Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH
Information Security & Compliance in Healthcare
Beyond HIPAA and HITECH
Why Does Health Data Even Exist?
• People choose to disclose their most intimate information to get the best treatment.
• Doctors earn trust by guaranteeing privacy.
• No privacy = people avoid treatment, lie or omit information, and get sicker.
• No American should ever have to choose between care and privacy. They deserve both.
Agenda
1. Why traditional approaches don’t work
2. Dealing with the complexity in Healthcare
3. Adding Privacy to the Matrix
4. Correlation is Key
5. Questions & Answers
Healthcare’s Immaturity
• Slightly less than half have a dedicated Information Security Officer
• Roughly 30% have invested in automated log management tools
• The average size of an information security group today – less than three.
• Average years experience in information security – less than five.
An Evolving Threat
• Threats persist with a goal of notoriety.
• Threats are visible and indiscriminate.
• “Big splash” approach.
• Threats are fleeting with a goal of profit.
• Threats are silent and highly targeted to exploit a target or steal data.
[Slide figure labels: Fame / Fortune; People, Identities, & Information; Computers & Networks]
• Attackers are increasingly developing highly sophisticated methods with the goal to penetrate rather than destruct.
• We (Symantec) have seen sources of data change and plenty of evidence of “collateral damage”.
Data Breaches by Sector – Healthcare is #2
• Good news: few exposed identities.
• Bad news: the number of breaches is high (reporting mandates are a partial contributor).
Source: Symantec Corp. Global XV Internet Security Threat Report
An Enormous Challenge
• Hundreds/thousands of applications and systems, each producing scores of logs per minute.
• Hundreds or thousands of users generating logs from their activity.
• Organizations need to collect, compile, parse, analyze, correlate and report.
Current State of Log Management
• Manual, reactive processes of the past are simply not adequate to meet today’s security, privacy and compliance mandates.
– Overwhelming manual process
– Specialized audits of high profile patients
– Reactive audits in response to complaints
Disjointed Efforts
• Privacy and Compliance organizations have focused on application monitoring
• Technical and Security organizations have focused on monitoring events affecting security of the IT infrastructure and systems
• This approach is inefficient and adds to the risk of exploitation
Agenda
1. Why traditional approaches don’t work
2. Dealing with the complexity in Healthcare
3. Adding Privacy to the Matrix
4. Correlation is Key
5. Questions & Answers
Regulatory Landscape
• Federal Laws
– HIPAA Privacy & Security Rules
– HITECH requirements
– Confidentiality of Alcohol and Drug Abuse Patient Record Rules (42 CFR part 2)
– Federal Privacy Act
– Payment Card Industry, Data Security Standard
• State Laws
– Much variation
• Contractual Requirements
What’s Happening To My Data?
• Greater Access
• Business Associates
• Breach Notification
• Accounting for Disclosures
• Behavioral Modeling
• Normalization of Users
• Patient Identification
What’s New
• Capabilities to link data
• Capabilities to look up patient information
• Opportunities for greater consumer involvement
• Opportunities for greater patient electronic access to their information
• Opportunities for enhanced protections
Top Security Trends in Healthcare for 2011
• More small scale data breaches
• Low-tech theft, data stolen through non-electronic means
• Continuing crisis of lost devices
• Data minimization increasingly essential part of data security plans
• Increased collaboration & sharing will increase vulnerability
• Organizations will implement social networking policies
• Data encryption will be seen as a “golden ticket” to compliance
• 3rd Parties will face more stringent breach notification
• Privacy awareness training will gain prominence as essential to breach preparedness
• Possibility of Fed breach notification is high for 2011
Kroll's Fraud Solutions, January 3, 2011
What We Need
• A true health care solution that takes an integrated approach to all logging, monitoring, audit, and review activities.
• A solution that is intelligent enough to deliver a unified view of compliance.
• And smart enough to incorporate privacy monitoring and tie it back to other activity on the network.
Agenda
1. Why traditional approaches don’t work
2. Dealing with the complexity in Healthcare
3. Adding Privacy to the Matrix
4. Correlation is Key
5. Questions & Answers
The Old Model
• Traditional SIEM and Log Management platforms present views in silos, typically through add on modules such as:
– HIPAA
– PCI/DSS
– ITIL
– ISO
A New Paradigm
• A multidimensional approach that incorporates:
– Operations
– Security
– Compliance
– Privacy
– Correlation
Where The Data Is
• To address Privacy rules, today’s SIEMs need to be able to collect and correlate information from Healthcare Applications.
• Current technologies only address the traditional operations, compliance and security event logs.
• The model for healthcare needs to evolve to include privacy information (User Activity).
One Big Challenge – User Identity
• There are two critical components to this challenge – User Logins and Roles
• Most healthcare organizations do not have mature role based access in place
• Logins vary by system and single User may have many unique Logins
• Identity management will become a critical success factor for Healthcare compliance
Top Privacy Trends in Healthcare for 2011
• HIEs will be launched by inexperienced and understaffed organizations
• Increased fines and regulatory action by AGs
• Data breach costs will increase as penalties are enforced
• Hospital Boards will exert their power to manage data risks to increase accountability & fiduciary responsibility
• A significant “data spill” is inevitable
• There will be heightened patient awareness/concern over the security of their medical data
• Final data breach notification from HHS
Correlation is Key
• The ability to pull together multiple pieces of identity based information from multiple sources, and then automatically normalize and make sense of that information, is what is needed to accurately identify who did what and when.
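As an added example (not part of the original presentation or any vendor's product), the following Python sketches the collect-parse-normalize-correlate pipeline the deck calls for: it parses constructed log lines from three differently formatted sources (an EHR, a billing system and a directory logon), maps each system-specific login to one canonical person through a constructed identity table, and then counts how many distinct patient records each person touched within a sliding window. The system names, log formats, logins, patient IDs, window and threshold are all assumptions chosen for illustration.

```python
"""Normalize logins across systems and correlate PHI access by canonical user.

Added example, not from the original presentation. Every system, log format,
login, patient ID and threshold below is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity table: (system, login as it appears in that system's
# logs) -> one canonical person. In practice this is fed by identity management.
IDENTITY_MAP = {
    ("ehr", "jsmith"): "jane.smith",
    ("billing", "SMITHJ"): "jane.smith",
    ("ad", "CORP\\jsmith"): "jane.smith",
    ("ehr", "rlee"): "robert.lee",
    ("billing", "LEER"): "robert.lee",
}

# Constructed sample lines, one format per source system.
SAMPLE_LOGS = [
    "ehr|2011-03-01T08:00:05|jsmith|VIEW|patient=100234",
    "ehr|2011-03-01T08:01:10|jsmith|VIEW|patient=100235",
    "billing 2011-03-01 08:02:00 user=SMITHJ action=LOOKUP mrn=100236",
    "ehr|2011-03-01T08:03:00|jsmith|VIEW|patient=100237",
    "ad 2011-03-01T07:55:00 LOGON CORP\\jsmith workstation=WS-ER-01",
    "ehr|2011-03-01T09:30:00|rlee|VIEW|patient=100234",
    "ehr|2011-03-01T10:00:00|unknown1|VIEW|patient=100240",  # login with no owner
]

EHR_RE = re.compile(r"^ehr\|(?P<ts>[^|]+)\|(?P<login>[^|]+)\|(?P<action>[^|]+)\|patient=(?P<patient>\d+)$")
BILLING_RE = re.compile(r"^billing (?P<date>\S+) (?P<time>\S+) user=(?P<login>\S+) action=(?P<action>\S+) mrn=(?P<patient>\d+)$")
AD_RE = re.compile(r"^ad (?P<ts>\S+) (?P<action>\S+) (?P<login>\S+) workstation=(?P<ws>\S+)$")


def parse_line(line):
    """Parse one raw line into a common event shape, or None if unrecognized."""
    m = EHR_RE.match(line)
    if m:
        return {"system": "ehr", "ts": datetime.fromisoformat(m["ts"]), "login": m["login"],
                "action": m["action"], "patient": m["patient"]}
    m = BILLING_RE.match(line)
    if m:
        return {"system": "billing", "ts": datetime.fromisoformat(f"{m['date']}T{m['time']}"),
                "login": m["login"], "action": m["action"], "patient": m["patient"]}
    m = AD_RE.match(line)
    if m:
        return {"system": "ad", "ts": datetime.fromisoformat(m["ts"]), "login": m["login"],
                "action": m["action"], "patient": None}
    return None


def normalize(events):
    """Attach a canonical user to each event; unmapped logins are kept and flagged."""
    out = []
    for ev in events:
        ev = dict(ev)
        ev["user"] = IDENTITY_MAP.get((ev["system"], ev["login"]))
        ev["unmapped"] = ev["user"] is None
        out.append(ev)
    return out


def distinct_patients_per_user(events, window=timedelta(hours=1)):
    """Per canonical user: the largest number of distinct patient records touched,
    across all systems, within any window of the given length."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["patient"] and ev["user"]:
            by_user[ev["user"]].append((ev["ts"], ev["patient"]))
    result = {}
    for user, touches in by_user.items():
        touches.sort()
        best = 0
        for i, (start, _) in enumerate(touches):
            in_window = {p for t, p in touches[i:] if t - start <= window}
            best = max(best, len(in_window))
        result[user] = best
    return result


def flag_bulk_access(events, threshold=3, window=timedelta(hours=1)):
    """Canonical users who touched more than `threshold` distinct patients in a window."""
    counts = distinct_patients_per_user(events, window)
    return sorted(u for u, n in counts.items() if n > threshold)


def run(lines=SAMPLE_LOGS):
    """Full pipeline: parse -> normalize -> correlate; returns events and flagged users."""
    events = normalize(e for e in map(parse_line, lines) if e)
    return events, flag_bulk_access(events)
```

Without the identity table, the EHR, billing and directory lines for jane.smith look like three unrelated users and no single system sees more than three records; only after normalization does the per-person count cross the threshold. Unmapped logins are kept and flagged rather than dropped, because a login with no known owner is itself a finding where role-based access is immature.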
Agenda
1. Why traditional approaches don’t work
2. Dealing with the complexity in Healthcare
3. Adding Privacy to the Matrix
4. HITECH
5. Questions & Answers
Meaningful Use
• A primary goal of HITECH is the adoption and Meaningful Use of interoperable health information technology and electronic health records.
• Meaningful use requires the logging of all PHI actions that occur to include viewing.
• Meaningful use requires unique identifiers and Logins.
Accounting for Disclosures
• HITECH gives patients the right to request an accounting of who has had access to their information.
• This arguably extends the monitoring requirement beyond the core EHR to other systems (finance/insurance).
• A key component of Accounting for Disclosures is determining appropriate access.
Breach Notification
• HITECH provides very specific notification requirements if unsecured patient information is accessed, acquired or disclosed as a result of a breach.
• SIEM can assist in early detection of breaches and aid in limiting impact.
• SIEM can also aid in forensic analysis of what happened and who was involved.
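As an added example (not part of the original presentation), the following Python shows the two outputs the Accounting for Disclosures and Breach Notification slides ask a SIEM for: a chronological, cross-system accounting of everyone who touched a given patient's record, and a list of accesses that fail an appropriateness check. The check used here is an assumption: an access is flagged when the action is not permitted for the user's role in that system, or when the user has no documented care or payment relationship with the patient. The events, roles, policy and care-team table are constructed and already normalized to one canonical user per event, as an identity-aware SIEM would produce.

```python
"""Accounting of disclosures and appropriate-access findings over normalized events.

Added example, not from the original presentation. Users, roles, patient IDs,
the role policy and the care-team table are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed, already-normalized events (one canonical user per event).
EVENTS = [
    {"ts": datetime(2011, 3, 1, 8, 0), "user": "jane.smith", "role": "nurse",
     "system": "ehr", "action": "VIEW", "patient": "100234"},
    {"ts": datetime(2011, 3, 1, 8, 5), "user": "robert.lee", "role": "physician",
     "system": "ehr", "action": "UPDATE", "patient": "100234"},
    {"ts": datetime(2011, 3, 1, 9, 0), "user": "amy.chen", "role": "billing_clerk",
     "system": "billing", "action": "LOOKUP", "patient": "100234"},
    {"ts": datetime(2011, 3, 1, 9, 30), "user": "amy.chen", "role": "billing_clerk",
     "system": "ehr", "action": "VIEW", "patient": "100234"},
    {"ts": datetime(2011, 3, 1, 11, 0), "user": "tom.park", "role": "physician",
     "system": "ehr", "action": "VIEW", "patient": "100234"},
]

# Constructed policy: actions each role may perform in each system.
ROLE_POLICY = {
    ("nurse", "ehr"): {"VIEW"},
    ("physician", "ehr"): {"VIEW", "UPDATE"},
    ("billing_clerk", "billing"): {"LOOKUP"},
}

# Constructed care-team table: users with a treatment or payment relationship
# to each patient (in practice derived from scheduling, orders or claims data).
CARE_TEAM = {
    "100234": {"jane.smith", "robert.lee", "amy.chen"},
}


def accounting_of_disclosures(events, patient):
    """Chronological list of who touched a patient's record, across all systems."""
    rows = sorted((e for e in events if e["patient"] == patient), key=lambda e: e["ts"])
    return [(e["ts"].isoformat(), e["user"], e["role"], e["system"], e["action"]) for e in rows]


def access_findings(events, policy=ROLE_POLICY, care_team=CARE_TEAM):
    """Events failing either check: action not permitted for the role in that
    system, or no documented relationship between the user and the patient."""
    findings = []
    for e in events:
        reasons = []
        if e["action"] not in policy.get((e["role"], e["system"]), set()):
            reasons.append("role_not_permitted")
        if e["user"] not in care_team.get(e["patient"], set()):
            reasons.append("no_care_relationship")
        if reasons:
            findings.append({"user": e["user"], "ts": e["ts"].isoformat(),
                             "system": e["system"], "reasons": reasons})
    return findings


def findings_by_user(events, **kw):
    """Roll findings up per user, the view an investigator starts from."""
    summary = defaultdict(list)
    for f in access_findings(events, **kw):
        summary[f["user"]].extend(f["reasons"])
    return dict(summary)
```

The accounting covers the billing lookup as well as the EHR views, which is the point of the slide that extends monitoring beyond the core EHR. The two findings differ in kind: the billing clerk's EHR view is a role-policy miss, while the second physician's view is permitted by role yet has no relationship behind it, which is the case that only correlation with another data source can surface.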
Frequent Themes
• Frustration with primarily reactive processes
• Frustration with time consuming manual processes
• Lack of confidence in manual searches
• Desire to mitigate potential public embarrassment
• Gaps in current SIEM/Log Management solutions to address clinical applications
• Lack of log/audit functionality in systems
The Ideal Healthcare SIEM
• Multidimensional compliance matrix that measures against an integrated set of requirements.
• A distinct approach that elevates Privacy to the same level as operations, security and compliance and correlates across all.
• An ability to tie in Identity Management and normalize for user ID and role.
• An established set of reports and alerts
Agenda
1. Why traditional approaches don’t work
2. Dealing with the complexity in Healthcare
3. Adding Privacy to the Matrix
4. Correlation is Key
5. Questions & Answers