CA Technologies Healthcare security solutions: Protecting your organization, patients, and information

agility made possible
Healthcare industry imperatives

Security, Privacy, and Compliance
HITECH/HIPAA requirements demand safeguarding of PHI or face serious penalties. There will be a greater need for audit, tracking, and reporting capabilities in IT systems that capture PHI.

Automation and Agility
Industry reforms will require IT departments to respond quickly to changing business needs, operate without service disruptions, and ensure high system and application performance using automated processes, further increasing the need for enhanced information security.

Data Availability
Clinical applications such as Electronic Health Records (EHRs) and Computerized Physician Order Entry (CPOE) are the lifeblood of health systems; they need to be available 24x7, perform according to SLAs and user expectations, and have proper security at all levels to prevent unauthorized user access and data distribution.

Cost Containment
As cost pressures mount, healthcare CIOs will take innovative approaches to reduce IT expenses, such as server and application consolidation, virtualization, sourcing, and cloud computing models. Maintaining PHI security and privacy across all environments will be paramount.

Are you prepared?
Healthcare information breaches are up more than 120% over the previous year, and 41% of hospitals now have 10 data breaches annually, according to the Spring 2010 National Survey of Hospital Compliance Executives. The recent release of the Ponemon Institute's Benchmark Study on Patient Privacy and Data Security indicates that Federal regulations have not improved the safety of patient records; 58% of organizations have little or no confidence in their ability to appropriately secure patient records. Additionally, 71% of healthcare organizations have inadequate resources and 69% have insufficient processes to prevent and detect patient data loss.
As Meaningful Use incentives drive healthcare providers to increase their reliance on electronic data, there is an urgent need to adequately secure and protect information. In addition, HITECH legislation enhances Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, mandating costly penalties for data breaches, and includes new Protected Health Information (PHI) disclosure regulations. While the use of technology among healthcare communities can make communication easier, aid the decision-making process, and help elevate the quality of patient care, all of the benefits of automation are offset if the availability and integrity of the patient data are compromised. Security breaches can have a negative effect on the organization's brand, credibility, and patient revenue. Patient care and life status can be affected if PHI is compromised or released. In order to realize the benefits of technology and to meet regulatory and compliance mandates, healthcare organizations must proactively plan for and implement strong safeguards to assure information is available when and where it is needed, while protecting it from unauthorized use and distribution.

The key questions that must be answered by all security solutions are:
- Who has access to which systems, applications, services, and information?
- Are they who they claim to be?
- What can they do with that access?
- What can they do with the information they obtained?
- What did they do when accessing the systems/information?
Driving the need for increased security

Interoperability
As healthcare organizations continually enhance the delivery and quality of patient care services, building health information systems that work together within and across organizational boundaries is a major imperative. Creating highly efficient systems that house and protect electronic records and data will enable organizations to accelerate the achievement of Meaningful Use criteria. Implementing a comprehensive information security program is required so organizations can achieve higher levels of interoperability and confidently meet HIPAA security and privacy requirements.

Mobility
While mobile technologies will have a major impact on patient care, mobility also increases the risk of PHI breaches. As more users rely on mobile devices for health care services, healthcare IT organizations must develop holistic enterprise security strategies and requirements to mitigate the risk of costly data breaches brought on by the consumerization of IT.

Connected Health
As efforts increase to deliver patient care where and when it is needed and to provide flexible opportunities for consumers to engage with clinicians and better self-manage their care, many readily available networking and mobile technologies will be deployed. As remote care increases, so does the potential for security breaches, enhancing the need for a well-planned security strategy.

Meeting user needs
Many constituents can benefit from increased interoperability, mobility, and connected healthcare. And while the benefits of storing electronic health records versus physical storage include lower costs, fewer errors, and more readily available medical records, there is an increased need to implement stronger security measures to protect patient information and to enable you to confirm that you are providing only authorized access to those healthcare professionals with a right to know.
Healthcare Executives
With the growing number of sophisticated and financially-driven security threats, healthcare executives need to proactively detect and prevent costly data breaches that can potentially damage an organization's brand and public image. Providing appropriate and secure access to medical records enables healthcare executives to bolster patient confidence, provide physicians with the information they need to provide top-level care, and enhance compliance with HIPAA and HITECH regulations.

Healthcare executives' needs include:
- Protecting the brand and image of the organization
- Preventing unauthorized access and malicious use of information

Physicians
With a keen focus on providing high quality patient care and reducing medical errors, physicians and their staff must be able to securely access, share, and update patient information and records. Providing physicians and their staff with role- and identity-based access to specific data and content will enhance the control and security of private information and allow physicians to securely collaborate with other physicians to solve complex clinical problems. The once isolated practitioner can now deliver better, timelier healthcare in a truly integrated fashion with help from a team of clinical partners.

Physicians need:
- Quick, secure, reliable, 24x7 access to patient information regardless of location
- Strong but convenient online authentication

Patients
Patients need to trust that their PHI is securely transported throughout the Health Information Exchange (HIE) and that they, a physician, or a healthcare facility can securely access their health records anytime, anywhere. In addition, enabling patients to become more proactive in their own healthcare by ensuring their access to secure PHI allows both physicians and patients to take a more active role in managing the patient's health state, while improving patient/physician communication and the overall quality, accuracy, and timeliness of the care provided.

Patients need:
- Quick, easy access to personal health records and diagnosis information
- Mobile access to medical records
- Confidence and trust that information is protected from unauthorized access and that physicians have the ability to access and share PHI with other practitioners
Proactively manage and mitigate security risks

Control Identities
Healthcare organizations must provide online access to resources to ever-increasing numbers and types of users. Managing these user identities, as well as governing what they can access based on their role, is a critical challenge from both a security and an efficiency standpoint.

Control Access
Controlling access to critical applications and systems is required not only for effective compliance, but also to protect shareholder value, customer information, and intellectual property. Without effective user authentication and access policy enforcement, improper access (either intentional or inadvertent) can have disastrous effects. There are three important areas to consider:
- Controlling access to web-based applications and services
- Controlling access of privileged users to information, applications, and services
- Advanced authentication

Protect your information with security solutions from CA Technologies
CA Technologies develops and delivers content-aware identity and access management solutions that help healthcare organizations find, classify, and control how information is used based both on user identity and on the content of the data, across physical, virtual, and cloud environments. Traditional Identity and Access Management (IAM) stops at the point of access, so organizations have less control. The CA Content-Aware IAM solution helps you control user identities and their access to key applications and information. But, unlike traditional IAM, it also controls what users can do with the information once they access it. In this way, CA Content-Aware IAM provides improved PHI security and protection compared to other IAM solutions.

We enable you to protect critical patient and business information in order to mitigate risks, comply with regulations, and enforce information use policies, giving you the ability and confidence to provide secure medical information to authorized users when and where they need it. Our security solutions and support of industry-related technologies help you ensure that all users have only the designated level of access rights to protected medical resources, and that those rights are enforced appropriately. Our solutions also help you automate costly and error-prone manual processes so you can lower administration costs and simplify your healthcare compliance audits.

With security solutions from CA Technologies, you can:
- Reduce risks and vulnerabilities with proactive controls for sensitive data
- Help improve patient, physician, and executive confidence by preventing data loss and information breaches

Control Information
Enforcement of access control over sensitive information is only the first step in a comprehensive approach to information security. Once users have gained legitimate access to this data, many organizations have little or no control over what those users can do with it. These organizations often are not fully aware of all the places their sensitive information is stored, and have no protection against the improper disclosure or theft of this information.

Business need | Capabilities
Control Identity: Manage and govern identities and what they can access based on their role | Identity Governance; Provisioning/On-boarding; User Activity and Compliance Reporting
Control Access: Control access to systems and applications across physical, virtual, and cloud environments | Privileged User Management; Web Access Management; Virtualization Security; Advanced Authentication; Fraud Prevention
Control Information: Find, classify, and control how information is used based on content and identity | Discovery & Classification; Data Policy Management; Content-aware IAM
"Our research shows that the healthcare industry is struggling to protect sensitive medical information, putting patients at risk of medical identity fraud and costing hospitals and other healthcare services companies millions in annual breach-related costs."
Dr. Larry Ponemon, chairman and founder, Ponemon Institute, November 2010

"Across the board, we are not spending enough on data security, and that tells me that IT is not quite an institutional priority. There is still a lot of work to do in the industry with regard to security."
Mac McMillan, chair of the HIMSS Privacy and Security Committee at the Chicago-based Healthcare Information Management Systems Society, March 2011

"The role of information technology has never been as important to the restructuring of the U.S. healthcare system as it is today."
HITRUST Leadership Roundtable 2011

Technologies supported

Identity Management and Governance
Identity management and governance controls what healthcare workers and patients can access based on their role. Clinicians with excessive privileges or entitlements can create chaos in a healthcare organization from a security, compliance, and liability standpoint. Identity management and governance not only control what users can access based on their role, but also how they use the data that they access. This capability can reduce excessive administrative resources as well as reduce security risk and simplify compliance. It is critical that all clinicians be assigned the proper role(s) for their function within the organization, and that they have only the proper access rights for that role. Therefore, ensuring that all users and roles comply with defined policy helps to protect critical electronic health and personal records from improper use. Ensuring role compliance through automated identity governance processes helps to protect this critical information.

Role compliance includes activities such as entitlements certification, role management, and privilege cleanup, all of which help to ensure that each user has only the proper access rights relevant to their role in the healthcare organization. By implementing role compliance, costs can be reduced while providing users with better service and reducing security exposure.

Strong Authentication
It is essential that each user is uniquely authenticated, and that the method used to authenticate each user is appropriate for the sensitivity of the information or application being accessed. For many environments, the traditional username and password do not provide adequate security, and strong (two-factor) authentication will be required. Strong authentication is critical for healthcare providers to protect PHI, achieve compliance, and avoid the potential reputational impacts of breaches of patient records.

Data Loss Prevention (DLP)
DLP detects and prevents unauthorized use of confidential healthcare data and provides a spectrum of remediation actions so that effective enforcement of information use policy can be achieved throughout the organization. DLP is designed to protect and control data-in-motion on the network and in the messaging system, data-in-use at the endpoint, and data-at-rest on servers and in repositories across the enterprise.

Web Single Sign-On (SSO)
Web Single Sign-On streamlines the log-on process with one sign-on sequence for fast access to patient data in multiple authorized applications and databases. This capability allows clinicians to easily access all the applications they need, thus allowing more timely patient care while potentially improving security levels by eliminating the temptation to write down or share passwords.
Enhancing the patient experience
Our security solutions enable your organization to enhance the patient experience by providing secure access to key medical information within and across systems and at the point of care.

Improve patient safety
Over the last decade patient safety has been in the spotlight. With secure and accurate records, physicians can administer tests and treatments, and medication can be administered accurately and in a timely way. Effective security controls also permit pharmacists to confirm information before dispensing and to comply with healthcare regulations, helping to ensure that the right doctor is administering the right medication to the right patient, regardless of healthcare setting or geographic location, based on secure access to the patient's data.

Improve patient satisfaction
The healthcare industry is extremely competitive; for organizational success and growth, focus must be placed on improving the patient experience. Secure information and access can impact overall satisfaction for a patient making the choice of future healthcare providers. Patients expect that their personal data is secure and accessible by their providers and healthcare organization. In addition, remote access to personal health information through a secure exchange is essential for a patient who is traveling and requires remote treatment.

Business benefits
CA Technologies can help your healthcare organization secure information and applications, as well as deliver new applications and services more quickly to your providers, payers, patients, and partners. These applications can provide a personalized and positive user experience, thereby strengthening users' satisfaction and helping you meet your organizational mission and goals. Additionally, CA Technologies enables safe access to your on-premise and cloud applications by extending security to the cloud. Our robust on-premise security solutions protect access to applications whether on premises or in the cloud. This combination of on-premise and cloud-based security services helps you protect your applications today and migrate to cloud applications at your pace.

Reduce risks and prevent security breaches
CA Technologies helps make certain that your critical electronic healthcare resources are protected, as well as helping to ensure that only properly authorized users and patients can access them, and only in approved ways. It allows security events to be logged and analyzed quickly to identify and remediate potential security, fraud, and compliance issues, including improper disclosure or use of sensitive medical and/or patient information.

Improve regulatory compliance
Your healthcare organization will have the tools necessary to support continuous compliance with HIPAA/HITECH and other federal and state regulations. With automated and centrally managed security capabilities, along with extensive auditing, your healthcare compliance efforts can become much simpler because you can more easily prove and validate the effective operation of your established security controls.

Reduce administrative expense and improve efficiency
Automation of security administrative processes, especially those related to managing the identities and access rights of practitioners, patients, and support staff, can enable significant operational efficiencies, reducing your overall IT costs. Automation can also help to improve user and management productivity, since less time has to be spent working with manual processes.
Protect your business, patients, and information
- Proactively secure sensitive information
- Prevent security breaches
- Control user identities and their access based on roles
- Reduce risks with strong privileged user management
- Enable business opportunities with Web access management
- Improve patient confidence by preventing data loss

The CA Technologies advantage
CA Technologies has been a leader in IT management for over 30 years, with hundreds of healthcare customers globally in the payer, provider, and pharmaceutical segments. Security solutions from CA Technologies deliver enhanced protection for your organization, information, and patients by controlling user identities, access, and usage of vital health and medical information. This important capability increases your overall security and helps prevent inappropriate breaches and use of your EHR, Personal Health Record (PHR), and Health Information Systems (HIS) data. And, our ability to support a wide variety of platforms (from distributed to mainframe) and deployment models (including cloud and virtualized environments) provides a consistent and secure platform across your healthcare IT environment, including emerging technologies. With CA Technologies, you can confidently and proactively implement a secure environment to protect sensitive information, avoid security breaches, improve patient confidence, and meet current and future compliance requirements.

Safeguard the relationship between provider, payer, patient, and partners
CA Technologies is actively involved with the Health Information Trust Alliance (HITRUST) and was one of the first organizations involved with the development of the HITRUST Common Security Framework (CSF), the most widely-adopted security framework in the U.S. healthcare industry. The CSF is the first IT security framework developed specifically for healthcare information that can be used by any and all organizations that create, access, store, or exchange personal health and financial information.

Copyright CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document "as is" without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised in advance of the possibility of such damages. CA does not provide legal advice. Neither this document nor any CA software product referenced herein shall serve as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, policy, standard, guideline, measure, requirement, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. You should consult with competent legal counsel regarding any Laws referenced herein.