Information confidentiality: business risks and regulations

Implementing the right privacy measures isn’t just a good idea, it’s a critical aspect of safeguarding your intellectual property and complying with legal requirements. It’s not enough to control access to information at the application or administrative level. Data must also be protected during routine activities such as part replacements, upgrades and asset refreshes. Recent changes in HIPAA regulations drive the issue more than ever before. In this session, we will examine privacy needs and risks and discuss effective measures to prevent the unintended sharing of private information, which can compromise intellectual property, expose your company to litigation, or damage your company’s market reputation. We will also discuss the alternatives available and HP’s data privacy offerings in data sanitization, asset recovery, and defective media and material retention.

Presentation transcript

  • © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    Information confidentiality: business risks and regulations
    Mike Ryan, Keeley Collins
    June 10, 2013
  • Slide 3: Agenda
    • Data privacy needs and risks
    • Recent regulations (HIPAA)
    • Options and alternatives
    • HP offers in this area
  • Section: Data privacy and risks
  • Slide 5: Risks to data, risk to your business
    Overview: data privacy is more important than ever. “Everyone” now needs to protect data from access by unauthorized parties:
    • Government & financial
    • Health care
    • Insurance
    • Research/universities
    • Technology
    • Other
    What data is being protected?
    • Intellectual property
    • Client data
    • Financial data
    • Research
    • Networks
    • PII (Personally Identifiable Information)
    • PHI (Protected Health Information)
    Risks and consequences
    • Regulatory fines & penalties
    • Litigation
    • Intellectual property loss
    • Brand and reputation
  • Slide 6: Increasing governance means costs to most companies
    Data privacy regulations
    • HIPAA/HITECH
    • Gramm-Leach-Bliley (GLB)
    • Family Educational Rights and Privacy Act (FERPA) & FISMA
    • Payment Card Industry Data Security Standard (PCI-DSS)
    • Safe Harbor (European Union and the United States)
    • Cookie & web beacon laws
    “In 2010, 69 percent of the 964 IT and business leaders surveyed said compliance is their primary driver for encryption, an increase of five percentage points from last year. Mitigating data breaches falls to second place, with 63 percent saying it was a top driver for encryption adoption.” (Ponemon Institute’s annual U.S. Enterprise Encryption Trends report)
  • Slide 7: Recent data privacy updates & news
    The only thing constant is… change
    • Cookie & web beacon legislation footprint expanding
      – UK (2012)
      – Mexico (effective April 2013)
    • EU data privacy regulatory updates (expected mid-2014)
    • Google fined for privacy violations by the German Privacy Commission (Johannes Caspar)
    • US Dept of Commerce draft privacy legislation
    • US HIPAA/HITECH final omnibus, January 2013
  • Section: Recent regulation (HIPAA)
  • Slide 9: HIPAA defined
    HIPAA overview: the Health Insurance Portability and Accountability Act (HIPAA), passed by Congress in 1996:
    • Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs
    • Reduces health care fraud and abuse
    • Mandates industry-wide standards for health care information on electronic billing and other processes
    • Requires the protection and confidential handling of protected health information
  • Slide 10: HIPAA, the U.S. federal medical privacy law
    Historical timeline and basic facts
    1996: HIPAA
    • Sets the baseline for medical privacy: privacy rule, security rule and enforcement rule
    • Covered entities: health plans, health care providers, health care clearing houses
    • Business associates are “indirectly regulated” via BAA
    • Designed to encourage electronic record keeping
    2009: HITECH Act
    • Extended HIPAA to business associates
    • Imposed breach notification requirements on CEs and BAs
    • Increased vigilance around PHI
    • Increased enforcement/penalties
    2013: Omnibus final rule to HIPAA/HITECH
    • Regulations and rules to implement requirements of the HITECH Act
    • Heightened concern of HP customers regarding data privacy
    • Statutory obligations for BAs
    • Mandatory flow-downs to subcontractors
    • Necessitates BAA modifications
    • Modifies breach notification rules
    Courtesy Suzanne Miller, HP Senior Legal Counsel
  • Slide 11: Who’s impacted
    An extended group
    • Health care providers: doctors’ offices, hospitals, universities, VA
    • Insurers: HMOs
    • Self-insured companies
    • Retail (in-store pharmacy)
    • Health care processors
    • Health care IT integrators/OEMs
    • Pharmaceutical
  • Slide 12: HIPAA/HITECH, who can you trust? HP in healthcare, by the numbers*
    HP…
    • Has more than 45 years of experience in the health and life sciences industry
    • Performs 2.4 billion healthcare transactions annually, including 1 billion in healthcare claims
    • Serves 13 of the top 15 pharmaceutical companies, ranked by revenue
    • Provides services to health and human services programs in 35 states and supports Medicaid systems in 20 states
    • Is the largest provider of Medicaid services in the U.S., supporting programs that administer $140 billion USD in Medicaid benefits annually
    * Health & Life Sciences Industry overview, HP, April 2013, http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA1-0181ENW&cc=us&lc=en
  • Slide 13: HIPAA rules regarding protected health information (PHI)
    HIPAA overview
    “Covered entities” refers to health plans, health care clearinghouses and health care providers who submit electronic transactions or store information electronically.
    Privacy: The HIPAA privacy rule establishes national standards to protect individuals’ medical records and other personal health information. It applies to “covered entities”. The rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
    Security: The HIPAA security rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The security rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
  • “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information…” Georgina Verdugo, OCR Director, 2011
  • Slide 15: HIPAA/HITECH and enforcement
    HIPAA/HITECH front runners in enforcement activities
    • Covered entities and business associates directly responsible/accountable to HHS & State Attorneys General
    • Stringent breach notification requirements
    • Required compliance with privacy and security rule safeguards
    • Penalties for failing to implement safeguards
  • Slide 16: HIPAA Omnibus, January 2013 updates
    HHS announced final Omnibus rules amending HIPAA (1996) and the HITECH Act (2009)
    • Effective on March 26, 2013
    • Supplement and modify the HIPAA privacy, security, breach reporting and enforcement rules
    • Significant changes include:
      – Expanded definitions: business associates, unsecured PHI, breach conditions
      – Breach notification standards for data protection are different from the security & privacy rule
      – Even “secured” PHI, if disclosed impermissibly, can be considered a breach
      – Breaches no longer have to prove significant risk of harm (financial, reputation, etc.)
      – Provides assessment specifications
  • Slide 17: Data breach examples
    Penalty/cost impact: the Ponemon Institute estimates the cost of a data breach at $214 per compromised record
    • Military hospital/clinic (9/14/2011): 4.9 million military patients may be affected by the loss of computer tapes containing their health information
    • Commercial health plan (1/21/2011): 1.9 million health plan members notified that hard drives containing their PHI were missing
    • Health care network (12/23/2010): 1.7 million impacted due to computer back-up tapes stolen from a vehicle
    • Hospice (6/1/2010): 441 patients impacted due to a stolen laptop; fined $50K by HHS in 2013
  • Slide 18: Costs of compliance vs. non-compliance
    [Chart: Ponemon Institute, 2011]
  • Slide 19: Costs of compliance vs. non-compliance
    [Chart: security effectiveness score vs. cost of non-compliance; 25 best practices, 40 studies. Higher security score = lower costs of non-compliance.]
    Top security attributes:
    1. Monitor & enforce security policy
    2. Conduct ongoing audits
    3. Attract & retain security professionals
    4. Ensure minimal system downtime due to security violations
    5. Prevent or curtail viruses, malware and spyware infections
    Ponemon Institute, 2011. Cindy Valladares, Tripwire, “Understanding the Cost of Compliance, Part III”, March 28, 2011. URL: http://www.tripwire.com/state-of-security/it-security-data-protection/understanding-the-cost-of-compliance-part-iii/
  • Slide 20: An ounce of prevention is worth a pound of cure
    Recommendations & next steps
    Identify PHI and PII touch points, and implement security provisions
    • Assess your environment, including mobile devices, servers and networks, against the security rule.
    • Review your security policies & procedures. Update your training.
    • Evaluate your data security, destruction and transmission practices.
    • Implement encryption technology and access control mechanisms (passwords, ACLs).
    • Ensure your records meet standards; review the new breach and assessment guidelines.
    Review vendor contracts
    • Be sure they can protect your information and that you have purchased the right products and services to enable compliance.
    • Evaluate where vendors have access to PHI, and at what scope. Restrict it where feasible.
    • Update business associate agreements by September 2014.
  • Slide 21: An ounce of prevention is worth a pound of cure
    Recommendations & next steps, cont’d.
    Assess your organization’s use and disclosure of PII and PHI
    • Clearly classify systems and data
    • Control your use, disclosure and retention to the minimum necessary
    • Develop a security incident response plan:
      – Assemble a response team
      – Review & understand how the Omnibus changed breach notification
      – Assess using the 4-part assessment criteria
      – Create breach notification policies and procedures to help guide your organization through identifying and handling breaches
  • Section: Options & alternatives
  • Slide 23: Hardware, services options and alternatives
    Strategies to protect your data
    Hardware
    • Invest in encryption technologies
    • Reduces burden and risk around disk media
    Media handling
    • Implement policies and procedures around handling media removed from IT assets
    • Consider disk retention or processing alternatives
    Asset lifecycle management
    • Implement policies around assets retired from service
    • Sanitize media contained in assets before reuse or resale
    • Remove other identifying information before disposal
    Security assessment & governance
    • Governance, risk & compliance; operations; applications; endpoint; network & data center
  • Section: HP offers
  • Slide 25: Offers from HP, protection within HP products
    Protect your data at rest
    • Self Encrypting Drives (SED) for the 3PAR StoreServ 10000 and StoreServ 7000 storage arrays
    • HP XP P9000 DKA Encryption Software enables controller-based encryption of hard drives; optional on P9000 storage arrays
    • HP Encryption SAN Switch and blades
    • HP 1/8 G2 Autoloader and ESL/EML/MSL Tape Libraries
    Erase your data when “done”
    • HP disk sanitizer
      – Free tool for HP desktops and towers; erases to the DOD 5220.22-M standard
      – Located at HP.com (http://www8.hp.com/us/en/support-drivers/privacy-dataprotection/index.html)
    • HP volume shredder for P9000, XP24000, and XP12000 arrays
      – Performs repetitive overwrites, up to 8 passes (exceeds DOD 5220)
      – Included with array manager software on P9000/XP24000 (optional on XP12000)
  • Slide 26: Offers from HP, defective media retention
    Keep your media
    • All hard drives and eligible SSD/flash drives retained by the customer when replaced as part of a service event
    • Customer free to handle, process or dispose of media to accommodate policies, procedures, or regulations
    • Available for most HP products such as storage arrays, enclosures, servers, desktops, and workstations
    • Offered as an HP Care Pack or as a support contract option for all coverage levels and agreement durations
  • Slide 27: Offers from HP, comprehensive defective material retention
    Keep all data-retentive parts
    • Also includes all hard drives and eligible SSD/flash drives retained by the customer when replaced as part of a service event
    • Extends scope to other parts, such as system boards containing RAM, controllers, cache, and more
    • Not a requirement for HIPAA, but of high interest to government and financial sectors; assures that lower-level identifiable information such as contacts, node names, and IP addresses is protected (note: PHI is not likely contained in these components)
    • Customer free to handle, process, or dispose of materials to accommodate policies, procedures, or regulations
    • Available for most HP products such as storage arrays, enclosures, servers, desktops, and workstations
    • Offered as an HP Care Pack or as a support contract option for all coverage levels and agreement durations
    Announcement: June 10, 2013, with availability July 1, 2013
  • Slide 28: Offers from HP, HP data sanitization service
    Remove data from your storage assets
    • Removes data from most HP and third-party storage arrays and enclosures
    • Allows re-use, sale, or disposal of the asset
    • Facilitates compliance with policies and regulations
    • Erases data to the DOD 5220.22-M and NIST 800-88 “clear” standards
    • Detailed documentation/confirmation of operations and status provided by serial number
    • On-site or off-site delivery choices provided; destruction optionally available
    • Offered as HP Care Packs or a custom scope of work
    Service brief and datasheet available
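The overwrite-and-verify “clear” that slides 25 and 28 describe (repeated overwrite passes to a DOD 5220.22-M / NIST 800-88 clear level, with confirmation recorded against a serial number) can be made concrete with the added example below. It is illustrative code written for this page, not HP’s disk sanitizer or volume shredder: it overwrites a file-based disk image in place (the file stands in for a block device), reads the whole image back to verify both the final fill pattern and the absence of a known constructed PHI record, and produces a sanitization record. The serial number, the patient record, the pass sequence and the record fields are all assumed or constructed.

```python
# Added example (not HP's tool): multi-pass overwrite of a disk image, full
# read-back verification, and a sanitization record keyed by serial number.
# The image file stands in for a block device; serial and sample data are made up.
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # write/read granularity in bytes


def fill_pattern(pattern, n):
    """n bytes of `pattern` repeated, or n random bytes when pattern is None."""
    if pattern is None:
        return os.urandom(n)
    return (pattern * (n // len(pattern) + 1))[:n]


def overwrite_image(path, patterns):
    """Overwrite every byte of `path` once per entry in `patterns`, in order.
    Each entry is a bytes pattern or None for random data. Returns bytes per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in patterns:
            f.seek(0)
            left = size
            while left:
                n = min(CHUNK, left)
                f.write(fill_pattern(pattern, n))
                left -= n
            f.flush()
            os.fsync(f.fileno())  # force each pass to media before the next one
    return size


def verify_image(path, expected=None, residual=b""):
    """Read the whole image back (no sampling). `expected` is a one-byte fill
    pattern every byte must equal; `residual` is a known byte string that must
    not appear anywhere, including across chunk boundaries."""
    pattern_ok, residual_absent = True, True
    carry = b""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if expected is not None and block != expected * len(block):
                pattern_ok = False
            if residual and residual in carry + block:
                residual_absent = False
            carry = block[-(len(residual) - 1):] if len(residual) > 1 else b""
    return {"pattern_ok": pattern_ok, "residual_absent": residual_absent}


def sanitization_record(path, serial, method, passes, verification):
    """Per-device confirmation of what was done and whether read-back verified it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return {
        "serial": serial,  # assumed device serial, supplied by the caller
        "method": method,
        "passes": passes,
        "bytes": os.path.getsize(path),
        "verified": all(verification.values()),
        **verification,
        "final_image_sha256": h.hexdigest(),
        "completed_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def demo():
    """Build a constructed image holding a fake PHI record straddling a chunk
    boundary, clear it, verify, and return the record."""
    phi = b"PATIENT: Jane Doe; MRN 0000123; DX: example"  # constructed sample, 43 bytes
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(CHUNK) + phi + os.urandom(3 * CHUNK + 17))
        path = tmp.name
    try:
        # Fixed, then random, then a fixed final pass so every byte can be checked.
        patterns = (b"\xff", None, b"\x00")
        overwrite_image(path, patterns)
        checks = verify_image(path, expected=b"\x00", residual=phi)
        return sanitization_record(path, "SERIAL-EXAMPLE-0001",
                                   "overwrite-clear", len(patterns), checks)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Two design points matter more than the pass count. First, the last pass is a fixed pattern precisely so that verification can compare every byte of the medium rather than sample it; a run whose verification fails should never produce a record marked verified. Second, overwriting through the file system or the drive’s normal write path only reaches sectors the drive still exposes; remapped sectors and SSD over-provisioned flash are not covered, which is why the page’s NIST “purge” and “destroy” options on slide 30 remain the route for media that leaves the customer’s control.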
  • Slide 29: Offers from HP, HP asset recovery service
    Your retired assets: recover market value and ensure responsible disposal
    • Turnkey solution to remove retired IT assets from inventory
    • Recovers the value of surplus IT assets: assets with market value are processed and sold, with proceeds returned to the customer less fees
    • Assets with no value recycled and disposed of responsibly
    • Available for most HP or non-HP IT assets including arrays, servers, desktops, printers, networks, and mobile devices
    • De-install, inventory, sorting, and processing of products included
    • All media sanitized and identification information removed; cleaning/testing if intended for resale
    • On-site or off-site delivery choices provided; destruction optionally available
    Service brief and datasheet available
  • Slide 30: Offers from HP, HP custom services
    Flexible management of media removed from service
    • Provides options in handling media removed as part of a service event
    • Alternative to Defective Material Retention (DMR)
    • Eliminates unwanted accumulation of defective media
    • Options offered:
      – On-site sanitization of hard drives to DOD or NIST standards; media passing the sanitization process returned to HP
      – On-site destruction of hard drives meeting NIST “purge” and “destroy” standards
      – Off-site media processing using secure transportation
      – Responsible recycling of scrap items
    • Available via custom quote; standardized services under evaluation
  • Slide 31: HP security portfolio: six key areas
    HP security and risk management
    • Security governance, risk, and compliance: protect your reputation, manage risk, and achieve regulatory compliance by replacing disparate governance functions with an integrated set of services
    • Operations security: integrate information from various security disciplines. Connect your security processes with your business processes
    • Application security: build enterprise security into your applications. Automate detection of and response to vulnerabilities, and enable business agility through secure web applications
    • Endpoint security: protect all your endpoint devices and minimize the risk inherent in a mobile workforce while centralizing and consolidating management tools to reduce costs
    • Network security: prevent network intrusions while keeping applications available. Avoid zero-day attacks and automate policy enforcement
    • Data center security: embed security holistically across networking, virtualization, mobility, and cloud in your data center
  • Slide 32: For more information
    Privacy/data protection & disk sanitization website
    • HP disk sanitizer tool (desktops/towers)
    • HP’s media handling policy for healthcare customers
    • HP’s media sanitization policy for returned drives
    Enterprise security & risk management website: HP products and services for risk management & security
    HIPAA regulations:
    • Health & Human Services, health information & privacy: http://www.hhs.gov/ocr/privacy/index.html
    • Federal Register (final rule): http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
  • Q&A
  • Slide 34: Learn more about this topic
    Use HP Autonomy’s Augmented Reality (AR) to access more content
    1. Launch the HP Autonomy AR app*
    2. View this slide through the app
    3. Unlock additional information!
    *Available on the App Store and Google Play
  • Thank you