Healthcare HIPAA and Cybersecurity Update


Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

Agenda
> Introductions
> Cybersecurity overview
> Cybersecurity trends and recent breaches
> Cybersecurity program considerations
> Open discussion and questions

Cybersecurity overview

Cybersecurity overview: What does cybersecurity mean?

Cybersecurity overview
> Why are we seeing cybersecurity events and breaches almost daily? Even a few years ago, most IT security focus was on the core applications and data that processed information for an organization. Ancillary systems that were not the system of record, such as email, voicemail, websites, file sharing and mobile devices, did not get significant attention. As threats have evolved, however, it is many of those same ancillary systems that are at the root of breaches.
> Are the breaches being seen today truly highly sophisticated?

Cybersecurity overview
> The expectation gap in managing cyber risk: a significant gap often exists between management's cybersecurity risk appetite and how the IT department actually manages security. Executives often want a quick yes-or-no answer on whether they are secure; an effective cybersecurity program is multilayered, so there is no single answer.
> What should an organization's cybersecurity risk appetite be?

Cybersecurity trends and recent breaches

Cybersecurity trends and recent breaches (diagram)
Trends:
> Ever changing end points: connected home/auto, wearables, smart meters
> Autonomous technology: advances in algorithms, automated decision engines/tools
> Constant tracking of data and people: continual monitoring of trends, predictive modeling and rating, context-aware security
Implications:
> Increased cybersecurity risk
> Lack of legacy core system integration
> Less in tune with customer demands
> Increased potential for incompatibility
> Less control over device management

Cybersecurity trends and recent breaches: What drives the cost of breaches? (chart, per-record cost impact, from the Cost of Data Breach Study, Ponemon Institute LLC)
Factors that decrease cost:
> Board-level involvement
> CISO/cybersecurity director appointed
> Extensive use of encryption
> Incident response plan
Factors that increase cost:
> Third party error
> Rush to notify
> Lost or stolen devices

Cybersecurity trends in healthcare
> Stolen health records are worth roughly 10 times more than stolen credit card numbers
> Stolen PII leads to spear phishing attacks; attackers go after the wealthier
> 35 percent of reported data breaches involve healthcare data
> The healthcare sector is behind the banking and technology sectors in cybersecurity
> An estimated one in 13 patients will have data compromised by a hack
> The push toward integrated care is expanding data boundaries
> Health data is required to be stored longer than most other data
> Regulatory compliance is overshadowing cybersecurity
> Foreign government threat: storing healthcare information to target government employees

Top 10 biggest healthcare breaches (per U.S. Department of Health and Human Services Office for Civil Rights)
10) NewKirk Products: 3.47 million affected (August 2016)
9) Banner Health: 3.62 million affected (August 2016)
8) Medical Informatics Engineering: 3.9 million affected (July 2015)
7) Advocate Health Care: 4.03 million affected (August 2013)
6) Community Health Systems: 4.5 million affected (April to June 2014)
5) University of California, Los Angeles Health: 4.5 million affected (July 2015)
4) TRICARE: 4.9 million affected (September 2011)
3) Excellus BlueCross BlueShield: 10+ million affected (January 2015)
2) Premera Blue Cross: 11+ million affected (January 2015)
1) Anthem Blue Cross: 78.8 million affected (January 2015)

Cybersecurity trends and recent breaches: High profile breaches
> Anthem
> Target
> Office of Personnel Management
> Hollywood Presbyterian Medical Center

Cybersecurity trends and recent breaches: Insights from HIPAA-related reported breaches. Why does this matter even if I don't have health information?
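The "ancillary systems" observation above and the OCR-sourced breach list can be checked against the public breach-portal export the HHS Office for Civil Rights publishes. The following is an added example, not part of the Baker Tilly deck: it parses a small constructed sample laid out like that CSV export (the column names are an assumption about the export layout, the location vocabulary is an assumption, and every row is invented) and summarizes incidents and individuals affected by breach type and by location, separating system-of-record locations from the ancillary ones the slides single out.

```python
import csv
import io
from collections import Counter

# Constructed sample in the column layout assumed for the HHS OCR breach-portal
# CSV export. Header names are an assumption about that layout; rows are invented.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Health System,PA,Healthcare Provider,52000,03/02/2016,Hacking/IT Incident,Email,No
Example Health Plan,OH,Health Plan,1200000,01/20/2016,Hacking/IT Incident,Network Server,No
Example Clinic,TX,Healthcare Provider,3100,05/11/2016,Theft,Laptop,No
Example Billing LLC,NJ,Business Associate,24000,06/30/2016,Unauthorized Access/Disclosure,Paper/Films,Yes
Example Hospital,CA,Healthcare Provider,9800,08/15/2016,Hacking/IT Incident,"Email, Network Server",No
Example Practice,FL,Healthcare Provider,600,09/01/2016,Loss,Other Portable Electronic Device,No
"""

# Locations that are not the system of record: the "ancillary systems" of the slides.
# This vocabulary is an assumption; adjust it to the location values in a real export.
ANCILLARY_LOCATIONS = {
    "Email", "Laptop", "Desktop Computer", "Other Portable Electronic Device", "Paper/Films",
}


def parse_breach_csv(text):
    """Parse an OCR-style export into dicts with typed fields and split locations."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        # One report can list several locations in a single quoted, comma-separated field.
        locations = [loc.strip() for loc in raw["Location of Breached Information"].split(",")
                     if loc.strip()]
        rows.append({
            "entity": raw["Name of Covered Entity"].strip(),
            "entity_type": raw["Covered Entity Type"].strip(),
            "affected": int(raw["Individuals Affected"].replace(",", "")),
            "breach_type": raw["Type of Breach"].strip(),
            "locations": locations,
            "business_associate": raw["Business Associate Present"].strip().lower() == "yes",
        })
    return rows


def affected_by_type(rows):
    """Individuals affected, summed per 'Type of Breach'."""
    totals = Counter()
    for r in rows:
        totals[r["breach_type"]] += r["affected"]
    return dict(totals)


def affected_by_location(rows):
    """Individuals affected per location. A report listing several locations counts
    in full under each of them, because the export does not split the number."""
    totals = Counter()
    for r in rows:
        for loc in r["locations"]:
            totals[loc] += r["affected"]
    return dict(totals)


def ancillary_share(rows):
    """Return (incidents touching an ancillary location, all incidents,
    individuals in those incidents, all individuals)."""
    anc = [r for r in rows if any(loc in ANCILLARY_LOCATIONS for loc in r["locations"])]
    return (len(anc), len(rows),
            sum(r["affected"] for r in anc), sum(r["affected"] for r in rows))


def largest(rows, n):
    """Names of the n largest reports by individuals affected."""
    return [r["entity"] for r in sorted(rows, key=lambda r: r["affected"], reverse=True)[:n]]


if __name__ == "__main__":
    data = parse_breach_csv(SAMPLE_CSV)
    print("By type:", affected_by_type(data))
    print("By location:", affected_by_location(data))
    inc, inc_total, ppl, ppl_total = ancillary_share(data)
    print(f"Ancillary systems: {inc}/{inc_total} incidents, {ppl:,}/{ppl_total:,} individuals")
    print("Largest:", largest(data, 3))
```

On the constructed sample, ancillary systems account for five of six incidents but only a small fraction of the individuals affected, because one network-server breach dominates the record count. That split between incident frequency and record volume is exactly what to look at when arguing from portal data whether email, laptops and paper deserve more of the program's attention than the core system of record.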

Cybersecurity trends and recent breaches
> The HIPAA Security Rule requires a thorough, documented risk analysis that is repeated periodically; the rule sets no fixed interval, and annual is the common practice.
> The US Department of Health and Human Services Office for Civil Rights began actively auditing covered entities and their business associates in 2016.
> Best practice: all covered entities periodically perform both a broader cyber risk assessment and a separate HIPAA-specific risk assessment.

Cybersecurity program considerations

Cybersecurity program considerations from the NACD: Five principles for directors
I. Understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
II. Understand the legal implications of cyber risks as they relate to your company's specific circumstances.
III. Have adequate access to cybersecurity expertise, and give discussions of cyber-risk management regular and adequate time on the board agenda.
IV. Set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
V. Include in discussions of cyber risk the identification of which risks to avoid, accept, mitigate or transfer through insurance, along with specific plans for each approach.

Cybersecurity program considerations: The big ticket items
> Patching
> Passwords
> Administrative rights
> Encryption
> Monitoring

Cybersecurity program considerations
> Vendor management: is the function outsourced? Is data in cloud storage actually more secure?
> Board awareness
> CISO
Under the radar items: known risks that may not get as much attention as the impact of their failure warrants
> Lack of IT risk assessment
> DR and BCP testing

Cybersecurity program considerations: Under the radar items (continued)
> Data classification
> Security awareness training
> Server hardening
> Mobile data
> Business Impact Analysis

Cybersecurity program considerations: Where to start
Perform a cybersecurity risk assessment and then plan your cybersecurity management program.
> The risk assessment should identify areas of potential exposure without delving into deep detail.
> It should help prioritize ongoing projects and set priorities for mitigating threats and vulnerabilities.
> The next step after the cybersecurity risk assessment is to perform deep-dive assessments of the individual areas identified, such as:
  - Mobile data management
  - Remote access
  - Laptop and desktop
  - Incident response
  - Social media
  - Security awareness training
  - Technical security configurations
  - Disaster recovery
  - Patch management

Open discussion and questions

Baker Tilly contact: Rich Sowalsky, CISA, Senior Manager, Risk, Internal Audit and Cybersecurity, rich.sowalsky@bakertilly.com, 215 557 2058