Jim SmithIT security expertNetwrix Corporation

5 Steps to Protect PHI and Pass HIPAA Audits

with Less Effort

Jeff MelnickSystems EngineerNetwrix Corporation

David GinsbergPresidentPrivaPlan Associates, Inc

Agenda

Why you need to worry?

Notorious data breaches

HIPAA compliance: panacea or pain point?

Key vulnerabilities

5 steps to protect PHI

Case study: Henry County Hospital

Questions and answers

Prize drawing

*The presentation shouldn’t be considered as a legal advice

Why you need to worry?

Breaches happen against all the odds: 70 healthcare breaches this year

PHI and PII command a high value on the shadow markets

Organizations invest too much in wrong solutions

Too much data: no understanding of what’s going on

Notorious Healthcare Data Breaches

2017

Commonwealth Health Corporation — 697,800 individuals affected

2016

Banner Health — 3,620, 000 individuals affected

Newkirk Products, Inc. — 3,466,120 individuals affected

2016 statistics:

376 16m 34% 44%

breaches records exposed

of all breaches of all records exposed

Perimeter is not helping

BYOD;

IoT;

Interconnectivity;

More data;

Cloud – scary move?!

Insecure devices;

Vulnerabilities in applications and systems;

More hackers!

Ransomware-as-a-service and other easy-to-use hacking tools;

Intrusion tactics are smarter;

State-sponsored attacks.

HIPAA Сompliance

You are obliged to implement controls

Identity management and access control: to ensure that data is only

accessible by personnel that have a business need.

System configuration control: tracking configuration changes and

administrative activities.

Monitoring of access to data: knowledge of who accessed what data and

when and review on a regular basis.

Data handling and encryption control: protection of data in storage and

during transfers.

But does it really help protect the data?

HIPAA Compliance: Panacea or Pain Point?

A very brief review:

HIPAA safeguards ”protected health information”

Creates rights for patients and health plan members

Requires notification in the event of a breach

Is similar to State by State identity theft laws

Patient privacy laws in California are stricter than HIPAA

HIPAA Compliance: Panacea or Pain Point?

HIPAA is enforced!

Enforcement is by the OCR and State Attorney Generals

Enforcement is real

Enforcement has evolved since 2003!

Discussion about the need of ”endpoint vulnerability”

Key Vulnerabilities

A strong correlation to long term Information Security principles -

conducting a Risk Analysis

Principles have been in effect for many years

HIPAA requires a security risk analysis AND risk management

(45 CFR 164.308)

Failure to conduct a risk analysis or conducting a deficient risk analysis

Information system activity review, access controls, and technical audits

Key Vulnerabilities

Common gaps identified during the risk analysis:

Weak auditing and control of user accounts in AD

Scope creep in application permission levels for critical applications like the eHR

Inconsistent and incomplete patch management

Lack of monitoring of transactions

Ransomware and phishing

Infiltration, reconnaissance and exfiltration

The need for awareness, monitoring, and training and vigilance

PrivaPlan Associates, Inc.

dginsberg@privapan.com

www.privaplan.com

877-218-7707

HIPAA compliance, Cybersecurity, risk analysis and vulnerability testing

5 steps to protect PHI

Conduct risk analysis

Consider threats from insiders and business partners

Enforce security policies and controls; make sure they work properly

Train your employees

Adopt best practices

Demonstration

Netwrix Auditor

Why Visibility?

Main reasons to implement a visibility and governance platform:

Case Study: Best Practices

Increase accountability of privileged users:

Review the reports on all changes across Active Directory

Enable alerts on the most critical changes

Record the activity of admins on Windows Server

Complete control over file access permissions

Detect excessive user permissions

Record the activity of admins on Windows Server

Carefully prepare for HIPAA audits

Automate data collection

Case Study: Best Practices

Key Benefits

Mitigated the risk of insider threats

Ensured PHI security

Streamlined HIPAA compliance

Saved at least $40,000 per year

About Netwrix Auditor

Netwrix Auditor

A visibility and governance platform that enables control over

changes, configurations, and access in hybrid cloud IT environments by

providing security analytics to detect anomalies in user behavior and

investigate threat pattern before a data breach occurs.

Netwrix Auditor Applications

Netwrix Auditor for Active Directory

Netwrix Auditor for Windows File Servers

Netwrix Auditor for Oracle Database

Netwrix Auditor for Azure AD

Netwrix Auditor for EMC

Netwrix Auditor for SQL Server

Netwrix Auditor for Exchange

Netwrix Auditor for NetApp

Netwrix Auditor for Windows Server

Netwrix Auditor for Office 365

Netwrix Auditor for SharePoint

Netwrix Auditor for VMware

About Netwrix Corporation

Year of foundation: 2006

Headquarters location: Irvine, California

Global customer base: over 8,000

Recognition: Among the fastest growing

software companies in the US with 105

industry awards from Redmond

Magazine, SC Magazine, WindowsIT Pro

and others

Customer support: global 24/5 support

with 97% customer satisfaction

Netwrix Customers

GA

Healthcare & Pharmaceutical

Awards

All awards: www.netwrix.com/awards

Free Trial: setup in your own test environment:

On-premises: netwrix.com/freetrial

Virtual: netwrix.com/go/appliance

Cloud: netwrix.com/go/cloud

Test Drive: virtual POC, try in a Netwrix-hosted test lab netwrix.com/testdrive

Live Demo: product tour with Netwrix expert netwrix.com/livedemo

Contact Sales to obtain more information netwrix.com/contactsales

Webinars: join our upcoming webinars and watch the recorded sessions

netwrix.com/webinars

netwrix.com/webinars#featured

Next Steps

Thank You!

Prize Drawing

Get Your $200 Ticketmaster Gift Card!