PREP Course # 20: HIPAA Security Presented by: Joe Baskin, Manager, Information Security

Transcription

1 PREP Course # 20: HIPAA Security Presented by: Joe Baskin, Manager, Information Security 1

2 CME Disclosure Statement The Northwell Health adheres to the ACCME s new Standards for Commercial Support. Any individuals in a position to control the content of a CME activity, including faculty, planners, and managers, are required to disclose all financial relationships with commercial interests. All identified potential conflicts of interest are thoroughly vetted by the Northwell Health for fair balance and scientific objectivity and to ensure appropriateness of patient care recommendations. Course Director and Course Planner, Kevin Tracey, MD and Tina Chuck, MPH have nothing to disclose. Joe Baskin is the speaker and has nothing to disclose. 2

3 Objectives Discuss hot topics in cyber security and database security. 1.Cyber Security 2.Encryption 3.Social Engineering 4.Cloud Storage 5.Mobile Security 6.Application / Database Security 3

4 Drivers 4

5 Cyber Security Agenda What is Cyber Security? Industry Statistics Sources and Types of Cyber Attacks 5 5

6 Cyber Security What is Cyber Security? Cyber security refers to the technologies and processes designed to protect computers, networks and data from unauthorized access, vulnerabilities and attacks delivered via the Internet by cyber criminals. A cyber attack is an attempt to damage, disrupt, or gain unauthorized access to a computer, computer system, data or electronic communications network. A cyber crime is the illegal use of computer technology and the Internet, e.g. Target credit card breach (~110M records), CA Health System unencrypted laptop loss (~729K records). 6 6

7 Healthcare Data Breach Statistics Top 2015 Healthcare Breaches Anthem 78.8M Premera Blue Cross 11M Excellus 10M Community Health 4.5M MIE 3.9M CareFirst 1.1M *Source: US Department of Health & Human Services Office for Civil Rights as of December 31, 2015 for Breaches of 500 records or greater 7 7

8 Cyber Security Patient Records Breached per Day (avg.) Medical record data is worth $50 on the black market. Much more than Social Security numbers ($3), credit card information ($1.50), date of birth ($3), or mother's maiden name ($6). Sources: 1. DHC: EHR Data Target for Identity Thieves - MedPage Today - 12/07/

9 Cyber Security Primary Causes of Breaches Source: 9 9

10 Cyber Security Sources & Types of Cyber Attacks Malware & Malicious Code (Viruses, Worms, Ransomware) software that is intended to damage or disable computers and computer systems. Botnets a network of private computers infected with malicious software and controlled as a group without the owners' knowledge. Phishing Phishing is an fraud method in which the perpetrator sends out legitimate-looking in an attempt to gather personal and financial information from recipients Web based attacks means by which malicious code exploits a system's security safeguards. Denial of Service attack on a computer system or website, aimed at disrupting its normal functionality. Malicious insiders malicious threat that comes from people within the organization such as employees, former employees, contractors or business associates

11 Information Security Myths versus Reality Myth: If I have antivirus software installed, I m safe. Reality: Antivirus software may be installed but it might not be up to date with the latest virus definitions. Myth: I don't need to worry; I have no vital documents or PHI on my personal computer, just music, photos, and videos. Reality: Hackers are increasingly focused on personal computers, regardless of their contents. Your pc may have nothing, but it is connected to a network that does. Like real viral infections that spread, malware can too. 11

12 Information Security Myths versus Reality Myth: Cybercrime isn't any worse now than it s been in the past. Reality: Cybercrime is up sharply in the last year. Experts have noted staggering growth in the number and sophistication of attacks home/work computers are now the weak point. Myth: I would know if I had a virus on my computer. Reality: Most viruses and malware don't slow down or crash your computer. It may surprise you to learn that most people who have a virus or malware have no idea they ve been compromised. 12

13 IT Safeguards at Northwell Health IT Security Safeguards Perimeter Controls and Firewall Technologies that protect against external threats. Mobile device protection (Encryption) for phones, tablets and portable devices. Antivirus and Anti-spam to protect computers, laptops and servers. Intrusion Detection/Prevention that inspects dataflow sending alerts of potential threats. Security Event Monitoring to proactively detect suspicious activity. Patient Privacy Monitoring and Application Breach Detection to detect suspicious activity on our clinical applications. Segregated Cardholder Data Environment providing an additional layer of security for payment transactions. Employee Training & Awareness Annual Compliance Training throughout the Health System on proper security and privacy practices. Security Awareness and Alerts published on the employee intranet. Periodic security reminders, alerts, newsletters and posters

14 Encryption What is Encryption Encryption is a method to keep your personal information secure. Encryption scrambles the information you send over the internet into a code so that it s not accessible to others. How to Tell If a Website is Encrypted To determine if a website is encrypted, look for https at the beginning of the web address (the s is for secure). When completing online transactions, some websites use encryption only on the sign-in page, but if any part of your session isn t encrypted, your entire account could be vulnerable. Therefore, look for https on every page you visit. 14

15 Laptop and Removable Media Encryption 1. All Laptops must be encrypted 2. Confidential information must not be saved on removable media such as CDs, DVDs, and USB flash drives unless also absolutely necessary and then you must encrypt them! 3. Follow Health System policies for Encryption ( Data Encryption and Integrity) Handling media ( Device and Media Control) Disposal of media ( Equipment Disposal) Handling of PHI ( Release of Protected Health Information for Living Patients) 4. If you need assistance with encryption or disposal, please call the IS Help Desk! 15

16 Phishing What is Phishing? This is a psychological attack via designed to trick you into giving up information or taking an action. What does a typical attack look like? An attack begins with a cyber criminal sending a message pretending to be from someone or something that you know, such as a friend, your bank or a well-known store. These messages then entice you into taking an action, such as clicking on a malicious link, opening an infected attachment, or responding to a scam. 16

17 Phishing What is Spear Phishing? Spear phishing is a targeted attack to a few select individuals. Cyber attackers research their intended targets, such as by reading the intended victims LinkedIn or Facebook pages, messages posted on public blogs or published journal articles. Why should I Care? You may not realize it, but you are a target at work and at home. Your data is worth a tremendous amount of money to cyber criminals, and they will do anything they can to hack your devices to get at it. YOU are the most effective way to detect and stop phishing. 17

18 Phishing A Check addresses B Generic Salutation Anatomy of a phishing C Grammar or Spelling Mistakes D Immediate Action E URL Link F Suspicious Attachment 18

19 North Shore LIJ Phishing Attack Aug 2015 When Access the documents here was clicked, users were presented with the following screen: Recognize Red Flags Never provide personal or sensitive info when requested via 19

20 20

21 Cloud Computing What is Cloud Computing? Information processing residing on remote systems maintained by a third-party vendor, and accessed from the Internet. What is our policy for Cloud Based Storage? Internet/Cloud based storage must not be used to store or disseminate Sensitive and Highly Sensitive information such as PHI or PII without proper approval processes that include IT Contracts, Office of Procurement, OCIO Security, and Research Administration when appropriate. Users must follow proper procedures by saving Sensitive and Highly Sensitive information on a shared drive. 21

22 Save it to your Network Drive 1. Confidential information should be saved on your network home drive or a shared drive designated for this purpose. Files are physically secured in our corporate data centers Files are backed up regularly and can be restored Limited access 2. Your network home drive can only be accessed by you. 3. Shared drives set up for confidential information allow users to collaborate and share files only with those users specifically granted access Need a shared drive? Call the IS Help Desk or request one on the Employee Intranet 22

23 Local Drives 1. Confidential information must not be saved on local hard drives except when necessary,. 2. Your C: drive is your local drive which is in your computer 3. Local drives have: Less physical security Are not backed up May be accessible to others that use your computer 4. Shared computers are common throughout the Health System, but you should not save files to your local drive unless absolutely necessary Note where you save the file Delete and empty your recycle bin when done with the file 23

24 Mobile Devices Risks to Health Information Risks vary based on the mobile device and its use. Risks include: A lost or stolen mobile device Inadvertently downloading viruses or other malware Unintentional disclosure to unauthorized users Encryption is required! 24

25 Take the Steps to Protect and Secure Health Information When Using a Mobile Device Protect and secure health information when using mobile devices In a public space On site At a remote location Regardless of whether the mobile device is Personally owned, bring your own device (BYOD) Provided by our organization Securely dispose of USB drives and other media that may contain PHI Call the Help Desk for assistance 25

26 Mobile Devices & Health Information Sharing your mobile device password or user authentication Allowing unauthorized users on your device Storing or sending unencrypted health information with your mobile device Ignoring mobile device security software updates Downloading applications (apps) without verifying they are from a trusted source Leaving your mobile device unattended Using an unsecured Wi-Fi network Discarding your mobile device without first deleting all stored information Ignoring our mobile device policies and procedures 26

27 Bring Your Own Device (BYOD) What is BYOD? Any non-northwell Health device owned by a workforce member that is used for business purposes. Examples include personal laptops, smartphones, or handheld devices. Securing Mobile Devices Enable Encryption Use Passcodes Avoid SMS Phishing Update Your Devices Use Mobile Applications Wisely Limit Your Use of Bluetooth 27

28 Application and Database Security What is Database Security? The practice of providing security controls for applications and databases such as REDCap, BUDDY, and other applications that have been approved by Information Security. Security controls include: Limited access to systems (Role Based Access) Strong password usage Secure central network storage of data Monitoring of database systems and audit logs Isolate Production data to production environments 28

29 Application and Database Security Limited access to systems (Role Based Access) 1. Define user roles Administrator (full access read, write, delete) Editor (read, write) Reviewer (read only) 2. Access rights should be granted to a group, then place the user in the appropriate group. 29

30 Application and Database Security Strong Password Usage 30

31 Application and Database Security Strong Password Usage 1. Avoid "leet speak" equivalents ( Joseph" becomes "J0s3ph") 2. The Northwell standard for application passwords Setting Minimum password length Password complexity Standard 6 characters (8 recommended) Passwords should contain characters from at least three of the following 4 categories: Lower case letter [a z] Upper case letter [A Z] Numeric [0 9] Special character # $ % ^ & * ( ) _ + ~ - = \ ` { } [ ] : " ; ' < >?,. / space] Password expiration 90 days History (generations) 12 Lockout threshold Five (5) consecutive failed login attempts within 15 minutes result in a user s account being locked. 31

32 Application and Database Security Physical security for server infrastructure 1. Locked room or cage 2. CCTV 3. Record access to room Log book ID card reader 4. Never allow anyone unattended 5. Backup media must be secured (and encrypted) 32

33 Application and Database Security Secure central network storage of data 1. Encrypt! Encrypt! Encrypt! Encrypt the storage system Full disk encryption Encrypt the database Build in or 3 rd party tools can provide DB encryption Encrypt tables within the database Encrypt tables that might contain ephi or sensitive or confidential information 33

34 Application and Database Security Monitoring of systems and audit logs 1. Monitoring and review of audit logs is required to maintain the integrity of the data 34

35 Application and Database Security Example of a REDCap audit log 35

36 Application and Database Security Isolate Production data to production environments 1. Development, test and QA environments should not have production data Developers, vendors, other 3 rd parties should not see ephi 2. Use de-identified or dummy data for development work 3. If a vendor or other 3 rd party requires access to production a Business Associates Agreement (BAA) must be in place 36

37 For More Information Have questions? Call the IS Helpdesk at (718, 516, 631) Research IS questions? Get IT Security tips: See Northwell Health Security Policies: Office of Research Compliance guidance on electronic security: Tools and Guidance Electronic Security Ashish Narayan: Director, Information Systems, FIMR Joe Baskin: Manager, Information Security, OCIO 37

38 38