HIPAA Reality Check: The Gap Between Execs and IT
March 1, 2016 Brand Barney, Security Assessor
Conflict of Interest
Has no real or apparent conflicts of interest to report.
Agenda
• Healthcare status
• HIPAA Misconceptions
• Real World Examples
• Why the Gap?
• Analyze Risks
• Minimize Risks
• Questions
Learning Objectives
• Discuss prominent HIPAA and data security assumptions made in the healthcare industry by IT, compliance officers, executives, stakeholders, and board members.
• Identify common struggles preventing organizations from completing crucial security improvements to sensitive patient health data.
• Assess an effective way to fill the communications gap between executives and IT while promoting an organizational culture of data security.
• Analyze how to minimize organizational data breach probability based on vulnerabilities, threats, and risks.
An Introduction of How Benefits Were Realized for the Value of Health IT
http://www.himss.org/ValueSuite
• S: 86% of employees and executives cite ineffective communication for failure in the workplace.
• T: 54% of patients would switch providers after a data breach.
• E: Healthcare still lags behind on securing upgraded technology.
• P: Reaching full HIPAA compliance is a fantastic thing to bring up with patients.
• S: Remediation costs for crime-linked data breaches of patient data are $170 per record.
Healthcare Status
HIPAA Status Disparity
• 89% of C-Suite believe they are HIPAA compliant
• Only 67% of Compliance and Risk Officers believe they are HIPAA compliant
Belief vs. Truth
• Fantasy: Healthcare is doing well in HIPAA security
• Reality: Most healthcare organizations have vulnerabilities in their security and don’t realize it
Compromise is Imminent
• Criminal attacks in the healthcare industry have risen 125% since 2010*
• 80% of healthcare IT leaders say their systems have been compromised*
* Sources: Ponemon Institute; 2015 KPMG Healthcare Cybersecurity Survey
HIPAA Misconceptions
Myth: Firewalls are Enough
• Firewalls need to be updated
• Firewalls don’t take care of all security issues
– Remote access software
– Social engineering
– Physical security
Myth: HIPAA Doesn’t Apply to Me
• Many organizations think:
– They are too small
– Their organization doesn’t have PHI
– Cloud-stored data is exempt
• HIPAA Security Rule applies to pretty much all healthcare entities
Myth: IT and Attorneys Have Us Covered
• IT professionals need additional training for security
• Attorneys don’t have technical training
Myth: My Data Isn’t Valuable
• Health data is more lucrative than credit cards on the black market
– Credit card data sells for $1–2
– PHI sells for $20–200
• Easy to replace credit cards, impossible to replace social security numbers
Myth: Business Associates Take All Liability
• There’s shared liability between businesses and business associates
• Business associates may have vulnerabilities that endanger your data
Myth: We’re Already Doing Security
• HIPAA staff are mostly following Privacy Rule, but not Security Rule
– Staff aren’t trained in security
– PHI can be accessed everywhere!
Myth: Social Engineering Isn’t a Threat
• Social engineering targets the weakest link: people!
• Doesn’t require technical talent
• Hard to recognize
Real World Examples
Business Associate
• Target
• Dynacare
Unsecured PHI
• Two types of data
• Why your data is walking out the door
Social Engineering
• Janitor
• IT
• Service Provider
• EHR
• Build Trust
Why the Gap?
Time
• HIPAA will eat your time
– Small organizations: 200 hours annually
– Large organizations: 800+ hours annually
• Solutions:
– Hire outside security consultant
– Baby steps (prioritize based on risk)
Money
• Staff time
• Purchase: security tools, policies, training, etc.
• Solutions:
– Prioritize (#1 risk? What needs to be protected first?)
– Work it into your budget
– Get management support
– HIPAA packages (training + policies + audit combo)
Training
• Most staff don’t understand proper Security Rule practices
• Solutions:
– Train monthly instead of annually
– Send weekly security tip reminders
– Incentives!
Analyze Risks
Analyze HIPAA Risk
• Assess current controls
• Determine likelihood of occurrence
• Determine potential impact
• Determine level of risk
• Identify security measure/control/mitigation
Document PHI Flow: Data Flow Charts
• Simple way to identify scope and start documentation
• Record all devices
• Interview departments
• Observe data flow
Prioritize
• Address critical problems first
– Depends on your individual environment
• A Risk Analysis and Risk Management Plan will help determine which risks are critical
Train Staff Properly
• Monthly training meetings
• Incorporate HIPAA Security Rule
• Not just nurses/doctors, but receptionists too!
• Recognize social engineering
Secure PHI Around the Office
• Eliminate unencrypted PHI
• Screensavers
• Passwords after time-out
• Reception desks
• Tablets/mobile
Strengthen Physical Security
• Visitor/maintenance log
• Controls to limit physical access
• Video cameras to monitor access to sensitive areas
• Distinguish visitors from on-site personnel
Have Individual User Accounts
• Workforce members are not all created equal
• All staff should have separate user accounts
• Role-based access
Update Systems and Apps
• EHR
• Anti-virus
• Medical devices
• Operating systems
• Firewalls
• IPS/FIM/DLP
A Summary of How Benefits Were Realized for the Value of Health IT
http://www.himss.org/ValueSuite
• S: 86% of employees and executives cite lack of collaboration or ineffective communication for failure in the workplace.
• T: 54% of patients would switch providers after a data breach.
• E: Healthcare has exponentially upgraded its technology in the past five years, but still lags behind on securing that technology.
• P: Reaching full HIPAA compliance is a fantastic thing to bring up with patients.
• S: Remediation costs for crime-linked data breaches of patient data are $170 per record.