Healthcare HIPAA and Cybersecurity Update
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.
Agenda
> Introductions
> Cybersecurity overview
> Cybersecurity trends and recent breaches
> Cybersecurity program considerations
> Open discussion and questions
Cybersecurity overview
Cybersecurity overview
> What does cybersecurity mean?
Cybersecurity overview
> Why are we seeing cybersecurity events and breaches almost daily? Even just a few years ago, most of the IT security focus was on the core applications and data that processed information for an organization. Ancillary systems that were not the system of record, such as email, voicemail, websites, file sharing and mobile devices, did not get significant focus. As threats have evolved, however, it is many of those same ancillary systems that are at the root of breaches.
> Are the breaches being seen today truly highly sophisticated?
Cybersecurity overview
> The expectation gap in managing cyber risk: a significant gap often exists between management's cybersecurity risk appetite and how the IT department is actually managing security. Executives often want a quick yes-or-no answer to whether they are secure; an effective cybersecurity program is multilayered, so the honest answer describes which layers are in place and which are not.
> What should an organization's cybersecurity risk appetite be?
Cybersecurity trends and recent breaches
Cybersecurity trends and recent breaches
Trends and their security implications:
> Ever-changing endpoints
> Increased cybersecurity risk
> Lack of legacy core system integration
> Less in tune with customer demands
> Incompatibility potential increased
> Autonomous technology
> Less control over device management
> Advances in algorithms
> Automated decision engines/tools
> Constant tracking of data and people
> Connected home/auto
> Wearables
> Smart meters
> Continual monitoring of trends
> Predictive modeling and rating
> Context-aware security
Cybersecurity trends and recent breaches
What drives the cost of breaches? (per-record cost factors, Cost of Data Breach Study, Ponemon Institute LLC)
Factors that increase cost:
> Third party error
> Rush to notify
> Lost or stolen devices
Factors that decrease cost:
> Board-level involvement
> CISO/cybersecurity director appointed
> Extensive use of encryption
> Incident response plan
Cybersecurity trends in healthcare
> Stolen health records are worth roughly 10 times more than stolen credit card numbers
> PII leads to spear phishing attacks; attackers go after the wealthier
> 35 percent of reported data breaches involve healthcare data
> Healthcare lags the banking and technology industries in cybersecurity maturity
> An estimated one in 13 patients will have data compromised by a hack
> The push towards integrated care is expanding data boundaries
> Data is required to be stored longer
> Regulatory compliance is overshadowing cybersecurity
> Foreign government threat: storing healthcare information to target government employees
Top 10 biggest healthcare breaches (per U.S. Department of Health and Human Services Office for Civil Rights)
10) NewKirk Products: 3.47 million affected (August 2016)
9) Banner Health: 3.62 million affected (August 2016)
8) Medical Informatics Engineering: 3.9 million affected (July 2015)
7) Advocate Health Care: 4.03 million affected (August 2013)
6) Community Health Systems: 4.5 million affected (April to June 2014)
5) University of California, Los Angeles Health: 4.5 million affected (July 2015)
4) TRICARE: 4.9 million affected (September 2011)
3) Excellus BlueCross BlueShield: 10+ million affected (January 2015)
2) Premera Blue Cross: 11+ million affected (January 2015)
1) Anthem Blue Cross: 78.8 million affected (January 2015)
Cybersecurity trends and recent breaches
High profile breaches
> Anthem
> Target
> Office of Personnel Management
> Hollywood Presbyterian Medical Center
Cybersecurity trends and recent breaches
> Insights from HIPAA-related reported breaches
> Why does this matter even if I don't have health information?
Cybersecurity trends and recent breaches
> The HIPAA Security Rule requires a thorough, documented risk analysis (45 CFR 164.308(a)(1)(ii)(A)). The rule does not fix a frequency, but the analysis must be kept current, so in practice it is performed periodically, typically annually.
> Beginning in 2016, the U.S. Department of Health and Human Services Office for Civil Rights has been actively auditing covered entities and their business associates.
> Best practice: all covered entities periodically perform a cyber risk assessment and a separate HIPAA-specific risk assessment.
Cybersecurity program considerations
Cybersecurity program considerations from the NACD: Five principles for directors
I. Understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
II. Understand the legal implications of cyber risks as they relate to your company's specific circumstances.
III. Gain adequate access to cybersecurity expertise; discussions about cyber-risk management should be given regular and adequate time on the board agenda.
IV. Expect management to establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
V. Discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.
Cybersecurity program considerations
The big ticket items
> Patching
> Passwords
> Administrative rights
> Encryption
> Monitoring
Cybersecurity program considerations
The big ticket items (continued)
> Vendor management: outsourced? Is cloud data storage more secure?
> Board awareness
> CISO
Under the radar items: known risks that may not garner as much attention as their failure impact warrants
> Lack of IT risk assessment
> DR and BCP testing
Cybersecurity program considerations
Under the radar items (continued)
> Data classification
> Security awareness training
> Server hardening
> Mobile data
> Business Impact Analysis
Cybersecurity program considerations: Where to start
Perform a cybersecurity risk assessment and then plan your cybersecurity management program.
> The risk assessment should identify areas of potential exposure without delving into deep details.
> It should help to prioritize ongoing projects and the order in which threats and vulnerabilities are mitigated.
> The next step after the cybersecurity risk assessment is to perform deep dive assessments into the individual areas identified, such as:
- Mobile data management
- Remote access
- Laptop and desktop
- Incident response
- Social media
- Security awareness training
- Technical security configurations
- Disaster recovery
- Patch management
Open discussion and questions
Baker Tilly contact
Rich Sowalsky, CISA
Senior Manager, Risk, Internal Audit and Cybersecurity
rich.sowalsky@bakertilly.com
215 557 2058