Best Practices for Protecting Patient Data
Training and education are your best defense!
Presented by Jim Bray, Cyber Security Adviser, InfoSight, Inc. 2014 InfoSight
Cyber Security starts with education
99% of cyber breaches can be prevented through education.
Train everyone who touches the data: employees, outside vendors (business associates, covered by a BAA) and customers or patients.
Hold ongoing discussions of cyber security best practices at all levels of management (team meetings).
The orientation process for new employees and outside vendors should include cyber security training.
Administrative tools need to be in place to measure and record employee and outside vendor training; verification of that training is critical during an information security breach audit.
Ongoing training of IT employees on all security tools is highly important, and security software updates need to be a top priority for ongoing training and certification.
Root causes of cyber breaches
Lack of employee and BAA information security training.
Lack of consistent compliance with IT change control processes and policy.
Lack of urgency in deploying software updates.
Lack of a test bed for quickly checking the compatibility of new software updates and for root cause analysis of system issues.
Lack of a password and access policy, starting with in-depth background checks before access is granted.
Employees with too much access to sensitive data.
Lack of a multi-factor authentication (MFA) login process.
Typical MFA scenarios
Swiping a card and entering a PIN.
Installing a VPN client with a valid digital certificate and logging into the VPN.
Logging into a website and being asked for an additional one-time password (OTP) that the website's authentication server sends to the requester's phone or email address.
Swiping a card, scanning a fingerprint and answering a security question.
Plugging a USB hardware token into a desktop or laptop that generates an OTP, and using that one-time password to log into a VPN client.
Note that a code delivered by SMS or email can be intercepted or phished along with the password; a hardware token or authenticator app that generates the code locally from a shared secret is the stronger second factor.
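The OTP in the token and website scenarios above is normally produced by HOTP (RFC 4226) or its time-based variant TOTP (RFC 6238). The example below is added here to show both sides of that exchange and is not code from the presentation or from InfoSight: the token side that generates the code, and the server side that verifies it with a small clock-drift window, a constant-time comparison, and a replay check so a captured code cannot be reused. The secret is the 20-byte seed published with the RFC test vectors (a constructed sample); the window size and the replay bookkeeping are assumptions about server policy.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the 20-byte ASCII seed behind the published
# RFC 4226 / RFC 6238 test vectors. A real token and server share a random
# secret provisioned once at enrollment; never use this one in production.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time=None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the current time step.
    This is what the token (or authenticator app) computes and displays."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time=None, step: int = 30,
                digits: int = 6, window: int = 1, last_used_counter: int = -1):
    """Server-side check. Returns the matched time-step counter, or None.

    - `window` steps on either side tolerate clock drift between token and server.
    - Any counter at or below `last_used_counter` (the last step the server
      accepted for this user) is refused, so a code that was phished or
      shoulder-surfed cannot be replayed inside its validity window.
    - hmac.compare_digest keeps the comparison constant-time so an attacker
      cannot learn the correct code digit by digit from response timing.
    """
    if at_time is None:
        at_time = time.time()
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    current = int(at_time) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Token side generates, server side verifies; the server would then store
    # the returned counter as last_used_counter for this user.
    code = totp(SAMPLE_SECRET)
    print("token shows:", code)
    print("server accepted time step:", verify_totp(SAMPLE_SECRET, code))
```

The server must persist the accepted counter per user (a database column, not process memory) or the replay check is lost on restart; and because the shared secret is all an attacker needs to mint codes, it belongs in the same protected store as password hashes, not in a config file.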
Best Practices for Cyber Security
Fine-grained segmentation of the data network rather than one flat network.
Third-party oversight to ensure that compliance with regulations and company policy is measured and monitored.
Expand your cyber security plan to include BAAs and all employees.
Retest the IT environment after every change to validate that security levels have not regressed.
Have a security breach response plan.
Have the right amount of cyber insurance coverage.
Background checks that include misdemeanor identity theft convictions; in many states identity theft is only a misdemeanor.
Employees need to go through information security training at least twice a year.
Best Practices for Cyber Security
Password access using a token-generated PIN.
A highly structured, company-wide change control process that covers not only IT activity but also BAA and employee business process changes.
No USB drives; using one requires sign-off by the CISO.
Off-site laptops are allowed to connect only through smartphone hotspots.
All laptops are trackable by GPS.
Key security management positions (Risk, Compliance and CISO) must not go unfilled for more than thirty days.
Outside vendors (BAAs) that store patient or employee data must provide SSAE 16 audit certification annually.
All data is encrypted.
Air gap between data backups so that malware cannot reach the secondary backup.
Healthcare leads in information security breaches.
Most security breaches occur as the result of human intent or error
The top 5 reasons why attacks are
Opportunistic Attacks are the most frequent type of cyber attack
Average cost of breach in 2012.
Sony Déjà vu
May 24, 2011: Sony has spent $171 million related to the data breach involving its PlayStation Network, Qriocity and other online properties, but the company is likely to spend a lot more in the quarters ahead if history is any guide. The company previewed its net losses related to the Japan earthquake and tsunami as well as its data breach. Sony said 77 million records were compromised and the company took down the services for weeks. As a result of the breach, which hasn't led to any personal identity theft to date, Sony's known costs for fiscal 2012 are 14 billion yen. That works out to $171 million. That sum goes to: estimated costs related to identity theft protection; "Welcome back" program costs; customer support; network security enhancement tools; legal and consulting costs; and the financial hit due to future lost revenue.
The sophistication of cyber threats, attackers and motives is rapidly escalating
Common Threat to Online Channels & Internal Systems: Malware, Phishing
Ramifications of a security breach
Brand devaluation.
Decline in stock price / business valuation.
Decrease in credit rating.
Trust erosion / fear factor.
Lack of funding for employee raises.
Increased cyber security insurance cost, if coverage is obtainable at all.
Disruption of business, which means lost customers and revenue.
Loss of business partner revenue, such as referrals, and contracts cancelled due to security violations.
Loss of Business Associate services due to high security risk.
Portable Data Access Increases Risk
Theft is the number one cause of information breaches.
Best Practices for Cyber Security Road Map
InfoSight Cyber Security Breach Mitigation Program
Review of change control processes and how they ensure post-change testing of the infrastructure for maximum security.
Review of employee certifications and training processes.
Develop a disaster recovery plan now, in advance of an information security breach.
Review of HR onboarding and offboarding processes.
Review of the business process for assigning user access rights.
Review of the employee cyber security training program.
Review of escalation processes for notification of a potential security breach.
Business Associate Agreement (BAA) management review: review the process for determining which vendors require SSAE 16 certification; review all BAA access methods into the customer's IT networks; review BAA cyber security training.
InfoSight, Inc. www.infosightinc.com 14100 Palmetto Frontage Rd # 310, Hialeah, FL 33016 Phone: (305) 828-1003
Jim Bray, Cyber Security Adviser
InfoSight is an information security and IT company that protects businesses and their customers from cybercrime and fraud. Our focus is on risk mitigation and enhanced compliance with regulations. 16 years' experience managing information security for banking, healthcare and retail customers without a single security breach.