Post on 14-Jun-2015
Don't Let Them Take a Byte: Defend Your Data Bit by Bit
Kevin Ricci, CISA, MCSE
Former FBI Director Mueller:
"There are two types of companies, those that have been hacked and those that don't know it"
Why is this important?
Key Statistics
• 94% of organizations have had at least one data breach in the past two years.
• Averages:
  – Number of breach incidents in the past two years: 4
  – Number of records compromised per breach: 28,765
  – Cost per record lost: $188
• Industry with the highest average cost per breach is Healthcare: $233 per record compromised.
• Cause of breaches:
  – 37%: Malicious or criminal attack
  – 35%: Negligent employee
  – 29%: System glitch
Source: Ponemon Institute's 2013 Cost of Data Breach Study: Global Analysis
Full service Professional Services Firm:
• Attest Services
• Tax Preparation and Compliance
• IT Audit and Security
• Internal Control
• Internal Audit
• Outsourcing
• SSAE 16 Services
Highly qualified in a variety of specializations: CPA, CIA, CFE, CISA, MCSE, ABV, CVA, MST
Affiliations:
– AICPA
– PCAOB
– ACFEI
– ISACA
– TANGO
– CICPAC
– Practicewise
– VACO Risk Solutions
HIPAA Overview
• The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996
• Purpose
  – Ensure the portability of health care
  – Prevent fraud and abuse
  – Reduce paperwork
  – Enforce standards that will improve the efficiency of healthcare delivery, simplify the exchange of healthcare data, and reduce cost
  – Ensure the privacy and security of health information
HIPAA HITECH and Final Omnibus Rule
• In 2009, the American Recovery and Reinvestment Act was passed and included the Health Information Technology for Economic and Clinical Health (HITECH) Act. In 2013, the Final Omnibus Rule was passed.
• HITECH continues the effort of HIPAA to encourage migration to electronic patient records via financial incentives
• Widens the scope and magnitude of privacy and security protections available under HIPAA and clarifies their provisions
• Provides stronger enforcement, including regular audits
• Modifies and clarifies the definition of what constitutes a reportable privacy breach
• Business Associates (BA) are now obligated to comply with the relevant regulations
HIPAA Overview
Health Insurance Portability and Accountability Act of 1996
• Title I: Insurance Portability
• Title II: Preventing Fraud and Abuse
  – Medical Liability Reform
  – Administrative Simplification
    • Privacy
    • Security
    • EDI
• Title III: Tax Related Health Provisions
• Title IV: Group Health Plan Requirements
• Title V: Revenue Offsets
HIPAA Security Rule
• Established in 2003
• The Security Rule is comprised of 22 safeguards broken into three sections
  – Administrative Safeguards
  – Physical Safeguards
  – Technical Safeguards
HIPAA PHI
• The formal definition of protected health information (PHI):
  – Past, current, or future mental or physical health information, or related billing, with one of 18 identifiers
  – Electronic, verbal, or written
• Electronic PHI (ePHI) is any identifiable patient data that is either stored or transmitted in electronic form.
HIPAA: Who Needs to Comply?
• Covered Entities
  – Health Plans
  – Healthcare Providers
  – Healthcare Clearinghouses
• Business Associates
  – An entity that creates, receives, maintains, or transmits protected health information on behalf of a covered entity
Individuals Affected by Breaches
HIPAA Penalties
Violation category                        Amount per violation
(A) Did Not Know                          $100 to $50,000
(B) Reasonable Cause                      $1,000 to $50,000
(C)(i) Willful Neglect, Corrected         $10,000 to $50,000
(C)(ii) Willful Neglect, Not Corrected    $50,000
HIPAA: HHS Website
HIPAA: Tips For Compliance
• Administrative
  – Create a thorough HIPAA policy handbook for all employees
  – Require periodic training
  – Have all employees sign a confidentiality statement
  – Have a comprehensive data breach plan
  – Work with your business associates to verify that they are compliant
HIPAA: Tips For Compliance
• Technical
  – Complete a security assessment review
  – Identify your PHI through data mapping
  – Implement the minimum necessary standard: only provide employees access to what they need
  – Properly dispose of hardware when it is no longer needed (sanitize or destroy drives that held PHI)
  – Encrypt backup media, portable computers, and mobile devices containing PHI
  – Use business class email
  – Enforce strong logical controls
  – Maintain a business class firewall and antivirus solution
PCI DSS Overview
• American Express, Discover, MasterCard, Visa and JCB released the first version of the PCI DSS in December 2004 and formed the Payment Card Industry Security Standards Council in 2006
• The Council is responsible for the development, management, education, and awareness of the Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS: Where Do I Fit In?
Merchant level by annual transaction volume (one column per card brand):
Level 1:  >2.5m        | >6m        | >6m        | >6m
Level 2:  50k to 2.5m  | 1m to 6m   | 1m to 6m   | 1m to 6m
Level 3:  1 to 50k     | 20k to 1m  | 20k to 1m  | 20k to 1m
Level 4:  N/A          | 1 to 20k   | 1 to 20k   | 1 to 20k
Legend: Required / Optional
PCI DSS Compliance
• Identify
• Inventory
• Analyze
• Fix
• Scan
• Compile
• Submit
PCI DSS: Why Should You Comply?
• Inability to accept payment cards
• Legal costs, settlements, judgments
• Higher future costs of compliance
• Fines and penalties
• Lost confidence/sales
• Going out of business
PCI DSS: Tips For Compliance
• Identify your credit card data through data mapping
• Don't store credit card data on your network
• If possible, utilize dial-up terminals that do not pass through your network
• Consult with a PCI DSS specialist to confirm your level, assist with completing the associated requirements, and review your backup documentation
State Data Security Overview
• Currently, there is no federal standard, so many states have implemented data breach notification and data security/privacy regulations of their own
• If you have employees or clients that live in those states, you may need to comply with their requirements
State Data Security: Data Breach Notification
State Data Security: Data Security Regulations
General Security Guidelines
• Social media
• Data mapping
• Logical security
• Physical security
• Backups and disaster recovery
• Mobile devices
• New threats
• Spear Phishing
• Non-disclosure agreements
• Cyber insurance
• Education
Social Media
• Implement a social media policy for your business
• Educate your employees
• Restrict any social media sites that are not used for business purposes
• Consider a post-separation agreement
Data Mapping
• Do you know what your sensitive data is?
  – Intellectual property
  – Medical information (PHI)
  – Personally identifiable information (PII)
  – Credit card data
• Do you know where your sensitive data is?
  – Human Resources
  – Bookkeeping
  – Servers, laptops, desktops, backup media?
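The data-mapping step above, and the matching HIPAA tip (identify your PHI) and PCI DSS tip (identify your credit card data), both come down to the same task: sweep files and exports for values that look like card numbers or identifiers, without the sweep itself becoming a new store of those values. The following is an added example written for this page, not code from the presentation or from the author's firm. The sample records are constructed; the card numbers are the public Visa, MasterCard and American Express test PANs, and the SSN is made up. The regular expressions and the Luhn filter are my choices for cutting false positives; the masking follows the PCI DSS rule of showing at most the first six and last four digits.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines (not real data): the kind of text a data-mapping
# sweep encounters in exports, spreadsheets and mailbox dumps.  The card
# numbers are the public test PANs from Visa, MasterCard and American
# Express developer documentation; the SSN and names are invented.
SAMPLE_RECORDS = [
    "patient: J. Doe, dob 03/04/1971, ssn 123-45-6789, dx: hypertension",
    "order 8841 paid with 4111 1111 1111 1111 exp 09/16",
    "refund to card 5555-5555-5555-4444",
    "invoice 1234567890123456 shipped",   # 16 digits but fails Luhn: not a PAN
    "amex on file 378282246310005",
    "phone 401-421-4800 x278",            # too short to be a PAN
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four (the PCI DSS display rule), star the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_ssn(ssn: str) -> str:
    return "***-**-" + ssn[-4:]


@dataclass
class Finding:
    line_no: int   # 1-based line in the scanned text
    kind: str      # "PAN" or "SSN"
    masked: str    # never the full value: the report must not become a new PHI/PAN store


def scan_lines(lines: List[str]) -> List[Finding]:
    """Report masked PAN and SSN hits per line; PAN candidates must pass Luhn."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding(n, "SSN", mask_ssn(m.group())))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(n, "PAN", mask_pan(digits)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts per data type, which is what a data map actually records."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_lines(SAMPLE_RECORDS)
    for f in hits:
        print(f"line {f.line_no}: {f.kind} {f.masked}")
    print(summarize(hits))
```

Run it over real file shares by feeding `scan_lines` the lines of each file and recording only the file path, line number and masked value. The Luhn filter is why the 16-digit invoice number on line 4 is not reported; without it a sweep of accounting exports drowns in false positives.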
Logical Security
• User passwords
  – Minimum of 8 characters
  – Enforce complexity
  – Periodic changes
  – Deny access after so many invalid attempts
• General
  – Password protected screensaver
  – Coordinate with HR to immediately be notified of terminated employees
  – Change any hardware default passwords
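The four password bullets above are the parts of logical security a developer of an in-house application has to implement rather than buy. The following is an added example for this page, not code from the presentation: it enforces the 8-character minimum and complexity at set time, stores a salted slow hash instead of the password, locks the account after repeated failures, and flags a password older than the maximum age. The thresholds (5 attempts, 15-minute lockout, 90-day age, the PBKDF2 work factor) and the `AuthService` API are my assumptions chosen to match the slide, not values the presentation gives.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from typing import Dict, List

# Policy values are assumptions that match the slide's bullets: 8-character
# minimum, complexity, periodic change, lockout after repeated failures.
MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
MAX_PASSWORD_AGE_SECONDS = 90 * 24 * 3600
PBKDF2_ROUNDS = 100_000   # assumed work factor; tune to your hardware


def complexity_problems(password: str) -> List[str]:
    """Rules the password fails; an empty list means it satisfies the policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("needs three of: uppercase, lowercase, digit, symbol")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash: a stolen table cannot be reversed with
    # a plain dictionary lookup, and equal passwords get different hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    changed_at: float        # epoch seconds of the last password change
    failed_attempts: int = 0
    locked_until: float = 0.0


class AuthService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def set_password(self, username: str, password: str, now: float) -> None:
        problems = complexity_problems(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, _hash(password, salt), now)

    def login(self, username: str, password: str, now: float) -> str:
        """Returns "ok", "bad_credentials", "locked" or "password_expired"."""
        acct = self.accounts.get(username)
        if acct is None:
            _hash(password, b"\0" * 16)   # same cost as a real check: no user enumeration by timing
            return "bad_credentials"
        if now < acct.locked_until:
            return "locked"               # refuse even a correct password while locked
        if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.failed_attempts = 0
                acct.locked_until = now + LOCKOUT_SECONDS
                return "locked"
            return "bad_credentials"
        acct.failed_attempts = 0          # a good login clears the counter
        if now - acct.changed_at > MAX_PASSWORD_AGE_SECONDS:
            return "password_expired"     # authenticated, but must set a new password first
        return "ok"


if __name__ == "__main__":
    svc = AuthService()
    svc.set_password("alice", "Tr0ub4dor&3", now=0.0)
    print(svc.login("alice", "Tr0ub4dor&3", now=1.0))
```

Two design points: the lockout is checked before the hash is computed, so a locked account cannot be used as a password oracle, and the expiry is reported only after a correct password, so an attacker learns nothing about password age from a failed guess. One caveat on the "periodic changes" bullet: NIST SP 800-63B (2017) dropped forced periodic rotation in favour of screening new passwords against breached-password lists and changing them on evidence of compromise; if you keep rotation, keep the maximum age long enough that users do not fall back to predictable increments.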
Physical Security
• General
  – Educate your receptionist
  – Redundant ISP
  – Locked to-be-shredded containers
  – Guest passes
• Data center
  – Visitor log
  – Security cameras
  – Alarm
  – Temperature, water, smoke, and fire detectors
  – Uninterruptible power supplies (UPS)
Backups and Disaster Recovery
• General
  – Viability testing (actually restore from the backup periodically)
  – Offsite transport
  – Encryption
• Onsite backups
  – Fireproof safe
  – Security
• Cloud backups
  – Service agreement
  – SSAE 16 report
• Disaster recovery plan
Mobile Devices
• Policies
• Use an antivirus app
• Use a password
• Encryption
• Avoid free Wi-Fi
• Remote wipe
New Threats
• Ransomware
• Heartbleed
• Internet Explorer Vulnerability
Spear Phishing
• Train employees on what to look for
• Be careful where you post personal information
• Beware of unexpected emails
• Keep your software up to date
Non-Disclosure Agreements
Any consultant that can access your network should provide you with a non-disclosure / confidentiality agreement
Cyber Insurance
Work with your legal and insurance contacts to make sure you have the necessary level of cyber insurance in the event of an attack or data breach
Education
• Critically important: end users are often your weakest security link!
• Provide security training during the onboarding process
• Provide your staff with annual security training
• Provide additional training to anyone with direct contact with PHI, PII, or other sensitive information
• Have employees sign a document acknowledging the security policies
Kevin Ricci, Director of IT, kricci@lgcd.com, (401) 421-4800 x278