# Data Security and Healthcare

- Complex data flows
- Millions of electronic medical records across many systems
- New and emerging business relationships
- Changing and maturing compliance frameworks
- Diverse population of mobile devices interacting with the enterprise network
- Large application portfolios
# The Clinical Setting and Information Security

And of course, the use cases and physical environments are changing.
# Compliance vs. Security View

- HIPAA/HITECH
- Meaningful Use
- Payment Card Industry
- Verizon DBIR 2013

Compliance is the floor of security, not the ceiling.
# Information Security Program View

Healthcare Security is not a unique snowflake.

Managing data security requires a programmatic approach to help ensure that controls are effectively planned, budgeted, designed and managed throughout their lifecycle.

- Governance
- Risk Management
- Compliance & Policy
- Continuous Monitoring & Audit
- Identity Management & Access Control
- Threat & Vulnerability Management
- Security Architecture and Standards
- Security Incident Management
- Security Awareness & Training
- Business Continuity & Disaster Recovery
# Security Services View

Anti-Virus will not magically work on its own.

- Security Architecture
- Risk Management Services
- Threat Management Services
- Vulnerability Management Services
- Technical Control Allocation
- Indicators & Warnings
- Exposure Levels
- Protection Services: Boundary, Network, Server, Application, End Point
- Monitoring & Detection Services: Network Monitoring, Activity Monitoring, Integrity Monitoring, Data Loss Monitoring
- Incident Response Services
# Choosing Your Data Security Controls

Both of these will get you to your destination at the same time in this context.

1. Select your data security controls wisely.
2. Know your real needs, performance expectations and operational / budget constraints.
# End Point Security Architecture

Needs to address the following:

- Diversity of the end point (medical device, desktop, mobile, laptops, etc.)
- Bring Your Own Device (BYOD)
- Interaction with people and process
- Understand your access boundaries and points of application interaction

[Diagram labels: EHR, Telemetry Data, Portals, Messaging, Access Boundary, Images]
# End Point Security Policy Enforcement Points

- Managed Business Workstation
  - Active Directory Group Policy
  - End Point Encryption
  - AV/Host Intrusion Prevention
  - Host Data Loss Prevention
  - Virtualized Desktops / Applications
- Managed Clinical Workstation
  - Active Directory Group Policy
  - Virtualized Desktops / Applications
  - End Point Encryption
  - AV/Host Intrusion Prevention
  - Host Data Loss Prevention
- Unmanaged Medical System Device - System
  - Network Segmentation / Zoning
  - Active Directory Group Policy
  - End Point Encryption
  - AV/Host Intrusion Prevention
- Unmanaged BYOD
  - Mobile Device Management
  - Virtualized Desktops / Applications
  - Network Segmentation / Zoning
# And let's not forget about these

Control and Encrypt
# Identity & Access Control

Managing identities and authentication across the enterprise is becoming more and more complex. It is critical that you create an access control strategy that can adapt to the health care system's evolving application portfolio, organizational structure and business relationships. The more you can automate, the better.

- Entitlements: HR Data, Credentialing Data, Student Data, Contractor Data
- Identity System
- User Provisioning
- Role-Based Access Controls
- Health Applications
- Business Applications
- Authentication and Access Methods: Complex Passwords, Tap Badging, Single Sign On, Two Factor

Have an auditing strategy that regularly validates the effectiveness of your user provisioning and de-provisioning activities.
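One way to run the provisioning and de-provisioning audit described on this slide, as an added example that is not part of the original deck: reconcile the four entitlement feeds against an account export from the identity system. The feed layout, account tuple format, finding names and the one-day SLA are assumptions, and all data is constructed.

```python
from datetime import date, timedelta

# Constructed sample feeds, one per entitlement source named on the slide.
# person id -> end date of the relationship (None = still active).
SOURCES = {
    "hr":            {"e100": None, "e101": date(2024, 3, 1), "e102": date(2024, 4, 15)},
    "credentialing": {"p200": None},
    "student":       {"s300": date(2024, 5, 31)},
    "contractor":    {"e101": None, "c400": date(2024, 6, 1)},
}
# Constructed account export: (login, person id, enabled, disabled_on).
ACCOUNTS = [
    ("asmith",  "e100", True,  None),
    ("bjones",  "e101", True,  None),                # left HR, now a contractor
    ("cdoe",    "e102", True,  None),                # terminated, still enabled
    ("sross",   "s300", False, date(2024, 6, 20)),   # disabled 20 days late
    ("kvend",   "c400", False, date(2024, 6, 1)),    # disabled on time
    ("svc_old", "x999", True,  None),                # no source record at all
]

def audit(sources, accounts, today, sla_days=1):
    """Return sorted (login_or_person, finding) pairs for provisioning gaps."""
    last_end = {}  # person -> None if active in ANY source, else latest end date
    for feed in sources.values():
        for person, end in feed.items():
            prev = last_end.get(person, date.min)
            if prev is None or end is None or end >= today:
                last_end[person] = None
            else:
                last_end[person] = max(prev, end)

    findings, has_account = [], set()
    for login, person, enabled, disabled_on in accounts:
        if enabled:
            has_account.add(person)
        if person not in last_end:
            if enabled:
                findings.append((login, "orphaned"))
        elif last_end[person] is not None:           # no active relationship left
            deadline = last_end[person] + timedelta(days=sla_days)
            if enabled:
                findings.append((login, "not_deprovisioned"))
            elif disabled_on and disabled_on > deadline:
                findings.append((login, "late_deprovision"))
    for person, end in last_end.items():
        if end is None and person not in has_account:
            findings.append((person, "not_provisioned"))
    return sorted(findings)

if __name__ == "__main__":
    for subject, finding in audit(SOURCES, ACCOUNTS, today=date(2024, 7, 1)):
        print(f"{finding:18} {subject}")
```

A person who appears in several feeds is treated as active while any one relationship is active, so an employee who becomes a contractor is not flagged.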
# Boundary Security Architecture

Needs to address the following:

- Data Flow
- Ports and Protocols Management
- Consider the diversity of your end points and how data is accessed
- Design with the most significant threats in mind
- Understand boundary security limitations
# Boundary Policy Enforcement Points

- Internet Untrusted Zone
- DMZ Security Zone
- Cloud Services - Business Associates
- Guest Wireless Networks
- Firewall
- B2B VPN
- Client VPN
- Two Factor
- Web Application
- Joint Venture - Affiliates
- Provider Wireless Networks
- Network DLP
- Email DLP
- Web DLP
- Data Center Security Zones
- Staff Wireless Networks
- Boundary IPS
- Data Center IPS
- Entity Hospital Security Zones
# Data Center Operations

Security Protection Strategy:

- Virtualization
- Storage Level Encryption
- Patch Management
- Secure Media Disposal
- High Criticality - Sensitivity
- Identity - Access Control
- Federation Services
- Public Key Infrastructure
- Privileged Access Management
- Moderate Criticality - Sensitivity
- Database Security
- Application Security
- Server Hardening
- Low Criticality - Sensitivity

Security Monitoring Strategy:

- Network Security Events
- Privileged - User Activity Monitoring
# Security Monitoring

- Have a plan
  - Where will you store the logs?
  - What do you want to see?
  - What will you do with the events?
- You will need some talent
- Build supporting processes
[Diagram labels: End Point & Network Components, Radius, Network Intrusion Prevention, Firewalls / VPN, Authentication Services, Identity Services, Anti Virus, Host Intrusion Prevention, Application Monitoring, Applications Patient Usage\Activity, Applications Internal Usage\Activity, Applications Cloud Usage\Activity, Vulnerability Assessments, Penetration Testing, Network Security Event Log Aggregation, End Point Policy and Event Aggregation, Activity Log Aggregation, Network Data Loss Prevention, Web Gateway, At Rest Scanning, E-Mail Gateway, Security Monitoring]

Ensure monitoring is aligned with your incident response plan.
# People

Ensure your data security plan addresses people and positive security behaviors.

- Get beyond the compliance checkbox.
- Train them how to use the controls and identify malicious activity.
- Train them how to protect themselves and the systems they operate.
- Make sure awareness is continuous.

Ref: http://buttersafe.com/2011/01/27/traps/
# Policy & Standards

- Ensure you review your technically focused policies
- Ensure you have an exception process with teeth
- Have a solid technology audit & assessment plan
- Address the people, processes and technology

[Diagram labels: Compliance, Security, Privacy & Controls; Corporate Corporate Security Security Policy Corporate Policy Security Standards]
# Some takeaways

- Ensure your Data Security Plan covers the blocking and tackling.
- Prioritize based on the biggest threats and high-risk processes and systems.
- Embrace the changing environment; it's not going to get less complex or easier.
- When addressing data security, understand that you need to consider the local healthcare ecosystem. What you do has an impact.
- Solid, well-communicated policy and standards are critical for success.
- Integrate into IT management processes and support models.
- Ensure your customers know how to use the controls.
- Maintain traceability to compliance requirements.
# THANK YOU