TRANSCRIPT
Chris Bowen, MBA, CISSP, CIPP/US, CIPT
Founder, Chief Privacy & Security Officer
AVOIDING THE BREACH
5 Common Ways Technology Vendors Put Their Healthcare Customers' PHI at Risk
PROPRIETARY & CONFIDENTIAL
The majority of breaches occur as the result of third parties.
http://searchsecurity.techtarget.com/feature/Third-party-risk-management-Horror-stories-You-are-not-alone
Attacks Increasing
• 42% of serious data breaches in 2014 were in the healthcare sector
  – 34% in the first half of 2015
• Business associates were the culpable party for 118 out of the 458 breaches (OCR Report to Congress)
• Protected health information (PHI) is worth roughly 50 times more than credit card or Social Security numbers
• The most profitable type of fraud stemming from identity theft is now Medicare fraud
  – Particularly attractive targets because of payment data and detailed patient records used to collect reimbursements
• One in 10 Americans has been affected by a large health data breach
What's in the presentation for me?
• You're trying to service your customers, including protecting their data
• Bad guys want to steal your customers' data
• Regulators want to punish you if bad guys steal your customers' data
• So do lawyers…
Key Learnings
• Understand five commonly overlooked mistakes vendors make
• View examples of what happens as a result
Objective Breach Ramifications
Source: https://cybersponse.com/data-breaches-by-the-numbers
Recent Breaches
Organization      Records Breached
Anthem            80,000,000
Premera           11,000,000
CHS                4,500,000
UCLA Health        4,500,000
Carefirst          1,100,000
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
The Aftermath
• Identity Theft
• Espionage
• Future Attacks
• Money Spent
• Reputations Lost
Breaches by Business Associates
1. January 2014 - Blue Cross Blue Shield of New Jersey. Loss of data affecting 839,711 individuals. A laptop was stolen; there was no encryption.
2. January 2014 - Triple-C, Inc. Theft of data affecting 398,000 individuals. A network server was stolen; there was no encryption.
3. May 2014 - Sutherland Healthcare Solutions, Inc. Thieves stole eight computers from Sutherland's Torrance, Calif. office. They got away with the medical records of 342,197 individuals. There was no encryption.
4. August 2014 - Community Health Pro-Services Corporation. Unauthorized access. In a legal dispute with Texas HHS, Xerox removed patient records from servers and hard drives and permitted other parties to view the records of 2,000,000 individuals.
5. December 2014 - Senior Health Partners. Theft of 2,700 records after a laptop and mobile phone belonging to a registered nurse employed by its business associate were reported stolen.
Defense in Depth in IT
Defense in depth uses multiple layers of defense to address technical, personnel and operational issues.
[Diagram: concentric layers, from the inside out: Data; Devices; Servers; Applications; Network; Physical; Policies, Procedures, Awareness. Controls shown standing between the Attack and the Data: hardware router / firewall, OS/software firewall, antivirus / anti-malware, security patches, user access controls.]
Healthcare is Depending on YOU!
Healthcare IT is depending on you to keep systems secure, private, available, and untouched by the unauthorized. This includes data exchange, VoIP phones, enterprise wireless, mobile EMR, billing, PACS, patient portal, registration, prescribing, lab integrations, X-ray equipment, monitoring equipment, physician communications and scheduling, online bill-pay, patient scheduling, medical devices, mobile computing, internal communications, and more.
Mistake #1: Failure to Assess Risk
• 33% of businesses have not commissioned a risk assessment (1)
• A risk assessment has been required since adoption of the HIPAA Security Rule
• The requirement is not taken seriously
• HITECH (2009) added fines
• Skipping the SRA is not "reasonable" – OCR
• This applies to the Business Associate too!
Defense Layer: All
(1) 2014 State of Risk Report. (2015, January). Trustwave, p. 4.
Security Risk Assessment
1. Inventory
   • Inventory ePHI
   • Inventory critical apps
   • Inventory what comprises the system
2. Review Safeguards
   • Identify safeguards in place
   • Administrative: policies & procedures
   • Technical: access controls, technical controls
   • Physical
3. Analysis
   • Threats
   • Vulnerabilities
   • Risks
   • Evaluate policies & procedures: effective, operational, applicable
4. Deliverables
   • Data inventory
   • Application criticality analysis
   • Threat matrix
   • Risk matrix
   • Remediation roadmap
Defense Layer: All
Mistake #1: Failure to Assess Risk
Failure to conduct an SRA can result in:
• OCR enforcement including civil monetary penalties and resolution agreements
• Increased risk of suffering data breaches
• CMS enforcement to recoup EHR incentive payments
• OIG enforcement under the False Claims Act
  – Liability of up to 3 times the EHR incentive payment
  – Exclusion from federally funded healthcare programs
Defense Layer: All
Mistake #2: Unaware of System Activity
• Not knowing what’s going on in or around your network and systems
• Ineffective System Activity Reviews
Defense Layer: Network, Server, App, Data
Mistake #2: Unaware of System Activity
• 80,000,000 records stolen via hack
• Traced to April 2014
• Attackers created a bogus domain name, "we11point.com", to mimic the legitimate domain wellpoint.com
• Used malware to mimic Citrix VPN software
• Harvested user credentials
• Became aware in December 2014
• That's 9 months of covert activity inside the network!
Defense Layer: Network, Server, App, Data
Mistake #2: Unaware of System Activity
Organizations are not able to detect a breach in a timely manner.
[Chart: When was the breach discovered?]
Source: 2014: A Year of Mega Breaches. (2015, January 15). Ponemon Institute Research Report, p. 10.
Defense Layer: Network, Server, App, Data
Mistake #2: Unaware of System Activity
Ineffective use of Security Information & Event Management Systems (SIEM)
Defense Layer: Network, Server, App, Data
SIEM capabilities:
• Asset discovery
• Vulnerability assessment
• Threat detection
• Event collection
• Correlation
• Event management
• Log storage
SIEM: the #1 technology investment made in response to mega breaches!
Source: 2014: A Year of Mega Breaches. (2015, January 15). Ponemon Institute Research Report, p. 3.
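The Anthem timeline and the SIEM slide both come down to the same question: would your event collection and correlation have noticed? As an added example (not code from the deck, from Anthem, or from any SIEM vendor), here are two detections a correlation step could run over the logs the deck says were available: a look-alike domain check that catches we11point.com against a watchlist of the domains you actually own, and a credential-harvest rule that flags one source address authenticating as many different VPN users in a short window. The log line formats, the watchlist, the confusable-character table and the thresholds are assumptions made for this example, and the sample log lines are constructed.

```python
"""Added example (not from the original deck): two detections suggested by
the Anthem timeline above, run by a SIEM-style correlation step over
constructed sample logs. The log formats, the watchlist and the thresholds
are assumptions made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Domains the organisation legitimately owns (assumed watchlist).
WATCHLIST = {"wellpoint.com", "anthem.com"}

# Characters attackers swap for visually similar ones (we11point -> wellpoint).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})


def skeleton(domain: str) -> str:
    """Collapse a domain to its visual skeleton for comparison."""
    return domain.lower().translate(CONFUSABLES).replace("vv", "w").replace("rn", "m")


def lookalike_of(domain: str) -> Optional[str]:
    """Return the watchlisted domain that `domain` impersonates, or None."""
    domain = domain.lower()
    if domain in WATCHLIST or any(domain.endswith("." + w) for w in WATCHLIST):
        return None  # the real thing, or one of its subdomains
    s = skeleton(domain)
    for legit in WATCHLIST:
        if s == legit or s.endswith("." + legit):
            return legit
    return None


def find_lookalike_requests(proxy_lines: List[str]) -> List[Tuple[str, str]]:
    """Scan proxy log lines of the form '<ts> <client> <method> <url> <status>'."""
    hits = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        host = urlsplit(parts[3]).hostname or ""
        legit = lookalike_of(host)
        if legit:
            hits.append((host, legit))
    return hits


def harvested_credential_sources(
    vpn_lines: List[str],
    window: timedelta = timedelta(minutes=10),
    threshold: int = 3,
) -> Dict[str, Set[str]]:
    """Flag source IPs from which `threshold` or more distinct users
    successfully authenticated within `window`: one machine replaying
    harvested credentials looks like this, a single user does not."""
    events = defaultdict(list)  # src -> [(time, user)]
    for line in vpn_lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "OK":
            continue  # only successful logins matter for this rule
        kv = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        events[kv["src"]].append((ts, kv["user"]))
    flagged: Dict[str, Set[str]] = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if t - start <= window}
            if len(users) >= threshold:
                flagged.setdefault(src, set()).update(users)
    return flagged


# Constructed sample logs; the hostnames follow the deck's we11point example.
PROXY_LOG = """\
2014-04-10T09:12:01 10.1.4.22 GET https://login.we11point.com/vpn/index.html 200
2014-04-10T09:12:05 10.1.4.22 GET https://intranet.wellpoint.com/home 200
2014-04-10T09:15:44 10.1.7.9 GET https://we11point.com/citrix/receiver.exe 200
2014-04-10T09:16:00 10.1.7.9 GET https://example.org/ 200
"""
VPN_LOG = """\
2014-04-11T02:01:10 vpn-auth OK user=jdoe src=203.0.113.7
2014-04-11T02:01:25 vpn-auth OK user=asmith src=203.0.113.7
2014-04-11T02:02:03 vpn-auth OK user=bwong src=203.0.113.7
2014-04-11T02:02:40 vpn-auth OK user=clee src=203.0.113.7
2014-04-11T08:30:00 vpn-auth OK user=mjones src=198.51.100.20
2014-04-11T08:31:00 vpn-auth FAIL user=mjones src=198.51.100.20
"""

if __name__ == "__main__":
    print(find_lookalike_requests(PROXY_LOG.splitlines()))
    print(harvested_credential_sources(VPN_LOG.splitlines()))
```

Both rules need the events to be collected and retained in one place first, which is why "event collection" and "log storage" sit alongside "correlation" in the capability list; a rule that runs over nine months of logs only helps if the logs exist and someone reviews the results.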
Mistake #3: Patching Fail
Failure to keep up to date on patching and firmware
Defense Layer: Network, Server, App
Mistake #3: Patching Fail
• This is a Covered Entity AND a Business Associate
• Failed to patch their systems
• Continued to run outdated, unsupported software
• Led to a malware data breach affecting 2,743 individuals
• ACMHS reported the breach to HHS back in March 2012
• Fined $150,000
• Lesson learned: security-related patches should be applied as soon as possible
Defense Layer: Network, Server, App
Mistake #3: Patching Fail
More Context
• ACMHS was negligent, but the fine was issued on the heels of a year of patching woes for most Microsoft customers.
• Patching policies delayed for critical updates
  – Microsoft had trouble delivering an error-free month
Balancing Act
• Deal with the fallout of a botched patch?
• Or wait to patch?
Document decisions. But don't be negligent. A deferral is defensible only when it is written down with a reason, an owner and an expiry date; an undocumented delay and an unsupported operating system look the same to a regulator.
Defense Layer: Network, Server, App
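What "document decisions, but don't be negligent" looks like in practice is a check that can be run, not a paragraph in a policy. As an added example (not code from the deck), the function below walks a host inventory against a list of advisories, applies a per-severity SLA, honours documented deferrals only until they expire, and separately flags any host whose operating system is past the vendor's support date, which is the ACMHS pattern. The inventory, the advisories, the SLA days and the exception record are all constructed assumptions for this example.

```python
"""Added example, not from the deck: a patch-SLA check that turns
"document decisions, but don't be negligent" into something auditable.
The inventory, advisories, SLA days and exception record are all
constructed assumptions for this example."""
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Days allowed between an advisory's release and the fix being installed
# (assumed policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed advisories: package, first fixed version, severity, release date.
ADVISORIES = [
    {"id": "ADV-1", "package": "webapp", "fixed": (2, 4, 1),
     "severity": "critical", "released": date(2015, 3, 1)},
    {"id": "ADV-2", "package": "dbproxy", "fixed": (1, 9, 0),
     "severity": "high", "released": date(2015, 2, 10)},
]

# Constructed host inventory: installed versions plus the OS vendor's
# end-of-support date (an OS past that date is the ACMHS pattern above).
HOSTS = [
    {"name": "web01", "os_supported_until": date(2020, 1, 1),
     "packages": {"webapp": (2, 4, 0), "dbproxy": (1, 9, 0)}},
    {"name": "app02", "os_supported_until": date(2014, 4, 8),
     "packages": {"webapp": (2, 4, 1), "dbproxy": (1, 8, 3)}},
]

# Documented deferrals (the "document decisions" half of the balancing act).
# A deferral needs a reason and an expiry; when it lapses the item becomes
# overdue again rather than quietly forgotten. The ticket text is assumed.
EXCEPTIONS: Dict[Tuple[str, str], dict] = {
    ("app02", "ADV-2"): {"reason": "vendor fix broke billing export; retest scheduled",
                         "expires": date(2015, 3, 20)},
}


def patch_findings(hosts, advisories, exceptions, today: date) -> List[dict]:
    """Return one finding per host/advisory that is not yet fixed, plus one
    per host running an unsupported OS. status is one of
    unsupported | overdue | deferred | pending."""
    findings = []
    for host in hosts:
        if host["os_supported_until"] < today:
            findings.append({"host": host["name"], "item": "OS",
                             "status": "unsupported",
                             "days_overdue": (today - host["os_supported_until"]).days})
        for adv in advisories:
            installed = host["packages"].get(adv["package"])
            if installed is None or installed >= adv["fixed"]:
                continue  # not installed, or already at a fixed version
            due = adv["released"] + timedelta(days=SLA_DAYS[adv["severity"]])
            exc = exceptions.get((host["name"], adv["id"]))
            if exc is not None and exc["expires"] >= today:
                status, overdue = "deferred", 0
            elif today > due:
                status, overdue = "overdue", (today - due).days
            else:
                status, overdue = "pending", 0
            findings.append({"host": host["name"], "item": adv["id"],
                             "status": status, "days_overdue": overdue})
    return findings


def negligent_items(findings: List[dict]) -> List[Tuple[str, str]]:
    """The subset an auditor would read as negligence: unsupported software
    and overdue fixes with no live, documented deferral."""
    return [(f["host"], f["item"]) for f in findings
            if f["status"] in ("unsupported", "overdue")]


def findings_on(iso_day: str) -> List[dict]:
    """Run the check for a YYYY-MM-DD date against the sample data."""
    return patch_findings(HOSTS, ADVISORIES, EXCEPTIONS, date.fromisoformat(iso_day))


if __name__ == "__main__":
    for day in ("2015-03-15", "2015-03-25"):
        print(day, negligent_items(findings_on(day)))
```

Run on 2015-03-15 the deferral on app02 is still live, so only the unpatched web01 and app02's unsupported OS are reported; run ten days later the deferral has expired and ADV-2 on app02 joins the list, which is the difference between a documented decision and a forgotten one.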
Mistake #4: Training on the Right Stuff
Failure to Train Your Users
Defense Layer: All
Mistake #4: Training on the Right Stuff
• Security flaw in the vendor database
• Vendor exposed 7,000 records to the web
• General security awareness training is a HIPAA requirement
• But what about training for secure development practices?
• What about training on a Software Development Lifecycle (SDLC)?
Defense Layer: All
Mistake #4: Training on the Right Stuff
Open Web Application Security Project (OWASP)
• www.owasp.org
• Open group focused on understanding and improving the security of web applications and web services
Top Ten Project
• Goal is to raise awareness
If you create web-enabled apps, make this part of your training!
The list below is the original 2003 edition of the OWASP Top Ten; the project reissues the list every few years, so train against the current edition at owasp.org rather than this one.
1. Un-validated Parameters
2. Broken Access Control
3. Broken Account & Session Management
4. Cross-Site Scripting Flaws (XSS)
5. Buffer Overflows
6. Command Injection Flaws
7. Error Handling Problems
8. Insecure Use of Cryptography
9. Remote Administration Flaws
10. Web and App Server Misconfiguration
Defense Layer: All
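The vendor-database exposure above is exactly the kind of flaw secure-development training is meant to prevent. As an added example (not code from the deck, the vendor, or OWASP), the block below shows the first and sixth items on the list side by side: a lookup that concatenates an un-validated request parameter into SQL, next to the hardened form that validates the parameter against an allow-list pattern and binds it so the database never interprets it as SQL. The schema, the identifier format and the patient rows are constructed for the example and contain no real data.

```python
"""Added example (not code from the deck or any vendor): the two classic
web-app flaws from the OWASP list above, un-validated parameters and
injection, shown as a vulnerable lookup beside its hardened form. The
schema and the patient rows are constructed, with no real data."""
import re
import sqlite3
from typing import List, Tuple

# Constructed table of entirely fictional patient rows.
SAMPLE_ROWS = [
    ("MRN-1001", "Pat One", "constructed"),
    ("MRN-1002", "Pat Two", "constructed"),
    ("MRN-1003", "Pat Three", "constructed"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, diagnosis TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, mrn: str) -> List[Tuple[str, str]]:
    """Request parameter concatenated straight into SQL: the caller controls
    the query, so a payload such as x' OR '1'='1 returns every row."""
    query = f"SELECT mrn, name FROM patients WHERE mrn = '{mrn}'"
    return conn.execute(query).fetchall()


MRN_PATTERN = re.compile(r"MRN-\d{4}")  # assumed identifier format


def lookup_parameterized_only(conn: sqlite3.Connection, mrn: str) -> List[Tuple[str, str]]:
    """Binding alone, without validation: the payload is treated as a literal
    and simply matches nothing."""
    return conn.execute("SELECT mrn, name FROM patients WHERE mrn = ?", (mrn,)).fetchall()


def lookup_hardened(conn: sqlite3.Connection, mrn: str) -> List[Tuple[str, str]]:
    """Validate against an allow-list pattern, then bind the parameter.
    Binding stops the injection on its own; validation in front of it
    rejects malformed input before it reaches the database and gives the
    application something specific to log."""
    if not isinstance(mrn, str) or not MRN_PATTERN.fullmatch(mrn):
        raise ValueError("rejected MRN parameter")
    return lookup_parameterized_only(conn, mrn)


def hardened_rejects(conn: sqlite3.Connection, mrn: str) -> bool:
    """True if the hardened lookup refuses the parameter outright."""
    try:
        lookup_hardened(conn, mrn)
    except ValueError:
        return True
    return False


INJECTION = "x' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION))   # every row
    print("bound only:", lookup_parameterized_only(db, INJECTION))  # []
    print("hardened rejects payload:", hardened_rejects(db, INJECTION))
```

The same shape applies to command injection and to any other place a parameter crosses into an interpreter: validate what you accept, and pass data through an API that keeps it separate from the instruction.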
Mistake #5: Failure to Manage Changes
• Change Control: the process of managing change to an organization's environment and assessing the potential impact on business
Defense Layer: All
Have change control covering information technology assets and business processes (1):
• Fully: 54%
• Partially: 39%
• Not at all: 7%
(1) 2014 State of Risk Report. (2015, January). Trustwave, p. 13.
Mistake #5: Failure to Manage Changes
• Average cost of downtime is around the $8,000 per minute mark (1)
• 80% of unplanned outages are due to ill-planned changes made by operations staff or developers (2)
• 60% of availability and performance errors are the result of misconfigurations (3)
• Through 2015, 80% of outages impacting mission-critical services will be caused by people and process issues (4)
  – more than 50% of those outages will be caused by change/configuration/release integration and hand-off issues
Defense Layer: All
(1) www.datacenterknowledge.com/.../study-cost-data-center-downtime-rising/
(2) IT Process Institute's Visible Ops Handbook
(3) Enterprise Management Association
(4) Ronni J. Colville and George Spafford, Configuration Management for Virtual and Cloud Infrastructures
Mistake #5: Failure to Manage Changes
Defense Layer: All
Outage Causes
• Hardware Failure: 23%
• Upgrades & Migration: 22%
• Power Outages: 20%
• Application Error: 18%
• Human Error: 17%
Source: http://www.channelinsider.com/storage/slideshows/helping-combat-downtime-on-premise-and-in-the-cloud.html
Mistake #5: Failure to Manage Changes
Starting ITIL in 4 Practical Steps:
• Reduce access to systems that can be changed
  – Assign a limited group with access as the only entity that can make changes
• Inventory information assets and detailed information about equipment, backups, etc. (build a RACI)
• Create a repeatable build library
• Continual improvement
Google: Amazon.com + Visible Ops
Defense Layer: All
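A repeatable build library is only useful if you can tell when production has drifted away from it. As an added example (not code from the deck or from the Visible Ops material it points to), the block below baselines a build as a manifest of file hashes, re-manifests the deployed tree later, and splits every difference into changes that appear in an approved change record and changes nobody filed a ticket for; the second list is what "ill-planned changes made by operations staff or developers" looks like on disk. The file tree, its contents and the change ticket name are constructed for the example.

```python
"""Added example (not from the deck): change control as a check rather than
a policy document. A baseline manifest of a known-good build is compared
with what is actually deployed, and any difference not tied to an approved
change is reported. The file tree, its contents and the change ticket are
constructed for this example."""
import hashlib
import os
import tempfile
from typing import Dict, FrozenSet


def manifest(root: str) -> Dict[str, str]:
    """Map each file under root (relative path, '/' separators) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def drift(baseline: Dict[str, str], current: Dict[str, str],
          approved: FrozenSet[str] = frozenset()) -> Dict[str, list]:
    """Split every added, removed or modified path into approved (named in a
    change record) and unapproved (nobody filed a change for it)."""
    changed = {p for p in baseline.keys() | current.keys()
               if baseline.get(p) != current.get(p)}
    return {"approved": sorted(changed & approved),
            "unapproved": sorted(changed - approved)}


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo() -> Dict[str, list]:
    """Build a throwaway tree, baseline it, apply one approved and two
    unapproved changes, and return the drift report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "app/config.ini", "db=prod\n")
        _write(root, "app/main.py", "print('v1')\n")
        baseline = manifest(root)                        # captured at release time
        _write(root, "app/main.py", "print('v2')\n")     # covered by change CHG-42 (assumed ticket)
        _write(root, "app/debug.flag", "1\n")            # dropped in by hand, no ticket
        os.remove(os.path.join(root, "app/config.ini"))  # also no ticket
        approved = frozenset({"app/main.py"})            # paths listed in CHG-42
        return drift(baseline, manifest(root), approved)


if __name__ == "__main__":
    print(demo())
```

Run periodically, the unapproved list is the input to the first ITIL step above: if only a small group can change production, anything on that list is either a process failure or an intruder, and both deserve the same response.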
Bonus Mistake: Failure to Remediate
• Identifying the list of items to fix is just the beginning
• You actually have to fix them before the bad guys exploit them
Risk Analysis helps identify and prioritize issues.
High Priority Examples:
• Risk Analysis (#1) §164.308(a)(1)(ii)(A)
• Information System Activity Review §164.308(a)(1)(ii)(D)
• Security Awareness and Training Program (#11) §164.308(a)(5)(i)
• Encryption and Decryption (#42) §164.312(a)(2)(iv)
• Data Backup Plan §164.308(a)(7)(ii)(A)
• Audit Controls (#43) §164.312(b)
• Policies and Procedures (#48) §164.316(a)
• More…
Remediation target: ASAP / <30 days
Defense Layer: All
Bonus Mistake: Failure to Remediate
Organizations are not able to resolve breaches quickly.
[Chart: When was the breach resolved?]
Source: 2014: A Year of Mega Breaches. (2015, January 15). Ponemon Institute Research Report, p. 11.
Defense Layer: All
Five Common Mistakes & Consequences
Defense Layer: All
1. Failure to Conduct a Risk Assessment → Unaware of Vulnerabilities
2. Ineffective Activity Reviews → Hackers Inside for Months
3. Lack of Timely Patches → Vulnerable Systems, Data Breaches
4. Lack of Proper Training → Flawed Systems Promoted to Production
5. No Formal Change Management → Downtime, Broken Systems, Failure to Communicate
MODERNIZE THE INFRASTRUCTURE • SECURE PATIENT DATA • IMPROVE DATA INTEROPERABILITY
John Perales, National Channel Sales Director
512.993.5899 [email protected]