Data Loss Prevention Best Practices for Healthcare

Similar documents
Total Protection for Compliance: Unified IT Policy Auditing

McAfee Server Security

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

Managing PHI in the Cloud Best Practices

Intel Security Certified Product Specialist Data Loss Prevention Endpoint (DLPe)

How To Buy Nitro Security

Securing and protecting the organization s most sensitive data

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

McAfee Security Architectures for the Public Sector

Data Protection McAfee s Endpoint and Network Data Loss Prevention

Payment Card Industry Data Security Standard

How McAfee Endpoint Security Intelligently Collaborates to Protect and Perform

SANS Top 20 Critical Controls for Effective Cyber Defense

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Encryption Made Simple

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Database Security in Virtualization and Cloud Computing Environments

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

Securing the Internet of Things OEM capabilities assure trust, integrity, accountability, and privacy.

Vulnerability Management

Data Sheet: Endpoint Security Symantec Protection Suite Enterprise Edition Trusted protection for endpoints and messaging environments

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

INFORMATION PROTECTED

Websense Data Security Gateway and Citrix NetScaler SDX Platform Overview

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

McAfee Next Generation Firewall Optimize your defense, resilience, and efficiency.

McAfee Global Threat Intelligence File Reputation Service. Best Practices Guide for McAfee VirusScan Enterprise Software

Enterprise Security Solutions

Solutions Brochure. Security that. Security Connected for Financial Services

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

Preemptive security solutions for healthcare

Seven Requirements for Hybrid Web Delivery Getting the best of both on-premises and SaaS

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan

Encryption Made Simple

THE EXECUTIVE GUIDE TO DATA LOSS PREVENTION. Technology Overview, Business Justification, and Resource Requirements

IT Security & Compliance. On Time. On Budget. On Demand.

Extreme Networks Security Analytics G2 Vulnerability Manager

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

A Buyer's Guide to Data Loss Protection Solutions

SELECTING THE RIGHT HOST INTRUSION PREVENTION SYSTEM:

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution

Strengthen security with intelligent identity and access management

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

V1.4. Spambrella Continuity SaaS. August 2

IBM Security QRadar Risk Manager

WHITEPAPER. Addressing Them with Adaptive Network Security. Executive Summary... An Evolving Network Environment Adaptive Network Security...

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

The Protection Mission a constant endeavor

IBM Security QRadar Risk Manager

SOLUTION BRIEF SEPTEMBER Healthcare Security Solutions: Protecting your Organization, Patients, and Information

Best Practices for DLP Implementation in Healthcare Organizations

McAfee Endpoint Protection for SMB. You grow your business. We keep it secure.

IBM InfoSphere Guardium Data Activity Monitor for Hadoop-based systems

North American Electric Reliability Corporation (NERC) Cyber Security Standard

Reducing the cost and complexity of endpoint management

IBM Endpoint Manager for Core Protection

IBM Security QRadar Vulnerability Manager

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

IBM QRadar Security Intelligence April 2013

GOOD PRACTICE GUIDE 13 (GPG13)

Whitepaper. Advanced Threat Hunting with Carbon Black

Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services.

CORE Security and GLBA

Cloud and Data Center Security

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

I D C A N A L Y S T C O N N E C T I O N

Achieving Control: The Four Critical Success Factors of Change Management. Technology Concepts & Business Considerations

How To Manage Security On A Networked Computer System

The Impact of HIPAA and HITECH

How To Monitor Your Entire It Environment

Safeguarding the cloud with IBM Dynamic Cloud Security

Seamless Mobile Security for Network Operators. Build a secure foundation for winning new wireless services revenue.

How To Protect Your Data From Attack

Trend Micro. Secure virtual, cloud, physical, and hybrid environments easily and effectively INTRODUCTION

White Paper: Consensus Audit Guidelines and Symantec RAS

Cloud Security Trust Cisco to Protect Your Data

Proven LANDesk Solutions

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

Websense Data Security Solutions

RSA Solution Brief RSA. Data Loss. Uncover your risk, establish control. RSA. Key Manager. RSA Solution Brief

Breaking down silos of protection: An integrated approach to managing application security

How To Implement Data Loss Prevention

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution

White Paper. Emergency Incident Response: 10 Common Mistakes of Incident Responders

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

NEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16

IBM Security Intelligence Strategy

CONNECTING ACCESS GOVERNANCE AND PRIVILEGED ACCESS MANAGEMENT

Information & Asset Protection with SIEM and DLP

CA Technologies Healthcare security solutions:

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

Unified Security, ATP and more

Transcription:

Data Loss Prevention Best Practices for Healthcare The perils of data loss

Table of Contents This white paper is co authored with Siemens Healthcare First Steps to Data Loss Prevention....3 You Cannot Protect What You Don t Know....3 Better Visibility Via Monitoring Technology....4 Faster Data Discovery and Remediation Via Classification....4 DLP Is a Program and a Process.................................................................... 4 Data Protection Awareness Program....4 Governance...5 Tailor DLP Policies to Your Environment...5 DLP that Saves You Time....5 Summary...6 McAfee Data Loss Prevention...6 Data Loss Prevention Best Practices for Healthcare 2

By virtue of an ever-changing web of regulations that span federal, state, and local jurisdictions, healthcare organizations are required to safeguard patient data, including ephi (Electronic Protected Health Information). On September 23, 2013, all healthcare organizations were obligated by law to comply with the HITECH Omnibus Final Rule, which outlines requirements for encrypting and protecting ephi data. In addition, healthcare organizations that suffer a security breach, lose ephi data, or fail to recover quickly enough following a disaster may be investigated by the Office of Civil Rights (OCR) and could face fines in the millions of dollars. A monumental challenge for healthcare organizations is support of the accelerating demands placed on healthcare professionals to deliver higher quality care at a faster pace across multiple organizations, while consistently assuring secure data handling. Simply building firewalls at the network perimeters is ineffective against stealthy attacks and advanced persistent threats. Cybercriminals can enter an organization s network, exploit weak points, and breach data for weeks or months before detection. From 2010 to 2013, cybercrime attacks have increased from 20% to 33%.1 Employing sound data loss prevention practices and processes helps ensure the safe handling of data, provides the flexible environment required by clinical staff, and helps organizations pass rigorous OCR audits easily and reliably. Data Types Data-in-Motion Email Web Post Network IM Chat Data-at-Rest File Share Database Desktop/Laptop Wild Wild West Data-in-Use Removable Media Printer Devices Cloud Figure 1. Various ephi data access points that warrant protection. First Steps to Data Loss Prevention You Cannot Protect What You Don t Know Within healthcare organizations, data is constantly being created, replicated, modified, moved around, and disseminated. Internal data sprawl has become an issue because the IT department responsible for security and compliance doesn t fully know what data it really needs to protect or its value to the organization. IT doesn t know where all the ephi data is stored, who owns it, how it s being used, or who has access to it. You cannot protect what you don t know you have, where it s located, or who has access to it. Data Loss Prevention Best Practices for Healthcare 3

Better Visibility Via Monitoring Technology At the early stage of implementing a data loss prevention (DLP) solution, it s critical to implement a monitoring technology that can gather, track, and report on the data in motion across your entire network in real time. Such tools help you learn what and how information travels inside and out of your organizations, and the data gathered will help you identify potential risks and support your planning for a better data security posture. Understanding your data makes all the difference, as it enables you to build the right policies to protect the right data for the right cost without trial and error. Faster Data Discovery and Remediation Via Classification Sensitive data such as ephi can be scattered across thousands of servers, in millions of files, and can be mixed with a significant amount of unknown content. One option is to run an extensive discovery scan, which opens every single file on all the servers. This approach can be extremely time-consuming, and generates a huge list of potential security violations and false positives which take time and money to investigate. A better approach is to classify and categorize files on servers before a full-on discovery scan. For example, a quicker inventory scan can be done based only on the file s metadata (file owner, file type, file size, file owner, share name, count, and other information). The inventory step can be accomplished quickly because only the metadata of the files are being analyzed, not the entire file, which is the computationally expensive part. Once the files are categorized, DLP policies can then be applied to perform analytics on the classified content. As a result, remediation workflow (for example, server 1 has 10 Microsoft Excel files containing ephi data that needs attention) can be more streamlined. It s important to deploy a data discovery and remediation solution with a builtin data classification engine that can provide a scalable and rapid way to classify your data and reduce risk with low false positives. In many hospitals, the IT department is neither aware nor actively engaged in managing niche departmental systems that are often repositories of ephi and/or other sensitive information. A scalable and efficient discovery process can aid the IT department in locating, identifying, and classifying data in isolated ancillary systems. Furthermore, this discovery effort can segue into better platform management, ensuring that critical tasks, such as backup, patching, privacy auditing, and environmental security concerns are adequately addressed. DLP Is a Program and a Process Most organizations think of DLP as purely a technical problem. They assume that if they deploy DLP technology, it will find the issues. The reality is that deploying DLP systems is part of a broader data protection program. Having the best DLP detection technologies in the mix of broken business processes will not prevent sensitive information from finding its way out of the organization in unanticipated and uncontrolled ways. Data Protection Awareness Program While you are implementing a DLP solution, adoption of an employee data protection education and awareness program is recommended. Leverage this program to modify employee behavior when it comes to handling ephi. Generally, a hospital workforce does not maintain heightened security awareness, leading to misuse and potential for breach of ephi. Making it easy for the workforce to do the right thing leads to far greater success than policing unaccustomed activity. For example, prohibiting or requiring attestation when attempting to transfer ephi onto a mobile device or through a web application is not much different than enforcing the closed-loop medication administration to better ensure patient safety. Data Loss Prevention Best Practices for Healthcare 4

Governance It is important that IT maintains the DLP technology platform and its configuration. However, business units should be responsible for deciding the business rules and resolution of data loss (breach) events. Even before deciding or implementing any DLP technology solution, key stakeholders from the business units, compliance, and privacy teams, and the CIO have to come to an agreement on clearly defined roles and responsibilities (who has access and authorization to view and act on incidents, what is the data governance communication plan, and benchmark metrics). Tailor DLP Policies to Your Environment According to the latest Verizon Data Breach Report,2 cybercriminals install malware to collect and exfiltrate (export) data. While many industry experts talk about advanced threat detections and antievasion techniques, such as intrusion prevention systems (IPS) and next-generation firewall, it is not about if the malware gets in, it s more about when the malware gets in. What do you do? DLP is your last inline layer of defense. Any healthcare DLP technology solution should include the following features and functionality tailored to the environment: DLP policy templates specifically designed for healthcare organizations. Customized protocol handlers to identify HL7 v2, HL7 v3, or e-phi transmitted over X12. Specialized connectors with major vendors application portfolios: Siemens, Cerner, EPIC, Meditech, GE Health Systems, and McKesson. Customized reporting based on content sources and violations mapped to the content source for refinement and reduction of false positives relative to healthcare EMR systems. Specific healthcare code sets (HCPCS, ICD-9, ICD-10, LOINC, and NDC) as built-in lexicon dictionaries to prevent patient data from inadvertently leaving the organization. Integration from the endpoints to the network and through the gateway (email/web). A world-class DLP solution should not only be quick to deploy with built-in templates, but also help you understand your data, identify broken business processes, and give you flexible tools to protect ephi and other sensitive files completely and quickly. It can assist you with achieving and maintaining regulatory compliance, give you oversight and control, and help you maintain the trust of your auditors, practitioners, and patients. DLP that Saves You Time You need a DLP technology solution that is quick to deploy with easy day-to-day management. Look for a solution that can offer tightly integrated endpoint and network components to ensure that your sensitive data is protected from the USB drive to the network perimeter and beyond. Having a single console that can set policies and manage incidents and violations with an automated workflow can help save you time and reduce cost. And don t forget the power of your users. Choose a DLP endpoint solution that offers user remediation consoles and user tagging to help alleviate administrative burdens and promote data protection awareness amongst employees. Data Loss Prevention Best Practices for Healthcare 5

Summary The financial, legal, and public relations risks for healthcare organizations that experience ephi breaches continues to mount. Employing a sound DLP strategy is critical in the current healthcare environment. Understanding what data you own and who has access to it is a paramount primary step to better control of ephi. Properly classifying data and utilizing monitoring technology to continuously track data location and movement is essential. McAfee Data Loss Prevention McAfee Data Loss Prevention is quick to deploy, flexible to control, easy to manage, and can help you better understand the data that you are trying to protect. This comprehensive solution safeguards sensitive data and ensures compliance by protecting ephi data wherever it lives: on premises, in the cloud, or on endpoints. Unique, non-invasive technology discovers, tracks, and classifies data no matter where it resides or what format it is in, giving you rich insight and delivering fast, effective protection. About Siemens The Siemens Healthcare Sector is one of the world s largest suppliers to the healthcare industry and a trendsetter in medical imaging, laboratory diagnostics, medical information technology and hearing aids. Siemens offers its customers products and solutions for the entire range of patient care from a single source from prevention and early detection to diagnosis and on to treatment and aftercare. Siemens Healthcare offers healthcare domain expertise and a broad set of services to cover all of a healthcare organization s security and privacy mitigation services needs. About McAfee McAfee, part of Intel Security and a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), empowers businesses, the public sector, and home users to safely experience the benefits of the Internet. The company delivers proactive and proven security solutions and services for systems, networks, and mobile devices around the world. With its Security Connected strategy, innovative approach to hardware-enhanced security, and unique Global Threat Intelligence network, McAfee is relentlessly focused on keeping its customers safe. http://www.mcafee.com 1. Global Threat Trends; [cited 2014 Jan 10]; Available from: http://www.eset.com/us/resources/threat-trends/global_threat_trends_june_2013.pdf. 2. 2014 Data Breach Investigations Report, Verizon, April 2014. McAfee. Part of Intel Security. 2821 Mission College Boulevard Santa Clara, CA 95054 888 847 8766 www.intelsecurity.com Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright 2014 McAfee, Inc. 61154wp_mcafee-siemens-dlp_0714_fnl_ETMG

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information