Five Ways to Use Security Intelligence to Pass Your HIPAA Audit

Transcription

1 e-book Five Ways to Use Security Intelligence to Pass Your HIPAA Audit

2 HIPAA audits on the way 2012 is shaping up to be a busy year for auditors. Reports indicate that the Department of Health and Human Services Office for Civil Rights will be conducting as many as 150 HIPAA audits throughout the year. Audit targets will vary based on size, business type, and previous violations although it is reported that the latter will be less of a focus. Right now, we don t know how invasive the audits will be, who will be targeted, and when exactly they will begin, but we do know that audits are coming. Is your organization at risk? Are you prepared? To help you make sure you re in shape to face the auditors knock, here are a few tips on how to make passing a HIPAA audit much less painful by using Security Intelligence to your advantage. 2

3 43% Percentage of [healthcare] organizations that grade their ability to counter information security threats as poor, failing or in need of improvement Source: 2011 ismg Healthcare Information Security Survey 3

4 1 Log, store, and correlate events along with network activity to create a baseline Consolidating data, storing logs, and correlating events and network activity will help you gather a baseline of data needed to show compliance. Healthcare data often resides in disparate systems across the organizations. If you have only a month to prepare for a HIPAA audit, will you be ready in time? Think back to the last time you had to search logs for important information. How many people were involved? How many hours, or days, did you waste? If you have a small team, how did this impact your ability to address other issues? 4

5 Recommendations The key to making sure you are able to prepare for an audit in a short amount time lies in the ability to quickly and easily access your data; this is where an intelligent, automated and integrated solution like the QRadar Security Intelligence Platform comes into play. In a recent QRadar deployment, Arkansas Children s Hospital was able to consolidate, filter, and protect their growing silos of log data. Not only were they able to quickly deploy QRadar, the security team found that it immediately integrated with existing log-producing sources and helped them identify potential offenses in real-time. Centralizing log events from sources containing critical patient information and using automated reporting functions enabled them to go beyond compliance, and achieve total security intelligence. Watch this video to hear what other benefits Arkansas Children s Hospital gained from the QRadar Security Intelligence Platform. 5

6 26% Percentage of organizations that have yet to conduct a risk assessment, as mandated under HIPAA Source: 2011 ismg Healthcare Information Security Survey 6

7 2 Use a risk management solution to address network and device vulnerabilities A risk assessment will analyze your network and device configuration for potential vulnerabilities, shifting you from reactive to proactive in the way you manage threats. Demonstrate that you are aware of all activity and configurations across your network; have vulnerabilities properly documented with evidence that they are actively being mitigated. Healthcare organizations are facing more frequent auditing and continuously pressured to comply with various regulations, stages and rules. Risk management is crucial to satisfy compliance regulations, prevent exploits from occurring, and predict potential vulnerabilities. It provides the context needed to determine exact risk levels through device configuration and policy monitoring, and allows you to get in front of threats, before they become a real problem. 7

8 Recommendations The QRadar Security Intelligence Platform includes a comprehensive list of industry specific policy templates various healthcare mandates including HIPAA to help determine risk and prioritize actions. Out of the box, QRadar can help you catch vulnerabilities that otherwise would have gone undetected. Watch this video testimonial from Ohio Health, describing the benefits they saw from QRadar, including the ability to proactively prevent attacks and see threats before they become a problem. 8

9 With the QRadar product, we re able to see a lot of things before they even occur, and prevent them up-front before it becomes a real problem It s a very proactive tool. It helps us get in front of the things that we need to be in front of - Q1 Labs Customer, Ohio Health 9

10 3 Limit mobile devices to viewing data, not storing Use, verify, and document encryption for media and mobile devices. The data on your mobile data device must be encrypted. If you backup the data from your device to another device that is not encrypted the backup data must also be encrypted. I would expect to see, in the long run, a phase out of desktop computers and a phase in of mobile devices. - Roger Baker, CIO of the Department of Veterans Affairs 10

11 Recommendations How do you demonstrate that IT staff and users are adhering to this level of encryption policy? The only way is to monitor actual network activity. The QRadar Security Intelligence Platform s flow capabilities provide an advanced level of packet analysis, enabling recognition of applications and protocols such as VoIP, ERP, database appliances, and more. QRadar has the ability to examine every packet and pull this data together into one location, providing context and actionable information. This helps prevent employees from accessing private patient information, and misconfigured vulnerable systems from exposing the network to threats. Further, being able to demonstrate that you are in compliance with these policies can be easy using the hundreds of pre-built reports that address many of the major compliance regulations including HIPAA. Want to know the top daily security and policy offenses? How about the most targeted IPs for a given week? 11

12 ...ease of use was a big reason [we chose QRadar]. The second was the way it integrates with flow data it just turned out to be an invaluable tool. [We get] visibility into the traffic flowing across our network the information it brings to light sometimes scares you. - Q1 Labs Customer, Arkansas Children s Hospital 12

13 4 Document a plan to achieve compliance and begin acting on it It s important to show a good faith effort to the auditor(s). Even if you don t have every box checked and completed, put together a comprehensive list of goals and steps needed to achieve each of them. For example, if a healthcare organization is in any way responsible for electronic transactions with partners or other organizations, they must comply with HIPAA code. If this organization cannot immediately show compliance, the second best option is to document its good faith efforts to comply with the standards and submit a corrective action plan. Some symbols of good faith in this case might be an increase external testing with payment partners, attempt at testing with partners, and proving any efforts to comply that took place before or after the audit. 13

14 Recommendations Security intelligence can make the discovery, documentation and planning process straight forward. Through a centralized, browser-based console, QRadar offers a consolidated view of an organization s security environment. The console provides role-based access by function and a global view to access real-time analysis, incident management, and reporting. Users across the Information Security, Operations and Auditing teams can customize their own workspaces; drill down into specific events, network flows, or threats. To see a demonstration of how the QRadar Security Intelligence Platform can help you demonstrate compliance with mandates and internal policies, watch this video. A bonus tip - be sure to revise and update your security policies after every risk assessment. 14

15 23% Percentage of organizations that have been breached in the last 12 months Source: 2011 HIMSS Leadership Survey 15

16 5 Protect ephi and PII at all costs Electronic Medical Record (EMR) systems, billing systems, servers, x-ray machines, ultrasound devices, etc can all hold Electronic Protected Health Information (ephi). Make sure that your security intelligence solution includes the correct event sources and network traffic to properly secure and monitor ephi. According to the 2011 HIMSS Leadership Survey, the top concern of senior IT security professionals in the healthcare industry is an internal breach of security. As more organizations move towards ephi, this concern (and threat potential) will increase. To keep records secure, information security teams need real-time access to data showing unauthorized access to systems to keep ephi from being accessed, disseminated, or otherwise compromised, either intentionally or accidentally, from both internal and external sources. 16

17 Recommendations The QRadar Security Intelligence Platform protects ephi and PII by providing visibility across the entire infrastructure to deliver a manageable set of prioritized security threats along with identity information that is critical to rectify the situation. To quickly identify internal misuse, QRadar will display internal threats and integrate with pre-existing Identity and Access Management (IAM) solutions. Combined, these data sources develop a complete picture of an asset s user identity and behavior as well as vulnerability state, which is not available through IAM solutions alone. Daily HIPAA (e)(1) - 2, 3, & 4 Traffic to Trusted Segments from Untrusted Segments Details PCI Protocols to Trusted Network Zones Oct 5, :00:00 AM - Oct 6, :00:00 AM Destination Port Event Name (U Log Source (U Event Co Category (U Source IP (U Destination IP Username (U Count nique Count) nique Count) unt (Sum) nique Count) nique Count) (Unique Count) nique Count) 0 Multiple (3) Multiple (2) Multiple (2) Multiple (4) Multiple (2) Multiple (68)

18 66% Percentage of organizations whose top concern is compliance with HIPAA and preventing a security breach. Source: 2011 HIMSS Leadership Survey 18

19 Protect and comply with Security Intelligence Security Intelligence can help you exceed the technical controls in HIPAA compliance mandates by improving your organization s ability to protect sensitive patient information and related data. This is accomplished by combining log management, SIEM, network behavior analysis, and risk management into a single solution. With real-time network behavior analysis, healthcare organizations have deeper visibility into the behavior profiles of systems, applications and users across their organization s entire network. As a result, product acquisition, deployment, and operational costs are a fraction of alternative point product solutions, thus maximizing return on investment, while minimizing security threats for healthcare organizations protecting critical patient data. To visualize how QRadar can keep you protected before, during and after an attempted breach, watch this video of the Security Intelligence timeline. 19

20 Want more information? Visit: q1labs.com/healthcare Read: Security Intelligence for Healthcare Brochure Watch: Prioritizing Security and Compliance Management for Healthcare Organizations 20

21 Connect and share! blog 21