CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

Similar documents
CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

HIPAA Security and Privacy Policies & Procedures

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Policy and Procedure: SDM Guidance for HIPAA Business Associates

The Relationship Between HIPAA Compliance and Business Associates

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017

Putting It All Together:

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

HIPAA & Privacy Compliance Update

EXHIBIT A. - HIPAA Security Assessment Template -

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

A HIPAA Compliance and Enforcement Update from the HHS Office for Civil Rights Session #24, 10:00 a.m. 11:00 a.m. March 6, 2018 Roger Severino, MSPP,

HIPAA Federal Security Rule H I P A A

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Healthcare HIPAA and Cybersecurity Update

HIPAA 101: What All Doctors NEED To Know

Healthcare Security Professional Roundtable. The Eighth National HIPAA Summit Monday, March 8, 2004

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

HIPAA Privacy, Security and Breach Notification

The ABCs of HIPAA Security

Cybersecurity Survey Results

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

The simplified guide to. HIPAA compliance

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

Cyber Insurance: What is your bank doing to manage risk? presented by

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

REAL-WORLD STRATEGIES FOR MEDICAL DEVICE SECURITY

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

Information Governance, the Next Evolution of Privacy and Security

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

Electronic Communication of Personal Health Information

2015 HFMA What Healthcare Can Learn from the Banking Industry

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Healthcare Privacy and Security:

PULSE TAKING THE PHYSICIAN S

Encrypting PHI for HIPAA Compliance on IBM i. All trademarks and registered trademarks are the property of their respective owners.

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

Cybersecurity and Hospitals: A Board Perspective

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

Business White Paper. Healthcare IT In The Cloud: Predicting Threats, Protecting Patient Data

Monthly Cyber Threat Briefing

HIPAA Compliance & Privacy What You Need to Know Now

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

HIPAA AND SECURITY. For Healthcare Organizations

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

Cybersecurity. Overview. Define Cyber Security Importance of Cyber Security 2017 Cyber Trends Top 10 Cyber Security Controls

CCISO Blueprint v1. EC-Council

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

Physician Office Name Ambulatory EHR Security Risk Analysis

Cybersecurity The Evolving Landscape

What It Takes to be a CISO in 2017

SURVIVING THE CYBERPOCALYPSE. Craig Felty Vice President, Patient Care Services Hancock Regional Hospital

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

The HIPAA Omnibus Rule

DeMystifying Data Breaches and Information Security Compliance

What is Cybersecurity?

Assessing Your Incident Response Capabilities Do You Have What it Takes?

ACM Retreat - Today s Topics:

Integrating HIPAA into Your Managed Care Compliance Program

Security and Privacy Breach Notification

HIPAA COMPLIANCE AND

What s New with HIPAA? Policy and Enforcement Update

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY

Texas Health Resources

Data Backup and Contingency Planning Procedure

Technology Security Failures Common security parameters neglected. Presented by: Tod Ferran

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance

Overview of Presentation

Forging a Stronger Approach for the Cybersecurity Challenge. Session 34, February 12, 2019 Tom Stafford, VP & CIO, Halifax Health

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Security Audit What Why

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices

Introduction Privacy, Security and Risk Management. What Healthcare Organizations Need to Know

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Is Your Compliance Strategy Putting Your Business at Risk?

Social Media and Texting: A Growing Concern

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

Managing Cybersecurity Risk

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

HIPAA Comes of Age: 21 Years of Privacy and Security

HIPAA Security. An Ounce of Prevention is Worth a Pound of Cure

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

Cyber Risks in the Boardroom Conference

Transcription:

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA 2 Introductions 3 Assessing Your Organization 4 Prioritizing Your Review 5 206 Benchmarks and Breaches 6 Compliance 0 & Cybersecurity 0 7 Common Threats & Vulnerabilities Compliance Metrics

INTRODUCTIONS Amy Brantley Chief Compliance Officer, Reliant Post Acute Care Solutions Background Attorney 25 years experience Healthcare 4 years experience Healthcare Experience Reliant Post Acute Care Solutions (current) Golden Living Arkansas Children s Hospital Positions Chief Compliance Officer & EVP IT Chief Privacy Officer Assistant GC Healthcare & VP Compliance Labor & Employment Counsel INTRODUCTIONS Lisa Spears Privacy and Information Security Officer, Reliant Post Acute Care Solutions Background Healthcare Golden Living 23 years experience Roles at Golden Living Information Systems Security Process Improvement Project Management (PMP) Information Systems Management (CISM) IT Audit (CISA) Positions Chief Information Security Officer VP Enterprise Project Management & Internal Controls Director Process Improvement Manager IT Systems Audit 2

ASSESSING YOUR ORGANIZATION Size and internal expertise Compliance Structure Company Size and internal expertise vs. external IT Structure (large vs small) 3 rd Party Vendors Degree of reliance upon 3 rd party vendors PRIORITIZINGYOUR REVIEW Small Organizations Large Organizations Third Party Vendors Information Technology Internal Resources Information Technology Organization Privacy Program Third Party Vendor/BA 3

PONEMON INSTITUTE BENCHMARK Study Participants: 9 covered entities and 84 business associates $6.2B Cost of breaches to healthcare organizations 90% 45% $2.2M Healthcare organizations in the study having a data breach in past 2 years Healthcare organizations in the study having a more than 5 data breach in past 2 years Average estimated cost of a breach Ponemon Institute LLC, Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, May 206 Centene Announced January 206 EXAMPLES OF 206 BREACHES 2 Centene multi line health care enterprise 950,000 members potentially impacted 6 hard drives lost with PHI Lab services from 2009 to 205 It is not clear if the devices were encrypted 2 st Century Oncology Announced March 206 2st Century Oncology, a Fort Myers, Fla. based cancer care provider 2.2 million patients based across all 50 states and internationally. Hackers broke into a company database in October, accessing personal information of patients, including names, Social Security numbers, physician names, diagnosis, treatment data and insurance information. The company said it had "no indication that the information has been misused in any way." February 206 IRS Data breach exposing information of more than 700,000 individuals Hackers accessed the information, including Social Security numbers and other personal information, through the IRS' "Get Transcript" program The IRS first reported the breach in May 205, saying it affected 4,000 accounts. That number was expanded in February 206 to include as many as 724,000 accounts affected. February 206 2 Sarah Kuranda, The 0 Biggest Data Breaches Of 206 (So Far), www.crn.com, July 28, 206 IRS FBI Nearly 30,000 FBI and Department of Homeland Security workers affected Records included personal information on around 9,000 DHS employees and around 20,000 FBI employees, including names, titles and contact information. 4

COMPLIANCE 0: HIPAA SECURITY RULE RULE: All covered entities and their business associates are required to develop and document a security program to guard against real and potential threats of disclosure or loss, which will include policies, procedures and safeguards to protect Electronic PHI (or ephi). Administrative Physical Technical Security Management Process Assigned Security Responsibility Workforce Security Information Access Management Security Awareness and Training Security Incident Procedures Contingency Plan Evaluation Business Associate Contracts and Other Arrangements Facility Access Controls Workstation Use Workstation Security Device and Media Controls Access Control Audit Controls Integrity Person or Entity Authentication Transmission Security COMPLIANCE 0: HIPAA PRIVACY RULE Rule: Protects all PHI (protected health information), which includes just about any piece of information that might possibly identify a person, in any form, including oral information Grants individuals broader rights in their PHI: Access Amendment Disclosure Accounting Restrictions Confidential Communications 5

COMPLIANCE 0: BUSINESS ASSOCIATE Business Associate (BA) Definition Any entity that creates, receives, maintains, or transmits PHI in performing a function, activity, or service on behalf of a covered entity. Examples: billing companies, accountants, insurance agents/brokers, payroll vendors, consultants, law firms, data processing firms Any entity that has access to PHI to do something for a Covered Entity. Requirements Covered Entity (CE) cannot release or disclose PHI to business associates unless both parties have a Business Associates Agreement (BAA) in place. BAA is not a Non Disclosure Agreement (NDA). BAA should minimally include: Confidentiality clause Breach disclosure requirements and process Disposition requirements and process at BAA termination Rights of CE to audit the BA COMPLIANCE 0: BUSINESS ASSOCIATE Best Practices for Business Associates Engagement Select your vendors carefully as they can be jointly or directly liable for security breaches Engage all expertise needed (Legal, Procurement, Operations, Security Officer, Privacy Officer) to create a well rounded and all inclusive agreement Ask for and review vendor privacy and security policies to get a sense of controls in place Make sure basic technical security controls are in place encryption, patching, anti virus, password management, etc. 6

CYBERSECURITY 0: BASIC TERMINOLOGY Cybersecurity The body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. Threat LAN Local Area Network Firewall Vulnerability Zero Day Viruses Patching Server Patched Demililartized Zone CYBERSECURITY 0: THREATS-VULNERABILITIES-MITIGATIONS Threats Vulnerabilities Socially engineered Trojans Software with known exploits not patched Ransomware Phishing Viruses Zero Day Viruses Advanced Persistent Threats (APT) Risk Un-educated end user Poor password management Poor access controls No check & balance controls Stale virus protection Poor patch management processes Risk Mitigation User Training and Awareness Program Strong password controls Minimal access necessary Good general controls Current virus protection Sound patch management process Encryption Limiting Local Administrators 7

CYBERSECURITY 0: INCIDENT RESPONSE Process People Executive Team Compliance, Privacy, Security Officers HR IT Event Response Team Lead External Parties Legal Communications Law Enforcement CYBERSECURITY 0: RISK ASSESSMENT Conduct Risk Assessment 2 Execute action plan 5 Determine risk tolerance Develop action plan 4 3 Prioritize 8

CYBERSECURITY 0: RISK ASSESSMENT Risk Tolerance Business Decision COMPLIANCE METRICS: EMAIL Weekly Heuristics Total Submissions for analysis week 4,024 Deemed High Risk 9 Submitted to Antivirus vendor for analysis and determined Zero Day 9 of 9 Outbreak of IRS Phishing emails increased the number of emails blocked and number of emails quarantined & subsequently blocked. No infections encountered. 9

COMPLIANCE METRICS: SOFTWAREUPDATES RECEIVED VS. APPLIED Patch Management Trends 2500 2000 500 000 500 0 January February March Vulnerabilities Unable to Eliminate Vulnerabilities Not Eliminated in 30 days Vulnerabilities Eliminated GT 7 and LT 30 days Vulnerabilities Eliminated LT 7 days COMPLIANCE METRICS: SOCIAL ENGINEERING Social Engineering Attacks 60% 24% 2% IRS email Wire Transfer Request Phone Threats Arrest Warrant Bank of America Profile Issue Unpaid Invoices 2% 2% 0

COMPLIANCE METRICS: POLICY REVIEW & ATTESTATIONS Policy Annual Review Status Policy Employee Attestation Status QUESTIONS?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback