The Privacy – Security Partnership in Managing Risk
June 22, 2015
Angel Hoffman, Dennis Schmidt, Jay Trinckes
11th AMC Conference
Session objectives
• Describe the respective roles and responsibilities of privacy and security, and how they can benefit by working together
• Explain opportunities for cross-training for enhanced effectiveness
• Outline a strategy for assessing and managing privacy and security risks through teamwork.
Angel Hoffman
Phone: 412-559-6703
Email: [email protected]
www.APHCcompliance.com © 2014 ADVANCED PARTNERS IN HEALTH CARE COMPLIANCE, LLC
Where are we twelve years later?
Let’s Review:
• HIPAA Privacy – April 2003
• HIPAA EDI – October 2003
• HIPAA Security – 2005
• HITECH – 2009
• HIPAA Omnibus – 2013
Role of the Privacy Officer
HITECH created a lot of changes and stricter protections, along with the Breach Notification Rule, which created:
• Increased responsibility
• Increased knowledge and skills required
• Increased hours to handle issues during the work day
HIPAA Omnibus Enforcement Rule
However, it is not just about the regulations, but much more…
Changes in Tasks and Activities
• Process development and implementation
• Training development and implementation
• Conduct online and live training for:
  - Board (more emphasis today)
  - Management (follow-up)
  - Staff
  - Others
• Policy development – have the new policies been added to the training?
Changes in Tasks and Activities (cont.)
Managing complaints/breaches – have increased; use of technology to track and trend; producing reliable reports
Conduct investigations – have increased and there are more things to track now (breach notification more recently)
Maintaining documentation and keeping all paper and electronic information available
Working with other departments – communication is increasingly critical and impacts: Human Resources, Quality and Information Security
Reporting
External Influences
• State Attorney General Role
• HIEs – newer state and federal government activity
• Impact of Social Media
• Age of the workforce
Partnering with the Security Officer
“…managing risks in the medical information realm takes effective teamwork.”
The Privacy Officer must partner with the Security Officer in order to have a successful program.
Sharing of information is not always easy, but when we work collaboratively vs. in silos the organization succeeds and this leads to better outcomes. And as we all know now…
You cannot have privacy without security!
Roles of a Chief Information Security Officer
Dennis Schmidt
Assistant Dean for Information Technology
HIPAA Security Officer
University of North Carolina
• Nation’s first public university, chartered 1789
• 29,000 students
• 3,600 faculty
• Number of servers: Unknown, but it’s a lot!!!
• 5% of campus is protected by firewall
  ‒ Blocks 87 million unwanted connections weekly
• IPS blocks 5.1 million malicious threat events
UNC School of Medicine
• 1,500+ Faculty
• 720 Medical Students
• 700 Graduate Students
• 3,000 Staff
• ~1,000 servers
• 98 Server administrators (self identified)
• 47 different O/S’s (self reported)
CISO Job Description
• Primarily responsible for all ongoing activities related to the availability, integrity and confidentiality of patient, provider, employee, and business information in compliance with the healthcare organization's security policies and procedures, regulations and law.
• Could report to:
  • CIO
  • Chief Compliance Officer
  • Chief Risk Manager
• Qualifications:
  • BS/BA, usually in related field
  • Certifications: CISSP, GSEC, PMP, …
Desired Soft Skills
• Manager
  • Supervises the security team
• Author
  • Writes security policies
  • Drafts or edits incident reports
• Teacher
  • Formal HIPAA Training
  • Security Presentations
  • Security Bytes/Tips of the Week
• Mentor
  • Leads by Example
More Soft Skills
• Collaborator
  • Seeks input from the community while developing policies
• Protector
  • Develops environment to keep the bad guys out
• Consultant
  • Advises customers on best practices
• Enforcer
  • Blocks bad practices
  • Firm but fair
• Visionary
  • Looks ahead for solutions to new threats
Undesired Traits
• Dictator
  • Sets policies without collaborating or consulting with affected users
  • My way or the highway
• Isolationist
  • Fails to communicate with community
  • Do what I say, not what I do
Privacy and Security Collaboration
• HIPAA Training
• BAAs
• Investigation support
• The 4 item test
• Knowledge sharing
New Role: Chief Information Privacy & Security Officer (CIPSO)
• Privacy/Security are so intertwined
• Executive Level Position
• Approved by the Board of Directors with a direct line of communication to BoD
• Demonstrates the commitment of organization to Privacy/Security
• As related to HIPAA, would be responsible for all Privacy Rules and Security Rules (which is a subset of the Privacy Rules)
Build a Culture of Privacy/Security
• People are weakest link
• Top Down Approach; emphasize importance of privacy/security
• Assign CIPSO; Delegate Authority to Carry Out Role
People Concerns – Current Threats
• Social Engineering – art of convincing someone to do something that may not be in their best interest
• Being too helpful – giving more information away than is necessary
Real World Examples:
• Physical Breach – obtaining unauthorized physical access
• Targeted Phishing Attacks – wire transfer requests that appear to come from CEO
  • Limit information available on-line
• Malicious Software – unaware users clicking on links; opening unsolicited attachments
Administrative Safeguards
• Four Tenets of Information Security – CIAP
  • Confidentiality
  • Integrity
  • Availability
  • Privacy
Policies/Procedures
• Must be implemented
• Staff must be aware of existence
• Must be ‘easy’ to follow
• Must be relevant
Physical Safeguards
• First Line of Defense
• Castle Scenario – layers of defenses
• Security Rule: If someone is able to gain physical access to a system, the system no longer belongs to the organization.
Real World Examples:
• Cipher Locks on doors – numbers worn; ‘view over shoulder’
• Key Logging/USB Devices
• Boot to CD/USB Drive; BIOS flaws
• Monitor Locations
• System Locks – password screen savers
Technical Controls
• Weak Passwords – user controlled
  • No amount of security can protect against weak passwords
• Authentication Process – limited by application developers
  • Need to consider multi-factor authentication
  • Stronger authentication methods
• Encryption – not all encryption is the same
  • SSL Encryption flawed – (Heartbleed, FREAK, weak pseudo-random generators)
System Logging Activities
• ‘There are only two types of companies: those that have been hacked and those that will be.’ – Former FBI Director Robert Mueller
• And once you are hacked, would you even know?
• User Activity Logging; Suspicious Activities; Security Information and Event Management (SIEM) Solutions; Intrusion Detection/Intrusion Prevention Solutions
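As an added illustration of the "would you even know?" point (example code, not part of the slides), here is a small Python detector of the kind a SIEM correlation rule runs over user activity logs; the log format, user names, addresses and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (made-up format, users and addresses; not real data).
SAMPLE_LOG = """\
2015-06-22 08:01:10 host1 auth: FAILED login user=jdoe src=10.0.0.5
2015-06-22 08:01:12 host1 auth: FAILED login user=jdoe src=10.0.0.5
2015-06-22 08:01:15 host1 auth: FAILED login user=jdoe src=10.0.0.5
2015-06-22 08:01:17 host1 auth: FAILED login user=jdoe src=10.0.0.5
2015-06-22 08:01:22 host1 auth: SUCCESS login user=jdoe src=10.0.0.5
2015-06-22 09:20:00 host1 auth: FAILED login user=asmith src=10.0.0.9
2015-06-22 09:21:00 host1 auth: SUCCESS login user=asmith src=10.0.0.9
2015-06-22 02:30:00 host1 auth: SUCCESS login user=bjones src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ auth: "
    r"(?P<result>FAILED|SUCCESS) login user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(log_text):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events

def find_suspicious(events, max_failures=4, window=timedelta(minutes=5), off_hours=(0, 6)):
    """Rule 1: a success preceded by >= max_failures failures for the same user/source
    inside `window` (guessing that eventually worked). Rule 2: any success in off_hours."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAILED":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= max_failures:
            alerts.append(("brute_force_then_success", ev["user"], ev["src"], ev["ts"]))
        failures[key].clear()  # a success ends the current run of failures
        if off_hours[0] <= ev["ts"].hour < off_hours[1]:
            alerts.append(("off_hours_login", ev["user"], ev["src"], ev["ts"]))
    return alerts
```

Running `find_suspicious(parse(SAMPLE_LOG))` flags the off-hours login and the success after four rapid failures, while the single typo-then-success for the other user stays quiet; without such logging and correlation, neither event is visible.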
Group Discussion