HIPAA Regulations & Cyber Security Are You Protected?


Page 1

HIPAA Regulations & Cyber Security

Are You Protected?

Page 3

HIPAA Security Rule

• Health and Human Services (HHS) requires all Covered Entities and their Business Associates to follow security procedures to ensure the confidentiality and security of ePHI when that data is…

• Created by your business

• Received by your business

• Stored in your network

• Transmitted from your network, such as an email server, to your business associates’ networks

Page 4

Who is the OCR?

• The OCR is the enforcement branch of Health and Human Services

• The OCR investigates and audits every Covered Entity and Business Associate that has a data breach

• The OCR investigates patient confidentiality complaints and takes actions to correct problems

Page 5

• Healthcare data breaches cost $5.6 billion annually

• The OCR has collected over $72,000,000 in fines from covered entities and business associates for HIPAA violations

• The OCR has required more than 25,000 companies to take corrective actions after investigating complaints or initiating compliance reviews

• Clinic employees have been sentenced to jail time and ordered to pay $1,000s in restitution

Page 6

Security Rule Safeguards

• Administrative – The Company’s Security Policies & Procedures

• Physical – The Building and Workstation Security

• Technical – Computer Network Security

Page 7

Administrative Safeguards

• Required! Conduct a Security Risk Assessment at least annually to assess the confidentiality of ePHI

• Required! Develop and implement a living, breathing book of Security Policies and Procedures that cover how you comply with all the HIPAA Security Standards

• NO! Your “Notice of Privacy Practices” does not make you HIPAA compliant

• Required! Security Training for all employees and management on an annual basis to raise awareness of the business’s policies that govern access to ePHI. All training must be documented!

Page 8

• Identifies security risks

• General or industry specific

• On-site visit

• Determines Physical, Technical, and Administrative risk levels

• Detailed findings report with recommendations

Page 9

Educate Your Employees

• Your biggest risk is probably working at your office right now!

• Implement a security awareness training for your entire workforce, including management

• Teach your employees about Phishing and Ransomware schemes, and how to avoid becoming a victim

• Test your workforce by conducting Social Engineering projects

• Provide Security Reminders in weekly newsletters, or hang security reminders in common areas

Page 10

Insider Threat Detection

• Two-thirds of total data records compromised in 2018 were the result of insiders

• Three most common types:

  • Accidental insider (unaware or non-respondent)

  • Malicious insider (disgruntled, compromised, exiting employee)

  • Third-party insider (contractor, dwelling hacker, collusion)

• Determine a baseline of normal activities on your network and for your users, then look for deviations

Page 11

Physical Safeguards

• Required! Facility Access Controls must be implemented where ePHI is stored and to prevent unauthorized physical access, tampering or theft of ePHI

• Required! Policies and procedures must be implemented to restrict access to workstations that have ePHI access, and govern how functions are performed at these workstations

• Required! Implement policies and procedures that address the disposal and re-use of hardware and software that have contained ePHI, and specify the procedures you use to make ePHI inaccessible

Page 12

Technical Safeguards

• Required! Implement Data Access Controls by assigning a unique user identification name and/or number in order to be able to track each network user

• Required! Develop procedural mechanisms that record and examine user activity in your information systems that contain or use ePHI

• Required! Establish and test procedures to obtain all necessary ePHI data during an emergency

• Not required, but a real good idea… Create and adhere to an Acceptable Use of IT Resources form and have your employees sign their name to acknowledge these network rules!
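The baseline-then-deviations approach from the Insider Threat Detection slide, applied to the user-activity records the Technical Safeguards slide requires you to keep, as an added example that is not part of the original deck or TSG’s material: it builds each user’s own daily baseline from constructed ePHI access records, then flags a bulk record pull and an after-hours access. The log format, user names, record ids and business hours are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit records, "<ISO timestamp> <user> <record id>"; the format,
# user names and record ids are assumptions made for this example.
BASELINE_LOG = "\n".join(                       # three normal days of activity
    f"2019-03-{day:02d}T{9 + i:02d}:15:00 jdoe pt-{1000 + day * 10 + i}"
    for day in (4, 5, 6) for i in range(6)      # jdoe: 6 distinct records a day
) + "\n" + "\n".join(
    f"2019-03-{day:02d}T10:00:00 asmith pt-{2000 + day}" for day in (4, 5, 6)
)
NEW_LOG = "\n".join(                            # the day under review
    f"2019-03-07T17:{i:02d}:00 jdoe pt-{3000 + i}" for i in range(40)
) + "\n2019-03-07T02:30:00 asmith pt-2099"      # one record pulled at 02:30

def parse(text):
    """Return (timestamp, user, record) tuples, skipping blank lines."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, user, record = line.split()
            out.append((datetime.fromisoformat(ts), user, record))
    return out

def records_per_day(events):
    """{user: {date: number of distinct records touched that day}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for ts, user, record in events:
        seen[user][ts.date()].add(record)
    return {u: {d: len(r) for d, r in days.items()} for u, days in seen.items()}

def find_deviations(baseline_events, new_events, sigmas=3.0, hours=(7, 19)):
    """Flag days that exceed the user's own baseline, and access outside business hours."""
    baseline = records_per_day(baseline_events)
    findings = []
    for user, days in records_per_day(new_events).items():
        history = list(baseline.get(user, {}).values())
        if not history:
            findings.append((user, "no baseline for this user"))
            continue
        # floor at twice the mean so a flat history (stdev 0) does not alert on every extra record
        limit = max(mean(history) + sigmas * pstdev(history), 2 * mean(history))
        for day, count in days.items():
            if count > limit:
                findings.append((user, f"{day}: {count} records vs baseline limit {limit:.1f}"))
    for ts, user, record in new_events:
        if not hours[0] <= ts.hour < hours[1]:
            findings.append((user, f"after-hours access to {record} at {ts.isoformat()}"))
    return findings
```

Running `find_deviations(parse(BASELINE_LOG), parse(NEW_LOG))` reports jdoe’s 40-record day against a baseline limit of 12 and asmith’s 02:30 access; the baseline window should be long enough to cover each user’s normal weekly rhythm before the thresholds mean anything.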

Page 13

Perform Regular Backups

• Every day in the news there are new Ransomware attacks!

• Ransomware is not going away

• According to the FBI, over 60% of small businesses suffering a cyber attack will be out of business within six months of an incident

• Having regular backups of critical systems is often the only means of recovering your data

• Remember to disconnect direct-attached storage (USB drives) after backups, to prevent them from being included in the attack

Page 14

Use the 3-2-1 Backup Rule

• Have at least three separate copies of your data

Page 15

Test Those Backups

• If you’re not going to test your backups, don’t bother doing backups!

• Have well-documented procedures and a schedule for testing your backup and recovery procedures

• Don’t find yourself in a position of desperately needing to recover from backups only to find them also encrypted or completely deleted

Page 16

Do Not Repurpose Passwords

• Create a unique password for each website/application you use

• Use pass-phrases that incorporate an element of the site:

!LØveCHCAM$

• Password length can make it exponentially harder to crack

• Black Hat Hackers will use your breached data from one website to stuff credentials into your other programs in hopes of gaining access to your systems, data, and networks

Page 17

• Scans all devices on the network

• Can be done on-site or remotely

• Seeks known vulnerabilities

• Reports identify found vulnerabilities and how to resolve them

• Remediate on your own or TSG can assist

Page 18

Additional Requirements

• Required! Have Business Associate Contracts with all business partners that create, receive, maintain or transmit ePHI on your behalf

• Required! Have Incident Response Procedures documented and tested because data breaches happen! In fact, the OCR has required more than 25,000 companies to take corrective actions after data breaches

• Required! Have a Sanction Policy in place to use against employees who fail to comply with your Security Policies, and include possible disciplinary actions, such as “up to and including termination”

Page 19

Don’t Forget the Rest

• Most non-operating-system software, such as Adobe and Java products, does not update automatically

• If 100 of us were told to do an update: 25% would do it immediately, 25% within a month, 25% within a year, and 25% NEVER!

• When prompted, install the updates manually, and select automatic updates if possible

• Install software and app updates when available on your phone

• Don’t forget your routers and security cameras; most are set up initially with a common default user name and password

Page 20

Reduce Social Network Sharing

• Avoid the need to share company-sensitive data on professional networks such as LinkedIn

• Hackers use social profiles to gather intelligence to conduct spear phishing attacks on businesses or individuals

• Criminals seeking to infiltrate organizations often use phishing emails and other forms of social engineering to convince valid users to compromise their businesses

• Facebook’s Cambridge Analytica debacle is just the tip of the iceberg

Page 21

Avoid OOO Message Details

• Out-of-Office messages can help hackers phish your business by obtaining the missing bits of information for a well defined attack

• Avoid messages that specify dates, locations and activities

• “Sorry I am out of the office this week for a sales conference in Las Vegas. If you need help, contact Sally at 601-555-1212.”

• Limit the information you share

• “Your message has been received. However, due to full-day meetings, I may be slow to respond. Thank you for understanding.”

Page 22

Defense-in-Depth Strategy

• We now live in a mobile-first, cloud-enabled world

• Humans are the new “Perimeter”

• Data is the new “currency,” wherever it lives

• We are now charged with protecting data, devices, networks and the cloud simultaneously

• This requires a defense-in-depth approach

Page 23

First Layer Defense

• Administrative Controls include security management processes, workforce security, data access management, and contingency plans

• Can include tools such as formal security policies and procedures and IT acknowledgement forms

• Physical Controls include defenses such as facility access controls, workstation use, device and media controls

• Can include tools such as monitored alarms, surveillance equipment, and biometric screening

Page 24

Second Layer Defense

• Technical Controls include defenses such as audit controls, data access controls and transmission security

• Can include tools such as third-generation firewall technology, which is multi-functional and a low-cost option to improve security

• Encrypt! Encrypt! Encrypt! Your critical data and devices!

• Make sure you know who is on your network and only allow access to those people or programs that need that data

Page 25

• Tests network security in place

• TSG plays the role of a hacker

• Can be done internally or externally

• Rules of engagement set in advance of test

• Detailed debriefing and findings report

Page 26

Know Your Regulations

• Knowing your state, federal and industry regulations is absolutely critical

• MS just passed a bill creating new cyber security requirements

• CCPA, GDPR, HIPAA… and more coming, are just a few examples

• May include data handling requirements for PII, notification requirements in the event of a data breach, and even a named CISO/CDPO

• Jail time and heavy fines may be imposed for non-compliance, particularly for willful negligence or failure to notify within the specified timeframe
