a new approach to IT security




REPRINT FEBRUARY 2013 healthcare financial management association hfma.org a new approach to IT security

FEATURE STORY

Information object-level controls have the potential to better protect hospitals from data breaches by building security controls into the information itself.

AT A GLANCE

> More than 60 percent of healthcare data breaches occur due to the loss, theft, or misuse of portable devices.
> Using a common application programming interface across applications and platforms to build and enforce object-level controls in information itself can help providers better protect ephi and other types of digital data.
> Information objects can be engineered to be decrypted only when a legitimate user on a known device using an approved application opens them, and to control what the user can do with the information.

Historically, protecting electronic personal health information (ephi) in hospitals and health systems has been based on the notion of perimeter security: building a wall around the information so that people who are not supposed to have the information cannot get to it. When people talk about information security, they usually use the phrase "protecting our networks," wherein the network is the perimeter. But there are three problems with the perimeter-only approach to managing ephi security:

> With the increasing adoption of mobile technologies and applications in health care, the perimeter has become impossible to define, much less protect.
> Perimeter-only security ignores the inside threat that exists when a hospital's own staff or others with access to the organization's ephi maliciously or nonmaliciously access or leak protected health information.
> IT security tools, which are expensive, are not always designed to prevent ephi from being leaked; rather, some of these tools alert organizations to a potential data breach after the fact or protect only a portion of the perimeter, so that the cost-benefit ratio is less than desired.
What we really want is to control the distribution of ephi in hospitals. We want the right information to get to the right users and no further. And we want to be able to control what these users can do with the information they have accessed, so they cannot inadvertently or intentionally deliver it into the wrong hands. And since information has to move from person to person and device to device to be useful, we need persistent distribution control. Information object-level control can enable hospitals to achieve these goals.

Defining and Protecting the Perimeter

Let's examine why a perimeter-only security approach to protecting ephi is no longer sufficient in today's hospitals and health systems. It used to be that the perimeter of a hospital's IT system was easy to define and protect. The perimeter consisted of a mainframe with directly attached dumb terminals. Unauthorized people were not allowed in the building or given an account to use the system, and access was limited. Now consider what the IT perimeter of hospitals looks like in 2013: What is the perimeter of a desktop computer or a mobile device that is connected to both the hospital network and the Internet?

Mobile technologies make perimeter security even harder. As reported in Ponemon's Third Annual Benchmark Study on Patient Privacy and Data Security (December 2012), 81 percent of healthcare organizations permit employees and medical staff to use their own mobile devices to connect to their organization's networks or enterprise systems. However, 54 percent of respondents say they are not confident that these personally owned mobile devices are secure. Another study, released in November 2012, reports that more than 66 percent of nurses use their personal smartphones for clinical communications (Healthcare Without Bounds: Point-of-Care Computing for Nursing 2012, Spyglass Consulting Group). However, 95 percent of nurses in the study say that hospital IT departments won't support their use of smartphones, fearing security risks ("Nurses Turning to Unauthorized Smartphones to Meet Data Demands," Network World, Dec. 21, 2012). We buy and use laptops, tablets, and smartphones because they make accessing information from outside the perimeter easy.

[Chart: INSIDER NEGLIGENCE CONTINUES TO BE AT THE ROOT OF DATA BREACHES. Nature of the incident (more than one choice permitted), 2010, 2011, and 2012 results: lost or stolen computing device; unintentional employee action; third-party snafu; criminal attack; technical systems glitch; malicious insider; intentional, nonmalicious employee action. Source: Third Annual Benchmark Study on Patient Privacy and Data Security, Ponemon, December 2012.]
Almost all constituencies that hospitals serve want their slice of healthcare information, and they want it on their mobile devices.

The second problem with perimeter-only security is the insider threat. We'd like to believe that the human nature of healthcare workers mitigates insider risk; however, real-world PHI data breach risks and events reveal a different story ("Top Cause of Data Breaches? Negligent Insiders," Help Net Security, March 22, 2012). The unseen assumption behind perimeter security is that everyone you've let inside is trustworthy. But honest people with access to hospital networks may not understand or remember information security policies and procedures. They can get conned by an outsider looking for a way in, or they can use computers that are compromised without their knowledge. Worse, not all insiders are honest. We must acknowledge that "insider" includes anyone (e.g., healthcare workers, contractors, business associates, janitors, patients) with potential access to PHI, regardless of intent.

A casual glance at industry surveys and news articles confirms that PHI data breach risks and events originating from insiders are a significant and costly reality within health care. As reported in Ponemon's December 2012 study, the top three causes of a data breach are:

> Lost or stolen computing devices (46 percent)
> Unintentional employee mistakes (42 percent)
> Third-party snafus (42 percent)

Moreover, five of the top seven root causes of data breaches are linked to authorized individuals, according to the study.

The significance of the insider threat is further validated by a 2011 report that found that 71 percent of healthcare organizations suffered one or more ephi breaches in the course of a year, most of which originated from insiders in one form or another (Survey of Patient Privacy Breached, Veriphyr). Employees who snooped at other employees' medical records were the most common source of a breach (35 percent), followed by employees who peeked at medical records of friends and relatives (27 percent), loss or theft of physical records (25 percent), and loss or theft of equipment housing patient data (20 percent).

Additionally, a May 2012 article by Erica Chickowski notes that more than 60 percent of breaches reported to the U.S. Department of Health and Human Services in response to HIPAA mandates occur due to the loss or theft of portable devices, such as laptops, smartphones, and external drives ("Health Care Unable to Keep Up with Insider Threats," Dark Reading, May 1, 2012). Chickowski cites three major healthcare breaches in April 2012, which alone disclosed nearly 1.1 million healthcare records. The common thread in each was the role of insiders, both nonmalicious and malicious, in causing the incidents. Human (insider) error was responsible for the loss of 315,000 patient records at one organization when 10 backup disks went missing from a storage facility. In another of the incidents, an employee emailed 228,000 Medicaid patient records to himself. These examples underscore the need to acknowledge that anyone with potential access to ephi could pose a threat to the security of this information.

The third problem with a perimeter-only security approach is that as the perimeter expands and becomes more complex, so does the number of security tools required to protect the IT perimeter, and the cost of acquiring and operating such tools can be high.
Additionally, it's often hard to make a financial case for the ever-growing number of security tools because even when they function perfectly, they do not directly secure information; instead, they reinforce some aspect of the perimeter or alert the organization of a breach after the breach has occurred.

This is not a call to abandon perimeter security; it is still needed. However, it is not sufficient or economically feasible for providers to rely on a perimeter security approach as the only approach to securing information. That being said, as a practical and legal matter, it is critical for health care to pay attention to the general computing controls emphasized in the Office of Inspector General report Audit of Information Technology Security Included in Health Information Technology Standards. The U.S. Department of Homeland Security also offers a free cyber security evaluation tool for assessing the security posture of cyber systems and networks related to industrial controls and business IT systems (www.us-cert.gov/control_systems/satool.html).

How Information Object-Level Controls Can Help

Healthcare providers should establish rules to control who can access information and what can be done with the information, regardless of how or where it is distributed or what type of device the information is stored on. Such rules should work across the many applications and edge devices used by providers. Information object-level controls that are built into applications could help providers better protect ephi and other information. An information object encapsulates any form of digital content along with control information about the content. Information objects can include distribution controls designating who can access the information, rules dictating how the information may be used or manipulated, and audit data (e.g., when changes were made to the content, and by whom). This is where today's computing power comes into play.
If properly engineered to include the processing power of new edge devices, there is more than enough capacity to protect information in motion and everywhere it is stored. It is critical to include edge-device capacity in any approach to cybersecurity because increasingly sophisticated edge devices:

> Are where most information lives
> Have in/out ports for exporting information
> Are often portable and easily stolen or captured
> Are what users are using and will continue to use

QUESTIONS TO ASK IN PROTECTING ephi

In addressing ephi security concerns, providers should ask the following questions of their IT vendors:

> How will you help our organization retain control of our information, regardless of the platform that the information is located upon?
> How will you help our organization prove where information goes, who has used the information, and for what purpose the information was used?
> How will you help us interoperate within an industry at the information level to retain control of our information, regardless of the application we are using?
> How are you going to help simplify the control of our ephi and make it less expensive to operate?

Information objects can be separately and distinctly encrypted and kept continually encrypted. They can be engineered so that they are only decrypted when a legitimate user on a known device using an approved application opens them. Contrary to what is sometimes portrayed on television and in the movies, cracking encrypted information is extremely difficult and expensive, especially when there are many information objects, each with a different key. What is the risk of a security breach if all it yields is hundreds or thousands of distinctly encrypted information objects? What is the risk of a stolen laptop, tablet, or phone that contains thousands of distinctly encrypted objects? How much stronger are a provider's ephi controls if applications rather than people are enforcing information security policies, and if access to and use of the information is audited?
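The information object defined at the start of this section (content plus distribution controls, usage rules and audit data) and the decrypt-only-for-a-legitimate-user-on-a-known-device rule just described, worked through as an added Python example; this is not Absio's product or the authors' code. It assumes the caller already holds the object's key (a key service releasing it per user and device is out of scope), uses an HMAC-SHA256 counter-mode keystream as a standard-library stand-in for an AEAD cipher such as AES-GCM, and the user, device and application names are constructed sample values.

```python
"""An information object whose content is encrypted under its own key and whose
access policy is authenticated together with the ciphertext (added example)."""
import hashlib
import hmac
import json
import os
import time
from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when the enforcing application refuses to decrypt."""


@dataclass
class InformationObject:
    policy: dict            # who, on which device, in which app, may do what
    nonce: bytes
    ciphertext: bytes
    tag: bytes              # MAC over policy + nonce + ciphertext
    audit: list = field(default_factory=list)


def _subkey(object_key: bytes, label: bytes) -> bytes:
    return hmac.new(object_key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream: a stand-in for AES-GCM so
    # that the example runs on the standard library alone (assumption, see lead-in).
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _tag(object_key: bytes, policy: dict, nonce: bytes, ct: bytes) -> bytes:
    # The policy header is authenticated with the ciphertext, so a stolen copy
    # cannot be re-labelled to admit another user, device or action undetected.
    header = json.dumps(policy, sort_keys=True).encode()
    return hmac.new(_subkey(object_key, b"mac"), header + nonce + ct, hashlib.sha256).digest()

def seal(content: bytes, policy: dict, object_key: bytes) -> InformationObject:
    """Encrypt content under a key unique to this object (one key per object)."""
    nonce = os.urandom(16)
    ct = _xor(content, _keystream(_subkey(object_key, b"enc"), nonce, len(content)))
    return InformationObject(policy, nonce, ct, _tag(object_key, policy, nonce, ct))

def open_object(obj: InformationObject, object_key: bytes, user: str, device: str,
                app: str, action: str = "view") -> bytes:
    """Decrypt only for a permitted (user, device, app, action); every attempt,
    granted or refused, is appended to the object's audit trail. Assumption: the
    caller supplies the key (a key service would release it per user and device)."""
    entry = {"ts": time.time(), "user": user, "device": device, "app": app, "action": action}
    obj.audit.append(entry)
    if not hmac.compare_digest(obj.tag, _tag(object_key, obj.policy, obj.nonce, obj.ciphertext)):
        entry["result"] = "refused: wrong key or altered object"
        raise PolicyViolation(entry["result"])
    checks = {"user": user in obj.policy["users"], "device": device in obj.policy["devices"],
              "app": app in obj.policy["apps"], "action": action in obj.policy["permissions"]}
    failed = [name for name, ok in checks.items() if not ok]
    if failed:
        entry["result"] = "refused: " + ", ".join(failed)
        raise PolicyViolation(entry["result"])
    entry["result"] = "granted"
    return _xor(obj.ciphertext,
                _keystream(_subkey(object_key, b"enc"), obj.nonce, len(obj.ciphertext)))

if __name__ == "__main__":
    # Constructed sample: one lab result, readable by one clinician on one known
    # tablet through the approved viewer, view-only (no export right).
    key, policy = os.urandom(32), {"users": ["dr.lee"], "devices": ["tablet-17"],
                                   "apps": ["emr-viewer"], "permissions": ["view"]}
    obj = seal(b"MRN 0001: potassium 4.1 mmol/L", policy, key)
    print(open_object(obj, key, "dr.lee", "tablet-17", "emr-viewer"), obj.audit)
```

Opening the object on an unknown device, requesting an action the policy does not grant, supplying another object's key, or editing the policy on a copy all fail the same way: the application refuses and the attempt is recorded in the object's audit trail.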
How much more difficult will it be to inject false information into hospital industrial control systems if the attacker is required to somehow continually replicate distinctly encrypted commands?

Making the Transition

Moving beyond traditional security controls will require changes in thinking and industry practice. Information security vendors have, for the most part, treated the increase in edge computing power as a problem to be solved rather than an opportunity to be leveraged. Application vendors have, for the most part, assumed that information security was somebody else's problem. The healthcare industry has not invested a great deal of work toward adopting a common information object-level security architecture. That's understandable: Such architecture has only recently become possible. However, this type of information security support is becoming a necessity for healthcare providers.

The risks and costs of PHI breaches continue to rise. Healthcare organizations are increasingly being audited for potential and actual security breaches involving ephi. Ninety-four percent of healthcare organizations surveyed for a recent study stated they had recorded at least one data breach from 2010-12, while 45 percent reported that they had experienced more than five data breaches during this two-year period (Third Annual Benchmark Study on Patient Privacy and Data Security, Ponemon, December 2012). With an estimated annual cost of $7 billion to the healthcare industry, the average economic impact of a breach over a two-year period has increased to $2.4 million, a 20 percent increase since the study was first conducted in 2010, according to researchers. Meanwhile, a 2011 report states that of the top 10 industry sectors that have experienced data breaches, the healthcare industry ranked first in data breaches recorded, with government, education, and finance being the next closest at 14, 13, and 8 percent, respectively (Internet Security Report: 2011 Trends, Symantec).
Given the magnitude of risk associated with protecting ephi, regulation will almost certainly require that the healthcare industry shift from passive compliance with security regulations to provable adherence. Perimeter-only security approaches are not enough.

About the authors

is CEO, Absio Corporation, Denver (dan.kruger@absio.com).

is a chief officer, Absio Corporation, Denver (tim.anschutz@absio.com).

Reprinted from the February 2013 issue of hfm magazine. Copyright 2013 by Healthcare Financial Management Association, Three Westbrook Corporate Center, Suite 600, Westchester, IL 60154-5732. For more information, call 1-800-252-HFMA or visit www.hfma.org.

WEB EXTRA

The Limitations of Cloud Computing in Controlling Information Security

In the beginning, compute power was concentrated in mainframe computers. Edge devices were dumb terminals that couldn't connect to anything but the mainframe. The network era has been a constant process of increasing compute power at the edge. PCs, laptops, tablets, smartphones, diagnostic and monitoring equipment, medical devices, and industrial controls have increased compute capacity in ever-smaller forms.

Cloud computing is, in a way, an attempt to return to the mainframe model: to centralize compute power in massive server farms and use software on smart edge devices that act as pretty-but-dumb terminals for accessing information from the cloud. But inherent problems prevent the cloud from being a complete solution for controlling the distribution of information:

> Edge devices that are accessing the cloud act as dumb terminals, but they are not dumb. They are tremendously capable computers that host myriad applications that can be used as vehicles to defeat cloud security.
> It is not always possible to access the cloud. We are years away, if ever, from bandwidth nirvana. There are far too many situations where work cannot get done because no connection is available, the connection is intermittent, or bandwidth is insufficient.
> Cloud computing requires that the hospital pay for all of the compute and connection capacity. The compute power of edge devices is more or less thrown away, and each new edge device increases the requirement for bandwidth and central computing capacity.
> The cloud data center defines a secure perimeter, but it does not address securing data when data leave the data center.

How do we harness the power of the cloud and leverage the efficiencies of edge devices without sacrificing security? We do it by locating control in the information itself.

Web Extra to "A New Approach to IT Security." Republished from the February 2013 issue of hfm magazine. Copyright 2013 by Healthcare Financial Management Association, Three Westbrook Corporate Center, Suite 600, Westchester, IL 60154-5732. For more information, call 1-800-252-HFMA or visit www.hfma.org.