Whose Job Is It? - FairWarning, Inc.
September 22, 2016
Speakers
Robert Mireles, CIPM, Sr. Healthcare Privacy Specialist for Managed Privacy Services, FairWarning
Chuck Burbank, CISO and Director of Managed Privacy Services, FairWarning
Agenda
• 2016 Enforcement Activity
• 7 Lessons Learned from 2016 OCR Resolution Agreements
• Breakdown of 2016 Breaches
• Insiders and the Emerging High Risk Threat Landscape
• The Why: Gaps in Privacy and Security
• Protecting Patient Data: Whose Job Is It?
• Privacy + Security: How to Close the Gaps
• People-Centric Security
• Q & A
2016: Enforcement Activity
August 18, 2016 - The OCR announced its initiative to investigate breaches affecting fewer than 500 individuals
This Year’s Resolution Agreements to Note:
• Advocate Healthcare Network’s $5.5 million settlement
• Oregon Health and Science University - $2.7 million
• $2.75 million settlement with University of Mississippi
March 2016 - Commencement of Phase 2 HIPAA audits, which included covered entities and business associates
August 1, 2016 - Bulletin citing the negative impact of insider threats on the confidentiality, integrity, and availability of ePHI
Full List of Resolution Agreements Year-to-Date
7 Lessons You Must Learn from OCR Resolution Agreements
1. Perform a Risk Analysis
2. Develop a Risk Management Plan
3. Have required policies and procedures
4. Develop an enhanced Privacy and Security Training Program
5. Review Business Associate Agreements and ensure you have a process in place to ensure they are obtained
6. Review encryption
7. Follow-up and document investigations of employee non-compliance
Breakdown of 2016 Breaches
• The Identity Theft Resource Center reports that Healthcare data breaches make up 36.2% of all reported breaches in 2016 YTD
• Over 11 million healthcare records were exposed in June alone
• That’s 5x the 2.1 million total records exposed from January to May
June Breach Breakdown
• 41.4% Hacking Incidents
• 41.4% Insider Theft and Errors
• 17.2% Theft or Loss of Paper Copies
Insider Threats and the Emerging PHI High Risk Threat Landscape
According to the 2016 Verizon DBIR, 73% of all healthcare data security incidents can be attributed to:
• Insider and Privilege Misuse (23%)
• Physical Theft and Loss (32%)
• Miscellaneous User Errors (18%)
Ransomware, Insider Abuses, Hacktivists, Espionage, Spear Phishing…
Systems can be compromised within minutes…
So, why does it take days to discover 56% of incidents and months to discover 39% of incidents?
The Why: Gaps in Privacy and Security
1. Lack of monitoring
- 40% are not monitoring applications that contain PHI
2. Lack of encryption
- Only 64% of organizations encrypt data in transit
3. Lack of network monitoring tools
- 46% do not have an intrusion detection system
- 47% do not use network monitoring tools
4. Skills Shortage
- Constrained budgets
- Scarce talent and resources limit cybersecurity readiness
Get more information on the HIMSS 2016 Survey Results
Protecting Patient Data - Whose Job is it?
• Monitor for and detect inappropriate access in patient charts, insider threats, network intrusions, phishing attacks, compromised credentials and ransomware
• Investigate potential incidents
• Report confirmed breaches
• Audit for compliance with federal and state regulations
In the digital age, there is no privacy without security.
Privacy + Security: How to close the gaps
• Provide your workforce with ongoing specialized information security awareness training
• Encourage collaboration between Privacy and Security to develop and implement the necessary Administrative, Physical and Technical Controls
• Implement a security and privacy risk assessment
• Mitigate the risk of breaches through a defense-in-depth approach
• Maximize your security investments
People-Centric Security
• Easy-to-read individual employee risk profiles
• Identify unusual data access behaviors
• Reduce insider threat risks
• Strengthen compliance
• Increase the probability of knowing when an employee might quit
Your biggest asset is your biggest threat. Insider security is all about people.
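The "monitor for and detect inappropriate access in patient charts" task on the Protecting Patient Data slide and the "identify unusual data access behaviors" / "individual employee risk profiles" bullets on this slide describe the same defensive control: scoring chart-access audit events and rolling the findings up per employee. The following is an added example written for this page, not FairWarning's product or code from the webinar. The audit-log format, the staff directory, the patient index, the four rules (no treatment relationship between the user's department and the patient, matching surname, after-hours access, and chart volume well above the median for the period) and the score weights are all assumptions chosen for the illustration; a real deployment would take these from the EHR's audit trail and HR systems and tune the thresholds to its own baseline.

```python
"""Added example (not from the FairWarning deck): score EHR chart-access audit
events for inappropriate-access indicators and build per-employee risk profiles.
All data below is constructed; field names, rules and weights are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed staff directory: user -> (role, department, surname)
STAFF = {
    "jdoe":   ("nurse",  "oncology",   "Doe"),
    "asmith": ("nurse",  "oncology",   "Smith"),
    "bwong":  ("clerk",  "billing",    "Wong"),
    "rlee":   ("doctor", "cardiology", "Lee"),
}

# Constructed patient index: patient id -> (surname, departments with a treatment relationship)
PATIENTS = {
    "P100": ("Garcia", {"oncology"}),
    "P101": ("Smith",  {"cardiology"}),
    "P102": ("Khan",   {"oncology", "billing"}),
    "P103": ("Osei",   {"cardiology"}),
    "P104": ("Novak",  {"cardiology"}),
}

# Constructed audit log, one event per line: timestamp|user|patient|action
SAMPLE_LOG = """\
2016-09-21T09:12:00|jdoe|P100|view
2016-09-21T09:40:00|jdoe|P102|view
2016-09-21T10:05:00|asmith|P101|view
2016-09-21T11:30:00|bwong|P102|view
2016-09-21T02:15:00|rlee|P103|view
2016-09-21T08:00:00|rlee|P104|view
2016-09-21T13:00:00|rlee|P101|view
2016-09-21T13:01:00|rlee|P100|view
2016-09-21T13:02:00|rlee|P102|view
"""


def parse_log(text):
    """Parse the pipe-delimited audit log into event dicts (assumed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events


def flag_event(ev):
    """Return the per-event indicators (assumed rules) that fire for one access."""
    _role, dept, user_surname = STAFF[ev["user"]]
    patient_surname, treating_depts = PATIENTS[ev["patient"]]
    flags = []
    if dept not in treating_depts:            # user's department does not treat this patient
        flags.append("NO_TREATMENT_RELATIONSHIP")
    if user_surname == patient_surname:       # possible family/self lookup
        flags.append("SURNAME_MATCH")
    if ev["ts"].hour < 6 or ev["ts"].hour >= 22:  # access outside assumed working hours
        flags.append("AFTER_HOURS")
    return flags


def build_risk_profiles(events):
    """Aggregate event flags per user (+1 each) and add a volume rule (+2)."""
    profiles = defaultdict(lambda: {"score": 0, "flags": Counter(), "charts": set()})
    for ev in events:
        p = profiles[ev["user"]]
        p["charts"].add(ev["patient"])
        for f in flag_event(ev):
            p["flags"][f] += 1
            p["score"] += 1
    # Volume rule: distinct charts well above the median across all users in the period.
    counts = [len(p["charts"]) for p in profiles.values()]
    threshold = max(3, 3 * median(counts))
    for p in profiles.values():
        if len(p["charts"]) > threshold:
            p["flags"]["HIGH_VOLUME"] += 1
            p["score"] += 2
    return {u: {"score": p["score"], "flags": dict(p["flags"]),
                "distinct_charts": len(p["charts"])} for u, p in profiles.items()}


def rank(profiles):
    """Users ordered by descending risk score (stable for ties)."""
    return sorted(profiles, key=lambda u: profiles[u]["score"], reverse=True)


if __name__ == "__main__":
    prof = build_risk_profiles(parse_log(SAMPLE_LOG))
    for user in rank(prof):
        print(f"{user:8} score={prof[user]['score']} "
              f"charts={prof[user]['distinct_charts']} flags={prof[user]['flags']}")
```

With the constructed log, rlee ranks highest (two out-of-department chart views, one after-hours access and an unusually high chart count), asmith is flagged for viewing a chart with no treatment relationship and a matching surname, and jdoe and bwong score zero. In practice each fired rule is a lead for the privacy office to investigate, not a finding in itself; the value of the per-employee roll-up is that repeated low-weight indicators surface a pattern that no single event would.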
Questions? For more information, please visit:
www.FairWarning.com
Email: [email protected]
Join us for the next FairWarning Executive Series Webinar at 2 pm EDT, October 6, 2016
The What Ifs: How to mobilize best practices to respond to real-world threat scenarios
When: October 6, 2016
Time: 2:00 pm EDT / 11:00 am PDT
Registration Fee: No Charge