Medical Records on the Run: Protecting Patient Data with Device Control and Encryption
May 07, 2015
Today’s Agenda
Protecting Patient Data and HIPAA
Policy-based Device Control and Data Encryption
Device Control at University Health Care System
Conclusion and Q & A
Today’s Speakers
Chris Merritt, Director of Solution Marketing, Lumension
George Ward CISSP, CISM
Manager Information Security, Computer Operations, University Health Care System
Protecting Patient Data and HIPAA
Challenges of Protecting Patient Data
Economic and Competitive Pressures
Increased HIPAA and PCI Regulatory Oversight
Increasing Value of Personal Healthcare Information
Data Sharing Outside of the Four Walls
Consumerization of IT
Electronic Protected Health Information (EPHI) Disclosure
Data Sharing Outside of the Four Walls
Accessibility to Medical and Billing Records Increases… as Does the Risk
Source: 2008 HIMSS Security Survey
Consumerization of IT
Health care workers have direct access to sensitive medical records
70% of all serious incidents are sparked by insiders. (Source: IDC Worldwide Security Products and Services 2007 Top 10 Predictions)
48% of employees utilize work IT tools for personal reasons
EPHI Disclosure – Accidental or Malicious
Lost Portable Devices
Disgruntled Employees
Data Breaches
Risks Incidents Costs
Importance of Device Control
Protecting Electronic Medical Records
USB Drives are the Achilles Heel of Data Protection Due to Size, Transfer Speed, and Ease of Use
» 60% of confidential data resides at the endpoint (IDC)
» 52% of companies surveyed have suffered data loss via USB drives and other removable media (Forrester)
» 53% of organizations would NEVER KNOW what data was on a lost USB device (Ponemon Institute)
» Over 70% of security breaches originate from within the organization (Vista Research)
Removable Devices Hold A LOT of Information
40 million USB Devices Sold Within the Last Year
What about CD / DVD / Blu-Ray Media?
Storage Capacity for USB Devices
File Type | Typical Size (KB) | Files per 512MB USB Drive | Files per 2GB USB Drive | Files per 32GB USB Drive
Text / Email | 15 | 34,560 | 139,500 | 1,984,700
Document | 100 | 5,185 | 20,920 | 297,750
Spreadsheet | 1,485 | 350 | 1,410 | 20,050
10MP JPEG | 2,250 | 230 | 930 | 13,210
Simple X-Ray | 10,000 | 52 | 209 | 2,978
Storage Capacity for CD, DVD and Blu-Ray Discs
File Type | Typical Size (KB) | Files per CD Disc | Files per DVD Disc (SS SL) | Files per Blu-ray Disc (DL)
Text / Email | 15 | 46,500 | 297,000 | 3,200,000
Document | 100 | 6,980 | 44,500 | 480,000
Spreadsheet | 1,485 | 470 | 3,000 | 32,320
10MP JPEG | 2,250 | 310 | 1,975 | 21,300
Simple X-Ray | 10,000 | 70 | 445 | 4,800
A Balanced Approach is Needed
HIPAA Security Rule: Are You Ready?
HIPAA Security Rule
Security
• Security Standards: General Rules
• Administrative Safeguards
• Technical Safeguards
• Physical Safeguards
• Organizational Requirements
• Policy and Procedures and Documentation Requirements
Enforcement Becoming Real
CVS settlement breaks new ground in HIPAA enforcement
February 2009: CVS, the nation’s largest retail pharmacy chain, will pay the U.S. government $2.25 million and take corrective action to ensure it does not violate the privacy of its millions of patients when disposing of patient information.
Also, the company must obtain assessment reports from a third-party organization every two years for the next 20 years to be provided to the Bureau of Consumer Protection at the FTC.
Are You Ready for an Audit?
Piedmont Hospital was presented with a list of 42 items that HHS officials wanted information on within 10 days:
Provide policies and procedures for:
1. Establishing and terminating users' access to systems housing electronic patient health information (ePHI).
2. Emergency access to electronic information systems.
3. Inactive computer sessions (periods of inactivity).
4. Recording and examining activity in information systems that contain or use ePHI.
5. Risk assessments and analyses of relevant information systems that house or process ePHI data.
6. Employee violations (sanctions).
7. Electronically transmitting ePHI.
8. Preventing, detecting, containing and correcting security violations (incident reports).
9. Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
10. Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.
11. Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers.
12. Physical access to electronic information systems and the facility in which they are housed.
13. Establishing security access controls (what types of security access controls are currently implemented or installed in hospitals' databases that house ePHI data?).
14. Remote access activity, i.e. network infrastructure, platform, access servers, authentication, and encryption software.
15. Internet usage.
16. Wireless security (transmission and usage).
17. Firewalls, routers and switches.
18. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
19. Terminating an electronic session and encrypting and decrypting ePHI.
20. Transmitting ePHI.
21. Password and server configurations.
22. Anti-virus software.
23. Network remote access.
24. Computer patch management.
Other requests included:
1. Please provide a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI.
2. Please provide a list of terminated employees.
3. Please provide a list of all new hires.
4. Please provide a list of encryption mechanisms used for ePHI.
5. Please provide a list of authentication methods used to identify users authorized to access ePHI.
6. Please provide a list of outsourced individuals and contractors with access to ePHI data, if applicable. Please include a copy of the contract for these individuals.
7. Please provide a list of transmission methods used to transmit ePHI over an electronic communications network.
8. Please provide organizational charts that include names and titles for the management information system and information system security departments.
9. Please provide entity wide security program plans (e.g., System Security Plan).
10. Please provide a list of all users with access to ePHI data. Please identify each user's access rights and privileges.
11. Please provide a list of systems administrators, backup operators and users.
12. Please include a list of antivirus servers installed, including their versions.
13. Please provide a list of software used to manage and control access to the Internet.
14. Please provide the antivirus software used for desktop and other devices, including their versions.
15. Please provide a list of users with remote access capabilities.
16. Please provide a list of database security requirements and settings.
17. Please provide a list of all Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows). Please identify whether these servers are used for processing, maintaining, updating, and sorting ePHI.
18. Please provide a list of authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems.
Policy-based Device Control and Data Encryption
Data Protection at the Endpoint
» Protect Data from Leakage and Theft: Centrally enforce usage policies for all removable devices and media.
» Improve Compliance: Centrally force encryption of data flowing onto removable devices and media to ensure that it cannot be accessed if they are lost or stolen.
» Flexible Exception Management: Make business decisions about policy exceptions and emergency access.
» Continuous Audit Readiness: Monitor all device usage and data transfers. Track all transferred files and content. Report on all data policy compliance and violations.
Policy-Based Device Control and Data Encryption
Practical Data Protection Approach
1. Discover all devices that are currently or have ever been connected to every endpoint.
2. Assess device and data usage, including what device, on what machine, by which user, and when.
3. Implement flexible device whitelisting, allowing only approved devices to run.
4. Monitor the effectiveness of device usage policies.
5. Report on data protection policies to prove compliance and conduct forensics.
In-Depth Discovery
Discover all devices that are currently or have ever been connected to every endpoint.
• Automatically determine how many and what devices are in use across your organization.
• Easily find devices that you don't even know about.
Device Types:
• Biometric devices
• COM / Serial Ports
• DVD/CD drives
• Floppy disk drives
• Imaging Devices / Scanners
• LPT / Parallel Ports
• Modems / Secondary Network Access Devices
• Palm Handheld Devices
• Portable (Plug and Play) Devices
• Printers (USB/Bluetooth)
• PS/2 Ports
• Removable Storage Devices
• RIM BlackBerry Handhelds
• Smart Card Readers
• Tape Drives
• User Defined Devices
• Windows CE Handheld Devices
• Wireless Network Interface Cards (NICs)
Thorough Assessment
Assess device and data usage, including what device, on what machine, by which user, and when.
• Full visibility on usage of all removable devices (e.g., USB flash drives) and media (e.g., CDs/DVDs) by user, machine and time.
• Assess by unique device, device type, device vendor, users and user groups, machines, hours of operation, and more.
• Ensure data is encrypted and secure when on removable devices / media.
Implement Security Policy
Implement flexible device whitelisting, allowing only approved devices to run.
• Enforce removable device / media and data usage policies to protect sensitive information.
• Define what devices and media can connect to the network and what users or user groups can do with them for flexible exception management.
• Centrally encrypt removable devices and media or force users to encrypt devices / media to ensure that data cannot be accessed if removable devices or media are lost or stolen.
Continuous Monitoring
Monitor the effectiveness of device usage policies.
• Automatically log all network events related to your data protection policy, including:
» Endpoint status
» Device connection
» User activity (such as data transfers)
» File tracking (including full content shadowing)
• Identify potential threats by logging all device execution attempts and recording all policy changes and administrator activities.
Comprehensive Reporting
Report on data protection policies to prove compliance.
• Provide a detailed audit trail of all device usage attempts.
• Keep a copy of every file that is transferred to or from a removable device using our patented bi-directional shadowing technology.
• Drill down on suspicious behavior for security or legal follow-up.
• Link reporting to Syslog to enable event correlation, automated alerting / reporting, and integrated analysis.
Device Control Puts You Back in Control
Eliminate a major blind spot at endpoints
» Identify all devices that are currently connected or have ever been connected to network assets
» Use detailed logs of device usage and data transfer (incl. file headers or full content shadowing) for auditing, forensics, etc.
Protect against data loss and theft
» Control and manage any removable devices through any ports including USB, Firewire, WiFi, Bluetooth, etc.
» Enforce encryption policies for data transferred to removable devices / media, including USB flash drives (UFDs), CDs / DVDs, etc.
» Prevent malware introduction via removable devices / media
Policy Management / Control
» Whitelisting / "Default Deny" approach eliminates unwanted / unknown devices
» Granular permissions for devices (class, group, model, ID), users / user groups and machines / machine groups allow for fine exception management
Device Control at University Health Care System
University Health Care System
581 bed, not-for-profit community hospital in Augusta, GA
» Campus environment
3,000+ employees
» 600 independent, private physicians on active, consulting, courtesy and associate staff
2,500+ Workstations
330+ Servers
120+ Applications (McKesson)
Business Driver: Protecting Patient Data and Ensuring Compliance
External audit showed gaps in HIPAA Compliance
Fines for non-compliance with HIPAA now as large as $250,000 per incident
» Covered entities and specified individuals who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year.
» Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison.
» Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.
Losing patient data is detrimental to the hospital as a business
Health Care Data Loss Incidents in the Headlines
Holistic Security
• Understand the threat you need to protect against
• Point security measures are never enough…
University Health Care System Objectives
Secure Electronic Protected Health Information (EPHI) and Stay out of the Headlines
Enforce Policy
» All USB devices must be encrypted
» Unencrypted devices denied by default
Manage by Exception and by Role
» Discretionary access model vs. role-based access model
Communicate Policy to Users
» Identified every internal communication possible to leverage (newsletters, memoranda, posters, etc.)
» Announced date for policy enforcement in advance
» Created awareness around data loss incidents with other hospitals
Discretionary Access Model (Current)
Enabling Removable Device Access – Previous Model
Swimlanes in the flowchart: User, Manager, Department Head, Department Vice President, CIO Admin Assistant, Chief Information Officer (CIO), Service Desk, Provisioning
1. User requests internet access
2. Manager Approval
3. Department Head Approval
4. Department Vice President Approval
5. CIO Admin Assistant checks that form is complete (decision: Complete?)
6. CIO Approval
7. CIO Admin Assistant sends request to Service Desk
8. Service Desk creates a call and sends it to Provisioning
9. Provisioning grants internet access to user
10. Access Granted
Centrally Managed Role-Based Access Control Model (Goal)
Lumension Device Control – RBAC for USB Devices
Swimlanes in the flowchart: User, Human Resources, Provisioning
1. New Employee is hired
2. Orientation List sent to Provisioning
3. Users are granted application access based on their role
4. Access Granted
Justifying Device Control Implementation
Compliance
» Audit finding remediation
Integrity and Reputation
» Incident prevention
Data Protection
» Protect our patients
» Protect our employees and physicians
» Protect financial and intellectual data
[Chart: Business Value plotted against Maturity, with the stages Security Effectiveness, Security Efficiency and Business Enablement and the labels Pass audits, Automate controls, Lower Risk and Operational Maturity]
Device Control Ensures Security and Enables the Business
Measurement of Lumension Device Control
Granular Controls Enable Effective Policy
Plan | Device Class | Device Description
Role-Based Access Control | Removable Storage Devices | Memory sticks, Flash drives, ZIP Drives, USB Hard Drives, etc.
Role-Based Access Control | DVD/CD Drives | CD, CD-R/W, DVD, DVD R/W
Role-Based Access Control | Imaging Devices | Scanners, webcams, etc.
Role-Based Access Control | User Defined Devices | Non-standard devices (Generic USB Devices, IPAQ, etc.)
Blocked | Portable Devices | Digital Cameras, iPhones, MP3 Players, etc.
Blocked | Modem/Secondary Network Access Devices | Modems that do not connect directly through normal channels
Blocked | Palm Handheld Devices | Palm PDAs, Smartphones, etc.
Blocked | Floppy Disk Drives | IDE, parallel, or USB Floppy Drives
Blocked | RIM Blackberry (Research In Motion) | Handheld computers/mobile phones
Blocked | Biometric Devices | Fingerprint readers, password managers, etc.
Blocked | Tape Drives | Internal or external tape drives
Blocked | Windows CE Handheld Devices | Windows CE computers using PocketPC OS
Blocked | Wireless Network Interface Cards | Wireless LAN Adaptors
Allowed | Printers (USB/Bluetooth) | USB and Bluetooth Printers
Allowed | COM/Serial Port (Serial Communication) | Standard modems, phone cradles, etc.
Allowed | LPT/Parallel Ports (Line Printer Terminal) | Standard printers, dongles, etc.
Allowed | PS/2 Ports (Personal System/2) | Keyboards and Mice
Allowed | Smart Card Readers | Readers for smartcards, etokens, or fingerprints
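To make the plan table concrete, and the earlier points on the whitelisting / "default deny" approach and the rule that unencrypted devices are denied by default, here is an added example of a policy evaluator for device connection attempts; it is not Lumension's code nor University Health Care System's configuration, the role names and the subset of the plan table it uses are assumptions, and every decision is written to an audit log that the weekly review can count over.

```python
from collections import Counter
from dataclasses import dataclass

# Plan per device class, a subset of the deck's plan table; any class not
# listed is treated as blocked, which is the whitelisting / "default deny" stance.
PLAN = {
    "Removable Storage Devices": "rbac",
    "DVD/CD Drives": "rbac",
    "Imaging Devices": "rbac",
    "User Defined Devices": "rbac",
    "Portable Devices": "blocked",
    "Wireless Network Interface Cards": "blocked",
    "Printers (USB/Bluetooth)": "allowed",
    "PS/2 Ports": "allowed",
}

# Roles holding a "business need" exception for RBAC classes (hypothetical).
ROLE_EXCEPTIONS = {
    "radiology": {"Removable Storage Devices", "Imaging Devices", "DVD/CD Drives"},
    "it-admin": {"Removable Storage Devices", "DVD/CD Drives", "User Defined Devices"},
}

# "All USB devices must be encrypted": storage is granted only when encrypted.
MUST_BE_ENCRYPTED = {"Removable Storage Devices"}

@dataclass
class Attempt:
    user: str
    role: str
    machine: str
    device_class: str
    device_id: str
    encrypted: bool = False

def evaluate(attempt, log):
    """Decide one connection attempt and append an audit record to `log`.

    Returns (decision, reason). Checks run class-wide allow/deny first, then
    the role exception, then the encryption requirement."""
    plan = PLAN.get(attempt.device_class, "blocked")
    if plan == "allowed":
        decision, reason = "allow", "class allowed for all users"
    elif plan == "blocked":
        decision, reason = "deny", "class blocked hospital-wide"
    elif attempt.device_class not in ROLE_EXCEPTIONS.get(attempt.role, set()):
        decision, reason = "deny", "role %s has no exception for this class" % attempt.role
    elif attempt.device_class in MUST_BE_ENCRYPTED and not attempt.encrypted:
        decision, reason = "deny", "unencrypted device denied by default"
    else:
        decision, reason = "allow", "role exception granted, encryption verified"
    log.append({"user": attempt.user, "machine": attempt.machine,
                "device": attempt.device_id, "class": attempt.device_class,
                "decision": decision, "reason": reason})
    return decision, reason

def blocked_per_user(log):
    """Weekly log review helper: denied attempts per user."""
    return Counter(e["user"] for e in log if e["decision"] == "deny")
```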
Communication and Rollout Plan
Communication Means | Message | Presented | Status
Executive Staff Meeting | Overview (this presentation) | 3/24/2009 | Complete
COO Briefing | Overview | 3/25/2009 | Complete
Security Management Subcommittee | Overview | 4/8/2009 | Complete
Cancer Committee Meeting | Agenda item | 4/10/2009 | Complete
E-mail current users | Request 'business need' justification | 4/13/2009 | Complete
Department Chair Meetings | Agenda item | 4/13 - 6/16/2009 | Complete
Department Directors Meeting | Overview | 4/15/2009 | Complete
IS Division Meeting | Overview | 4/15/2009 | Complete
F-22 Revision | Publish link to Project Website | 4/15/2009 | Complete
Internal Posters | Devices, contact info, effective date | 4/16/2009 | Complete
Housewide Memo 1 | Devices, contact info, effective date | 4/21/2009 | Complete
Medical Executive Committee | Overview | 4/21/2009 | Complete
IS Steering | Overview | 4/22/2009 | Complete
Employee Communiqué Newsletter | Devices, contact info, effective date | 4/24/2009 | Complete
Housewide Memo 2 | Devices, contact info, effective date | 4/28/2009 | Complete
Volunteer Executive Committee Meeting | Agenda item | 4/28/2009 | Complete
Housewide Memo 3 | Devices, contact info, effective date | 5/1/2009 | Complete
Physician Practice Managers Meeting | Agenda item | 5/1/2009 | Complete
Medical Staff Monthly Newsletter | Devices, contact info, effective date | 5/3/2009 | Complete
Nursing Matters Newsletter | Devices, contact info, effective date | 5/3/2009 | Complete
Foundation Quarterly Newsletter | Devices, contact info, effective date | 5/15/2009 | Complete
Volunteer Quarterly Newsletter | Devices, contact info, effective date | 5/27/2009 | Complete
Monthly Newsletters and Memos
On May 12, 2009, University Hospital will protect electronic Protected Health Information (ePHI) by restricting USB storage device use to specific, authorized users.
Unauthorized devices such as Universal Serial Bus (USB) drives, external hard drives, and non-encryptable devices such as digital cameras, cell phones, mp3 players, etc., will be blocked.
Visit the "Device Control Project" link on the hospital's intranet homepage, or contact Dewayne Winston at [email protected] for more information.
Internal Posters Throughout Hospital
- Employee entrance
- Cafeteria exit
- Heart & Vascular Institute
- Business Center
- Human Resources
- Staff elevators
Current Results - ROI
• Audit finding remediated
• No loss of electronic Protected Health Information
• Enforcement of policy by role with exceptions
• Since May 12, 2009:
» Blocked 345 unauthorized users
» Blocked 20,000+ unauthorized access attempts
» Weekly log monitoring
» File shadowing enabled
Security that Ensures Compliance AND Business Productivity
Ensure that the Right People have the Right Access to the Right Resources and are doing the Right Things Efficiently and Productively
Conclusion and Q & A
Additional Resources
• Learn More about Technical Controls to Address HIPAA Compliance Challenges:
» http://www.lumension.com/hipaa-compliance
» Whitepaper - Achieving HIPAA Security Rule Compliance with Lumension
• Optimal Security Blog – http://blog.lumension.com
• Device Scanner Offer
» Discover every removable device, such as USB flash drives, that has ever connected to your network
• Protect Your Vital Information Resource Center
» Third party research, videos, tools and case studies
» http://www.lumension.com/protect-your-vital-information
Global Headquarters
15880 N. Greenway-Hayden Loop
Suite 100
Scottsdale, AZ 85260
1.888.725.7828