© 2016 SecurityMetrics
HIPAA REALITY CHECK: THE GAP BETWEEN EXECS AND IT
Brand Barney, Security Analyst

ABOUT SECURITYMETRICS
• Helping organizations comply with mandates, avoid security breaches, and recover from data theft since 2000

HEALTHCARE STATUS

HIPAA STATUS DISPARITY
• 89% of C-Suite believe they are HIPAA compliant
• Only 67% of Compliance and Risk Officers believe they are HIPAA compliant

BELIEF VS. TRUTH
• Fantasy: Healthcare is doing well in HIPAA security
• Reality: Most healthcare organizations have vulnerabilities in their security and don’t realize it

COMPROMISE IS IMMINENT
• Criminal attacks in the healthcare industry have risen 125% since 2010*
• 80% of healthcare IT leaders say systems have been compromised* (Ponemon Institute)
*2015 KPMG Healthcare Cybersecurity Survey

HIPAA MISCONCEPTIONS

MYTH: FIREWALLS ARE ENOUGH
• Firewalls need to be updated
• Firewalls don’t take care of all security issues
  – Remote access software
  – Social engineering
  – Physical security

MYTH: HIPAA DOESN’T APPLY
• Many organizations think:
  – They are too small
  – Their organization doesn’t have PHI
  – Cloud-stored data is exempt
• HIPAA Security Rule applies to pretty much all healthcare entities

MYTH: IT & ATTORNEYS COVER US
• IT professionals need additional training for security
• Attorneys don’t have technical training

MYTH: MY DATA ISN’T VALUABLE
• Health data is more lucrative than credit cards on the black market
  – Credit card data sells for $1–2
  – PHI sells for $20–200
• Easy to replace credit cards, impossible to replace social security numbers

MYTH: BAs TAKE ALL LIABILITY
• There’s shared liability between businesses and business associates
• Business associates may have vulnerabilities that endanger your data

MYTH: WE’RE ALREADY SECURE
• HIPAA staff are mostly following the Privacy Rule, but not the Security Rule
  – Staff aren’t trained in security
  – PHI can be accessed everywhere!

MYTH: SOCIAL ENGINEERING
• Social engineering targets the weakest link: people!
• Doesn’t require technical talent
• Hard to recognize

WHY THE GAP?

TIME
• HIPAA will eat your time
  – Small organizations: 200 hours annually
  – Large organizations: 800+ hours annually
• Solutions:
  – Hire an outside security consultant
  – Baby steps (prioritize based on risk)

MONEY
• Staff time
• Purchases: security tools, policies, training, etc.
• Solutions:
  – Prioritize (#1 risk? What needs to be protected first?)
  – Work it into your budget
  – Get management support
  – HIPAA packages (training + policies + audit combo)

TRAINING
• Most staff don’t understand proper Security Rule practices
• Solutions:
  – Train monthly instead of annually
  – Send weekly security tip reminders
  – Incentives!

WHY THE GAP?

ANALYZE HIPAA RISKS
• Assess current controls
• Determine likelihood of occurrence
• Determine potential impact
• Determine level of risk
• Identify security measure/control/mitigation

DOCUMENT PHI FLOW
• Simple way to identify scope and start documentation
• Record all devices
• Interview departments
• Observe data flow

IDENTIFY & DOCUMENT SYSTEMS
• Examples:
  – Servers
  – Workstations
  – Networked medical devices
  – Laptops
  – Computers
  – Operating systems
  – Applications
  – Software
  – Mobile phones
  – EHR/EMR systems

RISK ANALYSIS TOOLS
• Vulnerability scans
  – Internal
  – External
• Penetration tests
• Nmap scanning
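The "Document PHI flow", "Identify & document systems" and "Risk analysis tools" slides together describe one loop: inventory the in-scope systems, scan them, and compare what answers on the network with what is documented. The script below is an added example, not SecurityMetrics' tooling: it parses Nmap's grepable (-oG) output and diffs it against a per-host baseline derived from the inventory, flagging listening services the inventory does not allow and hosts the inventory does not know about. The scan output, the addresses, the host names and the baseline are all constructed for the example.

```python
"""Compare an Nmap scan of in-scope PHI systems against the documented inventory.
Added example, not from the SecurityMetrics deck.  The scan text below is a
CONSTRUCTED sample in Nmap's grepable (-oG) format; the baseline mirrors what the
deck's "Document PHI flow" / "Identify & document systems" steps would produce."""
import re

# Constructed sample of what `nmap -oG - <targets>` prints for three hosts.
SAMPLE_OG = """\
# Nmap scan initiated (constructed sample)
Host: 10.20.1.10 (ehr-app01)\tStatus: Up
Host: 10.20.1.10 (ehr-app01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.20.1.11 (imaging-ws07)\tStatus: Up
Host: 10.20.1.11 (imaging-ws07)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (998)
Host: 10.20.1.250 ()\tStatus: Up
Host: 10.20.1.250 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

# Constructed baseline from the asset inventory: host -> allowed (port, proto).
# ehr-app01 is an SSH/HTTPS server; imaging-ws07 should expose nothing at all.
BASELINE = {
    "10.20.1.10": {(22, "tcp"), (443, "tcp")},
    "10.20.1.11": set(),
}

# One -oG port entry looks like  port/state/protocol/owner/service/rpcinfo/version/
_PORT_RE = re.compile(r"(\d+)/(open)/(\w+)//([^/]*)/")


def parse_grepable(text):
    """Return {ip: {(port, proto): service}} for every open port in -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment / summary lines
        # -oG separates fields with tabs: "Host: ...", "Ports: ...", "Ignored State: ..."
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split(" ", 1)[0]
        hosts.setdefault(ip, {})
        for port, _state, proto, service in _PORT_RE.findall(fields.get("Ports", "")):
            hosts[ip][(int(port), proto)] = service or "unknown"
    return hosts


def compare_to_baseline(scanned, baseline):
    """Two kinds of finding: a listening service the inventory does not allow on a
    documented host, and a host that answered but is missing from the inventory
    (an undocumented PHI system, or at least an unknown device on the PHI segment)."""
    findings = []
    for ip, ports in scanned.items():
        if ip not in baseline:
            findings.append(("undocumented-host", ip, sorted(ports)))
            continue
        for port, proto in sorted(set(ports) - baseline[ip]):
            findings.append(("unexpected-port", ip, (port, proto, ports[(port, proto)])))
    return findings


def report(text=SAMPLE_OG, baseline=BASELINE):
    return compare_to_baseline(parse_grepable(text), baseline)


if __name__ == "__main__":
    for kind, ip, detail in report():
        print(f"{kind:18} {ip:14} {detail}")
```

Each finding is a work item for the risk analysis: an unexpected remote-access service on the EHR server or an undocumented host on the PHI network is exactly the kind of gap the executives in the survey believe does not exist. Re-running the comparison after every inventory update keeps the documentation and the network in step.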
MINIMIZE RISKS

USE A HIPAA EXPERT
• DIY doesn’t work
• Experts make the process smoother
  – They’ve seen it all
  – Determine your scope
  – Prioritize risks
  – Create a Risk Management Plan

PLACE SOMEONE IN CHARGE
• Involve a trained security professional
  – Security is a separate discipline from IT

PRIORITIZE
• Address critical problems first
  – Depends on your individual environment
• Risk Analysis and Risk Management Plan will help determine these risks
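The five "Analyze HIPAA risks" steps (current controls, likelihood, impact, level of risk, mitigation) and the "Prioritize" slide above are one procedure: score each risk, rank, and treat the worst first. The register below is an added worked example of that procedure, not SecurityMetrics' method or any HHS-prescribed scale: the 1-5 likelihood and impact scales, the score cut-offs for the levels, the treatment threshold and the four register entries are all constructed assumptions for a small clinic. Likelihood is judged with the current control in place, and a planned mitigation is expressed as the likelihood expected once it is done, which gives a residual level to compare against.

```python
"""Risk register: score, level, and an ordered Risk Management Plan.
Added example for the deck's 'Analyze HIPAA risks' and 'Prioritize' slides; not
SecurityMetrics' method.  Scales, cut-offs and entries are constructed."""
from dataclasses import dataclass

# Qualitative 1-5 scales (assumption; any organisation would calibrate its own).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str                      # from the PHI-flow / system inventory
    threat: str
    current_control: str            # what is in place today ("none" is an answer)
    likelihood: str                 # LIKELIHOOD key, judged WITH the current control
    impact: str                     # IMPACT key
    mitigation: str = ""            # planned measure / control
    mitigated_likelihood: str = ""  # expected likelihood once the mitigation is done


def score(likelihood, impact):
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def level(s):
    """Map a 1-25 score onto a qualitative level (cut-offs are an assumption)."""
    if s >= 15:
        return "critical"
    if s >= 8:
        return "high"
    if s >= 4:
        return "medium"
    return "low"


def analyze(register):
    """Steps 2-4 of the deck for each entry: likelihood x impact -> level of risk,
    plus the residual level the planned mitigation is expected to leave."""
    rows = []
    for r in register:
        inherent = score(r.likelihood, r.impact)
        residual = score(r.mitigated_likelihood or r.likelihood, r.impact)
        rows.append({"asset": r.asset, "threat": r.threat, "score": inherent,
                     "level": level(inherent), "mitigation": r.mitigation,
                     "residual_level": level(residual)})
    return rows


def management_plan(register, treat_at="high"):
    """Ordered work list, highest score first.  Entries at or above the threshold
    need a planned mitigation; lower ones are documented and accepted.  Entries in
    the plan with no mitigation decided yet are returned separately so they are
    not silently forgotten."""
    order = ["low", "medium", "high", "critical"]
    rows = sorted(analyze(register), key=lambda x: -x["score"])
    plan, accepted = [], []
    for row in rows:
        (plan if order.index(row["level"]) >= order.index(treat_at) else accepted).append(row)
    missing = [row for row in plan if not row["mitigation"]]
    return plan, accepted, missing


REGISTER = [  # constructed entries
    Risk("EHR application server", "remote-access software exposed to the Internet",
         "vendor remote-access port open, no MFA", "likely", "severe",
         "restrict remote access to VPN with MFA", "unlikely"),
    Risk("front-desk workstation", "PHI on screen visible to visitors",
         "none", "almost certain", "minor",
         "privacy screen + 5-minute screen lock with password", "unlikely"),
    Risk("imaging workstation", "unpatched OS exploited by malware",
         "monthly patching", "possible", "major"),          # no mitigation decided yet
    Risk("laptops", "loss or theft of a laptop",
         "full-disk encryption enforced", "unlikely", "negligible"),
]

if __name__ == "__main__":
    plan, accepted, missing = management_plan(REGISTER)
    for row in plan:
        print(f"{row['level']:8} {row['score']:2} {row['asset']}: {row['threat']}"
              f" -> {row['mitigation'] or 'TODO'} (residual {row['residual_level']})")
    print("accepted:", [r["asset"] for r in accepted])
    print("needs a mitigation decision:", [r["asset"] for r in missing])
```

The ordering is what the "Prioritize" slide asks for: the Internet-exposed remote-access path on the EHR server comes out critical and is treated first, the unpatched imaging workstation is high but has no mitigation assigned and is flagged, and the encrypted laptops are low and accepted with the reasoning recorded. The same register, with dates and owners added, is the Risk Management Plan an auditor expects to see.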
TRAIN STAFF PROPERLY
• Monthly training meetings
• Incorporate HIPAA Security Rule
• Not just nurses/doctors, but receptionists too!
• Recognize social engineering

SECURE PHI AROUND THE OFFICE
• Eliminate unencrypted PHI
• Screensavers
• Passwords after time-out
• Reception desks
• Tablets/mobile

STRENGTHEN PHYSICAL SECURITY
• Visitor/maintenance log
• Controls to limit physical access
• Video cameras to monitor access to sensitive areas
• Distinguish visitors from on-site personnel

HAVE INDIVIDUAL USER ACCOUNTS
• Workforce members are not all created equal
• All staff should have separate user accounts
• Role-based access
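The "Secure PHI around the office" slide (screensavers, passwords after time-out) and the "Have individual user accounts" slide (separate accounts, role-based access) describe the same access-control model from two sides. The model below is an added example that shows why the two belong together, not SecurityMetrics' code or any EHR vendor's API: each person has their own session, the role decides which actions on PHI are allowed, an idle session locks and requires the password again, and every decision is logged against a named individual, so the audit trail can answer who touched a patient's record. The roles, permissions, users, timeout and patient identifiers are constructed.

```python
"""Individual accounts, role-based access, idle time-out, and an audit trail that
names a person.  Added example for the deck's 'Secure PHI around the office' and
'Have individual user accounts' slides; not SecurityMetrics' code.  Roles,
permissions, users and timings are constructed."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Role -> allowed actions on PHI ("minimum necessary"; the split is an assumption)
ROLE_PERMISSIONS = {
    "physician":    {"chart.read", "chart.write", "rx.write"},
    "nurse":        {"chart.read", "chart.write"},
    "receptionist": {"schedule.read", "schedule.write", "demographics.read"},
}
IDLE_TIMEOUT_S = 300   # lock after 5 minutes without activity (assumption)


@dataclass
class Session:
    user: str            # one named person, never a shared "frontdesk" login
    role: str
    last_activity: float
    locked: bool = False


@dataclass
class PhiSystem:
    # (time, user, what, result): the trail an investigator or auditor will read
    audit: List[Tuple[float, str, str, str]] = field(default_factory=list)

    def login(self, user, role, now):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.audit.append((now, user, "login", "ok"))
        return Session(user, role, now)

    def request(self, session, action, patient, now):
        """Authorise one action on one patient's PHI and log the decision."""
        if session.locked or now - session.last_activity > IDLE_TIMEOUT_S:
            session.locked = True          # screensaver / time-out: password required
            self.audit.append((now, session.user, f"{action}:{patient}", "denied: re-authenticate"))
            return False
        session.last_activity = now
        allowed = action in ROLE_PERMISSIONS[session.role]
        self.audit.append((now, session.user, f"{action}:{patient}", "ok" if allowed else "denied: role"))
        return allowed

    def unlock(self, session, password_ok, now):
        """Re-entering the password after a time-out resumes the same individual session."""
        if password_ok:
            session.locked = False
            session.last_activity = now
        self.audit.append((now, session.user, "unlock", "ok" if password_ok else "denied"))
        return not session.locked

    def who_accessed(self, patient):
        """Accountability query: which named users successfully touched this patient's data."""
        return sorted({user for _, user, what, result in self.audit
                       if what.endswith(f":{patient}") and result == "ok"})


def demo():
    """Constructed walk-through: a nurse and a receptionist on the same patient."""
    system = PhiSystem()
    nurse = system.login("j.doe", "nurse", now=0)
    desk = system.login("a.lee", "receptionist", now=0)
    results = [
        system.request(nurse, "chart.read", "P-1001", now=10),    # nurse may read the chart
        system.request(desk, "chart.read", "P-1001", now=20),     # receptionist may not
        system.request(desk, "schedule.read", "P-1001", now=25),  # but may see the schedule
        system.request(nurse, "chart.write", "P-1001", now=400),  # 390 s idle: locked out
        system.unlock(nurse, password_ok=True, now=405),
        system.request(nurse, "chart.write", "P-1001", now=406),  # resumes after password
    ]
    return results, system.who_accessed("P-1001"), system.audit


if __name__ == "__main__":
    results, users, audit = demo()
    for entry in audit:
        print(entry)
    print("accessed P-1001:", users)
```

With a shared "nurse1" login, the last query would return one name for the whole ward and the denied receptionist read would be indistinguishable from a nurse's. The time-out branch is the "passwords after time-out" bullet in code: an unattended session at the reception desk stops being usable after the idle limit, and the record of who resumed it is kept.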

UPDATE SYSTEMS & APPS
• EHR
• Anti-virus
• Medical devices
• Operating systems
• Firewalls
• IPS/FIM/DLP

www.securitymetrics.com
QUESTIONS?
