1 A Fortrex Using Encryption and Access Control for HIPAA Compliance
2 Page 1 Introduction On January 25, 2013, the final HIPAA Omnibus Rule was published. It expanded to business associates the obligation to comply with certain administrative, technical and physical security controls found in HIPAA and HITECH. More than ever before, organizations have a heightened sense of responsibility and awareness to focus on securing their data. One of the most current topics being explored is encryption of data, followed by increased exercise of access control, logging and monitoring. Prompting these investigations is an organization s security risk analysis, which is a requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules. 1 As part of its comprehensive risk analysis, the organization must address whether encryption of data at rest, as an addressable implementation specification, (45 CFR (a)(2)(iv)), is reasonable, appropriate, and cost effective. Access controls, as required implementation specifications, must be implemented and must support the overall goal of the legislation to ensure the confidentiality, integrity, and availability of the protected health information. This paper has been prepared to present the complementary features of the Vormetric Data Security Platform to secure Personal Healthcare Information (PHI) data in accordance with the HIPAA implementation requirements. Fortrex s evaluation of the Vormetric Data Security Platform and its various security capabilities has revealed that Vormetric s platform is capable of supporting an organization s goals for achieving the encryption, access control, logging and monitoring technical requirements of HIPAA. Every organization is unique in its implementation of the administrative, technical, and physical security requirements of HIPAA. As such, carefully review the recommendations in this paper within the context of your existing or prospective environment. While this paper does not provide detailed instructions for how to configure Vormetric products within your environment, it provides the reader with product information and a roadmap for compliance to specific HIPAA regulations. Security professionals, covered entities, business associates, clearing houses, service providers, application developers, hardware manufacturers, and converged infrastructure vendors are working to address the increasing demands of privacy and security from the healthcare industry. Virtualization and cloud computing can create additional challenges in achieving compliance with HIPAA and HITECH, but does not inherently prevent compliance.
3 Page 2 HIPAA/HITECH/Omnibus Rule Summary This paper assumes the reader is familiar with HIPAA/HITECH (including relevant guidance publications). The regulation of protected health information began in 1996 with the passage of the Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPAA. Although the regulation envisioned robust protections, the regulatory requirements arguably outpaced the technological capabilities of many organizations at the time. Compliance lagged, as organizations struggled with requirements that were in dire need of clarification and technologies that could not address all of the mandates in the law. In 2009, however, a companion bill was passed that sought to clarify and tighten some of the requirements contained in HIPAA. The Health Information Technology for Economic and Clinical Health Act, or HITECH, provided a much needed update to HIPAA. Creating breach notification laws and a de facto requirement for encryption, the law sought to encourage the adoption of health information technology and to ensure the organizations handling or processing that data were taking appropriate steps to protect that data. HIPAA/HITECH applies to all organizations that store, process, or transmit Protected Healthcare Information (PHI). Under the recent Omnibus Rule, this includes merchants, service providers, payment gateways, data centers, and outsourced service providers. Although this paper specifically addresses HIPAA/HITECH compliance, the similar principles can be applied when implementing systems that comply with other privacy and security regulations, such as the Gramm-Leach-Bliley Act (GLBA), Sarbanes Oxley (SOX), Payment Card Industry (PCI), the Federal Information Security Management Act (FISMA) and so on. On Jan. 25, 2013, a set of final regulations, referred to as HIPAA Omnibus Rule, was published by the Department of Health and Human Services (HHS) to modify the HIPAA Privacy, Security, and Enforcement Rules to implement various provisions of the HITECH Act. This Omnibus Rule makes it necessary for business associates to comply with the HIPAA Security Rule and most provisions of the HIPAA Privacy Rule, and they are now directly liable for enforcement action and fines imposed by the U.S. Department of Health and Human Services (HHS). Business associates may also be selected for an audit by the Office of Civil Rights. Despite the clarifications contained in the HIPAA Omnibus Rule, many organizations still struggle to define their obligations under the law and to determine how to comply while maintaining fiscal responsibility and IT performance objectives. This paper offers some clarification on the requirements of HIPAA/HITECH with respect to the implementation of the Vormetric data protection platform for the protection of PHI. HIPAA/HITECH Requirements HIPAA is comprised of a set of rules that address the privacy, security, technical, administrative, organizational, and policy and procedure controls and implementation specifications related to PHI. The HITECH Act and Omnibus Rule enhanced enforcement of these rules. While all of these regulations have a variety of requirements, this paper focuses on the relevant portions of the legislation addressed by the Vormetric Data Security Platform. The HIPAA Security Rule implementation specifications are divided between required and addressable components. While required clearly requires the organization to fully implement the particular specification, what addressable means has been misinterpreted. The Department of Health and Human Services has provided guidance for addressable specifications in its HIPAA Administrative Simplification Regulation Text, March 2013: 2 When a standard adopted in , , , , or includes addressable implementation specifications, a covered entity or business associate must: (A) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and as applicable to the covered entity or business associate. The text goes on to state that the organization must either implement the specification if it is reasonable and appropriate, or implement an equivalent alternative measure, and document the security measures or justification accordingly.
4 Page 3 What is reasonable and appropriate? 45 CFR Section requires covered entities to perform an accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ephi). Managing these risks and ensuring that the proper security controls are in place are part of a good risk analysis, which is the basis for determining which controls are reasonable and appropriate within a given environment. The HIPAA Security Rule addresses the technical safeguards in 45 CFR Section It begins by requiring access controls for all systems that maintain ephi. It further requires that organizations restrict access to that data based on each user s need to know. The law requires that only those individuals, systems and applications that require the data in order to perform their job functions be provided access to ephi and to the systems that contain ephi. In order to further restrict access to ephi, HIPAA suggests that companies implement encryption and decryption procedures. At the time the law was under consideration, these technologies were considered to be addressable specifications. Combined with the requirement to perform a risk analysis, and implement controls deemed reasonable and appropriate, it is easy to see how the growth in technology was considered in the early writing of the rules. Specifically, the Security Rule required the following technical safeguards: Category Access Controls Audit Controls Integrity Person or Entity Authentication Transmissions Security Technology Unique User ID Emergency Access Procedures Automatic Log-off Encryption and Decryption Authenticate Electronic PHI Integrity Controls Encryption Required or Addressable Required Required Addressable Addressable Required Required Required Addressable Addressable Note that many of the requirements that were deemed addressable at the time, but were categorized that way because the technology was expensive, complex, or not widely available. The HIPAA Security Rule was scalable and allowed for companies to conduct a risk assessment to see if the requirement could be met with an alternative solution. Today, many of those addressable requirements, particularly encryption, are proven, widely available and provide more manageable protection than was the case in the late 1990s.
5 Page 4 Covered Entities and Business Associates - The Omnibus Rule On January 17, 2013, HHS announced changes to HIPAA to strengthen the required privacy and security protections for PHI. The Omnibus Rule expanded many of the requirements to business associates that create, receive, maintain, or transmit PHI, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties for a breach of PHI were substantially increased based on the level of negligence, with a maximum penalty of $1.5 million per violation. The changes also affected the HITECH Breach Notification requirements by clarifying when breaches of unsecured PHI must be reported to HHS. The Omnibus Rule went into effect on March 23, 2013, and compliance with the law was required as of September 23, HITECH Enforcement Provisions For several years after the adoption of HIPAA, enforcement of the law was minimal. The Enforcement Provisions of HITECH directly addressed the resulting lax compliance efforts by strengthening both the civil and criminal penalties associated with a violation of HIPAA. The Enforcement Rule delineates four categories of violations and their corresponding fines. The following table from the HITECH Act Enforcement Interim Final Rule demonstrates how organizations will be fined for failure to comply. HIPAA/HITECH enforcement actions fall under the purview of the Federal Trade Commission (FTC) and the Health and Human Services Office of Civil Rights (HHS OCR). Violation Category Did not know Reasonable Cause Willful Neglect Corrected Willful Neglect Not Corrected Each Violation $100 $50,000 $1,000 $50,000 $10,000 $50,000 $50,000 All Violations of Identical Provisions in a calendar year $1,500,000 $1,500,000 $1,500,000 $1,500,000 The HHS OCR is responsible for enforcing compliance with the Security and Privacy Rules among covered entities. The FTC issued the Health Breach Notification Rule on February 22, 2010 to require certain business not covered by HIPAA to notify customers when a breach of individually identifiable electronic health information has occurred. This rule enforces compliance among vendors or personal health records (PHRs), PHR-related entities, and third party service providers to PHRs. It is worth noting that HHS settled a case with a firm for $150,000 in December 2013 where it had identified that policies and procedures were needed to address breach notification provisions with HITECH.
6 Page 5 Overview of the Vormetric Data Security Platform Vormetric puts control in the health care administrator s hands by encrypting ephi and controlling which users and applications can access and view that data. The Vormetric Data Security Platform is a comprehensive and extensible platform for delivering data at rest security across physical, virtual, big data and cloud environments. It offers centralized policy management and data-centric security for a broad range of solutions. Vormetric Transparent Encryption Vormetric Application Encryption Structured Databases Big Data File and Volume Level Encryption Access Control Unstructured Files Applications Field Level Data Encryption Big Data Vormetric Key Management KMIP Compliant Oracle and SQL Server TDE Certificate Storage Splunk HP ArcSight IBM QRadar LogRhythm Vormetric Data Security Manager Physical Virtual Key and Policy Manager Figure 1: Vormetric Data Security Platform
7 Page 7 Data Security Manager The Vormetric Data Security Manager integrates key management, data security policy management, and audit log collection. This enables data security administrators to easily manage standards-based encryption across Linux, UNIX, and Windows operating systems in both centralized and geographically distributed physical, virtual and cloud environments. Clustering DSMs provides high availability and scalability to tens-of-thousands of protected servers. Figure 2: Controlling and Securing PII/PHI Data in the Cloud and On Premise In support of HIPAA/HITECH requirements, the DSM can enforce strong separation of duties by requiring the assignment of key and policy management to more than one data security administrator. In this manner, no one person has complete control over the security of data. The DSM is accessed from a secure web-management console, CLI or through APIs The DSM deployment is flexible because it is available as a physical or virtual appliance. The virtual appliance can be deployed on premise or in the cloud. Either deployment model can be used for compliance to the HIPAA/HITECH requirements. It s important to note that the DSM is the key and policy manager and ephi is never passed through it. The DSM is available in the following form factors: A hardware appliance, 2U rack-mountable, with FIPS Level 2 certification A hardware appliance, 2U rack-mountable, with integrated HSM, FIPS Level 3 certification A hardened virtual appliance, which can run on-premise or in the cloud As a service through AWS Marketplace.
8 Page 8 Vormetric Transparent Encryption Vormetric Transparent Encryption (VTE) enables data at rest encryption, privileged user access control and the collection of audit logs without re-engineering applications, databases or infrastructure. Vormetric Transparent Encryption requires file system agents that are installed above the file system logical volume layers. The agents perform the encryption, decryption, access control, and logging. The agents maintain a strong separation of duties on the server by encrypting files while leaving their metadata in the clear. This unique feature limits privileged users (i.e. root, system, cloud or storage administrators) from accessing data while preserving their ability to perform their day-to-day administrative responsibilities. Vormetric agents are installed on each server where data requires protection. The agents are specific to the OS platform and transparent to applications, databases (including but not limited to Oracle, IBM, Microsoft, Sybase, MySQL, and MongoDB), file systems, networks, and storage architecture. Privileged Users - _}?$%- :>> SA root user Approved Processes and Users John Smith 401 Main Street Encrypted Clear Text Vormetric Security Intelligence Logs to SIEM Database User Applica1on Database Allow/Block Encrypt/Decrypt Cloud Provider / Outsource Administrators DSM Vormetric Data Security Manager on Enterprise premise or in cloud virtual or physical appliance File Systems Storage Volume Managers Big Data, Databases or Files Encrypted - _}?$%- :>> Figure 3: Vormetric enforcing least privilege policies to privileged users Vormetric also provides security intelligence through its extensive auditing capabilities. These logs can be integrated with popular SIEM tools such as Splunk, HP Arcsight, IBM QRadar and others.
9 Page 9 How Vormetric Contributes to HIPAA Compliance HIPAA states that organizations should protect ephi through the implementation of encryption. Typically, various solutions are deployed to provide protection for different applications, data types and infrastructures this can prove to be very complex. For example, many environments have a variety of applications, file types, and even operating systems. While some types of data, such as credit card data or social security number that are in databases, can be readily located and protected, unstructured data frequently found in EMR s, medical images and other files dispersed across multiple environments can be more difficult to identify and protect. An additional challenge lies in controlling access to ephi, as IT administrators with no-need-to-know about the data have full access. The best way to meet these requirements is through data at rest encryption, access control and audit logs. Vormetric Data Security addresses the requirements in the HIPAA Security Rule while avoiding re-coding applications or cumbersome integration. Vormetric Data Security protects ephi by encrypting the information and controlling access to the data. Using policy-based encryption, Vormetric ensures that only authorized users and services can encrypt and decrypt the data. Encryption was first introduced by HIPAA as an addressable requirement. This meant that organizations were required to perform a risk analysis to determine if encryption was an appropriate control. If the same level of protection could be garnered through a different technology or process, then organizations had the ability to implement that compensating control. However, with the advent of the breach notification provisions in HITECH, deploying encryption is expected to become more critical. In fact, encryption provides a safe harbor to breach notification if, in the event of a compromise of ephi, the organization can state that the information has been rendered unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute. 3 Vormetric Data Security also overcomes the challenge of securing heterogeneous data types. Many encryption solutions provide protection only for structured data those that can be found in databases or in other easily identifiable data stores. The very definition of ephi renders many of those solutions moot. PHI is defined by HIPAA/HITECH as any information that is (a) created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse ; and (b) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. 4 This definition could include a vast array of different file types (audio files, graphic files, movies, etc) that reside in varying locations across a widely dispersed network environment. Perhaps most importantly, encrypting ephi offers a safe harbor in the event of a compromise. If the network or system that stores ephi is compromised, companies that have rendered the ephi unreadable, as per the HIPAA statute, are exempt from the notification requirements of HITECH. Restricting Access to ephi Vormetric Data Security enables compliance with HIPAA/HITECH access control requirements by offering organizations the ability to layer additional access control functionality beyond the native file system. Vormetric s access controls follow the least-privilege model, which denies any activity that has not been expressly permitted. Vormetric s access control capabilities allow authorized system level users to perform their intended functions while taking the ability to view cleartext away from these SysAdmins. The meta-data remains in clear text so SysAdmins still have the ability to manage the files as needed. Auditing Access to ephi A critical requirement is the ability to prove compliance to auditors by showing granular audit logs that track successful and failed data access to protected data. Proving compliance to auditors is easy with Vormetric s standards-based syslogs that capture successful and failed user and application data access with granular details. In addition, these logs are easily shared with Security Information and Event Management (SIEM) Systems to accelerate the detection of insider abuse, advanced persistent threats (APT), or the presence of a hacker attempting to access data.
10 Page 10 Vormetric Controls and Support Matrix The following table provides additional details on the specific HIPAA requirements which are met by the Vormetric Data Security Platform and Vormetric Transparent Encryption. The table only lists those requirements that were considered either applicable or supported, and not the entire HIPAA Rule. Unlisted controls were determined to be inapplicable to Vormetric. Health care providers, business associates and any other entities covered by the requirements of HIPAA and the Omnibus Rule should always consult with their own auditors or risk assessors to determine the scope of controls applicable to them. Table 1: Applicability of HIPAA/HITECH Controls to Vormetric Security Platform Risk Management: Good risk management processes include timely and informative reports that are available to the right people at the right time. Reporting should also draw upon data over time in seconds, minutes or months, so that trending of risk events can be managed. Some attacks slowly develop over time and good reporting and analytics are essential. The Vormetric Data Security Platform provides detailed security intelligence on who, what, when and how data was accessed. Vormetric provides logging of access at the File Systems level. All read/write requests to sensitive data are tracked with security compliant audit records. User controlled policies allow for monitoring of all access to sensitive data, including access by privileged users. Reporting tools provide the ability to analyze logs generated by the agents and DSM. In addition, policy can be set in the DSM to send alerts associated with activities that require special monitoring. Vormetric audit logs can be stored in the DSM or in an organization s SIEM system or other log collection solutions for trending and correlation. These audit logs can provide visibility and continuously monitor the risk of ephi or PII data being accessed in the environment. When these logs are used with a SIEM, it becomes quicker and easier to identify compromised accounts and malicious insiders (a)(1)(ii) Risk Analysis Risk Management Access Management: Access management should consist of authorization of users, de-registration of users, and strong authentication of the user. It is this point: the human-to-machine bridge that connects the unknown to the known in a technical environment. Encryption and control will not suffice to protect sensitive data unless the architecture includes an operations environment that controls insiders such as privileged users. In order to reduce the risk of a malicious administrator from compromising the protected data, Vormetric creates a management environment with strong separation of duties. A strong separation of management duties assures that no one person has complete control and ability to compromise security policies that are enforced by the Vormetric Data Security Platform.
11 Page 11 Vormetric s Data Security Platform requires administrators of the system to be authenticated using a unique user ID and password. The tasks an administrator can perform are dependent upon their administrator type and provide the necessary segregation of duties. In addition, the Vormetric Management Console can enforce strict password rules and timeout login sessions. Vormetric supports Access Management by adding a layer of access control on top of the native operating system access control. It also can harden the access control defined at the OS layer and prevent root administrators and privileged users from accessing or viewing ephi or PII data. The solution enables least privilege access without interfering with normal administrative operations. Vormetric can protect privileged users or any unintended users from viewing and accessing ephi and PII data using its encryption and access control methods. Vormetric provides the ability to create granular policies to control access, like who and what process can apply encryption keys to encrypt and decrypt ephi and PII data. Vormetric not only generates audit information for unintended direct access to ephi/pii data, it also generates audit information on operational functions such as login/logout, policy creation, deletion or edits, backups, and user administration. In addition, policy can be set in the DSM to send alerts associated with activities that require special monitoring. Integration with SIEM tools can also be used to generate alerts for providing integrity monitoring for ephi/pii data under its control (a)(4)(ii)(b,c) (a)(5)(ii)(c) (a)(2)(i) (a)(2),ii) (a)(2)(iii) (c)(1,2) Access Authorization and, Establishment, and Modification Login Monitoring Unique User ID Emergency Access Procedure Automatic Logoff Integrity and authenticity of ephi Encryption, Decryption: Data that has been encrypted is generally accepted as unreadable during that state. While not specifically required by HIPAA, some organizations require that data be encrypted to meet certain standards. Some organizations even go so far as to provide safe harbor to their partners when data remains in the encrypted state. Vormetric supports file level and volume level encryption that expands encryption beyond a single file or a database column. Vormetric manages access to the encrypted data independent from the operating system s access control. While integrated with a customer s LDAP or Active Directory for authentication, access to decrypted data is based upon rules managed and administered within the Vormetric Data Security Manager. Cryptographic keys are not tied to user accounts, but are contained within the Vormetric system. Vormetric performs the encryption/decryption functions, as opposed to granting authorized and authenticated users access to the key. See the following requirement for Key Management.
12 Page (a)(2)(iv) (e)(2)(ii) (e)(2)(i) (c)(2) Encryption and Decryption Encryption Integrity Mechanism to authenticate electronic health information (not altered or destroyed) Key management: Considered to be the keys to the kingdom, effective key management and protection must be demonstrated to support the encrypted state of data. The user must document the key-management processes used within their organization and ensure that key custodians understand and acknowledge their responsibilities. Vormetric ensures cryptographic keys are centrally generated and stored by the Data Security Manager. The actual keys are never visible to anyone, including key custodians or systems administrators. Vormetric restricts access to keys and key management activities by managing access within the Vormetric Data Security Manager, which decouples access rights from central access managements systems such as Active Directory, thus restricting access by privileged users such as system administrators and root unless explicitly granted within Vormetric s Data Security Manager. The Vormetric s Data Security Manager (DSM) architecture is designed for strong key management using a secure web management console: Cryptographic keys are centrally generated by the Data Security Manager appliance and are fully compliant with FIPS standards. Clear text keys never leave the DSM. When keys are distributed to agents, they are encrypted with a onetime-use AES 256 key and sent over a mutually authenticated TLS connection. Manual clear-text cryptographic key management is not required by Vormetric. Custodians can create keys, but key values are not visible to the custodian. DSM protects keys from any one person having access to key material by following a no knowledge and configurable split knowledge/dual control policies. Access control policies defined within the DSM control access to key creation and other key management activities, restricting access to authorized key custodians only. The Data Security Manager supports an m of n sharing scheme for backing up keys. A specific number of shares must be provided in order to restore the encrypted contents of the Data Security Manager archive into a new or replacement Data Security Manager.
13 Page 13 Vormetric encrypts the data encryption keys with an AES 256-bit key. This encrypted key is stored securely on the Data Security Manager (DSM), which is separate from the location where the data encryption key is used. If the option to cache data encryption keys on the local server is selected, in order to eliminate network latency, the local keys are also encrypted with an AES 256-bit key. Vormetric also offers an option that stores the keys within a secure cryptographic device known as a host security module (HSM).) (a)(2)(iv) (e)(2)(i) Encryption and Decryption Integrity Controls Logging Audit Controls: If not encrypted, and/or during the unencrypted state of data where it is human readable, it is required that data that has been read, accessed, or altered by a human must be tracked to create an audit trail. Logging of access to data must be retained. This logging of access can apply to: user access/network program access/application layer database administrator access third party access management review of logs Vormetric provides logging of access at the File Systems level. All read/write requests to sensitive data is tracked with compliant audit records. User controlled policies allow for monitoring of all access to sensitive data, including access by privileged users. Reporting tools provide the ability to analyze logs generated by the agents and DSM. In addition, policy can be set in the DSM to send alerts associated with activities that require special monitoring. Vormetric audit logs can be stored in the DSM or in an organization s SIEM system or other log collection solutions. Vormetric provides a detailed auditing at the File System level, by generating audit entries that include: Username and group membership. Type of event. Date and time. Success or failure indication. In the case of a permitted action, the event data also includes whether the access was to clear text or to encrypted data. Origination of the event. Host and the full path to the file that was the target of the access request.
14 Page 14 Vormetric Security Platform generates log reports for monitoring of daily activity. Vormetric generates audit information for unintended direct access to PHI/PII data and can be configured to generate alerts thus providing integrity monitoring for PHI/PII data under its control. The DSM can be configured to synchronize with an NTP server for accuracy of date/time (b) Audit Controls Monitoring: To support ongoing monitoring of access to PHI/PII, organizations are required to ensure that access to PHI/PII data is appropriate. This access review will include not only the direct access obtained by care givers, but it may also include system-based access. Vormetric provides logging of access at the File Systems level. All read/write requests to sensitive data is tracked with compliant audit records. User controlled policies allow for monitoring of all access to sensitive data, including access by privileged users. Reporting tools provide the ability to analyze logs generated by the agents and DSM. In addition, policy can be set in the DSM to send alerts associated with activities that require special monitoring. Vormetric audit logs can be stored in the DSM or in an organization s SIEM system or other log collection solutions (a)(1)(ii)(d) Information System Activity Review Security Incident Management: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. Vormetric supports this requirement by providing detailed logging of access at the File Systems level. All read/write requests to sensitive data is tracked with compliant audit records. User controlled policies allow for monitoring of all access to sensitive data, including access by privileged users. Reporting tools provide the ability to analyze logs generated by the agents and DSM. In addition, policy can be set in the DSM to send alerts associated with activities that require special monitoring. The audit records contain information to track access back to a host machine, directory, file or resource accessed, specific user, user group, policy invoked, application and time. Vormetric audit logs can be stored in the DSM or in an organization s SIEM system or other log collection solutions.
15 Page (a)(6)(ii) Response and Reporting Disaster Recovery Plan, Data Backup Plan: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ephi. Although the Data Security Manager does not store the ephi/pii data directly on its system, the Vormetric Data Security Platform supports the ability to securely backup the configurations of the DSM for disaster recovery, as well as the ability to configure the solution in a High Availability configuration. High-availability clustering configurations can span across Local Area Networks (LAN) or across geographies over Wide Area Networks (WAN). This clustering capability ensures high availability, fault tolerance, and load balancing across hardware DSMs or virtual machine DSM instances. Back up of data encryption keys, policies, administrator accounts, and agent settings are easily and securely archived offline. For additional security, these archives are encrypted with a Backup Encryption Key that is split into parts and distributed to a configurable number of custodians. This approach ensures the Vormetric Data Security Manager configuration is archived, but no single administrator can make use of the archive to exploit its contents. Since the agents run independently, even loss of connection to the DSM will not take data offline. All encryption and access policies will remain intact and active to assure business continuity until network access is restored. In the case of a DSM hardware failure, the DSM cluster will continue to operate and a bare metal DSM replacement is fast and easy to accomplish. The DSM uses an n of m sharing scheme where a secret is generated in m parts, or shares. A specific number of shares (n) must be provided in order to access the DSM and perform a DSM backup or restore operation. For example, a secret can be divided into six shares (m) and six individuals each receive one share. The required number of shares (n) can be set to three. This requires any combination of three of the six individuals to provide their shares before an administrator can perform a DSM backup or restore operation (a)(7)(i) Contingency Plan Removable media support: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. While Vormetric does not directly apply to the specific tenets of this requirement, data that is copied outside of authorized processes controlled via Vormetric Policies would be encrypted and unusable. While not directly supporting this requirement, Vormetric supplements other controls introduced to render retired hard drives or removable media unreadable. Should data not be adequately cleaned from media, the data will not be viewable unless the Vormetric Data Security Manager is available to authorize the decryption of the data on that media.
16 Page (d)(1) Device and Media Controls Security Reminders: Organizations should receive periodic security updates. Vormetric supports this requirement differently depending on whether a customer wants security reminders directly related to the Vormetric product or to the data that it protects. Vormetric customers can sign up for updates and alerts related to the Vormetric Data Security Platform. The Vormetric solution has the ability to alert on critical events such as unauthorized access to ephi/pii data that is protected by Vormetric Transparent Encryption. The log information can be stored local or integrated with 3rd party SIEM tools for further correlation, analysis and alerting (a)(5)(ii)(a) Security Reminders
17 Page 17 Conclusion With the passage of HITECH in 2009, the requirement to protect ephi became much more than a paper tiger, as HIPAA has sometimes been described. Long on mandates and short on enforcement capability, HIPAA failed to drive compliance in the way that the regulators had envisioned. However, with the notification requirements and the enforcement provisions of HITECH, adoption has become a critical objective for covered entities and business associates. Despite the clear mandate from the regulators, however, compliance is still complex and can be burdensome. Vormetric Data Security, however, allows organizations to meet compliance in a timely, cost-effective manner with little administrative overhead, protecting sensitive patient information while still allowing organizations to meet both their data security and business objectives. About Vormetric Vormetric is the industry leader in data security solutions that span physical, virtual and cloud environments. Data is the new currency and Vormetric helps over 1300 customers, including 17 of the Fortune 25 and many of the world s most security conscious government organizations, to meet compliance requirements and protect what matters their sensitive data from both internal and external threats. The company s scalable Vormetric Data Security Platform protects any file, any database and any application anywhere it resides with a high performance, market-leading data security platform that incorporates application transparent encryption, privileged user access controls, automation and security intelligence. For more information, please visit: About Fortrex Technologies, Inc. Founded in 1997 Fortrex Technologies, Inc. has been a market leader in providing IT Governance, Risk, and Compliance Advisory services and solutions to over 1,000 customers in various industry sectors. Fortrex Technologies corporate mission is to be our clients long-term, trusted security and risk management advisor by ensuring the confidentiality, integrity, and availability of their data and systems through the provision of world-class, enterprise-wide information security services and solutions. At Fortrex, we believe that our unique differentiator is the team of individuals who are committed to a set of corporate values. These values, Integrity, Excellence, Empowerment, Teamwork and Thankfulness, are the foundation of all Fortrex relationships, including those with our employees, customers and vendors. References & Resources 1: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules: 2: The HIPAA Administrative Simplification Regulation Text - March : US Department of Health and Human Services, Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals 4: Copyright 2014 Fortrex. All rights reserved. Fortrex is a registered trademark of Fortrex Technologies. All other trademarks are the property of their respective owners. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise, without prior written consent of Fortrex.
HIPAA and HITECH Compliance Simplification Sol Cates CSO @solcates firstname.lastname@example.org Quick Agenda Why comply? What does Compliance look like? New Cares vs Rental Cars vs Custom Cars Vormetric Q&A Slide
Vormetric Encryption Architecture Overview Protecting Enterprise Data at Rest with Encryption, Access Controls and Auditing Vormetric, Inc. 2545 N. 1st Street, San Jose, CA 95131 United States: 888.267.3732
A COALFIRE WHITE PAPER Using Encryption and Access Control for PCI DSS 3.0 Compliance in AWS Implementing the Vormetric Data Security Platform in a Payment Card Environment running in Amazon Web Service
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human
Meeting Technology Risk Management (TRM) Guidelines from the Monetary Authority of Singapore (MAS) How Financial Institutions Can Comply to Data Security Best Practices Vormetric, Inc. 2545 N. 1st Street,
Privacy Compliance Healthcare Compliance Solutions Trust and privacy are essential for building meaningful human relationships. Let Protected Trust be your Safe Harbor The U.S. Department of Health and
HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better
Partner Addendum Vormetric Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard The findings and recommendations contained in this document are provided by VMware-certified
Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud 1 Contents The Obligation to Protect Patient Data in the Cloud................................................... Complying with the HIPAA
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. email@example.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
Cloud Data Security Sol Cates CSO @solcates firstname.lastname@example.org Agenda The Cloud Securing your data, in someone else s house Explore IT s Dirty Little Secret Why is Data so Vulnerable? A bit about Vormetric
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both.
CENTRIFY WHITE PAPER Windows Least Privilege Management and Beyond Abstract Devising an enterprise-wide privilege access scheme for Windows systems is complex (for example, each Window system object has
HIPAA Audit Processes Erik Hafkey Rainer Waedlich 1 Policies for all HIPAA relevant Requirements and Regulations Checklist for an internal Audit Process Documentation of the compliance as Preparation for
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed
Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
Vormetric Data Security Platform Applicability Guide F O R P A Y M E N T C A R D I N D U S T R Y ( P C I ) P A R T N E R A D D E N D U M Vormetric Addendum to VMware Product Applicability Guide FOR PAYMENT
Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)
7 Security Standards: Implementation for the Small Provider What is the Security Series? The security series of papers provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule
Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement
VORMETRIC CLOUD ENCRYPTION GATEWAY Enabling Security and Compliance of Sensitive Data in Cloud Storage Vormetric, Inc. 2545 N. 1st Street, San Jose, CA 95131 United States: 888.267.3732 United Kingdom:
Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring
Can You be HIPAA/HITECH Compliant in the Cloud? Background For the first 10 years of its existence, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was a toothless tiger. Although
White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA
The CIO s Guide to HIPAA Compliant Text Messaging Executive Summary The risks associated with sending Electronic Protected Health Information (ephi) via unencrypted text messaging are significant, especially
CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According
MAX Insight Whitepaper An Effective MSP Approach Towards HIPAA Compliance An independent review of HIPAA requirements, detailed recommendations and vital resources to aid in achieving compliance. Table
Implementing HIPAA Compliance with ScriptLogic A ScriptLogic Product Positioning Paper By Nick Cavalancia 1.800.424.9411 www.scriptlogic.com Table of Contents INTRODUCTION... 3 HIPAA BACKGROUND... 3 ADMINISTRATIVE
Publication Date: Jan 27, 2015 8815 Centre Park Drive, Columbia MD 21045 HIPAA About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized
HIPAA COMPLIANCE AND DATA PROTECTION email@example.com +39 030 201.08.25 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and EagleHeaps
1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad
Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &
SECURING SENSITIVE DATA WITHIN AMAZON WEB SERVICES EC2 AND EBS The Challenges and the Solutions Vormetric, Inc. 2545 N. 1st Street, San Jose, CA 95131 United States: 888.267.3732 United Kingdom: +44.118.949.7711
Securing and protecting the organization s most sensitive data A comprehensive solution using IBM InfoSphere Guardium Data Activity Monitoring and InfoSphere Guardium Data Encryption to provide layered
Security Survey 2009: Privileged User Management It s Time to Take Control Frequently Asked Questions and Background What is a privileged user? A privileged user is an individual who, by virtue of function,
HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance
An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security
V O R M E T R I C W H I T E P A P E R Protecting Data at Rest with Vormetric Data Security Expert Deploying Encryption and Access Control to Protect Stored Data Across the Enterprise Enterprise Information
HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record
Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance
ELECTRONIC HEALTHCARE NETWORK ACCREDITATION COMMISSION (EHNAC) Healthcare Management Service Organization Accreditation Program (MSOAP) For The HEALTHCARE INDUSTRY Version 1.0 Released: January 2011 Lee
How Managed File Transfer Addresses HIPAA Requirements for ephi 1 A White Paper by Linoma Software INTRODUCTION As the healthcare industry transitions from primarily using paper documents and patient charts
Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
SOLUTION OVERVIEW: ALERT LOGIC FOR HIPAA COMPLIANCE AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE Alert Logic provides organizations with the most advanced and cost-effective means to secure their healthcare
AlienVault for Regulatory Compliance Overview of Regulatory Compliance in Information Security As computers and networks have become more important in society they and the information they contain have
THE DATA PROTECTIO TIO N COMPANY Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption whitepaper Executive Summary Long an important security measure, encryption has
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
efolder White Paper: HIPAA Compliance October 2014 Copyright 2014, efolder, Inc. Abstract This paper outlines how companies can use certain efolder services to facilitate HIPAA and HITECH compliance within
HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various
WHITE PAPER HIPAA-Compliant Data Backup and Disaster Recovery DOCUMENT INFORMATION HIPAA-Compliant Data Backup and Disaster Recovery PRINTED March 2011 COPYRIGHT Copyright 2011 VaultLogix, LLC. All Rights
Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy
The Imperva Story Who We Are Imperva is the global leader in data security. Thousands of the world s leading businesses, government organizations, and service providers rely on Imperva solutions to prevent
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
Page 1 Securing Sensitive Data within Amazon Web Services EC2 and EBS Challenges and Solutions to Protecting Data within the AWS Cloud Vormetric, Inc. 2545 N. 1st Street, San Jose, CA 95131 United States:
MAX Insight Whitepaper HIPAA Hardening & Configuration Guide for MSP s Detailed advice and recommendations on how to properly setup and configure the MAXfocus product platform for usage within HIPAA compliancy
Vormetric Data Security Platform Data Sheet The makes it efficient to manage data-at-rest security across an entire organization. The Vormetric Data Security Platform is a broad set of products that share
FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher
Four Best Practices for Passing Privileged Account Audits October 2014 1 Table of Contents... 4 1. Discover All Privileged Accounts in Your Environment... 4 2. Remove Privileged Access / Implement Least
itrust Medical Records System: Requirements for Technical Safeguards Physicians and healthcare practitioners use Electronic Health Records (EHR) systems to obtain, manage, and share patient information.
M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice
Security management solutions White paper IBM Tivoli and Consul: Facilitating security audit and March 2007 2 Contents 2 Overview 3 Identify today s challenges in security audit and compliance 3 Discover
Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security
Meaningful Use and Core Requirement 15 How can I comply the lack of time and staff... www.compliancygroup.com 1 Meaningful Use and Core Requirement 15 Meaningful Use Protection of Protected Health Information
How to Ensure your Email and Other ephi are HIPAA Compliant How to Ensure Your Email and Other ephi Are HIPAA Compliant Do you know if the patient appointments your staff makes by email are compliant with
Meeting HIPAA Compliance with EventTracker The importance of consolidation, correlation and detection Enterprise Security Series White Paper 8815 Centre Park Drive Published: September 18, 2009 Columbia
ADVANCED INTERNET TECHNOLOGIES, INC. https://www.ait.com Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance Table of Contents Introduction... 2 Encryption and Protection
HIPAA Matrix Hardware : 164.308(a)(1) Management Process =Required, =Addressable Risk Analysis The Covered Entity (CE) can store its Risk Analysis document encrypted and offsite using EVault managed software
Alliance Key Manager Solution Brief KEY MANAGEMENT Enterprise Encryption Key Management On the road to protecting sensitive data assets, data encryption remains one of the most difficult goals. A major
HIPAA: Compliance Essentials Presented by: Health Security Solutions August 15, 2014 What is HIPAA?? HIPAA is Law that governs a person s ability to qualify immediately for health coverage when they change
Introduction Per UCSC's HIPAA Security Rule Compliance Policy 1, all UCSC entities subject to the HIPAA Security Rule ( HIPAA entities ) must implement the UCSC Practices for HIPAA Security Rule Compliance
Debunking The Myths of Column-level Encryption Vormetric, Inc. 888.267.3732 408.433.6000 firstname.lastname@example.org www.vormetric.com Page 1 Column-level Encryption Overview Enterprises have a variety of options
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s