Post on 22-May-2020
CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 info@cynergistek.com cynergistek.com @CynergisTek
Behavioral Analytics Role in Assuring Data Security
David Holtzman JD, CIPP, Vice President Compliance Strategies
Robert Lord, President & Co-Founder, Protenus
Today’s Presenter
David Holtzman, CynergisTek, Inc.
• Vice President of Compliance Strategies, CynergisTek, Inc.
• Subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules
• Experienced in developing, implementing and evaluating health information privacy and security compliance programs
• Former senior advisor for health information technology and the HIPAA Security Rule, Office for Civil Rights
Agenda
I. Insider Threat
II. Regulations and Guidance
III. Enforcement Examples
Insider Threat
Insiders Leading Cause of Breaches
• Healthcare industry is comparatively the worst sector
– internal actors cause more data breaches than external actors [2018 Verizon Data Breach Investigations Report]
• Insiders are the 1st or 2nd ranked cause of breaches reported to OCR [2017 Breach Barometer, 2018 1st Qtr Breach Barometer, 2018 2nd Qtr Breach Barometer]
• Employee snooping and wrongdoing expose more patient records than incidents involving insider errors or mistakes
– In one case a hospital employee inappropriately accessed patients’ records for 14 years, undetected until a patient complained
Regulations & Guidance: Access Auditing & Monitoring
Regulations - HIPAA Security Rule
• 45 CFR 164.308(a)(1)(i) Security management process
– a covered entity or business associate must implement policies and procedures to prevent, detect, contain and correct security violations
– 308(a)(1)(ii)(D) Information system activity review
• Implement procedures to regularly review records of information systems activity, such as audit logs, access reports, and security incident tracking reports
Regulations – HIPAA Security Rule
• 45 CFR 164.312(b) Audit controls
• Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information
OCR Guidance Documents
• OCR guidance January 2017 newsletter “Understanding the Importance of Audit Controls”
• https://www.hhs.gov/sites/default/files/january-2017-cyber-newsletter.pdf
• OCR HIPAA Security Rule Educational Paper Series #2, last updated March 2007
• https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
OCR 2017 Guidance
“When determining reasonable and appropriate audit controls for information systems containing or using ePHI, covered entities and business associates must consider their risk analysis results and organizational factors, such as their current technical infrastructure, hardware, and software security capabilities.”
OCR 2017 Guidance
“It is imperative for Covered Entities & Business Associates to review their audit trails regularly, both… after security incidents or breaches, and during real-time operations. Regular review of information system activity should promote awareness of any information system activity that could suggest a security incident or breach.”
OCR 2017 Guidance
• Questions covered entities and business associates should consider:
– What audit control mechanisms are reasonable & appropriate to implement so as to record and examine activity in information systems that contain or use ePHI?
– What are the audit control capabilities of information systems with ePHI?
– Do the audit controls implemented allow the organization to adhere to their audit controls policies and procedures?
– Are changes or upgrades of an information system’s audit capabilities necessary?
Development of FTC Case Law
• A key component of network security is monitoring access and activity, using tools to warn of access to information without authorization
– Deceptive or unfair data security practices arising from inadequate protections against unauthorized access to data
• Wyndham (2015) required a comprehensive information security program
– Monitor and manage computers connected to the company network
– Employ reasonable measures to detect and prevent unauthorized access to the company network and conduct security investigations
• Ashley-Madison.Com (2016)
– Use readily available security measures to regularly monitor systems and assets to identify data security events and verify effectiveness of protective measures
• Uber (2017 & 18)
– Monitor access to sensitive personal information
States Getting Involved
• NYS Cybersecurity Regulations (23 NYCRR Part 500)
– Licensees of the Department of Financial Services
– Implement risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information by authorized users
GDPR: Legitimate Need vs Employee Privacy
• Monitoring information system activity of employees is processing of the user’s personal data that requires a valid legal basis
• Data controllers/processors have a legitimate interest in the detection and prevention of loss/misuse of personal data
• Data collection/processing must be proportionate to achieving the intended purpose with the least impact on the privacy of the employee
• Establish policies on data retention, access to the collection, and use
• Give notice of monitoring, its means, purpose, and the rights of the employee
Practical Guidelines for Monitoring
• Clear internal policy, communicated and available to employees
• Describes the cases where monitoring and processing of collected information take place, for what purposes, by whom, how long data are stored, and the rights of employees
• Employees actively invited to provide input to the internal policy
• Due care is taken to ensure that any monitoring and processing of information collected does not restrict the EU fundamental right to privacy any more than necessary for the legitimate purpose
Examples of Enforcement
OCR Enforcement Action
Organization failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports for approximately 1.5 years
• Affected at least 80,000 patients
• Resolution Agreement/CAP
– penalty $5.5 million
– 3 year Corrective Action Plan including external monitor
• Failure to monitor and audit information system activity often cited as a contributing factor in OCR enforcement actions
California Department of Public Health
• Hospital fined $38,750 over an incident in which hospital employees, driven by curiosity, accessed the EMR of a patient who went missing and was eventually found dead on the premises.
• Academic medical center fined $250,000 over an incident in which a temporary employee accessed the records of 71 patients and used the information to make harassing phone calls and submit credit card applications.
Questions?
David Holtzman
david.holtzman@cynergistek.com
512.405.8550 x7020
Follow me @HITPrivacy

UEBA: What Is It and Why Does It Matter?
Agenda
• How UEBA technologies can identify anomalous and potentially risky behavior
• Common use cases of monitoring and audit involving EHR technologies and other applications that hold PHI or sensitive data
• The pros and cons of deploying UEBA tools
UEBA is a heterogeneous, rapidly evolving and potentially very beneficial category of technologies that are underutilized by healthcare.
Analytics Perspective
© 2017 Sqrrl Data, Inc. All rights reserved.
https://www.skyhighnetworks.com/cloud-security-blog/ueba-is-a-feature-not-a-product/
UBA: Tracks broad patterns of human behavior and looks for anomalies
UEBA: UBA + non-human entities like workstations and devices
INDUSTRY-SPECIFIC UEBA: UEBA platform with an industry-specific offering
COMPLIANCE ANALYTICS: HC-specific comprehensive review for inappropriate activity
Basic Types of Analytics
• Trend analysis/baselines
• Rules
• Machine learning
Advanced Analytics
• Network analysis
• Orchestration/automation
• Context-aware roles
Proprietary and Confidential - Do Not Distribute
Data Sources
EHR PATIENT DATA: Ensuring records are not viewed by neighbors
RESEARCH DATA: Making sure sensitive lists are not shared
HR DATA: Preventing access to data for internal retribution
DEVICE DATA: Seeing if devices are being used as dangerous vectors
SCHEDULING/TIMECARD: Preventing access to data for internal retribution
NETWORK DATA: Seeing if devices are being used as dangerous vectors
Assets to Protect
PATIENT RECORDS: Ensuring records are not viewed by neighbors
RESEARCH DATA: Making sure sensitive lists are not shared
HR DATA: Preventing access to data for internal retribution
DEVICES: Seeing if devices are being used as dangerous vectors
Example 1: The hospital admin
Example 2: The “clinical researcher”
Example 3: The doctor that’s just not quite right
Key Considerations
INTEGRATION: Information all in one place
DETECTION: Find threats proactively, instead of fighting fires
INVESTIGATION: Aid in fact-gathering and speed forensics
REPORTING: Demonstrate meeting and exceeding regulatory requirements
Questions to Ask
CLOUD V. ON-PREM: What’s your cloud strategy?
DATA ACQUISITION: What protocols and how real-time?
INDUSTRY FOCUS: General solution vs. specific?
ANALYTICS TYPE: What data and how is it used?
Cons of Deployment
FALSE POSITIVES: How much signal are you getting versus noise?
COST: Think long-term TCO
LABOR: FTEs in various scenarios
USE CASES?: What does success look like for you?
Pros of Deployment
CULTURE CHANGE: Short-term discovery, long-term change
LONG-TERM COST: Savings can be significant
ORGANIZATIONAL CHANGE: Structures between privacy, security and legal
ENTERPRISE TRUST: Executive and community awareness
UEBA Context Map
[Figure: context map centered on “Dr. Smith”, with the labels Clinical Context, Administrative Context, Type of Clinical Practice, Patient Treatment Patterns, Types of Information Viewed, and Time Signature in EHR]
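As an added example (not from the slides, nor code from Protenus or CynergisTek), the rules and trend/baseline analytics types listed under Basic Types of Analytics, applied with the treatment-relationship idea from the context map to EHR access audit records: a fixed rule flags access to a patient the user has no documented treatment relationship with, and a per-user daily-volume baseline flags a day well above that user's norm. The log format, user names, patient IDs and care-team mapping are all constructed for illustration.

```python
# Added example, not from the slides: a minimal information-system activity review
# combining fixed rules with a per-user volume baseline over EHR access audit records.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records: "<timestamp> <user> <patient accessed>". Not real data.
AUDIT_LOG = """\
2020-05-18T09:12 dr.smith P100
2020-05-18T10:05 dr.smith P101
2020-05-19T09:00 dr.smith P101
2020-05-19T10:00 dr.smith P102
2020-05-20T08:00 dr.smith P102
2020-05-20T09:00 dr.smith P100
2020-05-21T07:50 dr.smith P100
2020-05-21T07:52 dr.smith P300
2020-05-21T07:54 dr.smith P301
2020-05-21T07:56 dr.smith P302
2020-05-21T07:58 dr.smith P303
2020-05-21T08:00 dr.smith P304
2020-05-18T22:10 nurse.lee P100
2020-05-19T22:15 nurse.lee P100
2020-05-20T22:05 nurse.lee P200
"""

# Constructed clinical context: patients each user has a documented treatment relationship with.
CARE_TEAM = {"dr.smith": {"P100", "P101", "P102"}, "nurse.lee": {"P100"}}

def parse(log):
    """Return (date, user, patient) tuples from the constructed log format."""
    return [(ts[:10], user, patient)
            for ts, user, patient in (line.split() for line in log.splitlines())]

def rule_no_relationship(events, care_team):
    """Rule: access to a patient the user has no documented treatment relationship with."""
    return [e for e in events if e[2] not in care_team.get(e[1], set())]

def baseline_volume_outliers(events, z=2.0, floor=2):
    """Baseline: a user-day whose access count exceeds that user's other days by more
    than z standard deviations (with a floor, since a flat history has a stdev of 0)."""
    per_day = defaultdict(lambda: defaultdict(int))
    for day, user, _ in events:
        per_day[user][day] += 1
    flagged = []
    for user, days in per_day.items():
        for day, n in days.items():
            others = [c for d, c in days.items() if d != day]
            if len(others) >= 2 and n > mean(others) + max(z * pstdev(others), floor):
                flagged.append((user, day, n))
    return flagged
```

Both outputs are review queues for a privacy or security analyst, not verdicts: a rule hit without a care relationship may still be a legitimate consult, which is the false-positive cost the later slides raise.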
Where is the field going?
Actionable Next Steps
• Read HLCU chapter
• Collaborate with security/privacy
• Risk assessment for internal threats
• Consider above factors
Summary of Tech Types
Type | Description | A good fit for…
UBA | User behavior monitoring | [largely phased out]
UEBA | User and beyond “behavior” monitoring | Non-HC industry
Vertical UEBA | Behavior monitoring plus some HC focus | “Check the box”-oriented healthcare facilities
Compliance Analytics | Purpose-built healthcare behavioral analytics | Most healthcare institutions
Learn more about what we’re learning at info@protenus.com or follow us on Twitter @Protenus