DATA SECURITY HACKS, HIPAA AND HUMAN RISKS


MSCPA HEALTH CARE SERVICES SEMINAR
Ken Miller, CPA, CIA, CRMA, CHC, CISA
Senior Manager, Healthcare, HORNE LLP
September 25, 2015

AGENDA
- 2015: The Year of the Healthcare Breach
- The Human Risk
- Social Engineering Resistance
- Technical Controls
- OCR Enforcement: What's Next?
- Settlements and Fines: The Rest of the Story
- Priority Action Steps
- Questions

The Year of the Healthcare Breach
2015: The Year of Healthcare Data Breaches
- Anthem Blue Cross, January: 80 million records
- Premera Blue Cross, March: 11 million records
- CareFirst Blue Cross Blue Shield, May: 1.1 million records
- UCLA Health System, July: 4.5 million records
- Excellus Blue Cross Blue Shield, September: 10 million records
Who will be next?

The Year of the Healthcare Breach: Why?
Medical information is commonly valued at 10 to 20 times a stolen credit card number. Stolen card numbers can be had for a dollar or two, while healthcare billing data sells for around $10 per record, and some sites offer complete records for up to hundreds of dollars.
What's the difference? Banks have developed sophisticated anti-fraud technology, and a stolen card's useful life is short: it is cancelled as soon as the fraud is noticed. A Medicare number is far harder to cancel and reissue, so it may yield more payback before it can be stopped.

The Year of the Healthcare Breach: How?
"Sophisticated hacking techniques." This phrase is commonly used in the aftermath of a hack. It implies that resistance was futile: hackers armed with advanced technology and persistence would eventually crack any defense. Or did they just get the house key out from under the rug?

The Human Risk
Many "sophisticated" hacks are not aimed at the network defenses, trying to break through firewalls or sneak in through open ports. They are aimed at employees, a perceived soft target. Convincing fake websites and email scams are targeted at employees to steal credentials. Hackers research targets on LinkedIn and Facebook and single out IT staff with privileged access. If the target takes the bait and gives up their credentials, the hackers can just log right in.

The Human Risk
The Chinese hacking group Deep Panda is a suspect, based on similarities to its prior attacks. The attackers registered look-alike websites such as:
- www.we11point.com (a play on Anthem's former name, WellPoint, with the letters "ll" replaced by the digits "11")
- www.prennera.com (a play on Premera, with the "m" replaced by "nn")
These websites are then used in social engineering attacks as fake portals to lure employees into giving up their network or application credentials.
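Look-alike domains of this kind can be caught before an employee ever sees them by comparing newly registered or newly observed domains against the organization's own brand names. The following is an added example, not part of the original seminar material: a small Python check that normalizes the common character substitutions (digit 1 for l, 0 for o, nn or rn for m, vv for w) and flags a domain that equals a protected brand after normalization, embeds the brand in a longer label, or sits within one edit of it. The brand list, the confusable table and the sample feed are the example's own assumptions.

```python
# Added example (not from the original slides): flag domains that imitate a
# protected brand, the way we11point.com imitated WellPoint and prennera.com
# imitated Premera. Brand list, confusable table and sample feed are assumed.

# Single characters attackers swap in because they look alike in common fonts.
SINGLE_CONFUSABLES = {"1": "l", "|": "l", "0": "o", "3": "e", "5": "s", "8": "b"}
# Two-character sequences that read as one letter ("nn" and "rn" look like "m").
DIGRAPH_CONFUSABLES = (("rn", "m"), ("nn", "m"), ("vv", "w"))

# Assumed list of brands this organization wants to protect.
BRANDS = ("anthem", "wellpoint", "premera", "carefirst", "excellus")


def normalize(label: str) -> str:
    """Collapse look-alike characters so visually similar labels compare equal."""
    s = label.lower().replace("-", "")
    for digraph, letter in DIGRAPH_CONFUSABLES:
        s = s.replace(digraph, letter)
    return "".join(SINGLE_CONFUSABLES.get(ch, ch) for ch in s)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label just left of the TLD ("we11point" for www.we11point.com).
    Simplification: real code should use the Public Suffix List so that
    example.co.uk yields "example" rather than "co"."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, brands=BRANDS):
    """Return (brand, reason) if the domain imitates a protected brand, else None.
    Reasons: "homoglyph" (identical after confusable normalization),
    "embedded" (brand inside a longer label such as anthem-login),
    "typosquat" (one edit away from the brand)."""
    label = registrable_label(domain)
    if label in brands:
        return None  # the genuine domain itself
    norm = normalize(label)
    for brand in brands:
        bnorm = normalize(brand)
        if norm == bnorm:
            return (brand, "homoglyph")
        if brand in label or bnorm in norm:
            return (brand, "embedded")
        # Only apply the edit-distance rule to brands long enough that a
        # one-edit neighbour is unlikely to be an unrelated word.
        if len(bnorm) >= 5 and edit_distance(norm, bnorm) <= 1:
            return (brand, "typosquat")
    return None


def scan(domains, brands=BRANDS) -> dict:
    """Classify a batch of domains, e.g. a daily feed of new registrations."""
    hits = {}
    for d in domains:
        verdict = classify(d, brands)
        if verdict:
            hits[d] = verdict
    return hits


# Constructed sample feed: the two domains from the slide plus assumed others.
SAMPLE_FEED = ["www.we11point.com", "www.prennera.com", "anthem-login.com",
               "premere.com", "premera.com", "example.com"]

if __name__ == "__main__":
    for domain, (brand, reason) in scan(SAMPLE_FEED).items():
        print(f"{domain:24} looks like {brand:10} ({reason})")
```

Run against a feed of newly registered domains (certificate transparency logs and zone-file diffs are the usual sources), the hits are candidates for a blocklist and for a takedown request; the normalization deliberately over-matches, so a human still reviews the output.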

Social Engineering Resistance: What is Phishing?
An attempt to acquire sensitive information, such as credit card or bank details or user IDs and passwords to systems, for malicious reasons by creating the illusion of trust.
- May be an email
- May be a website
- May be a combination of both

Social Engineering Resistance (image-only slide; image not reproduced)

Social Engineering Resistance: What does a phishing email message look like?
(Figure: annotated sample phishing message with spoofed logos; image not reproduced)
Source: Microsoft Safety and Security Center: http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx

Social Engineering Resistance: The 5 most dangerous email subjects
1. Invitation to connect on LinkedIn
2. Mail delivery failed: returning message to sender
3. Dear <insert bank name here> Customer
4. Comunicazione importante (Italian for "Important communication")
5. Undelivered Mail Returned to Sender
Source: McAfee Security: https://blogs.mcafee.com/consumer/top-5-dangerous-email-subject-lines/
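Several of the symptoms in the two slides above can be checked mechanically before a message reaches a mailbox. The block below is an added example, not part of the original seminar and not a complete mail filter: using only Python's standard email and html.parser modules it parses a raw message and reports four indicators: a display name that is itself an address at a different domain from the real sender, a Reply-To at a different domain from From, a subject matching one of the five dangerous subject lines listed above, and a link whose visible text names a different host from its href. The two sample messages are constructed for the example; every domain in them is invented except we11point.com from the earlier slide.

```python
# Added example (not from the original slides): score a raw email for the
# phishing symptoms discussed above. Both sample messages are constructed.
import re
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The five subject lines from the McAfee list, as case-insensitive patterns.
SUBJECT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"invitation to connect on linkedin",
    r"mail delivery failed",
    r"^dear .*customer",
    r"comunicazione importante",
    r"undelivered mail returned to sender",
)]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address ("" if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: str) -> list:
    """Return the sorted list of indicator names found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = set()

    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    # "helpdesk@anthem.com" <alerts@evil.example>: the display name is an
    # address at a domain other than the one that actually sent the message.
    if "@" in name and domain_of(name) != from_domain:
        found.add("display-name-mismatch")

    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != from_domain:
        found.add("reply-to-mismatch")

    subject = str(msg.get("Subject", ""))
    if any(p.search(subject) for p in SUBJECT_PATTERNS):
        found.add("known-bad-subject")

    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            # The visible text is itself a URL, but the href goes elsewhere.
            if text.lower().startswith(("http://", "https://")):
                if urlsplit(text).hostname != urlsplit(href).hostname:
                    found.add("link-text-host-mismatch")
    return sorted(found)


# Constructed phishing sample (domains invented except we11point.com).
SAMPLE_PHISH = """From: "helpdesk@anthem.com" <alerts@mail-secure-login.biz>
Reply-To: drop@freemail.example
To: employee@example.org
Subject: Mail delivery failed: returning message to sender
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your message could not be delivered. Sign in at
<a href="http://we11point.com/portal">https://portal.wellpoint.com/login</a>
to release it.</p>
</body></html>
"""

# Constructed benign sample for comparison.
SAMPLE_CLEAN = """From: "Payroll" <payroll@example.org>
To: employee@example.org
Subject: October timesheet reminder
Content-Type: text/plain

Timesheets are due Friday.
"""

if __name__ == "__main__":
    print("phish:", phishing_indicators(SAMPLE_PHISH))
    print("clean:", phishing_indicators(SAMPLE_CLEAN))
```

None of these indicators is proof on its own (legitimate mailing lists set Reply-To to another domain all the time), which is why the function returns the list rather than a verdict; a gateway rule would quarantine on two or more, and an awareness program can show users the same four things to look for.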

Social Engineering Resistance: What is Baiting?
An attempt to infiltrate a network by using a person's curiosity against them, by means of a bait device (a USB drive or CD/DVD) that contains malicious software (malware). When the device is plugged in, autorun (where it is still enabled) or a curious user opening the files installs the malware on the PC, from where it spreads to the network.
Example bait label: "Hot Hot Hot: Hacked Celebrity Cellphone Pics"

Social Engineering Resistance: What is Pretexting?
A scam or hack that uses a lie as the basis for gaining trust, or for being perceived as having authority, in order to influence someone to divulge information or take an action that benefits the scammer or hacker.
"Hi, this is Bob in IT. We are doing an update and I need you to authorize a remote session and log in to this portal using your ID and password." (Spoken in a heavy accent, calling from an unknown caller ID.)

Social Engineering Resistance: What to do?
Security Awareness Training
- Make sure the content is thorough
- Tell the workforce what to watch for and who to contact when in doubt
- Tell the workforce what the company will and won't do (for example, IT will never ask for your password)
- Make the workforce a hard target
Accountants: this is not just for your healthcare clients. If you have signed a BAA with a client, HIPAA expects you to have security training, too.

Technical Controls: Technical controls for hack resistance
- Firewalls: use hardware-based firewalls, keep them patched with current firmware versions, and make sure the model is still supported by the vendor.
- Intrusion Prevention Systems: some firewalls have intrusion prevention features and others do not. Additional tools and appliances may be needed for full protection.
- Configure alerts and monitoring on network traffic.
- Pre-hack: conduct scans and vulnerability reviews and mitigate the findings before an attacker finds them.
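Alerting on network traffic needs a concrete rule to fire on. The block below is an added example, not part of the original seminar and not any vendor's product: it reads firewall deny lines in a made-up format (timestamp, action, src, dst, dport) and raises an alert when one source address touches ten or more distinct destination ports inside a sliding time window, the footprint of a port scan run ahead of a break-in. The sample log is generated inside the example and includes a slow scan spread over twenty minutes, which is why the window length is a parameter.

```python
# Added example (not from the original slides): port-scan detection over
# firewall deny logs. The log format and all addresses are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> DENY src=<ip> dst=<ip> dport=<port>"
LINE = re.compile(r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)")


def parse(lines):
    """Yield (timestamp, source, dport) for DENY lines; other lines are ignored."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])


def detect_scans(lines, window_seconds=60, min_ports=10) -> dict:
    """Return {source: max distinct ports seen within one window} for every
    source that hit at least min_ports distinct ports inside window_seconds."""
    by_src = defaultdict(list)
    for ts, src, port in parse(lines):
        by_src[src].append((ts, port))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it is within the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts


def _line(ts, src, dport, action="DENY"):
    return f"{ts.isoformat()} {action} src={src} dst=10.0.0.10 dport={dport}"


_base = datetime(2015, 9, 25, 8, 0, 0)
# Constructed sample log: a fast scan (12 ports in 22 seconds), a legitimate
# host touching three ports, a slow scan (12 ports over 22 minutes), an ALLOW
# line and a line in another format that the parser must skip.
SAMPLE_LOG = (
    [_line(_base + timedelta(seconds=2 * i), "203.0.113.5", 20 + i) for i in range(12)]
    + [_line(_base + timedelta(seconds=5 * i), "198.51.100.7", p) for i, p in enumerate((80, 443, 8443))]
    + [_line(_base + timedelta(minutes=2 * i), "192.0.2.9", 1000 + i) for i in range(12)]
    + [_line(_base, "198.51.100.7", 443, "ALLOW")]
    + ["Sep 25 08:00:05 fw kernel: eth1 link up"]
)

if __name__ == "__main__":
    print("60s window:  ", detect_scans(SAMPLE_LOG))
    print("1h window:   ", detect_scans(SAMPLE_LOG, window_seconds=3600))
```

With the default 60-second window only the fast scanner is reported; the slow scanner is invisible until the window is widened to an hour, which is the trade-off every such rule carries: short windows keep noise down, long windows catch patient attackers at the cost of holding more state.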

Federal HIPAA Oversight: Enforcement
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is the enforcement agency for HIPAA. It:
- Performs investigations of reported breaches
- Levies civil money penalties for failures to comply with HIPAA provisions
OCR HIPAA Compliance Audit Program, Phase 2
- It is still coming; it has been lingering, but 2016 appears to be the year
- Contracts have been let with the audit firm FCi Federal
- Business Associates will be included in this phase

Federal HIPAA Oversight: OCR HIPAA Compliance Audit Program, Phase 2
- More defined scope than Phase 1
Business Associate Phase 2 focus areas:
- Risk Analysis and Risk Management
- Breach reporting to covered entities
Covered Entity Phase 2 focus areas:
- Notice of Privacy Practices, individual access, breaches
- Risk Analysis and Risk Management
- Training programs
- Device and media controls
- Transmission security

Federal HIPAA Oversight: OCR HIPAA Compliance Audit Program, Phase 2
Later focus areas mentioned, maybe 2017 and beyond:
Covered Entity Phase 2 focus areas:
- Encryption and decryption
- Facility access controls
- Breach notification reports and complaints
- Policies
Poor audit results could result in referrals for investigation, which can lead to settlements and penalties, such as:

$150,000 Settlement: Anchorage Community Mental Health Services
Settlement released in December 2014; incident occurred in 2012
What happened? Malware infiltrated the provider's network and compromised the data of 2,743 patients.
What were the findings?
- Failed to implement appropriate technical safeguards to ensure data security, specifically firewalls and patching of systems
- Failed to properly perform a Security Risk Assessment; failed to fully implement the sample policy set it had adopted

$218,400 Settlement: St. Elizabeth's Medical Center (SEMC)
Settlement released in July 2015; initial incident occurred in June 2012, another in August 2014
What happened? A complaint in 2012 stated that 498 patients' data was being stored improperly on an internet-based document sharing site. In 2014 SEMC reported a breach of 595 patients' data found on a former employee's personal laptop and USB drive.
What were the findings?
- Failed to implement appropriate security measures on transmission and storage of PHI
- Failed to properly respond to a known security incident
SEMC must assess awareness of and compliance with its policies. That means you, cardiology.

$750,000 Settlement: Cancer Care Group, P.C. (CCG)
Settlement released in September 2015; incident occurred in 2012 and was reported to OCR in August 2012
What happened? A laptop bag was stolen from an employee's car. Good news: the laptop did not contain PHI. Bad news: the unencrypted backup of the server that was in the same bag held the PHI of all past and present patients, around 55,000 people.
What were the findings?
- Failed to conduct a security risk assessment from 2005 to 2012; no policy for removal of hardware and media from the facility
- Disclosed 55,000 patients' data to an unauthorized person for an impermissible purpose when it failed to secure the backup media
CCG must complete a risk assessment, implement a risk management plan, and review and revise its policies and training program.

Large Breaches to Date in Mississippi
As noted in the OCR large breach database (breaches affecting 500 or more individuals), MS has only 7 breaches reported since 2009:
- 1 theft of a desktop computer: 1,104 patients
- 1 loss of a laptop: 500 patients
- 1 hacking or IT incident: 1,489 patients
- 1 theft of an "other" device: 3,750 patients (X-rays stolen for their silver content)
- 1 theft of paper/films: 1,797 patients
- 1 improper disposal of paper/films: 19,000 patients
- 1 theft of electronic medical records: 846 patients

PRIORITY ACTION STEPS

Action Steps
- Conduct and keep current a Security Risk Assessment (covered entities and business associates)
- Develop a security risk management program
- Use encryption tools where needed: laptops, email, storage devices and backup media
- Develop a Security Training Program that covers social engineering resistance (on top of basic security content such as passwords)
- Conduct technical reviews such as vulnerability scans
- Evaluate current use of, or need for, intrusion prevention tools and data leakage prevention tools as part of technical defenses

QUESTIONS AND COMMENTS?

HOW CAN HORNE HELP?
HORNE can assist with:
- Security Risk Assessments
- HIPAA Program Compliance Gap Analysis (Privacy & Security Rule)
- Policy and Procedure Implementation or Review
- Technical Reviews
For more information on this content, please contact:
Ken Miller, CPA, CIA, CRMA, CHC, CISA
HORNE LLP
Telephone: 601.326.1171
Ken.Miller@hornellp.com