1. Red7 Medical Identity Security and Data Protection
Robert Grupe, CISSP, CSSLP, PE, PMP
tags :|: medical identity, patient data, data protection
© Copyright 2014-01 Robert Grupe. All rights reserved.
Red7 :|: Information Security
PATIENT MEDICAL IDENTITY & DATA PROTECTION SECURITY
2. Agenda
• US Medical Identity Theft and Data Breaches
• HIPAA 2013 Omnibus Final Rule Updates
• Recommendations
3. US MEDICAL IDENTITY THEFT AND DATA BREACHES
4. US Data Breaches
• Top Industries Cost
  • 1. Healthcare $233 per person
  • 2. Finance $215
  • 3. Pharmaceutical $207
• Top Causes
  • 41% Malicious attack
  • 33% Human Factor
  • 26% System glitch
Source: 2013 Cost of Data Breach Study: Global Analysis, Ponemon Institute
5. US Healthcare Data Breaches
• 94% of health-care organizations have been hit by at least one data breach
  • 45% had more than five breaches in the past two years
• $2.4 million estimated average cost over 2 years
  • $10,000 - $1+ million per incident
• 2,796 average number of records lost per breach
• 47% of breaches detected by employees
• 52% of breaches discovered by audits
• Black Market Data Value
  • $50 per medical record (SSNs go for about $1 each)
• Criminal Mis-Use
  • Overseas call centers ordering medical equipment and drugs
Source: Ponemon Institute's Third Annual Benchmark Study on Patient Privacy & Data Security, Dec 2012
6. US Medical Identity Theft
• $1.8 million, 19%+ over 2012
• Causes
  • 30% Member shared identification with a friend/family member
  • 28% Acquaintance or family member stole
  • 8% provided in phishing
  • 7% provider/insurer due to data breach
  • 5% healthcare worker
• Criminal mis-uses
  • 63% treatments
  • 60% prescriptions and equipment
  • 51% obtain government benefits
  • 12% credit card account applications
• Difficulties detecting
  • 56% of patients don't check their records for accuracy
Source: 2013 Survey on Medical Identity Theft, Ponemon Institute
7. Consequences
• "Medical Identity theft is being called the fastest growing type of fraud.
  • This contributes to rising cost in health care."
• "Unlike financial identity theft, medical identity theft holds life threatening impacts.
  • For example if you are rushed to the ER with appendicitis but your records already show your appendicitis removed, the consequences can be dangerous."
• Medical Identity Fraud Alliance, Development Coordinator Robin Slade
8. Patient Harm
• 50% of victims are unaware, which creates inaccuracies in their records
  • 15% misdiagnosis
  • 14% treatment delays
  • 13% mistreatment
  • 11% wrong prescription
• 23% credit rating
• 20% financial identity theft (credit card, banking)
• 17% legal fees
• Loss of coverage, cost to restore, out-of-pocket costs, increased premiums
• 6% employment difficulties
• 58% of victims lost trust in providers
9. Enterprise Consequences
• Member, client, provider communications
• Member online security monitoring and restoration services
• Response and reputation crisis management
• Loss of business
• Lawsuits: members, customers, investors
10. HIPAA Breach Notifications
11. HIPAA 2013 OMNIBUS FINAL RULE UPDATES
12. HIPAA 2013 Omnibus Final Rule Updates
• Defines Business Associates of Covered Entities as directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.
• Requires modifications to, and redistribution of, a Covered Entity's notice of privacy practices.
• Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act.
• Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's "harm" threshold.
Violation Penalties
• (A) Did Not Know (with reasonable diligence): $100+
• (B) Reasonable Cause: $1,000+
• (C)(i) Willful Neglect - Corrected: $10,000+
• (C)(ii) Willful Neglect - Not Corrected: $50,000
Sources:
• HHS Omnibus: http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/index.html
• http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php
13. RECOMMENDATIONS
14. Master the Basics
• Latest patched software maintenance (keep all software current)
• Install anti-virus and application IDS everywhere
  • (Yes: Mac OS, iOS, Linux, and Android too)
• Strong Credential Management
  • Strong passwords and management policies
• Network Mapping
  • Sites, gateways, routers, devices,
  • then directory details for all devices
15. Risk Assessment
• What security laws and regulations affect your organization
  • Health Care: HIPAA, states
  • Financial: PCI, etc.
  • Personal: States, EU
  • Other
• Map your external app's PHI flows
  • Workflows
  • Reference lookups
  • Data backups
16. Document Your Policies & Processes
If it isn't documented, it doesn't exist
• Use an industry recognized framework
  • E.g. ISO/IEC 27001:2005
  • Living Document: Continual detailing and updating
  • Don't use all at once: keep section numbers but only draft and publish active sections
• Identify information security best practices
  • Reference for minimum acceptable security
  • Industry (e.g. HIPAA, HITRUST, ARRA), state (Mass.), third party (e.g., PCI and COBIT), government (e.g., NIST, FTC and CMS), appdev (e.g. OWASP)
• Application regression test scripts for validation of all policy rules
• Responsible Program Manager to
  • prioritize critical success factors and initiatives
  • ensure document maintenance
  • champion process improvements
  • oversee system/application/services updates
  • ensure compliance validation
  • provide status reporting
17. Well Begun Is Half Done
• Don't Procrastinate - Start Right Now!
  • With a quick-list brainstorm
• Continuous Process Improvement
  • What doesn't get measured, doesn't get done
  • Regular risk assessment of privacy controls and processes
• Security Technology isn't the (whole) solution
  • Vulnerability assessment utilities to detect security policy & process vulnerabilities
    • E.g. Social engineering vulnerabilities
    • Insider data access
    • User validation
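Slide 16 calls for regression test scripts that validate policy rules, and slide 17 lists insider data access and user validation as the process vulnerabilities that technology alone does not catch. The following is an added example, not part of the original deck or of Red7's own tooling: a minimal review of an EHR access audit log that encodes three common access-policy rules (a staff member viewing their own record, a view with no documented care relationship, and bulk viewing of many distinct patients in one day). The log lines, the care-relationship table (ASSIGNMENTS) and the employee-to-patient mapping (EMPLOYEE_PATIENT_IDS) are all constructed sample data; a real system would pull them from the audit trail and the scheduling/HR systems.

```python
"""Insider-access review over a constructed EHR audit log (added example)."""
from collections import defaultdict
from typing import NamedTuple


class AccessEvent(NamedTuple):
    timestamp: str   # ISO-8601; the first 10 characters are the date
    user: str
    action: str
    patient_id: str


class Finding(NamedTuple):
    rule: str
    user: str
    detail: str


# Constructed sample audit log (not real data): "<timestamp> <user> <action> <patient_id>"
SAMPLE_LOG = """\
2014-01-06T08:02:11 nurse.a VIEW P1001
2014-01-06T08:05:40 nurse.a VIEW P1002
2014-01-06T08:09:03 nurse.a VIEW P1003
2014-01-06T09:14:27 clerk.b VIEW P2001
2014-01-06T09:15:02 clerk.b VIEW P2002
2014-01-06T09:15:40 clerk.b VIEW P2003
2014-01-06T09:16:11 clerk.b VIEW P2004
2014-01-06T09:16:45 clerk.b VIEW P2005
2014-01-06T09:17:20 clerk.b VIEW P2006
2014-01-06T12:30:00 dr.c VIEW P1001
2014-01-06T13:05:12 dr.c VIEW P2002
"""

# Hypothetical care-relationship table: patients each user is assigned to.
ASSIGNMENTS = {
    "nurse.a": {"P1001", "P1002"},
    "clerk.b": {"P2001", "P2002", "P2003", "P2004", "P2005", "P2006"},
    "dr.c": {"P1001"},
}

# Hypothetical mapping of staff members who are also patients at the facility.
EMPLOYEE_PATIENT_IDS = {"nurse.a": "P1003"}


def parse_log(text):
    """Parse whitespace-separated log lines; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        events.append(AccessEvent(*parts))
    return events


def review_access(events, assignments, employee_patient_ids, bulk_threshold=5):
    """Apply the three access-policy rules and return the findings in order."""
    findings = []
    per_user_day = defaultdict(set)  # (user, date) -> distinct patients viewed
    for ev in events:
        if ev.action != "VIEW":
            continue
        allowed = assignments.get(ev.user, set())
        if employee_patient_ids.get(ev.user) == ev.patient_id:
            findings.append(Finding("self-access", ev.user,
                                    f"viewed own record {ev.patient_id} at {ev.timestamp}"))
        elif ev.patient_id not in allowed:
            findings.append(Finding("no-care-relationship", ev.user,
                                    f"viewed {ev.patient_id} at {ev.timestamp} without assignment"))
        per_user_day[(ev.user, ev.timestamp[:10])].add(ev.patient_id)
    # Bulk rule runs after the pass so the day's total is known.
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > bulk_threshold:
            findings.append(Finding("bulk-access", user,
                                    f"{len(patients)} distinct patients viewed on {day}"))
    return findings


if __name__ == "__main__":
    for f in review_access(parse_log(SAMPLE_LOG), ASSIGNMENTS, EMPLOYEE_PATIENT_IDS):
        print(f"{f.rule:22} {f.user:10} {f.detail}")
```

Each rule is a policy statement turned into a check, which is what makes the script usable as a regression test: when the access policy changes, the expected findings for a fixed sample log change with it, and a run that no longer produces them is a signal that the control has drifted. The bulk threshold is deliberately a parameter, since a billing clerk and a triage nurse have very different legitimate daily volumes.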
18. Finis
• This Presentation & Further Resources
  • www.red7managementsolutions.com
• Questions, suggestions, & requests
  • Robert Grupe, CISSP, CSSLP, PE, PMP
  • robert.grupe@red7managementsolutions.com
  • +1.314.278.7901
Editor's notes
Bio: Robert Grupe is an experienced international business leader with a background in engineering, sales, marketing, PR, and product support in the software, digital marketing, health care, electro-optic and aerospace industries. From Fortune 100 to start-up companies, Robert has worked for industry leaders including Boeing, McAfee, Text 100 PR, and Express Scripts. Management experience includes working with and leading local, as well as internationally distributed, teams while implementing best practices to maximize organizational and market performance. Robert is a registered Certified Information Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), Professional Engineer (PE), and Product Management Professional (PMP).
Your Medical Records Could be Sold on the Black Market, NBC Bay Area News, http://www.nbcbayarea.com/news/local/Medical-Records-Could-Be-Sold-on-Black-Market-212040241.html, June 19, 2013.
http://www.nationwide.com/newsroom/061312-MedicalIDTheft.js