The Importance of Perimeter Security
|
|
- Blanche Patterson
- 3 years ago
- Views:
Transcription
1 REPRINT FEBRUARY 2013 healthcare financial management association hfma.org a new approach to IT security
2 FEATURE STORY REPRINT FEBRUARY 2013 healthcare financial management association hfma.org a new approach to IT security Information object-level controls have the potential to better protect hospitals from data breaches by building security controls into the information itself. AT A GLANCE > More than 60 percent of healthcare data breaches occur due to the loss, theft, or misuse of portable devices. > Using a common application programming interface across applications and platforms to build and enforce object-level controls in information itself can help providers better protect ephi and other types of digital data. > Information objects can be engineered to be decrypted only when a legitimate user on a known device using an approved application opens them, and to control what the user can do with the information. Historically, protecting electronic personal health information (ephi) in hospitals and health systems has been based on the notion of perimeter security: building a wall around the information so that people who are not supposed to have the information cannot get to it. When people talk about information security, they usually use the phrase protecting our networks, wherein the network is the perimeter. But there are three problems with the perimeter-only approach to managing ephi security: > With the increasing adoption of mobile technologies and applications in health care, the perimeter has become impossible to define, much less protect. > Perimeter-only security ignores the inside threat that exists when a hospital s own staff or others with access to the organization s ephi maliciously or nonmaliciously access or leak protected health information. > IT security tools, which are expensive, are not always designed to prevent ephi from being leaked; rather, some of these tools alert organizations to a potential data breach after the fact or protect only a portion of the perimeter, so that the cost-benefit ratio is less than desired. What we really want is to control the distribution of ephi in hospitals. We want the right information to get to the right users and no further. And we want to be able to control what these users can do with the information they have accessed, so they cannot inadvertently or intentionally deliver it into the wrong hands. And since information has to move from person to person and device to device to be useful, we need persistent distribution control. Information object-level control can enable hospitals to achieve these goals. Defining and Protecting the Perimeter Let s examine why a perimeter-only security approach to protecting ephi is no longer sufficient in today s hospitals and health systems. It used to be that the perimeter of a hospital s IT system was easy to define and protect. The perimeter consisted of a mainframe with directly attached dumb hfma.org FEBRUARY
3 terminals. Unauthorized people were not allowed in the building or given an account to use the system, and access was limited. Now consider what the IT perimeter of hospitals looks like in 2013: What is the perimeter of a desktop computer or a mobile device that is connected to both the hospital network and the Internet? Mobile technologies make perimeter security even harder. As reported in Ponemon s Third Annual Benchmark Study on Patient Privacy and Data Security (December 2012), 81 percent of healthcare organizations permit employees and medical staff to use their own mobile devices to connect to their organization s networks or enterprise systems. However, 54 percent of respondents say they are not confident that these personally owned mobile devices are secure. Another study, released in November 2012, reports that more than 66 percent of nurses use their personal smartphones for clinical communications (Healthcare Without Bounds: Point-of-Care INSIDER NEGLIGENCE CONTINUES TO BE AT THE ROOT OF DATA BREACHES Nature of the Incident (More than One Choice Permitted) Lost or stolen computing device Unintentional employee action Third-party snafu Criminal attack Technical systems glitch Malicious insider Intentional, nonmalicious employee action % 9% 10% 14% 14% 15% 20% 33% 30% 46% 49% 41% 42% 41% 45% 42% 46% 34% 31% 33% 31% Source: Third Annual Benchmark Study on Patient Privacy and Data Security, Ponemon, December Computing for Nursing 2012, Spyglass Consulting Group). However, 95 percent of nurses in the study say that hospital IT departments won t support their use of smartphones, fearing security risks ( Nurses Turning to Unauthorized Smartphones to Meet Data Demands, Network World, Dec. 21, 2012). We buy and use laptops, tablets, and smartphones because they make accessing information from outside the perimeter easy. Almost all constituencies that hospitals serve want their slice of healthcare information and they want it on their mobile devices. The second problem with perimeter-securityonly is the insider threat. We d like to believe that the human nature of healthcare workers mitigates insider risk; however, real-world PHI data breach risks and events reveal a different story ( Top Cause of Data Breaches? Negligent Insiders, Help Net Security, March 22, 2012). The unseen assumption behind perimeter security is that everyone you ve let inside is trustworthy. But honest people with access to hospital networks may not understand or remember information security policies and procedures. They can get conned by an outsider looking for a way in, or they can use computers that are compromised without their knowledge. Worse, not all insiders are honest. We must acknowledge that insider includes anyone (e.g., healthcare workers, contractors, business associates, janitors, patients) with potential access to PHI, regardless of intent. A casual glance at industry surveys and news articles confirms that PHI data breach risks and events originating from insiders are a significant and costly reality within health care. As reported in Ponemon s December 2012 study, the top three causes of a data breach are: > Lost or stolen computing devices (46 percent) > Unintentional employee mistakes (42 percent) > Third-party snafus (42 percent) Moreover, five of the top seven root causes of data breaches are linked to authorized individuals, according to the study. 2 FEBRUARY 2013 healthcare financial management
4 The significance of the insider threat is further validated by a 2011 report that found that 71 percent of healthcare organizations suffered one or more ephi breaches in the course of a year most of which originated from insiders in one form or another (Survey of Patient Privacy Breached, Veriphyr). Employees who snooped at other employees medical records were the most common source of a breach (35 percent), followed by employees who peeked at medical records of friends and relatives (27 percent), loss or theft of physical records (25 percent), and loss or theft of equipment housing patient data (20 percent). Additionally, a May 2012 article by Erica Chickowski notes that more than 60 percent of breaches reported to the U.S. Department of Health and Human Services in response to HIPAA mandates occur due to the loss or theft of portable devices, such as laptops, smartphones, and external drives ( Health Care Unable to Keep Up with Insider Threats, Dark Reading, May 1, 2012). Chickowski cites three major healthcare breaches in April 2012, which alone disclosed nearly 1.1 million healthcare records. The common thread in each was the role of insiders both nonmalicious and malicious in causing the incidents. Human (insider) error was responsible for the loss of 315,000 patient records at one organization when 10 backup disks went missing from a storage facility. In another of the incidents, an employee ed 228,000 Medicaid patient records to himself. These examples underscore the need to acknowledge that anyone with potential access to ephi could pose a threat to the security of this information. The third problem with a perimeter-only security approach is that as the perimeter expands and becomes more complex, so do the number of security tools required to protect the IT perimeter and the cost of acquiring and operating such tools can be high. Additionally, it s often hard to make a financial case for the ever-growing number of security tools because even when they function perfectly, they do not directly secure information; instead, they reinforce some aspect of the perimeter or alert the organization of a breach after the breach has occurred. This is not a call to abandon perimeter security; it is still needed. However, it is not sufficient or economically feasible for providers to rely on a perimeter security approach as the only approach to securing information. That being said, as a practical and legal matter, it is critical for health care to pay attention to the general computing controls emphasized in the Office of Inspector General report Audit of Information Technology Security Included in Health Information Technology Standards. The U.S. Department of Homeland Security also offers a free cyber security evaluation tool for assessing the security posture of cyber systems and networks related to industrial controls and business IT systems ( control_systems/satool.html). How Information Object-Level Controls Can Help Healthcare providers should establish rules to control who can access information and what can be done with the information, regardless of how or where it is distributed or what type of device the information is stored on. Such rules should work across the many applications and edge devices used by providers. Information object-level controls that are built into applications could help providers better protect ephi and other information. An information object encapsulates any form of digital content along with control information about the content. Information objects can include distribution controls designating who can access the information, rules dictating how the information may be used or manipulated, and audit data (e.g., when changes were made to the content, and by whom). This is where today s computing power comes into play. If properly engineered to include the processing power of new edge devices, there is more than enough capacity to protect information in motion and everywhere it is stored. It is critical to include edge-device capacity in any approach hfma.org FEBRUARY
5 QUESTIONS TO ASK IN PROTECTING ephi In addressing ephi security concerns, providers should ask the following questions of their IT vendors: > How will you help our organization retain control of our information, regardless of the platform that the information is located upon? > How will you help our organization prove where information goes, who has used the information, and for what purpose the information was used? > How will you help us interoperate within an industry at the information level to retain control of our information, regardless of the application we are using? > How are you going to help simplify the control of our ephi and make it less expensive to operate? to cybersecurity because increasingly sophisticated edge devices: > Are where most information lives > Have in/out parts for exporting information > Are often portable and easily stolen or captured > Are what users are using and will continue to use Information objects can be separately and distinctly encrypted and kept continually encrypted. They can be engineered so that they are only decrypted when a legitimate user on a known device using an approved application opens them. Contrary to what is sometimes portrayed on television and in the movies, cracking encrypted information is extremely difficult and expensive, especially when there are many information objects, each with a different key. What is the risk of a security breach if all it yields is hundreds or thousands of distinctly encrypted information objects? What is the risk of a stolen laptop, tablet, or phone that contains thousands of distinctly encrypted objects? How much stronger are a provider s ephi controls if applications rather than people are enforcing information security policies, and if access to and use of the information is audited? How much more difficult will it be to inject false information into hospital industrial control systems if the attacker is required to somehow continually replicate distinctly encrypted commands? Making the Transition Moving beyond traditional security controls will require changes in thinking and industry practice. Information security vendors have, for the most part, treated the increase in edge computing power as a problem to be solved rather than an opportunity to be leveraged. Application vendors have, for the most part, assumed that information security was somebody else s problem. The healthcare industry has not invested a great deal of work toward adopting a common information object-level security architecture. That s understandable: Such architecture has only recently become possible. However, this type of information security support is becoming a necessity for healthcare providers. The risks and costs of PHI breaches continue to rise. Healthcare organizations are increasingly being audited for potential and actual security breaches involving ephi. Ninety-four percent of healthcare organizations surveyed for a recent study stated they had recorded at least one data breach from , while 45 percent reported that they had experienced more than five data breaches during this two-year period (Third Annual Benchmark Study on Patient Privacy and Data Security, Ponemon, December 2012). With an estimated annual cost of $7 billion to the healthcare industry, the average economic impact of a breach over a two-year period has increased to $2.4 million, a 20 percent increase since the study was first conducted in 2010, according to researchers. Meanwhile, a 2011 report stating that of the top 10 industry sectors that have experienced data breaches, the healthcare industry ranked first in data breaches recorded, with government education, and finance being the next closest at 14, 13, and 8 percent, respectively (Internet Security Report: 2011 Trends, Symantec). Given the magnitude of risk associated with protecting ephi, regulation will almost certainly require that the healthcare industry shift from passive compliance with security regulations to provable adherence. Perimeter-only security approaches are not enough. About the authors is CEO, Absio Corporation, Denver (dan.kruger@absio.com). is a chief officer, Absio Corporation, Denver (tim.anschutz@absio.com). Reprinted from the February 2013 issue of hfm magazine. Copyright 2013 by Healthcare Financial Management Association, Three Westbrook Corporate Center, Suite 600, Westchester, IL For more information, call HFMA or visit
a new approach to IT security
REPRINT FEBRUARY 2013 healthcare financial management association hfma.org a new approach to IT security FEATURE STORY REPRINT FEBRUARY 2013 healthcare financial management association hfma.org a new approach
More informationTrust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits
HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)
More informationAccess is power. Access management may be an untapped element in a hospital s cybersecurity plan. January 2016. kpmg.com
Access is power Access management may be an untapped element in a hospital s cybersecurity plan January 2016 kpmg.com Introduction Patient data is a valuable asset. Having timely access is critical for
More informationSecurity Is Everyone s Concern:
Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito
More informationDISCOVER, MONITOR AND PROTECT YOUR SENSITIVE INFORMATION Symantec Data Loss Prevention. symantec.com
DISCOVER, MONITOR AND PROTECT YOUR SENSITIVE INFORMATION Symantec Data Loss Prevention symantec.com One of the interesting things we ve found is that a lot of the activity you d expect to be malicious
More informationData Security: Fight Insider Threats & Protect Your Sensitive Data
Data Security: Fight Insider Threats & Protect Your Sensitive Data Marco Ercolani Agenda Data is challenging to secure A look at security incidents Cost of a Data Breach Data Governance and Security Understand
More informationSecond Annual Benchmark Study on Patient Privacy & Data Security
Second Annual Benchmark Study on Patient Privacy & Data Security Sponsored by ID Experts Independently conducted by Ponemon Institute LLC Publication Date: December 2011 Ponemon Institute Research Report
More informationHow To Find Out What People Think About Hipaa Compliance
Healthcare providers attitudes towards HIPAA compliance in 2015 Created July, 27 2015 Healthcare providers attitudes towards HIPAA compliance in 2015 Over the course of this last year the healthcare industry
More informationHIPAA Compliance: Efficient Tools to Follow the Rules
Bank of America Merrill Lynch White Paper HIPAA Compliance: Efficient Tools to Follow the Rules Executive summary Contents The stakes have never been higher for compliance with the Health Insurance Portability
More informationMedical Information Breaches: Are Your Records Safe?
Medical Information Breaches: Are Your Records Safe? Learning Objectives At the conclusion of this presentation the learner will be able to: Recognize the growing risk of data breaches Assess the potential
More informationData Security Breaches: Learn more about two new regulations and how to help reduce your risks
Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches
More informationCyber Security Threats: What s Next and How Do We Reduce the Risks?
Cyber Security Threats: What s Next and How Do We Reduce the Risks? Agenda Cyber Security: A necessity! What threats exist today? What does the future hold? How do we reduce the risks? Key for Risk Reduction
More informationNew privacy and security requirements increase potential legal liability and jeopardize brand reputation.
New privacy and security requirements increase potential legal liability and jeopardize brand reputation. Protect personal health information in motion, in use and at rest with HP access, authentication,
More informationSpectorSoft 2014 Insider Threat Survey
SpectorSoft 2014 Insider Threat Survey An overview of the insider threat landscape and key strategies for mitigating the threat challenge Executive Summary SpectorSoft recently surveyed 355 IT professionals,
More informationUnderstanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions
Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What
More information2012 Endpoint Security Best Practices Survey
WHITE PAPER: 2012 ENDPOINT SECURITY BEST PRACTICES SURVEY........................................ 2012 Endpoint Security Best Practices Survey Who should read this paper Small and medium business owners
More informationThe Basics of HIPAA Privacy and Security and HITECH
The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is
More informationMIND THE GAP INFRASTRUCTURE VS. USER-BASED MONITORING
MIND THE GAP INFRASTRUCTURE VS. USER-BASED MONITORING LACK OF USER ACTIVITY MONITORING EXPOSES COMPANIES TO USER-BASED RISK A lthough every organization wants to believe that all threats are external,
More informationA PRACTICAL GUIDE TO USING ENCRYPTION FOR REDUCING HIPAA DATA BREACH RISK
A PRACTICAL GUIDE TO USING ENCRYPTION FOR REDUCING HIPAA DATA BREACH RISK Chris Apgar Andy Nieto 2015 OVERVIEW How to get started assessing your risk What your options are how to protect PHI What s the
More informationSecurity Compliance, Vendor Questions, a Word on Encryption
Security Compliance, Vendor Questions, a Word on Encryption Alexis Parsons, RHIT, CPC, MA Director, Health Information Services Security/Privacy Officer Shasta Community Health Center aparsons@shastahealth.org
More informationPREP Course #25: Hot Topics in Cyber Security and Database Security. Presented by: Joe Baskin Manager, Information Security, OCIO JBaskin@nshs.
PREP Course #25: Hot Topics in Cyber Security and Database Security Presented by: Joe Baskin Manager, Information Security, OCIO JBaskin@nshs.edu Objectives Discuss hot topics in cyber security and database
More informationU.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems
U.S. Office of Personnel Management Actions to Strengthen Cybersecurity and Protect Critical IT Systems June 2015 1 I. Introduction The recent intrusions into U.S. Office of Personnel Management (OPM)
More informationWhite Paper. Data Breach Mitigation in the Healthcare Industry
White Paper Data Breach Mitigation in the Healthcare Industry Thursday, October 08, 2015 Table of contents 1 Executive Summary 3 2 Personally Identifiable Information & Protected Health Information 4 2.1
More informationBSHSI Security Awareness Training
BSHSI Security Awareness Training Originally developed by the Greater New York Hospital Association Edited by the BSHSI Education Team Modified by HSO Security 7/1/2008 1 What is Security? A requirement
More informationNine Network Considerations in the New HIPAA Landscape
Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant
More informationWhite Paper. HIPAA-Regulated Enterprises. Paper Title Here
White Paper White Endpoint Paper Backup Title Compliance Here Additional Considerations Title for Line HIPAA-Regulated Enterprises A guide for White IT professionals Paper Title Here in healthcare, pharma,
More informationITAR Compliance Best Practices Guide
ITAR Compliance Best Practices Guide 1 Table of Contents Executive Summary & Overview 3 Data Security Best Practices 4 About Aurora 10 2 Executive Summary & Overview: International Traffic in Arms Regulations
More informationEHS Privacy and Information Security
EHS Privacy and Information Security Resident Orientation 26 June 2015 Steve Winter CISSP, CNE, MCSE Senior Information Security Engineer Privacy and Information Security Office Erlanger Health System
More informationData Breach Cost. Risks, costs and mitigation strategies for data breaches
Data Breach Cost Risks, costs and mitigation strategies for data breaches Tim Stapleton, CIPP/US Deputy Global Head of Professional Liability Zurich General Insurance Data Breaches: Greater frequency,
More informationChairman Johnson, Ranking Member Carper, and Members of the committee:
UNITED STATES OFFICE OF PERSONNEL MANAGEMENT STATEMENT OF THE HONORABLE KATHERINE ARCHULETA DIRECTOR U.S. OFFICE OF PERSONNEL MANAGEMENT before the COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
More informationSafeguard Your Hospital. Six Proactive Best Practices to Improve Healthcare Data Security
Safeguard Your Hospital Six Proactive Best Practices to Improve Healthcare Data Security April 2015 A Piece of Paper Can t Cause that Much Harm. Or Can It? Imagine a piece of paper arriving at ABC Hospital
More informationFaster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions
Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions Table of Contents Introduction... 3 1. Data Backup: The Most Critical Part of any IT Strategy...
More informationThe 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance
Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand
More informationImpact of Data Breaches
Research Note Impact of Data Breaches By: Divya Yadav Copyright 2014, ASA Institute for Risk & Innovation Applicable Sectors: IT, Retail Keywords: Hacking, Cyber security, Data breach, Malware Abstract:
More informationAuditing Security: Lessons Learned From Healthcare Security Breaches
Auditing Security: Lessons Learned From Healthcare Security Breaches Adam H. Greene, J.D., M.P.H. Davis Wright Tremaine LLP Washington, D.C. Michael Mac McMillan CynergisTek, Inc. Austin, Texas DISCLAIMER:
More informationNEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16
NEW PERSPECTIVES on Healthcare Risk Management, Control and Governance www.ahia.org Journal of the Association of Heathcare Internal Auditors Vol. 32, No. 3, Fall, 2013 Professional Fee Coding Audit: The
More informationRSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS
RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS Security solutions for patient and provider access AT A GLANCE Healthcare organizations of all sizes are responding to the demands of patients, physicians,
More informationHEALTHCARE & SECURITY OF DATA IN THE CLOUD
HEALTHCARE & SECURITY OF DATA IN THE CLOUD August 2014 LYNLEE ESPESETH Marketing Strategy Associate Denver Fargo Minneapolis 701.235.5525 888.9.sundog FAX: 701.235.8941 www.sundoginteractive.com In this
More informationManaging Cyber & Privacy Risks
Managing Cyber & Privacy Risks NAATP Conference 2013 NSM Insurance Group Sean Conaboy Rich Willetts SEAN CONABOY INSURANCE BROKER NSM INSURANCE GROUP o Sean has been with NSM Insurance Group for the past
More informationPrivacy Rights Clearing House
10/13/15 Cybersecurity in Education What you face as educational organizations How to Identify, Monitor and Protect Presented by Jamie Gershon Sr. Vice President Education Practice Group 1 Privacy Rights
More informationDATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH
DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH Andy Watson Grant Thornton LLP. All rights reserved. CYBERSECURITY 2 SURVEY OF CHIEF AUDIT EXECUTIVES (CAEs) GRANT THORNTON'S 2014 CAE SURVEY Data privacy and
More informationEnsuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services
Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Introduction Patient privacy has become a major topic of concern over the past several years. With the majority of
More informationMy Docs Online HIPAA Compliance
My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several
More information10 Smart Ideas for. Keeping Data Safe. From Hackers
0100101001001010010001010010101001010101001000000100101001010101010010101010010100 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000
More informationBEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security
BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security August 2014 w w w.r e d s p in.c o m Introduction This paper discusses the relevance and usefulness of security penetration
More informationCyber Security An Exercise in Predicting the Future
Cyber Security An Exercise in Predicting the Future Paul Douglas, August 25, 2014 AUDIT & ACCOUNTING + CONSULTING + TAX SERVICES + TECHNOLOGY I www.pncpa.com I www.pntech.net What is Cyber Security? Measures
More informationFIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES
FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES The implications for privacy and security in the emergence of HIEs The emergence of health information exchanges (HIE) is widely
More informationEnterprise Data Protection
PGP White Paper June 2007 Enterprise Data Protection Version 1.0 PGP White Paper Enterprise Data Protection 2 Table of Contents EXECUTIVE SUMMARY...3 PROTECTING DATA EVERYWHERE IT GOES...4 THE EVOLUTION
More informationProtecting What Matters Most. Terry Ray Chief Product Strategist Trending Technologies Session 11
Protecting What Matters Most Terry Ray Chief Product Strategist Trending Technologies Session 11 Cyber attacks are bad and getting Significant economic Stock price fell by 14% Impacted profits by 46% Total
More information2011 Data Breach Notifications Report
2011 Data Breach Notifications Report December 2011 2011 Report on Data Breach Notifications History, Laws and Regulations On October 31, 2007, the Commonwealth s Data Security Breach Law, Mass. Gen. Law
More informationCONNECTED HEALTHCARE. Trends, Challenges & Solutions
CONNECTED HEALTHCARE Trends, Challenges & Solutions Trend > Remote monitoring and telemedicine are growing Digital technology for healthcare is accelerating. Changes are being driven by the digitization
More informationTrust No One Encrypt Everything!
Trust No One Encrypt Everything! Business Primer March 2014 This white paper explores cloud users requirements for data access and sharing, especially in relation to trends in BYOD and personal cloud storage
More informationBeyond passwords: Protect the mobile enterprise with smarter security solutions
IBM Software Thought Leadership White Paper September 2013 Beyond passwords: Protect the mobile enterprise with smarter security solutions Prevent fraud and improve the user experience with an adaptive
More informationWhy Lawyers? Why Now?
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
More informationBig Data, Big Risk, Big Rewards. Hussein Syed
Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data
More informationHIPAA Violations Incur Multi-Million Dollar Penalties
HIPAA Violations Incur Multi-Million Dollar Penalties Whitepaper HIPAA Violations Incur Multi-Million Dollar Penalties Have you noticed how many expensive Health Insurance Portability and Accountability
More informationAftermath of a Data Breach Study
Aftermath of a Data Breach Study Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: January 2012 Ponemon Institute Research Report Aftermath
More informationHIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals
HIPAA New Breach Notification Risk Assessment and Sanctions Policy Incident Management Policy For breaches affecting 1 3 individuals +25 individuals + 500 individuals Focus on: analysis documentation PHI
More informationTOP 3. Reasons to Give Insiders a Unified Identity
TOP 3 Reasons to Give Insiders a Unified Identity Although much publicity around computer security points to hackers and other outside attacks, insider threats can be particularly insidious and dangerous,
More informationWRITTEN TESTIMONY BEFORE THE HEARING ON PROTECTING PERSONAL CONSUMER INFORMATION FROM CYBER ATTACKS AND DATA BREACHES MARCH 26, 2014 2:30 PM
WRITTEN TESTIMONY BEFORE THE SENATE COMMITTEE ON COMMERCE, SCIENCE, & TRANSPORTATION HEARING ON PROTECTING PERSONAL CONSUMER INFORMATION FROM CYBER ATTACKS AND DATA BREACHES MARCH 26, 2014 2:30 PM TESTIMONY
More informationPractical Storage Security With Key Management. Russ Fellows, Evaluator Group
Practical Storage Security With Key Management Russ Fellows, Evaluator Group SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA unless otherwise noted. Member companies
More informationCompromises in Healthcare Privacy due to Data Breaches
Compromises in Healthcare Privacy due to Data Breaches S. Srinivasan, PhD Distinguished Professor of Information Systems Jesse H. Jones School of Business Texas Southern University, Houston, Texas, USA
More informationThe problem with privileged users: What you don t know can hurt you
The problem with privileged users: What you don t know can hurt you FOUR STEPS TO Why all the fuss about privileged users? Today s users need easy anytime, anywhere access to information and services so
More informationFourth Annual Benchmark Study on Patient Privacy & Data Security
Fourth Annual Benchmark Study on Patient Privacy & Data Security Sponsored by ID Experts Independently conducted by Ponemon Institute LLC Publication Date: March 2014 Ponemon Institute Research Report
More information7 VITAL FACTS ABOUT HEALTHCARE BREACHES. www.eset.com
7 VITAL FACTS ABOUT HEALTHCARE BREACHES www.eset.com 7 vital facts about healthcare breaches Essential information for protecting your business and your patients Large breaches of Personal Health Information
More informationStrategies for. Proactively Auditing. Compliance to Mitigate. Matt Jackson, Director Kevin Dunnahoo, Manager
Strategies for 1 Proactively Auditing HIPAA Security Compliance to Mitigate Risk Matt Jackson, Director Kevin Dunnahoo, Manager AHIA 32 nd Annual Conference August 25-28, 2013 Chicago, Illinois www.ahia.org
More informationTeradata and Protegrity High-Value Protection for High-Value Data
Teradata and Protegrity High-Value Protection for High-Value Data 03.16 EB7178 DATA SECURITY Table of Contents 2 Data-Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:
More informationBOARD OF GOVERNORS MEETING JUNE 25, 2014
CYBER RISK UPDATE BOARD OF GOVERNORS MEETING JUNE 25, 2014 EXECUTIVE SUMMARY Cyber risk has become a major threat to organizations around the world, as highlighted in several well-publicized data breaches
More informationCyber Threats: Exposures and Breach Costs
Issue No. 2 THREAT LANDSCAPE Technological developments do not only enhance capabilities for legitimate business they are also tools that may be utilized by those with malicious intent. Cyber-criminals
More informationAnatomy of a Healthcare Data Breach
BUSINESS WHITE PAPER Anatomy of a Healthcare Data Breach Prevention and remediation strategies Anatomy of a Healthcare Data Breach Table of Contents 2 Increased risk 3 Mitigation costs 3 An Industry unprepared
More informationReducing Cyber Risk in Your Organization
Reducing Cyber Risk in Your Organization White Paper 2016 The First Step to Reducing Cyber Risk Understanding Your Cyber Assets With nearly 80,000 cyber security incidents worldwide in 2014 and more than
More informationReducing the Cost and Complexity of Web Vulnerability Management
WHITE PAPER: REDUCING THE COST AND COMPLEXITY OF WEB..... VULNERABILITY.............. MANAGEMENT..................... Reducing the Cost and Complexity of Web Vulnerability Management Who should read this
More informationPreemptive security solutions for healthcare
Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare
More informationACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer
ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING By: Jerry Jackson Compliance and Privacy Officer 1 1 Introduction Welcome to Privacy and Security Training course. This course will help you
More informationThe HITECH Act: Protect Patients and Your Reputation
The HITECH Act: Protect Patients and Your Reputation By: Donna Maassen Director of Compliance, and Privacy & Security Officer Extendicare Health Services, Inc. Table of Contents Executive Summary...3 The
More informationHIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards
More informationIBM Data Security Services for endpoint data protection endpoint encryption solution
Protecting data on endpoint devices and removable media IBM Data Security Services for endpoint data protection endpoint encryption solution Highlights Secure data on endpoint devices Reap benefits such
More informationI ve been breached! Now what?
I ve been breached! Now what? THE AFTERMATH OF A BREACH & STEPS TO REDUCE RISK The number of data breaches in the United States in 2014 hit a record high. And 2015 is not looking any better. There have
More informationHIPAA and Leadership. The Importance of Creating a More Compliance Focused Environment
HIPAA and Leadership The Importance of Creating a More Compliance Focused Environment 1 AGENDA HIPAA Basics The Importance of Leadership in RIM and IG Creating a More Compliance Focused Culture Potential
More informationSecuring Corporate Data and Making Life Easier for the IT Admin Benefits of Pre Boot Network Authentication Technology
20140115 Securing Corporate Data and Making Life Easier for the IT Admin Benefits of Pre Boot Network Authentication Technology TABLE OF CONTENTS What s at risk for your organization? 2 Is your business
More informationGlobal IT Security Risks
Global IT Security Risks June 17, 2011 Kaspersky Lab leverages the leading expertise in IT security risks, malware and vulnerabilities to protect its customers in the best possible way. To ensure the most
More informationPHI- Protected Health Information
HIPAA Policy 2014 The Health Insurance Portability and Accountability Act is a federal law that protects the privacy and security of patients health information and grants certain rights to patients. Clarkson
More informationPlease Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box 80278 Portland, OR 97280 503-384-2538 877-376-1981 503-384-2539 Fax
Please Read This business associate audit questionnaire is part of Apgar & Associates, LLC s healthcare compliance resources, Copyright 2014. This questionnaire should be viewed as a tool to aid in evaluating
More informationFACT SHEET: Ransomware and HIPAA
FACT SHEET: Ransomware and HIPAA A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000
More informationAssessing the Privacy and Security Risk of your Medical Device Inventory Bridget A. Moorman, MSBME, CCE. AAMI-ACCE, Denver, CO, USA June 2015
Assessing the Privacy and Security Risk of your Medical Device Inventory Bridget A. Moorman, MSBME, CCE AAMI-ACCE, Denver, CO, USA June 2015 Overview Data Breach and Security Survey Medical Device Data
More informationHot Topics in IT Security PREP#28 May 1, 2014. David Woska, Ph.D. OCIO Security
Hot Topics in IT Security PREP#28 May 1, 2014 David Woska, Ph.D. OCIO Security CME Disclosure Statement The North Shore LIJ Health System adheres to the ACCME s new Standards for Commercial Support. Any
More informationEncrypting Personal Health Information on Mobile Devices
Ann Cavoukian, Ph.D. Information and Privacy Commissioner/Ontario Number 12 May 2007 Encrypting Personal Health Information on Mobile Devices Section 12 (1) of the Personal Health Information Protection
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More informationCollateral Effects of Cyberwar
Your texte here. Collateral Effects of Cyberwar by Ilia Kolochenko for Geneva Information Security Day 9 th of October 2015 Quick Facts and Numbers About Cybersecurity In 2014 the annual cost of global
More informationSecurity and Privacy of Electronic Medical Records
White Paper Security and Privacy of Electronic Medical Records McAfee SIEM and FairWarning team up to deliver a unified solution Table of Contents Executive Overview 3 Healthcare Privacy and Security Drivers
More informationThis presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in
This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American
More informationDATA SECURITY HACKS, HIPAA AND HUMAN RISKS
DATA SECURITY HACKS, HIPAA AND HUMAN RISKS MSCPA HEALTH CARE SERVICES SEMINAR Ken Miller, CPA, CIA, CRMA, CHC, CISA Senior Manager, Healthcare HORNE LLP September 25, 2015 AGENDA 2015 The Year of the Healthcare
More informationHIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013
Office of the Secretary Office for Civil Rights () HIPAA Enforcement Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services December 18, 2013 Presentation Overview s investigative
More informationEnsuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services
Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services 1 Contents 3 Introduction 5 The HIPAA Security Rule 7 HIPAA Compliance & AcclaimVault Backup 8 AcclaimVault Security and
More informationArchitecting Security to Address Compliance for Healthcare Providers
Architecting Security to Address Compliance for Healthcare Providers What You Need to Know to Help Comply with HIPAA Omnibus, PCI DSS 3.0 and Meaningful Use November, 2014 Table of Contents Background...
More informationEnsuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services
Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Page 2 of 8 Introduction Patient privacy has become a major topic of concern over the past several years. With the majority
More informationBridging the HIPAA/HITECH Compliance Gap
CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According
More informationHIPAA and Health Information Privacy and Security
HIPAA and Health Information Privacy and Security Revised 7/2014 What Is HIPAA? H Health I Insurance P Portability & A Accountability A - Act HIPAA Privacy and Security Rules were passed to protect patient
More information