SureView® Insider Threat - Raytheon

Adding Value to Your HIPAA Compliance Program

Commissioned by: Raytheon Company

Partner: Ben Osbrach

Date: February, 2015



Table of Contents

Who are Considered Insider Threats and Why Do They Do What They Do?

Customer Pain Points in the Face of HIPAA Compliance

What You Can and Need to Do About It Today: Deter, Detect, Mitigate

SureView® Insider Threat HIPAA Compliance Solution

Conclusion

About Skoda Minotti Risk Advisory Services

Skoda Minotti’s Risk Advisory Services Group is a specialized division within the firm that provides value-added assurance and compliance services focused on designing solutions for companies seeking to comply, or in the process of becoming compliant, with various standards and regulations. It is our goal to provide superior customer service while empowering our clients to understand all elements of compliance. We partner with our clients to meet their needs and the stringent demands their customers and vendors require.

Delivering Solutions for:

• SSAE 16 (SOC 1)

• SysTrust / WebTrust (SOC 2/3)

• PCI-DSS – Qualified Security Assessor

• Vulnerability Scans

• Penetration Testing

• Sarbanes Oxley (SOX)

• HIPAA

• GLBA

• DEA 1311 (EPCS)

• ISO Assessments

• SAP Consulting

© 2015 Skoda Minotti Risk Advisory Services


In Season One of HBO’s hit series Homeland, the vice president is killed when an inside operative breaks into his office and steals critical identifying information about his pacemaker. This traitor delivers the information to a nefarious terrorist entity that is then able to kill the VP remotely through use of a planted cell phone. “That is just a story on TV. That could never happen,” you say. But frighteningly enough, that plot line is entirely feasible in today’s advanced technological environment. Insider threat is rampant and according to Michael Theis of CERT Insider Threat, two of five employees are thought to be downloading files to personal drives, with diverse motives from financial gain to political activism. Although there have always been spies and thieves among us, never before has it been so prevalent, due in part to the ease with which delicate information can so easily be shared, altered, moved and even stolen. When it comes to the Health Insurance Portability and Accountability Act (HIPAA) the challenge to keep health records safe and private is an enormous and ongoing process that organizations must invest in to avoid the consequences of non-compliance or worse.

Who are Considered Insider Threats and Why Do They Do What They Do?

If we understand the answers to these questions and are aware of who might pose a threat and why, then we have taken the first step toward detection. Many insider threats at healthcare organizations are employees who steal information to commit fraud or sell it to criminals. These records can sell for as much as $10 each [I] on the underground market. A recent example of this basic form of theft occurred at South Carolina’s Department of Health and Human Services. An employee was caught having sent 228,000 patient Medicare records from his work email address to his personal email address. This employee was fired and is being charged by law enforcement for his crime. In another instance, at Emory Healthcare, 315,000 records were lost when 10 backup discs went missing from a storage facility at Emory University Hospital. While the malicious intent is obvious in the first example, in the second example it is not so clear. It is possible that the discs were misplaced or simply lost due to employee error, with no malfeasance intended.

Another common type of insider theft that is clearly not malicious but can still get providers in serious HIPAA trouble is when employees let their curiosity get the better of them and view or copy information they aren’t authorized to access. At the University Medical Center in Tucson, following the 2011 shootings at a supermarket that killed six and wounded 13, including US Representative Gabrielle Giffords, four clinical support staff members were fired for inappropriately accessing medical records associated with this high profile case [II]. These employees were fired from their jobs for violating privacy regulations, causing HIPAA infractions. This has happened in many instances around the country when it comes to celebrities and their healthcare records, and in most cases the employee meant no harm, but the snooping itself is a violation of HIPAA regulations.

Customer Pain Points in the Face of HIPAA Compliance

According to the Ponemon Institute, approximately 94% of medical institutions claim their organizations have been victim to a cyber attack [III]. Today, with the push to digitize health records, along with the new Healthcare.gov regulations and more and more electronic protected health information (ePHI) being exchanged online, cyber attack is on the rise and so is the need to be protected from these attacks.

According to Fujitsu’s security arm, PFU Systems, internal network threats and targeted attacks represent the greatest threat to the security [IV] of health provider networks and patient record security. In the month of April 2014 alone, three major breaches occurred at healthcare organizations, accounting for nearly 1.1 million records lost.

I www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924

II www.privacyandsecuritymatters.com/2011/01/arizona-hospital-workers-fired-for-inappropriately-accessing-shooting-victim-records

III www.healthcareitnews.com/news/healthcare-data-breaches-trend-upward-come-potential-7b-price-tag

IV www.infosecurity-magazine.com/news/healthcare-under-siege-insider


The thread in common through each breach was the role of insiders, both malicious and non-malicious, in triggering the incidents [V]. Numbers from Health and Human Services (HHS) show that more than 60 percent of breaches reported to HHS in response to HIPAA mandates occur due to the loss or theft of portable devices, i.e. laptops, smartphones, external drives, etc. [VI]. Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS), states that, “the problem lies in the HHS numbers telling only part of the story.” Gallagher goes on to say, “the numbers give little indication as to how many of those missing drives are gone due to coordinated theft by data thieves out to mine that data for fraudulent purposes, and how many fell off the back of a truck.”

Faced with the rising threat of insider breach, organizations required to maintain HIPAA compliance face a plethora of rigorous security requirements that have proven to be a continual obstacle with increasing costs for the IT departments at these firms. IT departments are typically not staffed appropriately to manage the processes necessary to maintain compliance, nor are they given the budget for the staff or investment in software solutions.

According to a 2013 publication from the Ponemon Institute [VII], the average cost of a US data breach in 2012, for breaches of between 1,000 and 100,000 compromised records, was $188 per record across all industries and $233 per record for healthcare entities. The average size of a breach in their study was 28,765 records. This gives an average data breach cost of $5,407,820 across all industries and $6,702,245 for healthcare. There is also the damage to organizational reputation, which carries a long term, less clearly defined monetary cost, and do not forget the employee, or CEO, who loses his or her job.

According to InformationWeek’s 2014 Strategic Security Survey [VIII]:

• 75% say their organizations are as or more vulnerable to malicious code attacks and security breaches compared with a year ago. And, in the face of a crushing skills shortage, 40% subsist on no more than 5% of the IT budget.

• “Managing the complexity of security” reclaimed the No. 1 spot among 10 challenges facing the respondents to the security survey, all from organizations with 100 or more employees.

• 58% see an infected personal device connecting to the corporate network as a top endpoint security concern, making it the No. 1 response, ahead of phishing and lost devices.

• 56% say cyber-criminals pose the greatest threat to their organizations this year, the top answer, ahead of authorized users and employees at 49%.

• 23% have experienced a security breach or espionage in the past year.

V www.darkreading.com/vulnerabilities---threats/healthcare-unable-to-keep-up-with-insider-threats/d/d-id/1137610

VI www.darkreading.com/vulnerabilities---threats/healthcare-unable-to-keep-up-with-insider-threats/d/d-id/1137610

VII www.ponemon.org

VIII www.reports.informationweek.com/abstract/21/12509/Security/Research:-2014-Strategic-Security-Survey.html (To download report, registration is required)

THE AVERAGE DATA BREACH COST ACROSS ALL INDUSTRIES EXCEPT HEALTHCARE: $5,407,820

THE AVERAGE COST FOR HEALTHCARE: $6,702,245


What You Can and Need to Do About It Today: Deter, Detect, Mitigate

Many organizations are opting to simply pay the fines for non-compliance, as it seems easier and possibly cheaper than installing the infrastructure and procedures to maintain compliance. With the ever changing nature of the threat itself, IT departments have had a hard time identifying the right solution to meet their needs and securing budget for the investment. How do you monetize a solution to your HIPAA compliance challenge when the threat itself is invisible and unpredictable? It is easy to understand why many firms have hesitated to choose and invest in a security compliance solution. But hoping that you won’t get breached and planning to just pay fines for non-compliance is not a wise choice, because in today’s world of rampant cyber crime it may not be a matter of if, but when. Organizations that continue to keep their heads buried in the sand are due for a rude awakening, and the damage of a breach reaches far beyond simple, albeit significant, fines. The good news for the CSO and IT departments is that security solutions today have made strides in keeping up with current insider threats. New tools reach beyond traditional Data Loss Prevention (DLP), so that you are not only monitoring for data loss but also for user behavior that misuses or abuses technology as users access the organization’s network. Today you can protect your organization; the better choice is to invest in a strategy to deter, detect and mitigate the insider threat to your organization.

Percentage of Insider Abuse by Industry [IX]

[Figure: pie chart of insider abuse by role. Categories shown: Database Administrator, System Administrator, Network Engineer, IT Security Practitioner, IT Audit Practitioner, Data Center Operations, Application Developer, Cloud Custodian, Other. Values shown: 20%, 16%, 16%, 12%, 10%, 8%, 7%, 6%, 5%; the extracted text does not preserve which value belongs to which category.]

IX Ponemon Institute, December 2011


SureView® Insider Threat HIPAA Compliance Solution

Raytheon has partnered with leaders in HIPAA compliance law to develop a unique policy pack to address the requirements for maintaining compliance. The result is the SureView® Insider Threat HIPAA policy pack, which makes it possible for employers to trust their employees through verification and monitoring. SureView® Insider Threat serves as a formidable deterrent to any individual that may pose a threat to HIPAA compliance or be capable of other damaging acts. With SureView® Insider Threat, your company’s security posture is strong and will benefit from:

1. Deterrence - with SureView® Insider Threat in place the insider threat will know their actions are being watched and may not take the risk of being caught

2. Detection - SureView® Insider Threat real-time threat monitoring alerts personnel with timely reporting and evidence review

3. Mitigation - SureView® Insider Threat supports quick remediation and appropriate handling of data breaches

The Homeland scenario, while a feasible situation, is pretty sensational. Therefore, let us look at a case straight from the headlines to better understand SureView® Insider Threat’s role in mitigating insider threat. In the aforementioned case at the South Carolina Department of Health and Human Services, employee Christopher Lykes had an opportunity to commit a crime for financial gain. He knew that he had easy access to a buyer out there for patient records. All he had to do was secure these records unnoticed. In January 2013, Lykes compiled the data into a spreadsheet and emailed it to his personal email address and at least one other entity. Not until the following April was the breach discovered, during an audit. Lykes was fired the next day and currently faces up to 25 years in prison for his crime [X]. Had a monitoring system such as SureView® Insider Threat been in place, Lykes may have been caught well before the actual theft occurred. SureView® Insider Threat captures human behaviors such as policy violations, compliance incidents or other endpoint activity that serve as warning signs leading up to a breach. The solution provides organizations with the details, insight and context in the form of a DVR-like video replay to immediately view the evidence and assess the severity of the threat. It is possible that with SureView® Insider Threat Christopher Lykes’ behavior leading up to the theft would have raised a red flag with system administrators and the threat could have been detected before any damage was done. Lykes would have been thoroughly investigated in a timely manner and the crime would have been prevented, preserving the privacy of personal information for thousands of individuals.

Raytheon’s SureView® Insider Threat integrated solution can help you monitor your entire enterprise ecosystem and ensure your organization’s HIPAA compliance without disrupting business continuity. SureView® Insider Threat protects against insider threat by providing the tools and context to differentiate malicious from benign actions that can be reviewed and understood by non-technical personnel—all while respecting employee privacy guidelines.

X www.postandcourier.com/article/20120420/PC16/120429945

SureView® Insider Threat is a powerful endpoint audit and investigation solution that detects violations of communication and provides DVR-like incident replay.


SureView® Insider Threat helps organizations collect, retain and review terabytes of audit trail log data from workstations to support HIPAA data, access, and configuration monitoring controls. The SureView® Insider Threat HIPAA policy pack includes the following policies:

• User Logons: HIPAA requirements state that user access to system resources be recorded and monitored for possible abuse.

• User Logoffs: HIPAA requirements state that user access to systems be recorded and monitored for possible abuse.

• Logon Failures: The security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.

• Audit Logs Access: HIPAA requirements call for procedures to regularly review records of information system activity such as audit logs.

• Object Access: Identify when a given object (file, directory, etc.) is accessed, the type of access (e.g. read, write, delete) and whether or not access was successful/failed, and who performed the action.

• System Events: Identify local system processes such as system startup and shutdown and changes to the system time or audit log.

• Host Session Status: Indicates that someone reconnected to a disconnected terminal server session. (This is only generated on a machine with terminal services running.)

• Security Log Archiving Utility: Periodically, the system administrator will be able to back up encrypted copies of the log data and restart the logs.

• Monitor Account Management Changes: Changes in security configurations, such as adding or removing an administrative access to a user.

• Monitor User Group Changes: Tracking event logs for changes in the security configuration settings such as adding or removing a global or local group, adding or removing members from a global or local group, etc.

• Monitor Audit Policy Changes: SureView® Insider Threat lets organizations monitor event logs for changes in the security audit policy.

• Successful User Account Validation: Identifies successful user account logon events, which are generated when a domain user account is authenticated on a domain controller.

• Unsuccessful User Account Validation: Identifies unsuccessful user account logon events, which are generated when a domain user account is authenticated on a domain controller.

• Monitor Individual User Actions: SureView® Insider Threat lets organizations audit user activity.

• Monitor Application Access: SureView® Insider Threat lets organizations track application access.

• Posting or Transmission of Data: SureView® Insider Threat can monitor users’ behaviors and detect in real time when certain patient data is posted to a website or sent via end-user messaging technologies (e.g. chat, instant messaging, SMS, e-mail).
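Most of the policies above (logons, logoffs, logon failures, object access, account management, group and audit policy changes, host session status) are audit categories that a reviewer reads out of workstation and domain controller event logs. As an added illustration of what that review looks like in code, here is a small Python script written for this page, not SureView code, that classifies Windows Security events into the policy names listed above and surfaces the findings a HIPAA audit reviewer would want first: repeated logon failures, account and group changes, and audit-policy tampering. The key=value log line format, every record in SAMPLE_LOG, and the mapping of Windows event IDs to policy names are the author's own assumptions for illustration; the mapping is not the product's configuration.

```python
"""Classify constructed Windows Security events into HIPAA policy-pack
categories and surface the patterns an audit reviewer cares about.

Added example, not SureView code. The event-ID-to-policy mapping below is an
assumption used for illustration, as is the 'timestamp key=value' line format.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed mapping of Windows Security event IDs to the policy-pack categories.
EVENT_POLICY = {
    4624: "User Logons",
    4634: "User Logoffs",
    4625: "Logon Failures",
    4663: "Object Access",
    4608: "System Events",                       # Windows starting up
    4609: "System Events",                       # Windows shutting down
    4616: "System Events",                       # system time changed
    1102: "Audit Logs Access",                   # security log cleared
    4778: "Host Session Status",                 # session reconnected
    4720: "Monitor Account Management Changes",  # user account created
    4726: "Monitor Account Management Changes",  # user account deleted
    4728: "Monitor User Group Changes",          # member added to global group
    4732: "Monitor User Group Changes",          # member added to local group
    4719: "Monitor Audit Policy Changes",
    4776: "User Account Validation",             # refined by status field below
}
PRIVILEGE_EVENTS = {4720, 4726, 4728, 4732}
TAMPER_EVENTS = {4719, 1102}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Event:
    ts: str
    event_id: int
    fields: dict


def parse_line(line):
    """Parse one constructed 'timestamp key=value ...' record; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    if not fields.get("id", "").isdigit():
        return None
    return Event(m.group("ts"), int(fields["id"]), fields)


def review(log_text, failure_threshold=3):
    """Bucket events by policy category and pull out the reviewer-facing findings."""
    by_policy = Counter()
    failures = Counter()
    privilege_changes, audit_tampering = [], []
    unmapped = 0
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        policy = EVENT_POLICY.get(ev.event_id)
        if policy is None:
            unmapped += 1          # counted so gaps in the mapping stay visible
            continue
        if ev.event_id == 4776:    # credential validation: split on outcome
            ok = ev.fields.get("status", "0x0") == "0x0"
            policy = ("Successful" if ok else "Unsuccessful") + " User Account Validation"
        by_policy[policy] += 1
        if ev.event_id == 4625:
            failures[ev.fields.get("user", "?")] += 1
        elif ev.event_id in PRIVILEGE_EVENTS:
            privilege_changes.append((ev.ts, ev.fields.get("actor"), ev.event_id, ev.fields.get("user")))
        elif ev.event_id in TAMPER_EVENTS:
            audit_tampering.append((ev.ts, ev.fields.get("actor"), ev.event_id))
    return {
        "by_policy": dict(by_policy),
        "brute_force": sorted(u for u, n in failures.items() if n >= failure_threshold),
        "privilege_changes": privilege_changes,
        "audit_tampering": audit_tampering,
        "unmapped": unmapped,
    }


# Constructed sample records (not real logs).
SAMPLE_LOG = """\
2015-02-10T08:02:11Z host=WS-07 id=4624 user=jdoe src=10.1.4.22
2015-02-10T08:40:03Z host=WS-07 id=4663 user=jdoe object="C:\\PHI\\claims_2014.xlsx" access=ReadData
2015-02-10T12:15:44Z host=WS-07 id=4634 user=jdoe
2015-02-10T22:01:05Z host=WS-12 id=4625 user=svc_backup src=10.1.9.3 status=0xC000006A
2015-02-10T22:01:06Z host=DC-01 id=4776 user=svc_backup status=0xC000006A
2015-02-10T22:01:09Z host=WS-12 id=4625 user=svc_backup src=10.1.9.3 status=0xC000006A
2015-02-10T22:01:14Z host=WS-12 id=4625 user=svc_backup src=10.1.9.3 status=0xC000006A
2015-02-10T22:03:30Z host=WS-12 id=4778 user=svc_backup src=10.1.9.3
2015-02-11T03:12:00Z host=DC-01 id=4720 actor=tadmin user=tempcontractor
2015-02-11T03:12:41Z host=DC-01 id=4732 actor=tadmin group=Administrators user=tempcontractor
2015-02-11T03:14:02Z host=DC-01 id=4719 actor=tadmin category="Object Access" change=Disabled
2015-02-11T03:14:30Z host=DC-01 id=1102 actor=tadmin
2015-02-11T03:15:00Z host=DC-01 id=9999 actor=tadmin
"""

if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    for policy, n in sorted(report["by_policy"].items()):
        print(f"{n:3d}  {policy}")
    print("repeated logon failures:", report["brute_force"])
    print("privilege changes:", report["privilege_changes"])
    print("audit tampering:", report["audit_tampering"])
    print("unmapped events:", report["unmapped"])
```

The script keeps a count of events whose ID is not in the mapping rather than silently dropping them; on a real deployment that count is the first thing to check, because an unmapped category is an audit gap, not a quiet day. The constructed sample also shows why account management and audit policy changes are grouped together for review: a new account, its addition to a privileged group, an audit category being disabled and the log being cleared within three minutes is a sequence that should be read as one story.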

Raytheon’s SureView® Insider Threat helps organizations limit exposure to insider threat and breach by helping organizations automate current manual procedures and increase preventative measures. SureView® Insider Threat’s powerful reporting also streamlines audits, providing needed information in a few minutes instead of hours or days.

SureView® Insider Threat comes out of the box to assist organizations with various elements of their compliance requirements and can be further tuned to uniquely address risk imposed by endpoint users and devices.


Conclusion

It may be hard to nail down an exact return on investment (ROI) for a security compliance solution, but, as past events have proven, it is worth the investment. Not only could past breaches have been detected and the damage they incurred avoided with a security compliance solution in place, but with insider threat and data theft on the rise overall, these systems are becoming an invaluable component of a healthcare organization’s security posture.

First, the avoidance of regulatory penalties and costs of data breaches is significant. Fines of up to $1.5 million per instance (see Table 2 - Violations for Non-Compliance) can be enforced by the Office for Civil Rights, and data breaches costing an average of $188 per record can add up quickly. A key factor that reduces the cost of a data breach is timely identification and reporting of incidents, allowing the organization to act quickly and reduce the chance of breaches going undetected for extended periods of time. SureView® Insider Threat assists organizations with the implementation of high level, automated, internal and external security threat monitoring processes, including real-time identification and evidence gathering. These tools reduce remediation time and in turn reduce the impact and cost of any breach that does occur.

Next, SureView® Insider Threat is easy to use and simplifies the audit process through user-friendly report generation tools. What once took weeks now only takes minutes when it comes to preparing for audit. When time is money, this represents significant savings associated with audit and reporting activity.

Lastly, it is important to note that ROI is tied to much more than fines, no matter how high they may be. The damage that a malicious insider can inflict goes way beyond HIPAA compliance violations and associated fines. Damage to an organization’s reputation, the reputation of their employees and products, can lead to long term financial loss that might not be possible to recover from. Your investment in an insider threat monitoring solution will be worth its weight in gold when it serves to prevent this level of damage and save the reputation of the organization.

About HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by Bill Clinton in 1996. Title II of the act helped to establish national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. To fulfill this requirement, the Department of Health and Human Services published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities.


Accountability Principle

The Principles in the Privacy and Security Framework should be implemented, and adherence assured, through appropriate monitoring, and other means and methods should be in place to report and mitigate non-adherence and breaches.

The Privacy Rule’s administrative requirements provide a management, accountability, and oversight structure for covered entities to ensure that proper safeguards and policies and procedures are in place for PHI. See 45 C.F.R. § 164.530. The Privacy Rule provides covered entities’ considerable flexibility, however, to develop and implement policies and procedures which are appropriate and scalable to their own environment. This flexibility allows covered entities that will be engaging in electronic health information exchange to or through a health information organization (HIO) to consider how best to comply with the Privacy Rule’s administrative standards.

Safeguards Principle

Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.

The Safeguards Principle emphasizes that trust in electronic health information exchange can only be achieved if reasonable administrative, technical, and physical safeguards are in place. The HIPAA Privacy Rule supports the Safeguards Principle by requiring covered entities to implement appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI).


INDEX

Table 1 - Citation Requirements

Citation | Citation Requirements | SureView® Insider Threat Policy Description

164.308(a)(3)(ii)(A) Establish and maintain an identification, authentication, and access rights management plan.

Policies partially meet the requirements by monitoring certain file access.

164.308(a)(4)(ii)(B) Maintain control over access rights and user privileges.

Policies partially meet the requirements by monitoring local, group and file security permissions.

164.308(a)(5)(ii)(C) Establish and maintain procedures to identify and log the different types of events.

The very nature of the system assists with the overall standard. Customization may be required to meet the specific logging requirements of organizations.

164.308(a)(6)(i) Establish and maintain a process to manage the incident response framework.

Policies around the exfiltration, clipboard, postings, etc., all assist with incident identification and data evidence requirements, which partially assist with an incident response framework.

164.308(a)(6)(ii) Establish and maintain intrusion detection, incident monitoring and Incident Response capabilities.

Policies around the exfiltration, clipboard, postings, etc., all assist with incident identification and data evidence requirements, which partially assist with an incident response framework.

164.308(a)(8) Ensure a System Security Plan exists and the system operates according to the System Security Plan.

The configuration and implementation of SureView® Insider Threat assists with implementing the Organization’s System Security Plan.

164.308(b)(2) Define a policy for the conditions under which personal data or Personally Identifiable Information may be disclosed by an organization that is providing health care services, other than to business associates or other Covered Entities.

The monitoring of how PHI information is read, posted, sent etc. assists with this requirement.

164.312(b) Establish and maintain logging and monitoring operations.

The configuration and implementation of SureView® Insider Threat assists with implementing the Organization’s System Security Plan.

164.312(c)(1) Establish and maintain an internal control framework.

The configuration and implementation of SureView® Insider Threat assists with implementing the Organization’s System Security Plan.

164.312(c)(2) Implement file integrity monitoring to detect unauthorized modifications.

Policies partially assist with identifying file/policy changes, record of change and data retention of those changes.

164.312(e)(1) Establish and maintain information flow policies inside the system and between interconnected systems.

The configuration and implementation of the regex rules on certain types of data and certain communication types partially assists with this requirement.

164.312(e)(2)(i) Establish and maintain information flow and information exchange policies and procedures.

The configuration and implementation of the regex rules on certain types of data and certain communication types partially assists with this requirement.

164.312(e)(2)(ii) Enable encryption of a protected distributed system if sending restricted data or restricted information.

Monitoring regex rules for sensitive data helps identify areas where policies are not adhered to.

164.410(a)(2) Determine whether or not incident response notifications are necessary during the breach investigation.

Monitoring of data types and related transactions helps determine the date that data breaches occurred.

164.410(b) Notify affected individuals of privacy breaches in a timely way.

Monitoring of data types and related transactions helps determine which persons were affected and assists in the notification to those individuals.

164.414(b) Notify affected parties of the privacy breach that affects their information.

Monitoring of data types and related transactions helps determine which persons were affected and assists in the notification to those individuals.

164.504(e)(2)(ii)(G) Provide accounting of disclosures (audit trails) for all pertinent records.

Logging of transactions partially assists in meeting this requirement.


Table 1 - Citation Requirements (continued)

Citation | Citation Requirements | SureView® Insider Threat Policy Description

164.514(d)(1) Establish and maintain data handling policies and procedures to implement privacy-related security safeguards.

Logging of PHI transaction types partially assists in meeting this requirement.

164.514(d)(2)(i)(A) and (B) Establish and maintain a security access classification scheme that limits access to confidential data or restricted information to only individuals who need access.

The monitoring of access permissions and changes to these partially assists in meeting this requirement.

164.514(d)(2)(ii) Maintain control over access rights and user privileges.

The monitoring of access permissions and changes to these partially assists in meeting this requirement.

164.514(d)(3)(i) Define a policy for the conditions under which personal data or Personally Identifiable Information may be disclosed by an organization that is providing health care services, other than to business associates or other Covered Entities.

The monitoring of how PHI information is read, posted, sent etc. assists with this requirement.

164.514(d)(3)(ii)(A) Establish and maintain procedures that define privacy-related data use limitations.

Monitoring of PHI data use partially helps meet this requirement.

164.530(c)(2)(ii) Develop organizational measures to limit data leakage.

The configuration and implementation of the regex rules on certain types of data and certain communication types partially assists with this requirement.

164.530(f) Develop organizational measures to limit data leakage.

The configuration and implementation of the regex rules on certain types of data and certain communication types partially assists with this requirement.

164.530(i)(1) Establish and maintain a set of key policies, standards, and procedures to support confidentiality, integrity, availability, and accountability.

The configuration and implementation of the regex rules partially assist with meeting the confidentiality part of this requirement.

164.530(i)(2)(i) Implement and comply with all policies, standards, and procedures.

The configuration and implementation of the regex rules on certain types of data and certain communication types partially assists with the deployment of procedures to meet this requirement.

160.310(a) Log and report to management the periodic reviews of compliance checklists and audit reports.

The configuration, implementation and reporting of SureView® Insider Threat policies partially assist with meeting this requirement.
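Several rows of Table 1 (164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.530(c)(2)(ii), 164.530(f), 164.530(i)) rest on the same mechanism, "regex rules on certain types of data and certain communication types", and the "Posting or Transmission of Data" policy in the policy-pack list describes the same thing from the user's side: match identifier patterns in an outbound message, then weigh the match by the channel it travels over and by where it is going. The Python below is an added example written for this page to show how such a content rule is built and tuned; it is not SureView code. The identifier formats (a hypothetical MRN-nnnnnnn medical record number, the standard 3-2-4 SSN form, a labelled DOB field), the channel weights, the INTERNAL_DOMAINS set and every message in SAMPLE_MESSAGES are constructed for illustration.

```python
"""Content rule for PHI in outbound messages: regex matching weighted by channel
and by whether the recipient is outside the organization.

Added example, not SureView code. Patterns, channel weights, domains and sample
messages are all constructed for illustration.
"""
import re
from dataclasses import dataclass

INTERNAL_DOMAINS = {"hospital.example"}   # constructed: recipients here are in-house

# Regexes for the data types this rule looks for.
# ssn: the standard 3-2-4 form, rejecting area 000/666/9xx, group 00 and serial
#      0000, so placeholder values like 000-12-3456 do not raise an alert.
# mrn: hypothetical medical record number format, "MRN-" plus seven digits.
# dob: a labelled date of birth.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{7}\b"),
    "dob": re.compile(r"\bDOB[: ]+\d{2}/\d{2}/\d{4}\b"),
}

# Constructed channel weights: a web posting is a wider disclosure than an e-mail.
CHANNEL_WEIGHT = {"email": 1, "chat": 2, "sms": 2, "web_post": 3}
EXTERNAL_MULTIPLIER = 3   # leaving the organization weighs more than moving inside it


@dataclass
class Message:
    user: str
    channel: str
    recipient: str   # e-mail address, chat handle or web host
    body: str


@dataclass
class Finding:
    user: str
    channel: str
    external: bool
    matches: dict    # data type -> sorted distinct identifiers found
    score: int
    severity: str


def is_external(recipient):
    """Treat the part after '@' (or the whole value, for a bare host) as the domain."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def evaluate(msg):
    """Return a Finding when PHI patterns appear in the body, else None."""
    matches = {name: sorted(set(rx.findall(msg.body))) for name, rx in PATTERNS.items()}
    matches = {name: ids for name, ids in matches.items() if ids}
    if not matches:
        return None
    identifiers = sum(len(ids) for ids in matches.values())   # distinct identifiers, not hits
    external = is_external(msg.recipient)
    score = identifiers * CHANNEL_WEIGHT.get(msg.channel, 1) * (EXTERNAL_MULTIPLIER if external else 1)
    severity = "high" if score >= 9 else "medium" if score >= 3 else "low"
    return Finding(msg.user, msg.channel, external, matches, score, severity)


def scan(messages):
    """Run the rule over a batch of messages and keep only the hits."""
    return [f for f in map(evaluate, messages) if f is not None]


# Constructed sample traffic (no real people or records).
SAMPLE_MESSAGES = [
    Message("nurse_k", "email", "dr.patel@hospital.example",
            "Chart for MRN-0041337 needs a signature before discharge."),
    Message("clerk_r", "email", "clerk.r.home@mail.example",
            "Backup of Q4 claims: 321-54-9876 MRN-0041337, 415-22-1234 MRN-0098811, "
            "503-77-4545 MRN-0012345"),
    Message("analyst_j", "web_post", "paste.example",
            "debug dump: patient 210-33-8877 DOB: 04/12/1961"),
    Message("it_ops", "chat", "helpdesk@hospital.example",
            "Ticket 4471 closed, printer on floor 3 is back."),
    Message("billing_m", "email", "qa@hospital.example",
            "Test record uses 000-12-3456, which is not a valid SSN."),
    Message("resident_t", "chat", "dr.lee@hospital.example",
            "Can you confirm MRN-0077001 is the same patient as 321-54-9876?"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_MESSAGES):
        where = "external" if f.external else "internal"
        print(f"[{f.severity:<6}] {f.user} via {f.channel} ({where}) score={f.score} {f.matches}")
```

The scoring deliberately separates three questions that a single "found an SSN" rule collapses: how many distinct records are involved, which channel carries them, and whether they leave the organization. A single MRN in an internal e-mail between clinicians is ordinary workflow and scores low; the same identifiers bulk-mailed to a personal address, the pattern in the South Carolina case the paper discusses, scores high on count and destination alone. The negative lookaheads in the SSN pattern are what keep placeholder values out of the alert queue, which matters as much as catching real ones: a rule that fires on test data is tuned off within a week.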


Table 2 - Violations for Non-Compliance

HIPAA Violation: Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
Minimum Penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation)
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

HIPAA Violation: HIPAA violation due to reasonable cause and not due to willful neglect
Minimum Penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

HIPAA Violation: HIPAA violation due to willful neglect but violation is corrected within the required time period
Minimum Penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

HIPAA Violation: HIPAA violation is due to willful neglect and is not corrected
Minimum Penalty: $50,000 per violation, with an annual maximum of $1.5 million
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

Table 3 - HIPAA Violation Penalties

Violation | Penalty | Max per Calendar Year
Did Not Know | $100 - $50,000 | $1,500,000
Reasonable Cause | $1,000 - $50,000 | $1,500,000
Willful Neglect (Corrected) | $10,000 - $50,000 | $1,500,000
Willful Neglect (Not Corrected) | $50,000 | $1,500,000

A CE or BA may be liable for multiple violations of multiple requirements, and a violation of each requirement may be counted separately.

A CE or BA may be subject to multiple violations of up to a $1.5 million cap for each violation, which would result in a total penalty above $1.5 million.