Trend Micro Healthcare Compliance Solutions

Transcription

1 How Trend Micro s innovative security solutions help healthcare organizations address risk and compliance challenges WHITE Worry-Free Business Security Fast, effective, and simple protection against viruses and cybercriminals so you can focus on your patients instead of worrying about Internet security.

2 Overview of Features Worry-Free Business Security is a comprehensive security solution for small organizations and practices, providing anti-virus, anti-spyware, web filtering, and data loss prevention via USB devices and . Worry-Free Business Security is made from the DNA of Trend Micro s large enterprise solutions, scaled and simplified for small organization needs. Worry-Free Business Security leverages Trend Micro s Smart Protection Network which uses global threat sensors and in-depth data analysis to identify and block viruses, spyware, spam, and other web threats before they reach your organization s machines without impacting computing resources. Antivirus, Anti-spyware, and Web Filtering New viruses or variants on viruses are published every second. In 2010, there were on average over 54,000 1 new viruses or variants released every day! While there are many vectors for propagating a virus to infect new machines, generally the most common are via the web or via an attachment in . Both are simple and efficient, spreading the malicious software quickly by relying on the lack of awareness by a user. By leveraging Trend Micro s Smart Protection Network, Worry-Free Business Security can evaluate the reputation of an sender or a webpage URL. This technology, which is the only solution capable of this, can block a webpage that has malicious content on it be it from an or navigating directly to it via a web browser, block the of known spammers, and analyze file attachments to protect against malicious files sent from known individuals a common means of spreading viruses or other malware. Because everything is performed in the cloud, before an even reaches a user s machine, there is negligible impact to the user and the solution is always up-to-date. Desktop URL filtering provides an added layer of protection, allowing an organization to restrict the ability of its employees from gaining unprotected access to personal, web-based like Yahoo or Google, social media sites like Facebook, or generally non-business related and known malicious sites. This not only reduces the likelihood of threats infecting machines, but prevents data leakage through non-company managed communication systems and enables productivity management of employees by limiting web access to only those sites required for an individual s job function. Data Loss Prevention An individual in a healthcare setting who is attempting to send data outside of the organization in an unprotected manner, be it authorized or unauthorized, he/she is likely to first attempt to send the information via company , then personal via the web, and finally via a USB drive. These most common vectors should be protected, either requiring encryption or blocking the transmission medium completely. With Worry-Free Business Security, outbound can be scanned and analyzed to identify and block sensitive information. This could be information like credit cards, social security numbers, member ID, or other specific words or alpha numeric codes setup by the organization. In the case of attached devices, any connections over USB can be blocked or controlled to minimize the risk of data loss on a mobile device. Looking back to the HHS data, nearly 16% of 1 AV-Test s Malware Repository (Collection) Statistics, 2

3 breaches experienced involved removable media like a USB drive. With Worry-Free Business Security, users can be setup in groups to restrict their ability to read or write to a device, or to completely block USB ports all together. Worry-Free Business Security also blocks the auto-run utility of Windows, which automatically searches for and runs an.exe or setup file on a device and is a common means of propagating viruses through laptops. Management Worry-Free Business Security is deployed with a centralized management console. The console provides a simple stoplight dashboard (i.e., red, yellow, green) of the solution, environment, and threats to the organization s environment. With the system, the dashboard provides visibility into patching and whether the system and its security are up-to-date, groups setup for USB management, and policies and keywords for data loss. With threats, the dashboard provides information on if there is an infection, sites and URLs blocked, and s blocked. These kinds of metrics are critical for exhibiting security maturity and meeting common requirements like HIPAA and Meaningful Use. Deployment The Worry-Free Business Security family of products are designed for small organizations and practices. Because of this, a simple, cost-effective way to deploy the solution and a majority of the features discussed above is through a software as a service (SaaS) model hosted by Trend Micro. This includes a web-based management console, virus protection, and web filtering. More robust on-premise solutions are available as well. These require a Windows server. Because the solution is local and more integrated into the machines within the environment, device control and outbound filtering are included. 3

4 Integrating into a Healthcare Environment 4

5 COMPLIANCE MAPPING Product Feature: Antivirus HITRUST CSF 2011 Control Reference HIPAA Security Rule HITECH Breach Notification PCI DSS v (Stage 1) Meaningful Use Stage 1 Measure 01.v Information Access Restriction - Level 2 01.y Teleworking - Level 1 09.j Controls Against Malicious Code - Level 1 / 2 09.k Controls Against Mobile Code - Level 1 / 2 09.s Information Exchange Policies and Procedures - Level 1 (a)(5)(ii)(b) Protection from malicious software (Addressable) Regulation not covered Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software 5.2 Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs (d)(15)(ii) / (f)(14)(ii) Conduct or review a security risk analysis per 45 CFR (a)(1) and implement updates as necessary and correct identified security deficiencies as part of the EP s, eligible hospital s or CAH s risk management process 5

6 COMPLIANCE MAPPING Product Feature: Anti-spam HITRUST CSF 2011 Control Reference HIPAA Security Rule HITECH Breach Notification PCI DSS v (Stage 1) Meaningful Use Stage 1 Measure 09.j Controls Against Malicious Code - Level 2 (a)(5)(ii)(b) Protection from malicious software (Addressable) Regulation not covered Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software 5.2 Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs (d)(15)(ii) / (f)(14)(ii) Conduct or review a security risk analysis per 45 CFR (a)(1) and implement updates as necessary and correct identified security deficiencies as part of the EP s, eligible hospital s or CAH s risk management process 6

7 COMPLIANCE MAPPING Product Feature: Web Filtering HITRUST CSF 2011 Control Reference HIPAA Security Rule HITECH Breach Notification PCI DSS v (Stage 1) Meaningful Use Stage 1 Measure 06.e Prevention of Misuse of Information Assets - Level 1 09.j Controls Against Malicious Code - Level 1 / 2 09.k Controls Against Mobile Code - Level 1 / 2 (a)(5)(ii)(b) Protection from malicious software (Addressable) Regulation not covered Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software 5.2 Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs (d)(15)(ii) / (f)(14)(ii) Conduct or review a security risk analysis per 45 CFR (a)(1) and implement updates as necessary and correct identified security deficiencies as part of the EP s, eligible hospital s or CAH s risk management process 7

8 COMPLIANCE MAPPING Product Feature: Data Loss Prevention HITRUST CSF 2011 Control Reference HIPAA Security Rule HITECH Breach Notification PCI DSS v (Stage 1) Meaningful Use Stage 1 Measure 09.s Information Exchange Policies and Procedures - Level 1 09.v Electronic Messaging - Level 1 (e)(1) Transmission Security Regulation not covered 4.2 Never send unprotected PANs by end-user messaging technologies (for example, , instant messaging, chat, etc.) (d)(15)(ii) / (f)(14)(ii) Conduct or review a security risk analysis per 45 CFR (a)(1) and implement updates as necessary and correct identified security deficiencies as part of the EP s, eligible hospital s or CAH s risk management process 8

9 COMPLIANCE MAPPING Product Feature: Device Control HITRUST CSF 2011 Control Reference HIPAA Security Rule HITECH Breach Notification PCI DSS v (Stage 1) Meaningful Use Stage 1 Measure 07.c Acceptable Use of Assets - Level 1 08.k Security of Equipment Off-Premises - Level 1 09.o Management of Removable Media - Level 1 / 2 / 3 09.q Information Handling Procedures - Level 1 / 2 (d)(1) Receipt and Removal Regulation not covered 9.8 Ensure management approves any and all media that is moved from a secured area (especially when media is distributed to individuals). (d)(15)(ii) / (f)(14)(ii) Conduct or review a security risk analysis per 45 CFR (a)(1) and implement updates as necessary and correct identified security deficiencies as part of the EP s, eligible hospital s or CAH s risk management process 9

10 Future Trends Looking forward, Trend Micro has two primary objectives for Worry-Free Business Security: 1. Continue to enhance the simplicity in deployment and management 2. Build upon existing features, enhancing the efficiency in how they protect an environment and the effectiveness of all deployment models Making security fast, effective and simple is a key driver for Trend Micro and with the Worry-Free Business Security family Trend Micro will continue to provide just that. Improving performance is an area they have addressed and will continue to address with future versions. In addition, adding functionality to keep healthcare organizations or practices more secure with less administrative work is on the horizon. 10