The Most Wonderful Time of the Year for Health IT........ NOT

The Compliancy Group offers FREE HIPAA education with industry experts from across the industry. This month's webinar with Axis Technology focuses on Health IT and the challenges that come with it. Register for our upcoming webinars at www.compliancy-group.com/webinar

Published in: Health & Medicine, Technology
  1. The Most Wonderful Time of the Year for Health IT........ NOT. know your data • protect your data • share your data. © Copyright 2011 Axis Technology, LLC
  2. Agenda
     • Attacks are on the Rise
     • Legislation is Changing
     • Lessons from Healthcare.gov
     • Come in from the Cold
     • … a word from our sponsors
  3. ATTACKS ARE ON THE RISE
  4. Internal and External Vulnerabilities
     • Drive-By Attacks
     • Non-Standard SSL Traffic
     • Bot Nets
     • Watering Hole Attacks
     • Spear Phishing
     • Social Engineering Attacks
  5. Breaches
     • South Shore Physicians, P.C. - Dishonest nurse and three co-conspirators were linked to identity fraud.
     • NY Office of the Medicaid Inspector General (OMIG) – Employee sent an email that contained sensitive records to their own email account.
     • Cedars-Sinai Medical Center - Medical workers were fired for their hacking effort.
     • Long Beach Memorial Medical Center - Patients had information exposed by an employee.
  6. Breaches Happen
     In the event of a breach, the full cost to an organization can include one or more of the following:
     • Notifying customers / patients
     • Investigating and controlling the breach
     • Potential litigation and fines
     • Intangible costs associated with: damage to your brand, loss of customers, decline in value, and reputation management
  7. LEGISLATION IS CHANGING
  8. PCI – PCI Data Security Standard
     • An industry security standard that applies to companies that process & store credit/debit card data.
     • 12 requirements:
       1. Firewall to protect cardholder data
       2. Do not use vendor-supplied defaults for system passwords
       3. Protect stored cardholder data
       4. Encrypt transmission of cardholder data
       5. Use and regularly update anti-virus software
       6. Develop and maintain secure systems and applications
       7. Restrict access to cardholder data to those that “need to know”
       8. Assign a unique ID to each person with computer access
       9. Restrict physical access to cardholder data
       10. Monitor all access to network resources and cardholder data
       11. Regularly test security systems and processes
       12. Maintain an information security policy for all personnel
     • Larger companies must undergo annual PCI audits. Noncompliance can result in revocation of services and/or fines up to $100,000 per month.
  9. PCI – eCommerce Standards
     • A merchant’s PCI DSS responsibilities remain regardless of their e-commerce implementation.
     • If development or processing is outsourced to third parties, the merchant retains responsibility for ensuring that payment card data is protected.
     • In-house developed applications should use PA-DSS as a best practice during development.
     • Minimize the staff who can view account data.
     • Where a merchant has outsourced cardholder data to a third party, that data may still be at risk.
  10. PCI – Cloud Standards
     • A merchant’s PCI DSS responsibilities remain regardless of their cloud implementation.
     • Is the service being used the one that was validated?
     • Identify and minimize the payment card data in the cloud.
     • Identification and authentication is essential.
     • Governance, risk and compliance are shared.
     • Data ownership and cross-border regulatory laws.
     • Data present in other cloud systems such as VM images, backups, monitoring logs, and so on.
     • When exiting a cloud service, potentially unknown quantities of encrypted data may be left behind.
  11. HIPAA
     • The Health Insurance Portability and Accountability Act (HIPAA)
     • Covered entities must implement technical policies and procedures to allow access only to those persons and business associates that absolutely require access to Personal Health Information (“PHI”).
     • However, it also provides for the uses and disclosures of de-identified information (aka Masked, Obfuscated, Redacted). PHI that meets the requirements for de-identification is considered not to be individually identifiable health information.
     • The Office of Civil Rights ("OCR") is required to impose penalties if the covered entity or its business associate acts with neglect.
  12. HIPAA – Recent Changes
     • The changes greatly increase privacy protections for PHI while also strengthening enforcement.
     • Penalties are increased for noncompliance, with possible penalties of $1.5 million per occurrence.
     • The focus of OCR Audits and Assessments will be on whether PHI has been compromised, and then the covered entity must clearly prove that there is a low probability the information has been compromised.
     • The changes expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors.
  13. State Laws
     • 46 states have enacted laws requiring notice of security breaches of personal data.
     • Some states have reportedly considered legislation to hold retailers liable for third-party companies’ costs arising from data breaches.
     • The Massachusetts law is considered to have one of the most comprehensive sets of security regulations at the state level.
  14. State Laws - Texas
     • When the Texas Breach Notification law went into effect in September 2012, breach notification obligations came to exist in all states, because Texas now requires entities doing business within the state to provide notification of data breaches to residents of states that have not enacted their own breach notification law.
  15. LESSONS FROM HEALTHCARE.GOV
  16. Getting Technology Right
     According to the research firm the Standish Group, 94% of large federal information technology projects over the past 10 years were unsuccessful. Source: http://www.nytimes.com/2013/10/25/opinion/getting-to-the-bottom-of-healthcaregovs-flop.html?_r=3&
  17. Federal Acquisition Regulation
     1,800 pages. Companies that win contracts are those that can navigate the regulations best.
  18. Who’s in Charge?
     CGI, QSSI, CMS
  19. An Epic
     3 Years in the Making….. 2 Weeks of Testing ?????
  20. COME IN FROM THE COLD – TEST!
  21. Issues
     Participants can prepare all they want, but bad data can snarl the exchange. Normalization of data across multiple independent organizations leaves data more vulnerable to contamination, duplication and mix-ups. Aggregating, analyzing and managing extensive data raises privacy concerns and costs.
  22. Ownership
     • Each participant must concede a certain amount of ownership of resources and timelines for projects to the “Greater Good”.
  23. Interplay of Changing Technology
     • Increased Outsourcing
     • Social Media
     • The Cloud
  24. Understanding Ourselves
     Do we:
     • Understand where we are?
     • Know where our risks are?
     • Have compensating controls?
     • Have a plan?
     Enterprise Governance Risk and Compliance (“eGRC”) is an enterprise initiative that reaches from strategy through architecture to the operations of the organization.
  25. Review Access to Sensitive Data
     • Who has access?
     • Perform meaningful entitlements reviews.
     • Flag entitlements that do not conform to security policies.
     • Enterprise Entitlement Solutions typically include separate mainframe, application-specific and LDAP-based solutions.
     • Review for Toxic Combinations.
     [Diagram: Live Data behind a Firewall, with numbered access paths for (1) External users, (2) Internal users, (3) App server / ERP server, (4) Privileged users, (5) Load balancer / Web server, (6) Backups; plus file servers, databases and a QA Testing zone.]
  26. Data … Data Everywhere
     • Copies of Data may exist in multiple locations in your environment.
     • Each of these locations is a potential target from external sources and needs to be protected.
     • Verizon Data Breach Report suggests eliminating unnecessary copies of data.
     • Data De-Identification (aka Data Masking) eliminates multiple copies of data.
     [Diagram: the same environment as slide 25, with additional copies of data at Outsourcers / Business Associates, Test Data in the Cloud, Stratification of Big Data, and Taking Data Home.]
  27. …. A WORD FROM OUR SPONSOR
  28. Compliance is important but expensive… Until Now
     The Guard Compliance Tracking Solution
     • EASY Self Audit Questionnaires
     • Gap Identification Reporting
     • Remediation Management
     • Policy and Procedure Templates
     • Unlimited Number of Patients, Employees and Associates
     • Document and Version Control Management
     • Highly Secure
     • No IT integration - Web Based Solution
     Become Compliant in 60 Days! Attest for HITECH, and Satisfy Meaningful Use Core Measure 15. To find out more or start a FREE 30 Day evaluation, visit www.compliancy-group.com, (855) 85 HIPAA or (855) 854-4722
  29. Clients
  30. Data De-Identification - DMsuite™
     DMsuite™ - A robust, proprietary tool that has been deployed at clients for over 9 years with: Sensitive Data Discovery, Data De-Identification and Auditing functionality.
     Supported sources: Applications, Databases, IMS, Big Data, Files (XML, CSV, MultiRecord, etc.), Unstructured Text (Social, RSS), QSAM, VSAM
  31. Questions or Further Discussions
  32. Questions or Further Discussions
     Contact: Joe Santangelo
     Email: jsantangelo@axisdmsuite.com
     Phone: (646) 596-2670
     Twitter: @DataPrivacyDude
  33. www.AxisTechnologyLLC.com
     Thank You!
     70 Federal Street, Boston, MA 02110
     (646) 596-2670
     know your data • protect your data • share your data
     © Copyright 2011 Axis Technology, LLC
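The entitlements review described on slide 25 (meaningful reviews, flagging grants that do not conform to policy, and checking for toxic combinations), as an added Python example that is not part of the deck or of any product it mentions; the roles, entitlement names and separation-of-duties pairs are constructed for illustration.

```python
# Added example (not from the slides): a minimal entitlement review that flags
# accounts holding grants outside their role's policy and accounts holding a
# "toxic combination" of grants. All data below is constructed.
from itertools import combinations

# Constructed policy: the entitlements each role may legitimately hold.
ALLOWED_BY_ROLE = {
    "clinician": {"ehr_read", "ehr_write"},
    "billing": {"claims_read", "claims_submit"},
    "dba": {"db_admin", "backup_read"},
}

# Constructed separation-of-duties rules: pairs one person must never hold together.
TOXIC_PAIRS = {
    frozenset({"claims_submit", "claims_approve"}),
    frozenset({"db_admin", "ehr_write"}),
    frozenset({"backup_read", "outside_email"}),
}

# Constructed entitlement export, as an LDAP or application dump might look.
ENTITLEMENTS = {
    "alice": ("clinician", {"ehr_read", "ehr_write"}),
    "bob": ("billing", {"claims_read", "claims_submit", "claims_approve"}),
    "carol": ("dba", {"db_admin", "backup_read", "ehr_write"}),
    "dave": ("clinician", {"ehr_read", "backup_read"}),
}

def review_entitlements(entitlements, allowed_by_role, toxic_pairs):
    """Return findings per user: out-of-policy grants and toxic combinations.
    Users with no findings are omitted so the reviewer sees only exceptions."""
    findings = {}
    for user, (role, grants) in sorted(entitlements.items()):
        out_of_policy = sorted(grants - allowed_by_role.get(role, set()))
        toxic = sorted(
            tuple(sorted(pair))
            for pair in map(frozenset, combinations(grants, 2))
            if pair in toxic_pairs
        )
        if out_of_policy or toxic:
            findings[user] = {"role": role, "out_of_policy": out_of_policy, "toxic": toxic}
    return findings

if __name__ == "__main__":
    for user, f in review_entitlements(ENTITLEMENTS, ALLOWED_BY_ROLE, TOXIC_PAIRS).items():
        print(f"{user} ({f['role']}): out-of-policy={f['out_of_policy']} toxic={f['toxic']}")
```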
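The de-identification idea on slides 11 and 26 (masking a copy so it no longer carries individually identifiable PHI, while QA and outsourced environments keep usable, joinable data), as an added Python example that is not from the deck and is not DMsuite; the records, field names and key are constructed, and keyed HMAC pseudonyms are an assumed technique for keeping patient_id consistent across copies.

```python
# Added example (not from the slides, not DMsuite): mask a constructed patient
# table so a copy handed to QA or outsourcers carries no direct identifiers,
# while keeping the columns test cases need and referential integrity intact.
import hashlib
import hmac
import re

# Constructed secret: kept only in the masking environment, never shipped
# with the masked copy, so holders of the copy cannot reverse the pseudonyms.
MASK_KEY = b"constructed-demo-key"

def pseudonym(value, prefix="PT", key=MASK_KEY):
    """Keyed, consistent pseudonym: same input gives the same token in every copy."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{prefix}-{digest[:10].upper()}"

def generalize_date(iso_date):
    """Reduce a full date to its year (Safe Harbor permits years, not dates)."""
    return iso_date[:4]

def mask_phone(phone):
    """Zero every digit but keep the format so parsers in QA still work."""
    return re.sub(r"\d", "0", phone)

def mask_patient(rec):
    """Return a masked copy of one patient record; untouched fields are kept."""
    out = dict(rec)
    out["patient_id"] = pseudonym(rec["patient_id"])
    out["name"] = pseudonym(rec["name"], prefix="NAME")
    out["ssn"] = "***-**-****"          # redacted outright; never needed in test
    out["dob"] = generalize_date(rec["dob"])
    out["phone"] = mask_phone(rec["phone"])
    return out

def mask_visit(rec):
    """Mask the visit table with the same pseudonym so joins still line up."""
    return {**rec, "patient_id": pseudonym(rec["patient_id"]),
            "visit_date": generalize_date(rec["visit_date"])}

# Constructed sample rows; the two tables share patient_id as live systems do.
PATIENTS = [{"patient_id": "1001", "name": "Jane Doe", "ssn": "123-45-6789",
             "dob": "1975-03-09", "phone": "617-555-0100", "dx": "E11.9"}]
VISITS = [{"patient_id": "1001", "visit_date": "2013-11-02", "dx": "E11.9"}]

if __name__ == "__main__":
    for row in PATIENTS:
        print(mask_patient(row))
    for row in VISITS:
        print(mask_visit(row))
```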
