
HIPAA COW

Keith Fricke, MBA, CISSP, PMP

April 27, 2018


Data Security Trends

OCR Audits

Q&A

Copyright © 2017, tw-Security

Data breaches

Denial of service attacks

Internet of Things & medical devices

Malware


Top 10 healthcare breaches in 2017
◦ Commonwealth Health Corporation, Bowling Green, KY, 697,800 affected individuals (Theft)
◦ Airway Oxygen, Inc. (Business Associate), Wyoming, MI, 500,000 affected individuals (Hacking/IT Incident)
◦ Women’s Healthcare Group of PA, Oaks, PA, 300,000 affected individuals (Hacking/IT Incident)
◦ Urology Austin, PLLC, Austin, TX, 300,000 affected individuals (Hacking/IT Incident)
◦ Pacific Alliance Medical Center, Los Angeles, CA, 266,123 affected individuals (Hacking/IT Incident) (Note: PAMC closed in December 2017 due to costs to retrofit facilities to meet seismic requirements)
◦ Peachtree Neurological Clinic P.C., Atlanta, GA, 176,295 affected individuals (Hacking/IT Incident)
◦ Arkansas Oral & Facial Surgery Center, Springdale, AZ, 128,000 affected individuals (Hacking/IT Incident)
◦ McLaren Medical Group, Mid-Michigan Physicians Imaging Center, Lansing, MI, 106,008 affected individuals (Hacking/IT Incident – 3rd party issue)
◦ Harrisburg Gastroenterology Ltd., Harrisburg, PA, 93,323 affected individuals (Hacking/IT Incident)
◦ VisionQuest Eyecare, Indianapolis, IN, 85,995 affected individuals (Hacking/IT Incident)

• Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf


Hacking continues to be the biggest breach event category, even though it is only 19% of the “Number of Incidents”

15% (330 incidents) of all reported breaches due to Business Associates, affecting 29,907,269 patients

Source: www.hhs.gov


Denial of Service (DoS)
◦ Overwhelming computer systems or data networks to disrupt service
◦ Recent trend: exploiting some “Internet of Things” devices on a large scale for DoS attacks


Sidebar on Internet of Things:

• Manhole covers

• ODOT

• Losing keys

Increase in networked medical devices

Enhances delivery of patient care

Risks

Cyber insurance news


Using the techniques of deception or persuasion to gain access to information


Phishing is a method of fraud using fake but legitimate-looking electronic communications to trick recipients into
• Providing sensitive information
• Unknowingly downloading computer viruses
• Sending money somewhere

Statistic: Q4 2004: 1,609 global phishing attacks per month; Q4 2016: 92,564 global attacks per month

Source: www.apwg.org


The many forms of phishing
• Email
• Spear Phishing – targeting a specific group of individuals
  o Finance Department
  o Workforce
  o Executives
• Smishing – phishing via text message
• Phone calls from fraudsters


Ransomware attackers use malware to encrypt your data and demand payment for the decryption

Attackers can be trusted to provide the decryption key. Why?

Ransomware attacks can come with other malware


Criminals used phishing email to send attachments infected with ransomware

Ransomware encrypts data files, preventing access to the data until the hospital paid a ransom fee

Encryption means to make data appear scrambled unless you know how to decrypt it

Bitcoin is a type of digital currency

Global cyber attack hits hospitals and companies, threat seen fading for now

A global cyber attack leveraging hacking tools believed to have been developed by the U.S. National Security Agency has infected tens of thousands of computers in nearly 100 countries, disrupting Britain's health system and global shipper FedEx.

Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files.


Stages of incident response
◦ Detect
◦ Identify
◦ Contain
◦ Eradicate
◦ Restore
◦ Post Mortem


Each encrypted file has a pair of ransom notes (txt and html)

Triage process
◦ Receive calls from users (PC files and server share files affected)
◦ Confirm presence of encrypted files (expect 1000s of them)
◦ Look at file metadata on file shares to identify last user or workstation that modified the files


Triage process continued
◦ Unplug workstations suspected of causing file encryption
◦ Inventory files affected
◦ Restore backups
◦ Investigate ransomware infection vector (email, web browsing)
◦ Address email & web browsing threat
◦ Submit malware samples for analysis
◦ Remove malware
◦ Resume operations

Neither could we until…

● Can you guess which one is not like the other?
● Attempt to open a file
● Now responders have to look at file creation date


Ransomware variants hamper the response process
◦ File extensions are preserved
◦ “Modified by” metadata is erased

Erasing metadata is bad
◦ No easy way to identify infected computers
◦ Triage means unplugging all computers and manually inspecting them
◦ Hopefully the issue is localized to one department
◦ Cloud storage opens up a whole new dimension to the incident response
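The triage steps above depend on file metadata that these variants wipe. The script below is an added example, not part of the presentation: it walks a share, flags files whose extension was preserved but whose header no longer matches it and whose bytes look random, checks for the txt/html note pair beside them, and orders the hits by the earliest timestamp the OS exposes so responders know where to look first. The note name, share layout and sample files are constructed assumptions.

```python
import math, os, random, tempfile
from collections import Counter

NOTE_STEM = "README_DECRYPT"  # assumed note name; real families use their own
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pdf": b"%PDF", ".png": b"\x89PNG"}

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_encrypted(path: str) -> bool:
    """Extension kept, but the header no longer matches it and the bytes look random."""
    with open(path, "rb") as fh:
        head = fh.read(65536)
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    header_ok = expected is not None and head.startswith(expected)
    return not header_ok and shannon_entropy(head) >= 7.5  # text/XML sit well below 7.5 bits/byte

def triage_share(root: str) -> dict:
    suspects = []
    for dirpath, _, files in os.walk(root):
        note_pair = all(f"{NOTE_STEM}.{e}" in files for e in ("txt", "html"))
        for name in files:
            path = os.path.join(dirpath, name)
            if name.startswith(NOTE_STEM) or not looks_encrypted(path):
                continue
            st = os.stat(path)
            # "modified by" is wiped, so order by birth time where the OS exposes it, else mtime
            first_seen = getattr(st, "st_birthtime", st.st_mtime)
            suspects.append({"name": name, "path": path, "note_pair": note_pair, "first_seen": first_seen})
    suspects.sort(key=lambda s: s["first_seen"])
    return {"suspects": suspects, "start_here": suspects[0]["path"] if suspects else None}

def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(data)

def build_sample_share() -> str:
    """Constructed sample: two encrypted-looking files beside a note pair, a real-looking .docx, a text file."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(fin := os.path.join(root, "Finance"))
    rng = random.Random(7)
    for name in ("budget.xlsx", "memo.docx"):
        _write(os.path.join(fin, name), rng.randbytes(4096))
    for ext in ("txt", "html"):
        _write(os.path.join(fin, f"{NOTE_STEM}.{ext}"), b"your files are encrypted\n")
    _write(os.path.join(root, "report.docx"), b"PK\x03\x04" + rng.randbytes(4096))  # compressed, but genuine
    _write(os.path.join(root, "notes.txt"), b"quarterly planning agenda\n" * 40)
    return root
```

A genuine .docx is also high-entropy (it is a zip container), which is why the header check is needed alongside entropy. On Linux os.stat exposes no birth time, so ordering there falls back to mtime, which the ransomware itself set.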


Hover over a link WITHOUT clicking it. See if the actual link displayed matches what is in the status bar.
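The hover check above, done programmatically as an added example (not from the presentation): it pulls every anchor out of an HTML message and flags the ones whose visible text names one host while the real href points at another, which is what a mail filter or awareness tool would look for. The sample message, hostnames and IP address are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s: str) -> str:
    """Hostname of a URL, or of bare link-like text such as 'portal.example.org/login'."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def mismatched_links(html: str) -> list:
    """(shown text, real href) for anchors whose text looks like a URL on a different host."""
    parser = _Anchors()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = _host(text) if "." in text and " " not in text else ""
        if shown and shown != _host(href):
            flagged.append((text, href))
    return flagged

# Constructed sample message: the first link's visible text names the hospital's
# billing host, but the href actually points at a documentation-range IP address.
SAMPLE_EMAIL = """<p>Please review your invoice at
<a href="http://203.0.113.7/inv">https://billing.example-hospital.org/invoice</a>
or visit <a href="https://billing.example-hospital.org/help">our help page</a>.</p>"""
```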


Office for Civil Rights (OCR) issues ransomware guidance in April 2016

• Healthcare organizations expected to conduct risk analysis for each ransomware incident

• Purpose is to determine if low probability of a data breach exists

• Document findings

• Rationale for why OCR considers ransomware a potential data breach


Preparedness of Network Team in IT

Throttling bandwidth through technology

Relationship with your Internet Service Provider

Workforce awareness – don’t forget the Help Desk

Companies should conduct their own phishing campaigns

People are the weakest link in security


Confirm your data backup plan

Patch Management

Vulnerability Management

Advanced Malware Protection

Network Segmentation

Maintain an inventory of medical devices
◦ Connected to network – wired or wireless?
◦ Operating system
◦ Password settings / authentication / encryption

Know the vendor’s patch & vulnerability management process

Incident Response Plans and Capabilities


167 Desk Audits initiated on July 11, 2016

Desk Audit vs. Compliance Audit

Two areas of focus for Desk Audits

December 2016: 45 Desk Audits of Business Associates

March 2017: OCR issues Desk Audit draft reports

2016 desk audits – 166 CE audits in total
◦ 103 desk audits focused on Privacy & Breach Notification
◦ 63 desk audits focused on Security Compliance
◦ 41 BA desk audits, focusing on Breach Notification and Security Compliance
◦ Note: OCR presenter stated data does not represent a statistically significant sample


Source: HIMSS Boston September 2017 OCR Presentation


Documentation submissions were ranked by OCR on a 1 – 5 scale as defined in the following table:


Some findings on CE desk audits
◦ For “Timeliness of Notification” documentation provided (regarding breach notifications)
  67 CEs scored a rating of 1
  15 CEs scored a rating of 5
◦ For “Request to Access Records” documentation provided
  1 CE scored a rating of 1
  11 CEs scored a rating of 5
◦ For “Risk Assessment” documentation provided
  1 CE scored a rating of 1
  13 CEs scored a rating of 13
◦ For “Risk Management” documentation provided
  No CEs scored a rating of 1


Some findings on CE desk audits
◦ Common failures regarding Timeliness of Notification documentation
  The letter sent to the patients had no date on it
  70% of CEs received a rating of 2 – 5 because their notification letter was missing key content
  83% of CEs received a ranking of 3 – 5 for their Notice of Privacy Practices because they copied an NPP from the Internet and never customized it for their organization


Some findings on CE desk audits
◦ For “Right to Access” documentation submitted:
  Only 1% received a ranking of 1
  Inadequate documentation was common
  Some CEs claimed they were never asked by patients for access to their record
  No policy existed
  Some submitted a copy of their Authorization Form as their policy
  Lacking compliance in having the Right to Access policy state that the hospital will make efforts to send communication via a method specified by the patient


Some findings on CE desk audits
◦ Details on Risk Analysis evidence provided
  No CEs received a ranking of 1
  13% received a ranking of 2
  30% received a ranking of 3
  36% received a ranking of 4
  21% received a ranking of 5
◦ Reasons for failures
  CE had no risk analysis
  CE did not do a risk analysis on all systems
  Risk analysis failed to identify threats and vulnerabilities (a checklist was submitted)
  Failure to update risk analysis on a regular basis


Some findings on CE desk audits
◦ Details on Risk Management
  1% of CEs received a ranking of 1
  5% received a ranking of 2
  21% received a ranking of 3
  46% received a ranking of 4
  27% received a ranking of 5
  Many CEs could not show a plan
  Many CEs were not working the plan in accordance with risk findings


Roger Severino, OCR Director
◦ Shifting focus back to investigation of reported breaches
◦ Desk Audits “Phase 3” is only to document lessons learned/best practices from first two phases
◦ Resulting implication of shift in focus is compliance auditing

https://www.healthcareinfosecurity.com/no-slowdown-for-hipaa-enforcement-but-audits-ending-a-10701


Keith Fricke

Partner and Principal Consultant, tw-Security

216.280.4430

[email protected]