Anatomy of a Data Breach: What to Do When the Unthinkable Occurs

This is a SmartTraining LLC presentation on data breaches on behalf of the Texas Dental Association.

Shawn Tuma

on 25 October 2013


Transcript of Anatomy of a Data Breach: What to Do When the Unthinkable Occurs

Anatomy of a Data Breach: Why should I care about data breach?

Shawn E. Tuma
d. 469.635.1335
m. 214.726.2808
Copyright 2013
Anatomy of a Data Breach: What To Do When The Unthinkable Occurs
Brought to you by: Texas Dental Association, Smart Training LLC
Presented by: Shawn E. Tuma
2011 - The Story of the Year
Data Breach
Identity Theft

Data is the currency of choice for the 21st Century
Everybody wants it
Google, Facebook, $.99 Apps ... seriously?
Big Data, Reward Cards, Surveys, etc.
NSA / Edward Snowden / Julian Assange
Data is more valuable than money
Data is more valuable for both honest and dishonest "business"
Let's focus on dishonest
Fraud 2.0 = computers are the most efficient tools for fraud ("old crimes committed in new ways")
How is the data obtained?
Spear phishing, hacking, data theft, computer worms, key-loggers, Trojan horses, malware, denial of service attacks
The "Dark Net"
The black market of the Internet
what can you find for sale?
military weapons - the real ones like army tanks and rocket launchers
fake identification documents
illegal drugs
stolen money
prostitution and gambling
How does the Dark Net work for stolen data?
The Dark Net uses the "Tor network", which allows for concealed identities (i.e., hidden IP addresses) and anonymous transfers of money
Stolen data is packaged in bulk and sold in a single "dump" without knowing what it is or how valuable it may be
Like sales of bad debt, written off loans, collection files, etc.
Bulk sales mean all data has some value
Who is doing this?
China, Russia, former Eastern Bloc countries (individuals and government agents)

Organized crime - mostly

Hacking groups (Anonymous, LulzSec)


Kids in their parents' basements
How do they do it?
Why are they doing it?
Why am I telling you all of this?
Every organization -- especially smaller organizations --
thinks ...
it won't happen to me
my organization is too small to be worth it
the data my organization has is not important enough to be valuable
we have anti-virus software and a firewall
we have a good IT staff
data breaches only happen to organizations that are careless
The Third Annual Benchmark Study on Patient Privacy and Data Security reveals that 94 percent of healthcare organizations surveyed suffered at least one data breach during the past two years. (Ponemon Institute, Dec. 2012)
It is a matter of supply and demand
Supply and demand means you will be attacked
Cybercrime is one of the fastest growing enterprises -- especially for organized crime
From 2011 to 2012 there was a 42% increase internationally in targeting smaller businesses over larger ones (Symantec), because smaller businesses have:
relatively, a higher value of data, and
a lack of adequate security practices and infrastructure
What are they usually going after?
Financial data
Personal data
Intellectual property
Business information
Customer information
(notice anything missing?)
Protected Health Information
Why Should I Care about data breach?
Your practice's data is valuable to cybercriminals
Your practice will be attacked
Your practice's data will most likely be compromised
You will be required to report the breach under substantial pressure and in a very short time frame
Your practice will come under very intrusive scrutiny for what you did to prepare for and lessen the risk of a breach, how you responded, and what steps you then took to lessen the risk of another breach
Not being proactive is being careless
Planning and preparation can reduce your risk
This means having an understanding of what is required
Industry Standards
2 General Types for Dental Practices
General data breach laws (i.e., not healthcare specific)

Healthcare privacy laws
Consequences of a data breach
compromise and loss of data
lost productivity, administrative burden, distraction
loss of trust
bad publicity
reporting and notification costs and burdens
credit monitoring and remediation
claims and lawsuits from the data subjects
fines and penalties from governments, agencies, industry groups
increased scrutiny of data security practices
Cybercrime isn't the only cause of data breach
mobile devices, tablets, laptops
thumb drives
stolen servers
improperly decommissioned hardware
staff theft
lack of awareness and training of staff
General Data Breach Laws and Rules
International laws vary

No Federal general breach notification law (yet)

Texas law
Notification Required Following Breach of Security of Computerized Data (Tex. Bus. Comm. Code sec. 521.053)
amended by SB 1610 (eff. 6/14/13)

State laws
46 States have general breach notification laws (not AL, KY, NM, SD)
Massachusetts is an oddball
45-day response deadline (FL, OH, VT, WI) or "expeditious" / "without unreasonable delay"
Consumers + State Attorney General
TX patient moves to MA = MA law applies

Industry standards (FINRA, PCI)
Healthcare Privacy Laws, Rules, and Regulations
HHS' Final Rule Modifying the HIPAA Privacy, Security, Enforcement and Breach Notification Rules (Omnibus Rule)
(eff. 9/23/13)

Health Insurance Portability and Accountability Act (HIPAA)

Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)

Texas Medical Records Privacy Act
amended by HB 300 (eff. 9/1/12)
amended by SB 1609 (eff. 6/14/13)
Notification Required Following Breach of Security of Computerized Data
applies to most Texas businesses, including healthcare providers, and requires the use of reasonable procedures to protect "sensitive personal information" (SPI)

a compromise of computerized data that is SPI is a "breach of system security" and requires notification to all consumer data subjects

breach means taking, accessing, or compromising confidentiality or integrity

SPI means
“an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted”
Social Security number, driver’s license number or other government issued identification number, account or card numbers combined with the required access or security codes
Also included is information that identifies an individual and relates to their health condition, the provision of healthcare, or payment for healthcare

The notification must be given to
all individual data subjects
as quickly as possible after it has been determined that an individual’s sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person (exceptions for restoring system integrity and for law enforcement requests)

The penalty for failing to comply with this notification requirement is a civil penalty of up to $100.00 per individual for each day of delay, not to exceed $250,000 for a single breach

if the SPI is encrypted,
there is no breach unless the person breaching also has the decryption key
Responding to a Breach -- Execute the Response Plan
Contact attorney (privilege)
Assemble the Response Team
Contact forensics
Contact notification vendor
Investigate breach
Remediate responsible vulnerabilities
Reporting and notification
Law enforcement
Individuals, state AGs, Secretary of HHS, agencies, industry groups, credit reporting agencies
Preparation Overview: Non-Omnibus Rule Specific
Breach Response Plan
Goal = execute!
who, what, when, how
attorney > privilege
adopted notification form

Educate staff and Breach Response Team
HIPAA and TMRPA mandatory training
Breach Response Team on response plan and procedures

IT security audit and penetration testing

Compliance audit
HIPAA, PCI, etc.

Cyber insurance
Prevention Overview
Software and systems updates

Remediate vulnerabilities discovered

Implement Omnibus Rule Compliance Steps

Encrypt all PHI and SPI (at rest and in motion)

System and data surveillance and IT alerts
cyber counter-intelligence / counter-espionage
IT alerts
Key Security Issues Under Texas Act and Omnibus Rule
Texas Medical Records Privacy Act
Mandatory employee training (TX Act)

Omnibus Rule
Business Associates expansion and BA Agreements

Safe Harbor / Encryption

The Security Rule Gap Analysis, etc.
Mandatory Employee Training
Section 181.101 of the Texas Health and Safety Code (as amended by S.B. 1609, eff. 6/14/13):

"(a) Each covered entity shall provide training to employees of the covered entity regarding the state and federal law concerning protected health information as necessary and appropriate for the employees to carry out the employees' duties for the covered entity."

employee must complete training within 90 days of hire

if a material change in state or federal law concerning PHI affects the employee's duties, the employee must complete training on the changes (a) within a reasonable time but (b) no later than 1 year after the effective date of the change

employer must maintain written verification of completion of training for 6 years
Business Associate Expansion and BA Agreements
What is a Business Associate?
A "business associate" is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.
What was the major change with Business Associates in the Omnibus Rule?
The Omnibus Rule now treats subcontractors of business associates that create, receive, maintain, or transmit (i.e., have any access to) PHI as business associates themselves. "Conduits", however, are not.

Business associates are now directly responsible (and directly liable, in addition to contractually liable) for compliance with the Privacy Rule and Security Rule.

Business associates must have business associate agreements with their subcontractors who, now, are also considered business associates who must have business associate agreements with their subcontractors, ad infinitum.

The business associate agreements must ensure that the downstream business associates will maintain the same protections over the PHI as did the covered entity from which it originated.

Why? To protect the PHI as far down the chain as the information flows.
What Does This Business Associate Change Mean to Your Practice?
On or before September 23, 2013, your practice must:
Review and update all business associate agreements to ensure they reflect the new obligations under the Omnibus Rule, and obtain the required "satisfactory assurances" that all downstream business associates will comply.

Ensure all of your business associates are aware of the new Omnibus Rule requirements and understand your obligations and their obligations, as business associates, especially with regard to subcontractors who have access to PHI, from whom they too must obtain "satisfactory assurances" of compliance.
What Should a Business Associate Agreement Do?
Establish the permitted and required uses and disclosures of PHI by the BA;

Provide that the BA will not use or further disclose the PHI other than as permitted or required by the contract or as required by law;

Require the BA to implement appropriate safeguards to prevent unauthorized use or disclosure of the PHI, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI;

Require the BA to report to the covered entity any use or disclosure of the PHI not provided for by its contract, including incidents that constitute breaches of unsecured PHI;

Require the BA to disclose PHI as specified in its contract to satisfy a covered entity's obligation with respect to individuals' requests for copies of their PHI, as well as make available PHI for amendments (and incorporate any amendments, if required) and accounting;

To the extent the BA is to carry out a covered entity's obligation under the Privacy Rule, require the BA to comply with the requirements applicable to the obligation;

Require the BA to make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of, the covered entity, for purposes of HHS determining the covered entity's compliance with the HIPAA Privacy Rule;

At termination of the contract, if feasible, require the BA to return or destroy all PHI received from, or created or received by the BA on behalf of, the covered entity;

Require the BA to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the BA with respect to such information; and

Authorize termination of the contract by the covered entity if the BA violates a material term of the contract.
Safe Harbor / Encryption
What is a breach?
A breach is an impermissible use or disclosure of PHI that compromises the security or privacy of the PHI such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

Breach of Unsecured PHI
Covered entities and business associates are only required to notify of a breach if the PHI was unsecured, i.e., not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of acceptable technology or methodology.

The acceptable technology or methodology is provided in the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (the Guidance) where, in accordance with the specifications set forth in the Guidance:

encryption of data at rest, where the key is neither compromised nor stored on the same device or at the same location as the data it is used to encrypt or decrypt;

encryption of data in motion; or

electronic media upon which PHI was stored has been cleared, purged, or destroyed.
What is a breach where the PHI is not unsecured?
Where the PHI is not unsecured, a breach is presumed (with all of the notification requirements) and the burden of proof is on the covered entity or business associate to perform a risk analysis to determine whether the PHI has been compromised, requiring notification. The following 4 factors must be considered:

The nature and extent of the PHI involved in the incident (e.g., whether the information is sensitive information like social security numbers or infectious disease test results);

The recipient of the PHI (e.g., whether another physician received the PHI);

Whether the PHI was actually acquired or viewed; and

The extent to which the risk has been mitigated following unauthorized disclosure (e.g., whether it was immediately sequestered and destroyed).
Omnibus Rule Compliance Steps
Risk Analysis.
Conduct a risk analysis to determine what specific risks your practice faces by examining the circumstances that leave it open to unauthorized access and disclosure of ePHI.

Security Analysis.
Conduct a security analysis to determine what security measures are already in place or could reasonably be put into place to minimize the risk of unauthorized access and disclosure of ePHI maintained by your practice.

Gap Analysis.
Conduct a gap analysis to determine inadequacies in your privacy, security, and notification response policies and your business associate agreements, to determine what policies, procedures, and agreements you need to update or implement in light of the changes mandated by the Omnibus Rule as well as changes in technology.

Implement and update the security measures, policies, agreements, and procedures that have been identified through the 3 stages of analysis discussed above.

Document Decisions.
The rationale for decisions to implement or not implement certain security measures, policies, agreements, procedures and solutions that have been identified as needed must be documented.
Who Is Liable for Business Associates?
Business associates are now directly responsible for their own noncompliance.

Covered entities and upstream business associates are not responsible for their downstream business associates' noncompliance.

Business associates will be contractually liable to upstream covered entities or business associates for breaches of the business associate agreement.

However, federal common law agency principles will determine whether upstream covered entities or business associates will be responsible for the negligence of downstream business associates (i.e., "deep pockets" will get sued virtually every time)
"An ounce of prevention is cheaper than the first day of litigation [or reporting to individuals, the AGs, the media, and the Secretary of HHS]"
Cost of Data Breach in 2012
$188.00 per lost record
$188.00 x "X" = $$$$$$$
"an ounce of prevention ... "
Small Practices Are Major Targets
Since 9/09, the HHS Office for Civil Rights has received more than
81,000 reports
of breaches of PHI affecting fewer than 500 patients.