Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

Size: px

Start display at page:

Download "Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016"

Clarence Gordon Russell
5 years ago
Views:

1 Breach New Heights The role of ITAM in preventing a data breach Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

2 Agenda Why Breaches Matter to the ITAM group The cost of breaches The cost of non-compliance Preventing a breach and staying compliant ITAM process maturity and risk mitigation Tools Templates, calculators, benchmarks, action plans 2

3 Purpose of this webinar Demonstrate the value IT Asset Management in setting up and managing programs that mitigate the risk of a data breach or being found out of compliance. 3

4 How Breaches Happen Lost devices Stolen devices Hackers Missing patches Anti-virus is out of date / not in place And many other ways 4

How Breaches Happen The Human Perspective Phishing emails PHI posted on social

5 How Breaches Happen The Human Perspective Phishing s PHI posted on social media sites Personal devices used to conduct business Mistakes Intentional breaches 5

Breach Consequences Customer data loss leads to unhappy customers with potential financial and medical issues to settle Potential loss of customers

6 Breach Consequences Customer data loss leads to unhappy customers with potential financial and medical issues to settle Potential loss of customers Organization reputation in jeopardy Resources spent on investigating, stopping, sending notifications, & preventing future events Lost productivity time Money 6

Fines OCR enforcement Civil penalties Criminal penalties

7 Breach Consequences Office for Civil Rights (OCR) investigation Resolution agreement Corrective action plan Fines OCR enforcement Civil penalties Criminal penalties Phase 2 Audits in Covered Entities plus many Business Associates. 7

401 OCR must levy a mandatory minimum penalty whenever there is a finding of willful neglect Help avoid this

8 Willful Neglect The conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated 45 CFR s OCR must levy a mandatory minimum penalty whenever there is a finding of willful neglect Help avoid this by: Writing and implementing HIPAA P&Ps Completing a Security Risk Analysis Address identified risks If have not done what HIPAA requires = willful neglect 8

Reported Breaches Since 2011, 1672 breaches >500 reported to OCR: ~45% involved theft and/or loss ~29% involved unauthorized access/disclosure ~17% involved hacking/it incident Estimated cost to the

9 Reported Breaches Since 2011, 1672 breaches >500 reported to OCR: ~45% involved theft and/or loss ~29% involved unauthorized access/disclosure ~17% involved hacking/it incident Estimated cost to the health care industry in 2012: $7 billion Sources: 10/7/16 Third Annual Benchmark Study on Patient Privacy & Data Security study by The Ponemon Institute 9

a security risk analysis Did not have breach notification P&Ps Did not provide training to workforce

10 Adult & Pediatric Dermatology Stolen unencrypted thumb drive Why? 10 $150,000 settlement Corrective action plan 6 facility organization in Concord, Mass Did not complete a security risk analysis Did not have breach notification P&Ps Did not provide training to workforce members Did not reasonably safeguard the thumb drive Source:

11 Advocate Health Care Reported three separate breaches: 4 stolen desktop computers Unauthorized third party accessed network of billing service vendor Laptop stolen from workforce member s car $5.55m settlement and corrective action plan Why? Did not complete a security risk analysis Did not have P&Ps to limit physical access to electronic information systems Did not have a BAA in place with billing vendor 11 Source: dvocate-health-care-settles-potential-hipaapenalties-555-million.html

Did not complete a security risk analysis Did not have P&Ps to address

12 Hospice of North Idaho Unencrypted laptop stolen 441 patients $50,000 settlement and a corrective action plan Why? Did not complete a security risk analysis Did not have P&Ps to address mobile device security Sources: Art Garcia, OCR 4/12/13 and 12

13 Preventing Breaches Follow HIPAA Implement administrative, physical, and technical safeguards that provide reasonable protections to the confidentiality, integrity, and availability of protected health information (PHI) and electronic protected health information ephi) 13

14 Preventing Breaches OCR HIPAA Hot Buttons Complete a security risk analysis Address risks Write and implement policies and procedures (P&Ps) Training 14

15 HIPAA Security Risk Analysis (SRA) (a)(1)(ii)(A) Risk analysis (Required): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ephi held by the covered entity or business associate 15

Security Risk Analysis Review what controls your organization has in place to protect the confidentiality, integrity, and availability of ephi Review all HIPAA Security Rule

16 Security Risk Analysis Review what controls your organization has in place to protect the confidentiality, integrity, and availability of ephi Review all HIPAA Security Rule requirements General rules Administrative safeguards Physical safeguards Technical safeguards Organizational requirements Policies and procedures & documentation requirements 16

17 Security Risk Analysis Determine what potential risks and vulnerabilities exist that may impact the confidentiality, integrity, and availability of ephi Threat sources Weaknesses Rank them Prioritize them 17

18 Preventing Breaches Write and implement a comprehensive set of privacy and security policies and procedures Have a privacy and security oversight committee 18

19 Preventing Breaches Strong technical controls Physical security controls Monitor controls Require reporting of potential and known privacy and security incidents and breaches Sanctions 19

20 What is the role of ITAM in preventing data breaches?

21 21 Uncoordinated ITAM is risky

22 Elements of a successful ITAM program Multi-stakeholder involvement Understanding of requirements and goals Comprehensive Policies and Procedures Tools to manage assets throughout their lifecycle Training and accountability of staff to implement processes Integrated solutions with providers Processes to evaluate and continually improve 22

23 Elements of an ITAM program Cost & Value Security & Reputation Convenience & Integration 23

24 How is your ITAM program?

Resource Investment ITAM/ITAD Process Maturity Model Chaotic No control over IT assets. No policies, procedures or tools. Isolated decision-making Individual Reactive Little control over assets.

25 Resource Investment ITAM/ITAD Process Maturity Model Chaotic No control over IT assets. No policies, procedures or tools. Isolated decision-making Individual Reactive Little control over assets. Limited policies and programs. Disparate lists of assets managed independently. Departmental Defined ITAM policies, procedures and repository in place. Data gathered centrally, but not validated. Minimal use of data in decision making. Cross Functional Business Process Maturity Proactive Control of assets. Policies, procedures and repository in place. Comprehensive, reliable and accurate data. Assurance controls work. ITAM improvement driven by audits. Organizational Strategic Fully integrated solution with continual business process improvements in place. ITAM is a strategic organizational element that adds value to organization Fully Integrated

26 Tools for your ITAM program Templates Security Policy Business Associates Agreement Calculators Benchmarks Action plans 26

For more information Neil Peters-Michaud, CEO npm@cascade-assets.com 608-316-6637 (office) Visit our IAITAM website www.

27 For more information Neil Peters-Michaud, CEO (office) Visit our IAITAM website Download toolkit information Healthcare resources Register to win $50 Amazon gift card (enter by December 31 st ) 27

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

HIPAA How to Comply with Limited Time & Resources Jonathan Pantenburg, MHA, Senior Consultant JPantenburg@Stroudwater.com August 17, 2017 Stroudwater Associates is a leading national healthcare consulting