The need to protect digitized health information is a top priority in the healthcare industry. HIPAA and the HITECH Act put pressure on your organization to maintain the privacy and security of patient data, with the potential legal liability for non-compliance. So how does your healthcare organization meet or exceed industry best practices in guarding healthcare information?
Join this webcast as Eric Ogren, President of The Ogren Group, and Chris Merritt, Solution Marketing Director at Lumension come together to take you through:
• What PHI breaches are currently documented by the US Department of Health and Human Services (HHS) and why these breaches are occurring
• How a healthcare organization can mitigate costs with encryption technologies
• What to look for in device control and full disk encryption solutions
2. Today’s Agenda
Current IT Security Challenges in Healthcare
Answering IT Security Challenges in Healthcare
Top 5 Recommendations: What You Can Do Now
3. Today’s Experts
Eric Ogren, Founder & Principal Analyst, The Ogren Group
Chris Merritt, Director of Solution Marketing, Lumension
6. Data Breaches Still Occurring
HHS Breach Database (chart: No. of Reported Breaches)
• 435 incidents involving ~20M records
• Median impact = 2,184 records
• No breaches in Hawaii, Maine, Rhode Island, and Vermont
• Biggest impact on per capita basis: South Dakota and Virginia
In 2012, 27% of all respondents indicated their organization had a security breach in the past 12 months (up from 19% in 2010 and 13% in 2008); of those who reported a breach, 69 percent experienced more than one.
7. Data Breaches Still Occurring
Encryption Impact
• 70% of incidents and 86% of records
• $1.48B in “hard costs”
8. Stepped Up Enforcement
Audit Program On-going
• Published protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
• 20 audits complete; 95 remaining audits will occur in 2012
• Audits will continue in 2013
• Results to date: http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-2_lsanches_ocr-audit.pdf
Audit Issues by Area
• Conduct Risk Analysis (17)
• Grant Modify User Access (17)
• Incident Response (11)
• Contingency Planning (34)
• Media Reuse and Destruction (18)
• Encryption (10)
• User Activity Monitoring (46)
• Authentication / Integrity (19)
• Physical Access (9)
Observations
• Policies and Procedures
• Priority HIPAA Compliance Programs
• Conduct of Risk Assessment
• Managing third party risks
Next Steps based on the reviews
• Conduct a robust review & assessment
• Determine LoBs affected by HIPAA
• Map PHI flow within your organization, as well as flows to/from third parties
• Find all of your PHI
• See guidance available on OCR web site
9. Stepped Up Enforcement
Source: Linda Sanches (OCR), 2012 HIPAA Privacy and Security Audits (June 2012)
11. Meaningful Use
Stage 1
• Effective Feb-2012
• 10 steps to meaningful use by Eligible Practices
• Core Objective & Measure 15: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities
• Guidance available at http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
Stage 2
• Effective Jan-2014
• Encryption and auditable events are two key components of Stage 2 certification with regard to the security requirements.
Stage 3
• Final recommendations published by May-2013
13. Technology: Moving Faster Than HIPAA
An Aug 6, 2012 Google search on “HIPAA compliance virtualization” showed no hhs.gov sources on the first two pages.
(Diagram: virtual datacenter zones labelled DMZ, Web, PCI, HIPAA and Management)
14. Defense in Depth: Blend Different Approaches
(Diagram: blended defensive layers: Vulnerability Management, Data Protection, Reputation/Behavior, Audit, Configuration/Device Control, Attack Scanning)
16. People: Team Approaches Win
• Involve business early and continually in process
– look for “addressable” approaches where standards are evolving
(e.g. BYOD, cloud)
– document progress; review results and decisions
– train IT staff and users on HIPAA disclosure rules
• Audit everything – ingress and egress
– you never know what you are going to need
• Keep up ongoing communication
– Learn, learn, learn – you’ll be doing this again!
18. Lumension® Endpoint Management and Security Suite
Total Endpoint Protection
Endpoint Reporting Services
Endpoint Operations: Lumension® Patch and Remediation, Lumension® Content Wizard, Lumension® Configuration Mgmt., Lumension® Power Management
Endpoint Security: Lumension® AntiVirus, Lumension® Application Control, Lumension® Device Control, Lumension® Disk Encryption
Lumension® Endpoint Management Platform: Single Server | Single Console | Scalable Architecture | Single, Modular Agent
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
19. Lumension® Patch and Remediation
Comprehensive and Secure Patch Management
» Provides rapid, accurate and secure patch and configuration management for applications and operating systems:
• Comprehensive support for multiple OS types (Windows, *nix, Apple), native applications, and 3rd party applications
• Streamline and centralize management of heterogeneous environments
• Visibility and control of all online or offline endpoints
• Elevate security posture and proactively reduce risk
• Save time and cost through automation
20. Lumension® Security Configuration Mgmt.
Prevent Configuration Drift and Ensure Policy Compliance
» Ensure that endpoint operating systems and applications are securely configured and in compliance with industry best practices and regulatory standards:
• Security Configuration Management
• Out-of-the-box Checklist Templates
• NIST Validated Solution
• Continuous Policy Assessment and Enforcement
• Based on Open Standards for Easy Customization
• Security Configuration and Posture Reporting
21. Lumension® Device Control
Policy-Based Data Protection and Encryption
» Protect Data from Loss or Theft: Centrally enforce usage policies of all endpoint ports and for all removable devices / media.
» Increase Data Security: Define forced encryption policy for data flows onto removable devices / media. Flexible exception management.
» Improve Compliance: Centrally encrypt removable devices / media to ensure data cannot be accessed if they are lost or stolen.
» Continuous Audit Readiness: Monitor all device usage and data transfers. Track all transferred files and content. Report on all data policy compliance and violations.
22. Lumension® Disk Encryption (powered by Sophos)
Transparent Full Disk Encryption for PCs
» Secures all data on endpoint hard drives
» Provides single sign-on to Windows
» Enforces secure, user-friendly pre-boot authentication (multi-factor, multi-user options)
» Quickly recovers forgotten passwords and data (local self-help, challenge / response, etc.)
» Automated deployment, management and auditing via L.E.M.S.S. (integrated version)
23. Defense-in-Depth with Lumension
(Diagram: defense-in-depth layers: Physical Access; Network Access / Firewall Management; Anti-Malware; Patch and Configuration Management; Port / Device Control and Encryption; Full Disk Encryption)
24. Risk Management
(Diagram: three problem areas, Disparate Data Collection, Functional Silos and Non Standardized Processes; labels include HIPAA, SOX, PCI, Password Policy (Character Length, Special Characters), Excel, Database, Manual Surveys, Business Processes, IT Resources, Compliance, Risk)
25. More Information
Free Scanner: Discover All Removable Devices Connected to Your Endpoints
http://www.lumension.com/resources/security-tools/device-scanner.aspx
Healthy Solution for Protecting Patient Data: Guarding Healthcare Information with Device Control and Data Encryption
http://www.lumension.com/Resources/WhitePapers/Healthy-Solutions-for-Protecting-Patient-Data.aspx
Free Evaluation: Lumension® Data Protection
http://www.lumension.com/data-protection/data-protection-software/free-trial.aspx
IT Pros’ Guide to Data Protection: Top 5 Tips for Securing Data in the Modern Age
http://www.lumension.com/Resources/Whitepapers/Busy-IT-Professionals-Guide-to-Data-Protection.aspx
26. Global Headquarters
8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828
info@lumension.com
http://blog.lumension.com