Healthcare Informa/on at Risk: Prac/cal Strategies to Avoid Breaches

Similar documents
HIPAA Breaches, Security Risk Analysis, and Audits

Health & Life sciences breach security program. David Houlding MSc CISSP CIPP Healthcare Privacy & Security Lead Intel Health and Life Sciences

The Impact of HIPAA and HITECH

How To Perform a SaaS Applica7on Inventory in. 5Simple Steps. A Guide for Informa7on Security Professionals. Share this ebook

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security

Interna'onal Standards Ac'vi'es on Cloud Security EVA KUIPER, CISA CISSP HP ENTERPRISE SECURITY SERVICES

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Compliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire

Healthcare IT Compliance Service. Services > Overview MaaS360 Healthcare IT Compliance Service

Intel Cyber Security Briefing: Trends, Solutions, and Opportunities. Matthew Rosenquist, Cyber Security Strategist, Intel Corp

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

The CIO s Guide to HIPAA Compliant Text Messaging

HIPAA Security Alert

HIPAA Security & Compliance

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

An Introduc+on to CloudPrime

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

INFORMATION SECURITY FOR YOUR AGENCY

How Do You Secure An Environment Without a Perimeter?

Datto Compliance 101 1

How to Use the NYeC Privacy and Security Toolkit V 1.1

HIPAA Compliance Guide

Security standards PCI-DSS, HIPAA, FISMA, ISO End Point Corporation, Jon Jensen,

Virginia Commonwealth University School of Medicine Information Security Standard

PCI Compliance for Healthcare

What s New with HIPAA? Policy and Enforcement Update

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

System Security Plan University of Texas Health Science Center School of Public Health

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

The Second National HIPAA Summit

ADMINISTRATIVE POLICY # (2014) Information Security Roles and Responsibilities

Information Security Program

Cloud Security and Managing Use Risks

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization

Practices for Managing Information Protection & Storage

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HITRUST CSF Assurance Program

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Nine Network Considerations in the New HIPAA Landscape

Information Security Policy

Why SaaS (Software as a Service) and not COTS (Commercial Off The Shelf software)?

How To Protect Virtualized Data From Security Threats

Payment Card Industry Data Security Standard

The Value of Vulnerability Management*

Security Controls What Works. Southside Virginia Community College: Security Awareness

Securing Patient Portals

Information Security: A Perspective for Higher Education

Big Data, Big Risk, Big Rewards. Hussein Syed

efolder White Paper: HIPAA Compliance

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

Data Management & Protection: Common Definitions

HIPAA Security Education. Updated May 2016

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013

How To Get A New Computer For Your Business

HIPAA Privacy and Information Security Management Briefing

CHIS, Inc. Privacy General Guidelines

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Security Is Everyone s Concern:

Checklist for Breach Readiness. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow

Vulnerability Management Policy

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Top Ten Technology Risks Facing Colleges and Universities

Legacy Archiving How many lights do you leave on? September 14 th, 2015

Transcription:

Healthcare Informa/on at Risk: Prac/cal Strategies to Avoid Breaches Sam Pierre- Louis, CISSP- ISMP - - MDAnderson Cancer Center David Houlding, CISSP, CIPP - - Intel David S. Finn, CISA, CISM, CRISC - - Symantec 1

HITECH is Changing the Landscape HITECH provides significant financial support to adopt Electronic Record system - reimbursement incen<ves for meaningful use. Many significant changes to regulatory and compliance requirements: Data Breach No<fica<on for breach of unencrypted informa<on: penal<es, pa<ent no<fica<on, self- repor<ng to media and State HHS (>500 records). Expansion of HIPAA applicability (e.g. now includes Business Associates) Increased fines for HIPAA viola<ons Increased legal exposure (criminal and civil penal<es, State AG can sue) Meaningful Use Requirements: Maintenance of audit logs Data encryp<on preferred Recording of PHI disclosures Security risk analysis Implement security updates Increasing integra<on with outside par<es (pa<ents, care providers, payors, state registries, health agencies labs, pharmacies) increases risk. 2

Security and IT has changed Security Intelligent devices with embedded and downloadable sowware The Threat Landscape More automa<on, more data, more access Resul<ng in: More dependency on highly complex IT systems and infra- structures Highly valuable data How we deliver IT Mobile Any<me, any where, any device Separa<on between IT infra- structure and consumer devices is fading Infrastructures as well as data are merging Cloud for internal IT service delivery and delivery of IT services Legisla<on & Regula<on are raising the Security & Privacy bar 3

Elements of a Risk Analysis Scope of the Analysis Data Collec<on Iden<fy & Document Poten<al Threats and Vulnerabili<es Assess Current Security measures Determine the Likelihood of Threat Occurrence Determine Poten<al Impact of Threat Occurrence Determine the Level of Risk Finalize Documenta<on Periodic Review and Updates 4

The Informa/on- Centric Model It s about the data. Policy Compliance Identity Remediation Reporting Classification Threats Encryption Ownership Discovery 5

Components of a Comprehensive Security and Risk Management Program Ø Threats & Vulnerability Management Industry Threat Monitoring Vendor patches Ø Identification of PHI in motion and at rest Identification of critical assets Protecting transmission of PHI Ø Security Event Monitoring Infrastructure Application Ø Network Vulnerability Scanning Ø Endpoint Protection and Management Antivirus/Antispam IPS Patch Management Standard Builds Ø Backup and Disaster Recovery Ø Executive Reporting 6

Data Protec/on Extends Beyond the Enterprise Increasing Connectivity and IT Proliferation Accessibility for all Departments and external Care / Service Providers Increasing use of mobile technology / roaming users Patient, Visitor, and Contractor Access Mix of Devices - under IT Control and not under IT Control Removable, high capacity Storage Devices Enterprise 7

Intel Laptop An/- TheT Risk Es/mator Quick assessment of your organizations risk of laptop loss or theft, and breach View estimated costs, and savings from implementing various safeguards Encryption, Anti- Theft, Backup / Recovery Based on research by Ponemon Institute Risk Estimator Website Interactive PDF / PPT reports to share with stakeholders Useful resources 8

Privacy & Security Risk Assessments Challenges Inconsistent risk prioritization Too many risks Only a regulatory checkbox Define threat agents for each risk in assessment Intel Threat Agent Library has 22 threat agents with attributes Approach is also used by the U.S. Dept. of Homeland Security More objective, consistent Focus on real risks, avoiding hypothetical distractions Justification of risks and expense on mitigations Do you know what threats you face? 9

The Value of Healthcare Data Street cost for a stolen record Prescription Fraud Embarrassment Medical:$50 vs SSN:$1 Payout for identity theft Medical:$20,000 vs Regular: $2,000 Medical records can be exploited 4x longer Credit cards can be cancelled, medical records can t Medical Claims Fraud Source: RSA Report on Cybercrime and the Healthcare Industry Medical Record Abuse Financial Fraud Personal Data Resale Blackmail / Extortion Medical records are valuable and versatile to a cybercriminal, who are strongly motivated to steal them 10

Mobile and Cloud Break the Tradi/onal Security Perimeter Many organizations still rely on a traditional perimeter approach Physical eg buildings Logical eg firewalls Hard shell, soft inside approach to security Mobile devices give anytime, anywhere access Sensitive data is moving into the cloud Embracing mobile and cloud safely requires securing the sensitive data directly, at rest and in transit 11

Is Encryp/on Alone Enough Protec/on? Inactive eg due to performance Weak, old, reused, or shared passwords Writing down passwords Users may not logout Key loggers capture passwords Is all sensitive data encrypted, at all points at rest and in transit? Can you prove that encryption was active on a lost / stolen device? Whitepaper: Healthcare Information At Risk Encryption is Not a Panacea Robust security requires a mul/- layered, defense- in- depth approach with encryp/on and other safeguards is required 12

Performance, User Experience and Compliance Challenges Users are motivated to disable or circumvent security controls that get in the way: compliance issues = risk eg breaches Security Controls Security controls are much needed to mitigate risk on mobile devices and in the cloud Security control performance challenges Limited compute power of mobile devices Surging healthcare data in the cloud Hardware Enabled Security protects healthcare data on mobile devices and the cloud, with high performance 13

Healthcare Security & Privacy Context Healthcare Workers Administrative Controls Physical Controls Technical Controls Security Control Solution Services Software Hardware Robust, High- Performance Hardware Enabled Security Security & Privacy Risk Assessment Identification of Security Controls Needed in Healthcare Org. Security & Privacy Policy Security & Privacy Foundation in Healthcare Org. Healthcare Regulations, Privacy Principles, Standards, Business Needs (Data Classification, Usage Models) ephi 14

Symantec PGP WDE & Remote Disable & Destroy with Intel AES- NI and An/- TheT Technology Even if the encryption passphrase is obtained, the data is protected by this second level of lockdown security. 15

Symantec VIP and Intel Iden/ty Protec/on Technology Provide Strong Authen/ca/on The Challenge: Physicians don t want to be burdened with carrying a hardware token or by inputting an additional security token. The VIP and IPT Solution: Add 2-factor authentication to login. After PC registration OTP code appears and user inputs it to allow access to the account. Traditional hardware token Now embedded into your PC The Bottom Line: Strong 2- factor authen<ca<on without usability and support issues of separate hardware tokens 16

University of Texas MD Anderson Cancer Center For seven of the past nine years, including 2010, MD Anderson has ranked No. 1 in cancer care in the America s Best Hospitals survey published by U.S. News & World Report 18,000 employees including 1,500 faculty Over 1,200 hospital based volunteers 7,000 trainees par<cipated in educa<on programs 17

UT- MDACC Technical Complexi/es Pladorm dispari<es Hundreds of applica<ons Thousands of servers Several data centers Centralized IT about 700 employees Distributed IT about 300 employees Ongoing development of new applica<ons Con<nual infrastructure build- out Internal sowware development, e.g. EMR 18

Complexi/es of Informa/on Security Regula/ons Federal Health Insurance Portability & Accountability Act (HIPAA), HITECH, 21 Code of Federal Regula<ons (CFR) Part 11, 21 CFR Part 58 State Texas Administra<ve Code University of Texas Policies UTS Policy 165, University Iden<ty Management Federa<on Payment Card Industry standard (PCI) Sarbanes- Oxley Etc. 19

How to Manage the Chaos? 20

MD Anderson Unified Controls Matrix (Process Before Technology) Mapping of all Informa<on Security regula<ons and some security best prac<ces Enables 1 assessment to sa<sfy applicable regula<ons versus conduc<ng a special assessment for each regula<on Reduces the hundreds upon hundreds of regulatory control points to a smaller set Developed high level Policies for end users Developed Opera<ons Manual for system administrators Developed Security Guidelines Developed System Security Checklist Developed Risk Assessment Ques<onnaires 21 MD Anderson Cancer Center Proprietary Information

Unified Controls Matrix Example HIPAA regulatons TAC 202 regulations 21CFR PART 11 rgulations PCI standards SARBANES OXLEY regulations ISO 17799 standards Policy Operations Manual procedures Guidelines Checklist Risk Assessment Questionnaires a a a a a a a a a a b b b b b b b c c c c c c c c c c c d d d d d d d e e e e e e f f f f f f f f f f Data Classification Guidelines & Ratings 22 MD Anderson Cancer Center Proprietary Information

Risk Assessment Methodology Informa<on Security sets expecta<ons by holding kickoff mee<ngs with Applica<on/System Owner or designee Applica<on Owner completes self assessment Host, web and database self- scans using Informa<on Security s Gold templates Cri<cality Assessment Valida<on by Informa<on Security Risk Analyst and addi<onal technical checks Ac<on Plan Very Formal Excep<on Process Third party real penetra<on tes<ng 23 MD Anderson Cancer Center Proprietary Information

Risk Quan/fica/on Residual Risk Rating Sheet Risk Level Risk Category Risk Item Lowest Highest 0 1 2 3 4 5 Probability of occurrence Factor 1 Description 1 Description 2 Description 3 Description 4 Description 5 Description 6 Factor 2 Description1 Description 2 Description 3 Description 4 Description 5 Description 6 Factor 3 Description 1 Description 2 Description 3 Description 4 Description 5 Description 6 Impact Factor 1 Description 1 Description 2 Description 3 Description 4 Description 5 Description 6 Factor 2 Description 1 Description 2 Description 3 Description 4 Description 5 Description 6 Factor 3 Description 1 Description 2 Description 3 Description 4 Description 5 Description 6 Factor 4 Description 1 Description 2 Description 3 Description 4 Description 5 Description 6 Risk Detection Controls Description 1 Description 2 Description 3 Description 4 Description 5 Description 6 24 MD Anderson Cancer Center Proprietary Information

Excep/on Process Flow Request by customers via formal request process Analysis by Risk Analyst Approval Process Director of Informa<on Security CIO or Deputy CIO Internal Audit Taskforce Informa<on Services Execu<ve Team (ISET) Commikee Response Process via formal response process Excep<on Tracking Annual Review 25 MD Anderson Cancer Center Proprietary Information

Dovetail Risk Assessments within Other Programs Change Management Process IT Governance Process IT Standards Work Group Technical Review Work Group Solu<ons Engineering Team Informa<on Security Work Group Infrastructure Steering Commikee Business Con<nuity Execu<ve Steering Commikee Informa<on Security Compliance Commikee Etc. 26

Sampling of Metrics Repor/ng Compliance Reports (HIPAA, TAC 202, etc.) Shows compliance informa<on of each applica<on being risk assessed Service Delivery Risk Assessment cycle <me metrics for each step of the process Opera<ons improvement Reports Change Management Readiness Level for each applica<on going through Change Management Disaster Recovery reports Wall of Shame Reports Non- compliance reports 27

Recap of MDACC Risk Management Program Unified Controls Matrix as the basis of security policies and guidance Risk Assessment Methodology married to Unified Controls Matrix Integrate Vulnerability Assessment into Risk Assessment Process Integrate Disaster Recovery into Risk Assessment Process Integrate Risk Assessment Process into other ins<tu<onal programs, e.g. Ins<tu<onal Change Management, Project Management, etc. Build rela<onships with other departments within the ins<tu<on Effect cultural change within the ins<tu<on 28 MD Anderson Cancer Center Proprietary Information

Strategy for Breach Avoidance 1. Sound Risk Management Processes 2. Sound Risk Management Processes 3. Sound Risk Management Processes 4. Leverage Technology to Facilitate Processes 5. Sound Risk Management Processes 29

Intel Legal Disclaimers Intel Anti-Theft Technology (Intel AT-p) requires the computer system to have an Intel AT-enabled chipset, BIOS, firmware release, software and an Intel AT-capable Service Provider/ISV application and service subscription. The detection (triggers), response (actions), and recovery mechanisms only work after the Intel AT functionality has been activated and configured. No system can provide absolute security under all conditions. Intel assumes no liability for lost or stolen data and/or systems or any other damages resulting thereof. For more information, visit http://www.intel.com/go/anti-theft Intel AES-NI requires a computer system with an AES-NI enabled processor, as well as non- Intel software to execute the instructions in the correct sequence. AES-NI is available on Intel Core i5-600 Desktop Processor Series, Intel Core i7-600 Mobile Processor Series, and Intel Core i5-500 Mobile Processor Series. For availability, consult your reseller or system manufacturer. For more information, see http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni/ Intel Identity Protection Technology: No system can provide absolute security under all conditions. Requires an enabled chipset, BIOS, firmware and software and a website that uses an Intel IPT Service Provider s Intel IPT solution. Consult your system manufacturer and Service Provider for availability and functionality. Intel assumes no liability for lost or stolen data and/or or any other damages resulting thereof. For more information, visit http://ipt.intel.com/ 30

Thank you! Sam Pierre- Louis, CISSP- ISMP - - MDAnderson Cancer Center spierrelouis@mdanderson.org David Houlding, CISSP, CIPP - - Intel David.houlding@intel.com David S. Finn, CISA, CISM, CRISC - - Symantec David.finn@symantec.com 31

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information