Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

HIPAA 101 Compliance Threat Landscape & Best Practices

142 views

Published on

The healthcare IT landscape is changing daily, and trying to keep up with requirements like HIPAA and HITECH can leave you and your clients extremely vulnerable. Register today to hear more about the current HIPAA threat landscape and learn best practices for protection.

Experts from Hostway and Alert Logic will keep you up-to-date on the latest trends in healthcare IT.
You'll learn about the following:
- The current state of the healthcare IT industry and the role of HIPAA
- Threats associated with the healthcare landscape
- How a security breach can impact your organization
- Security best practices for HIPAA compliant cloud hosting and more!

Published in: Technology
  • Be the first to comment

  • Be the first to like this

HIPAA 101 Compliance Threat Landscape & Best Practices

  1. 1. HIPAA 101: COMPLIANCE Threat Landscape and Best Practices
  2. 2. 2 Webinar Administration  Enter questions in the chat box  A recording of the webinar will be available to all attendees  Speaker contact info will be available at the end of the presentation  Giveaway drawing will be held after the Q&A
  3. 3. 3 Speakers Peter Marsh Director of Security Hostway Paul Fletcher Chief Security Evangelist Alert Logic
  4. 4. Reasons to trust our relationship 4 Partnership Overview Millions Of devices secured Petabytes of log data under management Hundreds of Millions of security events correlated per month Thousands of incidents identified and reviewed per month **Locations between partnerships**
  5. 5. Over 3,600 Organizations 5 Alert Logic - Overview Alert Logic has more than a decade of experience pioneering and refining cloud solutions that are secure, flexible and designed to work with hosting and cloud service providers. As one of the nation’s leading managed security providers, Alert Logic has the tools and experience that helps differentiate Hostways Managed Security Offerings apart from other companies. Alert Logic helps Hostway focus on delivering a complete solution
  6. 6. THREAT LANDSCAPE 6
  7. 7. 7 Threats by Customer Environment 48% 23% 21% 2% 6% Cloud Attacks APPLICATION ATTACK BRUTE FORCE RECON SUSPICIOUS ACTIVITY TROJAN ACTIVITY 25% 47% 10% 11% 7% Brick & Mortar Attacks APPLICATION ATTACK BRUTE FORCE RECON SUSPICIOUS ACTIVITY TROJAN ACTIVITY Source: Alert Logic CSR 2016
  8. 8. 8 Global Analysis
  9. 9. 9 Industry Analysis Source: Vectra Networks A new report into cyber security trends shows healthcare to be the most frequently targeted industry, with 164 threats detected per 1,000 host devices.
  10. 10. 10 Industry Analysis Root Cause Top 10 Healthcare Breaches: Unintentional Insider – 3 Poor physical security – 3 Compromised systems – 2 Third party vendor – 2
  11. 11. 11 Rite Aid – History of Breaches 2014 2015 2017
  12. 12. 12 Latest ”News”
  13. 13. SECURITY BEST PRACTICES 13
  14. 14. Security Best Practices • Secure your code • Security Management and Monitoring Strategy • Create access management policies • Data classification • Adopt a patch management approach • Build a security toolkit • Stay informed of the latest vulnerabilities that may affect you • Understand your cloud service providers security model • Understand the shared security responsibility • Defense in Depth – 24x7 14
  15. 15. Secure Your Code • Test inputs that are open to the Internet • Add delays to your code to confuse bots • Use encryption when you can • Test libraries • Scan plugins • Scan your code after every update • Limit privileges • DevSecOps 15
  16. 16. Security Management and Monitoring Strategy • Monitoring for malicious activity • Scanning Services • Forensic investigations • Compliance needs • System performance • All sources of log data is collected • Data types (OS, CMS, DB, Web) • WAF • Correlation logic • IAM behavior • IDS Network traffic • FIM Logs • Focused security research • Security content creation • Review process • Live monitoring 16
  17. 17. Create Access Management Policies •Identify data infrastructure that requires access •Define roles and responsibilities •Simplify access controls (KISS) •Continually audit access •Start with a least privilege access model 17
  18. 18. Data Classification • Identify data repositories and mobile backups • Identify classification levels and requirements • Analyze data to determine classification • Build Access Management policy around classification • Monitor file modifications and users 18
  19. 19. Adopt a Patch Management Approach • Constantly scan all production systems • Compare reported vulnerabilities to production infrastructure • Classify the risk based on vulnerability and likelihood • Test patches before you release into production • Setup a regular patching schedule • Keep informed, follow bugtraqer • Follow a SDLC 19
  20. 20. Build a Security Toolkit Recommended Security Solutions • Antivirus • IP tables/Firewall • Backups • FIM • Intrusion Detection System • Malware Detection • Web Application Firewalls • Forensic Image of hardware remotely • Future Deep Packet Forensics • Web Filters • Mail Filters • Encryption Solutions • Proxies • Log collection • SIEM Monitoring and Escalation • Penetration Testing 20
  21. 21. Stay Informed of the Latest Vulnerabilities Websites to follow: • http://www.securityfocus.com • http://www.exploit-db.com • http://seclists.org/fulldisclosure/ • http://www.securitybloggersnetwork.com/ • http://cve.mitre.org/ • http://nvd.nist.gov/ • https://www.alertlogic.com/weekly-threat-report/ 21
  22. 22. Understand Your Service Providers Security Model • Understand the security offerings from your provider • Probe into the Security vendors to find their prime service • Hypervisor exploits are patched by the service provider • Questions to use when evaluating cloud service providers 22
  23. 23. Understand the Cloud Shared Security Model 23
  24. 24. Defense in Depth Security Operations – 24x7 24
  25. 25. HOW TO GET STARTED 25
  26. 26. Risk Assessment • Know the threats • Assess • Do nothing • Transfer • Mitigate • Reassess 26
  27. 27. 27 Hidden Risks • New York Presbyterian Hospital and Columbia University • A physician connected an unsecure server to the network, which was used to compromise the network and patient records • $4.8 million settlement • Advocate Health Care • Four unencrypted laptops were stolen compromising 4 million patient records • OCR found that they did not properly assess risks • $5.55 million settlement • Triple-S Management • Five data breaches that impacted fewer than 500 people • OCR found they did not have proper safeguards and an accurate risk assessment was never performed • Fined $3.5 million
  28. 28. 28 Know the top 10 Violations Lost and Stolen Devices1 Hacking 2 Employee Dishonesty3 Improper Disposal 4 3rd Party Disclosure5 Information Leak6 Unencrypted Data 7 Lack of Training8 Unsecure Records 9 Loud Mouths10 Source: http://www.grouponehealthsource.com/blog/top-10-most-common-hipaa- violations
  29. 29. 29 Compliance SafeguardsTechnicalPhysicalAdministrative Access Control Audit Controls Integrity Authentication Transmission Security Facility Access Control Workstation Use Workstation Security Device & Media Controls Security Process Security Responsibilities Workforce Security Data Controls Security Training Security Procedures Contingency Plans Security Evaluations Signed BAA’s
  30. 30. 30 HIPAA Solution Overview Hostway Dedicated Solution Intrusion Detection Anti-Virus/ Malware Daily Log Review Log Review & Management Data Encryption ASV Vulnerability Scans Managed Firewall Managed Support Our Secure Customer •Dell R230 •Quad Core (E3-1250) •32 GB DDR4 •4 x 1TB HDD Platform •ASA 5506-X •Security Sec Plus •None HA Setup Network •Windows 2012 R2 •Windows 2016 Standard •Linux Debian 7 Compute Backed BAA Audited & Approved
  31. 31. Strive to exceed expectations in every interaction Trusted Relationships Bring 19 years of deep experience, across technologies Trusted Expertise Empowers you to run your apps where they run best Trusted Infrastructure • Thousands of customers WW, including the world’s leading brands • Over 40% of Fortune 500 Service Providers’ promote Hostway solutions through our Global Partner channel • All customers work with a Solutions Engineer • In-depth Linux, Microsoft, Cloud and VMware technical expertise and certifications • Microsoft Gold Hosting Partner with 100% of staff Azure, and Office 365 trained • Specialization in building and running secure/compliant cloud hosting solutions • Maniacal focus on speed to resolution - average call response <30 sec, resolution <30 min • Fully Managed Public/Private/Hybrid Virtualized or Traditional Managed Servers • 100% Uptime Guarantee with strong SLAs • Fully Audited and certified HIPAA compliant service provider • SSAE16 SOC1 Type II and ISO certified data centers • 9 Data centers in 4 countries on 3 continents for redundancy 31 Hostway. The Trusted Cloud.
  32. 32. 32 THANK YOU! Q&A Please enter any questions in the chat box.
  33. 33. 33 Contact Us Peter Marsh peter.marsh@hostway.com Paul Fletcher pfletcher@alertlogic.com

×