11th AMC Conference - NCHICA
The Privacy – Security Partnership in Managing Risk
June 22, 2015
Angel Hoffman, Dennis Schmidt, Jay Trinckes
11th AMC Conference
Session objectives
• Describe the respective roles and responsibilities of privacy and security, and how they can benefit by working together
• Explain opportunities for cross-training for enhanced effectiveness
• Outline a strategy for assessing and managing privacy and security risks through teamwork.
Angel Hoffman
Phone: 412-559-6703
Email: [email protected]
www.APHCcompliance.com © 2014 ADVANCED PARTNERS IN HEALTH CARE COMPLIANCE, LLC
Where are we twelve years later?
Let’s Review:
• HIPAA Privacy – April 2003
• HIPAA EDI – October 2003
• HIPAA Security – 2005
• HITECH – 2009
• HIPAA Omnibus – 2013
Role of the Privacy Officer
HITECH – created many changes and stricter protections, along with the Breach Notification Rule, which created:
• Increased responsibility
• Increased knowledge and skills required
• Increased hours to handle issues during the work day
HIPAA Omnibus Enforcement Rule
However, it is not just about the regulations, but much more…
Changes in Tasks and Activities
• Process development and implementation
• Training development and implementation
• Conduct online and live training for:
  - Board (more emphasis today)
  - Management (follow-up)
  - Staff
  - Others
• Policy development – have the new policies been added to the training?
Changes in Tasks and Activities (cont.)
• Managing complaints/breaches – have increased; use of technology to track and trend; producing reliable reports
• Conduct investigations – have increased and there are more things to track now (breach notification more recently)
• Maintaining documentation and keeping all paper and electronic information available
• Working with other departments – communication is increasingly critical and impacts: Human Resources, Quality and Information Security
• Reporting
External Influences
• State Attorney General Role
• HIEs – newer state and federal government activity
• Impact of Social Media
• Age of the workforce
Partnering with the Security Officer
“…managing risks in the medical information realm takes effective teamwork.”
The Privacy Officer must partner with the Security Officer in order to have a successful program.
Sharing of information is not always easy, but when we work collaboratively rather than in silos, the organization succeeds and this leads to better outcomes. And as we all know now…
You cannot have privacy without security!
Roles of a Chief Information Security Officer
Dennis Schmidt
Assistant Dean for Information Technology
HIPAA Security Officer
University of North Carolina
• Nation’s first public university, chartered 1789
• 29,000 students
• 3,600 faculty
• Number of servers: Unknown, but it’s a lot!!!
• 5% of campus is protected by firewall
  ‒ Blocks 87 million unwanted connections weekly
• IPS blocks 5.1 million malicious threat events
UNC School of Medicine
• 1,500+ Faculty
• 720 Medical Students
• 700 Graduate Students
• 3,000 Staff
• ~1,000 servers
• 98 Server administrators (self identified)
• 47 different O/S’s (self reported)
CISO Job Description
• Primarily responsible for all ongoing activities related to the availability, integrity and confidentiality of patient, provider, employee, and business information, in compliance with the healthcare organization's security policies and procedures, regulations and law.
• Could report to:
  • CIO
  • Chief Compliance Officer
  • Chief Risk Manager
• Qualifications:
  • BS/BA, usually in a related field
  • Certifications: CISSP, GSEC, PMP…
Desired Soft Skills
• Manager
  • Supervises the security team
• Author
  • Writes security policies
  • Drafts or edits incident reports
• Teacher
  • Formal HIPAA Training
  • Security Presentations
  • Security Bytes/Tips of the Week
• Mentor
  • Leads by Example
More Soft Skills
• Collaborator
  • Seeks input from the community while developing policies
• Protector
  • Develops an environment to keep the bad guys out
• Consultant
  • Advises customers on best practices
• Enforcer
  • Blocks bad practices
  • Firm but fair
• Visionary
  • Looks ahead for solutions to new threats
Undesired Traits
• Dictator
  • Sets policies without collaborating or consulting with affected users
  • My way or the highway
• Isolationist
  • Fails to communicate with the community
• Do what I say, not what I do
Privacy and Security Collaboration
• HIPAA Training
• BAAs
• Investigation support
• The 4 item test
• Knowledge sharing
New Role: Chief Information Privacy & Security Officer (CIPSO)
• Privacy/Security are so intertwined
• Executive Level Position
• Approved by the Board of Directors, with a direct line of communication to the BoD
• Demonstrates the organization’s commitment to Privacy/Security
• As related to HIPAA, would be responsible for all Privacy Rules and Security Rules (which is a subset of the Privacy Rules)
Build a Culture of Privacy/Security
• People are the weakest link
• Top Down Approach; emphasize the importance of privacy/security
• Assign a CIPSO; Delegate Authority to Carry Out the Role
People Concerns – Current Threats
• Social Engineering – the art of convincing someone to do something that may not be in their best interest
• Being too helpful – giving more information away than is necessary
Real World Examples:
• Physical Breach – obtaining unauthorized physical access
• Targeted Phishing Attacks – wire transfer requests that appear to come from the CEO
  • Limit information available on-line
• Malicious Software – unaware users clicking on links; opening unsolicited attachments
Administrative Safeguards
• Four Tenets of Information Security – CIAP
  • Confidentiality
  • Integrity
  • Availability
  • Privacy
Policies/Procedures
• Must be implemented
• Staff must be aware of their existence
• Must be ‘easy’ to follow
• Must be relevant
Physical Safeguards
• First Line of Defense
• Castle Scenario – layers of defenses
• Security Rule: If someone is able to gain physical access to a system, the system no longer belongs to the organization.
Real World Examples:
• Cipher Locks on doors – numbers worn; ‘view over shoulder’
• Key Logging/USB Devices
• Boot to CD/USB Drive; BIOS flaws
• Monitor Locations
• System Locks – password screen savers
Technical Controls
• Weak Passwords – user controlled
  • No amount of security can protect against weak passwords
• Authentication Process – limited by application developers
  • Need to consider multi-factor authentication
  • Stronger authentication methods
• Encryption – not all encryption is the same
  • SSL Encryption flawed (Heartbleed, FREAK, weak pseudo-random generators)
System Logging Activities
• ‘There are only two types of companies: those that have been hacked and those that will be.’ – Former FBI Director Robert Mueller
• And once you are hacked, would you even know?
• User Activity Logging; Suspicious Activities; Security Incident Event Management (SIEM) Solutions; Intrusion Detection/Intrusion Prevention Solutions
Group Discussion