Data Security in a Mobile, Cloud-Based World

Transcription

1 Data Security in a Mobile, Cloud-Based World Jacob Buckley-Fortin CEO ehana What we ll cover Trends Risks Recommendations 1

2 Trends Mobile Has Taken Over Trend #1 2

3 3

4 450 million users worldwide Adopted primarily outside of the U.S. More messages sent than SMS worldwide More photos sent than Facebook $19,000,000,000 Acquisition price by Facebook 2/19/2014 4

5 5

6 6

7 7

8 8

9 The Cloud is Taking Over Trend #2 What is the Cloud? 9

10 Services Delivered Over the Internet Three Key Service Models Infrastructure as a Service (IaaS) Platforms as a Service (PaaS) Software as a Service (SaaS) 10

11 Infrastructure as a Service Replaces physical devices you would normally host Virtual Servers Virtual Storage Virtual Network Equipment Platform as a Service Hosted Application Program Interfaces (APIs) Development environments Mapping APIs Telephony APIs 11

12 Software as a Service Hosted software delivered over the Internet Productivity Software Electronic Health Records Customer Relationship Management Helpdesk Human Resources General Ledger Enterprise Resource Planning Appointment Reminders Other things Benefits of the Cloud Speed Cost (expense vs. asset) Scale Updates Security (reduced on-device storage) 12

13 Google Apps for Nonprofits Google Vault 13

14 SaaS vs. Legacy Stock Performance 14

15 Software is Eating the World Marc Andreessen Today every company is, in some form, a software company. 15

16 Industrial Economy HQ-Oriented, processcentric workplace Analog products, onesize-fits-all System-centric backoffice IT Information Economy Distributed, mobile, dynamic, agile workplace Digital, smart, predictive products User-centric, simple frontoffice IT Compliance Trend #3 16

17 Security Laws HIPAA (and HITECH/HIPAA) FTC Act section 5 (unfair and deceptive practice) State breach laws State information security laws (201 CMR 17 is the strictest in the country) State-specific laws for specific medical conditions Protected Health Information 1. Names; 2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code; 3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older; 4. Phone numbers; 5. Fax numbers; 6. Electronic mail addresses; 7. Social Security numbers; 8. Medical record numbers; 9. Health plan beneficiary numbers; 10. Account numbers; 11. Certificate/license numbers; 12. Vehicle identifiers and serial numbers, including license plate numbers; 13. Device identifiers and serial numbers; 14. Web Universal Resource Locators (URLs); 15. Internet Protocol (IP) address numbers; 16. Biometric identifiers, including finger and voice prints; 17. Full face photographic images and any comparable images; and 18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data) 17

18 State Standards MA P.I.I. A Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) Driver's license number or state-issued identification card number; or (c) Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident s financial account HIPAA BAAs all the way down 18

19 Big vendors will now sign BAAs Beware of service limitations 19

20 Risks Reviewed mandatory breach reporting data breaches > 500 individuals` 20

21 21

22 Theft + Loss = 82% of records Electronic Media = 96% of records 22

23 23

24 Breach Notification U.S. states have 47 breach notice laws HIPAA is the only federal breach notice law, and it only applies to HIPAA CEs and BAs HIPAA breach standard was tightened in 2013 Risk analysis required if not reporting Breach Notification Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted which compromises the security or privacy of the PHI Breach response often involves staggering cost and distraction Breach notices often trigger penalties and lawsuits 24

25 Breach Notification Requires immediate notification of Federal Gov t > 500 individuals affected Annual notification < 500 individuals Notification to a major media outlet Listed on public website ( public shaming ) Individual notification to patients Penalties range from $10,000 - $1.5M De-identification of PHI/PII 25

26 Recommendations DLP: Data Loss Prevention 26

27 Safe Harbor - Algorithmic Process The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key 45 CFR

28 ENCRY - PTION FULL 28

29 DISK ENCRY - PTION 29

30 FULL DISK 30

31 ENCRY - PTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION FULL DISK ENCRYPTION 31

32 HIPAA Safe Harbor No breach reporting 32

33 Supported by all 4 major Operating Systems Control Panel > System and Security Microsoft Bitlocker Windows Vista, 7, 8 (Pro) Transparent operation TPM, USB, PIN 33

34 OS X FileVault OS X Transparent operation Preferences > Security & Privacy Android Encrypt Phone Android 3.0+ Transparent operation Requires PIN Settings > Security 34

35 iphone + ipad ios 3.0+ Just use a PIN Settings > General > Passcode Lock Touch ID Same as a PIN, even more secure 35

36 Unless you have 3 rd party software Windows XP, 2000 laptops OS X before 10.3 Panther Android 2.X Phones/Tablets Original iphones may be at risk! So, about Windows XP Security updates, support have ended Windows XP machines storing PHI are likely not HIPAA compliant It is strongly suggested that you have a migration plan at least don t use Internet Explorer 36

37 Required by 201 CMR (5) Encryption of all personal information stored on laptops or other portable devices Require Full Disk Encryption Recommendation #1 37

38 Create BYOD Policies Recommendation #2 Bring Your Own Device (BYOD) 68% CIOs support BYOD in some form 46% enforce device security Concerns: Lost & stolen devices (78%), corporate information on personal cloud storage (36%) Company information on personal devices is a done deal InformationWeek Mobile Security Survey, 4/

39 When strong winds blow, don t build walls but rather windmills. Nassim Taleb 39

40 Bring Your Own Device (BYOD) Technical Approach (MDM) Roles & Responsibilities Users Purchasing Helpdesk Training Privacy of user data Security Transmission At-rest Plans & Carriers Apps Asset Tracking Incentives BYOD Agreements Determines eligibility Defines reimbursement levels Explains security considerations Defines acceptable use Sets support expectations Notifies of remote wipe policy 40

41 Implement Mobile Device Management (MDM) Recommendation #3 Mobile Device Management (MDM) Management tools for mobile devices On-Premises or SaaS 41

42 MDM Enrollment Text message Web address MDM Security Require device encryption Require passcodes & enforce policies Install VPN 42

43 MDM Workflow Install apps Add Wifi Passwords Install accounts Limit sharing of corporate resources Add bookmarks MDM Device Management Remove corporate assets when employee leaves Wipe device if stolen/lost 43

44 Two-Factor Authentication 44

45 Unified Threat Management (UTM) Recommendation #4 45

46 Components of UTM Firewall Intrusion Prevention Antivirus / Antispam VPN Content Filtering DLP strategies Examples Prevent use of USB sticks Implement web filtering Dropbox, Google Drive, etc. Review Instant Messaging, filters, secure Use VPN, Citrix, remote access to EHR Automate Patch management/malware/spyware scanning Deploy OpenDNS, etc. 46

47 Remember: Mobile & Cloud Security is Just Security Develop written infosec plan Assign Security & Privacy officer Lock out terminated employees Manage 3 rd -parties Restrict physical access to PHI Document incidents & breaches Use Single Sign-On Password complexity & resets Block after multiple attempts Encrypt data in transit (especially over wifi) Monitor systems Use firewalls Educate and train employees on computer security 47

48 HHS Resources healthit.gov/mobiledevices Q&A Jacob Buckley-Fortin ehana 48