David Ashley, CISA, CISM, CBCP, CRISC, CHP
Office of the Mississippi State Auditor
Director, IT Audit Section
October 2, 2014

Agencies Reporting Responsibilities
- Financial – CAFR
- Compliance – Federal Funds
- Statewide Single Audit
(slide 2)

- Administrative Services Division
- Property Audits Division
- Technical Assistance Division
- Information Management Division
- Financial and Compliance Audit Division
- Investigative Division
(slide 3)

Financial and Compliance Audit Division
- Information Systems Section – performs IS audits at both State Agencies and Counties
- Agency Audit Section – performs Agency Audits
- County Audit Section – performs County Audits
- Contract Audit Review Section – reviews CPA reports for both School Districts and County Governments
Investigative Division
- Investigative Accounting Section
- Investigative Enforcement Section
(slide 4)

- HIPAA Privacy and Security Rules (as amended by the HITECH Act)
- Security Breach Notification Laws (46 States, DC, PR, and VI)
- Payment Card Industry – Data Security Standard
- Federal Trade Commission – Red Flags Rule
- Federal Trade Commission – Disposal Rule
- Federal Information Security Management Act of 2002
- Multiple Federal Privacy Bills Introduced Each Year
- White House Consumer Privacy Bill of Rights (February 2012)
(slide 5)

- Family Educational Rights and Privacy Act (FERPA)
- Children's Online Privacy Protection Act (COPPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Information Technology for Economic and Clinical Health (HITECH) Act
- Part 2 – Confidentiality of Alcohol and Drug Abuse Patient Record Regulation (Part 2)
- Sarbanes-Oxley (SOX)
- State Laws and Regulations
- Section 5 of the FTC Act for companies who store consumer information on the cloud (Unfair Practices Act)
(slide 6)

- European Union (EU) Directive on Data Protection of 1995: some information of residents of the EU cannot be stored outside the EU
- Australia's Privacy Laws
- Canada's Privacy Laws
(slide 7)

- Electronic Communications Privacy Act (ECPA)
- Stored Communications Act (SCA)
- USA Patriot Act (including National Security Letters; FISA warrants)
- Warrants and Subpoenas (generally – eDiscovery)
(slide 8)

Federal Laws and Regulations:
- Healthcare (HIPAA and HITECH)
- Educational institutions (FERPA and COPPA)
- Financial institutions (GLBA)
- Publicly traded companies (SOX)
Entities generally cannot contract away their obligations to comply with these. Some regulations, however, require an entity to pass obligations to cloud providers by contract (e.g., HIPAA).
(slide 9)

- Protects electronic communications while in transit and while held in storage
- No one was thinking of cloud computing when it was enacted (1986)
- Problems arise in how to characterize the activity involved in cloud computing
- Gives different levels of protection to electronic data based on "electronic storage" or "remote computing"
- For example, information older than 180 days that is stored on a "remote computing service" is subject to government search with just an administrative subpoena
(slide 10)

- Allows the FBI to access certain business records with a court order
- Also provides for use of National Security Letters (a form of administrative subpoena) to obtain records
- The law limits the ability of cloud providers to reveal that they received an order
- Cloud users may not even know about a disclosure
(slide 11)

- Who owns data on the cloud?
- Can a cloud provider use the data for its own purposes? (De-identified or aggregated?)
- When and under what circumstances can the customer obtain a copy of information stored on the cloud?
- What obligations does the provider have to assist in the transition when the customer leaves the cloud?
- What happens when service to the cloud is interrupted?
(slide 12)

Major cloud computing privacy concerns:
- Compelled disclosure to the government: information stored in the cloud is subject to different protections than information stored in-house
- Data security and disclosure of breaches:
  - Generally, how does a cloud provider protect a customer's data?
  - When the law imposes data security requirements on a customer, how can the customer ensure its compliance when storing information on the cloud?
  - If the cloud's security is breached, must the cloud give notice of the breach?
(slide 13)

- Transfer of, access to, and retention of data
  - Will companies and consumers have access to data on the cloud?
  - Can the cloud confirm the destruction of data or return it?
- Location of data: the physical location of the server storing the data may have legal implications
- Consumer notice and choice, for companies who will store consumers' data on the cloud
(slide 14)

Federal Rules of Civil Procedure Related to Discovery and Electronically Stored Information
- If there is a lawsuit, or you think that one might be filed, you must stop deleting "electronically stored information" (ESI)
- ESI includes emails, logs, cache and temporary Internet files, digital recordings, voice mails, spreadsheets, telephone logs (anything electronic)
- The Data Retention Policy should address the backup purge cycle and when such automatic processes should be put on hold
(slide 15)

- 49 States, DC, Puerto Rico, Guam, and the Virgin Islands
- States that don't have one include New Mexico, South Dakota, and Alabama
- Mississippi (75-24-29) enacted July 1, 2011
- Definition: name or first initial and last name in combination with any one or more of the following data elements: Social Security number; driver's license number or state identification card number; or an account number or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual's financial accounts
(slide 16)

- The myriad of state laws makes compliance difficult
- Some states, like Massachusetts, require adherence to their law if you store information of a citizen of that state (this has not been tested in court yet for a government entity)
- Florida just passed a law modeled after HIPAA where fines can be levied by the state
- There will eventually be a federal law (introduced multiple times each year)
(slide 17)

- Feb. 2014 – Puerto Rico levied a $6.8M fine on insurer Triple-S Management for HIPAA violations
- Mailing of a pamphlet that included the Medicare health claim number
- Represents a $500 fine per individual (13,336 individuals) plus $100,000 for failure to cooperate
(slide 18)

PCI DSS:
- Was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally
- Provides a baseline of technical and operational requirements designed to protect cardholder data
- Applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data
(slide 20)

1. Complete the Report on Compliance (ROC) according to the section above entitled "Instructions and Content for Report on Compliance."
2. Ensure passing vulnerability scan(s) have been completed by a PCI SSC Approved Scanning Vendor (ASV), and obtain evidence of passing scan(s) from the ASV.
3. Complete the Attestation of Compliance for Service Providers or Merchants, as applicable, in its entirety. Attestations of Compliance are available on the PCI SSC website (www.pcisecuritystandards.org).
4. Submit the ROC, evidence of a passing scan, and the Attestation of Compliance, along with any other requested documentation, to the acquirer (for merchants) or to the payment brand or other requester (for service providers).
(slide 22)

- Damage to or loss of data
- Damage to reputation
- Loss of customers
- Loss of debit/credit card acceptance privileges
- Breach notification costs
- Litigation costs
- Fines and incarceration
(slide 23)

- Target (40 million payment card numbers and another 70 million customer records)
- Russian hackers stole over a billion sets of credentials (user IDs and passwords)
- Home Depot (56 million payment cards)
- Community Health Systems – 2nd largest loss of data under HIPAA (4.5 million)
(slide 24)

- Target was compliant with PCI DSS
- South Carolina was compliant with IRS guidelines by not encrypting Social Security numbers
- Must use common sense
- Keep up with the news (get your head out of the sand and stop hitting the snooze button)
- Get management's attention (make them a part of the education of staff)
(slide 25)

- Iowa Department of Human Services
- Illinois Dept. of Healthcare and Family Services
- California Correctional Healthcare Services
- North Carolina Dept. of Health and Human Svcs.
- Indiana Family and Social Services Administration
- Wyoming Dept. of Health
- South Carolina Health Insurance Pool
- New Jersey Dept. of Human Services
(slide 26)

- To individuals: must notify without unreasonable delay, and no later than 60 calendar days after discovery of a breach
- To HHS:
  - 500 or more individuals: must notify without unreasonable delay, and no later than 60 calendar days after discovery of a breach
  - Fewer than 500 individuals: notify no later than 60 days after the end of the calendar year in which the breaches were "discovered," not in which the breaches "occurred"
(slide 27)

- Alaska Medicaid ($1.7M) – possible patient data breach from theft of a thumb drive
- Blue Cross Blue Shield of Tennessee ($1.5M) – unencrypted hard drives stolen
- UCLA Health System ($865,000) – access to celebrity health records by employees
- Massachusetts General Hospital ($1M) – loss of 192 patient records
- Cignet Health ($4.3M) – denying access to health records for 41 patients
- CVS Pharmacy ($2.2M) – dumpster (FTC and HHS)
- Affinity Health Plan ($1.2M) – photocopier
(slide 29)

Covered Health Care Providers
- Covered Entities: a healthcare provider that electronically bills Medicare or other insurance companies, or a payer (Medicare, Medicaid, private insurance, or self-insurer).
- Business Associates: a person or entity that comes in contact with protected health information while performing services for a covered entity.
- Subcontractors: persons or entities that come in contact with protected health information while performing services for a covered entity.
- Health Plans
- Clearinghouses (process claims)
(slide 30)

- HIPAA allows fines as well as civil action by state Attorneys General
- Civil action is prominent with identity theft and credit card victims; credit monitoring is the standard consequence
- Career: ask yourself the question – what would a data breach at my agency under my watch do to my career? (We feel like the Biblical prophets warning Israel about the consequences of its rebellion – DESTRUCTION)
(slide 31)

- $100 – $50,000: did not know and would not have known
- $1,000 – $50,000: reasonable cause to know
- $10,000 – $50,000: willful neglect, timely correction (30 days)
- $50,000: willful neglect NOT corrected
- $1.5 million: cap for identical violations during a calendar year
- Reasonable cause – knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but did not act with willful neglect
- Willful neglect – conscious, intentional failure or reckless indifference to the obligation to comply
(slide 32)

- Largest HIPAA settlement to date: New York and Presbyterian Hospital and Columbia University
- Disclosure of ePHI of 6,800 patients
- A physician application developer from CU who worked for both entities deactivated a personally-owned server on the network
- Resulted in ePHI being accessible to Internet search
(slide 33)

1. Names;
2. Geographical subdivisions smaller than a state;
3. All elements of dates;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code.
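The following Python is added here as an example and is not part of the presentation. It applies the identifier list above to a record before release: fields that are identifiers by definition are dropped, free-text fields are scanned for identifier patterns, and the categories found are reported so a reviewer can check the result against the list. The field names, patterns and sample record are constructed for illustration.

```python
import re

# Identifier patterns that can be spotted in free text (constructed for this
# example and deliberately simple; production use needs tuning and review).
PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),  # phone or fax
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip":    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url":   re.compile(r"\bhttps?://\S+"),
    "date":  re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

# Fields that are identifiers by definition (hypothetical field names; map
# your own schema here). Mapped fields are dropped outright.
FIELD_CATEGORY = {
    "name": "name", "address": "geo", "zip": "geo", "dob": "date",
    "mrn": "medical_record_no", "plan_id": "beneficiary_no",
    "account": "account_no", "plate": "vehicle_id",
    "device_serial": "device_id", "photo": "face_image",
}

def scrub_text(text):
    """Replace identifier patterns in free text; return (text, categories found)."""
    found = set()
    for cat, rx in PATTERNS.items():
        text, n = rx.subn(f"[{cat.upper()} REMOVED]", text)
        if n:
            found.add(cat)
    return text, found

def deidentify(record):
    """Drop identifier fields, scrub free text; return (record, sorted categories)."""
    out, found = {}, set()
    for key, value in record.items():
        if key in FIELD_CATEGORY:
            found.add(FIELD_CATEGORY[key])
            continue                       # identifier field: drop entirely
        if isinstance(value, str):
            value, cats = scrub_text(value)
            found |= cats
        out[key] = value
    return out, sorted(found)

SAMPLE = {  # constructed sample record, not real patient data
    "name": "Jane Doe", "dob": "03/14/1960", "mrn": "MRN-0012345",
    "diagnosis": "Type 2 diabetes",
    "note": "Call 601-555-0142 or jane@example.com; SSN 123-45-6789 on file.",
}
```

`deidentify(SAMPLE)` keeps only the diagnosis and the scrubbed note, and reports the categories removed so the "minimum necessary" review has something concrete to sign off on.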
Remember the "Minimum Necessary" guidelines
(slide 34)

- Application of HIPAA Rules to Business Associates ("BA") and Subcontractors
- Updated Definition of Business Associate
- Minimum Necessary Rule
- Required to Take Reasonable Steps to Cure Subcontractor Breach or Violation
- Updated Business Associate Agreement ("BAA")
- BA Must Obtain Satisfactory Assurance from Subcontractor
- Report Breach
- Application of Compliance and Enforcement Provisions to Business Associates
- Updated Civil Monetary Penalties Provision
- Breach Notification Requirements
- Disclosures of PHI for Fundraising
- Notice of Privacy Practices
- Expanded Rights of Individuals
(slide 35)

- Covered Entities are required to obtain "satisfactory assurances" (i.e., that their PHI will be protected as required by the rules) from their BAs (SSAE 16, etc.)
- Covered Entities are NOT required to obtain "satisfactory assurances" from a BA that is a subcontractor; rather, it is the BA that must obtain these assurances
- This "chain of assurances" (and liability) follows the PHI wherever it leads and has widespread ramifications, including those related to breach notification
(slide 36)

- As required by the HITECH Act, OCR issued Guidance on Risk Analysis Requirements under the HIPAA Security Rule on 07/14/2010
- No specific methodology was indicated, but it did describe 9 elements:
  1. Scope of the Analysis
  2. Data Collection (i.e. an EPHI Inventory)
  3. Identify and Document Potential Threats and Vulnerabilities
  4. Assess Current Security Measures
  5. Determine the Likelihood of Threat Occurrence
  6. Determine the Potential Impact of Threat Occurrence
  7. Determine the Level of Risk and List of Mitigating Actions
  8. Finalize Documentation
  9. Periodic Review and Updates to the Risk Assessment
- Referenced NIST documents:
  - SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
  - SP 800-30, Risk Management Guide for IT Systems
(slide 37)

- State Data Breach Laws: http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx
- HIPAA: http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/index.html
- NIST Cloud Guidelines: http://www.nist.gov/itl/cloud/upload/NIST_SP500-291_Jul5A.pdf
- Payment Card Industry Data Security Standards: https://www.pcisecuritystandards.org/security_standards/index.php
(slide 38)

NIST (National Institute of Standards and Technology) Cloud Computing Standards Roadmap by the U.S. Department of Commerce
- NIST Special Publication 500-291, Version 2
- Covers areas such as standards, security, accessibility, auditing, and compliance
(slide 39)

- Become familiar with the applicable laws and regulations
- Revise policies and procedures to reflect regulations and guidelines
- Devise a tool for documentation of risk assessment
- Schedule Penetration Test / Vulnerability Scan if needed
- Security Plan
- Disaster Recovery Plan Development and Test
- Revise Business Associate Agreements and secure new agreements
- Revise training and train appropriate staff
- Understand Applicable Laws and Standards (i.e. State Security Breach Laws and PCI DSS)
(slide 40)

David Ashley, Office of the Mississippi State Auditor
P.O. Box 956, Jackson, MS 39205
Ph: 601-576-2800 / 800-321-1275 (statewide)
david.ashley@osa.ms.gov
Web: www.osa.ms.gov
(slide 41)