Data Breach

Report
David Ashley, CISA, CISM, CBCP, CRISC, CHP
Office of the Mississippi State Auditor
Director, IT Audit Section
October 2, 2014




Agencies Reporting Responsibilities
Financial – CAFR
Compliance – Federal Funds
Statewide Single Audit
2






Administrative Services Division
Property Audits Division
Technical Assistance Division
Information Management Division
Financial and Compliance Audit Division
Investigative Division
3

Financial and Compliance Audit Division
Information Systems Section – Performs IS audits at both
State Agencies and Counties
 Agency Audit Section – Performs Agency Audits
 County Audit Section – Performs County Audits
 Contract Audit Review Section- Reviews CPA reports for
both School Districts and County Governments


Investigative Division
 Investigative Accounting Section
 Investigative Enforcement Section
4








HIPAA Privacy and Security Rules (as amended by
HITECH Act)
Security Breach Notification Laws (46 States, DC, PR,
and VI)
Payment Card Industry – Data Security Standard
Federal Trade Commission – Red Flags Rule
Federal Trade Commission – Disposal Rule
Federal Information Security Management Act of 2002
Multiple Federal Privacy Bills Introduced Each Year
Whitehouse Consumer Privacy Bill of Rights (February
2012)
5








Family Educational Rights and Privacy Act (FERPA)
Children’s Online Privacy Protection Act (COPPA)
Gramm-Leach-Bliley Act (GLBA)
Health Information Technology for Economic and
Clinical Health (HITECH) Act
Part 2 – Confidentiality of Alcohol and Drug Abuse
Patient Record Regulation (Part 2)
Sarbanes Oxley (SOX)
State Laws and Regulations
Section 5 of FTC Act for companies who store consumer
information on the cloud (Unfair Practices Act)
6

European Union (EU) Directive on Data Protection
of 1995
 Some information of residents of EU cannot be stored
outside the EU


Australia’s Privacy Laws
Canada’s Privacy Laws
7




Electronic Communications Privacy Act (ECPA)
Stored Communications Act (SCA)
USA Patriot Act (including National Security
Letters; FISA warrants)
Warrants and Subpoenas (Generally - eDiscover y)
8

Federal Laws and Regulations:






Healthcare (HIPAA and HITECH)
Educational institutions (FERPA and COPPA)
Financial institutions (GLBA)
Publicly traded companies (SOX)
Entities cannot generally contract away its
obligations to comply with these
Some regulations, however, require an entity to pass
obligations to cloud providers by contract (e.g.,
HIPAA)
9





Protects electronic communications while in transit and
while held in storage
No One Thinking of Cloud Computing When Enacted
(1986)
Problems arise on how to characterize activity involved
in cloud computing
Gives different levels of protection to electronic data
based on “electronic storage” or “remote computing”
For example, information older than 180 days that is
stored on a “remote computing service” is subject to
government search with just an administrative
subpoena
10




Allows FBI to access certain business records with a
court order
Also provides for use of National Security Letters
(form of administrative subpoena) to obtain records
Law limits ability of cloud providers to reveal that
they received an order
Cloud users may not even know about a disclosure
11





Who owns data on the cloud?
Can a cloud provider use the data for its own
purposes? (De-identified or aggregated?)
When and under what circumstances can the
customer obtain a copy of information stored on the
cloud?
What obligations does the provider have to assist in
the transition when the customer leaves the cloud?
What happens when service to the cloud is
interrupted?
12

Major cloud computing privacy concerns:
 Compelled disclosure to the government
 Information stored in the cloud is subject to different
protections than information stored in-house
 Data security and disclosure of breaches
 Generally, how does a cloud provider protect a customer’s
data?
 When the law imposes data security requirements on a
customer, how can the customer ensure its compliance when
storing information on the cloud?
 If the cloud’s security is breached, must the cloud give notice
of the breach?
13

Transfer of, access to, and retention of data
 Will companies and consumers have access to data on the
cloud? Can the cloud confirm the destruction of data or
return it?

Location of data
 The physical location of the server storing the data may
have legal implications

Consumer notice and choice
 For companies who will store consumers’ data on the cloud
14




Federal Rules of Civil Procedure Related to Discovery
and Electronically Stored Information
If lawsuit or think that one might be filed must stop
deleting “electronically stored information” (ESI)
ESI includes emails, logs, cache and temporary Internet
files, digital recordings, voice mails, spreadsheets,
telephone logs (anything electronic)
Data Retention Policy should address backup purge
cycle, when such automatic processes should be put on
hold
15




49 States, DC, Puerto Rico, Guam, and Virgin Islands
States that don’t have include New Mexico, South
Dakota, and Alabama
Mississippi (75-24-29) enacted July 1, 2011
Name or first initial and last name in combination with
any one or more of the following data elements: Social
security number; Driver's license number or state
identification card number; or an account number or
credit or debit card number in combination with any
required security code, access code or password that
would permit access to an individual's financial
accounts
16




Myriad of State Laws Makes Compliance Difficult
Some states like Massachusetts require adherence to
law if you store information of citizen of that state
(This has not been tested in court yet for
government entity)
Florida just passed law that modeled after HIPAA
where fines can be levied by state
Will eventually be a federal law (introduced
multiple times each year)
17



Feb., 2014 – Puerto Rico Levied 6.8M Fine on
Insurer Triple-S Management for HIPAA violatins
Mailing of pamphlet that included Medicare health
claim number
Represents $500 fine per individual (13,336
individuals) plus $100,000 for failure to cooperate
18

Major cloud computing privacy concerns:
 Compelled disclosure to the government
 Information stored in the cloud us subject to different
protections than information stored in-house
 Data security and disclosure of breaches
 Generally, how does a cloud provider protect a customer’s
data?
 When the law imposes data security requirements on a
customer, how can the customer ensure its compliance when
storing information on the cloud?
 If the cloud’s security is breached, must the cloud give notice
of the breach?
19



Was developed to encourage and enhance
cardholder data security and facilitate the broad
adoption of consistent data security measures
globally
Provides a baseline of technical and operational
requirements designed to protect cardholder data
Applies to all entities involved in payment card
processing – including merchants, processors,
acquirers, issuers, and service providers, as well as
all other entities that store, process or transmit
cardholder data
20
21
1. Complete the Report on Compliance (ROC) according to the
section above entitled ―Instructions and Content for Report
on Compliance.
2. Ensure passing vulnerability scan(s) have been completed by
a PCI SSC Approved Scanning Vendor (ASV), and obtain
evidence of passing scan(s) from the ASV.
3. Complete the Attestation of Compliance for Service
Providers or Merchants, as applicable, in its entirety.
Attestations of Compliance are available on the PCI SSC
website (www.pcisecuritystandards.org).
4. Submit the ROC, evidence of a passing scan, and the
Attestation of Compliance, along with any other requested
documentation, to the acquirer (for merchants) or to the
payment brand or other requester (for service providers).
22







Damage to or loss of data
Damage to reputation
Loss of customers
Loss of debit/credit card acceptance privileges
Breach notification costs
Litigation costs
Fines and incarceration
23

Target (40 million payment card numbers and
another 70 million customer records

Russian hackers stole over a billion sets of
credentials (User IDs and passwords)

Home Depot (56 Million payment cards)

Community Health Systems – 2nd Largest Loss of
Data under HIPAA ( 4.5 million)
24





Target was Complaint with PCI DSS
South Carolina was Compliant with IRS Guideline
by not encrypting social security number
Must use common sense
Keep up with the news (Get your head out of the
sand and stop hitting the snooze button)
Get management’s attention (Make them a part of
the education of staff)
25








Iowa Department of Human Services
Illinois Dept. of Healthcare and Family Services
California Correctional Healthcare Services
North Carolina Dept. of Health and Human Svcs.
Indiana Family and Social Services Administration
Wyoming Dept. of Health
South Carolina Health Insurance Pool
New Jersey Dept. of Human Services
26

To Individuals:
 Must notify without unreasonable delay
 No later than 60 calendar days after discovery of a breach

To HHS (500 or more individuals)
 Must notify without unreasonable delay
 No later than 60 calendar days after discovery of a breach

Less than 500 individuals
 Notify no later than 60 days after the end of the calendar year in
which the breaches were “discovered,” not in which the breaches
“occurred”
27
28







Alaska Medicaid – ($1.7M) Possible Patient Data Breach
for Theft of Thumb Drive
Blue Cross, Blue Shield of Tennessee ($1.5M)
Unencrypted Hard Drives Stolen
UCLA Health System ($865,000) – Access to Celebrity
Health Records by Employees
Massachusetts General Hospital ($1M) – Loss of 192
Patient Records
Cignet Health ($4.3M) – Denying Access to Health
Records for 41 patients
CVS Pharmacy ($2.2M) – Dumpster FTC and HHS
Affinity Health Plan ($1.2M) - Photocopier
29

Covered Health Care Providers
 Covered Entities: A healthcare provider that electronically
bills Medicare or other insurance companies, or a payer
(Medicare, Medicaid, private insurance, or self-insurer).
 Business Associates: A person or entity that comes in
contact with protected health information while
performing services for a covered entity.
 Subcontractors: Persons or entities that come in contact
with protected health information while performing
services for a covered entity.


Health Plans
Clearinghouses (Processes Claims)
30




HIPAA allows fines as well as civil action by state
Attorney Generals
Civil action prominent with identity theft and credit
card victims
Credit monitoring standard consequence
Career
 Ask yourself the question – what would a data breach at my
agency under my watch do to my career (We feel like the
Biblical prophets warning Israel about the consequences of
its rebellion – DESTRUCTION))
31







$100 – $50,000: Did not know and would not have
known
$1000 – $50,000: Reasonable cause to know
$10,000 – $50,000 : Willful neglect, timely correction
(30 days)
$50,000 : Willful neglect NOT corrected
$1.5 million: Cap for identical violations during a
calendar year
Reasonable cause – knew, or by exercising reasonable
diligence would have known, the act or omission was a
violation, but did not act with willful neglect
Willful neglect – conscious, intentional failure or
reckless indifference to the obligation to comply
32





Largest HIPAA settlement to date
New York and Presbyterian Hospital and Columbia
University
Disclosure of ePhi of 6800 patients
Physician application developer from CU that
worked for both entities deactivated personallyowned server on network
Resulted in ePHI being accessible to Internet search
33
1. Names;
2. Geographical subdivisions smaller than a state;
3. All elements of dates;
4. Names;
5. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code.
**************Remember the “Minimum Necessary” guidelines***************
34


Application of HIPAA Rules to Business Associates (“BA”) and
Subcontractors
Updated Definition of Business Associate
 Minimum Necessary Rule
 Required to Take Reasonable Steps to Cure Subcontractor Breach or Violation

Updated Business Associate Agreement (“BAA”)
 BA Must Obtain Satisfactory Assurance from Subcontractor
 Report Breach






Application of Compliance and Enforcement Provisions to Business
Associate
Updated Civil Monetary Penalties Provision
Breach Notification Requirements
Disclosures of PHI for Fundraising
Notice of Privacy Practices
Expanded Rights of Individuals
35



Covered Entities are required to obtain "satisfactory
assurances" (i.e., that their PHI will be protected as
required by the rules) from their BAs (SSAE 16, etc.)
Covered Entities are NOT required to obtain
"satisfactory assurances" with a BA that is a
subcontractor, but rather it is the BA that must
obtain these assurances
This "chain of assurances" (and liability) follow the
PHI wherever it leads and has widespread
ramifications including those related to breach
notification
36


As required by the HITECH Act, OCR issued Guidance on Risk Analysis
Requirements under the HIPAA Security Rule on 07/14/2010
No specific methodology was indicated but it did describe 9 elements:











Scope of the Analysis
Data Collection (i.e. an EPHI Inventory)
Identify and Document Potential Threats and Vulnerabilities
Assess Current Security Measures
Determine the Likelihood of Threat Occurrence
Determine the Potential Impact of Threat Occurrence
Determine the Level of Risk and List of Mitigating Actions
Finalize Documentation
Periodic Review and Updates to the Risk Assessment
Referenced NIST documents: SP 800-66, An Introductory Resource Guide for
Implementing the Health Insurance Portability and Accountability Act (HIPAA)
Security Rule
SP 800-30,Risk Management Guide for IT Systems
37




http://www.ncsl.org/issuesresearch/telecom/security-breach-notificationlaws.aspx - State Data Breach Laws
http://www.cms.gov/Regulations-andGuidance/HIPAA-AdministrativeSimplification/HIPAAGenInfo/index.html - HIPAA
http://www.nist.gov/itl/cloud/upload/NIST_SP500-291_Jul5A.pdf - NIST Cloud Guidelines
https://www.pcisecuritystandards.org/security_stan
dards/index.php - Payment Card Industry Data
Security Standards
38

NIST (National Institute of Standards and
Technology) Cloud Computing Standards Roadmap
by the U.S. Department of Commerce
 NIST Special Publication 500-291, Version 2

Covers areas such as standards, security,
accessibility, auditing, and compliance
39









Become familiar with the applicable laws and regulations
Revise policies and procedures to reflect regulations and
guidelines
Devise a tool for documentation of risk assessment
Schedule Penetration Test / Vulnerability Scan if needed
Security Plan
Disaster Recovery Plan Development and Test
Revise Business Associate Agreements and secure new
agreements
Revise training and train appropriate staff
Understand Applicable Laws and Standards (i.e. State
Security Breach Laws and PCI DSS)
40
David Ashley,
Office of the
Mississippi State Auditor
P.O. Box 956
Jackson, MS 39205
Ph: 601-576-2800
800-321-1275 (statewide)
[email protected]
Web: www.osa.ms.gov
41

similar documents