Secure Endpoint Management Presented by Kinette Crain and Brad Lewis
Brad Lewis - Service Specialist
- 14 years of IT experience
- In-House Support Manager
- Network Administrator
Assessing Risk: A Path to Action
Kinette Crain - Services Analyst
- Managed IT Sales Manager
- IT Education Manager
- IT and Software Installation & Project Management
Regulatory Requirements
- HIPAA - 1996
- HITECH - 2009
- Omnibus - 2013
EHR Incentive Program: http://www.cms.gov/regulations-and-guidance/legislation/ehrincentiveprograms/downloads/stage2_hospitalcore_7_protectelectronichealthinfo.pdf
Compliance Audits
Meaningful Use:
- Pre- and post-payment audits
- Maintain supporting documentation, including risk assessments
- 5-10% can expect audits, including a random selection process
HIPAA Compliance:
- There is still a lot of work to be done to ensure compliance
- Few had conducted complete or accurate risk assessments
- The reasonableness and appropriateness of encryption must be addressed
How are we measuring up? http://www.healthcareinfosecurity.com/whats-ahead-for-hipaa-audits-a-5647/p-2
Business Pressures
- Consumerization of IT
- BYOD initiatives
What are your challenges?
Endpoint Protection
Definition: Endpoint protection refers to a methodology and strategy for protecting your facility's network so that it complies with security standards. Endpoints include PCs, laptops, smartphones, and other wireless and mobile devices.
What is endpoint protection?
Administrative Safeguards
- Security Management
- Data Encryption
- Secure Risk Assessment
- Mobile Device Management
Administrative Safeguards
- Decide: Understand the risks to your organization before you decide which endpoint devices will be allowed.
- Assess: Consider how endpoint devices affect the risks (threats and vulnerabilities) to the health information your organization holds.
- Identify: Identify your organization's mobile device risk management strategy, including privacy and security safeguards.
- Document: Develop, document, and implement the organization's endpoint security policies and procedures to safeguard health information.
- Train: Conduct endpoint privacy and security awareness training for providers and professionals.
Do I have a comprehensive policy?
Security Management
Strategy and key benefits:
Malicious Software Protection
- Minimal system resources
- Scans removable storage
- Central Management Console
Media Sanitization
- Procedure for all endpoint types
Patch Management
- Automated patch deployment
- Comprehensive reporting
- Patch compliance
Remote Monitoring & Management (RMM)
- User-defined monitoring & alerts
- Alert messaging
- Log monitoring
Is your security centrally managed?
Data Encryption
Key benefits:
- Comprehensive multi-platform coverage
- Ease of deployment
- Central Management Console
- Compliance with privacy mandates
- AES-NI hardware chipset compatibility
- Password recovery options
Do you have a data encryption strategy?
Meaningful Use Stage 2
The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of ePHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose not to implement the implementation specification or any equivalent alternative measure, and must document the rationale for this decision.
Is encryption mandatory?
Audit Findings
- Encryption is an addressable implementation specification
- Most entities that went through the addressable analysis did encrypt
- Those that don't encrypt generally didn't go through the analysis
How are we measuring up? http://www.healthcareinfosecurity.com/whats-ahead-for-hipaa-audits-a-5647/p-2
Data Encryption
Common myths surrounding data encryption:
- Passwords protect laptops
- Data encryption is not practical
- Data encryption solutions are hard to manage
- Data encryption is too expensive
Do these myths exist at your facility?
Mobile Device Management
Strategy:
- Document your policy
- Consider embracing BYOD
- Communicate responsibility
- Take access control seriously
- Follow best practices
Are mobile devices managing you?
Are you ready?
- Establish Administrative Safeguards
- Conduct a Security Risk Assessment
- Establish Security Management
- Apply Data Encryption where appropriate
- Implement a Mobile Device Management platform
Customer Implementation
[Chart: Implementation Percentage (0-100%) for Malicious Software Protection, Remote Mgmt System, Data Encryption, and Mobile Device Mgmt, plotted against Risk of Loss / Theft]
Implications
- Sutter Health: $,$$$,$$$
- Affinity Health Plan: $1,200,000
- Idaho State University: $400,000
- Hospice of North Idaho: $50,000
What if I do nothing? http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples
10 Largest HIPAA Breaches of 2012 (individuals affected)
- Utah Department of Health: 780,000
- Emory Healthcare: 315,000
- South Carolina Department of Health and Human Services: 228,435
- Alere Home Monitoring: 116,506
- Memorial Healthcare System: 102,153
- Howard University Hospital: 66,601
- Apria Healthcare: 65,750
- The University of Miami: 64,846
- Safe Ride Services: 42,000
- Integrated Medical Services: 36,609
Could it happen to you? http://www.healthcareitnews.com/news/10-largest-hipaa-breaches-2012?page=0
Consumer Backlash (Research link)
- 1 in 4 consumers involved in a data breach become a fraud victim
- Consumers with stolen SSNs were 5 times more likely to become a victim
- Advocate Health Care: class action lawsuit filed on behalf of 4 million patients
- Massachusetts medical group pays $140,000 in privacy suit
What will happen next?
Conclusion
- Business Drivers
- Regulatory Pressures
- Consumer Backlash
- Endpoint Protection
Questions?
Marty Toland - Managed IT Services Director
- Oversees the implementation and management of the Managed IT Services division
- CPSI Networking & Internet Services Director
info@trubridge.net
Join the Conversation
- Keyword: TruBridge
- facebook.com/trubridgeservices
- www.trubridge.net
- @trubridgesvc
Thank You!