For healthcare organizations, the pressure to protect electronic personally identifiable health information (ePHI) increased significantly throughout 2010. The US Department of Health and Human Services proposed modifications to the HIPAA privacy, security and enforcement rules, the HITECH Act extended HIPAA requirements to business associates, and the number of breaches affecting at least 500 individuals is rising rapidly. Healthcare organizations are already anxious about what 2011 has in store: more negative media attention, greater patient awareness of breaches and more. Unfortunately, the ePHI data protection landscape can be confusing to navigate. So what can healthcare organizations do to protect ePHI and stay out of the spotlight?
In this webcast, Chris Konrad, Senior VP of Client Services at Fortrex Technologies, and Cindy Valladares, Solutions Marketing at Tripwire:
• Discuss which factors and forces around ePHI have recently impacted healthcare organizations
• Describe what is different in 2011 and the challenges facing organizations when protecting ePHI
• Use real-life examples to demonstrate the effects of data breaches
• Provide five strategies you can take to better protect ePHI and avoid the negative fallout of a breach
15. Raw Log Data
• Dynamic Policy Testing: Auto-retest to policy
• Change Process Analysis: Close breach-to-discovery time gap; Immediate time-to-value
• Reconcile to Business Authorization (exclusive to Tripwire!): Change windows; User ID; Multiple conditions
Join the conversation:
#hipaa2011
16. Raw Log Data: Normalization & Correlation
Raw log data:
• High Speed Log Archival
• Google-like Index
• Fast Search
• Intelligent Reporting
Normalization & correlation:
• Events of Interest
• Structured Data
• Complex Reporting
• Data visualization
17. Maintain Desired State (cycle diagram, plotted over time)
• Maintain: Non-stop monitoring & collection; Dynamic analysis to find suspicious activities
• Assess & Achieve: Alert on impact to policy
• Remediate: Options to speed remedy
18. Correlate to Bad Changes / Correlate to Suspicious Events
19. Event sequence on one host:
• 5 failed logins
• Login successful
• Windows event log cleared
• Logging turned off
• Host not generating events
• Policy test fails
32. Questions?
• Chris Konrad, Fortrex Technologies
Website: www.fortrex.com
Email: info@fortrex.com
Phone: 877-FORTREX
LinkedIn: Fortrex SME Club
Twitter: @cjkonrad & @FORTREXTECH
• Cindy Valladares, Tripwire, Inc.
Website: www.tripwire.com
Email: cvalladares@tripwire.com
Twitter: @cindyv & @tripwireinc
Editor's Notes
• Patient Protection and Affordable Care Act and the subsequent Health Care and Education Reconciliation Act of 2010 are passed.
• HITECH Act extends HIPAA Privacy and Security requirements to business associates.
• HHS proposes HIPAA Privacy, Security and Enforcement Rules modifications.
• HHS National Coordinator, Office of the National Coordinator for Health IT, Dr. David Blumenthal forms a Privacy and Security "tiger team".
• United States Health and Human Services (HHS) publication of breaches of unprotected PHI affecting over 500 individuals totals 3,608,753.
• Connecticut Attorney General, now Senator Richard Blumenthal, issues suit against Health Net for failing to secure the information of 446,000 individuals whose data was on a lost, unencrypted hard drive. Settled for $250,000, with a conditional $500,000 to be paid in the event that the breach proves to have led to the access of personal information.
• 2010 Healthcare Information and Management Systems Society (HIMSS) Security Survey: 31% of all healthcare providers experienced a breach to patient information; fewer than one in 10 of 600 surveyed could meet most of the meaningful-use requirements.
• Ponemon Institute and security firm ID Expert research released: hospitals are exposed to a loss of $6 billion annually as a result of breaches; 70% of respondents indicated that patient data protection is not a priority.
Change management is the cornerstone of many regulations. Change management and testing:
• Start with a baseline with hardened configurations
• Dynamic policy testing
• Change process analysis
• Reconcile to authorization
Monitor activity:
• Capture logs
• Analyze for high-risk events
• Correlate change and events
ER: This is really what you want to know. 5 failed logins on its own followed by a successful login is probably a medium to low alert. In fact, this is so common it's contributing to SIEM overload. But getting an unrelated alert for each one of these every step along the way won't help. We think you need this context to see all of these happening in concert so you can quickly see these complicated patterns that impact security. TZ (to transition to next slide): so what does Tripwire do to help solve this?
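The slide-19 sequence and the speaker note above, worked as detection logic over constructed log lines (an added example, not code from Tripwire or the presenters): a brute force followed by a successful login scores medium on its own, while the same host then clearing its event log, disabling logging, going quiet and failing a policy test is raised as one high-severity alert. The host names, event names, indicator weights and time thresholds are assumptions.

```python
"""Added example, not from the webcast: correlate the slide-19 sequence per host
so a brute force followed by log tampering is one high-severity alert, not six low ones."""
from datetime import datetime, timedelta
# Constructed sample log lines: "<ISO time> <host> <event> [key=value ...]"
SAMPLE_LOG = """\
2011-01-10T09:00:01 ehr-db01 login_failed user=admin
2011-01-10T09:00:04 ehr-db01 login_failed user=admin
2011-01-10T09:00:07 ehr-db01 login_failed user=admin
2011-01-10T09:00:10 ehr-db01 login_failed user=admin
2011-01-10T09:00:13 ehr-db01 login_failed user=admin
2011-01-10T09:00:20 ehr-db01 login_success user=admin
2011-01-10T09:01:02 ehr-db01 eventlog_cleared
2011-01-10T09:01:30 ehr-db01 audit_logging_disabled
2011-01-10T09:05:00 ehr-db01 policy_test_failed rule=audit_enabled
2011-01-10T09:40:00 fileshare02 login_failed user=jsmith
2011-01-10T09:40:05 fileshare02 login_failed user=jsmith
2011-01-10T09:40:09 fileshare02 login_failed user=jsmith
2011-01-10T09:40:14 fileshare02 login_failed user=jsmith
2011-01-10T09:40:18 fileshare02 login_failed user=jsmith
2011-01-10T09:40:30 fileshare02 login_success user=jsmith
"""
NOW = datetime(2011, 1, 10, 10, 0, 0)  # constructed "current time" for the run
# Indicator weights are illustrative assumptions, not Tripwire's own scoring.
WEIGHTS = {"brute_force_then_success": 2, "eventlog_cleared": 3,
           "audit_logging_disabled": 3, "policy_test_failed": 2, "host_silent": 2}
def correlate(log_text, now=NOW, window=timedelta(hours=1),
              heartbeat=timedelta(minutes=30), fail_threshold=5):
    by_host = {}
    for line in log_text.strip().splitlines():
        ts_text, host, event = line.split()[:3]
        if now - (ts := datetime.fromisoformat(ts_text)) <= window:  # recent events only
            by_host.setdefault(host, []).append((ts, event))
    alerts = {}  # host -> (severity, sorted indicator names)
    for host, events in by_host.items():
        found, fails = set(), 0
        for _, ev in sorted(events):
            if ev == "login_failed":
                fails += 1
            elif ev == "login_success":
                if fails >= fail_threshold:   # slide 19: 5 failed logins, then success
                    found.add("brute_force_then_success")
                fails = 0
            elif ev in WEIGHTS:               # log cleared, logging off, policy test fails
                found.add(ev)
        if now - max(events)[0] > heartbeat:  # host stopped generating events
            found.add("host_silent")
        score = sum(WEIGHTS[i] for i in found)
        severity = "high" if score >= 6 else "medium" if score >= 2 else "low"
        alerts[host] = (severity, sorted(found))
    return alerts
```

Run as `correlate(SAMPLE_LOG)`: ehr-db01 comes back high with all five indicators, fileshare02 comes back medium with only the brute-force indicator.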