Auditing Security: Lessons Learned From Healthcare Security Breaches
Adam H. Greene, J.D., M.P.H., Davis Wright Tremaine LLP, Washington, D.C.
Michael "Mac" McMillan, CynergisTek, Inc., Austin, Texas
DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.
Conflict of Interest Disclosure
Adam H. Greene, JD, MPH & Michael "Mac" McMillan have no real or apparent conflicts of interest to report.
2012 HIMSS
Learning Objectives
- Discuss the most prevalent data security risks facing healthcare today
- Identify lessons learned from 2010 security breaches
- Identify best practices and practical strategies for privacy and security management
Threats to Healthcare Data
- Healthcare entities hold data of considerable value
- Increased automation and data sharing have increased existing risks and introduced new ones
- Healthcare now has a place at hacker conferences such as DefCon and Black Hat
- Patient safety, not privacy, is the new driver in healthcare data security
Threats by Industry 2011
[Chart] Source: Symantec 2011 Annual Threat Report
Outlook for 2012
- Data breaches rose by 32% in 2011
- Widespread use of mobile devices adds risk
- Despite regulations to the contrary, preventing unauthorized access to patient information is still not a priority
- Negative productivity effects and financial consequences increase directly with the number of incidents
- The number of medical identity theft cases increased as the number of incidents increased
Source: Ponemon Institute 2011
Overview of Breach Reports
- 380 large breaches reported between Sept. 2009 and Oct. 2011
- Over 30,000 small breaches reported in the same period
- Over 18 million individuals affected
Lesson 1: You should be less concerned with:
And more concerned with:
Cause of Breach (Count), Sept. 2009 to Dec. 2011

| Cause                          | Count | Share |
|--------------------------------|-------|-------|
| Theft                          | 196   | 52%   |
| Unauthorized Access/Disclosure | 75    | 20%   |
| Loss                           | 55    | 14%   |
| Hacking/IT Incident            | 26    | 7%    |
| Improper Disposal              | 20    | 5%    |
| Unknown                        | 6     | 2%    |
| Other                          | 1     | 0%    |
Cause of Breach (Affected Individuals), Sept. 2009 to Dec. 2011

| Cause                          | Individuals | Share |
|--------------------------------|-------------|-------|
| Loss                           | 7,291,355   | 40%   |
| Theft                          | 6,755,205   | 37%   |
| Unknown                        | 1,911,160   | 11%   |
| Unauthorized Access/Disclosure | 857,939     | 5%    |
| Hacking/IT Incident            | 750,195     | 4%    |
| Other                          | 344,579     | 2%    |
| Improper Disposal              | 149,398     | 1%    |
Lesson 2: The highest number of breaches involve:
a) Desktops
b) Laptops
c) Other portable devices
d) Paper
Location of Breach (Count), Sept. 2009 to Dec. 2011

| Location                         | Count | Share |
|----------------------------------|-------|-------|
| Paper                            | 100   | 26%   |
| Laptop                           | 84    | 22%   |
| Other Portable Electronic Device | 59    | 16%   |
| Computer                         | 55    | 14%   |
| Network Server                   | 39    | 10%   |
| Other                            | 21    | 6%    |
| Electronic Medical Record        | 7     | 2%    |
| E-mail                           | 7     | 2%    |
| Hard Drives                      | 3     | 1%    |
| Backup Tapes                     | 2     | 1%    |
| CDs                              | 2     | 0%    |
Location of Breach (Individuals Affected), Sept. 2009 to Dec. 2011

| Location                         | Individuals | Share |
|----------------------------------|-------------|-------|
| Other                            | 9,523,110   | 53%   |
| Laptop                           | 1,761,526   | 10%   |
| Network Server                   | 1,525,025   | 9%    |
| Computer                         | 1,310,681   | 7%    |
| Hard Drives                      | 1,200,654   | 7%    |
| Electronic Medical Record        | 1,145,285   | 6%    |
| Other Portable Electronic Device | 962,505     | 5%    |
| Paper                            | 601,993     | 3%    |
| Backup Tapes                     | 12,562      | 0%    |
| E-mail                           | 9,318       | 0%    |
| CDs                              | 7,172       | 0%    |
Lesson 3: It isn't me, it's you
Many large breaches are caused by business associates, not covered entities
Involvement of Business Associates in Breaches (Count), Sept. 2009 to Dec. 2011

| Party               | Count | Share |
|---------------------|-------|-------|
| Covered Entities    | 298   | 78%   |
| Business Associates | 83    | 22%   |
Involvement of Business Associates in Breaches (Affected Individuals), Sept. 2009 to Dec. 2011

| Party               | Individuals | Share |
|---------------------|-------------|-------|
| Business Associates | 11,216,479  | 62%   |
| Covered Entities    | 6,843,352   | 38%   |
Lesson 4: The number of breach reports remains relatively steady
[Bar chart: Number of Breach Reports per month, Sept. 2009 to Sept. 2011; y-axis 0 to 30 reports]
Lesson 5: Breaches have consequences
[News coverage] Boston Globe, www.boston.com
[News coverage] The Mercury News, www.mercurynews.com
[News coverage] HC Pro HIPAA Update, blogs.hcpro.com
"So began a nightmare that cost Mr. Tripathi's small nonprofit health consultancy nearly $300,000 in legal, private investigation, credit monitoring and media consultancy fees. Not to mention 600 hours dealing with the fallout and the intangible cost of repairing the reputational damage that followed."
Nicole Perlroth, Digital Data on Patients Raises Risk of Breaches, N.Y. Times, Dec. 18, 2011 (relating to a stolen laptop containing unencrypted records of about 13,687 patients).
2010 Annual Study: U.S. Cost of a Data Breach (Ponemon Institute)
- For the fifth year in a row, data breach costs continued to rise
- The average organizational cost of a data breach increased to $7.2 million
- Data breaches in 2010 cost their companies an average of $214 per compromised record
Five Priorities for Improving Readiness
- Conduct a thorough risk assessment; use a third party for objectivity and due diligence
- Adopt an industry-recognized information security model for measurement
- Resource and train IT security personnel and the organization for success
- Implement robust system and user activity monitoring
- Implement appropriate vendor security
Risk Analysis
- Implement regular risk analysis of the IT environment
- Assess against all reasonable threats and regulatory requirements
- Use third-party support to ensure objectivity and due diligence
- Follow a doctrinal approach to risk analysis
- Develop a detailed remediation roadmap and project plan to guide decisions
Everyone Wants To Be a Headliner!
Since 2009 we have had nearly 350+ major breaches (almost one a day in October 2011, an average of 18 major breaches a month), nearly 50K breaches of all sizes in total, and more than 18 million individual records put at risk.
- 60% encrypt mobile devices
- 50% encrypt backup tapes
- 45% encrypt media
- 39% encrypt desktops
- 35% encrypt servers/databases
Source: HealthcareInfoSecurity.com 2011
Information Security Models
- Privacy and security requirements in healthcare are complex and evolving
- HIPAA/HITECH/Meaningful Use are not information security frameworks
- Models such as NIST, ISO, HITRUST and COBIT provide an IT security governance framework that covers multiple requirements
- A recognized framework gives you something to measure assurance against and to demonstrate compliance with
- Reduces the risk of breach by reducing the chance of gaps
What Are We Waiting For?
HIPAA was passed in 2003, with an effective date of April 2005, roughly seven (7) years ago.
Asked how they would grade their organization's ability to comply with HIPAA/HITECH today:
- Roughly 40% said their organization was doing a good job
- 30% said they viewed their organization's effort as adequate
- 30% said their organization was failing or needed improvement
Source: HealthcareInfoSecurity.com 2011
Resource & Train
- Resource means: budget, tools and people
- Understand what is reasonable to do in-house versus with external support
- The overwhelming majority of breaches involve mistakes by people
- Provide tailored training to all workforce members, with periodic reminders for everyone
Resourcing Still Lags
- For three years straight (2008-2010) the HIMSS Analytics annual security survey reported that healthcare spending on security lagged behind industry averages
- The average spend on security for regulated industries is generally accepted as greater than 6% of the IT budget
- This survey unfortunately told a similar story for the fourth straight year: nearly 70% reported allocating 3% or less of the IT budget to security
Source: HealthcareInfoSecurity.com 2011
Monitoring Activity
- Recognize the different levels of criticality for monitoring: user, system, network, elevated privilege, etc.
- Recognize the scope of the problem and what is required to do it effectively
- Consider the factors that drive decisions: staff capability, separation of duties, system and data requirements, regulatory requirements
- Move from being reactive to being proactive
What We REALLY Don't Know!
Managing and tracking access to sensitive data is fundamental to every information security standard.
- The average healthcare entity has thousands of systems, applications and users, all creating millions of audit log entries
- More than 70% are still relying on manual audits and the audit functions within applications to accomplish this critical task
- Those using audit tools report a 90% drop in work effort, an exponential increase in awareness, and an equal decrease in events
Source: HealthcareInfoSecurity.com 2011
Vendor Security
- Start with both legal and security review during the selection process
- Incorporate an appropriate level of security requirements in contracts
- Request or conduct third-party review of all vendors that have direct access to, or retain, ePHI
- Detail your expectations for data security and privacy to vendors
- Have well-defined incident response plans and agreements with vendors
Don't Assume!
A large percentage of breach activity has been attributed to Business Associates. When asked about Business Associates, two glaring facts told the whole story:
- 82% of respondents ranked their confidence in their Business Associates' and subcontractors' security controls at 3 or below on a scale of 1-5, 5 being most confident
- Yet 77% relied on their Business Associate Agreement alone to compel appropriate performance, with no due diligence
Source: HealthcareInfoSecurity.com 2011
For more information
Adam H. Greene, JD, MPH, adamgreene@dwt.com, 202.973.4213
Michael "Mac" McMillan, mac.mcmillan@cynergistek.com, 512.402.8555
Questions