IT Access Compliance Challenges HCCA 2016
www.VERIPHYR.com 1
Immediately Address IT Access Compliance Challenges
Using Tools You Already Have
John Vastano, Ph.D., Chief Data Science Officer & Alan Norquist, CEO
Veriphyr
References
For Free Copy of Tools Used in This Talk Email: [email protected]
More on Examples in this Talk See: blog.Veriphyr.com
More on IT Access Compliance by Today’s Speakers: Health Care Compliance Association (HCCA) webinar, www.hcca-info.org/cv/cgi-bin/msascartdll.dll/ProductInfo?productcd=003_AC082615
Agenda
Practical approach to access compliance you can use immediately
What is HIPAA IT access compliance
Why it is extremely important to top management
Why violations of access compliance are increasing so rapidly
Why it is a more significant legal issue than traditional IT security
How access compliance stops data thefts traditional IT security can’t
IT Access Compliance Under HIPAA
Insiders only have access required to perform job: user access to systems and applications is reviewed on a periodic basis. §164.312(a)(1)
Insiders only use access as needed to perform job: regularly review records of information system activity. §164.308(a)(1)(ii)(D)
Insider = Employee, Contractor, Provider, 3rd Party or Anyone with Valid Credentials (Username and Password), including hackers with stolen credentials
You Can Keep Out the Hackers…
Cartoon by P. Daily
But Not Employees, Contractors, Providers, etc.
Employee Entrance
Cartoon by P. Daily
#1 Means of Insider Breach
Privilege Abuse
“Misusing privileges granted by a company to commit nefarious acts”
aka - Non-compliant user access
Why Increase in Violations of Access Compliance
Value of patient data for identity theft
Patient data more valuable than credit card: Medical Record = $50.00; Credit Card # = $1.50
Fraud using stolen patient data is lucrative: Stolen Identity Tax Refund Fraud (SIRF)
$21 Billion 2012-2017
$2.1 Million for a Single Refund
34% of All Reported Identity Fraud
Selling Patient Data Instead of Drugs?
Quotes from FBI Press Release
“A confidential source (CS) initially approached [criminal] and inquired about purchasing narcotics.
[Criminal] told the CS that he did not have any narcotics but that he did have personal identity information (PII) that he was willing to sell to the CS….
[Criminal] provided the CS with specific instructions on what information to enter into the web pages of the Internet-based tax services to obtain a tax refund.
An examination of the PII revealed that it was from a medical services provider.”
Hackers vs. Privilege Abuse by Insiders – “Injury in Fact”
Hacker Steals Patient Data: Did customer suffer “injury in fact”? No clear connection between data theft and identity theft.
Employee Steals Patient Data via Privilege Abuse: Local Law Enforcement Bust Local Identity Theft Ring
“Among the paperwork were computer screen-shot printouts displaying patients’ personal information from a local hospital” – from actual indictment
Did patient suffer “injury in fact”? Credit card charge slips in name of hospital patients; screen-shots of patient’s data with hospital’s logo
Data Theft via Privilege Abuse by Insiders
Months and Years Before Discovered: 18.75% stole for years; 31.25% stole for months (source: Verizon)
No Technical Skills Required: hospital-issued logins and passwords
Walk Out of Hospital with Stolen Data on Phone: no need to email or upload data to the cloud; just take a photo on a smartphone and walk out of the building; print out or e-mail stolen data from home
Insider Thefts via Privilege Abuse by Title (Verizon 2015)
Traditional IT Security is for Outsiders/Hackers
Focus on the network and not designed for insider privilege abuse
(Diagram labels: Internet, Networks, Servers, Applications, Data; Hackers: Break In, Get Data Out)
IT Security Technology
• Data Loss Protection (DLP)
• Security Event Mgmt (SEM/SIEM)
• Firewalls
• Intrusion Prevention (IDS/IPS)
• Security Intelligence
• Anti-Phishing
• Anti-Virus
• Anti-Malware
Access Compliance is for Data Breach by Insiders
Addresses privilege abuse of applications and data
(Diagram labels: Internet, Networks, Servers, Applications, Data)
Insider Privilege Abuse + Smartphone w/ Camera = Data Theft
Answer: Access Compliance
• Restrict access rights to job needs
• Monitor access activity vs. job needs
Access Compliance Techniques You Can Use NOW!
Using Tools You Probably Already Know and Have
Using Data Your Computer Systems Already Produce
Detailed Instructions and Examples
Enforce Access Compliance
Prevent Data Theft via Privilege Abuse by Insiders
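As an added example (not from the talk or from Veriphyr’s tools), the script below runs the two HIPAA reviews the deck cites over constructed data: a review of user access rights against job need (§164.312(a)(1)) and a review of information system activity records (§164.308(a)(1)(ii)(D)), the two controls behind “restrict access rights to job needs” and “monitor access activity vs. job needs”. The role model, user names, entitlement export, log format and daily-volume threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed role model: the applications each job title needs (assumption).
ROLE_NEEDS = {
    "nurse_icu": {"ehr_icu"},
    "billing_clerk": {"billing"},
    "front_desk": {"scheduling"},
}
# Constructed entitlement export: (user, job title, application held).
ENTITLEMENTS = [
    ("jdoe", "nurse_icu", "ehr_icu"),
    ("jdoe", "nurse_icu", "billing"),        # held, but not needed by the job
    ("asmith", "billing_clerk", "billing"),
    ("bjones", "front_desk", "scheduling"),
    ("bjones", "front_desk", "ehr_icu"),     # held, but not needed by the job
]
# Constructed activity records: timestamp, user, application, patient record id.
ACCESS_LOG = """\
2016-03-01T08:02:11 jdoe ehr_icu MRN1001
2016-03-01T08:05:40 jdoe ehr_icu MRN1002
2016-03-01T09:10:02 bjones ehr_icu MRN1001
2016-03-02T02:31:55 asmith billing MRN1003
2016-03-02T02:32:01 asmith billing MRN1004
2016-03-02T02:32:09 asmith billing MRN1005
2016-03-02T02:32:15 asmith billing MRN1006
"""
LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\d)T\S+ (\S+) (\S+) (\S+)$")

def excess_entitlements(entitlements=ENTITLEMENTS, role_needs=ROLE_NEEDS):
    """Review 1 (access rights): applications a user holds beyond job need."""
    return sorted({(user, app) for user, role, app in entitlements
                   if app not in role_needs.get(role, set())})

def review_activity(log_text=ACCESS_LOG, entitlements=ENTITLEMENTS,
                    role_needs=ROLE_NEEDS, daily_limit=3):
    """Review 2 (activity records): use outside job need, or one user touching
    more than daily_limit distinct patient records in a day (assumed threshold)."""
    roles = {user: role for user, role, _ in entitlements}
    findings, records_per_day = [], defaultdict(set)
    for match in filter(None, map(LOG_RE.match, log_text.splitlines())):
        day, user, app, mrn = match.groups()
        if app not in role_needs.get(roles.get(user), set()):
            findings.append((user, day, "outside_job_need", app))
        records_per_day[(user, day)].add(mrn)
    for (user, day), mrns in sorted(records_per_day.items()):
        if len(mrns) > daily_limit:
            findings.append((user, day, "high_volume", len(mrns)))
    return findings
```

Both reviews work from data most sites already export (an entitlement report and application access logs); the volume threshold should be tuned per role rather than fixed as here.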
Live Demonstration
Questions
Immediately Address IT Access Compliance Challenges
Using Tools You Already Have
For more information contact us: Alan Norquist or John Vastano
[email protected] or [email protected]
Blog.Veriphyr.com
www.Veriphyr.com