HIPAA Best Practices for 2019
In this webinar, George Mateaki (QSA, PA-QSA, CISSP, CISA) covers:
- Current HIPAA compliance trends
- Top healthcare breach trends
- Tips to improve your HIPAA compliance and data security
This webinar was hosted on February 28th, 2019.
0:06 Welcome to HIPAA Best Practices for 2019. My name is Andrew and I work in marketing here at SecurityMetrics. Our presenter today is George Mateaki and as you can see on your screen, he holds the credentials of QSA, PA-QSA, CISSP, and CISA. He has a lot of experience helping organizations with their HIPAA compliance, helping them to secure PHI and helping them follow the HIPAA guidelines. So we're excited to hear from him today and I'm sure he'll have a lot of great information to share with us.
0:50 Just a little bit of background about SecurityMetrics before we dive in here. We've been helping organizations comply with mandates, avoid security breaches and recover from data theft since 2000. So whether it's HIPAA, PCI DSS or GDPR we help businesses meet these compliance requirements and it's our goal to close the gaps in your security and compliance efforts.
1:19 We have a couple of housekeeping items before we get started. Just a reminder, we are recording this presentation today and we will be sending that out to the email you used to register for today's webinar. So keep an eye out for that in the next few days. We will also be sending you a copy of the slide deck for your review.
1:46 And then one other thing, at the end of the webinar today, we will be leaving 10 or 15 minutes for a Q&A session. So throughout the webinar, if you have questions that come up, feel free to chat those in using your gotowebinar control panel and we'll be keeping track of those and try to answer as many as we can. If we don't get to your individual question at the end of the webinar, we will reach out to you via email to make sure you get your question answered. So now I’ll turn the mic over to George and he'll go through our agenda for today and we'll get started. Thanks everyone for being here.
2:30 Thank you. So this morning our agenda will be the following. We're going to take a look at what we learned in HIPAA in 2018. And then we're going to discuss the top five health care breach threats as reported by HHS. And then finally we're going to get into tips for securing your data and HIPAA compliance in 2019. So as we move through these areas some things might be overwhelming if you're new to HIPAA, but just focus on the big picture items, definitely the top five threats that you as compliance professionals will have to worry about and address in 2019.
Updates in HIPAA
3:19 All right. So, what did we learn from 2018? You'll notice in the slide that we were able to see how organizations were reacting and we observed that they really weren't keeping up with cyber security. So there's definitely a gap in what's happening in security and how healthcare organizations are reacting, trying to keep up with all the different vulnerabilities that come up. So much so that we had a report from the Identity Theft Resource Center that showed that healthcare security breaches accounted for 29.2% of all the data breaches last year. And so that's a significant amount.
HIPAA Requirement Trends
4:19 As we go to the next slide, you'll note that there are some statistics there. So what we did last year, we interviewed just over 200 healthcare administrators that have responsibility for HIPAA to get a feel for what people are doing. Now mind you, encryption is a requirement for HIPAA data, for PHI, and so notice on this slide, we have 54 percent of the people interviewed encrypting their PHI. That leaves a whopping 46% that aren't. And so the data that we gathered from our interviews is kind of interesting, but it reflects the 29.2% of data breaches that occurred in 2018. It reflects that not everyone is doing what they need to do for HIPAA. Notice also you have 40% doing reviews of firewall rule sets. And again that's just a portion of the total interviewed that are actually doing what they need to be doing for HIPAA.
5:31 And so with HIPAA, you'll notice they have requirements that are labeled as required, or that you have to do them. And then there are also some that are addressable. And so the ones that are absolutely required, if you don't comply with that requirement, then you are basically in violation of HIPAA. But the ones that are addressable, we just want to make a point that those are definitely not optional. So organizations have actually gotten in trouble with HHS where they were looking at addressable requirements and they decided not to implement them. And in this case it was encryption and they got in trouble for that because, though it's addressable, for some of the technical requirements it allows you some flexibility in how you address the objective. But it is definitely not optional. So just to make that point.
And we have some more information. 66% were using unique logins, which has to do with shared accounts. Do you share accounts when you're doing administration of these systems? And you know, again a stunning fact that there are a bunch of people not following basic best practices for security. Now, I just want to point out that with many of these health organizations, they have partners. And so not only do they impact their own compliance, but they deal with PHI and they're also impacting the security of PHI for their partners. And so this goes beyond just the entity trying to be compliant.
7:32 And again, you see those numbers. 24% are performing penetration tests and that is a best practice that will help give you a good idea of what your security posture is and of your environment.
Top Organizational Vulnerabilities
But let's move on to the next slide, also in 2018. We have a forensics department that does investigations and from their investigations, they discovered what the top organization vulnerabilities are. And I just want you to keep this in mind. Stick this in your memory because a lot of these things parallel with what HHS is saying. So you see right at the top there you've got employees. So that's a huge one in terms of how you secure your environment. Your employees are critical because they touch PHI. Their process has to be secure.
8:34 And so if you're not getting a handle on how your employees are interacting with things you open yourself up for breaches. And then the next one is insecure coding. Again this is a people thing where you have process and policy that should be around how you do your coding. It should help control insecure code from getting into your environment and opening you up for more breaches. And then the BYOD procedures. In many assessments, we find that certain organizations allow their employees to bring their own devices, sometimes for cost savings or for convenience, and when you don't have good procedures around that it’s another area for breaches.
You know, a doctor could have their iPad and they want to take home some patient information or to work on at home. And then if you don't have a good process around that, let me just re-emphasize this, if you have PHI anywhere on any device it needs to be encrypted. So just to re-emphasize that point. And then third parties. So with regards to third parties and breaches, you have to have a good vetting process in place. You have to have a well-established vendor engagement process. So that you ensure if you're dealing with PHI with a third party, they do have appropriate security in place to protect the privacy of the patients.
10:19 And then finally, insecure remote access. That has been an area for a while now that breaches have occurred. Not configuring remote access to your environment correctly opens you up to all sorts of attacks and hackers are constantly looking for organizations that haven’t configured the remote access correctly. And so these are some of the major areas that our forensics team found are where people are having breaches because of how things are situated in their organization.
Issues with a Compliance Mentality
11:00 So this slide is about issues with a compliance mentality. When we do assessments people react differently. There is one thing that raises an alert for us as we do assessments. It's when someone has a checklist type of approach to security. What this means is that they're basically just trying to check the box. Do you have a security policy? Create one and you check the box and that's where it stays. Security has to be more than that. The focus has to be on being aware that things change and criminals evolve. What was okay last year may not be okay this year, you know, with the different attacks and so on. You have to constantly change to address your environment and to properly secure it.
So having a checkbox or a checklist mentality with compliance is opening yourself up for a breach. That is the wrong approach to security.
Top 5 Healthcare Breach Threats
Okay, moving on to the next slide here. So the top five healthcare breach threats. This is from HHS and this is really interesting. They actually put out a publication that showed these top threats and we're going to get into that in this next slide.
1. Email Phishing Attacks
So the one on top of their list is email phishing. This has been around since you know, you've probably heard of the Nigerian prince that's ready to help you get his money out of some account.
You know that's been around forever and that still works today. Sophos has data on this and they show that eighty thousand victims are hit every day with these types of scams. In the PHI world there's value in that data. And so with email phishing, it used to be earlier on it was a lot easier to figure out. They had grammatical errors. They had URLs that were strange and things that didn't look right. The level of sophistication, because there's money in this, has risen to the point where it's not easy to detect.
So what ends up happening is that people fall for them, even though they get a lot of training and they get the reinforcement, “Caution, if you see a link from someone that you don't recognize, don't click on it.” The same with the phone number, you could get some phishing email with a phone number that goes to a call center that sounds very real and very professional and then it disappears in a few days and they have gathered PHI and done whatever they need to do with it.
So with phone numbers and links and such in phishing emails, this is something that people need to be cautious of. And this is on the top of HHS's list of healthcare breach problems. And so this should also rise to your list as well. “Hey, are we doing what we need to with regards to the email phishing? Are our people trained?” So the basic best practice for this is training. You train your employees not to just click, out of curiosity, on links that come through in emails that they don't recognize. And you train them not to just call phone numbers that they don't recognize.
14:52 And that's your basic best practice. There are additional steps you can take. There are email systems and technologies that you can apply here that will help secure and ensure where emails are coming from, some sort of authentication mechanism. Those are definitely additional things you can do. Okay, so that's the email phishing.
2. Ransomware Attacks
We're going to move on to the next item, which is ransomware.
15:25 So ransomware is, relative to how long I've been with computers, kind of a newer thing. But what's interesting is that the healthcare industry is a prime target. They're like the preferred victim to attack because the criminals know that healthcare organizations can't be down for very long. And so if they're able to get something into one of these organizations, they also know that they can pay and so they are a prime target for ransomware. An interesting thing is that people have put in what's referred to as ‘endpoint protection’ and even with systems or solutions that have current updates with endpoint protection, the ransomware was still able, in 75% of the attacks last year, to get a successful attack.
16:28 Ransomware is very sophisticated these days and it's able to change as it moves itself throughout systems and so avoids detection. So things have really evolved in this space but it is something you need to be worried about. So, what do you do about it? Obviously you can turn to backups if you have some sort of backup system. So now here's a situation where you have to be aware of what is currently occurring in your industry and you have to situate your backups in a way that you can return to some prior date and that you don't infect your backups with the ransomware.
17:24 And so, people do all sorts of schemes where they'll be able to go back two weeks to any specific day once they're able to determine that ransomware is somewhere. So these are some approaches. The other thing to do is to prevent them from getting that ransomware into your environment. So patching systems is key to this and educating your employees. Again, it's already been mentioned here, phishing, but this is another area. You might get an email that you click on the link and it starts to install ransomware in your system. That's another way you could get infected and get ransomware.
18:09 So, training your employees, ensuring that systems are patched and up-to-date and getting a good backup system that ensures that you won't accidentally get your backups infected are the best practices to combat ransomware. All right, so that’s ransomware.
3. Loss or Theft of Equipment or Data
Now we're on to loss or theft of equipment and data. So in this current age we have mobile devices. We have little thumb drives. We have all these areas where we could possibly have PHI. Again, let me just re-emphasize, if you have PHI anywhere sitting somewhere it needs to be encrypted. So this includes smartphones, tablets, laptops, any of these mobile devices that could possibly be stolen or lost. And so that becomes another critical breach point and that's number 3 on the HHS list. And so best practice is, you should have a policy and procedure around any devices that are allowed in your environment.
19:24 So in the policy you specify how the devices are allowed to be used in your environment and you keep an accurate inventory of the devices. So, you know exactly what's going on and when something gets lost. So these are some best practices that will address the issues with losing devices and this is not a new problem. This has been around for a long time and people have been using encryption for things beyond HIPAA. So it’s a very basic security principle. The other thing around those devices is physical security. Ensure that you have a process. So for example, if you have thumb drives that are used by the company, make sure there's a process of checking them out and bringing them back. Make sure, if you have PHI on them, that they are being encrypted. So process and policy should be built around these devices.
4. Insider, Accidental or Intentional Data Loss
20:27 Alright the next item. The next slide here is Insider Data Loss, either accidental or intentional. Accidental in the case of phishing emails. That would be an accidental breach of PHI. Or intentional. Let's say an employee, contractor or a third party, someone that has access to the inside systems is mad or wants to try to make some money off of some PHI. This is where that breach occurs and it’s number 4 on our list here. So what do you do with that? Employee training is important to prevent the accidental stuff.
And then there is the intentional data loss. I haven't mentioned this yet but many of you will recognize this, there is what's called ‘the principle of least privilege’ which means you only give people access to what they need for their job. When it comes to someone internal, if they don't have a need for access to something you don't give that to them. In fact, that's actually a HIPAA violation if you do. If there's some sort of internal issue, it limits how far that's going to go by limiting what they have access to.
5. Attacks Against Connected Medical Devices
So the last item, number 5, is attack on the medical devices. That's a pretty interesting one in terms of breach threats. You have medical devices these days that are ‘The Internet of Things’, the IoT systems, where you have medical devices interfacing with other computer systems and mechanical devices and people as well. These represent another environment where PHI could exist. So what do you do about these things? Some of the other controls that work for the other areas or other threats work here as well. So let me just throw out number one, patching your systems. For people to get access to these devices a lot of times they'll breach some existing system and then work their way to these medical devices. So patching is important. Patching as much as possible. With the medical devices sometimes these devices are proprietary and the patching mechanisms aren't able to be put in place. And so in that case what do you do? Well in those cases, if PHI does not have to be on the device, you basically turn features off that don't need to be there. If there's a wireless feature on the device and that's not in use, turn it off.
23:32 So basically these are attack vectors. You're minimizing the number of ways that this thing can be attacked. And in addition to the technical controls you can put on physical controls. You can control how that device is used in the organization. You monitor where it goes, you monitor who takes it out and then you can also do, I mean this is pretty techy, but you can analyze traffic and look for when traffic changes. So that's a deeper way to protect those devices from being compromised. In my own assessments, I’ve noticed a lot of those devices have little USB ports. And so if you can disable the USB port, anything you can disable that doesn't need to be available will help you minimize the ways people can attack that thing.
24:33 Okay. So there you have it. There's the top 5 HHS threats and vulnerabilities. Let me just give you a little example of what happened with a medical device. There was an incident where an attacker took over a Windows server and this Windows server was hooked up to a heart monitor. And so what the attacker was able to do, he was able to get at other heart monitors and cause them to reboot up and down. And you know, this causes risk for the patients and so it’s not a good situation.
Tips to Improve Your HIPAA Compliance and PHI Security
This is the third item and it’s going to be a little lengthy as we talk about tips to improve HIPAA compliance in 2019.
25:34 And so we have a whole bunch of items we'll talk about here. The next slide is where you start.
1. Determine Your PHI Needs and Usage
How are You Protecting PHI
How do you protect something? You have to first know what you have. You have to quantify it. Where does it live? Where does it move around in our organization? This slide is indicating, how are you protecting PHI? You need to know where this thing is. Where does it get processed? Who touches it? What systems touch it? How does it come into your network? Does it become a physical file? All these things come into play in trying to figure out how you're going to protect it.
26:24 And so with PHI there are 18 unique identifiers that HIPAA references. Things like name, date of birth, social security number, people over 89. Things that could uniquely identify a person. A full face photo, things like that, and some health information. The past, present, or future state of your health insurance information. So these are the things you're trying to keep private and protected.
PHI Flow Diagram
All right, let's move to the next slide. In the next slide we talk about documenting your PHI. A good way to start is to set up a diagram that tracks the flow.
27:22 Where does PHI come in? How does it get processed? Where does it get stored, if it does get stored, and then what happens to it? How does it get out of here? And then once you've documented this, the key piece to any of these security measures is that you maintain whatever it is you're doing. You have to make it sustainable. If you create a diagram one year and then you don't update it as things change, three years later, do you have a diagram of your PHI? Yes we do, but it's useless because it doesn't reflect the current state. All right, so when you're creating your documentation for how PHI is processed or stored in your environment, you need a process to maintain that document. We'll discuss some of that a little bit later but that's important. That's an important part.
Regularly Document Changes
28:17 So the next slide is basically talking about how you should update your document when things change. So for example, let's say your PHI changes location and you're like, “Well, it's still the same process basically, but now we're just sticking it over in that locked room instead of that locked cabinet,” and he's like, “Oh, I don't want to update the document, it's close enough.” So that approach could possibly lead to a breach. You have to be diligent on this. If something changes, properly document it. The question you ask is, do we have to do anything different to protect PHI? That should be the question when things change. So it used to be in a locked cabinet and now we stick it in that locked closet. The question is, “Who has access to that closet? Is it just the people that need access to that PHI?”
29:17 So those are the process tasks that need to happen when a change occurs. And you need to update your document. That's critical to avoiding breaches; even though it may not seem that important, you have to approach it that way. So another point that we wanted to make here is sometimes when we're auditing an organization they try to do everything right before we come on the audit. This includes changes and updating their documentation, and a lot of times this can be inaccurate because you're trying to cram stuff and make changes and trying to figure out what happened throughout the year. So the better way to do it is in increments, right? So every time something changes you have a regular process to update the documentation rather than trying to save it for later because it's not that important.
30:18 This is something very important and it helps you protect your PHI and so let's associate that with patient harm. Because you're not protecting PHI you could possibly cause a problem and you could have patient harm and possible fines. That's what that translates to, neglecting your HIPAA compliance items.
2. Determine and Address Your Vulnerabilities
All right, so the next tip here is making sure you're looking at vulnerabilities. Things that could cause you problems. Things that could cause you harm.
Review and Update Your Risk Analysis on Annual Basis
So the next slide talks about risk. The tip here is that on an annual basis you update your risk analysis. When you're doing a risk analysis, you want to look at everything not just your little system that processes PHI.
31:17 Are there other systems? Are there physical systems? Are there things that deal with people that could affect the security of things? So when you do a risk analysis, are there any controls that need to change or be updated? Meaning, are there HIPAA things that we do that need to be updated because of changes to PHI?
31:43 And so that's all part of your risk analysis. I'm going to get a little deeper into the risk analysis here. But from a HIPAA standpoint that should be performed at least annually so that you are addressing the things that need the highest priority. We'll talk about that here.
Analyze Your Environment
32:03 So let's go to the next slide and I'm just going to talk about risk analysis here. So with risk analysis, you're looking at vulnerabilities, vulnerabilities being some sort of issue like a flaw in the design or something that could cause you a problem. And then a threat, what is the threat? Can somebody use that vulnerability to do anything? There's a threat that something could happen and then there's the risk. What is the risk if that threat is acted upon? I'll give you a real life example. It's not HIPAA. So let's say the vulnerability is your door lock broke on your door. And so that's a vulnerability, now the door doesn't lock.
33:01 So what's the threat? Well, if that's the door to the kitchen with utensils and stuff in there, there's a threat that someone could go in there and do stuff, steal stuff. Well, what's the impact? The impact, you know, that's where your risk comes in. The impact is, we could lose a bunch of utensils. Well, let's change the scenario. What if that was full of PHI records? A bunch of boxes that people said, “This is old, we’ll store it here for now and we'll figure out what to do with it later.” Well now your impact is huge. You could have a data breach, HIPAA violation, fines, etc. And now the impact is a lot higher. So the threat is, how likely could this vulnerability be exploited?
34:00 And then the impact has to do with, what could you lose? What's the value of the loss and the risk? You are figuring out the probability times the impact and that equals risk. The higher the probability, the higher the impact, the higher the risk. And so in your risk analysis, you're going to come up with vulnerabilities and threats and what the impact would be and that's going to help determine what your risk is. The higher risk items should be addressed first. Sometimes for organizations that haven't really done this, this can seem overkill. They think, “We know what we need to do. We don't need to do this extra step. What's this for?” Well, this extra step helps you prioritize what you need to address.
Determine Risk Levels
34:56 Alright, so the next slide talks about risk levels. And so as you're figuring out all the possible things that could happen and what the impact to your company could be, reputation problems and or financial loss, whatever it might be. You're going to rank these and then you're going to set a plan of what you're going to do and this becomes your mitigation plan. So with the risk analysis the way it should happen is, you should prioritize your risk, know what your mitigation plan is going to be, assign it to a person or group and set a date. I'm recommending that because sometimes when you don't set a date things can kind of get lost. This shouldn't be a nebulous thing, right?
35:52 These are clearly defined action items that need to be addressed to mitigate risk, actual real risk to your organization.
Don’t Delay Risk Mitigation
This slide is emphasizing the fact that you can't delay this thing. You have to do it immediately and take action on it because it is important. I've observed organizations that delay on mitigating risk and this can cause problems. That's why I suggested setting a date and ensuring that you assign a resource to it and approach it that way. So don't delay because it's easy to lose sight of what needs to be done.
3. Security and Privacy Policies and Procedures
Security and privacy policies and procedures. HIPAA has a lot of required policies and there are some people who offer templates for this. I've seen some of the ones done by lawyers and they are awesome. They address all the requirements of HIPAA. So you do want to take some time to do those correctly so that you ensure you are meeting all the HIPAA requirements.
Place Someone in Charge
This raises a point. We want to emphasize that you have to place someone in charge. The way I think of it, there needs to be somebody that goes to sleep at night and worries about this. Is everything the way it needs to be? What do I need to do to move forward? Assigning someone to this responsibility, some sort of security official, is going to ensure that these HIPAA requirements get the necessary attention.
37:57 And so that is a requirement. It's a HIPAA requirement. And it is absolutely necessary for successful implementation of HIPAA controls. Another recommendation that we would make is that you involve a security professional. Someone that understands security and that can help with some areas that whoever takes on this responsibility may need some help with. One other point to make here is you don't want the security person to also be the one that actually has to go fix the problems that they detect. It’s kind of like a fox guarding the hen house, right?
38:42 So ensure that there isn't a conflict. The person running vulnerability scans and finding vulnerabilities in the network shouldn't be the one that needs to go and fix it. These need to be separate. So that they can say, “Hey this needs to be fixed,” and they follow up on it. And they say, “Hey, network admin guy you need to address this,” and that gets addressed correctly. If the admin guy is also the security guy then fires may take priority over important security things. And so conflicts can cause breaches of security.
Policies and Procedures
39:29 So policies and procedures, you need to implement these things. There's no getting around all the required policies that HIPAA has. Some important things are, you have to keep these things updated and you have to train your staff. It’s of no use to have a policy that no one knows about. I've seen this happen. I've been on assessments where I say, “Where's your policy?” and they have a policy and then I talked to the people and they have no idea what the policy requires. So it is important that whoever these policies apply to gets trained and understands what their responsibility is. So that is an important point. And there again, it should be regularly updated. It should be reviewed regularly to ensure that any changes are addressed and the policy is updated as needed.
40:25 Okay, just another thing to note: if you're creating a policy for your HIPAA compliance that is only two or three pages, it's probably not large enough. That's really inadequate. That will not meet what's required. But if you're having trouble in that area there are people with templates that can definitely help you meet all the requirements for HIPAA on policies.
Example Policies and Procedures
All right, some example policies. So here's some things that you're absolutely going to have to do. You can see on this slide here you need to have your Privacy Rule policies, including your Use and Disclosure of PHI policy and your Minimum Necessary Security Rules policy. And then the Physical Security and Log Monitoring Policies. So these are policies you'd have in place and these all are helping to ensure that adequate controls are in place. So you’ve got the policy and you’ve got the procedure and the policies are driving the procedure and driving your compliance controls.
Strengthen Physical Security
41:48 Let's move on to the next slide. We're getting into actual physical security. We have a few tips on this. For physical security a big piece of it is ensuring that you have accountability. Can you determine when people are physically in an environment? Things like logging, access badge controls and video. Do you have cameras that are monitoring areas where sensitive data exists? For example, the door to a storage room. You could stick a camera up and monitor who goes in and out of that storage room. You can have some sort of access badge. With physical security, one of the things you want to do is ensure you can tell whether or not someone belongs there.
42:48 Oftentimes people will have a policy that requires visitors to either wear a badge or be escorted. And so these are policies and procedures you put in to help strengthen your physical security. In my assessments of HIPAA, I've been surprised at how many times I find old files sitting in some room that people forgot about. I don't know why but it happens a lot, especially when one company will buy out another company, you'll see basements full of old boxes of PHI sitting somewhere and sometimes it’s not even locked and people forget about them. There's no tracking and people don't know that there's PHI there.
Physical Security Dangers
43:43 This slide emphasizes the point that if you have some off-site storage of files, you need to ensure that there's some documentation. People need to know where they are and make sure it doesn't get forgotten. If not, security deteriorates and then you have a breach. So this is definitely a tip to consider.
I'm going to move on to the next slide. It's about role-based access. This goes back to the principle of least privilege role-based access. I mentioned earlier that if you have access to PHI that you don't need access to that's a HIPAA violation. Role-based access is an approach to managing access that can help you limit access to just the stuff that people need for their job.
44:45 So for example, if the front desk administrative person does not need access to all of the file information, for example x-rays, but they just need access to a small portion, you can create the things they need access to and save that as a role. That role is how access is given to people. This can be applied to a technology system. It can be applied in other ways. But many times this is deployed in some sort of a system environment and you use these roles to ensure that PHI is properly controlled. Oftentimes the folks that are higher up will want a lot more access than they need.
45:35 From a security perspective you're opening up areas that could be attacked that don't need to be there. So limit access to PHI to just what people need for their job. Sometimes people will say, “Hey, I have a medical emergency. I need to make an exception to the security rule because there's a life-or-death situation.” The way you approach this from a policy and procedure standpoint is that you create policies that address medical emergencies.
46:30 For example, let's say a firewall rule had to be opened up to allow access to some important system. If there's no emergency or exception policy, it could be that that firewall rule stays there and people forget about it and then it gets used to create a breach. So you need a procedure for after the emergency is over. There needs to be a post-mortem process that looks at, “Do we need to put things back? Is there any security that was broken that needs to be put back in place?” And so I would suggest that in your policies, as time goes on, you'll need to consider having some sort of policy that addresses things that could happen in your environment and that's just the reality of it. But you want to make sure that whatever you do doesn't create a potential security problem down the road. So moving on here.
Establish Notifications if Processes Change
47:29 You should have some sort of alert process where if things change in terms of your PHI environment you should know about it and build that into your process and your policy.
Regularly Update and Patch Systems
I'm going to go to the next slide here, Updating and Patching Systems. This was mentioned a few times for the medical device attacks and other attacks like ransomware. Patching is critical for your environment.
Configure and Review Logs
48:09 Configure & Review Logs. The review of logs is not meant to be a manual process, right?
You configure your logging to alert you if something happens. My advice is to ensure that it's working as designed. If you're trying to alert on an admin logging in, have an admin login and make sure that the alert gets generated. “Trust but verify,” that's what assessors tend to say.
Other Security Considerations
Encryption. I've emphasized the importance of this. If you store PHI anywhere it needs to be encrypted. There are other things that you can implement including Intrusion Detection, Intrusion Prevention and Remote Access. Let me just reinforce this, you have to configure your remote access securely. You set up some VPN with multi-factor authentication and that is the current way that people set up the remote access. Ensure that it's done in a secure way. That's another attack vector commonly used by criminals.
49:23 Some additional security best practices. We have a little bit of wireless information here. My recommendation is, if you don’t need it don't use it. If you have to use wireless, currently a lot of people will use WPA2 with AES and that tends to do the trick. But if you can avoid using wireless, that's probably a better way to go. Then you won’t have PHI floating around.
Okay, the next slide is about training. I'm just going to be brief on this because I ate up too much time already. Training has to be implemented. You'll remember the phishing email. Phishing is a big issue. You have to train your employees to know what their responsibility is and how to treat PHI. That's critical if you're going to have any hope of being successful with your HIPAA controls. Also social engineering. Make sure they're aware of current attacks. In your training you're going to hit different categories. And then, you need to test your people. Make sure that whatever your training is that it's actually being effective. Are they actually getting what you're trying to train them on? And so, getting some sort of feedback, some kind of test is important.
5. Incident Response
I'm going to talk about Incident Response. Incident response is another important control, being able to react to a breach or suspected breach. You want to test your incident response plan prior to a breach happening so that you can make sure that your plan won't bring down production systems and won't damage things. You should have an incident response plan to figure out what you're going to do if a breach happens and then test it. Make sure that phone numbers work and that your plan is going to do what you intend. And then there should be a feedback loop. You should also be able to document lessons learned and update your plan based on your testing.
51:49 All right. I'm moving on to another training slide. We’re emphasizing the fact that training is so important. NIST has a number of attack vectors that they call out and five of them have to do with employees. So let me just re-emphasize that this is where a lot of breaches are occurring, with issues with the employees.
52:14 Okay, I'm moving on. What are the takeaways from this little presentation? Number one, you need to figure out what you have, right? Determine where your PHI is and then as part of your HIPAA compliance, you should do an annual risk assessment. That way you can figure out where you need to allocate resources and address any sort of threats. Then train and test your employees. For me, those are big. Let me just put in one more point and then I will turn time for Q&A. This has to be a culture. You have to set a culture that comes from the top and it has to be, “This is the acceptable behavior in our organization.”
53:09 That's how you're going to implement a HIPAA compliance program, security controls that actually work. Otherwise, if it's not the way things are done in an organization people will be resistant to the change. And so again, I re-emphasize this needs to become a behavior or a culture that's pushed down from the top. Hopefully the presentation was helpful to you in understanding what the big items are per the industry and some tips that could help you become compliant. I'm going to go ahead and turn the time back over to our host and I thank you for spending time with me.
All right, great. Thanks George. Some really great information today about HIPAA compliance. We've had a few good questions come in. One thing before we get started. I want to let all of you know that we're in the process of being able to do HITRUST Assessments here at SecurityMetrics.
54:14 We'll be able to do HITRUST Assessments in the near future [and currently able to perform HITRUST Assessments]. So feel free to contact us to find out more information if you're interested in that.
Question and Answer
The first question is, “How do we ensure data security while in transit over a network?” So George, if you could speak to that a little bit. Yes, so my immediate thought is encryption. The same question comes up with regards to the Cloud. How do you ensure your cloud data is going to be okay? And for a lot of people they took the approach of, “Well, I'm going to use a cloud service, but I'm going to encrypt my data. So no matter who touches my data out on the cloud, they won't have access to it because I'm encrypting it and I'm controlling how the encryption is occurring.” There are other things that come into play, right? But the basic, “How do you encrypt transmission over a network?” It's going to be encryption.
You also want to prevent people from getting on that network that shouldn't be there. And so ensuring that only people that need to be on that network are on there. Segmentation is the term often used to say, “We're going to cut this little piece out so that it's ultra-secure and only things that need to be on that network are going to be there.” And so you limit who has access to that network. So those are a couple items that people do to secure their networks.
55:50 Great. Alright next question here George. “Do you have any recommendations of applications that provide log monitoring like a FIM IDS and do you have recommendations for a Pen Test?”
56:05 Yes, so OSSEC is used a lot, the ELK stack, some open source tools there. The ELK stack is a common tool used for logging. The other question was about a Pen Test. With penetration testing oftentimes there are offerings that are really more of a vulnerability scan than a Pen Test. A penetration test goes beyond just a vulnerability scan, right? And so I don't know if it's still the case but some years ago people were selling a vulnerability scan as a penetration test and that's not real. I mean that's not a penetration test. A penetration test will go beyond. It'll figure out if there are vulnerabilities and then validate whether or not they are exploitable.
57:04 And that's the difference, can I actually exploit this vulnerability? And penetration tests are usually a lot more involved than just a little scan. They're going to find out what are the current ways that people are breaching systems and will that work in this environment? Do they have anything that could possibly be breached, flaws and design flaws in the network and systems. So a penetration test is much deeper than a scan. So the question about who to recommend, you'll find that the price runs a very wide range. So, my recommendation is to get multiple proposals and compare them. Find out what you are getting for your penetration testing money. That's key, that's important.
58:03 So I wouldn’t endorse any specific product but I would say be careful, don't pay for a vulnerability scan. Make sure you're getting a penetration test.
58:14 Great. And while we're talking about recommendations, do you have any recommendations for secure password management? Well, there are a lot of them out there. There's one that never knows your password. You manage the encryption key. I can't remember the name of it.
58:38 I thought that was a good idea. It’s not KeePass but it's one of the guys that compete with KeePass. If you do a search, you'll find the top ten password managers. You always run a risk. What if the password manager code gets compromised? Then somebody could get access to all my passwords. That's always going to be a risk other than with the folks that allow you to manage the encryption. I’m assuming that wouldn't be as much a risk. But yeah, I don't think you get away from the risk. It's happened before with password managers that were around for years.
59:28 And so just because something has been around for a long time doesn't mean it's secure. So, you have to have some trust. You're sticking your passwords into somebody's manager and there's a number of them out there. I confess that I use one, but I'd be okay if it got compromised. I do multiple things to secure my passwords. You should have a redundancy plan just in case it gets compromised.
Well, we just have time for a few more questions.
One interesting question that came in is, “What about fire protection?” You should get that. That's important. That's definitely a vulnerability. And I'm assuming it's for anything. So oftentimes data centers will have some fire suppression system. Halon used to be something that people used and then it changed to other chemicals. But for fire, many risk analysis type plans do incorporate natural disaster into their, “What do we do from a risk perspective? How big is the risk?” The way you figure that out is you look at how many fires have occurred in an area that you're in. That's one way to calculate it. But the question about fire, typically you have a sprinkler system or some fire extinguishers and you put process around the fire extinguishers and get them inspected.
1:01:17 That's typically how fire is addressed. You could get crazier than that if you're guarding something really valuable, but that's a typical approach to addressing the vulnerability of having a fire.
Another question that came in, “If we have a forum where people talk about their health, are we needing to address HIPAA?” That's a really good question. Yeah, as a healthcare provider, I would not go near that thing. I would be hesitant to... The question is, “Do we have to worry about HIPAA in a forum where people are discussing their health issues from a HIPAA perspective.” They should do it in some anonymous form, but I don't think that's occurring in forums. But yeah, for the benefit of discussion and helping people learn things. It should be done in some sort of a way that they can't uniquely identify the health information of the person. That's what should be done. And so as a healthcare organization, I would be very careful of getting involved in those. The recommendation is to stay away from that because that would be a HIPAA violation if you get involved in that and things get disclosed that shouldn't be. So, yes.
So the last couple of questions, “Would a device such as a Roqos Core be sufficient for firewall monitoring intrusion prevention for a small office?” I'm not familiar with that device but I suspect it's similar to the FortiGate or SonicWall. Here are some things to consider. I think most firewalls these days have the modern features where they can monitor state on the ports and they're able to detect an attack. So if you have some sort of IDS or IPS embedded in the device, that would be awesome. I don't know if that's part of it but for a small office that should do the job. Now if you're wanting to incorporate IDS, you may need to add some sort of additional device if the little firewall doesn't have that.
1:04:14 From a HIPAA perspective as long as you're doing all the controls, you're reviewing the ruleset and making sure that you don't expose more than needs to be exposed. If PHI is involved you need to be very careful at that point. Ensure that before PHI does anything it’s getting encrypted. If it's leaving your environment or coming into your environment, make sure you have appropriate protection around it and encryption is a good way to do that.
Awesome and just a follow up going back to the question about if you have a Health Forum where people are discussing their health issues. The question is, “What if you're not a healthcare company? Do you still need to follow HIPAA?”
So usually the issue is financial, right? You could get fines. As long as you're talking about yourself that would seem okay but as a security professional I would just not do that at all. I would keep myself anonymous. But from a liability standpoint I don't know that you would get a fine from HHS for doing that, especially if it's just on yourself. But I personally just do not feel comfortable doing that so I would not engage in that and I would try to keep myself anonymous if possible.
1:05:50 But you know it is a HIPAA concern but it's not one that anybody would get dinged for because it's you sharing info that apparently you're okay with. That would be my thought on that. I think that's a hard question, but I don't think there's any liability there. We just had someone with an interesting comment saying she's wondering, “Does HIPAA apply only to covered entities which are healthcare providers, healthcare clearinghouses and healthcare insurers?” Are you saying and not business associates? In this comment it doesn't list business associates. Business associates are subject to HIPAA because they could interact with PHI and oftentimes they'll have agreements with the covered entity that could also include privacy rules. So the covered entities definitely are subject to HIPAA and business associates that engage in providing services for them, for example billing etcetera, are also subject to HIPAA.
1:07:07 Okay, great. We had someone else chat in with a recommendation for a great password manager. They said they like LastPass. I like LastPass and I've used it. I use something else these days but I like LastPass.
1:07:26 Do you have time George for a few more questions? Yeah. Okay, let's keep cruising through these. We're trying to wrap up but we want to get as many of these answered as possible.
1:07:37 So one question is, “How do you transport backup media to your off-site storage location?” I guess you get tired of hearing about encryption, but that's how you do it. You do not take your backup unencrypted anywhere. In our local area we had an incident where a whole bunch of data was lost and it's because some guy had the backup tapes in the back of his car, stopped at 7-Eleven and somebody stole his briefcase and it wasn’t encrypted. And so there you go. You have a data breach over some guy carrying non-encrypted backup stuff in the back of his car.
1:08:19 So encryption is the answer and that's how you should do backups. So that when you're taking them to an off-site storage, they're safe and it's okay if somebody steals them, they're useless. I think a lot of people are moving away from tapes. They're backing up to disks these days. But yeah, if you're still dealing with tapes and off-site tapes, definitely encrypt.
Also George, we had a question about a recommendation for data access emergency. A recommendation for a policy? It just says a recommendation for data access emergency. Did you have any recommendations? Well, hopefully I understand the question. But what I would do is I would set a policy so that somebody has to prove the emergency. It can't be just, “I have this emergency, I need it now.” It needs to be, we call x y z and you get approval first. Get the approval and then you provide the access, the IT folks or whomever needs to provision access. And then after the emergency you need to do a post-mortem analysis of, “Why did this happen? Why was this exception needed now? What do we need to do to go back to how we were and get things back to secure and do we need to remove access that was provided?” So emergency policy procedure needs to clearly define what's going to happen when the emergency has passed and how do we put things back the way they need to be.
George? Do you know how long encrypted emails need to be stored for HIPAA? And we're talking about emails that have PHI? I want to say nine years, but that may be wrong. We can look it up. We're gonna look it up. I'm so sorry. I don't know, I forgot.
And then another question. “Would password requirement be okay for a thumb drive back-up?” So again if we're talking about PHI, oftentimes people figure out a way to break those things. So if we're talking PHI, I would recommend making sure it's encrypted in some way but I would be careful of that because sometimes people figure out how to get around the password on those devices. So I have what's called an IronKey and it is encrypted. My IronKey has a password and has things like that. If they break into it somehow would they be able to get the data? I'm okay with it as long as it's keeping things encrypted. I'm not too sure what technology is being used, but I would be careful just because I've seen where different technologies to secure thumb drives have been bypassed. Hopefully it's not one of those and hopefully yours is secure. If everything works as designed and information is encrypted correctly, that's good. That should work. Awesome. And George, should server hard drives be encrypted?
1:12:23 Should they? I would not personally, just because sometimes that can take a performance hit and oftentimes when there's a breach, if a server is running and somebody breaches the system, the drive is accessible, whereas if you steal it and try to get onto it, you can't get access to it. So a lot of times drive encryption ticks the box, but sometimes the way that people breach those things, it doesn't protect it. It’s not a bad thing. It is definitely one more layer of protection. I wouldn't say it's bad but I wouldn't rely solely on that. But I mean if it says I need my PHI encrypted, you meet the requirement. But make sure that that system is patched and that it's up to date so that somebody can't break into that system. Because when it's up and running and somebody is logged in and somebody breaches it, the data is accessible. That's something to consider.
1:13:44 Well, thank you everyone for being here today. We're going to end with one final question. George, do you have any recommendations for risk analysis templates? NIST has one. It's kind of big. I can't remember the darn number but NIST has a risk framework that you can use. It is a bit large though. I've seen them as simple as people listing the vulnerabilities and threats and what the potential risk is in a spreadsheet. I've seen people do that. They document the risks and they rank them based on the impact and the probability and then they assign a resource to it. So I've seen it done that way where your risk analysis is just a little spreadsheet. Or you could go the other way and use the NIST framework. NIST has a risk analysis framework that you can follow. But that may be a bit much for a smaller organization. But it's thorough and it does the job. George, we have someone chatting in that they think it might be the NIST 800-30. Yeah, that sounds like the right one.
1:15:22 Thank you for that. Awesome. Well, we're going to go ahead and wrap up. I know we've gone way over time and we appreciate George for carving out some extra time to answer some questions. I just wanted to end with a story that someone chatted in. They said, “Hey, I just want to let everyone know about a scam that we have been experiencing lately. A company calls us calling themselves the PCI and HIPAA company and say that they need to do a mandated audit on our system. Every time we asked them for their company information they get super dodgy and hang up. Different people with the same scammy script call and we again ask for anything in writing or more info on their company and they always hang up. So I just thought that was funny.” It's just something to be aware of and George you have probably heard of this as well. But thanks again to everyone for joining us for our webinar today. We will do another HIPAA related webinar soon. Stay tuned and thanks for joining us today, and we'll see you next time.