Post on 25-Mar-2022
Assessing Risk: A Path to Action
Brad Lewis - Service Specialist
• 14 years of IT experience
• In-House Support Manager
• Network Administrator
Kinette Crain - Services Analyst
• Managed IT Sales Manager
• IT Education Manager
• IT and Software Installation & Project Management
EHR Incentive Program
Secure Endpoint Management
http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/downloads/Stage2_HospitalCore_7_ProtectElectronicHealthInfo.pdf
Compliance Audits
How are we measuring up?
http://www.healthcareinfosecurity.com/whats-ahead-for-hipaa-audits-a-5647/p-2
Meaningful Use:
• Pre and post payment audits
• Maintain supporting documentation, including risk assessments
• 5-10% can expect audits, including random selection process
HIPAA Compliance:
• There’s still a lot of work to be done to ensure compliance
• Few had conducted complete or accurate risk assessments
• The reasonableness and appropriateness of encryption must be addressed
Business Pressures
• Consumerization of IT
• BYOD Initiatives
What are your challenges?
Endpoint Protection
Definition: Endpoint protection refers to a methodology and strategy of protecting your facility’s network to comply with security standards. Endpoints include PCs, laptops, smart phones, or other wireless and mobile devices.
What is endpoint protection?
Administrative Safeguards
Security Management
Data Encryption
Secure Risk Assessment
Mobile Device Management
Administrative Safeguards
• Decide: Understand the risks to your organization before you decide which endpoint devices will be allowed.
• Assess: Consider how endpoint devices affect the risks (threats and vulnerabilities) to the health information your organization holds.
• Identify: Identify your organization’s mobile device risk management strategy, including privacy and security safeguards.
• Document: Develop, document, and implement the organization’s endpoint security policies and procedures to safeguard health information.
• Train: Conduct endpoint privacy and security awareness and training for providers and professionals.
Do I have a comprehensive policy?
Security Management
Strategy and Key benefits:
• Malicious Software protection
  – Minimal system resources
  – Scans removable storage
  – Central Management Console
• Patch Management
  – Automated patch deployment
  – Comprehensive reporting
  – Patch compliance
• Remote Monitoring & Management (RMM)
  – User defined monitoring & alerts
  – Alert messaging
  – Log monitoring
• Media Sanitization
  – Procedure for all endpoint types
Is your security centrally managed?
Data Encryption
Key Benefits:
• Comprehensive multi-platform coverage
• Ease of deployment
• Central Management Console
• Compliance with privacy mandates
• AES-NI hardware chipset compatibility
• Password recovery options
Do you have a data encryption strategy?
Meaningful Use – Stage 2
“The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.”
Is encryption mandatory?
Audit Findings
• Encryption is an addressable implementation specification
• Most people, once they have gone through the addressable analysis, do encrypt
• Those that don’t encrypt didn’t go through the analysis
How are we measuring up?
http://www.healthcareinfosecurity.com/whats-ahead-for-hipaa-audits-a-5647/p-2
Data Encryption
Common myths surrounding data encryption:
• Passwords protect laptops
• Data encryption is not practical
• Data encryption solutions are hard to manage
• Data encryption is too expensive
Do these myths exist at your facility?
Mobile Device Management
Strategy:
• Document your policy
• Consider embracing BYOD
• Communicate Responsibility
• Take Access Control seriously
• Best Practices
Are mobile devices managing you?
Establish Administrative Safeguards
Conduct a Security Risk Assessment
Establish Security Management
Data Encryption where appropriate
Implement Mobile Device Management platform
Are you ready?
Customer Implementation (chart): Implementation Percentage and Risk of Loss / Theft, on a scale of 0 to 100, for Malicious Software Protection, Remote Mgmt System, Data Encryption and Mobile Device Mgmt.
Implications
What if I do nothing?
• Idaho State University $400,000
• Sutter Health $,$$$,$$$
• Affinity Health Plan $1,200,000
• Hospice of North Idaho $50,000
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples
10 Largest HIPAA Breaches of 2012
• Utah Department of Health 780,000
• Emory Healthcare 315,000
• South Carolina Department of Health and Human Services 228,435
• Alere Home Monitoring 116,506
• Memorial Healthcare System 102,153
• Howard University Hospital 66,601
• Apria Healthcare 65,750
• The University of Miami 64,846
• Safe Ride Services 42,000
• Integrated Medical Services 36,609
Could it happen to you?
http://www.healthcareitnews.com/news/10-largest-hipaa-breaches-2012?page=0
Consumer Backlash
• Research: 1 in 4 consumers affected by a data breach become a victim
• Consumers with stolen SSNs were 5 times more likely to be a victim
• Advocate Health Care class action lawsuit filed by 4 million patients
• Massachusetts Medical Group pays $140,000 in privacy suit
What will happen next?
Conclusion
Endpoint Protection
Regulatory Pressures
Business Drivers
Consumer Backlash
Questions?
Marty Toland - Managed IT Services Director
• Oversees the implementation and management for Managed IT Services division
• CPSI Networking & Internet Services Director
Join the Conversation
Keyword TruBridge
facebook.com/trubridgeservices
@trubridgesvc www.trubridge.net