11th AMC Conference The Privacy Security Partnership in Managing Risk June 22, 2015 Angel Hoffman, Dennis Schmidt, Jay Trinckes

Transcription

1 11th AMC Conference The Privacy Security Partnership in Managing Risk June 22, 2015 Angel Hoffman, Dennis Schmidt, Jay Trinckes 1

2 Session objectives Describe the respective roles and responsibilities of privacy and security, and how they can benefit by working together Explain opportunities for cross-training for enhanced effectiveness Outline a strategy for assessing and managing privacy and security risks through teamwork. 2

3 ADVANCED PARTNERS IN HEALTH CARE COMPLIANCE, LLC Angel Hoffman Phone: www. APHCcompliance.com 2014 ADVANCED PARTNERS IN HEALTH CARE COMPLIANCE, LLC 3

4 Let s Review: Where are we twelve years later? HIPAA Privacy April 2003 HIPAA EDI October 2003 HIPAA Security 2005 HITECH 2009 HIPAA Omnibus

5 Role of the Privacy Officer HITECH - created a lot of changes and stricter protections along with the Breach Notification Rule which created: Increased responsibility Increased knowledge and skills required Increased hours to handle issues during the work day HIPAA Omnibus Enforcement Rule However, it is not just about the regulations, but much more 5

6 Changes in Tasks and Activities Process development and implementation Training development and implementation Conduct online and live training for: - Board (more emphasis today) - Management (follow-up) - Staff - Others Policy development have the new policies been added to the training? 6

7 Changes in Tasks and Activities (cont.) Managing complaints/breaches have increased; use of technology to track and trend; producing reliable reports Conduct investigations have increased and there are more things to track now (breach notification more recently) Maintaining documentation and keeping all paper and electronic information available Working with other departments communication is increasingly critical and impacts: Human Resources, Quality and Information Security Reporting 7

8 State Attorney General Role External Influences HIEs newer state and federal government activity Impact of Social Media Age of the workforce 8

9 Partnering with the Security Officer managing risks in the medical information realm takes effective teamwork. The Privacy Officer must partner with the Security Officer in order to have a successful program. Sharing of information is not always easy, but when we work collaboratively vs. in silos the organization succeeds and this leads to better outcomes. And as we all know now You cannot not have privacy without security! 9

10 Roles of a Chief Information Security Officer Dennis Schmidt Assistant Dean for Information Technology HIPAA Security Officer 10

11 University of North Carolina Nation s first public university, chartered ,000 students 3,600 faculty Number of servers: Unknown, but it s a lot!!! 5% or campus is protected by firewall Block 87 million unwanted connections weekly IPS blocks 5.1 million malicious threat events 11

12 UNC School of Medicine 1,500+ Faculty 720 Medical Students 700 Graduate Students 3000 Staff ~1,000 servers 98 Server administrators (Self identified) 47 different O/S s (Self reported) 12

13 CISO Job Description Primarily responsible for all ongoing activities related to the availability, integrity and confidentiality of patient, provider, employee, and business information in compliance with the healthcare organization's security policies and procedures, regulations and law. Could report to: CIO Chief Compliance Officer Chief Risk Manager Qualifications: BS/BA, usually in related field Certifications: CISSP, GSEC, PMP.. 13

14 Desired Soft Skills Manager Supervises the security team Author Writes security policies Drafts or edits incident reports Teacher Formal HIPAA Training Security Presentations Security Bytes/Tips of the Week Mentor Leads by Example 14

15 More Soft Skills Collaborator Seeks input from the community while developing policies Protector Develops environment to keep the bad guys out Consultant Advises customers on best practices Enforcer Blocks bad practices Firm but fair Visionary Looks ahead for solutions to new threats 15

16 Undesired Traits Dictator Sets policies without collaborating or consulting with affected users My way or the highway Isolationist Fails to communicate with community Do what I say, not what I do 16

17 Privacy and Security Collaboration HIPAA Training BAAs Investigation support The 4 item test Knowledge sharing 17

18 18

19 New Role: Chief Information Privacy & Security Officer (CIPSO) Privacy/Security are so intertwined Executive Level Position Approved by the Board of Directors with a direct line of communication to BoD Demonstrates the commitment of organization to Privacy/Security As related to HIPAA, would be responsible for all Privacy Rules and Security Rules (which is a subset of the Privacy Rules) 19

20 Build a Culture of Privacy/Security People are weakest link Top Down Approach; emphasize importance of privacy/security Assign CIPSO; Delegate Authority to Carry Out Role 20

21 People Concerns Current Threats Social Engineering art of convincing someone to do something that may not be in their best interest Being too helpful giving more information away than is necessary 21

22 Real World Examples: Physical Breach obtaining unauthorized physical access Targeted Phishing Attacks wire transfer requests that appear to come from CEO Limit information available on-line Malicious Software unaware users clicking on links; opening unsolicited attachments 22

23 Administrative Safeguards Four Tenants of Information Security - CIAP Confidentiality Integrity Availability Privacy 23

24 Policies/Procedures Must be implemented Staff must be aware of existence Must be easy to follow Must be relevant 24

25 Physical Safeguards First Line of Defense Castle Scenario layers of defenses Security Rule: If someone is able to gain physical access to a system, the system no longer belongs to the organization. 25

26 Real World Examples: Cipher Locks on doors numbers worn; view over shoulder Key Logging/USB Devices Boot to CD/USB Drive; BIOS flaws Monitor Locations System Locks password screen savers 26

27 Technical Controls Weak Passwords user controlled No amount of security can prevent against weak passwords Authentication Process limited by application developers Need to consider multi-factor authentication; Stronger authentication methods Encryption not all encryption is the same SSL Encryption flawed (HeartBleed, FREAK, weak pseudo-random generators) 27

28 System Logging Activities There are only two types of companies: those that have been hacked and those that will be. Former FBI Director Robert Mueller And once you are hacked, would you even know? User Activity Logging; Suspicious Activities; Security Incident Event Management (SIEM) Solutions; Intrusion Detection/Intrusion Prevention Solutions 28

29 Group Discussion 29