© Copyright 2011 Axis Technology, LLC
The Most Wonderful Time of the Year for Health IT........ NOT
know your data • protect your data • share your data
Agenda
Attacks are on the Rise
Legislation is Changing
Lessons from Healthcare.gov
Come in from the Cold
… a word from our sponsors
Internal and External Vulnerabilities
• Non-standard SSL traffic
• Drive-by attacks
• Watering hole attacks
• Botnets
• Social engineering attacks
• Spear phishing
Breaches
• South Shore Physicians, P.C. - a dishonest nurse and three co-conspirators were linked to identity fraud.
• NY Office of the Medicaid Inspector General (OMIG) - an employee sent an email containing sensitive records to their own email account.
• Cedars-Sinai Medical Center - medical workers were fired for their hacking effort.
• Long Beach Memorial Medical Center - patients had their information exposed by an employee.
Breaches Happen - The Full Cost of a Breach
In the event of a breach, the full cost to an organization can include one or more of the following:
• Notifying customers / patients
• Investigating and controlling the breach
• Potential litigation and fines
• Intangible costs associated with damage to your brand, loss of customers, decline in value, and reputation management
PCI - PCI Data Security Standard
An industry security standard that applies to companies that process & store credit/debit card data.
12 requirements:
1. Firewall to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data to those that "need to know"
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain an information security policy for all personnel
Larger companies must undergo annual PCI audits. Non-compliance can result in revocation of services and/or fines up to $100,000 per month.
PCI – eCommerce Standards
A merchant’s PCI DSS responsibilities remain regardless of their e-commerce implementation.
If development or processing is outsourced to third parties, the merchant retains responsibility for ensuring that payment card data is protected.
In-house developed applications should use PA-DSS as a best practice during development.
Minimize the number of staff who can view account data.
Where a merchant has outsourced cardholder data to a third party, that data may still be at risk.
PCI - Cloud Standards
A merchant's PCI DSS responsibilities remain regardless of their cloud implementation.
Is the service being used the one that was actually validated?
Identify and minimize the payment card data in the cloud.
Identification and authentication are essential.
Governance, risk and compliance are shared.
Consider data ownership and cross-border regulatory laws.
Data is also present in other cloud systems such as VM images, backups, monitoring logs, and so on.
When exiting a cloud service, potentially unknown quantities of encrypted data may be left behind.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA)
Covered entities must implement technical policies and procedures that allow access to Protected Health Information ("PHI") only to those persons and business associates that absolutely require it.
However, HIPAA also provides for the use and disclosure of de-identified information (aka masked, obfuscated, redacted). PHI that meets the requirements for de-identification is no longer considered individually identifiable health information.
The Office for Civil Rights ("OCR") is required to impose penalties if a covered entity or its business associate acts with willful neglect.
HIPAA - Recent Changes
The changes greatly increase privacy protections for PHI while also strengthening enforcement.
Penalties for noncompliance are increased, up to $1.5 million per year for violations of the same provision.
OCR audits and assessments will focus on whether PHI has been compromised: an impermissible use or disclosure is presumed to be a breach unless the covered entity can clearly demonstrate a low probability that the information has been compromised.
The changes extend many of the requirements to the business associates of these entities that receive PHI, such as contractors and subcontractors.
State Laws
46 states have enacted laws requiring notice of security breaches of personal data.
Some states have reportedly considered legislation to hold retailers liable for third-party companies’ costs arising from data breaches.
The Massachusetts law is considered to have one of the most comprehensive sets of security regulations at the state level.
State Laws - Texas
When the Texas breach notification law went into effect in September 2012, breach notification obligations effectively extended to all states, because Texas requires entities doing business within the state to notify residents of states that have not enacted their own breach notification law.
Getting Technology Right
According to the research firm the Standish Group, 94% of large federal information technology projects over the past 10 years were unsuccessful.
Source: http://www.nytimes.com/2013/10/25/opinion/getting-to-the-bottom-of-healthcaregovs-flop.html?_r=3&
Federal Acquisition Regulation
1,800 pages. Companies that win contracts are those that can navigate the regulations best.
Issues
Participants can prepare all they want, but bad data can snarl the exchange.
Normalization of data across multiple independent organizations leaves data more vulnerable to contamination, duplication and mix-ups.
Aggregating, analyzing and managing extensive data raises privacy concerns and costs.
Ownership
Each participant must concede a certain amount of ownership of resources and timelines for projects to the "Greater Good".
Understanding Ourselves
Do we:
• Understand where we are?
• Know where our risks are?
• Have compensating controls?
• Have a plan?
Enterprise Governance Risk and Compliance ("eGRC") is an enterprise initiative that reaches from strategy through architecture to the operations of the organization.
Review Access to Sensitive Data
Who has access?
Perform meaningful entitlement reviews.
Flag entitlements that do not conform to security policies.
Enterprise entitlement solutions typically include separate mainframe, application-specific and LDAP-based solutions. Review for toxic combinations (entitlements that should never be held together by one person).
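The review above boils down to three questions over aggregated entitlement data: who holds a given entitlement, who holds a toxic combination, and which grants break a group policy. The following is an added example (not code from the slides or any vendor tool) that answers all three; the users, entitlements, toxic pairs and group rules are constructed sample input, standing in for what a real review pulls from the mainframe, application and LDAP sources the slide mentions.

```python
"""Entitlement review: who has access, and which grants break policy.

Added example; not code from the slides or from any vendor tool. ENTITLEMENTS,
TOXIC_PAIRS and FORBIDDEN_FOR_GROUP are constructed sample data; a real review
aggregates them from the mainframe (e.g. RACF), application and LDAP sources.
"""
from collections import defaultdict

# (source, entitlement) pairs per user, as collected from each source. Constructed.
ENTITLEMENTS = {
    "alice": {("erp", "AP_CREATE_VENDOR"), ("erp", "AP_APPROVE_PAYMENT"), ("ldap", "cn=staff")},
    "bob":   {("erp", "AP_CREATE_VENDOR"), ("ldap", "cn=staff")},
    "carol": {("mainframe", "PHI_DB_READ"), ("app", "EXPORT_PHI"), ("ldap", "cn=contractors")},
    "dave":  {("mainframe", "PHI_DB_READ"), ("ldap", "cn=staff")},
}

# Toxic combinations (segregation of duties): no one person may hold both halves. Constructed.
TOXIC_PAIRS = [
    (("erp", "AP_CREATE_VENDOR"), ("erp", "AP_APPROVE_PAYMENT")),
]

# Group policy: entitlements a group may not hold (here, contractors must not read or export PHI).
FORBIDDEN_FOR_GROUP = {
    ("ldap", "cn=contractors"): {("mainframe", "PHI_DB_READ"), ("app", "EXPORT_PHI")},
}


def who_has(entitlement, entitlements=ENTITLEMENTS):
    """Answer 'who has access?' for one entitlement, e.g. the PHI database."""
    return sorted(user for user, ents in entitlements.items() if entitlement in ents)


def find_toxic_combinations(entitlements=ENTITLEMENTS, toxic_pairs=TOXIC_PAIRS):
    """Users holding both halves of any toxic pair."""
    findings = defaultdict(list)
    for user, ents in entitlements.items():
        for a, b in toxic_pairs:
            if a in ents and b in ents:
                findings[user].append(("toxic_combination", a, b))
    return dict(findings)


def find_policy_violations(entitlements=ENTITLEMENTS, forbidden=FORBIDDEN_FOR_GROUP):
    """Users in a group that holds an entitlement the group is not allowed to have."""
    findings = defaultdict(list)
    for user, ents in entitlements.items():
        for group, banned in forbidden.items():
            if group in ents:
                for ent in sorted(ents & banned):
                    findings[user].append(("forbidden_for_group", group, ent))
    return dict(findings)


def review(entitlements=ENTITLEMENTS, toxic_pairs=TOXIC_PAIRS, forbidden=FORBIDDEN_FOR_GROUP):
    """Full report: user -> list of findings. Users absent from the report passed."""
    report = defaultdict(list)
    for partial in (find_toxic_combinations(entitlements, toxic_pairs),
                    find_policy_violations(entitlements, forbidden)):
        for user, items in partial.items():
            report[user].extend(items)
    return dict(report)


if __name__ == "__main__":
    print("PHI_DB_READ holders:", who_has(("mainframe", "PHI_DB_READ")))
    for user, items in sorted(review().items()):
        for item in items:
            print(user, *item)
```

In this sample, alice is flagged for the create-vendor/approve-payment toxic combination and carol for holding PHI access as a contractor; bob and dave pass. Keying entitlements by (source, name) keeps the mainframe, application and LDAP grants distinguishable after they are aggregated, which is where the "separate solutions" problem the slide describes tends to hide conflicts.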
[Diagram: QA Testing environment - internal users, privileged users and external users reaching, through a firewall and load balancer, the web server, app server, ERP, databases, file servers and backups; callouts 1-6 mark locations in the environment.]
[Diagram: Live Data environment - the same topology, with the same six callouts.]
Data … Data Everywhere
Copies of data may exist in multiple locations in your environment.
Each of these locations is a potential target from external sources and needs to be protected.
The Verizon Data Breach Report suggests eliminating unnecessary copies of data.
Data de-identification (aka data masking) eliminates the extra copies of live sensitive data by replacing them with de-identified copies, including for:
• Outsourcers / Business Associates
• Test data in the cloud
• Stratification of big data
• Taking data home
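The HIPAA slide above says de-identified PHI is no longer individually identifiable, and this slide says masking is how the extra copies (QA, outsourcers, cloud test data) lose their live data. The following added example, which is not code from the slides or from DMsuite, shows what a masking pass over one patient record actually does: keyed deterministic pseudonyms so the same patient maps to the same token in every table, 3-digit ZIP and the over-89 age rule from HIPAA Safe Harbor, a per-patient date shift that keeps intervals for testing, and regex redaction of SSNs and phone numbers in free text. The key, the record and the regexes are constructed for the example.

```python
"""Data de-identification (masking) of a patient record for a QA / test copy.

Added example; not code from the slides or from DMsuite. Techniques shown:
  - identifiers -> keyed, deterministic pseudonyms (HMAC-SHA256), so joins
    between masked tables still work;
  - ZIP -> first three digits (Safe Harbor; the < 20,000-population rule applies);
  - age -> exact below 90, "90+" at 90 and above (Safe Harbor);
  - dates -> shifted by a stable per-patient offset so intervals survive
    (a test-data technique, not Safe Harbor, which keeps only the year);
  - free text -> SSNs and phone numbers redacted.
MASKING_KEY and SAMPLE are constructed for the example.
"""
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed key. In production it lives in a KMS/HSM and never ships with the masked copy.
MASKING_KEY = b"example-only-masking-key"

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")


def pseudonym(value, namespace):
    """Keyed, deterministic token: the same (namespace, value) always yields the same token."""
    mac = hmac.new(MASKING_KEY, f"{namespace}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{namespace.upper()}-{mac[:12]}"


def shift_days(patient_id):
    """Per-patient offset of 1..365 days derived from the key, stable across runs."""
    mac = hmac.new(MASKING_KEY, f"shift:{patient_id}".encode(), hashlib.sha256).digest()
    return 1 + int.from_bytes(mac[:2], "big") % 365


def age_bucket(dob, today):
    """Exact age below 90; Safe Harbor collapses 90 and above into one bucket."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(age)


def redact_text(text):
    """SSN first, then phone, so the SSN pattern is never mistaken for a phone number."""
    return PHONE_RE.sub("[PHONE]", SSN_RE.sub("[SSN]", text))


def deidentify(record, today):
    """Return a masked copy of one record; the input is left untouched."""
    pid = record["patient_id"]
    offset = timedelta(days=shift_days(pid))
    return {
        "patient_id": pseudonym(pid, "pt"),
        "name": pseudonym(record["name"], "name"),
        # Safe Harbor allows the 3-digit ZIP prefix unless that area holds < 20,000 people (then "000").
        "zip": record["zip"][:3] + "00",
        "age": age_bucket(date.fromisoformat(record["dob"]), today),
        "admit_date": (date.fromisoformat(record["admit_date"]) - offset).isoformat(),
        "discharge_date": (date.fromisoformat(record["discharge_date"]) - offset).isoformat(),
        "notes": redact_text(record["notes"]),
    }


# Constructed sample record (not real data).
SAMPLE = {
    "patient_id": "MRN-0001234",
    "name": "Jane Q. Patient",
    "dob": "1921-03-09",
    "zip": "02110",
    "admit_date": "2013-11-02",
    "discharge_date": "2013-11-09",
    "notes": "Pt states SSN 123-45-6789, callback (617) 555-0142.",
}


def deidentify_sample():
    return deidentify(SAMPLE, date(2013, 12, 1))


def stay_length_days(masked):
    """Length of stay survives the date shift, which is why testers can still use the copy."""
    return (date.fromisoformat(masked["discharge_date"]) - date.fromisoformat(masked["admit_date"])).days


if __name__ == "__main__":
    for key, value in deidentify_sample().items():
        print(f"{key:15} {value}")
```

Two practical points: the pseudonym is only as strong as the secrecy of MASKING_KEY (an attacker who has it can confirm guesses, so the key must not travel with the masked copy), and the regex redaction catches only the formats it knows, so free-text fields still need discovery tooling rather than trust.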
The Guard Compliance Tracking Solution
Compliance is important but expensive…Until Now
• EASY Self Audit Questionnaires
• Gap Identification Reporting
• Remediation Management
• Policy and Procedure Templates
• Unlimited Number of Patients, Employees and Associates
• Document and Version Control Management
• Highly Secure
• No IT integration - Web Based Solution
Become Compliant in 60 Days!
Attest for HITECH, and Satisfy Meaningful Use Core Measure 15
To find out more or start a FREE 30 Day evaluation visit www.compliancy-group.com or call (855) 85 HIPAA / (855) 854-4722
Data De-Identification - DMsuite™
DMsuite™ - A robust, proprietary tool that has been deployed at clients for over 9 years with: Sensitive Data Discovery, Data De-Identification and Auditing functionality.
Data sources shown on the slide:
• Applications
• Files: XML, CSV, Multi-Record, etc.
• QSAM, VSAM
• Databases
• Big Data
• Unstructured Text: Social, RSS
• IMS
Questions or Further Discussions
Contact: Joe Santangelo
Email: [email protected]
Phone: (646) 596-2670
Twitter: @DataPrivacyDude
www.AxisTechnologyLLC.com
Thank You!
70 Federal Street
Boston, MA 02110
(646) 596-2670