How to Guard Healthcare Information with Device Control and Data Encryption
Today’s Agenda
Current IT Security Challenges in Healthcare
Answering IT Security Challenges in Healthcare
Top 5 Recommendations: What You Can Do Now
Today’s Experts
Eric Ogren, Founder & Principal Analyst, The Ogren Group
Chris Merritt, Director of Solution Marketing, Lumension
Current IT Security Challenges in Healthcare
Data Breaches Still Occurring
No. of Reported Breaches (HHS Breach Database)
• 435 incidents involving ~20M records
• Median impact = 2,184 records
• No breaches in Hawaii, Maine, Rhode Island, and Vermont
• Biggest impact on per capita basis: South Dakota and Virginia
In 2012, 27% of all respondents indicated their organization had a security breach in the past 12 months (up from 19% in 2010 and 13% in 2008); of those who reported a breach, 69 percent experienced more than one.
Data Breaches Still Occurring
Encryption Impact
• 70% of incidents and 86% of records
• $1.48B in “hard costs”
Stepped Up Enforcement
Audit Program On-going
• Published protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
• 20 audits complete; 95 remaining audits will occur in 2012
• Audits will continue in 2013
• Results to date: http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-2_lsanches_ocr-audit.pdf
Audit Issues by Area
• Conduct Risk Analysis (17)
• Grant / Modify User Access (17)
• Incident Response (11)
• Contingency Planning (34)
• Media Reuse and Destruction (18)
• Encryption (10)
• User Activity Monitoring (46)
• Authentication / Integrity (19)
• Physical Access (9)
Observations
• Policies and Procedures
• Priority HIPAA Compliance Programs
• Conduct of Risk Assessment
• Managing third party risks
Next Steps based on the reviews
• Conduct a robust review & assessment
• Determine LoBs affected by HIPAA
• Map PHI flow within your organization, as well as flows to/from third parties
• Find all of your PHI
• See guidance available on OCR web site
Source: Linda Sanches (OCR), 2012 HIPAA Privacy and Security Audits (June 2012)
Meaningful Use
Stage 1
• Effective Feb-2012
• 10 steps to meaningful use by Eligible Practices
• Core Objective & Measure 15: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities
• Guidance available at http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
Stage 2
• Effective Jan-2014
• Encryption and Auditable events are two key components of Stage 2 certification with regards to the security requirements.
Stage 3
• Final recommendations published by May-2013
Answering IT Security Challenges in Healthcare
Technology: Moving Faster Than HIPAA
An Aug 6, 2012 Google search on “HIPAA compliance virtualization” showed no hhs.gov sources on the first two pages.
(Diagram: two Virtual Datacenters with DMZ, PCI, Web, HIPAA and Management segments)
Defense in Depth: Blend Different Approaches
(Diagram: defense-in-depth approaches)
• Audit
• Vulnerability Management
• Reputation / Behavior
• Attack Scanning
• Configuration / Device Control
• Data Protection
Process: Security for Security Sake Often Fails
People: Team Approaches Win
• Involve business early and continually in process
– look for “addressable” approaches where standards are evolving (e.g. BYOD, cloud)
– document progress; review results and decisions
– train IT staff and users on HIPAA disclosure rules
• Audit everything – ingress and egress
– you never know what you are going to need
• Keep up on-going communications
– Learn, learn, learn – you’ll be doing this again!
Top 5 Recommendations: What You Can Do Now
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Lumension® Endpoint Management and Security Suite
Total Endpoint Protection
Endpoint Security: Lumension® AntiVirus | Lumension® Application Control | Lumension® Device Control | Lumension® Disk Encryption
Endpoint Operations: Lumension® Patch and Remediation | Lumension® Content Wizard | Lumension® Configuration Mgmt. | Lumension® Power Management
Lumension® Endpoint Management Platform: Single Server | Single Console | Scalable Architecture | Single, Modular Agent
Endpoint Reporting Services
Lumension® Patch and Remediation
Comprehensive and Secure Patch Management
» Provides rapid, accurate and secure patch and configuration management for applications and operating systems:
• Comprehensive support for multiple OS types (Windows, *nix, Apple), native applications, and 3rd party applications
• Streamline and centralize management of heterogeneous environments
• Visibility and control of all online or offline endpoints
• Elevate security posture and proactively reduce risk
• Save time and cost through automation
Lumension® Security Configuration Mgmt.
Prevent Configuration Drift and Ensure Policy Compliance
» Ensure that endpoint operating systems and applications are securely configured and in compliance with industry best practices and regulatory standards:
• Security Configuration Management
• Out-of-the-box Checklist Templates
• NIST Validated Solution
• Continuous Policy Assessment and Enforcement
• Based on Open Standards for Easy Customization
• Security Configuration and Posture Reporting
Lumension® Device Control
Policy-Based Data Protection and Encryption
» Protect Data from Loss or Theft: Centrally enforce usage policies of all endpoint ports and for all removable devices / media.
» Increase Data Security: Define forced encryption policy for data flows onto removable devices / media. Flexible exception management.
» Improve Compliance: Centrally encrypt removable devices / media to ensure data cannot be accessed if they are lost or stolen.
» Continuous Audit Readiness: Monitor all device usage and data transfers. Track all transferred files and content. Report on all data policy compliance and violations.
Lumension® Disk Encryption (powered by Sophos)
Transparent Full Disk Encryption for PCs
» Secures all data on endpoint hard drives
» Provides single sign-on to Windows
» Enforces secure, user-friendly pre-boot authentication (multi-factor, multi-user options)
» Quickly recovers forgotten passwords and data (local self-help, challenge / response, etc.)
» Automated deployment, management and auditing via L.E.M.S.S. (integrated version)
Defense-in-Depth with Lumension
(Diagram: defense-in-depth layers)
• Full Disk Encryption
• Firewall Management
• Anti-Malware
• Patch and Configuration Management
• Physical Access
• Network Access
• Port / Device Control and Encryption
Risk Management
(Diagram: risk management challenges)
• Fragmented IT Visibility
• Increasing Regulations (HIPAA, PCI, SOX, Password Policy: Character Length, Special Characters)
• Manual & Disparate Audit Processes (Excel, Manual Surveys, Database, Business Processes)
• Disjointed Policies & Controls (Compliance, IT Resources, Risk)
• Disparate Data Collection | Functional Silos | Non Standardized Processes
More Information
Free Scanner: Discover All Removable Devices Connected to Your Endpoints
http://www.lumension.com/resources/security-tools/device-scanner.aspx
Free Evaluation: Lumension® Data Protection
http://www.lumension.com/data-protection/data-protection-software/free-trial.aspx
Healthy Solution for Protecting Patient Data: Guarding Healthcare Information with Device Control and Data Encryption
http://www.lumension.com/Resources/WhitePapers/Healthy-Solutions-for-Protecting-Patient-Data.aspx
IT Pros’ Guide to Data Protection: Top 5 Tips for Securing Data in the Modern Age
http://www.lumension.com/Resources/Whitepapers/Busy-IT-Professionals-Guide-to-Data-Protection.aspx
Global Headquarters: 8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828
http://blog.lumension.com