DESCRIPTION
In this one-hour webcast, IT professionals at two local hospitals talk about how they’ve used encryption solutions to help provide a “safe harbor” in the event of a security incident, and tools you can use to keep your organization HIPAA healthy.
TRANSCRIPT
1
Alan Phillips, Senior Corporate Engineer
Sophos
Securing your Healthcare Organization Begins with Encryption
Jeff Barding, Sr. Security Administrator, Pomona Valley Hospital and Medical Center
Josh Penso, Systems Administrator - Information Systems, Union Hospital
2
Alan Phillips, August 2014
Data Protection for Health care
3
Goals
Over the years a great deal of time has been spent worrying about anti-virus, firewalls and patch management. With good reason, these technologies have been high on priority lists.
Of late we have seen more and more emphasis on the impact caused by the loss of personal information.
This presentation will discuss the way that modern computing practices put data at risk, and the ramifications of that risk to an organization. An overview of the SafeGuard Enterprise encryption suite will provide options to mitigate that risk.
Joining us on the call are Josh Penso and Jeff Barding, who will share with us some of their experiences with SGN (SafeGuard Enterprise).
4
Where is the data?
6
Where does your data go?
• Laptops/Mobile computers
• Desktops
• Is your physical security enough to ensure that these are protected?
• USB storage
• Mobile devices
○ Phones
○ Tablets
• Network Servers…
• Backup tapes… follow the trail
7
Regulations & Rules
PCI-DSS
State Privacy & Disclosure laws
HIPAA/HITECH
FERPA
FISMA
GLBA
SOX
PIPEDA
8
HIPAA HITECH now applies to Business Associates (BAs) directly.
HITECH also increased the penalties for violations of HIPAA.
Not just big breaches: 57,000+ breaches affecting fewer than 500 individuals each have been reported.
HITECH also requires PHI breach notification, which was not part of the original HIPAA rules.
HITECH establishes punishment for willful neglect.
9
HIPAA HITECH
• Health Insurance Portability and Accountability Act (HIPAA): secure “protected health information” (PHI)
• Health Information Technology for Economic and Clinical Health Act (HITECH): includes funding for electronic health records, and enforces increased security & privacy protection requirements.
Definition of Breach
• A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
10
Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals
• Encrypt your data!!!
• Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
11
Payment Card Industry Data Security Standard: 12 key elements to protect sensitive data and over 250 controls
At a high level, PCI-DSS boils down to these 4 key things:
1) All merchants, regardless of whether credit card data is stored, must achieve and maintain compliance at all times – the deadlines have already passed.
2) Merchants cannot store certain credit card information, or track data from the magnetic strip, or PIN data.
3) If permitted credit card information such as name, credit card number and expiration date is stored, certain security standards are required.
4) “Carrot & the Stick” – safe harbor from fines IF a merchant was compliant at the time of a breach, versus fines as high as $500,000 per incident and the potential loss of the ability to take credit cards.
Source: PCI DSS Compliance Overview, Braintree Payment Solutions, www.getbraintreee.com
12
Examples of HIPAA settlements
• http://www.hhs.gov/news/press/2014pres/04/20140422b.html
• WellPoint Settles HIPAA Security Case for $1,700,000 – July 11, 2013
• Shasta Regional Medical Center Settles HIPAA Privacy Case for $275,000 – June 13, 2013
• Idaho State University Settles HIPAA Security Case for $400,000 – May 21, 2013
• HHS announces first HIPAA breach settlement involving less than 500 patients – December 31, 2012
• Massachusetts Provider Settles HIPAA Case for $1.5 Million – September 17, 2012
• Alaska DHSS Settles HIPAA Security Case for $1,700,000 – June 26, 2012
• HHS Settles Case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards – April 13, 2012
• HHS settles HIPAA case with BCBST for $1.5 million – March 13, 2012
13
Dermatology practice settles potential HIPAA violations
• $150,000
• Stolen unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals
• “As we say in health care, an ounce of prevention is worth a pound of cure,” said OCR Director Leon Rodriguez. “That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”
14
Sophos protects data
15
Security Made Simple – Reference Architecture
16
[Reference architecture diagram: SafeGuard Management Center (set policy, report compliance, store keys, recover lost passwords) managing SafeGuard Encryption for disk and files at headquarters and the remote office, Mobile Encryption and SafeGuard Encryption at home and on the move, and SafeGuard Portable. Tagline: “Encryption without compromise”.]
17
Safeguard Enterprise 6.1
18
Introducing Sophos SafeGuard Enterprise 6.1
19
“The traditional view of where data lives”
“Data is moving elsewhere!”
Protecting the Data: to cloud storage, on corporate mobiles, on employee devices
20
Management Center
21
Management Center
• Central management of data security policies and protection
• Manage Windows, Mac, Opal and BitLocker
• Predefined and custom security officer roles
• Best-in-class key management
• Audit the encryption status of the environment and control who has access to what!
22
Device Encryption
23
Device Encryption
• Encrypts laptops, desktops and self-encrypting drives
• Secures all data on PCs and Macs
• Fast initial and on-going encryption
• Secure service accounts for administrators
• Single sign-on
• Central administration and automated deployment
• Easy password recovery options
• Includes Native Device Encryption
“HHS settles HIPAA case with BCBST for $1.5 million”. Here we have a case of 57 unencrypted hard drives being lost: not computers, just the drives.
24
Pre-boot Authentication
25
SafeGuard Client For MacOS
• Broader data protection and compliance
○ Full disk encryption (AES 256-bit) for Macs
○ Compliance audit logs
• End-user productivity
○ Transparent, fast encryption
○ Graphical power-on authentication
○ Easy recovery options – passwords and data
• Improved IT efficiency
○ Flexible administration options – UI / scripting
○ Standalone deployment – no need for central management
• Protect investment, manage costs (TCO)
○ Future integration with Sophos central management
26
Power On Authentication
27
Native Device Encryption
28
Native Device Encryption
• Formerly known as Partner Connect.
• Manage external native OS-based encryption
• Centrally manages data security across mixed Windows OS computers
○ Enforces consistent policies
○ Provides recovery mechanisms for PCs running BitLocker and Macs running OS X 10.8/10.9 FileVault 2
○ Data recovery and central key backup
○ Centralized log reports
29
Management of the MS BitLocker engine: built-in disk encryption, Sophos PIN recovery, Sophos management
30
Management of Mac FileVault 2: built-in disk encryption, Sophos client and recovery, Sophos management
31
Removable Media
32
Data Exchange
• Encrypts removable devices without impacting users
• Share data inside/outside organization
○ Restricts data sharing to specific teams
○ Portable application for use anywhere
• Mix encrypted and non-encrypted data
• File tracking
• White/blacklisting of devices
• Alaska DHSS settles HIPAA security case for $1,700,000
• “The report indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHHS employee.”
33
Sharing data securely on removable media, storing on optical
Use cases:
• Protection against lost USB stick
• Controlled access to shared removable drive
• Simple decommissioning
[Diagram: managed PC encrypts by policy; other PC gets password access.]
* SG Portable for sharing with 3rd parties not available for Macs
34
File Share encryption
35
Control your sensitive data
Where is your data vulnerable?
• IT has access to all corporate data
• Files on PCs, laptops, removable media: local (offline) copies of server data; temporary files
• Files on servers: salary and other personal data, staff evaluations, financial data, analyses, correspondence, customer data, business plans, research and project data, etc.
• Backups are stored unencrypted
• Devices and data can be lost
• Network traffic can be sniffed
• No PCI compliance
• IT can access local data, too
36
The solution: File Share
Use file and folder encryption to protect important company data
[Diagram: SafeGuard Management; data at rest and LAN traffic encrypted.]
37
File servers outside of your network: infrastructure as a service?
38
Cloud & Mobile Encryption
39
Secure collaboration in the cloud: the GIANT USB stick in the sky
Use cases:
• Secure data uploaded to the cloud
• Access and share data from any place and device
• Prevent unauthorized cloud storage providers from accessing sensitive data
[Diagram: managed PC encrypts by policy; mobile device gets password access.]
40
Secure storage in the cloud: encryption for cloud storage
• Managed with SafeGuard Enterprise
• File reader with password-protected access
41
Mac File Encryption
42
File Encryption on Macs
43
Jeff Barding, Sr. Security Administrator, Pomona Valley Hospital and Medical Center
Beyond the Basics: Protecting Your Data
44
PVHMC: Who We Are
Serving as Pomona’s first hospital in 1903, Pomona Valley Hospital Medical Center (PVHMC) is a 453-bed acute care facility serving eastern Los Angeles and western San Bernardino counties. Focused on community and utilizing cutting-edge technology, PVHMC is nationally recognized for the Hospital’s Centers of Excellence in oncology, cardiac and vascular care, women’s and children’s services, and kidney stones.
45
Outcomes of Partnering with Sophos
• Benefits realized:
○ Compliance with state and industry regulations
○ Robust product performance
○ Ability to scale with organization needs and standards
• Recommendations:
○ Examine your needs and requirements
○ Encrypt at the right levels accordingly
○ Remain proactive with your DLP habits
46
“For healthcare, I believe there is a definite need for encryption in general. For our organization, we know that Sophos and Safeguard Enterprise allow us to go beyond the basics so we can encrypt based on our needs, such as full disk or removable media, without ever compromising the work we do with our patients and the community.”
Jeff Barding, Sr. Security Administrator
47
Josh Penso, Systems Administrator - Information Systems, Union Hospital
Protecting Devices and Important Patient Data
48
Union Hospital: Who We Are
Originally opened in 1906, Union Hospital in Dover, Ohio is committed to providing quality healthcare and to supporting the local, surrounding communities. In addition to being one of the safest hospitals in the country, Union Hospital is dedicated to the security of its 1,000 employees and the confidential information of its patients.
49
Outcomes of Partnering with Sophos
• Benefits realized:
○ Ease of deployment and management
○ Thorough security consultation and support
○ Decrease in organization and operational risk
• Recommendations:
○ Internal discussions and buy-in
○ Clear procedures and documentation
○ Staff education and training
50
“Deploying, running, and managing device encryption is extremely easy and incredibly straightforward for us. We’ve seen a significant decrease in the number of issues on devices, but also our staff is not negatively impacted by the encryption and we feel better knowing that our data is well protected.”
Josh Penso, System Administrator – Information Systems
51
Final thoughts
52
“The traditional view of where data lives”
“Data is moving elsewhere!”
Protecting the Data: to cloud storage, on corporate mobiles, on employee devices
53
SGN and the cost of Breaches
Breach                                                          Records   Fine         Product
USB stolen from car (assume 10,000 clients)                     Unknown   $1,700,000   SGN DX
Stolen laptop (assume 5,000 clients)                            3,600     $1,500,000   SGN DE\NDE
473 unencrypted back-up computer tapes (assume 1,500 clients)   800,000   $750,000     SGN FS
54
Consider
• Who needs access to the data?
• Where might that data go?
• Your compliance obligations
• Remember: if it’s encrypted, it is safe
55
Protecting data across your environment
• Corporate data on personal devices
• Lost removable media
• Lost laptops
• Corporate data in cloud storage
• Sensitive internal data, corporate data in Amazon servers
• Stolen data from desktops
Users don’t notice that it’s there; minimal work for IT.
56
Questions?
57
Next Steps
Sophos SafeGuard Encryption: free 30-day trial
http://www.sophos.com/encryption