TRANSCRIPT
Let’s Get Real: Creating a Practical Data Security Program
Session # 203, March 8, 2018 8:30 - 9:30 AM
Speakers: Julia R. Hesse, Choate, Hall & Stewart LLP
Sonia Arista, GuidePoint Security
Speaker Introductions
Julia R. Hesse, J.D., M. Bioethics
Partner
Choate, Hall & Stewart LLP
Sonia E. Arista, CISM
National Healthcare Lead
GuidePoint Security
Agenda
• Conducting and documenting risk assessments
• Developing a data security program among disparate vendors
• Summarizing regulatory guidance on effective security standards
• Discussing legal trends
Learning Objectives:
• Identify practical tactics for creating a data security program among disparate vendors
• Discuss practical solutions for legal issues surrounding risk assessment, including documentation and contract drafting
• Analyze regulatory guidance on effective data security standards
Risk Assessment: Overview
An important part of a health information technology system is having adequate internal and external security controls, as well as generally having a complete overview of the risks facing the system.
Do you have a procedure that periodically evaluates:
o Security
o Availability
o Integrity
7
Risk Assessment: Technical
First define the business environment and scope of the assessment, then identify the supporting technology:
- Application (EMR)
- Line of business or line of service (Help Desk, Development, Transcription)
- Defined customer environment
- Operational area of the business (HR, Billing, etc.)
- Specific network segment or data center
- Integration Engine *
* Increasingly important with interoperability and leveraged SaaS analytics engines
Risk Assessment: Technical
Then ensure that the fundamental elements are reviewed:
- Network Environment
- Endpoint Asset Hardening
- Access Control and Identity Management
- Application Code Vulnerability Assessment
- If hosted, ask to review risks identified by your partner or service provider
Don’t forget to incorporate risks already identified in your overall corporate risk register that apply!
Risk Assessment: Incident Response/Disaster Recovery
• Assume a data breach or cyber-attack will occur
• Any risk assessment must include incident response measures and the ability to recover/resume operations
Risk Assessment: Incident Response: Process/Emergency
• Develop and implement an emergency process to respond to an attack
• Assemble and test response team including legal, insurance, PR, senior team
• Consider holding some bitcoin
• Goal is to implement a process that allows the data security professionals to address the incident itself
Risk Assessment: Regulatory Guidance
U.S. Department of Health and Human Services Office for Civil Rights
Office of the National Coordinator
Federal Trade Commission
Risk Assessment: Regulatory Guidance
U.S. Department of Health and Human Services Office for Civil Rights and Office of the National Coordinator – Developed Security Risk Assessment (SRA) Tool
• www.healthit.gov/providers-professionals/security-risk-assessment-tool
• Available as an online application, or downloadable
U.S. Department of Health and Human Services Office for Civil Rights and Office of the National Coordinator – Top 10 Myths of Security Risk Analysis
• Checklists aren’t enough
• It must go beyond EHR
Federal Trade Commission – Process-based approach focused on NIST Cybersecurity Framework
• Annual Data Privacy and Security Updates
Risk Assessments: Documentation
One size does NOT fit all – GRC tools and templates are good support tools, but can be inefficient or not optimal for every environment!
Depending on need, scope will most likely vary due to:
- Customer Commitments
- Technology Environment
- Breadth of manual processes within the environment
- Frequency
- Validated vs. Self–Assessment
Tools and methodologies will (…and can…and should) vary!
Risk Assessment: M&A/Transactions
• Importance of documented risk assessment in acquisitions
• Use in framing post-acquisition investment
• Baseline security obligations for early stage companies
– Define PI maintained, identify secure hosting provider
– PCI Compliance
– Documented risk assessments becoming baseline expectation
– Why? To make the company more attractive to investment and sale
General Recommendations for Risk Assessments
GOAL: Have a comprehensive risk assessment report or set of reports available upon request of a regulator, with a defined process for implementing recommendations
TACTICS:
• Global risk assessment must include risks of IoT devices
• Define internal process
- Identify data system owners and assign responsibility for risk assessment/remediation
• Use common vocabulary and report formats
• Determine – and stick to – timeline for review AND remediation
• Focus on the basics
• Remediation plan must include offline backups and redundant systems to limit the impact of ransomware
Vendor Risk Assessment: Third Party Security Controls
• Practical tactics in vendor risk assessment
• Identify internal and external security measures, particularly focusing on the need to ensure adequate third party security controls
• Self-certification using the HITRUST framework
• Incorporation into governance, risk management and compliance program
Vendor Risk Assessment: Legal Strategies
• Using contractual terms and agreements to address security obligations of outside vendors, including:
– How to specifically define security obligations
– How to use contractual language to transfer away risk
Regulatory Guidance - Effective Security Standards
“Ransomware” = Serious Health Issues
• Basically it’s malware that encrypts files and can lock users out of their devices.
• Common definition: “computer malware that installs covertly on a victim's computer, executes a cryptovirology attack that adversely affects it, and demands a ransom payment to decrypt it or not publish it.”
• Ransomware is NOT new…. it’s been around for decades.
• Recently seen a huge spike in ransomware incidents.
• Why? Because of connected devices….
Regulatory Guidance - Effective Security Standards
Ransomware Hits Medical Facilities
• Unsecured medical devices are ripe for ransomware attacks
• These attacks can cripple, even shut down entire operations
• Most medical facility cybersecurity measures are aimed at HIPAA security NOT device security
• The threat will continue so long as devices are insecure and malicious software can move “laterally”
Regulatory Guidance - Effective Security Standards
Ransomware Hits Medical Facilities
• As of August 2016, 88% of ransomware attacks hit hospitals/medical facilities
• 2017 saw an even higher rate of ransomware attacks, with both WannaCry and NotPetya dominating the news cycle
- Attacks targeting IoT and smaller providers
- Accenture and the American Medical Association report that over 83% of physicians surveyed have experienced a cyber security attack
• Health care facilities seem to be hit regularly:
- Hollywood Presbyterian
- USC hospitals
- MedStar Health (Washington DC area)
- Allscripts ransomware attack in January 2018: data centers attacked by SamSam ransomware
• Effects of ransomware attacks:
- Employees cannot log in
- Patient appointments had to be cancelled
- No electronic records or prescriptions
Ransomware: Regulatory Guidance - HHS Office for Civil Rights “Fact Sheet: Ransomware and HIPAA” (July 11, 2016)
General Requirements:
Conduct a risk analysis and establish a plan to remediate identified risks
Implement procedures to safeguard against malicious software
Train authorized users to detect malicious software and report such detections
o I.e., identify malicious/fake websites, unusual increases in processing activity, suspicious network communications
Limit access to ePHI to only those persons or software programs requiring access, and
Maintain an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations
o Consider maintaining backups off-line and unavailable to the primary network
Ransomware: Regulatory Guidance
When does a ransomware attack constitute a security breach?
Regulatory standard: an incident is presumed to be a breach unless there is a “low probability of compromise”
Facts and circumstances potentially relevant to determining whether data were compromised:
• Identify the exact type and variant of malware discovered, to determine:
o How or if a particular malware variant may laterally propagate throughout an entity’s enterprise
o What types of data the malware is searching for
o Whether the malware may attempt to exfiltrate data
o Whether the malware deposits hidden malicious software or exploits vulnerabilities to provide future unauthorized access, among other factors
• Algorithmic steps undertaken by the malware
• Communications, including exfiltration attempts, between the malware and attackers’ command and control servers
• Whether or not the malware propagated to other systems, potentially affecting additional sources of electronic PHI (ePHI)
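The breach-risk factors listed above (lateral propagation, command-and-control traffic, exfiltration, spread to other systems holding ePHI) are questions an incident responder answers from logs. As an added example that is not part of the OCR guidance or the presenters' material, the Python below triages a constructed connection log in an assumed "ts src dst dport bytes_out" format and reports, for the host first seen infected, which internal hosts it reached on file-sharing and remote-admin ports, whether any external host was contacted on a regular beacon interval, and whether a large volume of data left the network. The address ranges, port list, sample hosts and thresholds are all assumptions to be tuned per site.

```python
"""Triage of connection logs against the OCR breach-risk factors.

Added example, not code from the OCR fact sheet or the presenters. The log
format, hosts and thresholds are assumptions: one connection per line,
"ts src dst dport bytes_out", with ts in seconds.
"""
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]      # assumed site address space
LATERAL_PORTS = {135, 139, 445, 3389, 5985}     # RPC, NetBIOS, SMB, RDP, WinRM
LATERAL_MIN_PEERS = 5         # distinct internal peers before calling it spread
EXFIL_MIN_BYTES = 50_000_000  # bytes out to a single external host
BEACON_MIN_CONNS = 6
BEACON_MAX_JITTER = 0.25      # pstdev/mean of the gaps between connections

# Constructed sample: 10.0.5.21 beacons, fans out over SMB, then pushes data out;
# 10.0.5.30 is an ordinary workstation for contrast.
SAMPLE_LOG = """\
# ts src dst dport bytes_out
0    10.0.5.21 203.0.113.7  443 512
60   10.0.5.21 203.0.113.7  443 512
120  10.0.5.21 203.0.113.7  443 512
180  10.0.5.21 203.0.113.7  443 512
240  10.0.5.21 203.0.113.7  443 512
300  10.0.5.21 203.0.113.7  443 512
310  10.0.5.21 10.0.5.22    445 8000
311  10.0.5.21 10.0.5.23    445 8000
312  10.0.5.21 10.0.5.24    445 8000
313  10.0.5.21 10.0.5.25    445 8000
314  10.0.5.21 10.0.5.26    445 8000
315  10.0.5.21 10.0.5.27    445 8000
400  10.0.5.21 198.51.100.9 443 30000000
460  10.0.5.21 198.51.100.9 443 30000000
17   10.0.5.30 10.0.1.5     443 2000
95   10.0.5.30 192.0.2.10   443 1200
402  10.0.5.30 192.0.2.10   443 900
"""

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse(lines):
    """Yield (ts, src, dst, dport, bytes_out); skips blank and # comment lines."""
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, dport, out = line.split()
        yield float(ts), src, dst, int(dport), int(out)

def beacon_period(ts_list: list):
    """Mean gap in seconds if the connections are regular enough to be C2 polling."""
    if len(ts_list) < BEACON_MIN_CONNS:
        return None
    ts_list = sorted(ts_list)
    gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
    mean = statistics.mean(gaps)
    if mean > 0 and statistics.pstdev(gaps) / mean <= BEACON_MAX_JITTER:
        return round(mean, 1)
    return None

def triage(lines, patient_zero: str) -> dict:
    lateral = defaultdict(set)   # src -> internal peers reached on admin/file ports
    egress = defaultdict(int)    # (src, external dst) -> bytes out
    times = defaultdict(list)    # (src, external dst) -> connection timestamps
    for ts, src, dst, dport, out in parse(lines):
        if is_internal(dst):
            if dport in LATERAL_PORTS and dst != src:
                lateral[src].add(dst)
        else:
            egress[(src, dst)] += out
            times[(src, dst)].append(ts)
    beacons = {}
    for key, ts_list in times.items():
        period = beacon_period(ts_list)
        if period is not None:
            beacons[key] = period
    return {
        # Did it propagate, and to which systems (further ePHI sources to examine)?
        "lateral_spread": {s: sorted(p) for s, p in lateral.items()
                           if len(p) >= LATERAL_MIN_PEERS},
        "hosts_to_check": sorted(lateral.get(patient_zero, set())),
        # Did it talk to a command-and-control server, and did data leave?
        "possible_c2": beacons,
        "possible_exfil": {k: v for k, v in egress.items() if v >= EXFIL_MIN_BYTES},
    }

def run_sample() -> dict:
    return triage(SAMPLE_LOG.splitlines(), "10.0.5.21")
```

The output of run_sample() is the raw material for the "facts and circumstances" write-up: a list of systems that must be examined for additional ePHI exposure, the external hosts to hand to the FBI or Secret Service, and a byte count that bears directly on whether exfiltration can be ruled out. Evidence of a beacon or a large egress does not by itself prove compromise of the data, but their absence across complete logs is what a "low probability of compromise" argument has to rest on.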
Ransomware: Key Regulatory Guidance
What if the data were encrypted prior to the ransomware attack?
If data are encrypted consistent with HIPAA standards, it is no longer “unsecured PHI” and no risk assessment or breach notification is required
BUT if data are protected only by full disk encryption, which is decrypted once the computer is powered on and the user has logged in, the data are readable by any process on the running system (the ransomware included), so they may not be encrypted at the time of the ransomware attack
Facts-and-circumstances analysis required
Ransomware: Key Regulatory Guidance
Practical implications of OCR’s Ransomware guidance
Treat all ransomware attacks as potential breaches of PHI
Focus on back-ups and redundant systems
IoT and connected devices must be part of risk assessment
Analysis of specific encryption mechanism may be necessary
Contact the FBI or Secret Service field office immediately upon discovery
OCR Breach Investigations – ePHI
Cause of Breaches (2013 – 2016)
Categories: Hospital / Physician Group / Health Plan / Other
Settlements (entity – amount):
- University of Massachusetts Amherst* – $650K
- St. Joseph Health (CA, NM, TX) – $2.14M
- Advocate Health Care Network – $5.55M
- University of Mississippi Medical Center – $2.75M
- Oregon Health & Science University – $2.7M
- Catholic Health Care Services of the Archdiocese of Philadelphia – $650K
- Feinstein Institute for Medical Research – $3.9M
- University of Washington – $750K
- Triple-S Management Corporation – $3.5M
- Lahey Hospital & Medical Center – $850K
- Cancer Care Group, P.C. – $750K
- St. Elizabeth Medical Center – $218K
- Anchorage Community Mental Health Services – $150K
- Columbia University NY & Presbyterian Hospital – $4.8M
- Concentra Health Services – $1.725M
- QCA Health Plan, Inc. – $250K
- Skagit County, Washington – $215K
- Adult & Pediatric Dermatology, P.C. – $150K
- Affinity Health Plan – $1.2M
- Wellpoint Health Plan – $1.7M
- Idaho State University – $400K
Cause of Breach / Deficiency – Issues Specifically Cited (number of the 21 settlements citing each):
- Internet Risks / Technical Safeguards – 17
- Improper Disposal of ePHI – 1
- Stolen Laptop – Device/Media Controls – 12
- Failure to Perform Risk Analysis – 17
* First settlement specifically addressing malware
OCR Breach Investigations – ePHI
Cause of Breaches (2017)
Categories: Hospital / Physician Group / Health Plan / Other
Settlements (entity – amount):
- 21st Century Oncology – $2.3M
- St. Luke’s Roosevelt Hospital Center – $387K
- Memorial Hermann Health System – $2.4M
- CardioNet – $2.5M
- Center for Digestive Health – $31K
- Metro Community Provider Network – $400K
- Memorial Healthcare System – $5.5M
- Children’s Medical Center Dallas – $3.2M
- MAPFRE Life Insurance – $2.2M
- Presence Health – $475K
Cause of Breach / Deficiency – Issues Specifically Cited (number of the 10 settlements citing each):
- Internet Risks / Technical Safeguards – 1
- Improper Disposal of ePHI – 0
- Stolen Laptop – Device/Media Controls – 3
- Failure to Perform Risk Analysis – 3
- Lack of Business Associate Agreement – 1
- Lack of Timely Breach Notice – 1
- Improper Audit Controls – 2
- Improper Disclosure to Public or Employer – 2
Legal Trends
• Lessons from the eCW (eClinicalWorks) Case
• Legal Theories / Class Actions
o Ransomware = threat to uncompromised data
o eCW = Availability and integrity of backup data
• Impact of antiquated systems
• Fines / penalties
Conflict of Interest
• Julia Hesse, J.D., M. Bioethics has no real or apparent conflicts of interest to report.
• Sonia Arista, CISM has no real or apparent conflicts of interest to report.
Questions
Thank you! Please complete online session evaluation
Julia R. Hesse
Partner, Healthcare Group
Choate, Hall & Stewart LLP
Two International Place, Boston, MA 02110
t (617) 248-5006, f (617) 502-5006
Sonia E. Arista
Managing Security Consultant, Healthcare
GuidePoint Security LLC
w (877) 889-0132 x7253, m (617) 921-6614