Information Security: Why is it important for the Healthcare Industry?


IBM and Security in the Healthcare Industry
Information Security: Why is it important for the Healthcare Industry?
Glen Gooding, IBM Security Leader, ggooding@au1.ibm.com
May 25 2010

Baseline definitions
Security: for purposes in the context of IT security, a number of points need to be addressed:
- Confidentiality, Integrity, Availability (CIA)
- Authentication, Authorisation, Audit (AAA)
Privacy: privacy means an individual's interest in limiting who has access to personal health care information.

How much security is enough (but not too much)?
From a security perspective, all IT solutions must balance three conflicting factors:
- The risk to the organisation of operating the IT solution
- The cost of implementing and operating the security controls (in general, the tighter the controls, the lower the risk)
- The usability of the solution (in general, the tighter the controls, the greater the impact on the users of the system)
[Diagram: the security environment plotted against risk, cost and usability, each ranging from low to high.]
The resulting set of controls must be, as far as possible, necessary and sufficient.
Later you will hear about: cost, complexity, compliance.

IT Security is about CIA: Confidentiality, Integrity, Availability

Data confidentiality
Definition: to protect against an unauthorised disclosure of the message.
Technically: think encryption, SSL, the lock on your browser.
Health care specific: Secure Messaging

Data integrity
Definition: guarantee that the content of the data has not been tampered with.
Technically: think data signatures and the signing of data.
Health care specific: Secure Messaging

Authentication
Authentication determines or proves that you are who you say you are. Authentication is based upon something you:
- know (e.g. password, PIN): too many to remember; too easily guessed; can be sniffed/captured; can be cracked
- have (e.g. smart card, token): more expensive to deploy; less portable
- are (e.g. biometrics): even more expensive to deploy; may be considered invasive; error-prone (false positives / negatives)
Health care specific: HI, NASH

Authorisation
Authorisation determines what an entity is allowed to do. Access control is a means of enforcing this authorisation model:
- data not disclosed
- data not modified
- users remain accountable
Health care specific: clinical applications, HR systems, financials, patient administration

Audit
Companies need to audit their IT infrastructure:
- Determine whether or not the business can continue to grow and mature based on the current IT infrastructure
- Audit logs are often the only record that suspicious behaviour is taking place
- Logs can be fed in real time directly into intrusion detection or log management systems
- Logs can provide individual accountability by tracking a user's actions
- Logs are useful in reconstructing events after a problem has occurred, security related or not
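The authorisation and audit slides above describe a policy that decides what an entity may do, an enforcement point that keeps users accountable, and an audit trail that is often the only record of suspicious behaviour. The following Python example, added here and not part of the original IBM deck, puts those three pieces together for patient records: a default-deny role policy, an access function that records every decision, and a review pass over the resulting trail that flags a user reading an unusually large number of distinct patients in a short window and a user repeatedly denied access outside their role. The roles, record types, users, thresholds and activity are all constructed for the illustration.

```python
"""Role-based access control with an audit trail for patient records.

Added illustration, not part of the original IBM deck. The roles,
record types, users, thresholds and activity below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Least-privilege policy: each role may only perform the listed actions on the
# listed record types. Anything not listed is denied (default deny).
POLICY = {
    "clinician": {"clinical_note": {"read", "write"}, "lab_result": {"read"}},
    "billing":   {"invoice": {"read", "write"}},
    "hr":        {"staff_record": {"read", "write"}},
}

USERS = {  # constructed directory: user -> role
    "dr_lee": "clinician",
    "j_smith": "billing",
}

AUDIT_LOG = []  # every decision is recorded, allowed or not


def is_authorised(user, record_type, action):
    """Policy decision: unknown users and unlisted actions are denied."""
    role = USERS.get(user)
    return action in POLICY.get(role, {}).get(record_type, set())


def access_record(user, record_type, action, patient_id, when):
    """Enforcement point: apply the policy and append one audit entry per attempt."""
    allowed = is_authorised(user, record_type, action)
    AUDIT_LOG.append({
        "ts": when, "user": user, "record_type": record_type,
        "action": action, "patient": patient_id,
        "outcome": "ALLOW" if allowed else "DENY",
    })
    return allowed


def find_suspicious(log, window=timedelta(minutes=10), max_patients=5, max_denies=3):
    """Review the audit trail for two patterns worth a second look:
    one user touching more than max_patients distinct patients inside `window`
    (bulk access), and a user denied max_denies or more times (probing beyond
    their role). Returns a list of (user, finding, count) tuples."""
    findings = []
    by_user = defaultdict(list)
    for entry in log:
        by_user[entry["user"]].append(entry)
    for user, entries in by_user.items():
        entries.sort(key=lambda e: e["ts"])
        # Sliding window over the allowed accesses only.
        allowed = [e for e in entries if e["outcome"] == "ALLOW"]
        start = 0
        for end in range(len(allowed)):
            while allowed[end]["ts"] - allowed[start]["ts"] > window:
                start += 1
            patients = {e["patient"] for e in allowed[start:end + 1]}
            if len(patients) > max_patients:
                findings.append((user, "bulk_access", len(patients)))
                break
        denies = sum(1 for e in entries if e["outcome"] == "DENY")
        if denies >= max_denies:
            findings.append((user, "repeated_denials", denies))
    return findings


def demo():
    """Constructed activity: a clinician reads notes for eight patients in eight
    minutes, and a billing user tries three times to read clinical notes."""
    AUDIT_LOG.clear()
    t0 = datetime(2010, 5, 25, 9, 0)
    for i in range(8):
        access_record("dr_lee", "clinical_note", "read", f"P{i:03d}", t0 + timedelta(minutes=i))
    for i in range(3):
        access_record("j_smith", "clinical_note", "read", "P001", t0 + timedelta(minutes=i))
    access_record("j_smith", "invoice", "read", "P001", t0)
    return find_suspicious(AUDIT_LOG)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Every attempt is logged whether or not it succeeds, because the denials are what make a probing user visible; the review thresholds are deliberately simple and would be tuned to a department's normal workload in practice.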

Why is security important?
"Never fly in a plane designed by an optimist."

IBM Security Framework
Built to meet four key requirements:
- Provide assurance
- Enable intelligence
- Automate process
- Improve resilience
Source: Introducing the IBM Security Framework and IBM Security Blueprint to Realise Business-Driven Security; IBM RedGuide REDP-4528-00, July 2009

Typical Client Security Requirements
People and Identity:
- Privileged user monitoring, including logging activities, physical monitoring and background checking
- Federated identity / on-boarding: coordinating authentication and authorisation with enterprise or third-party systems
- Standards-based SSO
Data and Information:
- Data segregation
- Client control over geographic location of data
- Government: cloud-wide data classification
Network, Server, Endpoint:
- Isolation between tenant domains
- Trusted virtual domains: policy-based security zones
- Built-in intrusion detection and prevention
- Vulnerability management
- Protect machine images from corruption and abuse
- Government: MILS-type separation
Governance, Risk Management, Compliance:
- 3rd-party audit (SAS 70(2), ISO27001, PCI, HIPAA)
- Client access to tenant-specific log and audit data
- Effective incident reporting for tenants
- Visibility into change, incident, image management, etc.
- SLAs, option to transfer risk from tenant to provider
- Support for forensics
- Support for e-discovery
Application and Process:
- Application security requirements are phrased in terms of image security
- Compliance with secure development best practices
Physical:
- Monitoring and control of physical access
Based on interviews with clients and various analyst reports

Security governance, risk management and compliance (IBM Security Framework)
Customers require visibility into the security posture of their environment.
Implement a governance and audit management program:
- Establish 3rd-party audits (ISO27001, PCI)
- Provide access to log and audit data
- Create effective incident reporting
- Visibility into change, incident, image management, etc.
- Create policies for PII and for data crossing international boundaries
- Understand applicable regional, national and international laws
- Support for forensics and e-discovery

People and Identity (IBM Security Framework)
Customers require proper authentication of all users.
Implement strong identity and access management:
- Implement a least-privilege model for users' access
- Strong identity lifecycle management
- All administrative access over secure channels
- Privileged user monitoring, including logging activities, physical monitoring and background checking
- Utilise federated identity to coordinate authentication and authorisation with enterprise or third-party systems
- A standards-based single sign-on capability

Data and Information (IBM Security Framework)
Customers cite data protection as their most important concern.
Ensure confidential data protection:
- Protect PII and intellectual property
- Implement a secure key management program
- Use a secure network protocol when connecting to a secure information store
- Implement a firewall to isolate confidential information, and ensure that all confidential information is stored behind the firewall
- Sensitive information not essential to the business should be securely destroyed

Application and Process (IBM Security Framework)
Customers require secure applications and provider processes.
Establish application and environment provisioning:
- Implement a program for application and image provisioning
- Ensure provisioning management is strictly controlled
- Protect machine images from corruption and abuse
- Ensure all changes to virtual images and applications are logged
- Ensure provisioned images apply appropriate access rights
- Ensure destruction of outdated images

Network, Server and End Point (IBM Security Framework)
Customers expect a secure cloud operating environment.
Maintain environment testing and vulnerability/intrusion management:
- Implement vulnerability scanning, anti-virus, intrusion detection and prevention on all appropriate images
- Ensure isolation exists between tenant domains
- Trusted virtual domains: policy-based security zones
- A secure application testing program should be implemented
- Develop all Web-based applications using secure coding guidelines
- Ensure external-facing Web applications are black-box tested
Source: IBM Cloud Security Guidance Document

Physical Security (IBM Security Framework)
Customers expect health-based data centres to be physically secure.
Implement a physical environment security plan:
- Ensure the facility has appropriate controls to monitor access
- Prevent unauthorised entrance to critical areas within facilities, e.g. servers, routers, storage, power supplies
- Biometric access for employees
- Ensure that all employees with direct access to systems have full background checks
- Provide adequate protection against natural disasters

The IBM Health Integration Framework
Architectural blueprints for provider and payer transformation:
- Pre-built healthcare accelerators
- Built on a Smart SOA foundation
- Keep up with open standards
- Leverage an ecosystem of key business partners
- Leverage existing healthcare applications, systems and business processes
[Diagram: Healthcare Provider Solutions built on the Health Integration Framework, with layers for Process Flexibility, Interoperability, Infrastructure and Governance, and Intelligence; outcomes listed as Rapid Development & Integration, Lowered Risk and Cost, Business Partner Ecosystem, and Reduced Manual Intervention.]
- Speed: accelerate delivery and integration
- Flexibility: grow and add new capabilities incrementally
- Choice: multiple solution on-ramps and business partners

Healthcare Identity, Access and Audit Management
IBM's approach is to strategically manage risk end-to-end across all risk areas within an organisation.
- Identity Management: Identity Manager
- User Compliance Auditing: Security Information and Event Manager
- Access Management: Unified Single Sign-On
Enables visibility into user activity, control over access to PHI, and automation of the sign-on process in order to improve quality of care, clinician productivity, and overall compliance.

I promised earlier that you would hear...
[Diagram: the security environment balance of risk, cost and usability from slide 3, shown again and annotated with cost, complexity and compliance.]

Reduce Complexity
Scenario: improve service by expanding reach via role-based portals to services and applications.
- Quickly roll out new applications and services to authorised users
- Enable single sign-on for authentication
- Issue and manage user credentials
- A user's role will determine the information and services they are authorised to access
- Monitor, audit and report on user activity
[Diagram: Physician Portals, Patient Portals, Hospital Website/Portals, Payer Portals]

Reduce Cost
Scenario: reduce costs with self-service and service management integration.
Offering user self-service to manage profile, passwords and access can reduce help desk, IT administration and user productivity costs:
- By enabling users to manage passwords via challenge/response questions
Rapid access to applications:
- By accelerating time to access applications and sharing of workstations and kiosks
- By reducing the labour required to manage and audit application-specific password policies via single sign-on
- Fast user switching
Integrating identity management with incident management can reduce IT costs:
- Offload service desk workload with self-service password, profile management and access request
- Automate incident resolution within Tivoli Service Request Manager
[Diagram: Tivoli Service Request Catalog, Tivoli Identity Manager Self-Service]

Manage Compliance
Scenario: manage the risk of insider threat and support audit requirements with access recertification, user activity monitoring and reporting.
Monitor user access:
- Do user access rights match responsibilities?
- Are rights consistently certified?
- Are there separation of duty violations?
Monitor user activity:
- Volume of activity
- Type and location of activity
- Timing of activity
- Privileged user activity
Compliance reporting:
- Pre-built reporting modules on common regulatory mandates (SOX, PCI, Basel II, HIPAA, etc.)
- Flexible report design to match company-specific audit requirements
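The three "monitor user access" questions on the slide above (do rights match responsibilities, are rights certified, are there separation-of-duty violations) are each a mechanical check once entitlements are written down. The Python example below, added here and not part of the original deck, runs those three checks over a constructed set of accounts: it compares each user's entitlements with what their job function needs, looks for toxic combinations such as prescribing and dispensing held by one person, and flags recertifications older than a configurable age. The roles, entitlement names, toxic pairs, accounts and the 90-day certification limit are all assumptions made for the illustration.

```python
"""Access recertification checks: rights vs responsibilities, separation of
duties and certification age.

Added illustration, not part of the original IBM deck. The roles, entitlement
names, toxic pairs, accounts and the 90-day limit are constructed.
"""
from datetime import date, timedelta

# Pairs of entitlements that one person must not hold together (constructed).
TOXIC_PAIRS = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"prescribe", "dispense"}),
]

# Entitlements each job function legitimately needs (constructed).
ROLE_ENTITLEMENTS = {
    "pharmacist": {"dispense", "view_medication_history"},
    "physician": {"prescribe", "view_medication_history", "view_clinical_note"},
    "accounts_payable": {"approve_payment"},
    "procurement": {"create_vendor"},
}


def review_user(user, job_role, entitlements, last_certified, today, max_age_days=90):
    """Return a list of (user, issue, detail) tuples for one account."""
    issues = []
    held = set(entitlements)
    # 1. Do access rights match responsibilities? Anything beyond the role is excess.
    excess = held - ROLE_ENTITLEMENTS.get(job_role, set())
    if excess:
        issues.append((user, "excess_rights", sorted(excess)))
    # 2. Separation of duties: no toxic pair may be fully held by one person.
    for pair in TOXIC_PAIRS:
        if pair <= held:
            issues.append((user, "sod_violation", sorted(pair)))
    # 3. Are rights consistently certified? Never certified counts as overdue.
    if last_certified is None or (today - last_certified).days > max_age_days:
        issues.append((user, "certification_overdue", str(last_certified)))
    return issues


def review_all(accounts, today):
    """Run review_user over every account and concatenate the findings."""
    findings = []
    for acct in accounts:
        findings.extend(review_user(acct["user"], acct["role"], acct["entitlements"],
                                    acct["last_certified"], today))
    return findings


def demo():
    """Constructed accounts: one clean pharmacist, a physician who can also
    dispense and is overdue for review, and an accounts-payable user who can
    both create vendors and approve payments and has never been certified."""
    today = date(2010, 5, 25)
    accounts = [
        {"user": "rn_patel", "role": "pharmacist",
         "entitlements": {"dispense", "view_medication_history"},
         "last_certified": today - timedelta(days=30)},
        {"user": "dr_cho", "role": "physician",
         "entitlements": {"prescribe", "dispense", "view_medication_history"},
         "last_certified": today - timedelta(days=120)},
        {"user": "m_ortiz", "role": "accounts_payable",
         "entitlements": {"approve_payment", "create_vendor"},
         "last_certified": None},
    ]
    return review_all(accounts, today)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The excess-rights check is the recertification question itself: the reviewer is shown only the entitlements that the job function does not explain, which is far less to read than a full entitlement dump, and the separation-of-duties list is kept separate from the role definitions so that it can be owned by audit rather than by whoever maintains the roles.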

Understanding the needs of Healthcare Providers
We understand your needs:
- Improved quality of patient care and patient safety
- Risk management and the protection of patient information
- Improved productivity of care givers
- Centralised management of information access
- Easy integration and fast deployment
- Regulatory compliance
...and IBM delivers:
- Access workflow automation with context management for HIT applications
- Choice of second-factor authentication with user-centric access tracking
- Fast user switching for clinical environments, and combined physical and information access
- Centralised identity and policy management
- No modifications to existing infrastructure
- Out-of-box compliance enablement and reporting

IBM and Security in the Health Care Industry
Thank you! For more information, please visit: ibm.com/security

Solving Challenges with IBM Service Management in healthcare
Key healthcare challenges:
- Improve patient care
- Reduce costs
- Manage compliance
- Prevent security breaches
- Availability and reliability of assets
IBM Service Management solutions for healthcare:
- Healthcare Application Performance Management: ITM, OMNIbus, ITNM, ITCAM, Omegamon
- eHealth Service Management: TSRM, TPM, TPC, TSM, TKLM, TSIEM
- Healthcare Asset Management: Maximo Asset Management, TAMIT
- Healthcare Access Management: TIM, TAM, TFIM, TDI, TAM ESSO

Hospitals can see significant benefits from implementing Identity and Access Assurance for Healthcare:
- Simplify the user experience: deliver the right information quickly and securely
- Secure access to applications, information and data while still allowing easy access for those with need and authority
- Consistently enforce and audit corporate security and compliance policy
- Streamline provisioning processes to facilitate quick access to clinical systems for staff
- Reduce operational expenses through automation of common administrative tasks and by providing service catalog components for those that make business sense
- Enable remote physician Web portal access to key data securely

IAA for Healthcare - Business Case Summary
Business need:
- Healthcare IT facilitates access to patient confidential data that is used to enable clinical care
- Many providers are faced with no central control of identity provisioning
- Security audits are central to local regulations and Joint Commission compliance
Client value proposition: Identity and Access Assurance allows the provider tighter control over their HIT infrastructure:
- Know who is accessing which systems
- Know when their staff is accessing the systems
- Implement measures to assure a consistent audit trail procedure over security access
The business can depend on Identity and Access Assurance for Healthcare Providers:
- Content exists to enable HIPAA compliance reporting in the solution
- HIT ISVs are partnering with IBM to develop provisioning adapters to their application suites
- Enterprise single sign-on with multifactor authentication can be deployed
Services delivery and deployment strategy:
- IBM Business Partners with Service Management experience can be engaged
- Gold Coast Security Lab Services can be engaged for architectural guidance

IBM is the Trusted Partner of Choice
- 2008: Most trusted IT company (Ponemon Institute and TRUSTe study)
- Thought leadership
- Commitment and customer insight
- Industries/sectors expertise
- Comprehensive capabilities, products, services and research
- SC Security Company of the Year 2010 (RSA Security)
Cloud computing quotes:
"IBM is an international company. It has a good brand and status in the industry. We will be comfortable with IBM in terms of data security."
"IBM is a trusted supplier of information security."
"Yes I think they can offer secured services."
Source: Oliver Wyman interviews

Identity and Access Assurance within Hospitals
Visualisation in Identity and Access Management:
- Provides a single view into identity management across the entire business (Tivoli Identity Manager [TIM], Tivoli Security Information and Event Manager [TSIEM])
- Enables access audit trail reporting (TSIEM)
Control in Identity and Access Management:
- Brings seamless, secure and auditable access to web services (Tivoli Access Manager [TAM] and Web SSO)
- Supports integration of customer and partner services (Tivoli Federated Identity Manager [TFIM] solutions)
- Simplifies administration with single sign-on to multiple services (TAM for Enterprise SSO [TAMESSO])
- Provides a single point of control for identity management (TIM)
Automation in Identity and Access Management:
- Business policy can be enforced through implemented rules (TSIEM)
- Security events can generate incident reports (Tivoli Service Request Manager [TSRM] and TSIEM)
- Automate common identity tasks to reduce the costs of identity management (TIM, TPM, TSRM)
[Diagram: customers, employees and external providers reaching a web application, carrier portal and web services provider through secure identity federation.]

Gartner quadrant (including ESB)