Healthcare PHI breaches resulting from technology vendor mistakes and misunderstandings have spiked over the past 2-3 years. Litigation, fines, remediation, and restitution can reach into the millions of dollars. This presentation will cover five common, but frequently overlooked, ways that technology vendors put their healthcare customers' PHI at risk. Just as importantly, it provides real-world examples and pragmatic recommendations for addressing these issues to significantly reduce risk to you and your customers.
5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk
1. Chris Bowen, MBA, CISSP, CIPP/US, CIPT
Founder, Chief Privacy & Security Officer
AVOIDING THE BREACH
5 Common Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk
2. 2PROPRIETARY & CONFIDENTIAL
The majority of breaches occur as the result of third parties.
http://searchsecurity.techtarget.com/feature/Third-party-risk-management-Horror-stories-You-are-not-alone
3. Attacks Increasing
• 42% of serious data breaches in 2014 were in the healthcare sector
– 34% in the first half of 2015
• Business associates were the culpable party for 118 out of the 458 breaches (OCR Report to Congress)
• Protected health information (PHI) is worth roughly 50 times more than credit card or Social Security numbers
• The most profitable type of fraud stemming from identity theft is now Medicare fraud
– Particularly attractive targets because of payment data and detailed patient records used to collect reimbursements
• One in 10 Americans has been affected by a large health data breach
4. What’s in the presentation for me?
• You’re trying to service your customers, including protecting their data
• Bad guys want to steal your customers’ data
• Regulators want to punish you if bad guys steal your customers’ data
• So do lawyers…
Key Learnings
• Understand five commonly overlooked mistakes vendors make
• View examples of what happens as a result
10. Breaches by Business Associates
January 2014 - Blue Cross Blue Shield of New Jersey
Loss of data affecting 839,711 individuals. A laptop was stolen – there was no encryption.
January 2014 - Triple-C, Inc.
Theft of data affecting 398,000 individuals. A network server was stolen – there was no encryption.
May 2014 - Sutherland Healthcare Solutions, Inc.
Thieves stole eight computers from Sutherland’s Torrance, Calif. office. They got away with the medical records of 342,197 individuals. There was no encryption.
August 2014 - Community Health Pro-Services Corporation
Unauthorized access. In a legal dispute with Texas HHS, Xerox removed patient records from servers and hard drives and permitted other parties to view the records of 2,000,000 individuals.
December 2014 - Senior Health Partners
Theft of 2,700 records after a laptop and mobile phone belonging to a registered nurse employed by its business associate were reported stolen.
11. Defense in Depth in IT
Defense in depth uses multiple layers of defense to address technical, personnel and operational issues.
Layers (innermost to outermost): Data; Devices; Servers; Applications; Network; Physical; Policies, Procedures, Awareness
Controls placed across the layers: OS/Software Firewall; Hardware Router / Firewall; Antivirus / Anti-malware; Security Patches; User Access Controls
(Diagram: an attack arrow crossing the layers from the outside in.)
12. Healthcare is Depending on YOU!
Healthcare IT is depending on you to keep systems secure, private, available, and untouched by the unauthorized. This includes data exchange, VoIP phones, enterprise wireless, mobile EMR, billing, PACS, patient portal, registration, prescribing, lab integrations, X-ray equipment, monitoring equipment, physician communications and scheduling, online bill-pay, patient scheduling, medical devices, mobile computing, internal communications, and so on.
13. Mistake #1: Failure to Assess Risk
• 33% of businesses have not commissioned a risk assessment (1)
• A risk assessment has been required since adoption of the HIPAA Security Rule
• The requirement is not taken seriously
• HITECH (2009) added fines
• Skipping the Security Risk Assessment (SRA) is not reasonable – OCR
• This applies to the Business Associate too!
Defense Layer: All
(1) 2014 State of Risk Report. (2015, January). Trustwave, 4-4.
15. Mistake #1: Failure to Assess Risk
Failure to conduct an SRA can result in:
• OCR enforcement including civil monetary penalties and resolution agreements
• Increased risk of suffering data breaches
• CMS enforcement to recoup EHR incentive payments
• OIG enforcement under the False Claims Act
– Liability of up to 3 times the EHR incentive payment
– Exclusion from federally funded healthcare programs
Defense Layer: All
16. Mistake #2: Unaware of System Activity
• Not knowing what’s going on in or around your network and systems
• Ineffective System Activity Reviews
Defense Layer: Network, Server, App, Data
17. Mistake #2: Unaware of System Activity
• 80,000,000 records stolen via hack
• Traced to April 2014
• Attackers created a bogus domain name, “we11point.com”, to mimic the legitimate domain wellpoint.com
• Used malware to mimic Citrix VPN software
• Harvested user credentials
• Became aware in December 2014
• That’s 9 months of covert activity inside the network!
Defense Layer: Network, Server, App, Data
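The look-alike domain in this slide (digits "11" standing in for the letters "ll") is exactly the kind of thing a system activity review can catch if it looks for it. The script below is an added example, not code from the presentation or from ClearDATA: it normalizes confusable characters in the destination hosts of a proxy log and reports any host whose normalized form collides with a trusted corporate domain. The log format (timestamp, user, destination host), the trusted-domain allowlist and the sample log lines are all constructed for the example.

```python
"""Flag look-alike (homoglyph/typosquat) destinations in outbound connection logs.

Added example; the log format, trusted domains and sample lines are constructed.
"""
import re

# Characters commonly substituted for visually similar letters.
HOMOGLYPHS = str.maketrans({
    "1": "l", "|": "l", "0": "o", "5": "s", "3": "e", "4": "a", "7": "t", "8": "b",
})


def skeleton(domain):
    """Normalize a domain so visually confusable spellings collapse together."""
    d = domain.lower().translate(HOMOGLYPHS)
    # Two-letter combinations that read as one letter at a glance.
    return d.replace("rn", "m").replace("vv", "w")


def registrable(domain):
    """Crude registrable-domain extraction: keep the last two labels (vpn.example.com -> example.com)."""
    parts = domain.strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def lookalike(domain, trusted):
    """Return the trusted domain this host imitates, or None if it is exact or unrelated."""
    reg = registrable(domain)
    if reg in trusted:
        return None          # the real thing, nothing to report
    sk = skeleton(reg)
    for t in trusted:
        if skeleton(t) == sk:
            return t         # same skeleton but not the real domain: look-alike
    return None


# Constructed proxy log layout: "<timestamp> <user> <destination host>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+)$")


def review_log(lines, trusted):
    """Scan log lines; return (timestamp, user, host, imitated_domain) for every look-alike hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue         # skip malformed lines rather than crash the review
        hit = lookalike(m["host"], trusted)
        if hit:
            findings.append((m["ts"], m["user"], m["host"], hit))
    return findings


# Constructed sample data (not real traffic, not real user names).
TRUSTED = {"wellpoint.com", "example-ehr.net"}
SAMPLE_LOG = [
    "2014-04-02T08:15:01Z jdoe portal.wellpoint.com",
    "2014-04-02T08:16:44Z jdoe vpn.we11point.com",
    "2014-04-02T09:01:10Z asmith update.microsoft.com",
    "2014-04-02T09:05:33Z asmith login.examp1e-ehr.net",
]

if __name__ == "__main__":
    for ts, user, host, imitated in review_log(SAMPLE_LOG, TRUSTED):
        print(f"{ts} user={user} contacted {host}, which resembles trusted domain {imitated}")
```

Run against the constructed sample, the review reports the two look-alike hosts and ignores the genuine portal and an unrelated vendor. The skeleton approach is deliberately coarse; in practice the trusted list would be the organization's own domains plus key vendors, and hits would feed the activity review rather than block traffic outright.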
21. Mistake #3: Patching Fail
• This is a Covered Entity AND a Business Associate
• Failed to patch their systems
• Continued to run outdated, unsupported software
• Led to a malware data breach affecting 2,743 individuals
• ACMHS reported the breach to HHS back in March 2012
• Fined $150,000
• Lesson learned: security-related patches should be applied as soon as possible
Defense Layer: Network, Server, App
22. Mistake #3: Patching Fail – More Context
Defense Layer: Network, Server, App
• ACMHS was negligent, but the fine was issued on the heels of a year of patching woes for most Microsoft customers.
• Patching policies delayed for critical updates
– Microsoft had trouble delivering an error-free month
Balancing Act
• Deal with fallout of botched patch?
• Or wait to patch?
Document decisions. But don’t be negligent.
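"Document decisions, but don't be negligent" is easier to enforce when the patch inventory itself distinguishes an overdue patch from one whose delay was deliberately recorded. The script below is an added example, not from the presentation or from any ACMHS or HHS material: it judges each outstanding patch against a per-severity SLA, separates documented deferrals from plain SLA misses, and also flags hosts still running software past its end-of-support date (the "outdated, unsupported software" problem from the previous slide). The SLA values, host inventory, product names, patch identifiers and dates are all constructed.

```python
"""Patch-compliance review with a severity SLA and documented deferrals.

Added example; SLA values, hosts, products, patch ids and dates are constructed.
"""
from datetime import date, timedelta

# Constructed policy: days allowed between a patch's release and its installation.
SLA_DAYS = {"critical": 14, "important": 30, "moderate": 90}

# Constructed host inventory with each product's end-of-support date.
HOSTS = [
    {"host": "app01", "software": "ExampleDB 4.2", "end_of_support": date(2014, 1, 1)},
    {"host": "app02", "software": "ExampleDB 5.0", "end_of_support": date(2018, 1, 1)},
    {"host": "web01", "software": "ExampleWeb 2.1", "end_of_support": date(2017, 6, 1)},
]

# Constructed patch records. installed is None while the patch is outstanding;
# deferral holds the change-ticket reference when a delay was deliberately documented.
PATCHES = [
    {"host": "app02", "patch": "EDB-2015-007", "severity": "critical",
     "released": date(2015, 3, 3), "installed": None, "deferral": None},
    {"host": "app02", "patch": "EDB-2015-004", "severity": "important",
     "released": date(2015, 2, 10), "installed": date(2015, 2, 20), "deferral": None},
    {"host": "web01", "patch": "EW-2015-012", "severity": "critical",
     "released": date(2015, 3, 1), "installed": None,
     "deferral": "CHG-0412: vendor patch breaks login; hotfix expected 2015-04-05"},
    {"host": "web01", "patch": "EW-2015-011", "severity": "moderate",
     "released": date(2015, 1, 5), "installed": None, "deferral": None},
]

# Constructed review date.
TODAY = date(2015, 4, 1)


def patch_state(p, today):
    """Return compliant | late | pending | deferred | overdue, judged against the SLA deadline."""
    deadline = p["released"] + timedelta(days=SLA_DAYS[p["severity"]])
    if p["installed"] is not None:
        return "compliant" if p["installed"] <= deadline else "late"
    if today <= deadline:
        return "pending"                       # still inside the SLA window
    return "deferred" if p["deferral"] else "overdue"


def review(hosts, patches, today):
    """Summarize what needs attention: unsupported software, SLA misses and documented deferrals."""
    report = {"unsupported": [], "overdue": [], "deferred": [], "late": []}
    for h in hosts:
        if h["end_of_support"] < today:
            report["unsupported"].append((h["host"], h["software"]))
    for p in patches:
        state = patch_state(p, today)
        if state == "overdue":
            report["overdue"].append((p["host"], p["patch"]))
        elif state == "deferred":
            report["deferred"].append((p["host"], p["patch"], p["deferral"]))
        elif state == "late":
            report["late"].append((p["host"], p["patch"]))
    return report


def run_review():
    """Convenience entry point: review the constructed inventory as of TODAY."""
    return review(HOSTS, PATCHES, TODAY)


if __name__ == "__main__":
    for key, items in run_review().items():
        print(f"{key}: {items}")
```

On the constructed data the review separates the three situations the slide contrasts: app01 is unsupported outright, app02 has a critical patch past its SLA with nothing documented (negligence), and web01 has a critical patch past its SLA but with a change ticket explaining why (a documented decision). The moderate patch on web01 is still inside its 90-day window and is not reported.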
24. Mistake #4: Training on the Right Stuff
Defense Layer: All
• Security flaw in the vendor database
• Vendor exposed 7,000 records to the web
• General Security Awareness Training is a HIPAA requirement
• But what about training for secure development practices?
• What about training on a Software Development Lifecycle (SDLC)?
25. Mistake #4: Training on the Right Stuff
Defense Layer: All
Open Web Application Security Project (OWASP)
• www.owasp.org
• Open group focused on understanding and improving the security of web applications and web services
Top Ten Project
• Goal is to raise awareness
If you create web-enabled apps, make this part of your training!
• Web and App Server Misconfiguration
• Remote Administration Flaws
• Insecure Use of Cryptography
• Error Handling Problems
• Command Injection Flaws
• Buffer Overflows
• Cross-Site Scripting Flaws (XSS)
• Broken Account & Session Management
• Broken Access Control
• Un-validated Parameters
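Three of the listed categories (un-validated parameters, injection flaws and error handling) show up together in the most common secure-development training exercise: a record lookup that builds a query from a request parameter. The code below is an added training example, not code from the presentation, from OWASP or from any vendor's product. It puts the mistake beside the hardened form: the unsafe lookup pastes the parameter into SQL, while the hardened lookup allow-list validates the id and binds it as a query parameter, and the request handler keeps the error detail out of the response. The patient table, its rows and the id format are constructed; SQLite stands in for the vendor database.

```python
"""Un-validated parameters and injection: vulnerable lookup beside the hardened form.

Added training example; the table, rows and id format are constructed.
"""
import re
import sqlite3

# Constructed id format: the only shape a patient id may take in this system.
PATIENT_ID_RE = re.compile(r"[0-9]{6,10}")


def setup_db():
    """In-memory table with constructed rows, standing in for a vendor database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO patient VALUES (?, ?)",
        [("100001", "Patient A"), ("100002", "Patient B"), ("100003", "Patient C")],
    )
    return conn


def find_patient_unvalidated(conn, raw_id):
    """The mistake: the request parameter is spliced straight into the SQL text."""
    return conn.execute(f"SELECT id, name FROM patient WHERE id = '{raw_id}'").fetchall()


def validate_patient_id(raw_id):
    """Allow-list validation: anything not matching the expected shape is rejected."""
    if not isinstance(raw_id, str) or not PATIENT_ID_RE.fullmatch(raw_id):
        raise ValueError("patient id has an unexpected format")
    return raw_id


def find_patient(conn, raw_id):
    """Hardened form: validate first, then bind the value so it can only ever be data."""
    pid = validate_patient_id(raw_id)
    return conn.execute("SELECT id, name FROM patient WHERE id = ?", (pid,)).fetchall()


def handle_request(conn, raw_id):
    """Error handling: record the detail internally, return a generic result to the caller."""
    try:
        return {"ok": True, "rows": find_patient(conn, raw_id)}
    except ValueError as exc:
        # In a real service this line goes to the audit log, never into the HTTP response.
        print(f"rejected lookup parameter {raw_id!r}: {exc}")
        return {"ok": False, "rows": []}


if __name__ == "__main__":
    db = setup_db()
    print(find_patient_unvalidated(db, "' OR '1'='1"))   # unsafe: every row comes back
    print(handle_request(db, "' OR '1'='1"))             # hardened: rejected before SQL runs
    print(handle_request(db, "100002"))                  # hardened: one matching row
```

The point for a training curriculum is that the two fixes are independent layers: the format check stops malformed input at the edge, and the bound parameter means that even input which passes validation can never change the query's structure. The generic error response addresses the "Error Handling Problems" item, since a stack trace or SQL error text is itself a disclosure.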
26. Mistake #5: Failure to Manage Changes
• Change Control: The process of managing change to an organization’s environment and assessing the potential impact on business
Defense Layer: All
Have change control covering information technology assets and business processes (1):
– Fully: 54%
– Partially: 39%
– Not at all: 7%
(1) 2014 State of Risk Report. (2015, January). Trustwave, 13-13.
27. Mistake #5: Failure to Manage Changes
• Average cost of downtime is around the $8,000 per minute mark (1)
• 80% of unplanned outages are due to ill-planned changes made by operations staff or developers (2)
• 60% of availability and performance errors are the result of misconfigurations (3)
• Through 2015, 80% of outages impacting mission-critical services will be caused by people and process issues (4)
– More than 50% of those outages will be caused by change/configuration/release integration and hand-off issues
Defense Layer: All
(1) www.datacenterknowledge.com/.../study-cost-data-center-downtime-rising/
(2) IT Process Institute's Visible Ops Handbook
(3) Enterprise Management Association
(4) Ronni J. Colville and George Spafford, Configuration Management for Virtual and Cloud Infrastructures
29. Mistake #5: Failure to Manage Changes
Starting ITIL in 4 Practical Steps:
• Reduce access to systems that can be changed
– Assign a limited group with access as the only entity that can make changes
• Inventory information assets and detailed information about equipment, backups, etc. (build a RACI)
• Create a repeatable build library
• Continual improvement
Defense Layer: All
Google: Amazon.com + Visible Ops
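A repeatable build library only pays off if something compares what is actually deployed against it. The script below is an added example, not code from the presentation, from ClearDATA or from the Visible Ops material it points to: it fingerprints an approved baseline of configuration files, compares the deployed copies against it, and sorts every difference into "approved by a change ticket", "changed with no ticket", "added with no ticket" or "missing". The file paths, their contents and the change-ticket reference are constructed.

```python
"""Configuration drift check against an approved baseline and its change tickets.

Added example; file paths, contents and the CHG ticket id are constructed.
"""
import hashlib


def fingerprint(content):
    """SHA-256 of a file body; any edit, however small, changes it."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def build_baseline(files):
    """Record one hash per path for the approved 'known good' build."""
    return {path: fingerprint(body) for path, body in files.items()}


def drift_report(baseline, deployed, approved_changes):
    """Classify every path as unchanged, approved, unauthorized, added or missing.

    approved_changes maps (path, expected new hash) -> change ticket id, i.e. the
    exact content a ticket authorized, not merely "this file may change".
    """
    report = {"unchanged": [], "approved": [], "unauthorized": [], "added": [], "missing": []}
    for path in sorted(set(baseline) | set(deployed)):
        if path not in deployed:
            report["missing"].append(path)
            continue
        new_hash = fingerprint(deployed[path])
        if baseline.get(path) == new_hash:
            report["unchanged"].append(path)
            continue
        ticket = approved_changes.get((path, new_hash))
        if ticket:
            report["approved"].append((path, ticket))
        elif path not in baseline:
            report["added"].append(path)          # new file nobody filed a change for
        else:
            report["unauthorized"].append(path)   # edited outside change control
    return report


# Constructed approved build.
BASELINE_FILES = {
    "/etc/app/db.conf": "host=db01\nport=5432\nsslmode=require\n",
    "/etc/app/web.conf": "listen=443\ntls=on\n",
    "/etc/app/backup.conf": "schedule=daily\nretain=30\n",
}

# Constructed snapshot of what is actually on the server.
DEPLOYED_FILES = {
    "/etc/app/db.conf": "host=db02\nport=5432\nsslmode=require\n",   # database moved, ticket filed
    "/etc/app/web.conf": "listen=443\ntls=off\n",                     # TLS switched off, no ticket
    "/etc/app/debug.conf": "verbose=true\n",                           # new file, no ticket
}

BASELINE = build_baseline(BASELINE_FILES)

# Constructed change record: ticket CHG-0412 authorized exactly the new db.conf content.
APPROVED = {
    ("/etc/app/db.conf", fingerprint(DEPLOYED_FILES["/etc/app/db.conf"])): "CHG-0412",
}


def run_check():
    """Compare the constructed deployment against the constructed baseline."""
    return drift_report(BASELINE, DEPLOYED_FILES, APPROVED)


if __name__ == "__main__":
    for category, items in run_check().items():
        print(f"{category}: {items}")
```

Keying the approved-change table on the hash of the authorized content, rather than on the path alone, is the design choice that matters: it means a ticket that approved a database move cannot also cover an unrelated edit to the same file. On the constructed data the TLS setting turned off without a ticket and the stray debug file surface as the items to investigate, while the ticketed database change is recorded as approved and the deleted backup configuration is reported as missing.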
30. Bonus Mistake: Failure to Remediate
• Identifying the list of items to fix is just the beginning
• You actually have to fix them before the bad guys exploit them
Risk Analysis helps identify and prioritize issues.
High Priority Examples:
• Risk Analysis (#1) §164.308(a)(1)(ii)(A)
• Information System Activity Review §164.308(a)(1)(ii)(D)
• Security Awareness and Training Program (#11) §164.308(a)(5)(i)
• Encryption and Decryption (#42) §164.312(a)(2)(iv)
• Data Backup Plan §164.308(a)(7)(ii)(A)
• Audit Controls (#43) §164.312(b)
• Policy and Procedures (#48) §164.316(a)
• More…
Timeline: ASAP / <30 days
Defense Layer: All
32. Five Common Mistakes & Consequences
Defense Layer: All
• Mistake #1, Failure to Conduct a Risk Assessment → Unaware of Vulnerabilities
• Mistake #2, Ineffective Activity Reviews → Hackers Inside for Months
• Mistake #3, Lack of Timely Patches → Vulnerable Systems
• Mistake #4, Lack of Proper Training → Flawed Systems Promoted to Production
• Mistake #5, No Formal Change Management → Downtime, Break Systems, Failure to Communicate
All five lead to Data Breaches.
33. MODERNIZE THE INFRASTRUCTURE • SECURE PATIENT DATA • IMPROVE DATA INTEROPERABILITY
John Perales
National Channel Sales Director
512.993.5899
John.Perales@cleardata.com