
The Current State of Privacy and Security in Healthcare

Join this informative session to explore the challenges and trends in healthcare privacy and security. Learn about new privacy laws, cybersecurity threats, best practices for medical device security, and real-world examples of recent incidents.


Presentation Transcript


  1. The Current State of Privacy and Security in Healthcare Presented By: David W Bailey, CISSP Director Security Services

  2. About CynergisTek Trusted Advisor • Unbiased assessments & development • Not a VAR • No subcontractors • Executive level sponsors • Community-based problem solving Healthcare Focused • Founded in 2004 (HQ in TX) • Over 1,000 hospitals • Payers, Med Device Manufacturers, Labs • Vulnerability Assessments on 1.5M devices/year Award Winning • Best in KLAS 2017 Cybersecurity Advisory Services • 10 Best Cybersecurity Companies in 2018-CIOBulletin.com • Top 10 Health Compliance Solution Provider-2017, Healthcare Tech Outlook • Frost & Sullivan “Best Practices Award, 10/10” Experts & Thought Leaders • Unique OCR expertise • Over 600 articles & interviews per year • CHIME & AEHIS Foundation firm • ISACA, ISSA, NH-ISAC, InfraGard • HIMSS platinum member • Serves on boards of AEHIS, CHIME, ACHE, HIMSS

  3. Today’s Presenter • Director Security Services, CynergisTek, Inc. • Leads the risk assessment practice; NIST Cybersecurity Framework, HIPAA, etc. • Recovering HIPAA Security Officer • Started in cyber in 1999 • CISSP Dave Bailey CynergisTek, Inc.

  4. Today’s Agenda • 1. Outlook on Healthcare Issues for 2019 • 2. Security • 3. Privacy • 4. A Deeper Dive: Privacy Today • 5. Open Q&A

  5. Desired Learning Objectives

  6. Desired Learning Objectives • Privacy, Security, and Compliance Challenges for Healthcare • New Privacy Laws and What They May Mean for You • Cybersecurity Threats and Trends Across the Healthcare Industry • Medical Device and IoT Device Security Best Practices • Real-World Examples of Recent Incidents and Some Key Takeaways from Each

  7. Outlook on Healthcare Issues for 2019

  8. Security

  9. Industry Scorecard • Three conformance scores shown on the slide: 49% (up from 45% in 2017); 40% (up from 35.35% in 2017); 72.9% (down from 73.69% in 2017) • Infrastructure: 26 categories, in 7 groups, evaluated against industry best practices on how you configure, secure, operate, & maintain your infrastructure • HIPAA Security Rule: 45 Implementation Specifications evaluated in 4 groups: Administrative, Physical, Technical & Organizational • NIST Cybersecurity Framework: 22 Controls evaluated in 5 groups: Identify, Protect, Detect, Respond & Recover

  10. Attacks On Healthcare Increasing • April 2019, worst month for healthcare breaches since HHS started publishing breach reports in October 2009* • 67% higher than avg number of monthly breaches over the past 6 years • May saw a 186% increase in records exposed over April • Increasing attacks since 2015* • Reasons why • Highly valuable data (10x more than credit card number) • Lack of IT investment and thin margins • Highly connected systems with many participants • Push for interdependence and interconnectedness • Outdated software and devices** • Vulnerability management issues** *Rapid7 Quarterly Threat Report **Energy and Commerce Committee Report

  11. Still the Biggest Threat in Healthcare: Insiders • The most frequently targeted types of data in the healthcare industry were*: • Medical (79 percent) • Personal (37 percent) • Payment (4 percent) • In late 2018, cryptojacking replaced ransomware and that trend is continuing so far in 2019 • In healthcare, 56 percent of incidents were attributed to internal threats. • The most common cause of a cyberattack was human error (35 percent), followed by misuse (24 percent). • In 13 percent of incidents related to system misuse, employees attributed the breach to "curiosity" — for example, if a celebrity had recently been a patient.* *Verizon 2018 Data Breach Investigations Report https://enterprise.verizon.com/resources/reports/dbir/

  12. Out of Sight Should Never Be Out of Mind* • 20% of cybersecurity incidents and 15% of data breaches originated from people within a breached organization. • The top reasons for these cyberthreats were: • Financial gain (47.8%), • Pure fun (23.4%), and • Espionage (14.4%). • 5 Categories of Threat Actors • The Careless Worker • The Inside Agent • The Disgruntled Employee • The Malicious Insider • The Feckless Third Party *Insider Threat Report, Verizon, 2019 https://enterprise.verizon.com/resources/reports/verizon-threat-research-advisory-center/

  13. “The Feckless Third Party” • Use a risk-based approach, not a compliance-based one • Understand third-party risk management • Know where your data is and who has access • Your data, your responsibility • Treat the disease, not the symptoms (root cause analysis, RCA)

  14. Phishing . . . It’s Amazing What You Can Catch • Phishing for payroll is the “attack of the year.” • We have seen significant impact from these attacks, both directly and indirectly. • Simple phishing emails, typically well-written, convincing, and able to get past email filters. • The fact that most orgs use a third-party payroll site is why this works so well. • These messages often look legitimate and even appear to come from inside the organization. • Besides educating users to be skeptical of anything they didn’t explicitly request, having payroll print a report of everyone who changed their direct-deposit details since the last payday is the easiest way to catch this before money leaves.
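The report the slide recommends, written out as an added example (not code from the presentation or from CynergisTek). It assumes a change log exported from the payroll system with one row per direct-deposit change; the employee IDs, masked account numbers and timestamps below are constructed sample data. It also goes one step beyond the slide: when several employees switched to the same new account inside one pay period, those rows are flagged first, on the assumption that one attacker is collecting several paycheques into one mule account.

```python
"""Direct-deposit change report for payroll phishing triage.

Added example, not from the presentation. The change log below is
constructed sample data; a real report would read it from the payroll
or HR system's audit trail.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class DepositChange:
    employee_id: str
    changed_at: datetime
    old_account: str   # masked: last four digits only
    new_account: str
    channel: str       # where the change was made, e.g. "self-service" or "hr-desk"


# Constructed sample change log (hypothetical employees and accounts).
SAMPLE_CHANGES = [
    DepositChange("E1001", datetime(2019, 6, 28, 9, 5), "****1234", "****9981", "self-service"),
    DepositChange("E1042", datetime(2019, 7, 3, 14, 22), "****5521", "****7730", "self-service"),
    DepositChange("E1077", datetime(2019, 7, 5, 11, 1), "****0912", "****7730", "self-service"),
    DepositChange("E1090", datetime(2019, 7, 8, 8, 30), "****4410", "****3345", "hr-desk"),
]


def changes_since(records, last_payday: str):
    """Every deposit change made after the last payday (ISO date), oldest first.

    This is the check the slide recommends: anyone who altered deposit
    details since the last pay run gets a human look before the next one.
    """
    cutoff = date.fromisoformat(last_payday)
    recent = [r for r in records if r.changed_at.date() > cutoff]
    return sorted(recent, key=lambda r: r.changed_at)


def shared_new_accounts(records):
    """Map each new account that more than one employee switched to -> employee ids.

    Assumption beyond the slide: several employees redirecting pay to one
    account in the same period is treated as a high-priority indicator.
    """
    by_account = defaultdict(set)
    for r in records:
        by_account[r.new_account].add(r.employee_id)
    return {acct: sorted(ids) for acct, ids in by_account.items() if len(ids) > 1}


def build_report(records, last_payday: str):
    """Return the recent changes, any shared destination accounts and printable lines."""
    recent = changes_since(records, last_payday)
    shared = shared_new_accounts(recent)
    lines = []
    for r in recent:
        flag = "  <-- SAME NEW ACCOUNT AS ANOTHER EMPLOYEE" if r.new_account in shared else ""
        lines.append(
            f"{r.changed_at:%Y-%m-%d %H:%M} {r.employee_id} "
            f"{r.old_account} -> {r.new_account} via {r.channel}{flag}"
        )
    return {"changes": recent, "shared_accounts": shared, "lines": lines}


if __name__ == "__main__":
    report = build_report(SAMPLE_CHANGES, last_payday="2019-06-30")
    print("Direct-deposit changes since last payday:")
    print("\n".join(report["lines"]))
```

Run it between the close of self-service changes and the pay run; every line in the output is a phone call to the employee on a number already on file, not a reply to the email that requested the change.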

  15. Benchmark Phish-prone Percentages by Industry

  16. The New Frontier - - Genetic Data • DNA Test Service Exposed Thousands of Client Records Online (7/9/2019): DNA-testing service Vitagene left thousands of health reports exposed online for years; the reports included names alongside dates of birth and gene-based information and dated from when the company was in “beta” testing (2013-2014) https://www.bloomberg.com/news/articles/2019-07-09/dna-testing-service-exposed-thousands-of-customer-records-online • Personalized medicine software vulnerability uncovered (7/8/2019): a weakness in open source genomic analysis software, fixed in the current release https://www.databreachtoday.com/open-source-genomic-analysis-software-flaw-patched-a-12750 • Protecting genetic information is more than storage: the security of the systems analyzing the genetic data is crucial

  17. But Grabbing All the Attention . . . • Medical device security was thrust into the spotlight in 2018, as the Food and Drug Administration continued to bolster its cybersecurity program. • August 2018 MedCrypt report found that since the FDA released its cybersecurity guidance in 2016, medical device vendors reported 400 percent more vulnerabilities per quarter.

  18. Integration of Clinical Engineering and IT Skipping the history . . . • 35 years ago Clinical Engineering was maintenance focused • Management/Consulting services & support for discrete equipment • Today, it is technology management including strategy, quality & safety • Training and HW & SW support, regulatory & compliance, vendor management, asset management, installation & integration • IT historically was focused on the business side of healthcare • Accounting, billing, A/P and P/R, Supply Chain • Today, it is all about the EMR and patient care • Clinical workflows, Clinical Decision Support, Quality & Outcomes measures

  19. So, with Fewer Resources and More Overlap, Why Can’t We Get it Together? Clinical Engineering (CE) • Patient care focus • Action • Reports to Facilities or Maintenance • “IT won’t let me do what I need to do.” Information Technology (IT) • Technology focus • Process • Reports to Operations or Finance • “Biomed just does stuff - - they don’t plan or document.”

  20. Increasing Commonality – Integrated Medical Technology Systems • Integrated medical systems whose function includes: • Store & permit retrieval of physiological data & images • Permit remote viewing of stored data/images by physicians & clinicians • Chart information to the EMR • Ingest personal data from personal wearables and remote monitors • Examples of these integrated medical systems: • DB servers (physiologic monitoring) • Cardiac Cath lab and Diagnostic Cardiac ultrasound • Endoscopy • PACS/Lab/Rx • Alarms • Fitbit

  21. Additional Drivers Leading to CE-IT Convergence • Integrating the Healthcare Enterprise (IHE) • Patient Safety and Quality Outcomes Management • Telemedicine • Increasing application of: • RFID, DICOM, Bluetooth, WiFi • Increased Government/Industry Focus • FDA, MDS2, other initiatives • Information Security – integrity, availability, confidentiality • Cybersecurity, Privacy, Disruption (ransomware, DDoS)

  22. How Do the Numbers Stack Up? • 67% of medical device makers believe their devices are likely to be attacked in the next 12 months [1] • 17% of device makers are taking significant steps to prevent attacks [2] • 10 to 15 connected devices per bed in US hospitals [3] [1] Synopsys, “Medical Device Security: An Industry Under Attack and Unprepared to Defend,” https://www.synopsys.com/software-integrity/resources/analyst-reports/medical-device-security-report.html [2] Ibid. [3] Newman, L.H.; “Medical Devices Are the Next Security Nightmare,” Wired, 2 March 2017, https://www.wired.com/2017/03/medical-devices-next-security-nightmare/

  23. Management Solutions • Biomedical devices are not just hardware • Treat them as computing end-points • Treat them as if they contain patient data – many do! • Protect them from unauthorized physical and network access • You must presume a breach if lost, stolen, or even out of your control • Addressing biomedical risks is a management problem • Accountability stops w/CEO, but departments share responsibility • The CISO and compliance • Look at newer tools that can passively scan • These also interface with the common CMMS applications • Consider outsourcing the security management to address talent gaps

  24. And it All Comes Down to . . . . • Good security hygiene and awareness are key… • But there is no one-size-fits-all answer; this is unique to each org. • Key factors that make the difference: • Leadership style • Leadership’s risk tolerance • Corporate/practice culture • The message needs to be delivered in a way the recipient can understand, in their terms • Training materials you find or get from outside need to be customized

  25. What is Good Security Hygiene?

  26. HIPAA Privacy Rule (chart: Average HIPAA Privacy Rule Conformance) • Privacy Rule conformance starts well above Security conformance (both NIST CSF and HIPAA Security Rule) • Privacy will likely be of increasing focus and attention • GDPR • State laws

  27. Privacy

  28. Current State of Privacy • HIPAA Privacy and Breach Notification Rules set bright-line standards for most health care providers, insurers and vendors • GDPR has influenced the development of new federal and state privacy schemes but has had limited impact on U.S. healthcare organizations • All states and territories have breach notification requirements to notify consumers when data is compromised • 24 states have laws that protect health information and personal information more broadly than HIPAA or other federal standards • California will require businesses to give consumers notice and choice when personal information is collected and shared

  29. Costs of Data Breach in Healthcare • Cross-industry average cost of data breach is $148 per record lost • In healthcare, jumps to $408 per record • Highest of any industry, followed by financial services • What are these costs? • Detection and escalation • Notification costs • Post data breach response • Lost business 2018 Cost of Data Breach Study – Ponemon Institute

  30. More Breaches Involve Cybersecurity & BAs

  31. 500+ Breaches Reported to OCR by Type September 23, 2009 through June 30, 2019 January 1, 2019 through June 30, 2019

  32. HIPAA’s Approach to BAs: An Evolution • Privacy Rule: Protect against unauthorized uses & disclosures to protect the privacy of PHI • Security Rule: Risk Analysis and Risk Management Plan • Both: Obtain satisfactory assurances that the business associate “will appropriately safeguard” PHI in the form of a business associate agreement • If a covered entity knows of a pattern of activity or practice of the business associate that constitutes a material breach or violation of the business associate’s obligations, the covered entity must take steps to cure the breach or end the violation, and if such steps are unsuccessful, terminate the contract, if feasible • And, as of HITECH, business associates have direct liability for civil monetary penalties (CMPs) for certain violations of the Privacy Rule and any violation of the Security Rule

  33. Managing Vendors to Reduce Risk From BAs Conduct initial and ongoing due diligence • Audits and questionnaires • Risk introduced by the vendor • Type and volume of PHI • Criticality of vendor’s functions • Know • How they address risks of subcontractors • Whether they use offshore subcontractors • Require • Written privacy and security policies • Risk analysis and risk mitigation plan • An incident response plan • Business continuity and disaster recovery plan • Training and sanction policy

  34. What to Do When the Inevitable Occurs • Activate your incident response plan – Immediately! • Determine how and when to probe • Who to involve at early stage of investigation (think small) • Legal counsel (in-house and outside counsel) • CISO and IT • Privacy officer and chief compliance officer • Contain and mitigate • Establish cadence of status reports • Review the vendor agreement and BAA • Determine form of vendor reports

  35. Incident Response Requires a Team Approach • Require preservation of evidence for forensic analysis, if necessary • Identify needed documentation, if any, to conduct a root cause analysis • Description of what happened, including the date of the incident and the date of discovery and investigative steps • Inventory of data • Forensic reports • Determine whether law enforcement should be notified • Report cyber threats to information-sharing & analysis orgs

  36. Reporting and Recovery • Determine HIPAA and state reporting obligations, if any • If reporting, determine if a PR firm is necessary and potentially establish a call center • Document the breach risk assessment, even if no reporting • Log improper disclosures, if necessary, for accounting purposes • Re-evaluate the relationship with the vendor • Take stock of lessons learned from the incident

  37. Changing Definition of Health Information States Are Protecting Information not Covered by HIPAA • HIPAA applies to a defined set of information when created or maintained by a limited set of organizations • Covered Entities • Group health plans, insurers and other payers • Healthcare providers that bill Medicare, insurance & health plans electronically • Healthcare clearinghouses • Business associates • Contractors & vendors of CEs who create, maintain or transmit PHI • States broadly defining PII held by data owner or data processor

  38. States Enforcing Data Protection • State attorneys general (AGs) are bringing enforcement actions to protect consumer information from unauthorized disclosure. • AGs in Indiana, Massachusetts, New York, and New Jersey have been extremely aggressive. • Millions of dollars in settlements from healthcare systems and an assortment of IT services vendors for failing to safeguard data containing sensitive personal information. • The PA Supreme Court found a common-law duty to use reasonable safeguards to protect the personal information an organization collects from theft or unauthorized access.

  39. State Approach is a Blend of Privacy + Security • Trends in new state laws setting standards for data protection of PII • Requires organizations to have in place reasonable security safeguards • No national standard defining reasonable security • Look to recommendations of FTC and NAIC Model Law for Cybersecurity

  40. Develop Processes to Meet State Requirements It’s Crucial to Know the State Law Requirements for Where Your Organization is Operating • There is a patchwork of state breach notification laws that may apply • Reporting deadlines may differ • Content of notice may differ • Notice to state regulatory bodies may be necessary • Many states layer their notification requirements on top of HIPAA

  41. The More You Know… • Identify each of the states in which your organization has a business presence. • This question has both practical and legal implications. • Many states have passed laws to define what it means to be doing business in their state, including by merely having a digital presence. • Seek advice of legal counsel in identifying what activities comprise doing business in a specific state.

  42. 50 Shades of Breach • Research and review the laws in each state in which your organization does business or holds the PII of a state’s residents. • How does that state define PII? • What is a “breach” and when is the breach reportable; who must receive notification; and, when must notifications be made? • What are the applicable state data protection or data disposal standards? • Are there industry-specific cybersecurity program requirements (e.g. NY, OH, MI, MS, SC)? • How do state laws and requirements apply to third-party vendors when they maintain PII?

  43. Have Situational Awareness • Identify and inventory what PII is created, transmitted or maintained by, or on behalf of, your organization. • Include data in all forms and from any source (e.g. employees, patients or enrollees, online marketing, or website tracking). • What is the state of residency for each individual that has contributed PII? • It may be necessary to refer to state-specific definitions of “what is PII?” to perform a complete inventory.

  44. Deep Dive:

  45. Operational Challenges to Meet State Laws • Data Classification Enhancements/Re-evaluations • Data Inventory and Mapping • Records Retention • Consumer Right of Access and Deletion Requests; Data Portability • Privacy Notice reviews/updates and the key decisions associated with them • Technology, tools and other resources necessary to comply, including adequate privacy-choice mechanisms and consent/preference platforms • Authentication Protocols • Reviewing vendors to ensure sufficient access, deletion and incident response provisions

  46. Iowa Breach Notification Requirements • Breach is the unauthorized acquisition of personal information • Personal information is • First name or initial and last name plus • SSN or • Driver’s license number or other unique ID # created or collected by government body or • Financial account number, credit card number or debit card number in combination with required expiration date, access code, security code, or password that would permit access to the account • Unique electronic identifier or routing code in combination with required access code, security code, or password that would permit access to the account • Unique biometric data or other unique physical representation or digital representation of biometric data

  47. Iowa Breach Notification Requirements • Notification to affected individuals in the most expeditious manner and without unreasonable delay • Notification to the Attorney General of a breach affecting >500 IA residents within 5 business days of notice to the individuals • Not applicable to entities that must comply with GLBA or that comply with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements • Notice delay for law enforcement permitted • Substitute notice may be used if the cost of notice is >$250,000, or >350,000 consumers must be notified, or the entity lacks sufficient contact information
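The two Iowa slides above read as a decision procedure, so here it is as an added example (not code from the presentation or from CynergisTek): a small breach-triage script that applies the Iowa definition of personal information record by record, counts affected Iowa residents, and works out the Attorney General deadline and substitute-notice eligibility from the thresholds on the slide. The records are constructed; each flag only says whether that data element was in the exposed data for that person. Two assumptions are made that the slides do not cover: business days skip weekends only (state holidays are ignored), and the entity is neither GLBA-covered nor subject to a stricter law that displaces the Iowa statute. The "other unique ID number created or collected by a government body" element is folded into the driver's-license flag.

```python
"""Breach triage against the Iowa breach-notification definitions summarised above.

Added example, not from the presentation; the records are constructed.
Flags record only whether a data element is present, never its value.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class ExposedRecord:
    state: str                           # state of residence, e.g. "IA"
    name: bool = False                   # first name or initial plus last name present
    ssn: bool = False
    drivers_license: bool = False        # or other unique government-issued ID number
    account_number: bool = False         # financial, credit card or debit card number
    access_code: bool = False            # expiration date, access code, security code or password
    electronic_identifier: bool = False  # unique electronic identifier or routing code
    biometric: bool = False              # unique biometric data or its digital representation


def is_personal_information(r: ExposedRecord) -> bool:
    """Iowa's definition as summarised on the slide: name plus one qualifying element.

    Account numbers and electronic identifiers only count when paired with
    a code that would permit access to the account.
    """
    if not r.name:
        return False
    return (
        r.ssn
        or r.drivers_license
        or (r.account_number and r.access_code)
        or (r.electronic_identifier and r.access_code)
        or r.biometric
    )


def add_business_days(start: date, days: int) -> date:
    """Count forward skipping Saturdays and Sundays (assumption: holidays ignored)."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days -= 1
    return d


def triage(records, individual_notice_date: str, notice_cost: float, contact_info_ok: bool):
    """Apply the slide's thresholds to a set of exposed records.

    Assumes the entity is not GLBA-covered and no stricter law displaces Iowa's.
    individual_notice_date is the ISO date individuals were (or will be) notified.
    """
    affected = [r for r in records if r.state == "IA" and is_personal_information(r)]
    n = len(affected)
    notice_date = date.fromisoformat(individual_notice_date)
    ag_required = n > 500
    return {
        "iowa_residents_affected": n,
        "ag_notice_required": ag_required,
        "ag_deadline": add_business_days(notice_date, 5).isoformat() if ag_required else None,
        "substitute_notice_allowed": notice_cost > 250_000 or n > 350_000 or not contact_info_ok,
    }


# Constructed sample: one exposure affecting a handful of people.
SAMPLE = [
    ExposedRecord("IA", name=True, ssn=True),
    ExposedRecord("IA", name=True, account_number=True, access_code=True),
    ExposedRecord("IA", name=True, account_number=True),     # number without a code: not PI
    ExposedRecord("IA", ssn=True),                            # no name: not PI
    ExposedRecord("MN", name=True, drivers_license=True),     # not an Iowa resident
    ExposedRecord("IA", name=True, biometric=True),
]

if __name__ == "__main__":
    print(triage(SAMPLE, "2019-07-05", notice_cost=12_000, contact_info_ok=True))
```

The same structure carries over to the other states the deck says you must map: swap in that state's element list and thresholds, keep the per-record classification separate from the counting, and the report for counsel falls out of the counts.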

  48. What is the CCPA? • Goes into effect January 1, 2020 • Gives California consumers certain rights with respect to their personal information • A consumer is defined broadly to include employees and their families, prospective customers contacting us through their job, and applicants for employment • Applies to for-profit businesses with a California presence that: • Have gross revenue in excess of $25 million; or, • Buy, receive, sell, or share for commercial purposes the personal information of 50,000+ California consumers, households, or devices; or, • Derive 50% or more of their revenues from selling personal information

  49. 4 Basic Consumer Rights Provided by CCPA • The right to know what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold • The right to “opt out” of allowing a business to sell their personal information to third parties • The right to have a business delete their personal information • The right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act.

  50. Health Care Exemptions in the CCPA
