Trend Micro Healthcare Compliance Solutions

How Trend Micro’s innovative security solutions help healthcare organizations address risk and compliance challenges

WHITE PAPER

Securing Your Journey to the Cloud

Introduction

The foundation of any good information security program is risk management. Organizations need to understand the following:

• What information is being stored, processed or transmitted

• What are the confidentiality, availability and integrity requirements of the information

• What are the compliance requirements of the information and penalties for failure

• How to implement people, process and technology controls to address the requirements

In a healthcare setting the protected health information (PHI) is the primary focus of information technology (IT) risk management practices. Traditionally, sensitive health information has flowed through the organization via paper records. Maintaining and protecting these records relied heavily on people and processes. Risks to the unauthorized access, modification or destruction of information existed but the impact was typically only one or a handful of individuals on average. With the increased adoption of technology in healthcare such as electronic medical records, health information exchanges, and networked medical devices, the risk to PHI increases in both likelihood of unauthorized disclosure and impact to the organization given the greater amount of data accessible. Further, legislation introduced in September 2009 increased the scope and penalties of compliance regulations.

The Importance of Privacy in Healthcare

Security and privacy provide the basis for enabling trust in the healthcare industry. Security enables privacy which in turn allows patients to trust providers of care with their sensitive information. In fact, the Institute of Medicine (IOM), a respected nonprofit which conducts research in the healthcare space, stresses the importance of privacy and its link with patient care:

“breaches of an individual’s privacy and confidentiality may affect a person’s dignity and cause irreparable harm…and [unauthorized disclosures] can result in stigma, embarrassment, and discrimination.”¹

In this statement, the IOM directly links patient harm to privacy. If privacy cannot be reasonably maintained and assured there is an increase in the potential for harm. And unlike breaches of personally identifiable or financial information, individuals cannot easily be made whole or protected when patient information is disclosed to an unauthorized individual. There is no health record monitoring; what a neighbor or colleague discovers about another’s health cannot be undone; restoring a health record after it has been used for fraudulent activities can be painstaking and may result in denial of care or medication.

In another report by the IOM, Crossing the Quality Chasm², six aims for improvement are defined as a means of reducing the burden of illness, injury, and disability, improving the health of individuals in the U.S. These aims are focused on healthcare being:

Integrity

• Safe: Avoiding injuries to patients from the care that is intended to help them.

• Effective: Providing services based on scientific knowledge to all who could benefit, and refraining from providing services to those not likely to benefit.

Confidentiality

• Patient-centered: Providing care that is respectful of and responsive to individual patient preferences, needs, and values, and ensuring that patient values guide all clinical decisions.

• Equitable: Providing care that does not vary in quality because of personal characteristics such as gender, ethnicity, geographic location, and socioeconomic status.

Availability

• Timely: Reducing waits and sometimes harmful delays for both those who receive and those who give care.

• Efficient: Avoiding waste, including waste of equipment, supplies, ideas, and energy.

As noted above, there is a close link with many of these aims to the core pillars of security: confidentiality, integrity, and availability (CIA). Confidentiality of information enables equitable care by reducing or removing individuals’ biases. Integrity of information enables effective care by keeping information in its intended state, not being altered without knowledge or authorized intent by a care provider. Availability of information enables clinicians to access information when and where they need it to make decisions about appropriate care needed by a patient.

While the regulations are not as explicit in the linkage between safety and care with privacy and security, the intent is the same.

¹ IOM: Beyond the HIPAA Privacy Rule—Enhancing Privacy, Improving Health Through Research, January 2009, http://www.iom.edu/Reports/2009/Beyond-the-HIPAA-Privacy-Rule-Enhancing-Privacy-Improving-Health-Through-Research.aspx

² Crossing the Quality Chasm: A New Health System for the 21st Century, March 2001, http://www.iom.edu/Reports/2001/Crossing-the-Quality-Chasm-A-New-Health-System-for-the-21st-Century.aspx

Regulations and Compliance in Healthcare

State of Security in Healthcare

With the volume of security compliance requirements and the costs associated with disclosure after a breach, one might expect the industry to be fairly mature with respect to protecting PHI. Unfortunately, breach and benchmark data indicates otherwise.

Breaches on the Rise

Since the Breach Notification rule went into effect in September 2009, over 233 breaches are recorded. In 2010, the average number of breaches per month was almost 20. And the total number of records and individuals affected is 6.74 million³. Of the types of organizations experiencing breaches, physician practices and hospitals are the biggest targets accounting for 25% and 37% respectively. Health insurance plans however account for the greatest loss of PHI with over 50% of breached records originating from these organizations. Over 50% of the breaches stem from the theft of laptops, removable media and desktops.

Looking at Verizon Business’ annual data breach investigation report, some 38% of breaches and 94% of records breached involved the use of malicious software, with about half of the breaches involving viruses with no customization. The use of social techniques such as email phishing, where a malicious link is sent in an attempt to gather sensitive information like passwords from unsuspecting users, occurred in almost 30% of breaches. Hacking is also a significant issue that is steadily increasing since 2005 when Verizon began capturing this data point, and now accounts for 40% of breaches.

³ As of February 2011

Cost of a Breach

What is the effect on organizations that experience a breach? According to a study conducted by the Ponemon Institute⁴, the cost per record of a breach in healthcare is $204—this is comprised of a direct element ($60) and an indirect element ($144). This includes both the cost of the actual notification, sending out letters, and associated costs like credit monitoring, forensic analysis, remediation and reputational damage. The Office of Civil Rights (OCR), which is responsible for enforcing the HIPAA rules, may also fine organizations for HIPAA violations up to $50,000 per violation and up to $1.5 million per year. In addition, state attorneys general are now also able to enforce the HIPAA rules and can enforce additional penalties on organizations for violating the rules. In July 2010, the Connecticut Attorney General’s office assessed a fine of $250,000 against Health Net. More recently, Massachusetts General Hospital reached a settlement with OCR for $1,000,000 for a breach in 2009 involving 192 patient records. These are real consequences for real organizations that could, in many cases, be mitigated with fundamental security controls and technologies.

⁴ http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/US_Ponemon_CODB_09_012209_sec.pdf

Managing Risk

A tenet of the HIPAA Security rule—discussed in greater detail later in this paper—is managing risk through reasonable and appropriate controls. This too is fundamental to IT risk management, which dictates that organizations assess the vulnerabilities present and the threats to those vulnerabilities and identify the appropriate techniques to manage those risks (e.g., controls, insurance, acceptance). By simply looking at the breach data listed above, however, it is fairly clear what some of the high risks are to organizations in healthcare: malware, unencrypted transmissions, unencrypted storage on mobile devices, social engineering, data loss, and hacking. Given this, what is reasonable and appropriate for organizations is to implement controls to address these risks. Considering the cost of breach notification and the increasing penalties, it is not only sound security and risk management practice but sound business practice.

Addressing Compliance

From a compliance perspective, healthcare organizations of all sizes and segments must address certain federal requirements, many of which were just recently introduced or have just recently changed. Specifically this paper looks at the following with supporting rationale:

• HIPAA Rules: The HIPAA Security, Privacy, Penalties and Enforcement rules are all being updated as part of the HITECH Act released in 2009. These changes impact all covered entities and more significantly all business associates and subcontractors working with covered entities, as they will now be directly subject to HIPAA. All healthcare organizations, large or small, are required to be in compliance with the current rules and with the new rules.

• HITECH Act: As mentioned above, the HITECH Act impacted the HIPAA rules but also had more widespread objectives and impacts on healthcare as an industry, intent on increasing the adoption of health information technologies. This includes establishing health information exchanges at state and national levels, increasing the use of electronic health records systems within hospitals and physician practices, and providing patients with more control over how their information is used, among many other changes.

• Breach Notification: The Breach Notification requirements are yet another result of the HITECH Act. Breach Notification imposes new requirements on healthcare organizations and business associates to notify affected patients, media outlets, and the DHHS when they experience a breach involving PHI. Notification must be provided within 60 days but without unreasonable delay. Since Breach Notification went into effect in September 2009, well over 200 instances of breaches have been logged, with each breach affecting 500 individuals or more.

• Meaningful Use: Under HITECH, CMS was charged with establishing an incentive program around the meaningful use of electronic health records (EHR) systems. This incentive program outlines requirements and thresholds for both the technology itself and the organizations adopting the technology to ensure the systems are being used in meaningful ways. While there are direct incentives available up through both Medicare and Medicaid, there are also penalties beginning in 2015 for those organizations that have not successfully adopted EHR technology.

• HITRUST: HITRUST, the Health Information Trust Alliance, and the HITRUST Common Security Framework (CSF) are recent additions to the healthcare information security and compliance landscape. HITRUST was established in 2008 with the objective of enabling trust in the healthcare industry. The CSF is a framework designed to provide prescriptive, comprehensive guidance on implementing reasonable and appropriate security controls based on risk and agreed to by the broader industry. Since its inception, HITRUST has released a CSF Assurance Program, which is a means of assessing high risk areas of organizations as a means of satisfying risk management requirements such as those in HIPAA and Meaningful Use.

• PCI: PCI, the Payment Card Industry, and the PCI Data Security Standard (DSS) are a more broadly focused, international industry group and set of requirements for payment card (e.g., credit card) processors and merchants accepting those cards. Many healthcare organizations, such as hospitals and physician practices, accept credit cards as a form of payment for healthcare services. Considering this, many healthcare organizations are subject to this rigid and strict set of requirements which recently went through an update in late 2010 to version 2 of the standard.

A more detailed explanation of each of the standards and regulations is provided in the following sections.

HIPAA

Health Insurance Portability and Accountability Act of 1996

HIPAA, enacted on August 21, 1996, was designed to improve the continuity of coverage and care services while simplifying the administration of healthcare. HIPAA established a set of national privacy and security standards for the protection of certain health information. The HIPAA Privacy rule, which went into effect in 2003, requires that personal health information be protected and kept confidential. Access to patient information must also be limited to only those who are authorized and only on a need-to-know basis. HIPAA also required the development and adoption of standards to secure protected health information (PHI) while in the custody of ‘covered entities’, as well as in transit between covered entities and from covered entities to others. These requirements that became the HIPAA Security rule went into effect in 2005.

The HIPAA Privacy rule (§164.530(c)(1) Standard: Safeguards) informs the Security rule requiring “a covered entity must have in place appropriate administrative, technical and physical safeguards to protect the privacy of protected health information.” The Privacy rule sets the requirement; the Security rule provides requirements for these three safeguards.

Generally, the Security Rule requires a covered entity to:

• Ensure the confidentiality, integrity, and availability of all ePHI the covered entity creates, receives, maintains, or transmits

• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information

• Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule

• Ensure compliance by its workforce

These protections are set forth as administrative, physical and technical safeguards as mentioned in the privacy rule and described as follows:

• “Administrative safeguards are administrative actions and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

• “Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

• “Technical safeguards mean the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”

To achieve the abovementioned safeguards, organizations must start with a risk analysis to identify threats to the confidentiality, integrity or availability of ePHI and implement security measures to protect against these threats. The subsequent administrative, physical and technical safeguards listed within the rule provide the basis for the security measures to implement. Many of these safeguards, however, are addressable, meaning the organization and the assessment must inform whether the safeguard is reasonable and appropriate to implement. The assessment, decision and rationale must be documented. This documentation along with all other documentation required by the standard (hard copy or electronic) must be retained for a minimum of six years from the date it was created or the date it was last in effect, whichever is later.

HITECH Act

Health Information Technology for Economic and Clinical Health Act of 2009

HITECH, enacted in 2009 as part of the American Recovery and Reinvestment Act (ARRA), includes coverage (COBRA and Medicaid), health IT and privacy provisions designed to improve the quality of the US healthcare system while lowering its costs. With respect to the health IT provisions, the federal and state governments are investing in both nationwide and state electronic health information exchanges and encouraging hospitals and physicians to adopt electronic medical records systems to improve care and better facilitate information exchange. The Act also strengthened federal privacy and security law to protect health information from misuse as the healthcare sector increases use of health IT. It also resulted in the modification of the HIPAA Privacy, Security and Enforcement rules and created the Breach Notification rule. Generally these changes include:

• Requiring that an individual be notified if there is an unauthorized disclosure or use of their health information

• Expanding the scope of the HIPAA rules to directly apply to entities that store, process or transmit PHI on behalf of providers and insurers

• Providing transparency to patients by allowing them to request an audit trail showing all disclosures of their health information made through an electronic record

• Requiring that providers obtain authorization from a patient to use their health information for marketing and fundraising activities

• Strengthening the enforcement of HIPAA by increasing penalties for violations and providing greater resources for enforcement and oversight activities

Breach Notification

Requiring HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

Subtitle D of Division A (entitled ‘Privacy’) of the HITECH Act required HHS to create new regulations for breach notification by covered entities and their business associates in the event there is an unauthorized disclosure of unprotected PHI. The Breach Notification Interim Final Rule became effective on September 23, 2009, and remains in effect until a final rule is issued by HHS.

A breach is defined by the rule as “an impermissible use or disclosure under the Privacy rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.” Covered entities and business associates need only to provide notification if the breach involved unsecured PHI. Unsecured PHI is defined as PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of an approved technology or methodology. Currently the only approved means of securing PHI is encryption or destruction. Thus adequately encrypting or destroying PHI may grant organizations safe harbor from notification in the event of a breach.

When a breach occurs and on the first day the organization discovers the breach—or should have discovered a breach exercising reasonable due diligence—the organization has 60 days to notify the individuals whose information was involved in the breach; however, notification must be provided without unreasonable delay. When 500 or more individuals are involved by state, the organization is required to notify major media outlets, in other words provide public notification. When 500 or more individuals, irrespective of state or jurisdiction, are involved, notice to the Secretary of HHS must be provided immediately. If fewer than 500 individuals total have been affected by a breach, then the organization must still report to the Secretary, but it may be in the form of a log on an annual basis.

There are certain exceptions to the current rule whereby an organization does not need to provide notification for a breach of unsecured PHI, commonly referred to as “safe harbor.”


Safe harbor is granted when either of the following is true:

• The patient information is encrypted and subsequently inaccessible by an unauthorized individual

○ Encryption systems must meet the NIST SP 800-111 standard for stored data to be deemed secure⁵

• The patient information has been disposed of in a secure manner, such as degaussing hard drives or shredding paper records

○ Electronic media have been cleared, purged, or destroyed consistent with NIST SP 800-88⁶

It is important to note that notification is always provided by the covered entity, even if a business associate was involved and experienced the breach. While the rule requires business associates to notify the covered entity of the breach, it is the covered entity’s responsibility to notify the individuals, media and HHS in accordance with the requirements mentioned above.

Meaningful Use

Demonstrating the use of certified EHR technology in meaningful ways that facilitate the exchange of health information and improve the quality of patient care.

In addition to the HIPAA rule changes, HITECH introduced programs and funds for the enhanced privacy and security protections, standards development and certification infrastructure for EHRs. The Centers for Medicare and Medicaid Services (CMS), charged with providing guidance and defining requirements for professionals and hospitals that would adopt this EHR technology, has established an incentive program along with a number of categories, objectives, and measures for what it means to be a meaningful user of EHR technology and receive incentive payments. The requirements to receive funds are defined in three stages, with the first stage already defined and the other two to be defined at a future date during the program—stage 2 to be issued in 2011 and stage 3 in 2013.

Eligible professionals (EPs) may seek incentive under Medicare or Medicaid (not both):

• Medicare: Up to $18,000 in calendar year 2011 or 2012, to five year cap of $44,000

• Medicaid: Maximum of $63,750 over six years, $21,250 maximum in first year

Eligible hospitals may receive both Medicare and Medicaid payments based on the following formula:

• Base of $2 million for up to 1,149 acute care inpatient discharges for prior 12 months

• Plus $200 for each additional discharge up to 23,000

• Maximum of $6,370,200, plus transition factors

Of the stage 1 criteria for EPs and eligible hospitals, a core set and a menu set are defined. The core set includes 15 objectives for providers and 14 objectives for hospitals, all of which must be met. The menu set includes 10 objectives for both EPs and hospitals, five of which must be chosen and met.

⁵ http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html

⁶ http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html

Category: “[To] ensure adequate privacy and security protections for personal health information.”

Objective: “Protect electronic health information created or maintained by certified EHR technology through the implementation of appropriate technical capabilities.”

Measure: “Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement updates as necessary and correct identified security deficiencies as part of the EP’s, eligible hospital’s or CAH’s risk management process.”

The measure listed above relates to the HIPAA Security rule’s requirements for risk analysis and risk management, essentially requiring EPs and hospitals to conduct a risk analysis and implement updates to ensure the confidentiality, integrity, and availability of ePHI, protecting against threats and unauthorized disclosures.

HITRUST Common Security Framework (CSF)

Developed in collaboration with healthcare and information security professionals, the Common Security Framework (CSF) is the first IT security framework developed specifically for healthcare information.

The Health Information Trust Alliance (HITRUST) arose from the belief that information security is critical to the broad adoption, utilization and confidence in health information systems, medical technologies and electronic exchanges of health information.

HITRUST is collaborating with healthcare, business, technology and information security leaders, to build this greater level of trust between organizations through a common security framework and program for assessing and reporting information security controls. In 2009, HITRUST delivered the first Common Security Framework (CSF) to the industry. The CSF is not a new standard; this is a common misconception. The CSF is a framework which normalizes and cross-references the requirements of existing standards and regulations including federal (e.g., HIPAA, HITECH, Meaningful Use), state (e.g., Massachusetts, Nevada), third party and business (e.g., PCI, ISO, JCAHO) requirements. Additionally, HITRUST has been able to add a degree of prescriptiveness in security requirements that has been traditionally lacking, which makes adoption and compliance more consistent and simpler. The CSF is also scalable based on risk and complexity, accounting for different sizes of organizations and the types of systems used, providing the right level of control based on these factors.

In conjunction with the CSF, HITRUST established the CSF Assurance Program whereby organizations can assess and report their risk exposure against a subset of required controls of the CSF. The CSF Assurance Program provides consistency in the currently disparate assessment and reporting processes utilized by healthcare organizations. Through one program and against one set of requirements, organizations can streamline the number of assessments they conduct each year and how they report the results to third parties, while also managing risk. Since the Assurance Program is based on the CSF, which itself is based on existing standards and regulations, HITRUST provides organizations with an excellent solution for conducting risk assessments and managing risk as required by the HIPAA Security rule and Meaningful Use. The Office of Civil Rights (OCR) has in fact issued guidance⁷ recognizing HITRUST and the CSF as a viable option for conducting a risk analysis under the HIPAA Security rule.

While the CSF and CSF Assurance Program are merely de facto requirements now, both have seen continued growth in support and adoption since HITRUST initially launched each respectively. HITRUST itself is supported by executive, industry leadership from organizations like UnitedHealth Group, WellPoint, Humana and Express Scripts among others and has a growing number of members in its online community.

PCI DSS

An actionable framework for developing a robust payment card data security process to help organizations ensure the safe handling of cardholder information at every step.

The Payment Card Industry (PCI) Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards including the Data Security Standard (DSS). The Council’s five founding global payment brands are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. Each of these companies has agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs, meaning any organization of any size that wishes to do business with these organizations (i.e., accept payment cards) must comply with the DSS.

The PCI DSS provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents. The DSS includes twelve requirements for any organization that stores, processes or transmits payment cardholder data. These requirements specify the framework for a secure payments environment. For purposes of PCI compliance, their essence is three steps: assess, remediate and report.

To assess is to take an inventory of your IT assets and processes for payment card processing and analyze them for vulnerabilities that could expose cardholder data. To remediate is the process of fixing those vulnerabilities. To report entails compiling records required by PCI DSS to validate remediation and submitting compliance reports to the acquiring bank and global payment brands you do business with. Carrying out these three steps is an ongoing process for continuous compliance with the PCI DSS requirements. These steps also enable vigilant assurance of payment card data safety.

PCI provides and maintains a Self-Assessment Questionnaire (SAQ) which is a validation tool for merchants and service providers who are not required to do on-site assessments for PCI DSS compliance. There are four SAQs specified for various situations depending on how the merchant interacts with the payment card and its information.

For those organizations required to conduct on-site assessment, the Council provides programs for two kinds of independent experts: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs have trained personnel and processes to assess and prove compliance with the PCI DSS. ASVs provide commercial software tools to perform vulnerability scans for payment card systems.

Each member organization of PCI defines different classifications of merchants requiring a different level of assessment and reporting based on the classification. Generally speaking, large merchants processing multiple millions of transactions for a particular merchant annually will be classified as level 1, meaning the organization must conduct a third party assessment and report annually. Merchants which fall in levels 2 through 4 generally process low millions to thousands of records annually and typically are only required to conduct a self-assessment. A quarterly network scan is required in almost all instances.


Trend Micro Security Solutions

Trend Micro is a leading provider of information security technologies designed to protect organizations from the increasing threats to sensitive information like PHI. Trend Micro’s overarching set of solutions scale to small, medium and large organizations, tailoring their products to the needs of each kind of organization.

Trend Micro is also more than just a vendor; they have truly positioned themselves as a trusted advisor when it comes to managing security and compliance in healthcare. With all of Trend Micro’s products, a full support team is available to facilitate the successful implementation and deployment of the security solution. In certain circumstances, as is discussed in this paper, Trend Micro even provides a team during the lifecycle of the product, augmenting an organization’s security team and assisting in the monitoring and management of security within the organization. Trend Micro also exhibits a strong focus on addressing emerging technologies and the associated risks. Virtualization of an organization’s servers is an attractive means of providing IT resources without the high cost of physical devices. Trend Micro embraces this across a majority of their solutions, providing the solution as either a traditional hardware or software device or as a virtual appliance on VMware. In this area, virtualization also introduces new risks that organizations are still struggling to address. Trend Micro’s solutions provide protection of virtual, physical, and hybrid environments seamlessly. Virtualization is not just a technology for the data center either; virtual desktop infrastructure (VDI) is the practice of hosting a desktop operating system within a virtual machine. VDI is having a major impact in healthcare as a means of providing shared workstations within a clinical setting, allowing physicians and nurses to move from one terminal to the next accessing the same desktop and applications across the facility. While the desktops are virtual the threats are real, requiring protection from malicious software for example.

The cloud is another growing area, often used for lowering the operating costs to organizations. Trend Micro leverages the cloud in a unique way with their Smart Protection Network™. The Smart Protection Network is a cloud-based infrastructure enabling better protection of organizations while reducing the resource impact. This unique technology is a global network of devices, sensors and intelligence leveraged across Trend Micro’s security solutions and services to enable protection before the threat even reaches the organization’s front door. Organizations using Smart Protection Network-aware solutions can also opt in to providing smart feedback to the network, acting as yet another data source of good and bad content. This multi-layered solution uses sophisticated algorithms and technologies to identify a file’s, website’s or sender’s reputation and block malicious content. Because it is all done in the cloud powered by Trend Micro, organizations get immediate protection that is always up-to-date, without the demand on system resources of traditional products.

Because the Smart Protection Network aggregates data on emails, files, and websites, it is able to correlate these threat vectors to enhance protection across all mediums versus working in silos like most security solutions. For example, spam is often a source of malicious URLs whereby a spammer sends a link masked as a known, good website but which is truly a malicious website. With email reputation, the Smart Protection Network would flag the email as malicious spam and block all future instances from the sender. The web filter, however, would also pick up the URL within the email and analyze the website's reputation, visiting the page and downloading any content. If malicious content is discovered, the URL too will be flagged and blocked in all future instances. Finally, if a malicious file is downloaded from the website and discovered, the file reputation would also be updated, again blocking all future instances of the malicious file via email, web, or other. Many of the solutions below leverage Trend Micro's Smart Protection Network to keep organizations secure.
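The cross-vector correlation described above can be modelled with a small reputation store in which a verdict reached on one vector (sender, URL or file hash) is reused when the same indicator appears on another. The following is an added illustration, not Trend Micro code; the ReputationStore class, the events and the example.net / .example addresses are constructed for the example.

```python
# Added example (not Trend Micro code): a minimal reputation store that shares
# verdicts between the email, web and file vectors. All events are constructed.
from dataclasses import dataclass, field


@dataclass
class ReputationStore:
    bad_senders: set = field(default_factory=set)   # email reputation
    bad_urls: set = field(default_factory=set)      # web reputation
    bad_files: set = field(default_factory=set)     # file reputation (SHA-256 hex)

    def flag_email(self, sender, urls):
        """Email reputation flags a sender; any links it carried taint web reputation."""
        self.bad_senders.add(sender)
        self.bad_urls.update(urls)

    def flag_download(self, url, sha256):
        """A malicious file found at a URL taints both the URL and the file hash."""
        self.bad_urls.add(url)
        self.bad_files.add(sha256)

    def verdict(self, event):
        """Return 'block' if any indicator in the event is already known bad, else 'allow'."""
        vector = event["vector"]
        if vector == "email":
            known_bad = (event["sender"] in self.bad_senders
                         or any(u in self.bad_urls for u in event.get("urls", [])))
        elif vector == "web":
            known_bad = event["url"] in self.bad_urls
        elif vector == "file":
            known_bad = event["sha256"] in self.bad_files
        else:
            known_bad = False
        return "block" if known_bad else "allow"


def correlate_sample():
    """Walk constructed events through the store and collect the verdicts."""
    store = ReputationStore()
    lure_url = "http://lure.example/login"          # constructed URL
    lure_hash = "deadbeef" * 8                       # constructed 64-hex SHA-256
    # 1. A spam email carrying the lure link is flagged by email reputation.
    store.flag_email("spammer@example.net", [lure_url])
    # 2. A user later browses to the same link directly: web reputation blocks it.
    v_web = store.verdict({"vector": "web", "url": lure_url})
    # 3. Analysis of the page finds a malicious file: file reputation is updated.
    store.flag_download(lure_url, lure_hash)
    # 4. The same file arrives as an attachment elsewhere: blocked by hash.
    v_file = store.verdict({"vector": "file", "sha256": lure_hash})
    # 5. An unrelated sender with a clean link is still allowed.
    v_ok = store.verdict({"vector": "email", "sender": "nurse@clinic.example",
                          "urls": ["https://ehr.clinic.example/"]})
    return [v_web, v_file, v_ok]   # returns ["block", "block", "allow"]
```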

With the emergence of new encryption requirements it is crucial that any security solution meets the standards that have been adopted. Since these are based on federal guidance, Trend Micro's acquisition of Mobile Armor provides a robust and superior data encryption solution. The solution will exceed the NIST specifications that have been referenced in healthcare regulations and generally enable proper risk management in accordance with HIPAA.

Although not covered in this review, Trend Micro's new product SecureCloud offers a data encryption and key management solution for organizations currently using or evaluating the use of the cloud. While there are a number of benefits to using a cloud in lowering operating costs, a barrier to entry for many organizations, particularly in healthcare, is the security of data stored in the cloud. In many instances a cloud provider will offer to encrypt data as an additional service, but there is still risk because they also manage the keys. SecureCloud leverages the integrity of Trend Micro as a provider of security and data protection solutions and also separates each organization's duties to better manage risk. The cloud provider hosts the encrypted data and Trend Micro manages the encryption and key management on behalf of the healthcare organization.

Solutions Enabling Compliance

The solutions listed below are designed for a specific type of organization: small, medium, or large enterprise. The features and functions of each solution are tailored with the organization's needs in mind, where small organizational solutions are designed for simplicity, ease of use and limited resources, and enterprise grade solutions are designed for centralized, robust management and best-in-class security. It is critical to understand this distinction both from a usability perspective and from a risk perspective. Each solution enables organizations to address compliance and their overall risks based on their environment: the threats and impacts for a large organization are not comparable to those of a small organization, and so the technologies and controls implemented should be adjusted accordingly.

What follows is an introduction and overview of five of Trend Micro's security solutions:

1. InterScan Messaging Security
2. Worry-Free Business Security
3. OfficeScan
4. Endpoint Encryption
5. Deep Security
6. Threat Management System

For each solution, an overview of the security features is discussed, a description and diagram of how the solution integrates into healthcare is detailed, and a compliance scorecard is provided. This enables organizations to understand what each product does, how it fits into the environment and how it aligns organizations with regulatory compliance requirements in healthcare.

Authors

Cliff Baker, Managing Partner, Meditology Services

Chris Hourihan, Director, Meditology Services

For the past 16 years, Cliff has worked with leading healthcare companies across all sectors of the industry and served as an executive advisor for key industry affiliations and companies. He is a sought-after contributor to various health IT and information security forums including the sixteenth national HIPAA Summit among others. For the past two years, Cliff has served as the Chief Strategy Officer at the HITRUST Alliance, an industry consortium which established the most widely adopted information security and compliance framework for the healthcare industry. Prior to joining HITRUST, Cliff led the southeastern healthcare advisory practice for PricewaterhouseCoopers.

The views expressed in this article are the authors’ alone, and do not reflect the views of any organizations with which they work. This is a publication of Meditology Services for Trend Micro providing general information about information security, privacy and compliance in healthcare. The content of this publication should not be construed as providing legal advice, legal opinions or consultative direction.

Chris is a seasoned professional in the healthcare industry who has consistently delivered quality results on time in the projects he leads. These include information security and compliance risk assessments, security and privacy training, and third party security management program development. His experience has focused almost exclusively on the healthcare industry and he has collaborated with a wide variety of organizations from the provider, payer, vendor, exchange, and clearinghouse sectors. His focus has traditionally been on simplifying compliance and evaluating security risks, addressing standards and regulations including ISO 27001/2, HIPAA, HITECH, CMS, PCI, FTC, State requirements, and Meaningful Use. In addition to tactical deployment and project management, Chris has held strategic roles in defining services and solutions to drive long range business success. His commitment to this industry and his own growth in knowledge and experience is demonstrated through his presentations and whitepapers on issues around information security breaches, medical device security, and streamlined risk assessments for meaningful use.
