SOLUTION BRIEF SEPTEMBER 2014 Healthcare Security Solutions: Protecting your Organization, Patients, and Information
94% of healthcare organizations have had at least one data breach in the past two years. 45% report having more than five incidents. The average economic cost of a data breach for healthcare organizations is $2.4M, reflecting increased impact over previous studies. Insider negligence or misuse continues to be the primary cause of data breaches.
SOLUTION BRIEF: SECURITY SOLUTIONS ca.com

Security Challenges For Healthcare Organizations

Healthcare organizations today are faced with a range of challenges. These are made more difficult by the increased mobility of their user population, as well as the continued adoption of cloud applications. While these trends present opportunities, they also greatly increase the difficulty of ensuring security across key applications and data. The most critical challenges healthcare organizations face today include:

Security and privacy of PHI
As Meaningful Use incentives drive healthcare providers to increase their reliance on electronic data, there is an urgent need to adequately secure and protect information. In addition, HITECH legislation enhances HIPAA privacy and security rules mandating costly penalties for data breaches and includes new Protected Health Information (PHI) disclosure regulations. Security breaches can have a negative effect on the organization's brand and credibility, usually resulting in reduced patient revenue. The in-depth survey results on this page highlight the continuing financial and reputational impact of healthcare security breaches, as well as their increased occurrence and complexity.

Compliance
HIPAA/HITECH have very specific demands for security controls in order to protect PHI from disclosure. The HIPAA Omnibus Rule further extends some of these requirements to business associates who process or transmit PHI. Compliance with these requirements has become more complex, but no less mandatory.

Agility
Healthcare organizations must be able to quickly deploy new applications to their user populations, in order to respond quickly to market events. The rise of mobility has made a common security approach across both Web and mobile apps a strong requirement.

User convenience
Doctors and nurses often have very short interactions with apps as they move around the hospital floor. Easy and quick access to patient and treatment information is critical. In addition, they don't have time or patience for long or redundant login processes. The user experience they encounter should support efficient use of their time rather than hinder it.

Cost containment
As cost pressures mount, healthcare CIOs will need to take innovative approaches to reduce IT expenses such as server and application consolidation, virtualization, sourcing and cloud computing models. Most importantly, automation of key identity-related processes (such as user provisioning and access certification) can help improve efficiencies and reduce costs.

Integration with leading healthcare applications
Most providers have deployed leading healthcare applications to manage their clinician and client information. Typically, these key applications include Cerner, Epic, and McKesson, among others. Since these applications generally manage an organization's critical information, automated provisioning of users to these systems, and governance of user access, is a requirement for any identity management platform.
Meeting User Needs

Healthcare organizations have a varied user population, each group of which has similar but different needs. This creates a difficult balancing act for healthcare IT security executives.

Healthcare executives
Healthcare executives need security capabilities that can help support and grow their business, enable its efficient operation, and protect the security and privacy of confidential health information. Specifically, they need to:
- Quickly roll out new services for their growing user population, across both Web and mobile.
- Provide physicians with the information they need to provide top-level care.
- Protect PHI from insider threat, misuse, disclosure, or external attacks.
- Enhance compliance with HIPAA and HITECH regulations.

Physicians
In order to provide high-quality patient care and reduce medical errors, physicians and their staff must be able to securely access, share, and update patient information and records. Providing physicians and their staff with role and identity-based access to specific data and content will enhance the control and security of private information and allow physicians to securely collaborate with other physicians to solve complex clinical problems. Physicians need:
- Quick, secure, reliable, 24X7 access to patient information regardless of location or device
- Quick provisioning to the clinical apps that they need
- Quick and easy password changes
- Strong but convenient online authentication
- Role-based access control to prevent improper access
- Single sign-on across clinical apps

Patients
Patients need to trust that their PHI is securely transported across a healthcare organization, including Health Information Exchange (HIE), and that they or an authorized physician can securely access their health records anytime, anywhere. In addition, enabling patients to become more proactive in their own healthcare by ensuring their access to secure PHI allows both physicians and patients to take a more active role to better manage their health state while improving patient/physician communication and the overall quality, accuracy and timeliness of the care provided. Patients need:
- Quick, easy access to personal health records and diagnosis information
- Mobile access to medical records
- Confidence and trust that their information is protected from unauthorized access and improper use
CA Technologies Security Solutions

Healthcare organizations need to enable their business for growth opportunities, but they also must protect their applications and health information from improper access, insider threat, and attack. They must also adopt emerging models such as cloud and support the increasing mobility of their users in order to improve their patient engagement and improve efficiencies.

CA Technologies Security Solutions can help healthcare organizations enable and protect their business, while leveraging key technologies such as cloud, mobile, and virtualization securely. This provides you, the healthcare security executive, with the agility that you need to respond quickly to an evolving healthcare and regulatory landscape.

CA Technologies Security Solutions are focused on helping you meet three critical healthcare imperatives:

Deploy secure new applications for your providers, healthcare partners, and patients.
Organizations need to be able to roll out new services quickly, and securely, across both Web and mobile. CA Technologies enables you to centralize security policy enforcement which helps to simplify management and reduce the development time for new apps. These solutions also help you improve user engagement by providing a convenient user experience through capabilities such as user onboarding through social identity registration, SSO across Web and mobile apps, and self-service processes to empower end users.

Secure your extended healthcare organization.
Most healthcare organizations have many employees and partners that need to get access to apps and data spread around the distributed IT environment. These users are often highly geographically distributed, and almost always want to use their own devices for this access. CA Technologies Security Solutions enable your employees and partners to securely and more easily collaborate and share medical and patient information to help ensure more effective treatment. In addition, these solutions provide true employee lifecycle management, from hiring to termination. Automated access provisioning enables quick employee on-boarding, and access certification helps to reduce over-privileged users and reduce administrative time spent in validating users' access rights. Automation of these processes can also simplify your compliance audits and help increase accountability.

Protect your confidential healthcare information from insider threat and attacks.
Today's healthcare organizations must defend against significant threats to their infrastructure and data from both within and outside the network perimeter. Insiders, and especially administrators, pose a significant risk due to the damage they can cause through malicious or inadvertent actions. In addition, external attacks are increasing in sophistication and frequency. CA Technologies Security Solutions enable your organization to implement defense in depth, in which controls at multiple levels help protect against unauthorized access to PHI and improper use of that information. Privileged identity management, data controls, identity management and governance, and advanced authentication are areas that have traditionally been looked at in silos, but may now be combined to enable organizations to secure their IT infrastructure from both internal and external threats.
Figure A. CA Technologies provides a comprehensive, integrated set of security solutions to enable healthcare organizations to both enable and protect their business, and support the needs of providers, clients, and healthcare executives.
[Figure: CA Technologies Security Solutions. Users: Patients, Healthcare Execs, Doctors and Medical Staff. Solutions: Single Sign-On, Advanced Authentication, Privileged Identity Management, CA Secure Cloud IAM-as-a-Service, API Management & Security, Identity Management & Governance, Data Protection. Targets: On-premises Apps, Cloud Apps.]

Identity Management and Governance
It is critical that all clinicians be assigned the proper role(s) for their function within the organization, and that they have only the proper access rights for that role. Therefore, ensuring that all users and roles comply with defined policy helps to protect critical electronic health and personal records from improper use. Identity Management and Governance solutions from CA Technologies help you ensure role compliance through automated identity governance processes. These capabilities include entitlements certification, role management and privilege cleanup, all of which help to ensure that each user has only the proper access rights relevant to their role in the healthcare organization. By implementing role compliance, costs can be reduced, while providing users with better service and reducing security exposure. In addition, a user-friendly business app enables users and managers to request, grant, and certify access very easily and in business terms, which helps to simplify the process greatly.

Web Single Sign-On (SSO) and Access Management
Clinicians need quick access to critical data from different devices as they move through their day. Web single sign-on streamlines the log-on processes with one sign-on sequence for fast access to patient data in multiple authorized applications and databases. Centralized Web access management also helps eliminate security silos, thereby simplifying and reducing the costs of security administration, as well as reducing the risk of improper access to patient clinical information.

Advanced Authentication
Because clinicians often need very quick access to information from various devices, a convenient authentication capability is critical. But the threat of improper access is very real, so strong authentication of users is important to protect sensitive data. CA Advanced Authentication provides strong, risk-based authentication so that the full context of a login attempt is used to determine a risk score, which in turn can be used to force stronger authentication methods or rejection of the attempt. This flexible, strong authentication capability is critical for healthcare providers to protect PHI, achieve compliance, and avoid the potential reputational impacts of breaches of patient records.
Privileged Identity Management
One of the most important areas of IT risk for healthcare organizations relates to privileged users (IT and security administrators). Whether inadvertent or malicious, improper actions by privileged users can have disastrous effects on the overall security and privacy of confidential information. Therefore, it is essential that admins be allowed to perform only those actions that they are authorized for, and only on the appropriate assets. Privileged Identity Management solutions from CA Technologies provide fine-grained control of what your healthcare IT admins can do, and help ensure that all their actions are tracked for increased accountability. In addition, the use of shared admin accounts (such as "root") can be eliminated through the use of single-use passwords, further improving security and reducing the pain of your HIPAA compliance audits.

Data Protection
Even though some healthcare workers may have valid need to access certain PHI, their use of that information should be monitored and controlled. For example, a patient's PHI should not be able to be transferred to a USB device, or emailed outside the organization, in most cases. Data Protection solutions from CA Technologies detect and prevent unauthorized use of confidential healthcare data and provide a spectrum of remediation actions so that effective enforcement of information use policies can be achieved. This capability is designed to protect and control data-in-motion on the network and in the messaging system, data-in-use at the endpoint, and data-at-rest on servers and in repositories across the enterprise. It is an effective deterrent to the improper use of confidential patient information.

API Management & Security
The healthcare industry, like other verticals, has business-to-business (B2B) and business-to-consumer (B2C) components. These areas both require secure access to application APIs in order to provide the necessary level of services to clinicians, partners, and clients. Secure exposure of APIs requires best practices in security and threat protection including encryption, virtualization and guarding against exploits such as SQL injection and Denial of Service (DoS) attacks, among others.

Access to the information provided by APIs mandates two critical capabilities: authentication and authorization. Authentication helps ensure that the requesting party is who they claim to be. Authorization helps ensure that the owner of the information has consented to their information being released, and that the requesting party has the proper role to access it. This is managed by several means including, but not limited to, username/password, certificates or token-based authentication such as SAML or OAuth. In many cases, such as mobile applications, the authenticating entity is the application itself. For authentication in the B2B scenario, authorization is usually managed via database information recording previous consent on the part of the patient; for B2C cases, however, the consent is often real-time interactive approval by the patient to allow the application to access their data. CA API management provides for all of these services in a unified, single point of configuration solution.

81% of organizations allow employees to use their own personal devices to access PHI.
Identity Management as-a-service
Healthcare organizations have the same demands for efficiency that are driving cloud adoption in other industries, maybe more so. As a result, the ability to seamlessly connect securely to cloud applications, and to adopt identity management as-a-service, is a strong driver for most organizations. CA Technologies delivers a set of robust Identity and Access Management capabilities as hosted, cloud services. These services are based on CA Technologies' existing portfolio of market-leading IAM security solutions. In addition, the CA Secure Cloud service infrastructure is hosted, monitored and supported by CA Technologies 24x7x365. These solutions provide very high flexibility to healthcare organizations in their identity management deployment options, supporting on-premises, hybrid, and cloud deployment.

Benefits to Healthcare Organizations

CA Technologies can help your healthcare organization secure information and applications, as well as deliver new applications and services more quickly to your providers, payers, patients, and partners. These applications can provide a personalized and positive user experience, thereby strengthening users' satisfaction and helping you meet your organizational mission and goals.

Additionally, CA Technologies enables safe access to your on-premises and cloud applications by extending security to the cloud. Our robust on-premises security solutions protect access to applications whether on-premises or in the cloud. This combination of on-premises and cloud-based security services helps you protect your applications today, and migrate to cloud applications at your pace.

Reduce risks and prevent security breaches.
CA Technologies helps make certain that your critical electronic healthcare resources are protected, as well as helping to ensure that only properly authorized users and patients can access them, and only in approved ways. It allows security events to be logged and analyzed quickly to identify and remediate potential security, fraud and compliance issues, including improper disclosure or use of sensitive medical and/or patient information.

Deploy new applications more quickly and securely across Web and mobile.
Supporting the access needs of your mobile clinicians and patients is an IT imperative for healthcare organizations. But developing different security models in Web and mobile apps delays the deployment of both types of apps. CA Technologies Security Solutions enable organizations to more easily and quickly bring out new services, and simplify the security of both mobile and Web apps through a common, consistent security model for both access methods.

Improve regulatory compliance.
Your healthcare organization will have the tools necessary to support continuous compliance with HIPAA/HITECH and other federal and state regulations. With automated and centrally managed security capabilities, along with extensive auditing, your healthcare compliance efforts can become much simpler because you can more easily prove and validate the effective operation of your established security controls.

Reduce administrative expense and improve efficiency.
Automation of security administrative processes, especially those related to managing the identities and access rights of practitioners, patients and support staff, can enable significant operational efficiencies, reducing your overall IT costs. Automation can also help to improve user and management productivity, since less time has to be spent working with manual processes.
The CA Technologies Advantage

CA Technologies has been a leader in IT management for over 30 years with hundreds of healthcare customers globally in payer, provider and pharmaceutical segments. Security Solutions from CA Technologies deliver enhanced protection for your organization, information, and patients by controlling user identities, access, and usage of vital health and medical information. This important capability increases your overall security, and helps prevent inappropriate breaches and use of your Personal Health Record (PHR) and Health Information Systems (HIS) data. And, our ability to support a wide variety of platforms (from distributed to mainframe) and deployment models (including cloud and virtualized environments) provides a consistent and secure platform across your healthcare IT environment, including emerging technologies.

CA Technologies Security Solutions are consistently ranked as leaders in all the major identity management market categories by leading industry analysts. In addition, the breadth and level of integration of these solutions enable our customers to deploy a unified, comprehensive identity and access management solution. With CA Technologies, you can confidently and proactively implement a secure environment to help protect sensitive information, avoid security breaches, improve patient confidence, and meet current and future compliance requirements.

Connect with CA Technologies at ca.com

CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables them to seize the opportunities of the application economy. Software is at the heart of every business, in every industry. From planning to development to management and security, CA is working with companies worldwide to change the way we live, transact and communicate across mobile, private and public cloud, distributed and mainframe environments. Learn more at ca.com.

Copyright 2014 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document "as is" without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised in advance of the possibility of such damages. CS200-91947_1014