![Page 1: Best Practices for Mitigating HIPAA Breaches in 2016csohio.himsschapter.org/sites/himsschapter/files... · 2016-08-01 · Recap of 2015 Healthcare Data Breaches • Incident response](https://reader033.vdocuments.us/reader033/viewer/2022042218/5ec369bd95a42e3323493830/html5/thumbnails/1.jpg)
Best Practices for Avoiding & Mitigating HIPAA Breaches in 2016
June 8, 2016
About Me
• 19 Years IT Consulting Experience
• PMP
• University Med Center: Y2K to HIPAA to Managing Ethical Hackers
• Managing Partner of FOQUS Partners
WHYs for Incident Response
• Ensure financially viable organization / reduce risks
• Build patient trust / protect privacy of patients
• Improve health outcomes
• Fight for good
Recap of 2015 Health Data Breach Trends
#1: Individuals Affected Skyrocketing
Individuals affected by reported health data breaches, by year:
2010: 5,524,176
2011: 13,149,792
2012: 2,759,709
2013: 6,930,414
2014: 12,621,826
2015: 113,255,324
Since 2009: 154,225,324
*Data Source: US Dept of Health & Human Services Office for Civil Rights
#2: Rate of Increase for Reported Breaches Slowing
Reported health data breaches per year (chart with logarithmic trendline):
2010: 197
2011: 195
2012: 203
2013: 270
2014: 289
2015: 266
Data Source: U.S. Department of Health & Human Services Office for Civil Rights
What’s the Data Telling Us?
# of Patients Affected Skyrocketing + # of Breaches Consistent = Average Impact of Breaches Increasing
Average # of Patients Affected Per Breach:
2012: 13,595
2013: 25,668
2014: 43,674
2015: 425,772
Health Breaches Affecting 500k+ Individuals (chart, 2012 through 2015)
So What?
Ponemon Institute reports the average cost of a healthcare data breach is $363 per exposed personally identifiable record (up $4 from $359 in 2014).
# of Exposed Personally Identifiable Records / Average Cost of Breach:
1,000 records: $363,000
5,000 records: $1,815,000
10,000 records: $3,630,000
50,000 records: $18,150,000
100,000 records: $36,300,000
#3: Impact increasing, but organizations adopting best practices to reduce costs
Factors Driving Costs Higher:
• Increase in percentage of attacks criminal in nature
• Consequences of lost business increasing
• Detection & escalation costs increasing
Why is it so valuable? 2014 FBI bulletin black market valuations:
• Health Record: $50
• Valid Credit Card: $1
Best practices reducing costs (average savings per exposed record):
• Incident response team & plan ($12.6)
• Extensive use of encryption ($12.0)
• Employee training ($8.0)
• Business continuity management involved ($7.1)
• CISO appointed ($5.6)
• Board of directors involvement ($5.5)
• Insurance protection ($4.4)
Recap
Reasonable Measures for Incident Response
What Is “Reasonable”? 45 CFR 164.306(b): Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting ePHI; and as applicable to the covered entity or business associate:
A. Implement the implementation specification if reasonable and appropriate; or
B. If implementing the implementation specification is not reasonable and appropriate:
1. Document why it would not be reasonable and appropriate to implement the implementation specification; and
2. Implement an equivalent alternative measure if reasonable and appropriate.
Average Time to Identify & Contain Breach*:
• Malicious Attack: 256 Days
• Human Error: 158 Days
*Data Source: Ponemon Institute
Trends in Reasonableness
Large Breaches Raising The Bar
• Exposure
  - Notifications
  - Public hearings
  - Investigations
  - Media
• Lessons learned
Organization-wide Response
• Not just an “IT Issue”
• Significant financial impact
  - Board of directors
  - Patient churn
• Employees
  - Awareness
  - Training
Functions involved: Human Resources, Public Relations, Legal, Board of Directors, Finance & Accounting, Information Technology, Risk & Compliance
Significant Financial Impact
Per exposed personally identifiable record*:
• Avg cost of health data breach: $363
• Avg savings by involving Board of Directors: $5.50
• Avg savings by having CISO: $5.50
• Breaches impacting patient decisions
*2015 Ponemon Institute Report
Employees As Front-Line
• Most likely source of a breach
• Culture of security & privacy
• Employees as front-line defense
• Incidents as training input
Have An Incident Response Plan
• Regulatory reporting complexity increasing
• Eliminate ongoing threats
• Avg $12.50 per record savings
Incident Response Best Practices
Differentiate Incidents and Breaches
Security Incident vs. Security Breach:
• What is it? Incident: an event in violation of a security policy such as impersonation, denial of service, theft, intrusion, etc. Breach: an incident resulting in release of protected personal or confidential data.
• Regulatory reporting requirements: Incident: none today. Breach: local, state & federal requirements.
• Formats: Incident: paper, electronic device, electronic records, physical location. Breach: paper or electronic records.
• Organizational tasks: Incident: investigation, remediation, risk mitigation. Breach: investigation, remediation, risk mitigation + notifications + regulatory reporting.
Differentiate Incidents and Breaches: Decision Tree Tools
• Definition of Breach: https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurityTextOnly.pdf
• Guide to “Securing” PHI: http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
Differentiate Incident & Breach Types
Incident Types:
• Social engineering / impersonation
• Unauthorized physical or electronic access
• System compromise
• Account compromise
• Denial of service
• Network / vulnerability scanning
• Physical loss / destruction
• Misconfiguration
• Software vulnerability
• Licensing violation
Breach Types:
• Protected Health Information
• Mental Health Information
• Personally Identifiable Information
• PCI/Credit Card
• Malicious/Theft
• Accidental/Loss
• Internal
• External
• Paper
• Electronic
Document Breach Reporting Processes
Regulations, Regulations, Everywhere!
Protected data types: Patient Health Data, Credit Card Data, Personally Identifiable Data, Education Data, SEC Data
Regulation types: Federal, State, Local, Contractual
Document Breach Reporting Processes
• Document reporting process by regulation
• Define reporting teams (Legal, Risk, IT, etc.)
• Identify internal reviews & approvals
• Timeline requirements
Note: state and local reporting requirements vary
Document Breach Reporting Processes: HIPAA Example
Report online at: https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf
• > 500 individuals: “Without unreasonable delay and in no case later than 60 calendar days from discovery of breach”
• < 500 individuals: within 60 days of the end of the calendar year in which the breach was discovered. All of these can be submitted on the same day, but each must be its own individual submission.
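The two HHS reporting deadlines above as an added Python calculator (example code written for this page, not material from the deck): it applies the threshold as 500 or more individuals, which is how 45 CFR 164.408 states it, and the incident names, discovery dates and counts are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# 45 CFR 164.408: breaches affecting 500 or more individuals are reported to HHS
# within 60 calendar days of discovery; smaller ones go on an annual log that is
# due 60 days after the end of the calendar year in which they were discovered.
LARGE_BREACH_MIN = 500
DAYS_AFTER_DISCOVERY = 60   # an outer limit; "without unreasonable delay" still governs
DAYS_AFTER_YEAR_END = 60


@dataclass(frozen=True)
class Breach:
    name: str          # internal incident identifier (constructed for this example)
    discovered: date   # the clock runs from discovery, not from when the breach occurred
    individuals: int   # number of individuals whose unsecured PHI was affected


@dataclass(frozen=True)
class Deadline:
    breach: str
    due: date
    basis: str


def hhs_deadline(b: Breach) -> Deadline:
    """Latest date on which the breach may be submitted to the OCR breach portal."""
    if b.individuals < 0:
        raise ValueError("individuals must be non-negative")
    if b.individuals >= LARGE_BREACH_MIN:
        due = b.discovered + timedelta(days=DAYS_AFTER_DISCOVERY)
        return Deadline(b.name, due, "60 calendar days from discovery (500+ individuals)")
    # timedelta arithmetic handles the year boundary and leap years correctly,
    # e.g. a 2015 discovery is due 2016-02-29, a 2016 discovery 2017-03-01.
    year_end = date(b.discovered.year, 12, 31)
    due = year_end + timedelta(days=DAYS_AFTER_YEAR_END)
    return Deadline(b.name, due, "60 days after end of discovery year (under 500)")


def days_remaining(d: Deadline, today: date) -> int:
    """Calendar days left before the deadline; negative means it has been missed."""
    return (d.due - today).days


def annual_submissions(breaches: list[Breach]) -> dict[int, int]:
    """Sub-500 breaches may all be filed on the same day, but each needs its own
    portal submission: returns {discovery_year: number of separate submissions}."""
    counts: dict[int, int] = {}
    for b in breaches:
        if b.individuals < LARGE_BREACH_MIN:
            counts[b.discovered.year] = counts.get(b.discovered.year, 0) + 1
    return counts


def reporting_schedule(breaches: list[Breach], today: date) -> list[tuple[Deadline, int]]:
    """Every deadline with its days remaining, soonest first, for triage."""
    rows = [(d, days_remaining(d, today)) for d in map(hhs_deadline, breaches)]
    return sorted(rows, key=lambda r: r[0].due)


# Constructed sample incidents, not real breach reports.
SAMPLE = [
    Breach("INC-2016-01", date(2016, 6, 8), 1200),   # large: unencrypted laptop stolen
    Breach("INC-2016-02", date(2016, 6, 8), 40),     # small: misdirected fax
    Breach("INC-2015-07", date(2015, 12, 30), 12),   # small, found days before year end
]

if __name__ == "__main__":
    for d, left in reporting_schedule(SAMPLE, date(2016, 6, 8)):
        print(f"{d.breach}: due {d.due} ({left:4d} days left) - {d.basis}")
```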
OCR Breach Portal Reporting
Engage Employees
Train
- Awareness
- Processes
Empower
- Easy reporting
- Routed to action
Reward
- Recognition
- Incentives
A Living Plan: Schedule Proactive Tasks
1Q
• Review & Update
• Quarterly Lessons Learned
2Q
• Communicate Changes
• Quarterly Lessons Learned
3Q
• Staff Training
• Quarterly Lessons Learned
4Q
• Tabletop Exercises
• Quarterly Lessons Learned
Q&A