Immediately Address IT Access Compliance Challenges

IT Access Compliance Challenges HCCA 2016

www.VERIPHYR.com 1

Immediately Address IT Access Compliance Challenges

Using Tools You Already Have

John Vastano, Ph.D., Chief Data Science Officer & Alan Norquist, CEO

Veriphyr

References

For Free Copy of Tools Used in This Talk
• Email: [email protected]

More on Examples in this Talk
• See: blog.Veriphyr.com

More on IT Access Compliance by Today’s Speakers
• Health Care Compliance Association (HCCA) webinar: www.hcca-info.org/cv/cgi-bin/msascartdll.dll/ProductInfo?productcd=003_AC082615

Agenda

Practical approach to access compliance you can use immediately

What is HIPAA IT access compliance

Why it is extremely important to top management

Why violations of access compliance are increasing so rapidly

Why it is a more significant legal issue than traditional IT security

How access compliance stops data thefts traditional IT security can’t

IT Access Compliance Under HIPAA

Insiders only have access required to perform job
• User access to systems and applications is reviewed on a periodic basis. §164.312(a)(1)

Insiders only use access as needed to perform job
• Regularly review records of information system activity. §164.308(a)(1)(ii)(D)

Insider = Employee, Contractor, Provider, 3rd Party or Anyone with Valid Credentials (Username and Password), including hackers with stolen credentials

You Can Keep Out the Hackers…

Cartoon by P. Daily

But Not Employees, Contractors, Providers, etc.

Employee Entrance

Cartoon by P. Daily

#1 Means of Insider Breach

Privilege Abuse

“Misusing privileges granted by a company to commit nefarious acts”

aka - Non-compliant user access

Why Increase in Violations of Access Compliance

Value of patient data for identity theft

Patient data more valuable than credit card
• Medical Record = $50.00
• Credit Card # = $1.50

Fraud using stolen patient data is lucrative
• Stolen Identity Tax Refund Fraud (SIRF)
• $21 Billion 2012-2017
• $2.1 Million for a Single Refund
• 34% of All Reported Identity Fraud

Selling Patient Data Instead of Drugs?

Quotes from FBI Press Release

“A confidential source (CS) initially approached [criminal] and inquired about purchasing narcotics.

[Criminal] told the CS that he did not have any narcotics but that he did have personal identity information (PII) that he was willing to sell to the CS….

[Criminal] provided the CS with specific instructions on what information to enter into the web pages of the Internet-based tax services to obtain a tax refund.

An examination of the PII revealed that it was from a medical services provider.”

Hackers vs. Privilege Abuse by Insiders – “Injury in Fact”

Hacker Steals Patient Data
• Did customer suffer “injury in fact”?
• No clear connection between data theft and identity theft

Employee Steals Patient Data via Privilege Abuse
• Local Law Enforcement Bust Local Identity Theft Ring
• “Among the paperwork were computer screen-shot printouts displaying patients’ personal information from a local hospital” – from actual indictment

Did patient suffer “injury in fact”?
• Credit card charge slips in name of hospital patients
• Screen-shots of patient’s data with hospital’s logo

Data Theft via Privilege Abuse by Insiders

Months and Years Before Discovered
• 18.75% - stole for years
• 31.25% - stole for months (source: Verizon)

No Technical Skills Required
• Hospital issued logins and passwords

Walk Out of Hospital with Stolen Data on Phone
• No need to email or upload data to the cloud
• Just take a photo on smart phone and walk out of the building
• Print out or e-mail stolen data from home

Insider Thefts via Privileged Abuse by Title (Verizon 2015)

Traditional IT Security is for Outsiders/Hackers

Focus on the network and not designed for insider privilege abuse

IT Security Technology
• Data Loss Protection (DLP)
• Security Event Mgmt (SEM/SIEM)
• Firewalls
• Intrusion Prevention (IDS/IPS)
• Security Intelligence
• Anti-Phishing
• Anti-Virus
• Anti-Malware

[Diagram labels: Hackers, Break In, Internet, Networks, Servers, Applications, Data, Get Data Out]

Access Compliance is for Data Breach by Insiders

Addresses privilege abuse of applications and data

Insider Privilege Abuse + Smartphone w/ Camera = Data Theft

Answer: Access Compliance
• Restrict access rights to job needs
• Monitor access activity vs. job needs

[Diagram labels: Internet, Networks, Servers, Applications, Data]

Access Compliance Techniques You Can Use NOW!

Using Tools You Probably Already Know and Have

Using Data Your Computer Systems Already Produce

Detailed Instructions and Examples

Enforce Access Compliance

Prevent Data Theft via Privilege Abuse by Insiders

Live Demonstration

Questions

Immediately Address IT Access Compliance Challenges

Using Tools You Already Have

For more information contact us: Alan Norquist or John Vastano

[email protected] or [email protected]

Blog.Veriphyr.com

www.Veriphyr.com