Posted 4.22.13
by wpadmin
Blog

2013 HCCA: Cyber Compliance

Online Tech is exhibiting HIPAA hosting solutions at booth #919 at the Health Care Compliance Association (HCCA)’s 17th Annual Compliance Institute Conference April 21-24 in National Harbor, MD. The conference draws in healthcare compliance professionals, risk managers, privacy officers, healthcare CFOs and CEOs, and more.

Cyber Compliance: What Every Compliance Professional Needs to Know about Cyber Risks and Cyber Vigilance
Speakers: David Childers, President and CEO, Compli
Vivek Krishnamurthy, Associate, Foley Hoag LLP

David – Cyber crime is the highest growing economic crime and has become more lucrative than dealing drugs. Historically data breaches and cyber crime was reserved for large organizations and banks, because data was most plentiful there. The scene has changed now.  Mid-level folks with RF scanners are now going into bars stealing identities.  Reputation damage and risk is 5-7 times more impactful to an organization’s base market than an economic crisis. At $194 per record lost, it gets costly if you add up how many records you lose. Brand damage, share price, employee morale and business relations goes down.

Why cyber crime? And why is it a problem? You had to be a criminal and coder originally to really pose as a cyber threat. Malicious intent and ability to code were needed, and that’s not the case anymore. Malware as a service companies exist outside of the company. Espionage exists in corporate and government settings. Some people are going to mess with systems because they believe the companies are doing something they don’t approve of. And finally, terrorists are beginning to use cyber crime more and more.

Vivek– Health records are huge sources of information and personally identifiable info that is important to a cyber criminal. All you need to steal someone’s identity and finances can all be contained within health records.  Cyber terrorists increasingly are targeting critical systems. Healthcare is at risk of being a target in the eyes of those who want to wreak havoc on control systems and network controls. If your IV pump can be controlled remotely, that poses a huge threat. Everyone needs to be attuned to these kinds of motivations and how it could affect them.

David– Activism can come from your own employees. Who is the internal cybercrime risk? Disgruntled employees are a huge risk for any organization. It is important to get them out of your system as quickly as possible.

Major organizations such as CIA, FBI, NASA… all got hacked last year. There is no such thing as complete IT security. It is key to know who your cyber neighbors are when operating in the cloud. Everyone needs to also create a human firewall at this day in age. Educate your team: what, why, how. People are the weakest link to your system. Increase your threat awareness and stay vigilant. Cyber governance, means cyber vigilance. The groups trying to get your information are coming from all over. They are competing with one another. It’s possible that the threat could be coming from a terrorist or even someone disgruntled with your organization.

Vivek– Relevant to data breaches, HIPAA is the main framework and the keystone federal law. What does HIPAA have to do with us? HIPAA Security Rule:

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.

When HIPAA was being drafted by HHS, people were concerned with work stations being left unlock or an employee who left and was possibly disgruntled.

Vivek highlighted the following emerging “Reasonably Anticipated Threats”:

  • Operating system flaws
  • Flaws in EMR system
  • Patient Information Apps
  • Networked medical devices and control systems
  • Mission critical IT systems on the cloud. What happens on a cloudless day?

Lots of people are movie to the cloud. Responding to the threats is key. You need to have someone in your organization who is constantly vigilant and developing and implementing cyber incident response protocols and procedures.

Social engineering attacks are also  on the rise. All of us have several accounts across the internet, whether they be social network accounts, shopping accounts or bank account. All have a lost password recovery feature. One may ask you for the last 4 digits of your credit card and another site may ask you for the first four digits. A savvy hacker will search that out and use it against you.

Once a data breach has occurred, local law enforcement and FBI are who you want to work with, but if you believe you are being hacked, the US Secret Service is who you want to work with. There are over 30 offices of secret service able to help if you believe you are being hacked.

  • This field is for validation purposes and should be left unchanged.