How to Guard Healthcare Information with Device Control and Data Encryption

Upload: lumension

Post on 20-Aug-2015


TRANSCRIPT

Page 1: How to Guard Healthcare Information with Device Control and Data Encryption

How to Guard Healthcare Information with Device Control and Data Encryption

Page 2

Today’s Agenda

Current IT Security Challenges in Healthcare

Answering IT Security Challenges in Healthcare

Top 5 Recommendations: What You Can Do Now

Page 3

Today’s Experts

Eric Ogren, Founder & Principal Analyst, The Ogren Group

Chris Merritt, Director of Solution Marketing, Lumension

Page 4

Current IT Security Challenges in Healthcare

Page 5

Data Breaches Still Occurring

Page 6

No. of Reported Breaches (HHS Breach Database)
• 435 incidents involving ~20M records
• Median impact = 2,184 records
• No breaches in Hawaii, Maine, Rhode Island, and Vermont
• Biggest impact on per capita basis: South Dakota and Virginia

In 2012, 27% of all respondents indicated their organization had a security breach in the past 12 months (up from 19% in 2010 and 13% in 2008); of those who reported a breach, 69 percent experienced more than one.

Data Breaches Still Occurring

Page 7

Encryption Impact
• 70% of incidents and 86% of records
• $1.48B in “hard costs”

Data Breaches Still Occurring

Page 8

Stepped Up Enforcement

Audit Program On-going
• Published protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
• 20 audits complete; 95 remaining audits will occur in 2012
• Audits will continue in 2013
• Results to date: http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-2_lsanches_ocr-audit.pdf

Audit Issues by Area
• Conduct Risk Analysis (17)
• Grant / Modify User Access (17)
• Incident Response (11)
• Contingency Planning (34)
• Media Reuse and Destruction (18)
• Encryption (10)
• User Activity Monitoring (46)
• Authentication / Integrity (19)
• Physical Access (9)

Observations
• Policies and Procedures
• Priority HIPAA Compliance Programs
• Conduct of Risk Assessment
• Managing third party risks

Next Steps based on the reviews
• Conduct a robust review & assessment
• Determine LoBs affected by HIPAA
• Map PHI flow within your organization, as well as flows to/from third parties
• Find all of your PHI
• See guidance available on OCR web site

Page 9

Stepped Up Enforcement

Source: Linda Sanches (OCR), 2012 HIPAA Privacy and Security Audits (June 2012)

Page 10

Stepped Up Enforcement

Page 11

Meaningful Use

Stage 1
• Effective Feb-2012
• 10 steps to meaningful use by Eligible Practices
• Core Objective & Measure 15: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities
• Guidance available at http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf

Stage 2
• Effective Jan-2014
• Encryption and Auditable events are two key components of Stage 2 certification with regards to the security requirements.

Stage 3
• Final recommendations published by May-2013

Page 12

Answering IT Security Challenges in Healthcare

Page 13

Technology: Moving Faster Than HIPAA

An Aug 6, 2012 Google search on “HIPAA compliance virtualization” showed no hhs.gov sources on the first two pages.

(Diagram: two Virtual Datacenters with DMZ, PCI, Web, HIPAA and Management zones)

Page 14

Defense in Depth: Blend Different Approaches

(Diagram: defense-in-depth layers)
• Audit
• Vulnerability Management
• Reputation / Behavior
• Attack Scanning
• Configuration / Device Control
• Data Protection

Page 15

Process: Security for Security Sake Often Fails

Page 16

People: Team Approaches Win

• Involve business early and continually in process
  – look for “addressable” approaches where standards are evolving (e.g. BYOD, cloud)
  – document progress; review results and decisions
  – train IT staff and users on HIPAA disclosure rules

• Audit everything – ingress and egress
  – you never know what you are going to need

• Keep up on-going communications
  – Learn, learn, learn – you’ll be doing this again!

Page 17

Top 5 Recommendations: What You Can Do Now

Page 18

Lumension® Endpoint Management and Security Suite

Total Endpoint Protection

Endpoint Security
• Lumension® AntiVirus
• Lumension® Application Control
• Lumension® Device Control
• Lumension® Disk Encryption

Endpoint Operations
• Lumension® Patch and Remediation
• Lumension® Content Wizard
• Lumension® Configuration Mgmt.
• Lumension® Power Management

Lumension® Endpoint Management Platform: Single Server | Single Console | Scalable Architecture | Single, Modular Agent

Endpoint Reporting Services

Page 19

Lumension® Patch and Remediation

(Sidebar: Endpoint Operations: Lumension® Patch and Remediation, Content Wizard, Configuration Mgmt., Power Management)

Comprehensive and Secure Patch Management

» Provides rapid, accurate and secure patch and configuration management for applications and operating systems:
• Comprehensive support for multiple OS types (Windows, *nix, Apple), native applications, and 3rd party applications
• Streamline and centralize management of heterogeneous environments
• Visibility and control of all online or offline endpoints
• Elevate security posture and proactively reduce risk
• Save time and cost through automation

Page 20

Lumension® Security Configuration Mgmt.


Prevent Configuration Drift and Ensure Policy Compliance

» Ensure that endpoint operating systems and applications are securely configured and in compliance with industry best practices and regulatory standards:
• Security Configuration Management
• Out-of-the-box Checklist Templates
• NIST Validated Solution
• Continuous Policy Assessment and Enforcement
• Based on Open Standards for Easy Customization
• Security Configuration and Posture Reporting

Page 21

Lumension® Device Control

Policy-Based Data Protection and Encryption

» Protect Data from Loss or Theft: Centrally enforce usage policies of all endpoint ports and for all removable devices / media.

» Increase Data Security: Define forced encryption policy for data flows onto removable devices / media. Flexible exception management.

» Improve Compliance: Centrally encrypt removable devices / media to ensure data cannot be accessed if they are lost or stolen.

» Continuous Audit Readiness: Monitor all device usage and data transfers. Track all transferred files and content. Report on all data policy compliance and violations.
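The four bullets above describe one decision flow: a central port/removable-media policy, forced encryption for data written to removable media, named exceptions, and an audit line for every device event. The following is an added example of that flow, written for this page and not Lumension's product code; the policy model, device classes, user names, serials and exception id are all constructed.

```python
from dataclasses import dataclass
import json

# Constructed policy model (not Lumension's product configuration): a default
# action per device class, per-group overrides, and named, time-limited
# exceptions. Actions: "allow", "deny", "read_only", "encrypt" (forced encryption).
POLICY = {
    "default": {"usb_storage": "encrypt", "cd_dvd": "read_only",
                "smartphone": "deny", "printer": "allow"},
    "groups": {"radiology": {"cd_dvd": "encrypt"}},  # imaging burned to disc must be encrypted
    "exceptions": [{"id": "EX-0042", "user": "jdoe", "device_class": "usb_storage",
                    "serial": "SN-CONSTRUCTED-1", "action": "allow", "expires": "2012-12-31"}],
}

@dataclass
class DeviceEvent:
    user: str
    groups: list
    device_class: str
    serial: str
    direction: str           # "read" or "write" relative to the removable medium
    encrypted: bool = False  # medium is under the centrally managed encryption scheme

def decide(ev: DeviceEvent, policy: dict, today: str) -> tuple:
    """Return (verdict, reason). Exceptions win, then group overrides, then class defaults."""
    for ex in policy["exceptions"]:  # named exception for this user + device, if not expired
        if ((ex["user"], ex["device_class"], ex["serial"]) == (ev.user, ev.device_class, ev.serial)
                and today <= ex["expires"]):
            return ex["action"], ex["id"]
    rule = policy["default"].get(ev.device_class, "deny")  # unknown device class: deny
    for g in ev.groups:
        rule = policy["groups"].get(g, {}).get(ev.device_class, rule)
    if rule == "encrypt":
        # Forced encryption: data may leave the endpoint only onto an encrypted medium;
        # reading from an unencrypted medium (data coming in) is still permitted.
        if ev.direction == "write" and not ev.encrypted:
            return "deny", "unencrypted-write"
        return "allow", ("encrypted-media" if ev.encrypted else "read-from-unencrypted")
    if rule == "read_only":
        return ("allow", "read-only") if ev.direction == "read" else ("deny", "read-only")
    return rule, "class-default"

def audit_record(ev: DeviceEvent, policy: dict, ts: str) -> str:
    """One JSON audit line per device event, allowed or denied, so every transfer is traceable."""
    verdict, reason = decide(ev, policy, ts[:10])
    return json.dumps({"ts": ts, "user": ev.user, "class": ev.device_class, "serial": ev.serial,
                       "direction": ev.direction, "encrypted": ev.encrypted,
                       "verdict": verdict, "reason": reason})
```

Because the exception carries an expiry and appears as the reason in the audit line, an auditor can see both that a transfer bypassed forced encryption and under which approved exception.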

(Sidebar: Endpoint Security: Lumension® AntiVirus, Application Control, Device Control, Disk Encryption)

Page 22

Lumension® Disk Encryption (powered by Sophos)

Transparent Full Disk Encryption for PCs

» Secures all data on endpoint hard drives

» Provides single sign-on to Windows

» Enforces secure, user-friendly pre-boot authentication (multi-factor, multi-user options)

» Quickly recovers forgotten passwords and data (local self-help, challenge / response, etc.)

» Automated deployment, management and auditing via L.E.M.S.S. (integrated version)


Page 23

Defense-in-Depth with Lumension

(Diagram: defense-in-depth layers: Full Disk Encryption; Firewall Management; Anti-Malware; Patch and Configuration Management; Physical Access; Network Access; Port / Device Control and Encryption)

Page 24

Risk Management

(Diagram labels: Fragmented IT Visibility; Increasing Regulations; Manual & Disparate Audit Processes; Disjointed Policies & Controls; HIPAA, PCI, SOX; Password Policy: Character Length, Special Characters; Excel, Manual Surveys, Database, Business Processes; Compliance, IT Resources, Risk; Disparate Data Collection, Functional Silos, Non Standardized Processes)

Page 25

More Information

Free Scanner: Discover All Removable Devices Connected to Your Endpoints

http://www.lumension.com/resources/security-tools/device-scanner.aspx

Free Evaluation: Lumension® Data Protection

http://www.lumension.com/data-protection/data-protection-software/free-trial.aspx

Healthy Solution for Protecting Patient Data: Guarding Healthcare Information with Device Control and Data Encryption

http://www.lumension.com/Resources/WhitePapers/Healthy-Solutions-for-Protecting-Patient-Data.aspx

IT Pros’ Guide to Data Protection: Top 5 Tips for Securing Data in the Modern Age

http://www.lumension.com/Resources/Whitepapers/Busy-IT-Professionals-Guide-to-Data-Protection.aspx


Page 26

Global Headquarters, 8660 East Hartford Drive

Suite 300

Scottsdale, AZ 85255

1.888.725.7828


http://blog.lumension.com