Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Lumension presented alongside United Health Care System on how to protect electronic medical records by enforcing device control and data encryption policies.



  • © Copyright 2008 - Lumension Security
  • Source: HIPAA audit: The 42 questions HHS might ask , by Jaikumar Vijayan, Computerworld Security (June 19, 2007) … http://www.computerworld.com/s/article/9025253/HIPAA_audit_The_42_questions_HHS_might_ask
  • We covered email with iron mail – this was a logical next for us – the audit finding drove the timing. Like I said, we were already publishing healthcare sector data breaches monthly and encouraging the use of encrypted drives. We didn’t want to show up on the list.
  • Monitored user USB activity for approx. 6 months before activating controls. Identified users and their roles. Able to target communications directly to users requiring USB devices for business needs.
  • In order to protect information such as patient data, personal identification identifiers, authentication credentials, corporate financial data, intellectual property and classified files, USB endpoint security software and hardware needs to be purchased to eliminate the risk of data being lost or stolen from within the organization.
  • Devices that cannot store data are Allowed (USB mice, keyboards, printers, etc.) SEE NEXT SLIDE FOR DETAILS
  • Communication began going out 6+ weeks before implementation.
  • File shadowing records the file names of files transferred to USB devices.
  • Questions?
  • Transcript

    • 1. Medical Records on the Run: Protecting Patient Data with Device Control and Encryption
    • 2. Today’s Agenda
      • Protecting Patient Data and HIPAA
      • Policy-based Device Control and Data Encryption
      • Device Control at University Health Care System
      • Conclusion and Q & A
    • 3. Today’s Speakers
      • Chris Merritt, Director of Solution Marketing, Lumension
      • George Ward, CISSP, CISM, Manager Information Security, Computer Operations, University Health Care System
    • 4. Section divider: Protecting Patient Data and HIPAA
      • Policy-based Device Control and Data Encryption
      • Device Control at University Health Care System
      • Conclusion and Q & A
    • 5. Challenges of Protecting Patient Data
      • Economic and Competitive Pressures
      • Increased HIPAA and PCI Regulatory Oversight
      • Increasing Value of Personal Healthcare Information
      • Data Sharing Outside of the Four Walls
      • Consumerization of IT
      • Electronic Protected Health Information (EPHI) Disclosure
    • 6. Data Sharing Outside of the Four Walls: Accessibility to Medical and Billing Records Increases… as Does the Risk (Source: 2008 HIMSS Security Survey)
    • 7. Consumerization of IT
    • 8. Health care workers have direct access to sensitive medical records
      • 70% of all serious incidents are sparked by insiders. (Source: IDC Worldwide Security Products and Services 2007 Top 10 Predictions)
      • 48% of employees utilize work IT tools for personal reasons
      • EPHI Disclosure – Accidental or Malicious: Lost Portable Devices, Disgruntled Employees
    • 9. Data Breaches: Risks, Incidents, Costs
    • 10. Importance of Device Control
    • 11. Protecting Electronic Medical Records
      • USB Drives are the Achilles Heel of Data Protection Due to Size, Transfer Speed, and Ease of Use
        • 60% of confidential data resides at the endpoint (IDC)
        • 52% of companies surveyed have suffered data loss via USB drives and other removable media (Forrester)
        • 53% of organizations would NEVER KNOW what data was on a lost USB device (Ponemon Institute)
        • Over 70% of security breaches originate from within the organization (Vista Research)
    • 12. Removable Devices Hold A LOT of Information
      • 40 million USB Devices Sold Within the Last Year
      Storage Capacity for USB Devices (typical number of files per drive):
        File Type      Typical Size (KB)   512MB USB Drive   2GB USB Drive   32GB USB Drive
        Text / Email              15                34,560         139,500        1,984,700
        Document                 100                 5,185          20,920          297,750
        Spreadsheet            1,485                   350           1,410           20,050
        10MP JPEG              2,250                   230             930           13,210
        Simple X-Ray          10,000                    52             209            2,978
      What about CD / DVD / Blu-Ray Media? Storage Capacity for CD, DVD and Blu-Ray Discs (typical number of files per disc):
        File Type      Typical Size (KB)   CD Disc   DVD Disc (SS SL)   Blu-ray Disc (DL)
        Text / Email              15        46,500            297,000           3,200,000
        Document                 100         6,980             44,500             480,000
        Spreadsheet            1,485           470              3,000              32,320
        10MP JPEG              2,250           310              1,975              21,300
        Simple X-Ray          10,000            70                445               4,800
    • 13. A Balanced Approach is Needed
    • 14. HIPAA Security Rule: Are You Ready?
    • 15. HIPAA Security Rule
      • Security
      • Security Standards: General Rules
      • Administrative Safeguards
      • Technical Safeguards
      • Physical Safeguards
      • Organizational Requirements
      • Policy and Procedures and Documentation Requirements
    • 16. Enforcement Becoming Real
      • CVS settlement breaks new ground in HIPAA enforcement
        • February 2009 : CVS, the nation’s largest retail pharmacy chain, will pay the U.S. government $2.25 million and take corrective action to ensure it does not violate the privacy of its millions of patients when disposing of patient information.
        • Also, the company must obtain assessment reports from a third-party organization every two years for the next 20 years to be provided to the Bureau of Consumer Protection at the FTC.
    • 17. Are You Ready for an Audit?
      Piedmont Hospital was presented with a list of 42 items that HHS officials wanted information on within 10 days:
      • Provide policies and procedures for:
        • Establishing and terminating users' access to systems housing electronic patient health information (ePHI).
        • Emergency access to electronic information systems.
        • Inactive computer sessions (periods of inactivity).
        • Recording and examining activity in information systems that contain or use ePHI.
        • Risk assessments and analyses of relevant information systems that house or process ePHI data.
        • Employee violations (sanctions).
        • Electronically transmitting ePHI.
        • Preventing, detecting, containing and correcting security violations (incident reports).
        • Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
        • Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.
        • Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers.
        • Physical access to electronic information systems and the facility in which they are housed.
        • Establishing security access controls (what types of security access controls are currently implemented or installed in hospitals' databases that house ePHI data?).
        • Remote access activity, i.e. network infrastructure, platform, access servers, authentication, and encryption software.
        • Internet usage.
        • Wireless security (transmission and usage).
        • Firewalls, routers and switches.
        • Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
        • Terminating an electronic session and encrypting and decrypting ePHI.
        • Transmitting ePHI.
        • Password and server configurations.
        • Anti-virus software.
        • Network remote access.
        • Computer patch management.
      • Other requests included:
        • Please provide a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI.
        • Please provide a list of terminated employees.
        • Please provide a list of all new hires.
        • Please provide a list of encryption mechanisms used for ePHI.
        • Please provide a list of authentication methods used to identify users authorized to access ePHI.
        • Please provide a list of outsourced individuals and contractors with access to ePHI data, if applicable. Please include a copy of the contract for these individuals.
        • Please provide a list of transmission methods used to transmit ePHI over an electronic communications network.
        • Please provide organizational charts that include names and titles for the management information system and information system security departments.
        • Please provide entity-wide security program plans (e.g., System Security Plan).
        • Please provide a list of all users with access to ePHI data. Please identify each user's access rights and privileges.
        • Please provide a list of systems administrators, backup operators and users.
        • Please include a list of antivirus servers installed, including their versions.
        • Please provide a list of software used to manage and control access to the Internet.
        • Please provide the antivirus software used for desktop and other devices, including their versions.
        • Please provide a list of users with remote access capabilities.
        • Please provide a list of database security requirements and settings.
        • Please provide a list of all Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows). Please identify whether these servers are used for processing, maintaining, updating, and sorting ePHI.
        • Please provide a list of authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems.
    • 18. Section divider: Policy-based Device Control and Data Encryption
      • Protecting Patient Data and HIPAA
      • Device Control at University Health Care System
      • Conclusion and Q & A
    • 19. Policy-Based Device Control and Data Encryption: Data Protection at the Endpoint
        • Protect Data from Leakage and Theft: Centrally enforce usage policies for all removable devices and media.
        • Improve Compliance: Centrally force encryption of data flowing onto removable devices and media to ensure that it cannot be accessed if they are lost or stolen.
        • Flexible Exception Management: Make business decisions about policy exceptions and emergency access.
        • Continuous Audit Readiness: Monitor all device usage and data transfers. Track all transferred files and content. Report on all data policy compliance and violations.
    • 20. Practical Data Protection Approach
      • 1. Discover all devices that are currently or have ever been connected to every endpoint.
      • 2. Assess device and data usage, including what device, on what machine, by which user, and when.
      • 3. Implement flexible device whitelisting, allowing only approved devices to run.
      • 4. Monitor the effectiveness of device usage policies.
      • 5. Report on data protection policies to prove compliance and conduct forensics.
    • 21. In-Depth Discovery
      • Discover all devices that are currently or have ever been connected to every endpoint.
      • Automatically determine how many and what devices are in use across your organization.
      • Easily find devices that you don’t even know about.
      • Device Types:
      • Biometric devices
      • COM / Serial Ports
      • DVD/CD drives
      • Floppy disk drives
      • Imaging Devices / Scanners
      • LPT / Parallel Ports
      • Modems / Secondary Network Access Devices
      • Palm Handheld Devices
      • Portable (Plug and Play) Devices
      • Printers (USB/Bluetooth)
      • PS/2 Ports
      • Removable Storage Devices
      • RIM BlackBerry Handhelds
      • Smart Card Readers
      • Tape Drives
      • User Defined Devices
      • Windows CE Handheld Devices
      • Wireless Network Interface Cards (NICs)
    • 22. Thorough Assessment
      • Assess device and data usage, including what device, on what machine, by which user, and when.
      • Full visibility on usage of all removable devices (e.g., USB flash drives) and media (e.g., CDs/DVDs) by user, machine and time.
      • Assess by unique device, device type, device vendor, users and user groups, machines, hours of operation, and more.
      • Ensure data is encrypted and secure when on removable devices / media.
    • 23. Implement Security Policy: Implement flexible device whitelisting, allowing only approved devices to run.
      • Enforce removable device / media and data usage policies to protect sensitive information.
      • Define what devices and media can connect to the network and what users or user groups can do with them for flexible exception management.
      • Centrally encrypt removable devices and media or force users to encrypt devices / media to ensure that data cannot be accessed if removable devices or media are lost or stolen.
    • 24. Continuous Monitoring: Monitor the effectiveness of device usage policies.
      • Automatically log all network events related to your data protection policy including:
        • Endpoint status
        • Device connection
        • User activity (such as data transfers)
        • File tracking (including full content shadowing)
      • Identify potential threats by logging all device execution attempts and recording all policy changes and administrator activities.
    • 25. Comprehensive Reporting: Report on data protection policies to prove compliance.
      • Provide a detailed audit trail of all device usage attempts.
      • Keep a copy of every file that is transferred to or from a removable device using our patented bi-directional shadowing technology.
      • Drill down on suspicious behavior for security or legal follow-up.
      • Link reporting to Syslog to enable event correlation, automated alerting / reporting, and integrated analysis.
    • 26. Device Control Puts You Back in Control
      • Eliminate a major blindspot at endpoints
        • Identify all devices that are currently connected or have ever been connected to network assets
        • Use detailed logs of device usage and data transfer (incl. file headers or full content shadowing) for auditing, forensics, etc…
      • Protect against data loss and theft
        • Control and manage any removable devices through any ports including USB, Firewire, WiFi, Bluetooth, etc…
        • Enforce encryption policies for data transferred to removable devices / media, including USB flash drives (UFDs), CDs / DVDs, etc…
        • Prevent malware introduction via removable devices / media
      • Policy Management / Control
        • Whitelisting / “Default Deny” approach eliminates unwanted / unknown devices
        • Granular permissions for devices (class, group, model, ID), users / user groups and machines / machine groups allow for fine exception management
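    To make the whitelisting model of slides 23 and 26 concrete, the following is an added example in Python; it is not Lumension's code and does not use Device Control's real policy format. It implements default deny for every storage-capable device class, whitelist rules that can match on device class, model, unique ID, user group and machine group, read-only versus read/write grants, and enforced encryption for anything written to removable media. The device class names are taken from the deck's policy plan; the rule fields, group names, serial numbers and user names are constructed for illustration.

```python
"""Device-control policy evaluator (added example; not Lumension's code).

Models the deck's approach: default deny for any storage-capable device,
whitelist rules keyed by device class / model / ID and by user group /
machine group, and enforced encryption for data written to removable media.
Class names come from the deck; rule fields, serials and users are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Classes that cannot hold data (keyboards, mice, printers, card readers) are
# allowed outright, as on the deck's policy plan; everything else is default deny.
NON_STORAGE_CLASSES = frozenset({
    "Printers (USB/Bluetooth)", "COM/Serial Port", "LPT/Parallel Ports",
    "PS/2 Ports", "Smart Card Readers",
})
FLASH = "Removable Storage Devices"


@dataclass(frozen=True)
class Device:
    device_class: str
    model: str
    serial: str            # unique device ID
    encrypted: bool = False


@dataclass(frozen=True)
class Event:
    user: str
    groups: FrozenSet[str]
    machine_group: str
    device: Device
    access: str            # "read" or "write"


@dataclass(frozen=True)
class Rule:
    """One whitelist entry; a None field matches anything."""
    device_class: Optional[str] = None
    model: Optional[str] = None
    serial: Optional[str] = None
    user_group: Optional[str] = None
    machine_group: Optional[str] = None
    access: FrozenSet[str] = frozenset({"read", "write"})
    require_encryption: bool = True

    def matches(self, ev: Event) -> bool:
        d = ev.device
        return ((self.device_class is None or self.device_class == d.device_class)
                and (self.model is None or self.model == d.model)
                and (self.serial is None or self.serial == d.serial)
                and (self.user_group is None or self.user_group in ev.groups)
                and (self.machine_group is None or self.machine_group == ev.machine_group))


def evaluate(rules: List[Rule], ev: Event) -> Tuple[str, str]:
    """First matching rule decides; no match means deny (whitelist model)."""
    if ev.device.device_class in NON_STORAGE_CLASSES:
        return "allow", "non-storage device class"
    for rule in rules:
        if not rule.matches(ev):
            continue
        if ev.access not in rule.access:
            return "deny", "rule permits %s only" % "/".join(sorted(rule.access))
        if rule.require_encryption and not ev.device.encrypted:
            return "deny", "unencrypted media; encryption is enforced"
        return "allow", "matched whitelist rule"
    return "deny", "no whitelist rule matched (default deny)"


# Constructed policy: Finance may write to encrypted flash drives, anyone may
# read optical media, and one scanner (by serial) is allowed only in Radiology.
POLICY = [
    Rule(device_class=FLASH, user_group="Finance"),
    Rule(device_class="DVD/CD Drives", access=frozenset({"read"}), require_encryption=False),
    Rule(device_class="Imaging Devices", serial="SCN-RAD-0042",
         machine_group="Radiology", require_encryption=False),
]


def audit(rules: List[Rule], events: List[Event]) -> List[dict]:
    """One audit record per connection attempt, allowed or denied."""
    records = []
    for ev in events:
        decision, reason = evaluate(rules, ev)
        records.append({"user": ev.user, "class": ev.device.device_class,
                        "serial": ev.device.serial, "access": ev.access,
                        "decision": decision, "reason": reason})
    return records


if __name__ == "__main__":
    demo = [
        Event("nurse1", frozenset({"Nursing"}), "Wards", Device(FLASH, "Generic", "USB-1"), "write"),
        Event("fin1", frozenset({"Finance"}), "Admin", Device(FLASH, "EncDrive", "USB-2", True), "write"),
        Event("fin2", frozenset({"Finance"}), "Admin", Device(FLASH, "Generic", "USB-3"), "write"),
        Event("nurse1", frozenset({"Nursing"}), "Wards", Device("DVD/CD Drives", "DVD", "OPT-1"), "write"),
        Event("tech1", frozenset({"Radiology"}), "Radiology", Device("Imaging Devices", "Scanner", "SCN-RAD-0042"), "read"),
        Event("nurse1", frozenset({"Nursing"}), "Wards", Device("PS/2 Ports", "Keyboard", "KB-1"), "read"),
    ]
    for rec in audit(POLICY, demo):
        print(rec)
```

    Rule order matters: the first match decides, so a broad read-only grant placed before a narrower read/write exception silently turns the exception into a denial. The audit record is produced for allowed attempts as well as denied ones, which is what makes the later "who used what, where, when" reporting possible.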
    • 27. Section divider: Device Control at University Health Care System
      • Protecting Patient Data and HIPAA
      • Policy-based Device Control and Data Encryption
      • Conclusion and Q & A
    • 28. University Health Care System
      • 581 bed, not-for-profit community hospital in Augusta, GA
        • Campus environment
      • 3,000+ employees
        • 600 independent, private physicians on active, consulting, courtesy and associate staff
      • 2,500+ Workstations
      • 330+ Servers
      • 120+ Applications (McKesson)
    • 29. Business Driver: Protecting Patient Data and Ensuring Compliance
      • External audit showed gaps in HIPAA Compliance
      • Fines for non-compliance with HIPAA now as large as $250,000 per incident
        • Covered entities and specified individuals who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year.
        • Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison.
        • Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.
      • Losing patient data is detrimental to the hospital as a business
    • 30. Health Care Data Loss Incidents in the Headlines
    • 31. Holistic Security
      • Understand the threat you need to protect against
      • Point security measures are never enough…
    • 32. University Health Care System Objectives
      • Secure Electronic Protected Health Information (EPHI) and Stay out of the Headlines
      • Enforce Policy
        • All USB devices must be encrypted
        • Unencrypted devices denied by default
      • Manage by Exception and by Role
        • Discretionary access model vs. role-based access model
      • Communicate Policy to Users
        • Identified every internal communication possible to leverage (newsletters, memoranda, posters, etc.)
        • Announced date for policy enforcement in advance
        • Created awareness around data loss incidents with other hospitals
    • 33. Enabling Removable Device Access – Previous Model
    • 34. Lumension Device Control – RBAC for USB Devices
    • 35. Justifying Device Control Implementation
      • Compliance
        • Audit finding remediation
      • Integrity and Reputation
        • Incident prevention
      • Data Protection
        • Protect our patients
        • Protect our employees and physicians
        • Protect financial and intellectual data
    • 36. Device Control Ensures Security and Enables the Business
      • Pass audits
      • Automate controls
      • Lower Risk
      • Operational Maturity
    • 37. Measurement of Lumension Device Control
    • 38. Granular Controls Enable Effective Policy Plan (Device Class: Device Description; Role-Based Access Control)
      • Blocked by default (access granted by role and by exception):
        • Removable Storage Devices: Memory sticks, Flash drives, ZIP Drives, USB Hard Drives, etc.
        • DVD/CD Drives: CD, CD-R/W, DVD, DVD R/W
        • Imaging Devices: Scanners, webcams, etc.
        • User Defined Devices: Non-standard devices (Generic USB Devices, IPAQ, etc.)
        • Portable Devices: Digital Cameras, iPhones, MP3 Players, etc.
        • Modem/Secondary Network Access Devices: Modems that do not connect directly through normal channels
        • Palm Handheld Devices: Palm PDAs, Smartphones, etc.
        • Floppy Disk Drives: IDE, parallel, or USB Floppy Drives
        • RIM Blackberry (Research In Motion): Handheld computers/mobile phones
        • Biometric Devices: Fingerprint readers, password managers, etc.
        • Tape Drives: Internal or external tape drives
        • Windows CE Handheld Devices: Windows CE computers using PocketPC OS
        • Wireless Network Interface Cards: Wireless LAN Adaptors
      • Allowed:
        • Printers (USB/Bluetooth): USB and Bluetooth Printers
        • COM/Serial Port (Serial Communication): Standard modems, phone cradles, etc.
        • LPT/Parallel Ports (Line Printer Terminal): Standard printers, dongles, etc.
        • PS/2 Ports (Personal System/2): Keyboards and Mice
        • Smart Card Readers: Readers for smartcards, etokens, or fingerprints
    • 39. Communication and Rollout Plan (Communication Means: Message; Presented; Status)
      • Executive Staff Meeting: Overview (this presentation); 3/24/2009; Complete
      • COO Briefing: Overview; 3/25/2009; Complete
      • Security Management Subcommittee: Overview; 4/8/2009; Complete
      • Cancer Committee Meeting: Agenda item; 4/10/2009; Complete
      • E-mail current users: Request ‘business need’ justification; 4/13/2009; Complete
      • Department Chair Meetings: Agenda item; 4/13 - 6/16/2009; Complete
      • Department Directors Meeting: Overview; 4/15/2009; Complete
      • IS Division Meeting: Overview; 4/15/2009; Complete
      • F-22 Revision: Publish link to Project Website; 4/15/2009; Complete
      • Internal Posters: Devices, contact info, effective date; 4/16/2009; Complete
      • Housewide Memo 1: Devices, contact info, effective date; 4/21/2009; Complete
      • Medical Executive Committee: Overview; 4/21/2009; Complete
      • IS Steering: Overview; 4/22/2009; Complete
      • Employee Communiqué Newsletter: Devices, contact info, effective date; 4/24/2009; Complete
      • Housewide Memo 2: Devices, contact info, effective date; 4/28/2009; Complete
      • Volunteer Executive Committee Meeting: Agenda item; 4/28/2009; Complete
      • Housewide Memo 3: Devices, contact info, effective date; 5/1/2009; Complete
      • Physician Practice Managers Meeting: Agenda item; 5/1/2009; Complete
      • Medical Staff Monthly Newsletter: Devices, contact info, effective date; 5/3/2009; Complete
      • Nursing Matters Newsletter: Devices, contact info, effective date; 5/3/2009; Complete
      • Foundation Quarterly Newsletter: Devices, contact info, effective date; 5/15/2009; Complete
      • Volunteer Quarterly Newsletter: Devices, contact info, effective date; 5/27/2009; Complete
    • 40. Monthly Newsletters and Memos On May 12, 2009 , University Hospital will protect electronic Protected Health Information (ePHI) by restricting USB storage device use to specific, authorized users. Unauthorized devices such as Universal Serial Bus (USB) drives, external hard drives, and non-encryptable devices such as digital cameras, cell phones, mp3 players, etc., will be blocked. Visit the "Device Control Project" link on the hospital's intranet homepage, or contact Dewayne Winston at [email_address] for more information.
    • 41. Internal Posters Throughout Hospital
      • Employee entrance
      • Cafeteria exit
      • Heart & Vascular Institute
      • Business Center
      • Human Resources
      • Staff elevators
    • 42. Current Results - ROI
      • Audit finding remediated
      • No loss of electronic Protected Health Information
      • Enforcement of policy by role with exceptions
      • Since May 12, 2009:
        • Blocked 345 unauthorized users
        • Blocked 20,000+ unauthorized access attempts
        • Weekly log monitoring
        • File shadowing enabled
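    The figures on slide 42 (blocked users, blocked attempts, weekly log review, file shadowing) are what a routine review of device-control logs yields, and slide 25 suggests feeding those logs to Syslog. The Python below is an added example, not Lumension's code or its log format: the key=value record layout and every log line are constructed, and the repeat-attempt window used to flag users is an assumed review threshold rather than a product setting. It parses the records, produces the deck's style of summary, and picks out users who keep retrying a blocked device within a short window, which is the case a reviewer follows up on first.

```python
"""Device-control log review (added example; not Lumension's code).

Parses constructed syslog-style key=value records (an assumed layout, not
the product's) and produces the kind of weekly summary the deck reports:
blocked attempts, distinct blocked users, denials per device class,
shadowed file names, and users who repeatedly retry a blocked device.
"""
import shlex
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: a few records from the first week of enforcement.
SAMPLE_LOG = """\
2009-05-12T08:14:02 host=WS-2201 user=jdoe class="Removable Storage Devices" serial=USB-0001 action=write decision=deny reason="default deny"
2009-05-12T08:15:40 host=WS-2201 user=jdoe class="Removable Storage Devices" serial=USB-0001 action=write decision=deny reason="default deny"
2009-05-12T08:16:05 host=WS-2201 user=jdoe class="Removable Storage Devices" serial=USB-0001 action=write decision=deny reason="default deny"
2009-05-12T09:02:11 host=WS-1187 user=asmith class="Removable Storage Devices" serial=ENC-0042 action=write decision=allow reason="matched rule"
2009-05-12T09:03:00 host=WS-1187 user=asmith class="Removable Storage Devices" serial=ENC-0042 action=write decision=allow reason="matched rule" shadow=Q2_billing.xlsx
2009-05-13T11:30:19 host=WS-0410 user=bjones class="Portable Devices" serial=CAM-77 action=read decision=deny reason="default deny"
2009-05-14T13:45:51 host=WS-2201 user=jdoe class="Removable Storage Devices" serial=USB-0009 action=write decision=deny reason="unencrypted media"
2009-05-15T07:58:33 host=WS-3005 user=clee class="PS/2 Ports" serial=KB-1 action=read decision=allow reason="non-storage class"
"""


def parse(line: str) -> Dict[str, str]:
    """One record to a dict; the ISO timestamp is the first token and
    shlex handles the quoted values."""
    ts, *fields = shlex.split(line)
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse(line) for line in text.splitlines() if line.strip()]


def summarize(records: List[Dict[str, str]]) -> dict:
    """Counts comparable to the deck's 'blocked N users / N attempts' figures."""
    denied = [r for r in records if r["decision"] == "deny"]
    return {
        "blocked_attempts": len(denied),
        "blocked_users": len({r["user"] for r in denied}),
        "denials_by_class": dict(Counter(r["class"] for r in denied)),
        "shadowed_files": [r["shadow"] for r in records if "shadow" in r],
    }


def repeat_offenders(records: List[Dict[str, str]], threshold: int = 3,
                     window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Users with at least `threshold` denials inside any `window`: someone
    retrying a blocked device, who needs a conversation rather than a ticket.
    Threshold and window are assumed review settings."""
    by_user = defaultdict(list)
    for r in records:
        if r["decision"] == "deny":
            by_user[r["user"]].append(datetime.fromisoformat(r["ts"]))
    flagged = []
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    print("repeat offenders:", repeat_offenders(recs))
```

    The summary deliberately keeps allowed events too: the shadowed file names for permitted transfers are the forensic trail the deck describes, and an allow/deny ratio per device class shows whether the whitelist is tuned or whether legitimate users are being blocked and need a role exception.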
    • 43. Security that Ensures Compliance AND Business Productivity
      Ensure that the Right People have the Right Access to the Right Resources and are doing the Right Things Efficiently and Productively
    • 44. Section divider: Conclusion and Q & A
      • Protecting Patient Data and HIPAA
      • Policy-based Device Control and Data Encryption
      • Device Control at University Health Care System
    • 45. Additional Resources
      • Learn More about Technical Controls to Address HIPAA Compliance Challenges:
        • http://www.lumension.com/hipaa-compliance
        • Whitepaper - Achieving HIPAA Security Rule Compliance with Lumension
      • Optimal Security Blog – http://blog.lumension.com
      • Device Scanner Offer
        • Discover every removable device, such as USB flash drives, that has ever connected to your network
      • Protect Your Vital Information Resource Center
        • Third party research, videos, tools and case studies
        • http://www.lumension.com/protect-your-vital-information
    • 46.
      • Global Headquarters
      • 15880 N. Greenway-Hayden Loop
      • Suite 100
      • Scottsdale, AZ 85260
      • 1.888.725.7828
      • [email_address]