Computer Security and the “H” word
Glen Klinkhart, CEO
Mike Messick, CTO

• Founded 2005
• Alaskan Owned and Operated
• Information Security Consulting
• Consulting for Compliance and Best Practices
• Information Risk Assessment and Network Testing
• Security Research, Design & Testing
• Incident Response & Investigations
• Forensics & Network Investigations
• Court-proven, Certified Investigators
• Cutting-edge Online Investigative Techniques

THE WORD

Why should we care about privacy in our business?

“Because it’s the right thing to do. Nobody likes that feeling of violation when private information about them is no longer private. No one wants to visit a doctor who blabs about their health condition. Providers must protect electronic information as an extension of patient confidentiality.” - DigitalSecurus

REDACTED: This slide has been redacted due to its proprietary or copyrighted work product.

REDACTED: This slide has been redacted due to its proprietary or copyrighted work product.

“PAST practices do not mean BEST practices” - Glen Klinkhart

Top 10 Assessment Findings in Alaska
1. No risk analysis performed to date
2. No electronic security management plan
3. No physical security management plan
4. Insufficient policies for security best practice and compliance
5. Data at rest not encrypted, no compensating controls
6. Data not encrypted on high-risk ePHI assets (laptops, etc.)
7. Backups not encrypted
8. No security training program
9. No log collection, monitoring, or alerting for appropriate usage and security events
10. No incident response or data breach reporting procedures

Best Practices is HIPAA (in some cases it’s better!)
Don’t assume compliance runs contrary to profitability.

Risk Management
Mitigating risk is found in all three roles: Practitioner, Manager and Owner. The entire staff also plays a role. It is the culture of your business.

What do we see?
“The EMR was supposed to solve our problems.”
• Fragmented implementation
• Theft
• Security assessments are misperceived
• Major implementations facilitated by office staff with a full-time job description
• Misconception that security is in the hands of your IT Administrator

What do we see?
• No proper policies and procedures in place
• No security management plan
• No security assessment
• No proper logging
• No log reviews
• No proper encryption
• Security is left up to the IT department

REDACTED: This slide has been redacted due to its proprietary or copyrighted work product.

Security must be a culture
It is NOT a checklist
• It is not I.T.’s job
• It is everyone’s responsibility, EVERY DAY
• Training and education must be ongoing
• Assessments must occur yearly
• New equipment/upgrade risks must be mitigated
• Vendors must be held to their “promises”
• Always prepare for the “worst case scenarios”

Bad stuff will happen
You have fire insurance, don’t you?
You have malpractice insurance, don’t you?
How many of you have cyber insurance???

Areas of Planning
• Policies and procedures
• Employee training
• Log monitoring, alerting
• Proper EMR administration and privileges
• Security of hardware, software
• Frequency of security assessments
• Misconception that you are secure because you have a web-based application
• Incident response

It all starts with policies
Policies and procedures are the basis for EVERYTHING
They are also the “low hanging fruit”

Incident Response
If you think meeting security requirements is expensive:
• Data loss is estimated at $210 per record
• Cost of lost patient confidence?
• Cost of bad publicity?
• Cost of incident response/investigation
• Legal costs
• Do you or your clients have cyber breach insurance?

High Level Security Assessment
3-part entry-level assessment
• 250-question assessment
• External network scan
• Internal network analysis

What about Law firms?
Do you handle medical clients???
• Doctors
• Physician assistants
• Nurses
• Administrators
• Hospitals or clinics

What about Law firms?
• Do you have any P.I.I. (Personally Identifiable Information) at your practice???
• At least two identifying kinds of information:
  • Name
  • Address
  • DOB
  • SSN

Questions???
Mike Messick
Glen Klinkhart
(907) 334-9090
P.O. Box 242334, Anchorage, Alaska
[email protected]