A New Approach to IT Security


REPRINT, FEBRUARY 2013. Healthcare Financial Management Association, hfma.org

FEATURE STORY

Information object-level controls have the potential to better protect hospitals from data breaches by building security controls into the information itself.

AT A GLANCE

- More than 60 percent of healthcare data breaches occur due to the loss, theft, or misuse of portable devices.
- Using a common application programming interface across applications and platforms to build and enforce object-level controls in information itself can help providers better protect ePHI and other types of digital data.
- Information objects can be engineered to be decrypted only when a legitimate user on a known device using an approved application opens them, and to control what the user can do with the information.

Historically, protecting electronic personal health information (ePHI) in hospitals and health systems has been based on the notion of perimeter security: building a wall around the information so that people who are not supposed to have the information cannot get to it. When people talk about information security, they usually use the phrase "protecting our networks," wherein the network is the perimeter.

But there are three problems with the perimeter-only approach to managing ePHI security:

- With the increasing adoption of mobile technologies and applications in health care, the perimeter has become impossible to define, much less protect.
- Perimeter-only security ignores the inside threat that exists when a hospital's own staff or others with access to the organization's ePHI maliciously or nonmaliciously access or leak protected health information.
- IT security tools, which are expensive, are not always designed to prevent ePHI from being leaked; rather, some of these tools alert organizations to a potential data breach after the fact or protect only a portion of the perimeter, so that the cost-benefit ratio is less than desired.

What we really want is to control the distribution of ePHI in hospitals. We want the right information to get to the right users and no further. And we want to be able to control what these users can do with the information they have accessed, so they cannot inadvertently or intentionally deliver it into the wrong hands. And since information has to move from person to person and device to device to be useful, we need persistent distribution control. Information object-level control can enable hospitals to achieve these goals.

Defining and Protecting the Perimeter

Let's examine why a perimeter-only security approach to protecting ePHI is no longer sufficient in today's hospitals and health systems. It used to be that the perimeter of a hospital's IT system was easy to define and protect. The perimeter consisted of a mainframe with directly attached dumb terminals. Unauthorized people were not allowed in the building or given an account to use the system, and access was limited.

Now consider what the IT perimeter of hospitals looks like in 2013: What is the perimeter of a desktop computer or a mobile device that is connected to both the hospital network and the Internet?

Mobile technologies make perimeter security even harder. As reported in Ponemon's Third Annual Benchmark Study on Patient Privacy and Data Security (December 2012), 81 percent of healthcare organizations permit employees and medical staff to use their own mobile devices to connect to their organization's networks or enterprise systems. However, 54 percent of respondents say they are not confident that these personally owned mobile devices are secure. Another study, released in November 2012, reports that more than 66 percent of nurses use their personal smartphones for clinical communications (Healthcare Without Bounds: Point-of-Care Computing for Nursing 2012, Spyglass Consulting Group). However, 95 percent of nurses in the study say that hospital IT departments won't support their use of smartphones, fearing security risks ("Nurses Turning to Unauthorized Smartphones to Meet Data Demands," Network World, Dec. 21, 2012).

[Figure: Insider Negligence Continues to Be at the Root of Data Breaches. Nature of the incident (more than one choice permitted): lost or stolen computing device; unintentional employee action; third-party snafu; criminal attack; technical systems glitch; malicious insider; intentional, nonmalicious employee action. Source: Third Annual Benchmark Study on Patient Privacy and Data Security, Ponemon, December]

We buy and use laptops, tablets, and smartphones because they make accessing information from outside the perimeter easy. Almost all constituencies that hospitals serve want their slice of healthcare information and they want it on their mobile devices.

The second problem with perimeter-security-only is the insider threat. We'd like to believe that the human nature of healthcare workers mitigates insider risk; however, real-world PHI data breach risks and events reveal a different story ("Top Cause of Data Breaches? Negligent Insiders," Help Net Security, March 22, 2012).

The unseen assumption behind perimeter security is that everyone you've let inside is trustworthy. But honest people with access to hospital networks may not understand or remember information security policies and procedures. They can get conned by an outsider looking for a way in, or they can use computers that are compromised without their knowledge. Worse, not all insiders are honest. We must acknowledge that "insider" includes anyone (e.g., healthcare workers, contractors, business associates, janitors, patients) with potential access to PHI, regardless of intent.

A casual glance at industry surveys and news articles confirms that PHI data breach risks and events originating from insiders are a significant and costly reality within health care. As reported in Ponemon's December 2012 study, the top three causes of a data breach are:

- Lost or stolen computing devices (46 percent)
- Unintentional employee mistakes (42 percent)
- Third-party snafus (42 percent)

Moreover, five of the top seven root causes of data breaches are linked to authorized individuals, according to the study.

The significance of the insider threat is further validated by a 2011 report that found that 71 percent of healthcare organizations suffered one or more ePHI breaches in the course of a year, most of which originated from insiders in one form or another (Survey of Patient Privacy Breached, Veriphyr). Employees who snooped at other employees' medical records were the most common source of a breach (35 percent), followed by employees who peeked at medical records of friends and relatives (27 percent), loss or theft of physical records (25 percent), and loss or theft of equipment housing patient data (20 percent).

Additionally, a May 2012 article by Erica Chickowski notes that more than 60 percent of breaches reported to the U.S. Department of Health and Human Services in response to HIPAA mandates occur due to the loss or theft of portable devices, such as laptops, smartphones, and external drives ("Health Care Unable to Keep Up with Insider Threats," Dark Reading, May 1, 2012). Chickowski cites three major healthcare breaches in April 2012, which alone disclosed nearly 1.1 million healthcare records. The common thread in each was the role of insiders, both nonmalicious and malicious, in causing the incidents. Human (insider) error was responsible for the loss of 315,000 patient records at one organization when 10 backup disks went missing from a storage facility. In another of the incidents, an employee emailed 228,000 Medicaid patient records to himself. These examples underscore the need to acknowledge that anyone with potential access to ePHI could pose a threat to the security of this information.

The third problem with a perimeter-only security approach is that as the perimeter expands and becomes more complex, so does the number of security tools required to protect the IT perimeter, and the cost of acquiring and operating such tools can be high. Additionally, it's often hard to make a financial case for the ever-growing number of security tools because even when they function perfectly, they do not directly secure information; instead, they reinforce some aspect of the perimeter or alert the organization of a breach after the breach has occurred.

This is not a call to abandon perimeter security; it is still needed. However, it is not sufficient or economically feasible for providers to rely on a perimeter security approach as the only approach to securing information.

That being said, as a practical and legal matter, it is critical for health care to pay attention to the general computing controls emphasized in the Office of Inspector General report Audit of Information Technology Security Included in Health Information Technology Standards. The U.S. Department of Homeland Security also offers a free cyber security evaluation tool for assessing the security posture of cyber systems and networks related to industrial controls and business IT systems ( control_systems/satool.html).

How Information Object-Level Controls Can Help

Healthcare providers should establish rules to control who can access information and what can be done with the information, regardless of how or where it is distributed or what type of device the information is stored on. Such rules should work across the many applications and edge devices used by providers.

Information object-level controls that are built into applications could help providers better protect ePHI and other information. An information object encapsulates any form of digital content along with control information about the content. Information objects can include distribution controls designating who can access the information, rules dictating how the information may be used or manipulated, and audit data (e.g., when changes were made to the content, and by whom).

This is where today's computing power comes into play. If properly engineered to include the processing power of new edge devices, there is more than enough capacity to protect information in motion and everywhere it is stored. It is critical to include edge-device capacity in any approach to cybersecurity because increasingly sophisticated edge devices:

- Are where most information lives
- Have in/out ports for exporting information
- Are often portable and easily stolen or captured
- Are what users are using and will continue to use

Information objects can be separately and distinctly encrypted and kept continually encrypted. They can be engineered so that they are only decrypted when a legitimate user on a known device using an approved application opens them. Contrary to what is sometimes portrayed on television and in the movies, cracking encrypted information is extremely difficult and expensive, especially when there are many information objects, each with a different key.

What is the risk of a security breach if all it yields is hundreds or thousands of distinctly encrypted information objects? What is the risk of a stolen laptop, tablet, or phone that contains thousands of distinctly encrypted objects? How much stronger are a provider's ePHI controls if applications rather than people are enforcing information security policies, and if access to and use of the information is audited? How much more difficult will it be to inject false information into hospital industrial control systems if the attacker is required to somehow continually replicate distinctly encrypted commands?

QUESTIONS TO ASK IN PROTECTING ePHI

In addressing ePHI security concerns, providers should ask the following questions of their IT vendors:

- How will you help our organization retain control of our information, regardless of the platform that the information is located upon?
- How will you help our organization prove where information goes, who has used the information, and for what purpose the information was used?
- How will you help us interoperate within an industry at the information level to retain control of our information, regardless of the application we are using?
- How are you going to help simplify the control of our ePHI and make it less expensive to operate?

Making the Transition

Moving beyond traditional security controls will require changes in thinking and industry practice. Information security vendors have, for the most part, treated the increase in edge computing power as a problem to be solved rather than an opportunity to be leveraged. Application vendors have, for the most part, assumed that information security was somebody else's problem.

The healthcare industry has not invested a great deal of work toward adopting a common information object-level security architecture. That's understandable: Such architecture has only recently become possible. However, this type of information security support is becoming a necessity for healthcare providers.

The risks and costs of PHI breaches continue to rise. Healthcare organizations are increasingly being audited for potential and actual security breaches involving ePHI. Ninety-four percent of healthcare organizations surveyed for a recent study stated they had recorded at least one data breach from , while 45 percent reported that they had experienced more than five data breaches during this two-year period (Third Annual Benchmark Study on Patient Privacy and Data Security, Ponemon, December 2012). With an estimated annual cost of $7 billion to the healthcare industry, the average economic impact of a breach over a two-year period has increased to $2.4 million, a 20 percent increase since the study was first conducted in 2010, according to researchers.

Meanwhile, a 2011 report states that, of the top 10 industry sectors that have experienced data breaches, the healthcare industry ranked first in data breaches recorded, with government, education, and finance being the next closest at 14, 13, and 8 percent, respectively (Internet Security Report: 2011 Trends, Symantec).

Given the magnitude of risk associated with protecting ePHI, regulation will almost certainly require that the healthcare industry shift from passive compliance with security regulations to provable adherence. Perimeter-only security approaches are not enough.

About the authors is CEO, Absio Corporation, Denver is a chief officer, Absio Corporation, Denver

Reprinted from the February 2013 issue of hfm magazine. Copyright 2013 by Healthcare Financial Management Association, Three Westbrook Corporate Center, Suite 600, Westchester, IL For more information, call HFMA or visit

WEB EXTRA

The Limitations of Cloud Computing in Controlling Information Security

In the beginning, compute power was concentrated in mainframe computers. Edge devices were dumb terminals that couldn't connect to anything but the mainframe. The network era has been a constant process of increasing compute power at the edge. PCs, laptops, tablets, smartphones, diagnostic and monitoring equipment, medical devices, and industrial controls have increased compute capacity in ever-smaller forms.

Cloud computing is, in a way, an attempt to return to the mainframe model: to centralize compute power in massive server farms and use software on smart edge devices that act as pretty-but-dumb terminals for accessing information from the cloud.

But inherent problems prevent the cloud from being a complete solution for controlling the distribution of information:

- Edge devices that are accessing the cloud act as dumb terminals, but they are not dumb. They are tremendously capable computers that host myriad applications that can be used as vehicles to defeat cloud security.
- It is not always possible to access the cloud. We are years away, if ever, from bandwidth nirvana. There are far too many situations where work cannot get done because no connection is available, the connection is intermittent, or bandwidth is insufficient.
- Cloud computing requires that the hospital pay for all of the compute and connection capacity. The compute power of edge devices is more or less thrown away, and each new edge device increases the requirement for bandwidth and central computing capacity.
- The cloud data center defines a secure perimeter, but it does not address securing data when data leave the data center.

How do we harness the power of the cloud and leverage the efficiencies of edge devices without sacrificing security? We do it by locating control in the information itself.

Web Extra to "A New Approach to IT Security." Republished from the February 2013 issue of hfm magazine.
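
The information object the article describes (content kept encrypted under its own key, with distribution controls, usage rules, and audit data attached) can be sketched in code. The following is an added example, not code from the article or from its authors' company; the PolicyEnforcer class, the policy layout, and every name in it are hypothetical, and the HMAC-SHA256 keystream with an HMAC tag is a standard-library stand-in for a vetted authenticated cipher such as AES-GCM.

```python
"""Added example: an information object with its own key, policy and audit data."""
import copy
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real cipher (assumption).
    blocks = (_prf(key, nonce + i.to_bytes(8, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _tag(key: bytes, aad: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefix the policy so its bytes cannot be confused with the ciphertext.
    return _prf(_prf(key, b"mac"), len(aad).to_bytes(8, "big") + aad + nonce + ct)


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC; `aad` (the policy) is authenticated but not encrypted."""
    nonce = secrets.token_bytes(16)
    ks = _stream(_prf(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ct + _tag(key, aad, nonce, ct)


def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, aad, nonce, ct)):
        raise ValueError("content or policy was modified")
    ks = _stream(_prf(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


@dataclass
class InformationObject:
    object_id: str
    policy: dict                                # distribution controls and usage rules
    sealed: bytes = b""                         # content under this object's own key
    audit: list = field(default_factory=list)   # who tried what, and the outcome

    def policy_bytes(self) -> bytes:
        bound = {"id": self.object_id, "policy": self.policy}
        return json.dumps(bound, sort_keys=True).encode()


class PolicyEnforcer:
    """Hypothetical stand-in for the common API an approved application calls."""

    def __init__(self) -> None:
        self._keys = {}  # object_id -> key, held apart from the objects themselves

    def create(self, object_id: str, content: bytes, policy: dict) -> InformationObject:
        obj = InformationObject(object_id, copy.deepcopy(policy))
        self._keys[object_id] = secrets.token_bytes(32)  # distinct key per object
        obj.sealed = seal(self._keys[object_id], content, obj.policy_bytes())
        return obj

    def open(self, obj: InformationObject, user: str, device: str,
             app: str, action: str) -> bytes:
        p = obj.policy
        allowed = (device in p["devices"] and app in p["apps"]
                   and action in p["users"].get(user, []))
        outcome = "denied"
        try:
            if not allowed:
                raise PermissionError(f"{user} on {device} via {app}: {action} denied")
            outcome = "tampered"  # stays this way if the integrity check fails
            content = unseal(self._keys[obj.object_id], obj.sealed, obj.policy_bytes())
            outcome = "opened"
            return content
        finally:
            obj.audit.append({"user": user, "device": device, "app": app,
                              "action": action, "outcome": outcome})


if __name__ == "__main__":
    enforcer = PolicyEnforcer()
    # Constructed sample policy and record, not real data.
    policy = {"users": {"nurse.a": ["view"], "dr.b": ["view", "print"]},
              "devices": ["tablet-17"], "apps": ["ehr-viewer"]}
    record = enforcer.create("obj-001", b"constructed sample record", policy)
    print(enforcer.open(record, "nurse.a", "tablet-17", "ehr-viewer", "view"))
    for attempt in [("nurse.a", "tablet-17", "ehr-viewer", "print"),
                    ("nurse.a", "lost-laptop", "ehr-viewer", "view")]:
        try:
            enforcer.open(record, *attempt)
        except PermissionError as exc:
            print("blocked:", exc)
    print(json.dumps(record.audit, indent=2))
```

Because the policy is authenticated together with the ciphertext, editing the policy on a copied object makes the integrity check fail instead of granting access, and a stolen device yields only sealed objects while the keys stay with the enforcer.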


HIPAA and Health Information Privacy and Security HIPAA and Health Information Privacy and Security Revised 7/2014 What Is HIPAA? H Health I Insurance P Portability & A Accountability A - Act HIPAA Privacy and Security Rules were passed to protect patient

More information

The Future of Data Breach Risk Management Response and Recovery. The Cybersecurity Forum April 14, 2016

The Future of Data Breach Risk Management Response and Recovery. The Cybersecurity Forum April 14, 2016 The Future of Data Breach Risk Management Response and Recovery Increasing electronic product life and reliability The Cybersecurity Forum April 14, 2016 Today s Topics About Merchants Information Solutions,

More information

White. Paper. The SMB Market is Ready for Data Encryption. January, 2011

White. Paper. The SMB Market is Ready for Data Encryption. January, 2011 White Paper The SMB Market is Ready for Data Encryption By Mark Peters January, 2011 This ESG White Paper was commissioned by Tandberg Data and is distributed under license from ESG. 2011, Enterprise Strategy

More information

Statement for the Record. Martin Casado, Senior Vice President. Networking and Security Business Unit. VMware, Inc. Before the

Statement for the Record. Martin Casado, Senior Vice President. Networking and Security Business Unit. VMware, Inc. Before the Testimony Statement for the Record Martin Casado, Senior Vice President Networking and Security Business Unit VMware, Inc. Before the U.S. House of Representatives Committee on Science, Space, and Technology

More information

Nine Network Considerations in the New HIPAA Landscape

Nine Network Considerations in the New HIPAA Landscape Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant

More information

Stay ahead of insiderthreats with predictive,intelligent security

Stay ahead of insiderthreats with predictive,intelligent security Stay ahead of insiderthreats with predictive,intelligent security Sarah Cucuz sarah.cucuz@spyders.ca IBM Security White Paper Executive Summary Stay ahead of insider threats with predictive, intelligent

More information

Impact of Data Breaches

Impact of Data Breaches Research Note Impact of Data Breaches By: Divya Yadav Copyright 2014, ASA Institute for Risk & Innovation Applicable Sectors: IT, Retail Keywords: Hacking, Cyber security, Data breach, Malware Abstract:

More information

2015 VORMETRIC INSIDER THREAT REPORT

2015 VORMETRIC INSIDER THREAT REPORT Research Conducted by 2015 VORMETRIC INSIDER THREAT REPORT Trends and Future Directions in Data Security HEALTHCARE EDITION #2015InsiderThreat RESEARCH BRIEF U.S. HEALTHCARE SPOTLIGHT ABOUT THIS RESEARCH

More information

7 Myths of Healthcare Cloud Security Debunked

7 Myths of Healthcare Cloud Security Debunked BUSINESS WHITE PAPER 7 Myths of Healthcare Cloud Security Debunked Don t let these common myths stall your healthcare cloud initiative 7 Myths of Cloud Security Debunked Table of Contents 2 The Cloud is

More information

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches

More information

Whitepaper. Best Practices for Securing Your Backup Data. BOSaNOVA Phone: 866-865-5250 Email: info@theq3.com Web: www.theq3.com

Whitepaper. Best Practices for Securing Your Backup Data. BOSaNOVA Phone: 866-865-5250 Email: info@theq3.com Web: www.theq3.com Whitepaper Best Practices for Securing Your Backup Data BOSaNOVA Phone: 866-865-5250 Email: info@theq3.com Web: www.theq3.com DATA PROTECTION CHALLENGE Encryption, the process of scrambling information

More information

Medical Information Breaches: Are Your Records Safe?

Medical Information Breaches: Are Your Records Safe? Medical Information Breaches: Are Your Records Safe? Learning Objectives At the conclusion of this presentation the learner will be able to: Recognize the growing risk of data breaches Assess the potential

More information

The True Story of Data-At-Rest Encryption & the Cloud

The True Story of Data-At-Rest Encryption & the Cloud The True Story of Data-At-Rest Encryption & the Cloud by Karen Scarfone Principal Consultant Scarfone Cybersecurity Sponsored by www.firehost.com (US) +1 844 682 2859 (UK) +44 800 500 3167 twitter.com/firehost

More information

CYBERSECURITY IN HEALTHCARE: A TIME TO ACT

CYBERSECURITY IN HEALTHCARE: A TIME TO ACT share: TM CYBERSECURITY IN HEALTHCARE: A TIME TO ACT Why healthcare is especially vulnerable to cyberattacks, and how it can protect data and mitigate risk At a time of well-publicized incidents of cybersecurity

More information

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst Clouds on the Horizon Cloud Security in Today s DoD Environment Bill Musson Security Analyst Agenda O Overview of Cloud architectures O Essential characteristics O Cloud service models O Cloud deployment

More information

Hot Topics in IT Security PREP#28 May 1, 2014. David Woska, Ph.D. OCIO Security

Hot Topics in IT Security PREP#28 May 1, 2014. David Woska, Ph.D. OCIO Security Hot Topics in IT Security PREP#28 May 1, 2014 David Woska, Ph.D. OCIO Security CME Disclosure Statement The North Shore LIJ Health System adheres to the ACCME s new Standards for Commercial Support. Any

More information

Fourth Annual Benchmark Study on Patient Privacy & Data Security

Fourth Annual Benchmark Study on Patient Privacy & Data Security Fourth Annual Benchmark Study on Patient Privacy & Data Security Sponsored by ID Experts Independently conducted by Ponemon Institute LLC Publication Date: March 2014 Ponemon Institute Research Report

More information

HIPAA Violations Incur Multi-Million Dollar Penalties

HIPAA Violations Incur Multi-Million Dollar Penalties HIPAA Violations Incur Multi-Million Dollar Penalties Whitepaper HIPAA Violations Incur Multi-Million Dollar Penalties Have you noticed how many expensive Health Insurance Portability and Accountability

More information

HIPAA Compliance Evaluation Report

HIPAA Compliance Evaluation Report Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

CONNECTED HEALTHCARE. Trends, Challenges & Solutions

CONNECTED HEALTHCARE. Trends, Challenges & Solutions CONNECTED HEALTHCARE Trends, Challenges & Solutions Trend > Remote monitoring and telemedicine are growing Digital technology for healthcare is accelerating. Changes are being driven by the digitization

More information

Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions

Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions Table of Contents Introduction... 3 1. Data Backup: The Most Critical Part of any IT Strategy...

More information

Managing data security and privacy risk of third-party vendors

Managing data security and privacy risk of third-party vendors Managing data security and privacy risk of third-party vendors The use of third-party vendors for key business functions is here to stay. Routine sharing of critical information assets, including protected

More information

Secure Data Transmission Solutions for the Management and Control of Big Data

Secure Data Transmission Solutions for the Management and Control of Big Data Secure Data Transmission Solutions for the Management and Control of Big Data Get the security and governance capabilities you need to solve Big Data challenges with Axway and CA Technologies. EXECUTIVE

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

Auditing Security: Lessons Learned From Healthcare Security Breaches

Auditing Security: Lessons Learned From Healthcare Security Breaches Auditing Security: Lessons Learned From Healthcare Security Breaches Adam H. Greene, J.D., M.P.H. Davis Wright Tremaine LLP Washington, D.C. Michael Mac McMillan CynergisTek, Inc. Austin, Texas DISCLAIMER:

More information

Internet threats: steps to security for your small business

Internet threats: steps to security for your small business Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential

More information

Customer Success Story. Central Logic. Comprehensive SRA helps healthcare software provider safeguard its customer s PHI and ensure HIPAA compliance.

Customer Success Story. Central Logic. Comprehensive SRA helps healthcare software provider safeguard its customer s PHI and ensure HIPAA compliance. Customer Success Story Central Logic Comprehensive SRA helps healthcare software provider safeguard its customer s PHI and ensure HIPAA compliance. Page 2 of 6 Central Logic Comprehensive SRA helps healthcare

More information

Strategies for. Proactively Auditing. Compliance to Mitigate. Matt Jackson, Director Kevin Dunnahoo, Manager

Strategies for. Proactively Auditing. Compliance to Mitigate. Matt Jackson, Director Kevin Dunnahoo, Manager Strategies for 1 Proactively Auditing HIPAA Security Compliance to Mitigate Risk Matt Jackson, Director Kevin Dunnahoo, Manager AHIA 32 nd Annual Conference August 25-28, 2013 Chicago, Illinois www.ahia.org

More information

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees HIPAA TRAINING A training course for Shiawassee County Community Mental Health Authority Employees WHAT IS HIPAA? HIPAA is an acronym that stands for Health Insurance Portability and Accountability Act.

More information

Business Communications for Healthcare

Business Communications for Healthcare Business Communications for Healthcare Today, many powerful business communication challenges face everyone in the healthcare chain including clinics, hospitals, insurance providers and any other organization

More information

Reducing the Cost and Complexity of Web Vulnerability Management

Reducing the Cost and Complexity of Web Vulnerability Management WHITE PAPER: REDUCING THE COST AND COMPLEXITY OF WEB..... VULNERABILITY.............. MANAGEMENT..................... Reducing the Cost and Complexity of Web Vulnerability Management Who should read this

More information

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA

More information

10 best practice suggestions for common smartphone threats

10 best practice suggestions for common smartphone threats 10 best practice suggestions for common smartphone threats Jeff R Fawcett Dell SecureWorks Security Practice Executive M Brandon Swain Dell SecureWorks Security Practice Executive When using your Bluetooth

More information

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH Andy Watson Grant Thornton LLP. All rights reserved. CYBERSECURITY 2 SURVEY OF CHIEF AUDIT EXECUTIVES (CAEs) GRANT THORNTON'S 2014 CAE SURVEY Data privacy and

More information

Privacy & Security: Fundamentals of a Security Risk Analysis. Preparing for Meaningful Use Measure 15

Privacy & Security: Fundamentals of a Security Risk Analysis. Preparing for Meaningful Use Measure 15 Privacy & Security: Fundamentals of a Security Risk Analysis Preparing for Meaningful Use Measure 15 1/18/2012 Why Are We Here? Privacy and Security is a priority for ONC Consistency among Regional Extension

More information

Deploying Firewalls Throughout Your Organization

Deploying Firewalls Throughout Your Organization Deploying Firewalls Throughout Your Organization Avoiding break-ins requires firewall filtering at multiple external and internal network perimeters. Firewalls have long provided the first line of defense

More information

THE TOP 5 WAYS TODAY S SCHOOLS CAN UPGRADE CYBER SECURITY. Public School Cyber Security is Broken; Here s How to Fix It

THE TOP 5 WAYS TODAY S SCHOOLS CAN UPGRADE CYBER SECURITY. Public School Cyber Security is Broken; Here s How to Fix It THE TOP 5 WAYS TODAY S SCHOOLS CAN UPGRADE CYBER SECURITY Public School Cyber Security is Broken; Here s How to Fix It COPYRIGHT 2015 isheriff, INC. SCHOOLS NEED TO UPGRADE CYBER SECURITY It s become a

More information

RETHINKING CYBER SECURITY Changing the Business Conversation

RETHINKING CYBER SECURITY Changing the Business Conversation RETHINKING CYBER SECURITY Changing the Business Conversation October 2015 Introduction: Diane Smith Michigan Delegate Higher Education Conference Speaker Board Member 2 1 1. Historical Review Agenda 2.

More information

A New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks. Alex Leemon, Sr. Manager

A New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks. Alex Leemon, Sr. Manager A New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks Alex Leemon, Sr. Manager 1 The New Cyber Battleground: Inside Your Network Over 90% of organizations have been breached

More information

Privacy Rights Clearing House

Privacy Rights Clearing House 10/13/15 Cybersecurity in Education What you face as educational organizations How to Identify, Monitor and Protect Presented by Jamie Gershon Sr. Vice President Education Practice Group 1 Privacy Rights

More information

Preemptive security solutions for healthcare

Preemptive security solutions for healthcare Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare

More information

Who Controls Your Information in the Cloud?

Who Controls Your Information in the Cloud? Who Controls Your Information in the Cloud? threat protection compliance archiving & governance secure communication Contents Who Controls Your Information in the Cloud?...3 How Common Are Information

More information

The 2014 Bitglass Healthcare Breach Report

The 2014 Bitglass Healthcare Breach Report The 2014 Bitglass Healthcare Breach Report Is Your Data Security Due For a Physical? BITGLASS REPORT Executive Summary When hackers break into U.S. hospital health records to steal patient data, it s a

More information

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance

More information

Assessing the Privacy and Security Risk of your Medical Device Inventory Bridget A. Moorman, MSBME, CCE. AAMI-ACCE, Denver, CO, USA June 2015

Assessing the Privacy and Security Risk of your Medical Device Inventory Bridget A. Moorman, MSBME, CCE. AAMI-ACCE, Denver, CO, USA June 2015 Assessing the Privacy and Security Risk of your Medical Device Inventory Bridget A. Moorman, MSBME, CCE AAMI-ACCE, Denver, CO, USA June 2015 Overview Data Breach and Security Survey Medical Device Data

More information

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual

More information

HIPAA: Bigger and More Annoying

HIPAA: Bigger and More Annoying HIPAA: Bigger and More Annoying Instructor: Laney Kay, JD Contact information: 4640 Hunting Hound Lane Marietta, GA 30062 (770) 312-6257 (770) 998-9204 (fax) laney@laneykay.com www.laneykay.com OFFICIAL

More information

I ve been breached! Now what?

I ve been breached! Now what? I ve been breached! Now what? THE AFTERMATH OF A BREACH & STEPS TO REDUCE RISK The number of data breaches in the United States in 2014 hit a record high. And 2015 is not looking any better. There have

More information

Cyber Threats: Exposures and Breach Costs

Cyber Threats: Exposures and Breach Costs Issue No. 2 THREAT LANDSCAPE Technological developments do not only enhance capabilities for legitimate business they are also tools that may be utilized by those with malicious intent. Cyber-criminals

More information

Secure Mobile. Mark Blatt MD Global HealthCare Strategy Intel Corporation January 2011

Secure Mobile. Mark Blatt MD Global HealthCare Strategy Intel Corporation January 2011 Secure Mobile Computing Mark Blatt MD Director Global HealthCare Strategy Intel Corporation January 2011 Breaches Cost the Enterprise Risks are Growing, Costs are Increasing Prevention the Best Solution

More information

AB 1149 Compliance: Data Security Best Practices

AB 1149 Compliance: Data Security Best Practices AB 1149 Compliance: Data Security Best Practices 1 Table of Contents Executive Summary & Overview 3 Data Security Best Practices 4 About Aurora 10 2 Executive Summary & Overview: AB 1149 is a new California

More information