
DATA SECURITY

HACKS, HIPAA AND HUMAN RISKS

MSCPA HEALTH CARE SERVICES SEMINAR

Ken Miller, CPA, CIA, CRMA, CHC, CISA, Senior Manager, Healthcare

(2)

AGENDA

2015 The Year of the Healthcare Breach

The Human Risk

Social Engineering Resistance

Technical Controls

OCR Enforcement - What’s Next?

Settlements and Fines – The Rest of the Story

Priority Action Steps

(3)

The Year of the Healthcare Breach

2015 – The Year of Healthcare Data Breaches

Anthem Blue Cross – January – 80 million records

Premera Blue Cross – March – 11 million records

CareFirst Blue Cross Blue Shield – May – 1.1 million records

UCLA Health System – July – 4.5 million records

Excellus Blue Cross Blue Shield – September – 10 million records

(4)

The Year of the Healthcare Breach

Why?

Medical information is worth 10 to 20 times the value of a stolen credit card. Credit card numbers can be had for a dollar or two; healthcare billing data can go for $10, and some sites even offer records for up to hundreds of dollars.

What’s the difference? Banks have developed sophisticated anti-fraud technology, and a stolen credit card’s useful life span is limited. A Medicare number may yield more payback before it can be stopped.

(5)

The Year of the Healthcare Breach

How?

“Sophisticated” hacking techniques. This terminology is commonly used in the aftermath of a hack, and it implies that resistance was futile: hackers armed with advanced technology and persistence would eventually crack any defenses.

(6)

The Human Risk

Many “sophisticated” hacks are not aimed at network defenses, trying to break through firewalls or sneak in through open ports.

They are aimed at employees – a perceived soft target.

Sophisticated fake websites and email scams are targeted at employees to steal credentials.

Hackers can research targets on LinkedIn and Facebook, and target IT staff with privileged access.

If they take the bait and give up their credentials, the hackers can just log right in.

(7)

The Human Risk

The Chinese hacking group “Deep Panda” is suspected, based on prior similar attacks.

Hackers are behind the registration of websites such as:

www.we11point.com (a play on Anthem’s former name, Wellpoint)

www.prennera.com (a play on Premera)

These websites are then used in social engineering attacks to create fake portals to try and lure employees to give up their network or
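A detection for the look-alike domains described above, written here as an added example (not code from the seminar or its author): it folds the character substitutions seen in we11point.com and prennera.com back to the letters they imitate and compares the result against an assumed list of protected brand domains; the brand list and the sample sender addresses are constructed for the demonstration.

```python
"""Look-alike sender-domain triage (added example, not from the seminar deck).
Folds common substitutions (1 for l, "nn"/"rn" for m, ...) back to the letter
they imitate and compares the result against an assumed list of brand domains."""

# Substitute -> letter it imitates. Multi-character entries must run first.
CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]
PROTECTED = ["wellpoint.com", "premera.com", "anthem.com"]  # assumed brand list

def registrable(host):
    """Naively reduce a host to label.tld (no public-suffix list: co.uk etc. unhandled)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def skeleton(label):
    """Fold confusable sequences so we11point -> wellpoint and prennera -> premera."""
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label

def classify(host):
    """Return (verdict, matched_brand) for the domain part of a sender address."""
    dom = registrable(host)
    if dom in PROTECTED:
        return ("legitimate", dom)
    if "." not in dom:
        return ("unrelated", None)
    label, tld = dom.rsplit(".", 1)
    for brand in PROTECTED:
        blabel, btld = brand.rsplit(".", 1)
        if label == blabel and tld != btld:
            return ("tld-swap", brand)
        if skeleton(label) == skeleton(blabel):
            return ("homoglyph-lookalike", brand)
    return ("unrelated", None)

# Constructed sample From: addresses, including the two domains named in the deck.
SAMPLE_FROM = ["it-support@www.we11point.com", "hr@prennera.com",
               "billing@anthem.com", "news@wellpoint.net", "x@example.org"]

def triage(addresses):
    """Map each address to its verdict; a mail gateway would quarantine non-legitimate hits."""
    return {a: classify(a.rsplit("@", 1)[1]) for a in addresses}

if __name__ == "__main__":
    for addr, (verdict, brand) in triage(SAMPLE_FROM).items():
        print(f"{addr:30} {verdict:20} {brand or '-'}")
```

The same skeleton comparison can be run against newly registered domains from a certificate-transparency or domain feed to catch a look-alike before it is used.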

(8)

Social Engineering Resistance

What is Phishing?

An attempt to acquire sensitive information, such as credit card or bank information or user IDs and passwords to systems, for malicious reasons by creating the illusion of trust.

• May be email

• May be website

(9)
(10)

Social Engineering Resistance

What does a phishing email message look like?

Source: Microsoft Safety and Security Center: http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx

(11)

Social Engineering Resistance

5 most dangerous email subjects:

1. Invitation to connect on LinkedIn

2. Mail delivery failed: returning message to sender

3. Dear <insert bank name here> Customer

4. Comunicazione importante (Italian: “Important communication”)

(12)

Social Engineering Resistance

What is Baiting?

• An attempt to infiltrate networks by using a person’s curiosity against them by means of a bait device (a USB drive or CD/DVD) that contains malicious software (“malware”). When the device is plugged in, it attempts to load its files onto the PC and network.

Example bait label from the slide: “Hot Hot Hot – Hacked Celebrity Cellphone Pics”

(13)

Social Engineering Resistance

What is Pretexting?

• A scam or hack that uses a lie as the basis for gaining trust, or for being perceived as having authority, in order to influence someone to divulge information or take an action beneficial to the scammer or hacker.

“Hi, this is Bob in IT, we are doing an update and I need you to authorize a remote session and log in to this portal using your ID and password…”

(14)

Social Engineering Resistance

What to do?

Security Awareness Training

Make sure content is thorough

Tell workforce what to watch for, who to contact when in doubt

Tell workforce what the company will and won’t do

Make the workforce a hard target

Accountants – this is not just for your healthcare clients – if you have signed a BAA with a client, HIPAA expects you to have security training, too.

(15)

Technical Controls

Technical controls for hack resistance

Firewalls – use hardware-based firewalls that are kept patched with current firmware versions and are currently supported by the vendor.

Intrusion Prevention Systems – some firewalls have intrusion prevention features and others do not. Additional tools and appliances may be needed for full protection.

Configure alerts and monitoring on the network traffic.

Pre-hack – conduct scans and vulnerability reviews and mitigate findings.

(16)

Federal HIPAA Oversight

Enforcement

U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is the enforcement agency for HIPAA.

Performs investigations of reported breaches

Levies civil money penalties for failures to comply with HIPAA provisions

OCR HIPAA Compliance Audit Program – Phase 2

It is still coming; it has been lingering, but 2016 appears to be the year

Contracts have been let with audit firm FCi Federal

(17)

Federal HIPAA Oversight

OCR HIPAA Compliance Audit Program – Phase 2

More defined scope than Phase 1

Business Associates Phase 2 Focus Areas

Risk Analysis & Risk Management

Breach reporting to covered entities

Covered Entity Phase 2 Focus Areas

Notice of Privacy Practices, individual access, breaches

Risk Analysis & Risk Management

Training programs

Device and media controls

(18)

Federal HIPAA Oversight

OCR HIPAA Compliance Audit Program – Phase 2

Later focus areas, mentioned for perhaps 2017 and beyond…

Covered Entity Phase 2 Focus Areas

Encryption and decryption

Facility access controls

Breach notification reports and complaints

Policies

Poor audit results could result in referrals for investigations, which can lead to settlements and penalties, such as…

(19)

$150,000 Settlement

Anchorage Community Mental Health Services

Settlement released in December 2014

Incident occurred in 2012

What Happened?

Malware infiltrated the provider’s network and compromised the data of 2,743 patients.

What Were the Findings?

Failed to implement appropriate technical safeguards to ensure data security, specifically firewalls and patching of systems

(20)

$218,400 Settlement

St. Elizabeth Medical Center

Settlement released in July 2015

Initial incident occurred in June 2012, another in August 2014

What Happened?

• A complaint in 2012 stated that 498 patients’ data was being stored improperly on internet sharing sites. In 2014 SEMC reported a breach involving 595 patients whose data was on a former employee’s personal laptop and USB drive.

What Were the Findings?

• Failed to implement appropriate security measures on transmission and storage of PHI

• Failed to properly respond to a known security incident

• SEMC must assess awareness and compliance with policies…that means you, cardiology.

(21)

$750,000 Settlement

Cancer Care Group, P.C.

Settlement released in September 2015

Incident occurred in August 2015

What Happened?

• A laptop bag was stolen from an employee’s car. Good news – the laptop did not contain PHI. Bad news – the unencrypted backup of the server that was in the bag held the PHI of all past and present patients, around 55,000 patients.

What Were the Findings?

• Failed to conduct a security risk assessment from 2005 to 2012; no policy for removal of hardware and media

• Disclosed 55,000 patients’ data to an unauthorized person for an impermissible purpose when it failed to secure the backup media

• CCG must complete a risk assessment, implement a risk management plan, and review and revise its policies and training program.

(22)

Large Breaches to Date in Mississippi

As noted in the OCR large breach database:

• Mississippi (MS) has only 7 breaches reported since 2009

• 1 theft of desktop computer – 1,104 patients

• 1 loss of laptop – 500 patients

• 1 hacking or IT incident – 1,489 patients

• 1 theft of an “other device” – 3,750 patients (X-rays stolen for silver content)

• 1 theft of paper/films – 1,797 patients

• 1 improper disposal of paper/films – 19,000 patients

• 1 theft of electronic medical record – 846 patients

(23)
(24)

• Conduct and keep current a Security Risk Assessment – covered entities and business associates

• Develop a security risk management program

• Use encryption tools when needed - laptops, email, storage devices

• Develop a Security Training Program that covers social engineering resistance (on top of basic security content – passwords, etc.)

• Conduct technical reviews such as vulnerability scans

• Evaluate current use or need for intrusion prevention tools, data leakage prevention tools as part of technical defenses

(25)

QUESTIONS AND COMMENTS?

(26)

HORNE can assist with:

• Security Risk Assessments

• HIPAA Program Compliance Gap Analysis (Privacy & Security Rule)

• Policy and Procedure Implementation or Review

• Technical Reviews

For more information on this content, please contact: Ken Miller, CPA, CIA, CRMA, CHC, CISA

HORNE LLP

Telephone: 601.326.1171 [email protected]
