
Regulatory Environment Concerning State Governmental IT Audits






Presentation Transcript


  1. Regulatory Environment Concerning State Governmental IT Audits David Ashley, CISA, CISM, CBCP, CRISC, CHP Office of the Mississippi State Auditor Director, IT Audit Section October 2, 2014

  2. Mississippi State Auditor Responsibilities • Agencies Reporting Responsibilities • Financial – CAFR • Compliance – Federal Funds • Statewide Single Audit

  3. Mississippi State Auditor Organization • Administrative Services Division • Property Audits Division • Technical Assistance Division • Information Management Division • Financial and Compliance Audit Division • Investigative Division

  4. Mississippi State Auditor Organization • Financial and Compliance Audit Division • Information Systems Section – Performs IS audits at both State Agencies and Counties • Agency Audit Section – Performs Agency Audits • County Audit Section – Performs County Audits • Contract Audit Review Section – Reviews CPA reports for both School Districts and County Governments • Investigative Division • Investigative Accounting Section • Investigative Enforcement Section

  5. Laws of the Land • HIPAA Privacy and Security Rules (as amended by HITECH Act) • Security Breach Notification Laws (46 States, DC, PR, and VI) • Payment Card Industry – Data Security Standard • Federal Trade Commission – Red Flags Rule • Federal Trade Commission – Disposal Rule • Federal Information Security Management Act of 2002 • Multiple Federal Privacy Bills Introduced Each Year • White House Consumer Privacy Bill of Rights (February 2012)

  6. Data Security Issues and Data Breach Notification • Family Educational Rights and Privacy Act (FERPA) • Children’s Online Privacy Protection Act (COPPA) • Gramm-Leach-Bliley Act (GLBA) • Health Information Technology for Economic and Clinical Health (HITECH) Act • Part 2 – Confidentiality of Alcohol and Drug Abuse Patient Record Regulation (Part 2) • Sarbanes Oxley (SOX) • State Laws and Regulations • Section 5 of FTC Act for companies who store consumer information on the cloud (Unfair Practices Act)

  7. International Laws • European Union (EU) Directive on Data Protection of 1995 • Some information of residents of EU cannot be stored outside the EU • Australia’s Privacy Laws • Canada’s Privacy Laws

  8. Compelled Disclosure to the Government • Electronic Communications Privacy Act (ECPA) • Stored Communications Act (SCA) • USA Patriot Act (including National Security Letters; FISA warrants) • Warrants and Subpoenas (Generally – eDiscovery)

  9. Data Security Issues – Federal Laws, Regulations and Standards • Federal Laws and Regulations: • Healthcare (HIPAA and HITECH) • Educational institutions (FERPA and COPPA) • Financial institutions (GLBA) • Publicly traded companies (SOX) • Entities generally cannot contract away their obligations to comply with these • Some regulations, however, require an entity to pass obligations to cloud providers by contract (e.g., HIPAA)

  10. Compelled Disclosure to the Government – ECPA (Including SCA) • Protects electronic communications while in transit and while held in storage • No One Thinking of Cloud Computing When Enacted (1986) • Problems arise on how to characterize activity involved in cloud computing • Gives different levels of protection to electronic data based on “electronic storage” or “remote computing” • For example, information older than 180 days that is stored on a “remote computing service” is subject to government search with just an administrative subpoena

  11. Compelled Disclosure to the Government – USA Patriot Act • Allows FBI to access certain business records with a court order • Also provides for use of National Security Letters (form of administrative subpoena) to obtain records • Law limits ability of cloud providers to reveal that they received an order • Cloud users may not even know about a disclosure

  12. Information Ownership and Control Issue • Who owns data on the cloud? • Can a cloud provider use the data for its own purposes? (De-identified or aggregated?) • When and under what circumstances can the customer obtain a copy of information stored on the cloud? • What obligations does the provider have to assist in the transition when the customer leaves the cloud? • What happens when service to the cloud is interrupted?

  13. Privacy and Data Security Concerns • Major cloud computing privacy concerns: • Compelled disclosure to the government • Information stored in the cloud is subject to different protections than information stored in-house • Data security and disclosure of breaches • Generally, how does a cloud provider protect a customer’s data? • When the law imposes data security requirements on a customer, how can the customer ensure its compliance when storing information on the cloud? • If the cloud’s security is breached, must the cloud give notice of the breach?

  14. Privacy and Data Security Concerns • Transfer of, access to, and retention of data • Will companies and consumers have access to data on the cloud? Can the cloud confirm the destruction of data or return it? • Location of data • The physical location of the server storing the data may have legal implications • Consumer notice and choice • For companies who will store consumers’ data on the cloud

  15. eDiscovery • Federal Rules of Civil Procedure Related to Discovery and Electronically Stored Information • If a lawsuit is filed, or one is reasonably anticipated, you must stop deleting “electronically stored information” (ESI) • ESI includes emails, logs, cache and temporary Internet files, digital recordings, voice mails, spreadsheets, telephone logs (anything electronic) • Data Retention Policy should address the backup purge cycle and when such automatic processes should be put on hold

  16. State Data Breach Laws • 49 States, DC, Puerto Rico, Guam, and Virgin Islands • States that don’t have include New Mexico, South Dakota, and Alabama • Mississippi (75-24-29) enacted July 1, 2011 • Name or first initial and last name in combination with any one or more of the following data elements: Social security number; Driver's license number or state identification card number; or an account number or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual's financial accounts

  17. State Data Breach Laws • Myriad of State Laws Makes Compliance Difficult • Some states like Massachusetts require adherence to their law if you store information of a citizen of that state (This has not been tested in court yet for a government entity) • Florida just passed a law modeled after HIPAA where fines can be levied by the state • Will eventually be a federal law (introduced multiple times each year)

  18. States Now Getting Into HIPAA Action • Feb., 2014 – Puerto Rico Levied $6.8M Fine on Insurer Triple-S Management for HIPAA violations • Mailing of pamphlet that included Medicare health claim number • Represents $500 fine per individual (13,336 individuals) plus $100,000 for failure to cooperate

  19. Privacy and Data Security Concerns • Major cloud computing privacy concerns: • Compelled disclosure to the government • Information stored in the cloud is subject to different protections than information stored in-house • Data security and disclosure of breaches • Generally, how does a cloud provider protect a customer’s data? • When the law imposes data security requirements on a customer, how can the customer ensure its compliance when storing information on the cloud? • If the cloud’s security is breached, must the cloud give notice of the breach?

  20. Payment Card Industry Data Security Standard (PCI DSS) • Was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally • Provides a baseline of technical and operational requirements designed to protect cardholder data • Applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data

  21. PCI DSS

  22. PCI DSS Compliance – Completion Steps 1. Complete the Report on Compliance (ROC) according to the section above entitled “Instructions and Content for Report on Compliance.” 2. Ensure passing vulnerability scan(s) have been completed by a PCI SSC Approved Scanning Vendor (ASV), and obtain evidence of passing scan(s) from the ASV. 3. Complete the Attestation of Compliance for Service Providers or Merchants, as applicable, in its entirety. Attestations of Compliance are available on the PCI SSC website (www.pcisecuritystandards.org). 4. Submit the ROC, evidence of a passing scan, and the Attestation of Compliance, along with any other requested documentation, to the acquirer (for merchants) or to the payment brand or other requester (for service providers).

  23. Penalties for Non-Compliance • Damage to or loss of data • Damage to reputation • Loss of customers • Loss of debit/credit card acceptance privileges • Breach notification costs • Litigation costs • Fines and incarceration

  24. Large Data Breaches • Target (40 million payment card numbers and another 70 million customer records) • Russian hackers stole over a billion sets of credentials (User IDs and passwords) • Home Depot (56 million payment cards) • Community Health Systems – 2nd Largest Loss of Data under HIPAA (4.5 million)

  25. Compliance Does Not Equal Security • Target was Compliant with PCI DSS • South Carolina was Compliant with IRS Guidelines by not encrypting social security numbers • Must use common sense • Keep up with the news (Get your head out of the sand and stop hitting the snooze button) • Get management’s attention (Make them a part of the education of staff)

  26. Reportable Breaches in 2013 Involving State Agencies • Iowa Department of Human Services • Illinois Dept. of Healthcare and Family Services • California Correctional Healthcare Services • North Carolina Dept. of Health and Human Svcs. • Indiana Family and Social Services Administration • Wyoming Dept. of Health • South Carolina Health Insurance Pool • New Jersey Dept. of Human Services

  27. Notification of Breach • To Individuals: • Must notify without unreasonable delay • No later than 60 calendar days after discovery of a breach • To HHS (500 or more individuals) • Must notify without unreasonable delay • No later than 60 calendar days after discovery of a breach • Less than 500 individuals • Notify no later than 60 days after the end of the calendar year in which the breaches were “discovered,” not in which the breaches “occurred”

  28. Recent Fines and Awards – HIPAA • Alaska Medicaid ($1.7M) – Possible Patient Data Breach for Theft of Thumb Drive • Blue Cross, Blue Shield of Tennessee ($1.5M) – Unencrypted Hard Drives Stolen • UCLA Health System ($865,000) – Access to Celebrity Health Records by Employees • Massachusetts General Hospital ($1M) – Loss of 192 Patient Records • Cignet Health ($4.3M) – Denying Access to Health Records for 41 patients • CVS Pharmacy ($2.2M) – Dumpster (FTC and HHS) • Affinity Health Plan ($1.2M) – Photocopier

  29. HIPAA - Who Must Comply? • Covered Health Care Providers • Covered Entities: A healthcare provider that electronically bills Medicare or other insurance companies, or a payer (Medicare, Medicaid, private insurance, or self-insurer). • Business Associates: A person or entity that comes in contact with protected health information while performing services for a covered entity. • Subcontractors: Persons or entities that come in contact with protected health information while performing services for a covered entity. • Health Plans • Clearinghouses (Processes Claims)

  30. Consequences From Breaches Other Than Fines • HIPAA allows fines as well as civil action by state Attorneys General • Civil action prominent with identity theft and credit card victims • Credit monitoring is a standard consequence • Career • Ask yourself the question – what would a data breach at my agency under my watch do to my career? (We feel like the Biblical prophets warning Israel about the consequences of its rebellion – DESTRUCTION)

  31. Civil Money Penalties • $100 – $50,000: Did not know and would not have known • $1000 – $50,000: Reasonable cause to know • $10,000 – $50,000 : Willful neglect, timely correction (30 days) • $50,000 : Willful neglect NOT corrected • $1.5 million: Cap for identical violations during a calendar year • Reasonable cause – knew, or by exercising reasonable diligence would have known, the act or omission was a violation, but did not act with willful neglect • Willful neglect – conscious, intentional failure or reckless indifference to the obligation to comply

  32. Data Breach – $4.8M Fine • Largest HIPAA settlement to date • New York and Presbyterian Hospital and Columbia University • Disclosure of ePHI of 6,800 patients • Physician application developer from CU that worked for both entities deactivated a personally-owned server on the network • Resulted in ePHI being accessible to Internet search

  33. 18 HIPAA Identifiers 1. Names; 2. Geographical subdivisions smaller than a state; 3. All elements of dates; 4. Phone numbers; 5. Fax numbers; 6. Electronic mail addresses; 7. Social Security numbers; 8. Medical record numbers; 9. Health plan beneficiary numbers; 10. Account numbers; 11. Certificate/license numbers; 12. Vehicle identifiers and serial numbers, including license plate numbers; 13. Device identifiers and serial numbers; 14. Web Universal Resource Locators (URLs); 15. Internet Protocol (IP) address numbers; 16. Biometric identifiers, including finger and voice prints; 17. Full face photographic images and any comparable images; and 18. Any other unique identifying number, characteristic, or code. Remember the “Minimum Necessary” guidelines.

  34. Omnibus Rule Changes • Application of HIPAA Rules to Business Associates (“BA”) and Subcontractors • Updated Definition of Business Associate • Minimum Necessary Rule • Required to Take Reasonable Steps to Cure Subcontractor Breach or Violation • Updated Business Associate Agreement (“BAA”) • BA Must Obtain Satisfactory Assurance from Subcontractor • Report Breach • Application of Compliance and Enforcement Provisions to Business Associate • Updated Civil Monetary Penalties Provision • Breach Notification Requirements • Disclosures of PHI for Fundraising • Notice of Privacy Practices • Expanded Rights of Individuals

  35. Liabilities for Business Associates and Subcontractors (Assurance) • Covered Entities are required to obtain "satisfactory assurances" (i.e., that their PHI will be protected as required by the rules) from their BAs (SSAE 16, etc.) • Covered Entities are NOT required to obtain "satisfactory assurances" from a BA that is a subcontractor; rather, it is the BA that must obtain these assurances • This "chain of assurances" (and liability) follows the PHI wherever it leads and has widespread ramifications, including those related to breach notification

  36. RISK ANALYSIS MANDATE IN HIPAA • As required by the HITECH Act, OCR issued Guidance on Risk Analysis Requirements under the HIPAA Security Rule on 07/14/2010 • No specific methodology was indicated, but it did describe 9 elements: • Scope of the Analysis • Data Collection (i.e. an ePHI Inventory) • Identify and Document Potential Threats and Vulnerabilities • Assess Current Security Measures • Determine the Likelihood of Threat Occurrence • Determine the Potential Impact of Threat Occurrence • Determine the Level of Risk and List of Mitigating Actions • Finalize Documentation • Periodic Review and Updates to the Risk Assessment • Referenced NIST documents: SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule • SP 800-30, Risk Management Guide for IT Systems

  37. Resources • http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx - State Data Breach Laws • http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/index.html - HIPAA • http://www.nist.gov/itl/cloud/upload/NIST_SP-500-291_Jul5A.pdf - NIST Cloud Guidelines • https://www.pcisecuritystandards.org/security_standards/index.php - Payment Card Industry Data Security Standards

  38. Cloud Resources • NIST (National Institute of Standards and Technology) Cloud Computing Standards Roadmap by the U.S. Department of Commerce • NIST Special Publication 500-291, Version 2 • Covers areas such as standards, security, accessibility, auditing, and compliance

  39. Things to Do • Become familiar with the applicable laws and regulations • Revise policies and procedures to reflect regulations and guidelines • Devise a tool for documentation of risk assessment • Schedule Penetration Test / Vulnerability Scan if needed • Security Plan • Disaster Recovery Plan Development and Test • Revise Business Associate Agreements and secure new agreements • Revise training and train appropriate staff • Understand Applicable Laws and Standards (i.e. State Security Breach Laws and PCI DSS)

  40. Thank You David Ashley, Office of the Mississippi State Auditor P.O. Box 956 Jackson, MS 39205 Ph: 601-576-2800 800-321-1275 (statewide) david.ashley@osa.ms.gov Web: www.osa.ms.gov
