hacking healthcare: the current state of healthcare data security
TRANSCRIPT
Hacking Healthcare: A Hacker’s Paradise
Paradise Lost: The Current State of Healthcare Data Security
Presenter – Jeff Franks, vCTO at MapleTronics Computers
Why Healthcare is in the Crosshairs
• Black market medical records are a multi-billion dollar industry
• Fraud can take years to discover
• Security is lacking in most CE environments
Who are the Hackers?
• Yes, teenagers, but also…
• Organized Crime
• Nation States (China, Russia, North Korea, etc.)
• Anyone with an agenda
Why You Should Care
Black Market Value of a Credit Card: $0.50
Black Market Value of a Medical Record: $10.00
Size Doesn’t Matter
The Way In
Vulnerabilities
• Open Firewalls
• Unrestricted Web Access
• Unpatched Operating Systems
• Out of Date AntiVirus (or no A/V)
• Social Engineering
Your Biggest Vulnerability
Your Own People
• Don’t always follow policies
• Can be easily manipulated
• Underestimate their role/impact
• Fail to recognize/report incidents
Because they don’t know!
Your Biggest Vulnerability
Your Own People
Whether they are ignorant, careless or have bad intentions, they have:
• Access
• Time
• Opportunity
What You Are Facing in 2015
• ePHI is a highly valuable asset
• ePHI is targeted by numerous people
• Your size doesn’t hide you
• IT security and risk management has not been a priority
• Your own people can break your security
• Increased enforcement by HHS & State Governments
So, where do we start?
Beyond Compliance: Winning with the HIPAA Security Rule
Presenter – Phil Cooper, CIO at MapleTronics
The Stated Purpose of the Security Rule
1. Of ePHI, to ensure
   a) Confidentiality
   b) Integrity
   c) Availability
2. Protect against
   1. Threats
   2. Hazards
3. Protect against improper
   1. Uses
   2. Disclosures
4. Ensure compliance by workforce
The Real Object of the Security Rule
To create a corporate culture of decision-driven
IT security & risk management
The Real Object of the Security Rule
Your IT can’t be:
• An Afterthought
• Set & Forget
• A one and done checklist
Your IT must be:
• Intentional
• Decision-Driven
• A part of how you do business
The Business Case
A good compliance program will provide:
• Maximum uptime
• Customer service/satisfaction
• Productivity/efficiency
• Employee morale
• Maximum Security
• Reduced liability exposure
• Marketing opportunity
• Business-wide protection and performance
• Not just ePHI should be protected, but your entire business data
The Business Case
The truth is, many of your IT issues stem from the same root cause:
IT SECURITY AND RISK MANAGEMENT ARE MERELY AN AFTERTHOUGHT.
And you can change that by being intentional with IT.
10 Years and Counting
67% – CE’s who have NOT performed an adequate Risk Analysis and therefore,
“…have not identified the risks and vulnerabilities of their environment and therefore are failing to adequately safeguard ePHI.” – OCR, September 2014
10 Years and Counting
~60% – Theft & Loss
The “message” is that these could ALL have been prevented by encryption (safe harbor).
Getting Started or Getting Serious
• Read the Security Rule
• Designate and Empower a Security Officer
• Establish a HIPAA SR Team
• Identify ALL of Your ePHI
• Perform a Serious Risk Analysis and Act on it
• Document Your Process & Actions
• Sell it from the Top…Make it Part of Your Culture
Key Areas to Re-evaluate
• Provide regular security awareness to all workforce members
• Craft & enforce an encryption policy
• Deploy intrusion detection & prevention
• Perform regular vulnerability assessments
• Apply patching regularly
• Control & secure mobile devices, or don’t use them
• Use secure texting, or don’t text
• Leverage 3rd party resources & vendors
• But don’t abdicate your responsibilities
• Use role-based security
• Limit ePHI use by design (minimum access approach)
• Encourage incident reporting by workforce
• Enable proactive auditing
• Secure your remote access
• Evaluate your WiFi setup
You Can Do This
Questions
DELETED SLIDES
Final Word -- What Did You Attest To?
“Meaningful Use attestation of performing a risk analysis [Core Requirement #15] equals attesting that you are compliant with the HIPAA Security Rule.” – Deven McGraw, HHS Tiger Team Chair & Partner at Manat, Phelps & Phillips, LLP
What’s Next??
Six Things To Do This Week
• Close down RDP from the Internet
• Remove BYOD from your business network
• Encrypt laptops (if ePHI exists)
• Verify your data protection and recovery strategy
• Perform/Start a REAL risk analysis
• Assess your Security Rule compliance
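As an added example that is not part of the presentation, the following Python script turns the “Close down RDP from the Internet” item (and the “Secure your remote access” item from the re-evaluation list) into a repeatable check: it parses an iptables-save style rule dump and flags every ACCEPT rule for tcp/3389 whose source is not an internal address range. The rule dump, the internal ranges and all function names are constructed for this example; a real audit would feed it the output of `iptables-save` from the perimeter host.

```python
"""Flag firewall rules that accept RDP (tcp/3389) from outside the internal network.

Added example, not from the presentation. Parses iptables-save style lines.
"""
import ipaddress
import shlex

RDP_PORT = 3389

# Constructed sample rule dump (not from any real system).
SAMPLE_RULES = """
*filter
:INPUT DROP [0:0]
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 3389 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,3389 -j ACCEPT
COMMIT
"""

# Ranges treated as "inside the building": RFC 1918 plus loopback (assumption).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def is_internal(source):
    """True if the source address/network lies entirely inside an internal range."""
    net = ipaddress.ip_network(source, strict=False)
    return any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def parse_ports(spec):
    """Expand an iptables port spec such as '22,3389:3390' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        hi = hi or lo
        ports.update(range(int(lo), int(hi) + 1))
    return ports


def parse_rule(line):
    """Return the fields we care about from one '-A' rule line, or None."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] not in ("-A", "-I"):
        return None  # table header, chain policy, COMMIT, blank line
    rule = {"chain": tokens[1], "src": None, "proto": None,
            "ports": set(), "target": None}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in ("-s", "--source"):
            rule["src"] = nxt
            i += 2
        elif tok in ("-p", "--protocol"):
            rule["proto"] = nxt
            i += 2
        elif tok in ("--dport", "--dports"):
            rule["ports"] |= parse_ports(nxt)
            i += 2
        elif tok in ("-j", "--jump"):
            rule["target"] = nxt
            i += 2
        else:
            i += 1  # match modules (-m tcp, -m multiport) and anything else
    return rule


def rdp_exposures(rules_text, port=RDP_PORT):
    """List ACCEPT rules that admit tcp/<port> from a non-internal source."""
    findings = []
    for line in rules_text.splitlines():
        rule = parse_rule(line.strip())
        if not rule or rule["target"] != "ACCEPT" or port not in rule["ports"]:
            continue
        if rule["proto"] not in (None, "tcp"):
            continue
        if rule["src"] is None or not is_internal(rule["src"]):
            findings.append(
                f"{rule['chain']}: tcp/{port} accepted from {rule['src'] or 'any'}")
    return findings


if __name__ == "__main__":
    for finding in rdp_exposures(SAMPLE_RULES):
        print("EXPOSED:", finding)
```

On the constructed dump the check reports three exposures: the rule with no source restriction, the rule from the non-internal 203.0.113.0/24 range, and the multiport rule that bundles 3389 with SSH; the rule restricted to 10.0.0.0/8 and the explicit DROP are not reported. A source that is missing is the same as “any”, which is why it is treated as exposed rather than ignored.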
Why Should You Care?
Your ePHI Health & Human Services