PREP Course # 20: HIPAA Security Presented by: Joe Baskin, Manager, Information Security

Similar documents
PREP Course #25: Hot Topics in Cyber Security and Database Security. Presented by: Joe Baskin Manager, Information Security, OCIO

Hot Topics in IT Security PREP#28 May 1, David Woska, Ph.D. OCIO Security

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Electronic Communication In Your Practice. How To Use & Mobile Devices While Maintaining Compliance & Security

National Cyber Security Month 2015: Daily Security Awareness Tips

Internet threats: steps to security for your small business

An Introduction on How to Better Protect Your Computer and Sensitive Data

PHI- Protected Health Information

NATIONAL CYBER SECURITY AWARENESS MONTH

10 Smart Ideas for. Keeping Data Safe. From Hackers

HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY

SBA Cybersecurity for Small Businesses. 1.1 Introduction. 1.2 Course Objectives. 1.3 Course Topics

AVOIDING ONLINE THREATS CYBER SECURITY MYTHS, FACTS, TIPS. ftrsecure.com

The following information was provided by SANS and discusses IT Security Awareness. It was last updated in 2015.

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer

Cyber Security An Exercise in Predicting the Future

HIPAA and Health Information Privacy and Security

Know the Risks. Protect Yourself. Protect Your Business.

Security Best Practices for Mobile Devices

DATA SECURITY HACKS, HIPAA AND HUMAN RISKS

Cyber Security. John Leek Chief Strategist

FACT SHEET: Ransomware and HIPAA

HIPAA Compliance Evaluation Report

General Security Best Practices

How-To Guide: Cyber Security. Content Provided by

Desktop and Laptop Security Policy

Cisco on Cisco Best Practice Security Practices for Online Collaboration and Social Media

Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice

Malware & Botnets. Botnets

Best Practices Guide to Electronic Banking

Top Ten Technology Risks Facing Colleges and Universities

Safety precautions for Internet banking or shopping How to avoid identity theft online

Cyber Self Assessment

How To Protect Your Information From Being Hacked By A Hacker

INFORMATION SECURITY FOR YOUR AGENCY

AGENDA HIP Ho AA w i rivacy d The B reach Happen? I P nc AA Secu dent R rit esp y o nse Corrective Action Plan What We Learned ACRONYMS USED

NC DPH: Computer Security Basic Awareness Training

Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation. By Marc Ostryniec, vice president, CSID

HIPAA Security Education. Updated May 2016

ADMINISTRATORS SERIES PRIVACY AND SECURITY AT UF. Cheryl Granto Information Security Manager, UFIT Information Security

Tips for Banking Online Safely

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

I ve been breached! Now what?

Remote Deposit Quick Start Guide

HIPAA Privacy & Security Rules

1. Any requesting personal information, or asking you to verify an account, is usually a scam... even if it looks authentic.

Management and Storage of Sensitive Information UH Information Security Team (InfoSec)

10 Quick Tips to Mobile Security

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

HIPAA ephi Security Guidance for Researchers

Cyber Security. An Executive Imperative for Business Owners. 77 Westport Plaza, St. Louis, MO p f

Cybersecurity: A Growing Concern for All Businesses. RLI Design Professionals Design Professionals Learning Event DPLE 160 October 7, 2015

Security Practices for Online Collaboration and Social Media

RLI PROFESSIONAL SERVICES GROUP PROFESSIONAL LEARNING EVENT PSGLE 123. Cybersecurity: A Growing Concern for Small Businesses

An Independent Member of Baker Tilly International

SMALL BUSINESS IT SECURITY PRACTICAL GUIDE

BE SAFE ONLINE: Lesson Plan

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training - Session One

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

Customer Awareness for Security and Fraud Prevention

A practical guide to IT security

HIPAA Requirements and Mobile Apps

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Computer Security at Columbia College. Barak Zahavy April 2010

Why you need. McAfee. Multi Acess PARTNER SERVICES

Information Security It s Everyone s Responsibility

HIPAA Compliance: Efficient Tools to Follow the Rules

Sophistication of attacks will keep improving, especially APT and zero-day exploits

F G F O A A N N U A L C O N F E R E N C E

2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program.

Cyber Security Best Practices

Top 10 Tips to Keep Your Small Business Safe

HIPAA Training for Hospice Staff and Volunteers

Corporate Account Take Over (CATO) Guide

Cyber Security Awareness. Internet Safety Intro.

2014 Core Training 1

Cyber Security. Securing Your Mobile and Online Banking Transactions

Cyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014

HIPAA PRIVACY AND SECURITY TRAINING P I E D M O N T COMMUNITY H EA LT H P L A N

Transcription:

PREP Course # 20: HIPAA Security Presented by: Joe Baskin, Manager, Information Security 1

CME Disclosure Statement The Northwell Health adheres to the ACCME s new Standards for Commercial Support. Any individuals in a position to control the content of a CME activity, including faculty, planners, and managers, are required to disclose all financial relationships with commercial interests. All identified potential conflicts of interest are thoroughly vetted by the Northwell Health for fair balance and scientific objectivity and to ensure appropriateness of patient care recommendations. Course Director and Course Planner, Kevin Tracey, MD and Tina Chuck, MPH have nothing to disclose. Joe Baskin is the speaker and has nothing to disclose. 2

Objectives Discuss hot topics in cyber security and database security. 1.Cyber Security 2.Encryption 3.Social Engineering 4.Cloud Storage 5.Mobile Security 6.Application / Database Security 3

Drivers 4

Cyber Security Agenda What is Cyber Security? Industry Statistics Sources and Types of Cyber Attacks 5 5

Cyber Security What is Cyber Security? Cyber security refers to the technologies and processes designed to protect computers, networks and data from unauthorized access, vulnerabilities and attacks delivered via the Internet by cyber criminals. A cyber attack is an attempt to damage, disrupt, or gain unauthorized access to a computer, computer system, data or electronic communications network. A cyber crime is the illegal use of computer technology and the Internet, e.g. Target credit card breach (~110M records), CA Health System unencrypted laptop loss (~729K records). 6 6

Healthcare Data Breach Statistics Top 2015 Healthcare Breaches Anthem 78.8M Premera Blue Cross 11M Excellus 10M Community Health 4.5M MIE 3.9M CareFirst 1.1M *Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf US Department of Health & Human Services Office for Civil Rights as of December 31, 2015 for Breaches of 500 records or greater 7 7

Cyber Security Patient Records Breached per Day (avg.) Medical record data is worth $50 on the black market. Much more than Social Security numbers ($3), credit card information ($1.50), date of birth ($3), or mother's maiden name ($6). Sources: 1. DHC: EHR Data Target for Identity Thieves - MedPage Today - 12/07/2011 2. http://www.welivesecurity.com/2013/08/14/healthcare-it-security-infographic-stats-point-to-big-privacy-holes/ 8 8

Cyber Security Primary Causes of Breaches Source: http://www.backgroundcheck.org 9 9

Cyber Security Sources & Types of Cyber Attacks Malware & Malicious Code (Viruses, Worms, Ransomware) software that is intended to damage or disable computers and computer systems. Botnets a network of private computers infected with malicious software and controlled as a group without the owners' knowledge. Phishing Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients Web based attacks means by which malicious code exploits a system's security safeguards. Denial of Service attack on a computer system or website, aimed at disrupting its normal functionality. Malicious insiders malicious threat that comes from people within the organization such as employees, former employees, contractors or business associates. 10 10

Information Security Myths versus Reality Myth: If I have antivirus software installed, I m safe. Reality: Antivirus software may be installed but it might not be up to date with the latest virus definitions. Myth: I don't need to worry; I have no vital documents or PHI on my personal computer, just music, photos, and videos. Reality: Hackers are increasingly focused on personal computers, regardless of their contents. Your pc may have nothing, but it is connected to a network that does. Like real viral infections that spread, malware can too. 11

Information Security Myths versus Reality Myth: Cybercrime isn't any worse now than it s been in the past. Reality: Cybercrime is up sharply in the last year. Experts have noted staggering growth in the number and sophistication of attacks home/work computers are now the weak point. Myth: I would know if I had a virus on my computer. Reality: Most viruses and malware don't slow down or crash your computer. It may surprise you to learn that most people who have a virus or malware have no idea they ve been compromised. 12

IT Safeguards at Northwell Health IT Security Safeguards Perimeter Controls and Firewall Technologies that protect against external threats. Mobile device protection (Encryption) for phones, tablets and portable devices. Antivirus and Anti-spam to protect computers, laptops and servers. Intrusion Detection/Prevention that inspects dataflow sending alerts of potential threats. Security Event Monitoring to proactively detect suspicious activity. Patient Privacy Monitoring and Application Breach Detection to detect suspicious activity on our clinical applications. Segregated Cardholder Data Environment providing an additional layer of security for payment transactions. Employee Training & Awareness Annual Compliance Training throughout the Health System on proper security and privacy practices. Security Awareness and Alerts published on the employee intranet. Periodic security reminders, Email alerts, newsletters and posters. 13 13

Encryption What is Encryption Encryption is a method to keep your personal information secure. Encryption scrambles the information you send over the internet into a code so that it s not accessible to others. How to Tell If a Website is Encrypted To determine if a website is encrypted, look for https at the beginning of the web address (the s is for secure). When completing online transactions, some websites use encryption only on the sign-in page, but if any part of your session isn t encrypted, your entire account could be vulnerable. Therefore, look for https on every page you visit. 14

Laptop and Removable Media Encryption 1. All Laptops must be encrypted 2. Confidential information must not be saved on removable media such as CDs, DVDs, and USB flash drives unless also absolutely necessary and then you must encrypt them! 3. Follow Health System policies for Encryption (900.25 Data Encryption and Integrity) Handling media (900.26 Device and Media Control) Disposal of media (900.29 Equipment Disposal) Handling of PHI (800.02 Release of Protected Health Information for Living Patients) 4. If you need assistance with encryption or disposal, please call the IS Help Desk! 15

Phishing What is Phishing? This is a psychological attack via email designed to trick you into giving up information or taking an action. What does a typical attack look like? An attack begins with a cyber criminal sending a message pretending to be from someone or something that you know, such as a friend, your bank or a well-known store. These messages then entice you into taking an action, such as clicking on a malicious link, opening an infected attachment, or responding to a scam. 16

Phishing What is Spear Phishing? Spear phishing is a targeted attack to a few select individuals. Cyber attackers research their intended targets, such as by reading the intended victims LinkedIn or Facebook pages, messages posted on public blogs or published journal articles. Why should I Care? You may not realize it, but you are a target at work and at home. Your data is worth a tremendous amount of money to cyber criminals, and they will do anything they can to hack your devices to get at it. YOU are the most effective way to detect and stop phishing. 17

Phishing A Check email addresses B Generic Salutation Anatomy of a phishing email C Grammar or Spelling Mistakes D Immediate Action E URL Link F Suspicious Attachment 18

North Shore LIJ Phishing Attack Aug 2015 When Access the documents here was clicked, users were presented with the following screen: Recognize Red Flags Never provide personal or sensitive info when requested via email 19

20

Cloud Computing What is Cloud Computing? Information processing residing on remote systems maintained by a third-party vendor, and accessed from the Internet. What is our policy for Cloud Based Storage? Internet/Cloud based storage must not be used to store or disseminate Sensitive and Highly Sensitive information such as PHI or PII without proper approval processes that include IT Contracts, Office of Procurement, OCIO Security, and Research Administration when appropriate. Users must follow proper procedures by saving Sensitive and Highly Sensitive information on a shared drive. 21

Save it to your Network Drive 1. Confidential information should be saved on your network home drive or a shared drive designated for this purpose. Files are physically secured in our corporate data centers Files are backed up regularly and can be restored Limited access 2. Your network home drive can only be accessed by you. 3. Shared drives set up for confidential information allow users to collaborate and share files only with those users specifically granted access Need a shared drive? Call the IS Help Desk or request one on the Employee Intranet 22

Local Drives 1. Confidential information must not be saved on local hard drives except when necessary,. 2. Your C: drive is your local drive which is in your computer 3. Local drives have: Less physical security Are not backed up May be accessible to others that use your computer 4. Shared computers are common throughout the Health System, but you should not save files to your local drive unless absolutely necessary Note where you save the file Delete and empty your recycle bin when done with the file 23

Mobile Devices Risks to Health Information Risks vary based on the mobile device and its use. Risks include: A lost or stolen mobile device Inadvertently downloading viruses or other malware Unintentional disclosure to unauthorized users Encryption is required! 24

Take the Steps to Protect and Secure Health Information When Using a Mobile Device Protect and secure health information when using mobile devices In a public space On site At a remote location Regardless of whether the mobile device is Personally owned, bring your own device (BYOD) Provided by our organization Securely dispose of USB drives and other media that may contain PHI Call the Help Desk for assistance 25

Mobile Devices & Health Information Sharing your mobile device password or user authentication Allowing unauthorized users on your device Storing or sending unencrypted health information with your mobile device Ignoring mobile device security software updates Downloading applications (apps) without verifying they are from a trusted source Leaving your mobile device unattended Using an unsecured Wi-Fi network Discarding your mobile device without first deleting all stored information Ignoring our mobile device policies and procedures 26

Bring Your Own Device (BYOD) What is BYOD? Any non-northwell Health device owned by a workforce member that is used for business purposes. Examples include personal laptops, smartphones, or handheld devices. Securing Mobile Devices Enable Encryption Use Passcodes Avoid SMS Phishing Update Your Devices Use Mobile Applications Wisely Limit Your Use of Bluetooth 27

Application and Database Security What is Database Security? The practice of providing security controls for applications and databases such as REDCap, BUDDY, and other applications that have been approved by Information Security. Security controls include: Limited access to systems (Role Based Access) Strong password usage Secure central network storage of data Monitoring of database systems and audit logs Isolate Production data to production environments 28

Application and Database Security Limited access to systems (Role Based Access) 1. Define user roles Administrator (full access read, write, delete) Editor (read, write) Reviewer (read only) 2. Access rights should be granted to a group, then place the user in the appropriate group. 29

Application and Database Security Strong Password Usage 30

Application and Database Security Strong Password Usage 1. Avoid "leet speak" equivalents ( Joseph" becomes "J0s3ph") 2. The Northwell standard for application passwords Setting Minimum password length Password complexity Standard 6 characters (8 recommended) Passwords should contain characters from at least three of the following 4 categories: Lower case letter [a z] Upper case letter [A Z] Numeric [0 9] Special character [! @ # $ % ^ & * ( ) _ + ~ - = \ ` { } [ ] : " ; ' < >?,. / space] Password expiration 90 days History (generations) 12 Lockout threshold Five (5) consecutive failed login attempts within 15 minutes result in a user s account being locked. 31

Application and Database Security Physical security for server infrastructure 1. Locked room or cage 2. CCTV 3. Record access to room Log book ID card reader 4. Never allow anyone unattended 5. Backup media must be secured (and encrypted) 32

Application and Database Security Secure central network storage of data 1. Encrypt! Encrypt! Encrypt! Encrypt the storage system Full disk encryption Encrypt the database Build in or 3 rd party tools can provide DB encryption Encrypt tables within the database Encrypt tables that might contain ephi or sensitive or confidential information 33

Application and Database Security Monitoring of systems and audit logs 1. Monitoring and review of audit logs is required to maintain the integrity of the data 34

Application and Database Security Example of a REDCap audit log 35

Application and Database Security Isolate Production data to production environments 1. Development, test and QA environments should not have production data Developers, vendors, other 3 rd parties should not see ephi 2. Use de-identified or dummy data for development work 3. If a vendor or other 3 rd party requires access to production a Business Associates Agreement (BAA) must be in place 36

For More Information Have questions? Call the IS Helpdesk at (718, 516, 631) 470-7272 Research IS questions? ResearchIS@northwell.edu Get IT Security tips: https://nslijhp.northshorelij.com/employees/computersecuritytips/pages/default.aspx See Northwell Health Security Policies: https://nslijhp.northshorelij.com/nslij/departments/is/toolbox/pages/default.aspx Office of Research Compliance guidance on electronic security: http://nslij.com/orc Tools and Guidance Electronic Security Ashish Narayan: Director, Information Systems, FIMR Joe Baskin: Manager, Information Security, OCIO 37

38

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information