Post on 14-Jul-2015
transcript
Healthcare Security Checklist
Protect PHI
Mitigate BYOD risks
Apply dual factor authentication
Encrypt PHI data
Develop repeatable processes for compliance
Implement procedures and technologies
Healthcare Security Risks
96% of healthcare providers
had one or more data
breaches in the past 2 years1
1 Dell Secureworks
2 2014 Healthcare Breach Report.
Data Loss
68% of healthcare breaches are due to lost or
stolen mobile devices or files2
Impact of BYOD
BYOD: A Reality for Healthcare Providers
Healthcare IT is already rolling out mobile apps
to improve productivity and patient care
– 2 out of 5 doctors already use mobile devices
during consultations1
Yet mobility also presents a threat…
– 3.1M smartphones were stolen
in the U.S. in 20131
Source: Dell SecureWorks
Top Mobile Risks for Healthcare
Lost mobile devices
Stolen mobile devices
Downloading of viruses and malware
Unintentional disclosure to unauthorized users
Unsecure Wi-fi networks
Source: HealthIT.gov, Mobile Devices: Know the Risks
5 Pillars of Healthcare SecurityTechnical safeguards defined by the U.S. Department of Health & Human Services
Access ControlAudit
Control
TransmissionSecurity
IntegrityPerson or
Entity Authentication
1. Access Control: Limit users rights to business need-to-know – Unique User Identification
– Emergency Access Procedure
– Automatic Logoff
– Encryption and Decryption
Access ControlAudit
Control
2. Audit Control: Implement hardware,
software, or procedural mechanisms that
record and examine access to ePHI
5 Pillars of Healthcare SecurityTechnical safeguards defined by the U.S. Department of Health & Human Services
TransmissionSecurity
IntegrityPerson or
Entity Authentication
5 Pillars of Healthcare SecurityTechnical safeguards defined by the U.S. Department of Health & Human Services
Access ControlAudit
Control
TransmissionSecurity
IntegrityPerson or
Entity Authentication
3. Integrity: Implement policies and
procedures to protect ePHI from
improper alteration or destruction
5 Pillars of Healthcare SecurityTechnical safeguards defined by the U.S. Department of Health & Human Services
Access ControlAudit
Control
TransmissionSecurity
IntegrityPerson or
Entity Authentication
4. Person or Entity Authentication: Verify that
users seeking access to ePHI are who they
say they are
– Biometric, smartcard, pin/passcode, token
5 Pillars of Healthcare SecurityTechnical safeguards defined by the U.S. Department of Health & Human Services
Access ControlAudit
Control
TransmissionSecurity
IntegrityPerson or
Entity Authentication
5. Transmission Security: Prevent unauthorized access to ePHI that is being transmitted over a network.
– Integrity: Prevent modification or tampering of ePHI data in transit
– Encryption: Encrypt ePHI whenever appropriate
BYOD Challenges the 5 Pillars of Security
TransmissionSecurity
Person or Entity
AuthenticationAudit ControlAccess Control Integrity
Difficult to audit mobile activity since doctors may share PHI with patients via email or text messaging apps
Every app may have different authentication methods; they may not support biometric or PIN/passcode methods
Mobile apps may not use stringent SSL ciphers or even encrypt data at all
IT must define distinct policies for different users, mobile apps and devices—a management nightmare
Controls must be applied to prevent accidental deletion or alteration of PHI from mobile devices
Risks of Uncontrolled Devices
Weak Encryption
No support for strong
authentication
Unpatched application
Stores PHI on phone
No auditing of user access
Unpatched phone OS
In violation of HIPAA compliance requirements
IT Management and Training
IT will likely need to help doctors install mobile apps
– They may also need to assist users through upgrades
If apps vary by device, IT will need to provide separate app training for Apple, Android, Microsoft or HTML5 users
Mobile Device Management Not Working
20% of enterprise BYOD programs will fail due
to MDM measures that are too restrictive.1
1 2014 MDM research report by ESG2 2014 Employee BYOD Survey by Zixcorp3 Gartner 2014 Mobility Predictions; original quote spelled out BYOD and MDM.
For IT TeamsFor Employees
43% worry that employers could
access personal data2
30% are concerned their employer
could control their personal device2
30% say MDM is
more difficult to use
than they anticipated1
VDI Isn’t the Solution for BYOD
Expensive
VDI Shortcomings
– Not designed for touch
– No multimedia redirection
– No access to camera, printer, video, GPS
Total cost for Microsoft VDI, Citrix, and hardware is $1,000+ per user1
Not designed for cellular edge, 3G networks
1 Microsoft Desktop OS $187 per user, Citrix $300/user
Requires High Bandwidth
Designed for Windows
Virtual Mobile Infrastructure (VMI)
VMI is a service that hosts mobile apps or full
operating systems on remote servers
Provide remote access to:
Android, Apple iOS and Windows Phone with client apps
Any HTML 5-enabled device
Centralize app management to:
Eliminate need to install and upgrade apps on every device
VMI Benefits for Healthcare Providers
Stop data loss by preventing users from downloading data to
their device
Lower IT costs by eliminating mobile app
management per device
Extend mobile access to all users and devices
with a HTML5 browser
Meet compliance by monitoring data access
SierraVMI Keeps PHI Data Safe
SierraVMI Shields Healthcare Data
4096-bit ECDHE Encryption
Dual factor authentication
SierraVMI:
• Records healthcare app access
• Stores app data securely in the data center
• IT can centrally upgrade mobile apps
Medical professional
SierraVMI Deployment
SierraVMI hosted in Secure Data Center
Authentication Server
Laptop
Tablet
Phone
Databases with PHI data
Mobile App Virtualization Architecture
Android VM Kernel
Multi-User Android RuntimeVMI Security
Gateway
PharmaApp
PatientMessaging
App
PHIApp
Clients
AuthenticationServer
Benefits Very high density
Apps can share resources like CPU
Easy to manage
No need for expensive storage
Firefall containerFirefall containerFirefall container
Monitor User and Application Activity
Dashboard of
system status
Detailed logs
of user activity
Geo-tracking
Prevent Data Loss
Watermarking deters users from photographing screens
– Watermark all content including documents, video, pictures with no additional overhead
Anti-screen capture prevents users from taking screenshots
With VMI, no data is downloaded to the phone
– Users cannot copy and paste text
Strong Authentication
Prevent unauthorized access with:
– Client certificates
– One-time password (sent via text message)
– Restricting access based on geographic location
– Brute force login protection
Ensure only legitimate users access your data
Single Sign-on to Streamline Management
Integrate with LDAP, Active
Directory or SAML
Access email, calendar,
contacts, and business apps
without needing to re-
authenticate
Automate app provisioning
Reduce IT helpdesk calls due
to forgotten passwords
Improve user experience by
eliminating extra login steps
IT Cost ReductionDirectory Services Integration
Centralized data storage
Prevent data loss from device theft
Centralized patch management
Eliminate concerns of devices with vulnerable or unpatched software
Regularly scan Android server for viruses and vulnerabilities
Simplify and Secure Mobile App Management
SierraVMI Benefits for Healthcare
Compliance: Ensure privacy and prevent data loss
Security: Strong authentication, 4096-bit encryption
Scalability: High user density, high performance
www.sierraware.com
Click now to view SierraVMI