experience access - HFMA
TRANSCRIPT
4/13/2017
1
experience access //
CPAs & ADVISORS
CYBERSECURITY BEST PRACTICES & PRIVACY RULES
Presented by Cindy Boyle and Craig Lair
GOALS FOR THIS SESSION
• Scare the heck out of you!
• Define Cybersecurity and the Threat Landscape
• Review Our Top 10 List of Cost Effective Risk Reduction Strategies
• Explain Data Security and Privacy Rules for Healthcare
• Inspire you to take action now!!!
“There are only two types of companies: those that have been hacked & those that will be. Even that is merging into one category: those that have been hacked & will be again.”
Robert Mueller
Former FBI Director on Cyber Threat Landscape
DEFINING CYBERSECURITY
Information security deals with protecting information, regardless of its format: physical documents, digital, intellectual property in people’s minds & verbal or visual communications.
Cybersecurity is concerned with protecting digital assets — everything from networks to hardware & information processed, stored or transported by internetworked information systems.
CYBERSECURITY OBJECTIVES
The objective of cybersecurity is threefold:
• Confidentiality
• Integrity
• Availability
DEFINING CYBERSECURITY
National Institute of Standards and Technology (NIST)
The process of managing cyber threats & vulnerabilities & for protecting information & information systems by identifying, defending against, responding to & recovering from attacks.
POTENTIAL BREACH IMPACTS
• Negative publicity
• Regulatory sanctions
• Refusal to share personal information
• Damage to brand
• Regulator scrutiny
• Legal liability
• Fines
• Damaged patient relationships
• Damaged employee relationships
• Deceptive or unfair trade charges
• Diversion of resources
• Lost productivity
CYBERCRIME ACTORS
2016 CYBERSECURITY STATISTICS
• In 93% of breaches, it took attackers minutes or less to compromise systems
• Most breaches are about money
Source: Verizon
2016 CYBERSECURITY STATISTICS
• $7M average total cost of a data breach in the US (64 US companies)
• 7% increase in total cost of a data breach from the prior year
• $221 average cost per lost or stolen record
• Healthcare is highest at $402 per record
• Root cause:
o 23% human error
o 27% system glitch
o 60% malicious or criminal activity
Source: Ponemon Institute
2016 CYBERSECURITY STATISTICS
• 63% of confirmed breaches involved weak or stolen passwords
• 95% of breaches fit into nine categories
• In healthcare, 73% of incidents fall into three categories:
o Physical theft/loss
o Insider misuse
o Miscellaneous errors
Source: Verizon
TOP 10 COST-EFFECTIVE STRATEGIES FOR RISK REDUCTION
#1 – KNOW WHERE YOUR DATA IS STORED
Document and maintain accurate information asset inventories, including all relevant assets that store or transmit sensitive data.
• Data flow analysis
• Consolidate all valuable data into the fewest storage locations possible
#2 – TAKE ADVANTAGE OF SECURITY CONTROLS
Establish, implement and actively manage security configuration settings for all hardware and software for servers, workstations, laptops, mobile devices, firewalls, routers, etc.
Security Controls:
• System/device hardening
• Strong password security
• Limit administrative privileges
• Grant the minimum access required to perform job functions
#3 – KNOW WHO CAN ACCESS YOUR DATA
Align logical and physical access authorization, establishment, modification & termination procedures applicable to networks, operating systems, applications & databases.
• Screen employees prior to employment
• Document additions and modifications
• Timely removal of terminated employees
• Limit vendor remote access
#4 – IMPLEMENT DATA LOSS PREVENTION CONTROLS
Organizations must limit access to removable media, CDs, portable drives, email & file transfer websites.
• Leverage existing policies
• Write clear policies that encompass device use & disposal of information
• Wipe devices no longer in use & then physically destroy them
#5 – ENSURE ALL CRITICAL DATA IS ENCRYPTED
Adoption of data encryption for data in use, in transit and at rest provides mitigation against data compromise.
• Encrypt all hard drives on all portable devices
• Protect backup information
#6 – EFFECTIVE PATCH MANAGEMENT
Ensure all systems, regardless of function or impact, have recent operating system and application patches applied, and that any business-critical applications are maintained at the most current feasible level for your organization.
• Evaluate & test critical patches in a timely manner
• Apply patches for the riskiest vulnerabilities first
• Third-party applications (Java, Adobe, Flash, etc.) must also be managed
#7 – PERFORM RISK ASSESSMENTS
Perform an information security risk assessment that is flexible and responds to changes in your environment.
Specific focus should be on all protected information & protected health information.
#8 – EDUCATE PERSONNEL & HOLD THEM ACCOUNTABLE
Provide staff training on security best practices, internal policies & new threats. Focus on social engineering, phishing & physical security concerns.
• Educate all personnel at least annually
• Make sure the new hire onboarding process includes this topic
• Accountability includes ALL personnel — especially senior management — who must lead by example
#9 – AUDIT & ASSESS CONTROLS
Conduct vulnerability scans and penetration tests to identify and evaluate security vulnerabilities in your environment.
• Security controls provide the most value when they are audited & monitored for compliance &/or maintenance
• Annual audits provide necessary insights into keeping security controls optimized & properly fitted to the environments they are employed to protect
#10 – MINIMIZE IMPACT BY TAKING IMMEDIATE ACTION
Management's ultimate goal should be to minimize damage to the institution and its customers through containment of the incident and proper restoration of information systems.
• Conduct analysis of past incidents
• Use an incident response team
• Determine who will be responsible
RESOURCES
• NIST www.nist.gov/cyberframework
NIST Framework
• Homeland Security www.dhs.gov/topic/cybersecurity
• Krebs On Security www.krebsonsecurity.com
Security Newsletter
• SANS www.sans.org
SysAdmin, Audit, Networking, and Security
• Security Tools www.sectools.org
Open source security tools, be careful and use at your own risk
PRIVACY RULES FOR HEALTHCARE
BRUTE FORCE ATTACKS
LEGAL AND REGULATORY GOVERNANCE
• Rules of Professional Conduct
• State Ethics Opinions
• Common Law and Contractual Agreements
• Federal & State Law
• Court Rules
RULES OF PROFESSIONAL CONDUCT
ABA Model Rule of Professional Conduct 1.1
The Duty of Competence
“A lawyer shall provide competent representation to a client. Competent
representation requires the legal knowledge, skill, thoroughness and preparation
reasonably necessary for the representation”
Amended Comment [8] - “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
Eighteen states have or are in the process of adopting amended Comment [8].
Arkansas adopted in 2014.
RULES OF PROFESSIONAL CONDUCT
ABA Model Rule of Professional Conduct 1.4
The Duty to Communicate
“A lawyer shall . . . keep the client reasonably informed about the status of the matter.” Requires keeping the client reasonably informed so that the client can make informed decisions regarding the representation.
Thus, an information breach is likely information that requires a report to the client.
There is obvious reluctance to report a breach to the client for fear of destroying trust in the capabilities and aptitudes of the lawyer and/or his firm. Yet, Rule 1.4 likely requires a report.
RULES OF PROFESSIONAL CONDUCT
ABA Model Rule of Professional Conduct 1.6
The Duty of Confidentiality
Generally, “a lawyer shall not reveal confidential information. . . . A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of the client.”
This represents the amended subsection (c) of Rule 1.6, as adopted by Arkansas in 2014. In judging reasonableness, a list of factors is analyzed:
• Sensitivity of the information;
• Likelihood of disclosure if additional safeguards are not used;
• Cost and difficulty of using additional safeguards; and
• Extent to which safeguards hinder the lawyer’s representation
RULES OF PROFESSIONAL CONDUCT
ABA Model Rule of Professional Conduct 5.3
The Duty of Supervision
Law firms must “make reasonable efforts to ensure the firm has in effect measures” to assure lawyers within the firm are conforming to the Rules.
Implies that measures include governance on how to safeguard client information.
Duty extends responsibility to supervising lawyers over supervised lawyers and non-lawyers within the firm.
Model and Arkansas Comment [3]: “a lawyer must make reasonable efforts to ensure [third-party] services are provided in a manner compatible with the lawyer's professional obligations”
AICPA RULES OF PROFESSIONAL CONDUCT
Application of the Conceptual Framework for Members in Public Practice and Ethical Conflicts
1.700.005
.02 A member may be in violation of the Confidential Client Information
Rule 1.700.001 if the member cannot demonstrate that safeguards were
applied that at least reduced significant threats to an acceptable level.
Conceptual Framework for Members in Public Practice and Ethical Conflicts
1.000.010
.04 An acceptable level is the level at which a reasonable and informed
third party who is aware of the relevant information would be expected to
conclude that a member’s compliance with the rules is not compromised.
.05 Safeguards are actions or other measures that may reduce a threat to
an acceptable level or otherwise eliminate the threat.
.06 A threat is a relationship or circumstance that could compromise a
member’s compliance with the Rules.
AICPA RULES OF PROFESSIONAL CONDUCT
Conceptual Framework for Members in Public Practice
1.000.010
.07 Members should identify threats and evaluate the significance of such threat
(i.e. whether it exists at an acceptable level or compromises compliance with the
Rules).
If the threat is not at an acceptable level, the member should apply safeguards to
reduce it to an acceptable level. Proper safeguards are a matter of circumstance and
professional judgement.
If safeguards cannot reduce the threat, the member may need to decline or
discontinue the representation.
An unauthorized access to data may constitute noncompliance with the Confidential
Client Information Rule.
STATE ETHICS OPINIONS
State ethics opinions generally require that a lawyer must act “reasonably” to
protect client information. Reasonableness is defined differently by the
states, with some considering it to be a fiat target and others considering it to
be an analysis of pre-existing factors listed in Rule 1.6.
In the past few years, Mid-American and Southern States have been grappling
with cloud services and third-party remote storage. Generally acceptable if
the magical “reasonable” measures are taken.
California and New York:
• In addition to cloud computing and third-party remote storage, public access
wireless connections have been addressed.
COMMON LAW AND CONTRACTUAL AGREEMENT
Restatement (Third) § 60- “the lawyer must take steps reasonable in the
circumstances to protect confidential client information against impermissible
use or disclosure by the lawyer’s associates or agents that may adversely affect
a material interest of the client or otherwise than as instructed by the client.”
Legal and accounting clients in various industries such as banking,
government, or healthcare may require specific protocol in the outside
counsel guidelines or when signing an engagement letter.
FEDERAL LAW & REGULATION
Various portions of federal legislation implicate law firms and legal
representation as to privacy concerns and information security:
• Export Administration Regulations
• International Traffic in Arms Regulations
• Health Insurance Portability and Accountability Act
• Consumer Financial Protection Act
• Electronic Communications Privacy Act
• Equal Employment Opportunity Act
• Gramm-Leach-Bliley Act
STATE LAW & REGULATION
Most states have some form of privacy protection with varying degrees of
applicability:
• Arkansas has the “Personal Information Protection Act.” Broadly defines personal information and requires “reasonable procedures” to protect from unauthorized access or disclosure. Also requires destruction after a period of time. See Ark. Code Ann. § 4-110-101 et seq.
• Massachusetts has historically had the regime with the largest breadth of
applicability. It has been enforced against out of state companies for failure to
comply with Massachusetts security requirements.
• New York will implement cybersecurity measures beginning in 2017 that
require banking and insurance clients to verify that advisors and vendors
comply with cyber security regulations.
COURT RULES
Various Federal and State courts have promulgated limitations on the use of personal information that can be filed in documents at the court.
Federal Rule of Civil Procedure 5.2 and Federal Rule of Bankruptcy Procedure 9037 only allow specific portions of an individual's personally identifying information.
Several district courts and state courts have implemented similar limitations.
RECENT HIPAA ACTION
Case #1 – Presence Health Network
Issue: Loss of surgery records.
Result: $475,000 settlement with HHS
RECENT HIPAA ACTION
Case #2 – University of Massachusetts - Amherst
Issue: Malware allowed access to 1,670 individuals’ records
Result: $650,000 settlement with HHS
RESPONSE TO BREACH
What to do if there is a breach?
• Immediate response is the best plan of action
o All personnel should be required to immediately report a suspected breach
• A preexisting written plan should detail the steps to take in response
• The response team should handle the response
• There is likely a notification requirement as to affected clients
THANK YOU
Cindy Boyle, CPA, CIA, CITP, CISA // Partner, IT Risk Services National Practice Leader
[email protected] // 501.372.1040
Craig S. Lair // Managing Member, Rose Law Firm
[email protected] // 501.377.0328