Auditing Security: Lessons Learned From Healthcare Security Breaches
Adam H. Greene, J.D., M.P.H., Davis Wright Tremaine LLP, Washington, D.C.
Michael “Mac” McMillan, CynergisTek, Inc., Austin, Texas
DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.
Conflict of Interest Disclosure Adam H. Greene, JD, MPH & Michael “Mac” McMillan
Have no real or apparent conflicts of interest to report.
© 2012 HIMSS
Learning Objectives
• Discuss the most prevalent data security risks facing healthcare today
• Identify lessons learned from 2010 security breaches
• Identify best practices and practical strategies for privacy and security management
Threats to Healthcare Data
• Healthcare entities have data of considerable value
• Increased automation and sharing have increased existing risks and introduced new ones
• Healthcare now has a place at hacker conferences like DefCon and Black Hat
• Patient safety, not privacy, is the new driver in healthcare data security
Threats by Industry 2011
Symantec 2011 Annual Threat Report
Outlook for 2012
• Data breaches rose by 32% in 2011
• Widespread use of mobile devices adds risk
• Despite regulations to the contrary, unauthorized access to patient information is still not a priority
• Negative productivity effects and financial consequences increase directly with the number of incidents
• The number of cases of medical identity theft increased as the number of incidents increased
Ponemon Institute 2011
Overview of Breach Reports
• 380 large breaches reported between Sept. 2009 and Oct. 2011
• More than 30,000 small breaches reported in the same period
• Over 18 million individuals affected
Lesson 1: You should be less concerned with:
And more concerned with:
Cause of Breach (Count), Sept. 2009 to Dec. 2011
Theft: 196 (52%)
Unauthorized Access/Disclosure: 75 (20%)
Loss: 55 (14%)
Hacking/IT Incident: 26 (7%)
Improper Disposal: 20 (5%)
Unknown: 6 (2%)
Other: 1 (0%)
Cause of Breach (Affected Individuals), Sept. 2009 to Dec. 2011
Loss: 7,291,355 (40%)
Theft: 6,755,205 (37%)
Unknown: 1,911,160 (11%)
Unauthorized Access/Disclosure: 857,939 (5%)
Hacking/IT Incident: 750,195 (4%)
Other: 344,579 (2%)
Improper Disposal: 149,398 (1%)
Lesson 2: The highest number of breaches involve:
a) Desktops
b) Laptops
c) Other portable devices
d) Paper
Location of Breach (Count), Sept. 2009 to Dec. 2011
Paper: 100 (26%)
Laptop: 84 (22%)
Other Portable Electronic Device: 59 (16%)
Computer: 55 (14%)
Network Server: 39 (10%)
Other: 21 (6%)
Electronic Medical Record: 7 (2%)
E-mail: 7 (2%)
Hard Drives: 3 (1%)
Backup Tapes: 2 (1%)
CDs: 2 (0%)
Location of Breach (Individuals Affected), Sept. 2009 to Dec. 2011
Other: 9,523,110 (53%)
Laptop: 1,761,526 (10%)
Network Server: 1,525,025 (9%)
Computer: 1,310,681 (7%)
Hard Drives: 1,200,654 (7%)
Electronic Medical Record: 1,145,285 (6%)
Other Portable Electronic Device: 962,505 (5%)
Paper: 601,993 (3%)
Backup Tapes: 12,562 (0%)
E-mail: 9,318 (0%)
CDs: 7,172 (0%)
Lesson 3: It isn’t me, it’s you …
• Many large breaches are caused by business associates, not covered entities
Involvement of Business Associates in Breaches (Count), Sept. 2009 to Dec. 2011
Covered Entities: 298 (78%)
Business Associates: 83 (22%)
Involvement of Business Associates in Breaches (Affected Individuals), Sept. 2009 to Dec. 2011
Business Associates: 11,216,479 (62%)
Covered Entities: 6,843,352 (38%)
Lesson 4: The number of breach reports remains relatively steady
[Bar chart: Number of Breach Reports, Sept. 2009 to Sept. 2011, reports per month; y-axis 0 to 30; individual bar values not recoverable]
Lesson 5: Breaches have consequences
Boston Globe, www.boston.com
The Mercury News, www.mercurynews.com
HC Pro HIPAA Update, blogs.hcpro.com
“So began a nightmare that cost Mr. Tripathi’s small nonprofit health consultancy nearly $300,000 in legal, private investigation, credit monitoring and media consultancy fees. Not to mention 600 hours dealing with the fallout and the intangible cost of repairing the reputational damage that followed.” Nicole Perlroth, Digital Data on Patients Raises Risk of Breaches, N.Y. Times, Dec. 18, 2011 (relating to a stolen laptop containing unencrypted records of about 13,687 patients).
• 2010 Annual Study: U.S. Cost of a Data Breach (Ponemon Institute)
– For the fifth year in a row, data breach costs continued to rise
– The average organizational cost of a data breach increased to $7.2 million
– Data breaches in 2010 cost their companies an average of $214 per compromised record
Five Priorities for Improving Readiness
• Conduct a thorough risk assessment; use a third party for objectivity and due diligence
• Adopt an industry-recognized information security model for measurement
• Resource and train IT security personnel and the security organization for success
• Implement robust system and user activity monitoring
• Implement appropriate vendor security
Risk Analysis
• Implement regular risk analysis of the IT environment
• Assess against all reasonable threats and regulatory requirements
• Use third-party support to ensure objectivity and due diligence
• Follow a doctrinal approach to risk analysis
• Develop a detailed remediation roadmap/project plan to guide decisions
Everyone Wants To Be a Headliner!
• Since 2009 we have had nearly 350 major breaches, almost one a day in October 2011, an average of 18 major breaches a month, nearly 50K of all sizes in total, more than 18 million individual records put at risk…
– 60% encrypt mobile devices
– 50% encrypt backup tapes
– 45% encrypt media
– 39% encrypt desktops
– 35% encrypt servers/databases
HealthcareInfoSecurity.com 2011
Information Security Models
• Privacy and security requirements in healthcare are complex and evolving
• HIPAA/HITECH/Meaningful Use are not information security frameworks
• Models such as NIST, ISO, HITRUST, COBIT, etc. provide an IT security governance framework that covers multiple requirements
• A recognized framework gives you something to measure assurance against and a way to demonstrate compliance
• Reduces the risk of breach by reducing the chance of gaps
What Are We Waiting For?
• HIPAA was passed in 2003, with an effective date of April 2005, roughly seven (7) years ago. Asked how they would grade their organization’s ability to comply with HIPAA/HITECH today, respondents answered:
– Roughly 40% said their organization was doing a good job
– 30% said they viewed their organization’s effort as adequate
– 30% said their organization was failing or needed improvement
HealthcareInfoSecurity.com 2011
Resource & Train
• Resource means: budget, tools and people
• Understand what is reasonable, in-house versus external support
• The overwhelming majority of breaches involve mistakes by people
• Provide tailored training to all workforce members, and periodic reminders for everyone
Resourcing Still Lags
• For three years straight (2008-2010) the HIMSS Analytics annual security survey reported that healthcare spending on security lagged behind industry averages
• The average spend on security for regulated industries is generally accepted as greater than 6% of the IT budget
• This survey unfortunately told a similar story for the fourth straight year:
– Nearly 70% reported allocating 3% or less of the IT budget to security
HealthcareInfoSecurity.com 2011
Monitoring Activity
• Recognize different levels of criticality for monitoring: user, system, network, elevated privilege, etc.
• Recognize the scope of the problem and the requirements to do it effectively
• Consider factors for decisions: staff capability, separation of duties, systems/data requirements, regulatory requirements
• Move from being reactive to being proactive
What We REALLY Don’t Know!
• Managing and tracking access to sensitive data is fundamental to every information security standard. The average healthcare entity has thousands of systems, applications and users… all creating millions of audit log entries
– More than 70% are still relying on manual audits and the audit functions within applications to accomplish this critical task
– Those using audit tools report seeing a 90% drop in work effort, an exponential increase in awareness, and an equal decrease in events
HealthcareInfoSecurity.com 2011
Vendor Security
• Start with both legal and security review during selection processes
• Incorporate an appropriate level of security requirements in contracts
• Request or conduct a third-party review of all vendors having direct access to, or retaining, ePHI
• Detail your expectations for data security and privacy to vendors
• Have well-defined incident response plans and agreements with vendors
Don’t Assume!
• A large percentage of breach activity has been attributed to Business Associates. When asked about Business Associates, two glaring facts told the whole story.
– 82% of respondents ranked their confidence in their Business Associates’ and subcontractors’ security controls at 3 or below on a scale of 1 to 5, with 5 being most confident
– Yet 77% relied on their Business Associate Agreement alone to compel appropriate performance, with no due diligence
HealthcareInfoSecurity.com 2011
For more information Adam H. Greene, JD, MPH
[email protected] 202.973.4213
Michael “Mac” McMillan
[email protected] 512.402.8555
Questions