WIXLIB

Let’s Get Real: Creating a Practical Data Security ProgramSession # 203, March 8, 2018 8:30 - 9:30 AMSpeakers: Julia R. Hesse, Choate, Hall & Stewart LLPSonia Arista, GuidePoint Security1

Speaker IntroductionsJulia R. Hesse, J.D., M. BioethicsPartnerChoate, Hall & Stewart LLPSonia E. Arista, CISMNational Healthcare LeadGuidePoint Security2

Agenda Conducting and documenting risk assessments Developing a data security program among disparatevendors Summarizing regulatory guidance on effective securitystandards Discussing legal trends3

Learning Objectives: Identify practical tactics for creating a data securityprogram among disparate vendors Discuss practical solutions for legal issues surroundingrisk assessment, including documentation and contractdrafting Analyze regulatory guidance on effective data securitystandards4

Agenda Conducting and documenting risk assessments Developing a data security program among disparatevendors Summarizing regulatory guidance on effective securitystandards Discussing legal trends5

Risk Assessment: OverviewAn important part of a health information technologysystem is having adequate internal and external securitycontrols, as well as generally having a complete overviewof the risks facing the system.Do you have a procedure that periodically evaluates:o Securityo Availabilityo Integrity6

Risk Assessment: TechnicalFirst define the business environment and scope of the assessment, thenidentify the supporting technology- Application (EMR)- Line of business or line of service (Help Desk, Development,Transcription)- Defined customer environment- Operational area of the business (HR, Billing, etc.)- Specific network segment or data center- Integration Engine ** Increasingly important with interoperability and leveraged SaaS analytics engines7

Risk Assessment: TechnicalThen, ensure that the fundamental elements are reviewed- Network Environment- Endpoint Asset Hardening- Access Control and Identity Management- Application Code Vulnerability Assessment- If hosted, ask to review risks identified by your partner or service providerDon’t forget to incorporate risks already identified in your overall corporaterisk register that apply!8

Risk Assessment:Incident Response/Disaster Recovery Assume a data breach or cyber-attack will occur Any risk assessment must include incident responsemeasures and the ability to recover/resume operations9

Risk Assessment:Incident Response : Process/Emergency Develop and implement an emergency process torespond to an attack Assemble and test response team including legal,insurance, PR, senior team Consider holding some bitcoin Goal is to implement a process that allows the datasecurity professionals to address the incident itself10

Risk Assessment: Regulatory Guidance U. S. Department of Health and Human ServicesOffice of Civil Rights Office of the National Coordinator Federal Trade Commission11

Risk Assessment: Regulatory Guidance U. S. Department of Health and Human Services Office of Civil Rights and Officeof the National Coordinator – Developed Security Risk Assessment (SRA) Tool risk-assessment-toolAvailable as online application, or downloadable U. S. Department of Health and Human Services Office of Civil Rights and Officeof the National Coordinator – Top 10 Myths of Security Risk Analysis Checklists aren’t enoughIt must go beyond EHR Federal Trade Commission – Process-based approach focused on NISTCybersecurity Framework Annual Data Privacy and Security Updates12

Risk Assessments: DocumentationOne size does NOT fit all – GRC tools and templates are good supporttools, but can be inefficient or not optimal for every environment!Depending on need, scope will most likely vary due to:- Customer Commitments- Technology Environment- Breadth of manual processes within the environment- Frequency- Validated vs. Self–AssessmentTools and methodologies will ( and can and should) vary!13

Risk Assessment: M&A/Transactions Importance of documented risk assessment in acquisitions Use in framing post-acquisition investment Baseline security obligations for early stage companies– Define PI maintained, identify secure hosting provider– PCI Compliance– Documented risk assessments becoming baselineexpectation– Why? To make the company more attractive to investmentand sale14

General Recommendations for Risk AssessmentsGOAL: Have a comprehensive risk assessment report or set of reportsavailable upon request of a regulator, with a defined process forimplementing recommendationsTACTICS: Global risk assessment must include risks of IOT devicesDefine internal process- Identify data system owners and assign responsibility for risk assessment/remediationUse common vocabulary and report formatsDetermine – and stick to – timeline for review AND remediationFocus on the basicsRemediation plan must include redundant systems to decrease ransomware threat15

Agenda Conducting and documenting risk assessments Developing a data security program amongdisparate vendors Summarizing regulatory guidance on effective securitystandards Discussing legal trends16

Vendor Risk Assessment: Third Party Security Controls Practical tactics in vendor risk assessment Identify internal and external security measures, particularlyfocusing on the need to ensure adequate third party securitycontrols Self-certification using the HITRUST framework Incorporation into governance, risk management andcompliance program17

Vendor Risk Assessment: Legal Strategies Using contractual terms and agreements to address securityobligations of outside vendors, including:– How to specifically define security obligations– How to use contractual language to transfer away risk18

Agenda Conducting and documenting risk assessments Developing a data security program among disparatevendors Summarizing regulatory guidance on effectivesecurity standards Discussing legal trends19

Regulatory Guidance - Effective Security Standards“Ransomware” Serious Health Issues Basically it’s a virus that locks up files and hardware. Common definition: “computer malware that installscovertly on a victim's computer, executes a cryptovirologyattack that adversely affects it, and demands a ransompayment to decrypt it or not publish it.” Ransomware is NOT new . it’s been around for decades. Recently seen a huge spike in ransomware incidents. Why? Because of connected devices .20

Regulatory Guidance - Effective Security StandardsRansomware Hits Medical Facilities Unsecured medical devices are ripe for ransomwareattacks These attacks can cripple, even shut down entireoperations Most medical facility cybersecurity measures are aimed atHIPAA security NOT device security The threat will continue so long as devices are insecureand malicious software can move “laterally”21

Regulatory Guidance - Effective Security StandardsRansomware Hits Medical Facilities As of August 2016, 88% of ransomware attacks hit hospitals/medical facilities 2017 saw even higher rate of ransomware attacks, with both WannaCry and NotPetya dominating the newscycle- Attacks targeting IOT and smaller providers- Accenture and American Medical Association report that over 83% of physicians surveyed have experienceda cyber security attack Health care facilities seem to be hit regularly:- Hollywood PresbyterianUSC hospitalsMedStar Health (Washington DC area)Allscripts ransomware attack in January 2018 - data centers attacked by Samsam virusEffects of ransomware attacks:-Employees cannot log inPatient appointments had to be cancelledNo electronic records or prescriptions22

Ransomware: Regulatory Guidance - HHS Office for Civil Rights“Fact Sheet: Ransomware and HIPAA” (July 11, 2016)General Requirements: Conduct a risk analysis and establish a plan to remediate identified risks Implement procedures to safeguard against malicious software Train authorized users to detect malicious software and report such detectionsoI.e., identify malicious/fake websites, unusual increases in processing activity,suspicious network communications Limit access to ePHI to only those persons or software programs requiring access, and Maintain an overall contingency plan that includes disaster recovery, emergencyoperations, frequent data backups, and test restorationsoConsider maintaining backups off-line and unavailable to the primary network23

Ransomware: Regulatory GuidanceWhen does a Ransomware attack constitute a security breach? Regulatory standard: incident presumed to be a breach unless “low probability ofcompromise” Facts and circumstances potentially relevant to determining whether data were compromised: Identify exact type and variant of malware discovered to determine: How or if a particular malware variant may laterally propagate throughout an entity’s enterprise What types of data the malware is searching for Whether the malware may attempt to exfiltrate data Whether the malware deposits hidden malicious software or exploits vulnerabilities to providefuture unauthorized access, among other factors Algorithmic steps undertaken by the malware Communications, including exfiltration attempts between the malware and attackers’ command andcontrol servers Whether or not the malware propagated to other systems, potentially affecting additional sourcesof electronic PHI (ePHI)24

Ransomware: Key Regulatory Guidance What if the data were encrypted prior to the ransomwareattack? If data are encrypted consistent with HIPAA standards, it is nolonger “unsecured PHI” and no risk assessment or breachnotification is required BUT if data are encrypted via full disk encryption, and decryptedwhen computer powered on and system is operational, the datamay not be encrypted at the time of the ransomware attack Facts-and-circumstances analysis required25

Ransomware: Key Regulatory GuidancePractical implications of OCR’s Ransomware guidance Treat all ransomware attacks as potential breaches of PHI Focus on back-ups and redundant systems IOT and connected devices must be part of risk assessment Analysis of specific encryption mechanism may be necessary Contact the FBI or Secret Service field office immediately upondiscovery26

Agenda Conducting and documenting risk assessments Developing a data security program among disparatevendors Summarizing regulatory guidance on effective securitystandards Discussing legal trends27

Failure to PerformRisk Analysis 650K 2.14M 5.55M 2.75M 2.7M 650K 3.9M 750K 3.5MXXXXXXXXXStolen Laptop –Device/MediaControlsXX* First settlement specifically addressing malware- Hospital28 750K 218K 150KXXXXXXXXXXXXXXXXXXXXX- Physician Group 4.8MXXXX- Health Plan 250M 215KXX- OtherImproperDisposal of ePHIXXXX 1.2M 1.7M 400KXXXIdaho State UniversityWellpoint Health Plan 150KAffinity Health PlanAdult & pediatricDermatology, P.C.Skagit County, Washington 1.725MQCA Health Plan, Inc.Concentra Health ServicesColumbia University NY &Presbyterian HospitalAnchorage CommunityMental Health ServicesSt. Elizabeth Medical Center 850KCancer Care Group, P.C.Lahey Hospital & MedicalCenterTriple-S ManagementCorporationUniversity of WashingtonFeinstein Institute forMedical ResearchCatholic Health Care Services ofthe Archdiocese of PhiladelphiaOregon Health & ScienceUniversityUniversity of MississippiMedical CenterAdvocate Health Care NetworkInternet Risks /TechnicalSafeguardsSt. Joseph Health (CA, NM, TX)Cause ofBreach /DeficiencyIssuesSpecificallyCitedUniversity of MassachusettsAmherst *OCR Breach Investigations – ePHICause of Breaches (2013 – 2016)XX