Page 1

10/3/2016

Practical Cyber Security Strategies for the Compliance Officer

Michael Pry MSIA

Member ID: 176473

Background

• MS Computer Science / Information Assurance, University of Maryland

• Director of Continuous Improvement & Enterprise Risk Management, Excela Health; Master Lean Black Belt

• Assistant Professor, Information Technology, American InterContinental University

• Pittsburgh InfraGard Health Care Sector Chief & member of the national InfraGard cyber security workgroup

• Department of Homeland Security / Health and Human Services Joint Coordinating Council, cyber security workgroup

Page 2

My days in compliance

• Sarbanes-Oxley Compliance

• Design of internal controls over financial reporting, globally

• Implementation of a self-audit program using a cloud-based work paper management system to reduce the cost of compliance

• Migrated manual controls to IT controls to reduce the cost of audit

• Trade and Export Compliance

• Denied and Sanctioned Parties List

• Harmonized Tariff Numbers

• SAP Export Module

Key Points to Discuss

• Lessons learned from recent HIPAA breach resolutions

• Cost of a cyber security breach

• The role of the compliance officer in cyber security

Page 3

What is Cyber Risk?

• Risks based on the loss of:

• System availability

• Data integrity

• Confidentiality or privacy

• How should we think about cyber risk?

• Threats

• Vulnerabilities

• Consequences

• Cascading consequences

• Mitigation strategies

The NIPP

What is a HIPAA Breach?

• Definition of Breach

• “An impermissible use or disclosure that compromises the security or privacy of the protected health information.”

• Unless it can be demonstrated that there is a low probability that the protected health information has been compromised based on a risk assessment.

Source: HHS.Gov Breach Notification Rule:

http://www.hhs.gov/hipaa/for-professionals/breach-notification/

Page 4

Examples of Cyber Risks Realized: The Breach

• Top Organizations by Record Loss

• Health Plan

• Anthem, Inc. 78,800,000

• Premera Blue Cross 11,000,000

• Excellus Health Plan, Inc. 10,000,000

• Healthcare Provider

• University of California, LA Health 4,500,000

• Advocate Medical Group 4,029,530

• Banner Health 3,620,000

Source: HHS.Gov Office of Civil Rights Breach Portal

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

What are the most common breaches?

Page 5

Most Common Breaches, 2009-2016

What are the most common sources of a breach?

Page 6

Source of Breach by Location of PHI

What are the cost categories of a data breach?

Page 7

Loss of Brand Image: Customer Churn

Page 8

What is the cost of a data breach?

Cost of a Data Breach

Source: HIPAA Journal, Ponemon Institute 2016 Data Breach Report

http://www.hipaajournal.com/ponemon-institute-publishes-2016-cost-data-breach-study-3470/

Page 9

What % of data breach cost is from OCR?

Cost of a HIPAA Complaint

137,770 complaints received by OCR since 2003

85,521 complaints did not present an eligible case

24,331 required changes in privacy practices

14,535 OCR provided technical assistance without need to investigate

11,055 no violation found

5,510 in process of review

578 referred from OCR to DOJ

37 ($39,989,200 total, or $1,080,789 average) settled in lieu of civil penalty

Productivity Most Likely Impact

Page 10

OCR Investigated Resolutions Trend

What is the newest trend in HIPAA Breaches?

Page 11

Are you aware of the emerging threat of Ransomware?

Ransomware

• HHS has declared that ransomware is a HIPAA security incident

• 71% of the arrival vectors are spam

Source: 2016 HITRUST Alliance

Page 12

Source: 2016 HITRUST Alliance

Lessons Learned for the Compliance Manager

• Create an incident response team / response plan

• Improve time to resolve an incident to cut cost of breach (Time to Resolve)

• Risk analysis and risk management

• Existing infrastructure

• Changes to infrastructure

• Cloud and Wireless infrastructure

• Change control procedures and patch management

• Security and control of portable electronic devices

• Proper disposal

• Physical access controls

• Policies on use of network services

• Security Awareness Training

• User password management

• Controls against malicious code

• Backup Systems / Ransomware attacks

• Encryption of data at rest and in motion, with secure endpoints

Page 13

Other Resources

PPD-41 United States Cyber Incident Coordination (July 26, 2016)

• Federal Government’s response to any cyber incident

• Shared Responsibility

• Risk-Based Response

• Respecting affected entities

• Unity of Governmental Effort

• Enabling Restoration and Recovery

Report cyber intrusions and major cybercrimes that require assessment for action, investigation, and engagement with local field offices of federal law enforcement agencies or the Federal Government.

Report Cyber Crime to NCIJTF CyWatch 24/7 Command Center: (855) 292-3937 or [email protected]

NIST Cyber Security Framework

• September 15, 2016, NIST released the draft Baldrige Cybersecurity Excellence Builder, a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts

Educational Videos


• Turn the Lights on Ransomware: https://youtu.be/-T8v2Mpl9n8

• Protect Yourself from Becoming a Ransomware Victim: https://youtu.be/duSQShJ2098
