HIPAA Security Conference 2016 topics included:

• Digital Identities in Health
• Business Associate Liability and Other Issues
• Addressing Healthcare Cybersecurity Challenges through Standards-based Solutions
• Updates from the Office of the National Coordinator for Health Information Technology
• Updates from the Health Care Industry Cybersecurity Task Force
• Best Defense Tactics Against Ransomware
• An Update from the Federal Trade Commission
• Update on OCR’s Compliance and Enforcement Activities
• An Update from the Federal Trade Commission

Speakers from HHS / OCR included

• Jocelyn Samuels – Director
• Deven McGraw, Deputy Director, Health Information Privacy
• Iliana Peters, Senior Advisor, Compliance and Enforcement
• Lucia Savage, Chief Privacy Officer HHS Office of the National Coordinator or Health Information Technology
• Steve Curren, Director, Office of Emergency Management, Division of Resilience HHS Assistant Secretary for Preparedness and Response

NIST Speakers included:

• Phil Lam,National Strategy for Trusted Identities in Cyberspace
• Gavin O’Brien, National Cybersecurity Center of Excellence
• Jeff Cichonski, Applied Cybersecurity Division

ONC and FTC

• Cora Han, FTC Division of Privacy and Identity Protection

Donna’s Session Notes

• More breaches being reviewed and Advocate settlement may not be the largest
• Advocate failed a long list of issues including an unencrypted laptop left in an unlocked car
• Looking for digital ID options like one tough login and then tap cards
• No matter what you use for auth to risk assessments often
• Can’t just give strong IDs to doctors but the staff needs them too
• Docs don’t want to have their face in the computer – eye contact matters
• NIST CSF to HIPAA crosswalk only meeting 19 of 98 elements
  • You’re batting .194
  • Your kid brings home a test score of 19
• Weak passwords account for a large number of major breaches
• We are looking at HIPAA 3.0 coming soon – security guidance definite for 2017
• New guidance being worked on now
  • Social media
  • Text messaging
  • Sharing PHI with friends / family due to Orlando issues
• Breach totals this year will be huge 17K to 24K breaches

Quotes of note from speakers and panel members:

• Trust is essential in healthcare – J Samuels
• Some breaches are like a canary in mine – J Samuels
• Average time in a single patient account is 45 seconds
• HIPAA security enforcement requires a carrot and stick approach
• Cybersecurity prophylaxis = counter measures
• We don’t like being ignored! – several OCR representatives

BAs are big concerns for everyone

• New generation of BAAs coming with vetting and specific responsibilities
• Be sure to vet your high risk BAs
  • Don’t give 100K patient records to “some guy with a computer in his basement”
• Worry more about smaller less established BAs
• Assessment must be done pre-engagement and someone with tech skills to ask or review questions
• Template BAAs will fall by the wayside – too much more required based on relationship
• Evaluate CIA – all of it – Availability matters – no holding PHI hostage for payment
• Often a shared responsibility
• Auditing not required but you will sometimes need to know “what did you know & when did you know it”
• You don’t have to turn over every rock but you also can’t say not my problem.
• Overseas BAs should be well vetted – country laws
• If they are willing to send you their complete RA you should worry – that is supposed to be a highly confidential doc

Lots of ransomware discussions

• Our ransomware and HIPAA episode
• Computer hygiene matters
• Need for a cyber “neighborhood watch” to tell others what is happening
• Malvertising
• Smartphones with lock screen until ransom is paid
• If you pay they know you are vulnerable and may pay more or be attacked again
• Ransomware can also drop off key loggers and back doors – are you sure they are out
• Have a plan or you will be in big trouble

Medical devices are a big issue

• One group’s assessment of med devices
  • 6K devices found
  • 4k attached to network
  • 400 different models
  • by 100 different vendors
• Many med devices have no encryption option – only around 5% do
• Disposal and service of devices require a BAA
• Ask how long they will be supporting devices that you buy – some have XP or 7 still