Donna shares information from the NIST/OCR HIPAA Security Conference 2016. It is held each year in Washington DC on Safeguarding Healthcare Information. Sitting in via the webcast Donna enjoyed hearing the nerdy stuff, as always.
Learn what she thought was interesting enough to share with you in this episode of Help Me With HIPAA.
HIPAA Security Conference 2016 topics included:
Digital Identities in Health
Business Associate Liability and Other Issues
Addressing Healthcare Cybersecurity Challenges through Standards-based Solutions
Updates from the Office of the National Coordinator for Health Information Technology
Updates from the Health Care Industry Cybersecurity Task Force
Best Defense Tactics Against Ransomware
An Update from the Federal Trade Commission
Update on OCR’s Compliance and Enforcement Activities
Speakers from HHS / OCR included:
Jocelyn Samuels – Director
Deven McGraw, Deputy Director, Health Information Privacy
Iliana Peters, Senior Advisor, Compliance and Enforcement
Lucia Savage, Chief Privacy Officer, HHS Office of the National Coordinator for Health Information Technology
Steve Curren, Director, Division of Resilience, Office of Emergency Management, HHS Assistant Secretary for Preparedness and Response
NIST Speakers included:
Phil Lam, National Strategy for Trusted Identities in Cyberspace
Gavin O’Brien, National Cybersecurity Center of Excellence
Jeff Cichonski, Applied Cybersecurity Division
ONC and FTC speakers included:
Cora Han, FTC Division of Privacy and Identity Protection
Donna’s Session Notes
More breaches are being reviewed, and the Advocate settlement may not end up being the largest
Advocate failed on a long list of issues, including an unencrypted laptop left in an unlocked car
Looking for digital ID options like one strong login followed by tap cards
No matter what you use for authentication, do risk assessments often
You can’t just give strong IDs to doctors; the staff needs them too
Docs don’t want to have their face in the computer – eye contact matters
NIST CSF to HIPAA crosswalk: only 19 of 98 elements are met
You’re batting .194
Imagine your kid bringing home a test score of 19
Weak passwords account for a large number of major breaches
We are looking at HIPAA 3.0 coming soon – security guidance is definite for 2017
New guidance being worked on now covers:
Social media
Text messaging
Sharing PHI with friends / family, prompted by the Orlando issues
Breach totals this year will be huge: 17K to 24K breaches
Quotes of note from speakers and panel members:
Trust is essential in healthcare – J Samuels
Some breaches are like a canary in a mine – J Samuels
Average time spent in a single patient account is 45 seconds
HIPAA security enforcement requires a carrot and stick approach
Cybersecurity prophylaxis = counter measures
We don’t like being ignored! – several OCR representatives
BAs are big concerns for everyone
A new generation of BAAs is coming, with vetting and specific responsibilities
Be sure to vet your high-risk BAs
Don’t give 100K patient records to “some guy with a computer in his basement”
Worry more about smaller, less established BAs
Assessment must be done pre-engagement, and someone with tech skills should ask or review the questions
Template BAAs will fall by the wayside – much more is required based on the relationship
Evaluate CIA – all of it – Availability matters – no holding PHI hostage for payment
Often a shared responsibility
Auditing is not required, but you will sometimes need to know “what did you know and when did you know it”
You don’t have to turn over every rock, but you also can’t say “not my problem”
Overseas BAs should be well vetted – check that country’s laws
If they are willing to send you their complete risk analysis you should worry – that is supposed to be a highly confidential document
Lots of ransomware discussions
Our ransomware and HIPAA episode
Computer hygiene matters
Need for a cyber “neighborhood watch” to tell others what is happening
Malvertising
Smartphones locked at the lock screen until the ransom is paid
If you pay, they know you are vulnerable and may demand more or attack you again
Ransomware can also drop keyloggers and backdoors – are you sure they are out?
Have a plan or you will be in big trouble
Medical devices are a big issue
One group’s assessment of medical devices found:
6K devices
4K attached to the network
400 different models
from 100 different vendors
Many medical devices have no encryption option – only around 5% do
Disposal and servicing of devices require a BAA
Ask how long the vendor will support the devices you buy – some still run Windows XP or 7
That is enough for now – we haven’t covered it all. The next topics are the status of OCR audits and enforcement activity. Those will get their own episode next week, so we will have a HIPAA Security Conference 2016 part 2!
Links to Relevant Information or Mentioned Episodes