HIPAA Crackdown
TRANSCRIPT
ANITIAN: intelligent information security
Meet the Speakers
Jordan Wiseman
• Certified Risk Assessor, QSA, GSEC
• 18+ years experience in Information Technology and Security
• 13+ years in Healthcare and HIPAA compliance
Phil Johnson
• Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA)
• 9+ years in Medicaid Management Information Systems (MMISs) and Health Exchanges for Texas, New Hampshire, and Hawaii
• 6+ years in IT Audit and Information Security
Vision: Security is essential to growth, innovation, and prosperity.
Mission: Build great security leaders.
ANITIAN
Rapid Risk Assessment
Compliance Assessment and Audit
Full-Spectrum Security Testing
Managed Threat Intelligence
Intelligent Information Security
Overview
Intent
• Help you understand the current HIPAA enforcement landscape
• Increase your awareness of HIPAA-related threats
• Share with you valuable takeaways from Anitian’s HIPAA practice
Outline
1. Office of Civil Rights (OCR) audit program
2. The evolving HIPAA threat landscape
3. Tales from the Anitian front line of HIPAA engagements
Assumptions
• You have a basic understanding of HIPAA
• Privacy Rule
• Security Rule
• Breach Notification Rule
• Awareness of recent public OCR enforcement actions
HIPAA Timeline
HIPAA Act (1996)
HITECH Act (2009)
OCR Phase I Audit (2011)
Final HIPAA Omnibus Rule (2013)
OCR Phase II Audit (2016)
OCR 2016 Audits
It seems like audits are more extreme this year… are they?!
OCR 2016 Audits
• In a word: yes.
• Why?
• Findings from the 2011 OCR audit cycle
• Publicity around high profile breaches
• Findings from the Office of the Inspector General (OIG)
OCR Audit Targets and Process
• Who is being audited?
• Individual and organizational healthcare providers
• Health plans (all types/sizes)
• Healthcare clearinghouses
• OCR will not audit entities having an open complaint or undergoing a compliance review
• Selection process
• OCR verifies entity contact information
• Entity completes questionnaire informing OCR of business associates
• OCR chooses auditees through random sampling of the ‘audit pool’
Sample of HIPAA-Related Breaches and Findings
Hospital / University OCR Settlement (2016 - $2.7M)
• Over 3,000 unencrypted patient records stored in Google Mail and Google Drive
• Over 4,000 patient records breached when unencrypted laptop and thumb drive stolen
• OCR investigation found that entity’s risk assessment was inadequate
• Key takeaway from OCR Director:
“This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”
Sample of HIPAA-Related Breaches and Findings
Large Healthcare System (2016 - $5.55M)
• Largest HIPAA settlement fine to date
• Combined breach of ePHI for over 4 million individuals
• Shortcomings:
• Risk assessment lacking in accuracy and thoroughness
• Lack of policy/procedures restricting physical access to data centers where ePHI stored
• Lack of contracts with Business Associates requiring associates to safeguard ePHI
• Key takeaway from OCR Director:
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.”
Recent Trends in the PHI Threat Landscape
Accidental, careless, and uninformed actions
• Lost or stolen items
• Cell phones
• Laptops
• Backpacks/bags
• Unmanaged cloud service use
• “But, it’s okay, they use AES-256!”
• Advertised with IT-less setup/support
Recent Trends in the PHI Threat Landscape
Insider Threats
• Malicious use on the rise
• Identity theft
• Medicare fraud
• Tax fraud
• HHS, Secret Service, and OCR suggest
• Treating external and insider threats equally
Recent Trends in the PHI Threat Landscape
Ransomware
• OCR ‘Fact Sheet’ on Ransomware and HIPAA
http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
• Key points:
• Ransomware attacks are security incidents
• Successful ransomware attacks might be breaches
• HIPAA-mandated controls can help
Tales from the Front Lines
The Usual Suspects
• Mandatory outdated software
• Windows
• IE
• Adobe
• Data Loss Prevention
• SFTP/FTPS
• Vendor support
• Equipment
• VPN
Tales from the Front Lines
End-user Remote Access
• Valuable business/patient care uses
• Emergent or after-hours EHR access
• Web-based email (OWA) and scheduling
• Direct to own desktops; usual tools
• Control gaps
• Multi-factor authentication
• Successful login monitoring
• LogMeIn, GoToMyPC, etc.
• RDP resource redirection
Tales from the Front Lines
Personal Cell Phones
• May contain PHI
• Emails
• Text messages
• Attachments
• Pictures
• Most providers require passcodes to unlock
• But overlook device encryption!
• This is why MDM is important
Tales from the Front Lines
Access Logging Gaps
• Reporting and custom databases
• How many copies of live PHI do you have?
• How are they accessed?
• Who is accessing them?
• What about Microsoft Access?
• File shares
• XLS, CSV, or TXT files with PHI
• SACLs, auditd, SELinux
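As an added illustration that is not part of the webinar, the following script answers the "how are they accessed, and by whom" questions for PHI files on a Linux file share by joining auditd SYSCALL and PATH records. It assumes a watch rule such as `-w /srv/phi/exports -p rwa -k phi_share` is loaded (the path and key are made up for the example), and the log lines below are constructed samples, not a real audit trail.

```python
import re
from collections import defaultdict

# Constructed sample auditd records, as produced with an assumed watch rule
# "-w /srv/phi/exports -p rwa -k phi_share"; path, uids and key are made up.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1477600000.101:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd0 a2=0 a3=0 items=1 ppid=900 pid=2345 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=4 comm="cat" exe="/usr/bin/cat" key="phi_share"
type=CWD msg=audit(1477600000.101:501): cwd="/home/analyst"
type=PATH msg=audit(1477600000.101:501): item=0 name="/srv/phi/exports/patients.csv" inode=1234 dev=08:01 mode=0100640 ouid=0 ogid=2000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1477600000.202:502): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd0 a2=0 a3=0 items=1 ppid=901 pid=2346 auid=1002 uid=1002 gid=1002 euid=1002 tty=pts1 ses=5 comm="python3" exe="/usr/bin/python3.5" key="phi_share"
type=PATH msg=audit(1477600000.202:502): item=0 name="/srv/phi/exports/claims_2016.xls" inode=1235 dev=08:01 mode=0100640 ouid=0 ogid=2000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1477600000.303:503): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd0 a2=0 a3=0 items=1 ppid=900 pid=2347 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=4 comm="cp" exe="/bin/cp" key="phi_share"
type=PATH msg=audit(1477600000.303:503): item=0 name="/srv/phi/exports/patients.csv" inode=1234 dev=08:01 mode=0100640 ouid=0 ogid=2000 rdev=00:00 nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="quoted value"
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # (timestamp, event serial)

def parse_fields(line):
    """Turn one auditd record into a dict of its key/value pairs, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def phi_access_report(log_text, key="phi_share"):
    """Join the SYSCALL and PATH records of each event by serial number and return
    {file path: [(login uid, effective uid, program, succeeded), ...]} for every
    access tagged with the watch-rule key, denied attempts included."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        rec = parse_fields(line)
        ev = events[m.group(2)]
        if rec.get("type") == "SYSCALL":
            ev["syscall"] = rec
        elif rec.get("type") == "PATH" and rec.get("item") == "0":
            ev["path"] = rec.get("name")
    report = defaultdict(list)
    for ev in events.values():
        sc, path = ev.get("syscall"), ev.get("path")
        if not sc or not path or sc.get("key") != key:
            continue
        # auid is the original login identity and survives su/sudo; when it
        # differs from uid the file was touched with elevated privileges.
        report[path].append((sc["auid"], sc["uid"], sc["exe"], sc["success"] == "yes"))
    return dict(report)

if __name__ == "__main__":
    for path, accesses in phi_access_report(SAMPLE_AUDIT_LOG).items():
        for auid, uid, exe, ok in accesses:
            print(f"{path}: login uid {auid} as uid {uid} via {exe} {'OK' if ok else 'DENIED'}")
```

The same join works on a live `/var/log/audit/audit.log`; the denied attempt on the spreadsheet and the root-level copy by login uid 1001 are the two records a reviewer would want to see.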
Remember…
• The time is now; do not wait for a crisis to set up a plan
• Use third-party resources; they are objective
• Take it slow and act rationally
• Risk assessments are a key part of HIPAA and should encompass not only technology but business processes as well
• The PHI you protect is probably YOUR OWN DATA
Questions
Use the chat feature to ask your questions
Or email [email protected]
EMAIL: [email protected]
WEB: anitian.com
BLOG: blog.anitian.com
SLIDES: http://bit.ly/anitian
CALL: 888-ANITIAN
THANK YOU