Protecting phi and pii - hipaa challenges and solutions - privacy vs cost

In January of this year, the HIPAA Omnibus Final Rule was published, implementing more specific requirements for protecting PHI data and steeper penalties for failing to comply. With a final deadline of September 25, 2013, many organizations that create or handle PHI are scrambling to find a solution.

It should not be surprising that there has been an increased focus on PHI regulations, as the percentage of healthcare organizations reporting a data breach is skyrocketing. 94% of healthcare organizations have had at least one data breach in the past two years, and the annual cost to the healthcare industry could soon reach an estimated $7 billion, according to research from the Ponemon Institute.

Healthcare is among the US industries with the lowest security effectiveness and the weakest breach prevention. Because the PCI industry has instituted sweeping protection requirements for payment card data, unprotected PHI data, including insurance information, prescription details and medical files, has become a prime target for commoditized insurance fraud. The Verizon 2013 Data Breach Investigations Report disclosed that over 90% of breaches go unnoticed by internal resources. The Omnibus legislation can impose penalties of up to $1.5 million per breach.

The most effective form of PCI data security, tokenization, is steadily increasing in use over encryption. The high levels of security, flexibility and transparency provided by tokenization have proven results: PCI audit scope and length can be dramatically reduced, applications require few changes to process data, and over the last year tokenization users had 50% fewer security-related incidents than non-users, according to a recent Aberdeen study.

Due to its inherent advantages, tokenization has also recently seen a surge in organizations using it for information other than card holder data. Nearly 47% of respondents to a recent Aberdeen study are using tokenization for something other than cardholder data. As tokenization can be applied to any structured data, it follows naturally that organizations looking to protect PHI data could benefit greatly by implementing a tokenization solution. In conjunction with best practices such as file encryption, policy-based access controls, and central monitoring and auditing, the healthcare industry could see the same effective results that the payment card industry is realizing today.
With more stringent data security requirements and regular audits on the horizon, in addition to increasing attacks on PHI data, organizations should act now to protect their data, before it’s too late.

Published in: Technology, Business
  1. Protecting PHI across the organization: Challenges and Solutions. Ulf Mattsson, CTO, Protegrity
  2. (image-only slide)
  3. ISSA Article
  4. New Healthcare Security SIG. Information Systems Security Association, New Healthcare Security Special Interest Group. http://www.bankinfosecurity.com/interviews/ira-winkler-on-issas-future-i-1685
  5. The Ponemon Institute study "Third Annual Benchmark Study on Patient Privacy & Data Security", December 2012
  6. Study on Patient Privacy & Data Security
     - The percentage of healthcare organizations reporting a data breach has increased and not declined
     - 94% of healthcare organizations had at least one data breach in the past two years
     - Breaches can have severe consequences and affect patient treatment
     - Technologies that promise greater productivity and convenience, such as mobile devices, file-sharing applications and cloud-based services, are difficult to secure
     - Sophisticated and stealthy attacks by criminals have been steadily increasing
     - Estimated average annual cost to the healthcare industry could potentially be as high as $7 billion
     Source: The Ponemon Institute study "Third Annual Benchmark Study on Patient Privacy & Data Security", December 2012
  7. Type of Data that was Lost or Stolen. Source: The Ponemon Institute study "Third Annual Benchmark Study on Patient Privacy & Data Security", December 2012
  8. Targeting Medical Info – Not Credit Cards. http://www.scmagazine.com/medical-identity-theft-to-be-explored-at-ftc-hearing/article/291780/
  9. Harms Patients Suffer if Records are Lost or Stolen. Source: The Ponemon Institute study "Third Annual Benchmark Study on Patient Privacy & Data Security", December 2012
  10. Identity Theft
  11. Woman gets Prison Time in Identity Theft. http://news.yahoo.com/woman-gets-prison-time-total-identity-theft-202030353.html
      "On Monday, the real Candida L. Gutierrez saw her identity thief, Benita Cardona-Gonzalez, for the first time. Their encounter came inside a federal courtroom in Wichita, where Cardona-Gonzalez, a Mexican national, was sentenced to 18 months in prison for possessing fraudulent identification documents. Cardona-Gonzalez assumed Gutierrez's persona completely, using it to get a job, a driver's license, a mortgage and medical care for her children."
  12. Why changing your Password won't help. http://www.pcworld.com/article/2036610/why-changing-your-livingsocial-password-won-t-save-you.html
      "The bigger concern is what an attacker can do with your personal information"
      "That's enough information to get them started down the path of stealing your identity"
  13. HIPAA Omnibus – Penalties if PHI isn't encrypted. http://www.diagnosticimaging.com/physicians-experts-make-case-secure-data-exchange-himss13
  14. Lost PHI was Not Protected – Lawsuit. http://healthitsecurity.com/2013/05/03/patients-sue-dorn-va-medical-center-for-data-breach/#comment-23
      "The suit argues that the VA failed to implement even the most rudimentary of technical safeguards"
      "How the suit plays out will be interesting because it's not very often a government organization is facing civil and potential Department of Health and Human Services (HHS) penalties"
  15. How are Data Breaches Detected?
  16. Breach Discovery Methods. Source: Verizon 2013 Data Breach Investigations Report
  17. HIPAA & PHI
  18. HIPAA PHI: List of 18 Identifiers
      1. Names
      2. All geographical subdivisions smaller than a State
      3. All elements of dates (except year) related to the individual
      4. Phone numbers
      5. Fax numbers
      6. Electronic mail addresses
      7. Social Security numbers
      8. Medical record numbers
      9. Health plan beneficiary numbers
      10. Account numbers
      11. Certificate/license numbers
      12. Vehicle identifiers and serial numbers
      13. Device identifiers and serial numbers
      14. Web Universal Resource Locators (URLs)
      15. Internet Protocol (IP) address numbers
      16. Biometric identifiers, including fingerprints
      17. Full face photographic images
      18. Any other unique identifying number
  19. Identifiable Sensitive Information
      Field          | Real Data                          | Tokenized / Pseudonymized
      Name           | Joe Smith                          | csu wusoj
      Address        | 100 Main Street, Pleasantville, CA | 476 srta coetse, cysieondusbak, CA
      Date of Birth  | 12/25/1966                         | 01/02/1966
      Telephone      | 760-278-3389                       | 760-389-2289
      E-Mail Address | joe.smith@surferdude.org           | eoe.nwuer@beusorpdqo.org
      SSN            | 076-39-2778                        | 937-28-3390
      CC Number      | 3678 2289 3907 3378                | 3846 2290 3371 3378
      Business URL   | www.surferdude.com                 | www.sheyinctao.com
      Fingerprint    | (binary)                           | Encrypted
      Photo          | (binary)                           | Encrypted
      X-Ray          | (binary)                           | Encrypted
      Healthcare Data – Primary Care Data: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Protection methods can be equally applied to the actual healthcare data, but this is not needed with de-identification.
  20. De-Identified Sensitive Data
      Field          | Real Data                          | Tokenized / Pseudonymized
      Name           | Joe Smith                          | csu wusoj
      Address        | 100 Main Street, Pleasantville, CA | 476 srta coetse, cysieondusbak, CA
      Date of Birth  | 12/25/1966                         | 01/02/1966
      Telephone      | 760-278-3389                       | 760-389-2289
      E-Mail Address | joe.smith@surferdude.org           | eoe.nwuer@beusorpdqo.org
      SSN            | 076-39-2778                        | 076-28-3390
      CC Number      | 3678 2289 3907 3378                | 3846 2290 3371 3378
      Business URL   | www.surferdude.com                 | www.sheyinctao.com
      Fingerprint    | (binary)                           | Encrypted
      Photo          | (binary)                           | Encrypted
      X-Ray          | (binary)                           | Encrypted
      Healthcare Data – Primary Care Data: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Protection methods can be equally applied to the actual healthcare data, but this is not needed with de-identification.
  21. What can We Learn from Financial Services?
  22. Security Effectiveness per Industry Segment. Source: The Ponemon Institute study, 2011
  23. Positioning of Solutions
  24. Reduction of Pain with New Protection Techniques
      (Chart: Pain & TCO from High to Low over 1970, 2000, 2005, 2010, moving from Strong Encryption (AES, 3DES) to Format Preserving Encryption (DTP, FPE) to Vault-based Tokenization to Vaultless Tokenization.)
      Input value: 3872 3789 1620 3675
      Strong encryption output: !@#$%a^.,mhu7///&*B()_+!@
      Format preserving encryption output: 8278 2789 2990 2789 (format preserving)
      Vault-based tokenization output: 8278 2789 2990 2789 (greatly reduced key management)
      Vaultless tokenization output: 8278 2789 2990 2789 (no vault)
  25. Tokenization with or without Vault
      Aspect                                 | Vault-based Tokenization                            | Vaultless Tokenization
      Footprint                              | Large, expanding                                    | Small, static
      High Availability, Disaster Recovery   | Complex, expensive replication required             | No replication required
      Distribution                           | Practically impossible to distribute geographically | Easy to deploy at different geographically distributed locations
      Reliability                            | Prone to collisions                                 | No collisions
      Performance, Latency and Scalability   | Will adversely impact performance & scalability     | Little or no latency; fastest industry tokenization
  26. Research Brief "Tokenization Gets Traction" (Author: Derek Brink, VP and Research Fellow, IT Security and IT GRC)
      - Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption
      - Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data
      - Over the last 12 months, tokenization users had 50% fewer security-related incidents than tokenization non-users
  27. HIPAA Case Study: Violation of HIPAA – $17 million
      - Blue Cross Blue Shield
      - Theft of one million unsecured patient records
      - Violations in the HIPAA Privacy and Security Rules, enforced by the Breach Notification Rule
      - Fined $1.5 million
      - Total incident cost more than $17 million
      - Now protecting stored health data
  28. Summary
  29. Proactive Data Protection
      Know your data flow
      - Protect the data flow
      Protecting your data now could save big time and $ in retroactive security later
      - Breaches and audits are on the rise
      - Organizations that fail to act now risk losing their hard-earned investments
      Granular data protection is cost effective
      - Addressing regulations and data breaches
      - Data available for analytics and other usage
      - Provide separation of duties for administrative functions
      Catch abnormal access to data
      - Including (compromised) insider accounts
  30. About Protegrity
      Proven enterprise data security software and innovation leader
      - Sole focus on the protection of data
      - Patented technology, continuing to drive innovation
      Cross-industry applicability
      - Retail, Hospitality, Travel and Transportation
      - Financial Services, Insurance, Banking
      - Healthcare
      - Telecommunications, Media and Entertainment
      - Manufacturing and Government
  31. Questions: Ulf.Mattsson@protegrity.com
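Slides 19, 20 and 24 show de-identification by format-preserving tokenization: every HIPAA identifier is replaced by a token of the same shape (digits stay digits, letters stay letters, separators stay put), the year of a date is retained, and slide 20 keeps the first SSN digits while slide 19 replaces them all. The following Python is an added example, not Protegrity's code or the deck's own method; it assumes a keyed HMAC-SHA256 counter construction to derive tokens deterministically without a vault (a production system would use a standardized format-preserving mode such as NIST FF1 or a tokenization service), and the sample record is constructed from the "Real Data" column of slide 19. The `format_preserved` check is the test a practitioner would run before pointing existing applications at tokenized columns.

```python
"""Format-preserving, keyed pseudonymization of HIPAA identifiers.
Added example (not Protegrity's code). The HMAC counter construction is an
assumption chosen to keep the example dependency-free."""
import hashlib
import hmac
import string

DIGITS = string.digits
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def _keystream(key: bytes, field: str, value: str, length: int) -> bytes:
    """Deterministic keyed byte stream (HMAC-SHA256 in counter mode).
    The field name is mixed in so the same value tokenizes differently in
    different columns. Same key+field+value -> same stream, so no vault or
    lookup table is needed (the 'vaultless' property of slide 25)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        msg = field.encode() + b"\x00" + value.encode() + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def tokenize_fp(key: bytes, field: str, value: str, keep_prefix: int = 0) -> str:
    """Format-preserving pseudonym: digits -> digits, letters -> letters of the
    same case; punctuation, spaces and the first `keep_prefix` characters pass
    through unchanged (keep_prefix=3 gives the slide-20 SSN style)."""
    stream = _keystream(key, field, value, len(value))
    out = []
    for i, ch in enumerate(value):
        if i < keep_prefix:
            out.append(ch)
        elif ch in DIGITS:
            out.append(DIGITS[stream[i] % 10])   # small modulo bias; fine for a demo
        elif ch in LOWER:
            out.append(LOWER[stream[i] % 26])
        elif ch in UPPER:
            out.append(UPPER[stream[i] % 26])
        else:
            out.append(ch)
    return "".join(out)


def tokenize_date(key: bytes, field: str, value: str) -> str:
    """Identifier 3 covers date elements except the year: keep the year and
    replace month/day with a valid calendar date in the same MM/DD/YYYY layout."""
    _, _, yyyy = value.split("/")
    s = _keystream(key, field, value, 2)
    month = 1 + s[0] % 12
    day = 1 + s[1] % 28          # 1..28 is valid in every month
    return f"{month:02d}/{day:02d}/{yyyy}"


# Per-field policy. Binary fields (fingerprint, photo, X-ray) are encrypted in
# the deck rather than tokenized and are outside this text-only example.
POLICY = {
    "Name": (tokenize_fp, {}),
    "Address": (tokenize_fp, {}),
    "Date of Birth": (tokenize_date, {}),
    "Telephone": (tokenize_fp, {}),
    "E-Mail Address": (tokenize_fp, {}),
    "SSN": (tokenize_fp, {"keep_prefix": 3}),
    "CC Number": (tokenize_fp, {}),
    "Business URL": (tokenize_fp, {}),
}


def deidentify(record: dict, key: bytes) -> dict:
    """Apply POLICY to each field; fields without a policy are passed through."""
    out = {}
    for field, value in record.items():
        fn, kwargs = POLICY.get(field, (None, None))
        out[field] = fn(key, field, value, **kwargs) if fn else value
    return out


def format_preserved(original: str, token: str) -> bool:
    """True if the token keeps the original's length and character classes,
    so column types and input validation downstream need no changes."""
    if len(original) != len(token):
        return False
    for a, b in zip(original, token):
        if any((a in cls) != (b in cls) for cls in (DIGITS, LOWER, UPPER)):
            return False
        if a not in DIGITS + LOWER + UPPER and a != b:
            return False
    return True


# Constructed sample record, modelled on the "Real Data" column of slide 19.
SAMPLE_RECORD = {
    "Name": "Joe Smith",
    "Address": "100 Main Street, Pleasantville, CA",
    "Date of Birth": "12/25/1966",
    "Telephone": "760-278-3389",
    "E-Mail Address": "joe.smith@surferdude.org",
    "SSN": "076-39-2778",
    "CC Number": "3678 2289 3907 3378",
    "Business URL": "www.surferdude.com",
    "Primary Care Data": "Dr. visits, prescriptions, hospital stays",
}

if __name__ == "__main__":
    key = b"example-only-key"   # placeholder; use a managed secret in practice
    for field, token in deidentify(SAMPLE_RECORD, key).items():
        print(f"{field:18} {SAMPLE_RECORD[field]!r:38} -> {token!r}")
```

Running the module prints the record beside its tokenized form; the untouched "Primary Care Data" field illustrates the slide-20 point that the clinical payload needs no protection once the identifiers around it are de-identified, while the per-field key derivation keeps a token learned from one column useless for matching against another.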