Posted on 23-Jun-2020
10/3/2016
Practical Cyber Security Strategies for the Compliance Officer
Michael Pry MSIA
Member ID: 176473
Background
• MS Computer Science / Information Assurance, University of Maryland
• Director of Continuous Improvement & Enterprise Risk Management, Excela Health, and Master Lean Black Belt
• Assistant Professor, Information Technology, American InterContinental University
• Pittsburgh InfraGard Health Care Sector Chief and member of the national InfraGard cyber security workgroup
• Department of Homeland Security / Health and Human Services Joint Coordinating Council, cyber security workgroup
My days in compliance
• Sarbanes-Oxley Compliance
  • Design of internal controls over financial reporting, globally
  • Implementation of a self-audit program using a cloud-based work paper management system to reduce the cost of compliance
  • Migrated manual controls to IT controls to reduce the cost of audit
• Trade and Export Compliance
  • Denied and Sanctioned Parties List
  • Harmonized Tariff Numbers
  • SAP Export Module
Key Points to Discuss
• Lessons learned from recent HIPAA breach resolutions
• Cost of a cyber security breach
• The role of the compliance officer in cyber security
What is Cyber Risk?
• Risks based on the loss of:
  • System availability
  • Data integrity
  • Confidentiality or privacy
• How should we think about cyber risk?
  • Threats
  • Vulnerabilities
  • Consequences
  • Cascading consequences
  • Mitigation strategies
Framework: the NIPP (National Infrastructure Protection Plan)
What is a HIPAA Breach?
• Definition of Breach
  • “An impermissible use or disclosure that compromises the security or privacy of the protected health information.”
  • Unless it can be demonstrated that there is a low probability that the protected health information has been compromised, based on a risk assessment.
Source: HHS.Gov Breach Notification Rule:
http://www.hhs.gov/hipaa/for-professionals/breach-notification/
Examples of Cyber Risks Realized: The Breach
• Top Organizations by Record Loss
  • Health Plan
    • Anthem, Inc.: 78,800,000 records
    • Premera Blue Cross: 11,000,000 records
    • Excellus Health Plan, Inc.: 10,000,000 records
  • Healthcare Provider
    • University of California, LA Health: 4,500,000 records
    • Advocate Medical Group: 4,029,530 records
    • Banner Health: 3,620,000 records
Source: HHS.Gov Office of Civil Rights Breach Portal
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
What are the most common breaches?
Most Common Breaches, 2009-2016 (chart)
What are the most common sources of a breach?
Source of Breach by Location of PHI (chart)
What are the cost categories of a data breach?
Loss of Brand Image: Customer Churn (chart)
What is the cost of a data breach?
Cost of a Data Breach (chart)
Source: HIPAA Journal, Ponemon Institute 2016 Data Breach Report
http://www.hipaajournal.com/ponemon-institute-publishes-2016-cost-data-breach-study-3470/
What % of data breach cost is from OCR?
Cost of a HIPAA Complaint
• 137,770 complaints received by OCR since 2003
  • 85,521 complaints did not present an eligible case
  • 24,331 required changes in privacy practices
  • 14,535 resolved by OCR providing technical assistance without need to investigate
  • 11,055 no violation found
  • 5,510 in process of review
  • 578 referred from OCR to DOJ
  • 37 settled in lieu of civil penalty ($39,989,200 total, or $1,080,789 average)
Productivity Most Likely Impact
OCR Investigated Resolutions Trend
What is the newest trend in HIPAA Breaches?
Are you aware of the emerging threat of Ransomware?
Ransomware
• HHS has declared that a ransomware infection is a HIPAA security incident
• 71% of the arrival vectors are spam
Source: 2016 HITRUST Alliance
Lessons Learned for the Compliance Manager
• Create an incident response team and response plan
• Improve time to resolve an incident to cut the cost of a breach (Time to Resolve)
• Risk analysis and risk management
  • Existing infrastructure
  • Changes to infrastructure
  • Cloud and wireless infrastructure
• Change control procedures and patch management
• Security and control of portable electronic devices
• Proper disposal
• Physical access controls
• Policies on use of network services
• Security awareness training
• User password management
• Controls against malicious code
• Backup systems / ransomware attacks
• Encryption of data at rest and in motion, with secure endpoints
Other Resources
PPD-41 United States Cyber Incident Coordination (July 26, 2016)
• Federal Government’s response to any cyber incident
• Shared Responsibility
• Risk-Based Response
• Respecting affected entities
• Unity of Governmental Effort
• Enabling Restoration and Recovery
Report cyber intrusions and major cybercrimes that require assessment for action, investigation, and engagement with local field offices of federal law enforcement agencies or the Federal Government.
Report Cyber Crime to NCIJTF CyWatch 24/7 Command Center: (855) 292-3937 or cywatch@ic.fbi.gov
NIST Cyber Security Framework
• September 15, 2016, NIST released the draft Baldrige Cybersecurity Excellence Builder, a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts
Educational Videos
• Turn the Lights on Ransomware: https://youtu.be/-T8v2Mpl9n8
• Protect Yourself from Becoming a Ransomware Victim: https://youtu.be/duSQShJ2098