Defending Data in Healthcare: Securing Private Information to Ensure Ironclad HIPAA Compliance

Go to www.compliancy-group.com/webinar to join our webinars, or go to http://compliancy-group.com/past-webinars/ to download these and other past webinar slides!

  1. Defending Data in Healthcare: Securing Private Information to Ensure Ironclad HIPAA Compliance
     © Copyright 2011 Axis Technology, LLC
  2. Agenda
     - Non-Compliance - Potential Consequences
     - How to Know Exactly Where your Sensitive Data is and Identify Where the Real Risks Are
     - Protecting Data from External Threats
     - Securing Data from Improper Internal Access
     - Protecting PHI When Business Associates Are Involved
     - The Impact of Bring Your Own Device ("BYOD")
  3. Compliance is important but expensive. Until Now: The Guard Compliance Tracking Solution
     EASY: Self Audit Questionnaires; Gap Identification Reporting; Remediation Management; Policy and Procedure Templates; Unlimited Number of Patients, Employees and Associates; Document and Version Control Management; Highly Secure; No IT integration - Web Based Solution.
     Become Compliant in 60 Days! Attest for HITECH, and Satisfy Meaningful Use Core Measure 15.
     To find out more or start a FREE 30 Day evaluation visit www.compliancy-group.com, (855) 85 HIPAA or (855) 854-4722
  4. NON-COMPLIANCE - POTENTIAL CONSEQUENCES
  5. Non-Compliance - Potential Consequences: Overview of Breach Reports
     - Data breaches increased by 32% in 2011
     - 380 large breaches between September 2009 and October 2011
     - Over 30,000 small breaches in the same period
     - Over 18 million affected records
     (Charts: Breaches by Industry; Threats by Industry 2011.)
     Sources: Ponemon Institute 2011 & Symantec Annual Threat Report 2011
  6. Non-Compliance - Potential Consequences: Large Breaches
     Cause of Breach (Breach Count), Sept. 2009 to Dec. 2011: Theft 196 (52%); Unauthorized Access/Disclosure 75 (20%); Loss 55 (14%); Hacking/IT Incident 26 (7%); Improper Disposal 20 (5%); Unknown 6 (2%); Other 1 (0%).
     Cause of Breach (Affected Individuals), Sept. 2009 to Dec. 2011: Theft and Loss account for 7,291,355 (40%) and 6,755,205 (37%) of affected individuals; the remaining categories (Unauthorized Access/Disclosure, Hacking/IT Incident, Improper Disposal, Unknown, Other) account for 1,911,160 (11%), 857,939 (5%), 750,195 (4%), 344,579 (2%) and 149,398 (1%).
     Theft, Unauthorized Access / Disclosure and Loss make up 86% of the sources of Large Breaches. 77% of affected individuals experience some type of loss or theft.
  7. Non-Compliance - Potential Consequences: Compliance is increasingly an issue
     The number of HIPAA Privacy Rule compliance and enforcement complaints has continually increased over the years (1).
     Privacy and Security Officer Concerns: What PHI is contained within the enterprise? What PHI is provided to other organizations?
     (1) Source: The Department of Health and Human Services, Office of Civil Rights (OCR) Website
  8. Non-Compliance - Potential Consequences: Is HIPAA Compliance Enough?
     - In addition to HIPAA, there are also a multitude of other laws enacted to govern data privacy, including state laws such as Massachusetts 201 CMR 17.
     - Core Objectives for Stage 1 of Meaningful Use include utilization of Electronic Health Records.
     - Although not a government regulation, the Payment Card Industry (PCI) standard is an industry-specific security standard that applies to the use and storage of credit/debit card information.
     - For multi-nationals, there are additional concerns such as the proposed European Union Data Privacy Regulation.
     Source: The Department of Health and Human Services, Office of Civil Rights (OCR) Website
  9. Non-Compliance - Potential Consequences: Breaches Happen
     In the event of a breach, costs to your organization will quickly start to mount up and can include one or more of the following (graphic: the full cost of a breach):
     - Notifying patients
     - Investigating and controlling the breach
     - Potential litigation and fines
     - Intangible costs associated with: damage to your brand, loss of customers, decline in value, and reputation management
  10. Non-Compliance - Potential Consequences: Compliance Requires Planning
      Achieving compliance with HIPAA and other regulations requires a coordinated effort. The first step is to establish an overall outline of risks and controls. This is commonly known as Enterprise Governance, Risk and Compliance.
      Develop a Risk Framework to measure the maturity of risk Control Items. Some examples of Control Item categories include:
      - Sensitive Data Inventory
      - Vulnerability assessment
      - Entitlements Management
      - Data Loss Detection / Prevention
      - Data Governance
      Source: The Department of Health and Human Services, Office of Civil Rights (OCR) Website
  11. HOW TO KNOW EXACTLY WHERE YOUR SENSITIVE DATA IS & IDENTIFY WHERE THE REAL RISKS ARE
  12. How to know exactly where your sensitive data is and identify where the real risks are: Identifying Location of Sensitive Data
      Which Data Requires Protection?
      PHI Data (Healthcare and Pharmaceutical companies are required to secure PHI per HIPAA):
      - Names
      - Geographic subdivisions smaller than a State
      - All elements of dates (except year) for dates directly related to an individual
      - Telephone / Fax numbers
      - Electronic mail addresses
      - Social security numbers
      - Medical record numbers
      - Health plan beneficiary numbers
      - Account numbers
      - Certificate/License numbers
      - Vehicle identifiers and serial numbers, including license plate numbers
      - Device identifiers and serial numbers
      - Universal Resource Locators (URLs)
      - Internet Protocol (IP) address numbers
      - Biometric identifiers, including finger and voice prints
      - Full face photographic images and any comparable images; and
      - Any other unique identifying information
      Employee Data (Healthcare and Pharmaceutical companies are required to secure PHI per HIPAA; all organizations must follow their state privacy laws, similar to Senate Bill No 1386, State of California):
      - Employee or Corporate ID
      - Salary, Benefits
      - HR status (termination, personnel issues)
      - Family data
      - Manager information
      - Cost Center data
      Company Data (companies required to follow the Gramm-Leach-Bliley Financial Services Modernization Act (1999) or the Sarbanes-Oxley Act (2002); multi-nationals face requirements including CANADA: Jan 2005 Personal Information Protection and Electronic Documents Act, JAPAN: Apr 2005 Personal Information Protection Law, FRANCE: Oct 2005 Computing and Liberties Act; companies with customers in MA per MGL 93H; all organizations must follow their state privacy laws, similar to Senate Bill No 1386, State of California):
      - Vendor Data
      - Security Identifiers: CUSIP, ISIN, SEDOL
      - Other Identifiers: Name, Number, Symbol
      - NAV, type of Security
      - Activity: Account balances, transactions, trade date
      - Financials: Price, quantity, legal fees, vendor payments
      - Assets/holdings
      - Comment fields
      - Trade dates
  13. How to know exactly where your sensitive data is and identify where the real risks are: Major Threat Areas
      Lesson 1: You should be less concerned with external threats and more concerned with internal threats.
      Vulnerabilities can exist in many areas of our environment.
      To be compliant with HIPAA, covered entities must implement technical policies and procedures to allow access only to those persons and business associates that absolutely require access (164.312(a)(1)).
      Types of threat (numbered on the environment diagram: external users, firewall, load balancer, web server, app server, ERP, databases, with file servers, backups, privileged users and internal users alongside):
      1. External users / Hackers
      2. Internal users
      3. Files/web servers
      4. Administrators/DBAs/developers
      5. Database vulnerability
      6. Data backup
      Insider threats are a concern: Forrester estimates that 75% of threats come from insiders and that 60% of internal breaches are undetected.
  14. PROTECTING DATA FROM EXTERNAL AND INTERNAL THREATS
  15. Protecting data from threats: Threat Deterrence
      Lesson 1: You should be less concerned with External Threats, and more concerned with Internal Threats.
      External Threats: Physical Security; Encryption; Cyber Attack Prevention; Reducing Instances of PHI.
      Internal Threats: Physical Security; Encryption; Entitlements Management; Restricting Access to PHI.
  16. Protecting data from threats: Physical Security
      External Threats:
      - Ensuring access to facilities is carefully managed.
      - The process for destruction of documents should be clear and workable within the working environment of the staff.
      - Clearly marked locked bins to house documents to be shredded are important.
      Internal Threats:
      - Ensuring access to areas where PHI is handled by only those who must have access to that data.
      - Clean Desk policies need to be implemented.
      - Asset controls which include documentation of asset retirement or destruction should be implemented.
  17. Protecting data from threats: Encryption
      Any devices housing sensitive data should use encryption. If the device falls into the wrong hands or is hacked, this will provide security from less sophisticated threats and buy time from more sophisticated ones. Prevents unauthorized access by Internal Staff and Business Associates.
      - Data at Rest: Structured and Unstructured Data
      - Data in Motion: E-mails and File Transfers
      - Performance Impacts: From 3% and up to 30%
      - Key Management: Administration and Operations Overhead for thousands of servers; Legacy Systems; Auditing and Reporting
  18. Protecting data from threats: DLP
      DLP (Data Loss Prevention) tools oversee movement of data.
      - Discover and monitor the location and flow of sensitive data
      - Enforce controls to prevent loss of sensitive data through email, the internet and devices that are used
      - A central reporting engine for policy creation and management
      - Out of the box support for HIPAA and other regulations
  19. Lesson 1: Protecting data from external threats: Cyber Attack Prevention
      Defending against Advanced Persistent Threats: anomaly detection and prevention; detect intruders in real time; detailed model of network topology, access paths, and threats; what-if analysis predicts risk behavior and business impact; achieve compliance with cyber security regulations such as NIST, NERC CIP, FISMA.
      Cyber Security Audits: cyber attack simulation, defenses against malware and penetration tests; threat and vulnerability analysis; system security integration, definition of security measures and counter-measures; inventories of authorized and unauthorized hardware and software; secure configurations for hardware, software, wireless and network security devices; controlled access and administrative privileges.
      Verifying the Security of your Business Associates.
  20. Lesson 1: Protecting data from internal threats: Entitlements Management
      - Understanding who has access to what.
      - Ensuring that meaningful entitlements reviews are conducted periodically.
      - Ensuring that processes for managing entitlements are appropriate.
      - Significant privacy risk exposure exists with entitlements that do not conform to security policies, regulations, and/or best practices within and across the environment.
      - Enterprise Entitlement Solutions typically include separate mainframe, application specific and LDAP based solutions.
      - Reviewing for Toxic Combinations.
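The entitlements review described on slide 20, as an added example that is not part of the deck or of any Axis product: grants from separate mainframe, application and LDAP extracts are consolidated into one view, then checked for toxic combinations and for grants outside the user's role policy. All users, grant names, roles and toxic pairs below are constructed for the example.

```python
# Constructed entitlement extracts from three separate sources, mirroring the
# mainframe, application-specific and LDAP based solutions slide 20 mentions.
MAINFRAME = {"jdoe": {"CLAIMS_UPDATE"}, "asmith": {"CLAIMS_UPDATE", "CLAIMS_APPROVE"}}
APP = {"jdoe": {"PHI_VIEW"}, "asmith": {"PHI_VIEW"}, "bkim": {"DBA_PROD", "PHI_VIEW"}}
LDAP = {"bkim": {"DEVELOPER"}, "jdoe": {"HELPDESK"}}

# Toxic combinations: pairs of entitlements no single identity should hold together.
TOXIC_PAIRS = {
    frozenset({"CLAIMS_UPDATE", "CLAIMS_APPROVE"}),  # enter and approve the same claim
    frozenset({"DBA_PROD", "DEVELOPER"}),            # change code and touch production PHI
}

# What each job role is permitted to hold; anything beyond it is out of policy.
ROLE_POLICY = {
    "claims_clerk": {"CLAIMS_UPDATE", "PHI_VIEW"},
    "developer": {"DEVELOPER"},
}
USER_ROLE = {"jdoe": "claims_clerk", "asmith": "claims_clerk", "bkim": "developer"}


def consolidate(*sources):
    """Union the per-source grants into one view of who has access to what."""
    view = {}
    for source in sources:
        for user, grants in source.items():
            view.setdefault(user, set()).update(grants)
    return view


def find_toxic(entitlements, toxic_pairs):
    """Users holding a toxic combination, with offending pairs sorted for stable reporting."""
    findings = {}
    for user, grants in entitlements.items():
        pairs = sorted(tuple(sorted(p)) for p in toxic_pairs if p <= grants)
        if pairs:
            findings[user] = pairs
    return findings


def find_out_of_policy(entitlements, user_role, role_policy):
    """Grants a user holds beyond what their role allows; a user with no role is allowed nothing."""
    findings = {}
    for user, grants in entitlements.items():
        allowed = role_policy.get(user_role.get(user), set())
        extra = grants - allowed
        if extra:
            findings[user] = extra
    return findings


if __name__ == "__main__":
    view = consolidate(MAINFRAME, APP, LDAP)
    print("toxic combinations:", find_toxic(view, TOXIC_PAIRS))
    print("out of policy:", find_out_of_policy(view, USER_ROLE, ROLE_POLICY))
```

Run periodically against fresh extracts, the two findings dictionaries are the review's output: each toxic pair or out-of-policy grant is an item for the entitlement owner to justify or revoke.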
  21. Lesson 1: Protecting data from external threats: Reducing Instances of PHI
      PHI may exist in more environments than you realize. Copies may exist for testing purposes as well as sharing with third parties. So you are really protecting an environment that looks like
  22. Lesson 1: Protecting data from external threats: Reducing Instances of PHI
      (Diagram: three copies of the environment from slide 13, labelled Live - Production, QA Testing and UAT Testing, each with external users, firewall, load balancer, web server, app server, ERP, databases, file servers, backups, privileged users and internal users.)
      Copies of PHI may exist in multiple locations in your environment.
      Each of these locations is a potential target from external sources and needs to be protected.
      De-identification technology can be used in these environments.
  23. Lesson 1: Protecting data from internal threats: Restricting Access to PHI
      - For exchange of data with business associates or other third parties, all data going to them should be de-identified where permissible.
      - For purposes of internal testing by our own employees and contracted business associates, de-identification is a must.
      - PHI that exists in review of System and Database Logs should be de-identified.
      - Aggregation and analytics should be good candidates for de-identified data.
      - Live production reports and user interfaces should be reviewed to determine where de-identified data can be substituted.
      HIPAA 164.502(d)(2) provides for the uses and disclosures of de-identified information (aka Masked, Obfuscated, Redacted). Health information that meets the requirements for de-identification is considered not to be individually identifiable health information.
  24. Lesson 1: Protecting data from external threats: Restricting Access to PHI
      (Diagram: the same Live - Production, QA Testing and UAT Testing environments as slide 22.)
      Exchanges of Data; Internal Testing; System and Database Logs; Aggregation and analytics; Reports and User Interfaces.
      De-identification technology can be used in these situations.
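One way to carry out the de-identification of System and Database Logs recommended on slides 23 and 24, as an added example that is not part of the deck and not the DMsuite product: a Python pass that applies the slide 12 identifier categories to constructed log lines. Identifiers with a recognisable shape (URL, e-mail, SSN, phone, IP) are replaced by a category token, dates are reduced to the year, and labelled record fields are redacted by name; the field names `mrn`, `patient`, `account` and `beneficiary` and the `key=value` layout are assumptions about a log format.

```python
import re
from collections import Counter

# Free-text identifiers with a recognisable shape.  Order matters: URLs go
# before e-mail and IP so a URL's host is not redacted twice, and an SSN
# (3-2-4 digits) is distinct from a phone number (3-3-4 digits).
PATTERNS = [
    ("URL",   re.compile(r"https?://[^\s\"'<>]+")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]

# Dates: only the year may remain.  Every date in a log line is treated as
# potentially related to an individual (a conservative choice for this example).
DATE_PATTERNS = [
    re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"),      # 2011-10-14  -> 2011
    re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"),  # 03/22/1958  -> 1958
]

# Labelled record fields: names and medical record numbers have no shape of their
# own, so they are redacted by field name.  The names are an assumed log format.
FIELD_PATTERN = re.compile(
    r'\b(mrn|patient|account|beneficiary)(\s*[=:]\s*)("[^"]*"|[^\s,;]+)', re.I)


def deidentify(line):
    """Return (redacted_line, Counter of identifier categories removed)."""
    hits = Counter()

    def field_sub(m):
        hits[m.group(1).upper()] += 1
        return f"{m.group(1)}{m.group(2)}[REDACTED-{m.group(1).upper()}]"

    line = FIELD_PATTERN.sub(field_sub, line)
    for label, pattern in PATTERNS:
        line, n = pattern.subn(f"[{label}]", line)
        if n:
            hits[label] += n
    for pattern in DATE_PATTERNS:
        line, n = pattern.subn(r"\1", line)
        if n:
            hits["DATE"] += n
    return line, hits


def deidentify_log(lines):
    """De-identify every line; the totals double as an audit record of what was removed."""
    totals, out = Counter(), []
    for raw in lines:
        clean, hits = deidentify(raw)
        out.append(clean)
        totals.update(hits)
    return out, totals


# Constructed sample lines for this example; every value is fictitious.
LOG_LINES = [
    '2011-10-14 09:32:11 INFO  chart viewed patient="Jane Doe" mrn=00481516 by nurse1 from 10.20.30.40',
    '2011-10-14 09:33:05 WARN  claim rejected ssn=123-45-6789 dob=03/22/1958 phone=(555) 010-2670',
    '2011-10-14 09:35:40 INFO  portal login for jane.doe@example.org via https://portal.example.org/visit/88213',
]

if __name__ == "__main__":
    print(*deidentify_log(LOG_LINES), sep="\n")
```

Pattern-based redaction catches only what has a shape or a label; free-text names and the other slide 12 categories (geographic subdivisions, device and vehicle identifiers) still need a dictionary or a structured source, so the per-category totals are there to be reconciled against what the log is known to contain.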
  25. PROTECTING PHI WHEN BUSINESS ASSOCIATES ARE INVOLVED
  26. Protecting PHI when business associates are involved: Business Associates
      The HIPAA Privacy Rule places responsibility for ensuring that Business Associates maintain privacy on the Covered Entity that they are associating with. It requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.
      The Office of Civil Rights ("OCR") is required to impose penalties if the covered entity or its business associate acts with neglect, i.e., with "conscious, intentional failure or reckless indifference to the obligation to comply" with HIPAA requirements. [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)]
      The Minnesota Attorney General brought an enforcement action due to an action by a business associate, Accretive Health, Inc., for an alleged violation under HIPAA, using authority under the HITECH Act.
      Actions to take:
      - Have Formal Written Agreements with Business Associates
      - Minimize PHI that is accessible to Business Associates
      - Perform Self-Testing which includes your Business Associates
      Source: The Department of Health and Human Services, Office of Civil Rights (OCR) Website
  27. THE IMPACT OF BRING YOUR OWN DEVICE ("BYOD")
  28. Protecting PHI when business associates are involved: BYOD
      - Understand where sensitive data exists in our environment.
      - Develop plans to manage the sensitive data that is in our inventory.
      - Plan for getting to the appropriate level of maturity to safeguard data.
      Clearly define the scope of what we are trying to do, including: protecting sensitive data that exists on a mobile device; providing secure channels of communication; minimizing the amount of sensitive data being sent to mobile devices; and doing all this in a cost effective manner.
      And who we are doing it for: Internal Employees; Business Partners / Associates; Clients / Third Parties.
      The protection requires a multi-layered approach:
      - Any sensitive data that resides on the devices should be encrypted.
      - A DLP solution should be used to manage the communication with endpoints.
      - Implement the ability to remotely disable devices that are impacted.
      - Minimize the amount of sensitive data being sent to these devices.
      Source: The Department of Health and Human Services, Office of Civil Rights (OCR) Website
  29. (Image slide, no text.)
  30. Risk Based Solutions
      Axis has created a set of eGRC related solutions that leverage our overall consulting expertise as well as our DMsuite(TM) and product implementation capabilities.
      (Diagram: Enterprise Governance, Risk and Compliance. Strategic Business Processes / Goals drive Enterprise Architecture (Reference Models, Business Architecture, Application Architecture), which drives Information Security Architecture (Regulatory & Corporate Requirements, Environment Maturity Assessment); that in turn drives Data Masking (De-Identification), Identity / Access Management, Data Management and Information Security, which drive Entitlements Management, Data Governance and Sensitive Data Assessment, delivered with DMsuite(TM) in the Operational Environment.)
  31. Data De-Identification - DMsuite(TM)
      DMsuite - A robust, proprietary tool that has been deployed at clients for over 8 years with: Sensitive Data Discovery (HIPAA Ready Out of the Box), Data De-Identification and Auditing functionality.
  32. Questions or Further Discussions
      Contact: Joe Santangelo
      Email: jsantangelo@axistechnologyllc.com
      Phone: (646) 596-2670
      Twitter: @DataPrivacyDude
  33. Compliance is important but expensive. Until Now: The Guard Compliance Tracking Solution (repeat of slide 3)
      EASY: Self Audit Questionnaires; Gap Identification Reporting; Remediation Management; Policy and Procedure Templates; Unlimited Number of Patients, Employees and Associates; Document and Version Control Management; Highly Secure; No IT integration - Web Based Solution.
      Become Compliant in 60 Days! Attest for HITECH, and Satisfy Meaningful Use Core Measure 15.
      To find out more or start a FREE 30 Day evaluation visit www.compliancy-group.com, (855) 85 HIPAA or (855) 854-4722
  34. www.AxisTechnologyLLC.com
      Thank You!
      185 Devonshire Street, Boston, MA 02110
      (857) 445-0110
      © Copyright 2011 Axis Technology, LLC
