
T08 - Cybersecurity Threats and HIPAA Safeguards

4/30/2019

Anderson & Shoffner 1

Session #: T08

Cybersecurity Threats and HIPAA Safeguards

Michael Shoffner, Senior Manager, Chief Compliance and Security Officer, HW&Co.
Email: [email protected]  Phone: 216.378.7284

Jacqueline Anderson, Partner, Rolf Goffman Martin Lang LLP
Email: [email protected]  Phone: 216.682.2107

Objectives:

• Identify cybersecurity threats

• Have knowledge of relevant HIPAA legal requirements for protecting the privacy and security of PHI and the ‘cost’ of not doing so

• Differentiate various cybersecurity risk assessments

• Discover practical strategies and safeguards for protecting data, including on mobile devices

• Know how to respond to Data Breaches and Security Incidents


Cybersecurity Trends

[Chart: Most Frequently Targeted Industries in 2018. Horizontal axis: share of attacks, 0% to 20%. Industries shown: Finance and Insurance, Transportation, Professional Services, Retail, Manufacturing, Media, Government, Healthcare, Education, Energy.]

Cost of Healthcare Breach

The 2018 Ponemon Cost of a Data Breach study shows that the healthcare industry has the highest cost per record breached, at $408.

This is nearly twice the cost in the next-highest industry (Financial Services) and well above the all-industry average of $148 per record.


Types of Actors Involved in Breaches

Motivation for Breaches

Breach Timelines


Time to Discovery of a Breach

Incidents that turned into breaches (share of incidents : share of those that became a breach : share of all breaches):

• Lost and Stolen Assets: 13% : 76% became a breach : 14%

• Privilege Misuse: 18% : 93% became a breach : 24%

• Cyber-Espionage: 3% : 38% became a breach : 2%

• Crimeware: 21% : 9% became a breach : 3%

Combined share of all breaches: 43%

• Errors: 24% : 93% became a breach : 32%

• Malware: 22% : 15% became a breach : 5%

• Misuse: 16% : 87% became a breach : 22%

• Physical: 10% : 78% became a breach : 12%

• Social: 12% : 53% became a breach : 10%

Combined share of all breaches: 81%

Internet of Things (IoT) Attacks

Top devices attacked:

• Router 75.2%

• Connected Camera 15.2%

• Multi Media Device 5.4%

Top passwords used:

• 123456 24.6%

• [Blank] 17.0%

Average attacks per month: 5,233


Email Phishing

• 4% of people will click on a phishing email

• 78% of people will NOT click

• Once you have clicked on one, 15% do it again

• Only 17% of phishing emails are reported

• The first click in a phishing campaign is within 16 minutes

• The first click is usually done within an hour

• The first report is around 30 minutes, if it is reported

Top Phishing Email Details

Top subjects:

• Bill 15.7%

• Email delivery failure 13.3%

• Package delivery 2.4%

Top keywords:

• Invoice 13.2%

• Mail 10.2%

• Sender 9.2%

• Payment 8.9%


Top Phishing Email Details - continued

Top malicious attachments:

• .doc, .dot 37.0%

• .exe 19.5%

• .rtf 14.0%

1 in 2,995 emails was phishing in 2017; 1 in 3,207 emails was phishing in 2018.

Top attachment categories:

• Scripts / Macros 47.5%

• Executables 24.7%

48% of malicious email attachments are Office files, up from 5% in 2017.

Mobile Devices

One in 36 mobile devices had high-risk apps installed, or was rooted or jailbroken.


System Patches, Software Patches

At most 6% of breaches can be attributed to unpatched vulnerabilities, and a third of those still involved phishing or credential misuse.

Security Rule Framework

Risk Analysis

Administrative Safeguards

• Authorization and supervision of workforce

Physical Safeguards

• Facility access

• Removal of electronic media

Technical Safeguards

• Access controls

• Audit controls


OCR Enforcement in 2018

2018 Breach and Fine - Lack of a Risk Assessment

• Failure to conduct accurate and thorough risk analysis

• Failure to encrypt information where it was reasonable to do so

• Failure to implement policies and procedures

Fine: $3.5 million


Online Risk Assessment Resources

Risk analysis following the template/program located at:
https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

Disclaimer

The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.

NOTE: The NIST Standards provided in this tool are for informational purposes only as they may reflect current best practices in information technology and are not required for compliance with the HIPAA Security Rule’s requirements for risk assessment and risk management. This tool is not intended to serve as legal advice or as recommendations based on a provider or professional’s specific circumstances. We encourage providers, and professionals to seek expert advice when evaluating the use of this tool.

Online Security Risk Assessment Tool

Sample Risk Assessment Component

Columns: ID | Question | Answer | Likelihood | Impact | Reason Flagged | Notes | Remediation | Current Activity | Timestamp | Risk level | Citation

Sample row A01:

• Question: Does your practice develop, document, and implement policies and procedures for assessing and managing risk to its ePHI?

• Answer / Likelihood / Impact / Reason Flagged / Notes: Yes / Medium / High / N/A / No

• Activity note: We are currently completing the SRA and contracted an outside resource which completed an evaluation in 2016.

• Timestamp: [AC] 5/17/2017 9:43:37 am

• Risk level: Medium

• Citation: §164.308(a)(1)(i)


Risk Assessment

Breaches by Location of PHI

[Chart: 2018 Healthcare Data Breaches by PHI Location. Horizontal axis: number of breaches, 0 to 140. Locations shown: Other Portable Electronic Device, Laptop, Other Portable Electronic Device, Paper/Films, Email, Network Server, Desktop Computer, Electronic Medical Record. Bar values in chart order: 21, 27, 35, 81, 122, 74, 34, 27.]

2019 Healthcare Data Breaches

[Chart: Healthcare Data Breaches by Month, Sep-18 through Feb-19. Vertical axis: 0 to 40. Values in chart order: 25, 31, 34, 23, 33, 32.]


Cause of Healthcare Breaches

[Chart: Cause of Healthcare Breaches. Vertical axis: 0 to 30. Categories in chart order: Theft, Unauthorized Access/Disclosure, Hacking/IT Incident. Values in chart order: 4, 4, 24.]

Breach Notification Rule

• A breach occurs where there is an acquisition, access, use, or disclosure of unsecured PHI that:

– Violates the Privacy Rule, AND

– Compromises the security or privacy of the PHI

Presumption of breach

Exceptions:

• Unintentional access by workforce member or agent

• Inadvertent disclosure amongst authorized persons

• Inability to retain information

• Low probability of compromise based on risk assessment


Breach Notification Rule

• Notification requirements

– Each individual whose PHI may have been breached

– Department of Health and Human Services

– If the breach involves 500 or more individuals, the media

• Contents of notice

– Brief description of the breach

– Types of unsecured PHI involved

– Steps individuals can take to protect themselves

– Description of what the covered entity is doing to investigate, mitigate losses, and prevent future breaches

– Contact information

2018 Fine for Untimely Response


Breach Discovery

• Indicia of potential breaches

• Unusual computer system activity

• Unusual employee activity

• Loss of equipment

Breach Response

• Regulatory requirements

• Internal requirements

• Leverage internal controls

• Leverage risk assessments

Ohio Safe Harbor Law

• Ohio Revised Code Chapter 1354

• Effective November 2, 2018

• Creates affirmative defense to tort causes of action brought under Ohio law stemming from breaches of personal information

• Encourages adoption of cybersecurity programs


Ohio Safe Harbor Law

Three Requirements to Qualify:

1. Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards

2. The cybersecurity program must:

• Protect the security and confidentiality of the information

• Protect against any anticipated threats or hazards to the security or integrity of the information

• Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud

3. The scale of the program is appropriate based upon:

• The size and complexity of the covered entity;

• The nature and scope of the activities of the covered entity;

• The sensitivity of the information to be protected;

• The cost and availability of tools to improve information security and reduce vulnerabilities;

• The resources available to the covered entity.

Ohio Safe Harbor Law

Cybersecurity programs that reasonably conform to any of these industry standards qualify:

• Framework for Improving Critical Infrastructure Cybersecurity developed by NIST, and certain other NIST publications

• The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework

• The Center for Internet Security Critical Security Controls for Effective Cyber Defense

• The International Organization for Standardization/International Electrotechnical Commission 27000 family (Information Security Management Systems)

• Payment Card Industry (PCI) Data Security Standard


Ohio Safe Harbor Law

For covered entities regulated by the state or federal government, cybersecurity programs that conform to any of these laws qualify:

• Security Requirements of HIPAA

• Title V of the Gramm-Leach-Bliley Act of 1999

• The Federal Information Security Modernization Act of 2014

• The Health Information Technology for Economic and Clinical Health Act

NIST Cybersecurity Framework


NIST Cybersecurity Framework

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

ID.AM-1: Physical devices and systems within the organization are inventoried

ID.AM-2: Software platforms and applications within the organization are inventoried

ID.AM-3: Organizational communication and data flows are mapped

ID.AM-4: External information systems are catalogued

ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established

Mobile Devices and Encryption

Mobile Device Breach

The guide NIST Special Publication 1800-4, Mobile Device Security, gives practical advice on mobile device management. The guide can be viewed or downloaded from NIST/NCCoE.


Mobile Device Management, 2nd Factor Authentication

Cyber Security - Usage

Encryption

• Key must be controlled and complex

• Best get out of jail free card around, but….

2nd Factor Authentication

Passwords

“As a rule of thumb, if you can remember it, it isn’t a good password”

“My recommendation for memorability is that it should be extraordinarily obscene – which also makes it less likely that you will go and tell anyone.” -- Lance Cottrell


Passwords

“You might have a very good password on your bank or investment account, but if your gmail account doesn’t have a good password on it, and they can break into that, and that’s your password recovery email, they’ll own you” -- Lance Cottrell

Passwords

Stolen hash files (password databases) are particularly vulnerable because all the work is done on the attacker’s computer. There is no need to send a trial password to a website or application to see if it works.

Passwords

If a hacker wants to try to get into bank accounts:

Logging in to the same account several times will trigger alerts, lock-outs, or other security measures.

So they take a giant list of known email addresses, take a giant list of the most common passwords, and proceed to try every single email address with the most common password. Each account only gets one failure at a time.

They wait a small amount of time and move on to the next common password.

If they have really compromised systems, they can target a website and have a million compromised computers send attempts that all come from different IP addresses to further evade detection.
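The pattern just described (one common password against many accounts, so no single account trips its lockout) is what a defender has to alert on instead. The following is an added example, not from the presentation: a small detector over a constructed authentication log that flags a source touching many distinct accounts with few failures each and, when sources are pooled, the distributed variant; the log format and thresholds are assumptions.

```python
"""Detect the password-spray pattern described in the slide: one common
password tried once per account across many accounts, optionally spread
over many source IPs. Added example, not from the presentation; the log
format and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "<ISO time> <user> <FAIL|OK> <source ip>".
# 09:00 spray from one IP, 09:15 brute force on one account, 09:30 spray
# spread across five IPs (one attempt each, as the slide describes).
SAMPLE_LOG = """\
2019-04-30T09:00:01 alice FAIL 203.0.113.10
2019-04-30T09:00:03 bob FAIL 203.0.113.10
2019-04-30T09:00:05 carol FAIL 203.0.113.10
2019-04-30T09:00:07 dave FAIL 203.0.113.10
2019-04-30T09:00:09 erin FAIL 203.0.113.10
2019-04-30T09:00:11 frank FAIL 203.0.113.10
2019-04-30T09:15:00 bob FAIL 198.51.100.7
2019-04-30T09:15:10 bob FAIL 198.51.100.7
2019-04-30T09:15:20 bob FAIL 198.51.100.7
2019-04-30T09:15:30 bob FAIL 198.51.100.7
2019-04-30T09:30:00 alice FAIL 192.0.2.1
2019-04-30T09:30:02 carol FAIL 192.0.2.2
2019-04-30T09:30:04 erin FAIL 192.0.2.3
2019-04-30T09:30:06 gina FAIL 192.0.2.4
2019-04-30T09:30:08 hank FAIL 192.0.2.5
2019-04-30T09:31:00 hank OK 198.51.100.9
"""

def parse_log(text):
    """Parse the constructed format into time-sorted (time, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result, ip))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5,
                 max_per_account=2, group_by_ip=True):
    """Flag a source whose failures inside `window` hit at least `min_accounts`
    distinct accounts while no account fails more than `max_per_account` times.
    With group_by_ip=False all sources are pooled under "*", which is how the
    distributed variant (one attempt per bot IP) becomes visible. Returns
    {source: sorted targeted accounts}; a single-account brute force is not
    reported, since the per-account lockout the slide mentions covers it."""
    failures = defaultdict(list)
    for ts, user, result, ip in events:
        if result == "FAIL":
            failures[ip if group_by_ip else "*"].append((ts, user))
    findings = {}
    for source, fails in failures.items():
        for i, (start, _) in enumerate(fails):       # slide the window over each failure
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                findings.setdefault(source, set()).update(per_user)
    return {s: sorted(u) for s, u in findings.items()}

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-IP spray:", detect_spray(evts))
    print("pooled spray:", detect_spray(evts, group_by_ip=False))
```

Per-IP grouping catches the single-source spray but misses the five bot IPs; only the pooled view (many accounts, one failure each, across sources in one window) surfaces the distributed case.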


Terminating Access

Importance of Business Associate Agreements

Needing a BAA….. ALWAYS

Google Calendar is a “HIPAA compliant” calendar service, as it is included in Google’s BAA. However, unless a signed BAA is obtained by a covered entity PRIOR to using the service in connection with any ePHI, it constitutes a HIPAA violation.


Not everything is / or can be HIPAA Compliant

iCloud terms and conditions… “If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”

PCC Strategies

• User Access / Security Settings / Permissions

• External Provider Access

• Remote Users

• Exception Reviews

• Termination / Deletion / Disable

Software Strategies


Session #: T08 Cybersecurity Threats and HIPAA Safeguards

Any Questions or Follow Up
