1 Let’s Get Real: Creating a Practical Data Security Program Session # 203, March 8, 2018 8:30 - 9:30 AM Speakers: Julia R. Hesse, Choate, Hall & Stewart LLP Sonia Arista, GuidePoint Security

Page 1: Let’s Get Real: Creating a Practical Data Security Program · • Focus on the basics • Remediation plan must include redundant systems to decrease ransomware threat. 16 Agenda

1

Let’s Get Real: Creating a Practical Data Security Program

Session # 203, March 8, 2018 8:30 - 9:30 AM

Speakers: Julia R. Hesse, Choate, Hall & Stewart LLP

Sonia Arista, GuidePoint Security

Page 2

Speaker Introductions

Julia R. Hesse, J.D., M. Bioethics

Partner

Choate, Hall & Stewart LLP

Sonia E. Arista, CISM

National Healthcare Lead

GuidePoint Security

Page 3

Agenda

• Conducting and documenting risk assessments

• Developing a data security program among disparate vendors

• Summarizing regulatory guidance on effective security standards

• Discussing legal trends

Page 4

Learning Objectives:

• Identify practical tactics for creating a data security program among disparate vendors

• Discuss practical solutions for legal issues surrounding risk assessment, including documentation and contract drafting

• Analyze regulatory guidance on effective data security standards

Page 5

Agenda

• Conducting and documenting risk assessments

• Developing a data security program among disparate vendors

• Summarizing regulatory guidance on effective security standards

• Discussing legal trends

Page 6

Risk Assessment: Overview

An important part of a health information technology system is having adequate internal and external security controls, as well as generally having a complete overview of the risks facing the system.

Do you have a procedure that periodically evaluates:

o Security

o Availability

o Integrity

Page 7

Risk Assessment: Technical

First define the business environment and scope of the assessment, then identify the supporting technology:

- Application (EMR)

- Line of business or line of service (Help Desk, Development, Transcription)

- Defined customer environment

- Operational area of the business (HR, Billing, etc.)

- Specific network segment or data center

- Integration Engine *

* Increasingly important with interoperability and leveraged SaaS analytics engines

Page 8

Risk Assessment: Technical

Then, ensure that the fundamental elements are reviewed:

- Network Environment

- Endpoint Asset Hardening

- Access Control and Identity Management

- Application Code Vulnerability Assessment

- If hosted, ask to review risks identified by your partner or service provider

Don’t forget to incorporate risks already identified in your overall corporate risk register that apply!

Page 9

Risk Assessment: Incident Response/Disaster Recovery

• Assume a data breach or cyber-attack will occur

• Any risk assessment must include incident response measures and the ability to recover/resume operations

Page 10

Risk Assessment: Incident Response: Process/Emergency

• Develop and implement an emergency process to respond to an attack

• Assemble and test response team including legal, insurance, PR, senior team

• Consider holding some bitcoin

• Goal is to implement a process that allows the data security professionals to address the incident itself

Page 11

Risk Assessment: Regulatory Guidance

U.S. Department of Health and Human Services Office of Civil Rights

Office of the National Coordinator

Federal Trade Commission

Page 12

Risk Assessment: Regulatory Guidance

U.S. Department of Health and Human Services Office of Civil Rights and Office of the National Coordinator – Developed Security Risk Assessment (SRA) Tool

• www.healthit.gov/providers-professionals/security-risk-assessment-tool

• Available as online application, or downloadable

U.S. Department of Health and Human Services Office of Civil Rights and Office of the National Coordinator – Top 10 Myths of Security Risk Analysis

• Checklists aren’t enough

• It must go beyond EHR

Federal Trade Commission – Process-based approach focused on NIST Cybersecurity Framework

• Annual Data Privacy and Security Updates

Page 13

Risk Assessments: Documentation

One size does NOT fit all – GRC tools and templates are good support tools, but can be inefficient or not optimal for every environment!

Depending on need, scope will most likely vary due to:

- Customer Commitments

- Technology Environment

- Breadth of manual processes within the environment

- Frequency

- Validated vs. Self-Assessment

Tools and methodologies will (…and can…and should) vary!

Page 14

Risk Assessment: M&A/Transactions

• Importance of documented risk assessment in acquisitions

• Use in framing post-acquisition investment

• Baseline security obligations for early stage companies

– Define PI maintained, identify secure hosting provider

– PCI Compliance

– Documented risk assessments becoming baseline expectation

– Why? To make the company more attractive to investment and sale

Page 15

General Recommendations for Risk Assessments

GOAL: Have a comprehensive risk assessment report or set of reports

available upon request of a regulator, with a defined process for implementing recommendations

TACTICS:

• Global risk assessment must include risks of IOT devices

• Define internal process

- Identify data system owners and assign responsibility for risk assessment/remediation

• Use common vocabulary and report formats

• Determine – and stick to – timeline for review AND remediation

• Focus on the basics

• Remediation plan must include redundant systems to decrease ransomware threat

Page 16

Agenda

• Conducting and documenting risk assessments

• Developing a data security program among disparate vendors

• Summarizing regulatory guidance on effective security standards

• Discussing legal trends

Page 17

Vendor Risk Assessment: Third Party Security Controls

• Practical tactics in vendor risk assessment

• Identify internal and external security measures, particularly focusing on the need to ensure adequate third party security controls

• Self-certification using the HITRUST framework

• Incorporation into governance, risk management and compliance program

Page 18

Vendor Risk Assessment: Legal Strategies

• Using contractual terms and agreements to address security obligations of outside vendors, including:

– How to specifically define security obligations

– How to use contractual language to transfer away risk

Page 19

Agenda

• Conducting and documenting risk assessments

• Developing a data security program among disparate vendors

• Summarizing regulatory guidance on effective security standards

• Discussing legal trends

Page 20

Regulatory Guidance - Effective Security Standards

“Ransomware” = Serious Health Issues

• Basically it’s a virus that locks up files and hardware.

• Common definition: “computer malware that installs covertly on a victim's computer, executes a cryptovirology attack that adversely affects it, and demands a ransom payment to decrypt it or not publish it.”

• Ransomware is NOT new… it’s been around for decades.

• Recently seen a huge spike in ransomware incidents.

• Why? Because of connected devices….

Page 21

Regulatory Guidance - Effective Security Standards

Ransomware Hits Medical Facilities

• Unsecured medical devices are ripe for ransomware attacks

• These attacks can cripple, even shut down entire operations

• Most medical facility cybersecurity measures are aimed at HIPAA security NOT device security

• The threat will continue so long as devices are insecure and malicious software can move “laterally”

Page 22

Regulatory Guidance - Effective Security Standards

Ransomware Hits Medical Facilities

• As of August 2016, 88% of ransomware attacks hit hospitals/medical facilities

• 2017 saw even higher rate of ransomware attacks, with both WannaCry and NotPetya dominating the news cycle

- Attacks targeting IOT and smaller providers

- Accenture and American Medical Association report that over 83% of physicians surveyed have experienced a cyber security attack

• Health care facilities seem to be hit regularly:

- Hollywood Presbyterian

- USC hospitals

- MedStar Health (Washington DC area)

- Allscripts ransomware attack in January 2018 - data centers attacked by Samsam virus

• Effects of ransomware attacks:

- Employees cannot log in

- Patient appointments had to be cancelled

- No electronic records or prescriptions

Page 23

Ransomware: Regulatory Guidance - HHS Office for Civil Rights “Fact Sheet: Ransomware and HIPAA” (July 11, 2016)

General Requirements:

Conduct a risk analysis and establish a plan to remediate identified risks

Implement procedures to safeguard against malicious software

Train authorized users to detect malicious software and report such detections

o I.e., identify malicious/fake websites, unusual increases in processing activity, suspicious network communications

Limit access to ePHI to only those persons or software programs requiring access, and

Maintain an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations

o Consider maintaining backups off-line and unavailable to the primary network
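The fact sheet's call for frequent backups and test restorations, made concrete as an added example (this code is not from the slides or from OCR): a manifest is written when the backup is taken and kept with the off-line copy, and a restore test passes only if every file comes back byte-identical. File names and contents below are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large record exports need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the hash and size of every file under root at backup time."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """A test restoration passes only if every expected file is present and
    byte-identical to the manifest and nothing unexpected has appeared."""
    report = {"missing": [], "modified": [], "unexpected": []}
    seen = set()
    for path in sorted(p for p in restored.rglob("*") if p.is_file()):
        rel = path.relative_to(restored).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)
        elif sha256_file(path) != manifest[rel]["sha256"]:
            report["modified"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    report["ok"] = not any(report[k] for k in ("missing", "modified", "unexpected"))
    return report


def demo() -> tuple:
    """Constructed scenario (hypothetical file names): back up three records, then
    check a clean restore and one whose files were overwritten or renamed afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "ephi"
        for name, body in [("patients/p001.json", b'{"mrn": "000001"}'),
                           ("patients/p002.json", b'{"mrn": "000002"}'),
                           ("orders/rx-2018-03.csv", b"mrn,drug\n000001,placebo\n")]:
            (src / name).parent.mkdir(parents=True, exist_ok=True)
            (src / name).write_bytes(body)
        manifest = build_manifest(src)          # store this with the off-line copy
        clean = work / "restore_clean"
        shutil.copytree(src, clean)             # exact copy: the restore test should pass
        bad = work / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "patients/p001.json").write_bytes(b"\x00" * 32)                 # contents replaced
        (bad / "patients/p002.json").rename(bad / "patients/p002.json.locked")  # file renamed
        return verify_restore(manifest, clean), verify_restore(manifest, bad)
```

Running the same check against the off-line copy on a schedule turns "test restorations" from a policy line into evidence a regulator can be shown.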

Page 24

Ransomware: Regulatory Guidance

When does a Ransomware attack constitute a security breach?

Regulatory standard: incident presumed to be a breach unless “low probability of compromise”

Facts and circumstances potentially relevant to determining whether data were compromised:

• Identify exact type and variant of malware discovered to determine:

o How or if a particular malware variant may laterally propagate throughout an entity’s enterprise

o What types of data the malware is searching for

o Whether the malware may attempt to exfiltrate data

o Whether the malware deposits hidden malicious software or exploits vulnerabilities to provide future unauthorized access, among other factors

• Algorithmic steps undertaken by the malware

• Communications, including exfiltration attempts between the malware and attackers’ command and control servers

• Whether or not the malware propagated to other systems, potentially affecting additional sources of electronic PHI (ePHI)

Page 25

Ransomware: Key Regulatory Guidance

What if the data were encrypted prior to the ransomware attack?

If data are encrypted consistent with HIPAA standards, they are no longer “unsecured PHI” and no risk assessment or breach notification is required

BUT if data are encrypted via full disk encryption and are decrypted whenever the computer is powered on and the system is operational, the data may not be encrypted at the time of the ransomware attack

Facts-and-circumstances analysis required

Page 26

Ransomware: Key Regulatory Guidance

Practical implications of OCR’s Ransomware guidance

Treat all ransomware attacks as potential breaches of PHI

Focus on back-ups and redundant systems

IOT and connected devices must be part of risk assessment

Analysis of specific encryption mechanism may be necessary

Contact the FBI or Secret Service field office immediately upon discovery

Page 27

Agenda

• Conducting and documenting risk assessments

• Developing a data security program among disparate vendors

• Summarizing regulatory guidance on effective security standards

• Discussing legal trends

Page 28

OCR Breach Investigations – ePHI

Cause of Breaches (2013 – 2016)

[Table: one column per settled entity with its settlement amount; rows are the Cause of Breach / Deficiency (Issues Specifically Cited), marked per entity on the slide.]

Entities and settlement amounts, in slide order:

- University of Massachusetts Amherst * – $650K
- St. Joseph Health (CA, NM, TX) – $2.14M
- Advocate Health Care Network – $5.55M
- University of Mississippi Medical Center – $2.75M
- Oregon Health & Science University – $2.7M
- Catholic Health Care Services of the Archdiocese of Philadelphia – $650K
- Feinstein Institute for Medical Research – $3.9M
- University of Washington – $750K
- Triple-S Management Corporation – $3.5M
- Lahey Hospital & Medical Center – $850K
- Cancer Care Group, P.C. – $750K
- St. Elizabeth Medical Center – $218K
- Anchorage Community Mental Health Services – $150K
- Columbia University NY & Presbyterian Hospital – $4.8M
- Concentra Health Services – $1.725M
- QCA Health Plan, Inc. – $250M
- Skagit County, Washington – $215K
- Adult & Pediatric Dermatology, P.C. – $150K
- Affinity Health Plan – $1.2M
- WellPoint Health Plan – $1.7M
- Idaho State University – $400K

Issues Specifically Cited (table rows):

- Internet Risks / Technical Safeguards
- Improper Disposal of ePHI
- Stolen Laptop – Device/Media Controls
- Failure to Perform Risk Analysis

* First settlement specifically addressing malware

Legend: Hospital - Physician Group - Health Plan - Other

Page 29

OCR Breach Investigations – ePHI

Cause of Breaches (2017)

Legend: Hospital - Physician Group - Health Plan - Other

[Table: one column per settled entity with its settlement amount; rows are the Cause of Breach / Deficiency (Issues Specifically Cited), marked per entity on the slide.]

Entities and settlement amounts, in slide order:

- 21st Century Oncology – $2.3M
- St. Luke’s Roosevelt Hospital Center – $387K
- Memorial Hermann Health System – $2.4M
- CardioNet – $2.5M
- Center for Digestive Health – $31K
- Metro Community Health Network of Philadelphia – $400K
- Memorial Healthcare System – $5.5M
- Children’s Medical Center Dallas – $3.2M
- MAPFRE Life Insurance – $2.2M
- Presence Health – $47K

Issues Specifically Cited (table rows, with the number of entities marked):

- Internet Risks / Technical Safeguards X
- Improper Disposal of ePHI
- Stolen Laptop – Device/Media Controls X X X
- Failure to Perform Risk Analysis X X X
- Lack of Business Associate Agreement X
- Lack of Timely Breach Notice X
- Improper Audit Controls X X
- Improper Disclosure to Public or Employer X X

Page 30

Legal Trends

• Lessons from the eCW Case

• Legal Theories / Class Actions

o Ransomware = threat to uncompromised data

o eCW = Availability and integrity of backup data

• Impact of antiquated systems

• Fines / penalties

Page 31

Conflict of Interest

• Julia Hesse, J.D., M. Bioethics has no real or apparent conflicts of interest to report.

• Sonia Arista, CISM has no real or apparent conflicts of interest to report.

Page 32

Questions

Thank you! Please complete online session evaluation

Julia R. Hesse, Partner, Healthcare Group, Choate, Hall & Stewart LLP

Two International Place, Boston, MA 02110; t (617) 248-5006; f (617) 502-5006

[email protected]

Sonia E. Arista, Managing Security Consultant, Healthcare, GuidePoint Security LLC

w (877) 889-0132 x7253; m (617) 921-6614

[email protected]