Watch to learn the five tips to become HIPAA compliant and how to create a security culture.
In this webinar, Brand Barney (HCISPP, CISSP, QSA) discusses what you can do to maximize your HIPAA efforts. View this webinar to learn:
Want more in-depth information about HIPAA compliance? Download our HIPAA Guide here: https://info.securitymetrics.com/hipaa-guide
This webinar was hosted on May 23rd, 2018.
Alright, everyone. We're gonna go ahead and get started. Welcome to today's webinar, How to Improve Your HIPAA Compliance Efforts in 2018. My name is Andrew, and I work in marketing here at SecurityMetrics.
And our presenter today is Brand Barney, who is the senior HIPAA analyst here at SecurityMetrics, and he's been at the company for about a decade now. He has a lot of experience.
He travels all over the world to different speaking engagements and also works with small all the way up to large health care organizations, really helping them understand the requirements of HIPAA compliance and what they can do to improve their overall security posture.
So we're really excited to have him presenting today, and he's gonna have a lot of good information for us.
Just a couple of housekeeping items before we get started.
We are recording this presentation today. So at the conclusion of this webinar, we'll go ahead and get that recording put together, and we will send that out to the email that you used to register for today's webinar. So if you'd like to review the slides, or if you'd like to send it out to someone else in your organization, you're more than welcome to do that.
Also, another thing I wanted to bring up: at the conclusion of the webinar, we will have a Q&A session. So if you have any questions that arise during the webinar, feel free to chat those in using your GoToWebinar control panel, and we will answer as many of those as we can at the conclusion of the webinar. If there's a question that we don't get to in the webinar, we will reach out to you in the next few days on an individual basis to make sure you get the answers that you need.
So just a little bit about SecurityMetrics.
We have been in the data security business for over 18 years now, helping organizations comply with mandates, avoid security breaches, and recover from data theft.
So we've got a lot of experience, particularly in the HIPAA sphere, and we're hoping to give you some good information today. And as I mentioned, we will be sending out a recording of the presentation today for your review.
Just a little bit about today's agenda.
So we will be covering the current health care breach trends, and then Brand will give us five tips to improve HIPAA compliance in 2018, as well as how to create a security culture at your organization.
And also, for those of you that are interested, at the conclusion of the webinar and after the Q&A session, you're welcome to stay on for an additional five minutes or so. We'll actually be giving you a demo of our new SecurityMetrics PiScan tool, which is a tool that will scan for personally identifiable information on your systems.
So you're welcome to stay on for a quick demo of that at the conclusion of the webinar. And if you're storing sensitive data, patient information, anything like that, this is a tool that can really benefit your organization.
Alright, guys. Thank you so much, ladies and gentlemen, for taking the time today out of your busy schedules to come and discuss HIPAA compliance and what you can be doing to secure your organization. As Andrew mentioned, my name is Brand Barney.
I am the senior HIPAA assessor here at SecurityMetrics. I've been here about ten years now. And I'm also one of our PCI QSAs as well, so a PCI assessor. Now, as exciting as PCI would be to talk about, that's not why we're here today.
We're here to talk about HIPAA compliance and some of the things we can do. So I do wanna go through this. There's a lot of information to cover. As we mentioned, the presentation will be available after, but I do encourage you to ask any questions that you have and certainly to take notes, because this is all very, very important.
So let's first talk about some of the current health care breach trends, or some of the health care trends that we see.
Now, as I get the opportunity to travel all over the world, working with entities of all different types, whether they be a business associate, a hybrid, a covered entity, or those located in foreign countries outside of the United States, we do get to talk about and see all kinds of different environments. One of the things that I see quite frequently, as we look at the breach trends, is that organizations are not keeping up with the vulnerabilities.
Many people are being breached today, so the breaches have increased in their frequency. And I anticipate that when I have the same conversation next year, in 2020, in 2021, it'll have an almost exponential type of feel to it. Attackers are wising up to the lack of security, the lack of compliance, in the health care space, and they are utilizing that to attack the health care organizations and really take their data or hurt their systems in some way.
You know, an interesting statistic is that the FBI reports increased attacks against health care organizations, with 88% of ransomware attacks being against health care in the United States of America. And I'm sure everybody's heard about ransomware: somebody getting their data encrypted and being held ransom for it. And, hey, if you just sign up and make sure you pay us, you know, 300 Bitcoin, we'll give you your data back.
It was really interesting for me to hear that so many people were having that attack on them in the health care industry.
Now as we look forward to this, we wanna make sure that we talk about how those breaches happen, and I'll talk about that in a few slides. Now as we look at HIPAA requirements as a whole, SecurityMetrics had interviewed over 50 health care professionals. Now these people were responsible for HIPAA compliance, whether they be a privacy official or a security official, and were interviewed about their patient data and data security.
Now the responses were from organizations that are primarily zero to 500 employees. So it could be a small mom-and-pop organization up to a larger firm that's working with patients, whether that be a covered entity or a business associate. One of the things that I wanna stress is, no matter which entity type you are, if you are dealing with protected health information, attackers want your data. But back to the survey: 78% of those health care professionals that had answered the survey stated that they were encrypting their patient data.
This one really surprised me. Oftentimes, when I'm in an organization, I find that entities have not properly encrypted their data. Two types really should be considered, both data at rest and data in transit. So if you were saying to yourself, well, we encrypt data, or our EHR encrypts data, or my IT guys are encrypting my data, the question is, are you encrypting all of your data?
That which is at rest in your database, that which is at rest in possibly flat files, spreadsheets, etcetera, and data that's being transmitted, both internal connections and external, needs to be encrypted as well. Now, interestingly, 26% of those that were interviewed had said they were using some form of multifactor authentication for remote access. I would have said this was almost dead on with industry statistics. If you've participated in PCI, you recognize that the PCI requirements require you to have some form of administrative two-factor authentication or multi-factor authentication.
Attackers are definitely targeting your logins. If they can get into your systems, why not? So this is a big statistic, and it is accurate.
We start to see that 34% of organizations, and this one surprised me, 34% of organizations stated that they had trained and tested their employees on HIPAA. I would have thought, initially, that would have been a screaming 100%.
Now, trained well? If anybody had said they had trained their staff well enough, I would have disagreed.
Realistically, we are putting some effort into training our employees, but when it comes to training them well enough to do their job and to protect your data, unfortunately, that just isn't happening. So, some very interesting statistics.
Now as we start to look at the top organizational vulnerabilities, what's surprising here for many organizations is that a lot of these really aren't overly technical.
People would have said it was the new Heartbleed attack or SWEET32 that we were losing data in, something that made the news, made the headlines.
These are really quite basic. And interestingly enough, they're the same ones, the same organizational vulnerabilities, as we saw last year. So, again, that's not changing.
First, and in no particular order here, is gonna be insecure remote access.
If you're not securing your remote access into your environment, into your in-scope environment, whether that be in the cloud, whether that be your servers, your firewalls, administrative access. We're not just thinking of patients using a portal, which can be obtuse and quite burdensome if you're gonna force that on them. If you decide to, then organizationally I would understand that. But what I'm really concerned about is those administrative users who are making a remote connection to the environment. So they have to have some type of two-factor authentication.
We're changing two-factor authentication to the verbiage of multi-factor authentication now, but, you know, something you know, something you have, or something you are.
Employees, the human element. This is a big one, and I see a lot of people losing data because they haven't trained their staff. I don't think that employees are going in and losing data intentionally. I certainly don't believe that.
It does happen occasionally, but employees really are trying their hardest to do the best they can. But if they're not trained, we're gonna see that the employees, or the human element, can always be a vulnerability that will cause a data loss. The BYOD procedure, so this is bring your own device. We oftentimes think of it as a privately owned laptop or cell phone that's being brought in and used on the company network.
While that is accurate and that is true, it's not just that. We need to also consider the devices that are being used at our company, so whether it be a work laptop or work phone that's connected to our sensitive data environment, that then goes home with that employee or goes to the airport with that employee as they make connections to other people's networks, and then they bring those devices back to our sensitive data environment.
And lastly, third parties. Now I know some of you guys out there that are on the call today, that are listening, are third parties to a covered entity. So you're engaging as a business associate. You're performing some duty, whether that be development or your platform as a service, infrastructure as a service, your billing, or something like that.
We're seeing a lot of vulnerabilities that are coming through third parties that are introducing new risk, and this will, again, continue to be one. I think next year this list won't look any different. It really won't. Now as we look at some of the data security updates, this is a little different than the health care industry.
The health care industry really hasn't changed much this year. The industry may have changed, but when we look at HIPAA, that's not gonna change a whole lot. And I don't anticipate that that'll change anytime soon. We did see some password clarifications from NIST, and they had published those. So now we're talking about passphrases.
We're talking about clarifications to what is considered strong passwords or passphrases.
We also saw, almost ten months ago, about a year ago, I guess you could say, that the OWASP, which is the Open Web Application Security Project, Top Ten had been re-released. Now some of those items that were in the OWASP Top Ten remain the same thing. So as we look at things like broken access control or injection-related attacks, for you developers out there, for those that are using some type of developer, it's important to keep in mind that that has been re-released, but that data really didn't change much either. Because, again, keeping in mind the attackers, they are using some new methods, but most of it can stay the same because we haven't updated our processes. We haven't matured or secured ourselves in such a way that would constitute any new major change there. So what I've seen a lot this year in my travels is an issue with compliance mentality. So a lot of people that I deal with are excited or have an organizational mandate to get compliant.
But oftentimes, what I'm seeing is the entity that is really check-listing or check-boxing, as I would call it, their compliance efforts. They're going down a list of requirements saying, are we in compliance with this? Yes or no? Or not applicable even, not in place, that kind of stuff. That type of thing is acceptable for a portion of your compliance, for a portion of your security. I don't think we can get away from that. But only being a checklist or a checkbox organization is what will lead us to a data breach, what will lead us to unauthorized uses and disclosures.
You know, it's really easy to think of a lot of attackers as these big state-sponsored guys, but that's not always the case. A lot of these people that could lead to a breach of data could be your employees, as I mentioned earlier. And it could also be the patient that's potentially sitting in your offices or sitting in your hospital, that decides, hey, I'd like to play some video games on the wireless, and then says, oh my gosh, I can see far more than I should have, or I'm able to access this application that's not encrypted. You know, they're not using HTTPS for their login credentials, etcetera. So it is gonna continue to be a problem.
Some of the dangers, and I won't spend too long here, but some of the dangers of that negligence lead to, again, unauthorized use and disclosure of protected health information.
And I think we focus a lot on that. We're all worried about that. HHS OCR has breach notification guidelines and rules that they require for us to say, hey, if we've lost that patient's data or it's been inappropriately disclosed or used, that is a big problem.
And unfortunately, as I mentioned before and I'll say again and again and again, it's gonna continue to happen until we make a big shift into real security, not just trying to check boxes. But one of the things that I find really interesting is the patient harm. So it's not just necessarily a loss of data, but to lose somebody's, well, maybe mental health records, to lose somebody's records as it pertains to drug use, or any other type of history that that patient has, that can be a real harm to them. We also look at networked medical devices.
I love to talk about this and frankly could spend an entire hour talking about that alone, but a networked medical device is something that could potentially be changed, or the integrity of that device could be dampened or harmed, and lead to an actual physical harm of that patient. We don't really talk about that a lot in HIPAA, and a lot of people aren't really talking about it, but we do see it. And as we make this leap into our health care space being more technical, more advanced, we will see attacks that can not just lead to uses and disclosures of protected health information, loss of that data, but also to patient harm, whether it be physical or emotional.
Now when I talk to industry professionals everywhere, whether you be a covered entity of any size or a business associate, I really find that most people didn't go into this profession to make money. Now certainly, I know some providers out there who are doing quite well for themselves, and certainly nobody faults them for that. But I think a lot of us get into the health care space to help patients, to make a difference in our communities, to largely impact a patient's life in such a way that it is a positive experience for them in their own lives.
But we need to recognize that motivation as we consider security and as we consider our compliance. Because if we begin to ruin that experience or to have attrition, it will lead to a financial loss, absolutely, but it can also harm our patients. Now let's talk about the exciting stuff, the reason you're here. What can you do?
What can your organization be doing to improve your compliance posture and position this year in 2018? And I think it's unfortunate that we're having this conversation almost halfway through the year. So you're a little bit behind if you're in it. But, hopefully, you're doing some of these things.
And if you're not, we're gonna talk about how you can do it. Now, the first thing that you need to do to make sure that your position and that your compliance and security is improved is to focus on your policies and procedures. Now I know what you're thinking. Brand, I've done this.
This is one thing that I do well, or one thing that we have.
What I oftentimes see is that people have done some portion of the policies and procedures, and it's usually privacy that they focused on, but their policies and procedures are just a few pages, if they're used at all, if they have anything for their staff. Now not all policies and procedures are gonna apply to every one of your staff members. But certainly, a policy and procedure should never just be two to three pages.
And you really need to make sure that your policies and procedures, and I see this a lot as well, aren't just paperweights that need to be condensed, a very large stack of papers. It's not uncommon for me to go to an organization and say, hey, let me see your policies and procedures, to which they dump, you know, the equivalent of, well, my entire education on the table. I mean, they really dump a lot of papers on me.
And when I ask, tell me what's in there, show me where to find your policies and procedures for your firewalls or encryption or uses and disclosures, they don't know, because they're not usable. So getting policies and procedures done this year will be really important for you. Not to mention, this is what HHS and OCR are gonna request to see if you have an investigation, whether that be through a complaint or through a breach.
They're gonna reach out to you and say, send me your policies and procedures. It's one of the first questions they ask. And you need to be prepared for that. If your policies and procedures aren't sufficient or are not currently in place, you don't know how to use them, or you don't know where something's located, it can or it may lead to further investigation into your organization, which certainly may be warranted, but the idea being that we want to avoid that if we can.
So we need to make sure that we first implement those policies and procedures. You need to find out what policies and procedures you currently have and what policies and procedures you need as you move forward. Do you maybe use a cloud vendor to store some of your data or transmit data? Do you have policies and procedures for that?
Do you have policies and procedures for business continuity, business contingency?
Are your staff trained on the policies and procedures that you have, those policies and procedures that apply to them? If they're not, it's time to start training them. Training will be important.
Now, making sure that those policies and procedures are usable: it's not uncommon for me to go into an organization and say, show me whatever it may be. Show me where that policy is. And the staff member says, I don't know where it was. I read them when I started my employment.
I signed a document stating that I understood them. I don't know. They're on a share somewhere. But if they were to try and find it, usually it's quite painful for both them and myself to try to find.
And then lastly, make sure that you're regularly updating your policies and procedures. As your organization changes, your road map, that policy and procedure should adapt and change with it. Now here's a couple of examples, and I've given a few of these as we've talked. But the privacy rule policies, this certainly is not all of them.
You know, we do twenty or thirty slides with just all the policies and procedures. I recognize that's painful, guys. But a couple of examples might be the uses and disclosures of PHI. You probably already have that.
Your notices of privacy practices, so your NPPs, those will be just a few examples. But remember, you need to have that. Now if you're a business associate that's listening, you need to make sure that you look through your BAA, so your business associate agreement, in determining what, if any, privacy rule policies or privacy rules apply to you, what you have been obligated to follow. Oftentimes, I'll go into an organization that's a business associate, and they won't realize that they have been contractually obligated to be following a certain set of the privacy rules, and they're not currently doing it because they weren't even aware. So oftentimes, these policies are pretty easy to do. You just have to get it out and do it. The security rule policies, this is an area where most people just have almost nothing.
And the policies and procedures that you have for other mandates, things like your PCI, may cover some portion. If the environment is identical, they could potentially be covering you and that requirement, but you've gotta pull those policies out to determine that. Things like your password policies, your physical security, firewall and router configuration standards, things like the ingress and egress of traffic.
And I recognize, guys, some of these things may be a little more technical in nature. And so for that, I do apologize, but the security rule of HIPAA is going to be far more technical in nature. And just because it's technical, and maybe hard for us to understand, doesn't mean we can get away with not having a policy, not having proper implementation.
Number two, the second thing you can be working on in 2018: make sure your incident response plan is in place. Now here's the reality.
If you have not already been breached, in the future it is very likely, whether a small incidental breach, something that is not as impactful, or an extremely large breach where your database has been exfiltrated outside of your network.
That can vary depending on how much time and money you've invested into actual real security. But the reality is, if you don't prepare for a breach, the liability and your responsibility is gonna be up there, and it's gonna be very painful. So people say all the time, Brand, what is a breach? What constitutes a breach?
Well, I mean, it's really simple here. It's any unauthorized use and disclosure of PHI, so your protected health information, or, virtually, electronic protected health information. So if somebody accesses your networks and is viewing anything in there that could impact the security of, or impact the confidentiality, integrity, availability of it, again, we've had a breach of our systems and have a breach of our data. Oftentimes, people will say, well, Brand, they didn't take anything.
They just viewed it. Again, the severity is different, I get that, but it is still a breach. Now when we talk about our incident response plan, people say, well, you know, we don't do that, or we have one, but we've not tested it. Let's talk about what the purpose is for you.
You need to make sure that your incident response plan outlines what you will do in the event that an incident is realized, whether you have a rogue wireless access point or a laptop has been stolen.
These incidents can vary. It could also be data that has been taken by malware. So, different types of incidents for different types of organizations. But first, you need to make sure that's documented and that you coordinate your response during it.
Second, you wanna make sure that you minimize the impact of it and that you're able to restore operations as quickly as possible. This will help you to reduce your fines and protect your company and your customers. So, getting back to business quickly. You need to make sure that you're identifying all of the potential risks, threats, and vulnerabilities that an attacker would use to attack you, and that would indicate some type of response strategy.
This will be done through a risk analysis, and we'll talk about that on the next point. But ask yourself, what equipment would cause the greatest risk if lost or stolen? What process or what data would constitute the greatest loss to us?
Now as we do that, back to point number one, we need to make sure that we have policies and procedures set up that create a baseline of normal activity that'll help you to identify a breach. So if you don't have those policies and procedures set up, if you don't have a normal baseline documented, identifying a breach is gonna be very challenging. Now it is not uncommon for most people to engage a third-party service provider to help them with identifying and containing a breach and recording information on that breach. So if you're gonna engage somebody, if you say, hey, we don't have the technical acumen or the ability to identify or contain that breach, you would engage somebody else. And that needs to be documented in your policies and procedures. That needs to be documented in your incident response plan. You also wanna make sure that you have in there your notification and communication plan.
A lot of people are missing this one, and a lot of people are being put on the hook for some fairly serious penalties because they didn't properly notify individuals within their organization, whether that be a third party, whether it be the covered entity, or the patient themselves. So make sure that is properly done. You know, it's not just calling the police to say we've had a breach.
And then we make sure, again, that employee training is put in there.
Now what you wanna do is make sure that you set up a response team. Now everybody's organization, I recognize we have people across the gamut here for organization size. So your organization may just be a very small one- or two-man operation for your security and privacy officials. But no matter what, you want to make sure that you organize a team and that they understand what their responsibilities are in that response team.
So make sure that you have a team leader. Make sure that you have a documentation and timeline leader, and that if you have human resources or legal representation, they're brought into this. What most people are doing is assuming that another group or another person is responsible to take care of these things, and then they leave them out of the incident response. They don't include them in that.
And that can be extremely detrimental to you guys. Now a part of that is making sure the executive members of your company buy into this plan so that they understand what you propose to do in the event that there's an incident. So the reality is, if you don't respond properly, you will be fined at a higher amount and rate. And helping your incident response team communicate that effectively to the executive team at your organization, again, whether you be a small organization or extremely large, that's gonna be a critical mission point.
Now, training employees. I've said this and I'll say it again. Training your employees is important. Making sure that everybody understands that security applies to them. Everybody may access data, may access systems, differently.
So to give an example, you may have a development team, and your development team doesn't have access to production. So they're thinking, what in the heck? What would apply to me? Well, we could go back to those OWASP Top Ten, making sure that they are trained on how to properly develop the application or develop systems that integrate with your patient data.
So making sure they're trained there, and they understand it does apply. You might also have a front desk office manager who has very varying, I guess you might say, access to patient data. Making sure that they're aware of things like phishing attempts or social engineering will be important, and then making sure that your incident response team is properly trained.
Now last and not least for your incident response plan, once you get it set up, once you have that properly documented, you need to test it. So we can't just say, again, like all of our policies, we can't say we just have it. We need to be able to use that policy. So I recommend that you conduct a tabletop exercise at least once per year.
This will keep you in your compliance. So it'll keep you adhering to compliance for HIPAA, up to and including PCI, but it'll also help you to find gaps in your plan and to practice each person's role, whether you have a twenty-person incident response team or a two-person incident response team. They'll understand what they need to be doing. You can then refine any communications that need to take place between departments.
So the physicians need to be communicating this to IT, and IT needs to communicate to HR and legal, and legal communicates with the courts. And, again, that incident response plan will be important; it needs to be documented and tested.
It'll also help you to document what you've learned. I have never seen an incident response plan test where somebody didn't learn something new about themselves or their organization. This is an awesome tool to use. So get that one going.
Third, and this one's super important, HHS is really chasing this one. They wanna see everybody doing this, and that's a risk analysis. If you have not performed a risk analysis, it's time to do one. Get started on it today.
What can you do today to do this? So let's talk a little bit about what a risk analysis is.
A risk analysis is identification of the risks, threats, and vulnerabilities to your organization, to your systems, to the assets within your systems, whether it be servers, workstations, mobile devices, printers, copiers, fax machines.
You know, I could go on and on and on about the types of data or systems that could be done. But also to the human element, environmental risks, threats, and vulnerabilities, organizational, regulatory.
There's a lot of different types of risk, threats, and vulnerabilities that could be acted upon, and we need to make sure we're doing it.
But if you've done one, you need to make sure that you review it and that you update your risk analysis at least on an annual basis.
I recommend that you do it every time your environment changes. So if you're adding a new computer system or you have a merger or an acquisition, that would be a really awesome time to perform a risk analysis and make sure that that's done.
But I'm sure I know what you're thinking, and that's, Brand, where do I start? How do I do it? The first thing you wanna make sure you do is identify where your PHI and your ePHI is created, received, transmitted, and maintained or stored.
If you don't understand what systems are touching data and how they interact with that data, systems or people or processes, it's gonna be incredibly challenging to properly identify any potential risk, threat, or vulnerability you have. So first thing to do is to get it started by going through a scoping exercise. I recommend that you review the policies and procedures that you have that involve systems or processes that touch protected health information in some way. So make sure those are reviewed. Make sure that you interview and bring your personnel into this, so your employees.
You'll find, and you may be quite surprised, at the way your employees interact with data, the way they interact with systems, and the way that they have introduced new potential risks, threats, and vulnerabilities in your environment. So a scoping exercise, if you will, is a good place to start.
And that, I always recommend to make sure you do that at least annually. So if you haven't done a scoping exercise or you've gone through one, do it every single year. Ask those questions yearly.
A lot of people that I work with will engage a third party to perform a risk analysis for them due to its technical nature. So they'll say, hey. We want somebody else to help us in the identification of those. And there's nothing wrong with that either, but it is your responsibility to perform one. Now you'll be asking questions in your environment like what vulnerabilities exist in the system, an application, in my process or the human element? What types of threats exist that could be exploited from those vulnerabilities, and what probability does each potential exploit or vulnerability carry? So remember that a vulnerability is a flaw in a component, a procedure, maybe your design or implementation.
It could also be, an internal control.
So you may have put something into place that is now introducing new potential vulnerabilities that was supposed to fix other things, and maybe it did, but keeping that in mind. A threat, a threat actor here would be the potential for a person, a group, or even a thing to trigger that vulnerability. And then the risk is the probability that a particular threat will exercise that particular vulnerability and have some potential negative impact to you, whether that be, you know, a low impact or a high impact, a high risk, that those things need to be considered. So determining your risk level.
What I love about determining your risk levels is it kinda helps you create a road map. It helps you create a prioritization of what things you need to fix. So if you find that maybe you have some very serious vulnerabilities within your firewall, or your network administrators haven't properly set up ingress and egress, maybe you haven't properly encrypted data to your key management process in the setup. It can also be something really simple as we have a lack of security culture within our organization.
And don't go too far. We're gonna talk about that one in just a minute. Now once you've identified the risks, threats, and vulnerabilities, you wanna make sure that you do not delay on risk mitigation or at least creating a plan for risk mitigation.
So remembering that vulnerabilities, you know, and risk, they're not gonna go away. They will exist in your environment. So you need to make sure that those low hanging fruit, the low hanging vulnerabilities, the things that are simpler or easy to do, get those things knocked out of the park. Fix them. Get a plan for it. And there will be some projects or some vulnerabilities that are discovered, potential vulnerabilities that are discovered, that require more time and more resources to address. So, again, the sooner you start to do fines for your organization as a result of neglecting data.
Fourth is training, and I won't spend too much time here because I talk about training till I'm blue in the face. But we need to make sure your staff are trained properly. And I've said that before, but remember that training your staff just at hire is not sufficient. That's not sufficient just for compliance, but especially for security.
Your staff can be your greatest asset, or they can be your greatest liability. My recommendation is to hold at least monthly trainings for all of your staff. Training them on small exciting bits of the security rule. Get them excited about it, what they can do to to assist in securing your organization and patient data.
Privacy rule and the breach notification rule. Trainings don't have to be too cumbersome. They really don't. So you might train on things like what are acceptable uses and disclosures of PHI.
As I mentioned before, phishing or social engineering, how to properly physically secure our systems and data, locking doors and making sure that, you know, monitoring systems are turned on and available.
These things will be important for your organization. Make it fun.
If not, the patients, the recidivism rate will be pretty high for us, and that will not be a positive thing. So as we look at that, one thing I recommend is now that you've trained your staff, if you have trained your staff, that you test your staff so that you don't just leave it to, okay. I told you. I have it documented.
It's in an email or we had you go through some videos and checkbox them. You know, you should be testing them. Do they understand what they read? Can they repeat it back to you?
So it could be discussion based. You might even have them perform a written test that says, hey. Look. It's a quiz, if you will.
And I know nobody loves quizzes, but it is a great way for you to engage and find out was it effective. Will your staff be able to do the things that you've asked them to do? Or you could even do, in some fun ones, some real life simulations.
So you might send out and engage somebody to do a phishing attempt on your staff and see how many actually click on that and open you up to it after they've been trained.
Fifth, everything else. So all the things. Let's talk about those. Now as we look at bulking up your security and protecting your data, you know, we sat down.
We talked with our computer forensics team and asked what were the top ways that attackers are breaking into and compromising systems. And as we've discussed before, it can be the human element. It can be through insecure remote access. There are a lot of different ways.
But there's other security considerations that we recommend, that I recommend you consider. Are you logging in your systems? Do you have your intrusion detection turned on, intrusion prevention? Do you even have that capability?
What about things like file integrity monitoring?
You know, as we look at our wireless network security, web application security, penetration testing. Have you ever even done one of those? Whether that be an internal or an external application or network scan, segmentation checks.
Again, there are so many things that need to be done to create this defense in-depth to stop an attacker dead in their tracks.
But how do we create a rich and ubiquitous security culture in your organization?
These tips are gonna be paramount for you guys. You gotta make sure that we understand security does not come from the bottom up. It doesn't. And it can't. It doesn't work that way. Security needs to be a top down approach. If it's not a top down approach, it can be very frustrating for your staff members to try to help you to get and we'll oftentimes find that employees will leave an organization that doesn't because, again, people in health care really do care about those patients.
They may not always be the easiest to work with, but we care about them. We want their health and their safety to be first. That includes securing their data.
So nothing else matters if you don't have a security culture. The reason I say that is I've worked with a lot of organizations that don't have a security culture but are putting in a lot of time and effort, even money, into some controls. And what I find is that's kind of like putting a Band Aid on a gunshot wound. It really just doesn't work. It's trying to patch up things, but we really haven't fixed us. We haven't fixed our cultural problem and that's just that we were trying to get, you know, business done first rather than security.
Security does not have to be overly challenging.
It can be done easily.
Well, easier. I shouldn't say security is ever really easy. Otherwise, it's no longer security, but you get the idea there. If you focus only on your compliance efforts, if you're checking just boxes and that's all that you do, you will find that you probably aren't going to be in compliance.
I find that often. And you certainly won't be secure if that's all you're doing. So make sure you focus on both. What I found is those that focus on their security, they focus on security first, securing systems and securing them properly, kinda just naturally flow into a compliance posture.
So that's not a bad method of doing it. Now don't ignore your compliance and only do security. Both need to be done, but build that security culture. Remember to get your C suite, to get the executives aware and excited about it.
You as the compliance officer, you as the privacy officer at your organization need to be promoting that, need to be making sure that they are aware of the security threats, risks, and vulnerabilities in your organization, and they should be the ones that promote that culture. If they're not aware of the risks, threats, and vulnerabilities, most of the time, I find that executives will buy into marketing goodness, and we love those. We love our products, and we use some really awesome ones in our organizations.
But those products oftentimes will say they go to a conference and they see secure, they see compliant, they see best in industry, and those things oftentimes can be true if they're used properly. But we have to remember, some of those vulnerabilities were configuration problems. So, you know, we didn't configure our system properly. We introduced a human using the tool who, doesn't matter how awesome your tool is, if the human isn't trained in doing an awesome job, the system can't do its job. So your C suite needs to understand that. Performing that risk assessment, putting that risk assessment in front of them can be a powerful motivator to getting them excited.
Now the security culture really should combine your IT, your compliance, and your risk officers. I oftentimes find organizations that I come into that the compliance officers are really excited, and they're doing a great job. And they're working their tails off to make sure everything's set up, done, and done properly. But IT has done something that they needed to do for the organization that completely bypasses compliance, completely bypasses your security needs. So everybody needs to be on board, and they need to have the authority to implement changes as is needed so that you identify something in your risk analysis. They need to have that authority to do it.
We need to make sure that we have more budget, and more emphasis put into security, remembering that your data and your patients are paramount.
Keeping those things safe, keeping your system safe will make sure that those patients have a good experience, that your organization will thus have a good experience. We wanna protect both. And reminding your staff to follow what they learned in their security training. Boy, I would just talk about that all day if I could.
We wanna make sure that we create an environment, and I love to go and do assessments in environments where people are excited and they're not afraid to report suspicious behavior. And it doesn't necessarily just have to be suspicious behavior. It could just be to report a problem and say, hey. I noticed that we don't use two factor authentication.
Should we be using it? They shouldn't be afraid to bring that up. They might say, hey. When I do this thing, you know, whatever that thing may be, this other negative impact is happening.
We wanna empower them to bring up security issues.
A great company culture, a great security culture, will facilitate that, will raise them up and empower them. So I encourage you to do it.
Let's talk briefly about some of the takeaways from today's discussion. You know, the reality is, you know, we're only here for just a, you know, a brief less than an hour, really, to talk about compliance and security. Compliance and security is a year long continual process. It's not a one point in time. Now if you have somebody like me come out and visit you when I perform a security assessment on your organization, whether that be for PCI or HIPAA or GDPR, SOC, oftentimes, those things are point in time. They state the position, the compliance and the security of your organization at a single point, at a single time. Some requirements are making it so that we can show or demonstrate that we've been doing more, at least on a quarterly basis, whether that be through scanning, whether it be through segmentation checks, policy reviews.
But you, you sitting there, wherever you are today, need to make sure that your processes are in place to make this an ongoing, a daily thing, and that your staff remember that. Because, again, they're running around trying to do their duty, their job, help the patient. And it can happen really quickly that they make a mistake, that the tool isn't configured and leads to a breach of data. So let's make sure that all of your policies and procedures are in place, that they are documented, and that everybody is aware of them.
If you're missing policies and procedures, whether they be in HIPAA or any other security mandate, you need to make sure that you get those. You can purchase a lot of policies and procedures from vendors that can help you with that so that you're not reinventing the wheel, if you will. But it has to be done, and it can't be ignored. It will be cumbersome at first, but it shouldn't be that bad as you move forward in those policies and procedures.
Engaging somebody like a security assessor can help you with that. You need to be prepared for a data breach, recognizing that a load of people within the health care profession are being breached today. Patient information is being lost at a staggering rate, a very staggering rate. So if you're not prepared for it, it'll be a bad experience for you and your organization. So get that incident response plan prepared.
Make sure that your security is as best as you can get it, and then we are ready for that. Conduct a risk analysis, an annual risk analysis, and a risk analysis after any significant change to your organization or process. You know, something to give an example there might be, some of your environment is in a physical space. So you have your servers on premises.
So your servers are on premises, your firewalls. But you know what? You've now found maybe somebody like Amazon or Armor or something like that. You say, you know what?
We're gonna move some of this. We're gonna save some money on infrastructure, and we're gonna move that to those guys and let them take care of it. And I think I applaud your efforts. Whatever you can make easier for yourselves is awesome.
That should be done. However, you need to make sure that you understand the risks, threats, and vulnerabilities that are now going to be introduced into your environment, to your processes, to your people, to your data.
That those things, they just inherently will do. So make sure a risk analysis is done. I get very excited about that because it's one of the funnest things you can do. You will really I think you'll have a good time when you've done it and feel a little better knowing what those vulnerabilities were so you can create an action plan.
You might not feel so good when you see the vulnerabilities, but at least you can create an action plan for them. Remember to train and test your employees regularly. You don't have to go that alone. There are a load of people that can help you do that.
There's online tools and things that'll help with things like phishing. Those can be a lot of fun to show your employees, look, these were the types of phishing attacks that we trained you on and you just didn't follow. It was a, you know, their brain just kinda gave up for a few minutes and they clicked on a link somewhere. Okay.
Well, then we can retrain them and make sure that they get excited. Bulk up your security practices. Remember, some of these things that we've talked about, we talked about only five. There are hundreds of security tools and processes that need to be put into place.
That can be an overwhelming statement in and of itself, but you don't have to do that alone either. You can make sure that you bring in your team, get everybody else on board and excited. And if you have to engage a third party to help you with it, please do. People want to make sure.
And there's some really awesome tools and processes out there that can make your processes better. You might just not be aware of them today.
And as I do every moment of the day, remember that your patients are important. Your organization's important. So when you live and breathe security, that process, again, won't be just a point in time. It'll be an every moment of the day. You're here. You've engaged in this webinar to make sure that your data is secure, that you're compliant.
And these are just a few points, but make sure this is done. Now I know I have talked about a lot of things. There's a lot of things that I haven't talked about. What I wanna do is make sure that you guys are able to ask any questions that you have. So what we're gonna do is hit pause real quick. We're gonna read through some of these questions, and we'll get some of your questions answered. Give me just one moment, guys, and we'll get to your questions.
Alright, guys. Thanks so much for engaging and asking some questions. We got some great ones here. So for those of you that missed the beginning of the webinar, we will be sending out a recorded copy of this webinar so that you can cover all of the details, including sharing it with anybody in your organization that needs to be trained on best security practices and HIPAA compliance. Now one of the great questions, I'm super glad you asked it, is can I give a breakdown or can we give a breakdown of the difference between an internal and an external breach?
Now that's one that we see quite frequently. So when we're talking about an internal breach, it's easy to think of the organization as, everybody needs access. I guess maybe that's probably one of the best things to say is that everybody believes that everybody should have the same access, and that is almost never true.
So we need to be thinking about, you know, types of role based access control. So, again, back to that example that I gave earlier of the front desk office personnel. They're not going to need the same access or level of access that we see a developer needs or a network administrator or systems administrator. So their access is going to be different. And, you know, in HIPAA, we typically hear the word minimum necessary, so only giving those people access to what's necessary.
Now once an attacker, if it's an attacker that causes the breach or it was a staff member with access to shares or drives or access to people's folders they shouldn't have had, that would certainly constitute an internal breach. But we oftentimes see an attacker who gets internal to the network, organization. They have got some very escalated privileges that they're able to act upon or to exploit. Once an attacker has got to that point, that would be a really bad thing.
So that's why we're trying to do that.
But that's why we talk about this defense in-depth, so things like logging, file integrity monitoring, intrusion detection, intrusion prevention. Because again, oftentimes, people will just say, okay, well, I've got my external control set up, my perimeter set up. That'll be my firewall. That protects against what type of ingress, so inbound, and egress is set up outbound.
But, yes, the internal and external breach is something that we see oftentimes. Most of the time, the breaches that get publicized is an external. So external to our organization, somebody who, you know, might be sitting in China or in Russia. You would never see, you would never know, probably never going to be caught, and is breaching your network. And those network scans are taking place all the time.
If your network is publicly available, meaning connected to the Internet, and somebody can obtain an IP address or a URL, they are scanning your system. It is happening all the time. So make sure we harden against both. And a security assessor, somebody like myself, would come in and look at the risks, threats, and vulnerabilities, both internal to your organization and external.
It is quite common that we talk about, you know, the attacker. Right? But that's not the only risk, threat, and vulnerability. Some things will be environmental. Some things may be regulatory or legal.
So all of those things have to be kept in mind. But I love that question. It's a phenomenal thing to be thinking about, and you're the first person to ask me that in a long time. So I'm giving you an air high five from here. Good job.
And, Brand, we have another great question here for you, and then we'll get into our PIScan demo.
But you mentioned file integrity monitoring. Do you have any examples of what that means?
Absolutely. So file integrity monitoring can really be a very long discussion. But to make it simple or at a very high level, file integrity monitoring is a tool that is used to monitor sensitive files within your organization.
So you're gonna have files that are stored within your database or flat files, things that may be system related so that may not necessarily store data or have data that's being transmitted, but that are critical system files. And if those files are changed, so somebody or something that doesn't have permission or, well, unfortunately, does get permission and gets a hold of those files, and they change whether it be they change the integrity of it. So you see a file that maybe is, you know, a couple hundred oh, boy, a heavy one. Let's say a couple hundred megabytes, and it increases in size to a couple hundred gigabytes, or just a few gigabytes, that would be a pretty wild change in the integrity of that file, and you need to be alerted of the presence of that.
You need to know that could be a potential malware that you have in your system, rootkit, all kinds of things that can cause all kinds of problems for you. But it could also be somebody who's inappropriately accessing a file that they shouldn't have. So every file or every system is gonna have permissions that allow for somebody to connect to it and see it. And if anybody either inadvertently or intentionally accesses those, you will be alerted to that presence.
So in a nutshell, file integrity monitoring is there. File integrity monitoring is really an awesome supplement to your antivirus systems. So a lot of people may get them confused, and they have some similarities, some baselines that are similar. But file integrity monitoring is a great supplement.
There's some awesome tools out there. In reality, you guys might already have these tools purchased. I come into organizations all the time where these tools are already being used, but they just didn't turn it on. So make sure you query with your IT professionals what tools do we have and what subscriptions do we have that we just don't use?
File integrity monitoring, intrusion detection, intrusion prevention. These are very common. They're there. You just didn't use them.
You just need to turn them on, turn the switch on. Great question.
Awesome. Well, thanks, Brand. Thanks everyone for joining us for today's webinar.
We're actually gonna go ahead and begin with our PIScan demo now.
And I'm gonna go ahead and turn the time over to Kai Whitaker, who is our PIScan product manager.
So for those of you that would like to stick around, we're gonna jump in. It's just gonna be a quick four to five minute demo so you can learn about how PIScan can benefit your organization.
Great. Thanks, Andrew.
My name is Kai Whitaker. I'm the product manager for our data discovery tools, of which today we're gonna talk about PIScan.
The PII in PIScan stands for personally identifiable information.
And what this means is this is any kind of data that you collect from a patient or a customer, that can then be used to identify that customer.
Social Security number.
And so at Security Metrics, we are trying to make your data security easier. So a lot of requirements such as HIPAA and PCI and GDPR are going to tell you, hey. You need to make sure your data is secure. Well, that's a really large undertaking, and a lot of people don't even know where to start.
One of the first steps that you should do is, well, if I need to protect my data, I need to find out where my data is. So on my network, on my computers, within my organization, where are all the places that my customer and patient information is being stored? Is it on computers? Is it on servers?
Is it, you know, up in the cloud somewhere?
So what we've done is we've created a tool that will actually scan your computer. It will scan your server. It will scan your endpoints, and search for this personally identifiable information for you. So instead of having to manually click through every file on your computer and read every document to make sure that there isn't some random Excel spreadsheet out there that was saved from three years ago that is a list of email addresses, that is just unprotected and waiting to be stolen by a hacker or someone attacking your system, you can identify that first, figure out where it is, and then adjust it, and adjust your processes so that it doesn't end up there or so that it is protected.
So what PIScan does and, I'll talk along as we kind of have this descriptive video going on.
PIScan is a data discovery tool, and it's gonna scan these endpoints and locate this unprotected PII for you. So we make it really simple. It's got an easy interface, installs really simply, and it's gonna let you scan your computer right away. Once your scan is completed, you can review your results in the application itself and be taken directly to the PII in question.
So, as we do have advanced settings, so people who have networks who are slightly different, you can configure your scan to do what you need it to do. We do use patented scan technology, so it's optimized to reduce false positives. We give you filters so you can reduce the scope of your scan and increase the reliability of your results.
So really you use this to discover the data, reduce your liability, and protect yourself in the event of a hacker.
So for example, if I am a single location dentist's office and I have four computers in my office, I would be able to use PIScan to quickly scan each of those computers and then identify if, oh, on this computer, this shouldn't be touching any credit card or patient information at all, but we did find some on there. Then I can reach out to a qualified professional or my IT guy and say, why is this here? We need to stop this data from being there. Let's remove it and then adjust our process.
And that can be a single location. It also works for, you know, I mean, a larger organization where, hey. I have got, you know, multiple networks and subnets, and I've got a lot of servers, and, you know, this one is segmented here and there, and we can place PIScan in these separate locations to really facilitate your IT team and help them save a lot of time and a lot of effort in finding this information, because we're gonna do it for you.
So, that's a quick overview of our PIScan product.
If you have any questions about PIScan and how that can fit in your organization, please reach out to us. We'd love to have a more in-depth conversation about it. Thanks.
Awesome. Well, thanks, Kai, and thank you to Brand for presenting today. Again, if you have any questions, feel free to reach out to us.
You you can connect with us, by emailing events at security metrics dot com.
And we do have a couple other questions that we weren't able to get to today, so we'll make sure to reach out to you on an individual basis so you can get those answered. But thanks everyone for joining us today, and we'll talk to you again soon. Thanks.