DATA SECURITY HACKS, HIPAA AND HUMAN RISKS

Transcription

1 DATA SECURITY HACKS, HIPAA AND HUMAN RISKS MSCPA HEALTH CARE SERVICES SEMINAR Ken Miller, CPA, CIA, CRMA, CHC, CISA Senior Manager, Healthcare HORNE LLP September 25, 2015

2 AGENDA 2015 The Year of the Healthcare Breach The Human Risk Social Engineering Resistance Technical Controls OCR Enforcement - What s Next? Settlements and Fines The Rest of the Story Priority Action Steps Questions 2

3 The Year of the Healthcare Breach 2015 The Year of Healthcare Data Breaches Anthem Blue Cross January 80 million records Premera Blue Cross March 11 million records CareFirst Blue Cross Blue Shield - May million records UCLA Health System July- 4.5 million records Excellus Blue Cross Blue Shield - September 10 million records Who will be next? 3

4 The Year of the Healthcare Breach Why? Value of medical information is worth 10 to 20 times the value of a stolen credit card. Credit card numbers can be had for a dollar or two, healthcare billing data can go for $10 some sites even offer records for up to hundreds of dollars. What s the difference? Banks have developed sophisticated antifraud technology and credit card life span post theft is limited. A Medicare number may yield more payback before it can be stopped. 4

5 The Year of the Healthcare Breach How? Sophisticated hacking techniques. This terminology is commonly used in the aftermath of a hack. This seems to imply that resistance was futile. The hackers armed with advanced technology and persistence would eventually crack any defenses. Or did they just get the house key out from under the rug? 5

6 The Human Risk Many sophisticated hacks are not aimed at the network defenses trying to break through firewalls or sneak in open ports. They are aimed at employees a perceived soft target. Sophisticated fake websites and scams are targeted at employees to steal credentials. Hackers can research targets on LinkedIn, Facebook target IT staff with privileged access. If they take the bait and give up their credentials, the hackers can just log right in. 6

7 The Human Risk Chinese Hacking Group Deep Panda is a suspect group based on prior similar attacks. Hackers are behind the registration of websites such as: ( A play on Anthem s former name Wellpoint) (A play on Premera) These websites are then used in social engineering attacks to create fake portals to try and lure employees to give up their network or application credentials. 7

8 Social Engineering Resistance What is Phishing? An attempt to acquire sensitive information such as credit card or bank information or user ID and passwords to systems for malicious reasons by creating the illusion of trust May be May be website May be a combination of both 8

9 Social Engineering Resistance 9

10 Social Engineering Resistance What does a phishing message look like? Logos Source: Microsoft Safety and Security Center: 10

11 Social Engineering Resistance 5 most dangerous subjects: 1. Invitation to connect on LinkedIn 2. Mail delivery failed: returning message to sender 3. Dear <insert bank name here> Customer 4. Comunicazione importante 5. Undelivered Mail Returned to Sender Source: McAfee Security: 11

12 Social Engineering Resistance What is Baiting? An attempt to infiltrate networks by using a person s curiosity against them by means of a bait device (a USB drive or CD/DVD) that contains malicious software ( malware ). When devices are plugged in they will attempt to load their files onto the PC and network. Hot Hot Hot Hacked Celebrity Cellphone Pics 12

13 Social Engineering Resistance What is Pretexting? A scam or hack using a lie as a basis of gaining trust or to be perceived as having authority to influence someone to divulge information or take an action beneficial to the scammer or hacker. Hi, this is Bob in IT, we are doing an update and I need you to authorize a remote session and log in to this portal using your ID and password -Spoken in a heavy accent calling from a unknown caller ID 3 13

14 Social Engineering Resistance What to do? Security Awareness Training Make sure content is thorough Tell workforce what to watch for, who to contact when in doubt Tell workforce what the company will and won t do Make the workforce a hard target Accountants this is not just for your healthcare clients if you have signed a BAA with a client, HIPAA expects you to have security training, too. 14

15 Technical Controls Technical controls for hack resistance Firewalls have hardware based firewalls that are kept patched with current firmware versions and are currently supported by the vendor. Intrusion Prevention Systems some firewalls have intrusion prevention features and others do not. Additional tools and appliances may be needed for full protection. Configure alerts and monitoring on the network traffic. Pre-hack conduct scans and vulnerability reviews and mitigate findings. 15

16 Federal HIPAA Oversight Enforcement U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is the enforcement agency for HIPAA. Performs investigations of reported breaches Levies civil money penalties for failures to comply with HIPAA provisions OCR HIPAA Compliance Audit Program Phase 2 It is still coming, has been lingering but 2016 appears to be the year Contracts have been let with audit firm FCi Federal Business Associates will be included in this Phase 16

17 Federal HIPAA Oversight OCR HIPAA Compliance Audit Program Phase 2 More defined scope than Phase 1 Business Associates Phase 2 Focus Areas Risk Analysis & Risk Management Breach reporting to covered entities Covered Entity Phase 2 Focus Areas Notice of Privacy Practices, individual access, breaches Risk Analysis & Risk Management Training programs Device and media controls Transmission security 17

18 Federal HIPAA Oversight OCR HIPAA Compliance Audit Program Phase 2 Later focus areas mentioned maybe 2017 and beyond Covered Entity Phase 2 Focus Areas Encryption and decryption Facility access controls Breach notification reports and complaints Policies Poor Audit results could result in referrals for investigations,which can lead to settlements and penalties, such as 18

19 $150,000 Dollar Settlement Anchorage Community Mental Health Services Settlement released in December 2014 Incident occurred in 2012 What Happened? Malware infiltrated the providers network and compromised the data of 2,743 patients. What Were the Findings? Failed to implement appropriate technical safeguards to ensure data security, specifically firewalls and patching of systems Failed to properly perform a Security Risk Assessment, failed to fully implement sample policy set 19

20 $218,400 Settlement St. Elizabeth Medical Center Settlement released in July 2015 Initial incident occurred in June 2012, another in August 2014 What Happened? A complaint in 2012 stated that 498 patients data was being stored improperly on internet sharing sites. In 2014 SEMC reported a breach of 595 patients who were on a former employees personal laptop and USB drive. What Were the Findings? Failed to implement appropriate security measures on transmission and storage of PHI Failed to properly respond to a known security incident SEMC must assess awareness and compliance with policies that means you cardiology. 20

21 $750,000 Settlement Cancer Care Group, P.C. Settlement released in September 2015 Incident occurred in August 2015 What Happened? A laptop bag was stolen from an employee s car. Good news - the laptop did not contain PHI. Bad news the unencrypted back up of the server that was in the bag had all past and present patients PHI, around 55,000 patients. What Were the Findings? Failed to conduct a security risk assessment from 2005 to 2012, no policy for removal of hardware and media Disclosed 55,000 patients data to an unauthorized person for an impermissible purpose when it failed to secure the backup media CCG must complete a risk assessment, implement a risk management plan and review and revise policies and training program. 21

22 Large Breaches to Date in Mississippi As noted in the OCR large breach database: MS has only 7 breaches reported since theft of desktop computer 1,104 patients 1 loss of laptop 500 patients 1 hacking or IT Incident 1,489 patients 1 theft of an other device 3,750 patients (X rays stolen for silver content) 1 theft of paper/films 1,797 patients 1 improper disposal of paper/films - 19,000 patients 1 theft of electronic medical record 846 patients 22

23 PRIORITY ACTION STEPS

24 Action Steps Conduct and keep current a Security Risk Assessment covered entities and business associates Develop a security risk management program Use encryption tools when needed - laptops, , storage devices Develop a Security Training Program that covers social engineering resistance (on top of basic security content passwords, etc.) Conduct technical reviews such as vulnerability scans Evaluate current use or need for intrusion prevention tools, data leakage prevention tools as part of technical defenses 23

25 QUESTIONS AND COMMENTS?

26 HOW CAN HORNE HELP? HORNE can assist with: Security Risk Assessments HIPAA Program Compliance Gap Analysis (Privacy & Security Rule) Policy and Procedure Implementation or Review Technical Reviews For more information on this content, please contact: Ken Miller, CPA, CIA, CRMA, CHC, CISA HORNE LLP Telephone: