TRANSCRIPT
HFMA Washington-Alaska Spring Conference
© Wipfli LLP HFMA Washington-Alaska Chapter Spring Conference 0
The Balancing Act: Managing Cyber Security Requirements
Today’s Agenda
• Utilize the lessons learned to implement proactive strategies at your organization as they pertain to cyber security and risk management.
• Explain the importance of leadership understanding the relationship between compliance and cyber security, and the alignment of these two topics.
• Understand how meeting HIPAA regulatory requirements is only one piece of cyber security.
Why Does Cyber Security Deserve More Attention?
Our goal is for participants to walk away understanding that the topics presented are an organizational responsibility, not just Information Technology’s responsibility.
• In 2018 alone, 15 million patient records were breached.
• Breached organizations can spend upwards of $3.62 million per breach (reputational damage is not measurable).
• 81 percent of cybersecurity incidents are rooted in employee negligence.
• The healthcare industry invests less than 6 percent of its budget in cybersecurity.
• Much of this information is resold by hackers on the dark web and used for identity theft and tax scams. A pilfered medical record can sell for $50 on the digital black market, compared to $1 for a stolen Social Security number or credit card number.
[Infographic] 81 major health data breaches have been added to the U.S. Department of Health and Human Services HIPAA Breach Reporting Tool website so far this year.
Most Common Breaches To Date
• Hacking
o Periodic assessment
o Proactive monitoring/detection
• IT Asset Misconfiguration
o Configuration standards/periodic assessment
• Ransomware
o Education
• Phishing Attack
o Education
• Vendors/Business Associates (20% of health care breaches in 2018*)
o Risk management
• Device/Paper Theft
o Encryption & education
• Device/Paper Loss
o Encryption, physical security & education
*CynergisTek annual 2019 report – Measuring Progress: Expanding the Horizon
AMA Top Concerns
In its response to Sen. Mark Warner’s (D-Va.) recent request for input on how the healthcare sector can improve its cybersecurity posture, the American Medical Association emphasized four major points:
o Cybersecurity is a patient safety issue.
o Cyberattacks are inevitable and increasing.
o Physicians are interested in receiving tools and resources to assist them in their cybersecurity efforts.
o The increased focus on electronic health information exchange is "putting the entire health care ecosystem at risk."
Confidential Information Is Everywhere
What Does Information Security Mean to You?
• Cyber Security, IT Security or Information Security
• Organizational vs. Technology-Centric
• Dedicated Resource
• Small vs. Large Organizations
• Proper Separation of Responsibility
• Synergies with Facilities, Human Resources, Compliance, Privacy, Audit, etc.
HIPAA Security Rule
• People, process and technology
• Data confidentiality, integrity and availability
• Administrative, physical and technical safeguards (controls)
• Final rule published February 20, 2003 (compliance deadline of April 21, 2005 for most covered entities) – Why is this important?
What Has Changed Since 2003
• Technology (e.g., storage, smaller, wearable, wireless and portable devices)
• Social media
• Health care is ground zero for attacks – soft targets
• Attacks can come from anywhere in the world
• OCR penalties for HIPAA violations average $1.5 million
• Civil and criminal penalties can accompany OCR penalties
• Outsourcing IT
• Shadow IT
• Old is sometimes new = ransomware
• Insider threat – malicious/deliberate and accidental = 75% of incidents
What Is Information Security?
• The protection of information (paper or electronic) from unauthorized (intentional or unintentional) access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction
• Goes by many different names, often used interchangeably:
o Information security
o Computer security
o Information assurance
o Information protection
o Cyber security
• Information security is defined by core concepts
• Information security vs. IT security
Information Security Officer
• Formal appointment of responsibility by senior leadership
o Not to be confused with legal or fiduciary responsibility as a corporate officer, nor the authority to accept risk on behalf of the organization
o Advisor to and representative of senior leadership
o Compliance vs. Privacy vs. Security
• Professional experience/certified
o Certified Information Systems Security Professional (CISSP)
o Certified Information Security Manager (CISM)
o Certified in Healthcare Privacy and Security (CHPS)
o Certified in Healthcare Security (CHS)
• Be careful of . . .
o Technology versus business focus
o Too many hats
• Outsourced management
o “YOU” are still responsible
Traits of Today’s ISO
• Subject matter expert
• Writer
• Teacher
• Salesman/marketer
• Advisor
• Speaker/presenter
• Leader
• Manager
• Interpreter
• Approachable
Policies & Procedures – The Foundation
• Approved by leadership
• Vetted by committee
• Applicable, realistic, enforceable and sustainable
• Review and update annually or when substantial changes occur
• Version control – retain old versions for 6 years (the Security Rule’s documentation retention requirement, 45 CFR 164.316(b)(2)(i): 6 years from creation or from when the document was last in effect, whichever is later)
• Don’t let them become shelfware
• BEWARE of templates, kits, etc.
Information Security Risk Management
• Risk Management is:
o Inclusive of all regulatory/statutory requirements
o Inclusive of people, processes and technology
o Applicable to all assets, information and vendors/BAs
o Not the sole responsibility of IT
o Not a checklist or a one-time or annual event
o Needs to include the following attributes:
  • Management Responsibilities
  • Risk Identification
  • Risk Assessment
  • Risk Mitigation
  • Risk Acceptance
  • Continuous Monitoring
o Consider incorporating into other organizational risk management functions
Top 10 Myths of Security Risk Management
1. Security risk assessment is optional for small providers.
2. Installing a certified EHR fulfills my security risk analysis Meaningful Use requirement.
3. My EHR vendor will take care of everything I need to do for security and privacy.
4. I have to outsource the security risk assessment (Note: expert knowledge may be needed to stand up to an audit).
5. A checklist will suffice for a risk assessment.
6. There is a specific risk assessment method that I must follow.
7. My security risk analysis only needs to look at my EHR.
8. I only need to do a risk assessment once.
9. Before I attest for an EHR incentive program, I must fully mitigate all risks.
10. Each year I have to completely redo my security risk assessment.
Reference: https://www.healthit.gov/topic/privacy-security-and-hipaa/top-10-myths-security-risk-analysis
Third Party Management – Common Pitfalls
• No Service Level Agreement or formal contract
• Business Associate Agreements not completed, signed or outdated
• No due diligence/risk assessment prior to entering into a contractual relationship
• Lack of annual contractual review
• ISO is not included in the contract/procurement process
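The risk management attributes listed on the Information Security Risk Management slide (identification, assessment, mitigation, acceptance and continuous monitoring, applied to assets and to vendors/BAs) and the third-party pitfalls above can be kept in a register that the ISO can actually query rather than a checklist. The following Python script is an added example, not code from the deck or from Wipfli. The 1-5 likelihood and impact scales, the multiplicative control-effectiveness model, the risk appetite of 8, the 365-day review interval and every sample risk and vendor are assumptions constructed for illustration; the HIPAA Omnibus Rule compliance date of September 23, 2013, used to flag business associate agreements that predate it, is the real date.

```python
# Risk register with vendor/BA checks. Added example, not from the deck;
# scales, thresholds and sample data are assumptions chosen for illustration.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Qualitative 1-5 scales (assumed; the Security Rule prescribes no method).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 8.0                     # residual score leadership tolerates (assumed)
REVIEW_INTERVAL = timedelta(days=365)   # "annual" for risks and contracts
OMNIBUS_COMPLIANCE = date(2013, 9, 23)  # BAAs signed earlier had to be updated

@dataclass
class Control:
    name: str
    effectiveness: float  # 0.0 = no reduction, 1.0 = fully mitigates

@dataclass
class Risk:
    risk_id: str
    asset: str            # system, information set or vendor/BA
    threat: str
    owner: str            # management responsibility: a business owner, not "IT"
    likelihood: str
    impact: str
    controls: List[Control] = field(default_factory=list)
    last_reviewed: Optional[date] = None
    accepted_by: Optional[str] = None  # named approver if residual risk is accepted

    def inherent(self) -> int:
        # Risk assessment: score before any control is credited.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> float:
        # Risk mitigation: each control removes its share of what remains.
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return round(self.inherent() * remaining, 1)

    def decision(self) -> str:
        # Risk acceptance: above appetite needs a named approver or more work.
        if self.residual() <= RISK_APPETITE:
            return "within appetite"
        if self.accepted_by:
            return f"accepted by {self.accepted_by}"
        return "mitigate or escalate"

    def review_overdue(self, today: date) -> bool:
        # Continuous monitoring: never reviewed, or older than the interval.
        return self.last_reviewed is None or today - self.last_reviewed > REVIEW_INTERVAL

@dataclass
class Vendor:
    name: str
    handles_phi: bool
    baa_signed: Optional[date]         # None = no BAA on file
    due_diligence_done: bool           # risk assessment before signing
    contract_reviewed: Optional[date]  # last annual contract review

def vendor_findings(v: Vendor, today: date) -> List[str]:
    """Flag the third-party pitfalls listed on the slide for one vendor."""
    findings = []
    if v.handles_phi and v.baa_signed is None:
        findings.append("no signed BAA")
    elif v.handles_phi and v.baa_signed < OMNIBUS_COMPLIANCE:
        findings.append("BAA predates Omnibus Rule; update required")
    if not v.due_diligence_done:
        findings.append("no risk assessment before contract")
    if v.contract_reviewed is None or today - v.contract_reviewed > REVIEW_INTERVAL:
        findings.append("annual contract review overdue")
    return findings

def build_sample_register() -> Tuple[List[Risk], List[Vendor]]:
    """Constructed sample data; no real systems, vendors or people."""
    risks = [
        Risk("R-1", "EHR database server", "ransomware", "CFO", "likely", "severe",
             [Control("offline backups, restore tested quarterly", 0.6),
              Control("endpoint detection with alerting", 0.3)], date(2019, 1, 15)),
        Risk("R-2", "clinic laptops", "theft of device", "Clinic manager", "possible",
             "major", [Control("full-disk encryption enforced", 0.9)], date(2017, 6, 1)),
        Risk("R-3", "fax server", "misdirected PHI", "Privacy officer", "likely",
             "moderate", accepted_by="CEO"),
    ]
    vendors = [
        Vendor("cloud backup provider", True, date(2012, 3, 1), True, date(2018, 2, 1)),
        Vendor("billing clearinghouse", True, None, False, date(2019, 3, 10)),
        Vendor("landscaping company", False, None, True, None),
    ]
    return risks, vendors

def register_report(today_iso: str) -> Tuple[list, Dict[str, List[str]]]:
    """Return (risk rows, vendor findings) as of an ISO date string."""
    today = date.fromisoformat(today_iso)
    risks, vendors = build_sample_register()
    rows = [(r.risk_id, r.owner, r.inherent(), r.residual(), r.decision(),
             r.review_overdue(today)) for r in risks]
    return rows, {v.name: vendor_findings(v, today) for v in vendors}
```

Calling `register_report("2019-05-01")` scores each risk (inherent, residual, decision, review overdue) and lists the findings per vendor. Two design points worth noting: residual risk above appetite is reported as accepted only when a named approver is recorded, which keeps acceptance with leadership rather than with IT, and a vendor that never handles PHI is still checked for due diligence and annual contract review, since the SLA and contract pitfalls apply to every third party, not only business associates.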
Vulnerability Management
• External, Internal and Perimeter Assessments, Penetration Tests
• Configuration Management, Patch Management & Change Control
• Internal Resources vs. External (3rd Party) Resources
• Technical vs. Non-Technical Assessments
• What can be found on the Internet and used against you
Workforce Education & Awareness
• Includes all workforce members
• Tailor training to your audience
• Orientation (before being given access) should include:
o Intro to the security officer
o Read security governance documents
o Compliance expectations – a requirement of employment
o Documented sign-off of receipt and understanding
• Ongoing
o Not a once-a-year event
o Think like a marketing person – be creative
• Annual
• Consider Computer-Based Training (CBT)
Regulatory Oversight
• Office for Civil Rights (OCR)
• Federal Trade Commission (FTC)
• Centers for Medicare & Medicaid Services (CMS)
• State Attorneys General
• Unique statutory requirements
• Accreditation organizations (e.g., URAC, JCAHO, EHNAC, etc.)
• Other
o Class action lawsuits
o Whistleblowers
o Patient complaints
Free Resources
• http://www.hhs.gov/hipaa/for-professionals/index.html
• http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
• https://www.healthit.gov/
• https://resources.infosecinstitute.com/category/enterprise/securityawareness/security-awareness-training/top-20-security-awareness-posters-with-messages-that-stick/
• https://hipaacow.org/resources/
• https://www.consumer.ftc.gov/topics/privacy-identity-online-security
• https://www.bbb.org/council/for-businesses/cybersecurity/resources/for-education-awareness-and-further-readings/
• https://www.cdse.edu/toolkits/seta/index.php
• https://www.cybersecurityeducation.org/resources/
• https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
Questions?
Who is Wipfli and What Does It Stand For?
Headquarters: Milwaukee, Wisconsin
Founded: 1930 (firm is 89 years old)
FY18 Net Revenue: $316 million
Number of associates (headcount, including partners): 2,200+
Number of partners: 250+
Number of CPAs (firm wide): 750
Number of offices (firm wide): 47 – 45 offices in the U.S. and 2 offices in India
Number of states: 13
Number of clients: Over 100,000 businesses and individuals across the country
Ranking: #19 – Inside Public Accounting’s 2018 IPA 100 (July 2018); #20 – Accounting Today’s Top 100 Firms (March 2018)
Areas of Industry Focus
• Agriculture
• Construction and Real Estate
• Dealerships
• Financial Institutions
• Health Care
• Manufacturing and Distribution
• Nonprofit & Government
• Private Equity
• Tribal and Gaming
Audit and Tax Services
• Financial Accounting Outsourcing
• SOC (formerly SAS 70) Reporting
• Cost Segregation
• Individual Tax
• International Tax
• R&D
• SALT
• Sales and Use Tax
• Wealth Management
Consulting Services
• Business Advisory Services
• Employee Benefits
• Human Capital Management
• Information Technology Consulting
• M&A Support
• Org Development and Governance
• Outsourcing (Financial and IT)
• Process Improvement
• Risk Advisory
• Valuation, Forensic, Litigation Support
Today’s Presenter
Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP, Director, Health Care Risk Advisory Services – Wipfli
Mr. Rick Ensenbach is a career security professional with over 40 years of experience, with 15 years as a consultant. He has created, implemented and managed security programs within the health care and financial industries and state and federal government. For the last 7 years, his focus has been advising healthcare organizations on regulatory compliance and program development, in addition to performing risk assessments. Mr. Ensenbach is an International Information Systems Security Association Distinguished Fellow, former president of the Upper Midwest Security Alliance and a United States Air Force veteran with over 21 years of honorable service.
wipfli.com/healthcare