Whose Job Is It? - FairWarning, Inc. … · 22/09/2016  · Protecting Patient Data - Whose Job is...

Page 1

Whose Job Is It?

September 22, 2016

Page 2

Speakers

Robert Mireles, CIPM, Sr. Healthcare Privacy Specialist for Managed Privacy Services

FairWarning

Chuck Burbank, CISO and Director of Managed Privacy Services

FairWarning

Page 3

Agenda

• 2016 Enforcement Activity

• 7 Lessons Learned from 2016 OCR Resolution Agreements

• Breakdown of 2016 Breaches

• Insiders and the Emerging High Risk Threat Landscape

• The Why: Gaps in Privacy and Security

• Protecting Patient Data: Whose Job Is It?

• Privacy + Security: How to Close the Gaps

• People-Centric Security

• Q & A

Page 4

2016: Enforcement Activity

August 18, 2016 - The OCR announced its initiative to investigate breaches affecting fewer than 500 individuals

This Year’s Resolution Agreements to Note:

• Advocate Healthcare Network’s $5.5 million settlement

• Oregon Health and Science University - $2.7 million

• $2.75 million settlement with University of Mississippi

March 2016 - Commencement of Phase 2 HIPAA audits, which included covered entities and business associates

August 1, 2016 - Bulletin citing the negative impact of insider threats on the confidentiality, integrity, and availability of ePHI

Full List of Resolution Agreements Year-to-Date

Page 5

7 Lessons You Must Learn from OCR Resolution Agreements

1. Perform a Risk Analysis

2. Develop a Risk Management Plan

3. Have required policies and procedures

4. Develop an enhanced Privacy and Security Training Program

5. Review Business Associate Agreements and have a process in place to ensure they are obtained

6. Review encryption

7. Follow up on and document investigations of employee non-compliance

Page 6

Breakdown of 2016 Breaches

• The Identity Theft Resource Center reports that healthcare data breaches make up 36.2% of all reported breaches in 2016 YTD

• Over 11 million healthcare records were exposed in June alone

• That’s 5x the 2.1 million total records exposed from January to May

June Breach Breakdown

• 41.4% Hacking Incidents

• 41.4% Insider Theft and Errors

• 17.2% Theft or Loss of Paper Copies

Page 7

Insider Threats and the Emerging PHI High Risk Threat Landscape

According to the 2016 Verizon DBIR, 73% of all healthcare data security incidents can be attributed to:

• Insider and Privilege Misuse (23%)

• Physical Theft and Loss (32%)

• Miscellaneous User Errors (18%)

Ransomware, Insider Abuses, Hacktivists, Espionage, Spear Phishing…

Systems can be compromised within minutes…

So, why does it take days to discover 56% of incidents and months to discover 39% of incidents?

Page 8

The Why: Gaps in Privacy and Security

1. Lack of monitoring

- 40% are not monitoring applications that contain PHI

2. Lack of encryption

- Only 64% of organizations encrypt data in transit

3. Lack of network monitoring tools

- 46% do not have an intrusion detection system

- 47% do not use network monitoring tools

4. Skills Shortage

- Constrained budgets

- Scarce talent and resources limit cybersecurity readiness

Get more information on the HIMSS 2016 Survey Results

Page 9

Protecting Patient Data - Whose Job is it?

• Monitor for and detect inappropriate access in patient charts, insider threats, network intrusions, phishing attacks, compromised credentials and ransomware

• Investigate potential incidents

• Report confirmed breaches

• Audit for compliance with federal and state regulations

In the digital age, there is no privacy without security.

Page 10

Privacy + Security: How to close the gaps

• Provide your workforce with ongoing specialized information security awareness training

• Encourage collaboration between Privacy and Security to develop and implement the necessary Administrative, Physical and Technical Controls

• Implement a security and privacy risk assessment

• Mitigate the risk of breaches through a defense-in-depth approach

• Maximize your security investments

Page 11

People-Centric Security

• Easy-to-read individual employee risk profiles

• Identify unusual data access behaviors

• Reduce insider threat risks

• Strengthen compliance

• Increase the probability of knowing when an employee might quit

Your biggest asset is your biggest threat. Insider security is all about people.
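As an added illustration (not FairWarning's code or product logic) of how the chart-access monitoring on Page 9 can feed the individual employee risk profiles on this slide: constructed EHR audit records are checked against three hypothetical rules (clinical access with no care relationship, an employee opening their own record, after-hours access by a non-clinical role) and the hits are rolled up per user. The log format, care-team table, rule names and weights are all assumptions made for the example.

```python
"""Flag inappropriate patient-chart access and build per-employee risk profiles.
Added example; record layout, rules and weights are constructed, not a vendor's."""
from collections import defaultdict
from datetime import datetime

# Constructed audit records: who opened which chart, when, and in what role.
ACCESS_LOG = [
    {"user": "jdoe",   "role": "nurse",   "patient": "P100", "ts": "2016-09-20T09:15:00"},
    {"user": "jdoe",   "role": "nurse",   "patient": "P200", "ts": "2016-09-20T23:40:00"},
    {"user": "jdoe",   "role": "nurse",   "patient": "P300", "ts": "2016-09-21T10:02:00"},
    {"user": "bsmith", "role": "billing", "patient": "P100", "ts": "2016-09-21T14:30:00"},
    {"user": "bsmith", "role": "billing", "patient": "P400", "ts": "2016-09-21T03:10:00"},
]
# Constructed context: staff with a documented care relationship per patient,
# and which patient record (if any) belongs to an employee.
CARE_TEAM = {"P100": {"jdoe"}, "P200": {"jdoe"}, "P300": {"mlee"}}
SELF_RECORD = {"bsmith": "P400"}

CLINICAL_ROLES = {"nurse", "physician"}
# Hypothetical weights: self-lookup is the strongest signal, odd hours the weakest.
WEIGHTS = {"no_care_relationship": 3, "self_record": 5, "after_hours": 1}

def flags_for(rec):
    """Return the names of the rules a single access record triggers."""
    hits = []
    clinical = rec["role"] in CLINICAL_ROLES
    # Clinical staff are expected to open only charts they are treating.
    if clinical and rec["user"] not in CARE_TEAM.get(rec["patient"], set()):
        hits.append("no_care_relationship")
    # Any employee opening their own record is flagged regardless of role.
    if SELF_RECORD.get(rec["user"]) == rec["patient"]:
        hits.append("self_record")
    # Clinical roles legitimately work nights; non-clinical roles normally do not.
    hour = datetime.fromisoformat(rec["ts"]).hour
    if not clinical and not 6 <= hour < 20:
        hits.append("after_hours")
    return hits

def risk_profiles(log):
    """Aggregate accesses, rule hits and a weighted score per employee."""
    profiles = defaultdict(lambda: {"accesses": 0, "flags": defaultdict(int), "score": 0})
    for rec in log:
        prof = profiles[rec["user"]]
        prof["accesses"] += 1
        for flag in flags_for(rec):
            prof["flags"][flag] += 1
            prof["score"] += WEIGHTS[flag]
    return {u: {"accesses": p["accesses"], "flags": dict(p["flags"]), "score": p["score"]}
            for u, p in profiles.items()}

if __name__ == "__main__":
    for user, prof in sorted(risk_profiles(ACCESS_LOG).items(), key=lambda kv: -kv[1]["score"]):
        print(user, prof)
```

Sorting by score surfaces the employees a privacy officer should review first; the nurse's 23:40 access to a patient on her own care team is deliberately not flagged, which is the kind of role-aware exception that keeps alert volume reviewable.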

Page 12

Questions? For more information, please visit:

www.FairWarning.com

Email: [email protected]

Join us for the next FairWarning Executive Series Webinar:

The What Ifs: How to mobilize best practices to respond to real-world threat scenarios

When: October 6, 2016

Time: 2:00 pm EDT / 11:00 am PDT

Registration Fee: No Charge