HIPAA Cybersecurity Best Practices“Cybersecurity is a Journey…not a Destination”

● Physicians who apply cybersecurity best practices have peace of mind.

● We can help you sleep at night.

What Happens?

- Data loss (Resulting in re-work)

- Downtime

- Loss of business

- Fines

- Reputation damage

Not following cybersecurity best practices could lead to:

In the News

Advocate Health slapped with

lawsuit after massive data breach

Advocate "flagrantly disregarded"

privacy of 4 million patients, lawsuit

says…

Advocate Health Care to Pay $5.5M

in HIPAA Penalties

It is the largest fine for a single entity,

stemming from three separate

breaches of the electronic health

records of more than 4 million

patients…

Advocate data breach highlights

lack of encryption, a widespread

issue

Cyber Findings

• Risk Based Security mid-year 2018 Data Breach QuickView Report-2,308 publicly disclosed data compromise events through June 30th (2.6 billion records YTD 2018; 6 billion, 1st half 2017)*

• Approximately 1 million pieces of known malware (computer viruses or malicious software) are released every day

Ponemon 2017 Cost of Data Breach Study: Global Analysis

• $3.62 million is the average total cost of a data breach

• $141 is the average cost per lost or stolen record (healthcare $380)

• 59% of all breaches caused by malicious or criminal attacks

Ponemon 2017 Cost of Data Breach Study: United States

• $7.35 million is the average total cost of a data breach

• $225 is the average cost per lost or stolen record

• $380 (Healthcare) is the average cost per lost or stolen record

• 52% of incidents involved malicious or criminal attacks

• Notification costs average $0.69 million

• Post data breach costs (not including notification costs) average $1.56 million

*Source: breachexchange@lists.riskbasedsecurity.com on behalf of Inga Goddijn, EVA at RSA 8/16/2018

Know the Law

Let’s distill HIPAA law

into what you need to

know and care about.

HIPAA Security Rule In Brief

Take all reasonable measures to protect against risks to the integrity, availability and confidentiality of PHI in all forms, physical or digital.

○ Someone needs to take responsibility and charge.

○ Regular formal risk assessments need to be conducted to define “risks”, and “reasonable measures”.

○ Reasonable controls must be planned and implemented to reduce these risks (Anti-virus, Firewalls, Web Proxy, DLP, etc... )

○ Encryption, access control, access audit should be used to control access to information in accordance to “principles of least privilege”.

*Source: Identity Theft Resource Center Data Breach Report 2009

Protected Health Information (PHI) – HIPAA, HHS/OCR regulations define health information as “any

information, whether oral or recorded in any form or medium” that:

a) “is created or received by a health care provider,

health plan, public health authority, employer,

life insurer, school or university, or health care

clearinghouse” and (Medical Info. Bureau-Quincy)

b) “relates to the past, present or future physical

or mental health or condition of an individual;

the provision of health care to an individual; or

the past, present or future payment for the

provision of health care to an individual.”

Most valuable-PHI never dies-Highest value on Black Market-$100+/record

Can be used for:

Medical treatment (you pay for it)

Obtain prescription drugs (personal use or sell on street)

Co-mingle health info.-misdiagnosis or death

Obtain mortgage, credit, other type loans

Protected Health Information*

*Source: Identity Theft Resource Center Data Breach Report 2009

Personally Identifiable Information (PII) – as used in information security and data privacy laws, refers

to information that can be used to uniquely identify, contact, or locate a single person or can be

used with other sources to uniquely identify a single individual. The types of information normally

associated with PII include: (at least three of the following combined)

a) Name and Address (NAA)

b) Date of Birth (DOB) (not confidential in MA)

c) Social Security Number (SSN)

d) Credit Card Number

e) Account Number/PIN or other Financial

Account Information

f) Emails

g) Telephone numbers

Personally Identifiable Information*

Confidential Business Customer Data

1. Trade secret information

2. Confidential financial data (business customers)

3. Other non-public confidential data of business customers

i. employee personal data (benefit providers, 401k info. and other Plan info.)

ii. payroll data (Example-ADP or other payroll service providers)

iii. billing information (medical billing services, utility companies)

4. Any customer confidential business data subject to a signed Non-Disclosure Agreement (NDA)

5. Intellectual property-i.e. manufacturing processes; marketing strategies

Massachusetts Data Breach/Security Laws**

3 General Laws:

1. G.L.c. 93H-Data Breach Notice Law-requires notification

of state agencies and affected individuals of a data breach

2. MA GL 201 CMR 17.00-Standards for The Protection of

Personal Information (Pl) of Residents of the

Commonwealth of Massachusetts

3. G.L.c. 931-Data Destruction Law-establishes minimum

requirements for securely destroying or deleting Personal

Identifiable Information of MA residents

ENFORCEMENT OF THE MASSACHUSEITS DATA BREACH/SECURITY LAWS IS BY THE

CONSUMER PROTECTION DIVISION OF THE ATTORNEY GENERAL'S OFFICE

PERSONAL IDENTIFIABLE INFORMATION (ELECTRONIC OR PAPER FORM)

Defined as the first name or initial and last name of a MA resident plus one or more of the following:

1. SSN

2. Driver's license number or other state-issued identification card or number; and/or

3. Financial account number or a debit/credit card number (with or without a security code)

Information legally obtained from publicly available sources is not considered

confidential Personal Identifiable Information

Massachusetts Data Breach/Security Laws**

G.L.c. 93H- Data Breach Notification Law

1. Breach of Security-unauthorized acquisition of or use of confidential data whether unencrypted or

encrypted with decryption key that can possibly compromise the security, confidentiality or the integrity of

the Pll held by the entity that creates a risk of ID theft

2. ID Theft/Fraud-the PII was used or acquired by an unauthorized party for an unauthorized purpose-(CC,

loans)

Who Must Be Notified :

1. Attorney General's Office

2. Office of Consumer Affairs and Business Regulation

3. Each affected MA resident

4. Owner or licensor of the Pl (must be notified by 3rd party vendor or out-sourced vendor)

**THE OWNER OR LICENSOR OF THE Pl IS THE REQUIRED PARTY THAT NEEDS TO NOTIFY

Notice to the Attorney General's Office or Office of Consumer Affairs & Business Regulation must include

the following:

1. Nature of the breach

2. Number of residents affected

3. Steps entity has/will take relating to the breach

4. Include a sample copy of the consumer notice

What must the Notice to MA residents disclose:

1. Individual's right to obtain a police report

2. How an individual can request a security freeze

3. Information an individual needs to provide to request a security freeze

4. Complete disclosure of fees for placing, lifting or removing a security freeze

Massachusetts Data Breach/Security Laws**

The Notice cannot disclose:

1. The nature of the breach, unauthorized access or use

2. Number of individuals affected

What is the timing of the Notice?

1. "as soon as reasonably practicable and without unreasonable delay" when the entity

"knows or has reason to know" of the breach

2. The Notice may be delayed "if a law enforcement agency determines that provision of

such notice may impede a criminal investigation and has notified the attorney general in

writing thereof and informs the entity of such determination"

Information and sample notices can be found at:

http://www.mass.gov/ago/consumer-resources/consumer-information/scams-and-identity-

theft/security-breaches.html

Massachusetts Data Breach/Security Laws**

201 CMR 17.00-Standards for The Protection of Personal Information of Residents of the

Commonwealth of Massachusetts

Key Requirements:

1. Develop, implement, maintain and monitor a comprehensive Written Information Security

Program (WISP) establishing safeguards against a data breach

2. Maintain minimum computer security systems such as password management protocols,

firewalls, updated virus definitions and patches

3. Encrypt all records containing Pl transmitted across public networks or wirelessly or stored on

laptops or other portable devices

4. Identify and assess reasonably foreseeable internal and external risks to security, confidentiality

as well as the integrity of Pl in any physical form

5. Monitor service providers and require them by written contract to implement and maintain

safeguards to protect and secure Pl-you warrant to the State service providers meet the MA privacy

law requirements

G.L. c. 931 -Data Disposal and Destruction Law

Minimum Requirements:

1. Paper records are to burned, redacted, pulverized or shredded so the Pl cannot be read or

reconstructed

2. Electronic records and other non-disposable media shall be destroyed or erased so the Pl cannot be

read or reconstructed

Massachusetts Data Breach/Security Laws**

PENALTIES FOR VIOLATING MA DATA BREACH NOTICE LAW/SECURITY

REGULATIONS

1. Civil penalties of $5,000 per violation

2. Restitution to harmed individuals

PENALTIES FOR VIOLATING DATA DESTRUCTION AND DISPOSAL LAW

1. Civil fine of up to $100 per data subject affected

2. Up to $50,000 for each instance of improper disposal

**Overview of Massachusetts Data Breach/Security Laws, Tom Ralph, Asst. AG, Cyber Crime

Division, Office of MA AG Maura Healey

Good news… we can help.

Let’s go over best practices and then talk about some

solutions.

Need Help?

Pick a Security Framework

Cybersecurity frameworks

help you assess and

improve your ability to

prevent, detect, and

respond to cyber attacks.

Where am I vulnerable?

HIPAA requires a risk assessment

§164.308(a)(1)(ii)(A)

Risk analysis (Required). Conduct an

accurate and thorough assessment

of the potential risks and

vulnerabilities to the confidentiality,

integrity, and availability of electronic

protected health information held by

the covered entity or business

associate.

a) Hackers are motivated by greed, anger, and opportunity.

b) They want your money, or your destruction, -basically "cold heart cash".

c) They rely on the weakest link in your organization-your employees-take advantage of human qualities to serve attacker’s purpose

d) Hackers try to get an employee to think they are a customer, senior management or a vendor.

e) They gain access to your system through a phishing attack via email-containing embedded malware, Trojan Horse, Spyware

f) Their goal is to get funds transferred out of the country to places like China, Russia, Nigeria, etc.

g) They are experts at setting up false domain names and email addresses that look like a customer's, vendor's or senior management's email.

h) They use social media to unleash their fraud:

i. spoof senior management

ii. through social media accounts, Outlook calendars and emails they know comings and goings of senior management-sometimes called business email compromise

iii. send email to an unsuspecting employee posing as executive of company requesting funds to be transferred right away for a secret business deal-email looks legitimate and funds are transferred never to be seen again

i) Every organization is a target regardless of size or industry.

j) Federal law enforcement is overwhelmed by these crimes and cannot keep up (1300% increase since 1/2015)

Social Engineering Fraud

I’m Cloud Based…I Should Be Safe

Third party vendor management for

business associates

If you’re a Covered Entity, chances are

you have BAAs in place with one or more

companies. But, do you have a policy

and set of procedures for vetting business

associates?

BYOD – Prudent Steps

Prudent steps employers can take to reduce the risk of a breach through BYOD practices:

1. Have written policies in place governing the types and use of personal devices for business purposes and require every employee to sign off and accept these policies.

2. Written policies should clearly state what these devices can access, store and transmit.

3. If remote access is allowed it should only be through a VPN or other comparable secure network. VPN means Virtual Private Network (across public network or internet)

4. Require devices to be encrypted at all times and subject to random spot checks to confirm encryption software is in place and utilized.

5. Require an employee to report a stolen or lost device to company immediately

6. Policy in place to retrieve information from employee’s device upon termination

7. Ensure corporate data is backed-up in corporation’s network

8. Identify and segregate your corporate “trade secret” information/data, in other words, your “crown jewels”, and limit access to this data

MOST PRUDENT STEP:

Your rules should be carved in stone as you ultimately bear the responsibility

for the actions of your employees. By not establishing and enforcing written

guidelines you run a great risk of loss of customers, revenues, reputational harm

and possible ensuing litigation.

Internet of Things

What does the Internet of Things (IoT) mean?

Devices connected to the Internet for the purpose of information transfer and process automation- real time IoT networks

Examples:

1. Manufacturing & automation systems

2. Heating and air conditioning-remote access

3. Industrial robotics

4. Family car using on-board computers to regulate speed, operate rear-view cameras and "blind spot" alarms,

parallel park and even tint windows, environmental sensing, manufacturing, urban planning and health

monitoring

5. Critical connected healthcare solutions and devices-pacemakers

It is estimated there will be 20.4 billion devices connected via the internet by 2020*

It is estimated every workplace has approximately 16,000 IoT devices connected to its network*

Potential Problems

1. Developers are building interactivity and data storage into hundreds of common products without any security

whatever in mind-security must be implemented at the design stage

2. Devices are not being developed to common standards

3. They increase the vulnerability of a system by creating more avenues for hackers to exploit

4. Hackers are becoming more familiar with how loT devices work

*Source: breachexchange-bounces@lists.riskbasedsecurity.com> on behalf of Audrey McNeil-May 15, 2018

Know Your Controls

Administrative

Deals with the

workforce

Technical

Deals with IT

“stuff” like

encryption and

unique user

identification

Physical

Deals with facilities,

workstations, and

media

HIPAA Security Rule Standards

Passwords Are Not Everything

§164.308(a)(5)(ii)(D)

Password

management:

“Procedures for

creating, changing,

and safeguarding

passwords.”

Protection Tools

Data Loss Prevention (DLP) for Covered

Entities and Business Associates

While DLP isn’t strictly required, protection of

ePHI is… so DLP should at least be considered.

• Endpoint, web, and email

• Data classification (what and where is ePHI?)

• Create simple policy rules in monitor-only

mode

• Tweak the policy rules.

• Deploy to a subset of users

• Go from monitoring to actively blocking

• Expand to other departments

Safeguard Outside the Office

How to store

HIPAA data

§164.312(2)(iv)

Encryption and

decryption:

“Implement a

mechanism to

encrypt and

decrypt electronic

protected health

information.”

Knowledge is Key

§164.308(a)(5)(i)

Security awareness

and training:

“Implement a security

awareness and

training program for all

members of its

workforce (including

management).”

Business Continuity and Disaster Recovery

§164.308(a)(7)(ii)(A)

“Establish and implement procedures

to create and maintain retrievable

exact copies of electronic protected

health information.”

§164.308(a)(7)(ii)(B)

“Establish (and implement as needed)

procedures to restore any loss of

data.”

Sanction Policy

HIPAA requires a sanction policy

§164.308(a)(1)(C)

Sanction policy: “Apply appropriate sanctions against workforce

members who fail to comply with the security policies and

procedures of the covered entity or business associate.”

Example Sanction Clause:

I understand that violations of the information security policies

and standards may lead to:

• Disciplinary Action

• Termination

• Removal from Projects

• Criminal Penalties

I have been breached….Now What?

HIPAA Breach Notification Rule

§§164.400-414 What do I do if I

learn of or suspect a breach?

1. Determine the nature and

extent of PHI involved.

2. Determine whether the PHI was

acquired or viewed.

3. Notify individuals affected by

breach within 60 days.

4. Notify HHS & prominent media

outlets if breach affects more

than 500 individuals.

What could this cost me?

Violation

CategoryEach Violation

Total CMP for Violations of an

Identical Provision in a Calendar

Year

Unknowing $100 – $50,000 $1,500,000

Reasonable

Cause$1,000 – $50,000 $1,500,000

Willful Neglect –

Corrected$10,000 – $50,000 $1,500,000

Willful Neglect –

Not CorrectedAt least $50,000 $1,500,000

HIPAA Omnibus Final Rule - Violations

Steps You Can Take To Minimize Your Exposure To A Data Breach

START HERE:

10 Common Sense Steps:

1. Know where your data is, map it and know who has access to it

2. Identify your information asset-client lists, client/customer data, business strategies, marketing

information-rank from high to low

3. Have an automated back-up process that occurs every day

4. Perform due diligence on all out-sourced/3'' party vendors who store or service your data-be

sure they have strong security protections and protocols in place equal to or greater than yours

5. Implement a strong password management program - change passwords every 45-60 days

6. Limit remote access to your system-Examples: supply chain vendors or other service providers

(Target/HVAC contractor)

7. Maintain a strong firewall-upgrade when necessary or prompted

8. Perform comprehensive background checks on ALL potential hires

9. Employ and enforce a "clean-desk" policy. Secure all "non-electronic" confidential/sensitive

information in locked containers, locked file cabinets or locked rooms with restricted access

10. Encrypt data at rest on servers

Steps You Can Take To Minimize Your Exposure To A Data Breach

NEXT STEPS:

1. Have a system vulnerability assessment done by a qualified outside 3rd party firm

2. Have a Breach Incident Response Plan-internally who is point, privacy attorney, forensic expert,

notification firm, public relations firm-test it at the very least on an annual basis

3. Have a Disaster Recovery Plan-you've had breach-how and when do you get back to operational status

4. Have a written Network Security Plan, Client Notification Plan and Internet Usage Plan

5. Employ anti-virus software on ALL devices/continuously update

6. Install intrusion detection/protection software on all devices and test it regularly

7. Encrypt all hard drives, servers, back-up tapes and portable devices

8. Employ two-factor authentication

9. Employ and enforce continuous employee training in the handling of confidential data-key risk

management

10. Conduct regular scans of your network

11. If you have a POS system ensure it complies with PCI/Data Security Standards (PCI/DSS)

12. Ensure all credit card data is encrypted

13. Separate encrypted data from user data on your network

14. Before disposal, wipe data from all hardware when it is replaced

15. Never have a "universal passcode" for all employees to use to access data

16. Install scanners and filters for email attachments

17. Install remote lock or kill software to shut down all mobile devices that are lost or

stolen and have protected information

Steps You Can Take To Minimize Your Exposure To A Data Breach

NEXT STEPS CONTINUED:18. Purge on line records or decades old records of former customers if not needed or not legally required to

retain

19. Do not allow 3rd party storage devices to be installed on any employee work station

20. Coordinate data breach responses with you HR Department

21. Employ and enforce a duty for all employees to report a potential security incident and cooperate in any

investigations

As per former FBI Director James Comey:

"There are only two kinds of companies left in the world-those that have been hacked

and those that don't know they've been hacked. No one is safe. Unfortunately, there is

no simple fix-it app for that - not even adequate insurance."

Questions?

THANK YOU

Contact Info:

Paul Smith, President

Datasmith Network Solutions

17-2 West Street

Walpole, MA 02081

psmith@datasmithnetworks.com