future proof data privacy
- Dora Lamb
- 8 years ago
2809 Telegraph Avenue, Suite 206, Berkeley, California
leapyear.io

Copyright 2015 LeapYear Technologies, Inc. All rights reserved. This document does not provide you with any legal rights to any intellectual property in any LeapYear product. You may copy and use this document for your internal, reference purposes.
Introduction

Big data analytics present a well-documented opportunity: organizations can make more profitable and more informed business decisions, and individuals can enjoy higher-quality services and easier, healthier lives. These broad benefits are tempered by complex challenges associated with the usage of personal data. Careless or malicious use of financial information, medical records, location history, and other sensitive information can "eclipse longstanding civil rights protections in how personal information is used in housing, credit, employment, health, education, and the marketplace," according to a 2014 White House report on big data analytics [1]. However, the amount of personal data collected continues to grow at a breakneck pace, driven by competitive pressures. As a result, privacy protection is a moving target that many corporations and governments fail to hit, with expensive consequences.

In 2014, over a billion personal records were breached, an increase of 78% from the previous year [2]. Organizations such as JPMorgan Chase, Home Depot, and eBay suffered high-profile data breaches that compromised the privacy of millions. The business consequences of these breaches have been dramatic. Following a data breach, major retailers have reported experiencing a drop in sales of between 2% and 6%, on top of costs incurred through lawsuits, government fines, IT investments, or rebranding efforts [3]. Consumers have begun dramatically changing their spending habits to ensure that their personal information remains private: according to a 2013 report by Radius Global Market Research, more than 75% of internet users surveyed said they would stop doing business with a company if they felt their privacy was violated, and 51% said they'd already stopped buying from certain retailers out of concern for the privacy of their data [4].
To limit potential damages and encourage better management of data, government regulations have been established in every information-driven industry: HIPAA, HITECH, FINRA, GLBA, PCI, FERPA, FACTA, and the EU Data Privacy Act, to name a few. However, these regulations severely burden business operations by restricting the collection, usage, and sharing of data. Healthcare privacy regulations in particular have had a very damaging effect on research and analysis, especially in public health research and genomics. Researchers report that one out of every three dollars budgeted for clinical research is spent on regulatory compliance, and the IDC Digital Universe Report estimates that less than 10% of useful health data is currently utilized for research and analysis [5][6]. The value of data is compromised across industries by privacy concerns, limiting business applications such as market research, quality assessment, and resale of valuable data.

The regulatory approach to protecting privacy also fails to account for new advances in data science and computer science. As techniques for drawing insights from limited data become more powerful and prevalent, the category of data that can be used to compromise privacy is expanding at an alarming rate. For instance, in the summer of 2014, the personal information of 83 million households and small businesses was accessed by hackers who breached the databases of JPMorgan Chase, the largest bank in the United States. The bank stated several times that account information was not compromised: only phone numbers, addresses, and home addresses were stolen. However, privacy researchers have found that information as common as a zip code can be combined with other data to link anonymized sensitive information to individuals.
In the mid-1990s, Latanya Sweeney, a student at MIT, was able to link together two publicly available databases, one of voter records and one of anonymized health records, and easily match de-identified medical records to names [7]. She simply cross-referenced common traits such as gender, zip code, and date of birth that were present in both databases. Sweeney went on to show through her research that roughly 87% of the U.S. population can be uniquely identified with their gender, zip codes, and dates of birth [8]. Through these clever combinations of data, malicious attackers can re-identify anonymized databases of sensitive information, which they can then use to obtain credit cards, wire money from bank accounts, and receive free medical services.

Regulations and self-imposed privacy policies take a brute force approach to this challenge, mandating the removal of information to match the progress of analytical innovations. This approach is insufficient to protect privacy in the long term. Given the sheer volume of personal information that is already public or poorly protected, a patient and persistent attacker can easily access enough information to re-identify virtually any de-identified database.

Further complicating the problem is the fundamental tradeoff between precision and privacy. Research in information theory, a field which focuses on quantifying and identifying properties of data, has shown with mathematical certainty that data cannot be perfectly anonymized without compromising some of the data's usefulness for statistical analysis [9]. Any method of privacy protection must walk the fine line of providing maximum value from data while protecting individual privacy.
The Current State of Privacy Protection
Below are standard methods for privacy-preserving analysis and their disadvantages:

Method: Summary statistics
Description: Providing only aggregate statistics on the database, such as mean, median, mode, etc.
Shortcomings:
- Reconstruction attacks can identify individuals using only summary statistics [10].

Method: Hashing
Description: Replacing PII such as names and SSNs with numbers ("hashes") generated by a hash function. This function cannot be inverted: that is, given a value it is simple to find its hash, but given a hash it is hard to find the original value.
Shortcomings:
- Hashing can be reversed by having a computer simply check all possibilities to recover the original key
- Even without reversing the hash, linkage attacks can use outside information for identification
- Vulnerable to security breaches of the hash function

Method: Query auditing
Description: Restricting which queries can be asked by certain users based on permissions.
Shortcomings:
- Severely limits analytical utility of data
- Impossible if the number of potential queries is very large

Method: Data masking
Description: Restricting which entries in the database can be seen by certain users based on permissions.
Shortcomings:
- Prone to human error
- Limits insights for analytics
- Defeated by linkage attacks

Method: k-anonymity
Description: Modifying data so that each combination of identifying attributes is shared by k other members of the dataset.
Shortcomings:
- Only protects against identity disclosure, does not protect against attribute disclosure
- Even though the values are the same for k individuals, an adversary can learn them for a target individual
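An added example, not part of the LeapYear paper: a small release audit that groups records by the quasi-identifiers Sweeney cross-referenced (gender, zip code, date of birth), reports how many records are unique on them, and then shows the k-anonymity shortcoming listed above, where a class of k records still discloses an attribute they all share. The records, the field names and the generalization rule are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of a "de-identified" release: names removed,
# quasi-identifiers and one sensitive attribute kept.
RECORDS = [
    {"gender": "F", "zip": "02138", "dob": "1961-07-14", "diagnosis": "asthma"},
    {"gender": "F", "zip": "02139", "dob": "1961-02-03", "diagnosis": "asthma"},
    {"gender": "M", "zip": "02138", "dob": "1975-11-30", "diagnosis": "diabetes"},
    {"gender": "M", "zip": "02139", "dob": "1975-01-09", "diagnosis": "hypertension"},
    {"gender": "F", "zip": "94704", "dob": "1988-05-21", "diagnosis": "flu"},
    {"gender": "F", "zip": "94705", "dob": "1988-12-02", "diagnosis": "diabetes"},
    {"gender": "M", "zip": "94704", "dob": "1990-03-17", "diagnosis": "cancer"},
    {"gender": "M", "zip": "94709", "dob": "1990-08-08", "diagnosis": "cancer"},
]

QUASI_IDENTIFIERS = ("gender", "zip", "dob")


def generalize(record):
    """Coarsen the quasi-identifiers: 3-digit zip prefix, year of birth only."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["dob"] = record["dob"][:4]
    return out


def audit(records, quasi_ids=QUASI_IDENTIFIERS, sensitive="diagnosis"):
    """Measure re-identification exposure of a release.

    k                   -- size of the smallest group sharing all quasi-identifiers
    unique_fraction     -- share of records that are alone in their group, i.e.
                           linkable one-to-one to any outside list holding the
                           same fields
    homogeneous_classes -- groups of 2+ records that all carry the same sensitive
                           value: identity is hidden, the attribute is not
    """
    classes = defaultdict(list)
    for rec in records:
        key = tuple(rec[q] for q in quasi_ids)
        classes[key].append(rec[sensitive])

    sizes = [len(values) for values in classes.values()]
    unique = sum(1 for size in sizes if size == 1)
    homogeneous = [
        key for key, values in classes.items()
        if len(values) > 1 and len(set(values)) == 1
    ]
    return {
        "k": min(sizes),
        "unique_fraction": unique / len(records),
        "homogeneous_classes": homogeneous,
    }


if __name__ == "__main__":
    print("raw release:        ", audit(RECORDS))
    print("generalized release:", audit([generalize(r) for r in RECORDS]))
```

On the constructed data the raw release is unique on every record, while the generalized one reaches k = 2 yet still leaves two groups whose members all share one diagnosis.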
In addition, query auditing and data masking fail to protect privacy in the event of a security breach. The strict protocols they require can easily be violated if the security system implementing them is not robust. Furthermore, these privacy-preserving approaches to analytics require vigilant enforcement and organization-wide adoption to be effective. Employee education and company policies for the handling of data are expensive, time-consuming, and far from foolproof. Many companies, interested in utilizing their data with minimal inconvenience, employ only the bare minimum of privacy protection.

Clearly, current de-identification techniques, privacy policies, and governmental regulations are ineffective and inefficient. They fail to protect individual privacy and restrict the collection and analysis of critical information. Medical research organizations are forced to sacrifice vital scientific progress to ensure HIPAA compliance, while social networks and e-commerce platforms self-impose stringent privacy policies that build user trust but inhibit lucrative analytics. To take full advantage of information, there is a need for a new paradigm of data privacy.

Differential Privacy

Differential privacy is a recent, mathematically rigorous definition of privacy which has inspired a field of research at the intersection of statistics and computer science. Specifically, if a database has been computed by a differentially private algorithm, then the presence or absence of any one individual in a database makes no significant difference in the likelihood of each possible response to a database query. In practice, differential privacy promises that nobody will be able to learn any significant additional information about an individual by his or her information being included in a database. Frank McSherry, one of the inventors of differential privacy, described this privacy protection as future-proofed.
Identifying individuals in a database computed by a differentially private algorithm is effectively impossible, even with unlimited time and outside information [11]. It is considered the gold standard of privacy by the privacy community [12].

There are several reasons why differential privacy has not yet been widely accepted in industry. Primarily, it is because differential privacy is a definition, and the definition itself provides no methods of achieving it in practice. Furthermore, it does not speak to the utility of the data after it is accessed through differentially private mechanisms. Designing algorithms for achieving differential privacy while maintaining the accuracy of statistical analysis is an active, narrow field of research, with only a few experts advancing the science.

One of the first mechanisms for achieving differential privacy was the addition of random noise, or distortions, to the output of queries. The magnitude of the noise added to a particular query is a function of the largest change a single entry could have on the output of that query. This method, known as the Laplace Mechanism, allows one to answer aggregate count queries (e.g. "How many people in the database have black or brown hair and live in California?") with a fair amount of accuracy, but it fails to provide useful results for more sophisticated statistical analysis of the database. In order for differential privacy to be preserved by the Laplace Mechanism, a privacy budget is placed on the database. Each query costs a portion of this budget, and once the budget is exhausted, access must be terminated. Moreover, if a security breach allows an attacker to bypass the querying mechanism, the raw data is entirely compromised. These practical shortcomings of the Laplace Mechanism and other early methods for achieving differential privacy have resulted in the standard being viewed as a theoretical ideal, but too strict a requirement for real-world application [13].
However, the seminal paper which introduced the Laplace Mechanism motivated a decade of research in the field of differential privacy. This has resulted in the development of differentially private analytical techniques, including regressions and machine learning algorithms, that achieve differential privacy and an extremely high degree of accuracy. In the past few years, algorithms have emerged for producing synthetic datasets, which are inherently differentially private. These synthetic datasets can be optimized to answer a large number of queries of a client's choosing with extreme accuracy while satisfying the highest standard of privacy. Synthetic data imposes no privacy budget and remains private even in the event of a security breach. The rapid advancements in differential privacy are moving the term from being a theoretical ideal to a precise, practical, and quantifiable definition of data privacy.
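An added example, not LeapYear's or Shroudbase's code: the Laplace Mechanism and privacy budget described above, applied to the count query the text uses as its illustration. The class and function names, the epsilon values and the sample rows are assumptions made for the example.

```python
import random


class BudgetExhausted(Exception):
    """Raised when a query would cost more than the remaining privacy budget."""


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) as the difference of two exponentials of mean `scale`.

    Illustrative sampler only: a deployed mechanism needs a cryptographically
    secure source of randomness and a sampler vetted against floating-point leaks.
    """
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


class BudgetedCounter:
    """Answers count queries with Laplace noise until the budget is spent."""

    def __init__(self, rows, total_epsilon, seed=None):
        self._rows = list(rows)
        self.remaining = float(total_epsilon)
        self._rng = random.Random(seed)  # seeded only so the demo is repeatable

    def count(self, predicate, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if epsilon > self.remaining:
            # Once the budget is exhausted, access must be terminated.
            raise BudgetExhausted(
                f"query costs {epsilon}, only {self.remaining} remaining")
        self.remaining -= epsilon  # the costs of successive queries add up

        true_count = sum(1 for row in self._rows if predicate(row))
        # Adding or removing one person changes a count by at most 1, so the
        # sensitivity is 1 and the noise scale is sensitivity / epsilon.
        sensitivity = 1.0
        return true_count + laplace_noise(sensitivity / epsilon, self._rng)


# Constructed sample rows: (hair colour, state of residence).
PEOPLE = (
    [("black", "CA")] * 120 + [("brown", "CA")] * 95 + [("blond", "CA")] * 40
    + [("black", "NY")] * 80 + [("red", "OR")] * 15
)


def dark_hair_in_california(row):
    hair, state = row
    return hair in ("black", "brown") and state == "CA"


if __name__ == "__main__":
    db = BudgetedCounter(PEOPLE, total_epsilon=1.0, seed=2015)
    print("true answer : 215")
    print("query 1     :", round(db.count(dark_hair_in_california, 0.5), 2))
    print("query 2     :", round(db.count(dark_hair_in_california, 0.5), 2))
    try:
        db.count(dark_hair_in_california, 0.5)
    except BudgetExhausted as exc:
        print("query 3     : refused,", exc)
```

A smaller epsilon per query buys more queries from the same budget at the price of proportionally larger noise, which is the accuracy limitation the text attributes to this mechanism.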
Shroudbase
Shroudbase is a platform for storing, sharing, and analyzing sensitive data. It provides compliance, analytical flexibility, and the highest standard of data privacy [14].

Shroudbase provides a patent-pending system for creating, managing, updating, and querying differentially private synthetic datasets. These versions are effectively identical in function to the original data, except that they are permanently de-identified. This holds even if the privatized data is analyzed, sold, published, combined with other data, or stolen.

While current methods of de-identification can significantly hinder access to insights by removing information from the original data, Shroudbase protects privacy without removing any information from the database, enabling analysis of previously untouchable data. Its algorithms intelligently recompute databases, creating permanently de-identified copies of the original data.

Aside from completely anonymizing sensitive data, Shroudbase achieves the strongest standard of data privacy: differential privacy. We have shown with mathematical proof that the presence of any single individual in a differentially private database does not significantly affect the outcome of any analysis on the database. Consequently, the amount of additional information disclosed about an individual by his or her inclusion in a database produced by Shroudbase is negligible. This holds even in the event of a security breach: if a database that had been privatized by Shroudbase were illegally accessed and published online, the data would still be differentially private.

Unlike other differentially private mechanisms, Shroudbase is practical for a wide range of uses, including business intelligence, research, and open-source applications. Users of the software can ask unlimited queries to their data and update their data without affecting the privacy protection.
Shroudbase produces synthetic data that is optimized for accurate analytics, ranging from summary statistics to machine learning.

[14] For more technical details on Shroudbase and differential privacy, please visit shroudbase.com/technology
How it Works
I. Privatization

Privatizing data with Shroudbase is a one-step process. The client simply enters the information required to access their database along with an endpoint to store the synthetic data. The platform currently privatizes any structured data, including MySQL, PostgreSQL, Microsoft SQL, sqlite3, Excel spreadsheets, and csv files. The privatization procedure can be run through our cloud cluster or locally by installing the Shroudbase Database Management System on the client's machines. If the client uses a local implementation, then the entire procedure can be executed without Shroudbase ever reading or storing any sensitive information.
II. Storage

Privatized data is stored with the Shroudbase Cloud Database Service. While many online storage systems only protect data in transit, Shroudbase ensures that the only data that enters the cloud is synthetic data with no personally identifiable information. Practically speaking, this means that nobody (a hacker, government agency, an employee of Shroudbase) can ever access any personal information through Shroudbase, because it simply isn't there. Clients access this service through the Shroudbase administrative control panel or Shroudbase Database Management System, an installable package for controlled data access and administration.
III. Querying

The Shroudbase Query Client provides an easy and intuitive way to use privatized databases. This client interface takes in SQL formatted commands and outputs responses in a format similar to MySQL's client interface. This can be run by calling 'sb' from the command line with the appropriate hostname and port for the database the user is connected to. Queries with Shroudbase are identical to MySQL queries, and Shroudbase supports most statistical functions found in MySQL.

IV. Updating

Shroudbase's patent-pending technology supports inserting additional data into the database while preserving privacy. When additional data is added, the Shroudbase system stores the data in an intermediary state until the Shroudbase server detects that an update needs to occur. When an update occurs, the privatization job is off-loaded to Shroudbase's privatization infrastructure to be recomputed in the cloud.
Results

As with any technique that perfectly protects privacy, some accuracy is lost because of the statistical noise introduced to the data itself. However, Shroudbase has been optimized to deliver highly accurate results for aggregate statistical analysis and advanced data mining algorithms. Furthermore, the platform supports analysis of sensitive, high-dimensional data, on the order of terabytes.

The table below summarizes the performance of Shroudbase on a variety of databases. The accuracy is defined as the fractional difference between the output of the most erroneous query on the original data as compared to the data produced by Shroudbase.

Dataset | Entries | Number of Attributes | Number of Distinct Properties | Runtime | Query Accuracy
National Census | 236,… | … | … | … min 50s | 99.7%
State Census | 30,… | … | … | … min 21s | 98.8%
Blood Donations | … | … | … | … min 14s | 99.7%
Movie Reviews | 943 | 4,000 | 40,000 | 2hrs 21min | 99.1%
Genomics | 58 | 7,000 | 70,000 | 2hrs 48min | 93.9%

Datasets

National Census is a dataset of 2010 abridged census data.
State Census is a dataset of state and local census data from
Blood Donors is a dataset of blood donations and information about the blood donors.
Movie Reviewers is a high-dimensional dataset of publicly collected user movie ratings and information about the users.
Genomics is a high-dimensional genomics dataset containing around 7,000 genomic markers for 58 cancer patients.
Compliance

Privacy experts agree that databases computed by differentially private algorithms satisfy this requirement. This agreement represents more than a consensus in an industry survey: one of the two methods for compliance with the HIPAA Privacy Rule is the Expert Determination Method, which is outlined below.

Source: HHS Guidance Regarding Methods for De-identification of PHI in Accordance with the HIPAA Privacy Rule

At the request of a client, independent statisticians can verify that our process satisfies requirements for de-identified data under HIPAA.
Conclusion

Modern organizations face a daunting challenge: utilizing the sensitive data they have collected to gain a competitive advantage while simultaneously protecting the privacy of their customers and patients. Standard methods of privacy protection are no longer acceptable: they are costly to implement, time-consuming for large quantities of data, vulnerable to escalating threats, and restrict data utility. Shroudbase is a new paradigm of data management that offers streamlined, mathematically provable privacy by design to everyone. The technology provides analytical accuracy and the highest standard of data privacy while providing tools that work seamlessly with a client's existing infrastructure.
Frequently Asked Questions
OVERVIEW

What is differential privacy?
Differential privacy is a mathematical definition of privacy [15]. It states that the presence or absence of any one individual in a database makes no significant difference in the likelihood of each possible response to a database query.

What is Shroudbase?
Shroudbase is LeapYear's patent-pending platform for creating, managing, and analyzing privatized copies of quantitative data. These copies are effectively identical to the original data, except that they will never release any information that can be used to identify any individual. This holds even if the privatized data is sold, shared, published, stolen, or submitted to any kind of statistical analysis.

What do you mean by mathematically proven privacy?
We have shown through rigorous mathematical proof that the chance of learning anything more about any particular individual by their inclusion in a database produced by Shroudbase, through any method, is negligible. This statement holds no matter what outside information is used to augment the analysis, no matter how advanced statistical techniques become, and even in the case of a security breach. The databases we produce are differentially private.

How do you achieve differential privacy?
Our proprietary algorithms recompute your data, modifying it slightly by introducing statistical noise to its contents. This distortion prevents anyone from learning private information about a specific individual, even if the data that was privatized contains personally identifiable information (PII).

[15] For more technical details on Shroudbase and differential privacy, please visit LeapYear.io/shroudbase technology
Does Shroudbase compromise the accuracy of analysis?
As with any method of data privacy, some accuracy must be lost. However, the amount of statistical noise is precisely calibrated to conceal information about specific individuals while still answering statistical queries with near-perfect accuracy.

What happens if a privatized database is hacked?
From the standpoint of individual privacy: nothing. Our synthetic databases do not contain any personally identifiable information, so privacy is protected even if the entire contents of the database produced by Shroudbase are revealed. Privatized data produced by Shroudbase is considered de-identified information even if it is stolen and published.

USAGE

How do I use Shroudbase to privatize data?
Privatizing data with Shroudbase is a one-step process. Simply enter the information required to access your database along with an endpoint to store the synthetic data, and our algorithms will compute a synthetic, permanently de-identified copy of the original data.

How do I use Shroudbase to store data?
Privatized data is stored with the Shroudbase Cloud Database Service. The only data that enters the cloud is synthetic data with no personally identifiable information. Clients access this service through the Shroudbase Database Management System, an installable package for controlled data access and administration.

How do I use Shroudbase to query data?
The Shroudbase Query Client provides an easy and intuitive way to use privatized databases. Queries with Shroudbase are identical to MySQL queries, and Shroudbase supports most statistical functions found in MySQL.
What kind of data can be privatized?
Shroudbase can work with virtually any kind of structured data, including:
- standard MySQL/Oracle/SQL Server solutions
- Excel tables
- cloud and clustered solutions
- qualitative and text-based data

How long does privatization take?
The length of the process depends on the size and complexity of the database, but most databases can be privatized in a matter of hours.

How do I add data to a privatized database?
You can add and remove rows just as you would from a standard database. The Shroudbase management software uses proprietary algorithms to intelligently determine when the dataset requires recomputation to maintain privacy. This procedure will be carried out automatically and asynchronously.

PRIVACY

What is the difference between differential privacy and standard de-identification?
Privacy: Standard de-identification can be reversed to piece together private information, while differential privacy verifies through rigorous mathematical proof that it is effectively impossible to identify an individual regardless of what outside information is used to augment the analysis, no matter how advanced statistical techniques become, and even in the case of a security breach.
Accuracy: Shroudbase carries out this process without ever removing any information from the database. Instead, we make complete, permanently de-identified copies that are precisely modified to protect privacy. Shroudbase ensures that these modifications have virtually no effect on the analytical utility of the data. Standard de-identification techniques, on the other hand, remove or inefficiently distort information and are incapable of providing any measures of accuracy.
How is Shroudbase different from most differential privacy techniques?
A significant portion of the differential privacy literature is focused on adaptive privacy-preserving mechanisms. Adaptive mechanisms provide noisy, or distorted, responses to queries. These techniques provide theoretical guarantees of accuracy and differential privacy in a variety of settings. However, they require that queries have associated privacy costs, and once a privacy budget is exhausted, differential privacy no longer holds. This causes several problems in practice: limiting the number of queries is entirely impractical for effective usage of data, and collusion could allow groups to violate privacy without knowledge of the database curator.

Our solution is to produce synthetic databases. Synthetic data is an approximation of the true dataset optimized to accurately answer a set of queries. The algorithms which produce this approximation are differentially private and thereby ensure that any analysis of the data is private. There is no need to put any restrictions on data access, and the database remains differentially private even in the event of a security breach.

How can you ensure differential privacy without limiting the queries a client can ask the database?
Typically, differential privacy is achieved by adding statistical noise to the output of queries, which is vulnerable to collusion. Our method is to recompute a synthetic database which only contains privatized information. This allows us to preserve differential privacy while providing the client unrestricted access to the data.
Are privatized databases HIPAA compliant?
HIPAA requirements for de-identifying information can be met through the Expert Determination Method [16] 45 C.F.R (b):

A covered entity may determine that health information is not individually identifiable health information only if:
(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination

Privacy experts have already agreed that differentially private databases satisfy this requirement, even those that are complete copies of databases with PII. At the request of a client, privacy experts can verify that our software satisfies requirements for de-identified data under HIPAA.
More informationHow To Find Out What People Think About Hipaa Compliance
Healthcare providers attitudes towards HIPAA compliance in 2015 Created July, 27 2015 Healthcare providers attitudes towards HIPAA compliance in 2015 Over the course of this last year the healthcare industry
More informationPrivacy Techniques for Big Data
Privacy Techniques for Big Data The Pros and Cons of Syntatic and Differential Privacy Approaches Dr#Roksana#Boreli# SMU,#Singapore,#May#2015# Introductions NICTA Australia s National Centre of Excellence
More informationWebsite Security: How to Avoid a Website Breach. Jeff Bell, CISSP, CPHIMS, ACHE Director, IT Security and Risk Services CareTech Solutions
Website Security: How to Avoid a Website Breach Jeff Bell, CISSP, CPHIMS, ACHE Director, IT Security and Risk Services CareTech Solutions www.caretech.com > 877.700.8324 An enterprise s website is now
More informationTools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits
Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits Presented by: Don Waechter, Managing Partner Health Compliance Partners Ann Breitinger, Attorney Blalock Walters Legal Disclaimer
More informationigrc: Intelligent Governance, Risk, and Compliance White Paper
igrc: Intelligent Governance, Risk, and Compliance White Paper 2013 2013 Edgile, Inc. All Rights Reserved Executive Overview This whitepaper discusses the business needs addressed by Edgile s igrc solution,
More information2016 OCR AUDIT E-BOOK
!! 2016 OCR AUDIT E-BOOK About BlueOrange Compliance: We specialize in healthcare information privacy and security solutions. We understand that each organization is busy running its business and that
More informationSecureAge SecureDs Data Breach Prevention Solution
SecureAge SecureDs Data Breach Prevention Solution In recent years, major cases of data loss and data leaks are reported almost every week. These include high profile cases like US government losing personal
More informationSolutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance
White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA
More informationProtecting What Matters Most. Bartosz Kryński Senior Consultant, Clico
Protecting What Matters Most Bartosz Kryński Senior Consultant, Clico Cyber attacks are bad and getting Leaked films and scripts Employee lawsuit Media field day There are two kinds of big companies in
More informationProtecting What Matters Most. Terry Ray Chief Product Strategist Trending Technologies Session 11
Protecting What Matters Most Terry Ray Chief Product Strategist Trending Technologies Session 11 Cyber attacks are bad and getting Significant economic Stock price fell by 14% Impacted profits by 46% Total
More informationBANKING SECURITY and COMPLIANCE
BANKING SECURITY and COMPLIANCE Cashing In On Banking Security and Compliance With awareness of data breaches at an all-time high, banking institutions are working hard to implement policies and solutions
More informationGuidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES
DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR PARTS 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable
More informationCompromises in Healthcare Privacy due to Data Breaches
Compromises in Healthcare Privacy due to Data Breaches S. Srinivasan, PhD Distinguished Professor of Information Systems Jesse H. Jones School of Business Texas Southern University, Houston, Texas, USA
More informationSomansa Data Security and Regulatory Compliance for Healthcare
Somansa White Paper Somansa Data Security and Regulatory Compliance for Healthcare How Somansa can protect ephi- electronic patient health information and meet the requirements for healthcare compliances,
More informationProtecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance
Payment Security White Paper Protecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance Breaches happen across all industries as thieves look for vulnerabilities.
More informationHow To Protect Your Computer From Attack
FREQUENTLY ASKED QUESTIONS on C Y B E R S E C U R I T Y By IEEE USA s Committee on Communications Policy December 2011 This Frequently Asked Questions (FAQs) was prepared by IEEE-USA s Committee on Communications
More informationTrust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits
HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)
More informationChallenges of Data Privacy in the Era of Big Data. Rebecca C. Steorts, Vishesh Karwa Carnegie Mellon University November 18, 2014
Challenges of Data Privacy in the Era of Big Data Rebecca C. Steorts, Vishesh Karwa Carnegie Mellon University November 18, 2014 1 Outline Why should we care? What is privacy? How do achieve privacy? Big
More informationFERPA: Data & Transport Security Best Practices
FERPA: Data & Transport Security Best Practices April 2013 Mike Tassey Privacy Technical Assistance Center FERPA and Data Security Unlike HIPAA and other similar federal regulations, FERPA does not require
More informationPresentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy
Presentation for : The New England Board of Higher Education Hot Topics in IT Security and Data Privacy October 22, 2010 Rocco Grillo, CISSP Managing Director Protiviti Inc. Quote of the Day "It takes
More informationThe De-identification Maturity Model Authors: Khaled El Emam, PhD Waël Hassan, PhD
A PRIVACY ANALYTICS WHITEPAPER The De-identification Maturity Model Authors: Khaled El Emam, PhD Waël Hassan, PhD De-identification Maturity Assessment Privacy Analytics has developed the De-identification
More informationAdvanced Biometric Technology
INC Internet Biometric Security Systems Internet Biometric Security System,Inc.White Papers Advanced Biometric Technology THE SIMPLE SOLUTION FOR IMPROVING ONLINE SECURITY Biometric Superiority Over Traditional
More informationBEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security
BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security August 2014 w w w.r e d s p in.c o m Introduction This paper discusses the relevance and usefulness of security penetration
More informationWhite Paper Big Data Without Big Headaches
Vormetric, Inc. 2545 N. 1st Street, San Jose, CA 95131 United States: 888.267.3732 United Kingdom: +44.118.949.7711 Singapore: +65.6829.2266 info@vormetric.com www.vormetric.com THE NEW WORLD OF DATA IS
More informationApplying machine learning techniques to achieve resilient, accurate, high-speed malware detection
White Paper: Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection Prepared by: Northrop Grumman Corporation Information Systems Sector Cyber Solutions Division
More informationDe-identification Koans. ICTR Data Managers Darren Lacey January 15, 2013
De-identification Koans ICTR Data Managers Darren Lacey January 15, 2013 Disclaimer There are several efforts addressing this issue in whole or part Over the next year or so, I believe that the conversation
More informationLegal Insight. Big Data Analytics Under HIPAA. Kevin Coy and Neil W. Hoffman, Ph.D. Applicability of HIPAA
Big Data Analytics Under HIPAA Kevin Coy and Neil W. Hoffman, Ph.D. Privacy laws and regulations such as the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule can have a significant
More informationWhitepapers on Imaging Infrastructure for Research Paper 1. General Workflow Considerations
Whitepapers on Imaging Infrastructure for Research Paper 1. General Workflow Considerations Bradley J Erickson, Tony Pan, Daniel J Marcus, CTSA Imaging Informatics Working Group Introduction The use of
More informationBest Practices for a Healthcare Data Breach: What You Don t Know Will Cost You
Best Practices for a Healthcare Data Breach: What You Don t Know Will Cost You By: Emilio Cividanes, Venable LLP Partner and Co-Chair Regulatory Practice Group Paul Luehr, Stroz Friedberg Managing Director
More informationSecured email Enterprise eprivacy Suite
EMAIL SECURITY SOLUTIONS TECHNOLOGY REPORT Secured email Enterprise eprivacy Suite JANUARY 2007 www.westcoastlabs.org 2 EMAIL SECURITY SOLUTIONS TECHNOLOGY REPORT CONTENTS Secured email Enterprise eprivacy
More informationThe Twelve Most Common Threats to HIPAA Compliance When Providing Remote Access to Systems and Data March 2010
The Twelve Most Common Threats to HIPAA Compliance When Providing Remote Access to Systems and Data March 2010 www.tridia.com Copyright 2005-2010 Tridia Corporation Backdrop On August 12, 1998, the Department
More informationBrief. The BakerHostetler Data Security Incident Response Report 2015
Brief The BakerHostetler Data Security Incident Response Report 2015 The rate of disclosures of security incidents in 2015 continues at a pace that caused many to call 2013 and then 2014 the year of the
More informationEnabling Continuous PCI DSS Compliance. Achieving Consistent PCI Requirement 1 Adherence Using RedSeal
SOLUTION BRIEF Enabling Continuous PCI DSS Compliance Achieving Consistent PCI Requirement 1 Adherence Using RedSeal november 2011 WHITE PAPER RedSeal Networks, Inc. 3965 Freedom Circle, Suite 800, Santa
More informationFeature. Log Management: A Pragmatic Approach to PCI DSS
Feature Prakhar Srivastava is a senior consultant with Infosys Technologies Ltd. and is part of the Infrastructure Transformation Services Group. Srivastava is a solutions-oriented IT professional who
More informationTHE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT
THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT 2 EXECUTIVE SUMMARY The growth of enterprise-developed applications has made it easier for businesses to use technology to work more efficiently and productively.
More informationArnab Roy Fujitsu Laboratories of America and CSA Big Data WG
Arnab Roy Fujitsu Laboratories of America and CSA Big Data WG 1 The Big Data Working Group (BDWG) will be identifying scalable techniques for data-centric security and privacy problems. BDWG s investigation
More informationDispatch: A Unique Email Security Solution
Dispatch: A Unique Email Security Solution 720 836 1222 sales / support sales@absio.com email www.absio.com web 8740 Lucent Boulevard, Ste 101 Highlands Ranch, CO, 80129 1 110-WP005-1 Organizations use
More informationHIPAA Violations Incur Multi-Million Dollar Penalties
HIPAA regulations have undergone major changes in the last few years giving both the federal and state Governments new and enhanced powers and resources to pursue HIPAA violations HIPAA Violations Incur
More informationData Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan
WHITE PAPER Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan Introduction to Data Privacy Today, organizations face a heightened threat landscape with data
More informationTop Five Ways to Protect Your Network. A MainNerve Whitepaper
A MainNerve Whitepaper Overview The data security challenges within the business world have never been as challenging as they are today. Not only must organizations providers comply with stringent State
More informationAUTOMATED PENETRATION TESTING PRODUCTS
AUTOMATED PENETRATION TESTING PRODUCTS Justification and Return on Investment (ROI) EXECUTIVE SUMMARY This paper will help you justify the need for automated penetration testing software and demonstrate
More informationWhat is required of a compliant Risk Assessment?
What is required of a compliant Risk Assessment? ACR 2 Solutions President Jack Kolk discusses the nine elements that the Office of Civil Rights requires Covered Entities perform when conducting a HIPAA
More informationTest Data Management for Security and Compliance
White Paper Test Data Management for Security and Compliance Reducing Risk in the Era of Big Data WHITE PAPER This document contains Confidential, Proprietary and Trade Secret Information ( Confidential
More informationSAS JOINT DATA MINING CERTIFICATION AT BRYANT UNIVERSITY
SAS JOINT DATA MINING CERTIFICATION AT BRYANT UNIVERSITY Billie Anderson Bryant University, 1150 Douglas Pike, Smithfield, RI 02917 Phone: (401) 232-6089, e-mail: banderson@bryant.edu Phyllis Schumacher
More informationExtracting value from HIPAA Data James Yaple Jackson-Hannah LLC
Extracting value from HIPAA Data James Yaple Jackson-Hannah LLC Session Objectives Examine the value of realistic information in research and software testing Explore the challenges of de-identifying health
More informationSafeNet DataSecure vs. Native Oracle Encryption
SafeNet vs. Native Encryption Executive Summary Given the vital records databases hold, these systems often represent one of the most critical areas of exposure for an enterprise. Consequently, as enterprises
More informationIntelligent Systems: Unlocking hidden business value with data. 2011 Microsoft Corporation. All Right Reserved
Intelligent Systems: Unlocking hidden business value with data Intelligent Systems 2 Microsoft Corporation September 2011 Applies to: Windows Embedded Summary: An intelligent system enables data to flow
More informationData Security - Trends and Remedies
1 Overvie w of Data Anonymiz ation Points to Ponder What is data anonymization? What are the drivers for data anonymization? Here are some startling statistics on security incidents and private data breaches:
More informationPRIVACY-PRESERVING PUBLIC AUDITING FOR SECURE CLOUD STORAGE
PRIVACY-PRESERVING PUBLIC AUDITING FOR SECURE CLOUD STORAGE Abstract: Using Cloud Storage, users can remotely store their data and enjoy the on-demand high quality applications and services from a shared
More informationThe Challenges of Administering Active Directory
The Challenges of Administering Active Directory As Active Directory s role in the enterprise has drastically increased, so has the need to secure the data it stores and to which it enables access. The
More informationThe Sumo Logic Solution: Security and Compliance
The Sumo Logic Solution: Security and Compliance Introduction With the number of security threats on the rise and the sophistication of attacks evolving, the inability to analyze terabytes of logs using
More informationIntegrated email archiving: streamlining compliance and discovery through content and business process management
Make better decisions, faster March 2008 Integrated email archiving: streamlining compliance and discovery through content and business process management 2 Table of Contents Executive summary.........
More informationThe Promise of Industrial Big Data
The Promise of Industrial Big Data Big Data Real Time Analytics Katherine Butler 1 st Annual Digital Economy Congress San Diego, CA Nov 14 th 15 th, 2013 Individual vs. Ecosystem What Happened When 1B
More informationa new approach to IT security
REPRINT FEBRUARY 2013 healthcare financial management association hfma.org a new approach to IT security FEATURE STORY REPRINT FEBRUARY 2013 healthcare financial management association hfma.org a new approach
More informationMatthew Howes Senior Vice President, Strategic Services inventiv Digital+Innovation Matthew.Howes@inVentivHealth.com
WHITE PAPER Global Digital Security: The Human Element March 2014 Written by: Matthew Howes Senior Vice President, Strategic Services inventiv Digital+Innovation Matthew.Howes@inVentivHealth.com TABLE
More informationEMAIL AUDITING, LOGGING AND REPORTING
EMAIL AUDITING, LOGGING AND REPORTING June 2007 INTRODUCTION Corporate Governance, Accountability, Regulatory Compliance, Fraud, Fines, Penalties In the last few years, state and federal legislators and
More informationHarnessing the Power of Big Data for Real-Time IT: Sumo Logic Log Management and Analytics Service
Harnessing the Power of Big Data for Real-Time IT: Sumo Logic Log Management and Analytics Service A Sumo Logic White Paper Introduction Managing and analyzing today s huge volume of machine data has never
More informationHIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant
1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad
More informationWhite Paper. Document Security and Compliance. April 2013. Enterprise Challenges and Opportunities. Comments or Questions?
White Paper April 2013 Document Security and Compliance Enterprise Challenges and Opportunities Comments or Questions? Table of Contents Introduction... 3 Prevalence of Document-Related Security Breaches...
More informationComments of the World Privacy Forum To: Office of Science and Technology Policy Re: Big Data Request for Information. Via email to bigdata@ostp.
3108 Fifth Avenue Suite B San Diego, CA 92103 Comments of the World Privacy Forum To: Office of Science and Technology Policy Re: Big Data Request for Information Via email to bigdata@ostp.gov Big Data
More informationFusing Vulnerability Data and Actionable User Intelligence
Fusing Vulnerability Data and Actionable User Intelligence Table of Contents A New Threat Paradigm... 3 Vulnerabilities Outside, Privileges Inside... 3 BeyondTrust: Fusing Asset and User Intelligence...
More informationTop Ten Technology Risks Facing Colleges and Universities
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology
More informationAdopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services.
Security solutions To support your IT objectives Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services. Highlights Balance effective security with
More informationPrivacy Impact Assessment
DECEMBER 20, 2013 Privacy Impact Assessment MARKET ANALYSIS OF ADMINISTRATIVE DATA UNDER RESEARCH AUTHORITIES Contact Point: Claire Stapleton Chief Privacy Officer 1700 G Street, NW Washington, DC 20552
More informationPresented by Jack Kolk President ACR 2 Solutions, Inc.
HIPAA 102 : What you don t know about the new changes in the law can hurt you! Presented by Jack Kolk President ACR 2 Solutions, Inc. Todays Agenda: 1) Jack Kolk, CEO of ACR 2 Solutions a information security
More informationAchieving Regulatory Compliance through Security Information Management
www.netforensics.com NETFORENSICS WHITE PAPER Achieving Regulatory Compliance through Security Information Management Contents Executive Summary The Compliance Challenge Common Requirements of Regulations
More informationThe Impact of HIPAA and HITECH
The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients
More informationPrivacy Legislation and Industry Security Standards
Privacy Legislation and Issue No. 3 01010101 01010101 01010101 Information is generated about and collected from individuals at an unprecedented rate in the ordinary course of business. In most cases,
More informationAppSymphony White Paper
AppSymphony White Paper Secure Self-Service Analytics for Curated Digital Collections Introduction Optensity, Inc. offers a self-service analytic app composition platform, AppSymphony, which enables data
More informationCisco SAFE: A Security Reference Architecture
Cisco SAFE: A Security Reference Architecture The Changing Network and Security Landscape The past several years have seen tremendous changes in the network, both in the kinds of devices being deployed
More informationEmail security and compliance best practices
E-Guide Email security and compliance best practices Secure and compliant email systems are essential for financial services companies. In this two part series on email security best practices, expert
More informationSolving data residency and privacy compliance challenges Delivering business agility, regulatory compliance and risk reduction
Solving data residency and privacy compliance challenges Delivering business agility, regulatory compliance and risk reduction Introduction In today s dynamic business environment, corporation s intangible
More informationPolicy-based Pre-Processing in Hadoop
Policy-based Pre-Processing in Hadoop Yi Cheng, Christian Schaefer Ericsson Research Stockholm, Sweden yi.cheng@ericsson.com, christian.schaefer@ericsson.com Abstract While big data analytics provides
More informationTo the extent the federal government determines that it will directly operate prescription
Prescription Drug Abuse and Diversion: The Role of Prescription Drug Monitoring Programs Bill Number: Hearing Date: September 23, 2004, 2:00 pm Location: SD-430 Witness: Joy L. Pritts, J.D. Health Policy
More informationThe Advantages of Enterprise Historians vs. Relational Databases
GE Intelligent Platforms The Advantages of Enterprise Historians vs. Relational Databases Comparing Two Approaches for Data Collection and Optimized Process Operations The Advantages of Enterprise Historians
More information