How HIPAA Compliance helps and hinders true patient data security

BSides SLC · 2016 · 45:38 · 103 views · Published 2016-05
About this talk
Dan Anderson examines how HIPAA compliance both helps and hinders genuine patient data security, drawing on case studies of breached healthcare organizations and OCR enforcement patterns. He covers what HIPAA's risk assessment cornerstone gets right, where it falls short (business continuity, encryption, media reuse), and offers practical takeaways for building a real security program rather than a paper exercise.
Original YouTube description
Building on some previous materials from the OCR HIPAA/HITECH laws I will explore several key case studies of recently breached healthcare organizations. What went well, how HIPAA helped or hindered, what did not go well and key takeaways for making sure it does not happen to you and also thoughts around continuous security process improvement for the benefit of compliance. Expect a demo that will both enlighten and entertain.
Transcript [en]

[Music]

Welcome everyone. Appreciate the opportunity. Thanks BSides Salt Lake, it's good to see some familiar faces in the crowd. Probably a few different healthcares may be represented here. Not sure, anybody work — anybody from HCA? Know about the U, okay? You, a few people from Intermountain, I see, right? Okay, who am I missing? IASIS. IASIS, what an unfortunate name they have right now. Okay, just taking a poll who I have here. Anybody else in healthcare? Okay, super.

All right, so we're gonna talk a little bit about HIPAA today, all right, and why it sort of works and sort of doesn't work. I have this fun disclaimer. I can't think of anything that's not covered there, but if you can, let me know and I'll add to it later. Okay, so this is basically my thoughts and representations, so it doesn't represent my employer — that's important to know — or employers or customers or friends or unknown alien aliens.

So a little bit about me: I've been doing this stuff for quite a while. So how do you become a HIPAA security expert? I always like to ask my peers how they did it, because everyone's got a little bit different story. My story is, I had a background in the US Air Force and eventually found my way into the medical realm and ended up consulting at a lot of different hospitals, doing big installations. I had an eye towards security, and about that time in the late 90s, HIPAA was forming and coming about, and people would ask me, well, you have a background, you know about security, what do you think we should do here, what do you think we should do there? And so before long I became a HIPAA security expert, not because I was certified, it's just because I had some thoughts about security, I had some training about security, and I touched a lot of different hospital systems and business processes in hospitals.

So today let's talk a little bit about what really happens with HIPAA, what's entailed there: security risk assessments, the rule enforcement — I'm going to get into that — what are the important elements of a risk assessment, some tips and takeaways. I presented this talk, most of this talk, at SaintCon, so if you've seen it before, please bear with me, because there's some things towards the end that I think you'll find interesting. How to depend on yourself for HIPAA security — something I want to talk about.

Okay, as I go through this, if you have questions or thoughts or you want to heckle, please feel free to do that. I love all those things. It's a lot of fun to come and be able to talk about something that you're passionate about. I've been challenged to see how many times I can drop the f-bomb. So as I did some work with hockey over the years and some of the training that I've had there, they told us a lot, especially at the high level when we were hearing from the NHL coaches, you should swear a lot, you should drop the f-bomb. So we'll see how that goes. I like to hold that back just a bit usually.

So there's a little bit of confusion, and there's all these great numbers, right, and parentheses and sub-parentheses and sub-numbers. So the security rule is about the risk analysis, the privacy rule talks about the safeguards, the breach notification rule is a separate thing, and they kind of all blend into one thing, and so sometimes it's not always apparent which thing is in scope.

So I love this quote: security risk assessments are the cornerstone of compliance. Okay, and that was from Iliana Peters, she's with the HHS. Actually, it's a good cornerstone of any security program, doesn't have to be specific to HIPAA. You don't want to do a risk assessment and know where you're at, but it's a start on the road, right? You put your foot on the pathway, and you start to identify things that you can fix or work on.

So today in the breaches, there's only two kinds of companies: those that have been breached and those that don't even yet know they've been breached. So we're going to talk about breach a little bit. Ninety-seven percent of organizations were breached, from FireEye and Mandiant, 2014. That's a pretty bold statement. So there's a lot of companies out there that may not know they're breached yet.

Okay, so I also love this quote: breach gets you on our visit list, right? And nobody really wants that from the HHS. Non-compliance gets us to stay. And there's probably nothing worse than having them come and hang around and audit you and monitor you and then continue that process and be very costly.

So cyber attacks are on the rise, you all know this. Okay, seventy-five percent of networks are owned. I don't know, that's a high number. That's also 1970 jargon. So defense in depth is something that's worked for a while, and if you're a little more secluded like we are in Utah, that goes to our advantage, and it kind of goes to our disadvantage, because never bad happens in Utah, right? We're all good people, there's no hackers here, nobody's trying to steal our money. But then there's that internet thing, and we're connected to it, and so now everybody that you're connected to maybe in Utah.

So I like this: the average goes 229 days without really being detected. Okay, so some of the people I travel around with, if you allow them to go undetected in your network for 229 days, it's really not going to be a very fun time for you. They're gonna exfiltrate data, they're gonna do all kinds of things, they're going to create a lot of persistence and backdoors, and they're gonna constantly have ways in. So that's a long time, big cost to take care of this.

So what's going on? It's trending downward, so we're finding things a little bit earlier, right? I was just at RSA last week, visited with a lot of vendors. So a lot of the tricks and tools and things that the companies do put into place help. So defense in depth is something you don't just give up on. It helps, but still, that's a long time. I don't have a number for 2015 yet, or nothing really for 2016. I think it's pretty interesting that you're gonna find out from the outside. So you're gonna find out from social media, you're gonna find out if you're monitoring maybe the dark web. All right, you'll get a call from the FBI: hey, you might want to look at this, or we discovered this. Not really a very fun day.

Do you guys like these things, the bubbles and the words? Okay, here's some of our biggest breaches so far: eBay, JP Morgan, right? The bigger the book, the bigger the bubble, the bigger the breach. Home Depot — we just recently heard Home Depot had set aside some monies for settlement and remediation. Okay, it's happening in healthcare. J alluded earlier in his talk to the Hollywood Presbyterian breach. Boy, did that create some fun around my neck of the woods. Lots of discussion.

So maturity levels, let's talk about that a little bit. Basically what you have to decide is how good do you need to be. So do you need to just be better than your neighbor? So if my day job's at Intermountain Healthcare, do I just need to be better than the U or IASIS or Morningstar? But I'm connected to the network, maybe I need to be as good or better than most. Maybe that's where I want to be.

So in all of this, the thing to know is administrators are probably a real concern. We have a lot of effort around making sure that the right people have the right access, so access control helps a lot, and logging. We do a lot of auditing, a lot of logging to make sure that people have the access they're supposed to, even on the patient level — the right clinicians are looking at the right medical records. All this stuff is important to do.

So what are some of the consequences of non-compliance? Reputation is a big one. In Hollywood, if you're a movie star and you have a choice of where to go, may not choose to go. Sometimes you don't have a choice; in an emergency, you're gonna get care where you need it most quickly, most urgently. But if you have a little choice, you might choose somewhere else. So we know some folks at Cedars-Sinai — maybe you go there, maybe not. Hollywood Presbyterian. Reputation is a big deal, and it's hard to fix. A lot of money, thousands of hours, maybe there's a scapegoat — all those things. So how do you navigate all this?

The Anthem breach was pretty interesting: 778 million customers, PII, big dollars spent. Just think for a moment about the requirement to send out snail mail. What's that going to cost? It's at 50 cents these days to send out a piece of mail, or maybe you can get a bulk rate, maybe can get 35 cents. So what if you have to send out 78 million of them? Those monies could probably be spent a little bit better on some security, right? If you didn't have that breach. And it just goes on and on with the costs going up and up.

2015 — these were some of the top breaches: Anthem, Premera, on down. You guys know any of these? They're familiar names, hopefully. A lot of this data is off the HHS website. Beacon. This is what the Premera breach looked like. It's not quite as many; they had a little bit of warning, but they weren't really able to react to it, right? They're still figuring out how much that one's going to cost.

So expected losses, here are some ranges. We love charts and graphs, don't we? Where do you want to find yourself? Limiting access to numbers of records, keeping data on servers versus laptops and things that can grow legs and walk out — all those things can help. Those are some predictions, pretty big numbers. Does anybody have that kind of a security budget? Hopefully some people do. You don't have to spend that much money, but you need to have a program, and that's really the point of that.

So from an OCR perspective, what's expected? They expect you to have heard of HIPAA. They want you to have a compliance program in place, they want you to be familiar with the rules, and this fourth one's pretty interesting: be able to demonstrate active participation. I think I can speak for my employer — there's some active participation, really a lot of effort. So that's good, right?

So risk assessment, an incident risk assessment. We've started practicing that; hopefully you are too. How do you deal with an incident? You're gonna probably have them. So do you know who your PR person is? Are your people trained not to talk to the media? Do you visit with your lawyers? Do you have a statement from them, and they give you the guidance? There's all these things you can do that are not even really technical things, things that you need to be thinking about.

The current trends: so from 2008, we're starting to see a little bit more settlements, a little bit more as time goes on. 2015 numbers. So here's the question I ask sometimes, but also there's a lot of buzz about it: is HIPAA a toothless tiger? If you're famous, right, and your record gets breached, that might get some news. But what if you're not famous? What if you're just an everyday Joe? Or what if you're like me? I'm really lucky, I have pretty good health, I hardly ever see the doctor. Usually my experience in the hospital is stemmed from taking hockey players to the ER to get sewn up. So I have no record or no trail of much of anything. So when there's a complaint made, that's when the OCR gets involved, and that's where the fun begins.

So repeat offenders, and we'll talk about that a little bit more. Here's some of the common themes or common things that they're finding: transmitting ePHI over unauthorized networks, storing it on systems that are not secure, removal from the organization, sharing accounts and passwords, no encryption of portable devices. Those kinds of things — that's the low-hanging fruit, isn't it? Those are the first things you're gonna find if you walk in and somebody doesn't have much of a security posture, or they haven't really thought about it. You turn over the keyboard and what are you gonna find? You're gonna find a sticky with password on the bottom. And I've seen, in some cases, it's going to be the doctor's creds, right? The person who needs the most access and needs to try and do someone's basically dictation or other signing of things to get drugs.

So here's the total of investigated resolutions, corrective action. So you're gonna probably have a corrective action plan of some kind, and they're looking for change. How soon are they going to come back and monitor and check?

So here's some more common things that are exposed: lack of safeguards, lack of patient access to the protected data. So we all have the ability to get our data, right? And I'll get into that a little bit more towards the end. Lack of administrative safeguards, use and disclosure. So when you go in, you're gonna sign a whole bunch of papers. Don't blame that on me, all right? But that was the beginning of some of my handiwork. We better have people sign that they know what they're doing.

So this is off the site recently. These are some case examples, and we're gonna drill down a little bit. Here's the common ones: access right, access control, authorization. How's your BIA? You're gonna have some business associates. Conditioning and compliance, confidential communications, disclosure to avert a serious threat. We may have actually seen that with the Hollywood Presbyterian — that may have been, they might have been motivated because they needed some patient data, right, to pay the ransom. Minimum necessary — some people with too much access or access that accumulates, one of my pet peeves and favorite hot topic. Notices and safeguards, those kinds of things.

So if we look at safeguards and we drill down a little bit, the pharmacy chain is what I want to look at. So they're going to institute some new safeguards. They're under a protocol, they've had a complaint, they're going to go through the steps, and this is what I'm going to drill down into a little bit. So that's a little bit of an eye chart, hopefully you can see it.

Basically, the pharmacy was maintaining some log books, right, and they weren't securing them well. The result was the OCR wanted them to improve their policies. Now, who cares? Just improving your policies is really going to secure those logs? They don't, see even one hand. And that's really the problem, isn't it? Because security is not really privacy. It helps. So what's missing? What's missing is the actual security.

So I went down this list. These are the ones that have the complaints that have been investigated, grouped by categories. But what you don't see, because if you're doing anything in HIPAA security and trying to follow a protocol, you're going to have some other things. You have a lot more to do about encryption, you're going to have more to do about business continuity, disaster recovery. One of my things I'm focused on, media reuse, that sort of thing. We've seen nothing yet complained about or reported to the OCR. Nothing's been investigated by them around these things. So they've looked at the low-hanging fruit. I'm trying to give you an idea what's next, what are they going to look at next?

So when I think of business continuity and disaster recovery, and I think about the situation at Hollywood Presbyterian, if they were doing a good job there, they could have just told the hackers, never mind, we're not paying, we'll just recover our systems. We've got our data archived, we're going to recover, and we're really not going to do anything. So thanks for doing that, give us an idea, but we're not paying. But they decided to pay. In times coming, I'm predicting — there's a nice prediction, I like predictions, we'll see how long it takes before I'm right — I'm predicting that the OCR latches the idea that if you're paying a ransom, you're going to pay a fine to go with that, because obviously you haven't done a good job in business continuity and disaster recovery.

So in 2016, not too much will change. We'll see a lot of the same sort of discoveries because we're in the initial learning part of having the OCR and HHS and the IG from the HHS, which I get to visit with. We're in the process of them learning how to do this. What are we going to look at? So they're learning how to do it. And Jay talked about the FDA, they're also learning how to do it. So device vendors and the supply chain might be the most significant place where we can find help, or where we can find good places to do some solid work. So maybe the BJS are helping. All right, if you've not gone through the contracting process of a VA discussion, I hope you get that opportunity. It's great fun to watch the squirming and gnashing of teeth happen.

So when we hear the recent areas of focus from the OCR are these: business continuity, disaster recovery, risk assessment. We've heard a lot about that. They want to see that you've done one, then you're working at access to control. That's something that they've done work around, and that's where they're getting some of their findings. Privacy audits, security awareness, and training — that's an important component. Humans always the weakest link, human is. And the vendor BA relationship management.

So along the lines of the relationship management: okay, if a company does a SSAE 16 and they have whatever level they've got, that might give you some comfort, but there's still a need to delve into it and see. You need to go on site, look, check, make sure that they're actually doing what they say they're going to do. So there's value in it, but trust but verify, that's what I would say.

So what does the OCR expect? So it's not just a paper exercise. They expect you to actually be working it, right? Have some findings in your risk assessment and be working it. From a consulting perspective, I love to hear this because I talk about security risk assessment a lot. It really gives us a nice place to start, to build a roadmap and help customers, and it's something they can really hang their hat on. They can take that to leadership, obtain monies. So it's really an important thing. So maybe from that perspective, HIPAA is helping.

Right, site visits — my favorite thing — and interviews. I can find out more in a one-on-one interview than a lot of people. That's not because I'm going to use waterboarding or other techniques, which I'm aware of how they work. I'm not going to say I ever did that before or not. But it's just watching people react to a simple question, and then letting them know that you're there to help them if you're an auditor, and one of their concerns. It's surprising how people will open up to you and really realize that they don't have to be the one that's bringing that message to leadership. So looking for remediation and action plans and some evidence that it's being worked on. So you need to keep this stuff around for six years. So everybody doing that? I hope so. Keep your documentation.

Some additional things: okay, some bomb testing, and pen testing is even better. I would venture to say that most healthcare is not really ready for advanced pen testing. It's always a fun exercise if you get to do that. We love pen testing in the consulting world. But a lot of times we take a quick look and say, you're not really ready for pen testing. Let's just start with something a little more simple. Let's start with a risk assessment and see how we can help you get ready to be able to do a pen test.

So copiers and fax machines, always a fun time. Those things have a lot of capabilities these days. They have a lot of storage. And you know what happens, if you work with any copier guys, they're going to bring their little, basically, several bags and pieces of equipment. And if they can't fix the machine, what are they going to do? They're going to roll it out of the — they're going to probably roll it out of the enterprise, they're going to roll it out of the office, if it's a smaller machine, right? If it's not one of the big ones that requires several men and a truck and all that, if it's a smaller machine, it's going to have a lot of data, and they're going to have it. Social engineering opportunity right there.

Employee and contractor background checks: so check once when you hire them. Are you doing those constantly, right? Most companies don't do that. So breach insurance — people are buying that, and then when breaches happen, they find that they're not covered. So they're using all the breaches, sharing insurance, and then there's more money needs to go out.

Encryption is a safe harbor. Oh man, that one just about drives me crazy. Okay, is it really a safe harbor? So if my laptop is encrypted or my desktop is encrypted, and I've got patient data, it really depends on how do I use this device. So does anybody here use hibernate mode? I do. I'm sure I don't have any patient data, but I use hibernate mode, and I just close the lid. So now the lid's closed, and when I flip it open, it's right there. So it's not encrypted, so it doesn't go to encryption when I hibernate. It's encrypted if I turn it off, right? So encryption is a safe harbor, is the thing that — people will claim safe harbor, right, if they have a breach, although that device was encrypted, so it's safe. Well, maybe it wasn't, maybe it's not. So if your data — if you're the patient and your data is on that device — how do you know that it wasn't really accessed?

Encrypt whatever can sprout legs, so laptops, desktops, copier machines, medical devices. Write everything that moves, or everything that can move. Just because it's in voltage of the wall doesn't mean it can't be moved or unbolted or taken. So even big things — in fact, it's the big things and the social engineering component of having some guys in a moving van, but look like they're supposed to be there. Those are the things to really worry about, right?

Strong authentication, complex one-time passwords. It's always been a fun discussion. Back when I first got into HIPAA a little bit, we were having discussions about password complexity, and what we learned was it's a really hard thing. The clinician wants to — they might have one hand gloved, and they're gonna want to be able to type their password with one hand that's not gloved. And so it needs to be complex, but they still need to be able to do their password with one hand. I think we're getting away from that. They're getting used to ungloving or whatever, and so hopefully we can get a little bit more complexity in the passwords. But every time, it's always a fight. We're always fighting that battle: how are we gonna get the clinicians and the end-users to really use this?

Administrator credentials. So once you get in, and if you remember the pyramid, right, at the top is the administrator. So if I can become that administrator, okay, that's where I want to be.

And another fun thing that I like to talk about a lot — and we all do this — we send out, as business processes, emails that ask our people to click. And at the same time, we tell people in security awareness and training, don't click. Why do we do that? I don't get it. My bank's not sending me emails to click on. People from Nigeria are trying to send me stuff that looks like it's from my bank for me to click on. Not clicking on it. But from an internal perspective, if your company is sending things — oh, it's a business process, it's HR, oh, I need to do this thing for my employee — so yep, I get the thing and it's a click. No, no, that shouldn't be what's happening. What should be happening is I get a notice in email that says your employee Bob is needing a review, please go on to the HR system and do the appropriate thing. That's the only notice I get. Not a click on this and make it easy. And I'm trying really hard with some companies I'm working with to get that recognized and in knowledge, because you can't on the one hand tell people don't click on anything in their training, but then be sending out stuff that has links in it. It just doesn't make sense. And if there were ever gonna be an f-bomb dropped, that would be the place to drop one, because it's just maddening what happens there. Still didn't drop it.

So developing trust relationships, right? Working with your C-suite, having the tone from the top, having them realize that they need to apply moneys, all these things. Collaborating with external resources — hopefully you all, while you're all here, so that's great. You're going to industry things. There's professional associations: InfraGard, there's ISACA, there's GuSHA, a lot of them. And we have a lot of those things to belong to. You're gonna hear and collaborate with some great people, because you can't know everything, right? You just can't know everything.

So independent reporting, kind of a big deal. The C-level people get worried about this. There's usually a couple of them on the hook that might have to potentially don an orange dude and spend some time in jail. But really, I haven't seen that happening much. I mean, it really would take some illegal activity, and it would take — you'd have to work hard to be neglecting things enough to have that happen.

Manage a relationship risk, right? So it's not enough just to get a report from external third party on the SSAE 16, but you need to go there and see what they're doing. You walk around, you need to ask some questions. Okay, these things all take time. You have to have your documentation in order.

So what are some things you can do? Make sure you don't have PHI on local machines, so hopefully you're keeping it in your networks, right? Reporting security incidents — okay, if you see something, say something. We get a fair bit of email from people saying, hey, I got this weird-looking email, or there's this email with an attachment, or I saw somebody weird driving around the parking lot. We really get a lot of weird things.

Breach notification plan. Okay, these need to be timely. There's set times that things must happen once you've been notified, and it goes all up and down the chain. So if you have a really long chain of contracted third-party vendors who have contracted out, who have contracted out, the clock starts running down at the end of the chain. So if they're not good at communicating up the chain, you might find out after 45 days have gone by that, oh crap, there's this thing that happened, and I didn't get a whole sixty days, right? So don't delay in responding.

Here's something I learned: if you get a letter from the OCR and you need to make a response, it's okay to ask for more time. So I just called up the OCR and I said, I'm just getting this landed on my desk today, it looks like it's due in two days, and it's bounced around our system for 45 days. Can I have a little bit more time? The response was: sure, you can have another week, no problem. But it's because I at least asked. If I wouldn't have asked, I would have been running around all weekend and trying to kill myself, and you can't get to the people I need to get to. So it's okay to ask for a little bit more time.

So what kind of evidence? Screenshots are huge, and they're used a lot. Data dumps — and some auditors are good at going through data dumps, some maybe not so good. Log files, records. Really looking for two artifacts per control if you can get that. And reputation. So one of the things that I like to do is have someone demonstrate how they work something. That's usually a pretty telltale sign. So do we have a program rather than just a project? Is it true, is it funded, is it treated like it's something serious? Or is it just a, hey, let's hurry up and cobble a bunch of stuff together and get some documents to try and answer all of it?

What are some of the technologies? Okay, obviously encryption, right? Strong authentication, detection tools, stuff that goes beyond just the firewall stuff, the general stuff. Having a pen test, if you're up to that. Integrated solutions, continuous auditing and monitoring. And so when you get some time on the network and you understand what's supposed to be going on, then hopefully you can recognize when something looks like it shouldn't be going on. Tools for incident response, continuous auditing — that's a huge thing. Other tools to automate the GRC process.

So what are the behaviors that can help? The tone from the top, I talked about that. Security awareness and training. Okay, is it just an exercise in what I like to call click area, or actually causing people to think a little bit, right? What's the security posture? Is the C-suite engaged? You can tell a lot about that, how you're funding and supported. Attitude, right? Attitude is everything. Everyone is on the security team. It's not just the security team or the physical security team, it's the whole company. And if you see something, say something.

Alright, this is one of the funniest discussions in healthcare today. Apparently you own your data. Who here has a copy of their medical record? One person. Okay, if you were to ask for a copy of your medical record, what do you think you're gonna get? You might get some paper, you might get a PDF. They're probably not going to give you something you can consume electronically. So the OCR and organizations will tell you you own your data, but do you really own your data? Possession is nine-tenths of the law, we hear that a lot. The people who have the data are the organization, they're the people who own your data, right? So you don't really own your data, but you can ask for it. That's probably the most important point: you can ask for your data.

So are there ever errors on medical records? Of course there are. It happens all the time. So if you get your medical record and you look down through and you say, wow, this wasn't even me, or it doesn't look like the identity, there's a real concern. So you have a chance to verify your data. When you get a hold of that, it'd probably be a good idea to encrypt it and take care of it properly. And I say this to this audience, but what would I say to the general public who can't do that for themselves very well, or who aren't good at doing that? I would say maybe should consider put it on an iPhone. Even the FBI can't crack that. But we all can, right? Or maybe we can.

So security self-reliance — and I'm getting to the end of the talk here, and I just want to talk about that a little bit. So take some time, monitor your credit report. Okay, there's a lot of Dan Andersons in the world. Maybe that's a good thing, depending on who you talk to. That may not be such a good thing. But if you take some time and get your baseline and you know where you're at, then you'll be able to recognize for yourself when something's there. Because identity theft, especially for medical and people who are really sick and need medical, is going to be more and more of a theme. LifeLock, anybody here use LifeLock? Okay, I'm the only one. Interesting. That's not the only service out there, and you can certainly do it for yourself.

Alright, physical security quickly. Alright, your home, your car, and you, you're around. Got you. Okay, I'm gonna get a little bit short on this, but I just want to give you some things to think about. So get your medical record, know what's on your credit report. Okay, what's your situational awareness? You walking around with your head down and texting? You might get ran over, or you might encounter the first-person shooter, right? So there's a time and a place for those things, and there's a time and a place to be thinking about what's there.

So your profile: what's in your car? Okay, what are you keeping in your car? You pack your backpack around because it's got your really important laptop and most kinds of things. What do you have on you? Can you give it up easily? Alright, so you got your wallet on you, you've got a phone on you. What are you gonna give up first, your wallet or your phone? Who says wallet? Phone? Okay, if it's an Apple, even the FBI can't get in, so you're probably gonna give up your phone first, right? But is that what the person is holding you up wants? No, they probably want your wallet, because it's gonna be more difficult to deal with the phone. So give them both and run, right? You don't care.

First-person shooter, are you prepared? Right, run, hide, fight. Okay, get away, that's the same thing. Don't fight unless you have to, but if you're gonna fight, fight well. Alright, that's the end. I have a little bit of time for any questions, things you want to bring up, and if not, well, in there. Thanks everyone. [Applause]
