BreachExchange mailing list archives

How to survive (if not prevent) a breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 25 Sep 2013 22:35:01 -0600

http://www.healthcareitnews.com/news/how-survive-if-not-prevent-breach?single-page=true

Security breaches are no fun. Your organization's name is splashed all over
the news. Your reputation takes a hit. Your patients' trust is eroded. And
the prospect of a hefty monetary settlement is something few want to think
about. But it's not the end of the world.

At the HIMSS Media/Healthcare IT News Privacy & Security Forum in Boston on
Tuesday, a hospital CIO, a compliance expert and a law enforcement official
offered a primer for preparing for and, hopefully, preventing a security
breach. They also offered some tips for making the most of the situation
should the unwelcome event occur.

In a session titled, "Preparing Now for How to Respond to the Security
Breach You Hope Never Happens," Forest Blanton, senior vice president and
CIO at Hollywood, Fla.-based Memorial Healthcare System; Nicole Keefe,
director of IT at Santa Barbara, Calif.-based compliance consultants
Novacoast; and Steve Morreale, chair of the criminal justice department at
Worcester (Mass.) State University – and a former special agent at U.S.
Department of Health and Human Services' Office for Civil Rights – had some
advice for healthcare organizations: prepare, and don't panic.

The great danger of a security breach, of course, lies in "the unknown
unknown," as panel moderator Jon Hale, vice president of security practice
at Attachmate, put it.

That's why it's of utmost importance to familiarize yourself with HIPAA and
subject your organization to a rigorous risk assessment. That includes
getting definitive answers to two questions, said Keefe: "Where does the
data lie, and who's touching the data?"

And the key to an effective assessment is to always be assessing, she said:
"We see a lot of people scrambling around to make risk assessments at the
time they need to be compliant – then it falls by the wayside, it's not an
ongoing process."

With employees handling data every day, we can't simply "look at an
assessment just like a checklist," said Blanton – a once-and-done review to
make sure that technology systems are sound and compliant.

Indeed, the most damaging security problems are often "low-tech," he said,
and can happen on any given day – employees stealing copies of face sheets,
for example, or taking pictures with camera phones.

Health organizations "need to be concerned about identifying problems
beforehand" and then being constantly vigilant about new ones that might
crop up, said Morreale. "Know what you don't know."

It's crucial, he said, to recognize "what you have that other people might
find useful." Social security numbers and addresses, especially those of
elderly patients, are like catnip to malefactors.

Know who has access to data, and train everyone – right down to the
interns – about the critical importance of keeping that data secure, said
Morreale. "I don't care the size of the organization," he said. "Everything
needs to have a risk assessment applied to it."

How do you know you're done? You probably never are.

"I don't think we'll ever be done," said Blanton. "It's like a game of cops
and robbers, and technology is always moving."

He mentioned that audits at his hospitals turned up an almost never-ending
trove of tools, from video cameras to printers, that posed a risk. "We end
up with thousands of listings of things that are vulnerabilities, but that
might not be the most important thing to put your attention on," said
Blanton. "That's where the analysis of the risk, and where the threats are,
becomes key. We could spend our whole lives fixing things that might not be
that important."

When doing gap assessments, it's necessary sometimes to "triage," said
Keefe, making a list of the areas to "focus on first," starting with the
"low-lying fruit" and then planning out "different phases of remediation."

Even then, it's important not to lose sight of the big picture, said
Blanton: "We need to make employees aware of the value of the information
they're collecting."

Should a breach occur and OCR pay a visit, investigators' "simple approach
is something we learned in 5th grade: who, what, when, why and how," said
Morreale.

"I'm always going to ask, 'Tell me how this came about – who knew it? When
did they know it? What did they do about it, and what are we going to do to
prevent it?'" he said. "I'm asking those questions to see if you've nipped
it in the bud. If you've put in some steps and processes to ensure this
doesn't happen in the future. That begins to placate me that you're
responding appropriately to trying to safeguard the information the
government would expect you would take care of."

It's in the post-breach investigatory phase that technology – the right
technology – has a key role to play.

"Who's going to look at thousands or millions of log files?" said Blanton.
"If you don't have technology to go through those files, and spot aberrant
behavior, it's a big problem."

Moreover, by putting in technology for identity and access management, "you
can streamline what you're looking at within those logs," said Keefe.
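The panel's point that log review has to be automated and scoped to what identity and access management tells you is worth showing concretely. The script below is an added example, not code from the article or from any of the panelists' organizations: it triages a constructed EHR access audit log for three kinds of aberrant behaviour a privacy investigator would ask about (one user touching an unusual number of patient records in a day, access outside working hours, and clinical access to patients the user has no documented care relationship with). The log lines, the care-team assignments, the on-shift window and the "billing is exempt" rule are all constructed assumptions for the example.

```python
"""Triage an EHR access audit log for aberrant record access.

Added example; the log lines, care-team assignments, shift window and
role exemptions below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp user role patient action
AUDIT_LOG = """\
2013-09-24T08:55:10 jdoe nurse P1001 view
2013-09-24T09:12:03 jdoe nurse P1002 view
2013-09-24T09:30:44 jdoe nurse P1003 view
2013-09-24T10:02:17 drlee physician P1001 view
2013-09-24T10:05:49 drlee physician P1001 update
2013-09-24T23:47:55 asmith billing P2001 view
2013-09-24T23:48:10 asmith billing P2002 view
2013-09-24T23:48:30 asmith billing P2003 view
2013-09-24T23:49:02 asmith billing P2004 view
2013-09-24T23:49:20 asmith billing P2005 view
2013-09-24T23:49:41 asmith billing P2006 view
2013-09-24T14:20:00 intern1 intern P3001 view
"""

# Constructed care-team assignments (user -> patients they are assigned to).
# In practice this comes from the EHR's treatment-relationship data, which
# is the "identity and access management" input that narrows the log review.
ASSIGNMENTS = {
    "jdoe": {"P1001", "P1002", "P1003"},
    "drlee": {"P1001"},
    "intern1": set(),
}

# Roles allowed to open records without a care relationship (assumed policy).
RELATIONSHIP_EXEMPT_ROLES = {"billing"}

WORKDAY_START, WORKDAY_END = 7, 19  # assumed on-shift window, 24-hour clock


def parse_log(text):
    """Turn each well-formed line into a dict; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, role, patient, action = parts
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return entries


def volume_outliers(entries, max_patients):
    """Users who touched more than max_patients distinct patients in one day."""
    seen = defaultdict(set)  # (user, date) -> distinct patients that day
    for e in entries:
        seen[(e["user"], e["ts"].date())].add(e["patient"])
    flagged = {}
    for (user, _day), patients in seen.items():
        if len(patients) > max_patients:
            flagged[user] = max(flagged.get(user, 0), len(patients))
    return flagged


def after_hours(entries):
    """Entries timestamped outside the assumed on-shift window."""
    return [e for e in entries
            if not WORKDAY_START <= e["ts"].hour < WORKDAY_END]


def no_relationship(entries, assignments):
    """Non-exempt access to a patient the user is not assigned to."""
    return [e for e in entries
            if e["role"] not in RELATIONSHIP_EXEMPT_ROLES
            and e["patient"] not in assignments.get(e["user"], set())]


def analyze(log_text, assignments, max_patients=5):
    """Run all three checks and return the findings as plain data."""
    entries = parse_log(log_text)
    return {
        "volume_outliers": volume_outliers(entries, max_patients),
        "after_hours": [(e["user"], e["patient"]) for e in after_hours(entries)],
        "no_relationship": [(e["user"], e["patient"])
                            for e in no_relationship(entries, assignments)],
    }


if __name__ == "__main__":
    for kind, hits in analyze(AUDIT_LOG, ASSIGNMENTS).items():
        print(f"{kind}: {hits}")
```

Each check is deliberately simple and the thresholds are assumptions to be tuned per role; the point is that the findings are produced by code, reviewed by a person, and that the care-team data does most of the narrowing, which is the streamlining Keefe describes.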

As they're happening, it's important to remember the reasons for these
investigations, said Morreale – and to realize that a breach does not
necessarily mean criminal behavior.

"OCR will usually send you a letter or make a phone call first; if they're
going to come in they'll usually let you know," he said. "And believe me,
even as gun-toting federal agents, if we would walk in unannounced, I would
tell my agents that not everything everyone does is fraudulent. It's
mistakes, it's human error, it's lack of training, it's inadvertent. We
have to give them the opportunity to explain it first, and then watch the
way they react. Are they covering up? Or are they being reasonable and
meeting our expectations?"

Showing, not telling, is crucial when the government comes knocking, said
Morreale.

"Show me the system. Explain it to me so I can understand. I'm not writing
something you told me, I'm writing what I saw. I do my report that way. You
can get a sense when you're walking around. They might seem nervous – and
that's OK, they might be nervous that we're there – but nervous for a
reason that seems other than they didn't do the job the way they were
supposed to."

Post-breach, it's important to look on the bright side – or at least look
for the lessons that can be learned and put into practice going forward.

"In our case, we looked where we had personally identifiable information
stored and it turned out, quite frankly, to be pervasive throughout our
system," said Blanton. "We spent a long time, six or eight months, figuring
out where that information lies, who needs to have access to it, removing
it entirely from systems if it's not necessary, finding a way to expunge
the historical records.

"We did a lot of upgrades," he said. "We reviewed our password reset
policies – we tightened them up. We put in processes to look at our
affiliated physicians and their activity, to make sure that they're
vouching that their employees legitimately have access to the information –
we do that about every 90 days now."

On the technology side, "We're putting in network access control, loss
prevention and identity management, those things that need to be in place.
We continue to enhance the analysis of our usage."

Even though breaches are an unwelcome occurrence for any healthcare
organization, "You have to keep your spirits up," said Blanton. "In the
harsh light, things that looked OK don't look so good after all."

That's a hard fact. But it's also an opportunity to learn from one's
mistakes, said Keefe, and then "really buckle down with policies and
procedures."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
