Behavioral Analytics Role in Assuring Data Security · 2018-10-05
CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 info@cynergistek.com cynergistek.com @CynergisTek
David Holtzman JD, CIPP, Vice President Compliance Strategies
Robert Lord, President & Co-Founder, Protenus



Page 2: Today’s Presenter

David Holtzman, CynergisTek, Inc.

• Vice President of Compliance Strategies, CynergisTek, Inc.
• Subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules
• Experienced in developing, implementing and evaluating health information privacy and security compliance programs
• Former senior advisor for health information technology and the HIPAA Security Rule, Office for Civil Rights

Page 3: Agenda

I. Insider Threat
II. Regulations and Guidance
III. Enforcement Examples

Page 4: Insider Threat

Page 5: Insiders Leading Cause of Breaches

• Healthcare industry comparatively worst sector
– Internal actors cause more data breaches than external actors [2018 Verizon Data Breach Investigations Report]
• Insiders are the 1st or 2nd ranked cause of breaches reported to OCR [2017 Breach Barometer, 2018 1st Qtr Breach Barometer, 2018 2nd Qtr Breach Barometer]
• Employee snooping and wrongdoing expose more patient records than incidents involving insider errors or mistakes
– In one case a hospital employee inappropriately accessed patients’ records for 14 years, undetected until a patient complained

Page 6: Regulations & Guidance: Access Auditing & Monitoring

Page 7: Regulations - HIPAA Security Rule

• 45 CFR 164.308(a)(1)(i) Security management process
– A covered entity or business associate must implement policies and procedures to prevent, detect, contain and correct security violations
– 45 CFR 164.308(a)(1)(ii)(D) Information system activity review
• Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports

Page 8: Regulations – HIPAA Security Rule

• 45 CFR 164.312(b) Audit controls
– Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information

Page 9: OCR Guidance Documents

• OCR January 2017 cyber newsletter “Understanding the Importance of Audit Controls”
  https://www.hhs.gov/sites/default/files/january-2017-cyber-newsletter.pdf
• OCR HIPAA Security Rule Educational Paper Series #2, last updated March 2007
  https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

Page 10: OCR 2017 Guidance

“When determining reasonable and appropriate audit controls for information systems containing or using ePHI, covered entities and business associates must consider their risk analysis results and organizational factors, such as their current technical infrastructure, hardware, and software security capabilities.”

Page 11: OCR 2017 Guidance

“It is imperative for Covered Entities & Business Associates to review their audit trails regularly, both… after security incidents or breaches, and during real-time operations. Regular review of information system activity should promote awareness of any information system activity that could suggest a security incident or breach.”

Page 12: OCR 2017 Guidance

• Questions covered entities and business associates should consider:
– What audit control mechanisms are reasonable & appropriate to implement so as to record and examine activity in information systems that contain or use ePHI?
– What are the audit control capabilities of information systems with ePHI?
– Do the audit controls implemented allow the organization to adhere to their audit controls policies and procedures?
– Are changes or upgrades of an information system’s audit capabilities necessary?

Page 13: Development of FTC Case Law

• A key component of network security is monitoring access and activity using tools to warn of access to information without authorization
– Deceptive or unfair data security practices arising from inadequate protections against unauthorized access to data
• Wyndham (2015) required a comprehensive information security program
– Monitor and manage computers connected to the company network
– Employ reasonable measures to detect and prevent unauthorized access to the company network and conduct security investigations
• Ashley-Madison.Com (2016)
– Use readily available security measures to regularly monitor systems and assets to identify data security events and verify effectiveness of protective measures
• Uber (2017 & 18)
– Monitor access to sensitive personal information

Page 14: States Getting Involved

• NYS Cybersecurity Regulations (23 NYCRR Part 500)
– Applies to licensees of the Department of Financial Services
– Implement risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information by authorized users

Page 15: GDPR: Legitimate Need vs Employee Privacy

• Monitoring the information system activity of employees is processing of the user’s personal data and requires a valid legal basis
• Data controllers/processors have a legitimate interest in the detection and prevention of loss/misuse of personal data
• Data collection/processing must be proportionate to achieving the intended purpose with the least impact on the privacy of the employee
• Establish policies on data retention, access to the collection, and use
• Give notice of monitoring, its means and purpose, and the rights of the employee

Page 16: Practical Guidelines for Monitoring

• Clear internal policy, communicated and available to employees
• Describes the cases where monitoring and processing of collected information takes place, for what purposes, by whom, how long data is stored, and the rights of employees
• Employees actively invited to provide input to the internal policy
• Due care is taken to ensure that any monitoring, and processing of the information collected, does not restrict the EU fundamental right to privacy any more than necessary for the legitimate purpose

Page 17: Examples of Enforcement

Page 18: OCR Enforcement Action

Organization failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports, for approximately 1.5 years

• Affected at least 80,000 patients
• Resolution Agreement/CAP
– Penalty $5.5 million
– 3 year Corrective Action Plan including external monitor
• Failure to monitor and audit information system activity is often cited as a contributing factor in OCR enforcement actions

Page 19: California Department of Public Health

• Hospital fined $38,750 over an incident in which hospital employees, driven by curiosity, accessed the EMR of a patient who went missing & was eventually found dead on the premises.
• Academic medical center fined $250,000 over an incident in which a temporary employee accessed the records of 71 patients and used the information to make harassing phone calls and submit credit card applications.

Page 20: Questions?

David Holtzman
[email protected]
512.405.8550 x7020
Follow me @HITPrivacy

Page 21: UEBA: What Is It and Why Does It Matter?

Page 22: Agenda

• How UEBA technologies can ID anomalous and potentially risky behavior
• Common use cases of monitoring and audit involving EHR technologies and other applications that hold PHI or sensitive data
• The pros and cons of deploying UEBA tools

Page 23:

UEBA is a heterogeneous, rapidly evolving and potentially very beneficial category of technologies that are underutilized by healthcare

Page 24: Analytics Perspective

(Figure; © 2017 Sqrrl Data, Inc. All rights reserved.)

Page 25:

https://www.skyhighnetworks.com/cloud-security-blog/ueba-is-a-feature-not-a-product/

Page 26:

UBA: Tracks broad patterns of human behavior and looks for anomalies
UEBA: UBA + non-human entities like workstations and devices
INDUSTRY-SPECIFIC UEBA: UEBA platform with an industry-specific offering
COMPLIANCE ANALYTICS: HC-specific comprehensive review for inappropriate activity

Page 27: Basic Types of Analytics

• Trend analysis/baselines
• Rules
• Machine learning

Page 28: Advanced Analytics

• Network analysis
• Orchestration/automation
• Context-aware roles


Page 31: Data Sources

EHR PATIENT DATA: Ensuring records are not viewed by neighbors
RESEARCH DATA: Making sure sensitive lists are not shared
HR DATA: Preventing access to data for internal retribution
DEVICE DATA: Seeing if devices are being used as dangerous vectors
SCHEDULING/TIMECARD: Preventing access to data for internal retribution
NETWORK DATA: Seeing if devices are being used as dangerous vectors

Page 32: Assets to Protect

PATIENT RECORDS: Ensuring records are not viewed by neighbors
RESEARCH DATA: Making sure sensitive lists are not shared
HR DATA: Preventing access to data for internal retribution
DEVICES: Seeing if devices are being used as dangerous vectors

Page 33: Example 1: The hospital admin

Page 34: Example 2: The “clinical researcher”

Page 35: Example 3: The doctor that’s just not quite right

Page 36: Key Considerations

INTEGRATION: Information all in one place
DETECTION: Find threats proactively, instead of fighting fires
INVESTIGATION: Aid in fact-gathering and speed forensics
REPORTING: Demonstrate meeting and exceeding regulatory requirements

Page 37: Questions to Ask

CLOUD V. ON-PREM: What’s your cloud strategy?
DATA ACQUISITION: What protocols, and how real-time?
INDUSTRY FOCUS: General solution vs. specific?
ANALYTICS TYPE: What data, and how is it used?

Page 38: Cons of Deployment

FALSE POSITIVES: How much signal are you getting versus noise?
COST: Think long-term TCO
LABOR: FTEs in various scenarios
USE CASES?: What does success look like for you?

Page 39: Pros of Deployment

CULTURE CHANGE: Short-term discovery, long-term change
LONG-TERM COST: Savings can be significant
ORGANIZATIONAL CHANGE: Structures between privacy, security and legal
ENTERPRISE TRUST: Executive and community awareness

Page 40: UEBA Context Map

Context factors mapped around a single user (Dr. Smith):

• Clinical Context
• Administrative Context
• Type of Clinical Practice
• Patient Treatment Patterns
• Types of Information Viewed
• Time Signature in EHR
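The scoring logic below is an added example, not code from the slides or from Protenus: it applies the “trend analysis/baselines” and “rules” analytics types from Page 27 to three of the context-map features above (patient treatment relationship, type of information viewed, time signature in the EHR) over constructed EHR access records. Every field name, user, patient id and record is constructed for the illustration; the threshold constants are assumptions, not figures from the deck.

```python
"""Baseline-plus-rules review of EHR access logs (added example, not from the
slides or Protenus). It applies the deck's "baselines" and "rules" analytics
types to UEBA context-map features: treatment relationship, information type
viewed and time signature. Field names and every record are constructed."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed records: user, user's department, patient, departments holding a
# treatment relationship with that patient, record section viewed, timestamp.
ACCESS_LOG = """\
dr_smith,cardiology,P1001,cardiology;radiology,notes,2018-09-03T08:12:00
dr_smith,cardiology,P1002,cardiology,labs,2018-09-03T16:40:00
dr_smith,cardiology,P1003,cardiology,notes,2018-09-04T11:05:00
dr_smith,cardiology,P1004,cardiology,meds,2018-09-05T14:20:00
dr_smith,cardiology,P2001,oncology,demographics,2018-09-06T23:41:00
clerk_jones,admissions,P3001,orthopedics;admissions,demographics,2018-09-03T08:30:00
clerk_jones,admissions,P3002,orthopedics;admissions,demographics,2018-09-04T08:45:00
clerk_jones,admissions,P3003,orthopedics;admissions,demographics,2018-09-05T08:50:00
""" + "\n".join(  # constructed bulk pull: 40 oncology charts in one morning
    f"clerk_jones,admissions,P4{i:03d},oncology,notes,2018-09-06T09:{i:02d}:00"
    for i in range(40))


def parse_log(text):
    """Split the CSV-style lines into dicts with typed fields."""
    rows = []
    for line in text.strip().splitlines():
        user, dept, patient, care, section, ts = line.split(",")
        rows.append({"user": user, "dept": dept, "patient": patient,
                     "care_team": set(care.split(";")), "section": section,
                     "time": datetime.fromisoformat(ts)})
    return rows


def score_access_log(text, k=3.0, hour_pad=2):
    """One alert per user-day that breaks a rule or leaves the user's baseline.
    The baseline is the user's earlier, un-alerted days, so an anomalous day
    does not become part of "normal". k: volume threshold in std devs."""
    by_user = defaultdict(lambda: defaultdict(list))
    for r in sorted(parse_log(text), key=lambda r: r["time"]):
        by_user[r["user"]][r["time"].date()].append(r)
    alerts = []
    for user, days in by_user.items():
        history = []
        for day in sorted(days):
            today, reasons = days[day], set()
            # Rule: viewing a chart with no treatment relationship (the
            # "records viewed by neighbors" case from the data-sources slide).
            if any(r["dept"] not in r["care_team"] for r in today):
                reasons.add("no_treatment_relationship")
            if history:
                # Baseline: usual hour span (padded by hour_pad) and daily volume.
                hours = [r["time"].hour for r in history]
                lo, hi = min(hours) - hour_pad, max(hours) + hour_pad
                if any(not lo <= r["time"].hour <= hi for r in today):
                    reasons.add("off_hours")
                counts = list(Counter(r["time"].date() for r in history).values())
                # std dev floored at 1 so a perfectly regular user still gets a band
                if len(today) > mean(counts) + k * max(pstdev(counts), 1.0):
                    reasons.add("volume_spike")
            if reasons:
                alerts.append({"user": user, "day": day.isoformat(),
                               "records": len(today), "reasons": sorted(reasons)})
            else:
                history.extend(today)
    return alerts
```

Calling `score_access_log(ACCESS_LOG)` yields two alerts, both for 2018-09-06: the late-night out-of-department view by dr_smith and the 40-record pull by clerk_jones; the earlier, ordinary days produce none.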

Page 41: Where is the field going?

Page 42: Actionable Next Steps

• Read HLCU chapter
• Collaborate with security/privacy
• Risk assessment for internal threats
• Consider above factors

Page 43: Summary of Tech Types

Type: Description. A good fit for…
UBA: User behavior monitoring. A good fit for: [largely phased out]
UEBA: User and beyond “behavior” monitoring. A good fit for: Non-HC industry
Vertical UEBA: Behavior monitoring plus some HC focus. A good fit for: “Check the box”-oriented healthcare facilities
Compliance Analytics: Purpose-built healthcare behavioral analytics. A good fit for: Most healthcare institutions

Page 44:

Learn more about what we’re learning at [email protected] or follow us on Twitter @Protenus