
Robert Grupe, CISSP, CSSLP, PE, PMP

tags :|: medical identity, patient data, data protection

© Copyright 2014-01 Robert Grupe. All rights reserved.

Red7 :|: Information Security

PATIENT MEDICAL IDENTITY & DATA PROTECTION SECURITY

Agenda
• US Medical Identity Theft and Data Breaches
• HIPAA 2013 Omnibus Final Rule Updates
• Recommendations

US MEDICAL IDENTITY THEFT AND DATA BREACHES

US Data Breaches
• Top Industries by Cost
  • 1. Healthcare $233 per person
  • 2. Finance $215
  • 3. Pharmaceutical $207
• Top Causes
  • 41% Malicious attack
  • 33% Human Factor
  • 26% System glitch
Source: 2013 Cost of Data Breach Study: Global Analysis, Ponemon Institute
US Healthcare Data Breaches
• 94% of health-care organizations have been hit by at least one data breach
  • 45% had more than five breaches in the past two years
• $2.4 million estimated average cost over 2 years
  • $10,000 - $1+ million per incident
• 2,796 average number of records lost per breach
• 47% of breaches detected by employees
• 52% of breaches discovered by audits
• Black Market Data Value
  • $50 per medical record (SSNs go for about $1 each)
• Criminal Mis-Use
  • Overseas call centers ordering medical equipment and drugs
Source: Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy & Data Security, Dec 2012
US Medical Identity Theft
• $1.8 million, 19%+ over 2012
• Causes
  • 30% Member shared identification with a friend/family member
  • 28% Acquaintance or family member stole it
  • 8% Provided in response to phishing
  • 7% Provider/insurer data breach
  • 5% Healthcare worker
• Criminal mis-uses
  • 63% treatments
  • 60% prescriptions and equipment
  • 51% obtain government benefits
  • 12% credit card account applications
• Difficulties detecting
  • 56% of patients don’t check their records for accuracy
Source: 2013 Survey on Medical Identity Theft, Ponemon Institute
Consequences
• “Medical identity theft is being called the fastest growing type of fraud. This contributes to rising cost in health care.”
• “Unlike financial identity theft, medical identity theft holds life threatening impacts. For example, if you are rushed to the ER with appendicitis but your records already show your appendicitis removed, the consequences can be dangerous.”
• Robin Slade, Development Coordinator, Medical Identity Fraud Alliance
Patient Harm
• 50% of victims are unaware that the theft creates inaccuracies in their records
  • 15% misdiagnosis
  • 14% treatment delays
  • 13% mistreatment
  • 11% wrong prescription
• 23% credit rating damage
• 20% financial identity theft (credit card, banking)
• 17% legal fees
• Loss of coverage, cost to restore, out-of-pocket costs, increased premiums
• 6% employment difficulties
• 58% of victims lost trust in providers
Enterprise Consequences
• Member, client, provider communications
• Member online security monitoring and restoration services
• Response and reputation crisis management
• Loss of business
• Lawsuits: members, customers, investors
HIPAA Breach Notifications

HIPAA 2013 OMNIBUS FINAL RULE UPDATES
HIPAA 2013 Omnibus Final Rule Updates
• Defines Business Associates of Covered Entities as directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.
• Requires modifications to, and redistribution of, a Covered Entity's notice of privacy practices.
• Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act.
• Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's "harm" threshold.
• Violation Penalties (per violation, by tier)
  • (A) Did Not Know (with reasonable diligence) $100+
  • (B) Reasonable Cause $1,000+
  • (C)(i) Willful Neglect - Corrected $10,000+
  • (C)(ii) Willful Neglect - Not Corrected $50,000
Sources: HHS Omnibus http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/index.html and http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php

RECOMMENDATIONS
Master the Basics
• Keep software patched to the latest maintenance level
• Install anti-virus and application IDS everywhere
  • (Yes: Mac OS, iOS, Linux, and Android too)
• Strong Credential Management
  • Strong passwords and password management policies
• Network Mapping
  • Sites, gateways, routers, devices,
  • then directory details for all devices
Risk Assessment
• Which security laws and regulations affect your organization
  • Health Care: HIPAA, states
  • Financial: PCI, etc.
  • Personal: States, EU
  • Other
• Map your external app’s PHI flows
  • Workflows
  • Reference lookups
  • Data backups
Document Your Policies & Processes
If it isn’t documented, it doesn’t exist
• Use an industry recognized framework
  • E.g. ISO/IEC 27001:2005
  • Living document: continual detailing and updating
  • Don’t use all of it at once: keep the section numbers, but only draft and publish the active sections
• Identify information security best practices
  • Reference for minimum acceptable security
  • Industry (e.g. HIPAA, HITRUST, ARRA), state (Mass.), third party (e.g. PCI and COBIT), government (e.g. NIST, FTC and CMS), appdev (e.g. OWASP)
• Application regression test scripts that validate all policy rules
• Responsible Program Manager to
  • prioritize critical success factors and initiatives
  • ensure document maintenance
  • champion process improvements
  • oversee system/application/services updates
  • ensure compliance validation
  • provide status reporting
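Two of the recommendations above fit together: the PHI flow map (workflows, reference lookups, data backups) is data, and each policy rule is a check that can be run over that data as a regression test. The Python below is an added example written for this page, not code from the deck or from Red7; the PhiFlow fields, the rule ids P-01 to P-04 and the sample inventory are hypothetical, constructed to show the pattern.

```python
"""Regression checks over a PHI data-flow inventory (added example, not from the deck).

The flow map is kept as data and every policy rule is a predicate over it, so a CI
job can fail when a newly mapped flow breaks a rule. Rules, fields and the sample
inventory are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class PhiFlow:
    name: str                  # inventory label for the flow
    kind: str                  # "workflow", "lookup" or "backup" (the deck's three flow types)
    source: str
    destination: str
    external_party: bool       # destination sits outside the covered entity
    encrypted_in_transit: bool
    encrypted_at_rest: bool
    baa_on_file: bool          # Business Associate Agreement signed with the external party
    access_logged: bool        # access to the PHI in this flow is audit-logged


# A rule is (id, description, predicate); the predicate returns True when the flow VIOLATES it.
Rule = Tuple[str, str, Callable[[PhiFlow], bool]]

RULES: List[Rule] = [
    ("P-01", "PHI must be encrypted in transit",
     lambda f: not f.encrypted_in_transit),
    ("P-02", "PHI backups must be encrypted at rest",
     lambda f: f.kind == "backup" and not f.encrypted_at_rest),
    ("P-03", "every external recipient of PHI needs a BAA on file",
     lambda f: f.external_party and not f.baa_on_file),
    ("P-04", "access to PHI must be audit-logged so breaches can be detected",
     lambda f: not f.access_logged),
]

# Constructed sample inventory: one flow of each kind the deck lists, plus an internal workflow.
SAMPLE_FLOWS = [
    PhiFlow("claims-adjudication", "workflow", "claims-app", "clearinghouse",
            external_party=True, encrypted_in_transit=True, encrypted_at_rest=True,
            baa_on_file=True, access_logged=True),
    PhiFlow("drug-reference-lookup", "lookup", "pharmacy-app", "formulary-vendor",
            external_party=True, encrypted_in_transit=False, encrypted_at_rest=True,
            baa_on_file=True, access_logged=True),
    PhiFlow("nightly-backup", "backup", "ehr-db", "offsite-storage",
            external_party=True, encrypted_in_transit=True, encrypted_at_rest=False,
            baa_on_file=False, access_logged=True),
    PhiFlow("member-portal-login", "workflow", "member-portal", "ehr-db",
            external_party=False, encrypted_in_transit=True, encrypted_at_rest=True,
            baa_on_file=False, access_logged=False),
]


class PolicyViolation(AssertionError):
    """Raised by assert_compliant so an ordinary test runner reports the failure."""


def evaluate(flows, rules=RULES):
    """Return sorted (flow name, rule id) pairs for every rule each flow violates."""
    findings = []
    for flow in flows:
        for rule_id, _text, violates in rules:
            if violates(flow):
                findings.append((flow.name, rule_id))
    return sorted(findings)


def describe(findings, rules=RULES):
    """Render findings one per line, e.g. 'nightly-backup: P-03 every external ...'."""
    text = {rule_id: desc for rule_id, desc, _ in rules}
    return [f"{flow}: {rule_id} {text[rule_id]}" for flow, rule_id in findings]


def assert_compliant(flows, rules=RULES):
    """Regression entry point: raise PolicyViolation listing every finding, else return True."""
    findings = evaluate(flows, rules)
    if findings:
        raise PolicyViolation("\n".join(describe(findings, rules)))
    return True


if __name__ == "__main__":
    for line in describe(evaluate(SAMPLE_FLOWS)):
        print(line)
```

Run as a script it lists the four findings in the sample inventory; called from a test suite, `assert_compliant` turns the same inventory into a failing test whenever a flow is added without the controls the policy requires. Adding a rule is one tuple, which keeps the policy document and the check that enforces it in step.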
Well Begun, Is Half Done
• Don’t procrastinate: start right now!
  • With a quick-list brainstorm
• Continuous process improvement
  • What doesn’t get measured doesn’t get done
  • Regular risk assessment of privacy controls and processes
• Security technology isn’t the (whole) solution
  • Vulnerability assessment utilities to detect security policy & process vulnerabilities
    • E.g. social engineering vulnerabilities
    • Insider data access
    • User validation
Finis
• This Presentation & Further Resources
  • www.red7managementsolutions.com
• Questions, suggestions, & requests
  • Robert Grupe, CISSP, CSSLP, PE, PMP
  • robert.grupe@red7managementsolutions.com
  • +1.314.278.7901

Red7 Medical Identity Security and Data Protection


Editor's Notes

  • #2 Bio: Robert Grupe is an experienced international business leader with a background in engineering, sales, marketing, PR, and product support in the software, digital marketing, health care, electro-optic and aerospace industries. From Fortune 100 to start-up companies, Robert has worked for industry leaders including Boeing, McAfee, Text 100 PR, and Express Scripts. Management experience includes working with and leading local, as well as internationally distributed, teams while implementing best practices to maximize organizational and market performance. Robert is a registered Certified Information Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), Professional Engineer (PE), and Product Management Professional (PMP).
  • #6 Your Medical Records Could be Sold on the Black Market, NBC Bay Area News, http://www.nbcbayarea.com/news/local/Medical-Records-Could-Be-Sold-on-Black-Market-212040241.html, June 19, 2013; http://www.nationwide.com/newsroom/061312-MedicalIDTheft.js