Strategies for Staying Ahead of the Cybersecurity Avalanche · 2017-10-12 · ©2017 Hancock,...

Page 1

©2017 Hancock, Daniel, Johnson & Nagle, PC • hdjn.com

Strategies for Staying Ahead of the Cybersecurity Avalanche

Mike Gill

Hancock, Daniel, Johnson & Nagle, PC

September 15, 2017

Page 2

What are we up against?

Page 3

How Bad is the Avalanche?

• 47% of health care organizations hit in the past 2 years.

• $5.6 billion – estimated annual cost to the industry.

• $2.2 million – average cost of a breach

• 4,000 – number of daily ransomware attacks

– 300% increase over 2015

– 96% of ransomware targeted medical treatment centers; 133% increase in 2017.

• January – July 2017:

– 791 total breaches – 29% increase over 2016

– 233 reported breaches of 500+ records / 3,159,236 patients affected

– Causes: 41% insiders, 32% hacking, 18% loss or theft of records and devices

Page 4

How Bad is the Avalanche?

• Reported Health Care Breaches

– Anthem – 78.8 million records / $115 million class-action settlement

– Presence Health – 836 patients, with notification made about 40 days late = $475,000 OCR settlement (the first HIPAA enforcement action for untimely breach notification)

– OCR's "Wall of Shame" (the HHS breach portal); coverage at http://www.hipaajournal.com

Page 5

Who to look out for?

Page 6

What are they after?

• Health care providers are prime targets

– Value of PHI vs. other information – $380 per record

– Internet of Things (IoT) – 20.8 billion devices connected by 2020

– Electronic Health Records (EHR) – one-stop shopping for hackers

Page 7

What are our challenges?

• Unique health care culture

– 24/7 care; help as many patients as possible

– Patients, families, and providers involved in the process

– Rotating staff, volunteers, and patients

– Seamless and quick access to PHI

– Tight budgets and legacy equipment (IT industry 10% vs. health care 4–6%)

– Historical view of cybersecurity as an IT issue, until it becomes front-page news

• Key cultural shift from an IT-only approach to a practice-wide approach coordinating people, processes, and policies

Page 8

What are our challenges?

• Health Care Industry Cybersecurity (HCIC) Task Force – report to Congress on improving cybersecurity in the health care industry, June 2017

Page 9

What are our challenges?

• Government regulation and enforcement responses

– The good (getting the industry up to speed)

• Medical Device Cybersecurity Act of 2017, proposed in August 2017

– The bad (multiple agencies and regulations galore)

Page 10

What are our challenges?

• And the ugly . . .

– Over 2,000 health care data breaches (500+ individuals each) reported to OCR since 2009, exposing over 170,000,000 individuals' PHI.

– Fines: before 2016, the previous record for total fines OCR levied in any year was $7.9 million. In 2016, settlement payments hit $25.6 million.

– Memorial Healthcare System – $5.5 million settlement, February 2017.

– Presence Health – $475,000 settlement, January 2017.

Page 11

Enhancing Security and Preparing for Attacks

Page 12

Understand the Risks & Rules

• Reality – only a matter of when, not if . . .

• Identify and protect your "Crown Jewels" – type of data, location, people with access, and unique threats / vulnerabilities

• Understand federal and state rules and regulations

• Business risks – reputation, front-page news, enforcement efforts

• Employees must understand their role – unintentional employee action is a leading cause of breaches.

Page 13

Establish a Cybersecurity Culture

“All Hands on Deck”

• Everyone who touches a keyboard is an asset or a threat.

• Responsibilities and accountability

• Everyone empowered to raise concerns.

• Train your team and test your systems

• Always re-evaluating and improving.

Page 14

Cybersecurity Team

• Full team with inside and outside players

– Multidisciplinary team – management, IT, PR, compliance

– IT experts, legal counsel, forensic experts

• Accountability for, and familiarity with, prevention and response measures.

– Know the process and the entire system.

Page 15

Establish Robust Security Measures

• HIPAA Risk Analysis Requirement (45 C.F.R. § 164.308(a)(1)(ii)(A)): identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI) held by the organization.

• HHS suggests the following steps:

– Identify where PHI is stored, received, maintained or transmitted.

– Identify and document potential threats and vulnerabilities.

– Assess current security measures used to safeguard PHI.

– Determine the likelihood of a "reasonably anticipated" threat.

– Determine the potential impact of a breach of PHI.

– Assign risk levels for vulnerability and impact combinations.

– Document the assessment and take action where necessary.

Page 16

Establish Robust Security Measures

• National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

– Per OCR – NIST guidelines "represent the industry standard for good business practices with respect to standards for securing e-PHI."

• NIST CSF core functions and their categories:

– Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy

– Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes & Procedures; Maintenance; Protective Technology

– Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes

– Respond: Response Planning; Communications; Analysis; Mitigation; Improvements

– Recover: Recovery Planning; Improvements; Communications

Page 17

Establish Robust Security Measures

• Insider Threats – Bad Apples & Avoidable Mistakes

– Most significant breach threat!

– Bad Apples

• Control Information Access

• Monitor employee access to critical info.

• “If you see something, say something.”

– Avoidable Mistakes

• Phishing emails

• Lost unencrypted devices

• Improper storage or disposal
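One way to act on the "Monitor employee access to critical info" bullet, as an added example that is not part of the original presentation: run two simple checks over an EHR audit-log extract. A chart opened by a user from a different unit than the patient, with no documented reason, is flagged, and so is a user who opens far more distinct charts than their peers. The log format (timestamp plus key=value fields), the unit assignments, the `reason=consult` exemption and the thresholds are all constructed for illustration; a real deployment would read the EHR's own audit export and tune thresholds per role.

```python
"""Insider-threat checks over EHR audit logs (added example; constructed data)."""
from collections import defaultdict
from statistics import median

# Constructed audit-log extract: timestamp, then key=value fields.
# 'unit' is the user's assigned unit, 'patient_unit' the unit the chart belongs to.
SAMPLE_LOG = """\
2017-09-15T08:02:11 user=jdoe unit=ICU mrn=100231 patient_unit=ICU action=view
2017-09-15T08:05:40 user=jdoe unit=ICU mrn=100232 patient_unit=ICU action=view
2017-09-15T08:09:02 user=jdoe unit=ICU mrn=100233 patient_unit=ICU action=view
2017-09-15T08:11:15 user=asmith unit=ICU mrn=100231 patient_unit=ICU action=view
2017-09-15T08:20:33 user=asmith unit=ICU mrn=100234 patient_unit=ICU action=update
2017-09-15T09:01:07 user=bnurse unit=ER mrn=200101 patient_unit=ER action=view
2017-09-15T09:03:19 user=bnurse unit=ER mrn=200102 patient_unit=ER action=view
2017-09-15T09:04:55 user=bnurse unit=ER mrn=200103 patient_unit=ER action=view
2017-09-15T09:30:00 user=dgreen unit=RAD mrn=100232 patient_unit=ICU action=view reason=consult
2017-09-15T12:45:21 user=rwhite unit=ER mrn=100231 patient_unit=ICU action=view
2017-09-15T13:00:01 user=tjones unit=ICU mrn=100240 patient_unit=ICU action=view
2017-09-15T13:00:48 user=tjones unit=ICU mrn=100241 patient_unit=ICU action=view
2017-09-15T13:01:30 user=tjones unit=ICU mrn=100242 patient_unit=ICU action=view
2017-09-15T13:02:12 user=tjones unit=ICU mrn=100243 patient_unit=ICU action=view
2017-09-15T13:02:59 user=tjones unit=ICU mrn=100244 patient_unit=ICU action=view
2017-09-15T13:03:41 user=tjones unit=ICU mrn=100245 patient_unit=ICU action=view
2017-09-15T13:04:25 user=tjones unit=ICU mrn=100246 patient_unit=ICU action=view
2017-09-15T13:05:10 user=tjones unit=ICU mrn=100247 patient_unit=ICU action=view
2017-09-15T13:05:52 user=tjones unit=ICU mrn=100248 patient_unit=ICU action=view
2017-09-15T13:06:37 user=tjones unit=ICU mrn=100249 patient_unit=ICU action=view
"""


def parse_line(line):
    """Parse one audit line: first token is the timestamp, the rest are key=value pairs."""
    ts, *pairs = line.split()
    record = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_off_unit_access(records, allowed_reasons=("consult", "transfer")):
    """Charts opened by a user whose unit differs from the patient's, with no documented reason.

    Returns (user, mrn, timestamp) tuples so a reviewer can pull the exact event.
    """
    hits = []
    for r in records:
        if r["unit"] != r["patient_unit"] and r.get("reason") not in allowed_reasons:
            hits.append((r["user"], r["mrn"], r["ts"]))
    return hits


def find_volume_outliers(records, factor=3.0, min_charts=5):
    """Users whose count of distinct charts is far above the median user.

    'factor' and 'min_charts' are constructed thresholds; min_charts keeps a
    small log extract from flagging everyone above a tiny median.
    """
    charts = defaultdict(set)
    for r in records:
        charts[r["user"]].add(r["mrn"])
    counts = {user: len(mrns) for user, mrns in charts.items()}
    baseline = median(counts.values())
    return sorted(u for u, n in counts.items() if n >= min_charts and n > factor * baseline)


def run_detections(text):
    """Run both checks over a log extract and return the findings by check name."""
    records = parse_log(text)
    return {
        "off_unit": find_off_unit_access(records),
        "volume_outliers": find_volume_outliers(records),
    }


if __name__ == "__main__":
    for check, findings in run_detections(SAMPLE_LOG).items():
        print(check, findings)
```

On the constructed extract the radiologist's consult is exempted, the ER user who opened an ICU chart is reported, and the ICU user who opened ten charts in six minutes is the one volume outlier. The point is not the thresholds but that the raw material for "if you see something, say something" already sits in the EHR audit trail; someone has to read it.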

Page 18

Establish Robust Security Measures

• Written Information Security Program (WISP)

– Documents the steps taken to protect the security and confidentiality of PHI and other sensitive information.

– What to include:

• How PHI is to be stored.

• Who should have access.

• Process for handling incoming threats.

• Types of sensitive information maintained.

• Identities of individuals on the management / response team.

• Recordkeeping plan and who is responsible for it.

– Establish an Operations Contingency Plan

Page 19

Security Training

• Employees are the first line of defense

– 91% of cyberattacks start with a phishing email.

– Detecting and preventing insider threats.

• Keep advice practical – actual examples of email phishing trends and problems.

• Reinforce the cybersecurity culture – think before you click; emerging trends and threats.

• Guidance from the cybersecurity team and outside resources – Information Sharing and Analysis Organizations (ISAOs).

Page 20

Security Training

• Simulations & testing the system

– Employee-specific scenarios in addition to training

– Response team drills.

• Periodic security updates are required for employees – 45 C.F.R. § 164.308(a)(5)(ii)(A).

• Document training provided, newsletters sent, updates, and participation.

Page 21

Staying up to date

• Legacy Systems

– Budget realities vs. risks

– Lifecycle awareness

– Other strategies –

• Protected, segmented network

• Limit physical access

• Access Control Lists

• Full authentication and encryption

• Update Your Operating Systems

– Email and exploit kits (web filtering)

– WannaCry and Petya/NotPetya ransomware attacks (2017): both spread through an SMBv1 flaw for which Microsoft had issued patch MS17-010 two months before WannaCry hit. An unpatched or out-of-support system is exactly the exposure this slide is about.

Page 22

Protecting Access

• Deploy strong authentication requirements

– Practice realities vs. security

– Require strong passwords and multi-factor authentication.

Page 23

More upfront strategies

• Use gold-standard backup systems (and test that restores actually work)

• Outside vendors – internal security is not enough! Business Associate Agreement (BAA) considerations:

– Are they secure?

– Who is in charge?

– Timeline for response

– Require cooperation if there is a breach

– Handling of external notices

– Indemnification – does the vendor owe you for your costs?

Page 24

More upfront strategies

• Evaluate your insurance coverage!

– Costs to be covered – IT professionals, lawyers, forensic experts / backup system failure / operational halts

– Reassess regularly to meet evolving risks.

Page 25

Responding to Cyberattacks

Page 26

Response Team

• Preparation and practice make all the difference.

• Internal team

– Identifies issues and takes initial steps

– Determines who needs to know and what needs to be done

• External team

– Internal team involves external experts ASAP – stop the bleeding!

– Initiate attorney-client privilege – have counsel engage the forensic experts so the investigation is conducted under privilege

Page 27

Response Steps

• Keep information confidential

– Involve those who need to be involved

– Execute the response plan and adjust as necessary

• Preserve evidence

– Critical for establishing what happened / was there a breach?

– Forensic experts – work on forensic copies rather than live systems, and record a hash of everything collected before analysis changes it.
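The "preserve evidence" step in practice, as an added example that is not part of the original presentation: before anyone analyses a collected log or image, record a SHA-256 for each item plus who collected it and when, hash the manifest itself, and re-verify every time the evidence changes hands. The two evidence files, the case ID and the collector name below are constructed for illustration; a real collection would also capture the acquisition tool and the original device identifiers.

```python
"""Evidence manifest with chain-of-custody hashes (added example; constructed data)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a multi-GB image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _manifest_digest(manifest):
    """Hash of the manifest body (everything except its own digest field), canonical JSON."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_manifest(paths, collector, case_id):
    """Record hash, size and mtime per item, then seal the manifest with its own hash."""
    entries = []
    for path in paths:
        st = os.stat(path)
        entries.append({
            "path": os.path.abspath(path),
            "sha256": sha256_file(path),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
    }
    manifest["manifest_sha256"] = _manifest_digest(manifest)
    return manifest


def verify_manifest(manifest):
    """Return what no longer matches: an edited manifest, missing files, or changed content."""
    problems = []
    if _manifest_digest(manifest) != manifest.get("manifest_sha256"):
        problems.append("<manifest>")
    for entry in manifest["entries"]:
        path = entry["path"]
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            problems.append(path)
    return problems


def demo():
    """Constructed scenario: collect two files, verify, then alter one and verify again."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    mail_log = os.path.join(workdir, "mail.log")
    access_csv = os.path.join(workdir, "ehr_access.csv")
    with open(mail_log, "w") as fh:  # constructed mail-gateway line
        fh.write("2017-09-14 07:58:02 from=<billing@example.org> to=<frontdesk@example.com> subj=Invoice\n")
    with open(access_csv, "w") as fh:  # constructed EHR audit export
        fh.write("ts,user,mrn,action\n2017-09-14T08:02:11,jdoe,100231,view\n")

    manifest = build_manifest([mail_log, access_csv], collector="J. Analyst", case_id="IR-2017-001")
    clean = verify_manifest(manifest)  # nothing changed since collection -> []

    with open(access_csv, "a") as fh:  # someone "tidies" the export after the fact
        fh.write("2017-09-14T08:03:00,jdoe,100232,view\n")
    tampered = verify_manifest(manifest)  # the altered file is reported
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Hand the manifest to counsel and the forensic firm along with the evidence; because the manifest's own hash is recorded, neither an edited file nor an edited manifest can pass a later verification quietly, which is what "preserve evidence" has to mean if the findings will be relied on in an OCR inquiry or litigation.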

Page 28

Response Steps

• Thorough and efficient investigation

– Interview personnel with the assistance of counsel

– Follow WISP procedures

• Determine whether to involve law enforcement

• Notify insurance carriers

– Be overinclusive

• Carefully document response steps

– Every step taken – who, what, when, where, why

Page 29

Reporting Requirements

• Is this a HIPAA breach? Under 45 C.F.R. § 164.402, a breach is the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI.

– Unauthorized access / disclosure?

– Was the PHI unsecured?

– Does an exception apply?

– Is there a low probability that the PHI has been compromised (the four-factor risk assessment)?

Page 30

Reporting Requirements

• Federal and state reporting requirements

• Notifications and remedial measures

– Internal and external notification

– Number of disclosed records

– Involve outside PR management where appropriate

– Prepare for inquiries / possible litigation

• Review what happened and how to make us better

Page 31

www.hdjn.com | (866) 967-9604

Mike Gill

(804) 934-1961 (Desk)

(804) 248-0797 (Cell)

[email protected]