HIPAA Reality Check: The Gap Between Execs and IT
March 1, 2016
Brand Barney, Security Assessor

Conflict of Interest
Has no real or apparent conflicts of interest to report.

Agenda
- Healthcare status
- HIPAA misconceptions
- Real world examples
- Why the gap?
- Analyze risks
- Minimize risks
- Questions

Learning Objectives
- Discuss prominent HIPAA and data security assumptions made in the healthcare industry by IT, compliance officers, executives, stakeholders, and board members.
- Identify common struggles preventing organizations from completing crucial security improvements to sensitive patient health data.
- Assess an effective way to fill the communications gap between executives and IT while promoting an organizational culture of data security.
- Analyze how to minimize organizational data breach probability based on vulnerabilities, threats, and risks.

An Introduction of How Benefits Were Realized for the Value of Health IT
- S: 86% of employees and executives cite ineffective communication for failure in the workplace.
- T: 54% of patients would switch providers after a data breach.
- E: Healthcare still lags behind on securing upgraded technology.
- P: Reaching full HIPAA compliance is a fantastic thing to bring up with patients.
- S: Remediation costs for crime-linked data breaches of patient data are $170 per record.
http://www.himss.org/valuesuite
Healthcare Status

HIPAA Status Disparity
- 89% of C-Suite believe they are HIPAA compliant
- Only 67% of Compliance and Risk Officers believe they are HIPAA compliant

Belief vs. Truth
- Fantasy: Healthcare is doing well in HIPAA security
- Reality: Most healthcare organizations have vulnerabilities in their security and don't realize it

Compromise is Imminent
- Criminal attacks in the healthcare industry have risen 125% since 2010*
- 80% of healthcare IT leaders say systems have been compromised*
* Ponemon Institute
* 2015 KPMG Healthcare Cybersecurity Survey
HIPAA Misconceptions

Myth: Firewalls are Enough
- Firewalls need to be updated
- Firewalls don't take care of all security issues:
  - Remote access software
  - Social engineering
  - Physical security

Myth: HIPAA Doesn't Apply to Me
- Many organizations think:
  - They are too small
  - Their organization doesn't have PHI
  - Cloud-stored data is exempt
- The HIPAA Security Rule applies to pretty much all healthcare entities

Myth: IT and Attorneys Have Us Covered
- IT professionals need additional training for security
- Attorneys don't have technical training

Myth: My Data Isn't Valuable
- Health data is more lucrative than credit cards on the black market
- Credit card data sells for $1-2
- PHI sells for $20-200
- Easy to replace credit cards, impossible to replace social security numbers

Myth: Business Associates Take All Liability
- There's shared liability between businesses and business associates
- Business associates may have vulnerabilities that endanger your data

Myth: We're Already Doing Security
- HIPAA staff are mostly following the Privacy Rule, but not the Security Rule
- Staff aren't trained in security
- PHI can be accessed everywhere!

Myth: Social Engineering Isn't a Threat
- Social engineering targets the weakest link: people!
- Doesn't require technical talent
- Hard to recognize
Real World Examples

Business Associate
- Target
- Dynacare

Unsecured PHI
- Two types of data
- Why your data is walking out the door

Social Engineering
- Janitor
- IT service provider
- EHR
- Build trust
Why the Gap?

Time
- HIPAA will eat your time
  - Small organizations: 200 hours annually
  - Large organizations: 800+ hours annually
- Solutions:
  - Hire an outside security consultant
  - Baby steps (prioritize based on risk)

Money
- Staff time
- Purchases: security tools, policies, training, etc.
- Solutions:
  - Prioritize (#1 risk? What needs to be protected first?)
  - Work it into your budget
  - Get management support
  - HIPAA packages (training + policies + audit combo)

Training
- Most staff don't understand proper Security Rule practices
- Solutions:
  - Train monthly instead of annually
  - Send weekly security tip reminders
  - Incentives!
Analyze Risks

Analyze HIPAA Risk
- Assess current controls
- Determine likelihood of occurrence
- Determine potential impact
- Determine level of risk
- Identify security measure/control/mitigation

Document PHI Flow: Data Flow Charts
- Simple way to identify scope and start documentation
- Record all devices
- Interview departments
- Observe data flow

Prioritize
- Address critical problems first
- Depends on your individual environment
- Risk Analysis and Risk Management Plan will help determine these risks
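The risk analysis steps above (assess controls, likelihood, impact, risk level, mitigation) and the prioritization slide can be worked as a small risk register. This is an added example, not material from the presentation; the ordinal scales, the control-strength adjustment and the sample threats are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Qualitative scales are an assumption for this example; your Risk Analysis
# should document whichever scale the organization adopts.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    threat: str            # threat/vulnerability pair affecting PHI
    likelihood: str        # inherent likelihood, before current controls
    impact: str            # potential impact to PHI confidentiality/integrity
    control_strength: int  # 0 = no control, 1 = partial, 2 = strong and tested
    mitigation: str        # security measure to implement if not acceptable

    def residual_likelihood(self) -> int:
        # Current controls reduce likelihood, but never below the lowest band.
        return max(1, LIKELIHOOD[self.likelihood] - self.control_strength)

    def score(self) -> int:
        return self.residual_likelihood() * IMPACT[self.impact]

    def level(self) -> str:
        s = self.score()
        if s >= 6:
            return "critical"
        if s >= 3:
            return "moderate"
        return "low"


def prioritize(risks):
    """Order the register so critical problems are addressed first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


# Constructed sample register (not from the presentation).
SAMPLE_REGISTER = [
    Risk("lost unencrypted laptop with PHI", "high", "high", 0, "full-disk encryption"),
    Risk("phishing of receptionist credentials", "high", "high", 1, "monthly training"),
    Risk("unpatched EHR server", "medium", "high", 1, "patch cadence plus IPS"),
    Risk("visitor enters records room", "medium", "medium", 2, "visitor log and badges"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.level():8} score={r.score()} {r.threat} -> {r.mitigation}")
```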
Train Staff Properly
- Monthly training meetings
- Incorporate the HIPAA Security Rule
- Not just nurses/doctors, but receptionists too!
- Recognize social engineering

Secure PHI Around the Office
- Eliminate unencrypted PHI
- Screensavers
- Passwords after time-out
- Reception desks
- Tablets/mobile

Strengthen Physical Security
- Visitor/maintenance log
- Controls to limit physical access
- Video cameras to monitor access to sensitive areas
- Distinguish visitors from on-site personnel

Have Individual User Accounts
- Workforce members are not all created equal
- All staff should have separate user accounts
- Role-based access

Update Systems and Apps
- EHR
- Anti-virus
- Medical devices
- Operating systems
- Firewalls
- IPS/FIM/DLP
A Summary of How Benefits Were Realized for the Value of Health IT
- S: 86% of employees and executives cite lack of collaboration or ineffective communication for failure in the workplace.
- T: 54% of patients would switch providers after a data breach.
- E: Healthcare has exponentially upgraded its technology in the past five years, but still lags behind on securing that technology.
- P: Reaching full HIPAA compliance is a fantastic thing to bring up with patients.
- S: Remediation costs for crime-linked data breaches of patient data are $170 per record.
http://www.himss.org/valuesuite

Questions
brandon@securitymetrics.com
Securitymetrics.com