go to www.compliancy-group.com/webinar to join our webinars
or go to http://compliancy-group.com/past-webinars/ to download these and other past webinar slides!
2. Agenda
Non-Compliance - Potential Consequences
How to Know Exactly Where your Sensitive Data is and
Identify Where the Real Risks Are
Protecting Data from External Threats
Securing Data from Improper Internal Access
Protecting PHI When Business Associates Are Involved
The Impact of Bring Your Own Device ("BYOD")
3. Compliance is important but expensive... Until Now
The Guard Compliance Tracking Solution
EASY Self Audit Questionnaires
Gap Identification Reporting
Remediation Management
Policy and Procedure Templates
Unlimited Number of Patients, Employees and Associates
Document and Version Control Management
Highly Secure
No IT integration - Web Based Solution
Become Compliant in 60 Days!
Attest for HITECH, and Satisfy Meaningful Use Core Measure 15
To find out more or start a FREE 30 Day evaluation
Visit www.compliancy-group.com
(855) 85 HIPAA or (855) 854-4722
5. Non-Compliance - Potential Consequences
Overview of Breach Reports
Data breaches increased by 32% in 2011
380 large breaches between September 2009 and October 2011
Over 30,000 small breaches in the same period
Over 18 million affected records
Breaches by Industry (chart: threats by industry, 2011)
Source: Ponemon Institute 2011 & Symantec Annual Threat Report 2011
6. Non-Compliance - Potential Consequences
Large Breaches
Cause of Breach (Large Breach Count), Sept. 2009 to Dec. 2011:
Theft: 196 (52%)
Unauthorized Access/Disclosure: 75 (20%)
Loss: 55 (14%)
Hacking/IT Incident: 26 (7%)
Improper Disposal: 20 (5%)
Unknown: 6 (2%)
Other: 1 (0%)
Cause of Breach (Affected Individuals), Sept. 2009 to Dec. 2011:
Loss: 7,291,355 (40%)
Theft: 6,755,205 (37%)
Unknown: 1,911,160 (11%)
Unauthorized Access/Disclosure: 857,939 (5%)
Hacking/IT Incident: 750,195 (4%)
Other: 344,579 (2%)
Improper Disposal: 149,398 (1%)
Theft, Unauthorized Access / Disclosure and Loss make up 86% of the sources of Large Breaches.
77% of affected individuals experience some type of loss or theft.
7. Non-Compliance - Potential Consequences
Compliance is increasingly an issue
The number of HIPAA Privacy Rule compliance and enforcement complaints has continually increased over the years (1).
Privacy and Security Officer Concerns:
What PHI is contained within the enterprise?
What PHI is provided to other organizations?
(1) Source: The Department of Health and Human Services: Office of Civil Rights (OCR) website
8. Non-Compliance - Potential Consequences
Is HIPAA Compliance Enough?
In addition to HIPAA, there are also a multitude of other laws enacted to govern data privacy, including state laws such as Massachusetts 201 CMR 17.
Core Objectives for Stage 1 of Meaningful Use include utilization of Electronic Health Records.
Although not a government regulation, the Payment Card Industry (PCI) Data Security Standard is a specific industry security standard that applies to the use and storage of credit/debit card information.
For Multi-Nationals, there are additional concerns such as the proposed European Union Data Privacy Regulation.
9. Non-Compliance - Potential Consequences
Breaches Happen
In the event of a breach, costs to your organization will quickly start to mount up and can include one or more of the following:
Full Cost of a Breach:
Notifying patients,
Investigating and controlling the breach,
Potential litigation and fines,
Intangible costs associated with:
Damage to your brand,
Loss of customers,
Decline in value, and
Reputation Management
10. Non-Compliance - Potential Consequences
Compliance Requires Planning
Achieving compliance with HIPAA and other regulations requires a coordinated effort.
The first step is to establish an overall outline of risks and controls. This is commonly known as Enterprise Governance, Risk and Compliance (eGRC).
Develop a Risk Framework to measure the maturity of risk Control Items.
Some examples of Control Item categories include:
Sensitive Data Inventory
Vulnerability assessment
Entitlements Management
Data Loss Detection / Prevention
Data Governance
11. How to Know Exactly Where Your Sensitive Data Is & Identify Where the Real Risks Are
12. How to know exactly where your sensitive data is and identify where the real risks are
Identifying Location of Sensitive Data
Which Data Requires Protection?
PHI Data:
Healthcare and Pharmaceutical - required to secure PHI per HIPAA:
Names
Geographic subdivisions smaller than a State
All elements of dates (except year) for dates directly related to an individual
Telephone / Fax numbers
Electronic mail addresses
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/License numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Universal Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers, including finger and voice prints
Full face photographic images and any comparable images; and
Any other unique identifying information.
Companies with customers in MA - per MGL93H
All organizations must follow their state privacy laws, similar to Senate Bill No 1386, State of California
Employee Data:
Healthcare and Pharmaceutical - required to secure PHI per HIPAA
All organizations must follow their state privacy laws, similar to Senate Bill No 1386, State of California
Employee or Corporate ID
Salary, Benefits
HR status (termination, personnel issues)
Family data
Manager information
Cost Center data
Company Data:
Companies required to follow Gramm-Leach-Bliley Financial Services Modernization Act (1999)
Companies required to follow Sarbanes-Oxley Act (2002)
Multi-nationals - face requirements including:
CANADA: Jan 2005 Personal Information Protection and Electronic Documents Act
JAPAN: Apr 2005 Personal Information Protection Law
FRANCE: Oct 2005 Computing and Liberties Act
Vendor Data
Security Identifiers: CUSIP, ISIN, SEDOL
Other Identifiers: NAV, type of Security, Name, Number, Symbol
Activity: Account balances, transactions, trade date
Financials: Price, quantity, legal fees, vendor payments
Assets/holdings
Comment fields
Trade dates
13. How to know exactly where your sensitive data is and identify where the real risks are
Lesson 1: Major Threat Areas
You should be less concerned with: External Threats
And more concerned with: Internal Threats
To be compliant with HIPAA, covered entities must implement technical policies and procedures to allow access only to those persons and business associates that absolutely require access (164.312(a)(1)).
Vulnerabilities can exist in many areas of our Environment (diagram components: External users, Firewall, Load balancer, Web server, App server, ERP, Databases, File server, Backups, Privileged users, Internal users; threat points numbered 1 to 6).
Type of threat:
1. External users / Hackers
2. Internal users
3. Files/web servers
4. Administrators/DBAs/developers
5. Database vulnerability
6. Data backup
Insider threats are a concern: Forrester estimates that 75% of threats come from insiders and that 60% of internal breaches are undetected.
15. Protecting data from threats
Lesson 1: Threat Deterrence
You should be less concerned with External Threats, and more concerned with Internal Threats.
External Threats: Physical Security, Encryption, Cyber Attack Prevention, Reducing Instances of PHI
Internal Threats: Physical Security, Encryption, Entitlements Management, Restricting Access to PHI
16. Lesson 1: Protecting data from threats
Physical Security
External Threats:
Ensuring access to facilities is carefully managed.
The process for destruction of documents should be clear and workable within the working environment of the staff.
Asset controls which include documentation of asset retirement or destruction should be implemented.
Internal Threats:
Ensuring access to areas where PHI is handled by only those who must have access to that data.
Clean Desk policies need to be implemented.
Clearly marked locked bins to house documents to be shredded are important.
17. Lesson 1: Protecting data from threats
Encryption
Any devices housing sensitive data should use encryption.
If the device falls into the wrong hands or is hacked, this will provide security from less sophisticated threats and buy time against more sophisticated ones.
Prevents unauthorized access by Internal Staff and Business Associates.
Data at Rest: Structured and Unstructured Data
Data in Motion: E-mails and File Transfers
Performance Impacts: From 3% and up to 30%
Key Management
Administration and Operations Overhead: For thousands of servers
Legacy Systems
Auditing and Reporting
18. Lesson 1: Protecting data from threats
DLP
Data Loss Prevention (DLP) tools oversee the movement of data.
Discover and monitor the location and flow of sensitive data.
Enforce controls to prevent loss of sensitive data through email, the internet and devices that are used.
A central reporting engine for policy creation and management.
Out of the box support for HIPAA and other regulations.
19. Lesson 1: Protecting data from external threats
Cyber Attack Prevention
Defending against Advanced Persistent Threats
Anomaly detection and prevention
Detect Intruders in real time
Detailed model of network topology, access paths, and threats.
What-if analysis predicts risk behavior and business impact
Achieve compliance with cyber security regulations such as NIST, NERC CIP, FISMA
Cyber Security Audits
Cyber attack simulation, Defenses against malware and Penetration tests
Threat and vulnerability analysis,
System security integration, Definition of security measures and counter-measures,
Inventories of authorized and unauthorized hardware and software,
Secure configurations for hardware, software, wireless and network security devices,
Controlled access and administrative privileges.
Verifying the Security of your Business Associates
20. Lesson 1: Protecting data from internal threats
Entitlements Management
Understanding who has access to what.
Ensuring that meaningful entitlements reviews are conducted periodically.
Ensuring that processes for managing entitlements are appropriate.
Significant privacy risk exposure exists with entitlements that do not conform to security policies, regulations, and/or best practices within and across the environment.
Enterprise Entitlement Solutions typically include separate mainframe, application specific and LDAP based solutions.
Reviewing for Toxic Combinations.
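A cross-system entitlements review for toxic combinations, added here as an example and not taken from the deck or any vendor tool; the users, entitlements, source systems and toxic pairs are constructed sample data. It shows why the review has to merge the separate mainframe, application and LDAP views first: one of the violations is invisible in any single source.

```python
"""Entitlements review for toxic combinations across separate entitlement sources.

Added example, not from the webinar deck. Users, entitlements, systems and
the toxic pairs below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample: entitlements as each system reports them on its own
# (mainframe, application-specific, LDAP), as the slide describes.
MAINFRAME = {"alice": {"PHI_READ"}, "bob": {"PHI_READ", "PHI_EXPORT"}}
APP_ERP = {"alice": {"CLAIMS_ENTER"}, "bob": {"CLAIMS_APPROVE"},
           "carol": {"CLAIMS_ENTER", "CLAIMS_APPROVE"}}
LDAP = {"bob": {"DBA"}, "dave": {"DBA", "BACKUP_RESTORE"}}

# Toxic combinations: pairs one identity should never hold together
# (a segregation-of-duties policy, constructed for the example).
TOXIC_PAIRS = {
    frozenset({"CLAIMS_ENTER", "CLAIMS_APPROVE"}),  # enter and approve own claims
    frozenset({"PHI_EXPORT", "DBA"}),               # bulk PHI export plus DB admin
    frozenset({"DBA", "BACKUP_RESTORE"}),           # read production and restore it elsewhere
}


def merge_entitlements(*sources):
    """Build one cross-system view per identity; no single source gives this."""
    merged = defaultdict(set)
    for source in sources:
        for user, ents in source.items():
            merged[user] |= ents
    return dict(merged)


def find_toxic_combinations(entitlements, toxic_pairs):
    """Return {user: [sorted pair, ...]} for every user holding a toxic pair."""
    findings = {}
    for user, ents in entitlements.items():
        hits = [tuple(sorted(pair)) for pair in toxic_pairs if pair <= ents]
        if hits:
            findings[user] = sorted(hits)
    return findings


def review_report(*sources):
    """Periodic entitlements review: merge all sources, then check toxic pairs."""
    return find_toxic_combinations(merge_entitlements(*sources), TOXIC_PAIRS)


if __name__ == "__main__":
    for user, pairs in review_report(MAINFRAME, APP_ERP, LDAP).items():
        print(f"{user}: {pairs}")
```

Note that bob's PHI_EXPORT/DBA combination only appears once the mainframe and LDAP views are merged; reviewing each system on its own would miss it.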
21. Lesson 1: Protecting data from external threats
Reducing Instances of PHI
PHI may exist in more environments than you realize.
Copies may exist for testing purposes as well as sharing with third parties.
So you are really protecting an environment that looks like
22. Lesson 1: Protecting data from external threats
Reducing Instances of PHI
(Diagram: the same environment repeated for Live - Production, QA Testing and UAT Testing; each copy has external users, privileged users and internal users, a firewall, load balancer, web server, app server, ERP, databases, file server and backups, with threat points 1 to 6 marked.)
Copies of PHI may exist in multiple locations in your environment.
Each of these locations is a potential target from external sources and needs to be protected.
De-identification technology can be used in these environments.
23. Lesson 1: Protecting data from internal threats
Restricting Access to PHI
For exchange of data with business associates or other third parties, all data going to them should be de-identified where permissible.
For purposes of internal testing by our own employees and contracted business associates, de-identification is a must.
PHI that exists in review of System and Database Logs should be de-identified.
Aggregation and analytics should be good candidates for de-identified data.
Live production reports and user interfaces should be reviewed to determine where de-identified data can be substituted.
HIPAA 164.502(d)(2) provides for the uses and disclosures of de-identified information (aka Masked, Obfuscated, Redacted). Health information that meets the requirements for de-identification is considered not to be individually identifiable health information.
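A de-identification routine for the cases above, covering both structured records (the identifier list on slide 12) and free text from system and database logs; it is added here as an example and is not part of the deck or of any product it mentions. Field names, sample values and the regex patterns are constructed; the date, ZIP-prefix and over-89 age rules follow the Safe Harbor method in 45 CFR 164.514(b)(2).

```python
"""Safe Harbor style de-identification: record fields and free-text log lines.

Added example, not from the webinar deck. Field names, sample values and the
regex patterns are constructed; the rules follow 45 CFR 164.514(b)(2).
"""
import re
from datetime import date

DIRECT_IDENTIFIERS = {"name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
                      "account_number", "license_number", "vehicle_id", "device_serial",
                      "url", "ip_address", "biometric", "photo"}   # removed outright
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}      # keep the year only
SUB_STATE_GEO = {"street", "city", "county"}                   # smaller than a state
# 3-digit ZIP prefixes covering 20,000 people or fewer (HHS guidance, 2000 Census); verify before use.
LOW_POPULATION_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                       "823", "830", "831", "878", "879", "884", "890", "893"}

def deidentify_record(rec: dict, as_of: str) -> dict:
    """Return a de-identified copy of rec (as_of is an ISO date); rec is left untouched."""
    out = {}
    for key, value in rec.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEO:
            continue
        if key in DATE_FIELDS:
            out[key] = date.fromisoformat(value).year
        elif key == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in LOW_POPULATION_ZIP3 else zip3
        else:
            out[key] = value
    if "dob" in rec:                                     # ages over 89 are aggregated
        born, today = date.fromisoformat(rec["dob"]), date.fromisoformat(as_of)
        age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
        if age >= 90:
            out["age"] = "90+"
            out.pop("dob", None)                         # birth year would reveal the age
        else:
            out["age"] = age
    return out

# Free-text scrubbing for system and database logs (patterns are constructed).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")
MRN_RE = re.compile(r"\bMRN[:=]?\s*\d{6,10}\b")

def scrub_log_line(line: str) -> str:
    """Replace identifier patterns with placeholders before a log is shared or reviewed."""
    for pattern, tag in ((SSN_RE, "[SSN]"), (EMAIL_RE, "[EMAIL]"),
                         (PHONE_RE, "[PHONE]"), (MRN_RE, "MRN=[MRN]")):
        line = pattern.sub(tag, line)
    return line
```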
24. Lesson 1: Protecting data from external threats
Restricting Access to PHI
(Diagram: the same Live - Production, QA Testing and UAT Testing environments as on the previous slide.)
Exchanges of Data
Internal Testing
System and Database Logs
Aggregation and analytics
Reports and User Interfaces
De-identification technology can be used in these situations.
26. Protecting PHI when business associates are involved
Business Associates
The HIPAA Privacy Rule places responsibility for ensuring that Business Associates maintain privacy on the Covered Entity that they are associating with.
It requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.
The Office of Civil Rights ("OCR") is required to impose penalties if the covered entity or its business associate act with neglect, i.e., with "conscious, intentional failure or reckless indifference to the obligation to comply" with HIPAA requirements.
[45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)]
The Minnesota Attorney General brought an enforcement action due to an action by a business associate, Accretive Health, Inc., for an alleged violation under HIPAA using authority under the HITECH Act.
Actions to take:
Have Formal Written Agreements with Business Associates
Minimize PHI that is accessible to Business Associates
Perform Self-Testing which includes your Business Associates.
Source: The Department of Health and Human Services: Office of Civil Rights (OCR) website
28. Protecting PHI when business associates are involved
BYOD
Understand where sensitive data exists in our environment.
Develop plans to manage the sensitive data that is in our inventory.
Plan for getting to the appropriate level of maturity to safe-guard data.
And who we are doing it for:
Internal Employees
Business Partners / Associates
Clients / Third Parties
Clearly define the scope of what we are trying to do, including:
Protecting sensitive data that exists on a mobile device
Providing Secure channels of communication
Minimizing the amount of sensitive data being sent to mobile devices
And doing all this in a cost effective manner
The protection requires a multi-layered approach:
Any sensitive data that resides on the devices should be encrypted.
A DLP solution should be used to manage the communication with endpoints.
Implement the ability to remotely disable devices that are impacted.
Minimize the amount of sensitive data being sent to these devices.
30. Risk Based Solutions
Axis has created a set of eGRC related solutions that leverage our overall consulting expertise as well as our DMsuite™ and product implementation capabilities.
(Diagram: Enterprise Governance, Risk and Compliance. Strategic Business Processes / Goals drive the Enterprise Architecture (Reference Models, Business Architecture, Application Architecture), which drives the Information Security Architecture (Regulatory & Corporate Requirements, Environment Maturity Assessment). Beneath these sit Data Masking (De-Identification), Identity / Access Management, Data Management and Information Security; Entitlements Management, Data Governance and Sensitive Data Assessment; DMsuite™; and the Operational Environment.)
31. Data De-Identification - DMsuite™
DMsuite - A robust, proprietary tool that has been deployed at clients for over 8 years with:
Sensitive Data Discovery - HIPAA Ready Out of the Box,
Data De-Identification and
Auditing functionality.
32. Questions or Further Discussions
Contact: Joe Santangelo
Email: jsantangelo@axistechnologyllc.com
Phone: (646) 596-2670
Twitter: @DataPrivacyDude