a new approach to IT security
- Clementine Baker
- 8 years ago
REPRINT FEBRUARY 2013 healthcare financial management association hfma.org a new approach to IT security
FEATURE STORY

Information object-level controls have the potential to better protect hospitals from data breaches by building security controls into the information itself.

AT A GLANCE
- More than 60 percent of healthcare data breaches occur due to the loss, theft, or misuse of portable devices.
- Using a common application programming interface across applications and platforms to build and enforce object-level controls in information itself can help providers better protect ePHI and other types of digital data.
- Information objects can be engineered to be decrypted only when a legitimate user on a known device using an approved application opens them, and to control what the user can do with the information.

Historically, protecting electronic personal health information (ePHI) in hospitals and health systems has been based on the notion of perimeter security: building a wall around the information so that people who are not supposed to have the information cannot get to it. When people talk about information security, they usually use the phrase "protecting our networks," wherein the network is the perimeter.

But there are three problems with the perimeter-only approach to managing ePHI security:
- With the increasing adoption of mobile technologies and applications in health care, the perimeter has become impossible to define, much less protect.
- Perimeter-only security ignores the inside threat that exists when a hospital's own staff or others with access to the organization's ePHI maliciously or nonmaliciously access or leak protected health information.
- IT security tools, which are expensive, are not always designed to prevent ePHI from being leaked; rather, some of these tools alert organizations to a potential data breach after the fact or protect only a portion of the perimeter, so that the cost-benefit ratio is less than desired.
What we really want is to control the distribution of ePHI in hospitals. We want the right information to get to the right users and no further. And we want to be able to control what these users can do with the information they have accessed, so they cannot inadvertently or intentionally deliver it into the wrong hands. And since information has to move from person to person and device to device to be useful, we need persistent distribution control. Information object-level control can enable hospitals to achieve these goals.

Defining and Protecting the Perimeter

Let's examine why a perimeter-only security approach to protecting ePHI is no longer sufficient in today's hospitals and health systems. It used to be that the perimeter of a hospital's IT system was easy to define and protect. The perimeter consisted of a mainframe with directly attached dumb terminals. Unauthorized people were not allowed in the building or given an account to use the system, and access was limited.

Now consider what the IT perimeter of hospitals looks like in 2013: What is the perimeter of a desktop computer or a mobile device that is connected to both the hospital network and the Internet?

Mobile technologies make perimeter security even harder. As reported in Ponemon's Third Annual Benchmark Study on Patient Privacy and Data Security (December 2012), 81 percent of healthcare organizations permit employees and medical staff to use their own mobile devices to connect to their organization's networks or enterprise systems. However, 54 percent of respondents say they are not confident that these personally owned mobile devices are secure. Another study, released in November 2012, reports that more than 66 percent of nurses use their personal smartphones for clinical communications (Healthcare Without Bounds: Point-of-Care Computing for Nursing 2012, Spyglass Consulting Group). However, 95 percent of nurses in the study say that hospital IT departments won't support their use of smartphones, fearing security risks ("Nurses Turning to Unauthorized Smartphones to Meet Data Demands," Network World, Dec. 21, 2012).

[Figure: Insider Negligence Continues to Be at the Root of Data Breaches. Nature of the incident (more than one choice permitted): lost or stolen computing device; unintentional employee action; third-party snafu; criminal attack; technical systems glitch; malicious insider; intentional, nonmalicious employee action. Source: Third Annual Benchmark Study on Patient Privacy and Data Security, Ponemon, December 2012.]

We buy and use laptops, tablets, and smartphones because they make accessing information from outside the perimeter easy. Almost all constituencies that hospitals serve want their slice of healthcare information and they want it on their mobile devices.
The second problem with perimeter-only security is the insider threat. We'd like to believe that the human nature of healthcare workers mitigates insider risk; however, real-world PHI data breach risks and events reveal a different story ("Top Cause of Data Breaches? Negligent Insiders," Help Net Security, March 22, 2012). The unseen assumption behind perimeter security is that everyone you've let inside is trustworthy. But honest people with access to hospital networks may not understand or remember information security policies and procedures. They can get conned by an outsider looking for a way in, or they can use computers that are compromised without their knowledge. Worse, not all insiders are honest. We must acknowledge that "insider" includes anyone (e.g., healthcare workers, contractors, business associates, janitors, patients) with potential access to PHI, regardless of intent.

A casual glance at industry surveys and news articles confirms that PHI data breach risks and events originating from insiders are a significant and costly reality within health care. As reported in Ponemon's December 2012 study, the top three causes of a data breach are:
- Lost or stolen computing devices (46 percent)
- Unintentional employee mistakes (42 percent)
- Third-party snafus (42 percent)

Moreover, five of the top seven root causes of data breaches are linked to authorized individuals, according to the study.
The significance of the insider threat is further validated by a 2011 report that found that 71 percent of healthcare organizations suffered one or more ePHI breaches in the course of a year, most of which originated from insiders in one form or another (Survey of Patient Privacy Breached, Veriphyr). Employees who snooped at other employees' medical records were the most common source of a breach (35 percent), followed by employees who peeked at medical records of friends and relatives (27 percent), loss or theft of physical records (25 percent), and loss or theft of equipment housing patient data (20 percent).

Additionally, a May 2012 article by Erica Chickowski notes that more than 60 percent of breaches reported to the U.S. Department of Health and Human Services in response to HIPAA mandates occur due to the loss or theft of portable devices, such as laptops, smartphones, and external drives ("Health Care Unable to Keep Up with Insider Threats," Dark Reading, May 1, 2012). Chickowski cites three major healthcare breaches in April 2012, which alone disclosed nearly 1.1 million healthcare records. The common thread in each was the role of insiders, both nonmalicious and malicious, in causing the incidents. Human (insider) error was responsible for the loss of 315,000 patient records at one organization when 10 backup disks went missing from a storage facility. In another of the incidents, an employee emailed 228,000 Medicaid patient records to himself. These examples underscore the need to acknowledge that anyone with potential access to ePHI could pose a threat to the security of this information.

The third problem with a perimeter-only security approach is that as the perimeter expands and becomes more complex, so does the number of security tools required to protect the IT perimeter, and the cost of acquiring and operating such tools can be high.
Additionally, it's often hard to make a financial case for the ever-growing number of security tools because even when they function perfectly, they do not directly secure information; instead, they reinforce some aspect of the perimeter or alert the organization of a breach after the breach has occurred.

This is not a call to abandon perimeter security; it is still needed. However, it is not sufficient or economically feasible for providers to rely on a perimeter security approach as the only approach to securing information. That being said, as a practical and legal matter, it is critical for health care to pay attention to the general computing controls emphasized in the Office of Inspector General report Audit of Information Technology Security Included in Health Information Technology Standards. The U.S. Department of Homeland Security also offers a free cyber security evaluation tool for assessing the security posture of cyber systems and networks related to industrial controls and business IT systems ( control_systems/satool.html).

How Information Object-Level Controls Can Help

Healthcare providers should establish rules to control who can access information and what can be done with the information, regardless of how or where it is distributed or what type of device the information is stored on. Such rules should work across the many applications and edge devices used by providers.

Information object-level controls that are built into applications could help providers better protect ePHI and other information. An information object encapsulates any form of digital content along with control information about the content. Information objects can include distribution controls designating who can access the information, rules dictating how the information may be used or manipulated, and audit data (e.g., when changes were made to the content, and by whom).

This is where today's computing power comes into play.
If properly engineered to include the processing power of new edge devices, there is more than enough capacity to protect information in motion and everywhere it is stored. It is critical to include edge-device capacity in any approach to cybersecurity because increasingly sophisticated edge devices:
- Are where most information lives
- Have in/out ports for exporting information
- Are often portable and easily stolen or captured
- Are what users are using and will continue to use

Information objects can be separately and distinctly encrypted and kept continually encrypted. They can be engineered so that they are only decrypted when a legitimate user on a known device using an approved application opens them. Contrary to what is sometimes portrayed on television and in the movies, cracking encrypted information is extremely difficult and expensive, especially when there are many information objects, each with a different key.

What is the risk of a security breach if all it yields is hundreds or thousands of distinctly encrypted information objects? What is the risk of a stolen laptop, tablet, or phone that contains thousands of distinctly encrypted objects? How much stronger are a provider's ePHI controls if applications rather than people are enforcing information security policies, and if access to and use of the information is audited? How much more difficult will it be to inject false information into hospital industrial control systems if the attacker is required to somehow continually replicate distinctly encrypted commands?

QUESTIONS TO ASK IN PROTECTING ePHI
In addressing ePHI security concerns, providers should ask the following questions of their IT vendors:
- How will you help our organization retain control of our information, regardless of the platform that the information is located upon?
- How will you help our organization prove where information goes, who has used the information, and for what purpose the information was used?
- How will you help us interoperate within an industry at the information level to retain control of our information, regardless of the application we are using?
- How are you going to help simplify the control of our ePHI and make it less expensive to operate?

Making the Transition

Moving beyond traditional security controls will require changes in thinking and industry practice. Information security vendors have, for the most part, treated the increase in edge computing power as a problem to be solved rather than an opportunity to be leveraged. Application vendors have, for the most part, assumed that information security was somebody else's problem.

The healthcare industry has not invested a great deal of work toward adopting a common information object-level security architecture. That's understandable: Such architecture has only recently become possible. However, this type of information security support is becoming a necessity for healthcare providers. The risks and costs of PHI breaches continue to rise. Healthcare organizations are increasingly being audited for potential and actual security breaches involving ePHI.

Ninety-four percent of healthcare organizations surveyed for a recent study stated they had recorded at least one data breach from , while 45 percent reported that they had experienced more than five data breaches during this two-year period (Third Annual Benchmark Study on Patient Privacy and Data Security, Ponemon, December 2012). With an estimated annual cost of $7 billion to the healthcare industry, the average economic impact of a breach over a two-year period has increased to $2.4 million, a 20 percent increase since the study was first conducted in 2010, according to researchers. Meanwhile, a 2011 report stated that of the top 10 industry sectors that have experienced data breaches, the healthcare industry ranked first in data breaches recorded, with government, education, and finance being the next closest at 14, 13, and 8 percent, respectively (Internet Security Report: 2011 Trends, Symantec).
Given the magnitude of risk associated with protecting ePHI, regulation will almost certainly require that the healthcare industry shift from passive compliance with security regulations to provable adherence. Perimeter-only security approaches are not enough.

About the authors
is CEO, Absio Corporation, Denver (dan.kruger@absio.com).
is a chief officer, Absio Corporation, Denver (tim.anschutz@absio.com).

Reprinted from the February 2013 issue of hfm magazine. Copyright 2013 by Healthcare Financial Management Association, Three Westbrook Corporate Center, Suite 600, Westchester, IL For more information, call HFMA or visit
WEB EXTRA

The Limitations of Cloud Computing in Controlling Information Security

In the beginning, compute power was concentrated in mainframe computers. Edge devices were dumb terminals that couldn't connect to anything but the mainframe. The network era has been a constant process of increasing compute power at the edge. PCs, laptops, tablets, smartphones, diagnostic and monitoring equipment, medical devices, and industrial controls have increased compute capacity in ever-smaller forms.

Cloud computing is, in a way, an attempt to return to the mainframe model: to centralize compute power in massive server farms and to use software on smart edge devices that act as pretty-but-dumb terminals for accessing information from the cloud. But inherent problems prevent the cloud from being a complete solution for controlling the distribution of information:
- Edge devices that are accessing the cloud act as dumb terminals, but they are not dumb. They are tremendously capable computers that host myriad applications that can be used as vehicles to defeat cloud security.
- It is not always possible to access the cloud. We are years away, if ever, from bandwidth nirvana. There are far too many situations where work cannot get done because no connection is available, the connection is intermittent, or bandwidth is insufficient.
- Cloud computing requires that the hospital pay for all of the compute and connection capacity. The compute power of edge devices is more or less thrown away, and each new edge device increases the requirement for bandwidth and central computing capacity.
- The cloud data center defines a secure perimeter, but it does not address securing data when data leave the data center.

How do we harness the power of the cloud and leverage the efficiencies of edge devices without sacrificing security? We do it by locating control in the information itself.

Web Extra to "A New Approach to IT Security." Republished from the February 2013 issue of hfm magazine.
Practical Storage Security With Key Management Russ Fellows, Evaluator Group SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA unless otherwise noted. Member companies
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More informationNorth Carolina Health Information Management Association February 20, 2013 Chris Apgar, CISSP
Mobile Device Management Risky Business in Healthcare North Carolina Health Information Management Association February 20, 2013 Chris Apgar, CISSP Agenda HIPAA/HITECH & Mobile Devices Breaches Federal
More informationHIPAA Violations Incur Multi-Million Dollar Penalties
HIPAA Violations Incur Multi-Million Dollar Penalties Whitepaper HIPAA Violations Incur Multi-Million Dollar Penalties Have you noticed how many expensive Health Insurance Portability and Accountability
More informationCyber Security An Exercise in Predicting the Future
Cyber Security An Exercise in Predicting the Future Paul Douglas, August 25, 2014 AUDIT & ACCOUNTING + CONSULTING + TAX SERVICES + TECHNOLOGY I www.pncpa.com I www.pntech.net What is Cyber Security? Measures
More informationRSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS
RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS Security solutions for patient and provider access AT A GLANCE Healthcare organizations of all sizes are responding to the demands of patients, physicians,
More information7 VITAL FACTS ABOUT HEALTHCARE BREACHES. www.eset.com
7 VITAL FACTS ABOUT HEALTHCARE BREACHES www.eset.com 7 vital facts about healthcare breaches Essential information for protecting your business and your patients Large breaches of Personal Health Information
More informationImpact of Data Breaches
Research Note Impact of Data Breaches By: Divya Yadav Copyright 2014, ASA Institute for Risk & Innovation Applicable Sectors: IT, Retail Keywords: Hacking, Cyber security, Data breach, Malware Abstract:
More informationNEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16
NEW PERSPECTIVES on Healthcare Risk Management, Control and Governance www.ahia.org Journal of the Association of Heathcare Internal Auditors Vol. 32, No. 3, Fall, 2013 Professional Fee Coding Audit: The
More informationCompromises in Healthcare Privacy due to Data Breaches
Compromises in Healthcare Privacy due to Data Breaches S. Srinivasan, PhD Distinguished Professor of Information Systems Jesse H. Jones School of Business Texas Southern University, Houston, Texas, USA
More informationAuditing Security: Lessons Learned From Healthcare Security Breaches
Auditing Security: Lessons Learned From Healthcare Security Breaches Adam H. Greene, J.D., M.P.H. Davis Wright Tremaine LLP Washington, D.C. Michael Mac McMillan CynergisTek, Inc. Austin, Texas DISCLAIMER:
More informationFourth Annual Benchmark Study on Patient Privacy & Data Security
Fourth Annual Benchmark Study on Patient Privacy & Data Security Sponsored by ID Experts Independently conducted by Ponemon Institute LLC Publication Date: March 2014 Ponemon Institute Research Report
More informationThis presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in
This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American
More informationStrategies for. Proactively Auditing. Compliance to Mitigate. Matt Jackson, Director Kevin Dunnahoo, Manager
Strategies for 1 Proactively Auditing HIPAA Security Compliance to Mitigate Risk Matt Jackson, Director Kevin Dunnahoo, Manager AHIA 32 nd Annual Conference August 25-28, 2013 Chicago, Illinois www.ahia.org
More informationMitigating Server Breaches with Secure Computation. Yehuda Lindell Bar-Ilan University and Dyadic Security
Mitigating Server Breaches with Secure Computation Yehuda Lindell Bar-Ilan University and Dyadic Security The Problem Network and server breaches have become ubiquitous Financially-motivated and state-sponsored
More informationDATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH
DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH Andy Watson Grant Thornton LLP. All rights reserved. CYBERSECURITY 2 SURVEY OF CHIEF AUDIT EXECUTIVES (CAEs) GRANT THORNTON'S 2014 CAE SURVEY Data privacy and
More informationA New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks. Alex Leemon, Sr. Manager
A New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks Alex Leemon, Sr. Manager 1 The New Cyber Battleground: Inside Your Network Over 90% of organizations have been breached
More informationAB 1149 Compliance: Data Security Best Practices
AB 1149 Compliance: Data Security Best Practices 1 Table of Contents Executive Summary & Overview 3 Data Security Best Practices 4 About Aurora 10 2 Executive Summary & Overview: AB 1149 is a new California
More informationArchitecting Security to Address Compliance for Healthcare Providers
Architecting Security to Address Compliance for Healthcare Providers What You Need to Know to Help Comply with HIPAA Omnibus, PCI DSS 3.0 and Meaningful Use November, 2014 Table of Contents Background...
More informationCONNECTED HEALTHCARE. Trends, Challenges & Solutions
CONNECTED HEALTHCARE Trends, Challenges & Solutions Trend > Remote monitoring and telemedicine are growing Digital technology for healthcare is accelerating. Changes are being driven by the digitization
More information2015 Global Study on IT Security Spending & Investments
2015 Study on IT Security Spending & Investments Independently conducted by Ponemon Institute LLC Publication Date: May 2015 Sponsored by Part 1. Introduction Security risks are pervasive and becoming
More informationWhite Paper. Data Breach Mitigation in the Healthcare Industry
White Paper Data Breach Mitigation in the Healthcare Industry Thursday, October 08, 2015 Table of contents 1 Executive Summary 3 2 Personally Identifiable Information & Protected Health Information 4 2.1
More informationEnsuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services
Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Introduction Patient privacy has become a major topic of concern over the past several years. With the majority of
More informationCYBERSECURITY: Is Your Business Ready?
CYBERSECURITY: Is Your Business Ready? Cybersecurity: Is your business ready? Cyber risk is just like any other corporate risk and it must be managed from the top. An organization will spend time monitoring
More informationHIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees
HIPAA TRAINING A training course for Shiawassee County Community Mental Health Authority Employees WHAT IS HIPAA? HIPAA is an acronym that stands for Health Insurance Portability and Accountability Act.
More informationHIPAA Compliance Evaluation Report
Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations
More informationWHITE PAPER WHAT HAPPENED?
WHITE PAPER WHAT HAPPENED? ENSURING YOU HAVE THE DATA YOU NEED FOR EFFECTIVE FORENSICS AFTER A DATA BREACH Over the past ten years there have been more than 75 data breaches in which a million or more
More informationWHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR
KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST Protecting Identities. Enhancing Reputations. IDT911 1 DATA BREACHES AND SUBSEQUENT IDENTITY THEFT AND FRAUD THREATEN YOUR ORGANIZATION
More informationBeyond passwords: Protect the mobile enterprise with smarter security solutions
IBM Software Thought Leadership White Paper September 2013 Beyond passwords: Protect the mobile enterprise with smarter security solutions Prevent fraud and improve the user experience with an adaptive
More informationRETHINKING CYBER SECURITY Changing the Business Conversation
RETHINKING CYBER SECURITY Changing the Business Conversation October 2015 Introduction: Diane Smith Michigan Delegate Higher Education Conference Speaker Board Member 2 1 1. Historical Review Agenda 2.
More informationBOARD OF GOVERNORS MEETING JUNE 25, 2014
CYBER RISK UPDATE BOARD OF GOVERNORS MEETING JUNE 25, 2014 EXECUTIVE SUMMARY Cyber risk has become a major threat to organizations around the world, as highlighted in several well-publicized data breaches
More informationWhy Lawyers? Why Now?
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More informationStay ahead of insiderthreats with predictive,intelligent security
Stay ahead of insiderthreats with predictive,intelligent security Sarah Cucuz sarah.cucuz@spyders.ca IBM Security White Paper Executive Summary Stay ahead of insider threats with predictive, intelligent
More informationWhere Do You Draw the Creepy Line? Privacy, Big Data Analytics and the Internet of Things
Where Do You Draw the Creepy Line? Privacy, Big Data Analytics and the Internet of Things aisa.org.a u aisa.org.a u Rebecca Herold, CEO The Privacy Professor 1 rebeccaherold@rebeccaherold.com Agenda Technology
More informationSolutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance
White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA
More informationOCTOBER 2013 PART 1. Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information
OCTOBER 2013 PART 1 Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information Part 1: How HIPAA affects electronic transfer of protected health information It is difficult
More informationNational Cyber Security Month 2015: Daily Security Awareness Tips
National Cyber Security Month 2015: Daily Security Awareness Tips October 1 New Threats Are Constantly Being Developed. Protect Your Home Computer and Personal Devices by Automatically Installing OS Updates.
More informationCyber Security. John Leek Chief Strategist
Cyber Security John Leek Chief Strategist AGENDA The Changing Business Landscape Acknowledge cybersecurity as an enterprise-wide risk management issue not just an IT issue How to develop a cybersecurity
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More information