HIPAA Reality Check: The Gap Between Execs and IT March 1, 2016

HIPAA Reality Check: The Gap Between Execs and IT March 1, 2016 Brand Barney, Security Assessor

Conflict of Interest Has no real or apparent conflicts of interest to report.

Agenda Healthcare status HIPAA Misconceptions Real World Examples Why the Gap? Analyze Risks Minimize Risks Questions

Learning Objectives Discuss prominent HIPAA and data security assumptions made in the healthcare industry by IT, compliance officers, executives, stakeholders, and board members Identify common struggles preventing organizations from completing crucial security improvements to sensitive patient health data. Assess an effective way to fill the communications gap between executives and IT while promoting an organizational culture of data security. Analyze how to minimize organizational data breach probability based on vulnerabilities, threats, and risks.

An Introduction of How Benefits Were Realized for the Value of Health IT S: 86% of employees and executives cite ineffective communication for failure in the workplace. T: 54% of patients would switch providers after a data breach. E: Healthcare still lags behind on securing upgraded technology. P: Reaching full HIPAA compliance is a fantastic thing to bring up with patients. S: Remediation costs for crime-linked data breaches of patient data are $170 per record. http://www.himss.org/valuesuite

Healthcare Status

HIPAA Status Disparity 89% of C-Suite believe they are HIPAA compliant Only 67% of Compliance and Risk Officers believe they are HIPAA compliant

Belief vs. Truth Fantasy: Healthcare is doing well in HIPAA security Reality: Most healthcare organizations have vulnerabilities in their security and don t realize it

Compromise is Imminent Criminal attacks in the healthcare industry have risen 125% since 2010* 80% healthcare IT leaders say systems have been compromised* *(Ponemon Institute) *2015 KPMG Healthcare Cybersecurity Survey

HIPAA Misconceptions

Myth: Firewalls are Enough Firewalls need to be updated Firewalls don t take care of all security issues Remote access software Social engineering Physical security

Myth: HIPAA Doesn t Apply to Me Many organizations think: They are too small Their organization doesn t have PHI Cloud-stored data is exempt HIPAA Security Rule applies to pretty much all healthcare entities

Myth: IT and Attorneys Have Us Covered IT professionals need additional training for security Attorneys don t have technical training

Myth: My Data Isn t Valuable Health data more lucrative than credit cards on black market Credit card data sells for $1 2 PHI sells for $20 200 Easy to replace credit cards, impossible to replace social security numbers

Myth: Business Associates Take All Liability There s shared liability between businesses and business associates Business associates may have vulnerabilities that endanger your data

Myth: We re Already Doing Security HIPAA staff are mostly following Privacy Rule, but not Security Rule Staff aren t trained in security PHI can be accessed everywhere!

Myth: Social Engineering Isn t a Threat Social engineering targets weakest link: people! Doesn t require technical talent Hard to recognize

Real World Examples

Business Associate Target Dynacare

Unsecured PHI Two types of data Why your data is walking out the door

Social Engineering Janitor IT Service Provider EHR Build Trust

Why the Gap?

Time HIPAA will eat your time Small organizations: 200 hours annually Large organizations: 800+ hours annually Solutions: Hire outside security consultant Baby steps (prioritize based on risk)

Money Staff time Purchase: security tools, policies, training, etc. Solutions: Prioritize (#1 risk? What needs to be protected first?) Work it into your budget Get management support HIPAA packages (training + policies, + audit combo)

Training Most staff don t understand proper Security Rule practices Solutions: Train monthly instead of annually Send weekly security tip reminders Incentives!

Analyze Risks

Analyze HIPAA Risk Assess current controls Determine likelihood of occurrence Determine potential impact Determine level of risk Identify security measure/control/mitigation

Document PHI Flow: Data Flow Charts Simple way to identify scope and start documentation Record all devices Interview departments Observe data flow

Prioritize Address critical problems first Depends on your individual environment Risk Analysis and Risk Management Plan will help determine these risks

Train Staff Properly Monthly training meetings Incorporate HIPAA Security Rule Not just nurses/doctors, but receptionists too! Recognize social engineering

Secure PHI Around the Office Eliminate unencrypted PHI Screensavers Passwords after time-out Reception desks Tablets/mobile

Strengthen Physical Security Visitor/maintenance log Controls to limit physical access Video cameras to monitor access to sensitive areas Distinguish visitors from on-site personnel

Have Individual User Accounts Workforce members are not all created equal All staff should have separate user accounts Role-based access

Update Systems and Apps EHR Anti-virus Medical devices Operating systems Firewalls IPS/FIM/DLP

A Summary of How Benefits Were Realized for the Value of Health IT S: 86% of employees and executives cite lack of collaboration or ineffective communication for failure in the workplace. T: 54% of patients would switch providers after a data breach. E: Healthcare has exponentially upgraded its technology in the past five years, but still lags behind on securing that technology. P: Reaching full HIPAA compliance is a fantastic thing to bring up with patients. S: Remediation costs for crime-linked data breaches of patient data are $170 per record. http://www.himss.org/valuesuite

Questions brandon@securitymetrics.com Securitymetrics.com