Using Data Security to address HIPAA and HITECH Regulations
Learn how data encryption and encryption key management address compliance for healthcare providers and payers. Join Derek Tumulak, VP Product Management at Vormetric, and Tricia Pattee, HOSTING Product Manager, as they discuss how HIPAA/HITECH regulations impact electronic protected health information (PHI) and best practices to safeguard sensitive patient data.

Discover how:
• HIPAA and HITECH regulatory mandates impact data security for healthcare institutions
• Strong encryption and policy-based access controls provide a separation of duties between data security and system administrators
• Secure key management and policy management ensure consistency in applying policies and encryption keys to both structured and unstructured data
• Rapid implementation is achieved because encryption is transparent to users, applications, databases and storage systems
• The HOSTING and Vormetric cloud solution can satisfy HIPAA and HITECH compliance requirements in the cloud

Published in: Technology

  1. Using Data Security to Address HIPAA and HITECH Regulations
  2. Housekeeping
     • This webinar is being recorded and an on-demand version will be available at the same URL at the conclusion of the webinar
     • Please submit questions via the button on the upper left of the viewer
     • If we don’t get to your question during the webinar, we will follow up with you via email
     • Download related resources via the “Attachments” button above the viewing panel
     • On Twitter? Join the conversation: @HOSTINGdotcom, @Vormetric
  3. Agenda
     • Introduction
     • Cloud Security Challenges
     • HIPAA/HITECH Compliance Requirements
     • Data Security Solutions
     • Q&A
  4. Vormetric – Data Security
     • Vision
       • To Secure the World’s Information
       • Industry Leading Data Security Company
       • Based in San Jose, CA since 2001
     • Customers Protected
       • 17 of Fortune 30 customers
       • 1500+ customers in 22 countries
       • 155 petabytes+, 500K+ servers
     • Cloud Service Providers Partnerships
       • To enable data security protection with our cloud partners
     Best Encryption · Best Security & Compliance · Virtualized Environments
  5. March 2014: Security is the leading cloud adoption concern. Need to establish trust and controls in the cloud.
  6. Average costs incurred by American companies after a data breach
     Incident Management: $417,000
     Breach Notifications: $509,237
     Post Breach: $1,599,996
     Lost Business Costs: $3,324,959
  7. Healthcare has the highest per capita costs following a breach
     Healthcare: $359
     Education: $294
     Biopharma: $227
     Financial: $206
     Communications: $177
     Industrial: $160
     Consumer: $155
     Services: $145
     Energy: $141
     Technology: $138
     Media: $137
     Hospitality: $122
     Transportation: $121
     Research: $119
     Retail: $105
     Public: $100
  8. HIPAA/HITECH Act: Key requirements to think about
     • Notify individuals of breach of unsecured health information
     • Information is only secured if it is encrypted or destroyed
     • Encryption must meet NIST 800-111 encryption requirements
     • Keys must be kept on a separate device from the data
     • Only FIPS encryption algorithms can be used
     • Omnibus Rule: Expands HIPAA requirements to business partners of payers, providers and clearinghouses
  9. Potential Consequences of Non-Compliance: Increased enforcement and penalties (fines)
     • HITECH Act included provisions for increased enforcement of HIPAA Privacy and Security Rules:
       • Requires HHS to formally investigate any complaint of a violation of HIPAA if a preliminary investigation indicates a possible violation due to willful neglect, and to impose civil penalties for these violations.
       • Allows state Attorneys General to bring civil actions in federal court on behalf of state residents if there is reason to believe that the interest of one or more residents has been threatened or adversely affected by a person who violates HIPAA.
  10. Complying with HIPAA/HITECH: Some of the top challenges
     • The security requirements, taken independently of one another, can prove costly and time-consuming to implement adequately.
       • Typically, various solutions may have to be integrated to provide adequate protection for dispersed data, and implementations can prove to be very complex.
     • Protecting unstructured data.
       • While some types of data, such as credit card data or social security numbers, can be readily located and protected, unstructured data frequently found in EMRs can be more difficult to protect.
       • The data may consist of a variety of file types: patient record forms, medical imagery files, and other file types that are not easily protected because they sit in highly distributed environments.
     • Controlling access to ePHI
       • While encryption protects data, robust policy and encryption key management is required to prevent unauthorized access or disclosure of PHI.
  11. Vormetric Data Security: Achieving compliance with ease
     • Comprehensive solution for protecting ePHI in any environment
       • For example, applications, file types, and even operating systems.
       • Structured and unstructured data, including big data and databases (DB2, Oracle, SQL, Informix etc.)
       • Private, Public and Hybrid Clouds
     • Vormetric Transparent Encryption offers:
       • Strong data security controls, leveraging both encryption and policy-based access controls
       • Separation of duties
       • Auditing capabilities
       • Heterogeneous systems support
       • Management via a centralized policy and key management console
  12. Vormetric Data Security for HIPAA/HITECH
     FIPS Encryption · Secure Key Management · Meets NIST 800-111 · Proven Performance · Encryption + Access Control · Audit · Separation of Duties · Low TCO · Rapidly Deployable
     “Vormetric encrypts in a way to minimize performance overhead. It also offers separation of duties, centralized key management and policy management.” – Noel Yuhanna, Forrester Research
  13. Extensible Controls for Compliance: Encryption, access control, and audit logs
     HIPAA security rule, which states data at rest should be encrypted unless it's not "reasonable and appropriate."
     With version 3.0, PCI DSS is more mature than ever, and covers a broad base of technologies and processes such as encryption, access control, and vulnerability scanning to offer a sound baseline of security.
     When doing business with the federal government we have seen increasing references to compliance with NIST 800-53 as setting a contractual baseline for security.
  14. Avoid Encryption Silos: A disjointed, expensive collection of point products
     Diagram: use cases (Tape Archives, Cloud Migration, PII Compliance, Customer Records, Expense Reports, …) each served by a separate point product (Key Management, Privileged User Control, Access Policies, Physical Security, Full Disk Encryption, Cloud Encryption, App Encryption, Database Encryption, File Encryption, …)
     Each use case requires individual infrastructure, management consoles and training. Complex – Inefficient – Expensive
  15. HOSTING Cloud Solution: Data-at-rest security enabled by Vormetric
     Diagram: three Transparent Encryption components and Key Management
  16. Stored Data Protection for HIPAA/HITECH: Data-at-Rest Encryption and Key Management (deployed in cloud example)
     Diagram: Secure VPN; Vormetric Data Security Manager (virtual or hosted physical appliances)
     DSM key management:
     • Virtual appliance in cloud
     • Appliance hosted by provider
  17. Stored Data Protection for HIPAA/HITECH: Data-at-Rest Encryption and Key Management (deployed on premise example)
     Diagram: Secure VPN; Vormetric Data Security Manager (virtual or physical appliances)
     DSM key management:
     • Appliance on premise
     • Virtual appliance on premise
  18. Access Control for HIPAA/HITECH: Assuring least privileged access
     Data Access Policy #1: User: AccountsPayable; App: ERP; Opp: Read Only; Time: Any; Resources: Any
     Access request: User: AccountsPayable; App: ERP; What: Read File; Time: 2PM 11/14/2013; Where: ERP Directory
     Diagram components: Vormetric Transparent Encryption, HR ERP Directory, Accounts Payable Directory
  19. Access Control for HIPAA/HITECH: Assuring least privileged access
     Access Policy #1: User: AccountsPayable; App: ERP; Opp: Read Only; Time: Any; Resources: Any
     Access request: User: SystemAdmin-Group; Process: Cat command; What: Read File; Time: 2PM 11/14/2013; Where: HR ERP Directory
     Result: Block access and log attempt
     Diagram components: Vormetric Transparent Encryption, HR ERP Directory, Accounts Payable Directory
  20. Security Intelligence For HIPAA/HITECH: File access audit trail to demonstrate compliance
     66% of breaches took months, or even years, to discover. 69% of breaches were spotted by an external party; 9% were spotted by customers. (Verizon 2013 Data Breach Investigations Report)
     Log and audit data access, in support of:
     • Alarm abnormal access patterns
     • Identify compromised users, administrators and applications
     • Accelerate APT and malicious insider recognition
     • Supports compliance and contractual mandate reporting
  21. Vormetric logs all data events for security intelligence and analysis
  22. Amin Dirk Snowman imitated user steve and attempted to read a protected file. Access was denied because he violated a policy. Vormetric enables you to identify and track unauthorized attempts at protected data.
  23. End to End Big Data Security and Compliance
     Diagram of data flows protected by Vormetric Transparent Encryption or Vormetric Application Encryption:
     • Data sources: Structured data (Database, Data warehouse, ERP, CRM); Unstructured data (Audio/video, Excel/CSV, Social media, Logs); Financial Data, Healthcare Data, Credit cards, PII; Logs (Error logs, Disk cache, Configuration, System logs)
     • Big Data
     • Analytics: Reports, Dashboards, What-if queries
  24. The Last Thing You Want To Hear… Doctor, is my data safe?
     “Guidance provided in the HIPAA FAQ, published by HHS, makes it clear that encryption is essentially mandatory. How? Because it would be difficult to determine that it’s not a “reasonable and appropriate” control based on an assessment of risk regarding protecting the confidentiality of ePHI. Also, because of what encryption does to data, finding a reasonable and appropriate “equivalent alternative measure” is essentially impossible.” – Healthcare IT News
  25. Hosting customer success story: Healthcare example
  26. Implement with Confidence
     “It’s very apparent that Vormetric is major steps in front of the competition.” – Sabastian High, senior manager for Product Development Standards and Innovation, McKesson, Inc.
     “My concern with encryption was the overhead on user and application performance. With Vormetric, people have no idea it’s even running.” – Karl Mudra, CIO, Delta Dental of Missouri
  27. Q&A
     Derek Tumulak | VP Product Management, Vormetric
     Tricia Pattee | Product Manager, HOSTING
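Slides 18, 19 and 22 describe the access-control model in prose only: a request is matched on user, application or process, operation and resource, anything not matched by a policy is blocked, and every attempt is logged with the real identity behind it. The following is an added example written for this page, not Vormetric's code, showing a default-deny evaluator over a policy modelled on Access Policy #1; the file paths, the optional `hours` window and the `real_user` field (the login identity before su/sudo, which the enforcement point is assumed to know) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Policy:
    """One allow rule. 'Any' matches everything; requests matching no rule are denied."""
    name: str
    user: str
    process: str                              # application or binary acting for the user
    operation: str                            # "read" or "write"
    resource: str                             # glob over the protected path, or "Any"
    hours: Optional[Tuple[int, int]] = None   # (start, end) local hours; None means Any

@dataclass(frozen=True)
class Request:
    user: str                                 # effective user making the access
    process: str
    operation: str
    resource: str
    when: datetime
    real_user: Optional[str] = None           # assumed: login identity before su/sudo

def _match(rule: str, value: str) -> bool:
    return rule == "Any" or fnmatch(value, rule)

def evaluate(policies: List[Policy], req: Request, audit: List[str]) -> bool:
    """Default deny. Every decision, allowed or denied, is appended to the audit trail."""
    who = req.user if req.real_user in (None, req.user) else f"{req.user} (real user {req.real_user})"
    stamp = f"{req.when:%Y-%m-%d %H:%M}"
    for p in policies:
        in_hours = p.hours is None or p.hours[0] <= req.when.hour < p.hours[1]
        if (_match(p.user, req.user) and _match(p.process, req.process)
                and _match(p.operation, req.operation) and _match(p.resource, req.resource)
                and in_hours):
            audit.append(f"{stamp} ALLOW {who} {req.process} {req.operation} {req.resource} policy={p.name}")
            return True
    audit.append(f"{stamp} DENY {who} {req.process} {req.operation} {req.resource} policy=none")
    return False

# Constructed policy set modelled on the slide's Access Policy #1 (slide says Resources: Any;
# narrowed here to a constructed ERP directory so the glob is exercised).
POLICIES = [Policy("Access Policy #1", "AccountsPayable", "ERP", "read", "/data/erp/*")]

def demo() -> List[str]:
    """Replays the three access attempts from slides 18, 19 and 22 against POLICIES."""
    audit: List[str] = []
    t = datetime(2013, 11, 14, 14, 0)
    evaluate(POLICIES, Request("AccountsPayable", "ERP", "read", "/data/erp/ledger.db", t), audit)
    evaluate(POLICIES, Request("SystemAdmin-Group", "cat", "read", "/data/erp/hr/salaries.csv", t), audit)
    evaluate(POLICIES, Request("steve", "cat", "read", "/data/erp/ledger.db", t, real_user="dirk.snowman"), audit)
    return audit
```

Only the ERP application acting as AccountsPayable is allowed; the administrator reading with `cat`, and the administrator who switched to user steve, are both denied and the second log line still names the real user.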