HFMA Washington-Alaska Spring Conference

Posted 04-Aug-2020

Page 1: HFMA Washington-Alaska Spring Conference · • Cost Segregation • Individual Tax • International Tax • R&D • SALT • Sales and Use Tax • Wealth Management • Consulting

© Wipfli LLP HFMA Washington-Alaska Chapter Spring Conference

Page 2: The Balancing Act: Managing Cyber Security Requirements

Page 3: Today's Agenda

• Utilize the lessons learned to implement proactive strategies at your organization as they pertain to cyber-security and risk management.

• Explain the importance of leadership understanding the relationship between compliance and cyber-security, and the alignment of these two topics.

• Understand how meeting HIPAA regulatory requirements is only one piece of cyber-security.

Page 4:

Our goal is for participants to walk away understanding that the topics presented are an organizational responsibility, not just Information Technology's responsibility.

Page 5: Why Does Cyber Security Deserve More Attention?

• In 2018 alone, 15 million patient records were breached.

• Breached organizations can spend upwards of $3.62 million per breach (reputational damage is not measurable).

• 81 percent of cybersecurity incidents are rooted in employee negligence.

• The healthcare industry invests less than 6 percent of its budget in cybersecurity.

• Much of this information is resold by hackers on the dark web and used for identity theft and tax scams. A pilfered medical record can sell for $50 on the digital black market, compared to $1 for a stolen Social Security number or credit card.

Page 6: (Infographic)

81 major health data breaches have been added to the U.S. Department of Health and Human Services HIPAA Breach Reporting Tool website so far this year.

Page 7: Most Common Breaches To Date

• Hacking
  o Periodic assessment
  o Proactive monitoring/detection

• IT Asset Misconfiguration
  o Configuration standards/periodic assessment

• Ransomware
  o Education

• Phishing Attack
  o Education

• Vendors/Business Associates (20% of health care breaches in 2018*)
  o Risk management

• Device/Paper Theft
  o Encryption & education

• Device/Paper Loss
  o Encryption, physical security & education

*CynergisTek annual 2019 report - Measuring Progress: Expanding the Horizon

Page 8: HFMA Washington- Alaska Spring Conference · • Cost Segregation • Individual Tax • International Tax • R&D • SALT • Sales and Use Tax • Wealth Management. Consulting

In its response to Sen. Mark Warner’s (D-Va.) recent request for input on how the healthcare sector can improve its cybersecurity posture. The American Medical Association emphasized four major points: o Cybersecurity is a patient safety issue.o Cyberattacks are inevitable and increasing.o Physicians are interested in receiving tools and resources to assist

them in their cybersecurity efforts.o The increased focus on electronic health information exchange is

"putting the entire health care ecosystem at risk."

AMA Top Concerns

© Wipfli LLP HFMA Washington-Alaska Chapter Spring Conference 7

Page 9: Confidential Information Is Everywhere

Page 10: What Does Information Security Mean to You?

• Cyber Security, IT Security or Information Security
• Organizational vs. Technology-Centric
• Dedicated Resource
• Small vs. Large Organizations
• Proper Separation of Responsibility
• Synergies with Facilities, Human Resources, Compliance, Privacy, Audit, etc.

Page 11: HIPAA Security Rule

• People, process and technology
• Data confidentiality, integrity and availability
• Administrative, physical and technical controls
• Signed into law February 20, 2003 (compliance deadline of April 21, 2005) – Why is this important?!

Page 12: What Has Changed Since 2003

• Technology (i.e. storage, smaller, wearable, wireless, portable)
• Social Media
• Health care is ground zero for attacks – soft targets
• Attacks can come from anywhere around the world
• OCR penalties for HIPAA violations average $1.5 million
• Civil and criminal penalties can accompany OCR penalties
• Outsourcing IT
• Shadow IT
• Old is sometimes new = ransomware
• Insider threat – malicious/deliberate and accidental = 75% of incidents

Page 13: What Is Information Security?

• The protection of information (paper or electronic) from unauthorized (intentional or unintentional) access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction

• Goes by many different names, often used interchangeably:
  o Information security
  o Computer security
  o Information assurance
  o Information protection
  o Cyber security

• Information Security is defined by core concepts
• Information Security vs. IT Security

Page 14: Information Security Officer

• Formal appointment of responsibility by senior leadership
  o Not to be confused with legal or fiduciary responsibility as a corporate officer, nor the authority to accept risk on behalf of the organization
  o Advisor to and representative of senior leadership
  o Compliance vs. Privacy vs. Security

• Professional experience/certified
  o Certified Information Systems Security Professional (CISSP)
  o Certified Information Security Manager (CISM)
  o Certified in Healthcare Privacy and Security (CHPS)
  o Certified in Healthcare Security (CHS)

• Be careful of . . .
  o Technology versus business focus
  o Too many hats

• Outsourced management
  o "YOU" are still responsible

Page 15: Traits of Today's ISO

• Subject matter expert
• Writer
• Teacher
• Salesman/marketer
• Advisor
• Speaker/presenter
• Leader
• Manager
• Interpreter
• Approachable

Page 16: Policies & Procedures – The Foundation

• Approved by leadership
• Vetted by committee
• Applicable, realistic, enforceable and sustainable
• Review and update annually or when substantial changes occur
• Version control – retain old versions for 6 years
• Don't let them become shelfware
• BEWARE of templates, kits, etc.

Page 17: Information Security Risk Management

• Risk Management is:
  o Inclusive of all regulatory/statutory requirements
  o Inclusive of people, processes, and technology
  o Applies to all assets, information and vendors/BAs
  o Not the sole responsibility of IT
  o Not a checklist or a one-time or annual event
  o Needs to include the following attributes:
    • Management Responsibilities
    • Risk Identification
    • Risk Assessment
    • Risk Mitigation
    • Risk Acceptance
    • Continuous Monitoring
  o Consider incorporating into other organizational risk management functions

Page 18: Top 10 Myths of Security Risk Management

1. Security risk assessment is optional for small providers.
2. Installing a certified EHR fulfills my security risk analysis Meaningful Use requirement.
3. My EHR vendor will take care of everything I need to do for security and privacy.
4. I have to outsource the security risk assessment (Note: expert knowledge may be needed to stand up to an audit).
5. A checklist will suffice for a risk assessment.
6. There is a specific risk assessment method that I must follow.
7. My security risk analysis only needs to look at my EHR.
8. I only need to do a risk assessment once.
9. Before I attest for an EHR incentive program, I must fully mitigate all risks.
10. Each year I have to completely redo my security risk assessment.

Reference: https://www.healthit.gov/topic/privacy-security-and-hipaa/top-10-myths-security-risk-analysis

Page 19: Third Party Management – Common Pitfalls

• No Service Level Agreement or formal contract
• Business Associate Agreements not completed, not signed or outdated
• No due diligence/risk assessment prior to entering into a contractual relationship
• Lack of annual contractual review
• ISO is not included in the contract/procurement process

Page 20: Vulnerability Management

• External, Internal, Perimeter Assessments, Penetration Tests
• Configuration Management, Patch Management & Change Control
• Internal Resources vs. External (3rd Party) Resources
• Technical vs. Non-Technical Assessments
• What can be found on the Internet and used against you

Page 21: Workforce Education & Awareness

• Includes all workforce members
• Tailor training to your audience
• Orientation (before being given access) should include:
  o Intro to security officer
  o Read security governance documents
  o Compliance expectations – requirement of employment
  o Documented sign-off of receipt and understanding
• Ongoing
  o Not a once-a-year event
  o Think like a marketing person – be creative
• Annual
• Consider Computer-Based Training (CBT)

Page 22: Regulatory Oversight

• Office for Civil Rights (OCR)
• Federal Trade Commission (FTC)
• Centers for Medicare & Medicaid Services (CMS)
• State Attorneys General
• Unique statutory requirements
• Accreditation Organizations (i.e. URAC, JCAHO, EHNAC, etc.)
• Other
  o Class action lawsuits
  o Whistleblower
  o Patient complaints

Page 23: Free Resources

• http://www.hhs.gov/hipaa/for-professionals/index.html
• http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
• https://www.healthit.gov/
• https://resources.infosecinstitute.com/category/enterprise/securityawareness/security-awareness-training/top-20-security-awareness-posters-with-messages-that-stick/
• https://hipaacow.org/resources/

Page 24: Free Resources (continued)

• https://www.consumer.ftc.gov/topics/privacy-identity-online-security
• https://www.bbb.org/council/for-businesses/cybersecurity/resources/for-education-awareness-and-further-readings/
• https://www.cdse.edu/toolkits/seta/index.php
• https://www.cybersecurityeducation.org/resources/
• https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html


Page 26: Questions?

Page 27: Who Is Wipfli and What Does It Stand For?

• Headquarters: Milwaukee, Wisconsin
• Founded: 1930 (firm is 89 years old)
• FY18 Net Revenue: $316 million
• Number of associates (headcount, including partners): 2,200+
• Number of partners: 250+
• Number of CPAs (firm wide): 750
• Number of offices (firm wide): 47 offices – 45 offices in the U.S. and 2 offices in India
• Number of states: 13
• Number of clients: Over 100,000 businesses and individuals across the country
• Ranking: #19 - Inside Public Accounting's 2018 IPA 100 (July 2018); #20 - Accounting Today's Top 100 Firms (March 2018)

Page 28: Who Is Wipfli and What Does It Stand For? (continued)

Areas of Industry Focus
• Agriculture
• Construction and Real Estate
• Dealerships
• Financial Institutions
• Health Care
• Manufacturing and Distribution
• Nonprofit & Government
• Private Equity
• Tribal and Gaming

Audit and Tax Services
• Financial Accounting Outsourcing
• SOC (formerly SAS 70) Reporting
• Cost Segregation
• Individual Tax
• International Tax
• R&D
• SALT
• Sales and Use Tax
• Wealth Management

Consulting Services
• Business Advisory Services
• Employee Benefits
• Human Capital Management
• Information Technology Consulting
• M&A Support
• Org Development and Governance
• Outsourcing (Financial and IT)
• Process Improvement
• Risk Advisory
• Valuation, Forensic, Litigation Support

Page 29: Today's Presenter

Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP, Director, Health Care Risk Advisory Services – Wipfli

Mr. Rick Ensenbach is a career security professional with over 40 years of experience, with 15 years as a consultant. He has created, implemented and managed security programs within the health care and financial industries, and state and federal government. For the last 7 years, his focus has been advising healthcare organizations on regulatory compliance and program development, in addition to performing risk assessments. Mr. Ensenbach is an International Information Systems Security Association Distinguished Fellow, former president of the Upper Midwest Security Alliance and a United States Air Force veteran with over 21 years of honorable service.


Page 31: wipfli.com/healthcare