Managing Healthcare Security & Privacy Risk

Gregory Michaels

April 23, 2014



Agenda

Introduction

Regulatory Landscape

Business Drivers

Information Security Frameworks

2014 Breach Report – Ponemon Institute

2014 Cyber Threat Report – SANS Institute / Norse

Information Security Management Program

Security and Privacy Strategic Guidelines

Questions

Proprietary and Confidential — Kroll 3

Regulatory Landscape

HIPAA, HITECH, the Omnibus Rule, and Meaningful Use

Office for Civil Rights (OCR)

Centers for Medicare & Medicaid Services (CMS)

Federal Trade Commission (FTC)

Federal Breach Notification Rule

State Breach Notification Rules


Business Drivers

Reputation

Confidentiality

» Protecting confidential information

Availability

» Ensuring the accessibility of patient information

Integrity

» Ensuring the accuracy and reliability of patient information for treatment decision making

Financial


Common Security Framework

Healthcare Security (and Privacy) Framework

» HITRUST (http://www.hitrustalliance.net/csf/hitrust_central_information.php)

» 13 Security Control Categories

» 42 Control Objectives

» 135 Control Specifications

Aligned with HIPAA Security Rule, NIST 800-53, ISO 2700x, COBIT, PCI-DSS and others

Cyber Security Threat Intelligence and Incident Coordination Center (C3) (http://www.hitrustalliance.net/c3/)

Other Frameworks

ISO 2700x

PCI-DSS

COBIT

NIST SP 800-53 (security and privacy controls), SP 800-30 (risk assessment), SP 800-66 (implementing the HIPAA Security Rule)

NIST Cybersecurity Framework

OCR Audit Protocol

Breach Report – Ponemon Institute (slides 7 to 14; chart slides, figures not reproduced in this text)

Cyber Threat Report – SANS / Norse (slides 15 to 17; chart slides, figures not reproduced in this text)

Information Security Management Program

Security and Privacy Risk Profile

Continuous process for assessment and remediation

» Use a framework for guidance

» Evaluate internal and external risks

Executive Communication

Proactive Monitoring, Audit and Testing

Third Party Risks

Incident Management Program


Security and Privacy Strategic Guidelines

Simplify the program

Integrate and Collaborate with Stakeholders

Make it manageable and measure results

Proactive Partnership

Learn and Understand the organizational risk profile

Educate and Empower

Gregory Michaels

Associate Managing Director

Kroll Cyber Security

[email protected]

201-978-1546