2011 Receipts Public Web Site Staff Work to move files to Public Web Site and Fix Synchronization Issue But, they did not know there was ephi in system and did not validate document security! Module 1 Skagit County in September of 2011 Receipts Public Web Site Documents are actually copied to an FTP directory on the Public Web Site which displays them through searches Skagit County Wrote In theory, this would not have caused the breach as our search tools would not have displayed the receipts. BUT! 3

4 Module 1 Skagit County in September of 2011 Receipts Google was crawling our FTP Directory with what is known as a spider All Documents in the FTP folder are being indexed by Google search Module 1 September 28 th, 2011 September 28 th, 2011 Module 2 Incident Response 4

5 Module 2 Incident Response Module 2 Incident Response Skagit County establishes an Incident team immediately 1. Senior Management Notified Day of Incident 2. Engages Senior Engineer to review log files of Public Web Server 3. Initiates Eradication of document links from Google Search --- What a log file looks like :22: [ ]sent /records/lfdocs/health/00/01/0b/00010b67.pdf Module 2 Incident Response Management Team meets October 6 th, Establishes a team to work to remove links from Google 2. Team consists of following departments 1. Health 2. Records 3. Civil Attorney 4. Information Services 5. Human Resources 5

6 Module 2 Incident Response The Google Nightmare Google supplies a form to get records removed After about 300 records per day It takes two weeks for Skagit County Employees to clear the Google cache! Module 2 Incident Response Incident Response Team Technical Management Google Document Cache Re-architect FTP Site & Search Stabilize the Document Management System Overall Incident Oversight Letter to Google Legal Public Information Web Breach Notification Letters Module 2 Incident Response 11/8/2011 This is the last date that we actively work the incident. Technology has been addressed Public Notification has been done Breach Letters have been sent 6

7 Module 2 Incident Response We Are DONE! Module 2 Department of Health and Human Services Skagit County gets a call from HHS on 1/12/2012 Letter received May 25 th,

8 Mitigation Brought in contractor Risk Assessment/Mitigation Delivered a Risk Assessment Document Delivered a Risk Mitigation Document Created two Resolutions R Resolution naming a security/privacy official R Declaring Skagit County a Hybrid Organization Working on new Security Policy and Standards Classification of Data Take a look at State of Washington Policies/Standards 8

9 Module 3 Corrective Action Plan Corrective Action Plan C Contract with US Department of Health and Human Services. A. Provide Substitute Breach Notification Complete B. Accounting of Disclosures Complete C. Hybrid Entity and Business Associate Documentation Complete D. Security Management Process Complete E. Complete and Update Policies/Procedures Complete May 15, 2016 F. Training Next Phase G. Reportable Events H. Annual Reports Corrective Action Plan Corrective Action Plan (Contract C ) A. Provide Substitute Breach Notification to Affected Individuals Not Previously Notified. Note: HHS came up with a different number of affected individuals than we did. We had to send breach letters to about 1,500 more individuals. B. Accounting of Disclosures 9

10 Corrective Action Plan Corrective Action Plan (Contract C ) C. Hybrid Entity and Business Associate Documentation Note: Skagit County created and entered into Business Associate Agreements with dozens of our provider and contractors. Corrective Action Plan Corrective Action Plan (Contract C ) D. Security Management Process Notes: We did a risk assessment and analysis prior to the implementation of the Corrective Action Plan. We spent approximately $40K for this analysis. This generated many punch list items. We had to do a NEW risk assessment as part of the CAP. HHS asked that we use their tool for that analysis. I recommend using the NIST standard for risk assessment, it is straight forward and easy to understand, BUT NOT accepted by HHS. Corrective Action Plan Corrective Action Plan (Contract C ) D. Security Management Process - Continued Notes: We had some intense discussions with HHS during this phase: Emergency Operations Encryption 10

11 Corrective Action Plan Corrective Action Plan (Contract C ) E. Create and Update Policies and Procedures Notes: HHS approved all but 5 items in our Policies and Procedures /14/2016 Corrective Action Plan Next Phases F. Training Train Workforce Workforce members certify in writing they receive training (Documentation to HHS) G. Reportable Events Investigate any and all security events Report to HHS H. Annual reports Summary of Security Management Measures Summary of Reportable Events Attestation signed by officer of County Module 4 What We Learned 11

12 Lessons Learned Involve Risk Management There are Costs to breaches What is the cost of a breach? Estimated at $3 per record Plus fines if they apply. Worth having a discussion with your team of the cost of breach versus the cost of implementing security measures. Risk Management is your Friend! 34 Lessons Learned Classify Information Data Classification Classify Data & Service Example Electronic Messaging Services is rated to process Category 2 data and below. Category 2 Sensitive Information Sensitive information may not be specifically protected from disclosure by law and is for official use only. Sensitive information is generally not released to the public unless specifically requested. Lessons Learned Data Classification Approved by HHS 4/14/2016 Category 1 Public Information Public information is information that can be or currently is released to the public. It does not need protection from unauthorized disclosure, but does need integrity and availability protection controls. Category 2 Sensitive Information Sensitive information may not be specifically protected from disclosure by law and is for official use only. Sensitive information is generally not released to the public unless specifically requested. Category 3 Confidential Information Confidential information is information that is specifically protected from disclosure by law. It may include but is not limited to: Personal information about individuals, regardless of how that information is obtained. Information concerning employee personnel records. Information regarding IT infrastructure and security of computer and telecommunications systems. Category 4 Confidential Information Requiring Special Handling Confidential information requiring special handling is information that is specifically protected from disclosure by law and for which: Especially strict handling requirements are dictated, such as by statutes, regulations, or agreements. Serious consequences could arise from unauthorized disclosure, such as threats to health and safety, or legal sanctions. 12

13 Lessons Learned - Sample Policy Automatic Logoff Format [HIPAA] This section complies with 45 CFR a2iii Automatic Logoff [CJIS] Complies with Policy Area 5: Access Control, Section 5.5.5, Session Lock of the CJISSP. (1) Departments are required to make their information systems, inaccessible by any other individual when unattended by cleared employees. Use of a password protected screen saver or logging off the system are acceptable methods to meet this requirement. (2) Employees, contractors and volunteers shall manually lock, logoff or shutdown their computer workstations, when they are leaving their workspace for an extended period of time. (3) Information systems automatically lock user screens after twenty (20) minutes of inactivity, with the following exceptions: (a) Workstations or monitors that are used to provide real-time display of video surveillance, court dockets or other monitoring and are not running Category 2 or higher data do not require a screen lock. (b) In order to ensure effective administration of justice, judicial workstations operated by Judges, Commissioners or Clerk staff in Skagit County courtrooms during court proceedings shall automatically lock after three (3) hour of inactivity. Data Categorization responsibility matrix Item Cat1 Cat2 Cat3 Cat4 Responsible 1 X X X X Departments/IT/Risk 2 X X X X Departments/IT/Risk 3 X X X X Departments/IT/Risk Lessons Learned Administrator Passwords Restrict use of Elevated privileges Since making this change we have NOT seen a virus or malware activate! Lessons Learned Change Management Change Management Change management is about communicating changes that are being made to the environment. 13

14 Lessons Learned Incident Management Since Implementing Incident Management No HIPAA or Criminal Justice Security Incidents Security Incidents 1) Account Compromise on Web Site 2) Alert on Exploit.kit.angler download 3) Attempted Malware archive Download 4) Plain text passwords for security passwords 5) Possible Compromised Accounts 6) Denial of Service on WiFi system Security Incidents 1) Compromise of Account Password 2) Compromise of Account Password 3) Risk or Potential Data Breach in State System 4) Potential Trojan Virus on GIS Workstation Lessons Learned Incident Management Uncovered compromised passwords on Cloud Web sites Intelligence from State Security Operations Center Homeland Security Determined it was an auto parts store site Found unencrypted County Purchase Card information on site Lessons Learned Patch Management Patch Management is a critical element of your security portfolio! Someone needs to be working on this all the time. Patches come out weekly The bad guys exploit unpatched systems Attacks are more sophisticated Bad guys drop a payload that runs through dozens of known vulnerabilities Once one works They have you 14

15 Lessons Learned Vendor Management Recent Security Audit We gave them our soft underbelly Penetration Testing on 7 systems All 7 had vulnerabilities One had 15 distinct vulnerabilities SQL injection Lessons Learned Vendor Management Need to address security up front with vendors Request for Proposals Contract There is no specific standards in place for vendor security application testing Lessons Learned Security Awareness Training People are a weak link in any security program You can not firewall stupid M.K. Hamilton 2015/2016 All employees required to take Security Awareness Training Used SANS Securing the Human (inexpensive) 2017 We plan to do a phishing campaign training 15

16 Other Areas of Mitigation Working several technical initiatives Vulnerability and Assessment scanning Encryption to servers that hold ephi Audit Trails Backup Strategy Questions 16