Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH


Description: Lunch and learn session from HIMSS Show sponsored by Novell and Cynergistek

Transcript of Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Page 1: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Information Security & Compliance in Healthcare

Beyond HIPAA and HITECH

Page 2: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Why Does Health Data Even Exist?

• People choose to disclose their most intimate information to get the best treatment.

• Doctors earn trust by guaranteeing privacy.

• No privacy = people avoid treatment, lie or omit information, and get sicker.

• No American should ever have to choose between care and privacy. They deserve both.

Page 3: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Agenda

1. Why traditional approaches don’t work

2. Dealing with the complexity in Healthcare

3. Adding Privacy to the Matrix

4. Correlation is Key

5. Questions & Answers

Page 4: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Healthcare’s Immaturity

• Slightly less than half have a dedicated Information Security Officer

• Roughly 30% have invested in automated log management tools

• The average size of an information security group today – less than three.

• Average years of experience in information security – less than five.

Page 5: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

An Evolving Threat

Fame:

• Threats persist with a goal of notoriety.

• Threats are visible and indiscriminate.

• “Big splash” approach.

Fortune:

• Threats are fleeting with a goal of profit.

• Threats are silent and highly targeted to exploit a target or steal data.

(Diagram labels: People, Identities, & Information; Computers & Networks)

• Attackers are increasingly developing highly sophisticated methods with the goal to penetrate rather than destruct.

• We (Symantec) have seen sources of data change and plenty of evidence of “collateral damage”.

Page 6: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Data Breaches by Sector – Healthcare is #2

Good news: Few exposed identities

Bad news: The number of breaches is high (reporting mandates are a part contributor)

Source: Symantec Corp. Global XV Internet Security Threat Report

Page 7: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

An Enormous Challenge

• Hundreds/thousands of applications and systems, each producing scores of logs per minute.

• Hundreds or thousands of users generating logs from their activity.

• Organizations need to collect, compile, parse, analyze, correlate and report.

Page 8: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Current State of Log Management

• Manual, reactive processes of the past are simply not adequate to meet today’s security, privacy and compliance mandates.

– Overwhelming manual process

– Specialized audits of high profile patients

– Reactive audits in response to complaints

Page 9: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Disjointed Efforts

• Privacy and Compliance organizations have focused on application monitoring

• Technical and Security organizations have focused on monitoring events affecting security of the IT infrastructure and systems

• This approach is inefficient and adds to the risk of exploitation

Page 10: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Agenda

1. Why traditional approaches don’t work

2. Dealing with the complexity in Healthcare

3. Adding Privacy to the Matrix

4. Correlation is Key

5. Questions & Answers

Page 11: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Regulatory Landscape

• Federal Laws

– HIPAA Privacy & Security Rules

– HITECH requirements

– Confidentiality of Alcohol and Drug Abuse Patient Record Rules (42 CFR part 2)

– Federal Privacy Act

– Payment Card Industry Data Security Standard

• State Laws

– Much variation

• Contractual Requirements

Page 12: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

What’s Happening To My Data?

• Greater Access

• Business Associates

• Breach Notification

• Accounting for Disclosures

• Behavioral Modeling

• Normalization of Users

• Patient Identification

Page 13: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

What’s New

• Capabilities to link data

• Capabilities to look up patient information

• Opportunities for greater consumer involvement

• Opportunities for greater patient electronic access to their information

• Opportunities for enhanced protections

Page 14: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Top Security Trends in Healthcare for 2011

• More small scale data breaches

• Low-tech theft, data stolen through non-electronic means

• Continuing crisis of lost devices

• Data minimization increasingly essential part of data security plans

• Increased collaboration & sharing will increase vulnerability

• Organizations will implement social networking policies

• Data encryption will be seen as a “golden ticket” to compliance

• 3rd Parties will face more stringent breach notification

• Privacy awareness training will gain prominence as essential to breach preparedness

• Possibility of Fed breach notification is high for 2011

Kroll's Fraud Solutions, January 3, 2011

Page 15: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

What We Need

• A true health care solution that takes an integrated approach to all logging, monitoring, audit, and review activities.

• A solution that is intelligent enough to deliver a unified view of compliance.

• And smart enough to incorporate privacy monitoring and tie it back to other activity on the network.

Page 16: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Agenda

1. Why traditional approaches don’t work

2. Dealing with the complexity in Healthcare

3. Adding Privacy to the Matrix

4. Correlation is Key

5. Questions & Answers

Page 17: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

The Old Model

• Traditional SIEM and Log Management platforms present views in silos, typically through add on modules such as:

– HIPAA

– PCI/DSS

– ITIL

– ISO

Page 18: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

A New Paradigm

• A multidimensional approach that incorporates:

– Operations

– Security

– Compliance

– Privacy

– Correlation

Page 19: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Where The Data Is

• To address Privacy rules, today’s SIEMs need to be able to collect and correlate information from Healthcare Applications.

• Current technologies only address the traditional operations, compliance and security event logs.

• The model for healthcare needs to evolve to include privacy information (User Activity).

Page 20: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

One Big Challenge – User Identity

• There are two critical components to this challenge – User Logins and Roles

• Most healthcare organizations do not have mature role based access in place

• Logins vary by system and single User may have many unique Logins

• Identity management will become a critical success factor for Healthcare compliance

Page 21: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Top Privacy Trends in Healthcare for 2011

• HIEs will be launched by inexperienced and understaffed organizations

• Increased fines and regulatory action by AGs

• Data breach costs will increase as penalties are enforced

• Hospital Boards will exert their power to manage data risks to increase accountability & fiduciary responsibility

• A significant “data spill” is inevitable

• There will be heightened patient awareness/concern over the security of their medical data

• Final data breach notification rule from HHS

Page 22: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Correlation is Key

• The ability to pull together multiple pieces of identity based information from multiple sources, and then automatically normalize and make sense of that information, is what is needed to accurately identify who did what and when.
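As an added illustration of the normalization and correlation this slide describes (and of the many-logins-per-user problem on Page 20), the Python below is not from the presentation. It assumes a constructed identity map standing in for an identity management feed and made-up log lines from three systems, and produces a cross-system who-did-what-when view plus an Accounting for Disclosures listing for one patient.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed identity map (system, login) -> canonical user; assumed to come from IdM.
IDENTITY_MAP = {("ehr", "jsmith"): "jane.smith", ("billing", "SMITHJ"): "jane.smith",
                ("lab", "js4421"): "jane.smith", ("ehr", "rlee"): "robert.lee"}
ROLES = {"jane.smith": "nurse", "robert.lee": "billing_clerk"}

# Constructed sample log lines, one format per source system.
EHR_LOGS = ["2011-02-22T09:01:10 user=jsmith action=VIEW patient=MRN1001",
            "2011-02-22T09:03:55 user=rlee action=VIEW patient=MRN1001"]
BILLING_LOGS = ["2011-02-22 09:07:42|SMITHJ|EXPORT|MRN1001"]
LAB_LOGS = ["22/02/2011 09:05:03 js4421 RESULT_VIEW MRN1002",
            "22/02/2011 09:09:30 tmp999 RESULT_VIEW MRN1001"]

# Per-system (regex, timestamp format); each regex captures ts, login, action, patient.
PARSERS = {
    "ehr": (re.compile(r"(\S+) user=(\S+) action=(\S+) patient=(\S+)"), "%Y-%m-%dT%H:%M:%S"),
    "billing": (re.compile(r"([^|]+)\|([^|]+)\|([^|]+)\|(\S+)"), "%Y-%m-%d %H:%M:%S"),
    "lab": (re.compile(r"(\S+ \S+) (\S+) (\S+) (\S+)"), "%d/%m/%Y %H:%M:%S"),
}

def parse(system, line):
    """Parse one raw line into (timestamp, system, login, action, patient)."""
    pattern, fmt = PARSERS[system]
    ts, login, action, patient = pattern.match(line).groups()
    return (datetime.strptime(ts, fmt), system, login, action, patient)

def normalize(sources):
    """Map each system-specific login to one canonical identity and role.
    Logins missing from the identity map are kept and flagged, never dropped."""
    events = []
    for system, lines in sources.items():
        for ts, sys_, login, action, patient in (parse(system, l) for l in lines):
            ident = IDENTITY_MAP.get((sys_, login), f"UNMAPPED:{sys_}/{login}")
            events.append((ts, ident, ROLES.get(ident, "unknown"), sys_, action, patient))
    return sorted(events)  # chronological across all systems

def activity_by_identity(events):
    """Who did what and when, across systems, keyed by canonical identity."""
    out = defaultdict(list)
    for ts, ident, _role, system, action, patient in events:
        out[ident].append((ts, system, action, patient))
    return dict(out)

def accounting_of_disclosures(events, patient):
    """Accounting for Disclosures view: every recorded access to one patient."""
    return [(ts, i, r, s, a) for ts, i, r, s, a, p in events if p == patient]
```

The unmapped `tmp999` login is deliberately surfaced rather than discarded, since an account no identity source can explain is exactly what a privacy review needs to see.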

Page 23: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Agenda

1. Why traditional approaches don’t work

2. Dealing with the complexity in Healthcare

3. Adding Privacy to the Matrix

4. HITECH

5. Questions & Answers

Page 24: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Meaningful Use

• A primary goal of HITECH is the adoption and Meaningful Use of interoperable health information technology and electronic health records.

• Meaningful use requires the logging of all PHI actions that occur to include viewing.

• Meaningful use requires unique identifiers and Logins.

Page 25: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Accounting for Disclosures

• HITECH gives patients the right to request an accounting of who has had access to their information.

• This arguably extends the monitoring requirement beyond the core EHR to other systems (finance/insurance).

• A key component of Accounting for Disclosures is determining appropriate access.

Page 26: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Breach Notification

• HITECH provides very specific notification requirements if unsecured patient information is accessed, acquired or disclosed as a result of a breach.

• SIEM can assist in early detection of breaches and aid in limiting impact.

• SIEM can also aid in forensic analysis of what happened and who was involved.

Page 27: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Frequent Themes

• Frustration with primarily reactive processes

• Frustration with time consuming manual processes

• Lack of confidence in manual searches

• Desire to mitigate potential public embarrassment

• Gaps in current SIEM/Log Management solutions to address clinical applications

• Lack of log/audit functionality in systems

Page 28: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

The Ideal Healthcare SIEM

• Multidimensional compliance matrix that measures against an integrated set of requirements.

• A distinct approach that elevates Privacy to the same level as operations, security and compliance and correlates across all.

• An ability to tie in Identity Management and normalize for user ID and role.

• An established set of reports and alerts

Page 29: Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH

Agenda

1. Why traditional approaches don’t work

2. Dealing with the complexity in Healthcare

3. Adding Privacy to the Matrix

4. Correlation is Key

5. Questions & Answers