IT Risk: Are You Prepared?

Transcription

1 IT Risk: Are You Prepared? Presented by Jennifer Griveas and Michael Gray Who We Are Jennifer Griveas, Esq., is the Chief Human Resources Officer and General Counsel for the Eliza Jennings Senior Care Network, where she has served as a member of the senior management team since She oversees all legal matters for the organization, including regulatory compliance and risk management, labor and employment issues, litigation management, and transactional matters. She is certified in health care compliance by the HCCA, and works extensively with company management on matters of compliance and IT security. Who We Are Michael Gray is Director of Information Technology and Compliance Officer. He has worked for Eliza Jennings for nine years. He is primarily responsible for insuring that the company mission is met through the use of technology on a daily basis, maintaining various compliance requirements, insuring that the department meets and exceeds quality benchmarks, and insuring that the organization is in a position to meet future challenges 1

2 Overview What should scare you? Why should it scare you? How can you mitigate the risk? The Outside is Scary Ransomware Viruses Malware/Adware Hacking External Threats Explained Ransomware Traditional Viruses Malware/Adware Hacking 2

3 Ransomware Demo Ransomware Examples WannaCry UK National Health Service Merck Heritage Valley Health Systems Bayer Medical Devices Mini-Case Study WiFi Pineapple 3

4 The Inside is Even Scarier Inside vs Outside Threats Inside Outside Internal Threats Explained Higher likelihood Defenses are pointed outward Not necessarily malicious Can be boring and seem trivial Mini-Case Study The USB Drop 4

5 Risky Reality >60% of organizations allocate less than 3% of IT funds to security No IT Officer No in-house IT staff No IT Risk Assessment No monitoring/auditing No visibility to Senior Management or Board No operations integration Risky Reality March 2017 survey by CHiME 56% CIO s report that budget is largest constraint to data security 95% concerned about data being compromised 26% unsure how much PHI is being shared unsecurely 41% do not support secure texting 39% say they do a poor or extremely poor job of preparing end-users for new technologies Why should you care? You need a compliance program Strong P&Ps, auditing/monitoring, dedicated resources, and training are all crucial components HIPAA is a major substantive component of any health care provider compliance program Beyond HIPAA, many substantive concerns ethics program, billing integrity, fraud & abuse prevention. 5

6 Why Should You Care? HIPAA HHS OCR reports recurrent noncompliance in following areas: Risk analysis requirement Failure to manage identified risks Lack of transmission security Lack of auditing No patching of software Insufficient data backup/contingency planning Why Should You Care? HIPAA Goal of security measures and monitoring & auditing is twofold: To prevent noncompliance that will compromise PHI To set the stage for best possible outcome in the event of a breach OCR expects 17,000 complaints this year OCR investigates all breaches affecting 500+, investigates a number of small breaches Your risk plan and mitigation will impact outcome Why Should You Care? Other laws & standards COP compliance can you do it without EHR, , access to test results and orders? CMS Emergency Preparedness Do you know your RTO (recovery time objective)? Addressed cyberattack as part of HVA? 6

7 Why Should You Care? Operations Lost Time = Lost $$$ Risk to Residents Financial Impact Your traditional insurance may not cover cyber incidents Benefits of Mitigation Saves you $$$ Keep down time to a minimum Meet compliance and regulatory obligations Integrate IT! Operations Compliance Work Plan Knowledgeable Staff 7

8 Internal/External Perform a Risk Analysis Monitor and Audit Document Sounds Expensive! Mobile Device Management Features (force policies, patching, restrictions, remote wiping, etc.) Texting restrictions and requirements To BYOD or not to BYOD? Encryption Mobile devices (phones/laptops) should be encrypted Easy to do Protects your data Avoid the headaches! 8

9 Encryption Communication A bit more complicated Critical to remain compliant New technologies make it easy Mitigate the Risk Texting the new frontier Texting lacks encryption, texts may be stored by telecom vendor/wireless carrier Encryption technologies emerging, but with caveats If you go through a risk analysis and still approve texting how are you ensuring secure transmissions? How are you training? Access Controls access (internal/external) Password Policies Permissions (PoLP) 9

10 Consistency Strong Policies and Procedures - Essential for Compliance - Enforcement consistent disciplinary practices Retrain based on policy violations Staff Education is KEY Clear and Concise Training Include P&P s Continual Process Go Phishing! Share The Data Shredding Think Low-Tech Printing and Faxing Copies sitting out Secure Print & efax BAA with copier company Electronic Device Memory 10

11 Make Friends Using Simple Fixes! (Just kidding, this is hard) Will be challenging Include Everyone Link to Operations Low-Tech can be effective! Questions? References and Contact Information Jennifer Griveas Chief Human Resources Officer and General Counsel Michael Gray Director of Information Technology and Compliance Officer For References and other helpful resources, please visit: 11