Healthcare and Cybersecurity
September 28th, 2017
Brian M Matteson
Clark Schaefer Consulting
Melissa Meeker
Clark Schaefer Hackett
Introductions
Brian M Matteson, CISSP, CISA, CAP
Manager, Columbus Office
• Responsible for overall engagement quality and oversight of projects
• Areas of expertise include information security; risk management; and IT governance, audit, and compliance
• Works with a wide variety of clients and industries across Ohio
• In-depth knowledge of IT and security frameworks, regulations, and standards, including ISO, NIST, HIPAA, PCI, FISMA
Introductions
Melissa M. Meeker, CPA
Senior Accountant
• Specializes in the implementation, conversion, training and troubleshooting of financial accounting software packages and databases.
• She has an in-depth understanding of healthcare accounting and provides support to practice management in the form of budgeting, benchmarking, software optimization and month-end analytics.
• She assists organizations with developing, implementing and improving policies and procedures, including internal controls.
• She assists clients with various tax issues, including tax planning and preparation for federal, state, local and payroll taxes.
Agenda
• Regulatory versus security frameworks
• HIPAA, HITECH, Meaningful Use
• Case Studies
• Current Topics
Regulatory vs. Security Frameworks
Regulatory Frameworks: PCI, HIPAA
Security Frameworks: ISO, NIST
PCI DSS
Payment Card Industry Data Security Standard
What is it? Standards for protecting payment systems from breaches and theft of cardholder data
Who does it apply to? Merchants, financial institutions, point-of-sale vendors
Who enforces it? Individual payment brands or acquiring banks
HIPAA
Health Insurance Portability and Accountability Act of 1996
What is it? Legislation that provides data privacy and security provisions for safeguarding medical information
Who does it apply to? Healthcare providers, health plans, and healthcare clearinghouses
Who enforces it? Department of Health and Human Services Office of Civil Rights (OCR)
ISO
International Organization for Standardization
ISO began operations in 1947
Independent, non-governmental international organization with a membership of 162 national standards bodies
Has published 21,599 international standards and related documents covering every industry
NIST
National Institute of Standards and Technology
Founded in 1901, now part of the Department of Commerce
Mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology
Standards and guidelines developed by NIST for computer systems are issued as Federal Information Processing Standards (FIPS)
HITECH
Health Information Technology for Economic and Clinical Health
Enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA)
Signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology
Meaningful Use
Meaningful use is using certified electronic health record (EHR) technology to:
• Improve quality, safety, efficiency, and reduce health disparities
• Engage patients and family
• Improve care coordination, and population and public health
• Maintain privacy and security of patient health information
It is hoped that meaningful use compliance will result in:
• Better clinical outcomes
• Improved population health outcomes
• Increased transparency and efficiency
• Empowered individuals
• More robust research data on health systems
HITECH Objectives
1. Extends privacy and security protections of HIPAA
2. Increases penalties for violation (willful neglect)
3. Offers financial incentives for use of Electronic Health Records (EHR)
4. Requires notification of a PHI breach
HIPAA Security Rule
Security Standards for the Protection of Electronic Protected Health Information
Establishes a national set of security standards for protecting patient health information (PHI) that is being housed or transferred in electronic form.
Covered entities must maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI:
  – Ensure the confidentiality, integrity, and availability of all e-PHI created, received, maintained or transmitted
  – Identify and protect against reasonably anticipated threats to the security or integrity of the information
  – Protect against reasonably anticipated, impermissible uses or disclosures
  – Ensure compliance by their workforce
HIPAA Privacy Rule
The Standards for Privacy of Individually Identifiable Health Information
Establishes the first national standards to protect patients' personal health information (PHI).
  – Requires appropriate safeguards to protect the privacy of personal health information
  – Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization
  – Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections
HIPAA Breach Notification Rule
Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
Individual Notice
  – Must provide this individual notice in written form
  – If contact information for 10 or more individuals is insufficient, the covered entity must post on the home page of its web site for at least 90 days or provide notice in major print or broadcast media
Media Notice
  – Breach affects more than 500 residents of a state
  – Required to provide notice to prominent media
Notice to the Secretary
  – Notify via the web site breach report form
The Three P’s
Policies – THE WHAT
  – Timely
  – Relevant
  – Defend against the current threat landscape
Procedures – THE HOW
  – Must be able to demonstrate that you have procedures in place based on your policies
Practices – THE PROOF
  – Evidence that you practice those procedures
OCR (Office of Civil Rights)
Common findings
  – Impermissible uses and disclosures of PHI
    • Allowing those without a direct need access to the data
  – Lack of safeguards of PHI
    • Encryption
    • Ability to remotely wipe a hard drive
  – Inability of the patient to access their data
  – Use or disclosure of more than the minimum necessary PHI
  – Lack of administrative safeguards
Other common HIPAA violation causes
• Unencrypted Devices
• Email Phishing
• Malware / Ransomware
• Third Party Disclosure
• Employee Dishonesty
• Improper Disposal
• Unauthorized Release
• Lack of Education and Training
• Old Technology
Case Study 1 – Unencrypted Laptop
Advocate Health Care Network, $5.5 million
• Largest HIPAA settlement as of September 2016
• Result of three separate data breaches
• Affected a total of 4 million individuals
• One incident involved an unencrypted laptop that was stolen from an employee vehicle
• Another incident involved the theft of four computers
• OCR noted that Advocate Health Care failed to conduct a risk analysis of all of its facilities, information systems, applications, and equipment that handle ePHI
  – A risk management plan needs to include not only technical but also physical and administrative measures.
Case Study 2 – Email Phishing
The University of Washington Medicine
• In December 2015, The University of Washington Medicine was first investigated by the OCR
• The facility suffered a significant security breach
• The incident occurred after a staff member inadvertently opened an email that contained malicious software
• Over 90,000 digital patient health records were accessed and compromised
• Settlement of $750,000
Case Study 3 – Improperly Configured Server
New York and Presbyterian Hospital (NYP) and Columbia University, $4.8 million
• Fined after 6,800 patient records were accidentally exposed publicly to search engines
• Caused by an improperly configured computer server that was personally owned by a physician
  – The server was connected to a network with ePHI
• NYP lacked processes for assessing and monitoring all its systems, equipment, and applications connected with patient data
• NYP also didn’t have appropriate policies and procedures for authorizing access to patient databases
• Both of these violations would have been easy to prevent through administrative processes
Case Study 4 – Malware
Anchorage Community Mental Health Services (ACMHS), $150,000
• Malware infection compromised the records of >2,700 individuals
• ACMHS did not review its systems for unpatched and unsupported software and did not regularly update its IT resources
• Underscores the importance of running regular updates and patches
  – A simple yet often ignored practice that can have major implications
Case Study 5 – Cloud Storage
St. Elizabeth’s Medical Center, $218,400
• Stemmed from two incidents, one of which was the use of a cloud-based file-sharing application
  – Did not evaluate the risks of using the cloud service, putting the ePHI of nearly 500 people at risk
• The cloud provides a scalable, cost-effective and flexible solution for storing and sharing patient data
• Conduct a risk assessment prior to migrating to a cloud environment
  – The risk assessment should also include a comprehensive analysis of the security capabilities of prospective vendors
Current Topics
What are we doing wrong… and how to fix it
#1 We’re forgetting the basics
• OCR increasing fines based on “negligence”
  – $100 to $50,000 per record
  – Spectrum from “didn’t know” to “willful neglect”
• The “Big 3”
  – Trends show that organizations that lack these receive much steeper fines
    • A comprehensive risk assessment and risk management program
    • Documented policies
    • Basic technical controls
Cybersecurity Framework (CSF)
• Three parts:
  – Framework Core
  – Framework Implementation Tiers
  – Framework Profiles
Framework Core: [diagram not reproduced in this extract]
Risk Management Framework
[diagram not reproduced in this extract]
NIST SP 800-37
[diagram not reproduced in this extract]
#2 We’re not looking at our partners
• “Business associates” are covered under the privacy and security rules
  – Must have a written policy for transferring PHI
  – Risk involved with partners must be assessed
    • If you share information electronically you must consider their IT security controls
• Quick experiment
Tools to evaluate “business associates”
• SOC 2 report
  – Based on a standard from the AICPA
  – Gives an auditor’s opinion of the company’s security controls
• IT security review of contracts
• Training for general counsel or the contracts team
• For high-risk relationships, execute the right-to-audit clause
#3 We’re getting locked out
• Anatomy of a ransomware attack
How to protect your organization
• Find the vulnerabilities before the adversary does
  – Regular patching
  – Vulnerability scanning
• Safeguard your data
  – Enterprise architecture
  – Back up your critical data
• Train your users
  – Most attacks start with phishing emails
• Don’t pay them
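The “regular patching” item above, and the Case Study 4 finding that ACMHS did not review its systems for unpatched and unsupported software, both come down to one repeatable check: compare what is actually installed against the patch baseline the policy requires and against vendor end-of-support dates. The script below is an added example, not code from the presentation or from Clark Schaefer; every host name, product, version and date in it is constructed sample data, and the function names (assess, summarize, parse_version) are my own. It also handles the version-string pitfall that a naive check gets wrong: compared as strings, "4.9.10" sorts above "4.12.3".

```python
"""Flag inventory entries that are below the patch baseline or past vendor end-of-support.
Added example; all hosts, product names, versions and dates below are constructed."""
import re
from datetime import date
from typing import NamedTuple


class Finding(NamedTuple):
    host: str
    product: str
    installed: str
    issue: str    # "unpatched" or "unsupported"
    detail: str


# Minimum acceptable version per product, as set by the (constructed) patch policy.
PATCH_BASELINE = {
    "ehr-app": "4.12.3",
    "db-server": "13.9",
    "remote-access": "2.8.1",
}

# Vendor end-of-support dates (constructed). A product past this date receives no
# security fixes at all, so it is a finding regardless of which version is installed.
END_OF_SUPPORT = {
    "legacy-os": date(2016, 1, 1),
    "db-server": date(2030, 1, 1),
}

# Constructed asset inventory, of the kind an endpoint agent or scanner exports.
INVENTORY = [
    {"host": "clinic-ws01", "product": "ehr-app", "version": "4.12.3"},
    {"host": "clinic-ws02", "product": "ehr-app", "version": "4.9.10"},
    {"host": "db01", "product": "db-server", "version": "13.7"},
    {"host": "imaging01", "product": "legacy-os", "version": "6.1"},
    {"host": "vpn01", "product": "remote-access", "version": "2.10.0"},
]


def parse_version(version: str) -> tuple:
    """Turn '4.12.3' into (4, 12, 3) so comparisons are numeric.
    A plain string comparison would rank '4.9.10' above '4.12.3'.
    A non-numeric suffix such as '13.9-rc1' compares on its leading digits."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def assess(inventory=INVENTORY, baseline=PATCH_BASELINE,
           end_of_support=END_OF_SUPPORT, today_iso="2017-09-28") -> list:
    """Return one Finding per policy violation found in the inventory."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        host, product, installed = asset["host"], asset["product"], asset["version"]
        minimum = baseline.get(product)
        if minimum and parse_version(installed) < parse_version(minimum):
            findings.append(Finding(host, product, installed, "unpatched",
                                    f"below baseline {minimum}"))
        retired = end_of_support.get(product)
        if retired and today >= retired:
            findings.append(Finding(host, product, installed, "unsupported",
                                    f"vendor support ended {retired.isoformat()}"))
    return findings


def summarize(findings) -> dict:
    """Counts by issue type: the figure that belongs in the risk register."""
    counts = {"unpatched": 0, "unsupported": 0}
    for finding in findings:
        counts[finding.issue] += 1
    return counts


if __name__ == "__main__":
    results = assess()
    for f in results:
        print(f"{f.host:12} {f.product:14} {f.installed:8} {f.issue:12} {f.detail}")
    print(summarize(results))
```

Run on the sample inventory it reports two hosts below baseline and one host on software past end-of-support. In practice the inventory would come from the scanner or endpoint agent, and the baseline and end-of-support tables from the patch policy and vendor notices; the point is that the review is a scheduled, recorded comparison rather than an ad hoc look, which is the evidence the “Practices – THE PROOF” slide asks for.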
Summary
• The number of attacks continues to rise
• The misconception of being “too small”
• Don’t be paralyzed by thinking it’s too much
  – Start with a security program policy
  – Do a risk assessment
  – Put in place controls based on your risks
Assurance Services
• Financial statement audits, reviews & compilations
• Internal audit
• Employee benefit plan audits
• Outsourced accounting
• Payroll services
• Reports on internal controls
Tax Services
• Federal, state & local tax compliance
• Tax planning
• Sales & use tax risk management & exemption filings
• Cost segregation studies
Healthcare Consulting
• Operational assessments
• Practice management
• Benchmarking & best practices
• Physician compensation models
• Revenue cycle management
• Coding & billing
• Financial forecasting
• Compliance assessment & training
• Payer contract negotiations
• Managed care contracting
• Executive recruiting & management services
Additional Services
• Qualified plan administration & consulting
• Litigation support
• Fraud & forensic services
• Business valuations
• Software conversion and training
Technology Services
• Policy and Procedure Development
• Project Management
• Report Writing
• System Changes
• System Selection
• Business Continuity and Disaster Recovery
• Implementation Assistance
• Information Security & Privacy
• IT Risk Assessment
• IT Audit
Audit and Controls Services
• Construction & Contract Audit
• COSO Compliance Assistance
• Fraud Audit
• Internal Audit
• IT Audit
• Risk Assessment
• Sarbanes-Oxley & JSOX Assistance
• SSAE16 (Formerly SAS-70)
Accounting and Finance Services
• Financial and SEC Reporting Assistance
• Policy and Procedure Development
• Process Improvement
• Reconciliations
• Report Writing
• Risk Assessment
• Sarbanes-Oxley & JSOX Assistance
• SSAE16 (Formerly SAS-70)
• Staffing Assistance
Questions?
If you wish to discuss any aspect of this presentation in more detail, please feel free to contact us:
Melissa Meeker
mmeeker@cshco.com
(937) 399-2000
Brian M Matteson
bmatteson@clarkschaefer.com
(614) 607-5826

More Related Content

PPTX
Cyber Crime and Security Presentation
PPTX
Role of artificial intelligence in health care
PDF
Cybersecurity Challenges in Healthcare
PDF
Blockchain and its Use in the Public Sector - OECD
PPTX
Safety management in electrification of railways
PPTX
How should our higher education institutions respond to innovations in new AI...
PDF
Research Design: Quantitative, Qualitative and Mixed Methods Design
PPTX
SOC 2 Compliance and Certification
Cyber Crime and Security Presentation
Role of artificial intelligence in health care
Cybersecurity Challenges in Healthcare
Blockchain and its Use in the Public Sector - OECD
Safety management in electrification of railways
How should our higher education institutions respond to innovations in new AI...
Research Design: Quantitative, Qualitative and Mixed Methods Design
SOC 2 Compliance and Certification

What's hot (20)

PPTX
Cyber Security and Healthcare
PDF
Data Security in Healthcare
PPTX
Artificial Intelligence and Cybersecurity
PPTX
What’s The Difference Between Structured, Semi-Structured And Unstructured Data?
PDF
Tcs cybersecurity for healthcare
PPTX
Smart hospitals
PPT
Digital Forensic
PPT
Basics of Information System Security
PDF
Zero Trust Model Presentation
PDF
Osint presentation nov 2019
PPTX
Data breach
PPTX
Cybersecurity
PDF
Tech Refresh - Cybersecurity in Healthcare
PPTX
Healthcare Cybersecurity | Cybersecurity in Healthcare
PPT
Health information security system
PDF
Security & Privacy for Health Data
PDF
Data Analytics in Healthcare
PPTX
case study on cyber crime
PPTX
Data Loss Prevention
PDF
HOW AI CAN HELP IN CYBERSECURITY
Cyber Security and Healthcare
Data Security in Healthcare
Artificial Intelligence and Cybersecurity
What’s The Difference Between Structured, Semi-Structured And Unstructured Data?
Tcs cybersecurity for healthcare
Smart hospitals
Digital Forensic
Basics of Information System Security
Zero Trust Model Presentation
Osint presentation nov 2019
Data breach
Cybersecurity
Tech Refresh - Cybersecurity in Healthcare
Healthcare Cybersecurity | Cybersecurity in Healthcare
Health information security system
Security & Privacy for Health Data
Data Analytics in Healthcare
case study on cyber crime
Data Loss Prevention
HOW AI CAN HELP IN CYBERSECURITY
Ad

Similar to Healthcare and Cyber security (20)

PPT
HIPAA TITLE II (2)
PPTX
Enhancing Your Data Security: Closing the Gap on Unsecured Communications
PPTX
Data and Network Security: What You Need to Know
PDF
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
PPTX
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
PDF
Risk management in Healthcare on Cloud
PDF
Webinar: Overcoming it challenges
PDF
The Most Wonderful Time of the Year for Health-IT...NOT
PDF
HIPAA Compliance: Safeguarding Healthcare Information in the Digital Age
PDF
5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk
PDF
Protecting ePHI: What Providers and Business Associates Need to Know
PDF
Upcoming New 2025 HIPAA Changes and Beyond
PDF
Health care compliance webinar may 10 2017
PDF
HIPAA Compliant Cloud Computing, An Overview
PDF
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
PPTX
The Intersection of OCR Enforcement and Health Care Data Privacy & Security
PDF
Executive Presentation on adhering to Healthcare Industry compliance
DOCX
NURS FPX 4040 assessment 2 protected health information phi privacy security ...
PPTX
Hipaa in the era of ehr mo dept hss
PPTX
HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
HIPAA TITLE II (2)
Enhancing Your Data Security: Closing the Gap on Unsecured Communications
Data and Network Security: What You Need to Know
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
Risk management in Healthcare on Cloud
Webinar: Overcoming it challenges
The Most Wonderful Time of the Year for Health-IT...NOT
HIPAA Compliance: Safeguarding Healthcare Information in the Digital Age
5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk
Protecting ePHI: What Providers and Business Associates Need to Know
Upcoming New 2025 HIPAA Changes and Beyond
Health care compliance webinar may 10 2017
HIPAA Compliant Cloud Computing, An Overview
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
The Intersection of OCR Enforcement and Health Care Data Privacy & Security
Executive Presentation on adhering to Healthcare Industry compliance
NURS FPX 4040 assessment 2 protected health information phi privacy security ...
Hipaa in the era of ehr mo dept hss
HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
Ad

Recently uploaded (20)

PPTX
CLASS III MALOCCLUSION IN ORTHODONTICS
PPTX
Single Visit Endodontics.pptx root canal treatment in one visit
PPTX
SlideEgg_100085- World Mental Health Day.pptx
PPTX
Common Bacterial infections-converted_64bcdc4f77a3b7b90bdeb611f66c6ddd.pptx
PPTX
INTRODUCTION TO BIOLOGY AND THE BRANCHES OF BIOLOGY
PPTX
Physiological Changes in Pregnancy.pptx..
PPTX
Head Spine trauma assesment and managementATLS Final.pptx
PPTX
applied physics dental materials basic principles
PPTX
health care concerns.pptx by hemant kumari
PDF
Indonesian Healthtech Innovation_11Sep2019_Industry_Geraldine Seow_1.pdf
PPT
53afocus7fluidelectrolytesacid-basebalance-121205082904-phpapp01.ppt
PDF
Cellular Respiration-BIOLOGEYCHEMESTRY'S
PPT
FRACTURE CLASSIFICATION AND MANAGEMENT..
PDF
Joint Commission EBPCD24_samplepages.pdf
PPTX
Right Lateral Medullary Syndrome (1).pptx
PDF
CSF rhinorrhea its cause management .pptx
PPTX
VITAL PULP THERAPY in pediatric dentistry
PPTX
Case report session Apendisitis Akut people.pptx
PDF
Liver Cirrhosis: Causes, Symptoms, Stages & Expert Treatment in Pune
PPT
NEPHROTIC SYNDROME POWER POINT PRESENTATION
CLASS III MALOCCLUSION IN ORTHODONTICS
Single Visit Endodontics.pptx root canal treatment in one visit
SlideEgg_100085- World Mental Health Day.pptx
Common Bacterial infections-converted_64bcdc4f77a3b7b90bdeb611f66c6ddd.pptx
INTRODUCTION TO BIOLOGY AND THE BRANCHES OF BIOLOGY
Physiological Changes in Pregnancy.pptx..
Head Spine trauma assesment and managementATLS Final.pptx
applied physics dental materials basic principles
health care concerns.pptx by hemant kumari
Indonesian Healthtech Innovation_11Sep2019_Industry_Geraldine Seow_1.pdf
53afocus7fluidelectrolytesacid-basebalance-121205082904-phpapp01.ppt
Cellular Respiration-BIOLOGEYCHEMESTRY'S
FRACTURE CLASSIFICATION AND MANAGEMENT..
Joint Commission EBPCD24_samplepages.pdf
Right Lateral Medullary Syndrome (1).pptx
CSF rhinorrhea its cause management .pptx
VITAL PULP THERAPY in pediatric dentistry
Case report session Apendisitis Akut people.pptx
Liver Cirrhosis: Causes, Symptoms, Stages & Expert Treatment in Pune
NEPHROTIC SYNDROME POWER POINT PRESENTATION

Healthcare and Cyber security

  • 1. Healthcare and Cybersecurity September 28th, 2017 Brian M Matteson Clark Schaefer Consulting Melissa Meeker Clark Schaefer Hackett
  • 2. Introductions Brian M Matteson, CISSP, CISA, CAP Manager, Columbus Office  Responsible for overall engagement quality and oversight of projects  Areas of expertise include information security; risk management; and IT governance, audit, and compliance  Works with wide variety of clients and industries across Ohio  In-depth knowledge of IT and security frameworks, regulations, and standards, including ISO, NIST, HIPAA, PCI, FISMA 2
  • 3. Introductions Melissa M. Meeker, CPA Senior Accountant  Specializes in the implementation, conversion, training and troubleshooting of financial accounting software packages and databases.  She has an in-depth understanding of healthcare accounting and provides support to practice management in the form of budgeting, benchmarking, software optimization and month end analytics.  She assists organization with developing, implementing and improving policies and procedures, including internal controls.  She assists clients with various tax issues including tax planning, preparation for federal, state, local and payroll 3
  • 4. Agenda  Regulatory versus security frameworks  HIPAA, HITECH, Meaningful Use  Case Studies  Current Topics 4
  • 6. PCI DSS Payment Card Industry Data Security Standard What is it? Standards for protecting payment systems from breaches and theft of cardholder data Who does it apply to? Merchants, financial institutions, point-of-sale vendors Who enforces it? Individual payment brands or acquiring banks 6Regulatory Frameworks
  • 7. HIPAA Health Insurance Portability and Accountability Act of 1996 What is it? Legislation that provides data privacy and security provisions for safeguarding medical information Who does it apply to? Healthcare providers, health plans, and healthcare clearing houses Who enforces it? Department of Human and Health Services Office of Civil Rights (OCR) 7
  • 8. ISO International Organization for Standardization ISO began operations in 1947 Independent, non-governmental international organization with membership of 162 national standards bodies Published 21,599 international standards and related documents for every industry 8
  • 9. NIST National Institute of Standards and Technology Founded in 1901, now part of Department of Commerce Mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology Standards and guidelines developed by NIST for computer systems are issued as Federal Information Processing Standards (FIPS) 9
  • 10. HITECH Health Information Technology for Economic and Clinical Health Enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) Signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology 10
  • 11. Meaningful Use 11 Meaningful use is using certified electronic health record (EHR) technology to • Improve quality, safety, efficiency, and reduce health disparities • Engage patients and family • Improve care coordination, and population and public health • Maintain privacy and security of patient health information It is hoped that the meaningful use compliance will result in • Better clinical outcomes • Improved population health outcomes • Increased transparency and efficiency • Empowered individuals • More robust research data on health systems
  • 12. HITECH Objectives 1. Extends privacy and security protections of HIPAA 2. Increases penalties for violation (willful neglect) 3. Offers financial incentives for use of Electronic Health Records (EHR) 4. Requires notification of a PHI breach 12
  • 13. HIPAA Security Rule Security Standards for the Protection of Electronic Protected Health Information Establishes a national set of security standards for protecting important patient health information (PHI) that is being housed or transferred in electronic form. Maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI – Ensure the confidentiality, integrity, and availability of all e-PHI created, received, maintained or transmitted – Identify and protect against reasonably anticipated threats to the security or integrity of the information – Protect against reasonably anticipated, impermissible uses or disclosures – Ensure compliance by their workforce. 13
  • 14. HIPAA Privacy Rule The Standards for Privacy of Individually Identifiable Health Information Establishes the first national standards to protect patients' personal health information (PHI). – Requires appropriate safeguards to protect the privacy of personal health information – Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. – Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections 14
  • 15. HIPAA Breach Notification Rule Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Individual Notice – Must provide this individual notice in written form – If contact information for 10 or more individuals is insufficient the covered entity must post on the home page of its web site for at least 90 days or provide notice in major print or broadcast. Media Notice – Breach affects more than 500 residents of a state – Required to provide notice to prominent media Notice to the Secretary – Notify via web site breach report form 15
  • 16. The Three P’s Policies - THE WHAT – Timely – Relevant – defend against the current threat landscape Procedures – THE HOW – Must be able to demonstrate that you have procedures in place based on your policies. Practices – THE PROOF – Evidence that you practice those procedures 16
  • 17. (Office of Civil Rights) OCR Common findings – Impermissible uses and disclosures of PHI • Allowing those without a direct need access to the data – Lack of safeguards of PHI • Encryption • Ability to remotely wipe a hard drive – Inability of the patient to access their data – Use or disclosure of more than the minimum necessary PHI – Lack of administrative safeguards 17
  • 18. Other common HIPAA violation causes Unencrypted Devices Email Phishing Malware / Ransomware Third Party Disclosure Employee Dishonesty Improper Disposal Unauthorized Release Lack of Education and Training Old Technology 18
  • 19. Case Study 1 – Unencrypted Laptop Advocate Health Care Network, $5.5 million  Largest HIPAA settlement as of September 2016  Result of three separate data breaches  Affected total of 4 million individuals  One incident involved an unencrypted laptop that was stolen from an employee vehicle  Another incident involved the theft of four computers  OCR noted that Advocate Health Care failed to conduct risk analysis of all of its facilities, information systems, applications, and equipment that handle ePHI – Risk management plan needs to include not only technical but also physical and administrative measures. 19
  • 20. Case Study 2 – Email Phishing The University of Washington Medicine  In December 2015, The University of Washington Medicine was first investigated by the OCR  Facility suffered a significant security breach  Incident occurred after a staff member inadvertently opened an email that contained malicious software  Over 90,000 digital patient health records were accessed and compromised  Settlement of $750,000 20
  • 21. Case Study 3 – Improper Configured Server New York and Presbyterian Hospital (NYP) and Columbia University, $4.8 million  Fined after 6,800 patient records accidently exposed publicly to search engines  Caused by an improperly configured computer server that was personally owned by a physician – Server was connected to network with ePHI  NYP lacked processes for assessing and monitoring all its systems, equipment, and applications connected with patient data  NYP also didn’t have appropriate policies and procedures for authorizing access to patient databases  Both of these violations would have been easy to prevent through administrative processes 21
  • 22. Case Study 4 – Malware Anchorage Community Mental Health Services (ACMHS), $150,000  Malware infection compromised the records of >2,700 individuals  ASMHS did not review its systems for unpatched and unsupported software and did not regularly update its IT resources  Underscores importance of running regular updates and patches – Simple yet often ignored practice that could have major implications 22
  • 23. Case Study 5 – Cloud Storage St. Elizabeth’s Medical Center, $218,400  Stemmed from two incidents, one of which was use of a cloud-based file-sharing application. – Did not evaluate risks of using cloud service, putting ePHI of nearly 500 people at risk  The cloud provides scalable, cost-effective and flexible solution for storing and sharing patient data  Conduct risk assessment prior to migrating to cloud environment – Risk assessment should also include a comprehensive analysis of the security capabilities of prospective vendors 23
  • 24. Current Topics What are we doing wrong… and how to fix it 24
  • 25. #1 We’re forgetting the basics  OCR increasing fines based on “negligence” – $100 to $50,000 per record – Spectrum from “didn’t know” to “willful neglect”  The “Big 3” – Trends show that organizations that lack these receive much steeper fines • A comprehensive risk assessment and risk management program • Documented policies • Basic technical controls 25
  • 26. Cybersecurity Framework (CSF)  Three parts: – Framework Core – Framework Implementation Tiers – Framework Profiles Framework Core: 26
  • 28. 28
  • 29. #2 We’re not looking at our partners  “Business associates” are covered under the privacy and security rules – Must have a written policy for transferring PHI – Risk involved with partners must be assessed • If you share information electronically you must consider their IT security controls  Quick experiment 29
  • 30. Tools to evaluate “business associates”  SOC2 report – Based on a standard from AICPA – Gives an auditor’s opinion of the company’s security controls  IT security review of contracts  Training for general counsel or contracts team  For high-risk relationships, execute the right to audit clause 30
  • 31. #3 We’re getting locked out  Anatomy of a ransomware attack 31
  • 32. How to protect your organization  Find the vulnerabilities before the adversary – Regular patching – Vulnerability scanning  Safeguard your data – Enterprise architecture – Back up your critical data  Train your users – Most attacks start with phishing emails  Don’t pay them 32
  • 33. Summary  Number of attacks continues to rise  The misconception of being “too small”  Don’t be paralyzed by thinking it’s too much – Start with a security program policy – Do a risk assessment – Put in place controls based on your risks 33
  • 34. Assurance Services • Financial statement audits, reviews & compilations • Internal audit • Employee benefit plan audits • Outsourced accounting • Payroll services • Reports on internal controls Tax Services • Federal, state & local tax compliance • Tax planning • Sales & use tax risk management & exemption filings • Cost segregation studies Healthcare Consutling • Operational assessments • Practice management • Benchmarking & best practices • Physician compensation models • Revenue cycle management • Coding & billing • Financial forecasting • Compliance assessment & training • Payer contract negotiations • Managed care contracting • Executive recruiting & management services Additional Services • Qualified plan administration & consulting • Litigation support • Fraud & forensic services • Business valuations • Software conversion and training
  • 35. Technology Services • Policy and Procedure Development • Project Management • Report Writing • System Changes • System Selection • Business Continuity and Disaster Recovery • Implementation Assistance • Information Security & Privacy • IT Risk Assessment • IT Audit Audit and Controls Services • Construction & Contract Audit • COSO Compliance Assistance • Fraud Audit • Internal Audit • IT Audit • Risk Assessment • Sarbanes-Oxley & JSOX Assistance • SSAE16 (Formerly SAS-70) Accounting and Finance Services • Financial and SEC Reporting Assistance • Policy and Procedure Development • Process Improvement • Reconciliations • Report Writing • Risk Assessment • Sarbanes-Oxley & JSOX Assistance • SSAE16 (Formerly SAS-70) • Staffing Assistance
  • 36. Questions? If you wish to discuss any aspect of this presentation in more detail, please feel free to contact us:
    – Melissa Meeker, [email protected], (937) 399-2000
    – Brian M Matteson, [email protected], (614) 607-5826

Editor's Notes

  • #2: Brian (Do you want to go first since your bio is first) Good afternoon and welcome.
  • #3: Brian M Matteson, CISSP, CISA, CAP Manager, Columbus Office Responsible for overall engagement quality and oversight of projects Areas of expertise include information security; risk management; and IT governance, audit, and compliance Works with wide variety of clients and industries across Ohio In-depth knowledge of IT and security frameworks, regulations, and standards, including ISO, NIST, HIPAA, PCI, FISMA
  • #4: Melissa M. Meeker, CPA Senior Accountant Specializes in the implementation, conversion, training and troubleshooting of financial accounting software packages and databases. She has an in-depth understanding of healthcare accounting and provides support to practice management in the form of budgeting, benchmarking, software optimization and month end analytics. She assists organizations with developing, implementing and improving policies and procedures, including internal controls. She assists clients with various tax issues including tax planning, preparation for federal, state, local and payroll
  • #5: Melissa Today we will review the Regulatory and Security frameworks around cybersecurity We will review HIPAA and rules related to security, privacy and breach notification Learn the right questions to be asking your IT team Understand HITECH and how it relates to healthcare providers Review some case studies involving HIPAA violations AND Learn what’s next in healthcare privacy and security by looking at some current topics
  • #6: Brian First, let’s talk about a few of the key players in the IT security world. Particularly when it comes to healthcare. Regulatory frameworks => required to comply, carry monetary penalties, some like HIPAA are law, while PCI is industry enforced Security Frameworks => collection of industry best practices, not enforceable, some are more rigid than others
  • #7: Brian What is it: Cardholder data consists of any information on the physical payment card (name, card number, expiration date, cvv code, and magnetic stripe) Who does it apply to: Organizations that process, transmit, and/or store cardholder data Who enforces it: card brands that participate are American Express, Discover, JCB International, MasterCard, and Visa/Visa Europe => backed by legal language in card use agreements; NOT LAW; no one goes to jail Organization is proud of saying “no one that is PCI compliant has ever been breached” => they do an after breach assessment then fine you and say you weren’t compliant Can be certified by an external assessor through an audit process; some orgs can conduct a “self-assessment”
  • #8: Brian What is it: HIPAA is large legislation, but when we talk about it in a security context, we’re talking about the security and privacy rules specifically. Who does it apply to: The HIPAA Rules apply to “covered entities” and “business associates” as defined by HHS. Who enforces it: Office of Civil Rights (OCR) We’re probably all very familiar with HIPAA; We’ll go into some more detail later on.
  • #9: BRIAN Contrasting the compliance frameworks Huge organization. Offers standards on everything from IT security to manufacturing quality control. IT security standards are the 27,000 series => 27001 is Information Systems Management System; focuses on policy and structure of information security department => 27002 is a recommendation of technical and non-technical controls that can be implemented Can be independently certified through an audit => usually very expensive and time consuming; takes 3-5 years of records for review
  • #10: BRIAN NIST publishes a huge arrangement of standards, including information security standards. => most relevant documentation is in the 800 series; 800-53, 800-37 NIST: National Institute of Standards and Technology Non-regulatory agency of the US Department of Commerce NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing FISMA (Federal Information Security Management Act of 2002) Example: FIPS 200: Minimum Security Requirements for Federal Information and Information Systems. Melissa is going to take a little deeper dive into HIPAA as it pertains to IT Security and also talk about HITECH
  • #11: Melissa HITECH was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) Signed into law to promote the adoption and meaningful use of health information technology.
  • #12: Melissa Meaningful use is using certified electronic health record (EHR) technology to Improve quality, safety, efficiency, and reduce health disparities Engage patients and family Improve care coordination, and population and public health Maintain privacy and security of patient health information Ultimately, it is hoped that the meaningful use compliance will result in: Better clinical outcomes Improved population health outcomes Increased transparency and efficiency Empowered individuals More robust research data on health systems
  • #13: Melissa HITECH’s objectives – The use of Electronic Health Records should improve quality, patient safety and lower cost. Extends privacy and security protections of HIPAA. Increases penalties for violation - Mandatory penalties for “willful neglect” can extend up to $250,000 with repeat or uncorrected violations extending up to $1.5 million. Offers financial incentives for use of Electronic Health Records (EHR). Requires notification of a PHI breach. The HITECH Act of 2009 expanded the responsibilities of business associates under the HIPAA Security Rule. HHS developed regulations to implement and clarify these changes.
  • #14: Melissa Security Rule Security Standards for the Protection of Electronic Protected Health Information Establishes a national set of security standards for protecting important patient health information (PHI) that is being housed or transferred in electronic form. Maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI Ensure the confidentiality, integrity, and availability of all e-PHI created, received, maintained or transmitted Identify and protect against reasonably anticipated threats to the security or integrity of the information Protect against reasonably anticipated, impermissible uses or disclosures Ensure compliance by their workforce.
  • #15: Melissa Privacy Rule The Standards for Privacy of Individually Identifiable Health Information Establishes the first national standards to protect patients' personal health information (PHI). Requires appropriate safeguards to protect the privacy of personal health information Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections
  • #16: Melissa Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
    – Individual Notice: Must provide this individual notice in written form. If contact information for 10 or more individuals is insufficient, the covered entity must post on the home page of its web site for at least 90 days or provide notice in major print or broadcast.
    – Media Notice: Breach affects more than 500 residents of a state. Required to provide notice to prominent media.
    – Notice to the Secretary: Notify via web site breach report form. Must be able to demonstrate that all required notifications have been provided. No more than 60 days from the breach.
  • #17: Melissa Policies - THE WHAT Your policies must be timely and relevant IT security and privacy policies to defend against the current threat landscape. Procedures – THE HOW Must be able to demonstrate that you have procedures in place based on your policies. Practices – THE PROOF Evidence that you practice those procedures
  • #18: Melissa As mentioned, the OCR (Department of Human and Health Services Office of Civil Rights) was granted the authority to enforce the HIPAA Security Rule in 2013.
    – Impermissible use: Chief Nursing Officer has access to ALL data. Only those who have direct need should have access to data. Research is not always a reason to have access.
    – Lack of safeguards of PHI: encryption; ability to remotely wipe a hard drive
    – Inability of the patient to access their data
    – Use or disclosure of more than the minimum necessary PHI
    – Lack of administrative safeguards
    – Lack of training: employee unfamiliarity with the HIPAA Rule. ALL employees who come in contact with PHI are included in the training. This includes any contractors, front desk workers, and volunteers.
    – Sharing PHI between co-workers in a public area or with friends who should not know this information puts you at risk for a HIPAA violation. Be mindful of your environment, restrict those conversations to private places, and don’t share information with friends and family.
  • #19: Melissa
    – Unencrypted Devices
    – Email
    – Phishing
    – Malware / Ransomware
    – Third Party Disclosure
    – Employee Dishonesty
    – Improper Disposal: a photocopier can cause a HIPAA violation if patient information is saved on the hard drive. This happened to Affinity Health Plan, Inc., and they were stuck with a $1.2 million dollar fine from HHS.
    – Unauthorized Release
    – Education and Training: education must be relevant to the times. You can’t take the same HIPAA training year after year and expect it to be sufficient. Must be educated on the most recent threats: ransomware, phishing scams.
  • #20: MELISSA Advocate Health Care Network, $5.5 million
    – Largest HIPAA settlement as of September 2016
    – Result of three separate data breaches; affected total of 4 million individuals
    – One incident involved an unencrypted laptop that was stolen from an employee vehicle; another incident involved the theft of four computers
    – OCR noted that Advocate Health Care failed to conduct risk analysis of all of its facilities, information systems, applications, and equipment that handle ePHI
    – Risk management plan needs to include not only technical but also physical and administrative measures.
    In April of 2014, they reported to OCR an unencrypted computer had been stolen from one of their facilities. This incident resulted in an OCR audit of the company's security policies for electronic devices. OCR found insufficient encryption throughout the company on a variety of electronic devices, and ultimately levied a $1.7 million dollar fine against Concentra Health Services.
    In 2013, the first violation for a case of unencrypted data involving fewer than 500 patients was settled for $50,000. A laptop containing the PHI of 441 patients was stolen from Hospice of North Idaho.
  • #21: MELISSA The University of Washington Medicine In December 2015, The University of Washington Medicine was first investigated by the OCR Facility suffered a significant security breach Incident occurred after a staff member inadvertently opened an email that contained malicious software Over 90,000 digital patient health records were accessed and compromised Settlement of $750,000
  • #22: MELISSA New York and Presbyterian Hospital (NYP) and Columbia University, $4.8 million
    – Fined after 6,800 patient records accidentally exposed publicly to search engines
    – Caused by an improperly configured computer server that was personally owned by a physician; server was connected to network with ePHI
    – NYP lacked processes for assessing and monitoring all its systems, equipment, and applications connected with patient data
    – NYP also didn’t have appropriate policies and procedures for authorizing access to patient databases
    – Both of these violations would have been easy to prevent through administrative processes
    System Vulnerabilities
    – Use strong passwords: cracking weak passwords is an easy way to hack a system
    – Use modern firewalls to restrict traffic on your network
    – Routinely update your software: have a regular schedule to check for system updates
  • #23: MELISSA System Vulnerabilities: Use anti-virus/anti-malware software. Anchorage Community Mental Health Services (ACMHS), $150,000
    – Malware infection compromised the records of >2,700 individuals
    – ACMHS did not review its systems for unpatched and unsupported software and did not regularly update its IT resources
    – Underscores importance of running regular updates and patches: simple yet often ignored practice that could have major implications
  • #24: MELISSA St. Elizabeth’s Medical Center, $218,400 Stemmed from two incidents, one of which was use of a cloud-based file-sharing application. Specifically, did not evaluate risks of using cloud service, putting ePHI of nearly 500 people at risk The cloud provides scalable, cost-effective and flexible solution for storing and sharing patient data Conduct risk assessment prior to migrating to cloud environment Risk assessment should also include a comprehensive analysis of the security capabilities of prospective vendors
  • #25: Brian I’m going to look at a couple of the issues we’re seeing across the healthcare and insurance sector. I’ll be focusing mostly on HIPAA compliance issues, but keep in mind that there are also civil litigation possibilities and PCI-DSS concerns
  • #26: Brian Mens rea - is the legal term. Fines range from the low end for “didn’t know” to midway for “reasonable cause” (should have known) to “willful neglect” (max fine if not corrected) Policies – Mass. Eye and ear associates – poor risk analysis, no policies; lost computer 1.5 million Risk Management – Hospice of N. Idaho – No risk analysis; lost laptop 50K Controls – Affinity Health returned copiers with hard drives 1.2 million PLEASE PLEASE PLEASE assess the risk of mobile computing. Loss of unencrypted devices is a leading cause of huge fines => think of how many records are on one spreadsheet, now how many spreadsheets are on your laptop!
  • #27: One way to avoid these common errors is to follow a security framework like we discussed before. => CSF is one option. It was developed by NIST for use across industry. Show “due care.” An overall solution; if followed will establish appropriate security controls, policies, and risk assessments – leverages 800-53 for controls => requires a risk assessment but doesn’t specify a process. Final version released in February 2014. Risk-based approach; not a checklist.
    Allows organizations to:
    – Describe current cybersecurity posture
    – Describe target state for cybersecurity
    – Identify and prioritize opportunities for improvement
    – Assess progress towards target state
    – Communicate using common language among internal and external stakeholders about cybersecurity risk
    Complements, does not replace, existing risk management processes. Organizations without cybersecurity programs can use Framework as reference to establish one.
    – Identify risks to resources supporting critical functions
    – Protect these resources and limit the impact of cybersecurity events
    – Detect incidents that have occurred
    – Respond to the detection of events
    – Recover following response procedures
  • #28: NIST provides a good example of a management framework for risk. *** note that a required input is EA; you have to start with a knowledge of your environment Advantages of using GOVT frameworks with GOVT regulators The trick is to show that you take IT risk seriously and, even if breached, you were doing what was prudent Also results in better programs and justification for spending in IT Security
  • #29: Brian Another option for selecting basic controls is the Center for Internet Security’s – Critical Security Controls Note “boundary defense” is 12 – we often get hung up at the boundary and think we can keep everyone out with a firewall 1, 2, & 3 will give you a very solid start => know your environment and secure your mobile devices => laptop encryption!!!
  • #30: Brian Third-party or “inherited risk” How many organizations outsource, co-source, or otherwise use services provided by personnel you don’t directly employ => IT services, billing, hosted websites, marketing firms, research collaborations, universities, partner clinics Keep your hand up if you have a documented risk assessment for each one of those service providers
  • #31: Brian SOC2 comes in Type 1 and Type 2… type 2 is more robust with tests of effectiveness AICPA – American institute of certified public accountants SOC2 not perfect – paid for by the client => unlikely that the audit report contains anything major, but shows they are at least looking at their own security Bring someone from the IT Security team in to help evaluate your new and existing contracts; difficult skill to find but crucial for risk assessments OR train your GC on IT Security concerns like responsibility for CIA and security SLAs Always make sure you have the “right to audit” clause in contracts that involve ePHI; and use it => most organizations work on an implicit trust model but this has proven over and over to result in breaches and fines
  • #32: Brian I’m going to diverge from HIPAA compliance for a little bit here, but this is an issue that is no less impactful to our community. => According to one study, health care was the target of 88% of all ransomware attacks last year => thank you Johns Hopkins.
    How does ransomware work? Basically it’s extortion… easy extortion. Email out tool in a phishing scam, wait… user clicks and the tool starts encrypting files with certain extensions. => usually goes after MS Office extensions, PDFs, photos; can be more targeted for business critical data => most new tools are irreversible, some older ones may have a decrypter from the FBI.
    High volume, low intelligence attack. Adversary sends thousands to hundreds of thousands of phishing emails; only needs one click!!!!!! Some attacks are organized: cyber crime. Others are retaliatory.
    Anyone know the average cost of a piece of ransomware malware? $10, another $10 dollars for 1k verified hospital email addresses, and $25 dollars to set up a remote server overseas to command and control everything and collect payment! For $45 dollars anyone with a bitcoin wallet and enough savvy to get on the dark web can launch a ransomware attack.
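The behaviour this note describes, a tool that rewrites many user documents and gives them a new extension within seconds, is exactly the pattern a file-activity monitor can alert on. The Python script below is an added example for this page, not the presenters' material or any product they mention. It reads constructed, tab-separated file-audit events (timestamp, process, action, path are assumed field names; a RENAME carries the path as `old -> new`), counts per process how many distinct document files were written or renamed to a non-document extension inside a sliding 60-second window, and flags any process that crosses a threshold. The window length and threshold are assumptions to tune against your own baseline; a word processor saving a handful of files stays below it.

```python
"""Flag a ransomware-style mass-rewrite burst in file audit events.

Added example for this page (not from the presentation). Event lines use a
constructed, tab-separated audit format: ISO timestamp, process name, action
(WRITE or RENAME), path; for RENAME the path field is 'old -> new'. Field
names, window and threshold are assumptions; adapt them to your EDR or
file-auditing feed.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# User-document types the speaker notes name as the usual targets.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                       ".pdf", ".jpg", ".jpeg", ".png"}

WINDOW = timedelta(seconds=60)   # assumed: sliding window length
MIN_FILES = 20                   # assumed: distinct documents touched in one window


def ext(path):
    return os.path.splitext(path)[1].lower()


def parse_event(line):
    """Split one audit line into (timestamp, process, action, path)."""
    ts, proc, action, path = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts), proc, action, path


def document_key(action, path):
    """Return the document a suspicious event touched, or None if benign.

    A WRITE to a document file, or a RENAME of a document to a non-document
    extension (report.xlsx -> report.xlsx.locked), both count; the key is the
    original document path so a write+rename pair is counted once.
    """
    if action == "WRITE" and ext(path) in DOCUMENT_EXTENSIONS:
        return path
    if action == "RENAME":
        old, sep, new = path.partition(" -> ")
        if sep and ext(old) in DOCUMENT_EXTENSIONS and ext(new) not in DOCUMENT_EXTENSIONS:
            return old
    return None


def find_bursts(lines, window=WINDOW, min_files=MIN_FILES):
    """Map process -> peak number of distinct documents it touched within any
    single window; only processes at or above min_files are returned."""
    per_process = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, proc, action, path = parse_event(line)
        key = document_key(action, path)
        if key is not None:
            per_process[proc].append((ts, key))

    flagged = {}
    for proc, events in per_process.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({k for _, k in events[start:end + 1]}))
        if peak >= min_files:
            flagged[proc] = peak
    return flagged


def sample_events():
    """Constructed audit lines: a word processor saving three files over ten
    minutes (benign) and an unknown binary rewriting and renaming 25
    spreadsheets within 25 seconds (the burst pattern)."""
    base = datetime(2017, 9, 28, 14, 0, 0)
    lines = []
    for i in range(3):
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()}\tWINWORD.EXE\tWRITE\tC:/Users/jdoe/Documents/note{i}.docx")
    for i in range(25):
        t = base + timedelta(seconds=i)
        p = f"C:/Users/jdoe/Documents/report{i}.xlsx"
        lines.append(f"{t.isoformat()}\tunknown.exe\tWRITE\t{p}")
        lines.append(f"{(t + timedelta(milliseconds=500)).isoformat()}\tunknown.exe\tRENAME\t{p} -> {p}.locked")
    return lines


if __name__ == "__main__":
    for proc, count in find_bursts(sample_events()).items():
        print(f"ALERT: {proc} touched {count} documents within {WINDOW.seconds}s")
```

Counting distinct documents rather than raw events keeps a single large save from tripping the rule, and keying a rename on its original name means the write-then-rename sequence most encryptors produce is not double counted. The alert is a trigger for isolating the host and checking backups, not a verdict on its own.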
  • #33: Brian If ransomware attacks are so easy, how do we stop them? => Luckily in this case the adversary is getting what they pay for. Most malware uses old vulnerabilities that have been patched through software or operating system updates. You should be doing regular vulnerability scans of your networks.
    You have to know where your business critical information is. Invest in good enterprise architecture; will also reap benefits across your whole IT organization. Conduct a business impact assessment => know what would happen if you lost certain data; how long until you can’t operate; use this to feed your risk management and control selection.
    Have backups of all your business critical data!!! => even more importantly, have a documented recovery plan for re-installs; who gets called, who authorizes, what do you say to the media if you need to. => test your backups; we all know we should conduct tests, but very few organizations do => time consuming, can be expensive.
    Conduct user training; and not just the required, annual training that we do for compliance. => test your users, conduct your own phishing campaign and see what your click-through rate is. Adjust your training. Ours are usually above 60% even in regulated industry; remember it only takes one!
    This last one is an executive business decision, and a hard one at that. => I never recommend you pay the adversaries unless it’s life, limb, or eyesight for your patients; or it could lead to business collapse => no guarantee you’ll get your data back, no guarantee they won’t immediately lock it again after you pay.
    One last point on ransomware; successful attacks are technically reportable as HIPAA violations; the HIPAA Security Rule requires you to protect C, I and Availability of ePHI => there’s some debate on whether or not these need to be reported since it’s not technically a disclosure; though it could be since they’re in your system at this point.
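Slide 32 says to back up your critical data, and this note adds the step most organizations skip: test the restore. The Python script below is an added example for this page, not the presenters' own material or any vendor's tool. It builds a SHA-256 manifest of a set of files at backup time and later checks a restored copy against that manifest, reporting files that are intact, missing, modified, or present under an unexpected name, which is what an in-place encryption with a changed extension looks like on disk. The directory layout and file contents are constructed in a temporary directory so the whole thing runs offline.

```python
"""Verify a restored backup against a SHA-256 manifest.

Added example for this page (not the presenters' material). A manifest of the
critical files is taken when the backup is made; after a test restore the tree
is compared against it so that missing, altered, or renamed files are found
during the test rather than during a real recovery. Directory names and file
contents below are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative, '/'-separated) to its hash."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restore_root):
    """Compare a restored tree with the manifest.

    Returns a dict of sorted lists: 'ok' (hash matches), 'missing' (in manifest
    only), 'modified' (present but hash differs), 'unexpected' (on disk only,
    e.g. a document re-saved under an extra extension)."""
    actual = build_manifest(restore_root)
    return {
        "ok": sorted(p for p, h in manifest.items() if actual.get(p) == h),
        "missing": sorted(p for p in manifest if p not in actual),
        "modified": sorted(p for p, h in manifest.items() if p in actual and actual[p] != h),
        "unexpected": sorted(p for p in actual if p not in manifest),
    }


def restore_is_complete(report):
    """A restore test passes only when nothing is missing or modified."""
    return not report["missing"] and not report["modified"]


def demo():
    """Constructed scenario: snapshot three files, then 'restore' a copy in
    which one file is intact, one was altered, and one survives only under a
    new name; return the verification report."""
    originals = {
        "billing/claims.xlsx": b"claim,amount\n1001,250.00\n",
        "billing/notes.docx": b"visit notes",
        "readme.txt": b"restore instructions",
    }
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source")
        dst = os.path.join(tmp, "restore")
        for root in (src, dst):
            os.makedirs(os.path.join(root, "billing"))
        for rel, data in originals.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(src)

        # Simulated restore outcome (constructed): claims intact, notes altered,
        # readme present only as readme.txt.locked.
        restored = {
            "billing/claims.xlsx": originals["billing/claims.xlsx"],
            "billing/notes.docx": b"\x8f\x1a\x00garbage",
            "readme.txt.locked": b"\x9c\x02\x00garbage",
        }
        for rel, data in restored.items():
            with open(os.path.join(dst, rel), "wb") as f:
                f.write(data)
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    report = demo()
    for status, paths in report.items():
        print(f"{status:10s} {paths}")
    print("restore test", "PASSED" if restore_is_complete(report) else "FAILED")
```

Keep the manifest somewhere the backup job cannot overwrite, since a manifest stored beside the data it describes is lost or encrypted along with it; the same comparison then doubles as a quick integrity check on the live tree when a ransomware alert fires.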
  • #34: Brian As the adversary becomes more savvy, and more criminal orgs get involved, we’re going to see the number of attacks continue to rise. Many orgs think they’re too small to be noticed => we’re not Anthem, no one is targeting us… Reality is targeting is often random; based on internet sweeps for vulnerabilities. Finally, you have to start somewhere. Make sure you have a policy; do a risk assessment; put the basic technical controls in place => remember, most healthcare attacks are not sophisticated… simply identifying where your ePHI is and making sure it’s encrypted could prevent million dollar fines. Get help when you need it. A competent third-party gap assessment is a great place to start.