This document discusses cybersecurity threats facing the healthcare industry. It notes that attacks are rising, with attackers exploiting a range of vulnerabilities through techniques such as phishing and malware. Recent healthcare breaches are described in which patient data was compromised. Rules around data privacy and payment security, such as HIPAA and PCI DSS, are changing to increase protections and penalties for noncompliance. Lessons from the troubled Healthcare.gov rollout emphasize the importance of thorough testing. The document advocates that healthcare organizations understand their risks and have plans to securely manage and protect sensitive patient data across different locations and systems. It promotes the use of data masking and de-identification tools to reduce the number of copies of identifiable data.
4. Internal and External Vulnerabilities
Drive-By Attacks
Non-Standard SSL Traffic
Bot Nets
Watering Hole Attacks
Spear Phishing
Social Engineering Attacks
5. Breaches
South Shore Physicians, P.C. - A dishonest nurse and three co-conspirators were linked to identity fraud.
NY Office of the Medicaid Inspector General (OMIG) - An employee sent an email that contained sensitive records to their own email account.
Cedars-Sinai Medical Center - Medical workers were fired for their hacking effort.
Long Beach Memorial Medical Center - Patients had information exposed by an employee.
6. Breaches Happen
In the event of a breach, the full cost to an organization can include one or more of the following:
Notifying customers / patients,
Investigating and controlling the breach,
Potential litigation and fines,
Intangible costs associated with:
Damage to your brand,
Loss of customers,
Decline in value, and
Reputation management.
8. PCI – PCI Data Security Standard
An industry security standard that applies to companies that process and store credit/debit card data.
12 requirements:
1. Firewall to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data to those that “need to know”
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain an information security policy for all personnel
Larger companies must undergo annual PCI audits. Noncompliance can result in revocation of services and/or fines up to $100,000 per month.
9. PCI – eCommerce Standards
A merchant’s PCI DSS responsibilities remain regardless of their e-commerce implementation.
If development or processing is outsourced to third parties, the merchant retains responsibility for ensuring that payment card data is protected.
In-house developed applications should use PA-DSS as a best practice during development.
Minimize the staff who can view account data.
Where a merchant has outsourced cardholder data to a third party, that data may still be at risk.
10. PCI – Cloud Standards
A merchant’s PCI DSS responsibilities remain regardless of their cloud implementation.
Is the service being used the one that was validated?
Identify and minimize the payment card data in the cloud.
Identification and authentication are essential.
Governance, risk and compliance are shared.
Data ownership and cross-border regulatory laws.
Data present in other cloud systems such as VM images, backups, monitoring logs, and so on.
When exiting, potentially unknown quantities of encrypted data may be left behind.
11. HIPAA
The Health Insurance Portability and Accountability Act (HIPAA)
Covered entities must implement technical policies and procedures to allow access only to those persons and business associates that absolutely require access to Protected Health Information (“PHI”).
However, it also provides for the uses and disclosures of de-identified information (aka masked, obfuscated, redacted). PHI that meets the requirements for de-identification is considered not to be individually identifiable health information.
The Office for Civil Rights ("OCR") is required to impose penalties if the covered entity or its business associate acts with neglect.
12. HIPAA – Recent Changes
The changes greatly increase privacy protections for PHI while also strengthening enforcement.
Penalties are increased for noncompliance, with possible penalties of $1.5 million per occurrence.
The focus of OCR audits and assessments will be on whether PHI has been compromised; the covered entity must then clearly prove that there is a low probability the information has been compromised.
The changes expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors.
13. State Laws
46 states have enacted laws requiring notice of security breaches of personal data.
Some states have reportedly considered legislation to hold retailers liable for third-party companies’ costs arising from data breaches.
The Massachusetts law is considered to have one of the most comprehensive sets of security regulations at the state level.
14. State Laws - Texas
When the Texas Breach Notification law went into effect in September 2012, breach notification obligations began to exist in all states, because Texas requires entities doing business within the state to provide notification of data breaches to residents of states that have not enacted their own breach notification law.
16. Getting Technology Right
According to the research firm the Standish Group, 94% of large federal information technology projects over the past 10 years were unsuccessful.
http://www.nytimes.com/2013/10/25/opinion/getting-to-the-bottom-of-healthcaregovs-flop.html?_r=3&
21. Issues
Participants can prepare all they want, but bad data can snarl the exchange.
Normalization of data across multiple independent organizations leaves data more vulnerable to contamination, duplication and mix-ups.
Aggregating, analyzing and managing extensive data raises privacy concerns and costs.
22. Ownership
Each participant must concede a certain amount of ownership of resources and timelines for projects to the “Greater Good”.
24. Understanding Ourselves
Do we:
Understand where we are?
Know where our risks are?
Have compensating controls?
Have a plan?
Enterprise Governance, Risk and Compliance (“eGRC”) is an enterprise initiative that reaches from strategy through architecture to the operations of the organization.
25. Review Access to Sensitive Data
Live Data
Who has access?
Perform meaningful entitlements reviews.
Flag entitlements that do not conform to security policies.
Enterprise Entitlement Solutions typically include separate mainframe, application-specific and LDAP-based solutions.
[Diagram: live environment behind the firewall, showing external users, internal users and privileged users reaching file servers, a load balancer, web, app and ERP servers, databases and backups, alongside a QA testing copy]
Review for Toxic Combinations.
26. Data … Data Everywhere
Copies of data may exist in multiple locations in your environment.
Each of these locations is a potential target from external sources and needs to be protected.
The Verizon Data Breach Report suggests eliminating unnecessary copies of data.
Data De-Identification (aka Data Masking) eliminates multiple copies of identifiable data.
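As an added example (not from the original deck or any tool it names), the Python below masks a constructed set of patient records so that the copy handed to QA or a business associate carries none of the identifiers discussed under HIPAA de-identification above: names, SSNs and MRNs are replaced by a keyed pseudonym, dates are reduced to year, ages over 89 are grouped, and ZIP codes are truncated. The rule set follows HIPAA Safe Harbor as an assumption; the records, key and regexes are constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed sample PHI records for this demo; no real patients.
SAMPLE_RECORDS = [
    {"name": "Jane Example", "mrn": "MRN-000123", "ssn": "123-45-6789",
     "dob": "1947-03-14", "zip": "02139", "diagnosis": "hypertension",
     "note": "Jane Example (SSN 123-45-6789) seen 2014-05-02 for follow-up."},
    {"name": "John Sample", "mrn": "MRN-000987", "ssn": "987-65-4321",
     "dob": "1920-11-30", "zip": "75201", "diagnosis": "diabetes",
     "note": "John Sample requests a refill."},
]

# Assumed secret for keyed pseudonyms: it stays with the live system and is
# never shipped with the masked copy, so tokens cannot be reversed from it.
PSEUDONYM_KEY = b"constructed-demo-key"

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DATE_RE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")


def pseudonym(value: str) -> str:
    """Keyed one-way token: same MRN gives the same token in every copy."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]


def deidentify(record: dict, as_of_year: int) -> dict:
    """Return a masked copy of one record using Safe Harbor-style rules:
    direct identifiers dropped, dates reduced to year, ages over 89 grouped,
    ZIP truncated to three digits."""
    birth_year = int(record["dob"][:4])
    age = as_of_year - birth_year          # approximate: year granularity only
    over_89 = age > 89
    note = record["note"].replace(record["name"], "[NAME]")
    note = SSN_RE.sub("[SSN]", note)
    note = DATE_RE.sub(r"\1", note)         # keep the year only
    return {
        "patient_token": pseudonym(record["mrn"]),  # stands in for name/MRN/SSN
        "birth_year": None if over_89 else birth_year,
        "age_band": "90+" if over_89 else str(age),
        "zip3": record["zip"][:3],  # Safe Harbor population check assumed done elsewhere
        "diagnosis": record["diagnosis"],
        "note": note,
    }


def deidentify_all(records: list, as_of_year: int) -> list:
    """Mask every record; this is the copy handed to QA or a business associate."""
    return [deidentify(r, as_of_year) for r in records]
```

The free-text scrub only removes the exact name string known from the structured fields; real clinical notes need a dedicated PHI scrubber before a copy can be treated as de-identified.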
[Diagram: the same environment behind the firewall (external, internal and privileged users; file, web, app and ERP servers; load balancer; databases; backups; QA testing), with further copies at: Outsourcers / Business Associates, Test Data in the Cloud, Stratification of Big Data, Taking Data Home]
28. Compliance is important but expensive…Until Now
The Guard Compliance Tracking Solution
• EASY Self Audit Questionnaires
• Gap Identification Reporting
• Remediation Management
• Policy and Procedure Templates
• Unlimited Number of Patients, Employees and Associates
• Document and Version Control Management
• Highly Secure
• No IT integration - Web Based Solution
Become Compliant in 60 Days!
Attest for HITECH, and Satisfy Meaningful Use Core Measure 15
To find out more or start a FREE 30 Day evaluation, visit www.compliancy-group.com
(855) 85 HIPAA or (855) 854-4722
30. Data De-Identification - DMsuite™
DMsuite™ - A robust, proprietary tool that has been deployed at clients for over 9 years with Sensitive Data Discovery, Data De-Identification and Auditing functionality.
[Diagram: data sources covered: Applications; Databases; IMS; Big Data; Files (XML, CSV, MultiRecord, etc.); Unstructured Text (Social, RSS); QSAM, VSAM]