HIPAA Reality Check: The Gap Between Execs and IT

March 1, 2016 Brand Barney, Security Assessor


Conflict of Interest

Has no real or apparent conflicts of interest to report.


Agenda

• Healthcare status

• HIPAA Misconceptions

• Real World Examples

• Why the Gap?

• Analyze Risks

• Minimize Risks

• Questions


Learning Objectives

• Discuss prominent HIPAA and data security assumptions made in the healthcare industry by IT, compliance officers, executives, stakeholders, and board members.

• Identify common struggles preventing organizations from completing crucial security improvements to sensitive patient health data.

• Assess an effective way to fill the communications gap between executives and IT while promoting an organizational culture of data security.

• Analyze how to minimize organizational data breach probability based on vulnerabilities, threats, and risks.


An Introduction of How Benefits Were Realized for the Value of Health IT

http://www.himss.org/ValueSuite

• S: 86% of employees and executives cite ineffective communication for failure in the workplace.

• T: 54% of patients would switch providers after a data breach.

• E: Healthcare still lags behind on securing upgraded technology.

• P: Reaching full HIPAA compliance is a fantastic thing to bring up with patients.

• S: Remediation costs for crime-linked data breaches of patient data are $170 per record.


Healthcare Status


HIPAA Status Disparity

• 89% of C-Suite believe they are HIPAA compliant

• Only 67% of Compliance and Risk Officers believe they are HIPAA compliant


Belief vs. Truth

• Fantasy: Healthcare is doing well in HIPAA security

• Reality: Most healthcare organizations have vulnerabilities in their security and don’t realize it


Compromise is Imminent

• Criminal attacks in the healthcare industry have risen 125% since 2010*

• 80% of healthcare IT leaders say their systems have been compromised**

*Ponemon Institute

**2015 KPMG Healthcare Cybersecurity Survey


HIPAA Misconceptions


Myth: Firewalls are Enough

• Firewalls need to be updated

• Firewalls don’t take care of all security issues

– Remote access software

– Social engineering

– Physical security


Myth: HIPAA Doesn’t Apply to Me

• Many organizations think:

– They are too small

– Their organization doesn’t have PHI

– Cloud-stored data is exempt

• The HIPAA Security Rule applies to nearly all healthcare entities


Myth: IT and Attorneys Have Us Covered

• IT professionals need additional training for security

• Attorneys don’t have technical training


Myth: My Data Isn’t Valuable

• Health data is more lucrative than credit cards on the black market

– Credit card data sells for $1–2

– PHI sells for $20–200

• Easy to replace credit cards, impossible to replace social security numbers


Myth: Business Associates Take All Liability

• There’s shared liability between businesses and business associates

• Business associates may have vulnerabilities that endanger your data


Myth: We’re Already Doing Security

• HIPAA staff mostly follow the Privacy Rule, but not the Security Rule

– Staff aren’t trained in security

– PHI can be accessed everywhere!


Myth: Social Engineering Isn’t a Threat

• Social engineering targets the weakest link: people!

• Doesn’t require technical talent

• Hard to recognize


Real World Examples


Business Associate

• Target

• Dynacare


Unsecured PHI

• Two types of data

• Why your data is walking out the door


Social Engineering

• Janitor

• IT

• Service Provider

• EHR

• Build Trust


Why the Gap?


Time

• HIPAA will eat your time

– Small organizations: 200 hours annually

– Large organizations: 800+ hours annually

• Solutions:

– Hire outside security consultant

– Baby steps (prioritize based on risk)


Money

• Staff time

• Purchase: security tools, policies, training, etc.

• Solutions:

– Prioritize (#1 risk? What needs to be protected first?)

– Work it into your budget

– Get management support

– HIPAA packages (training + policies + audit combo)


Training

• Most staff don’t understand proper Security Rule practices

• Solutions:

– Train monthly instead of annually

– Send weekly security tip reminders

– Incentives!


Analyze Risks


Analyze HIPAA Risk

• Assess current controls

• Determine likelihood of occurrence

• Determine potential impact

• Determine level of risk

• Identify security measure/control/mitigation


Document PHI Flow: Data Flow Charts

• Simple way to identify scope and start documentation

• Record all devices

• Interview departments

• Observe data flow


Prioritize

• Address critical problems first

– Depends on your individual environment

• A Risk Analysis and Risk Management Plan will help identify and rank these risks


Train Staff Properly

• Monthly training meetings

• Incorporate HIPAA Security Rule

• Not just nurses/doctors, but receptionists too!

• Recognize social engineering


Secure PHI Around the Office

• Eliminate unencrypted PHI

• Screensavers that lock the screen

• Require a password to unlock after time-out

• Reception desks

• Tablets/mobile


Strengthen Physical Security

• Visitor/maintenance log

• Controls to limit physical access

• Video cameras to monitor access to sensitive areas

• Distinguish visitors from on-site personnel


Have Individual User Accounts

• Workforce members are not all created equal

• All staff should have their own separate user accounts (no shared logins)

• Role-based access: grant only what each role needs


Update Systems and Apps

• EHR

• Anti-virus

• Medical devices

• Operating systems

• Firewalls

• IPS/FIM/DLP


A Summary of How Benefits Were Realized for the Value of Health IT

http://www.himss.org/ValueSuite

• S: 86% of employees and executives cite lack of collaboration or ineffective communication for failure in the workplace.

• T: 54% of patients would switch providers after a data breach.

• E: Healthcare has exponentially upgraded its technology in the past five years, but still lags behind on securing that technology.

• P: Reaching full HIPAA compliance is a fantastic thing to bring up with patients.

• S: Remediation costs for crime-linked data breaches of patient data are $170 per record.


Questions

[email protected]

• Securitymetrics.com