Red7 Medical Identity Security and Data Protection
Growth of medical identity theft, protection requirements, and information security organization

  • Bio: Robert Grupe is an experienced international business leader with a background in engineering, sales, marketing, PR, and product support in the software, digital marketing, health care, electro-optic and aerospace industries. From Fortune 100 to start-up companies, Robert has worked for industry leaders including Boeing, McAfee, Text 100 PR, and Express Scripts. Management experience includes working with and leading local, as well as internationally distributed, teams while implementing best practices to maximize organizational and market performance. Robert holds the Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), Professional Engineer (PE), and Project Management Professional (PMP) credentials.
  • References
    • Your Medical Records Could be Sold on the Black Market, NBC Bay Area News, June 19, 2013. http://www.nbcbayarea.com/news/local/Medical-Records-Could-Be-Sold-on-Black-Market-212040241.html
    • Nationwide newsroom, Medical ID Theft (June 13, 2012). http://www.nationwide.com/newsroom/061312-MedicalIDTheft.js

Red7 Medical Identity Security and Data Protection Presentation Transcript

  • 1. Patient Medical Identity & Data Protection Security
    Robert Grupe, CISSP, CSSLP, PE, PMP
    Red7 :|: Information Security
    Tags: medical identity, patient data, data protection
    © Copyright 2014-01 Robert Grupe. All rights reserved.
  • 2. Agenda
    • US Medical Identity Theft and Data Breaches
    • HIPAA 2013 Omnibus Final Rule Updates
    • Recommendations
  • 3. US Medical Identity Theft and Data Breaches (section title)
  • 4. US Data Breaches
    • Top industries by cost per breached record
      • 1. Healthcare: $233
      • 2. Finance: $215
      • 3. Pharmaceutical: $207
    • Top causes
      • 41% malicious attack
      • 33% human factor
      • 26% system glitch
    • Source: 2013 Cost of Data Breach Study: Global Analysis, Ponemon Institute
  • 5. US Healthcare Data Breaches
    • 94% of health-care organizations have been hit by at least one data breach; 45% had more than five breaches in the past two years
    • $2.4 million estimated average cost over 2 years; $10,000 to $1+ million per incident
    • 2,796 records lost per breach on average
    • 47% of breaches detected by employees; 52% discovered by audits
    • Black market data value: $50 per medical record (SSNs go for about $1 each)
    • Criminal misuse: overseas call centers ordering medical equipment and drugs
    • Source: Ponemon Institute's Third Annual Benchmark Study on Patient Privacy & Data Security, Dec 2012
  • 6. US Medical Identity Theft
    • 1.8 million US victims in 2013, up 19%+ over 2012
    • Causes
      • 30% member shared identification with a friend or family member
      • 28% acquaintance or family member stole it
      • 8% provided in response to phishing
      • 7% provider or insurer data breach
      • 5% healthcare worker
    • Criminal misuses
      • 63% treatments
      • 60% prescriptions and equipment
      • 51% obtaining government benefits
      • 12% credit card account applications
    • Difficulty detecting: 56% of patients don't check their records for accuracy
    • Source: 2013 Survey on Medical Identity Theft, Ponemon Institute
  • 7. Consequences
    • "Medical identity theft is being called the fastest growing type of fraud. This contributes to rising cost in health care. Unlike financial identity theft, medical identity theft holds life-threatening impacts. For example, if you are rushed to the ER with appendicitis but your records already show your appendix removed, the consequences can be dangerous."
    • Robin Slade, Development Coordinator, Medical Identity Fraud Alliance
  • 8. Patient Harm
    • 50% of victims unaware that the theft creates inaccuracies in their medical records
    • Medical harm: 15% misdiagnosis, 14% treatment delays, 13% mistreatment, 11% wrong prescription
    • Financial harm: 23% credit rating, 20% financial identity theft (credit card, banking), 17% legal fees; loss of coverage, cost to restore, out-of-pocket costs, increased premiums
    • 6% employment difficulties
    • 58% of victims lost trust in their providers
  • 9. Enterprise Consequences
    • Member, client, provider communications
    • Member online security monitoring and restoration services
    • Response and reputation crisis management
    • Loss of business
    • Lawsuits: members, customers, investors
  • 10. HIPAA Breach Notifications (chart slide; no text in transcript)
  • 11. HIPAA 2013 Omnibus Final Rule Updates (section title)
  • 12. HIPAA 2013 Omnibus Final Rule Updates
    • Makes Business Associates of Covered Entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements
    • Requires modifications to, and redistribution of, a Covered Entity's notice of privacy practices
    • Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act
    • Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's "harm" threshold
    • Violation penalties (per violation, by culpability tier)
      • (A) Did not know (with reasonable diligence): $100+
      • (B) Reasonable cause: $1,000+
      • (C)(i) Willful neglect, corrected: $10,000+
      • (C)(ii) Willful neglect, not corrected: $50,000
    • Sources: HHS Omnibus Rule, http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/index.html; http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php
  • 13. Recommendations (section title)
  • 14. Master the Basics
    • Keep software patched and maintained
    • Install anti-virus and application IDS everywhere (yes: Mac OS, iOS, Linux, and Android too)
    • Strong credential management: strong passwords and password-management policies
    • Network mapping: sites, gateways, routers, devices, then directory details for all devices
  • 15. Risk Assessment
    • Know which security laws and regulations affect your organization
      • Health care: HIPAA, state laws
      • Financial: PCI, etc.
      • Personal data: state laws, EU
      • Other
    • Map your external applications' PHI flows
      • Workflows
      • Reference lookups
      • Data backups
  • 16. Document Your Policies & Processes
    • If it isn't documented, it doesn't exist
    • Use an industry-recognized framework, e.g. ISO/IEC 27001:2005
    • Living document: continual detailing and updating
      • Don't try to write it all at once: keep the framework's section numbers, but draft and publish only the sections that are active
    • Identify information security best practices as the reference for minimum acceptable security
      • Industry (e.g. HIPAA, HITRUST, ARRA), state (Mass.), third party (e.g. PCI and COBIT), government (e.g. NIST, FTC and CMS), appdev (e.g. OWASP)
    • Application regression test scripts that validate every policy rule
    • A responsible program manager to
      • prioritize critical success factors and initiatives
      • ensure document maintenance
      • champion process improvements
      • oversee system/application/services updates
      • ensure compliance validation
      • provide status reporting
  • 17. Well Begun Is Half Done
    • Don't procrastinate: start right now, with a quick brainstormed list
    • Continuous process improvement: what doesn't get measured doesn't get done
    • Regular risk assessment of privacy controls and processes
    • Security technology isn't the (whole) solution
    • Vulnerability assessment utilities to detect security policy and process vulnerabilities, e.g.
      • Social engineering vulnerabilities
      • Insider data access
      • User validation
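The "regression test scripts for policy rules" of slide 16 and the "insider data access" check of slide 17 can be one and the same script. What follows is an added example, not code from the Red7 deck or from any product it mentions: it encodes one assumed access-control rule (a workforce member may view a patient's record only with a treatment relationship, or under break-glass access with a recorded reason) and runs it over a constructed EHR audit-log extract. The care-team roster, user IDs, patient IDs, CSV column names and log lines are all made up for illustration.

```python
from __future__ import annotations
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed roster for illustration: patient ID -> users with a treatment
# relationship. A patient missing from the roster has an empty care team,
# so every non-break-glass access to that record is flagged.
CARE_TEAM = {
    "P1001": {"drlee", "rn_park"},
    "P1002": {"drlee"},
    "P1003": {"dr_ortiz", "rn_park"},
}

# Constructed audit-log extract (CSV), in the shape EHR audit exports commonly take.
SAMPLE_AUDIT_LOG = """\
timestamp,user,patient,action,break_glass,reason
2014-01-07T08:02:11,drlee,P1001,view,no,
2014-01-07T08:05:40,rn_park,P1001,view,no,
2014-01-07T09:17:03,billing_amy,P1002,view,no,
2014-01-07T11:44:59,dr_ortiz,P1002,view,yes,ER consult; patient unresponsive
2014-01-07T12:01:15,helpdesk_tom,P1003,view,yes,
2014-01-07T13:22:48,rn_park,P1003,view,no,
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    patient: str
    rule: str  # which documented rule the event tripped


def parse_audit_log(text: str) -> list[dict[str, str]]:
    """Parse the CSV export into one dict per access event."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_phi_access(log_text: str, care_team: dict[str, set[str]]
                     ) -> tuple[list[Finding], list[Finding]]:
    """Apply the (assumed) access rule to every event in the log.

    Returns (violations, reviews). Violations break the rule outright;
    reviews are break-glass accesses that were permitted but must still be
    looked at by the privacy officer. Routine views by the care team pass.
    """
    violations: list[Finding] = []
    reviews: list[Finding] = []
    for e in parse_audit_log(log_text):
        on_team = e["user"] in care_team.get(e["patient"], set())
        broke_glass = e["break_glass"].strip().lower() == "yes"
        reason = e["reason"].strip()
        if on_team:
            continue  # treatment relationship: allowed, nothing to report
        if broke_glass and reason:
            reviews.append(Finding(e["timestamp"], e["user"], e["patient"],
                                   "break-glass-review"))
        elif broke_glass:
            violations.append(Finding(e["timestamp"], e["user"], e["patient"],
                                      "break-glass-without-reason"))
        else:
            violations.append(Finding(e["timestamp"], e["user"], e["patient"],
                                      "no-treatment-relationship"))
    return violations, reviews


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule: the number tracked from one run to the next."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    v, r = audit_phi_access(SAMPLE_AUDIT_LOG, CARE_TEAM)
    for f in v:
        print("VIOLATION", f.timestamp, f.user, f.patient, f.rule)
    for f in r:
        print("REVIEW   ", f.timestamp, f.user, f.patient, f.rule)
    print(summarize(v))
```

On the sample log the script reports two violations (billing_amy viewing a record with no treatment relationship, helpdesk_tom invoking break-glass without a reason) and one permitted break-glass access for review; those are the insider-access cases slide 17 names, and the per-rule counts are what the program manager of slide 16 reports. Run it over each day's export, and add a test case whenever a rule is added or a real incident is reviewed, so the script becomes a regression suite for the written policy rather than a one-off query.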
  • 18. Finis
    • This presentation and further resources: www.red7managementsolutions.com
    • Questions, suggestions, and requests: Robert Grupe, CISSP, CSSLP, PE, PMP, robert.grupe@red7managementsolutions.com, +1.314.278.7901