
How HIPAA Compliance helps and hinders true patient data security

BSides SLC · 2016 · 45:38 · 103 views · Published 2016-05
About this talk
Drawing on case studies of breached healthcare organizations, this talk examines what HIPAA got right and where it falls short in protecting patient data. Anderson explores OCR enforcement patterns, security risk assessments, vendor management, and emerging compliance gaps—then charts a practical roadmap for healthcare security leaders to move beyond compliance theater toward genuine security maturity.
Original YouTube description
Building on some previous materials from the OCR HIPAA/HITECH laws, I will explore several key case studies of recently breached healthcare organizations: what went well, how HIPAA helped or hindered, what did not go well, and key takeaways for making sure it does not happen to you, and also thoughts around continuous security process improvement for the benefit of compliance. Expect a demo that will both enlighten and entertain.
Transcript [en]

Welcome, everyone. I appreciate the opportunity. Thanks, BSides Salt Lake. It's good to see some familiar faces in the crowd. There are probably a few different healthcare organizations represented here. Anybody from HCA? Anybody from the U? Okay, there you go. A few people from Intermountain, I see. Right, okay. Who am I missing? IASIS? IASIS, what an unfortunate name they have right now. Okay, just taking a poll of who I have here. Anybody else in healthcare? Okay, super.

All right, so we're going to talk a little bit about HIPAA today, and why it sort of works and sort of doesn't work. I have this fun disclaimer. I can't think of anything that's not covered there, but if you can, let me know and I'll add to it later. So this is basically my thoughts and representations; it doesn't represent my employer, that's important to know, or employers, or customers, or friends, or unknown aliens.

A little bit about me: I've been doing this stuff for quite a while. So how do you become a HIPAA security expert? I always like to ask my peers how they did it, because everyone's got a little bit different story. My story is that I had a background in the US Air Force and eventually found my way into the medical realm and ended up consulting at a lot of different hospitals, doing big installations, and so I had an eye towards security. About that time, in the late '90s, HIPAA was forming and coming about, and people would ask me, "Well, you have a background, you know about security, what do you think we should do here, what do you think we should do there?" And so before long I became a HIPAA security expert, not because I was certified, just because I had some thoughts about security, I had some training about security, and I touched a lot of different hospital systems and business processes in hospitals.

So today let's talk a little bit about what really happens with HIPAA, what's entailed there: security risk assessments, the rule, enforcement (I'm going to get into that), what the important elements of a risk assessment are, some tips and takeaways. I presented most of this talk at SAINTCON, so if you've seen it before, please bear with me, because there are some things towards the end that I think you'll find interesting: how to depend on yourself for HIPAA security is something I want to talk about. As I go through this, if you have questions or thoughts or you want to heckle, please feel free to do that. I love all those things. It's a lot of fun to come and be able to talk about something that you're passionate about. I've been challenged to see how many times I can drop the f-bomb. I did some work with hockey over the years, and in some of the training I've had there, they told us a lot, especially at the high level when we were hearing from the NHL coaches, that you should swear a lot, you should drop the f-bomb. So we'll see how that goes. I usually like to hold that back just a bit.

So there's a little bit of confusion, and there are all these great numbers, right, and parentheses and sub-parentheses and sub-numbers. The Security Rule is about the risk analysis, the Privacy Rule talks about the safeguards, the Breach Notification Rule is a separate thing, and they kind of all blend into one thing, and so sometimes it's not always apparent which thing is in scope.

So I love this quote: "Security risk assessments are the cornerstone of compliance." That was from Iliana Peters; she's with HHS. Actually, it's a good cornerstone of any security program; it doesn't have to be specific to HIPAA. You want to do a risk assessment and know where you're at; it's a start on the road, right? You put your foot on the pathway and you start to identify things that you can fix or work on.

So today, in the breaches, there are only two kinds of companies: those that have been breached and those that don't even yet know they've been breached. So we're going to talk about breach a little bit. Ninety-seven percent of organizations were breached, from FireEye and Mandiant 2014. That's a pretty bold statement, so there are a lot of companies out there that may not know they're breached yet.

Okay, so I also love this quote: "Breach gets you on our visit list," right, and nobody really wants that from HHS. "Non-compliance gets us to stay." And there's probably nothing worse than having them come and hang around and audit you and monitor you and then continue that process, and it can be very costly.

So cyber attacks are on the rise. You all know this, okay. Seventy-five percent of networks are owned. I don't know, that's a high number; that's also 1970 jargon. So defense in depth is something that's worked for a while, and if you're a little more secluded like we are in Utah, that goes to our advantage, and it kind of goes to our disadvantage, because nothing bad ever happens in Utah, right? We're all good people, there are no hackers here, nobody's trying to steal our money. But then there's that internet thing, and we're connected to it, and so now everybody that you're connected to maybe isn't in Utah.

So I like this: the average attacker goes 229 days without really being detected. Okay, some of the people I travel around with, if you allow them to go undetected in your network for 229 days, it's really not going to be a very fun time for you. They're going to exfiltrate data, they're going to do all kinds of things, they're going to create a lot of persistence and backdoors, and they're going to constantly have ways in. So that's a long time, and a big cost to take care of this. So what's going on? It's trending downward, so we're finding things a little bit earlier. I was just at RSA last week and visited with a lot of vendors, so a lot of the tricks and tools and things that were put into place, that the companies do put into place, help. So defense in depth is something you don't just give up on. It helps, but still, that's a long time. I don't have a number for 2015 yet, or really anything for 2016. I think it's pretty interesting that you're going to find out from the outside: you're going to find out from social media, you're going to find out if you're monitoring maybe the dark web, you're going to get a call from the FBI, "Hey, you might want to look at this," or "We discovered this." Not really a very fun day.

Do you guys like these things, the bubbles and the words? Okay. Here are some of our biggest breaches so far: eBay, JP Morgan. The bigger the bubble, the bigger the breach. Home Depot: we just recently heard Home Depot had set aside some money for settlement and remediation. Okay, it's happening in healthcare. Jay alluded earlier in his talk to the Hollywood Presbyterian breach. Boy, did that create some fun around my neck of the woods, lots of discussion.

So maturity levels, let's talk about that a little bit. Basically what you have to decide is how good you need to be. Do you need to just be better than your neighbor? So if my day job is at Intermountain Healthcare, do I just need to be better than the U or IASIS or MountainStar? But I'm connected to the network; maybe I need to be as good as or better than most. Maybe that's where I want to be.

So in all of this, the thing to know is administrators are probably a real concern. We have a lot of effort around making sure that the right people have the right access, so access control helps a lot, and logging. So we do a lot of auditing, a lot of logging, to make sure that people have the access they're supposed to, even on the patient level: the right clinicians are looking at the right medical records. All this stuff is important to do.

So what are some of the consequences of non-compliance? Well, reputation is a big one. So in Hollywood, if you're a movie star and you have a choice of where to go, you may not choose to go there. Sometimes you don't have a choice; in an emergency, you're going to get care where you need it most quickly, most urgently. But if you have a little choice, you might choose somewhere else. So we know some folks at Cedars-Sinai; maybe you go there, maybe not Hollywood Presbyterian. So reputation is a big deal, and it's hard to fix. So, a lot of money, thousands of hours, maybe there's a scapegoat, all those things. So how do you navigate all this?

So the Anthem breach was pretty interesting: 78 million customers' PII, big dollars spent. Just think for a moment about the requirement to send out snail mail. What's that going to cost? It's at 50 cents these days to send out a piece of mail, or maybe you can get a bulk rate, maybe you can get 35 cents. So what if you have to send out 78 million of them? Those monies could probably be spent a little bit better on some security, right, if you didn't have that breach. And it just goes on and on, with the costs going up and up. 2015, these were some of the top breaches: Anthem, Premera, on down. Do you guys know any of these? They're familiar names, hopefully. A lot of this data is off the HHS website. This is what the Premera breach looked like. It's not quite as many. They had a little bit of warning, but they weren't really able to react to it, right? They're still figuring out how much that one's going to cost.

So expected losses, here are some ranges. We love charts and graphs, don't we? Where do you want to find yourself? So limiting access to numbers of records, keeping data on servers versus, you know, laptops and things that can grow legs and walk out, all those things can help. Those are some predictions, pretty big numbers. Does anybody have that kind of a security budget? Hopefully some people do. You don't have to spend that much money, but you need to have a program, and that's really the point of that.

So from an OCR perspective, what's expected? They expect you to have heard of HIPAA, and you have. They want you to have a compliance program in place. They want you to be familiar with the rules. And this fourth one's pretty interesting: be able to demonstrate active participation. I think I can speak for my employer; there's some active participation, really a lot of effort, so that's good, right?

So risk assessment, and incident risk assessment. We've started practicing that; hopefully you are too. How do you deal with an incident? You're probably going to have them. So do you know who your PR person is? Are your people trained not to talk to the media? Do you visit with your lawyers? Do you have a statement from them, and do they give you the guidance? There are all these things you can do that are not even really technical things that you need to be thinking about.

The current trends: so from 2008 we're starting to see a little bit more settlements, a little bit more as time goes on. 2015 numbers. So here's the question I ask sometimes, but also there's a lot of buzz about it: is HIPAA a toothless tiger? So if you're famous, right, and your record gets breached, that might get some news. But what if you're not famous? What if you're just an everyday Joe, or what if you're like me? I'm really lucky; I have pretty good health, I hardly ever see the doctor. Usually my experience in the hospital has stemmed from taking hockey players to the ER to get sewn up. So I have no record or no trail of much of anything. So when there's a complaint made, that's when OCR gets involved, and that's where the fun begins.

So repeat offenders, and we'll talk about that a little bit more. Here are some of the common themes or common things that they're finding: transmitting ePHI over unauthorized networks, storing it on systems that are not secure, removal from the organization, sharing accounts and passwords, no encryption of portable devices. Okay, those kinds of things. That's kind of the low-hanging fruit, isn't it? Those are the first things you're going to find if you walk in and somebody doesn't have much of a security posture, or they haven't really thought about it. You know, you turn over the keyboard and what are you going to find? You're going to find a sticky with the password on the bottom, and I've seen in some cases it's going to be the doctor's creds, right, the person who needs the most access and needs to do someone's dictation or other signing of things to get drugs.

So here's the total of investigated resolutions, corrective action. So you're probably going to have a corrective action plan of some kind, and they're looking for change. How soon are they going to come back and monitor and check?

So here are some more common things that are exposed: lack of safeguards, lack of patient access to the protected data (so we all have the ability to get our data, right, and I'll get into that a little bit more towards the end), lack of administrative safeguards, use and disclosure. So when you go in, you're going to sign a whole bunch of papers. Don't blame that on me, all right, but that was the beginning of some of my handiwork: we'd better have people sign that they know what they're doing. So this is off the site recently. These are some case examples, and we're going to drill down a little bit. Here are the common ones: access rights, access control, authorization. How's your BAA? You're going to have some business associates. Conditioning and compliance, confidential communications, disclosure to avert a serious threat; we may have actually seen that with Hollywood Presbyterian. They might have been motivated because they needed some patient data, right, to pay the ransom. Minimum necessary: some people with too much access, or access that accumulates, one of my pet peeves and favorite hot topics. Notices and safeguards, those kinds of things.

So if we look at safeguards and we drill down a little bit, the pharmacy chain is what I want to look at. So they're going to institute some new safeguards. So they're under a protocol; they've had a complaint; they're going to go through the steps, and this is what I'm going to drill down into a little bit. So that's a little bit of an eye chart; hopefully you can see it. So basically the pharmacy was maintaining some logbooks, right, and they weren't securing them well, and so the result was OCR wanted them to improve their policies. Now, who thinks that just improving your policies is really going to secure those logs? I don't see even one hand, and that's really the problem, isn't it? Because security is not really privacy; it helps. So what's missing? What's missing is the actual security.

So I went down this list. These are the ones that have the complaints that have been investigated, grouped by categories. But what you don't see, because if you're doing anything in HIPAA security and trying to follow a protocol, you're going to have some other things: you have a lot more to do about encryption, you're going to have more to do about business continuity, disaster recovery (one of the things I'm focused on), media reuse, that sort of thing. We've seen nothing yet complained about or reported to OCR; nothing's been investigated by them around these things. So they've looked at the low-hanging fruit. I'm trying to give you an idea of what's next, what they're going to look at next.

So when I think of business continuity and disaster recovery, and I think about the situation at Hollywood Presbyterian, if they were doing a good job there, they could have just told the hackers, "You know, never mind, we're not paying. We'll just recover our systems. We've got our data archived, we're going to recover, and we're really not going to do anything, so thanks for doing that, you know, you gave us an idea, but we're not paying." But they decided to pay. In times coming, I'm predicting (there's a nice prediction, I like predictions, we'll see how long it takes before I'm right), I'm predicting that OCR latches onto the idea that if you're paying a ransom, you're going to pay a fine to go with that, because obviously you haven't done a good job in business continuity and disaster recovery.

So in 2016, not too much will change. We'll see a lot of the same sort of discoveries, because we're in the initial learning part of having OCR and HHS and the IG from HHS, which I get to visit with; we're in the process of them learning how to do this, you know, "What are we going to look at?" So they're learning how to do it, and Jay talked about the FDA; they're also learning how to do it. So device vendors and the supply chain might be the most significant place where we can find help, or where we can find good places to do some solid work. So maybe the BAAs are helping. All right, if you've not gone through the contracting process of a BAA discussion, I hope you get that opportunity. It's great fun to watch the squirming and gnashing of teeth happen.

So when we hear the recent areas of focus from OCR, they are these: business continuity, disaster recovery, risk assessment (we've heard a lot about that; they want to see that you've done one and that you're working it), access control (that's something that they've done work around, and that's where they're getting some of their findings), privacy audits, security awareness and training (that's an important component; humans are always the weakest link), and vendor and BA relationship management. So along the lines of the relationship management, okay, if a company does an SSAE 16 and they have whatever level they've got, that might give you some comfort, but there's still a need to delve into it and see. You know, you need to go on site, look, check, make sure that they're actually doing what they say they're going to do. So there's value in it, but, you know, trust but verify, that's what I would say.

So what does OCR expect? It's not just a paper exercise. They expect you to actually be working it, right, have some findings in your risk assessment and be working it. From a consulting perspective, I love to hear this, because I talk about security risk assessment a lot. It really gives us a nice place to start to build a roadmap and help customers, and it's something they can really hang their hat on. They can take that to leadership, obtain monies, so it's really an important thing. So maybe from that perspective HIPAA is helping, right? Site visits, my favorite thing, and interviews. I can find out more in a one-on-one interview with a person than a lot of people can. That's not because I'm going to use waterboarding or other techniques, which I'm aware of how they work; I'm not going to say whether I ever did that before or not. But it's just watching people react to a simple question and then letting them know that you're there to help them, if you're an auditor, with one of their concerns, and it's surprising how people will open up to you and really realize that they don't have to be the one that's bringing that message to leadership.

So, looking for remediation and action plans and some evidence that it's being worked on. So you need to keep this stuff around for six years. Is everybody doing that? I hope so. Keep your documentation. Some additional things, okay: some vulnerability testing, and pen testing is even better. I would venture to say that most healthcare is not really ready for advanced pen testing. It's always a fun exercise if you get to do that; we love pen testing in the consulting world. But a lot of times we take a quick look and say, "You know, you're not really ready for pen testing. Let's just start with something a little more simple. Let's start with a risk assessment and see how we can help you get ready to be able to do a pen test."

So copiers and fax machines, always a fun time. Those things have a lot of capabilities these days; they have a lot of storage. And, you know, what happens if you work with any copier guys? They're going to bring their little, basically several bags and pieces of equipment, and if they can't fix the machine, what are they going to do? They're probably going to roll it out of the enterprise, they're going to roll it out of the office, if it's a smaller machine, right, if it's not a big one that requires several men and a truck and all that. A smaller machine is going to have a lot of data, and they're going to have it. You know, a social engineering opportunity right there.

Employee and contractor background checks: so you check once when you hire them, but are you doing those constantly, right? Most companies don't do that. Breach insurance: people are buying that, and then when breaches happen, they find that they're not covered. So they're using all the breach insurance, and then more money needs to go out.

Encryption is a safe harbor. Oh man, that one just about drives me crazy. Okay, is it really a safe harbor? So if my laptop is encrypted or my desktop is encrypted and I've got patient data, it really depends on how I use this device. So does anybody here use hibernate mode? I do. I'm sure I don't have any patient data, but I use hibernate mode and I just close the lid. So now the lid's closed, and when I flip it open, it's right there. So it's not encrypted; it doesn't go to encryption when I hibernate. It's encrypted if I turn it off, right? So "encryption is a safe harbor" is the thing that's allowed. People will claim safe harbor, right, if they have a breach: "Although that device was encrypted, so it's safe." Well, maybe it wasn't; maybe it's not. So if you're the patient and your data is on that device, how do you know that it wasn't really accessed?

Encrypt whatever can sprout legs: laptops, desktops, copier machines, medical devices, right, everything that moves or everything that can move. Just because it's bolted to the wall doesn't mean it can't be moved or unbolted or taken. So even big things; in fact, it's the big things and the social engineering component of having some guys in a moving van who look like they're supposed to be there, those are the things to really worry about, right?

Strong authentication, complex one-time passwords. It's always been a fun discussion. Back when I first got into HIPAA a little bit, we were having discussions about password complexity, and what we learned was it's a really hard thing. The clinician might have one hand gloved, and they're going to want to be able to type their password with the one hand that's not gloved, and so it needs to be complex, but they still need to be able to do their password with one hand. I think we're kind of getting away from that; they're getting used to, you know, ungloving or whatever, and so hopefully we can get a little bit more complexity in the passwords. But every time it's always a fight; we're always fighting that battle. How are we going to get the clinicians and the end users to really use this?

Administrator credentials: so once you get in, if you remember the pyramid, right, at the top is the administrator. So if I can become that administrator, okay, that's where I want to be.

And another fun thing that I like to talk about a lot, and we all do this: we send out, as business processes, emails that ask our people to click, and at the same time we tell people in security awareness and training, "Don't click." Why do we do that? I don't get it. My bank's not sending me emails to click on. People from Nigeria are trying to send me stuff that looks like it's from my bank for me to click on; I'm not clicking on it. But from an internal perspective, if your company is sending things, "Oh, it's a business process, it's HR, oh, I need to do this thing for my employee," so yep, I get the thing and it's a click. No, no, that shouldn't be what's happening. What should be happening is I get a notice in email that says, "Your employee Bob is needing a review. Please go on to the HR system and do the appropriate thing." That's the only notice I get, not a "click on this and make it easy." And I'm trying really hard with some companies I'm working with to get that recognized and acknowledged, because you can't on the one hand tell people, "Well, don't click on anything," in their training, but then be sending out stuff that has links in it. It just doesn't make sense, and if there were ever going to be an f-bomb dropped, that would be the place to drop one, because it's just maddening what happens there. Still didn't drop it.

So developing trust relationships, right, you know, working with your C-suite, having the tone from the top, having them realize that they need to apply monies, all these things. Collaborating with external resources: hopefully, well, you're all here, so that's great. You're going to industry things; there are professional associations, InfraGard, there's ISACA, there are a lot of them, there's SAINTCON, and we have a lot of those things to belong to. You're going to hear and collaborate with some great people, because you can't know everything, right? You just can't know everything.

So independent reporting, kind of a big deal. The C-level people, you know, get worried about this. There are usually a couple of them on the hook that might have to, you know, potentially don an orange suit and spend some time in jail, but really I haven't seen that happening much. I mean, it really would take some illegal activity, and you'd have to work hard to be neglecting things enough to have that happen.

Managing BA relationship risk, right: so it's not enough just to get a report from an external third party on the SSAE 16, but you need to go there and see what they're doing. You walk around, you need to ask some questions, okay? These things all take time. You have to have your documentation in order.

So what are some things you can do? Make sure you don't have PHI on local machines; hopefully you're keeping it in your networks, right. Reporting security incidents, okay: if you see something, say something. We get a fair bit of email from people saying, "Hey, I got this weird-looking email," or "There's this email with an attachment," or "I saw somebody weird driving around the parking lot." We really get a lot of weird things. Breach notification plan, okay: these need to be timely. There are set times that things must happen once you've been notified, and it goes all up and down the chain. So if you have a really long chain of contracted third-party vendors who have contracted out, who have contracted out, the clock starts running down at the end of the chain. So if they're not good at communicating up the chain, you might find out after 45 days have gone by that, oh crap, there's this thing that happened, and I didn't get a whole sixty days, right? So don't delay in responding.

Here's something I learned: if you get a letter from OCR and you need to make a response, it's okay to ask for more time. So I just called up OCR and I said, "I'm just getting this landed on my desk today, it looks like it's due in two days, and it's bounced around our system for 45 days. Can I have a little bit more time?" The response was, "Sure, you can have another week. No problem." But it's because I at least asked. If I hadn't asked, I would have been running around all weekend trying to kill myself, and you can't get to the people I need to get to. So it's okay to ask for a little bit more time.

So what kind of evidence? Oh, you know, screenshots are huge, and they're used a lot. Data dumps: some auditors are good at going through data dumps, some maybe not so good. Log files, records. Really looking for two artifacts per control, if you can get that. And reputation: so one of the things that I like to do is have someone demonstrate how they work something; that's usually a pretty telltale sign. So do we have a program rather than just a project? Is it true? Is it funded? Is it treated like it's something serious, or is it just a "Hey, let's hurry up and cobble a bunch of stuff together and get some documents to try and answer all of it"?

What are some of the technologies? Okay, obviously encryption, right, strong authentication, detection tools, stuff that goes beyond just the firewall stuff, the general stuff. Having a pen test if you're up to that, integrated solutions, continuous auditing and monitoring. And so when you get some time on the network and you understand what's supposed to be going on, then hopefully you can recognize when something looks like it shouldn't be going on. Tools for incident response, continuous auditing (that's a huge thing), other tools to automate the GRC process.

So what are the behaviors that can help? The tone from the top, I talked about that. Security awareness and training, okay: is it just an exercise in what I like to call "click area," or actually causing people to think a little bit, right? What's the security posture? Is the C-suite engaged? You can tell a lot about that by how you're funded and supported. Attitude, right, attitude is everything. Everyone is on the security team. It's not just the security team or the physical security team; it's the whole company. And if you see something, say something.

All right, this is one of the funniest discussions in healthcare today. Apparently you own your data. Who here has a copy of their medical record? One person, okay. If you were to ask for a copy of your medical record, what do you think you're going to get? You might get some paper, you might get a PDF. They're probably not going to give you something you can consume electronically. So OCR and organizations will tell you you own your data, but do you really own your data? Possession is nine-tenths of the law; we hear that a lot. The people who have the data, the organization, they're the people who own your data, right? So you don't really own your data, but you can ask for it. That's probably the most important point: you can ask for your data. So are there ever errors on medical records? Of course there are; it happens all the time. So if you get your medical record and you look down through it and you say, "Wow, this wasn't even me," or it doesn't look like you, then identity theft is a real concern. So you have a chance to verify your data. When you get ahold of that, it'd probably be a good idea to encrypt it and take care of it properly. And I say this to this audience, but what would I say to the general public, who can't do that for themselves very well or who aren't good at doing that? I would say maybe you should consider putting it on an iPhone; even the FBI can't crack that. But we all can, right? Or maybe we can.

So security self-reliance. I'm getting to the end of the talk here and I just want to talk about that a little bit. So take some time, monitor your credit report, okay. There are a lot of Dan Andersons in the world. Maybe that's a good thing; depending on who you talk to, that may not be such a good thing. But if you take some time and get your baseline and you know where you're at, then you'll be able to recognize for yourself when something's there, because identity theft, especially medical, and for people who are really sick and need medical care, is going to be more and more of a theme. LifeLock: anybody here use LifeLock? Okay, I'm the only one. Interesting. That's not the only service out there, and you can certainly do it for yourself.

All right, physical security, quickly. All right: your home, your car, and you, your surroundings. Okay, I'm going to be a little bit short on this, but I just want to give you some things to think about. So get your medical record, know what's on your credit report, okay. What's your situational awareness? If you're walking around with your head down and texting, you might get run over, or you might encounter the first-person shooter, right? So there's a time and a place for those things, and there's a time and a place to be thinking about what's there. So your profile: what's in your car, okay, what are you keeping in your car? You pack your backpack around because it's got your really important laptop and all kinds of things. What do you have on you? Can you give it up easily? All right, so you've got your wallet on you, you've got a phone on you. What are you going to give up first, your wallet or your phone? Who says wallet? Phone? Okay, if it's an Apple, even the FBI can't get in, so you're probably going to give up your phone first, right? But is that what the person who is holding you up wants? No, they probably want your wallet, because it's going to be more difficult to deal with the phone. So give them both and run, right? You don't care. First-person shooter: are you prepared, right? Run, hide, fight, okay. Get away, that's the same thing. Don't fight unless you have to, but if you're going to fight, fight well.

All right, that's the end. I have a little bit of time for any questions, things you want to bring up, and if not, well, thanks everyone.

[Applause]