MEANINGFUL USE RISK ASSESSMENT - HIMSS Chapter…

MEANINGFUL USE & RISK ASSESSMENT Montana HIMSS 2013 Spring Convention Presented by John Whalen CISSP, CISA, CRISC


  • MEANINGFUL USE &

    RISK ASSESSMENT

    Montana HIMSS 2013 Spring Convention

    Presented by John Whalen

    CISSP, CISA, CRISC

  • Contents

    1. What are we protecting?

    2. In what ways are we protecting it?

    3. What is Meaningful Use asking for?

    4. In what ways is Meaningful Use asking?

    5. Practically speaking

  • Key objectives

    Understanding CIA

    Defining Risk Assessment

    Building Governance

  • ePHI—the crown jewels

    • Financial Medical Identity Theft: Someone is getting medical help using your name and/or other information.

    • Criminal Medical Identity Theft: You are held responsible for another person’s criminal actions.

    • Government Benefit Fraud: Your medical benefits are being used by another person.

  • It’s all about the money

    • A major challenge for IT security is the increase in criminal attacks, which has seen an increase from 20 percent in 2010 to 33 percent this year.

  • 2013 breaches from Identity Theft Resource Center

    All sectors, 2013 YTD:

    • # of Breaches: 204

    • # of Records Exposed: 44 million

    Healthcare only, 2013 YTD:

    • # of Breaches: 94

    • # of Records Exposed: 1.5 million

  • 2012 Breaches— top 3 causes

    • Lost or stolen computing device

    • Employee mistakes or unintentional actions

    • Third-party snafus

    • Fifty-two percent discovered the data breach as a result of an audit or assessment; the next most common way was employees detecting the breach

  • Hacked!

    1. Please consider the ramifications.

    2. What would this breach cost your hospital/clinic?

  • 2012 Breaches

    • Utah Department of Health confirmed that a server containing personal health information (PHI) of some 780,000 patients had been actively hacked into starting in March.

    • Addresses, dates of birth, Social Security numbers, diagnoses codes, national provider identification numbers, billing codes and taxpayer identification numbers were all included on the server.

    • The Utah breach stands as the 9th largest data breach ever reported to the HHS.

  • 2012 Breaches

    • The South Carolina Department of Health and Human Services reported a data breach that started in January when an employee compiled data on more than 228,000 people and transmitted it to a private email account.

  • 2013 Hospital breaches from Identity Theft Resource Center

    • South Shore Medical Center

    • Wayne Memorial Hospital

    • St. Mark's Medical Center

    • Tallahassee Memorial HealthCare

    • Upstate University Hospital

    • John J. Pershing VA Medical Center

    • South Miami Hospital

    • Mount Sinai Medical Center

    • Brookdale University Hospital and Medical Center

    • Adventist Health System

    • Glen Falls Hospital

    • Saint Francis Hospital

    • University of Mississippi Medical Center

    • Baptist Health - South Miami Hospital

    • Samaritan Hospital

    • Froedtert Hospital

    • Boca Raton Regional Hospital

  • 2012 Hospital breaches from Identity Theft Resource Center

    • Oregon State Hospital

    • Emory University Hospital

    • North Shore-Long Island Jewish Health System

    • Memorial Healthcare System

    • Thomas Jefferson University Hospitals

    • University of Arkansas Medical Sciences

    • St. Joseph’s Medical Center

    • St. Elizabeth’s Medical Center

    • Sequoia Hospital

    • Ohio State University Medical Center

    • Howard University Hospital

    • Robley Rex VA Medical Center

    • Medical College of Georgia

    • Kern Medical Center

    • Hackensack University Medical Center

  • 2011 Hospital breaches from Identity Theft Resource Center

    • Swedish Medical Center

    • Boulder Community Hospital

    • Mount Sinai Hospital

    • Texas Presbyterian Hospital

    • Wake Forest Medical Center

    • Loyola University Medical Center

    • Provena Covenant Medical Center

    • Methodist Charlton Medical Center

    • Reid Hospital

    • UMass Memorial Healthcare

    • Fairview Southdale Hospital

    • Jacobi Medical Center

    • Trinity Medical Center

    • Barnes Jewish Hospital

    • Brigham and Women’s Hospital

    • Nyack Hospital

    • Gunhill Medical Center

    • North Central Bronx Hospital

    • Tremont Health Center

    • Texas Children’s Hospital

    • Saint Francis Broken Arrow Hospital

    • Henry Ford Health System

    • Charleston Area Medical Center

    • VA Medical Centers in Akron, OH, Portland, OR and Lexington, KY

    • Beth Israel Deaconess Medical Center

    • Dekalb Medical Center

    • Troy Regional Medical Center

  • Hospital breaches-types

    • Computer hackers through public website

    • Lost or stolen paper medical records

    • Lost or stolen laptops with ePHI

    • Stolen workstations

    • Stolen thumb drives

    • Stolen hard drives

    • Computer hackers through viruses

    • PHI stolen by employee

    • Lost backup tapes

    • Shared workstation breached

    • Improper disposal of paper medical records

  • Increase in data breaches

    Increase in mobile devices to conduct business

    Outsourcing of data processing to cloud providers

    Push to digitize

    Paper records to digital—less stable environment

  • Negative impact of breach

    Survey question: What best describes the negative impact of breaches you experienced? Check all that apply.

    • Time and productivity loss: 81%

    • Brand or reputation diminishment: 78%

    • Loss of patient goodwill: 75%

    • Loss of revenues: 41%

    • Cost of outside consultants and lawyers: 40%

    • Fines and penalties paid to regulators: 26%

    • Lawsuits: 19%

    • No impact: 16%

    • Poor employee morale: 15%

  • Per-record cost of healthcare breach

    $240

  • Breach – cost breakdown

    • Legal fees

    • Consumer notifications

    • Credit monitoring services

    • Decreased patient retention

    • Decreased patient acquisition

  • Patient churn

    4.2%: Estimated share of customers who will terminate their relationship as a result of the breach incident.

    $113,400: Estimated average lifetime value of one lost patient.

  • The CIA Triad

    Confidentiality—prevents unauthorized disclosure of sensitive information

    Integrity—prevents unauthorized modification of sensitive information

    Availability—prevents disruption of service and productivity

  • CIA Triad

    Confidentiality

    Integrity

    Availability

  • Meaningful Use

    HIPAA

    • Privacy & security of patient info

    HITECH

    • Breach notification, penalties, legal remedies

    Meaningful Use

    • Protect patient info, conduct security assessment

    Risk assessment

    • Determine potential risks, document current state, discover vulnerabilities

    Baseline & roadmap

    • Mitigate. Put controls in place.

  • 164.304 Administrative Safeguards

    • Administrative safeguards are administrative actions, and policies and procedures, to:

    • manage the selection, development, implementation, and maintenance of security measures to protect ePHI

    • manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information

  • Core Set Objective # 14

    “Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”

  • 164.308 Administrative safeguards.

    (a) A covered entity must, in accordance with § 164.306:

    (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

    (ii) Implementation specifications:

    (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

  • 164.308 Administrative safeguards (cont.)

    (B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

    (C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

    (D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

  • For reference—§164.306

    §164.306 Security standards: General rules.

    (a) General requirements. Covered entities must do the following:

    • (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

    • (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

    • (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

    • (4) Ensure compliance with this subpart by its workforce.

    (b) Flexibility of approach.

    • (1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.

    • (2) In deciding which security measures to use, a covered entity must take into account the following factors:

    • (i) The size, complexity, and capabilities of the covered entity.

    • (ii) The covered entity's technical infrastructure, hardware, and software security capabilities.

    • (iii) The costs of security measures.

    • (iv) The probability and criticality of potential risks to electronic protected health information.

    Source: http://www.hipaasurvivalguide.com/hipaa-regulations/164-304.php

  • Beyond technical—Top 4

    1. Risk assessment

    2. Business continuity and disaster recovery

    3. Policies

    4. Security awareness training

  • It’s all about risk!

    Is $100,000 expensive?

    Is a long password too much to ask?

    Is a security policy too much trouble?

  • What’s your appetite for risk?


  • The Risk Executive Function

    • Provides senior leadership input and oversight

    • Integrates security organization-wide

    • Risk-based protection strategies beyond single systems

    • Visibility into mission/business processes and systems

  • Risk-Based Protection Strategies

    Identifying

    Understanding

    Mitigating

    Explicitly accepting residual risk

  • Risk Analysis

    • Risk analysis is a tool to:

    • Identify the company’s assets

    • Calculate their values

    • Identify vulnerabilities

    • Estimate the threats and associated risks

    • Assess the impact on the company if threat agents took advantage of current vulnerabilities

  • Risk assessment

    • Gather stakeholders

    • Analyze risk

    • Hospital assets

    • Potential threats

    • Likelihood of threats acting against assets

  • What is a security assessment?

    Baseline Roadmap

  • Think home inspection.

  • Ethical hackers

    Same tools as the hackers use

    An audit perspective

  • Assessment phases

    External vulnerability testing

    Internal testing

    Interviews

    Review of policies

    Wireless, passwords, physical security

    Remote offices visited

  • Deliverable

    Executive summary

    Tools and methodology

    Rating criteria

    Managerial and operational

    Technical

    Physical

    HIPAA-Readiness

    Technical reports

  • Risk matrix

    Columns: Vulnerability | Risk rating | Difficulty rating | Description | Action plan

  • Next steps

    Risk assessment: an internal effort to determine what is at risk. Gives context for security costs, disaster recovery and business continuity.

    Security assessment: use an independent team

    • Discover vulnerabilities

    • Prioritize vulnerabilities according to risk to your hospital / clinic

    • Fix the holes in security

    • Test again

    Ongoing: Submit your hospital to an infosec audit regime as you do with ongoing financial audits.

  • BCP—NIST 800-34

    Sustaining an organization’s mission/business processes during and after a disruption.

  • BCP—NIST 800-34

    1. Develop the contingency planning policy statement.

    2. Conduct the business impact analysis (BIA).

    3. Identify preventive controls.

    4. Create contingency strategies.

    5. Develop an information system contingency plan.

    6. Ensure plan testing, training, and exercises.

    7. Ensure plan maintenance.

  • Key Policies

    • Internet use

    • Remote access

    • Removable media

    • Encryption

    • Data classification

    • Vendor management, Business associate agreements

    • Termination

  • Security Awareness Training—NIST 800-50

    • A needs assessment has been conducted

    • A strategy has been developed

    • An awareness and training program plan for implementing that strategy has been completed

    • Awareness and training material has been developed.

  • Success Indicators

    • Sufficient funding to implement the agreed-upon strategy.

    • Appropriate organizational placement to enable those with key responsibilities to effectively implement the strategy.

    • Support for broad distribution and posting of security awareness items.

    • Executive/senior level messages to staff regarding security

    • Use of metrics

  • Success Indicators (cont.)

    • Managers do not use their status in the organization to avoid security controls that are consistently adhered to by the rank and file.

    • Level of attendance at mandatory security forums/briefings.

    • Recognition of security contributions

    • Motivation demonstrated by those playing key roles in managing/coordinating the security program.

  • Hack: Hyundai Capital

    • South Korea’s largest consumer-finance company

    • Hack occurred April 2011

    • According to the CEO, the biggest mistake was treating the IT department as simply one of many units that helped the company get its main job done

    • Today he treats security as central to everything the company does

    • Now the new IT security group reports directly to the CEO

    —From Wall Street Journal 6/21/11

  • CEO, Ted Chung—What I learned from the hack:

    1. Trust the authorities

    2. Stay open and transparent

    3. Learn IT and know where the vulnerabilities are

    4. Create a philosophy that drives IT decisions

    5. Reassess plans for products and services. How things look and how they work is now secondary. Security is now first.

    —From Wall Street Journal 6/21/11

  • Calculate your risk

    Multiply the number of records in the EMR by $240

  • Thank you!

    Have a great conference!