Whose Job Is It?
September 22, 2016
Speakers
Robert Mireles, CIPM, Sr. Healthcare Privacy Specialist for Managed Privacy Services, FairWarning
Chuck Burbank, CISO and Director of Managed Privacy Services, FairWarning
Agenda
• 2016 Enforcement Activity
• 7 Lessons Learned from 2016 OCR Resolution Agreements
• Breakdown of 2016 Breaches
• Insiders and the Emerging High Risk Threat Landscape
• The Why: Gaps in Privacy and Security
• Protecting Patient Data: Whose Job Is It?
• Privacy + Security: How to Close the Gaps
• People-Centric Security
• Q & A
2016: Enforcement Activity
August 18, 2016 - The OCR announced its initiative to investigate breaches affecting fewer than 500 individuals
This Year’s Resolution Agreements to Note:
• Advocate Healthcare Network’s $5.5 million settlement
• Oregon Health and Science University - $2.7 million
• $2.75 million settlement with University of Mississippi
March 2016 - Commencement of Phase 2 HIPAA audits, which included covered entities and business associates
August 1, 2016 - Bulletin citing the negative impact of insider threats on the confidentiality, integrity, and availability of ePHI
Full List of Resolution Agreements Year-to-Date
7 Lessons You Must Learn from OCR Resolution Agreements
1. Perform a Risk Analysis
2. Develop a Risk Management Plan
3. Have required policies and procedures
4. Develop an enhanced Privacy and Security Training Program
5. Review Business Associate Agreements and ensure you have a process in place to ensure they are obtained
6. Review encryption
7. Follow-up and document investigations of employee non-compliance
Breakdown of 2016 Breaches
• The Identity Theft Resource Center reports that Healthcare data breaches make up 36.2% of all reported breaches in 2016 YTD
• Over 11 million healthcare records were exposed in June alone
• That’s 5x the 2.1 million total records exposed from January to May
June Breach Breakdown
• 41.4% Hacking Incidents
• 41.4% Insider Theft and Errors
• 17.2% Theft or Loss of Paper Copies
Insider Threats and the Emerging PHI High Risk Threat Landscape
According to the 2016 Verizon DBIR, 73% of all healthcare data security incidents can be attributed to:
• Insider and Privilege Misuse (23%)
• Physical Theft and Loss (32%)
• Miscellaneous User Errors (18%)
Ransomware, Insider Abuses, Hacktivists, Espionage, Spear Phishing…
Systems can be compromised within minutes…
So, why does it take days to discover 56% of incidents and months to discover 39% of incidents?
The Why: Gaps in Privacy and Security
1. Lack of monitoring
- 40% are not monitoring applications that contain PHI
2. Lack of encryption
- Only 64% of organizations encrypt data in transit
3. Lack of network monitoring tools
- 46% do not have an intrusion detection system
- 47% do not use network monitoring tools
4. Skills Shortage
- Constrained budgets
- Scarce talent and resources limit cybersecurity readiness
Get more information on the HIMSS 2016 Survey Results
Protecting Patient Data: Whose Job Is It?
• Monitor for and detect inappropriate access in patient charts, insider threats, network intrusions, phishing attacks, compromised credentials and ransomware
• Investigate potential incidents
• Report confirmed breaches
• Audit for compliance with federal and state regulations
In the digital age, there is no privacy without security.
Privacy + Security: How to close the gaps
• Provide your workforce with ongoing specialized information security awareness training
• Encourage collaboration between Privacy and Security to develop and implement the necessary Administrative, Physical and Technical Controls
• Implement a security and privacy risk assessment
• Mitigate the risk of breaches through a defense-in-depth approach
• Maximize your security investments
People-Centric Security
• Easy-to-read individual employee risk profiles
• Identify unusual data access behaviors
• Reduce insider threat risks
• Strengthen compliance
• Increase the probability of knowing when an employee might quit
Your biggest asset is your biggest threat. Insider security is all about people.
Questions?
For more information, please visit: www.FairWarning.com
Email: [email protected]
Join us for the next FairWarning Executive Series Webinar at 2 pm EDT, October 6, 2016
The What Ifs: How to mobilize best practices to respond to real-world threat scenarios
When: October 6, 2016
Time: 2:00 pm EDT / 11:00 am PDT
Registration Fee: No Charge