2015 HFMA What Healthcare Can Learn from the Banking Industry

Transcription

1 2015 HFMA What Healthcare Can Learn from the Banking Industry

2 Agenda Introduction- Background and Experience Healthcare vs. Banking The Results OCR Audit Results Healthcare vs. Banking The Theories Practical Ways To Address Security & Compliance Questions & Answers

3 Introductions SDGblue Smart Technology Security-focused IT firm Founded in 2001 HQ in Lexington, KY Specialize in banking & healthcare Clients from NY to CA, primarily a regional footprint

4 Introductions SDGblue Smart Technology Consulting Services Security Consulting Planning Technical Non-Technical Testing Compliance Consulting Risk Management Regulatory Compliance & Exam/Audit Advisory Services DR Planning & Testing Program & Project Management (CIO & CISO)

5 Healthcare vs Banking The Results Approach For This Presentation Analysis of actual IT security and risk assessment results Compare results to OCR audit results Attempt to explain differences Desired Outcome for You Provide factual information which healthcare institutions can leverage to improve security & simplify compliance

6 Healthcare vs Banking-The Results: Malicious Activity Banking: 36% found to have active malware on their network Only ~1 infection found per infected client Healthcare 85% found to have active malware on network ~3.6 infections per affected client Ponemon Institute 54% of healthcare facilities are worried that they do not even have the detection mechanisms in place to discover a breach if it were to occur

7 Healthcare vs Banking-The Results: Malicious Activity Check Point 2014 Security Report: Every 49 minutes, sensitive data is sent outside an organization Every minute, a host visits a malicious website Every nine minutes, a high-risk application is being used (think BitTorrent) Every 27 minutes, unknown malware is downloaded

8 Healthcare vs Banking-The Results: Wireless Banking: Wireless is not frequently used in production When wireless exists, it is segmented from the internal network Healthcare 72% contained critical issues with wireless environment Critical issues are those which allowed unauthorized access to the internal network where ephi resides

9 Healthcare vs Banking-The Results: Social Engineering Overall: Hardest to control due to the Human OS 99% of sample organizations responded to Phishing Banking: 40% of targets responded to phishing Healthcare 55% of targets responded to phishing

10 Healthcare vs Banking-The Results: Endpoint Vulnerabilities Banking: 35% of clients had ineffective or outdated AV 21% with critical issues (avg of 1 per vuln. host) 49% with high risk issues (avg of 5 per vuln. host) Healthcare 75% of clients had ineffective or outdated AV 35% with critical issues (avg of 2 per vuln. host) 55% with high risk issues (avg of 15 per vuln. host)

11 OCR Audit Results 1 st Round Completed Dec 12 (~115 Covered Entities) OCR audits begin in June using internal resources Vast majority failed to comply with mandatory reqs Most common cause: Lack of awareness of reqs Other causes: Lack of resources (financial and human) Incomplete implementation Complete disregard for requirements Security was overwhelmingly an area of concern Most healthcare providers had not performed a complete and accurate risk assessment

12 OCR Audit Results % Non-Compliance by Safeguard 42%: Administrative safeguards 41%: Technical safeguards 17%: Physical safeguards Biggest security issues involved Authentication/integrity User activity monitoring Contingency planning Media reuse and destruction Risk assessment

13 OCR Audit Results

14 Healthcare vs Banking The Theories Audit Frequency & Impact Banking Regular audits have been the norm for a long time Regular testing = improved security! Bad audit = bad results: Higher FDIC rates = competitive disadvantage Higher risk rating = less likely to be purchased Healthcare: Lack of regular audits Lack of teeth to audits

15 Healthcare vs Banking The Theories Culture Banking Risk of poor information security well understood by business Focused on specific functions allows for a relatively homogenous environment Healthcare: #1 priority is improving patient health and saving lives results in data availability sometimes trumping security Data often legitimately shared with more third parties Complex services supported by multiple vendors, systems and technologies

16 Healthcare vs Banking The Theories Coming Changes to Healthcare Audits to become common Teeth to audits Ties to Medicare & Medicaid reimbursements Fines for violations Penalties for breaches Consolidation of systems/reduction of vendors (see impact of ICD-10 and CMS 10/2015 req.) Specialization of providers to limit complexity of environments Data transfer standards improved & adopted

17 Top 7 Practical Steps to Security & Compliance 7. Document Policies & Procedures Create Written Standardized Policies and Procedures Implement and Document Annual Review, Update, Retain Create Missing Policies and Procedures Category of Policies & Procedures Total Policies and Procedures Administrative Safeguards 29 Physical Safeguards 12 Technical Safeguards 12 Organizational Requirements 04 Supplemental Polices to required policy 11

18 Top 7 Practical Steps to Security & Compliance 6. Incident Response Plans Ponemon Institute, surveyed 80 healthcare organizations in the US and found that 75% don't secure medical devices containing sensitive patient data, while 94% have leaked data in the last two years (mostly due to staff negligence). 69% of respondent organizations don't secure FDA-approved medical devices such as insulin pumps or wireless heart pumps. The study relies on 324 interviews with 80 healthcare organizations, including hospitals or clinics that are part of a healthcare network (46%), integrated delivery systems (36%) and standalone hospitals or clinics (18%). 94% of organizations had at least one data breach in the last two years. The average number for each participating organization was four data breach incidents in the past two years.

19 Top 7 Practical Steps to Security & Compliance 6. Incident Response Plans (NIST SP ) Creating an incident response policy and plan Developing procedures for performing incident handling and reporting, based on the incident response policy Setting guidelines for communicating with outside parties regarding incidents Selecting a team structure and staffing model Establishing relationships between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies) Determining what services the incident response team should provide Staffing and training the incident response team.

20 Top 7 Practical Steps to Security & Compliance 5. Authentication/Authorization Basics Authentication is the process of verifying the identity of a user by obtaining some sort of credentials and using those credentials to verify the user's identity. This process begins before authorization. Authorization is the process of allowing an authenticated users to access the resources by checking whether the user has access rights to the system.

21 Top 7 Practical Steps to Security & Compliance 5. Authentication/Authorization Basics Implement policies and procedures regarding logon passwords and IDs Create strong passwords (length & Complexity) Users 9+ and Administrators 12+ Characters Don t share IDs and Passwords Implement two-factor authentication Define sanctions for the above violations

22 Top 7 Practical Steps to Security & Compliance 4. User Activity Monitoring Implement a System Information and Event Management (SIEM) solution Have policies and procedures in place for review of log data Include logs for network devices, servers and applications We are looking for anomalies

23 Top 7 Practical Steps to Security & Compliance 3. Contingency Planning Create a Disaster Recovery (BIA, RTO, RPO, MTD). Consists of IT Technical Plans Business Continuity Plan (Where, When, and How do I access systems) Consists of Non-Technical Business Unit Plans Use NIST SP rev.1 as a guide for performing DRP and BCP

24 Top 7 Practical Steps to Security & Compliance 3. Contingency Planning The seven steps in the process of building a DRP are: 1. Develop the DRP planning policy; 2. Conduct the business impact analysis (BIA); 2. Identify preventive controls; 4. Create DRP strategies; 5. Develop an information system DR plan; 6, Ensure plan testing, training, and exercises; and 7. Ensure plan maintenance.

25 Top 7 Practical Steps to Security & Compliance 2. Media Reuse and Destruction Think beyond PC/Laptops - Copiers/USBs/CDs/Hard Drives Implement policies and procedures regarding media reuse and destruction Store securely Erase using DOD/NIST SP requirements Physically destroy - if using a service, request a letter of destruction

26 Top 7 Practical Steps to Security & Compliance 1. Perform/Contract a Risk Analysis Based on NIST SP System Characterization the scope (assets) 2. Threat Identification source, motivation, actions 3. Vulnerability Identification exploit potential 4. Control Analysis current and planned 5. Likelihood Determination threat, vulnerability vs. controls 6. Impact Analysis confidentiality, integrity, and availability 7. Risk Determination level of risk through analysis 8. Control Recommendations minimize, mitigate, eliminate risk 9. Results Documentation input to mitigation efforts and risk management

27 Q&A

28 Contact Information Jim Czerwonka Senior Compliance Specialist