PREP Course # 20: HIPAA Security Presented by: Joe Baskin, Manager, Information Security

Academic year: 2021


(1)

PREP Course # 20: HIPAA Security

Presented by: Joe Baskin, Manager, Information Security

(2)

CME Disclosure Statement

• Northwell Health adheres to the ACCME's Standards for Commercial Support. Any individual in a position to control the content of a CME activity, including faculty, planners, and managers, is required to disclose all financial relationships with commercial interests. All identified potential conflicts of interest are vetted by Northwell Health for fair balance, scientific objectivity, and appropriateness of patient care recommendations.

• Course Director and Course Planner Kevin Tracey, MD, and Tina Chuck, MPH, have nothing to disclose.

• Joe Baskin is the speaker and has nothing to disclose.

(3)

Objectives

Discuss hot topics in cyber security and database security.

1. Cyber Security
2. Encryption
3. Social Engineering
4. Cloud Storage
5. Mobile Security
6. Application / Database Security

(4)

Drivers

(5)

Cyber Security

Agenda

What is Cyber Security?
Industry Statistics
Sources and Types of "Cyber Attacks"

(6)

Cyber Security

What is Cyber Security?

"Cyber security" refers to the technologies and processes designed to protect computers, networks and data from unauthorized access, vulnerabilities and attacks delivered via the Internet by cyber criminals.

A "cyber attack" is an attempt to damage, disrupt, or gain unauthorized access to a computer, computer system, data or electronic communications network.

A "cyber crime" is the illegal use of computer technology and the Internet, e.g. the Target credit card breach (~110M records) or the CA Health System unencrypted laptop loss (~729K records).

(7)

Healthcare Data Breach Statistics

Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (US Department of Health & Human Services Office for Civil Rights, breaches of 500 or more records, as of December 31, 2015)

Top 2015 Healthcare Breaches

• Anthem: 78.8M
• Premera Blue Cross: 11M
• Excellus: 10M
• Community Health: 4.5M
• MIE: 3.9M
• CareFirst: 1.1M

(8)

Cyber Security

Patient Records Breached per Day (avg.)

Medical record data is worth about $50 per record on the black market, far more than a Social Security number ($3), credit card information ($1.50), a date of birth ($3), or a mother's maiden name ($6). A medical record bundles all of these, and unlike a card number it cannot be cancelled and reissued.

Sources:

1. DHC: EHR Data Target for Identity Thieves - MedPage Today - 12/07/2011

2. http://www.welivesecurity.com/2013/08/14/healthcare-it-security-infographic-stats-point-to-big-privacy-holes/

(9)

Cyber Security

Primary Causes of Breaches

Source: http://www.backgroundcheck.org

(10)

Cyber Security

Sources & Types of "Cyber Attacks"

Malware & Malicious Code (viruses, worms, ransomware) – software intended to damage, disable or take control of computers and computer systems.

Botnets – a network of private computers infected with malicious software and controlled as a group without the owners' knowledge, typically used to send spam, host phishing pages or launch denial-of-service attacks.

Phishing – an e-mail fraud method in which the perpetrator sends legitimate-looking email to trick recipients into revealing personal or financial information, or into opening a malicious link or attachment.

Web-based attacks – attacks delivered through websites or web applications: a compromised or malicious page that exploits a flaw in the visitor's browser or plug-ins, or an attack on the web application itself to get past its security safeguards.

Denial of Service – an attack that floods a computer system or website with traffic or requests so that it can no longer serve legitimate users.

Malicious insiders – threats from people within the organization, such as employees, former employees, contractors or business associates, who misuse access they were legitimately given.

(11)

Information Security

Myths versus Reality

Myth: If I have antivirus software installed, I'm safe.

Reality: Antivirus software may be installed but not up to date with the latest virus definitions, and even current signatures miss new or customized malware. It is one layer of protection, not a guarantee.

Myth: I don't need to worry; I have no vital documents or PHI on my personal computer, just music, photos, and videos.

Reality: Hackers are increasingly focused on personal computers regardless of their contents. Your PC may hold nothing of value, but it is connected to a network that does, and like a real viral infection, malware spreads from host to host.

(12)

Information Security

Myths versus Reality

Myth: Cybercrime isn't any worse now than it's been in the past.

Reality: Cybercrime is up sharply in the last year. Experts have noted staggering growth in the number and sophistication of attacks; home and work computers are now the weak point.

Myth: I would know if I had a virus on my computer.

Reality: Most viruses and malware don't slow down or crash your computer; the profitable ones are designed to stay unnoticed. Most people who have a virus or malware have no idea they have been compromised.

(13)

IT Safeguards at Northwell Health

IT Security Safeguards

• Perimeter controls and firewall technologies that protect against external threats.
• Mobile device protection (encryption) for phones, tablets and portable devices.
• Antivirus and anti-spam to protect computers, laptops and servers.
• Intrusion detection/prevention that inspects data flows and sends alerts of potential threats.
• Security event monitoring to proactively detect suspicious activity.
• Patient privacy monitoring and application breach detection to detect suspicious activity on our clinical applications.
• Segregated cardholder data environment providing an additional layer of security for payment transactions.

Employee Training & Awareness

• Annual compliance training throughout the Health System on proper security and privacy practices.
• Security awareness and alerts published on the employee intranet.
• Periodic security reminders, email alerts, newsletters and posters.

(14)

Encryption

What is Encryption?

• Encryption is a method of keeping your personal information secure. It scrambles the information you send over the Internet so that it cannot be read by anyone who intercepts it in transit.

How to Tell If a Website is Encrypted

• To determine if a website is encrypted, look for https at the beginning of the web address (the "s" is for secure) and a padlock in the browser's address bar. A certificate warning means the connection should not be trusted.

• When completing online transactions, some websites use encryption only on the sign-in page. If any part of your session isn't encrypted, your entire account could be vulnerable, because the session cookie that identifies you after login can be captured on the unencrypted pages and replayed. Therefore, look for https on every page you visit.

• https shows that the connection is encrypted, not that the site is legitimate: phishing sites use https too, so check the domain name, not just the padlock.
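The "encrypted only on the sign-in page" problem comes down to what the browser does with the session after login. The following is an added example, not code from the original course or from Northwell: it audits a constructed login response for the conditions that let an authenticated session leak onto plain HTTP (a session cookie without the Secure and HttpOnly flags, no HSTS header, and a post-login redirect to an http:// page). The hostnames and cookie values are made up and the check runs offline.

```python
"""Audit a login response for the "encrypted only on the sign-in page" weakness.

Added example for this course page; not Northwell code. Runs offline on
constructed headers; hostnames and cookie values are made up.
"""
from http.cookies import SimpleCookie

# Constructed response from a site that serves the login form over HTTPS but
# leaves the session cookie and the rest of the session unprotected.
WEAK_LOGIN_RESPONSE = {
    "url": "https://portal.example.invalid/login",
    "headers": {
        "Set-Cookie": ["SESSIONID=7f3a9c; Path=/"],
        "Location": "http://portal.example.invalid/home",
    },
}

# Same site with the fixes applied: Secure/HttpOnly cookie, HSTS, HTTPS redirect.
HARDENED_LOGIN_RESPONSE = {
    "url": "https://portal.example.invalid/login",
    "headers": {
        "Set-Cookie": ["SESSIONID=7f3a9c; Path=/; Secure; HttpOnly"],
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Location": "https://portal.example.invalid/home",
    },
}


def audit_login_response(response):
    """Return findings explaining how the session could travel in the clear.

    The sign-in page being https:// is necessary but not sufficient: if the
    session cookie may be sent over http://, or the browser is later steered to
    an http:// page, the authenticated session is exposed on the network.
    """
    findings = []
    # HTTP header names are case-insensitive; normalise before looking them up.
    headers = {k.lower(): v for k, v in response["headers"].items()}

    if not response["url"].lower().startswith("https://"):
        findings.append("login page is not served over HTTPS")

    cookies = headers.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for raw in cookies:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            # Without Secure the browser attaches the cookie to http:// requests too.
            if not morsel["secure"]:
                findings.append(f"cookie {name} lacks the Secure flag")
            # Without HttpOnly any script injected into a page can read the token.
            if not morsel["httponly"]:
                findings.append(f"cookie {name} lacks the HttpOnly flag")

    # HSTS makes the browser upgrade every later http:// link to https://.
    if "strict-transport-security" not in headers:
        findings.append("no Strict-Transport-Security header")

    # A post-login redirect to http:// downgrades the session immediately.
    location = headers.get("location", "")
    if location.lower().startswith("http://"):
        findings.append(f"post-login redirect to plaintext URL {location}")

    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_LOGIN_RESPONSE), ("hardened", HARDENED_LOGIN_RESPONSE)):
        print(label, audit_login_response(resp) or "no findings")
```

The same checks apply when reviewing a vendor portal before approving it: a padlock on the login page says nothing about the other four conditions.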

(15)

Laptop and Removable Media Encryption

1. All laptops must be encrypted.
2. Confidential information must not be saved on removable media such as CDs, DVDs, and USB flash drives unless absolutely necessary, and then the media must be encrypted.
3. Follow Health System policies for:
• Encryption (900.25 Data Encryption and Integrity)
• Handling media (900.26 Device and Media Control)
• Disposal of media (900.29 Equipment Disposal)
• Handling of PHI (800.02 Release of Protected Health Information for Living Patients)
4. If you need assistance with encryption or disposal, please call the IS Help Desk.

(16)

Phishing

What is Phishing?

A psychological attack delivered by email, designed to trick you into giving up information or taking an action.

What does a typical attack look like?

An attack begins with a cyber criminal sending a message pretending to be from someone or something that you know, such as a friend, your bank or a well-known store. The message then entices you into taking an action, such as clicking on a malicious link, opening an infected attachment, or responding to a scam.

(17)

Phishing

What is Spear Phishing?

Spear phishing is a targeted attack on a few select individuals. Cyber attackers research their intended targets, for example by reading the victims' LinkedIn or Facebook pages, messages posted on public blogs, or published journal articles, and use those details to make the message convincing.

Why should I care?

You may not realize it, but you are a target at work and at home. Your data is worth a tremendous amount of money to cyber criminals, and they will do anything they can to hack your devices to get at it. YOU are the most effective way to detect and stop phishing.

(18)

Phishing

Anatomy of a phishing email

A. Check email addresses: the display name may look familiar while the actual address or domain does not match the claimed sender.
B. Generic salutation ("Dear User", "Dear Customer")
C. Grammar or spelling mistakes
D. "Immediate action" demanded
E. URL link: hover over it; the real destination often differs from the text shown
F. Suspicious attachment
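Most of the red flags on the slide can be checked mechanically before a message reaches a user. The following is an added example, not code from the original course or from Northwell: it parses a message with the standard library and reports the flags it finds, keyed to the slide's letters (A sender address and Reply-To mismatch, B generic salutation, D urgency, E link text versus real destination and bare-IP links, F risky attachment names). Item C, spelling, is left to the human reader. The organization domain, the phrase lists and both sample messages are constructed.

```python
"""Red-flag checks for an incoming message, keyed to the slide's anatomy (A, B, D, E, F).

Added example for this course page, not Northwell tooling. The organization
domain, role words, urgency phrases and both sample messages are constructed.
Item C (spelling) is left to a human reviewer.
"""
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example-health.org"   # assumed internal mail domain

INTERNAL_ROLES = ("help desk", "helpdesk", "it support", "it department", "payroll", "human resources")
GENERIC_SALUTATIONS = ("dear user", "dear customer", "dear member", "dear valued", "dear account holder")
URGENCY_PHRASES = ("immediate action", "within 24 hours", "will be suspended", "verify your account", "act now")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".docm", ".xlsm", ".zip", ".html", ".htm")
LINK_RE = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    return (urlparse(url.strip()).hostname or "").lower()


def analyze(msg):
    """Return the red flags found in an EmailMessage, each prefixed with its slide letter."""
    flags = []

    # A. Check email addresses: internal-sounding display name on an external domain,
    #    or a Reply-To that sends replies somewhere other than the apparent sender.
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    if from_dom != ORG_DOMAIN and any(role in display.lower() for role in INTERNAL_ROLES):
        flags.append(f"A: internal-sounding sender '{display}' uses external domain {from_dom}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        flags.append(f"A: Reply-To domain {_domain(reply)} differs from From domain {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    raw = body.get_content() if body else ""
    text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", raw)).strip()

    # B. Generic salutation: a bank or help desk that knows you uses your name.
    if any(text.lower().startswith(s) for s in GENERIC_SALUTATIONS):
        flags.append("B: generic salutation")

    # D. Pressure to act immediately, in the subject or the body.
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in haystack:
            flags.append(f"D: urgency phrase '{phrase}'")
            break

    # E. Links: visible text shows one host while href goes elsewhere, or to a bare IP.
    for href, label in LINK_RE.findall(raw):
        href_host = _host(href)
        label_text = re.sub(r"<[^>]+>", "", label).strip()
        if IPV4_RE.match(href_host):
            flags.append(f"E: link to bare IP address {href_host}")
        if "://" in label_text and _host(label_text) and _host(label_text) != href_host:
            flags.append(f"E: link text shows {_host(label_text)} but points to {href_host}")

    # F. Attachments with executable or script-bearing extensions (double extensions included).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"F: suspicious attachment {name}")

    return flags


def build_sample_phish():
    """Constructed lure modelled on the slide; every address, host and IP is made up."""
    msg = EmailMessage()
    msg["From"] = '"IT Help Desk" <helpdesk@nw-mail-secure.example>'
    msg["Reply-To"] = "recover@mailer-relay.example"
    msg["To"] = "clinician@example-health.org"
    msg["Subject"] = "Immediate action required: mailbox quota exceeded"
    msg.set_content(
        "<html><body><p>Dear User,</p>"
        "<p>Your mailbox will be suspended within 24 hours unless you verify your account.</p>"
        '<p><a href="http://203.0.113.10/owa/login">https://mail.example-health.org/owa</a></p>'
        "</body></html>",
        subtype="html",
    )
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                       filename="Quota_Report.pdf.exe")
    return msg


def build_benign_notice():
    """Constructed legitimate internal message for comparison."""
    msg = EmailMessage()
    msg["From"] = '"Jane Doe" <jane.doe@example-health.org>'
    msg["To"] = "clinician@example-health.org"
    msg["Subject"] = "Grand rounds schedule for next week"
    msg.set_content("Hi Dr. Lee,\n\nThe schedule is posted on the intranet under Education.\n\nJane")
    return msg
```

Heuristics like these raise the cost for the attacker but do not replace the user's judgement: a well-researched spear phish can avoid every one of them, which is why the slide says YOU are the last line of detection.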

(19)

North Shore LIJ Phishing Attack – Aug 2015

Never provide personal or sensitive information when requested via email. Recognize the red flags.

When "Access the documents here" was clicked, users were presented with the following screen (screenshot not reproduced in this text):

(20)
(21)

Cloud Computing

What is Cloud Computing?

Information processing residing on remote systems maintained by a third-party vendor and accessed over the Internet.

What is our policy for Cloud Based Storage?

Internet/cloud based storage must not be used to store or disseminate Sensitive and Highly Sensitive information such as PHI or PII without proper approval processes that include IT Contracts, the Office of Procurement, OCIO Security and, when appropriate, Research Administration. Users must follow proper procedures by saving Sensitive and Highly Sensitive information on a shared drive.

(22)

Save it to your Network Drive

1. Confidential information should be saved on your network home drive or a shared drive designated for this purpose.
• Files are physically secured in our corporate data centers
• Files are backed up regularly and can be restored
• Access is limited
2. Your network home drive can only be accessed by you.
3. Shared drives set up for confidential information allow users to collaborate and share files only with those users specifically granted access.
• Need a shared drive? Call the IS Help Desk or request one on the Employee Intranet.

(23)

Local Drives

1. Confidential information must not be saved on local hard drives except when necessary.
2. Your "C:" drive is the local drive inside your computer.
3. Local drives have:
• Less physical security
• No backups
• Possible access by others who use your computer
4. Shared computers are common throughout the Health System, but you should not save files to your local drive unless absolutely necessary.
• Note where you save the file
• Delete the file and empty your recycle bin when done with it (emptying the recycle bin does not securely erase the data from the disk, which is one more reason not to put PHI on a local drive)

(24)

Mobile Devices

Risks to Health Information

Risks vary based on the mobile device and its use. Risks include:
• A lost or stolen mobile device
• Inadvertently downloading viruses or other malware
• Unintentional disclosure to unauthorized users

Encryption is required!

(25)

Take the Steps to Protect and Secure Health Information When Using a Mobile Device

Protect and secure health information when using mobile devices:
• In a public space
• On site
• At a remote location

Regardless of whether the mobile device is:
• Personally owned (bring your own device, BYOD)
• Provided by our organization

Securely dispose of USB drives and other media that may contain PHI. Call the Help Desk for assistance.

(26)

Mobile Devices & Health Information

Practices that put health information at risk:
• Sharing your mobile device password or user authentication
• Allowing unauthorized users on your device
• Storing or sending unencrypted health information with your mobile device
• Ignoring mobile device security software updates
• Downloading applications (apps) without verifying they are from a trusted source
• Leaving your mobile device unattended
• Using an unsecured Wi-Fi network
• Discarding your mobile device without first deleting all stored information
• Ignoring our mobile device policies and procedures

(27)

Bring Your Own Device (BYOD)

What is BYOD?

Any non-Northwell Health device owned by a workforce member that is used for business purposes. Examples include personal laptops, smartphones, or handheld devices.

Securing Mobile Devices

• Enable encryption
• Use passcodes
• Avoid SMS phishing
• Update your devices
• Use mobile applications wisely
• Limit your use of Bluetooth

(28)

Application and Database Security

What is Database Security?

The practice of providing security controls for applications and databases such as REDCap, BUDDY, and other applications that have been approved by Information Security.

Security controls include:
• Limited access to systems (role based access)
• Strong password usage
• Secure central network storage of data
• Monitoring of database systems and audit logs
• Isolation of production data in production environments

(29)

Application and Database Security

Limited access to systems (Role Based Access)

1. Define user roles:
• Administrator (full access: read, write, delete)
• Editor (read, write)
• Reviewer (read only)
2. Grant access rights to a group, then place the user in the appropriate group. Access is revoked by removing the user from the group, and a review of group membership shows at a glance who can reach what.
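The two steps above (roles as permission sets, grants on groups rather than on people) are short enough to show end to end. The following is an added example, not code from the original course or from REDCap or Northwell: a minimal role-based access store in which rights are granted only to groups, a user's permissions are the union of the roles their groups hold, access is denied by default, and removing a leaver from a group revokes everything that group carried. Application, group and user names are made up.

```python
"""Group-based role assignment as the slide describes: rights go to a group,
users are placed in groups, and access is denied unless a group grants it.

Added example for this course page, not Northwell code; application names,
groups and users are made up.
"""
from enum import Flag, auto


class Perm(Flag):
    READ = auto()
    WRITE = auto()
    DELETE = auto()


# The three roles from the slide, expressed as permission sets.
ROLES = {
    "Administrator": Perm.READ | Perm.WRITE | Perm.DELETE,
    "Editor": Perm.READ | Perm.WRITE,
    "Reviewer": Perm.READ,
}


class AccessControl:
    """Minimal RBAC store: grants live on groups, never on individual users."""

    def __init__(self):
        self._group_grants = {}   # group -> {resource: role name}
        self._membership = {}     # user -> set of groups

    def grant(self, group, resource, role):
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}; use one of {sorted(ROLES)}")
        self._group_grants.setdefault(group, {})[resource] = role

    def add_member(self, user, group):
        self._membership.setdefault(user, set()).add(group)

    def remove_member(self, user, group):
        # Leaver or role change: one membership edit revokes every grant that group carried.
        self._membership.get(user, set()).discard(group)

    def permissions(self, user, resource):
        """Union of the roles a user's groups hold on the resource (empty if none)."""
        perms = Perm(0)
        for group in self._membership.get(user, ()):
            role = self._group_grants.get(group, {}).get(resource)
            if role is not None:
                perms |= ROLES[role]
        return perms

    def is_allowed(self, user, resource, needed):
        # Deny by default: every bit in `needed` must have been granted.
        return needed in self.permissions(user, resource)


def build_demo():
    """Constructed setup: one study database with coordinator, reviewer and admin groups."""
    ac = AccessControl()
    ac.grant("study42-coordinators", "redcap:study42", "Editor")
    ac.grant("irb-reviewers", "redcap:study42", "Reviewer")
    ac.grant("db-admins", "redcap:study42", "Administrator")
    ac.add_member("alice", "study42-coordinators")
    ac.add_member("bob", "irb-reviewers")
    ac.add_member("dana", "db-admins")
    return ac


if __name__ == "__main__":
    ac = build_demo()
    for user in ("alice", "bob", "carol", "dana"):
        print(user, ac.permissions(user, "redcap:study42"))
```

Because permissions are the union across groups, a user placed in several groups accumulates rights; periodic review of group membership is what keeps the model at least privilege.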

(30)

Application and Database Security

Strong Password Usage

(31)

Application and Database Security

Strong Password Usage

1. Avoid "leet speak" substitutions ("Joseph" becomes "J0s3ph"): password-cracking tools try these substitutions automatically, so they add no real strength.
2. The Northwell standard for application passwords:

Setting                  Standard
Minimum password length  6 characters (8 recommended)
Password complexity      Characters from at least three of the following four categories:
                         • Lower case letter [a-z]
                         • Upper case letter [A-Z]
                         • Numeric [0-9]
                         • Special character [! @ # $ % ^ & * ( ) _ + | ~ - = \ ` { } [ ] : " ; ' < > ? , . / space]
Password expiration      90 days
History (generations)    12
Lockout threshold        Five (5) consecutive failed login attempts within 15 minutes lock the user's account.

The table reflects the Northwell standard as presented. Note that current NIST guidance (SP 800-63B, 2017) recommends against forced periodic expiration and composition rules, favouring longer passphrases screened against lists of breached passwords; the lockout rule and the ban on dictionary words with leet substitutions remain good practice.
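The rules in the table are easy to state and easy to get subtly wrong (the leet-speak check and the "within 15 minutes" window in particular). The following is an added example, not Northwell's implementation: a checker for the length, complexity, dictionary/leet, history and expiration rules, plus a lockout tracker that only counts failures inside the 15-minute window. The word list, the per-user salt and the 15-minute lock duration (the slide does not say how long an account stays locked) are assumptions.

```python
"""Checker for the application password standard above, plus the lockout rule.

Added example for this course page, not Northwell's implementation. The word
list, the per-user salt and the 15-minute lock duration are assumptions.
"""
import hashlib
import re
import string
from collections import deque
from datetime import datetime, timedelta

MIN_LENGTH = 6                        # 8 recommended
MIN_CATEGORIES = 3
EXPIRY_DAYS = 90
HISTORY_GENERATIONS = 12
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=15)
LOCK_DURATION = timedelta(minutes=15)  # assumed; the slide does not say how long the lock lasts

# Substitutions every cracking wordlist already includes: "J0s3ph" normalises to "joseph".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
WEAK_WORDS = {"password", "joseph", "welcome", "summer", "winter", "letmein", "qwerty"}  # assumed list


def category_count(pw):
    """How many of the four character categories the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation or c == " " for c in pw),
    ])


def looks_like_dictionary_word(pw):
    """True if stripping case, digits/symbols and leet substitutions leaves a known weak word."""
    for candidate in (pw.lower(), pw.lower().translate(LEET)):
        if re.sub(r"[^a-z]", "", candidate) in WEAK_WORDS:
            return True
    return False


def history_hash(pw, salt):
    """Only salted PBKDF2 hashes of previous passwords are kept for the history check."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000).hex()


def check_password(pw, history_hashes=(), salt=b"per-user-salt"):
    """Return the policy violations for a proposed password (empty list = acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if category_count(pw) < MIN_CATEGORIES:
        problems.append(f"fewer than {MIN_CATEGORIES} of 4 character categories")
    if looks_like_dictionary_word(pw):
        problems.append("dictionary word or leet-speak variant of one")
    if history_hash(pw, salt) in list(history_hashes)[-HISTORY_GENERATIONS:]:
        problems.append(f"reused within the last {HISTORY_GENERATIONS} passwords")
    return problems


def is_expired(last_changed, now):
    return now - last_changed >= timedelta(days=EXPIRY_DAYS)


class LockoutTracker:
    """Lock an account after LOCKOUT_THRESHOLD failures inside one LOCKOUT_WINDOW."""

    def __init__(self):
        self._failures = {}      # user -> deque of failure times
        self._locked_until = {}  # user -> datetime

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, now):
        window = self._failures.setdefault(user, deque())
        window.append(now)
        while window and now - window[0] > LOCKOUT_WINDOW:
            window.popleft()               # failures older than 15 minutes no longer count
        if len(window) >= LOCKOUT_THRESHOLD:
            self._locked_until[user] = now + LOCK_DURATION
            window.clear()
        return self.is_locked(user, now)

    def record_success(self, user):
        self._failures.pop(user, None)     # a successful login resets the counter


def lockout_demo():
    """Constructed timeline: five rapid failures lock jdoe; asmith's five failures
    span 20 minutes, so the oldest drop out of the window and no lock occurs."""
    t0 = datetime(2015, 8, 14, 9, 0, 0)
    tracker = LockoutTracker()
    return {
        "jdoe_locked_after_each": [tracker.record_failure("jdoe", t0 + timedelta(seconds=i)) for i in range(5)],
        "jdoe_locked_5min_later": tracker.is_locked("jdoe", t0 + timedelta(minutes=5)),
        "jdoe_locked_30min_later": tracker.is_locked("jdoe", t0 + timedelta(minutes=30)),
        "asmith_locked_after_each": [tracker.record_failure("asmith", t0 + timedelta(minutes=m)) for m in (0, 1, 2, 3, 20)],
        "password_expired": is_expired(t0, t0 + timedelta(days=EXPIRY_DAYS)),
    }
```

A lockout counter that never expires old failures turns ordinary typos into a denial of service against your own users; one that forgets them too quickly lets an attacker pace guesses just under the threshold, which is why the window and the threshold are stated together.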

(32)

Application and Database Security

Physical security for server infrastructure

1. Locked room or cage
2. CCTV
3. Record access to the room:
• Log book
• ID card reader
4. Never allow anyone in unattended
5. Backup media must be secured (and encrypted)

(33)

Application and Database Security

Secure central network storage of data

1. Encrypt! Encrypt! Encrypt!
• Encrypt the storage system: full disk encryption protects the data if a drive, server or backup tape leaves the building, but not against anyone who can log in to the running system.
• Encrypt the database: built-in or 3rd-party tools can provide database encryption.
• Encrypt tables (or columns) within the database that might contain ePHI or other sensitive or confidential information, so the data stays protected even from accounts that can query the database or read its backups.
• Keep the keys separate from the data: an encryption key stored beside the encrypted database protects nothing.

(34)

Application and Database Security

Monitoring of systems and audit logs

1. Monitoring and review of audit logs is required to maintain the integrity of the data and to detect inappropriate access: who viewed or changed which record, when, and from where.
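Log review only delivers on that requirement when someone (or something) actually asks questions of the log. The following is an added example, not code from the original course, from REDCap or from Northwell: it parses a constructed audit log and applies three rules of the kind patient-privacy monitoring uses, a workforce member opening their own record, a bulk export outside business hours, and an unusual number of distinct records viewed inside any 60-minute window. The log format, user names, record numbers and thresholds are all made up.

```python
"""Review an application audit log for the patterns privacy monitoring looks for.

Added example for this course page; the log format, user names, record numbers
and thresholds are constructed and do not come from REDCap or Northwell.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BULK_VIEWS_PER_HOUR = 20                 # assumed threshold for "too many charts in an hour"
BUSINESS_HOURS = (7, 19)                 # assumed 07:00-19:00 window for routine access
EMPLOYEE_RECORDS = {"jdoe": "1042"}      # constructed: record 1042 belongs to workforce member jdoe

# Constructed log lines: "timestamp | user | action | detail"
SAMPLE_LOG = "\n".join(
    [
        "2015-08-14 09:02:11 | jdoe   | VIEW   | record=2201",
        "2015-08-14 09:05:40 | jdoe   | VIEW   | record=1042",
        "2015-08-14 02:13:05 | tmills | EXPORT | records=all fields=all",
        "2015-08-14 11:20:00 | tmills | VIEW   | record=2203",
    ]
    + [f"2015-08-14 10:{i:02d}:00 | rclark | VIEW   | record={3000 + i}" for i in range(25)]
)


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, action, detail = [field.strip() for field in line.split("|")]
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "user": user, "action": action, "detail": detail})
    return events


def _record_id(detail):
    for token in detail.split():
        if token.startswith("record="):
            return token[len("record="):]
    return None


def review(events):
    findings = []

    # Rule 1: a workforce member opening their own chart (the same check extends to
    # relatives' or VIP records once those mappings exist).
    for e in events:
        rec = _record_id(e["detail"])
        if e["action"] == "VIEW" and rec is not None and EMPLOYEE_RECORDS.get(e["user"]) == rec:
            findings.append(f"self-access: {e['user']} viewed own record {rec} at {e['time']}")

    # Rule 2: bulk exports outside business hours.
    for e in events:
        if e["action"] == "EXPORT" and not BUSINESS_HOURS[0] <= e["time"].hour < BUSINESS_HOURS[1]:
            findings.append(f"after-hours export: {e['user']} at {e['time']} ({e['detail']})")

    # Rule 3: many distinct records viewed within any 60-minute sliding window.
    views = defaultdict(list)
    for e in events:
        if e["action"] == "VIEW":
            views[e["user"]].append((e["time"], _record_id(e["detail"])))
    for user, items in views.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > timedelta(hours=1):
                start += 1
            distinct = {rec for _, rec in items[start:end + 1]}
            if len(distinct) >= BULK_VIEWS_PER_HOUR:
                findings.append(f"bulk access: {user} viewed {len(distinct)} records "
                                f"between {items[start][0]} and {items[end][0]}")
                break   # one finding per user is enough to open a review
    return findings


def review_sample():
    return review(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in review_sample():
        print(finding)
```

Each finding is a lead for the privacy office, not a verdict: the coordinator viewing 25 charts may be doing a legitimate chart review, which is exactly what the follow-up conversation establishes.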

(35)

Application and Database Security

Example of a REDCap audit log

(36)

Application and Database Security

Isolate production data to production environments

1. Development, test and QA environments should not contain production data.
• Developers, vendors and other 3rd parties should not see ePHI.
2. Use de-identified or "dummy" data for development work. De-identified means de-identified in the HIPAA sense: the direct identifiers removed under the Safe Harbor rules, or an expert determination that the risk of re-identification is very small.
3. If a vendor or other 3rd party requires access to production, a Business Associate Agreement (BAA) must be in place.

(37)

For More Information

Have questions? Call the IS Helpdesk at (718, 516, 631) 470-7272
Research IS questions? [email protected]

Get IT Security tips:
https://nslijhp.northshorelij.com/employees/ComputerSecurityTips/Pages/default.aspx

See Northwell Health Security Policies:
https://nslijhp.northshorelij.com/NSLIJ/departments/IS/Toolbox/Pages/default.aspx

Office of Research Compliance guidance on electronic security:
http://nslij.com/orc → Tools and Guidance → Electronic Security

Ashish Narayan: Director, Information Systems, FIMR
Joe Baskin: Manager, Information Security, OCIO

(38)

References
