MEANINGFUL USE & RISK ASSESSMENT Montana HIMSS 2013 Spring Convention Presented by John Whalen CISSP, CISA, CRISC
Contents
1. What are we protecting?
2. In what ways are we protecting it?
3. What is Meaningful Use asking for?
4. In what ways is Meaningful Use asking?
5. Practically speaking
Key objectives
Understanding CIA
Defining Risk Assessment
Building Governance
ePHI: the crown jewels
Financial Medical Identity Theft: Someone is getting medical help using your name and/or other information.
Criminal Medical Identity Theft: You are being held responsible for another person's criminal behavior.
Government Benefit Fraud: Your medical benefits are being used by another person.
It's all about the money
A major challenge for IT security is the increase in criminal attacks, which have risen from 20 percent in 2010 to 33 percent this year.
2013 breaches from Identity Theft Resource Center
2013 breaches: # of Breaches YTD: 204; # of Records Exposed YTD: 44 million
Healthcare breaches: # of Breaches YTD: 94; # of Records Exposed YTD: 1.5 million
2012 Breaches: top 3 causes
Lost or stolen computing device
Employee mistakes or unintentional actions
Third-party snafus
Fifty-two percent discovered the data breach as a result of an audit or assessment, followed by employees detecting the breach.
Hacked! 1. Please consider the ramifications. 2. What would this breach cost your hospital/clinic?
2012 Breaches
Utah Department of Health confirmed that a server containing personal health information (PHI) of some 780,000 patients had been actively hacked into starting in March. Addresses, dates of birth, Social Security numbers, diagnosis codes, national provider identification numbers, billing codes and taxpayer identification numbers were all included on the server. The Utah breach stands as the 9th largest data breach ever reported to the HHS.
2012 Breaches
The South Carolina Department of Health and Human Services reported a data breach that started in January when an employee compiled data on more than 228,000 people and transmitted it to a private email account.
2013 Hospital breaches from Identity Theft Resource Center
South Shore Medical Center, Wayne Memorial Hospital, St. Mark's Medical Center, Tallahassee Memorial HealthCare, Upstate University Hospital, John J. Pershing VA Medical Center, South Miami Hospital, Mount Sinai Medical Center, Brookdale University Hospital and Medical Center, Adventist Health System, Glen Falls Hospital, Saint Francis Hospital, University of Mississippi Medical Center, Baptist Health - South Miami Hospital, Samaritan Hospital, Froedtert Hospital, Boca Raton Regional Hospital
2012 Hospital breaches from Identity Theft Resource Center
Oregon State Hospital, Emory University Hospital, North Shore-Long Island Jewish Health System, Memorial Healthcare System, Thomas Jefferson University Hospitals, University of Arkansas Medical Sciences, St. Joseph's Medical Center, St. Elizabeth's Medical Center, Sequoia Hospital, Ohio State University Medical Center, Howard University Hospital, Robley Rex VA Medical Center, Medical College of Georgia, Kern Medical Center, Hackensack University Medical Center
2011 Hospital breaches from Identity Theft Resource Center
Swedish Medical Center, Boulder Community Hospital, Mount Sinai Hospital, Texas Presbyterian Hospital, Wake Forest Medical Center, Loyola University Medical Center, Provena Covenant Medical Center, Methodist Charlton Medical Center, Reid Hospital, UMass Memorial Healthcare, Fairview Southdale Hospital, Jacobi Medical Center, Trinity Medical Center, Barnes Jewish Hospital, Brigham and Women's Hospital, Nyack Hospital, Gunhill Medical Center, North Central Bronx Hospital, Tremont Health Center, Texas Children's Hospital, Saint Francis Broken Arrow Hospital, Henry Ford Health System, Charleston Area Medical Center, VA Medical Centers in Akron, OH, Portland, OR and Lexington, KY, Beth Israel Deaconess Medical Center, Dekalb Medical Center, Troy Regional Medical Center
Hospital breaches: types
Computer hackers through public website
Lost or stolen paper medical records
Lost or stolen laptops with ePHI
Stolen workstations
Stolen thumb drives
Stolen hard drives
Computer hackers through viruses
PHI stolen by employee
Lost backup tapes
Shared workstation breached
Improper disposal of paper medical records
Increase in data breaches
Paper records to digital: a less stable environment
Push to digitize
Outsourcing of data processing to cloud providers
Increase in mobile devices used to conduct business
Negative impact of breach
What best describes the negative impact of breaches you experienced? Check all that apply.
Brand or reputation diminishment: 78%
Time and productivity loss: 81%
Loss of patient goodwill: 75%
Loss of revenues: 41%
Cost of outside consultants and lawyers: 40%
Fines and penalties paid to regulators: 26%
Lawsuits: 19%
Poor employee morale: 15%
No impact: 16%
Per-record cost of healthcare breach: $240
Breach cost breakdown
Legal fees
Consumer notifications
Credit monitoring services
Decreased patient retention
Decreased patient acquisition
Patient churn
4.2%: Estimated number of customers who will terminate their relationship as a result of the breach incident.
$113,400: Estimated average lifetime value of one lost patient.
The CIA Triad
Confidentiality prevents unauthorized disclosure of sensitive information
Integrity prevents unauthorized modification of sensitive information
Availability prevents disruption of service and productivity
CIA Triad Confidentiality Integrity Availability
Meaningful Use
HIPAA: Privacy & security of patient info
HITECH: Breach notification, penalties, legal remedies
Meaningful Use: Protect patient info, conduct security assessment
Risk assessment: Determine potential risks, document current state, discover vulnerabilities
Baseline & roadmap: Mitigate. Put controls in place.
164.304 Administrative Safeguards
Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI, and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information.
Core Set Objective #14
Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
164.308 Administrative safeguards.
(a) A covered entity must, in accordance with 164.306:
(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
164.308 Administrative safeguards (cont.)
(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).
(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
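Implementation specification (D) asks for regular review of audit logs and access reports but leaves the method to the covered entity. As an added illustration (not part of the presentation and not a HIPAA-prescribed procedure), the Python below runs two simple review rules over a constructed ePHI access log: a user who opens an unusually large number of distinct patient records in one day, and after-hours access by a role with no expected after-hours duties. The log line format, the thresholds and the role list are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Assumed review thresholds for this illustration; a real program sets them
# from its own risk analysis and from the roles in its access policy.
MAX_DISTINCT_PATIENTS_PER_DAY = 20
BUSINESS_HOURS = (7, 19)           # 07:00 to 19:00 local time
AFTER_HOURS_ROLES = {"BILLING"}    # roles with no expected after-hours ePHI access


def constructed_log():
    """Constructed sample audit records (not real data).
    Assumed line format: <ISO timestamp> <user> <role> <patient MRN> <action>"""
    lines = [
        "2013-04-10T08:12:03 nurse01 RN MRN1001 VIEW",
        "2013-04-10T08:15:44 nurse01 RN MRN1002 VIEW",
        "2013-04-10T14:30:00 nurse01 RN MRN1001 UPDATE",
    ]
    # clerk07 opens 30 different charts in one morning and one more at 23:40
    for i in range(30):
        lines.append(f"2013-04-10T09:{i:02d}:00 clerk07 BILLING MRN{2000 + i} VIEW")
    lines.append("2013-04-10T23:40:05 clerk07 BILLING MRN2099 VIEW")
    return "\n".join(lines)


SAMPLE_AUDIT_LOG = constructed_log()


def parse_audit_log(text):
    """Turn whitespace-separated log lines into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, mrn, action = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "mrn": mrn, "action": action})
    return records


def review_activity(records):
    """Apply the two review rules; returns one tuple per finding."""
    findings = []

    # Rule 1: how many distinct patient records each user touched per day
    per_user_day = defaultdict(set)
    for r in records:
        per_user_day[(r["user"], r["ts"].date())].add(r["mrn"])
    for (user, day), mrns in sorted(per_user_day.items()):
        if len(mrns) > MAX_DISTINCT_PATIENTS_PER_DAY:
            findings.append(("VOLUME", user, day.isoformat(),
                             f"{len(mrns)} distinct patients"))

    # Rule 2: access outside business hours by a role that should not need it
    start, end = BUSINESS_HOURS
    for r in records:
        if r["role"] in AFTER_HOURS_ROLES and not (start <= r["ts"].hour < end):
            findings.append(("AFTER_HOURS", r["user"], r["ts"].isoformat(), r["mrn"]))

    return findings


if __name__ == "__main__":
    for finding in review_activity(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(*finding)
```

Each finding is a starting point for the review procedure, not a conclusion: the volume rule will also fire on legitimate bulk work (a coder closing out a month), so the record of the review should note who examined each finding and what was decided, since that record is itself what an auditor asks to see.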
For reference: 164.306 Security standards: General rules.
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
(b) Flexibility of approach.
(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.
Beyond technical: Top 4
1. Risk assessment
2. Business continuity and disaster recovery
3. Policies
4. Security awareness training
It's all about risk!
Is $100,000 expensive?
Is a long password too much to ask?
Is a security policy too much trouble?
What's your appetite for risk?
The Risk Executive Function
The Risk Executive Function
Provides senior leadership input and oversight
Integrates security organization-wide
Risk-based protection strategies beyond single systems
Visibility into mission/business processes and systems
Risk-Based Protection Strategies
Identifying
Understanding
Mitigating
Explicitly accepting residual risk
Risk Analysis
Risk analysis is a tool to:
Identify the company's assets
Calculate their values
Identify vulnerabilities
Estimate the threats and associated risks
Assess the impact on the company if threat agents took advantage of current vulnerabilities
Risk assessment
Gather stakeholders
Analyze risk: hospital assets, potential threats, likelihood of threats acting against assets
What is a security assessment?
Baseline
Roadmap
Think home inspection.
Ethical hackers
Same tools as the hackers use
An audit perspective
Assessment phases
External vulnerability testing
Internal testing
Interviews
Review of policies
Wireless, passwords, physical security
Remote offices visited
Deliverable
Executive summary
Tools and methodology
Rating criteria: managerial and operational, technical, physical
HIPAA-Readiness
Technical reports
Risk matrix
Vulnerability
Risk rating
Difficulty rating
Description
Action plan
Next steps
Risk assessment: an internal effort to determine what is at risk. Gives context for security costs, disaster recovery and business continuity.
Security assessment: use an independent team.
Discover vulnerabilities
Prioritize vulnerabilities according to risk to your hospital / clinic
Fix the holes in security
Test again
Ongoing: Submit your hospital to an infosec audit regime as you do with ongoing financial audits.
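The risk analysis steps (assets and their values, vulnerabilities, threats and likelihood, impact), the risk-matrix columns (vulnerability, risk rating, difficulty rating, description, action plan) and the "prioritize vulnerabilities according to risk" step can be carried through as one worked example. The Python below is added here and is not from the presentation. Its scoring scale (likelihood and impact each 1 to 5, risk rating = likelihood × impact, band thresholds) and its sample findings (drawn from the breach types listed earlier in the deck) are constructed assumptions; the action plan orders findings by risk rating first and, within equal ratings, by how easy they are to fix.

```python
from dataclasses import dataclass

# Assumed band thresholds on the 1-25 rating scale for this illustration.
BANDS = [(16, "Critical"), (10, "High"), (5, "Medium"), (1, "Low")]


@dataclass
class Finding:
    vulnerability: str   # what the assessment found
    asset: str           # the ePHI-bearing asset it affects
    description: str     # how a threat agent could take advantage of it
    likelihood: int      # chance a threat acts on it (1 low .. 5 high)
    impact: int          # damage to confidentiality/integrity/availability (1..5)
    difficulty: int      # effort or cost to remediate (1 easy .. 5 hard)


def risk_score(f):
    """Risk rating = likelihood x impact (assumed scoring rule)."""
    return f.likelihood * f.impact


def risk_band(score):
    """Map a numeric rating onto the matrix's rating band."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    return "Low"


def build_action_plan(findings):
    """Order findings by rating (highest first), then by ease of remediation.

    Equal ratings are broken by difficulty so the cheaper fix comes first; the
    vulnerability name is the final tie-breaker to keep the order deterministic.
    """
    ordered = sorted(findings,
                     key=lambda f: (-risk_score(f), f.difficulty, f.vulnerability))
    plan = []
    for priority, f in enumerate(ordered, start=1):
        score = risk_score(f)
        plan.append({"priority": priority, "vulnerability": f.vulnerability,
                     "asset": f.asset, "risk_rating": score,
                     "band": risk_band(score), "difficulty": f.difficulty,
                     "description": f.description})
    return plan


# Constructed sample findings (not from any real assessment).
SAMPLE_FINDINGS = [
    Finding("Unencrypted laptops carrying ePHI", "Clinician laptops",
            "Lost or stolen device exposes every chart cached on it", 4, 5, 2),
    Finding("Shared workstation without auto-logoff", "Nursing station PCs",
            "Anyone at the station can read the open session", 4, 3, 1),
    Finding("Unpatched public website", "Patient portal web server",
            "Known flaw reachable from the Internet", 3, 4, 3),
    Finding("Backup tapes stored unencrypted offsite", "Backup media",
            "Lost tape discloses the full database", 2, 5, 2),
    Finding("Paper records in open waste bins", "Paper charts",
            "Improper disposal exposes printed PHI", 3, 2, 1),
    Finding("Guest Wi-Fi not separated from clinical network", "Wireless LAN",
            "Visitor device can reach internal systems", 2, 2, 2),
]


if __name__ == "__main__":
    for row in build_action_plan(SAMPLE_FINDINGS):
        print(f"{row['priority']}. [{row['band']} {row['risk_rating']:>2}] "
              f"difficulty {row['difficulty']}: {row['vulnerability']}")
```

The ordering rule is the point: two findings with the same rating are not equal work, and putting the one-day fix ahead of the three-month project is how the roadmap turns into something the next assessment can verify as done.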
BCP: NIST 800-34
Sustaining an organization's mission/business processes during and after a disruption.
BCP: NIST 800-34
1. Develop the contingency planning policy statement.
2. Conduct the business impact analysis (BIA).
3. Identify preventive controls.
4. Create contingency strategies.
5. Develop an information system contingency plan.
6. Ensure plan testing, training, and exercises.
7. Ensure plan maintenance.
Key Policies
Internet use
Remote access
Removable media
Encryption
Data classification
Vendor management, Business associate agreements
Termination
Security Awareness Training: NIST 800-50
A needs assessment has been conducted
A strategy has been developed
An awareness and training program plan for implementing that strategy has been completed
Awareness and training material has been developed
Success Indicators
Sufficient funding to implement the agreed-upon strategy.
Appropriate organizational placement to enable those with key responsibilities to effectively implement the strategy.
Support for broad distribution and posting of security awareness items.
Executive/senior level messages to staff regarding security.
Use of metrics.
Success Indicators
Managers do not use their status in the organization to avoid security controls that are consistently adhered to by the rank and file.
Level of attendance at mandatory security forums/briefings.
Recognition of security contributions.
Motivation demonstrated by those playing key roles in managing/coordinating the security program.
Hack: Hyundai Capital
South Korea's largest consumer-finance company
Hack occurred April 2011
According to the CEO, the biggest mistake was treating the IT department as simply one of many units that helped the company get its main job done.
Today he treats security as central to everything the company does.
Now the new IT security group reports directly to the CEO.
From Wall Street Journal 6/21/11
CEO, Ted Chung: What I learned from the hack:
1. Trust the authorities
2. Stay open and transparent
3. Learn IT and know where the vulnerabilities are
4. Create a philosophy that drives IT decisions
5. Reassess plans for products and services
How things look and how they work is now secondary. Security is now first.
From Wall Street Journal 6/21/11
Calculate your risk
Multiply the number of records in the EMR by $240.
Thank you! Have a great conference!