Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Date post: 07-May-2015
Upload: lumension
Description: Lumension presented alongside United Health Care System on how to protect electronic medical records by enforcing device control and data encryption policies.

Transcript
Page 1: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Page 2: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Today’s Agenda

Protecting Patient Data and HIPAA

Policy-based Device Control and Data Encryption

Device Control at University Health Care System

Conclusion and Q & A

Page 3: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Today’s Speakers

Chris Merritt, Director of Solution Marketing, Lumension

George Ward CISSP, CISM

Manager Information Security, Computer Operations, University Health Care System


Page 5: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Challenges of Protecting Patient Data

» Economic and Competitive Pressures
» Increased HIPAA and PCI Regulatory Oversight
» Increasing Value of Personal Healthcare Information
» Data Sharing Outside of the Four Walls
» Consumerization of IT
» Electronic Protected Health Information (EPHI) Disclosure

Page 6: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Data Sharing Outside of the Four Walls


Accessibility to Medical and Billing Records Increases… as Does the Risk

Source: 2008 HIMSS Security Survey

Page 7: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Consumerization of IT


Page 8: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Health care workers have direct access to sensitive medical records

"70% of all serious incidents are sparked by insiders." (Source: IDC Worldwide Security Products and Services, 2007 Top 10 Predictions)

48% of employees utilize work IT tools for personal reasons

EPHI Disclosure – Accidental or Malicious

» Lost Portable Devices
» Disgruntled Employees

Page 9: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Data Breaches

(Figure panels: Risks, Incidents, Costs)

Page 10: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Importance of Device Control

Page 11: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Protecting Electronic Medical Records

USB Drives are the Achilles Heel of Data Protection Due to Size, Transfer Speed, and Ease of Use

» 60% of confidential data resides at the endpoint (IDC)

» 52% of companies surveyed have suffered data loss via USB drives and other removable media (Forrester)

» 53% of organizations would NEVER KNOW what data was on a lost USB device (Ponemon Institute)

» Over 70% of security breaches originate from within the organization (Vista Research)


Page 12: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Removable Devices Hold A LOT of Information

40 million USB Devices Sold Within the Last Year

What about CD / DVD / Blu-Ray Media?

Storage Capacity for CD, DVD and Blu-Ray Discs (typical number of files per disc)

File Type       Typical Size (KB)   CD Disc    DVD Disc (SS SL)   Blu-ray Disc (DL)
Text / Email               15        46,500           297,000           3,200,000
Document                  100         6,980            44,500             480,000
Spreadsheet             1,485           470             3,000              32,320
10MP JPEG               2,250           310             1,975              21,300
Simple X-Ray           10,000            70               445               4,800

Storage Capacity for USB Devices (typical number of files per drive)

File Type       Typical Size (KB)   512MB USB Drive   2GB USB Drive   32GB USB Drive
Text / Email               15              34,560         139,500        1,984,700
Document                  100               5,185          20,920          297,750
Spreadsheet             1,485                 350           1,410           20,050
10MP JPEG               2,250                 230             930           13,210
Simple X-Ray           10,000                  52             209            2,978

Page 13: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

A Balanced Approach is Needed


Page 14: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

HIPAA Security Rule: Are You Ready?

Page 15: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

HIPAA Security Rule

Security
• Security Standards: General Rules
• Administrative Safeguards
• Technical Safeguards
• Physical Safeguards
• Organizational Requirements
• Policy and Procedures and Documentation Requirements

Page 16: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Enforcement Becoming Real

CVS settlement breaks new ground in HIPAA enforcement

February 2009: CVS, the nation’s largest retail pharmacy chain, will pay the U.S. government $2.25 million and take corrective action to ensure it does not violate the privacy of its millions of patients when disposing of patient information.

Also, the company must obtain assessment reports from a third-party organization every two years for the next 20 years to be provided to the Bureau of Consumer Protection at the FTC.


Page 17: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Are You Ready for an Audit?

Piedmont Hospital was presented with a list of 42 items that HHS officials wanted information on within 10 days:

Provide policies and procedures for:
1. Establishing and terminating users' access to systems housing electronic patient health information (ePHI).
2. Emergency access to electronic information systems.
3. Inactive computer sessions (periods of inactivity).
4. Recording and examining activity in information systems that contain or use ePHI.
5. Risk assessments and analyses of relevant information systems that house or process ePHI data.
6. Employee violations (sanctions).
7. Electronically transmitting ePHI.
8. Preventing, detecting, containing and correcting security violations (incident reports).
9. Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
10. Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.
11. Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers.
12. Physical access to electronic information systems and the facility in which they are housed.
13. Establishing security access controls (what types of security access controls are currently implemented or installed in hospitals' databases that house ePHI data?).
14. Remote access activity, i.e. network infrastructure, platform, access servers, authentication, and encryption software.
15. Internet usage.
16. Wireless security (transmission and usage).
17. Firewalls, routers and switches.
18. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
19. Terminating an electronic session and encrypting and decrypting ePHI.
20. Transmitting ePHI.
21. Password and server configurations.
22. Anti-virus software.
23. Network remote access.
24. Computer patch management.

Other requests included:
1. Please provide a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI.
2. Please provide a list of terminated employees.
3. Please provide a list of all new hires.
4. Please provide a list of encryption mechanisms used for ePHI.
5. Please provide a list of authentication methods used to identify users authorized to access ePHI.
6. Please provide a list of outsourced individuals and contractors with access to ePHI data, if applicable. Please include a copy of the contract for these individuals.
7. Please provide a list of transmission methods used to transmit ePHI over an electronic communications network.
8. Please provide organizational charts that include names and titles for the management information system and information system security departments.
9. Please provide entity wide security program plans (e.g., System Security Plan).
10. Please provide a list of all users with access to ePHI data. Please identify each user's access rights and privileges.
11. Please provide a list of systems administrators, backup operators and users.
12. Please include a list of antivirus servers installed, including their versions.
13. Please provide a list of software used to manage and control access to the Internet.
14. Please provide the antivirus software used for desktop and other devices, including their versions.
15. Please provide a list of users with remote access capabilities.
16. Please provide a list of database security requirements and settings.
17. Please provide a list of all Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows). Please identify whether these servers are used for processing, maintaining, updating, and sorting ePHI.
18. Please provide a list of authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems.


Page 19: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Policy-Based Device Control and Data Encryption

Data Protection at the Endpoint

» Protect Data from Leakage and Theft: Centrally enforce usage policies for all removable devices and media.

» Improve Compliance: Centrally force encryption of data flowing onto removable devices and media to ensure that it cannot be accessed if they are lost or stolen.

» Flexible Exception Management: Make business decisions about policy exceptions and emergency access.

» Continuous Audit Readiness: Monitor all device usage and data transfers. Track all transferred files and content. Report on all data policy compliance and violations.

Page 20: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Practical Data Protection Approach

1. Discover all devices that are currently or have ever been connected to every endpoint.

2. Assess device and data usage, including what device, on what machine, by which user, and when.

3. Implement flexible device whitelisting, allowing only approved devices to run.

4. Monitor the effectiveness of device usage policies.

5. Report on data protection policies to prove compliance and conduct forensics.

Page 21: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

In-Depth Discovery

Discover all devices that are currently or have ever been connected to every endpoint.

• Automatically determine how many and what devices are in use across your organization.

• Easily find devices that you don’t even know about.

Device Types:
• Biometric devices
• COM / Serial Ports
• DVD/CD drives
• Floppy disk drives
• Imaging Devices / Scanners
• LPT / Parallel Ports
• Modems / Secondary Network Access Devices
• Palm Handheld Devices
• Portable (Plug and Play) Devices
• Printers (USB/Bluetooth)
• PS/2 Ports
• Removable Storage Devices
• RIM BlackBerry Handhelds
• Smart Card Readers
• Tape Drives
• User Defined Devices
• Windows CE Handheld Devices
• Wireless Network Interface Cards (NICs)

Page 22: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Thorough Assessment

Assess device and data usage, including what device, on what machine, by which user, and when.

• Full visibility on usage of all removable devices (e.g., USB flash drives) and media (e.g., CDs/DVDs) by user, machine and time.

• Assess by unique device, device type, device vendor, users and user groups, machines, hours of operation, and more.

• Ensure data is encrypted and secure when on removable devices / media.

Page 23: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Implement Security Policy

Implement flexible device whitelisting, allowing only approved devices to run.

• Enforce removable device / media and data usage policies to protect sensitive information.

• Define what devices and media can connect to the network and what users or user groups can do with them for flexible exception management.

• Centrally encrypt removable devices and media or force users to encrypt devices / media to ensure that data cannot be accessed if removable devices or media are lost or stolen.

Page 24: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Continuous Monitoring

Monitor the effectiveness of device usage policies.

• Automatically log all network events related to your data protection policy, including:
  » Endpoint status
  » Device connection
  » User activity (such as data transfers)
  » File tracking (including full content shadowing)

• Identify potential threats by logging all device execution attempts and recording all policy changes and administrator activities.

Page 25: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Comprehensive Reporting

Report on data protection policies to prove compliance.

• Provide a detailed audit trail of all device usage attempts.

• Keep a copy of every file that is transferred to or from a removable device using our patented bi-directional shadowing technology.

• Drill down on suspicious behavior for security or legal follow-up.

• Link reporting to Syslog to enable event correlation, automated alerting / reporting, and integrated analysis.
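To show what the monitoring and reporting described on pages 24 and 25 amount to in practice, here is an added Python example (written for this page; it is not Lumension's code, and the agent log format, field names and sample events are constructed for illustration). It parses device-control records of the kind an endpoint agent would forward to syslog and produces the figures a weekly log review would look at: blocked attempts per user and per reason, users repeatedly retrying a blocked device, administrator policy changes, exception use, and the files captured by shadowing.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample records in a syslog-style key=value layout. This is a
# hypothetical agent format, not Lumension Device Control's real log schema.
SAMPLE_LOG = """\
2009-05-13T08:02:11 host=WS-RAD-014 user=jdoe event=DEVICE_CONNECT class=RemovableStorage model="Cruzer 4GB" id=SN0001 result=DENIED reason=unencrypted
2009-05-13T08:02:40 host=WS-RAD-014 user=jdoe event=DEVICE_CONNECT class=RemovableStorage model="Cruzer 4GB" id=SN0001 result=DENIED reason=unencrypted
2009-05-13T08:05:03 host=WS-LAB-022 user=asmith event=DEVICE_CONNECT class=RemovableStorage model="Encrypted Drive" id=SN0042 result=ALLOWED reason=encrypted
2009-05-13T08:05:30 host=WS-LAB-022 user=asmith event=FILE_WRITE class=RemovableStorage id=SN0042 file="patient_list.xls" shadow=yes result=ALLOWED
2009-05-13T09:14:22 host=WS-ER-003 user=bjones event=DEVICE_CONNECT class=PortableDevice model="iPhone" id=SN0777 result=DENIED reason=class_blocked
2009-05-13T09:15:01 host=WS-ER-003 user=bjones event=DEVICE_CONNECT class=PortableDevice model="iPhone" id=SN0777 result=DENIED reason=class_blocked
2009-05-13T09:15:30 host=WS-ER-003 user=bjones event=DEVICE_CONNECT class=PortableDevice model="iPhone" id=SN0777 result=DENIED reason=class_blocked
2009-05-13T10:00:00 host=MGMT-01 user=secadmin event=POLICY_CHANGE detail="added exception for SN0001 (user jdoe)" result=ALLOWED
2009-05-13T10:30:15 host=WS-RAD-014 user=jdoe event=DEVICE_CONNECT class=RemovableStorage model="Cruzer 4GB" id=SN0001 result=ALLOWED reason=exception
"""

# key=value or key="quoted value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split one record into a dict; the leading token is the ISO timestamp."""
    ts, _, rest = line.strip().partition(" ")
    fields = {key: quoted if quoted else plain
              for key, quoted, plain in KV_RE.findall(rest)}
    fields["timestamp"] = datetime.fromisoformat(ts)
    return fields


def summarize(log_text, repeat_threshold=3):
    """Aggregate the records into the numbers a weekly review reports on."""
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    denied = [e for e in events if e.get("result") == "DENIED"]
    by_user = Counter(e["user"] for e in denied)
    by_reason = Counter(e.get("reason", "unknown") for e in denied)
    # Same user hammering the same blocked device is worth a follow-up call.
    per_device = Counter((e["user"], e.get("id")) for e in denied)
    return {
        "events": len(events),
        "blocked_attempts": len(denied),
        "blocked_users": len(by_user),
        "blocked_by_user": dict(by_user),
        "blocked_by_reason": dict(by_reason),
        "repeat_offenders": sorted(k for k, n in per_device.items()
                                   if n >= repeat_threshold),
        # Administrator activity must be reviewed alongside user activity.
        "policy_changes": [(e["user"], e["detail"]) for e in events
                           if e["event"] == "POLICY_CHANGE"],
        "exception_allows": [(e["user"], e["id"]) for e in events
                             if e.get("result") == "ALLOWED"
                             and e.get("reason") == "exception"],
        "shadowed_files": [e["file"] for e in events if e.get("shadow") == "yes"],
    }


def weekly_report(log_text):
    """Render the summary as the lines a reviewer would read."""
    s = summarize(log_text)
    lines = [
        f"Events reviewed: {s['events']}",
        f"Blocked attempts: {s['blocked_attempts']} from {s['blocked_users']} users",
        "Blocked by reason: " + ", ".join(
            f"{r}={n}" for r, n in sorted(s["blocked_by_reason"].items())),
    ]
    for user, dev in s["repeat_offenders"]:
        lines.append(f"Follow up: {user} repeatedly retried blocked device {dev}")
    for admin, detail in s["policy_changes"]:
        lines.append(f"Policy change by {admin}: {detail}")
    for user, dev in s["exception_allows"]:
        lines.append(f"Exception used: {user} on device {dev}")
    for name in s["shadowed_files"]:
        lines.append(f"Shadow copy retained: {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(weekly_report(SAMPLE_LOG)))
```

The point of correlating the POLICY_CHANGE record with the later ALLOWED/exception record is that an exception granted by an administrator leaves the same audit trail as the blocked attempts that preceded it; a review that only counts denials would miss it.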

Page 26: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Device Control Puts You Back in Control

Eliminate a major blindspot at endpoints
» Identify all devices that are currently connected or have ever been connected to network assets
» Use detailed logs of device usage and data transfer (incl. file headers or full content shadowing) for auditing, forensics, etc.

Protect against data loss and theft
» Control and manage any removable devices through any ports including USB, Firewire, WiFi, Bluetooth, etc.
» Enforce encryption policies for data transferred to removable devices / media, including USB flash drives (UFDs), CDs / DVDs, etc.
» Prevent malware introduction via removable devices / media

Policy Management / Control
» Whitelisting / “Default Deny” approach eliminates unwanted / unknown devices
» Granular permissions for devices (class, group, model, ID), users / user groups and machines / machine groups allow for fine exception management


Page 28: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

University Health Care System

581 bed, not-for-profit community hospital in Augusta, GA

» Campus environment
» 3,000+ employees
» 600 independent, private physicians on active, consulting, courtesy and associate staff
» 2,500+ Workstations
» 330+ Servers
» 120+ Applications (McKesson)

Page 29: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Business Driver: Protecting Patient Data and Ensuring Compliance

External audit showed gaps in HIPAA Compliance

Fines for non-compliance with HIPAA now as large as $250,000 per incident

» Covered entities and specified individuals who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year.

» Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison.

» Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.

Losing patient data is detrimental to the hospital as a business


Page 30: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Health Care Data Loss Incidents in the Headlines


Page 31: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Holistic Security

• Understand the threat you need to protect against

• Point security measures are never enough…


Page 32: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

University Health Care System Objectives

Secure Electronic Protected Health Information (EPHI) and Stay out of the Headlines

Enforce Policy
» All USB devices must be encrypted
» Unencrypted devices denied by default

Manage by Exception and by Role
» Discretionary access model vs. role-based access model

Communicate Policy to Users
» Identified every internal communication possible to leverage (newsletters, memoranda, posters, etc.)
» Announced date for policy enforcement in advance
» Created awareness around data loss incidents with other hospitals

Page 33: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Discretionary Access Model (Current)

Enabling Removable Device Access – Previous Model

(Flow diagram; swimlanes as drawn: User, Manager, Department Head, Department Vice President, CIO Admin Assistant, Chief Information Officer (CIO), Service Desk, Provisioning)

1. User requests internet access
2. Manager Approval
3. Department Head Approval
4. Department Vice President Approval
5. CIO Admin Assistant checks that form is complete (Complete?)
6. CIO Approval
7. CIO Admin Assistant sends request to Service Desk
8. Service Desk creates a call and sends it to Provisioning
9. Provisioning grants internet access to user
10. Access Granted

Page 34: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Centrally Managed Role-Based Access Control Model (Goal)

Lumension Device Control – RBAC for USB Devices

(Flow diagram; swimlanes as drawn: User, Human Resources, Provisioning)

1. New Employee is hired
2. Orientation List sent to Provisioning
3. Users are granted application access based on their role
4. Access Granted

Page 35: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Justifying Device Control Implementation

Compliance
» Audit finding remediation

Integrity and Reputation
» Incident prevention

Data Protection
» Protect our patients
» Protect our employees and physicians
» Protect financial and intellectual data

Page 36: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Device Control Ensures Security and Enables the Business

(Figure: Business Value plotted against Maturity / Operational Maturity, with the stages Security Effectiveness, Security Efficiency and Business Enablement, labelled "Pass audits", "Automate controls" and "Lower Risk")

Page 37: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Measurement of Lumension Device Control


Page 38: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Granular Controls Enable Effective Policy

Plan                       Device Class                              Description
Role-Based Access Control  Removable Storage Devices                 Memory sticks, flash drives, ZIP drives, USB hard drives, etc.
Role-Based Access Control  DVD/CD Drives                             CD, CD-R/W, DVD, DVD R/W
Role-Based Access Control  Imaging Devices                           Scanners, webcams, etc.
Role-Based Access Control  User Defined Devices                      Non-standard devices (generic USB devices, iPAQ, etc.)
Blocked                    Portable Devices                          Digital cameras, iPhones, MP3 players, etc.
Blocked                    Modem/Secondary Network Access Devices    Modems that do not connect directly through normal channels
Blocked                    Palm Handheld Devices                     Palm PDAs, smartphones, etc.
Blocked                    Floppy Disk Drives                        IDE, parallel, or USB floppy drives
Blocked                    RIM BlackBerry (Research In Motion)       Handheld computers / mobile phones
Blocked                    Biometric Devices                         Fingerprint readers, password managers, etc.
Blocked                    Tape Drives                               Internal or external tape drives
Blocked                    Windows CE Handheld Devices               Windows CE computers using PocketPC OS
Blocked                    Wireless Network Interface Cards          Wireless LAN adaptors
Allowed                    Printers (USB/Bluetooth)                  USB and Bluetooth printers
Allowed                    COM/Serial Port (Serial Communication)    Standard modems, phone cradles, etc.
Allowed                    LPT/Parallel Ports (Line Printer Terminal) Standard printers, dongles, etc.
Allowed                    PS/2 Ports (Personal System/2)            Keyboards and mice
Allowed                    Smart Card Readers                        Readers for smartcards, eTokens, or fingerprints
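The plan column above (role-based, blocked or allowed per device class), combined with the policy features described on pages 23, 26 and 32 (default deny, permissions scoped by class, model or unique ID for users, groups and machines, and encryption required before a USB storage device may be used), can be expressed as a small policy evaluator. The following Python is an added illustration written for this page; it is not Lumension Device Control's code or configuration format. The Permission schema, the "user:", "group:" and "machine:" subject prefixes, the device names, serial numbers and audit-line layout are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional, Set


class Plan(Enum):
    """Per-class plan, mirroring the Plan column of the page 38 table."""
    RBAC = "role-based access control"   # usable only with an explicit permission
    BLOCKED = "blocked"                   # denied for everyone, no exceptions
    ALLOWED = "allowed"                   # usable by everyone


# Device classes and their plan as listed on the slide.
CLASS_PLAN = {
    "Removable Storage Devices": Plan.RBAC,
    "DVD/CD Drives": Plan.RBAC,
    "Imaging Devices": Plan.RBAC,
    "User Defined Devices": Plan.RBAC,
    "Portable Devices": Plan.BLOCKED,
    "Modem/Secondary Network Access Devices": Plan.BLOCKED,
    "Palm Handheld Devices": Plan.BLOCKED,
    "Floppy Disk Drives": Plan.BLOCKED,
    "RIM BlackBerry": Plan.BLOCKED,
    "Biometric Devices": Plan.BLOCKED,
    "Tape Drives": Plan.BLOCKED,
    "Windows CE Handheld Devices": Plan.BLOCKED,
    "Wireless Network Interface Cards": Plan.BLOCKED,
    "Printers (USB/Bluetooth)": Plan.ALLOWED,
    "COM/Serial Port": Plan.ALLOWED,
    "LPT/Parallel Ports": Plan.ALLOWED,
    "PS/2 Ports": Plan.ALLOWED,
    "Smart Card Readers": Plan.ALLOWED,
}


@dataclass(frozen=True)
class Device:
    device_class: str
    model: str
    unique_id: str
    encrypted: bool = False   # whether the endpoint agent sees an encrypted volume


@dataclass(frozen=True)
class Permission:
    """One whitelist entry (hypothetical schema). Scope narrows from class to
    model to unique ID; None matches anything. The subject is a user, group
    or machine, written as 'user:name', 'group:name' or 'machine:name'."""
    subject: str
    device_class: str
    model: Optional[str] = None
    unique_id: Optional[str] = None
    access: str = "read"             # "read" or "readwrite"
    require_encryption: bool = True  # page 32: unencrypted USB denied by default

    def matches(self, dev: Device, subjects: Set[str]) -> bool:
        return (self.subject in subjects
                and self.device_class == dev.device_class
                and self.model in (None, dev.model)
                and self.unique_id in (None, dev.unique_id))

    def specificity(self) -> int:
        # A unique-ID entry beats a model entry, which beats a class-wide entry.
        return (self.unique_id is not None) * 2 + (self.model is not None)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    access: str
    reason: str


def evaluate(dev: Device, user: str, groups: Iterable[str], machine: str,
             permissions: List[Permission]) -> Decision:
    """Default-deny evaluation: the class plan first, then the most specific
    matching permission, then the encryption requirement."""
    subjects = {f"user:{user}", f"machine:{machine}"} | {f"group:{g}" for g in groups}
    plan = CLASS_PLAN.get(dev.device_class, Plan.BLOCKED)   # unknown class: deny
    if plan is Plan.ALLOWED:
        return Decision(True, "readwrite", "class allowed for all users")
    if plan is Plan.BLOCKED:
        return Decision(False, "none", "class blocked by plan")
    matching = [p for p in permissions if p.matches(dev, subjects)]
    if not matching:
        return Decision(False, "none", "no permission for user, group or machine")
    best = max(matching, key=Permission.specificity)
    if best.require_encryption and not dev.encrypted:
        return Decision(False, "none", "unencrypted device denied by policy")
    return Decision(True, best.access, f"permitted via {best.subject}")


def audit_line(dev: Device, user: str, machine: str, decision: Decision) -> str:
    """Audit record for every attempt, allowed or denied (constructed layout)."""
    verdict = "ALLOWED" if decision.allowed else "DENIED"
    return (f"host={machine} user={user} class={dev.device_class!r} "
            f"id={dev.unique_id} result={verdict} access={decision.access} "
            f"reason={decision.reason!r}")


# Constructed permissions: a role-wide grant, a read-only grant for media, a
# single-device exception for one user, and a machine-scoped grant for a
# dedicated scanning workstation.
SAMPLE_PERMISSIONS = [
    Permission("group:Radiology", "Removable Storage Devices", access="readwrite"),
    Permission("group:Radiology", "DVD/CD Drives", require_encryption=False),
    Permission("user:bjones", "Removable Storage Devices", unique_id="SN0001"),
    Permission("machine:WS-SCAN-07", "Imaging Devices", require_encryption=False),
]

if __name__ == "__main__":
    usb = Device("Removable Storage Devices", "Cruzer 4GB", "SN0001", encrypted=True)
    d = evaluate(usb, "bjones", [], "WS-ER-003", SAMPLE_PERMISSIONS)
    print(audit_line(usb, "bjones", "WS-ER-003", d))
```

Two design choices carry the slide's intent: an unknown device class falls through to the blocked plan rather than to RBAC, so a class nobody has thought about is denied by default, and the encryption check runs after permission matching, so a role that is entitled to USB storage still cannot use an unencrypted stick.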

Page 39: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Communication and Rollout Plan

Communication Means                      Message                                   Present            Status
Executive Staff Meeting                  Overview (this presentation)              3/24/2009          Complete
COO Briefing                             Overview                                  3/25/2009          Complete
Security Management Subcommittee         Overview                                  4/8/2009           Complete
Cancer Committee Meeting                 Agenda item                               4/10/2009          Complete
E-mail current users                     Request ‘business need’ justification     4/13/2009          Complete
Department Chair Meetings                Agenda item                               4/13 - 6/16/2009   Complete
Department Directors Meeting             Overview                                  4/15/2009          Complete
IS Division Meeting                      Overview                                  4/15/2009          Complete
F-22 Revision                            Publish link to Project Website           4/15/2009          Complete
Internal Posters                         Devices, contact info, effective date     4/16/2009          Complete
Housewide Memo 1                         Devices, contact info, effective date     4/21/2009          Complete
Medical Executive Committee              Overview                                  4/21/2009          Complete
IS Steering                              Overview                                  4/22/2009          Complete
Employee Communiqué Newsletter           Devices, contact info, effective date     4/24/2009          Complete
Housewide Memo 2                         Devices, contact info, effective date     4/28/2009          Complete
Volunteer Executive Committee Meeting    Agenda item                               4/28/2009          Complete
Housewide Memo 3                         Devices, contact info, effective date     5/1/2009           Complete
Physician Practice Managers Meeting      Agenda item                               5/1/2009           Complete
Medical Staff Monthly Newsletter         Devices, contact info, effective date     5/3/2009           Complete
Nursing Matters Newsletter               Devices, contact info, effective date     5/3/2009           Complete
Foundation Quarterly Newsletter          Devices, contact info, effective date     5/15/2009          Complete
Volunteer Quarterly Newsletter           Devices, contact info, effective date     5/27/2009          Complete

Page 40: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Monthly Newsletters and Memos

On May 12, 2009, University Hospital will protect electronic Protected Health Information (ePHI) by restricting USB storage device use to specific, authorized users.

Unauthorized devices such as Universal Serial Bus (USB) drives, external hard drives, and non-encryptable devices such as digital cameras, cell phones, mp3 players, etc., will be blocked.

Visit the "Device Control Project" link on the hospital's intranet homepage, or contact Dewayne Winston at [email protected] for more information.


Page 41: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Internal Posters Throughout Hospital

- Employee entrance

- Cafeteria exit

- Heart & Vascular Institute

- Business Center

- Human Resources

- Staff elevators


Page 42: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Current Results - ROI

• Audit finding remediated

• No loss of electronic Protected Health Information

• Enforcement of policy by role with exceptions

• Since May 12, 2009:
  » Blocked 345 unauthorized users
  » Blocked 20,000+ unauthorized access attempts
  » Weekly log monitoring
  » File shadowing enabled

Page 43: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Security that Ensures Compliance AND Business Productivity

Ensure that the Right People have the Right Access to the Right Resources and are doing the Right Things Efficiently and Productively


Page 45: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Additional Resources

• Learn More about Technical Controls to Address HIPAA Compliance Challenges:
  » http://www.lumension.com/hipaa-compliance
  » Whitepaper - Achieving HIPAA Security Rule Compliance with Lumension

• Optimal Security Blog – http://blog.lumension.com

• Device Scanner Offer
  » Discover every removable device, such as USB flash drives, that has ever connected to your network

• Protect Your Vital Information Resource Center
  » Third party research, videos, tools and case studies
  » http://www.lumension.com/protect-your-vital-information

Page 46: Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

Global Headquarters
15880 N. Greenway-Hayden Loop
Suite 100
Scottsdale, AZ 85260
1.888.725.7828
[email protected]