What is Cybersecurity?


What is Cybersecurity?
- Protection against unauthorized access to or use of assets via electronic means
- Not limited to what we think of as "hacking":
  - Fraud prevention
  - Misuse of appropriate access
- Important in personal and professional contexts
- The personal/professional distinction may blur

Protection Against What?
- Phishing: using a fraudulent request or website to defraud someone
- Spearphishing: a type of phishing that uses particular information about the individual target
- Spoofing: sending an e-mail that appears to be from one site but is actually from another
- Hacked e-mails from legitimate addresses
- Loss or theft due to inside actors (e.g. employees)
NOT ALL REQUIRE HACKS, JUST HELP!
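The spoofing point above (mail that appears to come from one place but actually comes from another) can be turned into a simple defender-side triage check on message headers. The following is an added example, not material from the presentation: the four sample messages are constructed, TRUSTED_DOMAINS is an assumed list of the organisation's own sending domains, and the three heuristics are this editor's, not a standard.

```python
"""Spoofed-sender triage over raw e-mail headers (added example).

Flags three header patterns behind "looks like it came from us":
  1. envelope sender (Return-Path) domain differs from the header From domain
  2. the display name contains an address that is not the real sender
  3. the sender domain embeds a trusted domain without being it
These are heuristics for human review, not a replacement for the
SPF/DKIM/DMARC results a receiving mail server produces.
"""
import email
import re
from email.utils import parseaddr

# Assumed: domains the organisation itself sends mail from.
TRUSTED_DOMAINS = {"example-bank.com"}

# Constructed sample headers (bodies reduced to a placeholder line).
SAMPLES = {
    # Legitimate: From and Return-Path agree and use the trusted domain.
    "legit": (
        "From: Jane Doe <jane.doe@example-bank.com>\n"
        "Return-Path: <jane.doe@example-bank.com>\n"
        "Subject: Q3 statement\n\nbody\n"
    ),
    # Display-name spoof: the visible name is a trusted address, the real
    # sender (and reply target) is somewhere else.
    "display_spoof": (
        'From: "jane.doe@example-bank.com" <accounts@mailer.invalid>\n'
        "Return-Path: <accounts@mailer.invalid>\n"
        "Subject: Urgent: wire instructions\n\nbody\n"
    ),
    # Envelope mismatch: header From is trusted, but the bounce address
    # belongs to an unrelated domain.
    "return_path_mismatch": (
        "From: Jane Doe <jane.doe@example-bank.com>\n"
        "Return-Path: <bounce@bulk-sender.invalid>\n"
        "Subject: Password reset\n\nbody\n"
    ),
    # Lookalike: the trusted name is embedded in a longer, different domain.
    "lookalike": (
        "From: Jane Doe <jane.doe@example-bank.com.login.invalid>\n"
        "Return-Path: <jane.doe@example-bank.com.login.invalid>\n"
        "Subject: Verify your account\n\nbody\n"
    ),
}

_ADDR_IN_TEXT = re.compile(r"[\w.+-]+@([\w.-]+)")


def _domain(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower()


def assess(raw_message):
    """Return a list of finding codes for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_domain = _domain(from_addr)
    findings = []

    # 1. Envelope sender domain differs from the header From domain.
    rp_domain = _domain(return_path)
    if rp_domain and rp_domain != from_domain:
        findings.append("return-path-mismatch")

    # 2. Display name carries an e-mail address whose domain is not the
    #    real sender's domain.
    m = _ADDR_IN_TEXT.search(display_name)
    if m and m.group(1).lower() != from_domain:
        findings.append("display-name-address-mismatch")

    # 3. Sender domain embeds a trusted domain without being it or one of
    #    its subdomains (e.g. trusted.com.something.invalid).
    for trusted in TRUSTED_DOMAINS:
        if (trusted in from_domain
                and from_domain != trusted
                and not from_domain.endswith("." + trusted)):
            findings.append("lookalike-domain")
            break

    return findings


def triage(samples=SAMPLES):
    """Assess every sample; returns {name: [findings]} for review."""
    return {name: assess(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        print(f"{name:22s} {'OK' if not findings else ', '.join(findings)}")
```

Run the file directly to see one line per sample. The checks deliberately look only at what a recipient or help desk can see in the headers; the "hacked e-mails from legitimate addresses" case on the same slide passes all three, which is exactly why header checks alone are not enough and why the later slides push training and process.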

Protection Against What? (cont'd)
- Ransomware: a malicious program that encrypts files on a system
  - It may lock a user out of a device or block access to files, requiring a ransom to be paid
  - Many variants with different capabilities
  - Some may post files to the internet if the ransom is not paid
  - More ransoms paid in Bitcoin
  - No guarantee of file decryption if the ransom is paid
From "Cybersecurity in the Healthcare Industry: Ransomware"

What's the Goal?
- Commercial value
  - Personal information
  - Company information
- Personal satisfaction
  - Social outrage
  - Individual embarrassment: Ashley Madison
NOTE: Don't rely solely on firewalls

Where's the Value?
- Personal information -> healthcare
  - ~20% of US GDP, with approximately 35 million hospital admissions per year; many times that in outpatient encounters
  - Result: an unprecedented amount of data
  - 10X more valuable than credit card information on the black market (~$20 each)
  - Patient IDs, billing records, and clinical information to support billing are often targeted
  From "Cybersecurity in the Healthcare Industry: Ransomware"
- Company information -> nonpublic deals
  - August 2015: SEC announced fraud charges re: hackers using nonpublic information to generate >$100 million in trading profits
  From "Sex, Money and Cybersecurity Reminders for Public Companies"
  - October 2016: DOJ charged three individuals for hacking into law firms for nonpublic information; ~$4 million in profits generated

Environment: Breaches More Common & More Costly
- Resulting from automatic and targeted attacks
- Data breaches are occurring in many forms, with significant costs both in responding to the breach and in lost business
  - Yahoo: $350 million reduction in purchase price; GC resigned without severance; no annual bonus/stock award for the CEO
  - Walgreens: $1.4 million; 1 patient involved
  - Nationwide: plaintiffs found to have standing to sue based on increased risk of harm and the expense of mitigating possible future damage

Increased Risks = Increased Requirements ("Before")
- Laws governing data security and privacy are wide-ranging and exist at both the federal and state levels
- Federal laws/regulations may apply based on the type of information protected and/or the industry:
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA)
- State laws may also require "before" steps
NOTE: Coverage is based upon the state of residency of the individual affected, not where the breached company is

"Before" Examples
- HIPAA/HITECH preventive safeguards
  - Required for business associates
  - Administrative, physical, and technical safeguards
  - Risk analysis/assessment, policies and procedures, responsible individual
  - 2016: penalty levied against a business associate
    - Began with the theft of an unencrypted smartphone
    - Lack of policies cited, including no risk analysis/response plan
    - Result: $650,000 penalty
- Massachusetts requirements
  - Similar to HIPAA
  - Broader category of information of Massachusetts residents covered

Increased Requirements ("After")
- There is no federal data breach law
- Most states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have data security breach laws
- Various definitions of "breach" and "personal information", and different notice requirements
- Generally enforceable by Attorneys General; may require AG notification
- Some require notification of credit bureaus
- Generally no minimum number of records to trigger notice

"After" Example: Oklahoma Data Breach Law
- Security Breach Notification Act, 24 O.S. § 161 et seq.
- Defines "breach of the security system" as the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained as part of a database and that causes, or will cause, identity theft or other fraud to any resident of this state (emphasis added).
- Generally requires notification as soon as practicable following discovery to any resident whose unencrypted/unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person, when there is a reasonable belief that identity theft or other fraud to any resident of the state might occur.
NOTE: There is no de minimis exclusion from coverage; Oklahoma has an effects test, which not all states do

OK Data Breach Law (cont'd)
Other requirements:
- A breach must be disclosed if encrypted information is accessed in an unencrypted form, or the breach involves a person with access to the encryption key, and there is a reasonable belief that identity theft or other fraud to any resident of the state might occur.
- Does not require notification if the information is encrypted or redacted, unless the data was acquired in an unencrypted form or the breach involves a person with an encryption key.
- Defines "personal information" as first name or initial and last name combined with any one or more of the following: SS#, driver license number, and financial account number or credit card or debit card number, in combination with any security code/access code/password that would permit access to the financial accounts of a resident.
NOTE: One of the state-to-state variances: Texas includes healthcare information

Ways to Address Risks
- Awareness
- Implementation
- Personal practices

Awareness: Realities and Requirements
- Realities: know the flow
  - What kind of information do you have?
  - How does it move (including entry, landing, and exit)?
  - Goals: security, integrity, access
- Requirements (internal): how should it move?
  - Who should have access to the information?
  - How should information be stored and transmitted?
  - What affirmative protections are required? HIPAA, GLBA
  - What happens if those protections fail?
  - How should other parties handle this information?
- Implement, don't idealize

Implementation: Awareness in Action
- Develop consistent processes
  - Internal information classifications and required security
    - May include risk assessment, training, and other safeguards
  - Data access (hard vs. soft access): who can get it?
    - Example: restrictions on sharing information from secured systems
  - Acceptable use: how are data/systems accessed and used?
    - E-mail/Bring Your Own Device (BYOD): who can transport data?
- Provide training/verification
  - Training topics: general issues/specific requirements
    - Legal/regulatory/policy/contractual
    - Sound practices: computer, mobile device, e-mail or other IT uses
  - Verify through performance reviews/social engineering

Implementation (cont'd)
- Establish and communicate third-party responsibilities
  - Contract provisions
    - Establish ownership and limitations on disclosure/usage
    - Require particular security elements/safeguards
    - Breach processes, including communication responsibilities
    - Rights at termination
  - Information security representations, e.g. certifications
- Know your responsibilities
  - Prepare an incident response plan
    - Everyone should know what to do and who to call
    - Centralize communications
    - Don't assume or indicate that something equals a "breach"
    - Ensure access to and training on the disaster recovery plan
    - Involve counsel as soon as possible
    - Know who to tell and how: customers, authorities, vendors (insurance)

Addressing Risks: Personal Practices
- Personal practices can implement or undermine other efforts
- Choose strong passwords and keep them secure (i.e., never share passwords or leave written passwords on desks)
- Shut down computers at least once a week to ensure any automatic updates are applied
- Do not click random links online or in e-mails, whether from unknown individuals, with strange subject lines, or containing errors
- Do not download software from the internet without review
- Turn off Wi-Fi unless needed, to avoid automatically connecting
- Do not upload information from external hard drives/thumb drives without first pre-scanning them
- Wipe all sensitive information from devices when it is no longer needed

Personal Practices (cont'd)
- Also important for hard copy information
  - Do not leave sensitive information out/easily visible
  - Do not leave documents or information visible in vehicles
  - Destroy hard copy documents as soon as they are no longer of use
  - Securely shred all documents with personal or nonpublic information