Transcript of Strategies for Staying Ahead of the Cybersecurity Avalanche · 2017-10-12
©2017 Hancock, Daniel, Johnson & Nagle, PC • hdjn.com
Strategies for Staying Ahead of the Cybersecurity Avalanche
Mike Gill
Hancock, Daniel, Johnson & Nagle, PC
September 15, 2017
What are we up against?
How Bad is the Avalanche?
• 47% of health care organizations hit in the past 2 years.
• $5.6 billion – estimated annual cost to the industry.
• $2.2 million – average cost of a breach.
• 4,000 – number of daily ransomware attacks.
– 300% increase over 2015.
– 96% of ransomware targeted medical treatment centers; 133% increase in 2017.
• January – July 2017:
– 791 total breaches – 29% increase over 2016.
– 233 reported breaches (500+ individuals each) / 3,159,236 patients affected.
– Causes: 41% insiders, 32% hacking, 18% loss/theft of records and devices.
How Bad is the Avalanche?
• Reported Health Care Breaches
– Anthem – 78.8 million records / $115 million class-action settlement.
– Presence Health – 836 patients, reported 40 days late = $475,000 OCR settlement.
– OCR's "Wall of Shame" breach portal (source: http://www.hipaajournal.com).
Who to look out for?
What are they after?
• Health care providers are prime targets
– Value of PHI vs. other information – $380 per record.
– Internet of Things (IoT) – 20.8 billion devices connected by 2020.
– Electronic Health Records (EHR) – one-stop shopping for hackers.
What are our challenges?
• Unique health care culture
– 24/7 care; help as many patients as possible.
– Patients, families, and providers involved in the process.
– Rotating staff, volunteers, and patients.
– Seamless and quick access to PHI.
– Tight budgets and legacy equipment (IT spending: industry average 10% vs. healthcare 4-6%).
– Historical view of cybersecurity as an IT issue, until it becomes front-page news.
• Key cultural shift: from an IT issue to a practice-wide approach coordinating people, processes, and policies.
What are our challenges?
• Health Care Industry Cybersecurity (HCIC) Task Force
What are our challenges?
• Government regulation and enforcement responses
– The good (getting the industry up to speed):
• Medical Device Cybersecurity Act of 2017, proposed in August 2017.
– The bad (multiple agencies and regulations galore).
What are our challenges?
• And the ugly . . .
– Over 2,000 healthcare data breaches (500+ individuals each) reported to OCR since 2009, exposing over 170,000,000 individuals' PHI.
– Fines: before 2016, the previous record for total OCR settlements and penalties in any year was $7.9 million. In 2016, settlement payments hit $25.6 million.
– Memorial Healthcare System – $5.5 million settlement in February 2017.
– Presence Health – $475,000 settlement in January 2017.
Enhancing Security and Preparing for Attacks
Understand the Risks & Rules
• Reality – only a matter of when, not if . . .
• Identify and protect your "Crown Jewels" – type of data, location, people with access, and the unique threats / vulnerabilities to each.
• Understand federal and state rules and regulations.
• Business risks – reputation, front-page news, enforcement efforts.
• Employees must understand their role – unintentional employee action is a leading cause of breaches.
Establish a Cybersecurity Culture
"All Hands on Deck"
• Everyone who touches a keyboard is an asset or a threat.
• Responsibilities and accountability.
• Everyone empowered to raise concerns.
• Train your team and test your systems.
• Always re-evaluating and improving.
Cybersecurity Team
• Full team with inside and outside players
– Multidisciplinary team – management, IT, PR, compliance.
– IT experts, legal counsel, forensic experts.
• Accountability for, and familiarity with, prevention and response measures.
– Know the process and the entire system.
Establish Robust Security Measures
• HIPAA Risk Analysis Requirement: identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI held by the organization.
• HHS suggests the following steps:
– Identify where PHI is stored, received, maintained or transmitted.
– Identify and document potential threats and vulnerabilities.
– Assess current security measures used to safeguard PHI.
– Determine the likelihood of a “reasonably anticipated” threat.
– Determine the potential impact of a breach of PHI.
– Assign risk levels for vulnerability and impact combinations.
– Document the assessment and take action where necessary.
Establish Robust Security Measures
• National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
– Per OCR, NIST guidelines "represent the industry standard for good business practices with respect to standards for securing e-PHI."
– CSF Functions and their Categories:
• Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy.
• Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes & Procedures; Maintenance; Protective Technology.
• Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes.
• Respond: Response Planning; Communications; Analysis; Mitigation; Improvements.
• Recover: Recovery Planning; Improvements; Communications.
Establish Robust Security Measures
• Insider Threats – Bad Apples & Avoidable Mistakes
– Most significant breach threat!
– Bad Apples
• Control Information Access
• Monitor employee access to critical info.
• “If you see something, say something.”
– Avoidable Mistakes
• Phishing emails
• Lost unencrypted devices
• Improper storage or disposal
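"Monitor employee access to critical info" is the one item on this slide that can be turned into a running control rather than a policy statement. The following is an added example written for this page; it is not code from the presentation or from the firm. It applies three insider-threat rules to an EHR access audit log: exports by roles with no business need to export, views of watch-listed records by anyone outside the patient's care team, and bulk off-hours access to many distinct records. The log format (timestamp, user, role, patient, action), the role names, the watch list, the thresholds, and every log line are assumptions constructed for illustration.

```python
"""Flag suspicious workforce access to patient records in an EHR audit log.

Added example, not from the original presentation. The log format
(timestamp user role patient action), the role names, the watch list and
the thresholds are assumptions chosen for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log (not real data).
SAMPLE_LOG = """\
2017-09-14T09:02:11 jdoe nurse P1001 VIEW
2017-09-14T09:05:40 jdoe nurse P1002 VIEW
2017-09-14T09:06:02 jdoe nurse P1003 VIEW
2017-09-14T09:30:00 asmith billing P1001 VIEW
2017-09-14T02:14:55 bjones scheduler P2001 VIEW
2017-09-14T02:15:10 bjones scheduler P2002 VIEW
2017-09-14T02:15:30 bjones scheduler P2003 VIEW
2017-09-14T02:15:52 bjones scheduler P2004 VIEW
2017-09-14T02:16:20 bjones scheduler P2005 VIEW
2017-09-14T02:16:41 bjones scheduler P2006 VIEW
2017-09-14T10:12:00 asmith billing P1002 EXPORT
2017-09-14T10:20:00 drlee physician P9999 VIEW
2017-09-14T10:25:00 kvip nurse P9999 VIEW
"""

# Assumed policy inputs: which roles may export, which records are on a
# watch list (e.g. VIPs or employees who are also patients), and the care
# team allowed to view each watch-listed record.
EXPORT_ROLES = {"him", "compliance"}          # HIM = health information management
WATCH_LIST_CARE_TEAM = {"P9999": {"drlee"}}  # patient id -> users allowed to view
OFF_HOURS = range(0, 6)                      # 00:00-05:59 local time
BULK_THRESHOLD = 5                           # distinct patients touched off-hours


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text: str) -> list[Event]:
    """Parse whitespace-separated audit lines; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, role, patient, action))
    return events


def detect_anomalies(events: list[Event]) -> list[tuple[str, str, str]]:
    """Return (rule, user, detail) alerts for three insider-threat patterns."""
    alerts: list[tuple[str, str, str]] = []
    off_hours_patients: dict[str, set[str]] = defaultdict(set)
    for e in events:
        # Rule 1: an export by a role that has no business need to export.
        if e.action == "EXPORT" and e.role not in EXPORT_ROLES:
            alerts.append(("export_by_unauthorized_role", e.user, e.patient))
        # Rule 2: a watch-listed record viewed by someone outside its care team.
        team = WATCH_LIST_CARE_TEAM.get(e.patient)
        if team is not None and e.user not in team:
            alerts.append(("watch_list_access_outside_care_team", e.user, e.patient))
        # Rule 3 (aggregated below): many distinct records touched off-hours.
        if e.ts.hour in OFF_HOURS:
            off_hours_patients[e.user].add(e.patient)
    for user, patients in sorted(off_hours_patients.items()):
        if len(patients) >= BULK_THRESHOLD:
            alerts.append(("off_hours_bulk_access", user, f"{len(patients)} distinct patients"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{rule}: {user} ({detail})")
```

On the constructed log this raises three alerts: the billing user's export, the nurse viewing a watch-listed record she is not assigned to, and the scheduler touching six different records between 02:00 and 03:00. The physician's view of the same watch-listed record is silent because he is on the care team, which is the point of keeping an explicit allow list rather than alerting on every access to a sensitive record.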
Establish Robust Security Measures
• Written Information Security Program (WISP)
– Documents the steps taken – how the organization protects the security and confidentiality of PHI and sensitive information.
– What to include:
• How PHI is to be stored.
• Who should have access.
• Process for handling incoming threats.
• Types of sensitive information maintained.
• Identities of individuals on the management / response team.
• Recordkeeping plan and who is responsible for it.
– Establish an Operations Contingency Plan.
Security Training
• Employees are the first line of defense
– 91% of cyberattacks start with a phishing email.
– Detecting and preventing insider threats.
• Keep advice practical – actual examples of email phishing trends and problems.
• Reinforce the cybersecurity culture – think before you click; emerging trends and threats.
• Guidance from the cybersecurity team and outside resources – Information Sharing and Analysis Organizations (ISAOs).
Security Training
• Simulations & Testing Systems
– Employee-specific scenarios in addition to training.
– Response team drills.
• Periodic security reminders to the workforce are an addressable HIPAA Security Rule specification – 45 C.F.R. § 164.308(a)(5)(ii)(A).
• Document training provided, newsletters sent, updates, and participation.
Staying up to date
• Legacy Systems
– Budget realities vs. risks.
– Lifecycle awareness.
– Other compensating strategies:
• Protected (isolated) network segment.
• Limit physical access.
• Access Control Lists.
• Full authentication and encryption.
• Update Your Operating Systems
– Email and exploit kits (web filtering).
– WannaCry and Petya ransomware attacks (2017): both spread through unpatched Windows SMB (MS17-010), so unpatched legacy hosts were the first to fall.
Protecting Access
• Deploy Strong Authentication Requirements
– Practice realities vs. Security
– Require secure passwords and authentication.
More upfront strategies
• Use gold-standard backup systems.
• Outside vendors – internal security is not enough! Business Associate Agreement (BAA) considerations:
– Are they secure?
– Who is in charge?
– Timeline for response.
– Require cooperation if there is a breach.
– Handling of external notices.
– Indemnification – does the vendor owe you for your costs?
More upfront strategies
• Evaluate Your Insurance Coverage!
– Costs to be covered – IT professionals, lawyers, forensic experts / backup system failure / operational halts.
– Reassess regularly to meet evolving risks.
Responding to Cyberattacks
Response Team
• Preparation and practice make all the difference.
• Internal Team
– Identifies issues and takes initial steps.
– Determines who needs to know and what needs to be done.
• External Team
– Internal team involves external experts ASAP – stop the bleeding!
– Engage counsel early so the investigation proceeds under attorney-client privilege.
Response Steps
• Keep Information Confidential
– Involve those who need to be involved.
– Execute the response plan and adjust as necessary.
• Preserve Evidence
– Critical for establishing what happened / whether there was a breach.
– Forensic experts.
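Preserving evidence starts with being able to prove that what the forensic experts later examine is what was collected. The following is an added example for this page, not code from the presentation or the firm: it hashes each collected artifact, records size, timestamp and SHA-256 in a manifest, and re-verifies the manifest so that any alteration after collection is detectable. The file names, the case label, the collector name and the sample log line are constructed placeholders.

```python
"""Hash-based evidence manifest for preserving incident artifacts.

Added example, not from the original presentation. The file names, the
case label and the collector name are constructed placeholders; the log
line written into the sample file is made up.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths, case_id: str, collector: str) -> dict:
    """Record path, size, modification time and SHA-256 for each artifact."""
    entries = []
    for p in paths:
        st = os.stat(p)
        entries.append({
            "path": os.path.abspath(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(p),
        })
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
    }


def write_manifest(manifest: dict, path: str) -> str:
    """Write the manifest as JSON and return the SHA-256 of the manifest itself."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return sha256_file(path)


def verify_manifest(manifest: dict) -> list:
    """Return the paths that are missing or whose hash no longer matches."""
    changed = []
    for entry in manifest["entries"]:
        if not os.path.exists(entry["path"]) or sha256_file(entry["path"]) != entry["sha256"]:
            changed.append(entry["path"])
    return changed


def demo_tamper_detection() -> tuple:
    """Create constructed artifacts, hash them, then alter one.

    Returns (mismatches_before, mismatch_names_after, manifest_hash) so the
    behaviour can be checked without writing outside a temporary directory.
    """
    with tempfile.TemporaryDirectory() as workdir:
        auth_log = os.path.join(workdir, "auth.log")
        disk_img = os.path.join(workdir, "disk.img")
        with open(auth_log, "w", encoding="utf-8") as fh:
            # Constructed log line, not from a real system.
            fh.write("Sep 14 02:15:10 ehr01 sshd[412]: Accepted password for bjones from 10.0.5.23\n")
        with open(disk_img, "wb") as fh:
            fh.write(os.urandom(64 * 1024))  # stand-in for a disk image
        manifest = build_manifest([auth_log, disk_img],
                                  case_id="CASE-2017-0001", collector="forensics-oncall")
        manifest_hash = write_manifest(manifest, os.path.join(workdir, "manifest.json"))
        before = verify_manifest(manifest)
        with open(auth_log, "a", encoding="utf-8") as fh:
            fh.write("Sep 14 02:16:00 ehr01 sshd[412]: session closed\n")  # simulated alteration
        after = [os.path.basename(p) for p in verify_manifest(manifest)]
        return before, after, manifest_hash


if __name__ == "__main__":
    print(demo_tamper_detection())
```

Record the manifest's own hash in the incident log or ticket at collection time, so the manifest cannot be quietly replaced along with the artifacts; the hash chain is only as good as the one value written somewhere the collector cannot later edit. The script verifies integrity after the fact; it does not replace proper acquisition (read-only copies, write blockers), which is the forensic experts' job.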
Response Steps
• Thorough and efficient investigation
– Interview personnel with assistance of counsel
– Follow WISP procedures
• Determine whether to involve law enforcement
• Notify Insurance Carriers
– Be overinclusive
• Carefully Document Response Steps
– Every step taken – who, what, when, where, why
Reporting Requirements
• Is this a HIPAA breach?
Acquisition, access, use, or disclosure of protected health information in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI.
– Unauthorized access / disclosure?
– Was the PHI unsecured (not encrypted or destroyed per HHS guidance)?
– Does an exception apply?
– Is there a low probability that the PHI has been compromised (four-factor risk assessment)?
Reporting Requirements
• Federal and state reporting requirements
• Notifications and Remedial Measures
– Internal and external notification.
– Number of disclosed records.
– Involve outside PR management where appropriate.
– Prepare for inquiries / possible litigation.
• Review what happened and how to make us better.
www.hdjn.com | (866) 967-9604
Mike Gill
(804) 934-1961 (Desk)
(804) 248-0797 (Cell)