CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 [email protected] cynergistek.com @CynergisTek
Overview of HIPAA Security and Breach Notification Rules
Presented by: David Holtzman, VP, Compliance Strategies
Agenda
HIPAA & its Security Rule
Key Methods to Securing e-PHI
How to Identify Phishing
Questions
HIPAA & its Security Rule
What is HIPAA?
• Health Insurance Portability & Accountability Act of 1996
• Framework for protecting patient confidentiality, security standards for electronic systems, and standards for electronic transmission of health information
• Notification to individuals, government and media if there is a breach of protected health information (added in 2009)
Privacy Rule is Foundation & Floor
• Privacy Rule
• Security Rule
• Breach Notification
Who is Covered?
• Covered Entities and Business Associates are required to comply with the Privacy, Security and Breach Notification Rules
• Covered Entities (CE) are defined as:
– Health care providers who transmit health information electronically in connection with a transaction for which there is a HIPAA standard
– Health plans
– Healthcare clearinghouses
Business Associates
• Agents, contractors, and others hired to do the work of, or to work for, the CE, where such work requires the use or disclosure of protected health information (PHI)
• BAs are required to have Privacy Rule policies & procedures regarding uses & disclosures and minimum necessary
• BAs must assess unauthorized uses & disclosures to determine if a breach has occurred and notify the CE of any breach
• The Privacy and Security Rules require CEs and BAs to receive “satisfactory assurance”
– Assurance usually takes the form of a contract
– The BA only uses or discloses PHI as permitted by the agreement
– The BA safeguards PHI from unauthorized disclosure
Guiding Principles of HIPAA Security
• Confidentiality: only the right people see it
• Integrity: the e-PHI is what it is supposed to be, with no unauthorized alteration or destruction
• Availability: the right people can see the e-PHI when needed
Scope of HIPAA Security Rule
Applies to e-PHI that a Covered Entity or Business Associate has:
• Created
• Maintained
• Stored
• Transmitted
Goals of HIPAA Security Standards
• Protect e-PHI against reasonably anticipated threats or hazards to the security or integrity of information
• Protect against reasonably anticipated uses and disclosures not permitted by the Privacy Rule
• Establish policies, procedures and training to ensure compliance by the workforce
HHS Approach to HIPAA Security
• Standards to assure the confidentiality, integrity, and availability of PHI through reasonable and appropriate safeguards
• Addressing vulnerabilities identified through risk analysis & risk management
• Technology neutral
• Safeguards appropriate to the size and complexity of the organization
Security Rule Safeguards
Administrative Safeguards
• Risk analysis
• Risk management
• Security official
• Workforce security
• Access management
• Security awareness & training
• Incident procedures and contingency plans
• Periodic risk evaluation
• BA agreements
Physical Safeguards
• Facility access
• Workstation use
• Workstation security
• Device and media controls
Technical Safeguards
• Access control
• Audit controls
• Integrity
• Person or entity authentication
• Transmission security
Information Security Risk Assessment
• An assessment of threats and vulnerabilities to information systems that handle e-PHI.
• This provides the starting point for determining what is ‘appropriate’ and ‘reasonable’.
• Organizations determine their own technology and administrative choices to mitigate their risks.
• The risk analysis process should be ongoing and repeated as needed when the organization experiences changes in technology or operating environment.
What is Risk Assessment?
The process of:
• Analyzing threats and vulnerabilities in a specified environment
• Determining the impact or magnitude
• Identifying areas needing safeguards or controls
Performing a Risk Analysis
Gather Information
• Prepare inventory lists of information assets: data, hardware and software.
• Determine potential threats to information assets.
• Identify organizational and information system vulnerabilities.
• Document existing security controls and processes.
Analyze Information
• Evaluate and measure risks associated with information assets.
• Rank information assets based on asset criticality and business value.
• Develop and analyze multiple potential threat scenarios.
Develop Remedial Plans
• Prioritize potential threats based on importance and criticality.
• Develop remedial plans to combat potential threat scenarios.
• Repeat risk analysis to evaluate success of remediation and when there are changes in technology or operating environment.
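The three phases of the risk analysis, worked through in code as an added example (this is not material from the presentation or from CynergisTek): a constructed inventory of four assets and threat scenarios is scored as likelihood x impact x asset criticality, existing controls are credited to give a residual risk, scenarios are ranked into a remedial plan, and one scenario is re-scored after remediation, which is the "repeat the analysis" step. The asset names, scores, control figures and the 1 to 5 scales are assumptions chosen for illustration; the multiplicative scoring is one common convention, not something the slides prescribe.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Asset:
    name: str
    criticality: int  # 1 (low) .. 5 (holds e-PHI or essential to care delivery)


@dataclass
class Scenario:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int                     # 1 .. 5: chance the threat exploits the vulnerability
    impact: int                         # 1 .. 5: harm to confidentiality, integrity or availability
    control_effectiveness: float = 0.0  # 0.0 (no control) .. 1.0 (fully mitigated), from documented controls

    def inherent_risk(self) -> int:
        """Risk before existing controls: likelihood x impact, weighted by asset criticality."""
        return self.likelihood * self.impact * self.asset.criticality

    def residual_risk(self) -> float:
        """Risk that remains after the documented controls are credited."""
        return round(self.inherent_risk() * (1.0 - self.control_effectiveness), 1)


def rank_scenarios(scenarios: List[Scenario]) -> List[Scenario]:
    """Analyze Information: order scenarios by residual risk, highest first."""
    return sorted(scenarios, key=lambda s: s.residual_risk(), reverse=True)


def remediation_plan(scenarios: List[Scenario], threshold: float) -> List[Tuple[str, str, float]]:
    """Develop Remedial Plans: scenarios at or above the acceptance threshold, in priority order."""
    return [(s.asset.name, s.threat, s.residual_risk())
            for s in rank_scenarios(scenarios) if s.residual_risk() >= threshold]


def remediate(scenario: Scenario, new_effectiveness: float) -> Scenario:
    """Repeat the analysis after a control is implemented: return the re-scored scenario."""
    return Scenario(scenario.asset, scenario.threat, scenario.vulnerability,
                    scenario.likelihood, scenario.impact, new_effectiveness)


# Constructed sample inventory and threat scenarios (illustrative figures only).
EHR_DB = Asset("EHR database server", criticality=5)
LAPTOPS = Asset("Clinician laptops", criticality=4)
BILLING_WS = Asset("Billing workstations", criticality=3)
GUEST_WIFI = Asset("Guest wireless network", criticality=2)

SCENARIOS = [
    Scenario(EHR_DB, "ransomware", "unpatched application server",
             likelihood=4, impact=5, control_effectiveness=0.25),
    Scenario(LAPTOPS, "lost or stolen device", "no full-disk encryption",
             likelihood=3, impact=5),
    Scenario(BILLING_WS, "phishing credential theft", "single-factor authentication",
             likelihood=5, impact=4, control_effectiveness=0.2),
    Scenario(GUEST_WIFI, "unauthorized network access", "guest network not isolated",
             likelihood=4, impact=2, control_effectiveness=0.5),
]

RISK_ACCEPTANCE_THRESHOLD = 40.0  # assumed: anything at or above this needs a remedial plan


if __name__ == "__main__":
    for asset, threat, score in remediation_plan(SCENARIOS, RISK_ACCEPTANCE_THRESHOLD):
        print(f"{score:5.1f}  {asset}: {threat}")
    # Re-run the analysis after deploying full-disk encryption on the laptops.
    print("laptops after encryption:", remediate(SCENARIOS[1], 0.9).residual_risk())
```

Running it lists the three scenarios above the threshold in priority order (ransomware on the EHR server first) and shows the laptop scenario dropping from 60.0 to 6.0 once encryption is credited, which is the evidence the "repeat risk analysis" step asks for.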
Security Rule: Key Technical Safeguards
• Implement reasonable and appropriate safeguards to ensure the confidentiality, integrity and availability (CIA) of data on systems that create, transmit or store PHI
– Encryption at rest
– Encryption during transmission
– Automatic logoff
– Strong authentication
• Ensure that applications and systems are patched and updated
• Properly configure wireless network access
Password Management
Password is the 1st Line of Defense
• Keep it secret
• Keep it secure
• Change it often
Create a Strong Password Policy
• Organizations should adopt a password policy with minimum requirements
– Create a password with a minimum of 8 characters
– Password should contain at least three of the following four components:
• Uppercase letters (A B C D)
• Lowercase letters (a b c d)
• Number (1 2 3 4)
• A special character (%, ^, *, !, ?)
• Require regular, forced password changes – at least every 90 days.
• Limit the ability to reuse the last 5 generations of a password.
• Educate users to change their password immediately if compromised
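The policy on this slide, implemented as an added example (not code from the presentation or from CynergisTek): a checker that enforces the 8-character minimum, three of four character classes, the 90-day maximum age and the ban on reusing the last 5 generations. The history is kept as salted PBKDF2-HMAC-SHA256 digests rather than plaintext, so a compromised history file does not hand over old passwords; the work factor, the sample history and the candidate passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Policy parameters as stated on the slide.
MIN_LENGTH = 8        # minimum of 8 characters
MIN_CLASSES = 3       # at least three of the four character classes
MAX_AGE_DAYS = 90     # forced change at least every 90 days
HISTORY_DEPTH = 5     # the last 5 generations cannot be reused

CHARACTER_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for the deployment


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 digest, so the history never stores plaintext passwords."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def complexity_problems(password: str) -> List[str]:
    """Rules from the policy that the candidate password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    present = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(present) < MIN_CLASSES:
        problems.append(f"only {len(present)} of 4 character classes, {MIN_CLASSES} required")
    return problems


def reused(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH stored generations."""
    for salt, old_digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)   # re-derive with the stored salt
        if hmac.compare_digest(candidate, old_digest):  # constant-time comparison
            return True
    return False


def rotation_overdue(last_changed_iso: str, today_iso: str) -> bool:
    """True once the current password has reached the 90-day maximum age (ISO dates)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed >= timedelta(days=MAX_AGE_DAYS)


def evaluate_change(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Every reason a proposed new password would be rejected (empty list = accepted)."""
    problems = complexity_problems(password)
    if reused(password, history):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


# Constructed sample history for one account (oldest first, most recent generation last).
SAMPLE_HISTORY = [hash_password(p) for p in ("Winter2023!", "Spring2024!")]

if __name__ == "__main__":
    for candidate in ("short1A", "alllowercase", "Spring2024!", "Summer2024!"):
        print(candidate, "->", evaluate_change(candidate, SAMPLE_HISTORY) or "accepted")
    print("rotation overdue:", rotation_overdue("2024-01-01", "2024-03-31"))
```

The reuse check has to re-hash the candidate with each stored salt, which is why the history is bounded to the last five entries; a longer history would multiply the cost of every password change.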
Keys to Password Security
1. Do choose a strong password
2. Don’t write it down anywhere near the device; place it in a secure location
3. Don’t leave your workstation, laptop or smartphone without logging off or locking the device
4. Don’t share passwords with anyone else
5. Don’t embed passwords in shortcuts or scripts
6. Don’t use one password for multiple accounts
Monitoring Log-Ins and Audit System Activity
Monitoring System Activity & Log-Ins
• The Security Rule requires that organizations collect and review system activity on any network or device
• Proactive access monitoring and audit, using technology that analyzes whether access to PHI is authorized and appropriate
• Take action to investigate unusual network activity or instances of unauthorized use/disclosure
• Apply sanctions against workforce members where there is a violation
• Implement safeguards for network vulnerabilities
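What "collect and review system activity" looks like in practice, as an added example (not code from the presentation or from CynergisTek): a small reviewer that reads an access-log trail and raises three kinds of findings the slide asks an organization to investigate: repeated failed log-ins on one account, patient-record views outside business hours, and one user opening many distinct patient records in a short window. The log format, the thresholds and the sample records are all constructed for the demonstration; a real deployment would read the audit trail of the EHR or directory service and tune the thresholds to its own baseline.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Tunable thresholds (assumed values for the demonstration, not figures from the presentation).
FAILED_LOGIN_THRESHOLD = 5                   # failures from one account ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # ... within this sliding window
BUSINESS_HOURS = (7, 19)                     # record access outside 07:00-19:00 is reviewed
BROWSING_THRESHOLD = 5                       # distinct patient records by one user ...
BROWSING_WINDOW = timedelta(minutes=15)      # ... within this window

Finding = Tuple[str, str, int]  # (rule, user, count)


def parse_line(line: str) -> Dict[str, object]:
    """Parse one 'TIMESTAMP key=value ...' audit record into a dict with a datetime 'ts'."""
    ts_text, *fields = line.split()
    record: Dict[str, object] = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def parse_log(text: str) -> List[Dict[str, object]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_failed_logins(records) -> List[Finding]:
    """Flag an account once it reaches FAILED_LOGIN_THRESHOLD failures inside the window."""
    findings, recent, alerted = [], defaultdict(deque), set()
    for r in records:
        if r.get("action") != "login" or r.get("result") != "FAIL":
            continue
        user = r["user"]
        window = recent[user]
        window.append(r["ts"])
        while r["ts"] - window[0] > FAILED_LOGIN_WINDOW:  # drop failures that aged out
            window.popleft()
        if len(window) >= FAILED_LOGIN_THRESHOLD and user not in alerted:
            alerted.add(user)  # one finding per account, not one per extra failure
            findings.append(("repeated_failed_logins", user, len(window)))
    return findings


def detect_after_hours_access(records) -> List[Finding]:
    """Count patient-record views per user per day that fall outside business hours."""
    start, end = BUSINESS_HOURS
    counts = Counter()
    for r in records:
        if r.get("action") == "view_record" and not (start <= r["ts"].hour < end):
            counts[(r["user"], r["ts"].date())] += 1
    return [("after_hours_phi_access", user, n) for (user, _day), n in sorted(counts.items())]


def detect_record_browsing(records) -> List[Finding]:
    """Flag a user who opens BROWSING_THRESHOLD distinct patient records inside the window."""
    findings, views, alerted = [], defaultdict(list), set()
    for r in records:
        if r.get("action") != "view_record":
            continue
        user = r["user"]
        views[user].append((r["ts"], r["patient"]))
        cutoff = r["ts"] - BROWSING_WINDOW
        distinct = {patient for ts, patient in views[user] if ts >= cutoff}
        if len(distinct) >= BROWSING_THRESHOLD and user not in alerted:
            alerted.add(user)
            findings.append(("high_volume_record_access", user, len(distinct)))
    return findings


def review(log_text: str) -> List[Finding]:
    """Run every rule over the trail and return the findings to investigate."""
    records = parse_log(log_text)
    return (detect_failed_logins(records)
            + detect_after_hours_access(records)
            + detect_record_browsing(records))


# Constructed sample audit trail (not from any real system).
SAMPLE_LOG = """\
2024-05-06T08:02:11 user=nurse01 action=login result=OK src=10.1.4.22
2024-05-06T08:03:40 user=nurse01 action=view_record patient=P1001 result=OK src=10.1.4.22
2024-05-06T08:05:02 user=nurse01 action=view_record patient=P1002 result=OK src=10.1.4.22
2024-05-06T12:30:00 user=billing7 action=login result=FAIL src=198.51.100.9
2024-05-06T12:30:15 user=billing7 action=login result=FAIL src=198.51.100.9
2024-05-06T12:30:31 user=billing7 action=login result=FAIL src=198.51.100.9
2024-05-06T12:30:48 user=billing7 action=login result=FAIL src=198.51.100.9
2024-05-06T12:31:05 user=billing7 action=login result=FAIL src=198.51.100.9
2024-05-06T23:41:19 user=clerk12 action=login result=OK src=10.1.9.3
2024-05-06T23:42:00 user=clerk12 action=view_record patient=P2001 result=OK src=10.1.9.3
2024-05-06T23:42:20 user=clerk12 action=view_record patient=P2002 result=OK src=10.1.9.3
2024-05-06T23:42:41 user=clerk12 action=view_record patient=P2003 result=OK src=10.1.9.3
2024-05-06T23:43:03 user=clerk12 action=view_record patient=P2004 result=OK src=10.1.9.3
2024-05-06T23:43:27 user=clerk12 action=view_record patient=P2005 result=OK src=10.1.9.3
"""

if __name__ == "__main__":
    for rule, user, count in review(SAMPLE_LOG):
        print(f"{rule:28} {user:10} {count}")
```

On the sample trail the nurse's daytime activity produces nothing, the billing account trips the failed-login rule, and the clerk's late-night run through five records produces both an after-hours finding and a high-volume finding; each finding is a lead for the investigation and sanction steps the slide describes, not a verdict on its own.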
Periodic Security Reminders
Periodic Security Awareness Reminders
• Awareness programs provide education and keep information security fresh in workforce members’ minds
• Use employee newsletters
• Link to FTC, HHS & DHS YouTube channels
• Provide alerts in case of an incident or specific threat
Protecting Against Malicious Programs
What Are Malicious Programs?
Virus – A small program designed with the objective of infecting as many software applications or devices as possible and spreading rapidly.
Phishing – A technique using fake emails and web pages designed to trick users into giving up valid usernames and passwords.
Ransomware – A malicious program (malware) that can encrypt either the complete hard drive or specific files on the computer. In order for you to access your files again, a window asks you to pay a ransom to the attacker. Payment is typically made in a digital currency such as bitcoin.
Protecting Against Malware
• Employ virus detection and anti-spyware protection on all your devices
– Microsoft, Apple and Google provide it for free
– Set it to scan your device automatically
• Regularly patch and update your OS, browsers and other software applications
• Be cautious when opening hyperlinks or downloading files from an internet web page or an email message
How to Identify a Phish
Targeted Exposure
• Attackers can leverage a single account to gain access to a user’s entire contact list
• Phishermen often target through social media, company websites, and the results of previous attacks
• Accounts at high risk are often the most public
• Attackers develop personalized spear phish with information available via social media
• Users with a high volume of email typically don’t spend as much time vetting the legitimacy of email
How to Avoid Being the Phisherman’s Catch
1. Review senders’ addresses
2. Review the sending domain
3. Investigate context clues
4. Enticing offers are often too good to be true
5. Hover over a link or perform a cut-and-paste review
6. Increase suspicion if the content tries to invoke urgency
Example 1
Clues:
• Sender’s address
• Sense of urgency
• Domain isn’t owned by the organization
Example 2
Clues:
• Sender’s address
• Website link doesn’t match intended destination
• Version of mail server does not exist
Example 3
Clues:
• Sender’s address
• Website links don’t match intended destination
Example 4
Clues:
• Sender’s address
• Website links do not match intended destination
• Enticing offer
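The six checks from "How to Avoid Being the Phisherman's Catch" and the clues listed in Examples 1 to 4, turned into a message triage function as an added example (not code from the presentation or from CynergisTek): it parses a raw e-mail, compares the sender and Reply-To domains with the organization's domain, compares the URL displayed in each link with the address the link actually points to (the "hover over the link" check), and looks for urgency and enticing-offer wording. The organization's domain, the phrase lists and both sample messages are constructed for the demonstration; the domain comparison keeps only the last two labels of a host name, which is a simplification a production filter would replace with a public-suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

ORG_DOMAIN = "example-health.org"  # assumed domain of the organization receiving the mail

# Wording the slides call out; these lists are illustrative, not exhaustive.
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended", "urgent", "act now")
OFFER_PHRASES = ("you have won", "gift card", "prize", "claim your")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Last two labels of a host name (naive; use a public-suffix list in production)."""
    return ".".join(host.lower().split(".")[-2:])


def phishing_clues(raw_message: str, org_domain: str = ORG_DOMAIN) -> List[str]:
    """Apply the slide's checks to a raw RFC 822 message and return the clues found."""
    msg = message_from_string(raw_message)
    clues = []

    # Checks 1 and 2: review the sender's address and the sending domain.
    _display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if registered_domain(sender_domain) != org_domain:
        clues.append(f"sender domain '{sender_domain}' is not the organization's domain")
    _unused, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        clues.append("Reply-To domain differs from the From domain")

    # Check 5: 'hover over the link' - compare the displayed URL with the real href.
    body = msg.get_payload()
    for href, anchor_text in ANCHOR_RE.findall(body):
        real_host = urlparse(href).hostname or ""
        shown = URL_RE.search(anchor_text)
        if shown:
            shown_host = urlparse(shown.group()).hostname or ""
            if registered_domain(shown_host) != registered_domain(real_host):
                clues.append(f"link text shows '{shown_host}' but points to '{real_host}'")
        elif registered_domain(real_host) != org_domain:
            clues.append(f"link points outside the organization: '{real_host}'")

    # Checks 3, 4 and 6: context clues - enticing offers and manufactured urgency.
    text = body.lower()
    if any(phrase in text for phrase in URGENCY_PHRASES):
        clues.append("content tries to invoke urgency")
    if any(phrase in text for phrase in OFFER_PHRASES):
        clues.append("enticing offer that may be too good to be true")
    return clues


# Constructed sample messages (reserved .example names; not real senders or sites).
PHISH_SAMPLE = """\
From: "Example Health IT Helpdesk" <helpdesk@example-health-support.net>
Reply-To: recovery@mail-reset.example
To: staff@example-health.org
Subject: Password expires today
Content-Type: text/html

<p>Your mailbox password expires today. Verify within 24 hours or your account will be suspended.</p>
<p>Visit <a href="http://login.example-health.org.verify-now.example/reset">https://portal.example-health.org/reset</a> now.</p>
"""

BENIGN_SAMPLE = """\
From: "IT Helpdesk" <helpdesk@example-health.org>
To: staff@example-health.org
Subject: Scheduled maintenance
Content-Type: text/html

<p>The patient portal will be offline Saturday 02:00-04:00 for maintenance.</p>
<p>Status updates: <a href="https://status.example-health.org/">status page</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, "->", phishing_clues(sample) or "no clues")
```

The suspicious sample trips four of the checks at once (foreign sender domain, mismatched Reply-To, a displayed URL that differs from the real link target, and urgency wording), which mirrors the clue lists in Examples 1 to 4; the maintenance notice trips none. As with the slide's advice, a single clue is a reason to slow down and verify, not proof of an attack.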
HIPAA Homework
• Get to know your organization’s HIPAA Privacy and Security policies
• Watch the 5 videos on how to secure e-PHI and mobile devices at http://www.healthit.gov/providers-professionals/worried-about-using-mobile-device-work-heres-what-do-video
• See something? Say something.
Questions?
David Holtzman
512.405.8550 x.7020