
experience access - HFMA

4/13/2017

experience access // CPAs & ADVISORS

CYBERSECURITY BEST PRACTICES & PRIVACY RULES

Presented by Cindy Boyle and Craig Lair

GOALS FOR THIS SESSION

• Scare the heck out of you!

• Define Cybersecurity and the Threat Landscape

• Review Our Top 10 List of Cost Effective Risk Reduction Strategies

• Explain Data Security and Privacy Rules for Healthcare

• Inspire you to take action now!!!

2 // experience access


“There are only two types of companies: those that have been hacked & those that will be. Even that is merging into one category: those that have been hacked & will be again.”


Robert Mueller, Former FBI Director, on the cyber threat landscape

DEFINING CYBERSECURITY

Information security deals with protecting information, regardless of its format: physical documents, digital, intellectual property in people’s minds & verbal or visual communications.

Cybersecurity is concerned with protecting digital assets — everything from networks to hardware & information processed, stored or transported by internetworked information systems.


CYBERSECURITY OBJECTIVES

The objective of cybersecurity is threefold:

• Confidentiality

• Integrity

• Availability

DEFINING CYBERSECURITY

National Institute of Standards and Technology (NIST)

The process of managing cyber threats & vulnerabilities & for protecting information & information systems by identifying, defending against, responding to & recovering from attacks.


POTENTIAL BREACH IMPACTS

• Negative publicity

• Regulatory sanctions

• Refusal to share personal information

• Damage to brand

• Regulator scrutiny

• Legal liability

• Fines

• Damaged patient relationships

• Damaged employee relationships

• Deceptive or unfair trade charges

• Diversion of resources

• Lost productivity

CYBERCRIME ACTORS


2016 CYBERSECURITY STATISTICS

• In 93% of breaches, systems were compromised in minutes or less

• Most breaches are about money

Source: Verizon

2016 CYBERSECURITY STATISTICS

• $7M average total cost of a data breach in the US (64 US companies)

• 7% increase in total cost of a data breach from the prior year

• $221 average cost per lost or stolen record

  • Healthcare is highest at $402

• Root cause

  • 23% human error

  • 27% system glitch

  • 60% malicious or criminal activity

Source: Ponemon Institute


2016 CYBERSECURITY STATISTICS

• 63% of confirmed breaches involved weak or stolen passwords

• 95% of breaches fit into nine categories

• In healthcare, 73% of incidents fall into three categories:

  • Physical theft/loss

  • Insider misuse

  • Miscellaneous errors

Source: Verizon

TOP 10 COST-EFFECTIVE STRATEGIES FOR RISK REDUCTION


#1 – KNOW WHERE YOUR DATA IS STORED

Document and maintain accurate information asset inventories, including all relevant assets that store or transmit sensitive data.

• Perform data flow analysis

• Consolidate all valuable data into as few storage locations as possible

#2 – TAKE ADVANTAGE OF SECURITY CONTROLS

Establish, implement and actively manage security configuration settings for all hardware and software for servers, workstations, laptops, mobile devices, firewalls, routers, etc.

Security controls:

• System/device hardening

• Strong password security

• Limit administrative privileges

• Grant minimum required access to perform job functions


#3 – KNOW WHO CAN ACCESS YOUR DATA

Align logical and physical access authorization, establishment, modification & termination procedures applicable to networks, operating systems, applications & databases.

• Screen employees prior to employment

• Document additions and modifications

• Remove terminated employees' access in a timely manner

• Limit vendor remote access

#4 – IMPLEMENT DATA LOSS PREVENTION CONTROLS

Organizations must limit access to removable media, CDs, portable drives, email & file transfer websites.

• Leverage existing policies

• Write clear policies that encompass device use & disposal of information

• Wipe devices no longer in use & then physically destroy them


#5 – ENSURE ALL CRITICAL DATA IS ENCRYPTED

Adoption of data encryption for data in use, in transit and at rest provides mitigation against data compromise.

• Encrypt all hard drives on all portable devices

• Protect backup information


#6 – EFFECTIVE PATCH MANAGEMENT

Ensure all systems, regardless of function or impact, have recent operating system and application patches applied, and that any business-critical applications are maintained at the most current feasible level for your organization.

• Evaluate & test critical patches in a timely manner

• Apply patches for the riskiest vulnerabilities first

• Third-party applications (Java, Adobe, Flash, etc.) must also be managed


#7 – PERFORM RISK ASSESSMENTS

Perform an information security risk assessment that is flexible and responds to changes in your environment.

Specific focus should be on all protected information & protected health information.


#8 – EDUCATE PERSONNEL & HOLD THEM ACCOUNTABLE

Provide staff training on security best practices, internal policies & new threats. Focus on social engineering, phishing & physical security concerns.

• Educate all personnel at least annually

• Make sure the new hire onboarding process includes this topic

• Accountability includes ALL personnel — especially senior management — who must lead by example


#9 – AUDIT & ASSESS CONTROLS

Conduct vulnerability scans and penetration tests to identify and evaluate security vulnerabilities in your environment.

• Security controls provide the most value when they are audited & monitored for compliance &/or maintenance

• Annual audits provide the necessary insights into keeping security controls optimized & properly fitted to the environments they are employed to protect


#10 – MINIMIZE IMPACT BY TAKING IMMEDIATE ACTION

Management's ultimate goal should be to minimize damage to the institution and its customers through containment of the incident and proper restoration of information systems.

• Conduct analysis of past incidents

• Use an incident response team

• Determine who will be responsible


RESOURCES

• NIST Framework: www.nist.gov/cyberframework

• Homeland Security: www.dhs.gov/topic/cybersecurity

• Krebs On Security (security newsletter): www.krebsonsecurity.com

• SANS (SysAdmin, Audit, Networking, and Security): www.sans.org

• Security Tools (open source security tools; be careful and use at your own risk): www.sectools.org


PRIVACY RULES FOR HEALTHCARE


BRUTE FORCE ATTACKS


LEGAL AND REGULATORY GOVERNANCE

• Rules of Professional Conduct

• State Ethics Opinions

• Common Law and Contractual Agreements

• Federal & State Law

• Court Rules


RULES OF PROFESSIONAL CONDUCT

ABA Model Rule of Professional Conduct 1.1

The Duty of Competence

“A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”

Amended Comment [8]: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”

Eighteen states have adopted or are in the process of adopting amended Comment [8]. Arkansas adopted it in 2014.

RULES OF PROFESSIONAL CONDUCT

ABA Model Rule of Professional Conduct 1.4

The Duty to Communicate

“A lawyer shall . . . keep the client reasonably informed about the status of the matter.” This requires keeping the client reasonably informed so that the client can make informed decisions regarding the representation.

Thus, an information breach is likely information that requires a report to the client. There is obvious reluctance to report a breach to the client for fear of destroying trust in the capabilities and aptitudes of the lawyer and/or his firm. Yet, Rule 1.4 likely requires a report.


RULES OF PROFESSIONAL CONDUCT

ABA Model Rule of Professional Conduct 1.6

The Duty of Confidentiality

Generally, “a lawyer shall not reveal confidential information. . . . A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of the client.”

This represents the amended subsection (c) of Rule 1.6, as adopted by Arkansas in 2014. In judging reasonableness, a list of factors is analyzed:

• Sensitivity of the information;

• Likelihood of disclosure if additional safeguards are not used;

• Cost and difficulty of using additional safeguards; and

• Extent to which safeguards hinder the lawyer’s representation.

RULES OF PROFESSIONAL CONDUCT

ABA Model Rule of Professional Conduct 5.3

The Duty of Supervision

Law firms must “make reasonable efforts to ensure the firm has in effect measures” to assure lawyers within the firm are conforming to the Rules. This implies that those measures include governance on how to safeguard client information.

The duty extends responsibility to supervising lawyers over supervised lawyers and non-lawyers within the firm.

Model and Arkansas Comment [3]: “a lawyer must make reasonable efforts to ensure [third-party] services are provided in a manner compatible with the lawyer's professional obligations”


AICPA RULES OF PROFESSIONAL CONDUCT

Application of the Conceptual Framework for Members in Public Practice and Ethical Conflicts, 1.700.005

.02 A member may be in violation of the Confidential Client Information Rule 1.700.001 if the member cannot demonstrate that safeguards were applied that at least reduced significant threats to an acceptable level.

Conceptual Framework for Members in Public Practice and Ethical Conflicts, 1.000.010

.04 An acceptable level is the level at which a reasonable and informed third party who is aware of the relevant information would be expected to conclude that a member’s compliance with the rules is not compromised.

.05 Safeguards are actions or other measures that may reduce a threat to an acceptable level or otherwise eliminate the threat.

.06 A threat is a relationship or circumstance that could compromise a member’s compliance with the Rules.

AICPA RULES OF PROFESSIONAL CONDUCT

Conceptual Framework for Members in Public Practice, 1.000.010

.07 Members should identify threats and evaluate the significance of such threats (i.e., whether a threat exists at an acceptable level or compromises compliance with the Rules).

If the threat is not at an acceptable level, the member should apply safeguards to reduce it to an acceptable level. Proper safeguards are a matter of circumstance and professional judgment.

If safeguards cannot reduce the threat, the member may need to decline or discontinue the representation.

Unauthorized access to data may constitute noncompliance with the Confidential Client Information Rule.


STATE ETHICS OPINIONS

State ethics opinions generally require that a lawyer must act “reasonably” to protect client information. Reasonableness is defined differently by the states, with some considering it to be a fiat target and others considering it to be an analysis of pre-existing factors listed in Rule 1.6.

In the past few years, Mid-American and Southern states have been grappling with cloud services and third-party remote storage. These are generally acceptable if the magical “reasonable” measures are taken.

California and New York:

• In addition to cloud computing and third-party remote storage, public access wireless connections have been addressed.

COMMON LAW AND CONTRACTUAL AGREEMENT

Restatement (Third) § 60: “the lawyer must take steps reasonable in the circumstances to protect confidential client information against impermissible use or disclosure by the lawyer’s associates or agents that may adversely affect a material interest of the client or otherwise than as instructed by the client.”

Legal and accounting clients in various industries such as banking, government, or healthcare may require specific protocols in the outside counsel guidelines or when signing an engagement letter.


FEDERAL LAW & REGULATION

Various portions of federal legislation implicate law firms and legal representation as to privacy concerns and information security:

• Export Administration Regulations

• International Traffic in Arms Regulations

• Health Insurance Portability and Accountability Act

• Consumer Financial Protection Act

• Electronic Communications Privacy Act

• Equal Employment Opportunity Act

• Gramm-Leach-Bliley Act

STATE LAW & REGULATION

Most states have some form of privacy protection with varying degrees of applicability:

• Arkansas has the “Personal Information Protection Act.” It broadly defines personal information and requires “reasonable procedures” to protect it from unauthorized access or disclosure. It also requires destruction after a period of time. See Ark. Code Ann. § 4-110-101 et seq.

• Massachusetts has historically had the regime with the largest breadth of applicability. It has been enforced against out-of-state companies for failure to comply with Massachusetts security requirements.

• New York will implement cybersecurity measures beginning in 2017 that require banking and insurance clients to verify that advisors and vendors comply with cybersecurity regulations.


COURT RULES

Various federal and state courts have promulgated limitations on the use of personal information that can be filed in documents at the court.

Federal Rule of Civil Procedure 5.2 and Federal Rule of Bankruptcy Procedure 9037 only allow specific portions of an individual's personally identifying information.

Several district courts and state courts have implemented similar limitations.

RECENT HIPAA ACTION

Case #1 – Presence Health Network

Issue: Loss of surgery records.

Result: $475,000 settlement with HHS


RECENT HIPAA ACTION

Case #2 – University of Massachusetts - Amherst

Issue: Malware allowed access to 1,670 individuals’ records

Result: $650,000 settlement with HHS

RESPONSE TO BREACH

What to do if there is a breach?

• Immediate response is the best plan of action

  o All personnel should be required to immediately report a suspected breach

• A preexisting written plan should detail the steps to take in response

• The response team should handle the response

• There is likely a notification requirement as to affected clients


THANK YOU

Cindy Boyle, CPA, CIA, CITP, CISA // Partner, IT Risk Services National Practice Leader

[email protected] // 501.372.1040

Craig S. Lair // Managing Member, Rose Law Firm

[email protected] // 501.377.0328