White Paper. Identifying Network Security and Compliance Challenges in Healthcare Organizations
Contents

Introduction
Increased Demand For Access
  Mobile devices
  Medical devices
Increased regulatory requirements for achieving compliance
  Scope of regulations includes medical and mobile devices
  Protection from malicious software
  Access, authorization, supervision, termination
  ePHI inventory
  Documentation as evidence of compliance
Provider Practice Acquisitions: Increased Demands On Network Infrastructures
  Non-standard network acquisitions
  Multiple hardware vendor platforms
  Undocumented networks
  Unknown network endpoints
Managed And Unmanaged Devices
  BYOD: Who's in, who's out?
  Managed/unmanaged
  Authentication
  Incident response
Conclusion
Works Cited
Additional Resources
About ForeScout
Introduction

Healthcare IT leaders face a growing challenge: keeping their networks secure while at the same time opening up access to a myriad of new devices and user populations. Providers, employees, visitors, patients: they all demand access to information from their personally owned device of choice. Some healthcare executives have tried to stop the practice by declaring, "You can only use these approved devices." While dyed-in-the-wool security hawks might like this approach, it is not acceptable in the real world. Consumer devices have become so pervasively accepted that healthcare IT organizations are expected to accommodate them.

It is not only people that want more access to data. The decade-long trend toward putting medical devices on the IP network adds to the security and compliance challenge.

Regulatory requirements are also increasing. In the United States, regulations such as those contained in the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the American Recovery and Reinvestment Act (ARRA) are all becoming more challenging to meet. On top of all of that, IT organizations are struggling to improve efficiency by migrating to cloud environments.

This white paper explores these challenges and presents ideas for how healthcare IT departments can meet them, including:
- Increased demand for access
- Elevated regulatory requirements for achieving compliance
- Increased demands on network infrastructures
- Securing the network from both managed and unmanaged devices

Increased Demand For Access

Mobile devices

As discussed in the introduction, mobile device use is exploding.
During his opening remarks at the 2012 Mobile Devices Roundtable: Safeguarding Health Information, in Washington, D.C., Farzad Mostashari, former National Coordinator for Health Information Technology, highlighted the disruptive nature of mobile device access: "Ubiquitous, connected platform. And the use of these is skyrocketing, as everybody knows, and one of the interesting things about this is that like many disruptive innovations, it starts in one side of the market, the lower cost side of the market, and then it comes in and takes over the higher cost, and in our case, it's consumer technology coming into institutional technology, medicine."

The term "disruptive" is apt. Providers, employees, patients and visitors are all demanding access. While providers are rounding, their diagnoses and treatment recommendations are being researched by family members. As Mostashari highlights, this is cultural change making its way into the healthcare industry, and it cannot be ignored, postponed, or neglected. It is the new normal.

So what are these devices that are attaching to the network, and what do they need? Mobile devices can generally be characterized along three independent dimensions: type, management status, and function.

Type:
- Smartphones
- Tablets
- Phablets
- Laptops

Management status:
- Managed
- Unmanaged, known/authenticated
- Unmanaged, unknown/unauthenticated

Function:
- Connected to the ePHI network
- Connected to the network with no ePHI access
- Internet-only connectivity
- No network connectivity

As these categories show, mobile devices span a wide variety of hardware types, management states and functions. It is essential that healthcare IT departments have the appropriate tools in place to manage these devices effectively.
Medical devices

Medical devices need to be evaluated and managed in the same way as any other electronic protected health information (ePHI) system or computing device. This point was made clear in June 2013 when the U.S. Food and Drug Administration released a Safety Communication stating: "Recently, the FDA has become aware of cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations."

The vulnerabilities and incidents cited by the FDA include:
- Network-connected/configured medical devices infected or disabled by malware
- The presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices
- Failure to provide timely security software updates and patches to medical devices and networks, and to address related vulnerabilities in older medical device models (legacy devices)
- Security vulnerabilities in off-the-shelf software that is designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, service accounts documented in service manuals, and poor coding/SQL injection

Specific recommendations for healthcare facilities include:
- Restricting unauthorized access to the network and networked medical devices
- Making certain appropriate antivirus software and firewalls are up to date
- Monitoring network activity for unauthorized use
- Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services

Increased regulatory requirements for achieving compliance

Given the increased variety of devices connecting to networks in the healthcare environment, numerous compliance requirements now come into play that previously did not apply.
Scope of regulations includes medical and mobile devices

HIPAA requires healthcare organizations to implement policies and procedures that "specify the proper functions (of computing devices) to be performed, the manner in which those functions are to be performed," and "for granting access to electronic protected health information; for example, through access to a workstation, transaction, program, process, or other mechanism" (see (a)(4)(ii)(B) and (b)). What is important to note here is that the term "workstation" refers to any computing device, including mobile devices, medical devices, and any other device attaching to the network with potential access to ePHI.

According to Susan McAndrew, Deputy Director of the Office for Civil Rights (OCR), healthcare organizations are required to treat mobile devices as they do any other ePHI system: "With regards to mobile devices, it is clear that these are a part of the electronic systems and enterprise within a doctor's office or a health plan, and, so, they do come within the ambit of the HIPAA Security Rule and are subject to all of those protections, including primarily it is important that entities recognize that and include them as part of their risk assessments as they go forward and that they do take the same kinds of protections with regard to those devices as they would to the main computer systems within the enterprise."
Protection from malicious software

Healthcare organizations have known for a long time that anti-virus and anti-malware protection is required for computing devices. These protections have been in place for so long that many organizations assume they cover all devices. This is not the case, particularly with smartphones and medical devices. For example, smartphones, with such a large population of users (source name estimates that in million apps were installed), are ripe for introducing viruses and other malware into healthcare network systems.

Access, authorization, supervision, termination

HIPAA requires that both users and devices be properly authorized, granted appropriate access and supervised. HIPAA also requires that IT organizations be able to quickly terminate a user's or device's access when it is no longer appropriate. For example, suppose a physician is hired as a temporary staff physician (locum) in the healthcare organization's outpatient center. The physician's access to ePHI, and the level of that access, must be authorized by someone with the authority to do so, such as the CMO. After the physician begins work, his or her access should be supervised to ensure it remains appropriate, and when the service period is complete, ePHI access should be terminated in a timely manner. This sounds simple enough, and in fact it happens every day in healthcare organizations across the country. What is often missed is that personally owned devices should be treated in the same manner.
OCR Deputy Director McAndrew provided guidance on HIPAA regulations related to access by mobile devices: "As Farzad (Farzad Mostashari, National Coordinator for Health Information Technology) mentioned in his opening remarks, these devices (mobile) have many roles and many vulnerabilities, including it's not just the information that is sent to and from these devices, but because of the device, it may present access to other systems and those kinds of controls need to be recognized and protected against should the device fall into unauthorized hands."

Healthcare organizations must have tools in place to govern access, authorization and supervision of devices with access to ePHI, and to terminate such access in a timely manner. Most healthcare organizations do not have the technical capabilities in place to meet these standards sufficiently.

ePHI inventory

Figure 1: According to the Ponemon Institute study*, 81% of healthcare organizations allow the use of personal mobile devices. This figure shows that there is extensive use of mobile devices. The same study shows that 54% of these organizations are not confident these devices are secure, with only 9% very confident the devices are secure.

In addition to being a HIPAA requirement (see (a)(1)(i) and (a)(7)(ii)(E)), an inventory of ePHI means knowing the location of the systems, servers, devices and applications that capture, store, transmit and use PHI. The inventory is then used to perform a security risk assessment (SRA). Many healthcare organizations go to great lengths to perform SRAs only to leave out many systems, and even more end-user devices. The ePHI inventory should include mobile devices, medical devices and the network systems that support transmission.

* Reference to: Third Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute LLC, December
The inventory also helps technical security teams identify the type, management status and function of devices on their networks, while also identifying risks and developing mitigation strategies. As the saying goes, you can't fix what you don't know is broken. Proper risk management cannot be performed if critical components are unknown and/or ignored.

Documentation as evidence of compliance

Compliance audit requirements differ a great deal, but they have some things in common. One key component of any compliance program is documentary evidence, often called "documentation as evidence of compliance." One area of particular need is documentation related to security incidents. This is not only a HIPAA requirement (see (a)(6)); documentation of incidents is also critical to identifying threat and behavior patterns that current systems and controls are not effectively addressing. Much as with ePHI inventories, undiscovered and/or unknown incidents are a serious concern. Healthcare IT departments need to implement tools and associated procedures to ensure incidents are detected and easily documented so they can be appropriately evaluated.

Provider Practice Acquisitions: Increased Demands On Network Infrastructures

One of the emerging healthcare trends of the last several years is the movement of small practices into large ones, including hospital-owned physician groups. There are many drivers for this movement, including Accountable Care Organizations, Meaningful Use, ICD-10, and economies of scale. The detailed reasons are beyond the scope of this paper, but this consolidation of physician groups into larger ones does present complications for the IT and security departments that support them. As any network/security administrator knows, when a physician's practice is acquired, adding that practice's network to the larger network can be challenging.
Issues include:

Non-standard network acquisitions

Many small practices have no internal IT staff. Often their IT contractor is someone's brother, or simply inexperienced. Rarely do smaller physician practices have an experienced and competent IT network resource. This often means the networks in these practices are non-standard. So organizations that have spent millions of dollars implementing state-of-the-art network infrastructures are now being tasked with absorbing non-standard networks.

Multiple hardware vendor platforms

When implementing an enterprise network, several factors go into vendor selection: the technical knowledge of the staff, maintenance, TCO, performance, security, interoperability, and so on. What happens when a new platform is suddenly added to your environment? With increasing acquisitions and rapidly changing demands, having a preferred or single vendor for networking equipment is becoming less and less practical. To integrate these changes into an existing enterprise network successfully, healthcare IT departments need to quickly identify devices, regardless of hardware platform, and assess the status of the network and its endpoints.

Undocumented networks

Another challenge often encountered when acquiring additional infrastructure is the lack of documentation. Not only is there an entirely new network to integrate into the larger enterprise, but with no documentation there is significant risk exposure in addition to the extra labor hours required to integrate an undocumented network.

Unknown network endpoints

The next challenge follows naturally from the others. Undocumented, non-standard networks are unlikely to have any documentation or standards for their endpoints, or even a record of what devices are attaching. What servers, computers, or other devices are endpoints able to connect to? What is the status of their malware protection? How often do they attach? These questions and many like them need to be answered as part of normal security and compliance work, and even more so before integrating an acquired network into the larger enterprise.
Managed And Unmanaged Devices

BYOD: Who's in, who's out?

As discussed previously, demand from both employees and patients to use personal mobile devices to view various types of information, also known as Bring-Your-Own-Device or BYOD, represents a daunting security challenge. How can you accommodate employee and guest requests to use their smartphones, notebooks and tablets on your network while mitigating security risks? Healthcare organizations need to embrace BYOD while preserving security. To accomplish this, IT departments need real-time visibility and control over personal devices on their network that protects data regardless of what type of device employees or visitors are trying to use.

One of the first challenges is to understand the scope of the demand. Who is currently accessing the network? What type of mobile device is it? How many devices are registered in the Mobile Device Management (MDM) portal? Most healthcare enterprises would not be able to answer these questions. In fact, Gartner estimates that the typical enterprise is aware of only 80 percent of the devices that are active on its network.

Managed/unmanaged

As discussed previously, all devices that have potential access to ePHI must have the same kinds of protections as the main ePHI systems within the enterprise. How can this be achieved if devices are unknown, or not owned by the organization? Most medical devices are not members of the back-end domain and cannot have agents installed to manage them. These are challenges that must be met, and protections implemented, to ensure the integrity of ePHI. This includes provisioning, management, security, monitoring and support of mobile and medical devices. Traditionally, healthcare IT departments have purchased management tools that require agents to be installed on endpoint devices. With mobile devices, this means using a mobile device management (MDM) system to install an agent. For corporate-owned devices, this may be acceptable.
But what assurance is there that all devices have been accounted for and have agents installed? What if the user uninstalls the agent? What about personally owned devices? Other types of tools must be evaluated to ensure that all mobile devices are properly managed and controlled.

Figure 2: While desktops and laptops are still the greatest source of compromised devices, there is a significant rise in other types of mobile devices, including smartphones and tablets.**

** Reference to: Third Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute LLC, December
Authentication

Medical and mobile devices must comply with HIPAA authentication requirements. Specifically, (a)(4)(ii)(B) requires that covered entities "Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism." This means that mobile and medical devices should have access to ePHI only after they have been authorized. Additionally, the access privileges of these devices should be in line with their intended use. As per (b), when determining the appropriate use of the devices, covered entities should "specify the proper functions to be performed, and the manner in which those functions are to be performed." Once the access level of these devices has been determined (and documented), a mechanism for proper access authorization should be implemented. But what is required for mobile and medical device authentication? Healthcare IT departments need real-time visibility of personal and mobile devices on their networks, and the ability to limit the network access of these devices in line with their proper function.

Incident response

A proper security incident program should include the following:

- Ownership. Who is responsible for responding to the incident? If a team is responsible, it will need to examine risk assessment reports and help identify potential incidents that are not yet known. Particular attention should be given to medical and mobile devices, as their activity is generally unmanaged.
- Definitions. Healthcare organizations need to determine what constitutes a security incident, how incidents will be classified (e.g., green, yellow, red) and the criteria for those classifications.
- Response plans. Once a security incident has been evaluated and classified, it needs to be responded to. The response should focus on addressing the actual incident and, perhaps more importantly, on recommending preventive measures to mitigate or avoid future incidents. Often the preventive measures are both procedural (policy, procedures, education) and technical (network management tools, intrusion prevention, and monitoring).
- Reviews. After incidents have been evaluated and addressed, healthcare organizations need to make sure that recommendations are reviewed and re-evaluated to ensure they achieve compliance. An idea that makes sense in theory may not work out once implemented.
- Documentation. A HIPAA requirement: security incident reports and activities should be documented and retained for at least six years (see (b)(2)(i)), and potentially longer.

Conclusion

With these daunting challenges facing healthcare IT professionals, what can they do to balance flexible access to information from a plethora of devices (mobile devices, medical devices, corporate and non-corporate) in a way that meets ever-increasing federal and state regulatory standards and keeps corporate networks secure?

Traditional technology solutions called for deploying agents on every device. These agents, in theory, would report back, allowing you to create rules that would guarantee compliance. But in the real world this approach just doesn't work. It is important to decrease the number of unknown devices while at the same time better managing those that are known. This starts by discovering every device connecting to corporate networks, with a solution that does not depend on deploying agents. This becomes a critical requirement in the medical environment, as many medical devices will not accept agents. And for personally owned devices that could technically accept an agent, pushing a corporate agent onto them is simply not practical.

After discovery, verify that the devices are compliant with established security policies. For example, do they have malware protection? Are they running prohibited applications (e.g., Angry Birds)? Are they using encrypted storage? This can be accomplished with next-generation NAC solutions. These solutions offer an automated security control platform that delivers real-time visibility and control of all devices on your network, and provide network access control, endpoint compliance, handheld device security and threat control, all in one automated system, enabling innovative patient care without compromising security. To be truly protected in this difficult security environment, healthcare organizations should look at a pervasive network security solution that can discover devices, enforce policy, and ensure all devices are compliant.
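The discover-then-verify loop described in the "Managed/unmanaged" section and in the conclusion, as an added example in Python that is not part of the original white paper and is not ForeScout code. It reconciles endpoints observed in a DHCP lease file (constructed sample lines in dnsmasq's lease-file layout) against an MDM enrollment export and a biomedical device register (both constructed), sorts each endpoint into the paper's managed / unmanaged-known / unmanaged-unknown categories, and, for agent-managed devices, checks the three policy questions from the conclusion: malware protection running, no prohibited apps, encrypted storage. The lease lines, MAC addresses, inventory records and the "Angry Birds" prohibited-app list are all assumptions for illustration.

```python
"""Reconcile endpoints seen on the wire against what IT thinks it manages.

All inputs below are constructed sample data, not from the white paper:
DHCP lease lines in dnsmasq's lease-file layout, an MDM enrollment export,
and a medical-device register. NAC products do this continuously; this
script shows the logic once, offline.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# dnsmasq lease format: <expiry-epoch> <mac> <ip> <hostname> <client-id>
# ("*" means the field is unknown). Constructed sample data.
DHCP_LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.20.1.11 drkim-iphone 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 10.20.1.12 nurse-tablet-3 01:aa:bb:cc:00:00:02
1700000000 aa:bb:cc:00:00:03 10.20.1.13 * *
1700000000 aa:bb:cc:00:00:04 10.20.1.14 infusion-pump-7 *
1700000000 aa:bb:cc:00:00:05 10.20.1.15 android-7f3a2 01:aa:bb:cc:00:00:05
"""

# Constructed MDM export: devices with an agent that reports posture.
MDM_ENROLLED = {
    "aa:bb:cc:00:00:01": {"owner": "corporate", "av_running": True,
                          "storage_encrypted": True, "apps": ["Epic Haiku"]},
    "aa:bb:cc:00:00:02": {"owner": "corporate", "av_running": False,
                          "storage_encrypted": True, "apps": ["Citrix", "Angry Birds"]},
}

# Constructed biomed register: agentless medical devices, known and
# authorized but unmanaged (no agent can be installed on them).
MEDICAL_REGISTER = {
    "aa:bb:cc:00:00:04": {"type": "infusion pump", "allowed_vlan": "medical"},
}

PROHIBITED_APPS = {"Angry Birds"}  # assumed policy list


@dataclass
class Endpoint:
    mac: str
    ip: str
    hostname: str
    status: str = "unmanaged-unknown"  # managed | unmanaged-known | unmanaged-unknown
    findings: list = field(default_factory=list)


def parse_dhcp_leases(text: str) -> list[Endpoint]:
    """Turn lease-file lines into Endpoint records; skips malformed lines."""
    endpoints = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _expiry, mac, ip, hostname = parts[:4]
        endpoints.append(Endpoint(mac=mac.lower(), ip=ip, hostname=hostname))
    return endpoints


def check_posture(posture: dict) -> list[str]:
    """Evaluate the three policy checks named in the paper's conclusion."""
    findings = []
    if not posture.get("av_running"):
        findings.append("no malware protection running")
    if not posture.get("storage_encrypted"):
        findings.append("storage not encrypted")
    bad = PROHIBITED_APPS.intersection(posture.get("apps", []))
    if bad:
        findings.append("prohibited apps: " + ", ".join(sorted(bad)))
    return findings


def classify(endpoints, mdm=MDM_ENROLLED, register=MEDICAL_REGISTER):
    """Assign each observed endpoint to a management category and record findings."""
    for ep in endpoints:
        if ep.mac in mdm:
            ep.status = "managed"
            ep.findings = check_posture(mdm[ep.mac])
        elif ep.mac in register:
            ep.status = "unmanaged-known"
        else:
            ep.status = "unmanaged-unknown"
            ep.findings = ["not in MDM or device register; quarantine pending identification"]
    return endpoints


def summarize(endpoints):
    """Counts per category, share of endpoints IT already knew about, and
    the managed devices that fail policy."""
    counts = {"managed": 0, "unmanaged-known": 0, "unmanaged-unknown": 0}
    noncompliant = []
    for ep in endpoints:
        counts[ep.status] += 1
        if ep.status == "managed" and ep.findings:
            noncompliant.append(ep.mac)
    known = counts["managed"] + counts["unmanaged-known"]
    visibility_pct = round(100 * known / len(endpoints)) if endpoints else 0
    return {"counts": counts, "visibility_pct": visibility_pct, "noncompliant": noncompliant}


def run(leases=DHCP_LEASES):
    return summarize(classify(parse_dhcp_leases(leases)))


if __name__ == "__main__":
    for ep in classify(parse_dhcp_leases(DHCP_LEASES)):
        print(f"{ep.mac} {ep.ip:<12} {ep.hostname:<16} {ep.status:<18} {'; '.join(ep.findings)}")
    print(run())
```

Running it prints one line per endpoint and a summary. The visibility figure is simply the share of observed endpoints that appear in some inventory, which is the kind of number the Gartner 80 percent estimate refers to; here two of five endpoints are unknown, and one agent-managed tablet fails policy on two counts. In a real deployment the observation side would be a NAC, switch, DHCP or ARP feed rather than a static file, and the "quarantine pending identification" finding would drive a VLAN or ACL change instead of a printed line.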
Works Cited

FDA. (2013, June 13). Safety Communications. Retrieved from FDA.gov.
HealthIT.gov. (2012, March 03). Mobile Devices Roundtable: Safeguarding Health Information.
Orans, L., & Pescatore, J. (2011, October 11). Strategic Road Map for Network Access Control. Gartner.

Additional Resources

NIST Special Publication (PHI at Rest); NIST Special Publication (PHI in Motion); and NIST Special Publication (PHI Disposed).

About ForeScout

ForeScout delivers pervasive network security by allowing organizations to continuously monitor and mitigate security exposures and cyber attacks. The company's CounterACT appliance dynamically identifies and assesses all network users, endpoints and applications to provide complete visibility, intelligence and policy-based mitigation of security issues. ForeScout's open ControlFabric technology allows a broad range of IT security products and management systems to share information and automate remediation actions. Because ForeScout's solutions are easy to deploy, unobtrusive, flexible and scalable, they have been chosen by more than 1,500 enterprises and government agencies. Headquartered in Campbell, California, ForeScout offers its solutions through its network of authorized partners worldwide.

ForeScout Technologies, Inc., 900 E. Hamilton Ave., Suite 300, Campbell, CA, U.S.A.

Products protected by US Patent #6,363,489. All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT, and ControlFabric are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners.
More informationLarry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping
Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control
More informationHIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE
HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation
More informationHIPAA Compliance Guide
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
More informationAppendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice
Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help
More informationHITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
More informationHIPAA DATA SECURITY & PRIVACY COMPLIANCE
HIPAA DATA SECURITY & PRIVACY COMPLIANCE This paper explores how isheriff Cloud Security enables organizations to meet HIPAA compliance requirements with technology and real-time data identification. Learn
More information2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
More informationHealthcare IT Compliance Service. Services > Overview MaaS360 Healthcare IT Compliance Service
Services > Overview MaaS360 Ensure Technical Safeguards for EPHI are Working Monitor firewalls, anti-virus packages, data encryption solutions, VPN clients and other security applications to ensure that
More informationINSERT COMPANY LOGO HERE
INSERT COMPANY LOGO HERE 2014 Frost & Sullivan 1 We Accelerate Growth Technology Innovation Leadership Award Network Security Global, 2014 Frost & Sullivan s Global Research Platform Frost & Sullivan is
More informationHIPAA Compliance Review Analysis and Summary of Results
HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk
More informationAverage annual cost of security incidents
Breaches reported Annual number of data breaches Average annual cost of security incidents Among companies with revenues over $1 billion Regulatory mandates 900 800 700 600 500 400 300 200 100 0 2011 2012
More informationMobile Medical Devices and BYOD: Latest Legal Threat for Providers
Presenting a live 90-minute webinar with interactive Q&A Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Developing a Comprehensive Usage Strategy to Safeguard Health Information and
More informationHow Technology Executives are Managing the Shift to BYOD
A UBM TECHWEB WHITE PAPER SEPTEMBER 2012 How Technology Executives are Managing the Shift to BYOD An analysis of the benefits and hurdles of enabling employees to use their own consumer devices in the
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationHIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationCounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module MaaS360 Version 1.0.1. ForeScout Mobile
CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module Version 1.0.1 ForeScout Mobile Table of Contents About the Integration... 3 ForeScout MDM... 3 Additional Documentation...
More informationEmerging threats for the healthcare industry: The BYOD. By Luca Sambucci www.deepsecurity.us
Emerging threats for the healthcare industry: The BYOD Revolution By Luca Sambucci www.deepsecurity.us Copyright 2013 Emerging threats for the healthcare industry: The BYOD REVOLUTION Copyright 2013 Luca
More information2012 Endpoint Security Best Practices Survey
WHITE PAPER: 2012 ENDPOINT SECURITY BEST PRACTICES SURVEY........................................ 2012 Endpoint Security Best Practices Survey Who should read this paper Small and medium business owners
More informationHow To Buy Nitro Security
McAfee Acquires NitroSecurity McAfee announced that it has closed the acquisition of privately owned NitroSecurity. 1. Who is NitroSecurity? What do they do? NitroSecurity develops high-performance security
More informationTechnical Note. CounterACT: 802.1X and Network Access Control
CounterACT: 802.1X and Contents Introduction...3 What is 802.1X?...3 Key Concepts.... 3 Protocol Operation...4 What is NAC?...4 Key Objectives.... 5 NAC Capabilities.... 5 The Role of 802.1X in NAC...6
More informationCyber Security. John Leek Chief Strategist
Cyber Security John Leek Chief Strategist AGENDA The Changing Business Landscape Acknowledge cybersecurity as an enterprise-wide risk management issue not just an IT issue How to develop a cybersecurity
More informationSecuring BYOD With Network Access Control, a Case Study
Securing BYOD With Network Access Control, a Case Study 29 August 2012 ID:G00226207 Analyst(s): Lawrence Orans VIEW SUMMARY This Case Study highlights how an organization utilized NAC and mobile device
More informationHOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group
HOW TO REALLY IMPLEMENT HIPAA Presented by: Melissa Skaggs Provider Resources Group WHAT IS HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104 191, 110 Stat. 1936,
More informationHealth Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
More informationHoneywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014
Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security
More informationThe Business Case for Security Information Management
The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un
More informationAn Overview of Information Security Frameworks. Presented to TIF September 25, 2013
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
More informationBYOD Policy & Management Part I
Introduction Many of today s endpoints are neither known nor protected. According to Gartner, enterprises are only aware of 80 percent of the devices on their network. Those 20 percent of unknown devices
More informationData Sheet: Endpoint Security Symantec Network Access Control Comprehensive Endpoint Enforcement
Comprehensive Endpoint Enforcement Overview is a complete, end-to-end network access control solution that enables organizations to efficiently and securely control access to corporate networks through
More informationHosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE
Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance
More informationSECURITY RISK ASSESSMENT SUMMARY
Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected
More informationCompliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations
Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased
More informationPreemptive security solutions for healthcare
Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare
More information6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013
Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,
More informationCyber Security An Exercise in Predicting the Future
Cyber Security An Exercise in Predicting the Future Paul Douglas, August 25, 2014 AUDIT & ACCOUNTING + CONSULTING + TAX SERVICES + TECHNOLOGY I www.pncpa.com I www.pntech.net What is Cyber Security? Measures
More informationIf you can't beat them - secure them
If you can't beat them - secure them v1.0 October 2012 Accenture, its logo, and High Performance delivered are trademarks of Accenture. Preface: Mobile adoption New apps deployed in the cloud Allow access
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationUnderstanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions
Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What
More informationARCHITECT S GUIDE: Comply to Connect Using TNC Technology
ARCHITECT S GUIDE: Comply to Connect Using TNC Technology August 2012 Trusted Computing Group 3855 SW 153rd Drive Beaverton, OR 97006 Tel (503) 619-0562 Fax (503) 644-6708 admin@trustedcomputinggroup.org
More informationAuthorized. User Agreement
Authorized User Agreement CareAccord Health Information Exchange (HIE) Table of Contents Authorized User Agreement... 3 CareAccord Health Information Exchange (HIE) Polices and Procedures... 5 SECTION
More informationALERT LOGIC FOR HIPAA COMPLIANCE
SOLUTION OVERVIEW: ALERT LOGIC FOR HIPAA COMPLIANCE AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE Alert Logic provides organizations with the most advanced and cost-effective means to secure their healthcare
More informationHealthcare to Go: Securing Mobile Healthcare Data
Healthcare to Go: Securing Mobile Healthcare Data Lee Kim, Esq. SANS Mobile Device Security Summit 2013 May 30, 2013 Copyright 2013 Lee Kim 1 Why Information Security is Essential for Healthcare Safeguard
More informationCisco Advanced Services for Network Security
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
More informationCA Technologies Healthcare security solutions:
CA Technologies Healthcare security solutions: Protecting your organization, patients, and information agility made possible Healthcare industry imperatives Security, Privacy, and Compliance HITECH/HIPAA
More informationSecurity Management. Keeping the IT Security Administrator Busy
Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching
More informationForeScout CounterACT. Device Host and Detection Methods. Technology Brief
ForeScout CounterACT Device Host and Detection Methods Technology Brief Contents Introduction... 3 The ForeScout Approach... 3 Discovery Methodologies... 4 Passive Monitoring... 4 Passive Authentication...
More informationMy Docs Online HIPAA Compliance
My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several
More informationUnified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES
Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More information4 Steps to Effective Mobile Application Security
Mobile Application Security Whitepaper 4 Steps to Effective Mobile Application Security Table of Contents Executive Summary 3 Mobile Security Risks in Enterprise Environments 4 The Shortcomings of Traditional
More informationHIPAA Compliance Guide
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
More informationWhite Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES
White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate
More informationImplementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind
Page1 Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind The use of electronic medical records (EMRs) to maintain patient information is encouraged today and
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationTelemedicine HIPAA/HITECH Privacy and Security
Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least
More informationWHITEPAPER. Evolve your network strategy to meet new threats and achieve expanded business imperatives. Introduction... 1 The HIPAA Security Rule...
WHITEPAPER HIPAA Requirements Addressed By Bradford s Network Sentry Family Evolve your network strategy to meet new threats and achieve expanded business imperatives Introduction.... 1 The HIPAA Security
More informationThe Protection Mission a constant endeavor
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
More informationHIPAA and HITECH Compliance for Cloud Applications
What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health
More informationCybersecurity Health Check At A Glance
This cybersecurity health check provides a quick view of compliance gaps and is not intended to replace a professional HIPAA Security Risk Analysis. Failing to have more than five security measures not
More informationSANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
More informationPreparing for the HIPAA Security Rule
A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Introduction The Health Insurance Portability and Accountability Act (HIPAA) comprises three sets of standards transactions
More informationHIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help
HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help The Health Information Portability and Accountability Act (HIPAA) Omnibus Rule which will begin to be enforced September 23, 2013,
More information