T08 - Cybersecurity Threats and HIPAA Safeguards
4/30/2019
Anderson & Shoffner 1
Session #: T08
Cybersecurity Threats and HIPAA Safeguards
Michael Shoffner, Senior Manager, Chief Compliance and Security Officer
HW&Co. · Email: [email protected] · 216.378.7284
Jacqueline Anderson, Partner
Rolf Goffman Martin Lang LLP · Email: [email protected] · 216.682.2107
Objectives:
• Identify cybersecurity threats
• Have knowledge of relevant HIPAA legal requirements for protecting the privacy and security of PHI and the ‘cost’ of not doing so
• Differentiate various cybersecurity risk assessments
• Discover practical strategies and safeguards for protecting data, including on mobile devices
• Know how to respond to Data Breaches and Security Incidents
Cybersecurity Trends
[Chart: Most Frequently Targeted Industries in 2018 (share of attacks, 0 to 20%); industries shown: Finance and Insurance, Transportation, Professional Services, Retail, Manufacturing, Media, Government, Healthcare, Education, Energy]
Cost of Healthcare Breach
The 2018 Ponemon Cost of a Data Breach study shows the Healthcare Industry has the highest cost per record breached at $408.
This cost is nearly twice the amount of the next-highest industry (Financial Services) and significantly above the average cost of $148.
Types of Actors Involved in Breaches
Motivation for Breaches
Breach Timelines
Time to Discovery of a Breach
Incident pattern | % of incidents | % that became a breach | Overall %
Lost and Stolen Assets | 13% | 76% | 14%
Privilege Misuse | 18% | 93% | 24%
Cyber-Espionage | 3% | 38% | 2%
Crimeware | 21% | 9% | 3%
Total (overall %) | | | 43%

Incident pattern | % of incidents | % that became a breach | Overall %
Errors | 24% | 93% | 32%
Malware | 22% | 15% | 5%
Misuse | 16% | 87% | 22%
Physical | 10% | 78% | 12%
Social | 12% | 53% | 10%
Total (overall %) | | | 81%
Internet of Things (IoT) Attacks
Top Devices: Router 75.2%; Connected Camera 15.2%; Multi Media Device 5.4%
Top Passwords Used: 123456 24.6%; [Blank] 17.0%
Average Attacks Per Month: 5,233
Email Phishing
• 4% of people will click on a phishing email
• 78% of people will NOT click
• Once you have clicked on one, 15% do it again
• Only 17% of phishing emails are reported
• First click in a phishing campaign is within 16 minutes
• The first click is usually done within an hour
• The first report is around 30 minutes, if it is reported
Top Phishing Email Details
Top Subjects: Bill 15.7%; Email delivery failure 13.3%; Package delivery 2.4%
Top Keywords: Invoice 13.2%; Mail 10.2%; Sender 9.2%; Payment 8.9%
Top Phishing Email Details - continued
Top Malicious Attachments: .doc, .dot 37.0%; .exe 19.5%; .rtf 14.0%
1 in 2,995 emails was phishing in 2017
1 in 3,207 emails was phishing in 2018
Top attachment categories: Scripts / Macros 47.5%; Executables 24.7%
48% of malicious email attachments are office files. This is up from 5% in 2017.
Mobile Devices
One in 36 mobile devices had high-risk apps installed, or were rooted or jailbroken.
System Patches, Software Patches
At most 6% of breaches can be attributed to unpatched vulnerabilities, and one third of those still involved phishing or credential misuse.
Security Rule Framework
Risk Analysis
Administrative Safeguards
• Authorization and supervision of workforce
Physical Safeguards
• Facility access
• Removal of electronic media
Technical Safeguards
• Access controls
• Audit controls
OCR Enforcement in 2018
2018 Breach and Fine - Lack of a Risk Assessment
• Failure to conduct accurate and thorough risk analysis
• Failure to encrypt information where it was reasonable to do so
• Failure to implement policies and procedures
Fine: $3.5 million
Online Risk Assessment Resources
Risk analysis following the template/program located at:
https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
Disclaimer
The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.
NOTE: The NIST Standards provided in this tool are for informational purposes only as they may reflect current best practices in information technology and are not required for compliance with the HIPAA Security Rule’s requirements for risk assessment and risk management. This tool is not intended to serve as legal advice or as recommendations based on a provider or professional’s specific circumstances. We encourage providers, and professionals to seek expert advice when evaluating the use of this tool.
Online Security Risk Assessment Tool
Sample Risk Assessment Component
Columns: ID | Question | Answer | Likelihood | Impact | Reason Flagged | Notes | Remediation | Current Activity | Timestamp | Risk level | Citation
A01 | Does your practice develop, document, and implement policies and procedures for assessing and managing risk to its ePHI? | Yes | Medium | High | N/A | No
We are currently completing the SRA and contracted an outside resource which completed an evaluation in 2016.
[AC] 5/17/2017 9:43:37 am | Medium | §164.308(a)(1)(i)
Risk Assessment
[Chart: 2018 Healthcare Data Breaches by PHI Location (count of breaches, 0 to 140); categories shown: Other Portable Electronic Device, Laptop, Paper/Films, Network Server, Desktop Computer, Electronic Medical Record; bar values as extracted: 21, 27, 35, 81, 122, 74, 34, 27]
2019 Healthcare Data Breaches
[Chart: Healthcare Data Breaches by Month, Sep-18 through Feb-19 (0 to 40 per month); bar values in month order as extracted: 25, 31, 34, 23, 33, 32]
Cause of Healthcare Breaches
[Chart: Cause of Healthcare Breaches (0 to 30); categories: Theft, Unauthorized Access/Disclosure, Hacking/IT Incident; bar values as extracted: 4, 4, 24]
Breach Notification Rule
• A breach occurs where there is an acquisition, access, use, or disclosure of unsecured PHI that:
– Violates the Privacy Rule, AND
– Compromises the security or privacy of the PHI
• Presumption of breach
Exceptions
• Unintentional access by workforce member or agent
• Inadvertent disclosure amongst authorized persons
• Inability to retain information
• Low probability of compromise based on risk assessment
Breach Notification Rule
• Notification requirements
– Each individual whose PHI may have been breached
– Department of Health and Human Services
– If breach involves 500 or more individuals, media
• Contents of notice
– Brief description of the breach
– Types of unsecured PHI involved
– Steps individuals can take to protect themselves
– Description of what the covered entity is doing to investigate, mitigate losses, and prevent future breaches
– Contact information
2018 Fine for Untimely Response
Breach Discovery
• Indicia of potential breaches
• Unusual computer system activity
• Unusual employee activity
• Loss of equipment
Breach Response
• Regulatory requirements
• Internal requirements
• Leverage internal controls
• Leverage risk assessments
Ohio Safe Harbor Law
• Ohio Revised Code Chapter 1354
• Effective November 2, 2018
• Creates affirmative defense to tort causes of action brought under Ohio law stemming from breaches of personal information
• Encourages adoption of cybersecurity programs
Ohio Safe Harbor Law
Three Requirements to Qualify:
1. Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards
2. The cybersecurity program must:
• Protect the security and confidentiality of the information
• Protect against any anticipated threats or hazards to the security or integrity of the information
• Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud
3. The scale of the program is appropriate based upon:
• The size and complexity of the covered entity;
• The nature and scope of the activities of the covered entity;
• The sensitivity of the information to be protected;
• The cost and availability of tools to improve information security and reduce vulnerabilities;
• The resources available to the covered entity.
Ohio Safe Harbor Law
Cybersecurity programs that reasonably conform to any of these industry standards qualify:
• Framework for Improving Critical Infrastructure Cybersecurity developed by NIST and certain other NIST publications
• The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework
• The Center for Internet Security Critical Security Controls for Effective Cyber Defense
• The International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27000 family of Information Security Management Systems standards
• Payment Card Industry (PCI) Data Security Standard
Ohio Safe Harbor Law
For covered entities regulated by the state or federal government, cybersecurity programs that conform to any of these laws qualify:
• Security Requirements of HIPAA
• Title V of the Gramm-Leach-Bliley Act of 1999
• The Federal Information Security Modernization Act of 2014
• The Health Information Technology for Economic and Clinical Health Act
NIST Cybersecurity Framework
NIST Cybersecurity Framework
Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
ID.AM‐1: Physical devices and systems within the organization are inventoried
ID.AM‐2: Software platforms and applications within the organization are inventoried
ID.AM‐3: Organizational communication and data flows are mapped
ID.AM‐4: External information systems are catalogued
ID.AM‐5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
ID.AM‐6: Cybersecurity roles and responsibilities for the entire workforce and third‐party stakeholders (e.g., suppliers, customers, partners) are established
Mobile Devices and Encryption
Mobile Device Breach
The guide, NIST Special Publication 1800-4 Mobile Device Security, gives practical advice on mobile device management.
The guide can be viewed or downloaded from NIST/NCCoE.
Mobile Device Management, 2nd Factor Authentication
Cyber Security - Usage
Encryption
• Key must be controlled and complex
• Best get out of jail free card around, but….
2nd Factor Authentication
Passwords
“As a rule of thumb, if you can remember it, it isn’t a good password”
“My recommendation for memorability is that it should be extraordinarily obscene – which also makes it less likely that you will go and tell anyone.” -- Lance Cottrell
Passwords
“You might have a very good password on your bank or investment account, but if your gmail account doesn’t have a good password on it, and they can break into that, and that’s your password recovery email, they’ll own you” -- Lance Cottrell
Passwords
Stolen hash files (password databases) are particularly vulnerable because all the work is done on the attacker’s computer. There is no need to send a trial password to a website or application to see if it works.
Passwords
If a hacker wants to try and get into bank accounts:
Logging in to the same account several times will trigger alerts, lock-outs, or other security measures.
So they take a giant list of known email addresses, take a giant list of the most common known passwords, and proceed to try every single email address with the most common password. Each account only gets one failure at a time.
They wait a small amount of time and move on to the next common password.
If they have really compromised systems, they can target a website and have a million compromised computers send attempts that all come from different IP addresses to further evade detection.
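The pattern just described defeats per-account lockouts by design, so the defender has to look at the aggregate instead: many distinct accounts each failing once, from many source addresses, inside a short window. The following is an added detection example, not code from the deck or its authors; the log format and the sample lines are constructed for illustration, and the thresholds are assumptions to be tuned per environment.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not from the original deck).
# Pattern: one failure per account, many accounts, many source IPs, short window.
SAMPLE_LOG = """\
2019-04-30T09:00:01 FAIL user=alice@example.org ip=203.0.113.5
2019-04-30T09:00:03 FAIL user=bob@example.org ip=198.51.100.7
2019-04-30T09:00:05 FAIL user=carol@example.org ip=203.0.113.9
2019-04-30T09:00:07 FAIL user=dave@example.org ip=192.0.2.14
2019-04-30T09:00:09 FAIL user=erin@example.org ip=198.51.100.22
2019-04-30T09:00:11 OK user=frank@example.org ip=192.0.2.30
2019-04-30T09:00:13 FAIL user=grace@example.org ip=203.0.113.40
2019-04-30T09:45:00 FAIL user=alice@example.org ip=203.0.113.5
"""

# Assumed log format: "<ISO timestamp> <FAIL|OK> user=<id> ip=<addr>"
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")

def parse_log(text):
    """Return (timestamp, user, ip) for each failed login, in time order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2) == "FAIL":
            events.append((datetime.fromisoformat(m.group(1)), m.group(3), m.group(4)))
    return sorted(events)

def detect_spray(text, window=timedelta(minutes=10), min_accounts=5, lockout_threshold=3):
    """Flag windows where many distinct accounts fail while every account stays
    below the per-account lockout threshold (the 'one failure per account' trick)."""
    events = parse_log(text)
    alerts = []
    i = 0
    while i < len(events):
        start = events[i][0]
        in_window = [e for e in events[i:] if e[0] - start <= window]
        per_user = Counter(user for _, user, _ in in_window)
        if len(per_user) >= min_accounts and max(per_user.values()) < lockout_threshold:
            alerts.append({
                "window_start": start.isoformat(),
                "accounts": len(per_user),
                "source_ips": len({ip for _, _, ip in in_window}),
                "max_failures_per_account": max(per_user.values()),
            })
            i += len(in_window)  # one alert per campaign window, not per event
        else:
            i += 1
    return alerts
```

Repeated failures against a single account are deliberately not reported here; that case is what the per-account lockout already covers, and this check is the complement to it.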
Terminating Access
Importance of Business Associate Agreements
Needing a BAA….. ALWAYS
Google Calendar is a “HIPAA compliant” calendar service, as it is included in Google’s BAA. However, unless a signed BAA is obtained by a covered entity PRIOR to using the service in connection with any ePHI, it constitutes a HIPAA violation.
Not everything is / or can be HIPAA Compliant
iCloud terms and conditions… “If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”
PCC Strategies
• User Access / Security Settings / Permissions
• External Provider Access
• Remote Users
• Exception Reviews
• Termination / Deletion / Disable
Software Strategies
Session #: T08 Cybersecurity Threats and HIPAA Safeguards
Any Questions or Follow Up