Protecting PHI and PII - HIPAA Challenges and Solutions - Privacy vs Cost
In January 2013, the HIPAA Omnibus Final Rule was published, implementing more specific requirements for protecting PHI and steeper penalties for failing to comply. With a final compliance deadline of September 25, 2013, many organizations that create or handle PHI are scrambling to find a solution.

It should not be surprising that there has been an increased focus on PHI regulation, as the percentage of healthcare organizations reporting a data breach keeps rising. 94% of healthcare organizations have had at least one data breach in the past two years, and the annual cost to the healthcare industry could be as high as an estimated $7 billion, according to research from the Ponemon Institute.

Healthcare ranks among the worst US industries in security effectiveness and breach prevention. Since the payment card industry instituted sweeping protection requirements for cardholder data, PHI that is left unprotected, including insurance information, prescription details and medical files, has become the prime target for commoditized insurance fraud. Verizon's 2013 Data Breach Investigations Report shows that the large majority of breaches are discovered by external parties rather than by the victim's own internal resources. Under the Omnibus Rule, civil penalties run up to $1.5 million per year for violations of an identical provision.
Tokenization, the most effective form of PCI data security, is steadily gaining on encryption. Its security, flexibility and transparency to applications have proven results: PCI audit scope and duration can be reduced dramatically, applications need few changes to process tokenized data, and over the last year tokenization users had 50% fewer security-related incidents than non-users, according to a recent Aberdeen study. The scope reduction holds only for systems that handle tokens alone; any system able to detokenize, and the token vault or key store itself, remains in scope and must be protected accordingly.

Due to these inherent advantages, tokenization has recently seen a surge in use for information other than cardholder data: nearly 47% of respondents to a recent Aberdeen study are using tokenization for something other than cardholder data. As tokenization can be applied to any structured data, it follows naturally that organizations looking to protect PHI could benefit greatly by implementing a tokenization solution. Tokenization covers structured identifiers; unstructured PHI such as images, scanned documents and free-text notes still needs file encryption. In conjunction with best practices such as file encryption, policy-based access controls, and central monitoring and auditing, the healthcare industry could see the same results that the payment card industry is realizing today.
With more stringent data security requirements and regular audits on the horizon, in addition to increasing attacks on PHI, organizations should act now to protect their data, before it is too late.

  • I added material from: my article in ISACA Journal; presentation at the NA CACS in Orlando next week; eSymposium presentation. My view is: to address emerging and evolving IT risk is to look at your data flow. Choosing the most appropriate data security solutions for an organization: understanding your options and strategies. 86,000 members in 160 countries.

Presentation Transcript

  • Protecting PHI across the organization: Challenges and Solutions. Ulf Mattsson, CTO, Protegrity
  • ISSA Article
  • New Healthcare Security SIG: Information Systems Security Association, New Healthcare Security Special Interest Group. http://www.bankinfosecurity.com/interviews/ira-winkler-on-issas-future-i-1685
  • The Ponemon Institute study "Third Annual Benchmark Study on Patient Privacy & Data Security", December 2012
  • Study on Patient Privacy & Data Security (source: The Ponemon Institute study "Third Annual Benchmark Study on Patient Privacy & Data Security", December 2012)
    • The percentage of healthcare organizations reporting a data breach has increased and not declined
    • 94% of healthcare organizations had at least one data breach in the past two years
    • Breaches can have severe consequences and affect patient treatment
    • Technologies that promise greater productivity and convenience, such as mobile devices, file-sharing applications and cloud-based services, are difficult to secure
    • Sophisticated and stealthy attacks by criminals have been steadily increasing
    • Estimated average annual cost to the healthcare industry could potentially be as high as $7 billion
  • Type of Data that was Lost or Stolen (chart; source: The Ponemon Institute study "Third Annual Benchmark Study on Patient Privacy & Data Security", December 2012)
  • Targeting Medical Info - Not Credit Cards. http://www.scmagazine.com/medical-identity-theft-to-be-explored-at-ftc-hearing/article/291780/
  • Harms Patients Suffer if Records are Lost or Stolen (chart; source: The Ponemon Institute study "Third Annual Benchmark Study on Patient Privacy & Data Security", December 2012)
  • Identity Theft
  • Woman gets Prison Time in Identity Theft. http://news.yahoo.com/woman-gets-prison-time-total-identity-theft-202030353.html
    "On Monday, the real Candida L. Gutierrez saw her identity thief, Benita Cardona-Gonzalez, for the first time. Their encounter came inside a federal courtroom in Wichita, where Cardona-Gonzalez, a Mexican national, was sentenced to 18 months in prison for possessing fraudulent identification documents. Cardona-Gonzalez assumed Gutierrez's persona completely, using it to get a job, a driver's license, a mortgage and medical care for her children."
  • Why changing your Password won't help. http://www.pcworld.com/article/2036610/why-changing-your-livingsocial-password-won-t-save-you.html
    "The bigger concern is what an attacker can do with your personal information."
    "That's enough information to get them started down the path of stealing your identity."
  • HIPAA Omnibus - Penalties if PHI isn't encrypted. http://www.diagnosticimaging.com/physicians-experts-make-case-secure-data-exchange-himss13
  • Lost PHI was Not Protected - Lawsuit. http://healthitsecurity.com/2013/05/03/patients-sue-dorn-va-medical-center-for-data-breach/#comment-23
    "The suit argues that the VA failed to implement even the most rudimentary of technical safeguards."
    "How the suit plays out will be interesting because it's not very often a government organization is facing civil and potential Department of Health and Human Services (HHS) penalties."
  • How are Data Breaches Detected?
  • Breach Discovery Methods (chart; source: Verizon 2013 Data Breach Investigations Report)
  • HIPAA & PHI
  • HIPAA PHI: List of 18 Identifiers
    1. Names
    2. All geographical subdivisions smaller than a state
    3. All elements of dates (except year) related to the individual
    4. Phone numbers
    5. Fax numbers
    6. Electronic mail addresses
    7. Social Security numbers
    8. Medical record numbers
    9. Health plan beneficiary numbers
    10. Account numbers
    11. Certificate/license numbers
    12. Vehicle identifiers and serial numbers
    13. Device identifiers and serial numbers
    14. Web Universal Resource Locators (URLs)
    15. Internet Protocol (IP) address numbers
    16. Biometric identifiers, including fingerprints
    17. Full face photographic images
    18. Any other unique identifying number, characteristic or code
  • Identifiable Sensitive Information

    Field            Real Data                             Tokenized / Pseudonymized
    Name             Joe Smith                             csu wusoj
    Address          100 Main Street, Pleasantville, CA    476 srta coetse, cysieondusbak, CA
    Date of Birth    12/25/1966                            01/02/1966
    Telephone        760-278-3389                          760-389-2289
    E-Mail Address   joe.smith@surferdude.org              eoe.nwuer@beusorpdqo.org
    SSN              076-39-2778                           937-28-3390
    CC Number        3678 2289 3907 3378                   3846 2290 3371 3378
    Business URL     www.surferdude.com                    www.sheyinctao.com
    Fingerprint                                            Encrypted
    Photo                                                  Encrypted
    X-Ray                                                  Encrypted

    Healthcare Data - Primary Care Data: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Protection methods can equally be applied to the actual healthcare data, but this is not needed once the identifiers are de-identified.
  • De-Identified Sensitive Data: the same table as above, except that the de-identified SSN keeps its leading three digits (076-39-2778 becomes 076-28-3390); every other field is tokenized exactly as in the previous slide, and fingerprint, photo and X-ray remain encrypted.
  • What can We Learn from Financial Services?
  • Security Effectiveness per Industry Segment (chart; source: The Ponemon Institute study, 2011)
  • Positioning of Solutions
  • Reduction of Pain with New Protection Techniques (timeline chart, 1970 to 2010, pain and TCO from high to low): Strong Encryption (AES, 3DES), then Format Preserving Encryption (DTP, FPE), then Vault-based Tokenization, then Vaultless Tokenization. For the input value 3872 3789 1620 3675, strong encryption yields !@#$%a^.,mhu7///&*B()_+!@ while the format-preserving methods yield 8278 2789 2990 2789; vaultless tokenization is shown as format preserving with greatly reduced key management and no vault.
  • Tokenization with or without Vault

    Criterion                               Vault-based Tokenization                                Vaultless Tokenization
    Footprint                               Large, expanding.                                       Small, static.
    High Availability, Disaster Recovery    Complex, expensive replication required.                No replication required.
    Distribution                            Practically impossible to distribute geographically.    Easy to deploy at geographically distributed locations.
    Reliability                             Prone to collisions.                                    No collisions.
    Performance, Latency and Scalability    Will adversely impact performance and scalability.      Little or no latency. Fastest industry tokenization.
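The de-identification tables and the vault comparison above describe format-preserving tokens and contrast the two designs. The Python below is an added example, not code from the deck or from Protegrity, that de-identifies the "Joe Smith" record both ways. The vault-based class draws random tokens and keeps the value-to-token mapping in an in-memory dictionary standing in for the token vault (which in production is the store that needs replication and protection); the vaultless class derives tokens with HMAC-SHA256 under a key, so nothing is stored, but this variant is one-way pseudonymization, and the keyed format-preserving encryption that commercial vaultless products use to reverse tokens is assumed rather than implemented. The sample record, the per-field rules (keep the SSN area number, the phone area code, the e-mail top-level domain and the birth year) and the key are constructed for the example.

```python
import hashlib
import hmac
import secrets
import string

# Constructed sample record, matching the "Joe Smith" row on the slide.
SAMPLE_RECORD = {
    "name": "Joe Smith",
    "ssn": "076-39-2778",
    "telephone": "760-278-3389",
    "email": "joe.smith@surferdude.org",
    "date_of_birth": "12/25/1966",
}

# Assumed per-field rule: (prefix chars to keep, suffix chars to keep), or "date" to keep the year.
FIELD_RULES = {
    "name": (0, 0),
    "ssn": (3, 0),            # keep the area number, as in the de-identified slide
    "telephone": (3, 0),      # keep the area code
    "email": (0, 4),          # keep the ".org" top-level domain
    "date_of_birth": "date",  # year alone is allowed under the safe-harbor list
}


def _draw(keystream, n):
    """Uniform integer in [0, n) from a byte stream; bytes that would bias the modulus are rejected."""
    limit = 256 - (256 % n)
    while True:
        b = next(keystream)
        if b < limit:
            return b % n


def _format_preserving(value, keystream, keep=(0, 0)):
    """Swap each digit for a digit and each letter for a letter. Punctuation, spacing and the kept
    prefix/suffix are copied through, so the token passes the same format validation as the value."""
    head, tail = keep
    body_end = len(value) - tail
    out = []
    for i, ch in enumerate(value):
        if i < head or i >= body_end:
            out.append(ch)
        elif ch.isdigit():
            out.append(string.digits[_draw(keystream, 10)])
        elif ch.isalpha():
            out.append(string.ascii_lowercase[_draw(keystream, 26)])
        else:
            out.append(ch)
    return "".join(out)


def _tokenize_date(value, keystream):
    """Keep the year and replace month/day with a derived pair that is always a valid date."""
    return f"{1 + _draw(keystream, 12):02d}/{1 + _draw(keystream, 28):02d}/{value[-4:]}"


def _apply_rule(field, value, keystream):
    rule = FIELD_RULES.get(field, (0, 0))
    if rule == "date":
        return _tokenize_date(value, keystream)
    return _format_preserving(value, keystream, rule)


def _random_keystream():
    return iter(lambda: secrets.randbits(8), None)


class VaultTokenizer:
    """Vault-based: tokens are random; the mapping lives in a store that must be replicated,
    backed up and access-controlled, and every detokenization is a lookup against it."""

    def __init__(self):
        self._by_value = {}   # (field, value) -> token
        self._by_token = {}   # (field, token) -> value

    def tokenize(self, field, value):
        if FIELD_RULES.get(field) == "date":
            # month/day has only 336 possible values: far too small a domain to vault uniquely
            return _tokenize_date(value, _random_keystream())
        if (field, value) in self._by_value:
            return self._by_value[(field, value)]
        while True:
            token = _apply_rule(field, value, _random_keystream())
            if token != value and (field, token) not in self._by_token:
                break   # collision with an existing token: draw again
        self._by_value[(field, value)] = token
        self._by_token[(field, token)] = value
        return token

    def detokenize(self, field, token):
        return self._by_token[(field, token)]


def _hmac_keystream(key, field, value):
    """Deterministic byte stream: HMAC-SHA256 over (field, value, counter). The field name is
    mixed in so the same digits in two different fields do not share a token."""
    counter = 0
    while True:
        msg = f"{field}\x00{value}\x00{counter}".encode()
        yield from hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1


class VaultlessTokenizer:
    """Vaultless: the token is derived from a key and the value, so there is nothing to replicate
    and the same value tokenizes identically at every site. This HMAC form is one-way."""

    def __init__(self, key: bytes):
        self._key = key   # assumption: in practice the key comes from an HSM or KMS

    def tokenize(self, field, value):
        return _apply_rule(field, value, _hmac_keystream(self._key, field, value))


def deidentify(record, tokenizer):
    """Tokenize every direct identifier; clinical fields would pass through untouched."""
    return {field: tokenizer.tokenize(field, value) for field, value in record.items()}


if __name__ == "__main__":
    print("vault-based:", deidentify(SAMPLE_RECORD, VaultTokenizer()))
    print("vaultless:  ", deidentify(SAMPLE_RECORD, VaultlessTokenizer(secrets.token_bytes(32))))
```

Two properties worth checking in any real deployment follow directly from the code: the vault-based token is reversible only through the store, so the store's availability and replication are the limiting factor the slide's table describes, while the vaultless token is reproducible anywhere the key is, which moves the whole problem to key management.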
  • Research Brief: "Tokenization Gets Traction" (author: Derek Brink, VP and Research Fellow, IT Security and IT GRC, Aberdeen)
    • Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption
    • Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data
    • Over the last 12 months, tokenization users had 50% fewer security-related incidents than tokenization non-users
  • HIPAA Case Study: Violation of HIPAA - $17 million
    • Blue Cross Blue Shield: theft of one million unsecured patient records
    • Violations of the HIPAA Privacy and Security Rules, enforced under the Breach Notification Rule
    • Fined $1.5 million
    • Total incident cost more than $17 million
    • Now protecting stored health data
  • Summary
  • Proactive Data Protection
    • Know your data flow: protect the data flow
    • Protecting your data now could save big time and money in retroactive security later: breaches and audits are on the rise, and organizations that fail to act now risk losing their hard-earned investments
    • Granular data protection is cost effective: it addresses regulations and data breaches, keeps data available for analytics and other usage, and provides separation of duties for administrative functions
    • Catch abnormal access to data, including from (compromised) insider accounts
  • About Protegrity: proven enterprise data security software and innovation leader
    • Sole focus on the protection of data
    • Patented technology, continuing to drive innovation
    • Cross-industry applicability: Retail, Hospitality, Travel and Transportation; Financial Services, Insurance, Banking; Healthcare; Telecommunications, Media and Entertainment; Manufacturing and Government
  • Questions: Ulf.Mattsson@protegrity.com
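The summary's last point, catching abnormal access including compromised insider accounts, is what a central monitoring and auditing layer does over EHR access logs, and the separation-of-duties point is what it should verify for administrative accounts. The Python below is an added example, not part of the deck: it parses a handful of constructed audit lines in a hypothetical format (timestamp, user, role, the user's unit, patient, the patient's unit) and applies three checks: a user touching far more distinct patients than peers with the same role, access to patients outside the user's own unit, and any read of patient data by a privileged technical role such as a DBA. The role names, unit names and thresholds are assumptions for the example.

```python
from collections import defaultdict, namedtuple
from statistics import median

# Constructed EHR audit lines (hypothetical format):
# timestamp user role user_unit patient patient_unit
AUDIT_LOG = """\
2013-06-03T09:02:11 nurse.amy RN ICU P1001 ICU
2013-06-03T09:05:40 nurse.amy RN ICU P1002 ICU
2013-06-03T09:31:02 nurse.amy RN ICU P1003 ICU
2013-06-03T09:03:19 nurse.ben RN ICU P1004 ICU
2013-06-03T09:12:58 nurse.ben RN ICU P1005 ICU
2013-06-03T10:44:07 nurse.ben RN ICU P1004 ICU
2013-06-03T09:07:33 nurse.cara RN ICU P1006 ICU
2013-06-03T09:09:10 nurse.cara RN ICU P1007 ICU
2013-06-03T11:20:45 nurse.cara RN ICU P1008 ICU
2013-06-03T22:41:03 nurse.dan RN ICU P2001 ONC
2013-06-03T22:41:37 nurse.dan RN ICU P2002 ONC
2013-06-03T22:42:05 nurse.dan RN ICU P2003 ONC
2013-06-03T22:42:31 nurse.dan RN ICU P2004 ONC
2013-06-03T22:43:00 nurse.dan RN ICU P2005 ER
2013-06-03T22:43:26 nurse.dan RN ICU P2006 ER
2013-06-03T22:43:58 nurse.dan RN ICU P2007 ER
2013-06-03T22:44:20 nurse.dan RN ICU P2008 ER
2013-06-03T22:44:49 nurse.dan RN ICU P2009 ONC
2013-06-03T22:45:15 nurse.dan RN ICU P1001 ICU
2013-06-03T10:15:22 admin.eve DBA IT P1002 ICU
"""

Event = namedtuple("Event", "ts user role unit patient patient_unit")


def parse_audit(log_text):
    """One Event per non-empty line; a malformed line raises, which is itself worth knowing about."""
    return [Event(*line.split()) for line in log_text.splitlines() if line.strip()]


def peer_volume_outliers(events, factor=3.0, minimum=5):
    """Users who touched more than `factor` times the median number of distinct patients seen by
    peers in the same role (and at least `minimum` patients): bulk-read or export behaviour."""
    patients_of = defaultdict(set)
    role_of = {}
    for e in events:
        patients_of[e.user].add(e.patient)
        role_of[e.user] = e.role
    counts_by_role = defaultdict(list)
    for user, patients in patients_of.items():
        counts_by_role[role_of[user]].append(len(patients))
    flagged = []
    for user, patients in patients_of.items():
        baseline = median(counts_by_role[role_of[user]])
        if len(patients) >= minimum and len(patients) > factor * baseline:
            flagged.append(user)
    return sorted(flagged)


def off_unit_access(events):
    """Accesses to a patient on a different unit from the user's own: no treatment relationship."""
    return [e for e in events if e.patient_unit != e.unit]


def privileged_data_access(events, privileged_roles=frozenset({"DBA", "SYSADMIN"})):
    """Reads of patient data by technical roles. With identifiers tokenized at rest these roles
    never need cleartext PHI, so every hit should become a ticket."""
    return [e for e in events if e.role in privileged_roles]


if __name__ == "__main__":
    events = parse_audit(AUDIT_LOG)
    print("volume outliers:", peer_volume_outliers(events))
    print("off-unit accesses:", [(e.user, e.patient, e.patient_unit) for e in off_unit_access(events)])
    print("privileged reads:", [(e.user, e.patient) for e in privileged_data_access(events)])
```

The peer baseline is computed per role rather than globally so that a ward clerk is not measured against a physician; in production the baseline would come from a trailing window of history, not from the same batch being scored.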