Cyber Security & Compliance:

Similar documents
China. Ta China. T r a get. Coke et. Cok Wha h t a next? xt? ho?

! Challenge : Learning from:! Shanghai attacks! Target breach! Coke compromised! Checklist : Establishing a credible Program! Plan! Policy!

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security

Checklist for Breach Readiness. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow

HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education. September 2014

FACT SHEET: Ransomware and HIPAA

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit. Iliana L. Peters, J.D., LL.M. April 23, 2014

Potential Liability for HIPAA Violations: A Primer

Overview of the HIPAA Security Rule

OCR UPDATE Breach Notification Rule & Business Associates (BA)

HIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013

Network Security and Data Privacy Insurance for Physician Groups

Why Lawyers? Why Now?

Am I a Business Associate?

Massachusetts MA 201 CMR Best Practice Guidance on How to Comply

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Outline. Outline. What is HIPAA? I. HIPAA Compliance II. Why Should You Care? III. What Should You Do Now?

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization

Top Ten Technology Risks Facing Colleges and Universities

DATA SECURITY HACKS, HIPAA AND HUMAN RISKS

INFORMATION SECURITY FOR YOUR AGENCY

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

What s New with HIPAA? Policy and Enforcement Update

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Nine Network Considerations in the New HIPAA Landscape

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

HIPAA Update Focus on Breach Prevention

Disclaimer 8/8/2014. Current Developments in Privacy and Security Rule Enforcement

Presented by Evan Sylvester, CISSP

plantemoran.com What School Personnel Administrators Need to know

Cybersecurity: Protecting Your Business. March 11, 2015

Lessons Learned from HIPAA Audits

HIPAA Compliance Guide

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

The CIO s Guide to HIPAA Compliant Text Messaging

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives

HIPAA Security Alert

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

VMware vcloud Air HIPAA Matrix

Privacy & Security. Risk Management Strategies for Healthcare Data. Ohio Hospital Association Centennial Annual Meeting.

Preparing for the HIPAA Security Rule

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

Patient Privacy and Security. Presented by, Jeffery Daigrepont

HIPAA Security & Compliance

New HIPAA regulations require action. Are you in compliance?

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute

OCR Reports on the Enforcement. Learning Objectives

I ve been breached! Now what?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITECH ACT UPDATE HIPAA BREACH NOTIFICATION RULE WEB CAST. David G. Schoolcraft Ogden Murphy Wallace, PLLC

North Carolina Health Information Management Association February 20, 2013 Chris Apgar, CISSP

COMPLIANCE ALERT 10-12

HIPAA Security Overview of the Regulations

How To Protect Your Data From Being Stolen

How To Protect Yourself From Cyber Threats

Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

Cyber Security An Exercise in Predicting the Future

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00)

Intro. Tod Ferran, CISSP, QSA. SecurityMetrics. 2 years PCI and HIPAA security consulting, performing entity compliance audits

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

Presented by Jack Kolk President ACR 2 Solutions, Inc.

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches. Gerard M. Stegmaier gstegmaier@wsgr.

My Docs Online HIPAA Compliance

WHAT EVERY CEO, CIO AND CFO NEEDS TO KNOW ABOUT CYBER SECURITY.

HIPAA Compliance: Efficient Tools to Follow the Rules

Security Compliance, Vendor Questions, a Word on Encryption

Cyber Self Assessment

Datto Compliance 101 1

Architecting Security to Address Compliance for Healthcare Providers

Business Associate Liability Under HIPAA/HITECH

You Probably Don t Even Know

Healthcare to Go: Securing Mobile Healthcare Data

What do you need to know?

Implementation Business Associates and Breach Notification

Proofpoint HIPAA Breach Report:

White Paper. HIPAA-Regulated Enterprises. Paper Title Here

Can Your Diocese Afford to Fail a HIPAA Audit?

HIPAA Compliance Guide

Transcription:

Cyber Security & Compliance: Ali, MSEE, CISSP (ISSAP, ISSMP) ecfirst, chief executive Cyber Threats & Compliance IBM Cyber Security Report on the Threat Landscape 1,400 is the average # of attacks on a single organization; weekly 1.7 is the average # of incidents; weekly 2 most common attack forms: Malicious code Sustained probe/scan Breaches bottom-line: ~80% human factor based ecfirst. 1

HIPAA Final Rule: Key Facts Key areas impacted include: Business Associates (BA) Breach Notification HIPAA Privacy Rule Enforcement & Penalties Key Timelines Final Rule Publication: January 25, 2013 Effective Date: This final rule is effective on March 26, 2013 Compliance Date: CE/BA must comply by September 23, 2013 BAA (Contracts): No later than September 22, 2014 Cyber-attacks: Prepared for Unit 61398 in Shanghai? Mandiant, a US-based computer security firm reported on February 19, 2013: APT1, a single organization in China focused on cyber espionage, is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support Traced the hacking activities of APT1 to the site of 12-storey building in the Pudong area of Shanghai It said that Unit 61398 of the People's Liberation Army "is also located in precisely the same area" and that the actors had similar "missions, capabilities and resources" Staffed by hundreds, possibly thousands, of proficient English speakers with advanced computer security and networking skills Hacked into 141 companies across 20 industries, 87% based in English-speaking countries, and is able to steal from dozens of networks simultaneously Stolen hundreds of terabytes of information including blueprints, business plans, pricing documents, user credentials, emails and contact lists Stayed inside hacked networks for an average of 356 days, with the longest lasting 1,764 days ecfirst. 2

Target Breach The Wall Street Journal/The New York Times, Dec 2013-Jan 2014 POS malware compromises cash registers that monitor card authorization process RAM-scrapping malware steals unencrypted data from memory Stolen information copied to a compromised internal system & transmitted outside Before a transaction can be authorized, card data is momentarily decrypted & stored in memory (RAM) 110 million impacted Senior Target executives, including CFO, are witnesses in federal committee hearings Demand for hackers with POS malware expertise fast rising Neiman Marcus Breach The New York Times (Jan 27, 2014) Breach was deeper than previously reported Hackers invaded systems for several months 1.1 million cardholders impacted POS malware installed on NM stores appeared to be same malware that infiltrated Target NM data stolen from July 16 thru Oct 20, 2013 NM not aware of breach until mid-dec 2013 Bottom-line Fact: 50% of Fortune 1000 firms each year experience a breach of 1,000 to 100,000 confidential records, including those of employees Ponemon Institute (The New York Times, Jan 27, 2014) ecfirst. 3

Coke Compromised The New York Times (Jan 27, 2014) PII on 70,000 workforce members compromised (including contractors, vendors) Data not encrypted stolen by a former worker responsible for maintaining & disposing of company equipment Recovered 55 company laptops in Nov/Dec 2013, stolen over 6 years Breach discovered Dec 10, 2013 Senior executive leaves Dec 12, 2013 Breach disclosed Jan 23, 2014 Coke assesses over 200,000 files on recovered computers to determine whose PII had been breached Stolen computers belonged to employees who worked in HR & had access to HR records Insider threats must be within scope of risk analysis Heartbleed Bug Impact on Healthcare Hackers exploit Heartbleed bug - U.S. Govt. warns banks, infrastructure operators & others to be on alert for hackers who may steal data from vulnerable networks. Heartbleed bug allows hackers to steal data without a trace. Hackers are exploiting bug in OpenSSL code by scanning targeted networks. Organizations need to patch & test systems to make sure vulnerability associated with Heartbleed OpenSSL bug is addressed. Heartbleed OpenSSL bug vulnerability went undetected for some time. Hackers may have stolen certificates & keys leaving data vulnerable to spying. OpenSSL software helps encrypt traffic with certificates & keys that keep information secure. Heartbleed bug exploits OpenSSL vulnerability. The developer who reviewed the code failed to notice the Heartbleed bug. Review your patch policy. ecfirst. 4

Compliance Fines A Seven Figure Risk March 7, 2014 Date Entity Breach Description Fine December 20, 2013 August 14, 2013 Skagit County, Washington Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) Affinity Health Plan EPHI of 1,581 individuals were accessed by unknown parties after it had been inadvertently moved to a publicly accessible server. An unencrypted thumb drive containing EPHI of approximately 2,200 individuals was stolen from a vehicle of a staff member. Impermissibly disclosed PHI of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. July 11, 2013 WellPoint Inc. Disclosed the EPHI of 612,402 individuals by allowing access of such individuals maintained in the application database. June 13, 2013 Shasta Regional Sent email to workforce about medical records of patients without Medical Center (SRMC) authorization. Disclosed PHI of a patient to multiple media outlets. May 21, 2013 Idaho State University EPHI of approximately 17,500 patients was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by ISU. September 17, 2012 MEEI Unencrypted personal laptop containing EPHI of MEEI patients and research subjects was stolen. $215, 000 $150,000 $1,215,78 0 $1.7 million $275,000 $400,000 $1.5 million June 26, 2012 Alaska DHSS USB drive containing EPHI was stolen from the vehicle of a DHHS employee. $1.7 million March 13, 2012 BCBST 57 unencrypted computer hard drives containing PHI of over 1 million individuals was stolen. $1.5 million HIPAA Security Rule Device and Media Controls 164.310(d)(1) STANDARD Implement policies & procedures that govern the receipt & removal of hardware & electronic media that contain EPHI into & out of a facility, and the movement of these items within the facility. Encryption and Decryption (A) 164.312(a)(2)(iv) Implementation Specification Implement a mechanism to encrypt & decrypt EPHI. ecfirst. 5

HIPAA Security Rule Transmission Security 164.312(e)(1) STANDARD Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network. Encryption (A) 164.312(e)(2) (ii) Implementation Specification Implement a mechanism to encrypt EPHI whenever deemed appropriate. Massachusetts 201 CMR 17.00 Comprehensive Written Information Security Program Required Requires each covered business to develop, implement, maintain and monitor a comprehensive written information security program that applies to records that contain Massachusetts residents personal information Security program must include administrative, technical and physical safeguards to protect such records Designating one or more employees to maintain the comprehensive information security program Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information ecfirst. 6

Massachusetts 201 CMR 17.00 Comprehensive Written Information Security Program Required Regulations also require businesses that store or transmit personal information about Massachusetts residents to (201 CMR 17.04): Restrict access by use of passwords Deploy updated malware protection Encrypt information transmitted across public or wireless networks Monitor all systems to detect unauthorized access Encrypt information stored on laptops Incorporate firewalls Deadline: March 1, 2010 for 201 CMR 17.00 Massachusetts M.G.L. c. 93H Data Breach Notification Law If an entity knows or has reason to know of either a security breach or that personal information of a Massachusetts resident was acquired or used by an unauthorized person for an unauthorized manner, that entity must provide written notice as soon as practicable and without unreasonable delay to: Attorney General (AGO) Director of the Office of Consumer Affairs and Business Regulation (OCABR) Affected Massachusetts resident The notice to the Attorney General must include: Nature of the breach of security or the unauthorized acquisition or use Number of Massachusetts residents affected by such incident at the time of notification, and Any steps the person or agency has taken or plans to take relating to the incident ecfirst. 7

Business Associates The changes announced expand many of the privacy & security requirements to BAs that receive PHI, such as contractors and subcontractors BAs may also be liable for the increased penalties for noncompliance based on the level of negligence up to a maximum penalty of $1.5 million The definition of a BA is expanded to include entities or individuals that maintain PHI on behalf of a CE, even if such entities or individuals never access PHI A key responsibility of a BA is to ensure it completes a comprehensive risk analysis on a regular, pre-defined schedule Breach Notification The Final Rule says a risk assessment for determining the probability that PHI was compromised should consider these four factors: 1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification 2. The unauthorized person who used the PHI or to whom the disclosure was made 3. Whether the PHI was actually acquired or viewed, and 4. The extent to which the risk to the PHI has been mitigated In the final breach rule, HHS notes: "We have added language to the definition of breach to clarify that an impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA, as applicable, demonstrates that there is a low probability that the PHI has been compromised" ecfirst. 8

Results of a Recent HIPAA Audit! 141 High Risk 247 Medium Risk 18 Low Risk HIGH Probability of Successful Attack THREAT Remote Code Execution Unsecured EPHI System configuration issues Buffer Overflow Vulnerability IMPACT Complete Control of the System Breach Loss of Data Denial of Service Attack or Complete Control of the System HIPAA Checklist! Establish an Enterprise Program! ecfirst. 9

Security Controls Implemented What Have You Deployed? Implemented Key Security Controls Missing Firewall (Sonic Firewall TZ210) IDS (Dell SecureWorks) Antivirus protection (Webroot) Data transfer (SFTP, HTTPS) Remote access (VPN, Citrix) Two-factor authentication Data loss prevention solution Secure text messaging USB & portable device encryption MDM Asset management (Dell KACE) Laptop encryption (TrueCrypt at the Bios Level; Windows OS & File Vault on Mac OS) Email encryption (Voltage) s Laws of Information Security Is Your security Kismet or Karma? 1. There is no such thing as a 100% secure environment 2. Security is only as strong as your weakest link 3. Security defenses must be integrated and include robust (passive) and roving (active) controls to ensure a resilient enterprise 4. Security incidents provide the foundation for security intelligence Is Your Enterprise Security Program? Kismet A Reactive Security Framework Karma A Proactive Security Framework China. Target. Coke Who s Next? WSJ Headline Cover Stories ecfirst. 10

Are we excited? For a complimentary HIPAA Checklist PDF please contact John Schelewitz @ +1.480.663.3225 or at John.Schelewitz@ecfirst.com. Denver May 13-14, 2014 Manila, Philippines May 20-21, 2014 Chicago June 17-18, 2014 Washington, D.C. July 22-23, 2014 Las Vegas Nov 18-19, 2014 From this training, you will learn the following about HIPAA: Step through all major sections of HIPAA, HITECH and the Omnibus Final Rule Review of the HITECH Act and how it effects all organizations with access to health information Examine the HIPAA Privacy and Security Rules; HIPAA Transactions Code Sets and Identifiers Review HIPAA compliance challenges; walk through best practices for addressing HIPAA/HITECH mandates Step through how to plan and prepare for HIPAA compliance ecfirst. 11

Denver May 15-16, 2014 Manila, Philippines May 22-23, 2014 Chicago June 19-20, 2014 Washington, D.C. July 24-25, 2014 Las Vegas Nov 20-21, 2014 From this compliance and security training program you will: Examine HITECH & the HIPAA Security Rule, including new Final Rule updates Learn about FISMA, NERC CSS, & GLBA Step through the core requirements of PCI DSS. Analyse the international security standard, ISO's 27001, ISO 27002, ISO 27799 & others. Examine California's SB 1386, SB 541, AB 1950, AB 1298, AB 211 & other U.S. State information security related regulations. Understand NIST security standards ecfirst Compliance & Security Over 2,100 clients served including Microsoft, Cerner, HP, State of Utah, PNC Bank, Kaiser & hundreds of hospitals, government agencies, business associates ecfirst. 12

Ali, MSEE, CISSP (ISSAP, ISSMP) Follow ecfirst for Daily Tips Information Security & Compliance Expert Consults extensively with technology firms, government agencies and business associates Created bizshield tm an ecfirst Signature Methodology - to address compliance and information security priorities Featured speaker at compliance and security conferences worldwide Presented at Microsoft, Kaiser, Intuit, E&Y, Federal & State Government agencies & many others Established the HIPAA Academy and CSCS Program gold standard for HIPAA, HITECH compliance solutions Member InfraGard (FBI) Daily Compliance Tips: www.facebook.com/ecfirst Keep in touch, @ecfirst.com and www.facebook.com/. Did you get information of value from this brief? Like ecfirst on ecfirst. 13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information