HIPAA Compliance? What you need to do to ensure you have cyber-security covered… netwatcher.com

Post on 06-Nov-2019



Basic information about HIPAA is located here. For this eBook we are most concerned with the Privacy Rule and the Security Rule.

The Privacy Rule protects all “individually identifiable health information” stored or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” (PHI). This includes common demographic information such as name, street address, telephone number, date of birth, social security number, etc. PHI also includes past, present or future information about the individual’s physical or mental health condition, payment status and provision of health care. The Security Rule sets the standards for ensuring that only those who should have access to PHI will actually have access.

The Department of Health and Human Services (HHS) has done a great job of documenting how to comply with the Security Rule. You can find that documentation here.

Healthcare organizations are under intense scrutiny by the US Federal government to ensure patient data is protected.

The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing these standards and may conduct complaint investigations and compliance reviews. The penalties can be steep at $100 to $50,000 or more per violation with a $1,500,000 calendar year cap.

State and regional governments may also impose separate fines in addition to the federal ones.

To date, more than 41 million individuals have had their protected health information compromised in reportable HIPAA privacy and security breaches, according to data from the HHS Office for Civil Rights.

It is your responsibility to protect your customer’s Personally Identifiable Information (PII) data!

DECEMBER 10, 2014: Malware Infection Results in $150,000 HIPAA Fine

Anchorage Community Mental Health Services (ACMHS) was fined $150,000 for not preventing malware from infecting its computers. The malicious programming breached the protected electronic health information of 2,743 individuals in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). According to an OCR news release, ACMHS adopted HHS Security Rule policies in 2005 but never followed them. The introduction of the malware into the ACMHS system was "the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software," according to an HHS/OCR bulletin (.pdf). In addition to the $150,000 settlement amount, the resolution agreement (.pdf) between ACMHS and OCR includes a corrective action plan and requires ACMHS to report on the state of its compliance to OCR for a 2-year period.

When it goes wrong!

NOVEMBER 12, 2014: Hackers swipe data of 60K in vendor HIPAA breach

A state insurance plan subcontractor is at the center of a serious security incident after hackers gained three months of unfettered access to its computer system, compromising thousands of members' health records. What's more, despite discovering the HIPAA breach in April, it took officials some four months to notify those affected. The Dallas-based Onsite Health Diagnostics – a medical testing and screening company, which contracts with the state of Tennessee's wellness plan – notified 60,582 people that their protected health information was accessed and stored by an "unknown source." The breach affected members from the Tennessee State Insurance Plan, Local Government Insurance Plan and Local Education Insurance Plan.

#1 Create a committee with players from IT, compliance, management and security

This team will be responsible for the ongoing cyber-security of the organization.

Most importantly, ensure this team is led by a senior executive in the organization.

This team may actually be the Audit committee for the organization. Here is a good read on the subject of Audit committees and cyber-security from Deloitte.

#2 Use a framework similar to the NIST Cyber-security Framework or ISO 27001/27002

“The Framework focuses on using business drivers to guide cyber-security activities and considering cyber-security risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cyber-security activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through use of the Profiles, the Framework will help the organization align its cyber-security activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cyber-security risk.” – NIST Cybersecurity Framework

#3 Conduct a yearly security risk assessment to identify risks and develop a mitigation plan

“Risk assessments are used to identify, estimate, and prioritize risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems. The purpose of risk assessments is to inform decision makers and support risk responses by identifying: (i) relevant threats to organizations or threats directed through organizations against other organizations; (ii) vulnerabilities both internal and external to organizations; (iii) impact (i.e., harm) to organizations that may occur given the potential for threats exploiting vulnerabilities; and (iv) likelihood that harm will occur. The end result is a determination of risk (i.e., typically a function of the degree of harm and likelihood of harm occurring). Risk assessments can be conducted at all three tiers in the risk management hierarchy—including Tier 1 (organization level), Tier 2 (mission/business process level), and Tier 3 (information system level). At Tiers 1 and 2, organizations use risk assessments to evaluate, for example, systemic information security-related risks associated with organizational governance and management activities, mission/business processes, enterprise architecture, or the funding of information security programs. At Tier 3, organizations use risk assessments to more effectively support the implementation of the Risk Management Framework (i.e., security categorization; security control selection, implementation, and assessment; information system and common control authorization; and security control monitoring).” – NIST Special Publication 800-39

You can use NIST SP 800-30 as a great guidepost.

#4 Schedule a 3rd party security company to test your organization’s security

Actual attempts by experts to breach your organization’s network…

Penetration testing
Vulnerability assessments
Web application assessments
Social engineering testing

#5 Ensure the organization has cyber liability insurance

Keep in mind that not all “cyber” insurance policies are created equal, so you will need to get educated on all the items the policy will need to cover.

Click here for a good article from Modern Healthcare.

Click here for information from a DHS-sponsored Cyber Insurance Roundtable for Healthcare.

#6 Conduct mandatory security training

Keep everyone advised of new security threats and underscore the need for vigilance, including being watchful for suspicious emails, texts, hyperlinks, etc., as well as social engineering ploys.

Here is an example.

#7 Have, follow and audit all the necessary plans and policies that impact the organization’s data security

Examples include:

Business continuity plan
Disaster recovery plan
Remote access policy
Employee termination policy
Password policy
Encryption policy
Data access policy
Bring your own device (BYOD) policy

To speed policy development, you can start with open-source templates from SANS found here.

#8 Create an Acceptable Use Policy

In an ideal world, employees would use the computers and Internet access provided by their employer solely for business use. However, throughout the work day, organizations are often exposed by their users’ misuse of the system.

The dilemma faced by every organization is what to do about it and how to start. The creation and dissemination of an Acceptable Use Policy (AUP) can help an organization avoid unwanted consequences and enable it to deal with transgressions in a fair and systematic way that will survive legal challenges without reducing employee morale and productivity.

Ensure ALL employees sign the AUP before using your organization’s IT resources.

#9 Create an Incident Response Plan

Ensure someone is formally designated for managing your organization’s incident response. NIST has published a Computer Security Incident Handling Guide (SP 800-61) that can help you develop appropriate policies and procedures.

Practice by running through “exercises” with your incident response team at least once a year, to ensure that your processes are working as expected.

#10 Use a real-time continuous monitoring solution

Today’s healthcare organizations need continuous monitoring.

NetWatcher’s Security-as-a-Service platform enables organizations to have a cost-effective 24 x 7 security service monitoring their networks for vulnerabilities and exploits.

NetWatcher enables a healthcare organization to immediately deploy these services and take advantage of a fully-staffed Security Operations Center (SOC). This means superior protection with no capital outlay, resource commitments or additional headcount.

Available for as low as $299/month with a 1 year contract.

Contact NetWatcher at [email protected] or NetWatcher.com