Data Security and Healthcare


Data Security and Healthcare
- Complex data flows
- Millions of electronic medical records across many systems
- New and emerging business relationships
- Changing and maturing compliance frameworks
- Diverse population of mobile devices interacting with the enterprise network
- Large application portfolios

The Clinical Setting and Information Security
And of course the use cases and physical environments are changing.

Compliance vs. Security View
- HIPAA/HITECH
- Meaningful Use
- Payment Card Industry
- Verizon DBIR 2013
Compliance is the floor of security, not the ceiling.

Information Security Program View
Healthcare security is not a unique snowflake. Managing data security requires a programmatic approach to help ensure that controls are effectively planned, budgeted, designed and managed throughout their lifecycle.
Program domains:
- Governance
- Risk Management
- Compliance & Policy
- Continuous Monitoring & Audit
- Identity Management & Access Control
- Threat & Vulnerability Management
- Security Architecture and Standards
- Security Incident Management
- Security Awareness & Training
- Business Continuity & Disaster Recovery

Security Services View
Anti-Virus will not magically work on its own.
- Security Architecture
- Risk Management Services
- Threat Management Services
- Vulnerability Management Services
- Technical Control Allocation
- Indicators & Warnings
- Exposure Levels
- Protection Services: Boundary, Network, Server, Application, End Point
- Monitoring & Detection Services: Network Monitoring, Activity Monitoring, Integrity Monitoring, Data Loss Monitoring
- Incident Response Services

Choosing Your Data Security Controls
Both of these will get you to their destination at the same time in this context.
1. Select your data security controls wisely.
2. Know your real needs, performance expectations and operational / budget constraints.

End Point Security Architecture
Needs to address the following:
- Diversity of the end point (medical device, desktop, mobile, laptops, etc.)
- Bring Your Own Device (BYOD)
- Interaction with people and process
- Understand your access boundaries and points of application interaction
Diagram labels: EHR, Telemetry Data, Portals, Messaging, Images, Access Boundary

End Point Security Policy Enforcement Points
- Managed Business Workstation: Active Directory Group Policy, End Point Encryption, AV/Host Intrusion Prevention, Host Data Loss Prevention, Virtualized Desktops / Applications
- Managed Clinical Workstation: Active Directory Group Policy, Virtualized Desktops / Applications, End Point Encryption, AV/Host Intrusion Prevention, Host Data Loss Prevention
- Unmanaged Medical System Device - System: Network Segmentation / Zoning, Active Directory Group Policy, End Point Encryption, AV/Host Intrusion Prevention
- Unmanaged BYOD: Mobile Device Management, Virtualized Desktops / Applications, Network Segmentation / Zoning

And let's not forget about these... Control and encrypt.

Identity & Access Control
Managing identities and authentication across the enterprise is becoming more and more complex. It is critical that you create an access control strategy that can adapt to the health care system's evolving application portfolio, organizational structure and business relationships. The more you can automate the better.
Diagram labels:
- Entitlements: HR Data, Credentialing Data, Student Data, Contractor Data
- Identity System: User Provisioning, Role Based Access Controls
- Applications: Health Applications, Business Applications
- Authentication and Access Methods: Complex Passwords, Tap Badging, Single Sign On, Two Factor
Have an auditing strategy that regularly validates the effectiveness of your user provisioning and de-provisioning activities.
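One way to implement the provisioning and de-provisioning audit the slide calls for, as an added example that is not part of the original presentation: it reconciles the entitlement sources named on the slide (HR, credentialing and contractor data) against an export of the identity system's accounts and reports enabled accounts whose owner has been terminated, accounts with no authoritative owner, stale accounts, feeds that disagree about a person, and authorized people who were never provisioned. It goes slightly beyond the slide's sentence by treating conflicting feeds and stale accounts as findings in their own right. All records, field names and the privileged group names are constructed assumptions.

```python
"""Provisioning / de-provisioning audit: reconcile entitlement sources
against a directory account export.

Added example, not from the original presentation. All records below are
constructed; field names and the privileged group names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed names of groups whose membership raises finding severity.
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "EHR Administrators"})
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Person:
    """One row from an entitlement source (HR, credentialing, contractor)."""
    user_id: str
    source: str
    status: str                      # "active" or "terminated"
    end_date: Optional[date] = None  # set when status is "terminated"


@dataclass(frozen=True)
class Account:
    """One row from the identity system / directory export."""
    user_id: str
    enabled: bool
    last_logon: Optional[date]
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Finding:
    severity: str
    kind: str
    user_id: str
    detail: str


def audit_accounts(people: List[Person], accounts: List[Account], today: date,
                   stale_days: int = 90, grace_days: int = 1) -> List[Finding]:
    """Return findings sorted by severity, then kind, then user id."""
    active: Dict[str, List[str]] = {}
    terminated: Dict[str, List[Optional[date]]] = {}
    for p in people:
        if p.status == "active":
            active.setdefault(p.user_id, []).append(p.source)
        else:
            terminated.setdefault(p.user_id, []).append(p.end_date)

    findings: List[Finding] = []

    # A person active in one feed and terminated in another is a data-quality
    # problem the audit must surface rather than silently resolve.
    for uid in active.keys() & terminated.keys():
        findings.append(Finding("medium", "source_conflict", uid,
                                "active in " + ", ".join(active[uid])))

    for a in accounts:
        if not a.enabled:
            continue  # a disabled account is the desired end state of de-provisioning
        sev = "high" if a.groups & PRIVILEGED_GROUPS else "medium"
        if a.user_id in active:
            pass      # authorized by at least one source
        elif a.user_id in terminated:
            ends = [d for d in terminated[a.user_id] if d is not None]
            latest_end = max(ends) if ends else None
            if latest_end is None or latest_end + timedelta(days=grace_days) < today:
                findings.append(Finding(sev, "terminated_still_enabled", a.user_id,
                                        f"last end date {latest_end}"))
        else:
            findings.append(Finding(sev, "orphan_account", a.user_id,
                                    "no authoritative source"))
        # Stale accounts hint at de-provisioning gaps even when the owner is still active.
        if a.last_logon is None or (today - a.last_logon).days > stale_days:
            findings.append(Finding("medium", "stale_account", a.user_id,
                                    f"last logon {a.last_logon}"))

    # Provisioning gap: an authorized person with no account at all.
    have_account = {a.user_id for a in accounts}
    for uid in active:
        if uid not in have_account:
            findings.append(Finding("low", "missing_account", uid, "never provisioned"))

    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.kind, f.user_id))
    return findings


# Constructed sample data standing in for the HR, credentialing and contractor feeds.
TODAY = date(2014, 3, 1)
PEOPLE = [
    Person("jsmith", "hr", "active"),
    Person("rjones", "hr", "terminated", date(2014, 1, 15)),
    Person("rjones", "credentialing", "active"),             # conflicting feeds
    Person("tlee", "contractor", "terminated", date(2013, 11, 30)),
    Person("mnguyen", "hr", "active"),                        # never provisioned
]
ACCOUNTS = [
    Account("jsmith", True, date(2014, 2, 27), frozenset({"Clinicians"})),
    Account("rjones", True, date(2014, 2, 20), frozenset({"Clinicians"})),
    Account("tlee", True, date(2013, 12, 1), frozenset({"Domain Admins"})),
    Account("svc_legacy", True, None),                        # no owner on record
    Account("akim", False, date(2013, 6, 1)),                 # correctly disabled
]

if __name__ == "__main__":
    for f in audit_accounts(PEOPLE, ACCOUNTS, TODAY):
        print(f"{f.severity:6} {f.kind:24} {f.user_id:12} {f.detail}")
```

Run on a schedule, the output feeds the audit the slide describes: the high-severity rows (a terminated contractor still holding a privileged account) are the ones to act on first, the orphan and conflict rows point at the feeds that need fixing, and the missing-account rows measure provisioning lag.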

Boundary Security Architecture
Needs to address the following:
- Data Flow
- Ports and Protocols Management
- Consider the diversity of your end points and how data is accessed
- Design with the most significant threats in mind
- Understand boundary security limitations

Boundary Policy Enforcement Points
Diagram labels:
- Zones and external parties: Internet Untrusted Zone, DMZ Security Zone, Cloud Services - Business Associates, Joint Venture - Affiliates, Guest Wireless Networks, Provider Wireless Networks, Staff Wireless Networks, Data Center Security Zones, Entity Hospital Security Zones
- Enforcement points: Firewall, B2B VPN, Client VPN, Two Factor, Web Application, Network DLP, Email DLP, Web DLP, Boundary IPS, Data Center IPS

Data Center Operations Security
- Protection Strategy: Virtualization, Storage Level Encryption, Patch Management, Secure Media Disposal
- Identity - Access Control: Federation Services, Public Key Infrastructure, Privileged Access Management
- Database Security, Application Security, Server Hardening
- Security Monitoring Strategy: Network Security Events, Privileged - User Activity Monitoring
Diagram tiers: High Criticality - Sensitivity, Moderate Criticality - Sensitivity, Low Criticality - Sensitivity

Security Monitoring
Have a plan:
- Where will you store the logs?
- What do you want to see?
- What will you do with the events?
- You will need some talent.
- Build supporting processes.

End Point & Network Components
- Radius, Network Intrusion Prevention, Firewalls / VPN, Authentication Services, Identity Services, Anti Virus, Host Intrusion Prevention
- Application Monitoring: Applications Patient Usage\Activity, Applications Internal Usage\Activity, Applications Cloud Usage\Activity
- Vulnerability Assessments, Penetration Testing
- Aggregation: Network Security Event Log Aggregation, End Point Policy and Event Aggregation, Activity Log Aggregation
- Security Network Data Loss Prevention: Web Gateway, At Rest Scanning, E-Mail Gateway
Monitoring: ensure it is aligned with your incident response plan.

People
- Ensure your data security plan addresses people and positive security behaviors.
- Get beyond the compliance checkbox.
- Train them how to use the controls and identify malicious activity.
- Train them how to protect themselves and the systems they operate.
- Make sure awareness is continuous.
Ref: http://buttersafe.com/2011/01/27/traps/

Policy & Standards
- Ensure you review your technically focused policies.
- Ensure you have an exception process with teeth.
- Have a solid technology audit & assessment plan.
- Address the people, processes and technology.
Diagram labels: Compliance, Security, Privacy & Controls; Corporate Security Policy; Corporate Security Standards

Some takeaways
- Ensure your Data Security Plan covers the blocking and tackling.
- Prioritize based on the biggest threats and high-risk processes and systems.
- Embrace the changing environment; it's not going to get less complex or easier.
- When addressing data security, understand that you need to consider the local healthcare ecosystem. What you do has an impact.
- Solid, well-communicated policy and standards are critical for success.
- Integrate into IT management processes and support models.
- Ensure your customers know how to use the controls.
- Maintain traceability to compliance requirements.

# THANK YOU